/mandos/trunk : revision 24.1.27

9

* "browse_callback", and parts of "main".

10

*

11

* Everything else is

12

13

12

14

13

*

15

14

* This program is free software: you can redistribute it and/or

16

15

* modify it under the terms of the GNU General Public License as

33

32

#define _LARGEFILE_SOURCE

34

33

#define _FILE_OFFSET_BITS 64

35

34

36

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

37

36

38

#include <stdio.h> /* fprintf(), stderr, fwrite(),

39

stdout, ferror() */

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout, ferror() */

40

38

#include <stdint.h> /* uint16_t, uint32_t */

41

39

#include <stddef.h> /* NULL, size_t, ssize_t */

42

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

43

srand() */

40

#include <stdlib.h> /* free() */

44

41

#include <stdbool.h> /* bool, true */

45

#include <string.h> /* memset(), strcmp(), strlen(),

46

strerror(), asprintf(), strcpy() */

47

#include <sys/ioctl.h> /* ioctl */

42

#include <string.h> /* memset(), strcmp(), strlen, strerror() */

43

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

44

SIOCSIFFLAGS */

48

45

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

49

sockaddr_in6, PF_INET6,

50

SOCK_STREAM, INET6_ADDRSTRLEN,

51

uid_t, gid_t, open(), opendir(), DIR */

52

#include <sys/stat.h> /* open() */

46

sockaddr_in6, PF_INET6, SOCK_STREAM, INET6_ADDRSTRLEN */

53

47

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

54

48

struct in6_addr, inet_pton(),

55

49

connect() */

56

#include <fcntl.h> /* open() */

57

#include <dirent.h> /* opendir(), struct dirent, readdir() */

58

#include <inttypes.h> /* PRIu16 */

59

#include <assert.h> /* assert() */

60

#include <errno.h> /* perror(), errno */

61

#include <time.h> /* time() */

50

#include <assert.h>

51

#include <errno.h> /* perror() */

52

#include <time.h>

62

53

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

63

54

SIOCSIFFLAGS, if_indextoname(),

64

55

if_nametoindex(), IF_NAMESIZE */

56

#include <unistd.h> /* close(), SEEK_SET, off_t, write()*/

65

57

#include <netinet/in.h>

66

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

67

getuid(), getgid(), setuid(),

68

setgid() */

69

58

#include <arpa/inet.h> /* inet_pton(), htons */

70

#include <iso646.h> /* not, and */

71

#include <argp.h> /* struct argp_option, error_t, struct

72

argp_state, struct argp,

73

argp_parse(), ARGP_KEY_ARG,

74

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

59

#include <iso646.h> /* not */

60

#include <argp.h> /* struct argp_option,

61

struct argp_state, struct argp,

62

argp_parse() */

75

63

76

64

/* Avahi */

77

/* All Avahi types, constants and functions

78

Avahi*, avahi_*,

79

AVAHI_* */

80

#include <avahi-core/core.h>

65

#include <avahi-core/core.h> /* AvahiSimplePoll, AvahiServer,

66

AvahiIfIndex */

81

67

#include <avahi-core/lookup.h>

82

#include <avahi-core/log.h>

68

#include <avahi-core/log.h> /* AvahiLogLevel */

83

69

#include <avahi-common/simple-watch.h>

84

70

#include <avahi-common/malloc.h>

85

71

#include <avahi-common/error.h>

86

72

87

73

/* GnuTLS */

88

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

89

functions:

90

gnutls_*

74

#include <gnutls/gnutls.h> /* gnutls_certificate_credentials_t,

75

gnutls_dh_params_t,

76

gnutls_strerror(),

77

gnutls_global_init(),

78

gnutls_global_set_log_level(),

79

gnutls_global_set_log_function(),

80

gnutls_certificate_allocate_credentials(),

81

gnutls_global_deinit(),

82

gnutls_dh_params_init(),

83

gnutls_dh_params_generate(),

84

gnutls_certificate_set_dh_params(),

85

gnutls_certificate_free_credentials(),

86

gnutls_session_t, gnutls_init(),

87

gnutls_priority_set_direct(),

88

gnutls_deinit(),

89

gnutls_credentials_set(),

90

gnutls_certificate_server_set_request(),

91

gnutls_dh_set_prime_bits(),

92

gnutls_transport_set_ptr(),

93

gnutls_transport_ptr_t,

94

gnutls_handshake(),

95

gnutls_record_recv()

96

gnutls_perror(), gnutls_bye(),

91

97

init_gnutls_session(),

92

GNUTLS_* */

93

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

94

GNUTLS_OPENPGP_FMT_BASE64 */

98

GNUTLS_E_SUCCESS,

99

GNUTLS_CRD_CERTIFICATE,

100

GNUTLS_CERT_IGNORE,

101

GNUTLS_E_INTERRUPTED,

102

GNUTLS_E_AGAIN,

103

GNUTLS_E_REHANDSHAKE,

104

GNUTLS_SHUT_RDWR, */

105

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

106

GNUTLS_OPENPGP_FMT_BASE64 */

95

107

96

108

/* GPGME */

97

#include <gpgme.h> /* All GPGME types, constants and

98

functions:

99

gpgme_*

109

#include <gpgme.h> /* gpgme_data_t, gpgme_ctx_t,

110

gpgme_error_t, gpgme_engine_info_t,

111

gpgme_check_version(),

112

gpgme_engine_check_version(),

113

gpgme_strsource(),

114

gpgme_strerror(),

115

gpgme_get_engine_info(),

116

gpgme_set_engine_info(),

117

gpgme_data_new_from_mem(),

118

gpgme_data_new(), gpgme_new(),

119

gpgme_op_decrypt(),

120

gpgme_decrypt_result_t,

121

gpgme_op_decrypt_result(),

122

gpgme_recipient_t,

123

gpgme_pubkey_algo_name(),

124

gpgme_data_seek(),

125

gpgme_data_read(),

126

gpgme_data_release()

100

127

GPGME_PROTOCOL_OpenPGP,

101

GPG_ERR_NO_* */

128

GPG_ERR_NO_ERROR,

129

GPG_ERR_NO_SECKEY, */

102

130

103

131

#define BUFFER_SIZE 256

104

132

105

#define PATHDIR "/conf/conf.d/mandos"

106

#define SECKEY "seckey.txt"

107

#define PUBKEY "pubkey.txt"

108

109

133

bool debug = false;

134

static const char *keydir = "/conf/conf.d/mandos";

110

135

static const char mandos_protocol_version[] = "1";

111

const char *argp_program_version = "mandos-client " VERSION;

136

const char *argp_program_version = "mandosclient 0.9";

112

137

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

113

138

114

139

/* Used for passing in values through the Avahi callback functions */

119

144

unsigned int dh_bits;

120

145

gnutls_dh_params_t dh_params;

121

146

const char *priority;

122

gpgme_ctx_t ctx;

123

147

} mandos_context;

124

148

125

149

/*

140

164

}

141

165

142

166

/*

143

* Initialize GPGME.

167

* Decrypt OpenPGP data using keyrings in HOMEDIR.

168

* Returns -1 on error

144

169

*/

145

static bool init_gpgme(mandos_context *mc, const char *seckey,

146

const char *pubkey, const char *tempdir){

147

int ret;

170

static ssize_t pgp_packet_decrypt (const char *cryptotext,

171

size_t crypto_size,

172

char **plaintext,

173

const char *homedir){

174

gpgme_data_t dh_crypto, dh_plain;

175

gpgme_ctx_t ctx;

148

176

gpgme_error_t rc;

177

ssize_t ret;

178

size_t plaintext_capacity = 0;

179

ssize_t plaintext_length = 0;

149

180

gpgme_engine_info_t engine_info;

150

181

151

152

/*

153

* Helper function to insert pub and seckey to the enigne keyring.

154

*/

155

bool import_key(const char *filename){

156

int fd;

157

gpgme_data_t pgp_data;

158

159

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

160

if(fd == -1){

161

perror("open");

162

return false;

163

}

164

165

rc = gpgme_data_new_from_fd(&pgp_data, fd);

166

if (rc != GPG_ERR_NO_ERROR){

167

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

168

gpgme_strsource(rc), gpgme_strerror(rc));

169

return false;

170

}

171

172

rc = gpgme_op_import(mc->ctx, pgp_data);

173

if (rc != GPG_ERR_NO_ERROR){

174

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

175

gpgme_strsource(rc), gpgme_strerror(rc));

176

return false;

177

}

178

179

ret = (int)TEMP_FAILURE_RETRY(close(fd));

180

if(ret == -1){

181

perror("close");

182

}

183

gpgme_data_release(pgp_data);

184

return true;

185

}

186

187

182

if (debug){

188

fprintf(stderr, "Initialize gpgme\n");

183

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

189

184

}

190

185

191

186

/* Init GPGME */

194

189

if (rc != GPG_ERR_NO_ERROR){

195

190

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

196

191

gpgme_strsource(rc), gpgme_strerror(rc));

197

return false;

192

return -1;

198

193

}

199

194

200

/* Set GPGME home directory for the OpenPGP engine only */

195

/* Set GPGME home directory for the OpenPGP engine only */

201

196

rc = gpgme_get_engine_info (&engine_info);

202

197

if (rc != GPG_ERR_NO_ERROR){

203

198

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

204

199

gpgme_strsource(rc), gpgme_strerror(rc));

205

return false;

200

return -1;

206

201

}

207

202

while(engine_info != NULL){

208

203

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

209

204

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

210

engine_info->file_name, tempdir);

205

engine_info->file_name, homedir);

211

206

break;

212

207

}

213

208

engine_info = engine_info->next;

214

209

}

215

210

if(engine_info == NULL){

216

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

217

return false;

218

}

219

220

/* Create new GPGME "context" */

221

rc = gpgme_new(&(mc->ctx));

222

if (rc != GPG_ERR_NO_ERROR){

223

fprintf(stderr, "bad gpgme_new: %s: %s\n",

224

gpgme_strsource(rc), gpgme_strerror(rc));

225

return false;

226

}

227

228

if (not import_key(pubkey) or not import_key(seckey)){

229

return false;

230

}

231

232

return true;

233

}

234

235

/*

236

* Decrypt OpenPGP data.

237

* Returns -1 on error

238

*/

239

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

240

const char *cryptotext,

241

size_t crypto_size,

242

char **plaintext){

243

gpgme_data_t dh_crypto, dh_plain;

244

gpgme_error_t rc;

245

ssize_t ret;

246

size_t plaintext_capacity = 0;

247

ssize_t plaintext_length = 0;

248

249

if (debug){

250

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

211

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

212

return -1;

251

213

}

252

214

253

215

/* Create new GPGME data buffer from memory cryptotext */

268

230

return -1;

269

231

}

270

232

233

/* Create new GPGME "context" */

234

rc = gpgme_new(&ctx);

235

if (rc != GPG_ERR_NO_ERROR){

236

fprintf(stderr, "bad gpgme_new: %s: %s\n",

237

gpgme_strsource(rc), gpgme_strerror(rc));

238

plaintext_length = -1;

239

goto decrypt_end;

240

}

241

271

242

/* Decrypt data from the cryptotext data buffer to the plaintext

272

243

data buffer */

273

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

244

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

274

245

if (rc != GPG_ERR_NO_ERROR){

275

246

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

276

247

gpgme_strsource(rc), gpgme_strerror(rc));

277

248

plaintext_length = -1;

278

if (debug){

279

gpgme_decrypt_result_t result;

280

result = gpgme_op_decrypt_result(mc->ctx);

281

if (result == NULL){

282

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

283

} else {

284

fprintf(stderr, "Unsupported algorithm: %s\n",

285

result->unsupported_algorithm);

286

fprintf(stderr, "Wrong key usage: %u\n",

287

result->wrong_key_usage);

288

if(result->file_name != NULL){

289

fprintf(stderr, "File name: %s\n", result->file_name);

290

}

291

gpgme_recipient_t recipient;

292

recipient = result->recipients;

293

if(recipient){

294

while(recipient != NULL){

295

fprintf(stderr, "Public key algorithm: %s\n",

296

gpgme_pubkey_algo_name(recipient->pubkey_algo));

297

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

298

fprintf(stderr, "Secret key available: %s\n",

299

recipient->status == GPG_ERR_NO_SECKEY

300

? "No" : "Yes");

301

recipient = recipient->next;

302

}

303

}

304

}

305

}

306

249

goto decrypt_end;

307

250

}

308

251

310

253

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

311

254

}

312

255

256

if (debug){

257

gpgme_decrypt_result_t result;

258

result = gpgme_op_decrypt_result(ctx);

259

if (result == NULL){

260

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

261

} else {

262

fprintf(stderr, "Unsupported algorithm: %s\n",

263

result->unsupported_algorithm);

264

fprintf(stderr, "Wrong key usage: %d\n",

265

result->wrong_key_usage);

266

if(result->file_name != NULL){

267

fprintf(stderr, "File name: %s\n", result->file_name);

268

}

269

gpgme_recipient_t recipient;

270

recipient = result->recipients;

271

if(recipient){

272

while(recipient != NULL){

273

fprintf(stderr, "Public key algorithm: %s\n",

274

gpgme_pubkey_algo_name(recipient->pubkey_algo));

275

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

276

fprintf(stderr, "Secret key available: %s\n",

277

recipient->status == GPG_ERR_NO_SECKEY

278

? "No" : "Yes");

279

recipient = recipient->next;

280

}

281

}

282

}

283

}

284

313

285

/* Seek back to the beginning of the GPGME plaintext data buffer */

314

286

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

315

perror("gpgme_data_seek");

287

perror("pgpme_data_seek");

316

288

plaintext_length = -1;

317

289

goto decrypt_end;

318

290

}

342

314

}

343

315

plaintext_length += ret;

344

316

}

345

317

346

318

if(debug){

347

319

fprintf(stderr, "Decrypted password is: ");

348

320

for(ssize_t i = 0; i < plaintext_length; i++){

362

334

}

363

335

364

336

static const char * safer_gnutls_strerror (int value) {

365

const char *ret = gnutls_strerror (value); /* Spurious warning */

337

const char *ret = gnutls_strerror (value);

366

338

if (ret == NULL)

367

339

ret = "(unknown)";

368

340

return ret;

375

347

}

376

348

377

349

static int init_gnutls_global(mandos_context *mc,

378

const char *pubkeyfilename,

379

const char *seckeyfilename){

350

const char *pubkeyfile,

351

const char *seckeyfile){

380

352

int ret;

381

353

382

354

if(debug){

383

355

fprintf(stderr, "Initializing GnuTLS\n");

384

356

}

385

386

ret = gnutls_global_init();

387

if (ret != GNUTLS_E_SUCCESS) {

357

358

if ((ret = gnutls_global_init ())

359

!= GNUTLS_E_SUCCESS) {

388

360

fprintf (stderr, "GnuTLS global_init: %s\n",

389

361

safer_gnutls_strerror(ret));

390

362

return -1;

399

371

}

400

372

401

373

/* OpenPGP credentials */

402

gnutls_certificate_allocate_credentials(&mc->cred);

403

if (ret != GNUTLS_E_SUCCESS){

404

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

405

warning */

374

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

375

!= GNUTLS_E_SUCCESS) {

376

fprintf (stderr, "GnuTLS memory error: %s\n",

406

377

safer_gnutls_strerror(ret));

407

378

gnutls_global_deinit ();

408

379

return -1;

409

380

}

410

381

411

382

if(debug){

412

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

413

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

414

seckeyfilename);

383

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

384

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

385

seckeyfile);

415

386

}

416

387

417

388

ret = gnutls_certificate_set_openpgp_key_file

418

(mc->cred, pubkeyfilename, seckeyfilename,

419

GNUTLS_OPENPGP_FMT_BASE64);

389

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

420

390

if (ret != GNUTLS_E_SUCCESS) {

421

391

fprintf(stderr,

422

392

"Error[%d] while reading the OpenPGP key pair ('%s',"

423

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

424

fprintf(stderr, "The GnuTLS error is: %s\n",

393

" '%s')\n", ret, pubkeyfile, seckeyfile);

394

fprintf(stdout, "The GnuTLS error is: %s\n",

425

395

safer_gnutls_strerror(ret));

426

396

goto globalfail;

427

397

}

441

411

}

442

412

443

413

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

444

414

445

415

return 0;

446

416

447

417

globalfail:

448

418

449

419

gnutls_certificate_free_credentials(mc->cred);

450

420

gnutls_global_deinit();

451

gnutls_dh_params_deinit(mc->dh_params);

452

421

return -1;

422

453

423

}

454

424

455

425

static int init_gnutls_session(mandos_context *mc,

501

471

AvahiIfIndex if_index,

502

472

mandos_context *mc){

503

473

int ret, tcp_sd;

504

ssize_t sret;

505

474

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

506

475

char *buffer = NULL;

507

476

char *decrypted_buffer;

519

488

}

520

489

521

490

if(debug){

522

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

523

"\n", ip, port);

491

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

492

ip, port);

524

493

}

525

494

526

495

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

528

497

perror("socket");

529

498

return -1;

530

499

}

531

500

532

501

if(debug){

533

502

if(if_indextoname((unsigned int)if_index, interface) == NULL){

534

503

perror("if_indextoname");

537

506

fprintf(stderr, "Binding to interface %s\n", interface);

538

507

}

539

508

540

memset(&to, 0, sizeof(to));

509

memset(&to,0,sizeof(to)); /* Spurious warning */

541

510

to.in6.sin6_family = AF_INET6;

542

511

/* It would be nice to have a way to detect if we were passed an

543

512

IPv4 address here. Now we assume an IPv6 address. */

550

519

fprintf(stderr, "Bad address: %s\n", ip);

551

520

return -1;

552

521

}

553

to.in6.sin6_port = htons(port); /* Spurious warning */

522

to.in6.sin6_port = htons(port); /* Spurious warning */

554

523

555

524

to.in6.sin6_scope_id = (uint32_t)if_index;

556

525

557

526

if(debug){

558

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

559

port);

527

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

560

528

char addrstr[INET6_ADDRSTRLEN] = "";

561

529

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

562

530

sizeof(addrstr)) == NULL){

573

541

perror("connect");

574

542

return -1;

575

543

}

576

544

577

545

const char *out = mandos_protocol_version;

578

546

written = 0;

579

547

while (true){

580

548

size_t out_size = strlen(out);

581

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

549

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

582

550

out_size - written));

583

551

if (ret == -1){

584

552

perror("write");

597

565

}

598

566

}

599

567

}

600

568

601

569

if(debug){

602

570

fprintf(stderr, "Establishing TLS session with %s\n", ip);

603

571

}

604

572

605

573

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

606

574

607

do{

608

ret = gnutls_handshake (session);

609

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

575

ret = gnutls_handshake (session);

610

576

611

577

if (ret != GNUTLS_E_SUCCESS){

612

578

if(debug){

623

589

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

624

590

ip);

625

591

}

626

592

627

593

while(true){

628

594

buffer_capacity = adjustbuffer(&buffer, buffer_length,

629

595

buffer_capacity);

633

599

goto mandos_end;

634

600

}

635

601

636

sret = gnutls_record_recv(session, buffer+buffer_length,

637

BUFFER_SIZE);

638

if (sret == 0){

602

ret = gnutls_record_recv(session, buffer+buffer_length,

603

BUFFER_SIZE);

604

if (ret == 0){

639

605

break;

640

606

}

641

if (sret < 0){

642

switch(sret){

607

if (ret < 0){

608

switch(ret){

643

609

case GNUTLS_E_INTERRUPTED:

644

610

case GNUTLS_E_AGAIN:

645

611

break;

646

612

case GNUTLS_E_REHANDSHAKE:

647

do{

648

ret = gnutls_handshake (session);

649

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

613

ret = gnutls_handshake (session);

650

614

if (ret < 0){

651

615

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

652

616

gnutls_perror (ret);

662

626

goto mandos_end;

663

627

}

664

628

} else {

665

buffer_length += (size_t) sret;

629

buffer_length += (size_t) ret;

666

630

}

667

631

}

668

632

673

637

gnutls_bye (session, GNUTLS_SHUT_RDWR);

674

638

675

639

if (buffer_length > 0){

676

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

640

decrypted_buffer_size = pgp_packet_decrypt(buffer,

677

641

buffer_length,

678

&decrypted_buffer);

642

&decrypted_buffer,

643

keydir);

679

644

if (decrypted_buffer_size >= 0){

680

645

written = 0;

681

646

while(written < (size_t) decrypted_buffer_size){

696

661

} else {

697

662

retval = -1;

698

663

}

699

} else {

700

retval = -1;

701

664

}

702

665

703

666

/* Shutdown procedure */

704

667

705

668

mandos_end:

706

669

free(buffer);

707

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

708

if(ret == -1){

709

perror("close");

710

}

670

close(tcp_sd);

711

671

gnutls_deinit (session);

712

672

return retval;

713

673

}

727

687

flags,

728

688

void* userdata) {

729

689

mandos_context *mc = userdata;

730

assert(r);

690

assert(r); /* Spurious warning */

731

691

732

692

/* Called whenever a service has been resolved successfully or

733

693

timed out */

745

705

char ip[AVAHI_ADDRESS_STR_MAX];

746

706

avahi_address_snprint(ip, sizeof(ip), address);

747

707

if(debug){

748

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

749

PRIu16 ") on port %d\n", name, host_name, ip,

750

interface, port);

708

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

709

" port %d\n", name, host_name, ip, interface, port);

751

710

}

752

711

int ret = start_mandos_communication(ip, port, interface, mc);

753

712

if (ret == 0){

754

avahi_simple_poll_quit(mc->simple_poll);

713

exit(EXIT_SUCCESS);

755

714

}

756

715

}

757

716

}

769

728

flags,

770

729

void* userdata) {

771

730

mandos_context *mc = userdata;

772

assert(b);

731

assert(b); /* Spurious warning */

773

732

774

733

/* Called whenever a new services becomes available on the LAN or

775

734

is removed from the LAN */

809

768

}

810

769

}

811

770

771

/* Combines file name and path and returns the malloced new

772

string. some sane checks could/should be added */

773

static const char *combinepath(const char *first, const char *second){

774

size_t f_len = strlen(first);

775

size_t s_len = strlen(second);

776

char *tmp = malloc(f_len + s_len + 2);

777

if (tmp == NULL){

778

return NULL;

779

}

780

if(f_len > 0){

781

memcpy(tmp, first, f_len); /* Spurious warning */

782

}

783

tmp[f_len] = '/';

784

if(s_len > 0){

785

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

786

}

787

tmp[f_len + 1 + s_len] = '\0';

788

return tmp;

789

}

790

791

812

792

int main(int argc, char *argv[]){

813

793

AvahiSServiceBrowser *sb = NULL;

814

794

int error;

820

800

uid_t uid;

821

801

gid_t gid;

822

802

char *connect_to = NULL;

823

char tempdir[] = "/tmp/mandosXXXXXX";

824

803

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

825

const char *seckey = PATHDIR "/" SECKEY;

826

const char *pubkey = PATHDIR "/" PUBKEY;

827

804

const char *pubkeyfile = "pubkey.txt";

805

const char *seckeyfile = "seckey.txt";

828

806

mandos_context mc = { .simple_poll = NULL, .server = NULL,

829

.dh_bits = 1024, .priority = "SECURE256"

830

":!CTYPE-X.509:+CTYPE-OPENPGP" };

807

.dh_bits = 1024, .priority = "SECURE256"};

831

808

bool gnutls_initalized = false;

832

bool gpgme_initalized = false;

833

809

834

810

{

835

811

struct argp_option options[] = {

836

812

{ .name = "debug", .key = 128,

837

813

.doc = "Debug mode", .group = 3 },

838

814

{ .name = "connect", .key = 'c',

839

.arg = "ADDRESS:PORT",

840

.doc = "Connect directly to a specific Mandos server",

815

.arg = "IP",

816

.doc = "Connect directly to a sepcified mandos server",

841

817

.group = 1 },

842

818

{ .name = "interface", .key = 'i',

843

.arg = "NAME",

844

.doc = "Interface that will be used to search for Mandos"

845

" servers",

819

.arg = "INTERFACE",

820

.doc = "Interface that Avahi will conntect through",

821

.group = 1 },

822

{ .name = "keydir", .key = 'd',

823

.arg = "KEYDIR",

824

.doc = "Directory where the openpgp keyring is",

846

825

.group = 1 },

847

826

{ .name = "seckey", .key = 's',

848

.arg = "FILE",

849

.doc = "OpenPGP secret key file base name",

827

.arg = "SECKEY",

828

.doc = "Secret openpgp key for gnutls authentication",

850

829

.group = 1 },

851

830

{ .name = "pubkey", .key = 'p',

852

.arg = "FILE",

853

.doc = "OpenPGP public key file base name",

831

.arg = "PUBKEY",

832

.doc = "Public openpgp key for gnutls authentication",

854

833

.group = 2 },

855

834

{ .name = "dh-bits", .key = 129,

856

835

.arg = "BITS",

857

.doc = "Bit length of the prime number used in the"

858

" Diffie-Hellman key exchange",

836

.doc = "dh-bits to use in gnutls communication",

859

837

.group = 2 },

860

838

{ .name = "priority", .key = 130,

861

.arg = "STRING",

862

.doc = "GnuTLS priority string for the TLS handshake",

863

.group = 1 },

839

.arg = "PRIORITY",

840

.doc = "GNUTLS priority", .group = 1 },

864

841

{ .name = NULL }

865

842

};

843

866

844

867

845

error_t parse_opt (int key, char *arg,

868

846

struct argp_state *state) {

869

847

/* Get the INPUT argument from `argp_parse', which we know is

870

848

a pointer to our plugin list pointer. */

871

849

switch (key) {

872

case 128: /* --debug */

850

case 128:

873

851

debug = true;

874

852

break;

875

case 'c': /* --connect */

853

case 'c':

876

854

connect_to = arg;

877

855

break;

878

case 'i': /* --interface */

856

case 'i':

879

857

interface = arg;

880

858

break;

881

case 's': /* --seckey */

882

seckey = arg;

883

break;

884

case 'p': /* --pubkey */

885

pubkey = arg;

886

break;

887

case 129: /* --dh-bits */

859

case 'd':

860

keydir = arg;

861

break;

862

case 's':

863

seckeyfile = arg;

864

break;

865

case 'p':

866

pubkeyfile = arg;

867

break;

868

case 129:

888

869

errno = 0;

889

870

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

890

871

if (errno){

892

873

exit(EXIT_FAILURE);

893

874

}

894

875

break;

895

case 130: /* --priority */

876

case 130:

896

877

mc.priority = arg;

897

878

break;

898

879

case ARGP_KEY_ARG:

899

880

argp_usage (state);

900

case ARGP_KEY_END:

901

881

break;

882

case ARGP_KEY_END:

883

break;

902

884

default:

903

885

return ARGP_ERR_UNKNOWN;

904

886

}

905

887

return 0;

906

888

}

907

889

908

890

struct argp argp = { .options = options, .parser = parse_opt,

909

891

.args_doc = "",

910

892

.doc = "Mandos client -- Get and decrypt"

911

" passwords from a Mandos server" };

912

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

913

if (ret == ARGP_ERR_UNKNOWN){

914

fprintf(stderr, "Unknown error while parsing arguments\n");

915

exitcode = EXIT_FAILURE;

916

goto end;

917

}

918

}

919

920

/* If the interface is down, bring it up */

921

{

922

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

923

if(sd < 0) {

924

perror("socket");

925

exitcode = EXIT_FAILURE;

926

goto end;

927

}

928

strcpy(network.ifr_name, interface);

929

ret = ioctl(sd, SIOCGIFFLAGS, &network);

930

if(ret == -1){

931

perror("ioctl SIOCGIFFLAGS");

932

exitcode = EXIT_FAILURE;

933

goto end;

934

}

935

if((network.ifr_flags & IFF_UP) == 0){

936

network.ifr_flags |= IFF_UP;

937

ret = ioctl(sd, SIOCSIFFLAGS, &network);

938

if(ret == -1){

939

perror("ioctl SIOCSIFFLAGS");

940

exitcode = EXIT_FAILURE;

941

goto end;

942

}

943

}

944

ret = (int)TEMP_FAILURE_RETRY(close(sd));

945

if(ret == -1){

946

perror("close");

947

}

948

}

949

893

" passwords from mandos server" };

894

argp_parse (&argp, argc, argv, 0, 0, NULL);

895

}

896

897

pubkeyfile = combinepath(keydir, pubkeyfile);

898

if (pubkeyfile == NULL){

899

perror("combinepath");

900

exitcode = EXIT_FAILURE;

901

goto end;

902

}

903

904

seckeyfile = combinepath(keydir, seckeyfile);

905

if (seckeyfile == NULL){

906

perror("combinepath");

907

goto end;

908

}

909

910

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

911

if (ret == -1){

912

fprintf(stderr, "init_gnutls_global\n");

913

goto end;

914

} else {

915

gnutls_initalized = true;

916

}

917

950

918

uid = getuid();

951

919

gid = getgid();

952

920

953

921

ret = setuid(uid);

954

922

if (ret == -1){

955

923

perror("setuid");

960

928

perror("setgid");

961

929

}

962

930

963

ret = init_gnutls_global(&mc, pubkey, seckey);

964

if (ret == -1){

965

fprintf(stderr, "init_gnutls_global failed\n");

966

exitcode = EXIT_FAILURE;

967

goto end;

968

} else {

969

gnutls_initalized = true;

970

}

971

972

if(mkdtemp(tempdir) == NULL){

973

perror("mkdtemp");

974

tempdir[0] = '\0';

975

goto end;

976

}

977

978

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

979

fprintf(stderr, "gpgme_initalized failed\n");

980

exitcode = EXIT_FAILURE;

981

goto end;

982

} else {

983

gpgme_initalized = true;

984

}

985

986

931

if_index = (AvahiIfIndex) if_nametoindex(interface);

987

932

if(if_index == 0){

988

933

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1016

961

goto end;

1017

962

}

1018

963

964

/* If the interface is down, bring it up */

965

{

966

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

967

if(sd < 0) {

968

perror("socket");

969

exitcode = EXIT_FAILURE;

970

goto end;

971

}

972

strcpy(network.ifr_name, interface); /* Spurious warning */

973

ret = ioctl(sd, SIOCGIFFLAGS, &network);

974

if(ret == -1){

975

perror("ioctl SIOCGIFFLAGS");

976

exitcode = EXIT_FAILURE;

977

goto end;

978

}

979

if((network.ifr_flags & IFF_UP) == 0){

980

network.ifr_flags |= IFF_UP;

981

ret = ioctl(sd, SIOCSIFFLAGS, &network);

982

if(ret == -1){

983

perror("ioctl SIOCSIFFLAGS");

984

exitcode = EXIT_FAILURE;

985

goto end;

986

}

987

}

988

close(sd);

989

}

990

1019

991

if (not debug){

1020

992

avahi_set_log_function(empty_log);

1021

993

}

1031

1003

exitcode = EXIT_FAILURE;

1032

1004

goto end;

1033

1005

}

1034

1006

1035

1007

{

1036

1008

AvahiServerConfig config;

1037

1009

/* Do not publish any local Zeroconf records */

1040

1012

config.publish_addresses = 0;

1041

1013

config.publish_workstation = 0;

1042

1014

config.publish_domain = 0;

1043

1015

1044

1016

/* Allocate a new server */

1045

1017

mc.server = avahi_server_new(avahi_simple_poll_get

1046

1018

(mc.simple_poll), &config, NULL,

1047

1019

NULL, &error);

1048

1020

1049

1021

/* Free the Avahi configuration data */

1050

1022

avahi_server_config_free(&config);

1051

1023

}

1071

1043

}

1072

1044

1073

1045

/* Run the main loop */

1074

1046

1075

1047

if (debug){

1076

1048

fprintf(stderr, "Starting Avahi loop search\n");

1077

1049

}

1079

1051

avahi_simple_poll_loop(mc.simple_poll);

1080

1052

1081

1053

end:

1082

1054

1083

1055

if (debug){

1084

1056

fprintf(stderr, "%s exiting\n", argv[0]);

1085

1057

}

1090

1062

1091

1063

if (mc.server != NULL)

1092

1064

avahi_server_free(mc.server);

1093

1065

1094

1066

if (mc.simple_poll != NULL)

1095

1067

avahi_simple_poll_free(mc.simple_poll);

1096

1068

free(pubkeyfile);

1069

free(seckeyfile);

1070

1097

1071

if (gnutls_initalized){

1098

gnutls_certificate_free_credentials(mc.cred);

1072

gnutls_certificate_free_credentials (mc.cred);

1099

1073

gnutls_global_deinit ();

1100

gnutls_dh_params_deinit(mc.dh_params);

1101

}

1102

1103

if(gpgme_initalized){

1104

gpgme_release(mc.ctx);

1105

}

1106

1107

/* Removes the temp directory used by GPGME */

1108

if(tempdir[0] != '\0'){

1109

DIR *d;

1110

struct dirent *direntry;

1111

d = opendir(tempdir);

1112

if(d == NULL){

1113

perror("opendir");

1114

} else {

1115

while(true){

1116

direntry = readdir(d);

1117

if(direntry == NULL){

1118

break;

1119

}

1120

if (direntry->d_type == DT_REG){

1121

char *fullname = NULL;

1122

ret = asprintf(&fullname, "%s/%s", tempdir,

1123

direntry->d_name);

1124

if(ret < 0){

1125

perror("asprintf");

1126

continue;

1127

}

1128

ret = unlink(fullname);

1129

if(ret == -1){

1130

fprintf(stderr, "unlink(\"%s\"): %s",

1131

fullname, strerror(errno));

1132

}

1133

free(fullname);

1134

}

1135

}

1136

closedir(d);

1137

}

1138

ret = rmdir(tempdir);

1139

if(ret == -1){

1140

perror("rmdir");

1141

}

1142

}

1143

1074

}

1075

1144

1076

return exitcode;

1145

1077

}