/mandos/trunk : revision 24.1.24

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Björn Påhlsson
Date: 2008-08-08 01:51:58 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 50.
Revision ID: belorn@braxen-20080808015158-gudud63aet3l8jlw

minor edits

files added:
network-protocol.txt

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.lsm

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
mandos-clients.conf.xml => clients.conf.xml

plugin-runner.c => mandos-client.c

plugin-runner.xml => mandos-client.xml

plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

mandos

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand(), strtof() */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, uid_t, gid_t, open(),

opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

inet_pton(), connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,

strtoimax() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,

INET_ADDRSTRLEN, INET6_ADDRSTRLEN

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, or, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <signal.h> /* sigemptyset(), sigaddset(),

sigaction(), SIGTERM, sigaction,

sig_atomic_t */

#ifdef __linux__

#include <sys/klog.h> /* klogctl() */

#endif /* __linux__ */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

SIOCSIFFLAGS */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

100

gnutls_*

101

init_gnutls_session(),

102

GNUTLS_* */

103

#include <gnutls/openpgp.h>

104

/* gnutls_certificate_set_openpgp_key_file(),

105

GNUTLS_OPENPGP_FMT_BASE64 */

/* Mandos client part */

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

106

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

#include <net/if.h> /* IF_NAMESIZE */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

107

/* GPGME */

108

#include <gpgme.h> /* All GPGME types, constants and

109

functions:

110

gpgme_*

111

GPGME_PROTOCOL_OpenPGP,

112

GPG_ERR_NO_* */

#include <errno.h> /* perror() */

#include <gpgme.h>

113

114

#define BUFFER_SIZE 256

115

116

#define PATHDIR "/conf/conf.d/mandos"

117

#define SECKEY "seckey.txt"

118

#define PUBKEY "pubkey.txt"

119

120

bool debug = false;

static const char *keydir = "/conf/conf.d/mandos";

121

static const char mandos_protocol_version[] = "1";

122

const char *argp_program_version = "mandos-client " VERSION;

const char *argp_program_version = "mandosclient 0.9";

123

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

124

125

/* Used for passing in values through the Avahi callback functions */

130

unsigned int dh_bits;

131

gnutls_dh_params_t dh_params;

132

const char *priority;

133

gpgme_ctx_t ctx;

134

} mandos_context;

135

136

/* global context so signal handler can reach it*/

137

mandos_context mc = { .simple_poll = NULL, .server = NULL,

138

.dh_bits = 1024, .priority = "SECURE256"

139

":!CTYPE-X.509:+CTYPE-OPENPGP" };

140

141

142

* Make additional room in "buffer" for at least BUFFER_SIZE more

143

* bytes. "buffer_capacity" is how much is currently allocated,

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

* "buffer_capacity" is how much is currently allocated,

144

* "buffer_length" is how much is already used.

145

146

size_t incbuffer(char **buffer, size_t buffer_length,

size_t adjustbuffer(char **buffer, size_t buffer_length,

147

size_t buffer_capacity){

148

if(buffer_length + BUFFER_SIZE > buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

149

101

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

150

if(buffer == NULL){

102

if (buffer == NULL){

151

103

return 0;

152

104

}

153

105

buffer_capacity += BUFFER_SIZE;

156

108

}

157

109

158

110

159

* Initialize GPGME.

111

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

* Returns -1 on error

160

113

161

static bool init_gpgme(const char *seckey,

162

const char *pubkey, const char *tempdir){

163

int ret;

114

static ssize_t pgp_packet_decrypt (const char *cryptotext,

115

size_t crypto_size,

116

char **plaintext,

117

const char *homedir){

118

gpgme_data_t dh_crypto, dh_plain;

119

gpgme_ctx_t ctx;

164

120

gpgme_error_t rc;

121

ssize_t ret;

122

size_t plaintext_capacity = 0;

123

ssize_t plaintext_length = 0;

165

124

gpgme_engine_info_t engine_info;

166

125

167

168

169

* Helper function to insert pub and seckey to the engine keyring.

170

171

bool import_key(const char *filename){

172

int fd;

173

gpgme_data_t pgp_data;

174

175

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

176

if(fd == -1){

177

perror("open");

178

return false;

179

}

180

181

rc = gpgme_data_new_from_fd(&pgp_data, fd);

182

if(rc != GPG_ERR_NO_ERROR){

183

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

184

gpgme_strsource(rc), gpgme_strerror(rc));

185

return false;

186

}

187

188

rc = gpgme_op_import(mc.ctx, pgp_data);

189

if(rc != GPG_ERR_NO_ERROR){

190

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

191

gpgme_strsource(rc), gpgme_strerror(rc));

192

return false;

193

}

194

195

ret = (int)TEMP_FAILURE_RETRY(close(fd));

196

if(ret == -1){

197

perror("close");

198

}

199

gpgme_data_release(pgp_data);

200

return true;

201

}

202

203

if(debug){

204

fprintf(stderr, "Initializing GPGME\n");

126

if (debug){

127

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

205

128

}

206

129

207

130

/* Init GPGME */

208

131

gpgme_check_version(NULL);

209

132

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

210

if(rc != GPG_ERR_NO_ERROR){

133

if (rc != GPG_ERR_NO_ERROR){

211

134

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

212

135

gpgme_strsource(rc), gpgme_strerror(rc));

213

return false;

136

return -1;

214

137

}

215

138

216

/* Set GPGME home directory for the OpenPGP engine only */

217

rc = gpgme_get_engine_info(&engine_info);

218

if(rc != GPG_ERR_NO_ERROR){

139

/* Set GPGME home directory for the OpenPGP engine only */

140

rc = gpgme_get_engine_info (&engine_info);

141

if (rc != GPG_ERR_NO_ERROR){

219

142

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

220

143

gpgme_strsource(rc), gpgme_strerror(rc));

221

return false;

144

return -1;

222

145

}

223

146

while(engine_info != NULL){

224

147

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

225

148

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

226

engine_info->file_name, tempdir);

149

engine_info->file_name, homedir);

227

150

break;

228

151

}

229

152

engine_info = engine_info->next;

230

153

}

231

154

if(engine_info == NULL){

232

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

233

return false;

234

}

235

236

/* Create new GPGME "context" */

237

rc = gpgme_new(&(mc.ctx));

238

if(rc != GPG_ERR_NO_ERROR){

239

fprintf(stderr, "bad gpgme_new: %s: %s\n",

240

gpgme_strsource(rc), gpgme_strerror(rc));

241

return false;

242

}

243

244

if(not import_key(pubkey) or not import_key(seckey)){

245

return false;

246

}

247

248

return true;

249

}

250

251

252

* Decrypt OpenPGP data.

253

* Returns -1 on error

254

255

static ssize_t pgp_packet_decrypt(const char *cryptotext,

256

size_t crypto_size,

257

char **plaintext){

258

gpgme_data_t dh_crypto, dh_plain;

259

gpgme_error_t rc;

260

ssize_t ret;

261

size_t plaintext_capacity = 0;

262

ssize_t plaintext_length = 0;

263

264

if(debug){

265

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

155

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

156

return -1;

266

157

}

267

158

268

159

/* Create new GPGME data buffer from memory cryptotext */

269

160

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

270

161

0);

271

if(rc != GPG_ERR_NO_ERROR){

162

if (rc != GPG_ERR_NO_ERROR){

272

163

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

273

164

gpgme_strsource(rc), gpgme_strerror(rc));

274

165

return -1;

276

167

277

168

/* Create new empty GPGME data buffer for the plaintext */

278

169

rc = gpgme_data_new(&dh_plain);

279

if(rc != GPG_ERR_NO_ERROR){

170

if (rc != GPG_ERR_NO_ERROR){

280

171

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

281

172

gpgme_strsource(rc), gpgme_strerror(rc));

282

173

gpgme_data_release(dh_crypto);

283

174

return -1;

284

175

}

285

176

177

/* Create new GPGME "context" */

178

rc = gpgme_new(&ctx);

179

if (rc != GPG_ERR_NO_ERROR){

180

fprintf(stderr, "bad gpgme_new: %s: %s\n",

181

gpgme_strsource(rc), gpgme_strerror(rc));

182

plaintext_length = -1;

183

goto decrypt_end;

184

}

185

286

186

/* Decrypt data from the cryptotext data buffer to the plaintext

287

187

data buffer */

288

rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);

289

if(rc != GPG_ERR_NO_ERROR){

188

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

189

if (rc != GPG_ERR_NO_ERROR){

290

190

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

291

191

gpgme_strsource(rc), gpgme_strerror(rc));

292

192

plaintext_length = -1;

293

if(debug){

294

gpgme_decrypt_result_t result;

295

result = gpgme_op_decrypt_result(mc.ctx);

296

if(result == NULL){

297

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

298

} else {

299

fprintf(stderr, "Unsupported algorithm: %s\n",

300

result->unsupported_algorithm);

301

fprintf(stderr, "Wrong key usage: %u\n",

302

result->wrong_key_usage);

303

if(result->file_name != NULL){

304

fprintf(stderr, "File name: %s\n", result->file_name);

305

}

306

gpgme_recipient_t recipient;

307

recipient = result->recipients;

308

if(recipient){

309

while(recipient != NULL){

310

fprintf(stderr, "Public key algorithm: %s\n",

311

gpgme_pubkey_algo_name(recipient->pubkey_algo));

312

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

313

fprintf(stderr, "Secret key available: %s\n",

314

recipient->status == GPG_ERR_NO_SECKEY

315

? "No" : "Yes");

316

recipient = recipient->next;

317

}

318

}

319

}

320

}

321

193

goto decrypt_end;

322

194

}

323

195

325

197

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

326

198

}

327

199

200

if (debug){

201

gpgme_decrypt_result_t result;

202

result = gpgme_op_decrypt_result(ctx);

203

if (result == NULL){

204

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

205

} else {

206

fprintf(stderr, "Unsupported algorithm: %s\n",

207

result->unsupported_algorithm);

208

fprintf(stderr, "Wrong key usage: %d\n",

209

result->wrong_key_usage);

210

if(result->file_name != NULL){

211

fprintf(stderr, "File name: %s\n", result->file_name);

212

}

213

gpgme_recipient_t recipient;

214

recipient = result->recipients;

215

if(recipient){

216

while(recipient != NULL){

217

fprintf(stderr, "Public key algorithm: %s\n",

218

gpgme_pubkey_algo_name(recipient->pubkey_algo));

219

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

220

fprintf(stderr, "Secret key available: %s\n",

221

recipient->status == GPG_ERR_NO_SECKEY

222

? "No" : "Yes");

223

recipient = recipient->next;

224

}

225

}

226

}

227

}

228

328

229

/* Seek back to the beginning of the GPGME plaintext data buffer */

329

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

330

perror("gpgme_data_seek");

230

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

231

perror("pgpme_data_seek");

331

232

plaintext_length = -1;

332

233

goto decrypt_end;

333

234

}

334

235

335

236

*plaintext = NULL;

336

237

while(true){

337

plaintext_capacity = incbuffer(plaintext,

238

plaintext_capacity = adjustbuffer(plaintext,

338

239

(size_t)plaintext_length,

339

240

plaintext_capacity);

340

if(plaintext_capacity == 0){

341

perror("incbuffer");

241

if (plaintext_capacity == 0){

242

perror("adjustbuffer");

342

243

plaintext_length = -1;

343

244

goto decrypt_end;

344

245

}

346

247

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

347

248

BUFFER_SIZE);

348

249

/* Print the data, if any */

349

if(ret == 0){

250

if (ret == 0){

350

251

/* EOF */

351

252

break;

352

253

}

357

258

}

358

259

plaintext_length += ret;

359

260

}

360

261

361

262

if(debug){

362

263

fprintf(stderr, "Decrypted password is: ");

363

264

for(ssize_t i = 0; i < plaintext_length; i++){

376

277

return plaintext_length;

377

278

}

378

279

379

static const char * safer_gnutls_strerror(int value){

380

const char *ret = gnutls_strerror(value); /* Spurious warning from

381

-Wunreachable-code */

382

if(ret == NULL)

280

static const char * safer_gnutls_strerror (int value) {

281

const char *ret = gnutls_strerror (value);

282

if (ret == NULL)

383

283

ret = "(unknown)";

384

284

return ret;

385

285

}

390

290

fprintf(stderr, "GnuTLS: %s", string);

391

291

}

392

292

393

static int init_gnutls_global(const char *pubkeyfilename,

394

const char *seckeyfilename){

293

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

395

296

int ret;

396

297

397

298

if(debug){

398

299

fprintf(stderr, "Initializing GnuTLS\n");

399

300

}

400

401

ret = gnutls_global_init();

402

if(ret != GNUTLS_E_SUCCESS){

403

fprintf(stderr, "GnuTLS global_init: %s\n",

404

safer_gnutls_strerror(ret));

301

302

if ((ret = gnutls_global_init ())

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

405

306

return -1;

406

307

}

407

308

408

if(debug){

309

if (debug){

409

310

/* "Use a log level over 10 to enable all debugging options."

410

311

* - GnuTLS manual

411

312

414

315

}

415

316

416

317

/* OpenPGP credentials */

417

gnutls_certificate_allocate_credentials(&mc.cred);

418

if(ret != GNUTLS_E_SUCCESS){

419

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

420

from

421

-Wunreachable-code

422

423

safer_gnutls_strerror(ret));

424

gnutls_global_deinit();

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf (stderr, "GnuTLS memory error: %s\n",

321

safer_gnutls_strerror(ret));

322

gnutls_global_deinit ();

425

323

return -1;

426

324

}

427

325

428

326

if(debug){

429

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

430

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

431

seckeyfilename);

327

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

328

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

329

seckeyfile);

432

330

}

433

331

434

332

ret = gnutls_certificate_set_openpgp_key_file

435

(mc.cred, pubkeyfilename, seckeyfilename,

436

GNUTLS_OPENPGP_FMT_BASE64);

437

if(ret != GNUTLS_E_SUCCESS){

333

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

334

if (ret != GNUTLS_E_SUCCESS) {

438

335

fprintf(stderr,

439

336

"Error[%d] while reading the OpenPGP key pair ('%s',"

440

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

441

fprintf(stderr, "The GnuTLS error is: %s\n",

337

" '%s')\n", ret, pubkeyfile, seckeyfile);

338

fprintf(stdout, "The GnuTLS error is: %s\n",

442

339

safer_gnutls_strerror(ret));

443

340

goto globalfail;

444

341

}

445

342

446

343

/* GnuTLS server initialization */

447

ret = gnutls_dh_params_init(&mc.dh_params);

448

if(ret != GNUTLS_E_SUCCESS){

449

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

450

" %s\n", safer_gnutls_strerror(ret));

451

goto globalfail;

452

}

453

ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);

454

if(ret != GNUTLS_E_SUCCESS){

455

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

456

safer_gnutls_strerror(ret));

457

goto globalfail;

458

}

459

460

gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);

461

344

ret = gnutls_dh_params_init(&mc->dh_params);

345

if (ret != GNUTLS_E_SUCCESS) {

346

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

347

" %s\n", safer_gnutls_strerror(ret));

348

goto globalfail;

349

}

350

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

351

if (ret != GNUTLS_E_SUCCESS) {

352

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

353

safer_gnutls_strerror(ret));

354

goto globalfail;

355

}

356

357

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

358

462

359

return 0;

463

360

464

361

globalfail:

465

466

gnutls_certificate_free_credentials(mc.cred);

467

gnutls_global_deinit();

468

gnutls_dh_params_deinit(mc.dh_params);

362

363

gnutls_certificate_free_credentials (mc->cred);

364

gnutls_global_deinit ();

469

365

return -1;

366

470

367

}

471

368

472

static int init_gnutls_session(gnutls_session_t *session){

369

static int init_gnutls_session(mandos_context *mc,

370

gnutls_session_t *session){

473

371

int ret;

474

372

/* GnuTLS session creation */

475

373

ret = gnutls_init(session, GNUTLS_SERVER);

476

if(ret != GNUTLS_E_SUCCESS){

374

if (ret != GNUTLS_E_SUCCESS){

477

375

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

478

376

safer_gnutls_strerror(ret));

479

377

}

480

378

481

379

{

482

380

const char *err;

483

ret = gnutls_priority_set_direct(*session, mc.priority, &err);

484

if(ret != GNUTLS_E_SUCCESS){

381

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

382

if (ret != GNUTLS_E_SUCCESS) {

485

383

fprintf(stderr, "Syntax error at: %s\n", err);

486

384

fprintf(stderr, "GnuTLS error: %s\n",

487

385

safer_gnutls_strerror(ret));

488

gnutls_deinit(*session);

386

gnutls_deinit (*session);

489

387

return -1;

490

388

}

491

389

}

492

390

493

391

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

494

mc.cred);

495

if(ret != GNUTLS_E_SUCCESS){

392

mc->cred);

393

if (ret != GNUTLS_E_SUCCESS) {

496

394

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

497

395

safer_gnutls_strerror(ret));

498

gnutls_deinit(*session);

396

gnutls_deinit (*session);

499

397

return -1;

500

398

}

501

399

502

400

/* ignore client certificate if any. */

503

gnutls_certificate_server_set_request(*session,

504

GNUTLS_CERT_IGNORE);

401

gnutls_certificate_server_set_request (*session,

402

GNUTLS_CERT_IGNORE);

505

403

506

gnutls_dh_set_prime_bits(*session, mc.dh_bits);

404

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

507

405

508

406

return 0;

509

407

}

515

413

/* Called when a Mandos server is found */

516

414

static int start_mandos_communication(const char *ip, uint16_t port,

517

415

AvahiIfIndex if_index,

518

int af){

416

mandos_context *mc){

519

417

int ret, tcp_sd;

520

ssize_t sret;

521

union {

522

struct sockaddr_in in;

523

struct sockaddr_in6 in6;

524

} to;

418

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

525

419

char *buffer = NULL;

526

420

char *decrypted_buffer;

527

421

size_t buffer_length = 0;

529

423

ssize_t decrypted_buffer_size;

530

424

size_t written;

531

425

int retval = 0;

426

char interface[IF_NAMESIZE];

532

427

gnutls_session_t session;

533

int pf; /* Protocol family */

534

535

switch(af){

536

case AF_INET6:

537

pf = PF_INET6;

538

break;

539

case AF_INET:

540

pf = PF_INET;

541

break;

542

default:

543

fprintf(stderr, "Bad address family: %d\n", af);

544

return -1;

545

}

546

547

ret = init_gnutls_session(&session);

548

if(ret != 0){

428

429

ret = init_gnutls_session (mc, &session);

430

if (ret != 0){

549

431

return -1;

550

432

}

551

433

552

434

if(debug){

553

fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16

554

"\n", ip, port);

435

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

436

ip, port);

555

437

}

556

438

557

tcp_sd = socket(pf, SOCK_STREAM, 0);

558

if(tcp_sd < 0){

439

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

440

if(tcp_sd < 0) {

559

441

perror("socket");

560

442

return -1;

561

443

}

444

445

if(debug){

446

if(if_indextoname((unsigned int)if_index, interface) == NULL){

447

perror("if_indextoname");

448

return -1;

449

}

450

fprintf(stderr, "Binding to interface %s\n", interface);

451

}

562

452

563

memset(&to, 0, sizeof(to));

564

if(af == AF_INET6){

565

to.in6.sin6_family = (uint16_t)af;

566

ret = inet_pton(af, ip, &to.in6.sin6_addr);

567

} else { /* IPv4 */

568

to.in.sin_family = (sa_family_t)af;

569

ret = inet_pton(af, ip, &to.in.sin_addr);

570

}

571

if(ret < 0 ){

453

memset(&to,0,sizeof(to)); /* Spurious warning */

454

to.in6.sin6_family = AF_INET6;

455

/* It would be nice to have a way to detect if we were passed an

456

IPv4 address here. Now we assume an IPv6 address. */

457

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

458

if (ret < 0 ){

572

459

perror("inet_pton");

573

460

return -1;

574

461

}

576

463

fprintf(stderr, "Bad address: %s\n", ip);

577

464

return -1;

578

465

}

579

if(af == AF_INET6){

580

to.in6.sin6_port = htons(port); /* Spurious warnings from

581

-Wconversion and

582

-Wunreachable-code */

583

584

if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */

585

(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and

586

-Wunreachable-code*/

587

if(if_index == AVAHI_IF_UNSPEC){

588

fprintf(stderr, "An IPv6 link-local address is incomplete"

589

" without a network interface\n");

590

return -1;

591

}

592

/* Set the network interface number as scope */

593

to.in6.sin6_scope_id = (uint32_t)if_index;

594

}

595

} else {

596

to.in.sin_port = htons(port); /* Spurious warnings from

597

-Wconversion and

598

-Wunreachable-code */

599

}

466

to.in6.sin6_port = htons(port); /* Spurious warning */

467

468

to.in6.sin6_scope_id = (uint32_t)if_index;

600

469

601

470

if(debug){

602

if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){

603

char interface[IF_NAMESIZE];

604

if(if_indextoname((unsigned int)if_index, interface) == NULL){

605

perror("if_indextoname");

606

} else {

607

fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",

608

ip, interface, port);

609

}

610

} else {

611

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

612

port);

613

}

614

char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?

615

INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";

616

const char *pcret;

617

if(af == AF_INET6){

618

pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,

619

sizeof(addrstr));

620

} else {

621

pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,

622

sizeof(addrstr));

623

}

624

if(pcret == NULL){

471

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

472

char addrstr[INET6_ADDRSTRLEN] = "";

473

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

474

sizeof(addrstr)) == NULL){

625

475

perror("inet_ntop");

626

476

} else {

627

477

if(strcmp(addrstr, ip) != 0){

630

480

}

631

481

}

632

482

633

if(af == AF_INET6){

634

ret = connect(tcp_sd, &to.in6, sizeof(to));

635

} else {

636

ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */

637

}

638

if(ret < 0){

483

ret = connect(tcp_sd, &to.in, sizeof(to));

484

if (ret < 0){

639

485

perror("connect");

640

486

return -1;

641

487

}

642

488

643

489

const char *out = mandos_protocol_version;

644

490

written = 0;

645

while(true){

491

while (true){

646

492

size_t out_size = strlen(out);

647

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

493

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

648

494

out_size - written));

649

if(ret == -1){

495

if (ret == -1){

650

496

perror("write");

651

497

retval = -1;

652

498

goto mandos_end;

655

501

if(written < out_size){

656

502

continue;

657

503

} else {

658

if(out == mandos_protocol_version){

504

if (out == mandos_protocol_version){

659

505

written = 0;

660

506

out = "\r\n";

661

507

} else {

663

509

}

664

510

}

665

511

}

666

512

667

513

if(debug){

668

514

fprintf(stderr, "Establishing TLS session with %s\n", ip);

669

515

}

670

516

671

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

672

673

do{

674

ret = gnutls_handshake(session);

675

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

676

677

if(ret != GNUTLS_E_SUCCESS){

517

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

518

519

ret = gnutls_handshake (session);

520

521

if (ret != GNUTLS_E_SUCCESS){

678

522

if(debug){

679

523

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

680

gnutls_perror(ret);

524

gnutls_perror (ret);

681

525

}

682

526

retval = -1;

683

527

goto mandos_end;

686

530

/* Read OpenPGP packet that contains the wanted password */

687

531

688

532

if(debug){

689

fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",

533

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

690

534

ip);

691

535

}

692

536

693

537

while(true){

694

buffer_capacity = incbuffer(&buffer, buffer_length,

538

buffer_capacity = adjustbuffer(&buffer, buffer_length,

695

539

buffer_capacity);

696

if(buffer_capacity == 0){

697

perror("incbuffer");

540

if (buffer_capacity == 0){

541

perror("adjustbuffer");

698

542

retval = -1;

699

543

goto mandos_end;

700

544

}

701

545

702

sret = gnutls_record_recv(session, buffer+buffer_length,

703

BUFFER_SIZE);

704

if(sret == 0){

546

ret = gnutls_record_recv(session, buffer+buffer_length,

547

BUFFER_SIZE);

548

if (ret == 0){

705

549

break;

706

550

}

707

if(sret < 0){

708

switch(sret){

551

if (ret < 0){

552

switch(ret){

709

553

case GNUTLS_E_INTERRUPTED:

710

554

case GNUTLS_E_AGAIN:

711

555

break;

712

556

case GNUTLS_E_REHANDSHAKE:

713

do{

714

ret = gnutls_handshake(session);

715

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

716

if(ret < 0){

557

ret = gnutls_handshake (session);

558

if (ret < 0){

717

559

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

718

gnutls_perror(ret);

560

gnutls_perror (ret);

719

561

retval = -1;

720

562

goto mandos_end;

721

563

}

724

566

fprintf(stderr, "Unknown error while reading data from"

725

567

" encrypted session with Mandos server\n");

726

568

retval = -1;

727

gnutls_bye(session, GNUTLS_SHUT_RDWR);

569

gnutls_bye (session, GNUTLS_SHUT_RDWR);

728

570

goto mandos_end;

729

571

}

730

572

} else {

731

buffer_length += (size_t) sret;

573

buffer_length += (size_t) ret;

732

574

}

733

575

}

734

576

736

578

fprintf(stderr, "Closing TLS session\n");

737

579

}

738

580

739

gnutls_bye(session, GNUTLS_SHUT_RDWR);

581

gnutls_bye (session, GNUTLS_SHUT_RDWR);

740

582

741

if(buffer_length > 0){

583

if (buffer_length > 0){

742

584

decrypted_buffer_size = pgp_packet_decrypt(buffer,

743

585

buffer_length,

744

&decrypted_buffer);

745

if(decrypted_buffer_size >= 0){

586

&decrypted_buffer,

587

keydir);

588

if (decrypted_buffer_size >= 0){

746

589

written = 0;

747

590

while(written < (size_t) decrypted_buffer_size){

748

ret = (int)fwrite(decrypted_buffer + written, 1,

749

(size_t)decrypted_buffer_size - written,

750

stdout);

591

ret = (int)fwrite (decrypted_buffer + written, 1,

592

(size_t)decrypted_buffer_size - written,

593

stdout);

751

594

if(ret == 0 and ferror(stdout)){

752

595

if(debug){

753

596

fprintf(stderr, "Error writing encrypted data: %s\n",

762

605

} else {

763

606

retval = -1;

764

607

}

765

} else {

766

retval = -1;

767

608

}

768

609

769

610

/* Shutdown procedure */

770

611

771

612

mandos_end:

772

613

free(buffer);

773

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

774

if(ret == -1){

775

perror("close");

776

}

777

gnutls_deinit(session);

614

close(tcp_sd);

615

gnutls_deinit (session);

778

616

return retval;

779

617

}

780

618

781

619

static void resolve_callback(AvahiSServiceResolver *r,

782

620

AvahiIfIndex interface,

783

AvahiProtocol proto,

621

AVAHI_GCC_UNUSED AvahiProtocol protocol,

784

622

AvahiResolverEvent event,

785

623

const char *name,

786

624

const char *type,

791

629

AVAHI_GCC_UNUSED AvahiStringList *txt,

792

630

AVAHI_GCC_UNUSED AvahiLookupResultFlags

793

631

flags,

794

AVAHI_GCC_UNUSED void* userdata){

795

assert(r);

632

void* userdata) {

633

mandos_context *mc = userdata;

634

assert(r); /* Spurious warning */

796

635

797

636

/* Called whenever a service has been resolved successfully or

798

637

timed out */

799

638

800

switch(event){

639

switch (event) {

801

640

default:

802

641

case AVAHI_RESOLVER_FAILURE:

803

642

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

804

643

" of type '%s' in domain '%s': %s\n", name, type, domain,

805

avahi_strerror(avahi_server_errno(mc.server)));

644

avahi_strerror(avahi_server_errno(mc->server)));

806

645

break;

807

646

808

647

case AVAHI_RESOLVER_FOUND:

810

649

char ip[AVAHI_ADDRESS_STR_MAX];

811

650

avahi_address_snprint(ip, sizeof(ip), address);

812

651

if(debug){

813

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

814

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

815

ip, (intmax_t)interface, port);

652

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

653

" port %d\n", name, host_name, ip, interface, port);

816

654

}

817

int ret = start_mandos_communication(ip, port, interface,

818

avahi_proto_to_af(proto));

819

if(ret == 0){

820

avahi_simple_poll_quit(mc.simple_poll);

655

int ret = start_mandos_communication(ip, port, interface, mc);

656

if (ret == 0){

657

exit(EXIT_SUCCESS);

821

658

}

822

659

}

823

660

}

824

661

avahi_s_service_resolver_free(r);

825

662

}

826

663

827

static void browse_callback(AvahiSServiceBrowser *b,

828

AvahiIfIndex interface,

829

AvahiProtocol protocol,

830

AvahiBrowserEvent event,

831

const char *name,

832

const char *type,

833

const char *domain,

834

AVAHI_GCC_UNUSED AvahiLookupResultFlags

835

flags,

836

AVAHI_GCC_UNUSED void* userdata){

837

assert(b);

664

static void browse_callback( AvahiSServiceBrowser *b,

665

AvahiIfIndex interface,

666

AvahiProtocol protocol,

667

AvahiBrowserEvent event,

668

const char *name,

669

const char *type,

670

const char *domain,

671

AVAHI_GCC_UNUSED AvahiLookupResultFlags

672

flags,

673

void* userdata) {

674

mandos_context *mc = userdata;

675

assert(b); /* Spurious warning */

838

676

839

677

/* Called whenever a new services becomes available on the LAN or

840

678

is removed from the LAN */

841

679

842

switch(event){

680

switch (event) {

843

681

default:

844

682

case AVAHI_BROWSER_FAILURE:

845

683

846

684

fprintf(stderr, "(Avahi browser) %s\n",

847

avahi_strerror(avahi_server_errno(mc.server)));

848

avahi_simple_poll_quit(mc.simple_poll);

685

avahi_strerror(avahi_server_errno(mc->server)));

686

avahi_simple_poll_quit(mc->simple_poll);

849

687

return;

850

688

851

689

case AVAHI_BROWSER_NEW:

854

692

the callback function is called the Avahi server will free the

855

693

resolver for us. */

856

694

857

if(avahi_s_service_resolver_new(mc.server, interface, protocol,

858

name, type, domain, protocol, 0,

859

resolve_callback, NULL) == NULL)

695

if (!(avahi_s_service_resolver_new(mc->server, interface,

696

protocol, name, type, domain,

697

AVAHI_PROTO_INET6, 0,

698

resolve_callback, mc)))

860

699

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

861

name, avahi_strerror(avahi_server_errno(mc.server)));

700

name, avahi_strerror(avahi_server_errno(mc->server)));

862

701

break;

863

702

864

703

case AVAHI_BROWSER_REMOVE:

873

712

}

874

713

}

875

714

876

sig_atomic_t quit_now = 0;

877

878

/* stop main loop after sigterm has been called */

879

static void handle_sigterm(__attribute__((unused)) int sig){

880

if(quit_now){

881

return;

882

}

883

quit_now = 1;

884

int old_errno = errno;

885

if(mc.simple_poll != NULL){

886

avahi_simple_poll_quit(mc.simple_poll);

887

}

888

errno = old_errno;

715

/* Combines file name and path and returns the malloced new

716

string. some sane checks could/should be added */

717

static const char *combinepath(const char *first, const char *second){

718

size_t f_len = strlen(first);

719

size_t s_len = strlen(second);

720

char *tmp = malloc(f_len + s_len + 2);

721

if (tmp == NULL){

722

return NULL;

723

}

724

if(f_len > 0){

725

memcpy(tmp, first, f_len); /* Spurious warning */

726

}

727

tmp[f_len] = '/';

728

if(s_len > 0){

729

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

730

}

731

tmp[f_len + 1 + s_len] = '\0';

732

return tmp;

889

733

}

890

734

735

891

736

int main(int argc, char *argv[]){

892

AvahiSServiceBrowser *sb = NULL;

893

int error;

894

int ret;

895

intmax_t tmpmax;

896

char *tmp;

897

int exitcode = EXIT_SUCCESS;

898

const char *interface = "eth0";

899

struct ifreq network;

900

int sd;

901

uid_t uid;

902

gid_t gid;

903

char *connect_to = NULL;

904

char tempdir[] = "/tmp/mandosXXXXXX";

905

bool tempdir_created = false;

906

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

907

const char *seckey = PATHDIR "/" SECKEY;

908

const char *pubkey = PATHDIR "/" PUBKEY;

909

910

bool gnutls_initialized = false;

911

bool gpgme_initialized = false;

912

float delay = 2.5f;

913

914

struct sigaction old_sigterm_action;

915

struct sigaction sigterm_action = { .sa_handler = handle_sigterm };

916

917

{

918

struct argp_option options[] = {

919

{ .name = "debug", .key = 128,

920

.doc = "Debug mode", .group = 3 },

921

{ .name = "connect", .key = 'c',

922

.arg = "ADDRESS:PORT",

923

.doc = "Connect directly to a specific Mandos server",

924

.group = 1 },

925

{ .name = "interface", .key = 'i',

926

.arg = "NAME",

927

.doc = "Network interface that will be used to search for"

928

" Mandos servers",

929

.group = 1 },

930

{ .name = "seckey", .key = 's',

931

.arg = "FILE",

932

.doc = "OpenPGP secret key file base name",

933

.group = 1 },

934

{ .name = "pubkey", .key = 'p',

935

.arg = "FILE",

936

.doc = "OpenPGP public key file base name",

937

.group = 2 },

938

{ .name = "dh-bits", .key = 129,

939

.arg = "BITS",

940

.doc = "Bit length of the prime number used in the"

941

" Diffie-Hellman key exchange",

942

.group = 2 },

943

{ .name = "priority", .key = 130,

944

.arg = "STRING",

945

.doc = "GnuTLS priority string for the TLS handshake",

946

.group = 1 },

947

{ .name = "delay", .key = 131,

948

.arg = "SECONDS",

949

.doc = "Maximum delay to wait for interface startup",

950

.group = 2 },

951

{ .name = NULL }

952

};

953

954

error_t parse_opt(int key, char *arg,

955

struct argp_state *state){

956

switch(key){

957

case 128: /* --debug */

958

debug = true;

959

break;

960

case 'c': /* --connect */

961

connect_to = arg;

962

break;

963

case 'i': /* --interface */

964

interface = arg;

965

break;

966

case 's': /* --seckey */

967

seckey = arg;

968

break;

969

case 'p': /* --pubkey */

970

pubkey = arg;

971

break;

972

case 129: /* --dh-bits */

973

errno = 0;

974

tmpmax = strtoimax(arg, &tmp, 10);

975

if(errno != 0 or tmp == arg or *tmp != '\0'

976

or tmpmax != (typeof(mc.dh_bits))tmpmax){

977

fprintf(stderr, "Bad number of DH bits\n");

978

exit(EXIT_FAILURE);

979

}

980

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

981

break;

982

case 130: /* --priority */

983

mc.priority = arg;

984

break;

985

case 131: /* --delay */

986

errno = 0;

987

delay = strtof(arg, &tmp);

988

if(errno != 0 or tmp == arg or *tmp != '\0'){

989

fprintf(stderr, "Bad delay\n");

990

exit(EXIT_FAILURE);

991

}

992

break;

993

case ARGP_KEY_ARG:

994

argp_usage(state);

995

case ARGP_KEY_END:

996

break;

997

default:

998

return ARGP_ERR_UNKNOWN;

999

}

1000

return 0;

1001

}

1002

1003

struct argp argp = { .options = options, .parser = parse_opt,

1004

.args_doc = "",

1005

.doc = "Mandos client -- Get and decrypt"

1006

" passwords from a Mandos server" };

1007

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

1008

if(ret == ARGP_ERR_UNKNOWN){

1009

fprintf(stderr, "Unknown error while parsing arguments\n");

1010

exitcode = EXIT_FAILURE;

1011

goto end;

1012

}

1013

}

1014

1015

if(not debug){

1016

avahi_set_log_function(empty_log);

1017

}

1018

1019

/* Initialize Avahi early so avahi_simple_poll_quit() can be called

1020

from the signal handler */

1021

/* Initialize the pseudo-RNG for Avahi */

1022

srand((unsigned int) time(NULL));

1023

mc.simple_poll = avahi_simple_poll_new();

1024

if(mc.simple_poll == NULL){

1025

fprintf(stderr, "Avahi: Failed to create simple poll object.\n");

1026

exitcode = EXIT_FAILURE;

1027

goto end;

1028

}

1029

1030

sigemptyset(&sigterm_action.sa_mask);

1031

ret = sigaddset(&sigterm_action.sa_mask, SIGINT);

1032

if(ret == -1){

1033

perror("sigaddset");

1034

exitcode = EXIT_FAILURE;

1035

goto end;

1036

}

1037

ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);

1038

if(ret == -1){

1039

perror("sigaddset");

1040

exitcode = EXIT_FAILURE;

1041

goto end;

1042

}

1043

ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);

1044

if(ret == -1){

1045

perror("sigaddset");

1046

exitcode = EXIT_FAILURE;

1047

goto end;

1048

}

1049

ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);

1050

if(ret == -1){

1051

perror("sigaction");

1052

exitcode = EXIT_FAILURE;

1053

goto end;

1054

}

1055

1056

/* If the interface is down, bring it up */

1057

if(interface[0] != '\0'){

1058

#ifdef __linux__

1059

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1060

messages to mess up the prompt */

1061

ret = klogctl(8, NULL, 5);

1062

bool restore_loglevel = true;

1063

if(ret == -1){

1064

restore_loglevel = false;

1065

perror("klogctl");

1066

}

1067

#endif /* __linux__ */

1068

1069

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1070

if(sd < 0){

1071

perror("socket");

1072

exitcode = EXIT_FAILURE;

1073

#ifdef __linux__

1074

if(restore_loglevel){

1075

ret = klogctl(7, NULL, 0);

1076

if(ret == -1){

1077

perror("klogctl");

1078

}

1079

}

1080

#endif /* __linux__ */

1081

goto end;

1082

}

1083

strcpy(network.ifr_name, interface);

1084

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1085

if(ret == -1){

1086

perror("ioctl SIOCGIFFLAGS");

1087

#ifdef __linux__

1088

if(restore_loglevel){

1089

ret = klogctl(7, NULL, 0);

1090

if(ret == -1){

1091

perror("klogctl");

1092

}

1093

}

1094

#endif /* __linux__ */

1095

exitcode = EXIT_FAILURE;

1096

goto end;

1097

}

1098

if((network.ifr_flags & IFF_UP) == 0){

1099

network.ifr_flags |= IFF_UP;

1100

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1101

if(ret == -1){

1102

perror("ioctl SIOCSIFFLAGS");

1103

exitcode = EXIT_FAILURE;

1104

#ifdef __linux__

1105

if(restore_loglevel){

1106

ret = klogctl(7, NULL, 0);

1107

if(ret == -1){

1108

perror("klogctl");

737

AvahiSServiceBrowser *sb = NULL;

738

int error;

739

int ret;

740

int exitcode = EXIT_SUCCESS;

741

const char *interface = "eth0";

742

struct ifreq network;

743

int sd;

744

uid_t uid;

745

gid_t gid;

746

char *connect_to = NULL;

747

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

748

const char *pubkeyfile = "pubkey.txt";

749

const char *seckeyfile = "seckey.txt";

750

mandos_context mc = { .simple_poll = NULL, .server = NULL,

751

.dh_bits = 1024, .priority = "SECURE256"};

752

bool gnutls_initalized = false;

753

754

{

755

struct argp_option options[] = {

756

{ .name = "debug", .key = 128,

757

.doc = "Debug mode", .group = 3 },

758

{ .name = "connect", .key = 'c',

759

.arg = "IP",

760

.doc = "Connect directly to a sepcified mandos server",

761

.group = 1 },

762

{ .name = "interface", .key = 'i',

763

.arg = "INTERFACE",

764

.doc = "Interface that Avahi will conntect through",

765

.group = 1 },

766

{ .name = "keydir", .key = 'd',

767

.arg = "KEYDIR",

768

.doc = "Directory where the openpgp keyring is",

769

.group = 1 },

770

{ .name = "seckey", .key = 's',

771

.arg = "SECKEY",

772

.doc = "Secret openpgp key for gnutls authentication",

773

.group = 1 },

774

{ .name = "pubkey", .key = 'p',

775

.arg = "PUBKEY",

776

.doc = "Public openpgp key for gnutls authentication",

777

.group = 2 },

778

{ .name = "dh-bits", .key = 129,

779

.arg = "BITS",

780

.doc = "dh-bits to use in gnutls communication",

781

.group = 2 },

782

{ .name = "priority", .key = 130,

783

.arg = "PRIORITY",

784

.doc = "GNUTLS priority", .group = 1 },

785

{ .name = NULL }

786

};

787

788

789

error_t parse_opt (int key, char *arg,

790

struct argp_state *state) {

791

/* Get the INPUT argument from `argp_parse', which we know is

792

a pointer to our plugin list pointer. */

793

switch (key) {

794

case 128:

795

debug = true;

796

break;

797

case 'c':

798

connect_to = arg;

799

break;

800

case 'i':

801

interface = arg;

802

break;

803

case 'd':

804

keydir = arg;

805

break;

806

case 's':

807

seckeyfile = arg;

808

break;

809

case 'p':

810

pubkeyfile = arg;

811

break;

812

case 129:

813

errno = 0;

814

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

815

if (errno){

816

perror("strtol");

817

exit(EXIT_FAILURE);

1109

818

}

819

break;

820

case 130:

821

mc.priority = arg;

822

break;

823

case ARGP_KEY_ARG:

824

argp_usage (state);

825

break;

826

case ARGP_KEY_END:

827

break;

828

default:

829

return ARGP_ERR_UNKNOWN;

1110

830

}

1111

#endif /* __linux__ */

1112

goto end;

1113

}

1114

}

1115

/* sleep checking until interface is running */

1116

for(int i=0; i < delay * 4; i++){

1117

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1118

if(ret == -1){

1119

perror("ioctl SIOCGIFFLAGS");

1120

} else if(network.ifr_flags & IFF_RUNNING){

1121

break;

1122

}

1123

struct timespec sleeptime = { .tv_nsec = 250000000 };

1124

ret = nanosleep(&sleeptime, NULL);

1125

if(ret == -1 and errno != EINTR){

1126

perror("nanosleep");

1127

}

1128

}

1129

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1130

if(ret == -1){

1131

perror("close");

1132

}

1133

#ifdef __linux__

1134

if(restore_loglevel){

1135

/* Restores kernel loglevel to default */

1136

ret = klogctl(7, NULL, 0);

1137

if(ret == -1){

1138

perror("klogctl");

1139

}

1140

}

1141

#endif /* __linux__ */

1142

}

1143

1144

uid = getuid();

1145

gid = getgid();

1146

1147

errno = 0;

1148

setgid(gid);

1149

if(ret == -1){

1150

perror("setgid");

1151

}

1152

1153

ret = setuid(uid);

1154

if(ret == -1){

1155

perror("setuid");

1156

}

1157

1158

ret = init_gnutls_global(pubkey, seckey);

1159

if(ret == -1){

1160

fprintf(stderr, "init_gnutls_global failed\n");

1161

exitcode = EXIT_FAILURE;

1162

goto end;

1163

} else {

1164

gnutls_initialized = true;

1165

}

1166

1167

if(mkdtemp(tempdir) == NULL){

1168

perror("mkdtemp");

1169

goto end;

1170

}

1171

tempdir_created = true;

1172

1173

if(not init_gpgme(pubkey, seckey, tempdir)){

1174

fprintf(stderr, "init_gpgme failed\n");

1175

exitcode = EXIT_FAILURE;

1176

goto end;

1177

} else {

1178

gpgme_initialized = true;

1179

}

1180

1181

if(interface[0] != '\0'){

831

return 0;

832

}

833

834

struct argp argp = { .options = options, .parser = parse_opt,

835

.args_doc = "",

836

.doc = "Mandos client -- Get and decrypt"

837

" passwords from mandos server" };

838

argp_parse (&argp, argc, argv, 0, 0, NULL);

839

}

840

841

pubkeyfile = combinepath(keydir, pubkeyfile);

842

if (pubkeyfile == NULL){

843

perror("combinepath");

844

exitcode = EXIT_FAILURE;

845

goto end;

846

}

847

848

seckeyfile = combinepath(keydir, seckeyfile);

849

if (seckeyfile == NULL){

850

perror("combinepath");

851

goto end;

852

}

853

854

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

855

if (ret == -1){

856

fprintf(stderr, "init_gnutls_global\n");

857

goto end;

858

} else {

859

gnutls_initalized = true;

860

}

861

862

uid = getuid();

863

gid = getgid();

864

865

ret = setuid(uid);

866

if (ret == -1){

867

perror("setuid");

868

}

869

870

setgid(gid);

871

if (ret == -1){

872

perror("setgid");

873

}

874

1182

875

if_index = (AvahiIfIndex) if_nametoindex(interface);

1183

876

if(if_index == 0){

1184

877

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1185

exitcode = EXIT_FAILURE;

1186

goto end;

1187

}

1188

}

1189

1190

if(connect_to != NULL){

1191

/* Connect directly, do not use Zeroconf */

1192

/* (Mainly meant for debugging) */

1193

char *address = strrchr(connect_to, ':');

1194

if(address == NULL){

1195

fprintf(stderr, "No colon in address\n");

1196

exitcode = EXIT_FAILURE;

1197

goto end;

1198

}

1199

uint16_t port;

1200

errno = 0;

1201

tmpmax = strtoimax(address+1, &tmp, 10);

1202

if(errno != 0 or tmp == address+1 or *tmp != '\0'

1203

or tmpmax != (uint16_t)tmpmax){

1204

fprintf(stderr, "Bad port number\n");

1205

exitcode = EXIT_FAILURE;

1206

goto end;

1207

}

1208

port = (uint16_t)tmpmax;

1209

*address = '\0';

1210

address = connect_to;

1211

/* Colon in address indicates IPv6 */

1212

int af;

1213

if(strchr(address, ':') != NULL){

1214

af = AF_INET6;

1215

} else {

1216

af = AF_INET;

1217

}

1218

ret = start_mandos_communication(address, port, if_index, af);

1219

if(ret < 0){

1220

exitcode = EXIT_FAILURE;

1221

} else {

1222

exitcode = EXIT_SUCCESS;

1223

}

1224

goto end;

1225

}

1226

1227

{

1228

AvahiServerConfig config;

1229

/* Do not publish any local Zeroconf records */

1230

avahi_server_config_init(&config);

1231

config.publish_hinfo = 0;

1232

config.publish_addresses = 0;

1233

config.publish_workstation = 0;

1234

config.publish_domain = 0;

1235

1236

/* Allocate a new server */

1237

mc.server = avahi_server_new(avahi_simple_poll_get

1238

(mc.simple_poll), &config, NULL,

1239

NULL, &error);

1240

1241

/* Free the Avahi configuration data */

1242

avahi_server_config_free(&config);

1243

}

1244

1245

/* Check if creating the Avahi server object succeeded */

1246

if(mc.server == NULL){

1247

fprintf(stderr, "Failed to create Avahi server: %s\n",

1248

avahi_strerror(error));

1249

exitcode = EXIT_FAILURE;

1250

goto end;

1251

}

1252

1253

/* Create the Avahi service browser */

1254

sb = avahi_s_service_browser_new(mc.server, if_index,

1255

AVAHI_PROTO_UNSPEC, "_mandos._tcp",

1256

NULL, 0, browse_callback, NULL);

1257

if(sb == NULL){

1258

fprintf(stderr, "Failed to create service browser: %s\n",

1259

avahi_strerror(avahi_server_errno(mc.server)));

1260

exitcode = EXIT_FAILURE;

1261

goto end;

1262

}

1263

1264

/* Run the main loop */

1265

1266

if(debug){

1267

fprintf(stderr, "Starting Avahi loop search\n");

1268

}

1269

1270

avahi_simple_poll_loop(mc.simple_poll);

1271

878

exit(EXIT_FAILURE);

879

}

880

881

if(connect_to != NULL){

882

/* Connect directly, do not use Zeroconf */

883

/* (Mainly meant for debugging) */

884

char *address = strrchr(connect_to, ':');

885

if(address == NULL){

886

fprintf(stderr, "No colon in address\n");

887

exitcode = EXIT_FAILURE;

888

goto end;

889

}

890

errno = 0;

891

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

892

if(errno){

893

perror("Bad port number");

894

exitcode = EXIT_FAILURE;

895

goto end;

896

}

897

*address = '\0';

898

address = connect_to;

899

ret = start_mandos_communication(address, port, if_index, &mc);

900

if(ret < 0){

901

exitcode = EXIT_FAILURE;

902

} else {

903

exitcode = EXIT_SUCCESS;

904

}

905

goto end;

906

}

907

908

/* If the interface is down, bring it up */

909

{

910

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

911

if(sd < 0) {

912

perror("socket");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

strcpy(network.ifr_name, interface); /* Spurious warning */

917

ret = ioctl(sd, SIOCGIFFLAGS, &network);

918

if(ret == -1){

919

perror("ioctl SIOCGIFFLAGS");

920

exitcode = EXIT_FAILURE;

921

goto end;

922

}

923

if((network.ifr_flags & IFF_UP) == 0){

924

network.ifr_flags |= IFF_UP;

925

ret = ioctl(sd, SIOCSIFFLAGS, &network);

926

if(ret == -1){

927

perror("ioctl SIOCSIFFLAGS");

928

exitcode = EXIT_FAILURE;

929

goto end;

930

}

931

}

932

close(sd);

933

}

934

935

if (not debug){

936

avahi_set_log_function(empty_log);

937

}

938

939

/* Initialize the pseudo-RNG for Avahi */

940

srand((unsigned int) time(NULL));

941

942

/* Allocate main Avahi loop object */

943

mc.simple_poll = avahi_simple_poll_new();

944

if (mc.simple_poll == NULL) {

945

fprintf(stderr, "Avahi: Failed to create simple poll"

946

" object.\n");

947

exitcode = EXIT_FAILURE;

948

goto end;

949

}

950

951

{

952

AvahiServerConfig config;

953

/* Do not publish any local Zeroconf records */

954

avahi_server_config_init(&config);

955

config.publish_hinfo = 0;

956

config.publish_addresses = 0;

957

config.publish_workstation = 0;

958

config.publish_domain = 0;

959

960

/* Allocate a new server */

961

mc.server = avahi_server_new(avahi_simple_poll_get

962

(mc.simple_poll), &config, NULL,

963

NULL, &error);

964

965

/* Free the Avahi configuration data */

966

avahi_server_config_free(&config);

967

}

968

969

/* Check if creating the Avahi server object succeeded */

970

if (mc.server == NULL) {

971

fprintf(stderr, "Failed to create Avahi server: %s\n",

972

avahi_strerror(error));

973

exitcode = EXIT_FAILURE;

974

goto end;

975

}

976

977

/* Create the Avahi service browser */

978

sb = avahi_s_service_browser_new(mc.server, if_index,

979

AVAHI_PROTO_INET6,

980

"_mandos._tcp", NULL, 0,

981

browse_callback, &mc);

982

if (sb == NULL) {

983

fprintf(stderr, "Failed to create service browser: %s\n",

984

avahi_strerror(avahi_server_errno(mc.server)));

985

exitcode = EXIT_FAILURE;

986

goto end;

987

}

988

989

/* Run the main loop */

990

991

if (debug){

992

fprintf(stderr, "Starting Avahi loop search\n");

993

}

994

995

avahi_simple_poll_loop(mc.simple_poll);

996

1272

997

end:

1273

1274

if(debug){

1275

fprintf(stderr, "%s exiting\n", argv[0]);

1276

}

1277

1278

/* Cleanup things */

1279

if(sb != NULL)

1280

avahi_s_service_browser_free(sb);

1281

1282

if(mc.server != NULL)

1283

avahi_server_free(mc.server);

1284

1285

if(mc.simple_poll != NULL)

1286

avahi_simple_poll_free(mc.simple_poll);

1287

1288

if(gnutls_initialized){

1289

gnutls_certificate_free_credentials(mc.cred);

1290

gnutls_global_deinit();

1291

gnutls_dh_params_deinit(mc.dh_params);

1292

}

1293

1294

if(gpgme_initialized){

1295

gpgme_release(mc.ctx);

1296

}

1297

1298

/* Removes the temp directory used by GPGME */

1299

if(tempdir_created){

1300

DIR *d;

1301

struct dirent *direntry;

1302

d = opendir(tempdir);

1303

if(d == NULL){

1304

if(errno != ENOENT){

1305

perror("opendir");

1306

}

1307

} else {

1308

while(true){

1309

direntry = readdir(d);

1310

if(direntry == NULL){

1311

break;

1312

}

1313

/* Skip "." and ".." */

1314

if(direntry->d_name[0] == '.'

1315

and (direntry->d_name[1] == '\0'

1316

or (direntry->d_name[1] == '.'

1317

and direntry->d_name[2] == '\0'))){

1318

continue;

1319

}

1320

char *fullname = NULL;

1321

ret = asprintf(&fullname, "%s/%s", tempdir,

1322

direntry->d_name);

1323

if(ret < 0){

1324

perror("asprintf");

1325

continue;

1326

}

1327

ret = remove(fullname);

1328

if(ret == -1){

1329

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1330

strerror(errno));

1331

}

1332

free(fullname);

1333

}

1334

closedir(d);

1335

}

1336

ret = rmdir(tempdir);

1337

if(ret == -1 and errno != ENOENT){

1338

perror("rmdir");

1339

}

1340

}

1341

1342

return exitcode;

998

999

if (debug){

1000

fprintf(stderr, "%s exiting\n", argv[0]);

1001

}

1002

1003

/* Cleanup things */

1004

if (sb != NULL)

1005

avahi_s_service_browser_free(sb);

1006

1007

if (mc.server != NULL)

1008

avahi_server_free(mc.server);

1009

1010

if (mc.simple_poll != NULL)

1011

avahi_simple_poll_free(mc.simple_poll);

1012

free(pubkeyfile);

1013

free(seckeyfile);

1014

1015

if (gnutls_initalized){

1016

gnutls_certificate_free_credentials (mc.cred);

1017

gnutls_global_deinit ();

1018

}

1019

1020

return exitcode;

1343

1021

}

Older »