To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.7
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.7
- Committer: Björn Påhlsson
- Date: 2008-08-02 15:47:42 UTC
- mfrom: (36 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802154742-pixsom1utki8x3yo
merge
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
33
32
#define _LARGEFILE_SOURCE
34
33
#define _FILE_OFFSET_BITS 64
35
34
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(),
52
DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton(),
56
connect() */
57
#include <fcntl.h> /* open() */
58
#include <dirent.h> /* opendir(), struct dirent, readdir()
59
*/
60
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
61
#include <assert.h> /* assert() */
62
#include <errno.h> /* perror(), errno */
63
#include <time.h> /* time(), nanosleep() */
64
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
65
SIOCSIFFLAGS, if_indextoname(),
66
if_nametoindex(), IF_NAMESIZE */
67
#include <netinet/in.h>
68
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
69
getuid(), getgid(), setuid(),
70
setgid() */
71
#include <arpa/inet.h> /* inet_pton(), htons */
72
#include <iso646.h> /* not, and, or */
73
#include <argp.h> /* struct argp_option, error_t, struct
74
argp_state, struct argp,
75
argp_parse(), ARGP_KEY_ARG,
76
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
77
#include <sys/klog.h> /* klogctl() */
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
83
43
#include <avahi-core/core.h>
84
44
#include <avahi-core/lookup.h>
85
45
#include <avahi-core/log.h>
87
47
#include <avahi-common/malloc.h>
88
48
#include <avahi-common/error.h>
89
49
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
106
70
107
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
108
73
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
112
77
113
78
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
117
79
118
/* Used for passing in values through the Avahi callback functions */
119
80
typedef struct {
120
AvahiSimplePoll *simple_poll;
121
AvahiServer *server;
81
gnutls_session_t session;
122
82
gnutls_certificate_credentials_t cred;
123
unsigned int dh_bits;
124
83
gnutls_dh_params_t dh_params;
125
const char *priority;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
126
91
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
152
92
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
153
96
gpgme_engine_info_t engine_info;
154
155
156
/*
157
* Helper function to insert pub and seckey to the enigne keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
193
100
}
194
101
195
102
/* Init GPGME */
196
103
gpgme_check_version(NULL);
197
104
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
198
if(rc != GPG_ERR_NO_ERROR){
105
if (rc != GPG_ERR_NO_ERROR){
199
106
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
200
107
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
108
return -1;
202
109
}
203
110
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
207
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
208
115
gpgme_strsource(rc), gpgme_strerror(rc));
209
return false;
116
return -1;
210
117
}
211
118
while(engine_info != NULL){
212
119
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
213
120
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
214
engine_info->file_name, tempdir);
121
engine_info->file_name, homedir);
215
122
break;
216
123
}
217
124
engine_info = engine_info->next;
218
125
}
219
126
if(engine_info == NULL){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
255
}
256
257
/* Create new GPGME data buffer from memory cryptotext */
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
0);
260
if(rc != GPG_ERR_NO_ERROR){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
261
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
262
135
gpgme_strsource(rc), gpgme_strerror(rc));
263
136
return -1;
265
138
266
139
/* Create new empty GPGME data buffer for the plaintext */
267
140
rc = gpgme_data_new(&dh_plain);
268
if(rc != GPG_ERR_NO_ERROR){
141
if (rc != GPG_ERR_NO_ERROR){
269
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
270
143
gpgme_strsource(rc), gpgme_strerror(rc));
271
gpgme_data_release(dh_crypto);
272
return -1;
273
}
274
275
/* Decrypt data from the cryptotext data buffer to the plaintext
276
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
279
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
280
160
gpgme_strsource(rc), gpgme_strerror(rc));
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
161
return -1;
162
}
163
164
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
307
192
}
308
193
}
309
194
}
310
goto decrypt_end;
311
195
}
312
196
313
if(debug){
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
}
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
316
199
317
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
320
plaintext_length = -1;
321
goto decrypt_end;
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
322
203
}
323
204
324
*plaintext = NULL;
205
*new_packet = 0;
325
206
while(true){
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
331
plaintext_length = -1;
332
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
333
216
}
334
217
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
219
BUFFER_SIZE);
337
220
/* Print the data, if any */
338
if(ret == 0){
339
/* EOF */
221
if (ret == 0){
340
222
break;
341
223
}
342
224
if(ret < 0){
343
225
perror("gpgme_data_read");
344
plaintext_length = -1;
345
goto decrypt_end;
346
}
347
plaintext_length += ret;
348
}
349
350
if(debug){
351
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
}
355
fprintf(stderr, "\n");
356
}
357
358
decrypt_end:
359
360
/* Delete the GPGME cryptotext data buffer */
361
gpgme_data_release(dh_crypto);
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
362
238
363
239
/* Delete the GPGME plaintext data buffer */
364
240
gpgme_data_release(dh_plain);
365
return plaintext_length;
241
return new_packet_length;
366
242
}
367
243
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
372
247
ret = "(unknown)";
373
248
return ret;
374
249
}
375
250
376
/* GnuTLS log function callback */
377
251
static void debuggnutls(__attribute__((unused)) int level,
378
252
const char* string){
379
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
380
254
}
381
255
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
385
258
int ret;
386
259
387
260
if(debug){
388
261
fprintf(stderr, "Initializing GnuTLS\n");
389
262
}
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
395
267
return -1;
396
268
}
397
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
269
270
if (debug){
402
271
gnutls_global_set_log_level(11);
403
272
gnutls_global_set_log_function(debuggnutls);
404
273
}
405
274
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
415
280
return -1;
416
281
}
417
282
418
283
if(debug){
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
422
287
}
423
288
424
289
ret = gnutls_certificate_set_openpgp_key_file
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
468
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
469
322
safer_gnutls_strerror(ret));
470
323
}
471
324
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
482
331
}
483
332
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
488
337
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
490
338
return -1;
491
339
}
492
340
493
341
/* ignore client certificate if any. */
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
496
344
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
346
499
347
return 0;
500
348
}
501
349
502
/* Avahi log function callback */
503
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
504
351
__attribute__((unused)) const char *txt){}
505
352
506
/* Called when a Mandos server is found */
507
353
static int start_mandos_communication(const char *ip, uint16_t port,
508
AvahiIfIndex if_index,
509
mandos_context *mc){
354
AvahiIfIndex if_index){
510
355
int ret, tcp_sd;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
513
358
char *buffer = NULL;
514
359
char *decrypted_buffer;
515
360
size_t buffer_length = 0;
516
361
size_t buffer_capacity = 0;
517
362
ssize_t decrypted_buffer_size;
518
size_t written;
363
size_t written = 0;
519
364
int retval = 0;
520
365
char interface[IF_NAMESIZE];
521
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
527
366
528
367
if(debug){
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
531
370
}
532
371
533
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
535
374
perror("socket");
536
375
return -1;
537
376
}
538
377
539
378
if(debug){
540
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
541
perror("if_indextoname");
380
if(debug){
381
perror("if_indextoname");
382
}
542
383
return -1;
543
384
}
385
544
386
fprintf(stderr, "Binding to interface %s\n", interface);
545
387
}
546
388
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
553
393
perror("inet_pton");
554
394
return -1;
555
}
395
}
556
396
if(ret == 0){
557
397
fprintf(stderr, "Bad address: %s\n", ip);
558
398
return -1;
559
399
}
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
400
to.sin6_port = htons(port); /* Spurious warning */
563
401
564
to.in6.sin6_scope_id = (uint32_t)if_index;
402
to.sin6_scope_id = (uint32_t)if_index;
565
403
566
404
if(debug){
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
569
char addrstr[INET6_ADDRSTRLEN] = "";
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
571
sizeof(addrstr)) == NULL){
572
perror("inet_ntop");
573
} else {
574
if(strcmp(addrstr, ip) != 0){
575
fprintf(stderr, "Canonical address form: %s\n", addrstr);
576
}
577
}
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
578
414
}
579
415
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
417
if (ret < 0){
582
418
perror("connect");
583
419
return -1;
584
420
}
585
421
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
608
426
}
609
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
610
431
if(debug){
611
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
612
433
}
613
434
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
435
ret = gnutls_handshake (es.session);
436
437
if (ret != GNUTLS_E_SUCCESS){
621
438
if(debug){
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
439
fprintf(stderr, "\n*** Handshake failed ***\n");
440
gnutls_perror (ret);
624
441
}
625
442
retval = -1;
626
goto mandos_end;
443
goto exit;
627
444
}
628
445
629
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
630
447
631
448
if(debug){
632
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
633
450
ip);
634
451
}
635
452
636
453
while(true){
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
643
461
}
644
462
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
465
if (ret == 0){
648
466
break;
649
467
}
650
if(sret < 0){
651
switch(sret){
468
if (ret < 0){
469
switch(ret){
652
470
case GNUTLS_E_INTERRUPTED:
653
471
case GNUTLS_E_AGAIN:
654
472
break;
655
473
case GNUTLS_E_REHANDSHAKE:
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
474
ret = gnutls_handshake (es.session);
475
if (ret < 0){
476
fprintf(stderr, "\n*** Handshake failed ***\n");
477
gnutls_perror (ret);
662
478
retval = -1;
663
goto mandos_end;
479
goto exit;
664
480
}
665
481
break;
666
482
default:
667
483
fprintf(stderr, "Unknown error while reading data from"
668
" encrypted session with Mandos server\n");
484
" encrypted session with mandos server\n");
669
485
retval = -1;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
672
488
}
673
489
} else {
674
buffer_length += (size_t) sret;
490
buffer_length += (size_t) ret;
675
491
}
676
492
}
677
493
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
494
if (buffer_length > 0){
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
686
496
buffer_length,
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
497
&decrypted_buffer,
498
certdir);
499
if (decrypted_buffer_size >= 0){
690
500
while(written < (size_t) decrypted_buffer_size){
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
501
ret = (int)fwrite (decrypted_buffer + written, 1,
502
(size_t)decrypted_buffer_size - written,
503
stdout);
694
504
if(ret == 0 and ferror(stdout)){
695
505
if(debug){
696
506
fprintf(stderr, "Error writing encrypted data: %s\n",
705
515
} else {
706
516
retval = -1;
707
517
}
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
518
}
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
715
526
free(buffer);
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
529
close(tcp_sd);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
532
gnutls_global_deinit ();
721
533
return retval;
722
534
}
723
535
724
static void resolve_callback(AvahiSServiceResolver *r,
725
AvahiIfIndex interface,
726
AVAHI_GCC_UNUSED AvahiProtocol protocol,
727
AvahiResolverEvent event,
728
const char *name,
729
const char *type,
730
const char *domain,
731
const char *host_name,
732
const AvahiAddress *address,
733
uint16_t port,
734
AVAHI_GCC_UNUSED AvahiStringList *txt,
735
AVAHI_GCC_UNUSED AvahiLookupResultFlags
736
flags,
737
void* userdata) {
738
mandos_context *mc = userdata;
739
assert(r);
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
554
assert(r); /* Spurious warning */
740
555
741
556
/* Called whenever a service has been resolved successfully or
742
557
timed out */
743
558
744
switch(event) {
559
switch (event) {
745
560
default:
746
561
case AVAHI_RESOLVER_FAILURE:
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
749
avahi_strerror(avahi_server_errno(mc->server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
750
565
break;
751
566
752
567
case AVAHI_RESOLVER_FOUND:
754
569
char ip[AVAHI_ADDRESS_STR_MAX];
755
570
avahi_address_snprint(ip, sizeof(ip), address);
756
571
if(debug){
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
760
574
}
761
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
575
int ret = start_mandos_communication(ip, port, interface);
576
if (ret == 0){
577
exit(EXIT_SUCCESS);
764
578
}
765
579
}
766
580
}
767
581
avahi_s_service_resolver_free(r);
768
582
}
769
583
770
static void browse_callback( AvahiSServiceBrowser *b,
771
AvahiIfIndex interface,
772
AvahiProtocol protocol,
773
AvahiBrowserEvent event,
774
const char *name,
775
const char *type,
776
const char *domain,
777
AVAHI_GCC_UNUSED AvahiLookupResultFlags
778
flags,
779
void* userdata) {
780
mandos_context *mc = userdata;
781
assert(b);
782
783
/* Called whenever a new services becomes available on the LAN or
784
is removed from the LAN */
785
786
switch(event) {
787
default:
788
case AVAHI_BROWSER_FAILURE:
789
790
fprintf(stderr, "(Avahi browser) %s\n",
791
avahi_strerror(avahi_server_errno(mc->server)));
792
avahi_simple_poll_quit(mc->simple_poll);
793
return;
794
795
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
800
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
802
protocol, name, type, domain,
803
AVAHI_PROTO_INET6, 0,
804
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
807
break;
808
809
case AVAHI_BROWSER_REMOVE:
810
break;
811
812
case AVAHI_BROWSER_ALL_FOR_NOW:
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
816
630
}
817
break;
818
}
819
}
820
821
int main(int argc, char *argv[]){
631
}
632
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
639
if (tmp == NULL){
640
return NULL;
641
}
642
if(f_len > 0){
643
memcpy(tmp, first, f_len);
644
}
645
tmp[f_len] = '/';
646
if(s_len > 0){
647
memcpy(tmp + f_len + 1, second, s_len);
648
}
649
tmp[f_len + 1 + s_len] = '\0';
650
return tmp;
651
}
652
653
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
822
656
AvahiSServiceBrowser *sb = NULL;
823
657
int error;
824
658
int ret;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
659
int returncode = EXIT_SUCCESS;
828
660
const char *interface = "eth0";
829
661
struct ifreq network;
830
662
int sd;
831
uid_t uid;
832
gid_t gid;
833
663
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
835
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
836
const char *seckey = PATHDIR "/" SECKEY;
837
const char *pubkey = PATHDIR "/" PUBKEY;
838
839
mandos_context mc = { .simple_poll = NULL, .server = NULL,
840
.dh_bits = 1024, .priority = "SECURE256"
841
":!CTYPE-X.509:+CTYPE-OPENPGP" };
842
bool gnutls_initalized = false;
843
bool gpgme_initalized = false;
844
double delay = 2.5;
845
846
{
847
struct argp_option options[] = {
848
{ .name = "debug", .key = 128,
849
.doc = "Debug mode", .group = 3 },
850
{ .name = "connect", .key = 'c',
851
.arg = "ADDRESS:PORT",
852
.doc = "Connect directly to a specific Mandos server",
853
.group = 1 },
854
{ .name = "interface", .key = 'i',
855
.arg = "NAME",
856
.doc = "Interface that will be used to search for Mandos"
857
" servers",
858
.group = 1 },
859
{ .name = "seckey", .key = 's',
860
.arg = "FILE",
861
.doc = "OpenPGP secret key file base name",
862
.group = 1 },
863
{ .name = "pubkey", .key = 'p',
864
.arg = "FILE",
865
.doc = "OpenPGP public key file base name",
866
.group = 2 },
867
{ .name = "dh-bits", .key = 129,
868
.arg = "BITS",
869
.doc = "Bit length of the prime number used in the"
870
" Diffie-Hellman key exchange",
871
.group = 2 },
872
{ .name = "priority", .key = 130,
873
.arg = "STRING",
874
.doc = "GnuTLS priority string for the TLS handshake",
875
.group = 1 },
876
{ .name = "delay", .key = 131,
877
.arg = "SECONDS",
878
.doc = "Maximum delay to wait for interface startup",
879
.group = 2 },
880
{ .name = NULL }
881
};
882
883
error_t parse_opt(int key, char *arg,
884
struct argp_state *state) {
885
switch(key) {
886
case 128: /* --debug */
887
debug = true;
888
break;
889
case 'c': /* --connect */
890
connect_to = arg;
891
break;
892
case 'i': /* --interface */
893
interface = arg;
894
break;
895
case 's': /* --seckey */
896
seckey = arg;
897
break;
898
case 'p': /* --pubkey */
899
pubkey = arg;
900
break;
901
case 129: /* --dh-bits */
902
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
903
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
904
or arg[numchars] != '\0'){
905
fprintf(stderr, "Bad number of DH bits\n");
906
exit(EXIT_FAILURE);
907
}
908
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
909
break;
910
case 130: /* --priority */
911
mc.priority = arg;
912
break;
913
case 131: /* --delay */
914
ret = sscanf(arg, "%lf%n", &delay, &numchars);
915
if(ret < 1 or arg[numchars] != '\0'){
916
fprintf(stderr, "Bad delay\n");
917
exit(EXIT_FAILURE);
918
}
919
break;
920
case ARGP_KEY_ARG:
921
argp_usage(state);
922
case ARGP_KEY_END:
923
break;
924
default:
925
return ARGP_ERR_UNKNOWN;
926
}
927
return 0;
928
}
929
930
struct argp argp = { .options = options, .parser = parse_opt,
931
.args_doc = "",
932
.doc = "Mandos client -- Get and decrypt"
933
" passwords from a Mandos server" };
934
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
935
if(ret == ARGP_ERR_UNKNOWN){
936
fprintf(stderr, "Unknown error while parsing arguments\n");
937
exitcode = EXIT_FAILURE;
938
goto end;
939
}
940
}
941
942
/* If the interface is down, bring it up */
943
{
944
// Lower kernel loglevel to KERN_NOTICE to avoid
945
// KERN_INFO messages to mess up the prompt
946
ret = klogctl(8, NULL, 5);
947
if(ret == -1){
948
perror("klogctl");
949
}
665
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
950
713
951
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
952
if(sd < 0) {
953
perror("socket");
954
exitcode = EXIT_FAILURE;
955
ret = klogctl(7, NULL, 0);
956
if(ret == -1){
957
perror("klogctl");
958
}
959
goto end;
960
}
961
strcpy(network.ifr_name, interface);
962
ret = ioctl(sd, SIOCGIFFLAGS, &network);
963
if(ret == -1){
964
perror("ioctl SIOCGIFFLAGS");
965
ret = klogctl(7, NULL, 0);
966
if(ret == -1){
967
perror("klogctl");
968
}
969
exitcode = EXIT_FAILURE;
970
goto end;
971
}
972
if((network.ifr_flags & IFF_UP) == 0){
973
network.ifr_flags |= IFF_UP;
974
ret = ioctl(sd, SIOCSIFFLAGS, &network);
975
if(ret == -1){
976
perror("ioctl SIOCSIFFLAGS");
977
exitcode = EXIT_FAILURE;
978
ret = klogctl(7, NULL, 0);
979
if(ret == -1){
980
perror("klogctl");
981
}
982
goto end;
983
}
984
}
985
// sleep checking until interface is running
986
for(int i=0; i < delay * 4; i++){
987
ret = ioctl(sd, SIOCGIFFLAGS, &network);
988
if(ret == -1){
989
perror("ioctl SIOCGIFFLAGS");
990
} else if(network.ifr_flags & IFF_RUNNING){
991
break;
992
}
993
struct timespec sleeptime = { .tv_nsec = 250000000 };
994
nanosleep(&sleeptime, NULL);
995
}
996
ret = (int)TEMP_FAILURE_RETRY(close(sd));
997
if(ret == -1){
998
perror("close");
999
}
1000
// Restores kernel loglevel to default
1001
ret = klogctl(7, NULL, 0);
1002
if(ret == -1){
1003
perror("klogctl");
1004
}
1005
}
1006
1007
uid = getuid();
1008
gid = getgid();
1009
1010
ret = setuid(uid);
1011
if(ret == -1){
1012
perror("setuid");
1013
}
1014
1015
setgid(gid);
1016
if(ret == -1){
1017
perror("setgid");
1018
}
1019
1020
ret = init_gnutls_global(&mc, pubkey, seckey);
1021
if(ret == -1){
1022
fprintf(stderr, "init_gnutls_global failed\n");
1023
exitcode = EXIT_FAILURE;
1024
goto end;
1025
} else {
1026
gnutls_initalized = true;
1027
}
1028
1029
if(mkdtemp(tempdir) == NULL){
1030
perror("mkdtemp");
1031
tempdir[0] = '\0';
1032
goto end;
1033
}
1034
1035
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1036
fprintf(stderr, "gpgme_initalized failed\n");
1037
exitcode = EXIT_FAILURE;
1038
goto end;
1039
} else {
1040
gpgme_initalized = true;
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
1041
719
}
1042
720
1043
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
1052
730
char *address = strrchr(connect_to, ':');
1053
731
if(address == NULL){
1054
732
fprintf(stderr, "No colon in address\n");
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
uint16_t port;
1059
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1060
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1061
or address[numchars+1] != '\0'){
1062
fprintf(stderr, "Bad port number\n");
1063
exitcode = EXIT_FAILURE;
1064
goto end;
1065
}
1066
port = (uint16_t)tmpmax;
733
exit(EXIT_FAILURE);
734
}
735
errno = 0;
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
737
if(errno){
738
perror("Bad port number");
739
exit(EXIT_FAILURE);
740
}
1067
741
*address = '\0';
1068
742
address = connect_to;
1069
ret = start_mandos_communication(address, port, if_index, &mc);
743
ret = start_mandos_communication(address, port, if_index);
1070
744
if(ret < 0){
1071
exitcode = EXIT_FAILURE;
745
exit(EXIT_FAILURE);
1072
746
} else {
1073
exitcode = EXIT_SUCCESS;
1074
}
1075
goto end;
1076
}
1077
1078
if(not debug){
747
exit(EXIT_SUCCESS);
748
}
749
}
750
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
752
if(sd < 0) {
753
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
756
}
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
759
if(ret == -1){
760
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
768
if(ret == -1){
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
773
}
774
close(sd);
775
776
if (not debug){
1079
777
avahi_set_log_function(empty_log);
1080
778
}
1081
779
1082
/* Initialize the pseudo-RNG for Avahi */
780
/* Initialize the psuedo-RNG */
1083
781
srand((unsigned int) time(NULL));
1084
1085
/* Allocate main Avahi loop object */
1086
mc.simple_poll = avahi_simple_poll_new();
1087
if(mc.simple_poll == NULL) {
1088
fprintf(stderr, "Avahi: Failed to create simple poll"
1089
" object.\n");
1090
exitcode = EXIT_FAILURE;
1091
goto end;
1092
}
1093
1094
{
1095
AvahiServerConfig config;
1096
/* Do not publish any local Zeroconf records */
1097
avahi_server_config_init(&config);
1098
config.publish_hinfo = 0;
1099
config.publish_addresses = 0;
1100
config.publish_workstation = 0;
1101
config.publish_domain = 0;
1102
1103
/* Allocate a new server */
1104
mc.server = avahi_server_new(avahi_simple_poll_get
1105
(mc.simple_poll), &config, NULL,
1106
NULL, &error);
1107
1108
/* Free the Avahi configuration data */
1109
avahi_server_config_free(&config);
1110
}
1111
1112
/* Check if creating the Avahi server object succeeded */
1113
if(mc.server == NULL) {
1114
fprintf(stderr, "Failed to create Avahi server: %s\n",
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
791
avahi_server_config_init(&config);
792
config.publish_hinfo = 0;
793
config.publish_addresses = 0;
794
config.publish_workstation = 0;
795
config.publish_domain = 0;
796
797
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
802
avahi_server_config_free(&config);
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
1115
807
avahi_strerror(error));
1116
exitcode = EXIT_FAILURE;
1117
goto end;
808
returncode = EXIT_FAILURE;
809
goto exit;
1118
810
}
1119
811
1120
/* Create the Avahi service browser */
1121
sb = avahi_s_service_browser_new(mc.server, if_index,
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
1122
814
AVAHI_PROTO_INET6,
1123
815
"_mandos._tcp", NULL, 0,
1124
browse_callback, &mc);
1125
if(sb == NULL) {
816
browse_callback, server);
817
if (!sb) {
1126
818
fprintf(stderr, "Failed to create service browser: %s\n",
1127
avahi_strerror(avahi_server_errno(mc.server)));
1128
exitcode = EXIT_FAILURE;
1129
goto end;
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
1130
822
}
1131
823
1132
824
/* Run the main loop */
1133
1134
if(debug){
1135
fprintf(stderr, "Starting Avahi loop search\n");
825
826
if (debug){
827
fprintf(stderr, "Starting avahi loop search\n");
1136
828
}
829
830
avahi_simple_poll_loop(simple_poll);
831
832
exit:
1137
833
1138
avahi_simple_poll_loop(mc.simple_poll);
1139
1140
end:
1141
1142
if(debug){
834
if (debug){
1143
835
fprintf(stderr, "%s exiting\n", argv[0]);
1144
836
}
1145
837
1146
838
/* Cleanup things */
1147
if(sb != NULL)
839
if (sb)
1148
840
avahi_s_service_browser_free(sb);
1149
841
1150
if(mc.server != NULL)
1151
avahi_server_free(mc.server);
1152
1153
if(mc.simple_poll != NULL)
1154
avahi_simple_poll_free(mc.simple_poll);
1155
1156
if(gnutls_initalized){
1157
gnutls_certificate_free_credentials(mc.cred);
1158
gnutls_global_deinit();
1159
gnutls_dh_params_deinit(mc.dh_params);
1160
}
1161
1162
if(gpgme_initalized){
1163
gpgme_release(mc.ctx);
1164
}
1165
1166
/* Removes the temp directory used by GPGME */
1167
if(tempdir[0] != '\0'){
1168
DIR *d;
1169
struct dirent *direntry;
1170
d = opendir(tempdir);
1171
if(d == NULL){
1172
if(errno != ENOENT){
1173
perror("opendir");
1174
}
1175
} else {
1176
while(true){
1177
direntry = readdir(d);
1178
if(direntry == NULL){
1179
break;
1180
}
1181
if(direntry->d_type == DT_REG){
1182
char *fullname = NULL;
1183
ret = asprintf(&fullname, "%s/%s", tempdir,
1184
direntry->d_name);
1185
if(ret < 0){
1186
perror("asprintf");
1187
continue;
1188
}
1189
ret = unlink(fullname);
1190
if(ret == -1){
1191
fprintf(stderr, "unlink(\"%s\"): %s",
1192
fullname, strerror(errno));
1193
}
1194
free(fullname);
1195
}
1196
}
1197
closedir(d);
1198
}
1199
ret = rmdir(tempdir);
1200
if(ret == -1 and errno != ENOENT){
1201
perror("rmdir");
1202
}
1203
}
1204
1205
return exitcode;
842
if (server)
843
avahi_server_free(server);
844
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
849
850
return returncode;
1206
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0