To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.4
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.4
- Committer: Björn Påhlsson
- Date: 2008-07-30 02:11:33 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 30.
- Revision ID: belorn@braxen-20080730021133-q341llq93r328q5b
Added optional parameters certdir, certkey and certfile that can be iven at start in the command line.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- clients.conf => mandos-clients.conf
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
/* Needed by GPGME, specifically gpgme_data_seek() */
32
#define _FORTIFY_SOURCE 2
33
33
34
#define _LARGEFILE_SOURCE
34
35
#define _FILE_OFFSET_BITS 64
35
36
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
79
80
/* Avahi */
81
/* All Avahi types, constants and functions
82
Avahi*, avahi_*,
83
AVAHI_* */
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
84
43
#include <avahi-core/core.h>
85
44
#include <avahi-core/lookup.h>
86
45
#include <avahi-core/log.h>
88
47
#include <avahi-common/malloc.h>
89
48
#include <avahi-common/error.h>
90
49
91
/* GnuTLS */
92
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
93
functions:
94
gnutls_*
95
init_gnutls_session(),
96
GNUTLS_* */
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
99
GNUTLS_OPENPGP_FMT_BASE64 */
100
101
/* GPGME */
102
#include <gpgme.h> /* All GPGME types, constants and
103
functions:
104
gpgme_*
105
GPGME_PROTOCOL_OpenPGP,
106
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
107
70
108
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
109
73
110
#define PATHDIR "/conf/conf.d/mandos"
111
#define SECKEY "seckey.txt"
112
#define PUBKEY "pubkey.txt"
74
const char *certdir = "/conf/conf.d/cryptkeyreq/";
75
const char *certfile = "openpgp-client.txt";
76
const char *certkey = "openpgp-client-key.txt";
113
77
114
78
bool debug = false;
115
static const char mandos_protocol_version[] = "1";
116
const char *argp_program_version = "mandos-client " VERSION;
117
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
118
79
119
/* Used for passing in values through the Avahi callback functions */
120
80
typedef struct {
121
AvahiSimplePoll *simple_poll;
122
AvahiServer *server;
81
gnutls_session_t session;
123
82
gnutls_certificate_credentials_t cred;
124
unsigned int dh_bits;
125
83
gnutls_dh_params_t dh_params;
126
const char *priority;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
127
90
gpgme_ctx_t ctx;
128
} mandos_context;
129
130
/*
131
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
132
* "buffer_capacity" is how much is currently allocated,
133
* "buffer_length" is how much is already used.
134
*/
135
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
138
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
139
if(buffer == NULL){
140
return 0;
141
}
142
buffer_capacity += BUFFER_SIZE;
143
}
144
return buffer_capacity;
145
}
146
147
/*
148
* Initialize GPGME.
149
*/
150
static bool init_gpgme(mandos_context *mc, const char *seckey,
151
const char *pubkey, const char *tempdir){
152
int ret;
153
91
gpgme_error_t rc;
92
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
154
95
gpgme_engine_info_t engine_info;
155
156
157
/*
158
* Helper function to insert pub and seckey to the engine keyring.
159
*/
160
bool import_key(const char *filename){
161
int fd;
162
gpgme_data_t pgp_data;
163
164
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
165
if(fd == -1){
166
perror("open");
167
return false;
168
}
169
170
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
172
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
gpgme_strsource(rc), gpgme_strerror(rc));
174
return false;
175
}
176
177
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
179
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
gpgme_strsource(rc), gpgme_strerror(rc));
181
return false;
182
}
183
184
ret = (int)TEMP_FAILURE_RETRY(close(fd));
185
if(ret == -1){
186
perror("close");
187
}
188
gpgme_data_release(pgp_data);
189
return true;
190
}
191
192
if(debug){
193
fprintf(stderr, "Initialize gpgme\n");
96
97
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
194
99
}
195
100
196
101
/* Init GPGME */
197
102
gpgme_check_version(NULL);
198
103
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
199
if(rc != GPG_ERR_NO_ERROR){
104
if (rc != GPG_ERR_NO_ERROR){
200
105
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
201
106
gpgme_strsource(rc), gpgme_strerror(rc));
202
return false;
107
return -1;
203
108
}
204
109
205
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
110
/* Set GPGME home directory */
111
rc = gpgme_get_engine_info (&engine_info);
112
if (rc != GPG_ERR_NO_ERROR){
208
113
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
209
114
gpgme_strsource(rc), gpgme_strerror(rc));
210
return false;
115
return -1;
211
116
}
212
117
while(engine_info != NULL){
213
118
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
214
119
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
215
engine_info->file_name, tempdir);
120
engine_info->file_name, homedir);
216
121
break;
217
122
}
218
123
engine_info = engine_info->next;
219
124
}
220
125
if(engine_info == NULL){
221
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
222
return false;
223
}
224
225
/* Create new GPGME "context" */
226
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
228
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
231
}
232
233
if(not import_key(pubkey) or not import_key(seckey)){
234
return false;
235
}
236
237
return true;
238
}
239
240
/*
241
* Decrypt OpenPGP data.
242
* Returns -1 on error
243
*/
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
246
size_t crypto_size,
247
char **plaintext){
248
gpgme_data_t dh_crypto, dh_plain;
249
gpgme_error_t rc;
250
ssize_t ret;
251
size_t plaintext_capacity = 0;
252
ssize_t plaintext_length = 0;
253
254
if(debug){
255
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
256
}
257
258
/* Create new GPGME data buffer from memory cryptotext */
259
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
260
0);
261
if(rc != GPG_ERR_NO_ERROR){
126
fprintf(stderr, "Could not set home dir to %s\n", homedir);
127
return -1;
128
}
129
130
/* Create new GPGME data buffer from packet buffer */
131
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
132
if (rc != GPG_ERR_NO_ERROR){
262
133
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
263
134
gpgme_strsource(rc), gpgme_strerror(rc));
264
135
return -1;
266
137
267
138
/* Create new empty GPGME data buffer for the plaintext */
268
139
rc = gpgme_data_new(&dh_plain);
269
if(rc != GPG_ERR_NO_ERROR){
140
if (rc != GPG_ERR_NO_ERROR){
270
141
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
271
142
gpgme_strsource(rc), gpgme_strerror(rc));
272
gpgme_data_release(dh_crypto);
273
return -1;
274
}
275
276
/* Decrypt data from the cryptotext data buffer to the plaintext
277
data buffer */
278
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
143
return -1;
144
}
145
146
/* Create new GPGME "context" */
147
rc = gpgme_new(&ctx);
148
if (rc != GPG_ERR_NO_ERROR){
149
fprintf(stderr, "bad gpgme_new: %s: %s\n",
150
gpgme_strsource(rc), gpgme_strerror(rc));
151
return -1;
152
}
153
154
/* Decrypt data from the FILE pointer to the plaintext data
155
buffer */
156
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
157
if (rc != GPG_ERR_NO_ERROR){
280
158
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
281
159
gpgme_strsource(rc), gpgme_strerror(rc));
282
plaintext_length = -1;
283
if(debug){
284
gpgme_decrypt_result_t result;
285
result = gpgme_op_decrypt_result(mc->ctx);
286
if(result == NULL){
287
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
288
} else {
289
fprintf(stderr, "Unsupported algorithm: %s\n",
290
result->unsupported_algorithm);
291
fprintf(stderr, "Wrong key usage: %u\n",
292
result->wrong_key_usage);
293
if(result->file_name != NULL){
294
fprintf(stderr, "File name: %s\n", result->file_name);
295
}
296
gpgme_recipient_t recipient;
297
recipient = result->recipients;
298
if(recipient){
299
while(recipient != NULL){
300
fprintf(stderr, "Public key algorithm: %s\n",
301
gpgme_pubkey_algo_name(recipient->pubkey_algo));
302
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
303
fprintf(stderr, "Secret key available: %s\n",
304
recipient->status == GPG_ERR_NO_SECKEY
305
? "No" : "Yes");
306
recipient = recipient->next;
307
}
160
return -1;
161
}
162
163
if(debug){
164
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
165
}
166
167
if (debug){
168
gpgme_decrypt_result_t result;
169
result = gpgme_op_decrypt_result(ctx);
170
if (result == NULL){
171
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
172
} else {
173
fprintf(stderr, "Unsupported algorithm: %s\n",
174
result->unsupported_algorithm);
175
fprintf(stderr, "Wrong key usage: %d\n",
176
result->wrong_key_usage);
177
if(result->file_name != NULL){
178
fprintf(stderr, "File name: %s\n", result->file_name);
179
}
180
gpgme_recipient_t recipient;
181
recipient = result->recipients;
182
if(recipient){
183
while(recipient != NULL){
184
fprintf(stderr, "Public key algorithm: %s\n",
185
gpgme_pubkey_algo_name(recipient->pubkey_algo));
186
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
187
fprintf(stderr, "Secret key available: %s\n",
188
recipient->status == GPG_ERR_NO_SECKEY
189
? "No" : "Yes");
190
recipient = recipient->next;
308
191
}
309
192
}
310
193
}
311
goto decrypt_end;
312
194
}
313
195
314
if(debug){
315
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
316
}
196
/* Delete the GPGME FILE pointer cryptotext data buffer */
197
gpgme_data_release(dh_crypto);
317
198
318
199
/* Seek back to the beginning of the GPGME plaintext data buffer */
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
320
perror("gpgme_data_seek");
321
plaintext_length = -1;
322
goto decrypt_end;
323
}
324
325
*plaintext = NULL;
200
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
201
202
*new_packet = 0;
326
203
while(true){
327
plaintext_capacity = adjustbuffer(plaintext,
328
(size_t)plaintext_length,
329
plaintext_capacity);
330
if(plaintext_capacity == 0){
331
perror("adjustbuffer");
332
plaintext_length = -1;
333
goto decrypt_end;
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
207
+ BUFFER_SIZE);
208
if (*new_packet == NULL){
209
perror("realloc");
210
return -1;
211
}
212
new_packet_capacity += BUFFER_SIZE;
334
213
}
335
214
336
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
337
216
BUFFER_SIZE);
338
217
/* Print the data, if any */
339
if(ret == 0){
340
/* EOF */
218
if (ret == 0){
341
219
break;
342
220
}
343
221
if(ret < 0){
344
222
perror("gpgme_data_read");
345
plaintext_length = -1;
346
goto decrypt_end;
347
}
348
plaintext_length += ret;
349
}
350
351
if(debug){
352
fprintf(stderr, "Decrypted password is: ");
353
for(ssize_t i = 0; i < plaintext_length; i++){
354
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
355
}
356
fprintf(stderr, "\n");
357
}
358
359
decrypt_end:
360
361
/* Delete the GPGME cryptotext data buffer */
362
gpgme_data_release(dh_crypto);
223
return -1;
224
}
225
new_packet_length += ret;
226
}
227
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
230
/* if(debug){ */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
234
/* } */
363
235
364
236
/* Delete the GPGME plaintext data buffer */
365
237
gpgme_data_release(dh_plain);
366
return plaintext_length;
238
return new_packet_length;
367
239
}
368
240
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
372
if(ret == NULL)
241
static const char * safer_gnutls_strerror (int value) {
242
const char *ret = gnutls_strerror (value);
243
if (ret == NULL)
373
244
ret = "(unknown)";
374
245
return ret;
375
246
}
376
247
377
/* GnuTLS log function callback */
378
static void debuggnutls(__attribute__((unused)) int level,
379
const char* string){
380
fprintf(stderr, "GnuTLS: %s", string);
248
void debuggnutls(__attribute__((unused)) int level,
249
const char* string){
250
fprintf(stderr, "%s", string);
381
251
}
382
252
383
static int init_gnutls_global(mandos_context *mc,
384
const char *pubkeyfilename,
385
const char *seckeyfilename){
253
int initgnutls(encrypted_session *es){
254
const char *err;
386
255
int ret;
387
256
388
257
if(debug){
389
258
fprintf(stderr, "Initializing GnuTLS\n");
390
259
}
391
392
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
260
261
if ((ret = gnutls_global_init ())
262
!= GNUTLS_E_SUCCESS) {
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
396
264
return -1;
397
265
}
398
399
if(debug){
400
/* "Use a log level over 10 to enable all debugging options."
401
* - GnuTLS manual
402
*/
266
267
if (debug){
403
268
gnutls_global_set_log_level(11);
404
269
gnutls_global_set_log_function(debuggnutls);
405
270
}
406
271
407
/* OpenPGP credentials */
408
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
411
* from
412
* -Wunreachable-code
413
*/
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
274
!= GNUTLS_E_SUCCESS) {
275
fprintf (stderr, "memory error: %s\n",
276
safer_gnutls_strerror(ret));
416
277
return -1;
417
278
}
418
279
419
280
if(debug){
420
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
421
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
422
seckeyfilename);
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
282
" and keyfile %s as GnuTLS credentials\n", certfile,
283
certkey);
423
284
}
424
285
425
286
ret = gnutls_certificate_set_openpgp_key_file
426
(mc->cred, pubkeyfilename, seckeyfilename,
427
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
429
fprintf(stderr,
430
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
432
fprintf(stderr, "The GnuTLS error is: %s\n",
433
safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
437
/* GnuTLS server initialization */
438
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
442
goto globalfail;
443
}
444
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
451
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
453
return 0;
454
455
globalfail:
456
457
gnutls_certificate_free_credentials(mc->cred);
458
gnutls_global_deinit();
459
gnutls_dh_params_deinit(mc->dh_params);
460
return -1;
461
}
462
463
static int init_gnutls_session(mandos_context *mc,
464
gnutls_session_t *session){
465
int ret;
466
/* GnuTLS session creation */
467
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
288
if (ret != GNUTLS_E_SUCCESS) {
289
fprintf
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
291
" '%s')\n",
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
294
safer_gnutls_strerror(ret));
295
return -1;
296
}
297
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
303
return -1;
304
}
305
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
310
return -1;
311
}
312
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
314
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
469
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
470
319
safer_gnutls_strerror(ret));
471
320
}
472
321
473
{
474
const char *err;
475
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
477
fprintf(stderr, "Syntax error at: %s\n", err);
478
fprintf(stderr, "GnuTLS error: %s\n",
479
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
481
return -1;
482
}
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
327
return -1;
483
328
}
484
329
485
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
486
mc->cred);
487
if(ret != GNUTLS_E_SUCCESS) {
488
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
489
334
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
491
335
return -1;
492
336
}
493
337
494
338
/* ignore client certificate if any. */
495
gnutls_certificate_server_set_request(*session,
496
GNUTLS_CERT_IGNORE);
339
gnutls_certificate_server_set_request (es->session,
340
GNUTLS_CERT_IGNORE);
497
341
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
499
343
500
344
return 0;
501
345
}
502
346
503
/* Avahi log function callback */
504
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
505
__attribute__((unused)) const char *txt){}
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
506
349
507
/* Called when a Mandos server is found */
508
static int start_mandos_communication(const char *ip, uint16_t port,
509
AvahiIfIndex if_index,
510
mandos_context *mc){
350
int start_mandos_communication(const char *ip, uint16_t port,
351
unsigned int if_index){
511
352
int ret, tcp_sd;
512
ssize_t sret;
513
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
353
struct sockaddr_in6 to;
354
encrypted_session es;
514
355
char *buffer = NULL;
515
356
char *decrypted_buffer;
516
357
size_t buffer_length = 0;
517
358
size_t buffer_capacity = 0;
518
359
ssize_t decrypted_buffer_size;
519
size_t written;
360
size_t written = 0;
520
361
int retval = 0;
521
362
char interface[IF_NAMESIZE];
522
gnutls_session_t session;
523
524
ret = init_gnutls_session(mc, &session);
525
if(ret != 0){
526
return -1;
527
}
528
363
529
364
if(debug){
530
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
531
"\n", ip, port);
365
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
532
366
}
533
367
534
368
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
537
371
return -1;
538
372
}
539
373
540
if(debug){
541
if(if_indextoname((unsigned int)if_index, interface) == NULL){
374
if(if_indextoname(if_index, interface) == NULL){
375
if(debug){
542
376
perror("if_indextoname");
543
return -1;
544
377
}
378
return -1;
379
}
380
381
if(debug){
545
382
fprintf(stderr, "Binding to interface %s\n", interface);
546
383
}
547
384
548
memset(&to, 0, sizeof(to));
549
to.in6.sin6_family = AF_INET6;
550
/* It would be nice to have a way to detect if we were passed an
551
IPv4 address here. Now we assume an IPv6 address. */
552
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
553
if(ret < 0 ){
385
memset(&to,0,sizeof(to)); /* Spurious warning */
386
to.sin6_family = AF_INET6;
387
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
388
if (ret < 0 ){
554
389
perror("inet_pton");
555
390
return -1;
556
}
391
}
557
392
if(ret == 0){
558
393
fprintf(stderr, "Bad address: %s\n", ip);
559
394
return -1;
560
395
}
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
562
-Wconversion and
563
-Wunreachable-code */
396
to.sin6_port = htons(port); /* Spurious warning */
564
397
565
to.in6.sin6_scope_id = (uint32_t)if_index;
398
to.sin6_scope_id = (uint32_t)if_index;
566
399
567
400
if(debug){
568
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
569
port);
570
char addrstr[INET6_ADDRSTRLEN] = "";
571
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
572
sizeof(addrstr)) == NULL){
573
perror("inet_ntop");
574
} else {
575
if(strcmp(addrstr, ip) != 0){
576
fprintf(stderr, "Canonical address form: %s\n", addrstr);
577
}
578
}
401
fprintf(stderr, "Connection to: %s\n", ip);
579
402
}
580
403
581
ret = connect(tcp_sd, &to.in, sizeof(to));
582
if(ret < 0){
404
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
405
if (ret < 0){
583
406
perror("connect");
584
407
return -1;
585
408
}
586
409
587
const char *out = mandos_protocol_version;
588
written = 0;
589
while(true){
590
size_t out_size = strlen(out);
591
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
out_size - written));
593
if(ret == -1){
594
perror("write");
595
retval = -1;
596
goto mandos_end;
597
}
598
written += (size_t)ret;
599
if(written < out_size){
600
continue;
601
} else {
602
if(out == mandos_protocol_version){
603
written = 0;
604
out = "\r\n";
605
} else {
606
break;
607
}
608
}
410
ret = initgnutls (&es);
411
if (ret != 0){
412
retval = -1;
413
return -1;
609
414
}
610
415
416
gnutls_transport_set_ptr (es.session,
417
(gnutls_transport_ptr_t) tcp_sd);
418
611
419
if(debug){
612
420
fprintf(stderr, "Establishing TLS session with %s\n", ip);
613
421
}
614
422
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
616
617
do{
618
ret = gnutls_handshake(session);
619
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
620
621
if(ret != GNUTLS_E_SUCCESS){
423
ret = gnutls_handshake (es.session);
424
425
if (ret != GNUTLS_E_SUCCESS){
622
426
if(debug){
623
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
624
gnutls_perror(ret);
427
fprintf(stderr, "\n*** Handshake failed ***\n");
428
gnutls_perror (ret);
625
429
}
626
430
retval = -1;
627
goto mandos_end;
431
goto exit;
628
432
}
629
433
630
/* Read OpenPGP packet that contains the wanted password */
434
//Retrieve OpenPGP packet that contains the wanted password
631
435
632
436
if(debug){
633
437
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
634
438
ip);
635
439
}
636
440
637
441
while(true){
638
buffer_capacity = adjustbuffer(&buffer, buffer_length,
639
buffer_capacity);
640
if(buffer_capacity == 0){
641
perror("adjustbuffer");
642
retval = -1;
643
goto mandos_end;
442
if (buffer_length + BUFFER_SIZE > buffer_capacity){
443
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
444
if (buffer == NULL){
445
perror("realloc");
446
goto exit;
447
}
448
buffer_capacity += BUFFER_SIZE;
644
449
}
645
450
646
sret = gnutls_record_recv(session, buffer+buffer_length,
647
BUFFER_SIZE);
648
if(sret == 0){
451
ret = gnutls_record_recv
452
(es.session, buffer+buffer_length, BUFFER_SIZE);
453
if (ret == 0){
649
454
break;
650
455
}
651
if(sret < 0){
652
switch(sret){
456
if (ret < 0){
457
switch(ret){
653
458
case GNUTLS_E_INTERRUPTED:
654
459
case GNUTLS_E_AGAIN:
655
460
break;
656
461
case GNUTLS_E_REHANDSHAKE:
657
do{
658
ret = gnutls_handshake(session);
659
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
660
if(ret < 0){
661
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
662
gnutls_perror(ret);
462
ret = gnutls_handshake (es.session);
463
if (ret < 0){
464
fprintf(stderr, "\n*** Handshake failed ***\n");
465
gnutls_perror (ret);
663
466
retval = -1;
664
goto mandos_end;
467
goto exit;
665
468
}
666
469
break;
667
470
default:
668
471
fprintf(stderr, "Unknown error while reading data from"
669
" encrypted session with Mandos server\n");
472
" encrypted session with mandos server\n");
670
473
retval = -1;
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
672
goto mandos_end;
474
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
475
goto exit;
673
476
}
674
477
} else {
675
buffer_length += (size_t) sret;
478
buffer_length += (size_t) ret;
676
479
}
677
480
}
678
481
679
if(debug){
680
fprintf(stderr, "Closing TLS session\n");
681
}
682
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
684
685
if(buffer_length > 0){
686
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
482
if (buffer_length > 0){
483
decrypted_buffer_size = pgp_packet_decrypt(buffer,
687
484
buffer_length,
688
&decrypted_buffer);
689
if(decrypted_buffer_size >= 0){
690
written = 0;
691
while(written < (size_t) decrypted_buffer_size){
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
694
stdout);
485
&decrypted_buffer,
486
certdir);
487
if (decrypted_buffer_size >= 0){
488
while(written < decrypted_buffer_size){
489
ret = (int)fwrite (decrypted_buffer + written, 1,
490
(size_t)decrypted_buffer_size - written,
491
stdout);
695
492
if(ret == 0 and ferror(stdout)){
696
493
if(debug){
697
494
fprintf(stderr, "Error writing encrypted data: %s\n",
706
503
} else {
707
504
retval = -1;
708
505
}
709
} else {
710
retval = -1;
711
}
712
713
/* Shutdown procedure */
714
715
mandos_end:
506
}
507
508
//shutdown procedure
509
510
if(debug){
511
fprintf(stderr, "Closing TLS session\n");
512
}
513
716
514
free(buffer);
717
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
718
if(ret == -1){
719
perror("close");
720
}
721
gnutls_deinit(session);
515
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
516
exit:
517
close(tcp_sd);
518
gnutls_deinit (es.session);
519
gnutls_certificate_free_credentials (es.cred);
520
gnutls_global_deinit ();
722
521
return retval;
723
522
}
724
523
725
static void resolve_callback(AvahiSServiceResolver *r,
726
AvahiIfIndex interface,
727
AVAHI_GCC_UNUSED AvahiProtocol protocol,
728
AvahiResolverEvent event,
729
const char *name,
730
const char *type,
731
const char *domain,
732
const char *host_name,
733
const AvahiAddress *address,
734
uint16_t port,
735
AVAHI_GCC_UNUSED AvahiStringList *txt,
736
AVAHI_GCC_UNUSED AvahiLookupResultFlags
737
flags,
738
void* userdata) {
739
mandos_context *mc = userdata;
740
assert(r);
524
static AvahiSimplePoll *simple_poll = NULL;
525
static AvahiServer *server = NULL;
526
527
static void resolve_callback(
528
AvahiSServiceResolver *r,
529
AvahiIfIndex interface,
530
AVAHI_GCC_UNUSED AvahiProtocol protocol,
531
AvahiResolverEvent event,
532
const char *name,
533
const char *type,
534
const char *domain,
535
const char *host_name,
536
const AvahiAddress *address,
537
uint16_t port,
538
AVAHI_GCC_UNUSED AvahiStringList *txt,
539
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
540
AVAHI_GCC_UNUSED void* userdata) {
541
542
assert(r); /* Spurious warning */
741
543
742
544
/* Called whenever a service has been resolved successfully or
743
545
timed out */
744
546
745
switch(event) {
547
switch (event) {
746
548
default:
747
549
case AVAHI_RESOLVER_FAILURE:
748
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
749
" of type '%s' in domain '%s': %s\n", name, type, domain,
750
avahi_strerror(avahi_server_errno(mc->server)));
550
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
551
" type '%s' in domain '%s': %s\n", name, type, domain,
552
avahi_strerror(avahi_server_errno(server)));
751
553
break;
752
554
753
555
case AVAHI_RESOLVER_FOUND:
755
557
char ip[AVAHI_ADDRESS_STR_MAX];
756
558
avahi_address_snprint(ip, sizeof(ip), address);
757
559
if(debug){
758
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
560
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
561
" port %d\n", name, host_name, ip, port);
761
562
}
762
int ret = start_mandos_communication(ip, port, interface, mc);
763
if(ret == 0){
764
avahi_simple_poll_quit(mc->simple_poll);
563
int ret = start_mandos_communication(ip, port,
564
(unsigned int) interface);
565
if (ret == 0){
566
exit(EXIT_SUCCESS);
765
567
}
766
568
}
767
569
}
768
570
avahi_s_service_resolver_free(r);
769
571
}
770
572
771
static void browse_callback( AvahiSServiceBrowser *b,
772
AvahiIfIndex interface,
773
AvahiProtocol protocol,
774
AvahiBrowserEvent event,
775
const char *name,
776
const char *type,
777
const char *domain,
778
AVAHI_GCC_UNUSED AvahiLookupResultFlags
779
flags,
780
void* userdata) {
781
mandos_context *mc = userdata;
782
assert(b);
783
784
/* Called whenever a new services becomes available on the LAN or
785
is removed from the LAN */
786
787
switch(event) {
788
default:
789
case AVAHI_BROWSER_FAILURE:
790
791
fprintf(stderr, "(Avahi browser) %s\n",
792
avahi_strerror(avahi_server_errno(mc->server)));
793
avahi_simple_poll_quit(mc->simple_poll);
794
return;
795
796
case AVAHI_BROWSER_NEW:
797
/* We ignore the returned Avahi resolver object. In the callback
798
function we free it. If the Avahi server is terminated before
799
the callback function is called the Avahi server will free the
800
resolver for us. */
801
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
803
protocol, name, type, domain,
804
AVAHI_PROTO_INET6, 0,
805
resolve_callback, mc)))
806
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
807
name, avahi_strerror(avahi_server_errno(mc->server)));
808
break;
809
810
case AVAHI_BROWSER_REMOVE:
811
break;
812
813
case AVAHI_BROWSER_ALL_FOR_NOW:
814
case AVAHI_BROWSER_CACHE_EXHAUSTED:
815
if(debug){
816
fprintf(stderr, "No Mandos server found, still searching...\n");
573
static void browse_callback(
574
AvahiSServiceBrowser *b,
575
AvahiIfIndex interface,
576
AvahiProtocol protocol,
577
AvahiBrowserEvent event,
578
const char *name,
579
const char *type,
580
const char *domain,
581
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
582
void* userdata) {
583
584
AvahiServer *s = userdata;
585
assert(b); /* Spurious warning */
586
587
/* Called whenever a new services becomes available on the LAN or
588
is removed from the LAN */
589
590
switch (event) {
591
default:
592
case AVAHI_BROWSER_FAILURE:
593
594
fprintf(stderr, "(Browser) %s\n",
595
avahi_strerror(avahi_server_errno(server)));
596
avahi_simple_poll_quit(simple_poll);
597
return;
598
599
case AVAHI_BROWSER_NEW:
600
/* We ignore the returned resolver object. In the callback
601
function we free it. If the server is terminated before
602
the callback function is called the server will free
603
the resolver for us. */
604
605
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
606
type, domain,
607
AVAHI_PROTO_INET6, 0,
608
resolve_callback, s)))
609
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
610
avahi_strerror(avahi_server_errno(s)));
611
break;
612
613
case AVAHI_BROWSER_REMOVE:
614
break;
615
616
case AVAHI_BROWSER_ALL_FOR_NOW:
617
case AVAHI_BROWSER_CACHE_EXHAUSTED:
618
break;
817
619
}
818
break;
620
}
621
622
/* combinds two strings and returns the malloced new string. som sane checks could/should be added */
623
const char *combinestrings(const char *first, const char *second){
624
char *tmp;
625
tmp = malloc(strlen(first) + strlen(second));
626
if (tmp == NULL){
627
perror("malloc");
628
return NULL;
819
629
}
630
strcpy(tmp, first);
631
strcat(tmp, second);
632
return tmp;
820
633
}
821
634
822
int main(int argc, char *argv[]){
635
636
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
637
AvahiServerConfig config;
823
638
AvahiSServiceBrowser *sb = NULL;
824
639
int error;
825
640
int ret;
826
intmax_t tmpmax;
827
int numchars;
828
int exitcode = EXIT_SUCCESS;
641
int returncode = EXIT_SUCCESS;
829
642
const char *interface = "eth0";
830
struct ifreq network;
831
int sd;
832
uid_t uid;
833
gid_t gid;
834
char *connect_to = NULL;
835
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
837
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
838
const char *seckey = PATHDIR "/" SECKEY;
839
const char *pubkey = PATHDIR "/" PUBKEY;
840
841
mandos_context mc = { .simple_poll = NULL, .server = NULL,
842
.dh_bits = 1024, .priority = "SECURE256"
843
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
846
double delay = 2.5;
847
848
{
849
struct argp_option options[] = {
850
{ .name = "debug", .key = 128,
851
.doc = "Debug mode", .group = 3 },
852
{ .name = "connect", .key = 'c',
853
.arg = "ADDRESS:PORT",
854
.doc = "Connect directly to a specific Mandos server",
855
.group = 1 },
856
{ .name = "interface", .key = 'i',
857
.arg = "NAME",
858
.doc = "Interface that will be used to search for Mandos"
859
" servers",
860
.group = 1 },
861
{ .name = "seckey", .key = 's',
862
.arg = "FILE",
863
.doc = "OpenPGP secret key file base name",
864
.group = 1 },
865
{ .name = "pubkey", .key = 'p',
866
.arg = "FILE",
867
.doc = "OpenPGP public key file base name",
868
.group = 2 },
869
{ .name = "dh-bits", .key = 129,
870
.arg = "BITS",
871
.doc = "Bit length of the prime number used in the"
872
" Diffie-Hellman key exchange",
873
.group = 2 },
874
{ .name = "priority", .key = 130,
875
.arg = "STRING",
876
.doc = "GnuTLS priority string for the TLS handshake",
877
.group = 1 },
878
{ .name = "delay", .key = 131,
879
.arg = "SECONDS",
880
.doc = "Maximum delay to wait for interface startup",
881
.group = 2 },
882
{ .name = NULL }
883
};
884
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
887
switch(key) {
888
case 128: /* --debug */
889
debug = true;
890
break;
891
case 'c': /* --connect */
892
connect_to = arg;
893
break;
894
case 'i': /* --interface */
895
interface = arg;
896
break;
897
case 's': /* --seckey */
898
seckey = arg;
899
break;
900
case 'p': /* --pubkey */
901
pubkey = arg;
902
break;
903
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
907
fprintf(stderr, "Bad number of DH bits\n");
908
exit(EXIT_FAILURE);
909
}
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
911
break;
912
case 130: /* --priority */
913
mc.priority = arg;
914
break;
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
919
exit(EXIT_FAILURE);
920
}
921
break;
922
case ARGP_KEY_ARG:
923
argp_usage(state);
924
case ARGP_KEY_END:
925
break;
926
default:
927
return ARGP_ERR_UNKNOWN;
928
}
929
return 0;
930
}
931
932
struct argp argp = { .options = options, .parser = parse_opt,
933
.args_doc = "",
934
.doc = "Mandos client -- Get and decrypt"
935
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
938
fprintf(stderr, "Unknown error while parsing arguments\n");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
944
/* If the interface is down, bring it up */
945
{
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
949
if(ret == -1){
950
perror("klogctl");
951
}
952
953
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
954
if(sd < 0) {
955
perror("socket");
956
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
958
if(ret == -1){
959
perror("klogctl");
960
}
961
goto end;
962
}
963
strcpy(network.ifr_name, interface);
964
ret = ioctl(sd, SIOCGIFFLAGS, &network);
965
if(ret == -1){
966
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
968
if(ret == -1){
969
perror("klogctl");
970
}
971
exitcode = EXIT_FAILURE;
972
goto end;
973
}
974
if((network.ifr_flags & IFF_UP) == 0){
975
network.ifr_flags |= IFF_UP;
976
ret = ioctl(sd, SIOCSIFFLAGS, &network);
977
if(ret == -1){
978
perror("ioctl SIOCSIFFLAGS");
979
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
981
if(ret == -1){
982
perror("klogctl");
983
}
984
goto end;
985
}
986
}
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
990
if(ret == -1){
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
993
break;
994
}
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
997
}
998
ret = (int)TEMP_FAILURE_RETRY(close(sd));
999
if(ret == -1){
1000
perror("close");
1001
}
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1004
if(ret == -1){
1005
perror("klogctl");
1006
}
1007
}
1008
1009
uid = getuid();
1010
gid = getgid();
1011
1012
setgid(gid);
1013
if(ret == -1){
1014
perror("setgid");
1015
}
1016
1017
ret = setuid(uid);
1018
if(ret == -1){
1019
perror("setuid");
1020
}
1021
1022
ret = init_gnutls_global(&mc, pubkey, seckey);
1023
if(ret == -1){
1024
fprintf(stderr, "init_gnutls_global failed\n");
1025
exitcode = EXIT_FAILURE;
1026
goto end;
1027
} else {
1028
gnutls_initialized = true;
1029
}
1030
1031
if(mkdtemp(tempdir) == NULL){
1032
perror("mkdtemp");
1033
goto end;
1034
}
1035
tempdir_created = true;
1036
1037
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
} else {
1042
gpgme_initialized = true;
1043
}
1044
1045
if_index = (AvahiIfIndex) if_nametoindex(interface);
1046
if(if_index == 0){
1047
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1048
exitcode = EXIT_FAILURE;
1049
goto end;
1050
}
1051
1052
if(connect_to != NULL){
1053
/* Connect directly, do not use Zeroconf */
1054
/* (Mainly meant for debugging) */
1055
char *address = strrchr(connect_to, ':');
1056
if(address == NULL){
1057
fprintf(stderr, "No colon in address\n");
1058
exitcode = EXIT_FAILURE;
1059
goto end;
1060
}
1061
uint16_t port;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
1065
fprintf(stderr, "Bad port number\n");
1066
exitcode = EXIT_FAILURE;
1067
goto end;
1068
}
1069
port = (uint16_t)tmpmax;
1070
*address = '\0';
1071
address = connect_to;
1072
ret = start_mandos_communication(address, port, if_index, &mc);
1073
if(ret < 0){
1074
exitcode = EXIT_FAILURE;
1075
} else {
1076
exitcode = EXIT_SUCCESS;
1077
}
1078
goto end;
1079
}
1080
1081
if(not debug){
643
644
while (true){
645
static struct option long_options[] = {
646
{"debug", no_argument, (int *)&debug, 1},
647
{"interface", required_argument, 0, 'i'},
648
{"certdir", required_argument, 0, 'd'},
649
{"certkey", required_argument, 0, 'c'},
650
{"certfile", required_argument, 0, 'k'},
651
{0, 0, 0, 0} };
652
653
int option_index = 0;
654
ret = getopt_long (argc, argv, "i:", long_options,
655
&option_index);
656
657
if (ret == -1){
658
break;
659
}
660
661
switch(ret){
662
case 0:
663
break;
664
case 'i':
665
interface = optarg;
666
break;
667
case 'd':
668
certdir = optarg;
669
break;
670
case 'c':
671
certfile = optarg;
672
break;
673
case 'k':
674
certkey = optarg;
675
break;
676
default:
677
exit(EXIT_FAILURE);
678
}
679
}
680
681
certfile = combinestrings(certdir, certfile);
682
if (certfile == NULL){
683
goto exit;
684
}
685
686
certkey = combinestrings(certdir, certkey);
687
if (certkey == NULL){
688
goto exit;
689
}
690
691
if (not debug){
1082
692
avahi_set_log_function(empty_log);
1083
693
}
1084
694
1085
/* Initialize the pseudo-RNG for Avahi */
695
/* Initialize the psuedo-RNG */
1086
696
srand((unsigned int) time(NULL));
1087
1088
/* Allocate main Avahi loop object */
1089
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1091
fprintf(stderr, "Avahi: Failed to create simple poll"
1092
" object.\n");
1093
exitcode = EXIT_FAILURE;
1094
goto end;
1095
}
1096
1097
{
1098
AvahiServerConfig config;
1099
/* Do not publish any local Zeroconf records */
1100
avahi_server_config_init(&config);
1101
config.publish_hinfo = 0;
1102
config.publish_addresses = 0;
1103
config.publish_workstation = 0;
1104
config.publish_domain = 0;
1105
1106
/* Allocate a new server */
1107
mc.server = avahi_server_new(avahi_simple_poll_get
1108
(mc.simple_poll), &config, NULL,
1109
NULL, &error);
1110
1111
/* Free the Avahi configuration data */
1112
avahi_server_config_free(&config);
1113
}
1114
1115
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1117
fprintf(stderr, "Failed to create Avahi server: %s\n",
697
698
/* Allocate main loop object */
699
if (!(simple_poll = avahi_simple_poll_new())) {
700
fprintf(stderr, "Failed to create simple poll object.\n");
701
702
goto exit;
703
}
704
705
/* Do not publish any local records */
706
avahi_server_config_init(&config);
707
config.publish_hinfo = 0;
708
config.publish_addresses = 0;
709
config.publish_workstation = 0;
710
config.publish_domain = 0;
711
712
/* Allocate a new server */
713
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
714
&config, NULL, NULL, &error);
715
716
/* Free the configuration data */
717
avahi_server_config_free(&config);
718
719
/* Check if creating the server object succeeded */
720
if (!server) {
721
fprintf(stderr, "Failed to create server: %s\n",
1118
722
avahi_strerror(error));
1119
exitcode = EXIT_FAILURE;
1120
goto end;
723
returncode = EXIT_FAILURE;
724
goto exit;
1121
725
}
1122
726
1123
/* Create the Avahi service browser */
1124
sb = avahi_s_service_browser_new(mc.server, if_index,
727
/* Create the service browser */
728
sb = avahi_s_service_browser_new(server,
729
(AvahiIfIndex)
730
if_nametoindex(interface),
1125
731
AVAHI_PROTO_INET6,
1126
732
"_mandos._tcp", NULL, 0,
1127
browse_callback, &mc);
1128
if(sb == NULL) {
733
browse_callback, server);
734
if (!sb) {
1129
735
fprintf(stderr, "Failed to create service browser: %s\n",
1130
avahi_strerror(avahi_server_errno(mc.server)));
1131
exitcode = EXIT_FAILURE;
1132
goto end;
736
avahi_strerror(avahi_server_errno(server)));
737
returncode = EXIT_FAILURE;
738
goto exit;
1133
739
}
1134
740
1135
741
/* Run the main loop */
1136
1137
if(debug){
1138
fprintf(stderr, "Starting Avahi loop search\n");
742
743
if (debug){
744
fprintf(stderr, "Starting avahi loop search\n");
1139
745
}
746
747
avahi_simple_poll_loop(simple_poll);
748
749
exit:
1140
750
1141
avahi_simple_poll_loop(mc.simple_poll);
1142
1143
end:
1144
1145
if(debug){
751
if (debug){
1146
752
fprintf(stderr, "%s exiting\n", argv[0]);
1147
753
}
1148
754
1149
755
/* Cleanup things */
1150
if(sb != NULL)
756
if (sb)
1151
757
avahi_s_service_browser_free(sb);
1152
758
1153
if(mc.server != NULL)
1154
avahi_server_free(mc.server);
1155
1156
if(mc.simple_poll != NULL)
1157
avahi_simple_poll_free(mc.simple_poll);
1158
1159
if(gnutls_initialized){
1160
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1162
gnutls_dh_params_deinit(mc.dh_params);
1163
}
1164
1165
if(gpgme_initialized){
1166
gpgme_release(mc.ctx);
1167
}
1168
1169
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1171
DIR *d;
1172
struct dirent *direntry;
1173
d = opendir(tempdir);
1174
if(d == NULL){
1175
if(errno != ENOENT){
1176
perror("opendir");
1177
}
1178
} else {
1179
while(true){
1180
direntry = readdir(d);
1181
if(direntry == NULL){
1182
break;
1183
}
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1189
continue;
1190
}
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1193
direntry->d_name);
1194
if(ret < 0){
1195
perror("asprintf");
1196
continue;
1197
}
1198
ret = remove(fullname);
1199
if(ret == -1){
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1201
strerror(errno));
1202
}
1203
free(fullname);
1204
}
1205
closedir(d);
1206
}
1207
ret = rmdir(tempdir);
1208
if(ret == -1 and errno != ENOENT){
1209
perror("rmdir");
1210
}
1211
}
1212
1213
return exitcode;
759
if (server)
760
avahi_server_free(server);
761
762
if (simple_poll)
763
avahi_simple_poll_free(simple_poll);
764
765
return returncode;
1214
766
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0