To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.8
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.8
- Committer: Björn Påhlsson
- Date: 2008-08-02 18:46:45 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802184645-t5i3yboc53gdas7m
plugbasedclient
Parse a single argument as a plus-separated list of options
Parse a single argument as a plus-separated list of options
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
33
32
#define _LARGEFILE_SOURCE
34
33
#define _FILE_OFFSET_BITS 64
35
34
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, false, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#ifdef __linux__
79
#include <sys/klog.h> /* klogctl() */
80
#endif
81
82
/* Avahi */
83
/* All Avahi types, constants and functions
84
Avahi*, avahi_*,
85
AVAHI_* */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
86
43
#include <avahi-core/core.h>
87
44
#include <avahi-core/lookup.h>
88
45
#include <avahi-core/log.h>
90
47
#include <avahi-common/malloc.h>
91
48
#include <avahi-common/error.h>
92
49
93
/* GnuTLS */
94
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
95
functions:
96
gnutls_*
97
init_gnutls_session(),
98
GNUTLS_* */
99
#include <gnutls/openpgp.h>
100
/* gnutls_certificate_set_openpgp_key_file(),
101
GNUTLS_OPENPGP_FMT_BASE64 */
102
103
/* GPGME */
104
#include <gpgme.h> /* All GPGME types, constants and
105
functions:
106
gpgme_*
107
GPGME_PROTOCOL_OpenPGP,
108
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
109
70
110
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
111
73
112
#define PATHDIR "/conf/conf.d/mandos"
113
#define SECKEY "seckey.txt"
114
#define PUBKEY "pubkey.txt"
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
115
77
116
78
bool debug = false;
117
static const char mandos_protocol_version[] = "1";
118
const char *argp_program_version = "mandos-client " VERSION;
119
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
120
79
121
/* Used for passing in values through the Avahi callback functions */
122
80
typedef struct {
123
AvahiSimplePoll *simple_poll;
124
AvahiServer *server;
81
gnutls_session_t session;
125
82
gnutls_certificate_credentials_t cred;
126
unsigned int dh_bits;
127
83
gnutls_dh_params_t dh_params;
128
const char *priority;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
129
91
gpgme_ctx_t ctx;
130
} mandos_context;
131
132
/*
133
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
134
* "buffer_capacity" is how much is currently allocated,
135
* "buffer_length" is how much is already used.
136
*/
137
size_t adjustbuffer(char **buffer, size_t buffer_length,
138
size_t buffer_capacity){
139
if(buffer_length + BUFFER_SIZE > buffer_capacity){
140
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
141
if(buffer == NULL){
142
return 0;
143
}
144
buffer_capacity += BUFFER_SIZE;
145
}
146
return buffer_capacity;
147
}
148
149
/*
150
* Initialize GPGME.
151
*/
152
static bool init_gpgme(mandos_context *mc, const char *seckey,
153
const char *pubkey, const char *tempdir){
154
int ret;
155
92
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
156
96
gpgme_engine_info_t engine_info;
157
158
159
/*
160
* Helper function to insert pub and seckey to the engine keyring.
161
*/
162
bool import_key(const char *filename){
163
int fd;
164
gpgme_data_t pgp_data;
165
166
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
167
if(fd == -1){
168
perror("open");
169
return false;
170
}
171
172
rc = gpgme_data_new_from_fd(&pgp_data, fd);
173
if(rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
rc = gpgme_op_import(mc->ctx, pgp_data);
180
if(rc != GPG_ERR_NO_ERROR){
181
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
182
gpgme_strsource(rc), gpgme_strerror(rc));
183
return false;
184
}
185
186
ret = (int)TEMP_FAILURE_RETRY(close(fd));
187
if(ret == -1){
188
perror("close");
189
}
190
gpgme_data_release(pgp_data);
191
return true;
192
}
193
194
if(debug){
195
fprintf(stderr, "Initialize gpgme\n");
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
196
100
}
197
101
198
102
/* Init GPGME */
199
103
gpgme_check_version(NULL);
200
104
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
201
if(rc != GPG_ERR_NO_ERROR){
105
if (rc != GPG_ERR_NO_ERROR){
202
106
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
203
107
gpgme_strsource(rc), gpgme_strerror(rc));
204
return false;
108
return -1;
205
109
}
206
110
207
/* Set GPGME home directory for the OpenPGP engine only */
208
rc = gpgme_get_engine_info(&engine_info);
209
if(rc != GPG_ERR_NO_ERROR){
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
210
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
211
115
gpgme_strsource(rc), gpgme_strerror(rc));
212
return false;
116
return -1;
213
117
}
214
118
while(engine_info != NULL){
215
119
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
216
120
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
217
engine_info->file_name, tempdir);
121
engine_info->file_name, homedir);
218
122
break;
219
123
}
220
124
engine_info = engine_info->next;
221
125
}
222
126
if(engine_info == NULL){
223
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
224
return false;
225
}
226
227
/* Create new GPGME "context" */
228
rc = gpgme_new(&(mc->ctx));
229
if(rc != GPG_ERR_NO_ERROR){
230
fprintf(stderr, "bad gpgme_new: %s: %s\n",
231
gpgme_strsource(rc), gpgme_strerror(rc));
232
return false;
233
}
234
235
if(not import_key(pubkey) or not import_key(seckey)){
236
return false;
237
}
238
239
return true;
240
}
241
242
/*
243
* Decrypt OpenPGP data.
244
* Returns -1 on error
245
*/
246
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
247
const char *cryptotext,
248
size_t crypto_size,
249
char **plaintext){
250
gpgme_data_t dh_crypto, dh_plain;
251
gpgme_error_t rc;
252
ssize_t ret;
253
size_t plaintext_capacity = 0;
254
ssize_t plaintext_length = 0;
255
256
if(debug){
257
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
258
}
259
260
/* Create new GPGME data buffer from memory cryptotext */
261
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
262
0);
263
if(rc != GPG_ERR_NO_ERROR){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
264
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
265
135
gpgme_strsource(rc), gpgme_strerror(rc));
266
136
return -1;
268
138
269
139
/* Create new empty GPGME data buffer for the plaintext */
270
140
rc = gpgme_data_new(&dh_plain);
271
if(rc != GPG_ERR_NO_ERROR){
141
if (rc != GPG_ERR_NO_ERROR){
272
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
273
143
gpgme_strsource(rc), gpgme_strerror(rc));
274
gpgme_data_release(dh_crypto);
275
return -1;
276
}
277
278
/* Decrypt data from the cryptotext data buffer to the plaintext
279
data buffer */
280
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
281
if(rc != GPG_ERR_NO_ERROR){
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
282
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
283
160
gpgme_strsource(rc), gpgme_strerror(rc));
284
plaintext_length = -1;
285
if(debug){
286
gpgme_decrypt_result_t result;
287
result = gpgme_op_decrypt_result(mc->ctx);
288
if(result == NULL){
289
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
290
} else {
291
fprintf(stderr, "Unsupported algorithm: %s\n",
292
result->unsupported_algorithm);
293
fprintf(stderr, "Wrong key usage: %u\n",
294
result->wrong_key_usage);
295
if(result->file_name != NULL){
296
fprintf(stderr, "File name: %s\n", result->file_name);
297
}
298
gpgme_recipient_t recipient;
299
recipient = result->recipients;
300
if(recipient){
301
while(recipient != NULL){
302
fprintf(stderr, "Public key algorithm: %s\n",
303
gpgme_pubkey_algo_name(recipient->pubkey_algo));
304
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
305
fprintf(stderr, "Secret key available: %s\n",
306
recipient->status == GPG_ERR_NO_SECKEY
307
? "No" : "Yes");
308
recipient = recipient->next;
309
}
161
return -1;
162
}
163
164
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
310
192
}
311
193
}
312
194
}
313
goto decrypt_end;
314
195
}
315
196
316
if(debug){
317
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
318
}
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
319
199
320
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
321
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
322
perror("gpgme_data_seek");
323
plaintext_length = -1;
324
goto decrypt_end;
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
325
203
}
326
204
327
*plaintext = NULL;
205
*new_packet = 0;
328
206
while(true){
329
plaintext_capacity = adjustbuffer(plaintext,
330
(size_t)plaintext_length,
331
plaintext_capacity);
332
if(plaintext_capacity == 0){
333
perror("adjustbuffer");
334
plaintext_length = -1;
335
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
336
216
}
337
217
338
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
339
219
BUFFER_SIZE);
340
220
/* Print the data, if any */
341
if(ret == 0){
342
/* EOF */
221
if (ret == 0){
343
222
break;
344
223
}
345
224
if(ret < 0){
346
225
perror("gpgme_data_read");
347
plaintext_length = -1;
348
goto decrypt_end;
349
}
350
plaintext_length += ret;
351
}
352
353
if(debug){
354
fprintf(stderr, "Decrypted password is: ");
355
for(ssize_t i = 0; i < plaintext_length; i++){
356
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
357
}
358
fprintf(stderr, "\n");
359
}
360
361
decrypt_end:
362
363
/* Delete the GPGME cryptotext data buffer */
364
gpgme_data_release(dh_crypto);
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
365
238
366
239
/* Delete the GPGME plaintext data buffer */
367
240
gpgme_data_release(dh_plain);
368
return plaintext_length;
241
return new_packet_length;
369
242
}
370
243
371
static const char * safer_gnutls_strerror(int value){
372
const char *ret = gnutls_strerror(value); /* Spurious warning from
373
-Wunreachable-code */
374
if(ret == NULL)
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
375
247
ret = "(unknown)";
376
248
return ret;
377
249
}
378
250
379
/* GnuTLS log function callback */
380
251
static void debuggnutls(__attribute__((unused)) int level,
381
252
const char* string){
382
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
383
254
}
384
255
385
static int init_gnutls_global(mandos_context *mc,
386
const char *pubkeyfilename,
387
const char *seckeyfilename){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
388
258
int ret;
389
259
390
260
if(debug){
391
261
fprintf(stderr, "Initializing GnuTLS\n");
392
262
}
393
394
ret = gnutls_global_init();
395
if(ret != GNUTLS_E_SUCCESS){
396
fprintf(stderr, "GnuTLS global_init: %s\n",
397
safer_gnutls_strerror(ret));
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
398
267
return -1;
399
268
}
400
401
if(debug){
402
/* "Use a log level over 10 to enable all debugging options."
403
* - GnuTLS manual
404
*/
269
270
if (debug){
405
271
gnutls_global_set_log_level(11);
406
272
gnutls_global_set_log_function(debuggnutls);
407
273
}
408
274
409
/* OpenPGP credentials */
410
gnutls_certificate_allocate_credentials(&mc->cred);
411
if(ret != GNUTLS_E_SUCCESS){
412
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
413
from
414
-Wunreachable-code
415
*/
416
safer_gnutls_strerror(ret));
417
gnutls_global_deinit();
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
418
280
return -1;
419
281
}
420
282
421
283
if(debug){
422
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
423
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
424
seckeyfilename);
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
425
287
}
426
288
427
289
ret = gnutls_certificate_set_openpgp_key_file
428
(mc->cred, pubkeyfilename, seckeyfilename,
429
GNUTLS_OPENPGP_FMT_BASE64);
430
if(ret != GNUTLS_E_SUCCESS){
431
fprintf(stderr,
432
"Error[%d] while reading the OpenPGP key pair ('%s',"
433
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
434
fprintf(stderr, "The GnuTLS error is: %s\n",
435
safer_gnutls_strerror(ret));
436
goto globalfail;
437
}
438
439
/* GnuTLS server initialization */
440
ret = gnutls_dh_params_init(&mc->dh_params);
441
if(ret != GNUTLS_E_SUCCESS){
442
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
443
" %s\n", safer_gnutls_strerror(ret));
444
goto globalfail;
445
}
446
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
447
if(ret != GNUTLS_E_SUCCESS){
448
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
449
safer_gnutls_strerror(ret));
450
goto globalfail;
451
}
452
453
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
454
455
return 0;
456
457
globalfail:
458
459
gnutls_certificate_free_credentials(mc->cred);
460
gnutls_global_deinit();
461
gnutls_dh_params_deinit(mc->dh_params);
462
return -1;
463
}
464
465
static int init_gnutls_session(mandos_context *mc,
466
gnutls_session_t *session){
467
int ret;
468
/* GnuTLS session creation */
469
ret = gnutls_init(session, GNUTLS_SERVER);
470
if(ret != GNUTLS_E_SUCCESS){
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
471
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
472
322
safer_gnutls_strerror(ret));
473
323
}
474
324
475
{
476
const char *err;
477
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
478
if(ret != GNUTLS_E_SUCCESS){
479
fprintf(stderr, "Syntax error at: %s\n", err);
480
fprintf(stderr, "GnuTLS error: %s\n",
481
safer_gnutls_strerror(ret));
482
gnutls_deinit(*session);
483
return -1;
484
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
485
331
}
486
332
487
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
488
mc->cred);
489
if(ret != GNUTLS_E_SUCCESS){
490
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
491
337
safer_gnutls_strerror(ret));
492
gnutls_deinit(*session);
493
338
return -1;
494
339
}
495
340
496
341
/* ignore client certificate if any. */
497
gnutls_certificate_server_set_request(*session,
498
GNUTLS_CERT_IGNORE);
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
499
344
500
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
501
346
502
347
return 0;
503
348
}
504
349
505
/* Avahi log function callback */
506
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
507
351
__attribute__((unused)) const char *txt){}
508
352
509
/* Called when a Mandos server is found */
510
353
static int start_mandos_communication(const char *ip, uint16_t port,
511
AvahiIfIndex if_index,
512
mandos_context *mc, int af){
354
AvahiIfIndex if_index){
513
355
int ret, tcp_sd;
514
ssize_t sret;
515
union {
516
struct sockaddr_in in;
517
struct sockaddr_in6 in6;
518
} to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
519
358
char *buffer = NULL;
520
359
char *decrypted_buffer;
521
360
size_t buffer_length = 0;
522
361
size_t buffer_capacity = 0;
523
362
ssize_t decrypted_buffer_size;
524
size_t written;
363
size_t written = 0;
525
364
int retval = 0;
526
gnutls_session_t session;
527
int pf; /* Protocol family */
528
529
switch(af){
530
case AF_INET6:
531
pf = PF_INET6;
532
break;
533
case AF_INET:
534
pf = PF_INET;
535
break;
536
default:
537
fprintf(stderr, "Bad address family: %d\n", af);
538
return -1;
539
}
540
541
ret = init_gnutls_session(mc, &session);
542
if(ret != 0){
543
return -1;
544
}
365
char interface[IF_NAMESIZE];
545
366
546
367
if(debug){
547
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
548
"\n", ip, port);
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
549
370
}
550
371
551
tcp_sd = socket(pf, SOCK_STREAM, 0);
552
if(tcp_sd < 0){
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
if(tcp_sd < 0) {
553
374
perror("socket");
554
375
return -1;
555
376
}
377
378
if(debug){
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
if(debug){
381
perror("if_indextoname");
382
}
383
return -1;
384
}
385
386
fprintf(stderr, "Binding to interface %s\n", interface);
387
}
556
388
557
memset(&to, 0, sizeof(to));
558
if(af == AF_INET6){
559
to.in6.sin6_family = (uint16_t)af;
560
ret = inet_pton(af, ip, &to.in6.sin6_addr);
561
} else { /* IPv4 */
562
to.in.sin_family = (sa_family_t)af;
563
ret = inet_pton(af, ip, &to.in.sin_addr);
564
}
565
if(ret < 0 ){
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
566
393
perror("inet_pton");
567
394
return -1;
568
}
395
}
569
396
if(ret == 0){
570
397
fprintf(stderr, "Bad address: %s\n", ip);
571
398
return -1;
572
399
}
573
if(af == AF_INET6){
574
to.in6.sin6_port = htons(port); /* Spurious warnings from
575
-Wconversion and
576
-Wunreachable-code */
577
578
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
579
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
580
-Wunreachable-code*/
581
if(if_index == AVAHI_IF_UNSPEC){
582
fprintf(stderr, "An IPv6 link-local address is incomplete"
583
" without a network interface\n");
584
return -1;
585
}
586
/* Set the network interface number as scope */
587
to.in6.sin6_scope_id = (uint32_t)if_index;
588
}
589
} else {
590
to.in.sin_port = htons(port); /* Spurious warnings from
591
-Wconversion and
592
-Wunreachable-code */
593
}
400
to.sin6_port = htons(port); /* Spurious warning */
401
402
to.sin6_scope_id = (uint32_t)if_index;
594
403
595
404
if(debug){
596
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
597
char interface[IF_NAMESIZE];
598
if(if_indextoname((unsigned int)if_index, interface) == NULL){
599
perror("if_indextoname");
600
} else {
601
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
602
ip, interface, port);
603
}
604
} else {
605
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
606
port);
607
}
608
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
609
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
610
const char *pcret;
611
if(af == AF_INET6){
612
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
613
sizeof(addrstr));
614
} else {
615
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
616
sizeof(addrstr));
617
}
618
if(pcret == NULL){
619
perror("inet_ntop");
620
} else {
621
if(strcmp(addrstr, ip) != 0){
622
fprintf(stderr, "Canonical address form: %s\n", addrstr);
623
}
624
}
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
625
414
}
626
415
627
if(af == AF_INET6){
628
ret = connect(tcp_sd, &to.in6, sizeof(to));
629
} else {
630
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
631
}
632
if(ret < 0){
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
417
if (ret < 0){
633
418
perror("connect");
634
419
return -1;
635
420
}
636
421
637
const char *out = mandos_protocol_version;
638
written = 0;
639
while(true){
640
size_t out_size = strlen(out);
641
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
642
out_size - written));
643
if(ret == -1){
644
perror("write");
645
retval = -1;
646
goto mandos_end;
647
}
648
written += (size_t)ret;
649
if(written < out_size){
650
continue;
651
} else {
652
if(out == mandos_protocol_version){
653
written = 0;
654
out = "\r\n";
655
} else {
656
break;
657
}
658
}
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
659
426
}
660
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
661
431
if(debug){
662
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
663
433
}
664
434
665
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
666
667
do{
668
ret = gnutls_handshake(session);
669
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
670
671
if(ret != GNUTLS_E_SUCCESS){
435
ret = gnutls_handshake (es.session);
436
437
if (ret != GNUTLS_E_SUCCESS){
672
438
if(debug){
673
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
674
gnutls_perror(ret);
439
fprintf(stderr, "\n*** Handshake failed ***\n");
440
gnutls_perror (ret);
675
441
}
676
442
retval = -1;
677
goto mandos_end;
443
goto exit;
678
444
}
679
445
680
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
681
447
682
448
if(debug){
683
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
684
450
ip);
685
451
}
686
452
687
453
while(true){
688
buffer_capacity = adjustbuffer(&buffer, buffer_length,
689
buffer_capacity);
690
if(buffer_capacity == 0){
691
perror("adjustbuffer");
692
retval = -1;
693
goto mandos_end;
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
694
461
}
695
462
696
sret = gnutls_record_recv(session, buffer+buffer_length,
697
BUFFER_SIZE);
698
if(sret == 0){
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
465
if (ret == 0){
699
466
break;
700
467
}
701
if(sret < 0){
702
switch(sret){
468
if (ret < 0){
469
switch(ret){
703
470
case GNUTLS_E_INTERRUPTED:
704
471
case GNUTLS_E_AGAIN:
705
472
break;
706
473
case GNUTLS_E_REHANDSHAKE:
707
do{
708
ret = gnutls_handshake(session);
709
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
710
if(ret < 0){
711
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
712
gnutls_perror(ret);
474
ret = gnutls_handshake (es.session);
475
if (ret < 0){
476
fprintf(stderr, "\n*** Handshake failed ***\n");
477
gnutls_perror (ret);
713
478
retval = -1;
714
goto mandos_end;
479
goto exit;
715
480
}
716
481
break;
717
482
default:
718
483
fprintf(stderr, "Unknown error while reading data from"
719
" encrypted session with Mandos server\n");
484
" encrypted session with mandos server\n");
720
485
retval = -1;
721
gnutls_bye(session, GNUTLS_SHUT_RDWR);
722
goto mandos_end;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
723
488
}
724
489
} else {
725
buffer_length += (size_t) sret;
490
buffer_length += (size_t) ret;
726
491
}
727
492
}
728
493
729
if(debug){
730
fprintf(stderr, "Closing TLS session\n");
731
}
732
733
gnutls_bye(session, GNUTLS_SHUT_RDWR);
734
735
if(buffer_length > 0){
736
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
494
if (buffer_length > 0){
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
737
496
buffer_length,
738
&decrypted_buffer);
739
if(decrypted_buffer_size >= 0){
740
written = 0;
497
&decrypted_buffer,
498
certdir);
499
if (decrypted_buffer_size >= 0){
741
500
while(written < (size_t) decrypted_buffer_size){
742
ret = (int)fwrite(decrypted_buffer + written, 1,
743
(size_t)decrypted_buffer_size - written,
744
stdout);
501
ret = (int)fwrite (decrypted_buffer + written, 1,
502
(size_t)decrypted_buffer_size - written,
503
stdout);
745
504
if(ret == 0 and ferror(stdout)){
746
505
if(debug){
747
506
fprintf(stderr, "Error writing encrypted data: %s\n",
756
515
} else {
757
516
retval = -1;
758
517
}
759
} else {
760
retval = -1;
761
}
762
763
/* Shutdown procedure */
764
765
mandos_end:
518
}
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
766
526
free(buffer);
767
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
768
if(ret == -1){
769
perror("close");
770
}
771
gnutls_deinit(session);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
529
close(tcp_sd);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
532
gnutls_global_deinit ();
772
533
return retval;
773
534
}
774
535
775
static void resolve_callback(AvahiSServiceResolver *r,
776
AvahiIfIndex interface,
777
AvahiProtocol proto,
778
AvahiResolverEvent event,
779
const char *name,
780
const char *type,
781
const char *domain,
782
const char *host_name,
783
const AvahiAddress *address,
784
uint16_t port,
785
AVAHI_GCC_UNUSED AvahiStringList *txt,
786
AVAHI_GCC_UNUSED AvahiLookupResultFlags
787
flags,
788
void* userdata){
789
mandos_context *mc = userdata;
790
assert(r);
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
554
assert(r); /* Spurious warning */
791
555
792
556
/* Called whenever a service has been resolved successfully or
793
557
timed out */
794
558
795
switch(event){
559
switch (event) {
796
560
default:
797
561
case AVAHI_RESOLVER_FAILURE:
798
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
799
" of type '%s' in domain '%s': %s\n", name, type, domain,
800
avahi_strerror(avahi_server_errno(mc->server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
801
565
break;
802
566
803
567
case AVAHI_RESOLVER_FOUND:
805
569
char ip[AVAHI_ADDRESS_STR_MAX];
806
570
avahi_address_snprint(ip, sizeof(ip), address);
807
571
if(debug){
808
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
809
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
810
ip, (intmax_t)interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
811
574
}
812
int ret = start_mandos_communication(ip, port, interface, mc,
813
avahi_proto_to_af(proto));
814
if(ret == 0){
815
avahi_simple_poll_quit(mc->simple_poll);
575
int ret = start_mandos_communication(ip, port, interface);
576
if (ret == 0){
577
exit(EXIT_SUCCESS);
816
578
}
817
579
}
818
580
}
819
581
avahi_s_service_resolver_free(r);
820
582
}
821
583
822
static void browse_callback(AvahiSServiceBrowser *b,
823
AvahiIfIndex interface,
824
AvahiProtocol protocol,
825
AvahiBrowserEvent event,
826
const char *name,
827
const char *type,
828
const char *domain,
829
AVAHI_GCC_UNUSED AvahiLookupResultFlags
830
flags,
831
void* userdata){
832
mandos_context *mc = userdata;
833
assert(b);
834
835
/* Called whenever a new services becomes available on the LAN or
836
is removed from the LAN */
837
838
switch(event){
839
default:
840
case AVAHI_BROWSER_FAILURE:
841
842
fprintf(stderr, "(Avahi browser) %s\n",
843
avahi_strerror(avahi_server_errno(mc->server)));
844
avahi_simple_poll_quit(mc->simple_poll);
845
return;
846
847
case AVAHI_BROWSER_NEW:
848
/* We ignore the returned Avahi resolver object. In the callback
849
function we free it. If the Avahi server is terminated before
850
the callback function is called the Avahi server will free the
851
resolver for us. */
852
853
if(!(avahi_s_service_resolver_new(mc->server, interface,
854
protocol, name, type, domain,
855
AVAHI_PROTO_INET6, 0,
856
resolve_callback, mc)))
857
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
858
name, avahi_strerror(avahi_server_errno(mc->server)));
859
break;
860
861
case AVAHI_BROWSER_REMOVE:
862
break;
863
864
case AVAHI_BROWSER_ALL_FOR_NOW:
865
case AVAHI_BROWSER_CACHE_EXHAUSTED:
866
if(debug){
867
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
868
630
}
869
break;
870
}
871
}
872
873
int main(int argc, char *argv[]){
874
AvahiSServiceBrowser *sb = NULL;
875
int error;
876
int ret;
877
intmax_t tmpmax;
878
int numchars;
879
int exitcode = EXIT_SUCCESS;
880
const char *interface = "eth0";
881
struct ifreq network;
882
int sd;
883
uid_t uid;
884
gid_t gid;
885
char *connect_to = NULL;
886
char tempdir[] = "/tmp/mandosXXXXXX";
887
bool tempdir_created = false;
888
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
889
const char *seckey = PATHDIR "/" SECKEY;
890
const char *pubkey = PATHDIR "/" PUBKEY;
891
892
mandos_context mc = { .simple_poll = NULL, .server = NULL,
893
.dh_bits = 1024, .priority = "SECURE256"
894
":!CTYPE-X.509:+CTYPE-OPENPGP" };
895
bool gnutls_initialized = false;
896
bool gpgme_initialized = false;
897
double delay = 2.5;
898
899
{
900
struct argp_option options[] = {
901
{ .name = "debug", .key = 128,
902
.doc = "Debug mode", .group = 3 },
903
{ .name = "connect", .key = 'c',
904
.arg = "ADDRESS:PORT",
905
.doc = "Connect directly to a specific Mandos server",
906
.group = 1 },
907
{ .name = "interface", .key = 'i',
908
.arg = "NAME",
909
.doc = "Network interface that will be used to search for"
910
" Mandos servers",
911
.group = 1 },
912
{ .name = "seckey", .key = 's',
913
.arg = "FILE",
914
.doc = "OpenPGP secret key file base name",
915
.group = 1 },
916
{ .name = "pubkey", .key = 'p',
917
.arg = "FILE",
918
.doc = "OpenPGP public key file base name",
919
.group = 2 },
920
{ .name = "dh-bits", .key = 129,
921
.arg = "BITS",
922
.doc = "Bit length of the prime number used in the"
923
" Diffie-Hellman key exchange",
924
.group = 2 },
925
{ .name = "priority", .key = 130,
926
.arg = "STRING",
927
.doc = "GnuTLS priority string for the TLS handshake",
928
.group = 1 },
929
{ .name = "delay", .key = 131,
930
.arg = "SECONDS",
931
.doc = "Maximum delay to wait for interface startup",
932
.group = 2 },
933
{ .name = NULL }
934
};
631
}
632
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
639
if (tmp == NULL){
640
return NULL;
641
}
642
if(f_len > 0){
643
memcpy(tmp, first, f_len);
644
}
645
tmp[f_len] = '/';
646
if(s_len > 0){
647
memcpy(tmp + f_len + 1, second, s_len);
648
}
649
tmp[f_len + 1 + s_len] = '\0';
650
return tmp;
651
}
652
653
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
656
AvahiSServiceBrowser *sb = NULL;
657
int error;
658
int ret;
659
int returncode = EXIT_SUCCESS;
660
const char *interface = "eth0";
661
struct ifreq network;
662
int sd;
663
char *connect_to = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
935
665
936
error_t parse_opt(int key, char *arg,
937
struct argp_state *state){
938
switch(key){
939
case 128: /* --debug */
940
debug = true;
941
break;
942
case 'c': /* --connect */
943
connect_to = arg;
944
break;
945
case 'i': /* --interface */
946
interface = arg;
947
break;
948
case 's': /* --seckey */
949
seckey = arg;
950
break;
951
case 'p': /* --pubkey */
952
pubkey = arg;
953
break;
954
case 129: /* --dh-bits */
955
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
956
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
957
or arg[numchars] != '\0'){
958
fprintf(stderr, "Bad number of DH bits\n");
959
exit(EXIT_FAILURE);
960
}
961
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
962
break;
963
case 130: /* --priority */
964
mc.priority = arg;
965
break;
966
case 131: /* --delay */
967
ret = sscanf(arg, "%lf%n", &delay, &numchars);
968
if(ret < 1 or arg[numchars] != '\0'){
969
fprintf(stderr, "Bad delay\n");
970
exit(EXIT_FAILURE);
971
}
972
break;
973
case ARGP_KEY_ARG:
974
argp_usage(state);
975
case ARGP_KEY_END:
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
976
701
break;
977
702
default:
978
return ARGP_ERR_UNKNOWN;
979
}
980
return 0;
981
}
982
983
struct argp argp = { .options = options, .parser = parse_opt,
984
.args_doc = "",
985
.doc = "Mandos client -- Get and decrypt"
986
" passwords from a Mandos server" };
987
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
988
if(ret == ARGP_ERR_UNKNOWN){
989
fprintf(stderr, "Unknown error while parsing arguments\n");
990
exitcode = EXIT_FAILURE;
991
goto end;
992
}
993
}
994
995
/* If the interface is down, bring it up */
996
if(interface[0] != '\0'){
997
#ifdef __linux__
998
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
999
messages to mess up the prompt */
1000
ret = klogctl(8, NULL, 5);
1001
bool restore_loglevel = true;
1002
if(ret == -1){
1003
restore_loglevel = false;
1004
perror("klogctl");
1005
}
1006
#endif
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
719
}
720
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
722
if(if_index == 0){
723
fprintf(stderr, "No such interface: \"%s\"\n", interface);
724
exit(EXIT_FAILURE);
725
}
726
727
if(connect_to != NULL){
728
/* Connect directly, do not use Zeroconf */
729
/* (Mainly meant for debugging) */
730
char *address = strrchr(connect_to, ':');
731
if(address == NULL){
732
fprintf(stderr, "No colon in address\n");
733
exit(EXIT_FAILURE);
734
}
735
errno = 0;
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
737
if(errno){
738
perror("Bad port number");
739
exit(EXIT_FAILURE);
740
}
741
*address = '\0';
742
address = connect_to;
743
ret = start_mandos_communication(address, port, if_index);
744
if(ret < 0){
745
exit(EXIT_FAILURE);
746
} else {
747
exit(EXIT_SUCCESS);
748
}
749
}
1007
750
1008
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1009
if(sd < 0){
752
if(sd < 0) {
1010
753
perror("socket");
1011
exitcode = EXIT_FAILURE;
1012
#ifdef __linux__
1013
if(restore_loglevel){
1014
ret = klogctl(7, NULL, 0);
1015
if(ret == -1){
1016
perror("klogctl");
1017
}
1018
}
1019
#endif
1020
goto end;
754
returncode = EXIT_FAILURE;
755
goto exit;
1021
756
}
1022
strcpy(network.ifr_name, interface);
757
strcpy(network.ifr_name, interface);
1023
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1024
759
if(ret == -1){
760
1025
761
perror("ioctl SIOCGIFFLAGS");
1026
#ifdef __linux__
1027
if(restore_loglevel){
1028
ret = klogctl(7, NULL, 0);
1029
if(ret == -1){
1030
perror("klogctl");
1031
}
1032
}
1033
#endif
1034
exitcode = EXIT_FAILURE;
1035
goto end;
762
returncode = EXIT_FAILURE;
763
goto exit;
1036
764
}
1037
765
if((network.ifr_flags & IFF_UP) == 0){
1038
766
network.ifr_flags |= IFF_UP;
1039
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1040
768
if(ret == -1){
1041
769
perror("ioctl SIOCSIFFLAGS");
1042
exitcode = EXIT_FAILURE;
1043
#ifdef __linux__
1044
if(restore_loglevel){
1045
ret = klogctl(7, NULL, 0);
1046
if(ret == -1){
1047
perror("klogctl");
1048
}
1049
}
1050
#endif
1051
goto end;
1052
}
1053
}
1054
/* sleep checking until interface is running */
1055
for(int i=0; i < delay * 4; i++){
1056
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1057
if(ret == -1){
1058
perror("ioctl SIOCGIFFLAGS");
1059
} else if(network.ifr_flags & IFF_RUNNING){
1060
break;
1061
}
1062
struct timespec sleeptime = { .tv_nsec = 250000000 };
1063
ret = nanosleep(&sleeptime, NULL);
1064
if(ret == -1 and errno != EINTR){
1065
perror("nanosleep");
1066
}
1067
}
1068
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1069
if(ret == -1){
1070
perror("close");
1071
}
1072
#ifdef __linux__
1073
if(restore_loglevel){
1074
/* Restores kernel loglevel to default */
1075
ret = klogctl(7, NULL, 0);
1076
if(ret == -1){
1077
perror("klogctl");
1078
}
1079
}
1080
#endif
1081
}
1082
1083
uid = getuid();
1084
gid = getgid();
1085
1086
errno = 0;
1087
setgid(gid);
1088
if(ret == -1){
1089
perror("setgid");
1090
}
1091
1092
ret = setuid(uid);
1093
if(ret == -1){
1094
perror("setuid");
1095
}
1096
1097
ret = init_gnutls_global(&mc, pubkey, seckey);
1098
if(ret == -1){
1099
fprintf(stderr, "init_gnutls_global failed\n");
1100
exitcode = EXIT_FAILURE;
1101
goto end;
1102
} else {
1103
gnutls_initialized = true;
1104
}
1105
1106
if(mkdtemp(tempdir) == NULL){
1107
perror("mkdtemp");
1108
goto end;
1109
}
1110
tempdir_created = true;
1111
1112
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1113
fprintf(stderr, "init_gpgme failed\n");
1114
exitcode = EXIT_FAILURE;
1115
goto end;
1116
} else {
1117
gpgme_initialized = true;
1118
}
1119
1120
if(interface[0] != '\0'){
1121
if_index = (AvahiIfIndex) if_nametoindex(interface);
1122
if(if_index == 0){
1123
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1124
exitcode = EXIT_FAILURE;
1125
goto end;
1126
}
1127
}
1128
1129
if(connect_to != NULL){
1130
/* Connect directly, do not use Zeroconf */
1131
/* (Mainly meant for debugging) */
1132
char *address = strrchr(connect_to, ':');
1133
if(address == NULL){
1134
fprintf(stderr, "No colon in address\n");
1135
exitcode = EXIT_FAILURE;
1136
goto end;
1137
}
1138
uint16_t port;
1139
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1140
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1141
or address[numchars+1] != '\0'){
1142
fprintf(stderr, "Bad port number\n");
1143
exitcode = EXIT_FAILURE;
1144
goto end;
1145
}
1146
port = (uint16_t)tmpmax;
1147
*address = '\0';
1148
address = connect_to;
1149
/* Colon in address indicates IPv6 */
1150
int af;
1151
if(strchr(address, ':') != NULL){
1152
af = AF_INET6;
1153
} else {
1154
af = AF_INET;
1155
}
1156
ret = start_mandos_communication(address, port, if_index, &mc,
1157
af);
1158
if(ret < 0){
1159
exitcode = EXIT_FAILURE;
1160
} else {
1161
exitcode = EXIT_SUCCESS;
1162
}
1163
goto end;
1164
}
1165
1166
if(not debug){
1167
avahi_set_log_function(empty_log);
1168
}
1169
1170
/* Initialize the pseudo-RNG for Avahi */
1171
srand((unsigned int) time(NULL));
1172
1173
/* Allocate main Avahi loop object */
1174
mc.simple_poll = avahi_simple_poll_new();
1175
if(mc.simple_poll == NULL){
1176
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1177
exitcode = EXIT_FAILURE;
1178
goto end;
1179
}
1180
1181
{
1182
AvahiServerConfig config;
1183
/* Do not publish any local Zeroconf records */
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
773
}
774
close(sd);
775
776
if (not debug){
777
avahi_set_log_function(empty_log);
778
}
779
780
/* Initialize the psuedo-RNG */
781
srand((unsigned int) time(NULL));
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
1184
791
avahi_server_config_init(&config);
1185
792
config.publish_hinfo = 0;
1186
793
config.publish_addresses = 0;
1187
794
config.publish_workstation = 0;
1188
795
config.publish_domain = 0;
1189
796
1190
797
/* Allocate a new server */
1191
mc.server = avahi_server_new(avahi_simple_poll_get
1192
(mc.simple_poll), &config, NULL,
1193
NULL, &error);
1194
1195
/* Free the Avahi configuration data */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
1196
802
avahi_server_config_free(&config);
1197
}
1198
1199
/* Check if creating the Avahi server object succeeded */
1200
if(mc.server == NULL){
1201
fprintf(stderr, "Failed to create Avahi server: %s\n",
1202
avahi_strerror(error));
1203
exitcode = EXIT_FAILURE;
1204
goto end;
1205
}
1206
1207
/* Create the Avahi service browser */
1208
sb = avahi_s_service_browser_new(mc.server, if_index,
1209
AVAHI_PROTO_INET6, "_mandos._tcp",
1210
NULL, 0, browse_callback, &mc);
1211
if(sb == NULL){
1212
fprintf(stderr, "Failed to create service browser: %s\n",
1213
avahi_strerror(avahi_server_errno(mc.server)));
1214
exitcode = EXIT_FAILURE;
1215
goto end;
1216
}
1217
1218
/* Run the main loop */
1219
1220
if(debug){
1221
fprintf(stderr, "Starting Avahi loop search\n");
1222
}
1223
1224
avahi_simple_poll_loop(mc.simple_poll);
1225
1226
end:
1227
1228
if(debug){
1229
fprintf(stderr, "%s exiting\n", argv[0]);
1230
}
1231
1232
/* Cleanup things */
1233
if(sb != NULL)
1234
avahi_s_service_browser_free(sb);
1235
1236
if(mc.server != NULL)
1237
avahi_server_free(mc.server);
1238
1239
if(mc.simple_poll != NULL)
1240
avahi_simple_poll_free(mc.simple_poll);
1241
1242
if(gnutls_initialized){
1243
gnutls_certificate_free_credentials(mc.cred);
1244
gnutls_global_deinit();
1245
gnutls_dh_params_deinit(mc.dh_params);
1246
}
1247
1248
if(gpgme_initialized){
1249
gpgme_release(mc.ctx);
1250
}
1251
1252
/* Removes the temp directory used by GPGME */
1253
if(tempdir_created){
1254
DIR *d;
1255
struct dirent *direntry;
1256
d = opendir(tempdir);
1257
if(d == NULL){
1258
if(errno != ENOENT){
1259
perror("opendir");
1260
}
1261
} else {
1262
while(true){
1263
direntry = readdir(d);
1264
if(direntry == NULL){
1265
break;
1266
}
1267
/* Skip "." and ".." */
1268
if(direntry->d_name[0] == '.'
1269
and (direntry->d_name[1] == '\0'
1270
or (direntry->d_name[1] == '.'
1271
and direntry->d_name[2] == '\0'))){
1272
continue;
1273
}
1274
char *fullname = NULL;
1275
ret = asprintf(&fullname, "%s/%s", tempdir,
1276
direntry->d_name);
1277
if(ret < 0){
1278
perror("asprintf");
1279
continue;
1280
}
1281
ret = remove(fullname);
1282
if(ret == -1){
1283
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1284
strerror(errno));
1285
}
1286
free(fullname);
1287
}
1288
closedir(d);
1289
}
1290
ret = rmdir(tempdir);
1291
if(ret == -1 and errno != ENOENT){
1292
perror("rmdir");
1293
}
1294
}
1295
1296
return exitcode;
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
807
avahi_strerror(error));
808
returncode = EXIT_FAILURE;
809
goto exit;
810
}
811
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
814
AVAHI_PROTO_INET6,
815
"_mandos._tcp", NULL, 0,
816
browse_callback, server);
817
if (!sb) {
818
fprintf(stderr, "Failed to create service browser: %s\n",
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
822
}
823
824
/* Run the main loop */
825
826
if (debug){
827
fprintf(stderr, "Starting avahi loop search\n");
828
}
829
830
avahi_simple_poll_loop(simple_poll);
831
832
exit:
833
834
if (debug){
835
fprintf(stderr, "%s exiting\n", argv[0]);
836
}
837
838
/* Cleanup things */
839
if (sb)
840
avahi_s_service_browser_free(sb);
841
842
if (server)
843
avahi_server_free(server);
844
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
849
850
return returncode;
1297
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0