32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), asprintf(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t, open(), opendir(), DIR */
51
#include <sys/stat.h> /* open() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
55
#include <fcntl.h> /* open() */
56
#include <dirent.h> /* opendir(), struct dirent, readdir() */
57
#include <inttypes.h> /* PRIu16 */
58
#include <assert.h> /* assert() */
59
#include <errno.h> /* perror(), errno */
60
#include <time.h> /* time() */
61
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
62
SIOCSIFFLAGS, if_indextoname(),
63
if_nametoindex(), IF_NAMESIZE */
64
#include <netinet/in.h>
65
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
66
getuid(), getgid(), setuid(),
68
#include <arpa/inet.h> /* inet_pton(), htons */
69
#include <iso646.h> /* not, and */
70
#include <argp.h> /* struct argp_option, error_t, struct
71
argp_state, struct argp,
72
argp_parse(), ARGP_KEY_ARG,
73
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
76
/* All Avahi types, constants and functions
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
79
43
#include <avahi-core/core.h>
80
44
#include <avahi-core/lookup.h>
81
45
#include <avahi-core/log.h>
83
47
#include <avahi-common/malloc.h>
84
48
#include <avahi-common/error.h>
87
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
90
init_gnutls_session(),
92
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
93
GNUTLS_OPENPGP_FMT_BASE64 */
96
#include <gpgme.h> /* All GPGME types, constants and
99
GPGME_PROTOCOL_OpenPGP,
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
65
#include <errno.h> /* perror() */
102
71
#define BUFFER_SIZE 256
105
#define PATHDIR "/conf/conf.d/mandos"
108
#define PATHDIR "/conf/conf.d/mandos"
109
#define SECKEY "seckey.txt"
110
#define PUBKEY "pubkey.txt"
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
112
78
bool debug = false;
113
static const char mandos_protocol_version[] = "1";
114
const char *argp_program_version = "mandos-client 1.0";
115
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
117
/* Used for passing in values through the Avahi callback functions */
119
AvahiSimplePoll *simple_poll;
81
gnutls_session_t session;
121
82
gnutls_certificate_credentials_t cred;
122
unsigned int dh_bits;
123
83
gnutls_dh_params_t dh_params;
124
const char *priority;
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
90
gpgme_data_t dh_crypto, dh_plain;
129
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
130
* "buffer_capacity" is how much is currently allocated,
131
* "buffer_length" is how much is already used.
133
size_t adjustbuffer(char **buffer, size_t buffer_length,
134
size_t buffer_capacity){
135
if (buffer_length + BUFFER_SIZE > buffer_capacity){
136
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
140
buffer_capacity += BUFFER_SIZE;
142
return buffer_capacity;
148
static bool init_gpgme(mandos_context *mc, const char *seckey,
149
const char *pubkey, const char *tempdir){
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
152
96
gpgme_engine_info_t engine_info;
156
* Helper function to insert pub and seckey to the enigne keyring.
158
bool import_key(const char *filename){
160
gpgme_data_t pgp_data;
162
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
168
rc = gpgme_data_new_from_fd(&pgp_data, fd);
169
if (rc != GPG_ERR_NO_ERROR){
170
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
171
gpgme_strsource(rc), gpgme_strerror(rc));
175
rc = gpgme_op_import(mc->ctx, pgp_data);
176
if (rc != GPG_ERR_NO_ERROR){
177
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
178
gpgme_strsource(rc), gpgme_strerror(rc));
182
ret = TEMP_FAILURE_RETRY(close(fd));
186
gpgme_data_release(pgp_data);
191
fprintf(stderr, "Initialize gpgme\n");
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
267
141
if (rc != GPG_ERR_NO_ERROR){
268
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
269
143
gpgme_strsource(rc), gpgme_strerror(rc));
270
gpgme_data_release(dh_crypto);
274
/* Decrypt data from the cryptotext data buffer to the plaintext
276
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
155
/* Decrypt data from the FILE pointer to the plaintext data
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
277
158
if (rc != GPG_ERR_NO_ERROR){
278
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
279
160
gpgme_strsource(rc), gpgme_strerror(rc));
280
plaintext_length = -1;
282
gpgme_decrypt_result_t result;
283
result = gpgme_op_decrypt_result(mc->ctx);
285
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
fprintf(stderr, "Unsupported algorithm: %s\n",
288
result->unsupported_algorithm);
289
fprintf(stderr, "Wrong key usage: %u\n",
290
result->wrong_key_usage);
291
if(result->file_name != NULL){
292
fprintf(stderr, "File name: %s\n", result->file_name);
294
gpgme_recipient_t recipient;
295
recipient = result->recipients;
297
while(recipient != NULL){
298
fprintf(stderr, "Public key algorithm: %s\n",
299
gpgme_pubkey_algo_name(recipient->pubkey_algo));
300
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
301
fprintf(stderr, "Secret key available: %s\n",
302
recipient->status == GPG_ERR_NO_SECKEY
304
recipient = recipient->next;
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
191
recipient = recipient->next;
313
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
316
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
317
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
318
perror("gpgme_data_seek");
319
plaintext_length = -1;
202
perror("pgpme_data_seek");
325
plaintext_capacity = adjustbuffer(plaintext,
326
(size_t)plaintext_length,
328
if (plaintext_capacity == 0){
329
perror("adjustbuffer");
330
plaintext_length = -1;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
211
if (*new_packet == NULL){
215
new_packet_capacity += BUFFER_SIZE;
334
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
220
/* Print the data, if any */
342
225
perror("gpgme_data_read");
343
plaintext_length = -1;
346
plaintext_length += ret;
350
fprintf(stderr, "Decrypted password is: ");
351
for(ssize_t i = 0; i < plaintext_length; i++){
352
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
fprintf(stderr, "\n");
359
/* Delete the GPGME cryptotext data buffer */
360
gpgme_data_release(dh_crypto);
228
new_packet_length += ret;
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
362
239
/* Delete the GPGME plaintext data buffer */
363
240
gpgme_data_release(dh_plain);
364
return plaintext_length;
241
return new_packet_length;
367
244
static const char * safer_gnutls_strerror (int value) {
368
const char *ret = gnutls_strerror (value); /* Spurious warning */
245
const char *ret = gnutls_strerror (value);
370
247
ret = "(unknown)";
374
/* GnuTLS log function callback */
375
251
static void debuggnutls(__attribute__((unused)) int level,
376
252
const char* string){
377
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
380
static int init_gnutls_global(mandos_context *mc,
381
const char *pubkeyfilename,
382
const char *seckeyfilename){
256
static int initgnutls(encrypted_session *es){
386
261
fprintf(stderr, "Initializing GnuTLS\n");
389
ret = gnutls_global_init();
390
if (ret != GNUTLS_E_SUCCESS) {
391
fprintf (stderr, "GnuTLS global_init: %s\n",
392
safer_gnutls_strerror(ret));
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
397
/* "Use a log level over 10 to enable all debugging options."
400
271
gnutls_global_set_log_level(11);
401
272
gnutls_global_set_log_function(debuggnutls);
404
/* OpenPGP credentials */
405
gnutls_certificate_allocate_credentials(&mc->cred);
406
if (ret != GNUTLS_E_SUCCESS){
407
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
409
279
safer_gnutls_strerror(ret));
410
gnutls_global_deinit ();
415
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
416
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
420
289
ret = gnutls_certificate_set_openpgp_key_file
421
(mc->cred, pubkeyfilename, seckeyfilename,
422
GNUTLS_OPENPGP_FMT_BASE64);
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
423
291
if (ret != GNUTLS_E_SUCCESS) {
425
"Error[%d] while reading the OpenPGP key pair ('%s',"
426
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
427
fprintf(stderr, "The GnuTLS error is: %s\n",
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
428
297
safer_gnutls_strerror(ret));
432
/* GnuTLS server initialization */
433
ret = gnutls_dh_params_init(&mc->dh_params);
434
if (ret != GNUTLS_E_SUCCESS) {
435
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
436
" %s\n", safer_gnutls_strerror(ret));
439
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
440
if (ret != GNUTLS_E_SUCCESS) {
441
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
442
safer_gnutls_strerror(ret));
446
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
gnutls_certificate_free_credentials(mc->cred);
453
gnutls_global_deinit();
454
gnutls_dh_params_deinit(mc->dh_params);
458
static int init_gnutls_session(mandos_context *mc,
459
gnutls_session_t *session){
461
/* GnuTLS session creation */
462
ret = gnutls_init(session, GNUTLS_SERVER);
463
if (ret != GNUTLS_E_SUCCESS){
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
464
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
465
322
safer_gnutls_strerror(ret));
470
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
471
if (ret != GNUTLS_E_SUCCESS) {
472
fprintf(stderr, "Syntax error at: %s\n", err);
473
fprintf(stderr, "GnuTLS error: %s\n",
474
safer_gnutls_strerror(ret));
475
gnutls_deinit (*session);
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
480
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
482
if (ret != GNUTLS_E_SUCCESS) {
483
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
484
337
safer_gnutls_strerror(ret));
485
gnutls_deinit (*session);
489
341
/* ignore client certificate if any. */
490
gnutls_certificate_server_set_request (*session,
342
gnutls_certificate_server_set_request (es->session,
491
343
GNUTLS_CERT_IGNORE);
493
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
/* Avahi log function callback */
499
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
500
351
__attribute__((unused)) const char *txt){}
502
/* Called when a Mandos server is found */
503
353
static int start_mandos_communication(const char *ip, uint16_t port,
504
AvahiIfIndex if_index,
354
AvahiIfIndex if_index){
507
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
508
358
char *buffer = NULL;
509
359
char *decrypted_buffer;
510
360
size_t buffer_length = 0;
511
361
size_t buffer_capacity = 0;
512
362
ssize_t decrypted_buffer_size;
515
365
char interface[IF_NAMESIZE];
516
gnutls_session_t session;
518
ret = init_gnutls_session (mc, &session);
524
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
528
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
530
374
perror("socket");
535
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
536
perror("if_indextoname");
381
perror("if_indextoname");
539
386
fprintf(stderr, "Binding to interface %s\n", interface);
542
memset(&to, 0, sizeof(to));
543
to.in6.sin6_family = AF_INET6;
544
/* It would be nice to have a way to detect if we were passed an
545
IPv4 address here. Now we assume an IPv6 address. */
546
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
548
393
perror("inet_pton");
552
397
fprintf(stderr, "Bad address: %s\n", ip);
555
to.in6.sin6_port = htons(port); /* Spurious warning */
400
to.sin6_port = htons(port); /* Spurious warning */
557
to.in6.sin6_scope_id = (uint32_t)if_index;
402
to.sin6_scope_id = (uint32_t)if_index;
560
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
562
char addrstr[INET6_ADDRSTRLEN] = "";
563
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
564
sizeof(addrstr)) == NULL){
567
if(strcmp(addrstr, ip) != 0){
568
fprintf(stderr, "Canonical address form: %s\n", addrstr);
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
573
ret = connect(tcp_sd, &to.in, sizeof(to));
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
575
418
perror("connect");
579
const char *out = mandos_protocol_version;
582
size_t out_size = strlen(out);
583
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
584
out_size - written));
590
written += (size_t)ret;
591
if(written < out_size){
594
if (out == mandos_protocol_version){
422
ret = initgnutls (&es);
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
604
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
607
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
610
ret = gnutls_handshake (session);
611
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
435
ret = gnutls_handshake (es.session);
613
437
if (ret != GNUTLS_E_SUCCESS){
615
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
439
fprintf(stderr, "\n*** Handshake failed ***\n");
616
440
gnutls_perror (ret);
622
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
625
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
630
buffer_capacity = adjustbuffer(&buffer, buffer_length,
632
if (buffer_capacity == 0){
633
perror("adjustbuffer");
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
460
buffer_capacity += BUFFER_SIZE;
638
ret = gnutls_record_recv(session, buffer+buffer_length,
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
747
569
char ip[AVAHI_ADDRESS_STR_MAX];
748
570
avahi_address_snprint(ip, sizeof(ip), address);
750
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
751
PRIu16 ") on port %d\n", name, host_name, ip,
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
754
int ret = start_mandos_communication(ip, port, interface, mc);
575
int ret = start_mandos_communication(ip, port, interface);
756
avahi_simple_poll_quit(mc->simple_poll);
760
581
avahi_s_service_resolver_free(r);
763
static void browse_callback( AvahiSServiceBrowser *b,
764
AvahiIfIndex interface,
765
AvahiProtocol protocol,
766
AvahiBrowserEvent event,
770
AVAHI_GCC_UNUSED AvahiLookupResultFlags
773
mandos_context *mc = userdata;
776
/* Called whenever a new services becomes available on the LAN or
777
is removed from the LAN */
781
case AVAHI_BROWSER_FAILURE:
783
fprintf(stderr, "(Avahi browser) %s\n",
784
avahi_strerror(avahi_server_errno(mc->server)));
785
avahi_simple_poll_quit(mc->simple_poll);
788
case AVAHI_BROWSER_NEW:
789
/* We ignore the returned Avahi resolver object. In the callback
790
function we free it. If the Avahi server is terminated before
791
the callback function is called the Avahi server will free the
794
if (!(avahi_s_service_resolver_new(mc->server, interface,
795
protocol, name, type, domain,
796
AVAHI_PROTO_INET6, 0,
797
resolve_callback, mc)))
798
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
799
name, avahi_strerror(avahi_server_errno(mc->server)));
802
case AVAHI_BROWSER_REMOVE:
805
case AVAHI_BROWSER_ALL_FOR_NOW:
806
case AVAHI_BROWSER_CACHE_EXHAUSTED:
808
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
603
case AVAHI_BROWSER_FAILURE:
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
624
case AVAHI_BROWSER_REMOVE:
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
int main(int argc, char *argv[]){
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
643
memcpy(tmp, first, f_len);
647
memcpy(tmp + f_len + 1, second, s_len);
649
tmp[f_len + 1 + s_len] = '\0';
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
815
656
AvahiSServiceBrowser *sb = NULL;
818
int exitcode = EXIT_SUCCESS;
659
int returncode = EXIT_SUCCESS;
819
660
const char *interface = "eth0";
820
661
struct ifreq network;
824
663
char *connect_to = NULL;
825
char tempdir[] = "/tmp/mandosXXXXXX";
826
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
827
const char *seckey = PATHDIR "/" SECKEY;
828
const char *pubkey = PATHDIR "/" PUBKEY;
830
mandos_context mc = { .simple_poll = NULL, .server = NULL,
831
.dh_bits = 1024, .priority = "SECURE256"
832
":!CTYPE-X.509:+CTYPE-OPENPGP" };
833
bool gnutls_initalized = false;
834
bool gpgme_initalized = false;
837
struct argp_option options[] = {
838
{ .name = "debug", .key = 128,
839
.doc = "Debug mode", .group = 3 },
840
{ .name = "connect", .key = 'c',
841
.arg = "ADDRESS:PORT",
842
.doc = "Connect directly to a specific Mandos server",
844
{ .name = "interface", .key = 'i',
846
.doc = "Interface that will be used to search for Mandos"
849
{ .name = "seckey", .key = 's',
851
.doc = "OpenPGP secret key file base name",
853
{ .name = "pubkey", .key = 'p',
855
.doc = "OpenPGP public key file base name",
857
{ .name = "dh-bits", .key = 129,
859
.doc = "Bit length of the prime number used in the"
860
" Diffie-Hellman key exchange",
862
{ .name = "priority", .key = 130,
864
.doc = "GnuTLS priority string for the TLS handshake",
869
error_t parse_opt (int key, char *arg,
870
struct argp_state *state) {
871
/* Get the INPUT argument from `argp_parse', which we know is
872
a pointer to our plugin list pointer. */
874
case 128: /* --debug */
877
case 'c': /* --connect */
880
case 'i': /* --interface */
883
case 's': /* --seckey */
886
case 'p': /* --pubkey */
889
case 129: /* --dh-bits */
891
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
897
case 130: /* --priority */
905
return ARGP_ERR_UNKNOWN;
910
struct argp argp = { .options = options, .parser = parse_opt,
912
.doc = "Mandos client -- Get and decrypt"
913
" passwords from a Mandos server" };
914
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
915
if (ret == ARGP_ERR_UNKNOWN){
916
fprintf(stderr, "Unknown error while parsing arguments\n");
917
exitcode = EXIT_FAILURE;
922
/* If the interface is down, bring it up */
924
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
927
exitcode = EXIT_FAILURE;
930
strcpy(network.ifr_name, interface);
931
ret = ioctl(sd, SIOCGIFFLAGS, &network);
933
perror("ioctl SIOCGIFFLAGS");
934
exitcode = EXIT_FAILURE;
937
if((network.ifr_flags & IFF_UP) == 0){
938
network.ifr_flags |= IFF_UP;
939
ret = ioctl(sd, SIOCSIFFLAGS, &network);
941
perror("ioctl SIOCSIFFLAGS");
942
exitcode = EXIT_FAILURE;
946
ret = TEMP_FAILURE_RETRY(close(sd));
965
ret = init_gnutls_global(&mc, pubkey, seckey);
967
fprintf(stderr, "init_gnutls_global failed\n");
968
exitcode = EXIT_FAILURE;
971
gnutls_initalized = true;
974
if(mkdtemp(tempdir) == NULL){
980
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
981
fprintf(stderr, "gpgme_initalized failed\n");
982
exitcode = EXIT_FAILURE;
985
gpgme_initalized = true;
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
988
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
997
730
char *address = strrchr(connect_to, ':');
998
731
if(address == NULL){
999
732
fprintf(stderr, "No colon in address\n");
1000
exitcode = EXIT_FAILURE;
1004
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
1006
738
perror("Bad port number");
1007
exitcode = EXIT_FAILURE;
1010
741
*address = '\0';
1011
742
address = connect_to;
1012
ret = start_mandos_communication(address, port, if_index, &mc);
743
ret = start_mandos_communication(address, port, if_index);
1014
exitcode = EXIT_FAILURE;
1016
exitcode = EXIT_SUCCESS;
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
754
returncode = EXIT_FAILURE;
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
1022
777
avahi_set_log_function(empty_log);
1025
/* Initialize the pseudo-RNG for Avahi */
780
/* Initialize the psuedo-RNG */
1026
781
srand((unsigned int) time(NULL));
1028
/* Allocate main Avahi loop object */
1029
mc.simple_poll = avahi_simple_poll_new();
1030
if (mc.simple_poll == NULL) {
1031
fprintf(stderr, "Avahi: Failed to create simple poll"
1033
exitcode = EXIT_FAILURE;
1038
AvahiServerConfig config;
1039
/* Do not publish any local Zeroconf records */
1040
avahi_server_config_init(&config);
1041
config.publish_hinfo = 0;
1042
config.publish_addresses = 0;
1043
config.publish_workstation = 0;
1044
config.publish_domain = 0;
1046
/* Allocate a new server */
1047
mc.server = avahi_server_new(avahi_simple_poll_get
1048
(mc.simple_poll), &config, NULL,
1051
/* Free the Avahi configuration data */
1052
avahi_server_config_free(&config);
1055
/* Check if creating the Avahi server object succeeded */
1056
if (mc.server == NULL) {
1057
fprintf(stderr, "Failed to create Avahi server: %s\n",
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
790
/* Do not publish any local records */
791
avahi_server_config_init(&config);
792
config.publish_hinfo = 0;
793
config.publish_addresses = 0;
794
config.publish_workstation = 0;
795
config.publish_domain = 0;
797
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
801
/* Free the configuration data */
802
avahi_server_config_free(&config);
804
/* Check if creating the server object succeeded */
806
fprintf(stderr, "Failed to create server: %s\n",
1058
807
avahi_strerror(error));
1059
exitcode = EXIT_FAILURE;
808
returncode = EXIT_FAILURE;
1063
/* Create the Avahi service browser */
1064
sb = avahi_s_service_browser_new(mc.server, if_index,
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
1065
814
AVAHI_PROTO_INET6,
1066
815
"_mandos._tcp", NULL, 0,
1067
browse_callback, &mc);
816
browse_callback, server);
1069
818
fprintf(stderr, "Failed to create service browser: %s\n",
1070
avahi_strerror(avahi_server_errno(mc.server)));
1071
exitcode = EXIT_FAILURE;
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
1075
824
/* Run the main loop */
1078
fprintf(stderr, "Starting Avahi loop search\n");
827
fprintf(stderr, "Starting avahi loop search\n");
1081
avahi_simple_poll_loop(mc.simple_poll);
830
avahi_simple_poll_loop(simple_poll);
1086
835
fprintf(stderr, "%s exiting\n", argv[0]);
1089
838
/* Cleanup things */
1091
840
avahi_s_service_browser_free(sb);
1093
if (mc.server != NULL)
1094
avahi_server_free(mc.server);
1096
if (mc.simple_poll != NULL)
1097
avahi_simple_poll_free(mc.simple_poll);
1099
if (gnutls_initalized){
1100
gnutls_certificate_free_credentials(mc.cred);
1101
gnutls_global_deinit ();
1102
gnutls_dh_params_deinit(mc.dh_params);
1105
if(gpgme_initalized){
1106
gpgme_release(mc.ctx);
1109
/* Removes the temp directory used by GPGME */
1110
if(tempdir[0] != '\0'){
1112
struct dirent *direntry;
1113
d = opendir(tempdir);
1118
direntry = readdir(d);
1119
if(direntry == NULL){
1122
if (direntry->d_type == DT_REG){
1123
char *fullname = NULL;
1124
ret = asprintf(&fullname, "%s/%s", tempdir,
1130
ret = unlink(fullname);
1132
fprintf(stderr, "unlink(\"%s\"): %s",
1133
fullname, strerror(errno));
1140
ret = rmdir(tempdir);
843
avahi_server_free(server);
846
avahi_simple_poll_free(simple_poll);