To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.8
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.8
- Committer: Björn Påhlsson
- Date: 2008-08-02 18:46:45 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802184645-t5i3yboc53gdas7m
plugbasedclient
Parse a single argument as a plus-separated list of options
Parse a single argument as a plus-separated list of options
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
94
43
#include <avahi-core/core.h>
95
44
#include <avahi-core/lookup.h>
96
45
#include <avahi-core/log.h>
98
47
#include <avahi-common/malloc.h>
99
48
#include <avahi-common/error.h>
100
49
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
117
70
118
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
119
73
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
123
77
124
78
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
128
79
129
/* Used for passing in values through the Avahi callback functions */
130
80
typedef struct {
131
AvahiSimplePoll *simple_poll;
132
AvahiServer *server;
81
gnutls_session_t session;
133
82
gnutls_certificate_credentials_t cred;
134
unsigned int dh_bits;
135
83
gnutls_dh_params_t dh_params;
136
const char *priority;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
137
91
gpgme_ctx_t ctx;
138
} mandos_context;
139
140
/* global context so signal handler can reach it*/
141
mandos_context mc = { .simple_poll = NULL, .server = NULL,
142
.dh_bits = 1024, .priority = "SECURE256"
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
145
/*
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
* bytes. "buffer_capacity" is how much is currently allocated,
148
* "buffer_length" is how much is already used.
149
*/
150
size_t incbuffer(char **buffer, size_t buffer_length,
151
size_t buffer_capacity){
152
if(buffer_length + BUFFER_SIZE > buffer_capacity){
153
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
154
if(buffer == NULL){
155
return 0;
156
}
157
buffer_capacity += BUFFER_SIZE;
158
}
159
return buffer_capacity;
160
}
161
162
/*
163
* Initialize GPGME.
164
*/
165
static bool init_gpgme(const char *seckey,
166
const char *pubkey, const char *tempdir){
167
int ret;
168
92
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
169
96
gpgme_engine_info_t engine_info;
170
171
172
/*
173
* Helper function to insert pub and seckey to the engine keyring.
174
*/
175
bool import_key(const char *filename){
176
int fd;
177
gpgme_data_t pgp_data;
178
179
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
180
if(fd == -1){
181
perror("open");
182
return false;
183
}
184
185
rc = gpgme_data_new_from_fd(&pgp_data, fd);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
rc = gpgme_op_import(mc.ctx, pgp_data);
193
if(rc != GPG_ERR_NO_ERROR){
194
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
return false;
197
}
198
199
ret = (int)TEMP_FAILURE_RETRY(close(fd));
200
if(ret == -1){
201
perror("close");
202
}
203
gpgme_data_release(pgp_data);
204
return true;
205
}
206
207
if(debug){
208
fprintf(stderr, "Initializing GPGME\n");
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
209
100
}
210
101
211
102
/* Init GPGME */
212
103
gpgme_check_version(NULL);
213
104
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
214
if(rc != GPG_ERR_NO_ERROR){
105
if (rc != GPG_ERR_NO_ERROR){
215
106
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
216
107
gpgme_strsource(rc), gpgme_strerror(rc));
217
return false;
108
return -1;
218
109
}
219
110
220
/* Set GPGME home directory for the OpenPGP engine only */
221
rc = gpgme_get_engine_info(&engine_info);
222
if(rc != GPG_ERR_NO_ERROR){
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
223
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
224
115
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
116
return -1;
226
117
}
227
118
while(engine_info != NULL){
228
119
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
229
120
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
230
engine_info->file_name, tempdir);
121
engine_info->file_name, homedir);
231
122
break;
232
123
}
233
124
engine_info = engine_info->next;
234
125
}
235
126
if(engine_info == NULL){
236
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
237
return false;
238
}
239
240
/* Create new GPGME "context" */
241
rc = gpgme_new(&(mc.ctx));
242
if(rc != GPG_ERR_NO_ERROR){
243
fprintf(stderr, "bad gpgme_new: %s: %s\n",
244
gpgme_strsource(rc), gpgme_strerror(rc));
245
return false;
246
}
247
248
if(not import_key(pubkey) or not import_key(seckey)){
249
return false;
250
}
251
252
return true;
253
}
254
255
/*
256
* Decrypt OpenPGP data.
257
* Returns -1 on error
258
*/
259
static ssize_t pgp_packet_decrypt(const char *cryptotext,
260
size_t crypto_size,
261
char **plaintext){
262
gpgme_data_t dh_crypto, dh_plain;
263
gpgme_error_t rc;
264
ssize_t ret;
265
size_t plaintext_capacity = 0;
266
ssize_t plaintext_length = 0;
267
268
if(debug){
269
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
270
}
271
272
/* Create new GPGME data buffer from memory cryptotext */
273
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
274
0);
275
if(rc != GPG_ERR_NO_ERROR){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
276
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
277
135
gpgme_strsource(rc), gpgme_strerror(rc));
278
136
return -1;
280
138
281
139
/* Create new empty GPGME data buffer for the plaintext */
282
140
rc = gpgme_data_new(&dh_plain);
283
if(rc != GPG_ERR_NO_ERROR){
141
if (rc != GPG_ERR_NO_ERROR){
284
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
285
143
gpgme_strsource(rc), gpgme_strerror(rc));
286
gpgme_data_release(dh_crypto);
287
return -1;
288
}
289
290
/* Decrypt data from the cryptotext data buffer to the plaintext
291
data buffer */
292
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
293
if(rc != GPG_ERR_NO_ERROR){
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
294
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
295
160
gpgme_strsource(rc), gpgme_strerror(rc));
296
plaintext_length = -1;
297
if(debug){
298
gpgme_decrypt_result_t result;
299
result = gpgme_op_decrypt_result(mc.ctx);
300
if(result == NULL){
301
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
302
} else {
303
fprintf(stderr, "Unsupported algorithm: %s\n",
304
result->unsupported_algorithm);
305
fprintf(stderr, "Wrong key usage: %u\n",
306
result->wrong_key_usage);
307
if(result->file_name != NULL){
308
fprintf(stderr, "File name: %s\n", result->file_name);
309
}
310
gpgme_recipient_t recipient;
311
recipient = result->recipients;
161
return -1;
162
}
163
164
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
312
184
while(recipient != NULL){
313
185
fprintf(stderr, "Public key algorithm: %s\n",
314
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
320
192
}
321
193
}
322
194
}
323
goto decrypt_end;
324
195
}
325
196
326
if(debug){
327
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
328
}
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
329
199
330
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
331
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
332
perror("gpgme_data_seek");
333
plaintext_length = -1;
334
goto decrypt_end;
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
335
203
}
336
204
337
*plaintext = NULL;
205
*new_packet = 0;
338
206
while(true){
339
plaintext_capacity = incbuffer(plaintext,
340
(size_t)plaintext_length,
341
plaintext_capacity);
342
if(plaintext_capacity == 0){
343
perror("incbuffer");
344
plaintext_length = -1;
345
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
346
216
}
347
217
348
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
349
219
BUFFER_SIZE);
350
220
/* Print the data, if any */
351
if(ret == 0){
352
/* EOF */
221
if (ret == 0){
353
222
break;
354
223
}
355
224
if(ret < 0){
356
225
perror("gpgme_data_read");
357
plaintext_length = -1;
358
goto decrypt_end;
359
}
360
plaintext_length += ret;
361
}
362
363
if(debug){
364
fprintf(stderr, "Decrypted password is: ");
365
for(ssize_t i = 0; i < plaintext_length; i++){
366
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
367
}
368
fprintf(stderr, "\n");
369
}
370
371
decrypt_end:
372
373
/* Delete the GPGME cryptotext data buffer */
374
gpgme_data_release(dh_crypto);
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
375
238
376
239
/* Delete the GPGME plaintext data buffer */
377
240
gpgme_data_release(dh_plain);
378
return plaintext_length;
241
return new_packet_length;
379
242
}
380
243
381
static const char * safer_gnutls_strerror(int value){
382
const char *ret = gnutls_strerror(value); /* Spurious warning from
383
-Wunreachable-code */
384
if(ret == NULL)
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
385
247
ret = "(unknown)";
386
248
return ret;
387
249
}
388
250
389
/* GnuTLS log function callback */
390
251
static void debuggnutls(__attribute__((unused)) int level,
391
252
const char* string){
392
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
393
254
}
394
255
395
static int init_gnutls_global(const char *pubkeyfilename,
396
const char *seckeyfilename){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
397
258
int ret;
398
259
399
260
if(debug){
400
261
fprintf(stderr, "Initializing GnuTLS\n");
401
262
}
402
403
ret = gnutls_global_init();
404
if(ret != GNUTLS_E_SUCCESS){
405
fprintf(stderr, "GnuTLS global_init: %s\n",
406
safer_gnutls_strerror(ret));
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
407
267
return -1;
408
268
}
409
410
if(debug){
411
/* "Use a log level over 10 to enable all debugging options."
412
* - GnuTLS manual
413
*/
269
270
if (debug){
414
271
gnutls_global_set_log_level(11);
415
272
gnutls_global_set_log_function(debuggnutls);
416
273
}
417
274
418
/* OpenPGP credentials */
419
gnutls_certificate_allocate_credentials(&mc.cred);
420
if(ret != GNUTLS_E_SUCCESS){
421
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
422
from
423
-Wunreachable-code
424
*/
425
safer_gnutls_strerror(ret));
426
gnutls_global_deinit();
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
427
280
return -1;
428
281
}
429
282
430
283
if(debug){
431
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
432
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
433
seckeyfilename);
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
434
287
}
435
288
436
289
ret = gnutls_certificate_set_openpgp_key_file
437
(mc.cred, pubkeyfilename, seckeyfilename,
438
GNUTLS_OPENPGP_FMT_BASE64);
439
if(ret != GNUTLS_E_SUCCESS){
440
fprintf(stderr,
441
"Error[%d] while reading the OpenPGP key pair ('%s',"
442
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
443
fprintf(stderr, "The GnuTLS error is: %s\n",
444
safer_gnutls_strerror(ret));
445
goto globalfail;
446
}
447
448
/* GnuTLS server initialization */
449
ret = gnutls_dh_params_init(&mc.dh_params);
450
if(ret != GNUTLS_E_SUCCESS){
451
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
452
" %s\n", safer_gnutls_strerror(ret));
453
goto globalfail;
454
}
455
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
456
if(ret != GNUTLS_E_SUCCESS){
457
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
458
safer_gnutls_strerror(ret));
459
goto globalfail;
460
}
461
462
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
463
464
return 0;
465
466
globalfail:
467
468
gnutls_certificate_free_credentials(mc.cred);
469
gnutls_global_deinit();
470
gnutls_dh_params_deinit(mc.dh_params);
471
return -1;
472
}
473
474
static int init_gnutls_session(gnutls_session_t *session){
475
int ret;
476
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
478
if(ret != GNUTLS_E_SUCCESS){
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
479
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
322
safer_gnutls_strerror(ret));
481
323
}
482
324
483
{
484
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
486
if(ret != GNUTLS_E_SUCCESS){
487
fprintf(stderr, "Syntax error at: %s\n", err);
488
fprintf(stderr, "GnuTLS error: %s\n",
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
491
return -1;
492
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
493
331
}
494
332
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
497
if(ret != GNUTLS_E_SUCCESS){
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
499
337
safer_gnutls_strerror(ret));
500
gnutls_deinit(*session);
501
338
return -1;
502
339
}
503
340
504
341
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
507
344
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
509
346
510
347
return 0;
511
348
}
512
349
513
/* Avahi log function callback */
514
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
351
__attribute__((unused)) const char *txt){}
516
352
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
520
/* Called when a Mandos server is found */
521
353
static int start_mandos_communication(const char *ip, uint16_t port,
522
AvahiIfIndex if_index,
523
int af){
354
AvahiIfIndex if_index){
524
355
int ret, tcp_sd;
525
ssize_t sret;
526
union {
527
struct sockaddr_in in;
528
struct sockaddr_in6 in6;
529
} to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
530
358
char *buffer = NULL;
531
359
char *decrypted_buffer;
532
360
size_t buffer_length = 0;
533
361
size_t buffer_capacity = 0;
534
362
ssize_t decrypted_buffer_size;
535
size_t written;
363
size_t written = 0;
536
364
int retval = 0;
537
gnutls_session_t session;
538
int pf; /* Protocol family */
539
540
switch(af){
541
case AF_INET6:
542
pf = PF_INET6;
543
break;
544
case AF_INET:
545
pf = PF_INET;
546
break;
547
default:
548
fprintf(stderr, "Bad address family: %d\n", af);
549
return -1;
550
}
551
552
ret = init_gnutls_session(&session);
553
if(ret != 0){
554
return -1;
555
}
365
char interface[IF_NAMESIZE];
556
366
557
367
if(debug){
558
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
559
"\n", ip, port);
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
560
370
}
561
371
562
tcp_sd = socket(pf, SOCK_STREAM, 0);
563
if(tcp_sd < 0){
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
if(tcp_sd < 0) {
564
374
perror("socket");
565
375
return -1;
566
376
}
377
378
if(debug){
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
if(debug){
381
perror("if_indextoname");
382
}
383
return -1;
384
}
385
386
fprintf(stderr, "Binding to interface %s\n", interface);
387
}
567
388
568
memset(&to, 0, sizeof(to));
569
if(af == AF_INET6){
570
to.in6.sin6_family = (sa_family_t)af;
571
ret = inet_pton(af, ip, &to.in6.sin6_addr);
572
} else { /* IPv4 */
573
to.in.sin_family = (sa_family_t)af;
574
ret = inet_pton(af, ip, &to.in.sin_addr);
575
}
576
if(ret < 0 ){
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
577
393
perror("inet_pton");
578
394
return -1;
579
}
395
}
580
396
if(ret == 0){
581
397
fprintf(stderr, "Bad address: %s\n", ip);
582
398
return -1;
583
399
}
584
if(af == AF_INET6){
585
to.in6.sin6_port = htons(port); /* Spurious warnings from
586
-Wconversion and
587
-Wunreachable-code */
588
589
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
590
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
591
-Wunreachable-code*/
592
if(if_index == AVAHI_IF_UNSPEC){
593
fprintf(stderr, "An IPv6 link-local address is incomplete"
594
" without a network interface\n");
595
return -1;
596
}
597
/* Set the network interface number as scope */
598
to.in6.sin6_scope_id = (uint32_t)if_index;
599
}
600
} else {
601
to.in.sin_port = htons(port); /* Spurious warnings from
602
-Wconversion and
603
-Wunreachable-code */
604
}
400
to.sin6_port = htons(port); /* Spurious warning */
401
402
to.sin6_scope_id = (uint32_t)if_index;
605
403
606
404
if(debug){
607
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
608
char interface[IF_NAMESIZE];
609
if(if_indextoname((unsigned int)if_index, interface) == NULL){
610
perror("if_indextoname");
611
} else {
612
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
613
ip, interface, port);
614
}
615
} else {
616
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
617
port);
618
}
619
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
620
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
621
const char *pcret;
622
if(af == AF_INET6){
623
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
624
sizeof(addrstr));
625
} else {
626
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
627
sizeof(addrstr));
628
}
629
if(pcret == NULL){
630
perror("inet_ntop");
631
} else {
632
if(strcmp(addrstr, ip) != 0){
633
fprintf(stderr, "Canonical address form: %s\n", addrstr);
634
}
635
}
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
636
414
}
637
415
638
if(af == AF_INET6){
639
ret = connect(tcp_sd, &to.in6, sizeof(to));
640
} else {
641
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
642
}
643
if(ret < 0){
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
417
if (ret < 0){
644
418
perror("connect");
645
419
return -1;
646
420
}
647
421
648
const char *out = mandos_protocol_version;
649
written = 0;
650
while(true){
651
size_t out_size = strlen(out);
652
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
653
out_size - written));
654
if(ret == -1){
655
perror("write");
656
retval = -1;
657
goto mandos_end;
658
}
659
written += (size_t)ret;
660
if(written < out_size){
661
continue;
662
} else {
663
if(out == mandos_protocol_version){
664
written = 0;
665
out = "\r\n";
666
} else {
667
break;
668
}
669
}
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
670
426
}
671
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
672
431
if(debug){
673
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
674
433
}
675
434
676
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
677
678
do{
679
ret = gnutls_handshake(session);
680
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
681
682
if(ret != GNUTLS_E_SUCCESS){
435
ret = gnutls_handshake (es.session);
436
437
if (ret != GNUTLS_E_SUCCESS){
683
438
if(debug){
684
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
685
gnutls_perror(ret);
439
fprintf(stderr, "\n*** Handshake failed ***\n");
440
gnutls_perror (ret);
686
441
}
687
442
retval = -1;
688
goto mandos_end;
443
goto exit;
689
444
}
690
445
691
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
692
447
693
448
if(debug){
694
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
695
450
ip);
696
451
}
697
452
698
453
while(true){
699
buffer_capacity = incbuffer(&buffer, buffer_length,
700
buffer_capacity);
701
if(buffer_capacity == 0){
702
perror("incbuffer");
703
retval = -1;
704
goto mandos_end;
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
705
461
}
706
462
707
sret = gnutls_record_recv(session, buffer+buffer_length,
708
BUFFER_SIZE);
709
if(sret == 0){
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
465
if (ret == 0){
710
466
break;
711
467
}
712
if(sret < 0){
713
switch(sret){
468
if (ret < 0){
469
switch(ret){
714
470
case GNUTLS_E_INTERRUPTED:
715
471
case GNUTLS_E_AGAIN:
716
472
break;
717
473
case GNUTLS_E_REHANDSHAKE:
718
do{
719
ret = gnutls_handshake(session);
720
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
721
if(ret < 0){
722
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
723
gnutls_perror(ret);
474
ret = gnutls_handshake (es.session);
475
if (ret < 0){
476
fprintf(stderr, "\n*** Handshake failed ***\n");
477
gnutls_perror (ret);
724
478
retval = -1;
725
goto mandos_end;
479
goto exit;
726
480
}
727
481
break;
728
482
default:
729
483
fprintf(stderr, "Unknown error while reading data from"
730
" encrypted session with Mandos server\n");
484
" encrypted session with mandos server\n");
731
485
retval = -1;
732
gnutls_bye(session, GNUTLS_SHUT_RDWR);
733
goto mandos_end;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
734
488
}
735
489
} else {
736
buffer_length += (size_t) sret;
490
buffer_length += (size_t) ret;
737
491
}
738
492
}
739
493
740
if(debug){
741
fprintf(stderr, "Closing TLS session\n");
742
}
743
744
gnutls_bye(session, GNUTLS_SHUT_RDWR);
745
746
if(buffer_length > 0){
494
if (buffer_length > 0){
747
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
748
496
buffer_length,
749
&decrypted_buffer);
750
if(decrypted_buffer_size >= 0){
751
written = 0;
497
&decrypted_buffer,
498
certdir);
499
if (decrypted_buffer_size >= 0){
752
500
while(written < (size_t) decrypted_buffer_size){
753
ret = (int)fwrite(decrypted_buffer + written, 1,
754
(size_t)decrypted_buffer_size - written,
755
stdout);
501
ret = (int)fwrite (decrypted_buffer + written, 1,
502
(size_t)decrypted_buffer_size - written,
503
stdout);
756
504
if(ret == 0 and ferror(stdout)){
757
505
if(debug){
758
506
fprintf(stderr, "Error writing encrypted data: %s\n",
767
515
} else {
768
516
retval = -1;
769
517
}
770
} else {
771
retval = -1;
772
}
773
774
/* Shutdown procedure */
775
776
mandos_end:
518
}
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
777
526
free(buffer);
778
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
779
if(ret == -1){
780
perror("close");
781
}
782
gnutls_deinit(session);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
529
close(tcp_sd);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
532
gnutls_global_deinit ();
783
533
return retval;
784
534
}
785
535
786
static void resolve_callback(AvahiSServiceResolver *r,
787
AvahiIfIndex interface,
788
AvahiProtocol proto,
789
AvahiResolverEvent event,
790
const char *name,
791
const char *type,
792
const char *domain,
793
const char *host_name,
794
const AvahiAddress *address,
795
uint16_t port,
796
AVAHI_GCC_UNUSED AvahiStringList *txt,
797
AVAHI_GCC_UNUSED AvahiLookupResultFlags
798
flags,
799
AVAHI_GCC_UNUSED void* userdata){
800
assert(r);
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
554
assert(r); /* Spurious warning */
801
555
802
556
/* Called whenever a service has been resolved successfully or
803
557
timed out */
804
558
805
if(quit_now){
806
return;
807
}
808
809
switch(event){
559
switch (event) {
810
560
default:
811
561
case AVAHI_RESOLVER_FAILURE:
812
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
813
" of type '%s' in domain '%s': %s\n", name, type, domain,
814
avahi_strerror(avahi_server_errno(mc.server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
815
565
break;
816
566
817
567
case AVAHI_RESOLVER_FOUND:
819
569
char ip[AVAHI_ADDRESS_STR_MAX];
820
570
avahi_address_snprint(ip, sizeof(ip), address);
821
571
if(debug){
822
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
823
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
824
ip, (intmax_t)interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
825
574
}
826
int ret = start_mandos_communication(ip, port, interface,
827
avahi_proto_to_af(proto));
828
if(ret == 0){
829
avahi_simple_poll_quit(mc.simple_poll);
575
int ret = start_mandos_communication(ip, port, interface);
576
if (ret == 0){
577
exit(EXIT_SUCCESS);
830
578
}
831
579
}
832
580
}
833
581
avahi_s_service_resolver_free(r);
834
582
}
835
583
836
static void browse_callback(AvahiSServiceBrowser *b,
837
AvahiIfIndex interface,
838
AvahiProtocol protocol,
839
AvahiBrowserEvent event,
840
const char *name,
841
const char *type,
842
const char *domain,
843
AVAHI_GCC_UNUSED AvahiLookupResultFlags
844
flags,
845
AVAHI_GCC_UNUSED void* userdata){
846
assert(b);
847
848
/* Called whenever a new services becomes available on the LAN or
849
is removed from the LAN */
850
851
switch(event){
852
default:
853
case AVAHI_BROWSER_FAILURE:
854
855
fprintf(stderr, "(Avahi browser) %s\n",
856
avahi_strerror(avahi_server_errno(mc.server)));
857
avahi_simple_poll_quit(mc.simple_poll);
858
return;
859
860
case AVAHI_BROWSER_NEW:
861
/* We ignore the returned Avahi resolver object. In the callback
862
function we free it. If the Avahi server is terminated before
863
the callback function is called the Avahi server will free the
864
resolver for us. */
865
866
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
867
name, type, domain, protocol, 0,
868
resolve_callback, NULL) == NULL)
869
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
870
name, avahi_strerror(avahi_server_errno(mc.server)));
871
break;
872
873
case AVAHI_BROWSER_REMOVE:
874
break;
875
876
case AVAHI_BROWSER_ALL_FOR_NOW:
877
case AVAHI_BROWSER_CACHE_EXHAUSTED:
878
if(debug){
879
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
880
630
}
881
break;
882
}
883
}
884
885
/* stop main loop after sigterm has been called */
886
static void handle_sigterm(int sig){
887
if(quit_now){
888
return;
889
}
890
quit_now = 1;
891
signal_received = sig;
892
int old_errno = errno;
893
if(mc.simple_poll != NULL){
894
avahi_simple_poll_quit(mc.simple_poll);
895
}
896
errno = old_errno;
897
}
898
899
int main(int argc, char *argv[]){
900
AvahiSServiceBrowser *sb = NULL;
901
int error;
902
int ret;
903
intmax_t tmpmax;
904
char *tmp;
905
int exitcode = EXIT_SUCCESS;
906
const char *interface = "eth0";
907
struct ifreq network;
908
int sd = -1;
909
bool take_down_interface = false;
910
uid_t uid;
911
gid_t gid;
912
char *connect_to = NULL;
913
char tempdir[] = "/tmp/mandosXXXXXX";
914
bool tempdir_created = false;
915
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
916
const char *seckey = PATHDIR "/" SECKEY;
917
const char *pubkey = PATHDIR "/" PUBKEY;
918
919
bool gnutls_initialized = false;
920
bool gpgme_initialized = false;
921
float delay = 2.5f;
922
923
struct sigaction old_sigterm_action;
924
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
925
926
{
927
struct argp_option options[] = {
928
{ .name = "debug", .key = 128,
929
.doc = "Debug mode", .group = 3 },
930
{ .name = "connect", .key = 'c',
931
.arg = "ADDRESS:PORT",
932
.doc = "Connect directly to a specific Mandos server",
933
.group = 1 },
934
{ .name = "interface", .key = 'i',
935
.arg = "NAME",
936
.doc = "Network interface that will be used to search for"
937
" Mandos servers",
938
.group = 1 },
939
{ .name = "seckey", .key = 's',
940
.arg = "FILE",
941
.doc = "OpenPGP secret key file base name",
942
.group = 1 },
943
{ .name = "pubkey", .key = 'p',
944
.arg = "FILE",
945
.doc = "OpenPGP public key file base name",
946
.group = 2 },
947
{ .name = "dh-bits", .key = 129,
948
.arg = "BITS",
949
.doc = "Bit length of the prime number used in the"
950
" Diffie-Hellman key exchange",
951
.group = 2 },
952
{ .name = "priority", .key = 130,
953
.arg = "STRING",
954
.doc = "GnuTLS priority string for the TLS handshake",
955
.group = 1 },
956
{ .name = "delay", .key = 131,
957
.arg = "SECONDS",
958
.doc = "Maximum delay to wait for interface startup",
959
.group = 2 },
960
{ .name = NULL }
961
};
631
}
632
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
639
if (tmp == NULL){
640
return NULL;
641
}
642
if(f_len > 0){
643
memcpy(tmp, first, f_len);
644
}
645
tmp[f_len] = '/';
646
if(s_len > 0){
647
memcpy(tmp + f_len + 1, second, s_len);
648
}
649
tmp[f_len + 1 + s_len] = '\0';
650
return tmp;
651
}
652
653
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
656
AvahiSServiceBrowser *sb = NULL;
657
int error;
658
int ret;
659
int returncode = EXIT_SUCCESS;
660
const char *interface = "eth0";
661
struct ifreq network;
662
int sd;
663
char *connect_to = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
962
665
963
error_t parse_opt(int key, char *arg,
964
struct argp_state *state){
965
switch(key){
966
case 128: /* --debug */
967
debug = true;
968
break;
969
case 'c': /* --connect */
970
connect_to = arg;
971
break;
972
case 'i': /* --interface */
973
interface = arg;
974
break;
975
case 's': /* --seckey */
976
seckey = arg;
977
break;
978
case 'p': /* --pubkey */
979
pubkey = arg;
980
break;
981
case 129: /* --dh-bits */
982
errno = 0;
983
tmpmax = strtoimax(arg, &tmp, 10);
984
if(errno != 0 or tmp == arg or *tmp != '\0'
985
or tmpmax != (typeof(mc.dh_bits))tmpmax){
986
fprintf(stderr, "Bad number of DH bits\n");
987
exit(EXIT_FAILURE);
988
}
989
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
990
break;
991
case 130: /* --priority */
992
mc.priority = arg;
993
break;
994
case 131: /* --delay */
995
errno = 0;
996
delay = strtof(arg, &tmp);
997
if(errno != 0 or tmp == arg or *tmp != '\0'){
998
fprintf(stderr, "Bad delay\n");
999
exit(EXIT_FAILURE);
1000
}
1001
break;
1002
case ARGP_KEY_ARG:
1003
argp_usage(state);
1004
case ARGP_KEY_END:
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
1005
701
break;
1006
702
default:
1007
return ARGP_ERR_UNKNOWN;
703
exit(EXIT_FAILURE);
1008
704
}
1009
return 0;
1010
}
1011
1012
struct argp argp = { .options = options, .parser = parse_opt,
1013
.args_doc = "",
1014
.doc = "Mandos client -- Get and decrypt"
1015
" passwords from a Mandos server" };
1016
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1017
if(ret == ARGP_ERR_UNKNOWN){
1018
fprintf(stderr, "Unknown error while parsing arguments\n");
1019
exitcode = EXIT_FAILURE;
1020
goto end;
1021
}
1022
}
1023
1024
if(not debug){
1025
avahi_set_log_function(empty_log);
1026
}
1027
1028
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1029
from the signal handler */
1030
/* Initialize the pseudo-RNG for Avahi */
1031
srand((unsigned int) time(NULL));
1032
mc.simple_poll = avahi_simple_poll_new();
1033
if(mc.simple_poll == NULL){
1034
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1035
exitcode = EXIT_FAILURE;
1036
goto end;
1037
}
1038
1039
sigemptyset(&sigterm_action.sa_mask);
1040
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1041
if(ret == -1){
1042
perror("sigaddset");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1047
if(ret == -1){
1048
perror("sigaddset");
1049
exitcode = EXIT_FAILURE;
1050
goto end;
1051
}
1052
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1053
if(ret == -1){
1054
perror("sigaddset");
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
/* Need to check if the handler is SIG_IGN before handling:
1059
| [[info:libc:Initial Signal Actions]] |
1060
| [[info:libc:Basic Signal Handling]] |
1061
*/
1062
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1063
if(ret == -1){
1064
perror("sigaction");
1065
return EXIT_FAILURE;
1066
}
1067
if(old_sigterm_action.sa_handler != SIG_IGN){
1068
ret = sigaction(SIGINT, &sigterm_action, NULL);
1069
if(ret == -1){
1070
perror("sigaction");
1071
exitcode = EXIT_FAILURE;
1072
goto end;
1073
}
1074
}
1075
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1076
if(ret == -1){
1077
perror("sigaction");
1078
return EXIT_FAILURE;
1079
}
1080
if(old_sigterm_action.sa_handler != SIG_IGN){
1081
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1082
if(ret == -1){
1083
perror("sigaction");
1084
exitcode = EXIT_FAILURE;
1085
goto end;
1086
}
1087
}
1088
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1089
if(ret == -1){
1090
perror("sigaction");
1091
return EXIT_FAILURE;
1092
}
1093
if(old_sigterm_action.sa_handler != SIG_IGN){
1094
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1095
if(ret == -1){
1096
perror("sigaction");
1097
exitcode = EXIT_FAILURE;
1098
goto end;
1099
}
1100
}
1101
1102
/* If the interface is down, bring it up */
1103
if(interface[0] != '\0'){
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
719
}
720
1104
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
1105
722
if(if_index == 0){
1106
723
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1107
exitcode = EXIT_FAILURE;
1108
goto end;
1109
}
1110
1111
if(quit_now){
1112
goto end;
1113
}
1114
1115
#ifdef __linux__
1116
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1117
messages to mess up the prompt */
1118
ret = klogctl(8, NULL, 5);
1119
bool restore_loglevel = true;
1120
if(ret == -1){
1121
restore_loglevel = false;
1122
perror("klogctl");
1123
}
1124
#endif /* __linux__ */
724
exit(EXIT_FAILURE);
725
}
726
727
if(connect_to != NULL){
728
/* Connect directly, do not use Zeroconf */
729
/* (Mainly meant for debugging) */
730
char *address = strrchr(connect_to, ':');
731
if(address == NULL){
732
fprintf(stderr, "No colon in address\n");
733
exit(EXIT_FAILURE);
734
}
735
errno = 0;
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
737
if(errno){
738
perror("Bad port number");
739
exit(EXIT_FAILURE);
740
}
741
*address = '\0';
742
address = connect_to;
743
ret = start_mandos_communication(address, port, if_index);
744
if(ret < 0){
745
exit(EXIT_FAILURE);
746
} else {
747
exit(EXIT_SUCCESS);
748
}
749
}
1125
750
1126
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1127
if(sd < 0){
752
if(sd < 0) {
1128
753
perror("socket");
1129
exitcode = EXIT_FAILURE;
1130
#ifdef __linux__
1131
if(restore_loglevel){
1132
ret = klogctl(7, NULL, 0);
1133
if(ret == -1){
1134
perror("klogctl");
1135
}
1136
}
1137
#endif /* __linux__ */
1138
goto end;
754
returncode = EXIT_FAILURE;
755
goto exit;
1139
756
}
1140
strcpy(network.ifr_name, interface);
757
strcpy(network.ifr_name, interface);
1141
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1142
759
if(ret == -1){
760
1143
761
perror("ioctl SIOCGIFFLAGS");
1144
#ifdef __linux__
1145
if(restore_loglevel){
1146
ret = klogctl(7, NULL, 0);
1147
if(ret == -1){
1148
perror("klogctl");
1149
}
1150
}
1151
#endif /* __linux__ */
1152
exitcode = EXIT_FAILURE;
1153
goto end;
762
returncode = EXIT_FAILURE;
763
goto exit;
1154
764
}
1155
765
if((network.ifr_flags & IFF_UP) == 0){
1156
766
network.ifr_flags |= IFF_UP;
1157
take_down_interface = true;
1158
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1159
768
if(ret == -1){
1160
take_down_interface = false;
1161
769
perror("ioctl SIOCSIFFLAGS");
1162
exitcode = EXIT_FAILURE;
1163
#ifdef __linux__
1164
if(restore_loglevel){
1165
ret = klogctl(7, NULL, 0);
1166
if(ret == -1){
1167
perror("klogctl");
1168
}
1169
}
1170
#endif /* __linux__ */
1171
goto end;
1172
}
1173
}
1174
/* sleep checking until interface is running */
1175
for(int i=0; i < delay * 4; i++){
1176
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1177
if(ret == -1){
1178
perror("ioctl SIOCGIFFLAGS");
1179
} else if(network.ifr_flags & IFF_RUNNING){
1180
break;
1181
}
1182
struct timespec sleeptime = { .tv_nsec = 250000000 };
1183
ret = nanosleep(&sleeptime, NULL);
1184
if(ret == -1 and errno != EINTR){
1185
perror("nanosleep");
1186
}
1187
}
1188
if(not take_down_interface){
1189
/* We won't need the socket anymore */
1190
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1191
if(ret == -1){
1192
perror("close");
1193
}
1194
}
1195
#ifdef __linux__
1196
if(restore_loglevel){
1197
/* Restores kernel loglevel to default */
1198
ret = klogctl(7, NULL, 0);
1199
if(ret == -1){
1200
perror("klogctl");
1201
}
1202
}
1203
#endif /* __linux__ */
1204
}
1205
1206
if(quit_now){
1207
goto end;
1208
}
1209
1210
uid = getuid();
1211
gid = getgid();
1212
1213
errno = 0;
1214
setgid(gid);
1215
if(ret == -1){
1216
perror("setgid");
1217
}
1218
1219
ret = setuid(uid);
1220
if(ret == -1){
1221
perror("setuid");
1222
}
1223
1224
if(quit_now){
1225
goto end;
1226
}
1227
1228
ret = init_gnutls_global(pubkey, seckey);
1229
if(ret == -1){
1230
fprintf(stderr, "init_gnutls_global failed\n");
1231
exitcode = EXIT_FAILURE;
1232
goto end;
1233
} else {
1234
gnutls_initialized = true;
1235
}
1236
1237
if(quit_now){
1238
goto end;
1239
}
1240
1241
tempdir_created = true;
1242
if(mkdtemp(tempdir) == NULL){
1243
tempdir_created = false;
1244
perror("mkdtemp");
1245
goto end;
1246
}
1247
1248
if(quit_now){
1249
goto end;
1250
}
1251
1252
if(not init_gpgme(pubkey, seckey, tempdir)){
1253
fprintf(stderr, "init_gpgme failed\n");
1254
exitcode = EXIT_FAILURE;
1255
goto end;
1256
} else {
1257
gpgme_initialized = true;
1258
}
1259
1260
if(quit_now){
1261
goto end;
1262
}
1263
1264
if(connect_to != NULL){
1265
/* Connect directly, do not use Zeroconf */
1266
/* (Mainly meant for debugging) */
1267
char *address = strrchr(connect_to, ':');
1268
if(address == NULL){
1269
fprintf(stderr, "No colon in address\n");
1270
exitcode = EXIT_FAILURE;
1271
goto end;
1272
}
1273
1274
if(quit_now){
1275
goto end;
1276
}
1277
1278
uint16_t port;
1279
errno = 0;
1280
tmpmax = strtoimax(address+1, &tmp, 10);
1281
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1282
or tmpmax != (uint16_t)tmpmax){
1283
fprintf(stderr, "Bad port number\n");
1284
exitcode = EXIT_FAILURE;
1285
goto end;
1286
}
1287
1288
if(quit_now){
1289
goto end;
1290
}
1291
1292
port = (uint16_t)tmpmax;
1293
*address = '\0';
1294
address = connect_to;
1295
/* Colon in address indicates IPv6 */
1296
int af;
1297
if(strchr(address, ':') != NULL){
1298
af = AF_INET6;
1299
} else {
1300
af = AF_INET;
1301
}
1302
1303
if(quit_now){
1304
goto end;
1305
}
1306
1307
ret = start_mandos_communication(address, port, if_index, af);
1308
if(ret < 0){
1309
exitcode = EXIT_FAILURE;
1310
} else {
1311
exitcode = EXIT_SUCCESS;
1312
}
1313
goto end;
1314
}
1315
1316
if(quit_now){
1317
goto end;
1318
}
1319
1320
{
1321
AvahiServerConfig config;
1322
/* Do not publish any local Zeroconf records */
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
773
}
774
close(sd);
775
776
if (not debug){
777
avahi_set_log_function(empty_log);
778
}
779
780
/* Initialize the psuedo-RNG */
781
srand((unsigned int) time(NULL));
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
1323
791
avahi_server_config_init(&config);
1324
792
config.publish_hinfo = 0;
1325
793
config.publish_addresses = 0;
1326
794
config.publish_workstation = 0;
1327
795
config.publish_domain = 0;
1328
796
1329
797
/* Allocate a new server */
1330
mc.server = avahi_server_new(avahi_simple_poll_get
1331
(mc.simple_poll), &config, NULL,
1332
NULL, &error);
1333
1334
/* Free the Avahi configuration data */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
1335
802
avahi_server_config_free(&config);
1336
}
1337
1338
/* Check if creating the Avahi server object succeeded */
1339
if(mc.server == NULL){
1340
fprintf(stderr, "Failed to create Avahi server: %s\n",
1341
avahi_strerror(error));
1342
exitcode = EXIT_FAILURE;
1343
goto end;
1344
}
1345
1346
if(quit_now){
1347
goto end;
1348
}
1349
1350
/* Create the Avahi service browser */
1351
sb = avahi_s_service_browser_new(mc.server, if_index,
1352
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1353
NULL, 0, browse_callback, NULL);
1354
if(sb == NULL){
1355
fprintf(stderr, "Failed to create service browser: %s\n",
1356
avahi_strerror(avahi_server_errno(mc.server)));
1357
exitcode = EXIT_FAILURE;
1358
goto end;
1359
}
1360
1361
if(quit_now){
1362
goto end;
1363
}
1364
1365
/* Run the main loop */
1366
1367
if(debug){
1368
fprintf(stderr, "Starting Avahi loop search\n");
1369
}
1370
1371
avahi_simple_poll_loop(mc.simple_poll);
1372
1373
end:
1374
1375
if(debug){
1376
fprintf(stderr, "%s exiting\n", argv[0]);
1377
}
1378
1379
/* Cleanup things */
1380
if(sb != NULL)
1381
avahi_s_service_browser_free(sb);
1382
1383
if(mc.server != NULL)
1384
avahi_server_free(mc.server);
1385
1386
if(mc.simple_poll != NULL)
1387
avahi_simple_poll_free(mc.simple_poll);
1388
1389
if(gnutls_initialized){
1390
gnutls_certificate_free_credentials(mc.cred);
1391
gnutls_global_deinit();
1392
gnutls_dh_params_deinit(mc.dh_params);
1393
}
1394
1395
if(gpgme_initialized){
1396
gpgme_release(mc.ctx);
1397
}
1398
1399
/* Take down the network interface */
1400
if(take_down_interface){
1401
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1402
if(ret == -1){
1403
perror("ioctl SIOCGIFFLAGS");
1404
} else if(network.ifr_flags & IFF_UP) {
1405
network.ifr_flags &= ~IFF_UP; /* clear flag */
1406
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1407
if(ret == -1){
1408
perror("ioctl SIOCSIFFLAGS");
1409
}
1410
}
1411
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1412
if(ret == -1){
1413
perror("close");
1414
}
1415
}
1416
1417
/* Removes the temp directory used by GPGME */
1418
if(tempdir_created){
1419
DIR *d;
1420
struct dirent *direntry;
1421
d = opendir(tempdir);
1422
if(d == NULL){
1423
if(errno != ENOENT){
1424
perror("opendir");
1425
}
1426
} else {
1427
while(true){
1428
direntry = readdir(d);
1429
if(direntry == NULL){
1430
break;
1431
}
1432
/* Skip "." and ".." */
1433
if(direntry->d_name[0] == '.'
1434
and (direntry->d_name[1] == '\0'
1435
or (direntry->d_name[1] == '.'
1436
and direntry->d_name[2] == '\0'))){
1437
continue;
1438
}
1439
char *fullname = NULL;
1440
ret = asprintf(&fullname, "%s/%s", tempdir,
1441
direntry->d_name);
1442
if(ret < 0){
1443
perror("asprintf");
1444
continue;
1445
}
1446
ret = remove(fullname);
1447
if(ret == -1){
1448
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1449
strerror(errno));
1450
}
1451
free(fullname);
1452
}
1453
closedir(d);
1454
}
1455
ret = rmdir(tempdir);
1456
if(ret == -1 and errno != ENOENT){
1457
perror("rmdir");
1458
}
1459
}
1460
1461
if(quit_now){
1462
sigemptyset(&old_sigterm_action.sa_mask);
1463
old_sigterm_action.sa_handler = SIG_DFL;
1464
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1465
if(ret == -1){
1466
perror("sigaction");
1467
}
1468
raise(signal_received);
1469
}
1470
1471
return exitcode;
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
807
avahi_strerror(error));
808
returncode = EXIT_FAILURE;
809
goto exit;
810
}
811
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
814
AVAHI_PROTO_INET6,
815
"_mandos._tcp", NULL, 0,
816
browse_callback, server);
817
if (!sb) {
818
fprintf(stderr, "Failed to create service browser: %s\n",
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
822
}
823
824
/* Run the main loop */
825
826
if (debug){
827
fprintf(stderr, "Starting avahi loop search\n");
828
}
829
830
avahi_simple_poll_loop(simple_poll);
831
832
exit:
833
834
if (debug){
835
fprintf(stderr, "%s exiting\n", argv[0]);
836
}
837
838
/* Cleanup things */
839
if (sb)
840
avahi_s_service_browser_free(sb);
841
842
if (server)
843
avahi_server_free(server);
844
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
849
850
return returncode;
1472
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0