/mandos/trunk : revision 24.1.5

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Björn Påhlsson
Date: 2008-07-31 16:20:47 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 30.
Revision ID: belorn@braxen-20080731162047-lahe2b2prwjw8b2l

plugbasedclient:
        Added support to disable plugins
        Added support to change plugin directory

mandosclient.c
        Fixed some funtion calls that lacked error handling
        small bugfix

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* Påhlsson.

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _FORTIFY_SOURCE 2

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf(),

remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <sys/klog.h> /* klogctl() */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

100

101

/* GPGME */

102

#include <gpgme.h> /* All GPGME types, constants and

103

functions:

104

gpgme_*

105

GPGME_PROTOCOL_OpenPGP,

106

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

107

108

#define BUFFER_SIZE 256

#define DH_BITS 1024

109

110

#define PATHDIR "/conf/conf.d/mandos"

111

#define SECKEY "seckey.txt"

112

#define PUBKEY "pubkey.txt"

const char *certdir = "/conf/conf.d/cryptkeyreq/";

const char *certfile = "openpgp-client.txt";

const char *certkey = "openpgp-client-key.txt";

113

114

bool debug = false;

115

static const char mandos_protocol_version[] = "1";

116

const char *argp_program_version = "mandos-client " VERSION;

117

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

118

119

/* Used for passing in values through the Avahi callback functions */

120

typedef struct {

121

AvahiSimplePoll *simple_poll;

122

AvahiServer *server;

gnutls_session_t session;

123

gnutls_certificate_credentials_t cred;

124

unsigned int dh_bits;

125

gnutls_dh_params_t dh_params;

126

const char *priority;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

127

gpgme_ctx_t ctx;

128

} mandos_context;

129

130

131

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

132

* "buffer_capacity" is how much is currently allocated,

133

* "buffer_length" is how much is already used.

134

135

size_t adjustbuffer(char **buffer, size_t buffer_length,

136

size_t buffer_capacity){

137

if(buffer_length + BUFFER_SIZE > buffer_capacity){

138

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

139

if(buffer == NULL){

140

return 0;

141

}

142

buffer_capacity += BUFFER_SIZE;

143

}

144

return buffer_capacity;

145

}

146

147

148

* Initialize GPGME.

149

150

static bool init_gpgme(mandos_context *mc, const char *seckey,

151

const char *pubkey, const char *tempdir){

152

int ret;

153

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

154

gpgme_engine_info_t engine_info;

155

156

157

158

* Helper function to insert pub and seckey to the engine keyring.

159

160

bool import_key(const char *filename){

161

int fd;

162

gpgme_data_t pgp_data;

163

164

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

165

if(fd == -1){

166

perror("open");

167

return false;

168

}

169

170

rc = gpgme_data_new_from_fd(&pgp_data, fd);

171

if(rc != GPG_ERR_NO_ERROR){

172

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

173

gpgme_strsource(rc), gpgme_strerror(rc));

174

return false;

175

}

176

177

rc = gpgme_op_import(mc->ctx, pgp_data);

178

if(rc != GPG_ERR_NO_ERROR){

179

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

180

gpgme_strsource(rc), gpgme_strerror(rc));

181

return false;

182

}

183

184

ret = (int)TEMP_FAILURE_RETRY(close(fd));

185

if(ret == -1){

186

perror("close");

187

}

188

gpgme_data_release(pgp_data);

189

return true;

190

}

191

192

if(debug){

193

fprintf(stderr, "Initialize gpgme\n");

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

194

}

195

100

196

101

/* Init GPGME */

197

102

gpgme_check_version(NULL);

198

103

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

199

if(rc != GPG_ERR_NO_ERROR){

104

if (rc != GPG_ERR_NO_ERROR){

200

105

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

201

106

gpgme_strsource(rc), gpgme_strerror(rc));

202

return false;

107

return -1;

203

108

}

204

109

205

/* Set GPGME home directory for the OpenPGP engine only */

206

rc = gpgme_get_engine_info(&engine_info);

207

if(rc != GPG_ERR_NO_ERROR){

110

/* Set GPGME home directory */

111

rc = gpgme_get_engine_info (&engine_info);

112

if (rc != GPG_ERR_NO_ERROR){

208

113

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

209

114

gpgme_strsource(rc), gpgme_strerror(rc));

210

return false;

115

return -1;

211

116

}

212

117

while(engine_info != NULL){

213

118

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

214

119

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

215

engine_info->file_name, tempdir);

120

engine_info->file_name, homedir);

216

121

break;

217

122

}

218

123

engine_info = engine_info->next;

219

124

}

220

125

if(engine_info == NULL){

221

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

222

return false;

223

}

224

225

/* Create new GPGME "context" */

226

rc = gpgme_new(&(mc->ctx));

227

if(rc != GPG_ERR_NO_ERROR){

228

fprintf(stderr, "bad gpgme_new: %s: %s\n",

229

gpgme_strsource(rc), gpgme_strerror(rc));

230

return false;

231

}

232

233

if(not import_key(pubkey) or not import_key(seckey)){

234

return false;

235

}

236

237

return true;

238

}

239

240

241

* Decrypt OpenPGP data.

242

* Returns -1 on error

243

244

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

245

const char *cryptotext,

246

size_t crypto_size,

247

char **plaintext){

248

gpgme_data_t dh_crypto, dh_plain;

249

gpgme_error_t rc;

250

ssize_t ret;

251

size_t plaintext_capacity = 0;

252

ssize_t plaintext_length = 0;

253

254

if(debug){

255

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

256

}

257

258

/* Create new GPGME data buffer from memory cryptotext */

259

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

260

0);

261

if(rc != GPG_ERR_NO_ERROR){

126

fprintf(stderr, "Could not set home dir to %s\n", homedir);

127

return -1;

128

}

129

130

/* Create new GPGME data buffer from packet buffer */

131

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

132

if (rc != GPG_ERR_NO_ERROR){

262

133

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

263

134

gpgme_strsource(rc), gpgme_strerror(rc));

264

135

return -1;

266

137

267

138

/* Create new empty GPGME data buffer for the plaintext */

268

139

rc = gpgme_data_new(&dh_plain);

269

if(rc != GPG_ERR_NO_ERROR){

140

if (rc != GPG_ERR_NO_ERROR){

270

141

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

271

142

gpgme_strsource(rc), gpgme_strerror(rc));

272

gpgme_data_release(dh_crypto);

273

return -1;

274

}

275

276

/* Decrypt data from the cryptotext data buffer to the plaintext

277

data buffer */

278

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

279

if(rc != GPG_ERR_NO_ERROR){

143

return -1;

144

}

145

146

/* Create new GPGME "context" */

147

rc = gpgme_new(&ctx);

148

if (rc != GPG_ERR_NO_ERROR){

149

fprintf(stderr, "bad gpgme_new: %s: %s\n",

150

gpgme_strsource(rc), gpgme_strerror(rc));

151

return -1;

152

}

153

154

/* Decrypt data from the FILE pointer to the plaintext data

155

buffer */

156

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

157

if (rc != GPG_ERR_NO_ERROR){

280

158

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

281

159

gpgme_strsource(rc), gpgme_strerror(rc));

282

plaintext_length = -1;

283

if(debug){

284

gpgme_decrypt_result_t result;

285

result = gpgme_op_decrypt_result(mc->ctx);

286

if(result == NULL){

287

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

288

} else {

289

fprintf(stderr, "Unsupported algorithm: %s\n",

290

result->unsupported_algorithm);

291

fprintf(stderr, "Wrong key usage: %u\n",

292

result->wrong_key_usage);

293

if(result->file_name != NULL){

294

fprintf(stderr, "File name: %s\n", result->file_name);

295

}

296

gpgme_recipient_t recipient;

297

recipient = result->recipients;

298

if(recipient){

299

while(recipient != NULL){

300

fprintf(stderr, "Public key algorithm: %s\n",

301

gpgme_pubkey_algo_name(recipient->pubkey_algo));

302

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

303

fprintf(stderr, "Secret key available: %s\n",

304

recipient->status == GPG_ERR_NO_SECKEY

305

? "No" : "Yes");

306

recipient = recipient->next;

307

}

160

return -1;

161

}

162

163

if(debug){

164

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

165

}

166

167

if (debug){

168

gpgme_decrypt_result_t result;

169

result = gpgme_op_decrypt_result(ctx);

170

if (result == NULL){

171

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

172

} else {

173

fprintf(stderr, "Unsupported algorithm: %s\n",

174

result->unsupported_algorithm);

175

fprintf(stderr, "Wrong key usage: %d\n",

176

result->wrong_key_usage);

177

if(result->file_name != NULL){

178

fprintf(stderr, "File name: %s\n", result->file_name);

179

}

180

gpgme_recipient_t recipient;

181

recipient = result->recipients;

182

if(recipient){

183

while(recipient != NULL){

184

fprintf(stderr, "Public key algorithm: %s\n",

185

gpgme_pubkey_algo_name(recipient->pubkey_algo));

186

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

187

fprintf(stderr, "Secret key available: %s\n",

188

recipient->status == GPG_ERR_NO_SECKEY

189

? "No" : "Yes");

190

recipient = recipient->next;

308

191

}

309

192

}

310

193

}

311

goto decrypt_end;

312

194

}

313

195

314

if(debug){

315

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

316

}

196

/* Delete the GPGME FILE pointer cryptotext data buffer */

197

gpgme_data_release(dh_crypto);

317

198

318

199

/* Seek back to the beginning of the GPGME plaintext data buffer */

319

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

320

perror("gpgme_data_seek");

321

plaintext_length = -1;

322

goto decrypt_end;

200

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

201

perror("pgpme_data_seek");

323

202

}

324

203

325

*plaintext = NULL;

204

*new_packet = 0;

326

205

while(true){

327

plaintext_capacity = adjustbuffer(plaintext,

328

(size_t)plaintext_length,

329

plaintext_capacity);

330

if(plaintext_capacity == 0){

331

perror("adjustbuffer");

332

plaintext_length = -1;

333

goto decrypt_end;

206

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

207

*new_packet = realloc(*new_packet,

208

(unsigned int)new_packet_capacity

209

+ BUFFER_SIZE);

210

if (*new_packet == NULL){

211

perror("realloc");

212

return -1;

213

}

214

new_packet_capacity += BUFFER_SIZE;

334

215

}

335

216

336

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

217

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

337

218

BUFFER_SIZE);

338

219

/* Print the data, if any */

339

if(ret == 0){

340

/* EOF */

220

if (ret == 0){

341

221

break;

342

222

}

343

223

if(ret < 0){

344

224

perror("gpgme_data_read");

345

plaintext_length = -1;

346

goto decrypt_end;

347

}

348

plaintext_length += ret;

349

}

350

351

if(debug){

352

fprintf(stderr, "Decrypted password is: ");

353

for(ssize_t i = 0; i < plaintext_length; i++){

354

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

355

}

356

fprintf(stderr, "\n");

357

}

358

359

decrypt_end:

360

361

/* Delete the GPGME cryptotext data buffer */

362

gpgme_data_release(dh_crypto);

225

return -1;

226

}

227

new_packet_length += ret;

228

}

229

230

/* FIXME: check characters before printing to screen so to not print

231

terminal control characters */

232

/* if(debug){ */

233

/* fprintf(stderr, "decrypted password is: "); */

234

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

235

/* fprintf(stderr, "\n"); */

236

/* } */

363

237

364

238

/* Delete the GPGME plaintext data buffer */

365

239

gpgme_data_release(dh_plain);

366

return plaintext_length;

240

return new_packet_length;

367

241

}

368

242

369

static const char * safer_gnutls_strerror(int value) {

370

const char *ret = gnutls_strerror(value); /* Spurious warning from

371

-Wunreachable-code */

372

if(ret == NULL)

243

static const char * safer_gnutls_strerror (int value) {

244

const char *ret = gnutls_strerror (value);

245

if (ret == NULL)

373

246

ret = "(unknown)";

374

247

return ret;

375

248

}

376

249

377

/* GnuTLS log function callback */

378

static void debuggnutls(__attribute__((unused)) int level,

379

const char* string){

380

fprintf(stderr, "GnuTLS: %s", string);

250

void debuggnutls(__attribute__((unused)) int level,

251

const char* string){

252

fprintf(stderr, "%s", string);

381

253

}

382

254

383

static int init_gnutls_global(mandos_context *mc,

384

const char *pubkeyfilename,

385

const char *seckeyfilename){

255

int initgnutls(encrypted_session *es){

256

const char *err;

386

257

int ret;

387

258

388

259

if(debug){

389

260

fprintf(stderr, "Initializing GnuTLS\n");

390

261

}

391

392

ret = gnutls_global_init();

393

if(ret != GNUTLS_E_SUCCESS) {

394

fprintf(stderr, "GnuTLS global_init: %s\n",

395

safer_gnutls_strerror(ret));

262

263

if ((ret = gnutls_global_init ())

264

!= GNUTLS_E_SUCCESS) {

265

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

396

266

return -1;

397

267

}

398

399

if(debug){

400

/* "Use a log level over 10 to enable all debugging options."

401

* - GnuTLS manual

402

268

269

if (debug){

403

270

gnutls_global_set_log_level(11);

404

271

gnutls_global_set_log_function(debuggnutls);

405

272

}

406

273

407

/* OpenPGP credentials */

408

gnutls_certificate_allocate_credentials(&mc->cred);

409

if(ret != GNUTLS_E_SUCCESS){

410

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

411

* from

412

* -Wunreachable-code

413

414

safer_gnutls_strerror(ret));

415

gnutls_global_deinit();

274

/* openpgp credentials */

275

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

276

!= GNUTLS_E_SUCCESS) {

277

fprintf (stderr, "memory error: %s\n",

278

safer_gnutls_strerror(ret));

416

279

return -1;

417

280

}

418

281

419

282

if(debug){

420

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

421

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

422

seckeyfilename);

283

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

284

" and keyfile %s as GnuTLS credentials\n", certfile,

285

certkey);

423

286

}

424

287

425

288

ret = gnutls_certificate_set_openpgp_key_file

426

(mc->cred, pubkeyfilename, seckeyfilename,

427

GNUTLS_OPENPGP_FMT_BASE64);

428

if(ret != GNUTLS_E_SUCCESS) {

429

fprintf(stderr,

430

"Error[%d] while reading the OpenPGP key pair ('%s',"

431

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

432

fprintf(stderr, "The GnuTLS error is: %s\n",

433

safer_gnutls_strerror(ret));

434

goto globalfail;

435

}

436

437

/* GnuTLS server initialization */

438

ret = gnutls_dh_params_init(&mc->dh_params);

439

if(ret != GNUTLS_E_SUCCESS) {

440

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

441

" %s\n", safer_gnutls_strerror(ret));

442

goto globalfail;

443

}

444

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

445

if(ret != GNUTLS_E_SUCCESS) {

446

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

447

safer_gnutls_strerror(ret));

448

goto globalfail;

449

}

450

451

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

452

453

return 0;

454

455

globalfail:

456

457

gnutls_certificate_free_credentials(mc->cred);

458

gnutls_global_deinit();

459

gnutls_dh_params_deinit(mc->dh_params);

460

return -1;

461

}

462

463

static int init_gnutls_session(mandos_context *mc,

464

gnutls_session_t *session){

465

int ret;

466

/* GnuTLS session creation */

467

ret = gnutls_init(session, GNUTLS_SERVER);

468

if(ret != GNUTLS_E_SUCCESS){

289

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

290

if (ret != GNUTLS_E_SUCCESS) {

291

fprintf

292

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

293

" '%s')\n",

294

ret, certfile, certkey);

295

fprintf(stdout, "The Error is: %s\n",

296

safer_gnutls_strerror(ret));

297

return -1;

298

}

299

300

//GnuTLS server initialization

301

if ((ret = gnutls_dh_params_init (&es->dh_params))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in dh parameter initialization: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

309

!= GNUTLS_E_SUCCESS) {

310

fprintf (stderr, "Error in prime generation: %s\n",

311

safer_gnutls_strerror(ret));

312

return -1;

313

}

314

315

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

316

317

// GnuTLS session creation

318

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

319

!= GNUTLS_E_SUCCESS){

469

320

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

470

321

safer_gnutls_strerror(ret));

471

322

}

472

323

473

{

474

const char *err;

475

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

476

if(ret != GNUTLS_E_SUCCESS) {

477

fprintf(stderr, "Syntax error at: %s\n", err);

478

fprintf(stderr, "GnuTLS error: %s\n",

479

safer_gnutls_strerror(ret));

480

gnutls_deinit(*session);

481

return -1;

482

}

324

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

325

!= GNUTLS_E_SUCCESS) {

326

fprintf(stderr, "Syntax error at: %s\n", err);

327

fprintf(stderr, "GnuTLS error: %s\n",

328

safer_gnutls_strerror(ret));

329

return -1;

483

330

}

484

331

485

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

486

mc->cred);

487

if(ret != GNUTLS_E_SUCCESS) {

488

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

332

if ((ret = gnutls_credentials_set

333

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

334

!= GNUTLS_E_SUCCESS) {

335

fprintf(stderr, "Error setting a credentials set: %s\n",

489

336

safer_gnutls_strerror(ret));

490

gnutls_deinit(*session);

491

337

return -1;

492

338

}

493

339

494

340

/* ignore client certificate if any. */

495

gnutls_certificate_server_set_request(*session,

496

GNUTLS_CERT_IGNORE);

341

gnutls_certificate_server_set_request (es->session,

342

GNUTLS_CERT_IGNORE);

497

343

498

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

344

gnutls_dh_set_prime_bits (es->session, DH_BITS);

499

345

500

346

return 0;

501

347

}

502

348

503

/* Avahi log function callback */

504

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

505

__attribute__((unused)) const char *txt){}

349

void empty_log(__attribute__((unused)) AvahiLogLevel level,

350

__attribute__((unused)) const char *txt){}

506

351

507

/* Called when a Mandos server is found */

508

static int start_mandos_communication(const char *ip, uint16_t port,

509

AvahiIfIndex if_index,

510

mandos_context *mc){

352

int start_mandos_communication(const char *ip, uint16_t port,

353

unsigned int if_index){

511

354

int ret, tcp_sd;

512

ssize_t sret;

513

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

355

struct sockaddr_in6 to;

356

encrypted_session es;

514

357

char *buffer = NULL;

515

358

char *decrypted_buffer;

516

359

size_t buffer_length = 0;

517

360

size_t buffer_capacity = 0;

518

361

ssize_t decrypted_buffer_size;

519

size_t written;

362

size_t written = 0;

520

363

int retval = 0;

521

364

char interface[IF_NAMESIZE];

522

gnutls_session_t session;

523

524

ret = init_gnutls_session(mc, &session);

525

if(ret != 0){

526

return -1;

527

}

528

365

529

366

if(debug){

530

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

531

"\n", ip, port);

367

fprintf(stderr, "Setting up a tcp connection to %s\n", ip);

532

368

}

533

369

534

370

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

537

373

return -1;

538

374

}

539

375

540

if(debug){

541

if(if_indextoname((unsigned int)if_index, interface) == NULL){

376

if(if_indextoname(if_index, interface) == NULL){

377

if(debug){

542

378

perror("if_indextoname");

543

return -1;

544

379

}

380

return -1;

381

}

382

383

if(debug){

545

384

fprintf(stderr, "Binding to interface %s\n", interface);

546

385

}

547

386

548

memset(&to, 0, sizeof(to));

549

to.in6.sin6_family = AF_INET6;

550

/* It would be nice to have a way to detect if we were passed an

551

IPv4 address here. Now we assume an IPv6 address. */

552

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

553

if(ret < 0 ){

387

memset(&to,0,sizeof(to)); /* Spurious warning */

388

to.sin6_family = AF_INET6;

389

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

390

if (ret < 0 ){

554

391

perror("inet_pton");

555

392

return -1;

556

}

393

}

557

394

if(ret == 0){

558

395

fprintf(stderr, "Bad address: %s\n", ip);

559

396

return -1;

560

397

}

561

to.in6.sin6_port = htons(port); /* Spurious warnings from

562

-Wconversion and

563

-Wunreachable-code */

398

to.sin6_port = htons(port); /* Spurious warning */

564

399

565

to.in6.sin6_scope_id = (uint32_t)if_index;

400

to.sin6_scope_id = (uint32_t)if_index;

566

401

567

402

if(debug){

568

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

569

port);

570

char addrstr[INET6_ADDRSTRLEN] = "";

571

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

572

sizeof(addrstr)) == NULL){

573

perror("inet_ntop");

574

} else {

575

if(strcmp(addrstr, ip) != 0){

576

fprintf(stderr, "Canonical address form: %s\n", addrstr);

577

}

578

}

403

fprintf(stderr, "Connection to: %s\n", ip);

579

404

}

580

405

581

ret = connect(tcp_sd, &to.in, sizeof(to));

582

if(ret < 0){

406

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

407

if (ret < 0){

583

408

perror("connect");

584

409

return -1;

585

410

}

586

411

587

const char *out = mandos_protocol_version;

588

written = 0;

589

while(true){

590

size_t out_size = strlen(out);

591

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

592

out_size - written));

593

if(ret == -1){

594

perror("write");

595

retval = -1;

596

goto mandos_end;

597

}

598

written += (size_t)ret;

599

if(written < out_size){

600

continue;

601

} else {

602

if(out == mandos_protocol_version){

603

written = 0;

604

out = "\r\n";

605

} else {

606

break;

607

}

608

}

412

ret = initgnutls (&es);

413

if (ret != 0){

414

retval = -1;

415

return -1;

609

416

}

610

417

418

gnutls_transport_set_ptr (es.session,

419

(gnutls_transport_ptr_t) tcp_sd);

420

611

421

if(debug){

612

422

fprintf(stderr, "Establishing TLS session with %s\n", ip);

613

423

}

614

424

615

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

616

617

do{

618

ret = gnutls_handshake(session);

619

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

620

621

if(ret != GNUTLS_E_SUCCESS){

425

ret = gnutls_handshake (es.session);

426

427

if (ret != GNUTLS_E_SUCCESS){

622

428

if(debug){

623

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

624

gnutls_perror(ret);

429

fprintf(stderr, "\n*** Handshake failed ***\n");

430

gnutls_perror (ret);

625

431

}

626

432

retval = -1;

627

goto mandos_end;

433

goto exit;

628

434

}

629

435

630

/* Read OpenPGP packet that contains the wanted password */

436

//Retrieve OpenPGP packet that contains the wanted password

631

437

632

438

if(debug){

633

439

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

634

440

ip);

635

441

}

636

442

637

443

while(true){

638

buffer_capacity = adjustbuffer(&buffer, buffer_length,

639

buffer_capacity);

640

if(buffer_capacity == 0){

641

perror("adjustbuffer");

642

retval = -1;

643

goto mandos_end;

444

if (buffer_length + BUFFER_SIZE > buffer_capacity){

445

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

446

if (buffer == NULL){

447

perror("realloc");

448

goto exit;

449

}

450

buffer_capacity += BUFFER_SIZE;

644

451

}

645

452

646

sret = gnutls_record_recv(session, buffer+buffer_length,

647

BUFFER_SIZE);

648

if(sret == 0){

453

ret = gnutls_record_recv

454

(es.session, buffer+buffer_length, BUFFER_SIZE);

455

if (ret == 0){

649

456

break;

650

457

}

651

if(sret < 0){

652

switch(sret){

458

if (ret < 0){

459

switch(ret){

653

460

case GNUTLS_E_INTERRUPTED:

654

461

case GNUTLS_E_AGAIN:

655

462

break;

656

463

case GNUTLS_E_REHANDSHAKE:

657

do{

658

ret = gnutls_handshake(session);

659

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

660

if(ret < 0){

661

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

662

gnutls_perror(ret);

464

ret = gnutls_handshake (es.session);

465

if (ret < 0){

466

fprintf(stderr, "\n*** Handshake failed ***\n");

467

gnutls_perror (ret);

663

468

retval = -1;

664

goto mandos_end;

469

goto exit;

665

470

}

666

471

break;

667

472

default:

668

473

fprintf(stderr, "Unknown error while reading data from"

669

" encrypted session with Mandos server\n");

474

" encrypted session with mandos server\n");

670

475

retval = -1;

671

gnutls_bye(session, GNUTLS_SHUT_RDWR);

672

goto mandos_end;

476

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

477

goto exit;

673

478

}

674

479

} else {

675

buffer_length += (size_t) sret;

480

buffer_length += (size_t) ret;

676

481

}

677

482

}

678

483

679

if(debug){

680

fprintf(stderr, "Closing TLS session\n");

681

}

682

683

gnutls_bye(session, GNUTLS_SHUT_RDWR);

684

685

if(buffer_length > 0){

686

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

484

if (buffer_length > 0){

485

decrypted_buffer_size = pgp_packet_decrypt(buffer,

687

486

buffer_length,

688

&decrypted_buffer);

689

if(decrypted_buffer_size >= 0){

690

written = 0;

691

while(written < (size_t) decrypted_buffer_size){

692

ret = (int)fwrite(decrypted_buffer + written, 1,

693

(size_t)decrypted_buffer_size - written,

694

stdout);

487

&decrypted_buffer,

488

certdir);

489

if (decrypted_buffer_size >= 0){

490

while(written < decrypted_buffer_size){

491

ret = (int)fwrite (decrypted_buffer + written, 1,

492

(size_t)decrypted_buffer_size - written,

493

stdout);

695

494

if(ret == 0 and ferror(stdout)){

696

495

if(debug){

697

496

fprintf(stderr, "Error writing encrypted data: %s\n",

706

505

} else {

707

506

retval = -1;

708

507

}

709

} else {

710

retval = -1;

711

}

712

713

/* Shutdown procedure */

714

715

mandos_end:

508

}

509

510

//shutdown procedure

511

512

if(debug){

513

fprintf(stderr, "Closing TLS session\n");

514

}

515

716

516

free(buffer);

717

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

718

if(ret == -1){

719

perror("close");

720

}

721

gnutls_deinit(session);

517

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

518

exit:

519

close(tcp_sd);

520

gnutls_deinit (es.session);

521

gnutls_certificate_free_credentials (es.cred);

522

gnutls_global_deinit ();

722

523

return retval;

723

524

}

724

525

725

static void resolve_callback(AvahiSServiceResolver *r,

726

AvahiIfIndex interface,

727

AVAHI_GCC_UNUSED AvahiProtocol protocol,

728

AvahiResolverEvent event,

729

const char *name,

730

const char *type,

731

const char *domain,

732

const char *host_name,

733

const AvahiAddress *address,

734

uint16_t port,

735

AVAHI_GCC_UNUSED AvahiStringList *txt,

736

AVAHI_GCC_UNUSED AvahiLookupResultFlags

737

flags,

738

void* userdata) {

739

mandos_context *mc = userdata;

740

assert(r);

526

static AvahiSimplePoll *simple_poll = NULL;

527

static AvahiServer *server = NULL;

528

529

static void resolve_callback(

530

AvahiSServiceResolver *r,

531

AvahiIfIndex interface,

532

AVAHI_GCC_UNUSED AvahiProtocol protocol,

533

AvahiResolverEvent event,

534

const char *name,

535

const char *type,

536

const char *domain,

537

const char *host_name,

538

const AvahiAddress *address,

539

uint16_t port,

540

AVAHI_GCC_UNUSED AvahiStringList *txt,

541

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

542

AVAHI_GCC_UNUSED void* userdata) {

543

544

assert(r); /* Spurious warning */

741

545

742

546

/* Called whenever a service has been resolved successfully or

743

547

timed out */

744

548

745

switch(event) {

549

switch (event) {

746

550

default:

747

551

case AVAHI_RESOLVER_FAILURE:

748

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

749

" of type '%s' in domain '%s': %s\n", name, type, domain,

750

avahi_strerror(avahi_server_errno(mc->server)));

552

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

553

" type '%s' in domain '%s': %s\n", name, type, domain,

554

avahi_strerror(avahi_server_errno(server)));

751

555

break;

752

556

753

557

case AVAHI_RESOLVER_FOUND:

755

559

char ip[AVAHI_ADDRESS_STR_MAX];

756

560

avahi_address_snprint(ip, sizeof(ip), address);

757

561

if(debug){

758

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

759

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

760

ip, (intmax_t)interface, port);

562

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

563

" port %d\n", name, host_name, ip, port);

761

564

}

762

int ret = start_mandos_communication(ip, port, interface, mc);

763

if(ret == 0){

764

avahi_simple_poll_quit(mc->simple_poll);

565

int ret = start_mandos_communication(ip, port,

566

(unsigned int) interface);

567

if (ret == 0){

568

exit(EXIT_SUCCESS);

765

569

}

766

570

}

767

571

}

768

572

avahi_s_service_resolver_free(r);

769

573

}

770

574

771

static void browse_callback( AvahiSServiceBrowser *b,

772

AvahiIfIndex interface,

773

AvahiProtocol protocol,

774

AvahiBrowserEvent event,

775

const char *name,

776

const char *type,

777

const char *domain,

778

AVAHI_GCC_UNUSED AvahiLookupResultFlags

779

flags,

780

void* userdata) {

781

mandos_context *mc = userdata;

782

assert(b);

783

784

/* Called whenever a new services becomes available on the LAN or

785

is removed from the LAN */

786

787

switch(event) {

788

default:

789

case AVAHI_BROWSER_FAILURE:

790

791

fprintf(stderr, "(Avahi browser) %s\n",

792

avahi_strerror(avahi_server_errno(mc->server)));

793

avahi_simple_poll_quit(mc->simple_poll);

794

return;

795

796

case AVAHI_BROWSER_NEW:

797

/* We ignore the returned Avahi resolver object. In the callback

798

function we free it. If the Avahi server is terminated before

799

the callback function is called the Avahi server will free the

800

resolver for us. */

801

802

if(!(avahi_s_service_resolver_new(mc->server, interface,

803

protocol, name, type, domain,

804

AVAHI_PROTO_INET6, 0,

805

resolve_callback, mc)))

806

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

807

name, avahi_strerror(avahi_server_errno(mc->server)));

808

break;

809

810

case AVAHI_BROWSER_REMOVE:

811

break;

812

813

case AVAHI_BROWSER_ALL_FOR_NOW:

814

case AVAHI_BROWSER_CACHE_EXHAUSTED:

815

if(debug){

816

fprintf(stderr, "No Mandos server found, still searching...\n");

575

static void browse_callback(

576

AvahiSServiceBrowser *b,

577

AvahiIfIndex interface,

578

AvahiProtocol protocol,

579

AvahiBrowserEvent event,

580

const char *name,

581

const char *type,

582

const char *domain,

583

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

584

void* userdata) {

585

586

AvahiServer *s = userdata;

587

assert(b); /* Spurious warning */

588

589

/* Called whenever a new services becomes available on the LAN or

590

is removed from the LAN */

591

592

switch (event) {

593

default:

594

case AVAHI_BROWSER_FAILURE:

595

596

fprintf(stderr, "(Browser) %s\n",

597

avahi_strerror(avahi_server_errno(server)));

598

avahi_simple_poll_quit(simple_poll);

599

return;

600

601

case AVAHI_BROWSER_NEW:

602

/* We ignore the returned resolver object. In the callback

603

function we free it. If the server is terminated before

604

the callback function is called the server will free

605

the resolver for us. */

606

607

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

608

type, domain,

609

AVAHI_PROTO_INET6, 0,

610

resolve_callback, s)))

611

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

612

avahi_strerror(avahi_server_errno(s)));

613

break;

614

615

case AVAHI_BROWSER_REMOVE:

616

break;

617

618

case AVAHI_BROWSER_ALL_FOR_NOW:

619

case AVAHI_BROWSER_CACHE_EXHAUSTED:

620

break;

817

621

}

818

break;

819

}

820

}

821

822

int main(int argc, char *argv[]){

622

}

623

624

/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */

625

const char *combinepath(const char *first, const char *second){

626

char *tmp;

627

tmp = malloc(strlen(first) + strlen(second) + 2);

628

if (tmp == NULL){

629

perror("malloc");

630

return NULL;

631

}

632

strcpy(tmp, first);

633

if (first[0] != '\0' and first[strlen(first) - 1] != '/'){

634

strcat(tmp, "/");

635

}

636

strcat(tmp, second);

637

return tmp;

638

}

639

640

641

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

642

AvahiServerConfig config;

823

643

AvahiSServiceBrowser *sb = NULL;

824

644

int error;

825

645

int ret;

826

intmax_t tmpmax;

827

int numchars;

828

int exitcode = EXIT_SUCCESS;

646

int returncode = EXIT_SUCCESS;

829

647

const char *interface = "eth0";

830

struct ifreq network;

831

int sd;

832

uid_t uid;

833

gid_t gid;

834

char *connect_to = NULL;

835

char tempdir[] = "/tmp/mandosXXXXXX";

836

bool tempdir_created = false;

837

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

838

const char *seckey = PATHDIR "/" SECKEY;

839

const char *pubkey = PATHDIR "/" PUBKEY;

840

841

mandos_context mc = { .simple_poll = NULL, .server = NULL,

842

.dh_bits = 1024, .priority = "SECURE256"

843

":!CTYPE-X.509:+CTYPE-OPENPGP" };

844

bool gnutls_initialized = false;

845

bool gpgme_initialized = false;

846

double delay = 2.5;

847

848

{

849

struct argp_option options[] = {

850

{ .name = "debug", .key = 128,

851

.doc = "Debug mode", .group = 3 },

852

{ .name = "connect", .key = 'c',

853

.arg = "ADDRESS:PORT",

854

.doc = "Connect directly to a specific Mandos server",

855

.group = 1 },

856

{ .name = "interface", .key = 'i',

857

.arg = "NAME",

858

.doc = "Interface that will be used to search for Mandos"

859

" servers",

860

.group = 1 },

861

{ .name = "seckey", .key = 's',

862

.arg = "FILE",

863

.doc = "OpenPGP secret key file base name",

864

.group = 1 },

865

{ .name = "pubkey", .key = 'p',

866

.arg = "FILE",

867

.doc = "OpenPGP public key file base name",

868

.group = 2 },

869

{ .name = "dh-bits", .key = 129,

870

.arg = "BITS",

871

.doc = "Bit length of the prime number used in the"

872

" Diffie-Hellman key exchange",

873

.group = 2 },

874

{ .name = "priority", .key = 130,

875

.arg = "STRING",

876

.doc = "GnuTLS priority string for the TLS handshake",

877

.group = 1 },

878

{ .name = "delay", .key = 131,

879

.arg = "SECONDS",

880

.doc = "Maximum delay to wait for interface startup",

881

.group = 2 },

882

{ .name = NULL }

883

};

884

885

error_t parse_opt(int key, char *arg,

886

struct argp_state *state) {

887

switch(key) {

888

case 128: /* --debug */

889

debug = true;

890

break;

891

case 'c': /* --connect */

892

connect_to = arg;

893

break;

894

case 'i': /* --interface */

895

interface = arg;

896

break;

897

case 's': /* --seckey */

898

seckey = arg;

899

break;

900

case 'p': /* --pubkey */

901

pubkey = arg;

902

break;

903

case 129: /* --dh-bits */

904

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

905

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

906

or arg[numchars] != '\0'){

907

fprintf(stderr, "Bad number of DH bits\n");

908

exit(EXIT_FAILURE);

909

}

910

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

911

break;

912

case 130: /* --priority */

913

mc.priority = arg;

914

break;

915

case 131: /* --delay */

916

ret = sscanf(arg, "%lf%n", &delay, &numchars);

917

if(ret < 1 or arg[numchars] != '\0'){

918

fprintf(stderr, "Bad delay\n");

919

exit(EXIT_FAILURE);

920

}

921

break;

922

case ARGP_KEY_ARG:

923

argp_usage(state);

924

case ARGP_KEY_END:

925

break;

926

default:

927

return ARGP_ERR_UNKNOWN;

928

}

929

return 0;

930

}

931

932

struct argp argp = { .options = options, .parser = parse_opt,

933

.args_doc = "",

934

.doc = "Mandos client -- Get and decrypt"

935

" passwords from a Mandos server" };

936

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

937

if(ret == ARGP_ERR_UNKNOWN){

938

fprintf(stderr, "Unknown error while parsing arguments\n");

939

exitcode = EXIT_FAILURE;

940

goto end;

941

}

942

}

943

944

/* If the interface is down, bring it up */

945

{

946

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

947

messages to mess up the prompt */

948

ret = klogctl(8, NULL, 5);

949

if(ret == -1){

950

perror("klogctl");

951

}

952

953

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

954

if(sd < 0) {

955

perror("socket");

956

exitcode = EXIT_FAILURE;

957

ret = klogctl(7, NULL, 0);

958

if(ret == -1){

959

perror("klogctl");

960

}

961

goto end;

962

}

963

strcpy(network.ifr_name, interface);

964

ret = ioctl(sd, SIOCGIFFLAGS, &network);

965

if(ret == -1){

966

perror("ioctl SIOCGIFFLAGS");

967

ret = klogctl(7, NULL, 0);

968

if(ret == -1){

969

perror("klogctl");

970

}

971

exitcode = EXIT_FAILURE;

972

goto end;

973

}

974

if((network.ifr_flags & IFF_UP) == 0){

975

network.ifr_flags |= IFF_UP;

976

ret = ioctl(sd, SIOCSIFFLAGS, &network);

977

if(ret == -1){

978

perror("ioctl SIOCSIFFLAGS");

979

exitcode = EXIT_FAILURE;

980

ret = klogctl(7, NULL, 0);

981

if(ret == -1){

982

perror("klogctl");

983

}

984

goto end;

985

}

986

}

987

/* sleep checking until interface is running */

988

for(int i=0; i < delay * 4; i++){

989

ret = ioctl(sd, SIOCGIFFLAGS, &network);

990

if(ret == -1){

991

perror("ioctl SIOCGIFFLAGS");

992

} else if(network.ifr_flags & IFF_RUNNING){

993

break;

994

}

995

struct timespec sleeptime = { .tv_nsec = 250000000 };

996

nanosleep(&sleeptime, NULL);

997

}

998

ret = (int)TEMP_FAILURE_RETRY(close(sd));

999

if(ret == -1){

1000

perror("close");

1001

}

1002

/* Restores kernel loglevel to default */

1003

ret = klogctl(7, NULL, 0);

1004

if(ret == -1){

1005

perror("klogctl");

1006

}

1007

}

1008

1009

uid = getuid();

1010

gid = getgid();

1011

1012

setgid(gid);

1013

if(ret == -1){

1014

perror("setgid");

1015

}

1016

1017

ret = setuid(uid);

1018

if(ret == -1){

1019

perror("setuid");

1020

}

1021

1022

ret = init_gnutls_global(&mc, pubkey, seckey);

1023

if(ret == -1){

1024

fprintf(stderr, "init_gnutls_global failed\n");

1025

exitcode = EXIT_FAILURE;

1026

goto end;

1027

} else {

1028

gnutls_initialized = true;

1029

}

1030

1031

if(mkdtemp(tempdir) == NULL){

1032

perror("mkdtemp");

1033

goto end;

1034

}

1035

tempdir_created = true;

1036

1037

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

1038

fprintf(stderr, "init_gpgme failed\n");

1039

exitcode = EXIT_FAILURE;

1040

goto end;

1041

} else {

1042

gpgme_initialized = true;

1043

}

1044

1045

if_index = (AvahiIfIndex) if_nametoindex(interface);

1046

if(if_index == 0){

1047

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1048

exitcode = EXIT_FAILURE;

1049

goto end;

1050

}

1051

1052

if(connect_to != NULL){

1053

/* Connect directly, do not use Zeroconf */

1054

/* (Mainly meant for debugging) */

1055

char *address = strrchr(connect_to, ':');

1056

if(address == NULL){

1057

fprintf(stderr, "No colon in address\n");

1058

exitcode = EXIT_FAILURE;

1059

goto end;

1060

}

1061

uint16_t port;

1062

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1063

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1064

or address[numchars+1] != '\0'){

1065

fprintf(stderr, "Bad port number\n");

1066

exitcode = EXIT_FAILURE;

1067

goto end;

1068

}

1069

port = (uint16_t)tmpmax;

1070

*address = '\0';

1071

address = connect_to;

1072

ret = start_mandos_communication(address, port, if_index, &mc);

1073

if(ret < 0){

1074

exitcode = EXIT_FAILURE;

1075

} else {

1076

exitcode = EXIT_SUCCESS;

1077

}

1078

goto end;

1079

}

1080

1081

if(not debug){

648

649

while (true){

650

static struct option long_options[] = {

651

{"debug", no_argument, (int *)&debug, 1},

652

{"interface", required_argument, 0, 'i'},

653

{"certdir", required_argument, 0, 'd'},

654

{"certkey", required_argument, 0, 'c'},

655

{"certfile", required_argument, 0, 'k'},

656

{0, 0, 0, 0} };

657

658

int option_index = 0;

659

ret = getopt_long (argc, argv, "i:", long_options,

660

&option_index);

661

662

if (ret == -1){

663

break;

664

}

665

666

switch(ret){

667

case 0:

668

break;

669

case 'i':

670

interface = optarg;

671

break;

672

case 'd':

673

certdir = optarg;

674

break;

675

case 'c':

676

certfile = optarg;

677

break;

678

case 'k':

679

certkey = optarg;

680

break;

681

default:

682

exit(EXIT_FAILURE);

683

}

684

}

685

686

certfile = combinepath(certdir, certfile);

687

if (certfile == NULL){

688

goto exit;

689

}

690

691

certkey = combinepath(certdir, certkey);

692

if (certkey == NULL){

693

goto exit;

694

}

695

696

if (not debug){

1082

697

avahi_set_log_function(empty_log);

1083

698

}

1084

699

1085

/* Initialize the pseudo-RNG for Avahi */

700

/* Initialize the psuedo-RNG */

1086

701

srand((unsigned int) time(NULL));

1087

1088

/* Allocate main Avahi loop object */

1089

mc.simple_poll = avahi_simple_poll_new();

1090

if(mc.simple_poll == NULL) {

1091

fprintf(stderr, "Avahi: Failed to create simple poll"

1092

" object.\n");

1093

exitcode = EXIT_FAILURE;

1094

goto end;

1095

}

1096

1097

{

1098

AvahiServerConfig config;

1099

/* Do not publish any local Zeroconf records */

1100

avahi_server_config_init(&config);

1101

config.publish_hinfo = 0;

1102

config.publish_addresses = 0;

1103

config.publish_workstation = 0;

1104

config.publish_domain = 0;

1105

1106

/* Allocate a new server */

1107

mc.server = avahi_server_new(avahi_simple_poll_get

1108

(mc.simple_poll), &config, NULL,

1109

NULL, &error);

1110

1111

/* Free the Avahi configuration data */

1112

avahi_server_config_free(&config);

1113

}

1114

1115

/* Check if creating the Avahi server object succeeded */

1116

if(mc.server == NULL) {

1117

fprintf(stderr, "Failed to create Avahi server: %s\n",

702

703

/* Allocate main loop object */

704

if (!(simple_poll = avahi_simple_poll_new())) {

705

fprintf(stderr, "Failed to create simple poll object.\n");

706

707

goto exit;

708

}

709

710

/* Do not publish any local records */

711

avahi_server_config_init(&config);

712

config.publish_hinfo = 0;

713

config.publish_addresses = 0;

714

config.publish_workstation = 0;

715

config.publish_domain = 0;

716

717

/* Allocate a new server */

718

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

719

&config, NULL, NULL, &error);

720

721

/* Free the configuration data */

722

avahi_server_config_free(&config);

723

724

/* Check if creating the server object succeeded */

725

if (!server) {

726

fprintf(stderr, "Failed to create server: %s\n",

1118

727

avahi_strerror(error));

1119

exitcode = EXIT_FAILURE;

1120

goto end;

728

returncode = EXIT_FAILURE;

729

goto exit;

1121

730

}

1122

731

1123

/* Create the Avahi service browser */

1124

sb = avahi_s_service_browser_new(mc.server, if_index,

732

/* Create the service browser */

733

sb = avahi_s_service_browser_new(server,

734

(AvahiIfIndex)

735

if_nametoindex(interface),

1125

736

AVAHI_PROTO_INET6,

1126

737

"_mandos._tcp", NULL, 0,

1127

browse_callback, &mc);

1128

if(sb == NULL) {

738

browse_callback, server);

739

if (!sb) {

1129

740

fprintf(stderr, "Failed to create service browser: %s\n",

1130

avahi_strerror(avahi_server_errno(mc.server)));

1131

exitcode = EXIT_FAILURE;

1132

goto end;

741

avahi_strerror(avahi_server_errno(server)));

742

returncode = EXIT_FAILURE;

743

goto exit;

1133

744

}

1134

745

1135

746

/* Run the main loop */

1136

1137

if(debug){

1138

fprintf(stderr, "Starting Avahi loop search\n");

747

748

if (debug){

749

fprintf(stderr, "Starting avahi loop search\n");

1139

750

}

751

752

avahi_simple_poll_loop(simple_poll);

753

754

exit:

1140

755

1141

avahi_simple_poll_loop(mc.simple_poll);

1142

1143

end:

1144

1145

if(debug){

756

if (debug){

1146

757

fprintf(stderr, "%s exiting\n", argv[0]);

1147

758

}

1148

759

1149

760

/* Cleanup things */

1150

if(sb != NULL)

761

if (sb)

1151

762

avahi_s_service_browser_free(sb);

1152

763

1153

if(mc.server != NULL)

1154

avahi_server_free(mc.server);

1155

1156

if(mc.simple_poll != NULL)

1157

avahi_simple_poll_free(mc.simple_poll);

1158

1159

if(gnutls_initialized){

1160

gnutls_certificate_free_credentials(mc.cred);

1161

gnutls_global_deinit();

1162

gnutls_dh_params_deinit(mc.dh_params);

1163

}

1164

1165

if(gpgme_initialized){

1166

gpgme_release(mc.ctx);

1167

}

1168

1169

/* Removes the temp directory used by GPGME */

1170

if(tempdir_created){

1171

DIR *d;

1172

struct dirent *direntry;

1173

d = opendir(tempdir);

1174

if(d == NULL){

1175

if(errno != ENOENT){

1176

perror("opendir");

1177

}

1178

} else {

1179

while(true){

1180

direntry = readdir(d);

1181

if(direntry == NULL){

1182

break;

1183

}

1184

/* Skip "." and ".." */

1185

if(direntry->d_name[0] == '.'

1186

and (direntry->d_name[1] == '\0'

1187

or (direntry->d_name[1] == '.'

1188

and direntry->d_name[2] == '\0'))){

1189

continue;

1190

}

1191

char *fullname = NULL;

1192

ret = asprintf(&fullname, "%s/%s", tempdir,

1193

direntry->d_name);

1194

if(ret < 0){

1195

perror("asprintf");

1196

continue;

1197

}

1198

ret = remove(fullname);

1199

if(ret == -1){

1200

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1201

strerror(errno));

1202

}

1203

free(fullname);

1204

}

1205

closedir(d);

1206

}

1207

ret = rmdir(tempdir);

1208

if(ret == -1 and errno != ENOENT){

1209

perror("rmdir");

1210

}

1211

}

1212

1213

return exitcode;

764

if (server)

765

avahi_server_free(server);

766

767

if (simple_poll)

768

avahi_simple_poll_free(simple_poll);

769

free(certfile);

770

free(certkey);

771

772

return returncode;

1214

773

}

Older »