To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.2
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.2
- Committer: Björn Påhlsson
- Date: 2008-07-22 06:26:12 UTC
- mfrom: (26 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 27.
- Revision ID: belorn@braxen-20080722062612-0om9eb3fpsso8xc4
merge
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files renamed:
- clients.conf => mandos-clients.conf
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is
12
* Copyright © 2008-2011 Teddy Hogeborn
13
* Copyright © 2008-2011 Björn Påhlsson
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@recompile.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
32
#define _FORTIFY_SOURCE 2
33
34
34
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
35
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open(), S_ISREG */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno,
66
program_invocation_short_name */
67
#include <time.h> /* nanosleep(), time(), sleep() */
68
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
69
SIOCSIFFLAGS, if_indextoname(),
70
if_nametoindex(), IF_NAMESIZE */
71
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
72
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
73
*/
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
getuid(), getgid(), seteuid(),
76
setgid(), pause() */
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
78
#include <iso646.h> /* not, or, and */
79
#include <argp.h> /* struct argp_option, error_t, struct
80
argp_state, struct argp,
81
argp_parse(), ARGP_KEY_ARG,
82
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
83
#include <signal.h> /* sigemptyset(), sigaddset(),
84
sigaction(), SIGTERM, sig_atomic_t,
85
raise() */
86
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
87
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
88
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
89
WEXITSTATUS(), WTERMSIG() */
90
91
#ifdef __linux__
92
#include <sys/klog.h> /* klogctl() */
93
#endif /* __linux__ */
94
95
/* Avahi */
96
/* All Avahi types, constants and functions
97
Avahi*, avahi_*,
98
AVAHI_* */
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
99
43
#include <avahi-core/core.h>
100
44
#include <avahi-core/lookup.h>
101
45
#include <avahi-core/log.h>
103
47
#include <avahi-common/malloc.h>
104
48
#include <avahi-common/error.h>
105
49
106
/* GnuTLS */
107
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
108
functions:
109
gnutls_*
110
init_gnutls_session(),
111
GNUTLS_* */
112
#include <gnutls/openpgp.h>
113
/* gnutls_certificate_set_openpgp_key_file(),
114
GNUTLS_OPENPGP_FMT_BASE64 */
115
116
/* GPGME */
117
#include <gpgme.h> /* All GPGME types, constants and
118
functions:
119
gpgme_*
120
GPGME_PROTOCOL_OpenPGP,
121
GPG_ERR_NO_* */
122
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
70
71
#ifndef CERT_ROOT
72
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
73
#endif
74
#define CERTFILE CERT_ROOT "openpgp-client.txt"
75
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
123
76
#define BUFFER_SIZE 256
124
125
#define PATHDIR "/conf/conf.d/mandos"
126
#define SECKEY "seckey.txt"
127
#define PUBKEY "pubkey.txt"
128
#define HOOKDIR "/lib/mandos/network-hooks.d"
77
#define DH_BITS 1024
129
78
130
79
bool debug = false;
131
static const char mandos_protocol_version[] = "1";
132
const char *argp_program_version = "mandos-client " VERSION;
133
const char *argp_program_bug_address = "<mandos@recompile.se>";
134
static const char sys_class_net[] = "/sys/class/net";
135
char *connect_to = NULL;
136
const char *hookdir = HOOKDIR;
137
138
/* Doubly linked list that need to be circularly linked when used */
139
typedef struct server{
140
const char *ip;
141
uint16_t port;
142
AvahiIfIndex if_index;
143
int af;
144
struct timespec last_seen;
145
struct server *next;
146
struct server *prev;
147
} server;
148
149
/* Used for passing in values through the Avahi callback functions */
80
150
81
typedef struct {
151
AvahiSimplePoll *simple_poll;
152
AvahiServer *server;
82
gnutls_session_t session;
153
83
gnutls_certificate_credentials_t cred;
154
unsigned int dh_bits;
155
84
gnutls_dh_params_t dh_params;
156
const char *priority;
85
} encrypted_session;
86
87
88
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet, const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
157
91
gpgme_ctx_t ctx;
158
server *current_server;
159
} mandos_context;
160
161
/* global context so signal handler can reach it*/
162
mandos_context mc = { .simple_poll = NULL, .server = NULL,
163
.dh_bits = 1024, .priority = "SECURE256"
164
":!CTYPE-X.509:+CTYPE-OPENPGP",
165
.current_server = NULL };
166
167
sig_atomic_t quit_now = 0;
168
int signal_received = 0;
169
170
/* Function to use when printing errors */
171
void perror_plus(const char *print_text){
172
fprintf(stderr, "Mandos plugin %s: ",
173
program_invocation_short_name);
174
perror(print_text);
175
}
176
177
/*
178
* Make additional room in "buffer" for at least BUFFER_SIZE more
179
* bytes. "buffer_capacity" is how much is currently allocated,
180
* "buffer_length" is how much is already used.
181
*/
182
size_t incbuffer(char **buffer, size_t buffer_length,
183
size_t buffer_capacity){
184
if(buffer_length + BUFFER_SIZE > buffer_capacity){
185
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
186
if(buffer == NULL){
187
return 0;
188
}
189
buffer_capacity += BUFFER_SIZE;
190
}
191
return buffer_capacity;
192
}
193
194
/* Add server to set of servers to retry periodically */
195
int add_server(const char *ip, uint16_t port, AvahiIfIndex if_index,
196
int af){
197
int ret;
198
server *new_server = malloc(sizeof(server));
199
if(new_server == NULL){
200
perror_plus("malloc");
201
return -1;
202
}
203
*new_server = (server){ .ip = strdup(ip),
204
.port = port,
205
.if_index = if_index,
206
.af = af };
207
if(new_server->ip == NULL){
208
perror_plus("strdup");
209
return -1;
210
}
211
/* Special case of first server */
212
if (mc.current_server == NULL){
213
new_server->next = new_server;
214
new_server->prev = new_server;
215
mc.current_server = new_server;
216
/* Place the new server last in the list */
217
} else {
218
new_server->next = mc.current_server;
219
new_server->prev = mc.current_server->prev;
220
new_server->prev->next = new_server;
221
mc.current_server->prev = new_server;
222
}
223
ret = clock_gettime(CLOCK_MONOTONIC, &mc.current_server->last_seen);
224
if(ret == -1){
225
perror_plus("clock_gettime");
226
return -1;
227
}
228
return 0;
229
}
230
231
/*
232
* Initialize GPGME.
233
*/
234
static bool init_gpgme(const char *seckey, const char *pubkey,
235
const char *tempdir){
236
92
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
237
96
gpgme_engine_info_t engine_info;
238
239
240
/*
241
* Helper function to insert pub and seckey to the engine keyring.
242
*/
243
bool import_key(const char *filename){
244
int ret;
245
int fd;
246
gpgme_data_t pgp_data;
247
248
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
249
if(fd == -1){
250
perror_plus("open");
251
return false;
252
}
253
254
rc = gpgme_data_new_from_fd(&pgp_data, fd);
255
if(rc != GPG_ERR_NO_ERROR){
256
fprintf(stderr, "Mandos plugin mandos-client: "
257
"bad gpgme_data_new_from_fd: %s: %s\n",
258
gpgme_strsource(rc), gpgme_strerror(rc));
259
return false;
260
}
261
262
rc = gpgme_op_import(mc.ctx, pgp_data);
263
if(rc != GPG_ERR_NO_ERROR){
264
fprintf(stderr, "Mandos plugin mandos-client: "
265
"bad gpgme_op_import: %s: %s\n",
266
gpgme_strsource(rc), gpgme_strerror(rc));
267
return false;
268
}
269
270
ret = (int)TEMP_FAILURE_RETRY(close(fd));
271
if(ret == -1){
272
perror_plus("close");
273
}
274
gpgme_data_release(pgp_data);
275
return true;
276
}
277
278
if(debug){
279
fprintf(stderr, "Mandos plugin mandos-client: "
280
"Initializing GPGME\n");
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
281
100
}
282
101
283
102
/* Init GPGME */
284
103
gpgme_check_version(NULL);
285
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
286
if(rc != GPG_ERR_NO_ERROR){
287
fprintf(stderr, "Mandos plugin mandos-client: "
288
"bad gpgme_engine_check_version: %s: %s\n",
289
gpgme_strsource(rc), gpgme_strerror(rc));
290
return false;
291
}
104
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
292
105
293
/* Set GPGME home directory for the OpenPGP engine only */
294
rc = gpgme_get_engine_info(&engine_info);
295
if(rc != GPG_ERR_NO_ERROR){
296
fprintf(stderr, "Mandos plugin mandos-client: "
297
"bad gpgme_get_engine_info: %s: %s\n",
106
/* Set GPGME home directory */
107
rc = gpgme_get_engine_info (&engine_info);
108
if (rc != GPG_ERR_NO_ERROR){
109
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
298
110
gpgme_strsource(rc), gpgme_strerror(rc));
299
return false;
111
return -1;
300
112
}
301
113
while(engine_info != NULL){
302
114
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
303
115
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
304
engine_info->file_name, tempdir);
116
engine_info->file_name, homedir);
305
117
break;
306
118
}
307
119
engine_info = engine_info->next;
308
120
}
309
121
if(engine_info == NULL){
310
fprintf(stderr, "Mandos plugin mandos-client: "
311
"Could not set GPGME home dir to %s\n", tempdir);
312
return false;
313
}
314
315
/* Create new GPGME "context" */
316
rc = gpgme_new(&(mc.ctx));
317
if(rc != GPG_ERR_NO_ERROR){
318
fprintf(stderr, "Mandos plugin mandos-client: "
319
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
320
gpgme_strerror(rc));
321
return false;
322
}
323
324
if(not import_key(pubkey) or not import_key(seckey)){
325
return false;
326
}
327
328
return true;
329
}
330
331
/*
332
* Decrypt OpenPGP data.
333
* Returns -1 on error
334
*/
335
static ssize_t pgp_packet_decrypt(const char *cryptotext,
336
size_t crypto_size,
337
char **plaintext){
338
gpgme_data_t dh_crypto, dh_plain;
339
gpgme_error_t rc;
340
ssize_t ret;
341
size_t plaintext_capacity = 0;
342
ssize_t plaintext_length = 0;
343
344
if(debug){
345
fprintf(stderr, "Mandos plugin mandos-client: "
346
"Trying to decrypt OpenPGP data\n");
347
}
348
349
/* Create new GPGME data buffer from memory cryptotext */
350
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
351
0);
352
if(rc != GPG_ERR_NO_ERROR){
353
fprintf(stderr, "Mandos plugin mandos-client: "
354
"bad gpgme_data_new_from_mem: %s: %s\n",
122
fprintf(stderr, "Could not set home dir to %s\n", homedir);
123
return -1;
124
}
125
126
/* Create new GPGME data buffer from packet buffer */
127
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
128
if (rc != GPG_ERR_NO_ERROR){
129
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
355
130
gpgme_strsource(rc), gpgme_strerror(rc));
356
131
return -1;
357
132
}
358
133
359
134
/* Create new empty GPGME data buffer for the plaintext */
360
135
rc = gpgme_data_new(&dh_plain);
361
if(rc != GPG_ERR_NO_ERROR){
362
fprintf(stderr, "Mandos plugin mandos-client: "
363
"bad gpgme_data_new: %s: %s\n",
364
gpgme_strsource(rc), gpgme_strerror(rc));
365
gpgme_data_release(dh_crypto);
366
return -1;
367
}
368
369
/* Decrypt data from the cryptotext data buffer to the plaintext
370
data buffer */
371
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
372
if(rc != GPG_ERR_NO_ERROR){
373
fprintf(stderr, "Mandos plugin mandos-client: "
374
"bad gpgme_op_decrypt: %s: %s\n",
375
gpgme_strsource(rc), gpgme_strerror(rc));
376
plaintext_length = -1;
377
if(debug){
378
gpgme_decrypt_result_t result;
379
result = gpgme_op_decrypt_result(mc.ctx);
380
if(result == NULL){
381
fprintf(stderr, "Mandos plugin mandos-client: "
382
"gpgme_op_decrypt_result failed\n");
383
} else {
384
fprintf(stderr, "Mandos plugin mandos-client: "
385
"Unsupported algorithm: %s\n",
386
result->unsupported_algorithm);
387
fprintf(stderr, "Mandos plugin mandos-client: "
388
"Wrong key usage: %u\n",
389
result->wrong_key_usage);
390
if(result->file_name != NULL){
391
fprintf(stderr, "Mandos plugin mandos-client: "
392
"File name: %s\n", result->file_name);
393
}
394
gpgme_recipient_t recipient;
395
recipient = result->recipients;
136
if (rc != GPG_ERR_NO_ERROR){
137
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
138
gpgme_strsource(rc), gpgme_strerror(rc));
139
return -1;
140
}
141
142
/* Create new GPGME "context" */
143
rc = gpgme_new(&ctx);
144
if (rc != GPG_ERR_NO_ERROR){
145
fprintf(stderr, "bad gpgme_new: %s: %s\n",
146
gpgme_strsource(rc), gpgme_strerror(rc));
147
return -1;
148
}
149
150
/* Decrypt data from the FILE pointer to the plaintext data
151
buffer */
152
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
153
if (rc != GPG_ERR_NO_ERROR){
154
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
155
gpgme_strsource(rc), gpgme_strerror(rc));
156
return -1;
157
}
158
159
if(debug){
160
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
161
}
162
163
if (debug){
164
gpgme_decrypt_result_t result;
165
result = gpgme_op_decrypt_result(ctx);
166
if (result == NULL){
167
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
168
} else {
169
fprintf(stderr, "Unsupported algorithm: %s\n",
170
result->unsupported_algorithm);
171
fprintf(stderr, "Wrong key usage: %d\n",
172
result->wrong_key_usage);
173
if(result->file_name != NULL){
174
fprintf(stderr, "File name: %s\n", result->file_name);
175
}
176
gpgme_recipient_t recipient;
177
recipient = result->recipients;
178
if(recipient){
396
179
while(recipient != NULL){
397
fprintf(stderr, "Mandos plugin mandos-client: "
398
"Public key algorithm: %s\n",
180
fprintf(stderr, "Public key algorithm: %s\n",
399
181
gpgme_pubkey_algo_name(recipient->pubkey_algo));
400
fprintf(stderr, "Mandos plugin mandos-client: "
401
"Key ID: %s\n", recipient->keyid);
402
fprintf(stderr, "Mandos plugin mandos-client: "
403
"Secret key available: %s\n",
182
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
183
fprintf(stderr, "Secret key available: %s\n",
404
184
recipient->status == GPG_ERR_NO_SECKEY
405
185
? "No" : "Yes");
406
186
recipient = recipient->next;
407
187
}
408
188
}
409
189
}
410
goto decrypt_end;
411
190
}
412
191
413
if(debug){
414
fprintf(stderr, "Mandos plugin mandos-client: "
415
"Decryption of OpenPGP data succeeded\n");
416
}
192
/* Delete the GPGME FILE pointer cryptotext data buffer */
193
gpgme_data_release(dh_crypto);
417
194
418
195
/* Seek back to the beginning of the GPGME plaintext data buffer */
419
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
420
perror_plus("gpgme_data_seek");
421
plaintext_length = -1;
422
goto decrypt_end;
423
}
424
425
*plaintext = NULL;
196
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
197
198
*new_packet = 0;
426
199
while(true){
427
plaintext_capacity = incbuffer(plaintext,
428
(size_t)plaintext_length,
429
plaintext_capacity);
430
if(plaintext_capacity == 0){
431
perror_plus("incbuffer");
432
plaintext_length = -1;
433
goto decrypt_end;
200
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
201
*new_packet = realloc(*new_packet,
202
(unsigned int)new_packet_capacity
203
+ BUFFER_SIZE);
204
if (*new_packet == NULL){
205
perror("realloc");
206
return -1;
207
}
208
new_packet_capacity += BUFFER_SIZE;
434
209
}
435
210
436
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
211
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
437
212
BUFFER_SIZE);
438
213
/* Print the data, if any */
439
if(ret == 0){
440
/* EOF */
214
if (ret == 0){
441
215
break;
442
216
}
443
217
if(ret < 0){
444
perror_plus("gpgme_data_read");
445
plaintext_length = -1;
446
goto decrypt_end;
447
}
448
plaintext_length += ret;
449
}
450
451
if(debug){
452
fprintf(stderr, "Mandos plugin mandos-client: "
453
"Decrypted password is: ");
454
for(ssize_t i = 0; i < plaintext_length; i++){
455
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
456
}
457
fprintf(stderr, "\n");
458
}
459
460
decrypt_end:
461
462
/* Delete the GPGME cryptotext data buffer */
463
gpgme_data_release(dh_crypto);
218
perror("gpgme_data_read");
219
return -1;
220
}
221
new_packet_length += ret;
222
}
223
224
/* FIXME: check characters before printing to screen so to not print
225
terminal control characters */
226
/* if(debug){ */
227
/* fprintf(stderr, "decrypted password is: "); */
228
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
229
/* fprintf(stderr, "\n"); */
230
/* } */
464
231
465
232
/* Delete the GPGME plaintext data buffer */
466
233
gpgme_data_release(dh_plain);
467
return plaintext_length;
234
return new_packet_length;
468
235
}
469
236
470
static const char * safer_gnutls_strerror(int value){
471
const char *ret = gnutls_strerror(value); /* Spurious warning from
472
-Wunreachable-code */
473
if(ret == NULL)
237
static const char * safer_gnutls_strerror (int value) {
238
const char *ret = gnutls_strerror (value);
239
if (ret == NULL)
474
240
ret = "(unknown)";
475
241
return ret;
476
242
}
477
243
478
/* GnuTLS log function callback */
479
static void debuggnutls(__attribute__((unused)) int level,
480
const char* string){
481
fprintf(stderr, "Mandos plugin mandos-client: GnuTLS: %s", string);
244
void debuggnutls(__attribute__((unused)) int level,
245
const char* string){
246
fprintf(stderr, "%s", string);
482
247
}
483
248
484
static int init_gnutls_global(const char *pubkeyfilename,
485
const char *seckeyfilename){
249
int initgnutls(encrypted_session *es){
250
const char *err;
486
251
int ret;
487
252
488
253
if(debug){
489
fprintf(stderr, "Mandos plugin mandos-client: "
490
"Initializing GnuTLS\n");
254
fprintf(stderr, "Initializing GnuTLS\n");
491
255
}
492
256
493
ret = gnutls_global_init();
494
if(ret != GNUTLS_E_SUCCESS){
495
fprintf(stderr, "Mandos plugin mandos-client: "
496
"GnuTLS global_init: %s\n", safer_gnutls_strerror(ret));
257
if ((ret = gnutls_global_init ())
258
!= GNUTLS_E_SUCCESS) {
259
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
497
260
return -1;
498
261
}
499
500
if(debug){
501
/* "Use a log level over 10 to enable all debugging options."
502
* - GnuTLS manual
503
*/
262
263
if (debug){
504
264
gnutls_global_set_log_level(11);
505
265
gnutls_global_set_log_function(debuggnutls);
506
266
}
507
267
508
/* OpenPGP credentials */
509
ret = gnutls_certificate_allocate_credentials(&mc.cred);
510
if(ret != GNUTLS_E_SUCCESS){
511
fprintf(stderr, "Mandos plugin mandos-client: "
512
"GnuTLS memory error: %s\n", safer_gnutls_strerror(ret));
513
gnutls_global_deinit();
268
/* openpgp credentials */
269
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
270
!= GNUTLS_E_SUCCESS) {
271
fprintf (stderr, "memory error: %s\n",
272
safer_gnutls_strerror(ret));
514
273
return -1;
515
274
}
516
275
517
276
if(debug){
518
fprintf(stderr, "Mandos plugin mandos-client: "
519
"Attempting to use OpenPGP public key %s and"
520
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
521
seckeyfilename);
277
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
278
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
279
KEYFILE);
522
280
}
523
281
524
282
ret = gnutls_certificate_set_openpgp_key_file
525
(mc.cred, pubkeyfilename, seckeyfilename,
526
GNUTLS_OPENPGP_FMT_BASE64);
527
if(ret != GNUTLS_E_SUCCESS){
528
fprintf(stderr,
529
"Mandos plugin mandos-client: "
530
"Error[%d] while reading the OpenPGP key pair ('%s',"
531
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
532
fprintf(stderr, "Mandos plugin mandos-client: "
533
"The GnuTLS error is: %s\n", safer_gnutls_strerror(ret));
534
goto globalfail;
535
}
536
537
/* GnuTLS server initialization */
538
ret = gnutls_dh_params_init(&mc.dh_params);
539
if(ret != GNUTLS_E_SUCCESS){
540
fprintf(stderr, "Mandos plugin mandos-client: "
541
"Error in GnuTLS DH parameter initialization:"
542
" %s\n", safer_gnutls_strerror(ret));
543
goto globalfail;
544
}
545
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
546
if(ret != GNUTLS_E_SUCCESS){
547
fprintf(stderr, "Mandos plugin mandos-client: "
548
"Error in GnuTLS prime generation: %s\n",
549
safer_gnutls_strerror(ret));
550
goto globalfail;
551
}
552
553
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
554
555
return 0;
556
557
globalfail:
558
559
gnutls_certificate_free_credentials(mc.cred);
560
gnutls_global_deinit();
561
gnutls_dh_params_deinit(mc.dh_params);
562
return -1;
563
}
564
565
static int init_gnutls_session(gnutls_session_t *session){
566
int ret;
567
/* GnuTLS session creation */
568
do {
569
ret = gnutls_init(session, GNUTLS_SERVER);
570
if(quit_now){
571
return -1;
572
}
573
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
574
if(ret != GNUTLS_E_SUCCESS){
575
fprintf(stderr, "Mandos plugin mandos-client: "
576
"Error in GnuTLS session initialization: %s\n",
577
safer_gnutls_strerror(ret));
578
}
579
580
{
581
const char *err;
582
do {
583
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
584
if(quit_now){
585
gnutls_deinit(*session);
586
return -1;
587
}
588
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
589
if(ret != GNUTLS_E_SUCCESS){
590
fprintf(stderr, "Mandos plugin mandos-client: "
591
"Syntax error at: %s\n", err);
592
fprintf(stderr, "Mandos plugin mandos-client: "
593
"GnuTLS error: %s\n", safer_gnutls_strerror(ret));
594
gnutls_deinit(*session);
595
return -1;
596
}
597
}
598
599
do {
600
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
601
mc.cred);
602
if(quit_now){
603
gnutls_deinit(*session);
604
return -1;
605
}
606
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
607
if(ret != GNUTLS_E_SUCCESS){
608
fprintf(stderr, "Mandos plugin mandos-client: "
609
"Error setting GnuTLS credentials: %s\n",
610
safer_gnutls_strerror(ret));
611
gnutls_deinit(*session);
283
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
284
if (ret != GNUTLS_E_SUCCESS) {
285
fprintf
286
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
287
" '%s')\n",
288
ret, CERTFILE, KEYFILE);
289
fprintf(stdout, "The Error is: %s\n",
290
safer_gnutls_strerror(ret));
291
return -1;
292
}
293
294
//GnuTLS server initialization
295
if ((ret = gnutls_dh_params_init (&es->dh_params))
296
!= GNUTLS_E_SUCCESS) {
297
fprintf (stderr, "Error in dh parameter initialization: %s\n",
298
safer_gnutls_strerror(ret));
299
return -1;
300
}
301
302
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in prime generation: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
310
311
// GnuTLS session creation
312
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
313
!= GNUTLS_E_SUCCESS){
314
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
315
safer_gnutls_strerror(ret));
316
}
317
318
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
319
!= GNUTLS_E_SUCCESS) {
320
fprintf(stderr, "Syntax error at: %s\n", err);
321
fprintf(stderr, "GnuTLS error: %s\n",
322
safer_gnutls_strerror(ret));
323
return -1;
324
}
325
326
if ((ret = gnutls_credentials_set
327
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
328
!= GNUTLS_E_SUCCESS) {
329
fprintf(stderr, "Error setting a credentials set: %s\n",
330
safer_gnutls_strerror(ret));
612
331
return -1;
613
332
}
614
333
615
334
/* ignore client certificate if any. */
616
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
335
gnutls_certificate_server_set_request (es->session,
336
GNUTLS_CERT_IGNORE);
617
337
618
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
338
gnutls_dh_set_prime_bits (es->session, DH_BITS);
619
339
620
340
return 0;
621
341
}
622
342
623
/* Avahi log function callback */
624
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
625
__attribute__((unused)) const char *txt){}
343
void empty_log(__attribute__((unused)) AvahiLogLevel level,
344
__attribute__((unused)) const char *txt){}
626
345
627
/* Called when a Mandos server is found */
628
static int start_mandos_communication(const char *ip, uint16_t port,
629
AvahiIfIndex if_index,
630
int af){
631
int ret, tcp_sd = -1;
632
ssize_t sret;
633
union {
634
struct sockaddr_in in;
635
struct sockaddr_in6 in6;
636
} to;
346
int start_mandos_communication(const char *ip, uint16_t port,
347
unsigned int if_index){
348
int ret, tcp_sd;
349
struct sockaddr_in6 to;
350
encrypted_session es;
637
351
char *buffer = NULL;
638
char *decrypted_buffer = NULL;
352
char *decrypted_buffer;
639
353
size_t buffer_length = 0;
640
354
size_t buffer_capacity = 0;
641
size_t written;
642
int retval = -1;
643
gnutls_session_t session;
644
int pf; /* Protocol family */
645
646
errno = 0;
647
648
if(quit_now){
649
errno = EINTR;
650
return -1;
651
}
652
653
switch(af){
654
case AF_INET6:
655
pf = PF_INET6;
656
break;
657
case AF_INET:
658
pf = PF_INET;
659
break;
660
default:
661
fprintf(stderr, "Mandos plugin mandos-client: "
662
"Bad address family: %d\n", af);
663
errno = EINVAL;
664
return -1;
665
}
666
667
ret = init_gnutls_session(&session);
668
if(ret != 0){
669
return -1;
670
}
671
672
if(debug){
673
fprintf(stderr, "Mandos plugin mandos-client: "
674
"Setting up a TCP connection to %s, port %" PRIu16
675
"\n", ip, port);
676
}
677
678
tcp_sd = socket(pf, SOCK_STREAM, 0);
679
if(tcp_sd < 0){
680
int e = errno;
681
perror_plus("socket");
682
errno = e;
683
goto mandos_end;
684
}
685
686
if(quit_now){
687
errno = EINTR;
688
goto mandos_end;
689
}
690
691
memset(&to, 0, sizeof(to));
692
if(af == AF_INET6){
693
to.in6.sin6_family = (sa_family_t)af;
694
ret = inet_pton(af, ip, &to.in6.sin6_addr);
695
} else { /* IPv4 */
696
to.in.sin_family = (sa_family_t)af;
697
ret = inet_pton(af, ip, &to.in.sin_addr);
698
}
699
if(ret < 0 ){
700
int e = errno;
701
perror_plus("inet_pton");
702
errno = e;
703
goto mandos_end;
704
}
355
ssize_t decrypted_buffer_size;
356
size_t written = 0;
357
int retval = 0;
358
char interface[IF_NAMESIZE];
359
360
if(debug){
361
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
362
}
363
364
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
365
if(tcp_sd < 0) {
366
perror("socket");
367
return -1;
368
}
369
370
if(if_indextoname(if_index, interface) == NULL){
371
if(debug){
372
perror("if_indextoname");
373
}
374
return -1;
375
}
376
377
if(debug){
378
fprintf(stderr, "Binding to interface %s\n", interface);
379
}
380
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
384
if (ret < 0 ){
385
perror("inet_pton");
386
return -1;
387
}
705
388
if(ret == 0){
706
int e = errno;
707
fprintf(stderr, "Mandos plugin mandos-client: "
708
"Bad address: %s\n", ip);
709
errno = e;
710
goto mandos_end;
711
}
712
if(af == AF_INET6){
713
to.in6.sin6_port = htons(port); /* Spurious warnings from
714
-Wconversion and
715
-Wunreachable-code */
716
717
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
718
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
719
-Wunreachable-code*/
720
if(if_index == AVAHI_IF_UNSPEC){
721
fprintf(stderr, "Mandos plugin mandos-client: "
722
"An IPv6 link-local address is incomplete"
723
" without a network interface\n");
724
errno = EINVAL;
725
goto mandos_end;
726
}
727
/* Set the network interface number as scope */
728
to.in6.sin6_scope_id = (uint32_t)if_index;
729
}
730
} else {
731
to.in.sin_port = htons(port); /* Spurious warnings from
732
-Wconversion and
733
-Wunreachable-code */
734
}
735
736
if(quit_now){
737
errno = EINTR;
738
goto mandos_end;
739
}
740
741
if(debug){
742
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
743
char interface[IF_NAMESIZE];
744
if(if_indextoname((unsigned int)if_index, interface) == NULL){
745
perror_plus("if_indextoname");
746
} else {
747
fprintf(stderr, "Mandos plugin mandos-client: "
748
"Connection to: %s%%%s, port %" PRIu16 "\n",
749
ip, interface, port);
750
}
751
} else {
752
fprintf(stderr, "Mandos plugin mandos-client: "
753
"Connection to: %s, port %" PRIu16 "\n", ip, port);
754
}
755
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
756
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
757
const char *pcret;
758
if(af == AF_INET6){
759
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
760
sizeof(addrstr));
761
} else {
762
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
763
sizeof(addrstr));
764
}
765
if(pcret == NULL){
766
perror_plus("inet_ntop");
767
} else {
768
if(strcmp(addrstr, ip) != 0){
769
fprintf(stderr, "Mandos plugin mandos-client: "
770
"Canonical address form: %s\n", addrstr);
771
}
772
}
773
}
774
775
if(quit_now){
776
errno = EINTR;
777
goto mandos_end;
778
}
779
780
if(af == AF_INET6){
781
ret = connect(tcp_sd, &to.in6, sizeof(to));
782
} else {
783
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
784
}
785
if(ret < 0){
786
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
787
int e = errno;
788
perror_plus("connect");
789
errno = e;
790
}
791
goto mandos_end;
792
}
793
794
if(quit_now){
795
errno = EINTR;
796
goto mandos_end;
797
}
798
799
const char *out = mandos_protocol_version;
800
written = 0;
801
while(true){
802
size_t out_size = strlen(out);
803
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
804
out_size - written));
805
if(ret == -1){
806
int e = errno;
807
perror_plus("write");
808
errno = e;
809
goto mandos_end;
810
}
811
written += (size_t)ret;
812
if(written < out_size){
813
continue;
814
} else {
815
if(out == mandos_protocol_version){
816
written = 0;
817
out = "\r\n";
818
} else {
819
break;
820
}
821
}
822
823
if(quit_now){
824
errno = EINTR;
825
goto mandos_end;
826
}
827
}
828
829
if(debug){
830
fprintf(stderr, "Mandos plugin mandos-client: "
831
"Establishing TLS session with %s\n", ip);
832
}
833
834
if(quit_now){
835
errno = EINTR;
836
goto mandos_end;
837
}
838
839
/* Spurious warning from -Wint-to-pointer-cast */
840
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
841
842
if(quit_now){
843
errno = EINTR;
844
goto mandos_end;
845
}
846
847
do {
848
ret = gnutls_handshake(session);
849
if(quit_now){
850
errno = EINTR;
851
goto mandos_end;
852
}
853
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
854
855
if(ret != GNUTLS_E_SUCCESS){
389
fprintf(stderr, "Bad address: %s\n", ip);
390
return -1;
391
}
392
to.sin6_port = htons(port); /* Spurious warning */
393
394
to.sin6_scope_id = (uint32_t)if_index;
395
396
if(debug){
397
fprintf(stderr, "Connection to: %s\n", ip);
398
}
399
400
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
401
if (ret < 0){
402
perror("connect");
403
return -1;
404
}
405
406
ret = initgnutls (&es);
407
if (ret != 0){
408
retval = -1;
409
return -1;
410
}
411
412
gnutls_transport_set_ptr (es.session,
413
(gnutls_transport_ptr_t) tcp_sd);
414
415
if(debug){
416
fprintf(stderr, "Establishing TLS session with %s\n", ip);
417
}
418
419
ret = gnutls_handshake (es.session);
420
421
if (ret != GNUTLS_E_SUCCESS){
856
422
if(debug){
857
fprintf(stderr, "Mandos plugin mandos-client: "
858
"*** GnuTLS Handshake failed ***\n");
859
gnutls_perror(ret);
423
fprintf(stderr, "\n*** Handshake failed ***\n");
424
gnutls_perror (ret);
860
425
}
861
errno = EPROTO;
862
goto mandos_end;
426
retval = -1;
427
goto exit;
863
428
}
864
429
865
/* Read OpenPGP packet that contains the wanted password */
430
//Retrieve OpenPGP packet that contains the wanted password
866
431
867
432
if(debug){
868
fprintf(stderr, "Mandos plugin mandos-client: "
869
"Retrieving OpenPGP encrypted password from %s\n", ip);
433
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
434
ip);
870
435
}
871
436
872
437
while(true){
873
874
if(quit_now){
875
errno = EINTR;
876
goto mandos_end;
877
}
878
879
buffer_capacity = incbuffer(&buffer, buffer_length,
880
buffer_capacity);
881
if(buffer_capacity == 0){
882
int e = errno;
883
perror_plus("incbuffer");
884
errno = e;
885
goto mandos_end;
886
}
887
888
if(quit_now){
889
errno = EINTR;
890
goto mandos_end;
891
}
892
893
sret = gnutls_record_recv(session, buffer+buffer_length,
894
BUFFER_SIZE);
895
if(sret == 0){
438
if (buffer_length + BUFFER_SIZE > buffer_capacity){
439
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
440
if (buffer == NULL){
441
perror("realloc");
442
goto exit;
443
}
444
buffer_capacity += BUFFER_SIZE;
445
}
446
447
ret = gnutls_record_recv
448
(es.session, buffer+buffer_length, BUFFER_SIZE);
449
if (ret == 0){
896
450
break;
897
451
}
898
if(sret < 0){
899
switch(sret){
452
if (ret < 0){
453
switch(ret){
900
454
case GNUTLS_E_INTERRUPTED:
901
455
case GNUTLS_E_AGAIN:
902
456
break;
903
457
case GNUTLS_E_REHANDSHAKE:
904
do {
905
ret = gnutls_handshake(session);
906
907
if(quit_now){
908
errno = EINTR;
909
goto mandos_end;
910
}
911
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
912
if(ret < 0){
913
fprintf(stderr, "Mandos plugin mandos-client: "
914
"*** GnuTLS Re-handshake failed ***\n");
915
gnutls_perror(ret);
916
errno = EPROTO;
917
goto mandos_end;
458
ret = gnutls_handshake (es.session);
459
if (ret < 0){
460
fprintf(stderr, "\n*** Handshake failed ***\n");
461
gnutls_perror (ret);
462
retval = -1;
463
goto exit;
918
464
}
919
465
break;
920
466
default:
921
fprintf(stderr, "Mandos plugin mandos-client: "
922
"Unknown error while reading data from"
923
" encrypted session with Mandos server\n");
924
gnutls_bye(session, GNUTLS_SHUT_RDWR);
925
errno = EIO;
926
goto mandos_end;
467
fprintf(stderr, "Unknown error while reading data from"
468
" encrypted session with mandos server\n");
469
retval = -1;
470
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
471
goto exit;
927
472
}
928
473
} else {
929
buffer_length += (size_t) sret;
930
}
931
}
932
933
if(debug){
934
fprintf(stderr, "Mandos plugin mandos-client: "
935
"Closing TLS session\n");
936
}
937
938
if(quit_now){
939
errno = EINTR;
940
goto mandos_end;
941
}
942
943
do {
944
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
945
if(quit_now){
946
errno = EINTR;
947
goto mandos_end;
948
}
949
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
950
951
if(buffer_length > 0){
952
ssize_t decrypted_buffer_size;
953
decrypted_buffer_size = pgp_packet_decrypt(buffer, buffer_length,
954
&decrypted_buffer);
955
if(decrypted_buffer_size >= 0){
956
957
written = 0;
958
while(written < (size_t) decrypted_buffer_size){
959
if(quit_now){
960
errno = EINTR;
961
goto mandos_end;
962
}
963
964
ret = (int)fwrite(decrypted_buffer + written, 1,
965
(size_t)decrypted_buffer_size - written,
966
stdout);
474
buffer_length += (size_t) ret;
475
}
476
}
477
478
if (buffer_length > 0){
479
decrypted_buffer_size = pgp_packet_decrypt(buffer,
480
buffer_length,
481
&decrypted_buffer,
482
CERT_ROOT);
483
if (decrypted_buffer_size >= 0){
484
while(written < decrypted_buffer_size){
485
ret = (int)fwrite (decrypted_buffer + written, 1,
486
(size_t)decrypted_buffer_size - written,
487
stdout);
967
488
if(ret == 0 and ferror(stdout)){
968
int e = errno;
969
489
if(debug){
970
fprintf(stderr, "Mandos plugin mandos-client: "
971
"Error writing encrypted data: %s\n",
490
fprintf(stderr, "Error writing encrypted data: %s\n",
972
491
strerror(errno));
973
492
}
974
errno = e;
975
goto mandos_end;
493
retval = -1;
494
break;
976
495
}
977
496
written += (size_t)ret;
978
497
}
979
retval = 0;
980
}
981
}
982
983
/* Shutdown procedure */
984
985
mandos_end:
986
{
987
int e = errno;
988
free(decrypted_buffer);
989
free(buffer);
990
if(tcp_sd >= 0){
991
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
992
}
993
if(ret == -1){
994
if(e == 0){
995
e = errno;
996
}
997
perror_plus("close");
998
}
999
gnutls_deinit(session);
1000
errno = e;
1001
if(quit_now){
1002
errno = EINTR;
498
free(decrypted_buffer);
499
} else {
1003
500
retval = -1;
1004
501
}
1005
502
}
503
504
//shutdown procedure
505
506
if(debug){
507
fprintf(stderr, "Closing TLS session\n");
508
}
509
510
free(buffer);
511
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
512
exit:
513
close(tcp_sd);
514
gnutls_deinit (es.session);
515
gnutls_certificate_free_credentials (es.cred);
516
gnutls_global_deinit ();
1006
517
return retval;
1007
518
}
1008
519
1009
static void resolve_callback(AvahiSServiceResolver *r,
1010
AvahiIfIndex interface,
1011
AvahiProtocol proto,
1012
AvahiResolverEvent event,
1013
const char *name,
1014
const char *type,
1015
const char *domain,
1016
const char *host_name,
1017
const AvahiAddress *address,
1018
uint16_t port,
1019
AVAHI_GCC_UNUSED AvahiStringList *txt,
1020
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1021
flags,
1022
AVAHI_GCC_UNUSED void* userdata){
1023
assert(r);
520
static AvahiSimplePoll *simple_poll = NULL;
521
static AvahiServer *server = NULL;
522
523
static void resolve_callback(
524
AvahiSServiceResolver *r,
525
AvahiIfIndex interface,
526
AVAHI_GCC_UNUSED AvahiProtocol protocol,
527
AvahiResolverEvent event,
528
const char *name,
529
const char *type,
530
const char *domain,
531
const char *host_name,
532
const AvahiAddress *address,
533
uint16_t port,
534
AVAHI_GCC_UNUSED AvahiStringList *txt,
535
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
536
AVAHI_GCC_UNUSED void* userdata) {
537
538
assert(r); /* Spurious warning */
1024
539
1025
540
/* Called whenever a service has been resolved successfully or
1026
541
timed out */
1027
542
1028
if(quit_now){
1029
return;
1030
}
1031
1032
switch(event){
543
switch (event) {
1033
544
default:
1034
545
case AVAHI_RESOLVER_FAILURE:
1035
fprintf(stderr, "Mandos plugin mandos-client: "
1036
"(Avahi Resolver) Failed to resolve service '%s'"
1037
" of type '%s' in domain '%s': %s\n", name, type, domain,
1038
avahi_strerror(avahi_server_errno(mc.server)));
546
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
547
" type '%s' in domain '%s': %s\n", name, type, domain,
548
avahi_strerror(avahi_server_errno(server)));
1039
549
break;
1040
550
1041
551
case AVAHI_RESOLVER_FOUND:
1043
553
char ip[AVAHI_ADDRESS_STR_MAX];
1044
554
avahi_address_snprint(ip, sizeof(ip), address);
1045
555
if(debug){
1046
fprintf(stderr, "Mandos plugin mandos-client: "
1047
"Mandos server \"%s\" found on %s (%s, %"
1048
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
1049
ip, (intmax_t)interface, port);
556
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
557
" port %d\n", name, host_name, ip, port);
1050
558
}
1051
int ret = start_mandos_communication(ip, port, interface,
1052
avahi_proto_to_af(proto));
1053
if(ret == 0){
1054
avahi_simple_poll_quit(mc.simple_poll);
1055
} else {
1056
ret = add_server(ip, port, interface,
1057
avahi_proto_to_af(proto));
559
int ret = start_mandos_communication(ip, port,
560
(unsigned int) interface);
561
if (ret == 0){
562
exit(EXIT_SUCCESS);
1058
563
}
1059
564
}
1060
565
}
1061
566
avahi_s_service_resolver_free(r);
1062
567
}
1063
568
1064
static void browse_callback(AvahiSServiceBrowser *b,
1065
AvahiIfIndex interface,
1066
AvahiProtocol protocol,
1067
AvahiBrowserEvent event,
1068
const char *name,
1069
const char *type,
1070
const char *domain,
1071
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1072
flags,
1073
AVAHI_GCC_UNUSED void* userdata){
1074
assert(b);
1075
1076
/* Called whenever a new services becomes available on the LAN or
1077
is removed from the LAN */
1078
1079
if(quit_now){
1080
return;
1081
}
1082
1083
switch(event){
1084
default:
1085
case AVAHI_BROWSER_FAILURE:
1086
1087
fprintf(stderr, "Mandos plugin mandos-client: "
1088
"(Avahi browser) %s\n",
1089
avahi_strerror(avahi_server_errno(mc.server)));
1090
avahi_simple_poll_quit(mc.simple_poll);
1091
return;
1092
1093
case AVAHI_BROWSER_NEW:
1094
/* We ignore the returned Avahi resolver object. In the callback
1095
function we free it. If the Avahi server is terminated before
1096
the callback function is called the Avahi server will free the
1097
resolver for us. */
1098
1099
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1100
name, type, domain, protocol, 0,
1101
resolve_callback, NULL) == NULL)
1102
fprintf(stderr, "Mandos plugin mandos-client: "
1103
"Avahi: Failed to resolve service '%s': %s\n",
1104
name, avahi_strerror(avahi_server_errno(mc.server)));
1105
break;
1106
1107
case AVAHI_BROWSER_REMOVE:
1108
break;
1109
1110
case AVAHI_BROWSER_ALL_FOR_NOW:
1111
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1112
if(debug){
1113
fprintf(stderr, "Mandos plugin mandos-client: "
1114
"No Mandos server found, still searching...\n");
1115
}
1116
break;
1117
}
1118
}
1119
1120
/* Signal handler that stops main loop after SIGTERM */
1121
static void handle_sigterm(int sig){
1122
if(quit_now){
1123
return;
1124
}
1125
quit_now = 1;
1126
signal_received = sig;
1127
int old_errno = errno;
1128
/* set main loop to exit */
1129
if(mc.simple_poll != NULL){
1130
avahi_simple_poll_quit(mc.simple_poll);
1131
}
1132
errno = old_errno;
1133
}
1134
1135
bool get_flags(const char *ifname, struct ifreq *ifr){
1136
int ret;
1137
1138
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1139
if(s < 0){
1140
perror_plus("socket");
1141
return false;
1142
}
1143
strcpy(ifr->ifr_name, ifname);
1144
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1145
if(ret == -1){
1146
if(debug){
1147
perror_plus("ioctl SIOCGIFFLAGS");
1148
}
1149
return false;
1150
}
1151
return true;
1152
}
1153
1154
bool good_flags(const char *ifname, const struct ifreq *ifr){
1155
1156
/* Reject the loopback device */
1157
if(ifr->ifr_flags & IFF_LOOPBACK){
1158
if(debug){
1159
fprintf(stderr, "Mandos plugin mandos-client: "
1160
"Rejecting loopback interface \"%s\"\n", ifname);
1161
}
1162
return false;
1163
}
1164
/* Accept point-to-point devices only if connect_to is specified */
1165
if(connect_to != NULL and (ifr->ifr_flags & IFF_POINTOPOINT)){
1166
if(debug){
1167
fprintf(stderr, "Mandos plugin mandos-client: "
1168
"Accepting point-to-point interface \"%s\"\n", ifname);
1169
}
1170
return true;
1171
}
1172
/* Otherwise, reject non-broadcast-capable devices */
1173
if(not (ifr->ifr_flags & IFF_BROADCAST)){
1174
if(debug){
1175
fprintf(stderr, "Mandos plugin mandos-client: "
1176
"Rejecting non-broadcast interface \"%s\"\n", ifname);
1177
}
1178
return false;
1179
}
1180
/* Reject non-ARP interfaces (including dummy interfaces) */
1181
if(ifr->ifr_flags & IFF_NOARP){
1182
if(debug){
1183
fprintf(stderr, "Mandos plugin mandos-client: "
1184
"Rejecting non-ARP interface \"%s\"\n", ifname);
1185
}
1186
return false;
1187
}
1188
1189
/* Accept this device */
1190
if(debug){
1191
fprintf(stderr, "Mandos plugin mandos-client: "
1192
"Interface \"%s\" is good\n", ifname);
1193
}
1194
return true;
1195
}
1196
1197
/*
1198
* This function determines if a directory entry in /sys/class/net
1199
* corresponds to an acceptable network device.
1200
* (This function is passed to scandir(3) as a filter function.)
1201
*/
1202
int good_interface(const struct dirent *if_entry){
1203
if(if_entry->d_name[0] == '.'){
1204
return 0;
1205
}
1206
1207
struct ifreq ifr;
1208
if(not get_flags(if_entry->d_name, &ifr)){
1209
if(debug){
1210
fprintf(stderr, "Mandos plugin mandos-client: "
1211
"Failed to get flags for interface \"%s\"\n",
1212
if_entry->d_name);
1213
}
1214
return 0;
1215
}
1216
1217
if(not good_flags(if_entry->d_name, &ifr)){
1218
return 0;
1219
}
1220
return 1;
1221
}
1222
1223
/*
1224
* This function determines if a directory entry in /sys/class/net
1225
* corresponds to an acceptable network device which is up.
1226
* (This function is passed to scandir(3) as a filter function.)
1227
*/
1228
int up_interface(const struct dirent *if_entry){
1229
if(if_entry->d_name[0] == '.'){
1230
return 0;
1231
}
1232
1233
struct ifreq ifr;
1234
if(not get_flags(if_entry->d_name, &ifr)){
1235
if(debug){
1236
fprintf(stderr, "Mandos plugin mandos-client: "
1237
"Failed to get flags for interface \"%s\"\n",
1238
if_entry->d_name);
1239
}
1240
return 0;
1241
}
1242
1243
/* Reject down interfaces */
1244
if(not (ifr.ifr_flags & IFF_UP)){
1245
if(debug){
1246
fprintf(stderr, "Mandos plugin mandos-client: "
1247
"Rejecting down interface \"%s\"\n",
1248
if_entry->d_name);
1249
}
1250
return 0;
1251
}
1252
1253
/* Reject non-running interfaces */
1254
if(not (ifr.ifr_flags & IFF_RUNNING)){
1255
if(debug){
1256
fprintf(stderr, "Mandos plugin mandos-client: "
1257
"Rejecting non-running interface \"%s\"\n",
1258
if_entry->d_name);
1259
}
1260
return 0;
1261
}
1262
1263
if(not good_flags(if_entry->d_name, &ifr)){
1264
return 0;
1265
}
1266
return 1;
1267
}
1268
1269
int notdotentries(const struct dirent *direntry){
1270
/* Skip "." and ".." */
1271
if(direntry->d_name[0] == '.'
1272
and (direntry->d_name[1] == '\0'
1273
or (direntry->d_name[1] == '.'
1274
and direntry->d_name[2] == '\0'))){
1275
return 0;
1276
}
1277
return 1;
1278
}
1279
1280
/* Is this directory entry a runnable program? */
1281
int runnable_hook(const struct dirent *direntry){
1282
int ret;
1283
size_t sret;
1284
struct stat st;
1285
1286
if((direntry->d_name)[0] == '\0'){
1287
/* Empty name? */
1288
return 0;
1289
}
1290
1291
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1292
"abcdefghijklmnopqrstuvwxyz"
1293
"0123456789"
1294
"_-");
1295
if((direntry->d_name)[sret] != '\0'){
1296
/* Contains non-allowed characters */
1297
if(debug){
1298
fprintf(stderr, "Mandos plugin mandos-client: "
1299
"Ignoring hook \"%s\" with bad name\n",
1300
direntry->d_name);
1301
}
1302
return 0;
1303
}
1304
1305
char *fullname = NULL;
1306
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1307
if(ret < 0){
1308
perror_plus("asprintf");
1309
return 0;
1310
}
1311
1312
ret = stat(fullname, &st);
1313
if(ret == -1){
1314
if(debug){
1315
perror_plus("Could not stat hook");
1316
}
1317
return 0;
1318
}
1319
if(not (S_ISREG(st.st_mode))){
1320
/* Not a regular file */
1321
if(debug){
1322
fprintf(stderr, "Mandos plugin mandos-client: "
1323
"Ignoring hook \"%s\" - not a file\n",
1324
direntry->d_name);
1325
}
1326
return 0;
1327
}
1328
if(not (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))){
1329
/* Not executable */
1330
if(debug){
1331
fprintf(stderr, "Mandos plugin mandos-client: "
1332
"Ignoring hook \"%s\" - not executable\n",
1333
direntry->d_name);
1334
}
1335
return 0;
1336
}
1337
return 1;
1338
}
1339
1340
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval){
1341
int ret;
1342
struct timespec now;
1343
struct timespec waited_time;
1344
intmax_t block_time;
1345
1346
while(true){
1347
if(mc.current_server == NULL){
1348
if (debug){
1349
fprintf(stderr, "Mandos plugin mandos-client: "
1350
"Wait until first server is found. No timeout!\n");
1351
}
1352
ret = avahi_simple_poll_iterate(s, -1);
1353
} else {
1354
if (debug){
1355
fprintf(stderr, "Mandos plugin mandos-client: "
1356
"Check current_server if we should run it,"
1357
" or wait\n");
1358
}
1359
/* the current time */
1360
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1361
if(ret == -1){
1362
perror_plus("clock_gettime");
1363
return -1;
1364
}
1365
/* Calculating in ms how long time between now and server
1366
who we visted longest time ago. Now - last seen. */
1367
waited_time.tv_sec = (now.tv_sec
1368
- mc.current_server->last_seen.tv_sec);
1369
waited_time.tv_nsec = (now.tv_nsec
1370
- mc.current_server->last_seen.tv_nsec);
1371
/* total time is 10s/10,000ms.
1372
Converting to s from ms by dividing by 1,000,
1373
and ns to ms by dividing by 1,000,000. */
1374
block_time = ((retry_interval
1375
- ((intmax_t)waited_time.tv_sec * 1000))
1376
- ((intmax_t)waited_time.tv_nsec / 1000000));
1377
1378
if (debug){
1379
fprintf(stderr, "Mandos plugin mandos-client: "
1380
"Blocking for %" PRIdMAX " ms\n", block_time);
1381
}
1382
1383
if(block_time <= 0){
1384
ret = start_mandos_communication(mc.current_server->ip,
1385
mc.current_server->port,
1386
mc.current_server->if_index,
1387
mc.current_server->af);
1388
if(ret == 0){
1389
avahi_simple_poll_quit(mc.simple_poll);
1390
return 0;
1391
}
1392
ret = clock_gettime(CLOCK_MONOTONIC,
1393
&mc.current_server->last_seen);
1394
if(ret == -1){
1395
perror_plus("clock_gettime");
1396
return -1;
1397
}
1398
mc.current_server = mc.current_server->next;
1399
block_time = 0; /* Call avahi to find new Mandos
1400
servers, but don't block */
1401
}
1402
1403
ret = avahi_simple_poll_iterate(s, (int)block_time);
1404
}
1405
if(ret != 0){
1406
if (ret > 0 or errno != EINTR){
1407
return (ret != 1) ? ret : 0;
1408
}
1409
}
1410
}
1411
}
1412
1413
int main(int argc, char *argv[]){
1414
AvahiSServiceBrowser *sb = NULL;
1415
int error;
1416
int ret;
1417
intmax_t tmpmax;
1418
char *tmp;
1419
int exitcode = EXIT_SUCCESS;
1420
const char *interface = "";
1421
struct ifreq network;
1422
int sd = -1;
1423
bool take_down_interface = false;
1424
uid_t uid;
1425
gid_t gid;
1426
char tempdir[] = "/tmp/mandosXXXXXX";
1427
bool tempdir_created = false;
1428
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1429
const char *seckey = PATHDIR "/" SECKEY;
1430
const char *pubkey = PATHDIR "/" PUBKEY;
1431
1432
bool gnutls_initialized = false;
1433
bool gpgme_initialized = false;
1434
float delay = 2.5f;
1435
double retry_interval = 10; /* 10s between trying a server and
1436
retrying the same server again */
1437
1438
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1439
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1440
1441
uid = getuid();
1442
gid = getgid();
1443
1444
/* Lower any group privileges we might have, just to be safe */
1445
errno = 0;
1446
ret = setgid(gid);
1447
if(ret == -1){
1448
perror_plus("setgid");
1449
}
1450
1451
/* Lower user privileges (temporarily) */
1452
errno = 0;
1453
ret = seteuid(uid);
1454
if(ret == -1){
1455
perror_plus("seteuid");
1456
}
1457
1458
if(quit_now){
1459
goto end;
1460
}
1461
1462
{
1463
struct argp_option options[] = {
1464
{ .name = "debug", .key = 128,
1465
.doc = "Debug mode", .group = 3 },
1466
{ .name = "connect", .key = 'c',
1467
.arg = "ADDRESS:PORT",
1468
.doc = "Connect directly to a specific Mandos server",
1469
.group = 1 },
1470
{ .name = "interface", .key = 'i',
1471
.arg = "NAME",
1472
.doc = "Network interface that will be used to search for"
1473
" Mandos servers",
1474
.group = 1 },
1475
{ .name = "seckey", .key = 's',
1476
.arg = "FILE",
1477
.doc = "OpenPGP secret key file base name",
1478
.group = 1 },
1479
{ .name = "pubkey", .key = 'p',
1480
.arg = "FILE",
1481
.doc = "OpenPGP public key file base name",
1482
.group = 2 },
1483
{ .name = "dh-bits", .key = 129,
1484
.arg = "BITS",
1485
.doc = "Bit length of the prime number used in the"
1486
" Diffie-Hellman key exchange",
1487
.group = 2 },
1488
{ .name = "priority", .key = 130,
1489
.arg = "STRING",
1490
.doc = "GnuTLS priority string for the TLS handshake",
1491
.group = 1 },
1492
{ .name = "delay", .key = 131,
1493
.arg = "SECONDS",
1494
.doc = "Maximum delay to wait for interface startup",
1495
.group = 2 },
1496
{ .name = "retry", .key = 132,
1497
.arg = "SECONDS",
1498
.doc = "Retry interval used when denied by the mandos server",
1499
.group = 2 },
1500
{ .name = "network-hook-dir", .key = 133,
1501
.arg = "DIR",
1502
.doc = "Directory where network hooks are located",
1503
.group = 2 },
1504
/*
1505
* These reproduce what we would get without ARGP_NO_HELP
1506
*/
1507
{ .name = "help", .key = '?',
1508
.doc = "Give this help list", .group = -1 },
1509
{ .name = "usage", .key = -3,
1510
.doc = "Give a short usage message", .group = -1 },
1511
{ .name = "version", .key = 'V',
1512
.doc = "Print program version", .group = -1 },
1513
{ .name = NULL }
1514
};
1515
1516
error_t parse_opt(int key, char *arg,
1517
struct argp_state *state){
1518
errno = 0;
1519
switch(key){
1520
case 128: /* --debug */
1521
debug = true;
1522
break;
1523
case 'c': /* --connect */
1524
connect_to = arg;
1525
break;
1526
case 'i': /* --interface */
1527
interface = arg;
1528
break;
1529
case 's': /* --seckey */
1530
seckey = arg;
1531
break;
1532
case 'p': /* --pubkey */
1533
pubkey = arg;
1534
break;
1535
case 129: /* --dh-bits */
1536
errno = 0;
1537
tmpmax = strtoimax(arg, &tmp, 10);
1538
if(errno != 0 or tmp == arg or *tmp != '\0'
1539
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1540
argp_error(state, "Bad number of DH bits");
1541
}
1542
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1543
break;
1544
case 130: /* --priority */
1545
mc.priority = arg;
1546
break;
1547
case 131: /* --delay */
1548
errno = 0;
1549
delay = strtof(arg, &tmp);
1550
if(errno != 0 or tmp == arg or *tmp != '\0'){
1551
argp_error(state, "Bad delay");
1552
}
1553
case 132: /* --retry */
1554
errno = 0;
1555
retry_interval = strtod(arg, &tmp);
1556
if(errno != 0 or tmp == arg or *tmp != '\0'
1557
or (retry_interval * 1000) > INT_MAX
1558
or retry_interval < 0){
1559
argp_error(state, "Bad retry interval");
1560
}
1561
break;
1562
case 133: /* --network-hook-dir */
1563
hookdir = arg;
1564
break;
1565
/*
1566
* These reproduce what we would get without ARGP_NO_HELP
1567
*/
1568
case '?': /* --help */
1569
argp_state_help(state, state->out_stream,
1570
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1571
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1572
case -3: /* --usage */
1573
argp_state_help(state, state->out_stream,
1574
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1575
case 'V': /* --version */
1576
fprintf(state->out_stream, "Mandos plugin mandos-client: ");
1577
fprintf(state->out_stream, "%s\n", argp_program_version);
1578
exit(argp_err_exit_status);
1579
break;
1580
default:
1581
return ARGP_ERR_UNKNOWN;
1582
}
1583
return errno;
1584
}
1585
1586
struct argp argp = { .options = options, .parser = parse_opt,
1587
.args_doc = "",
1588
.doc = "Mandos client -- Get and decrypt"
1589
" passwords from a Mandos server" };
1590
ret = argp_parse(&argp, argc, argv,
1591
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1592
switch(ret){
1593
case 0:
1594
break;
1595
case ENOMEM:
569
static void browse_callback(
570
AvahiSServiceBrowser *b,
571
AvahiIfIndex interface,
572
AvahiProtocol protocol,
573
AvahiBrowserEvent event,
574
const char *name,
575
const char *type,
576
const char *domain,
577
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
578
void* userdata) {
579
580
AvahiServer *s = userdata;
581
assert(b); /* Spurious warning */
582
583
/* Called whenever a new services becomes available on the LAN or
584
is removed from the LAN */
585
586
switch (event) {
1596
587
default:
1597
errno = ret;
1598
perror_plus("argp_parse");
1599
exitcode = EX_OSERR;
1600
goto end;
1601
case EINVAL:
1602
exitcode = EX_USAGE;
1603
goto end;
1604
}
1605
}
1606
1607
{
1608
/* Work around Debian bug #633582:
1609
<http://bugs.debian.org/633582> */
1610
struct stat st;
1611
1612
/* Re-raise priviliges */
1613
errno = 0;
1614
ret = seteuid(0);
1615
if(ret == -1){
1616
perror_plus("seteuid");
1617
}
1618
1619
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1620
int seckey_fd = open(seckey, O_RDONLY);
1621
if(seckey_fd == -1){
1622
perror_plus("open");
1623
} else {
1624
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1625
if(ret == -1){
1626
perror_plus("fstat");
1627
} else {
1628
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1629
ret = fchown(seckey_fd, uid, gid);
1630
if(ret == -1){
1631
perror_plus("fchown");
1632
}
1633
}
1634
}
1635
TEMP_FAILURE_RETRY(close(seckey_fd));
1636
}
1637
}
1638
1639
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1640
int pubkey_fd = open(pubkey, O_RDONLY);
1641
if(pubkey_fd == -1){
1642
perror_plus("open");
1643
} else {
1644
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1645
if(ret == -1){
1646
perror_plus("fstat");
1647
} else {
1648
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1649
ret = fchown(pubkey_fd, uid, gid);
1650
if(ret == -1){
1651
perror_plus("fchown");
1652
}
1653
}
1654
}
1655
TEMP_FAILURE_RETRY(close(pubkey_fd));
1656
}
1657
}
1658
1659
/* Lower privileges */
1660
errno = 0;
1661
ret = seteuid(uid);
1662
if(ret == -1){
1663
perror_plus("seteuid");
1664
}
1665
}
1666
1667
/* Find network hooks and run them */
1668
{
1669
struct dirent **direntries;
1670
struct dirent *direntry;
1671
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1672
alphasort);
1673
if(numhooks == -1){
1674
perror_plus("scandir");
1675
} else {
1676
int devnull = open("/dev/null", O_RDONLY);
1677
for(int i = 0; i < numhooks; i++){
1678
direntry = direntries[0];
1679
char *fullname = NULL;
1680
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1681
if(ret < 0){
1682
perror_plus("asprintf");
1683
continue;
1684
}
1685
pid_t hook_pid = fork();
1686
if(hook_pid == 0){
1687
/* Child */
1688
dup2(devnull, STDIN_FILENO);
1689
close(devnull);
1690
dup2(STDERR_FILENO, STDOUT_FILENO);
1691
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1692
if(ret == -1){
1693
perror_plus("setenv");
1694
exit(1);
1695
}
1696
ret = setenv("DEVICE", interface, 1);
1697
if(ret == -1){
1698
perror_plus("setenv");
1699
exit(1);
1700
}
1701
ret = setenv("VERBOSE", debug ? "1" : "0", 1);
1702
if(ret == -1){
1703
perror_plus("setenv");
1704
exit(1);
1705
}
1706
ret = setenv("MODE", "start", 1);
1707
if(ret == -1){
1708
perror_plus("setenv");
1709
exit(1);
1710
}
1711
char *delaystring;
1712
ret = asprintf(&delaystring, "%f", delay);
1713
if(ret == -1){
1714
perror_plus("asprintf");
1715
exit(1);
1716
}
1717
ret = setenv("DELAY", delaystring, 1);
1718
if(ret == -1){
1719
free(delaystring);
1720
perror_plus("setenv");
1721
exit(1);
1722
}
1723
free(delaystring);
1724
ret = execl(fullname, direntry->d_name, "start", NULL);
1725
perror_plus("execl");
1726
} else {
1727
int status;
1728
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1729
perror_plus("waitpid");
1730
free(fullname);
1731
continue;
1732
}
1733
if(WIFEXITED(status)){
1734
if(WEXITSTATUS(status) != 0){
1735
fprintf(stderr, "Mandos plugin mandos-client: "
1736
"Warning: network hook \"%s\" exited"
1737
" with status %d\n", direntry->d_name,
1738
WEXITSTATUS(status));
1739
free(fullname);
1740
continue;
1741
}
1742
} else if(WIFSIGNALED(status)){
1743
fprintf(stderr, "Mandos plugin mandos-client: "
1744
"Warning: network hook \"%s\" died by"
1745
" signal %d\n", direntry->d_name,
1746
WTERMSIG(status));
1747
free(fullname);
1748
continue;
1749
} else {
1750
fprintf(stderr, "Mandos plugin mandos-client: "
1751
"Warning: network hook \"%s\" crashed\n",
1752
direntry->d_name);
1753
free(fullname);
1754
continue;
1755
}
1756
}
1757
free(fullname);
1758
if(quit_now){
1759
goto end;
1760
}
1761
}
1762
close(devnull);
1763
}
1764
}
1765
1766
if(not debug){
1767
avahi_set_log_function(empty_log);
1768
}
1769
1770
if(interface[0] == '\0'){
1771
struct dirent **direntries;
1772
/* First look for interfaces that are up */
1773
ret = scandir(sys_class_net, &direntries, up_interface,
1774
alphasort);
1775
if(ret == 0){
1776
/* No up interfaces, look for any good interfaces */
1777
free(direntries);
1778
ret = scandir(sys_class_net, &direntries, good_interface,
1779
alphasort);
1780
}
1781
if(ret >= 1){
1782
/* Pick the first interface returned */
1783
interface = strdup(direntries[0]->d_name);
1784
if(debug){
1785
fprintf(stderr, "Mandos plugin mandos-client: "
1786
"Using interface \"%s\"\n", interface);
1787
}
1788
if(interface == NULL){
1789
perror_plus("malloc");
1790
free(direntries);
1791
exitcode = EXIT_FAILURE;
1792
goto end;
1793
}
1794
free(direntries);
1795
} else {
1796
free(direntries);
1797
fprintf(stderr, "Mandos plugin mandos-client: "
1798
"Could not find a network interface\n");
1799
exitcode = EXIT_FAILURE;
1800
goto end;
1801
}
1802
}
1803
1804
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1805
from the signal handler */
1806
/* Initialize the pseudo-RNG for Avahi */
1807
srand((unsigned int) time(NULL));
1808
mc.simple_poll = avahi_simple_poll_new();
1809
if(mc.simple_poll == NULL){
1810
fprintf(stderr, "Mandos plugin mandos-client: "
1811
"Avahi: Failed to create simple poll object.\n");
1812
exitcode = EX_UNAVAILABLE;
1813
goto end;
1814
}
1815
1816
sigemptyset(&sigterm_action.sa_mask);
1817
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1818
if(ret == -1){
1819
perror_plus("sigaddset");
1820
exitcode = EX_OSERR;
1821
goto end;
1822
}
1823
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1824
if(ret == -1){
1825
perror_plus("sigaddset");
1826
exitcode = EX_OSERR;
1827
goto end;
1828
}
1829
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1830
if(ret == -1){
1831
perror_plus("sigaddset");
1832
exitcode = EX_OSERR;
1833
goto end;
1834
}
1835
/* Need to check if the handler is SIG_IGN before handling:
1836
| [[info:libc:Initial Signal Actions]] |
1837
| [[info:libc:Basic Signal Handling]] |
1838
*/
1839
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1840
if(ret == -1){
1841
perror_plus("sigaction");
1842
return EX_OSERR;
1843
}
1844
if(old_sigterm_action.sa_handler != SIG_IGN){
1845
ret = sigaction(SIGINT, &sigterm_action, NULL);
1846
if(ret == -1){
1847
perror_plus("sigaction");
1848
exitcode = EX_OSERR;
1849
goto end;
1850
}
1851
}
1852
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1853
if(ret == -1){
1854
perror_plus("sigaction");
1855
return EX_OSERR;
1856
}
1857
if(old_sigterm_action.sa_handler != SIG_IGN){
1858
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1859
if(ret == -1){
1860
perror_plus("sigaction");
1861
exitcode = EX_OSERR;
1862
goto end;
1863
}
1864
}
1865
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1866
if(ret == -1){
1867
perror_plus("sigaction");
1868
return EX_OSERR;
1869
}
1870
if(old_sigterm_action.sa_handler != SIG_IGN){
1871
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1872
if(ret == -1){
1873
perror_plus("sigaction");
1874
exitcode = EX_OSERR;
1875
goto end;
1876
}
1877
}
1878
1879
/* If the interface is down, bring it up */
1880
if(strcmp(interface, "none") != 0){
1881
if_index = (AvahiIfIndex) if_nametoindex(interface);
1882
if(if_index == 0){
1883
fprintf(stderr, "Mandos plugin mandos-client: "
1884
"No such interface: \"%s\"\n", interface);
1885
exitcode = EX_UNAVAILABLE;
1886
goto end;
1887
}
1888
1889
if(quit_now){
1890
goto end;
1891
}
1892
1893
/* Re-raise priviliges */
1894
errno = 0;
1895
ret = seteuid(0);
1896
if(ret == -1){
1897
perror_plus("seteuid");
1898
}
1899
1900
#ifdef __linux__
1901
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1902
messages about the network interface to mess up the prompt */
1903
ret = klogctl(8, NULL, 5);
1904
bool restore_loglevel = true;
1905
if(ret == -1){
1906
restore_loglevel = false;
1907
perror_plus("klogctl");
1908
}
1909
#endif /* __linux__ */
1910
1911
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1912
if(sd < 0){
1913
perror_plus("socket");
1914
exitcode = EX_OSERR;
1915
#ifdef __linux__
1916
if(restore_loglevel){
1917
ret = klogctl(7, NULL, 0);
1918
if(ret == -1){
1919
perror_plus("klogctl");
1920
}
1921
}
1922
#endif /* __linux__ */
1923
/* Lower privileges */
1924
errno = 0;
1925
ret = seteuid(uid);
1926
if(ret == -1){
1927
perror_plus("seteuid");
1928
}
1929
goto end;
1930
}
1931
strcpy(network.ifr_name, interface);
1932
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1933
if(ret == -1){
1934
perror_plus("ioctl SIOCGIFFLAGS");
1935
#ifdef __linux__
1936
if(restore_loglevel){
1937
ret = klogctl(7, NULL, 0);
1938
if(ret == -1){
1939
perror_plus("klogctl");
1940
}
1941
}
1942
#endif /* __linux__ */
1943
exitcode = EX_OSERR;
1944
/* Lower privileges */
1945
errno = 0;
1946
ret = seteuid(uid);
1947
if(ret == -1){
1948
perror_plus("seteuid");
1949
}
1950
goto end;
1951
}
1952
if((network.ifr_flags & IFF_UP) == 0){
1953
network.ifr_flags |= IFF_UP;
1954
take_down_interface = true;
1955
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1956
if(ret == -1){
1957
take_down_interface = false;
1958
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1959
exitcode = EX_OSERR;
1960
#ifdef __linux__
1961
if(restore_loglevel){
1962
ret = klogctl(7, NULL, 0);
1963
if(ret == -1){
1964
perror_plus("klogctl");
1965
}
1966
}
1967
#endif /* __linux__ */
1968
/* Lower privileges */
1969
errno = 0;
1970
ret = seteuid(uid);
1971
if(ret == -1){
1972
perror_plus("seteuid");
1973
}
1974
goto end;
1975
}
1976
}
1977
/* Sleep checking until interface is running.
1978
Check every 0.25s, up to total time of delay */
1979
for(int i=0; i < delay * 4; i++){
1980
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1981
if(ret == -1){
1982
perror_plus("ioctl SIOCGIFFLAGS");
1983
} else if(network.ifr_flags & IFF_RUNNING){
1984
break;
1985
}
1986
struct timespec sleeptime = { .tv_nsec = 250000000 };
1987
ret = nanosleep(&sleeptime, NULL);
1988
if(ret == -1 and errno != EINTR){
1989
perror_plus("nanosleep");
1990
}
1991
}
1992
if(not take_down_interface){
1993
/* We won't need the socket anymore */
1994
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1995
if(ret == -1){
1996
perror_plus("close");
1997
}
1998
}
1999
#ifdef __linux__
2000
if(restore_loglevel){
2001
/* Restores kernel loglevel to default */
2002
ret = klogctl(7, NULL, 0);
2003
if(ret == -1){
2004
perror_plus("klogctl");
2005
}
2006
}
2007
#endif /* __linux__ */
2008
/* Lower privileges */
2009
errno = 0;
2010
if(take_down_interface){
2011
/* Lower privileges */
2012
ret = seteuid(uid);
2013
if(ret == -1){
2014
perror_plus("seteuid");
2015
}
2016
} else {
2017
/* Lower privileges permanently */
2018
ret = setuid(uid);
2019
if(ret == -1){
2020
perror_plus("setuid");
2021
}
2022
}
2023
}
2024
2025
if(quit_now){
2026
goto end;
2027
}
2028
2029
ret = init_gnutls_global(pubkey, seckey);
2030
if(ret == -1){
2031
fprintf(stderr, "Mandos plugin mandos-client: "
2032
"init_gnutls_global failed\n");
2033
exitcode = EX_UNAVAILABLE;
2034
goto end;
2035
} else {
2036
gnutls_initialized = true;
2037
}
2038
2039
if(quit_now){
2040
goto end;
2041
}
2042
2043
if(mkdtemp(tempdir) == NULL){
2044
perror_plus("mkdtemp");
2045
goto end;
2046
}
2047
tempdir_created = true;
2048
2049
if(quit_now){
2050
goto end;
2051
}
2052
2053
if(not init_gpgme(pubkey, seckey, tempdir)){
2054
fprintf(stderr, "Mandos plugin mandos-client: "
2055
"init_gpgme failed\n");
2056
exitcode = EX_UNAVAILABLE;
2057
goto end;
2058
} else {
2059
gpgme_initialized = true;
2060
}
2061
2062
if(quit_now){
2063
goto end;
2064
}
2065
2066
if(connect_to != NULL){
2067
/* Connect directly, do not use Zeroconf */
2068
/* (Mainly meant for debugging) */
2069
char *address = strrchr(connect_to, ':');
2070
if(address == NULL){
2071
fprintf(stderr, "Mandos plugin mandos-client: "
2072
"No colon in address\n");
2073
exitcode = EX_USAGE;
2074
goto end;
2075
}
2076
2077
if(quit_now){
2078
goto end;
2079
}
2080
2081
uint16_t port;
2082
errno = 0;
2083
tmpmax = strtoimax(address+1, &tmp, 10);
2084
if(errno != 0 or tmp == address+1 or *tmp != '\0'
2085
or tmpmax != (uint16_t)tmpmax){
2086
fprintf(stderr, "Mandos plugin mandos-client: "
2087
"Bad port number\n");
2088
exitcode = EX_USAGE;
2089
goto end;
2090
}
2091
2092
if(quit_now){
2093
goto end;
2094
}
2095
2096
port = (uint16_t)tmpmax;
2097
*address = '\0';
2098
/* Colon in address indicates IPv6 */
2099
int af;
2100
if(strchr(connect_to, ':') != NULL){
2101
af = AF_INET6;
2102
/* Accept [] around IPv6 address - see RFC 5952 */
2103
if(connect_to[0] == '[' and address[-1] == ']')
2104
{
2105
connect_to++;
2106
address[-1] = '\0';
2107
}
2108
} else {
2109
af = AF_INET;
2110
}
2111
address = connect_to;
2112
2113
if(quit_now){
2114
goto end;
2115
}
2116
2117
while(not quit_now){
2118
ret = start_mandos_communication(address, port, if_index, af);
2119
if(quit_now or ret == 0){
2120
break;
2121
}
2122
if(debug){
2123
fprintf(stderr, "Mandos plugin mandos-client: "
2124
"Retrying in %d seconds\n", (int)retry_interval);
2125
}
2126
sleep((int)retry_interval);
2127
}
2128
2129
if (not quit_now){
2130
exitcode = EXIT_SUCCESS;
2131
}
2132
2133
goto end;
2134
}
2135
2136
if(quit_now){
2137
goto end;
2138
}
2139
2140
{
588
case AVAHI_BROWSER_FAILURE:
589
590
fprintf(stderr, "(Browser) %s\n",
591
avahi_strerror(avahi_server_errno(server)));
592
avahi_simple_poll_quit(simple_poll);
593
return;
594
595
case AVAHI_BROWSER_NEW:
596
/* We ignore the returned resolver object. In the callback
597
function we free it. If the server is terminated before
598
the callback function is called the server will free
599
the resolver for us. */
600
601
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
602
type, domain,
603
AVAHI_PROTO_INET6, 0,
604
resolve_callback, s)))
605
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
606
avahi_strerror(avahi_server_errno(s)));
607
break;
608
609
case AVAHI_BROWSER_REMOVE:
610
break;
611
612
case AVAHI_BROWSER_ALL_FOR_NOW:
613
case AVAHI_BROWSER_CACHE_EXHAUSTED:
614
break;
615
}
616
}
617
618
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
2141
619
AvahiServerConfig config;
2142
/* Do not publish any local Zeroconf records */
620
AvahiSServiceBrowser *sb = NULL;
621
int error;
622
int ret;
623
int returncode = EXIT_SUCCESS;
624
const char *interface = "eth0";
625
626
while (true){
627
static struct option long_options[] = {
628
{"debug", no_argument, (int *)&debug, 1},
629
{"interface", required_argument, 0, 'i'},
630
{0, 0, 0, 0} };
631
632
int option_index = 0;
633
ret = getopt_long (argc, argv, "i:", long_options,
634
&option_index);
635
636
if (ret == -1){
637
break;
638
}
639
640
switch(ret){
641
case 0:
642
break;
643
case 'i':
644
interface = optarg;
645
break;
646
default:
647
exit(EXIT_FAILURE);
648
}
649
}
650
651
if (not debug){
652
avahi_set_log_function(empty_log);
653
}
654
655
/* Initialize the psuedo-RNG */
656
srand((unsigned int) time(NULL));
657
658
/* Allocate main loop object */
659
if (!(simple_poll = avahi_simple_poll_new())) {
660
fprintf(stderr, "Failed to create simple poll object.\n");
661
662
goto exit;
663
}
664
665
/* Do not publish any local records */
2143
666
avahi_server_config_init(&config);
2144
667
config.publish_hinfo = 0;
2145
668
config.publish_addresses = 0;
2146
669
config.publish_workstation = 0;
2147
670
config.publish_domain = 0;
2148
671
2149
672
/* Allocate a new server */
2150
mc.server = avahi_server_new(avahi_simple_poll_get
2151
(mc.simple_poll), &config, NULL,
2152
NULL, &error);
2153
2154
/* Free the Avahi configuration data */
673
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
674
&config, NULL, NULL, &error);
675
676
/* Free the configuration data */
2155
677
avahi_server_config_free(&config);
2156
}
2157
2158
/* Check if creating the Avahi server object succeeded */
2159
if(mc.server == NULL){
2160
fprintf(stderr, "Mandos plugin mandos-client: "
2161
"Failed to create Avahi server: %s\n",
2162
avahi_strerror(error));
2163
exitcode = EX_UNAVAILABLE;
2164
goto end;
2165
}
2166
2167
if(quit_now){
2168
goto end;
2169
}
2170
2171
/* Create the Avahi service browser */
2172
sb = avahi_s_service_browser_new(mc.server, if_index,
2173
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2174
NULL, 0, browse_callback, NULL);
2175
if(sb == NULL){
2176
fprintf(stderr, "Mandos plugin mandos-client: "
2177
"Failed to create service browser: %s\n",
2178
avahi_strerror(avahi_server_errno(mc.server)));
2179
exitcode = EX_UNAVAILABLE;
2180
goto end;
2181
}
2182
2183
if(quit_now){
2184
goto end;
2185
}
2186
2187
/* Run the main loop */
2188
2189
if(debug){
2190
fprintf(stderr, "Mandos plugin mandos-client: "
2191
"Starting Avahi loop search\n");
2192
}
2193
2194
ret = avahi_loop_with_timeout(mc.simple_poll,
2195
(int)(retry_interval * 1000));
2196
if(debug){
2197
fprintf(stderr, "Mandos plugin mandos-client: "
2198
"avahi_loop_with_timeout exited %s\n",
2199
(ret == 0) ? "successfully" : "with error");
2200
}
2201
2202
end:
2203
2204
if(debug){
2205
fprintf(stderr, "Mandos plugin mandos-client: "
2206
"%s exiting\n", argv[0]);
2207
}
2208
2209
/* Cleanup things */
2210
if(sb != NULL)
2211
avahi_s_service_browser_free(sb);
2212
2213
if(mc.server != NULL)
2214
avahi_server_free(mc.server);
2215
2216
if(mc.simple_poll != NULL)
2217
avahi_simple_poll_free(mc.simple_poll);
2218
2219
if(gnutls_initialized){
2220
gnutls_certificate_free_credentials(mc.cred);
2221
gnutls_global_deinit();
2222
gnutls_dh_params_deinit(mc.dh_params);
2223
}
2224
2225
if(gpgme_initialized){
2226
gpgme_release(mc.ctx);
2227
}
2228
2229
/* Cleans up the circular linked list of Mandos servers the client
2230
has seen */
2231
if(mc.current_server != NULL){
2232
mc.current_server->prev->next = NULL;
2233
while(mc.current_server != NULL){
2234
server *next = mc.current_server->next;
2235
free(mc.current_server);
2236
mc.current_server = next;
2237
}
2238
}
2239
2240
/* XXX run network hooks "stop" here */
2241
2242
/* Take down the network interface */
2243
if(take_down_interface){
2244
/* Re-raise priviliges */
2245
errno = 0;
2246
ret = seteuid(0);
2247
if(ret == -1){
2248
perror_plus("seteuid");
2249
}
2250
if(geteuid() == 0){
2251
ret = ioctl(sd, SIOCGIFFLAGS, &network);
2252
if(ret == -1){
2253
perror_plus("ioctl SIOCGIFFLAGS");
2254
} else if(network.ifr_flags & IFF_UP){
2255
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2256
ret = ioctl(sd, SIOCSIFFLAGS, &network);
2257
if(ret == -1){
2258
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
2259
}
2260
}
2261
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2262
if(ret == -1){
2263
perror_plus("close");
2264
}
2265
/* Lower privileges permanently */
2266
errno = 0;
2267
ret = setuid(uid);
2268
if(ret == -1){
2269
perror_plus("setuid");
2270
}
2271
}
2272
}
2273
2274
/* Removes the GPGME temp directory and all files inside */
2275
if(tempdir_created){
2276
struct dirent **direntries = NULL;
2277
struct dirent *direntry = NULL;
2278
int numentries = scandir(tempdir, &direntries, notdotentries,
2279
alphasort);
2280
if (numentries > 0){
2281
for(int i = 0; i < numentries; i++){
2282
direntry = direntries[i];
2283
char *fullname = NULL;
2284
ret = asprintf(&fullname, "%s/%s", tempdir,
2285
direntry->d_name);
2286
if(ret < 0){
2287
perror_plus("asprintf");
2288
continue;
2289
}
2290
ret = remove(fullname);
2291
if(ret == -1){
2292
fprintf(stderr, "Mandos plugin mandos-client: "
2293
"remove(\"%s\"): %s\n", fullname, strerror(errno));
2294
}
2295
free(fullname);
2296
}
2297
}
2298
2299
/* need to clean even if 0 because man page doesn't specify */
2300
free(direntries);
2301
if (numentries == -1){
2302
perror_plus("scandir");
2303
}
2304
ret = rmdir(tempdir);
2305
if(ret == -1 and errno != ENOENT){
2306
perror_plus("rmdir");
2307
}
2308
}
2309
2310
if(quit_now){
2311
sigemptyset(&old_sigterm_action.sa_mask);
2312
old_sigterm_action.sa_handler = SIG_DFL;
2313
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
2314
&old_sigterm_action,
2315
NULL));
2316
if(ret == -1){
2317
perror_plus("sigaction");
2318
}
2319
do {
2320
ret = raise(signal_received);
2321
} while(ret != 0 and errno == EINTR);
2322
if(ret != 0){
2323
perror_plus("raise");
2324
abort();
2325
}
2326
TEMP_FAILURE_RETRY(pause());
2327
}
2328
2329
return exitcode;
678
679
/* Check if creating the server object succeeded */
680
if (!server) {
681
fprintf(stderr, "Failed to create server: %s\n",
682
avahi_strerror(error));
683
returncode = EXIT_FAILURE;
684
goto exit;
685
}
686
687
/* Create the service browser */
688
sb = avahi_s_service_browser_new(server,
689
(AvahiIfIndex)
690
if_nametoindex(interface),
691
AVAHI_PROTO_INET6,
692
"_mandos._tcp", NULL, 0,
693
browse_callback, server);
694
if (!sb) {
695
fprintf(stderr, "Failed to create service browser: %s\n",
696
avahi_strerror(avahi_server_errno(server)));
697
returncode = EXIT_FAILURE;
698
goto exit;
699
}
700
701
/* Run the main loop */
702
703
if (debug){
704
fprintf(stderr, "Starting avahi loop search\n");
705
}
706
707
avahi_simple_poll_loop(simple_poll);
708
709
exit:
710
711
if (debug){
712
fprintf(stderr, "%s exiting\n", argv[0]);
713
}
714
715
/* Cleanup things */
716
if (sb)
717
avahi_s_service_browser_free(sb);
718
719
if (server)
720
avahi_server_free(server);
721
722
if (simple_poll)
723
avahi_simple_poll_free(simple_poll);
724
725
return returncode;
2330
726
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0