To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.9
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.9
- Committer: Björn Påhlsson
- Date: 2008-08-02 21:06:29 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802210629-p9jc5515yufcg4ge
not working midwork...
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
86
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
87
88
#ifdef __linux__
89
#include <sys/klog.h> /* klogctl() */
90
#endif /* __linux__ */
91
92
/* Avahi */
93
/* All Avahi types, constants and functions
94
Avahi*, avahi_*,
95
AVAHI_* */
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
96
43
#include <avahi-core/core.h>
97
44
#include <avahi-core/lookup.h>
98
45
#include <avahi-core/log.h>
100
47
#include <avahi-common/malloc.h>
101
48
#include <avahi-common/error.h>
102
49
103
/* GnuTLS */
104
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
105
functions:
106
gnutls_*
107
init_gnutls_session(),
108
GNUTLS_* */
109
#include <gnutls/openpgp.h>
110
/* gnutls_certificate_set_openpgp_key_file(),
111
GNUTLS_OPENPGP_FMT_BASE64 */
112
113
/* GPGME */
114
#include <gpgme.h> /* All GPGME types, constants and
115
functions:
116
gpgme_*
117
GPGME_PROTOCOL_OpenPGP,
118
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
119
70
120
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
121
73
122
#define PATHDIR "/conf/conf.d/mandos"
123
#define SECKEY "seckey.txt"
124
#define PUBKEY "pubkey.txt"
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
125
77
126
78
bool debug = false;
127
static const char mandos_protocol_version[] = "1";
128
const char *argp_program_version = "mandos-client " VERSION;
129
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
130
79
131
/* Used for passing in values through the Avahi callback functions */
132
80
typedef struct {
133
81
AvahiSimplePoll *simple_poll;
134
82
AvahiServer *server;
135
83
gnutls_certificate_credentials_t cred;
136
84
unsigned int dh_bits;
137
gnutls_dh_params_t dh_params;
138
85
const char *priority;
86
} mandos_context;
87
88
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet,
90
const char *homedir){
91
gpgme_data_t dh_crypto, dh_plain;
139
92
gpgme_ctx_t ctx;
140
} mandos_context;
141
142
/* global context so signal handler can reach it*/
143
mandos_context mc = { .simple_poll = NULL, .server = NULL,
144
.dh_bits = 1024, .priority = "SECURE256"
145
":!CTYPE-X.509:+CTYPE-OPENPGP" };
146
147
sig_atomic_t quit_now = 0;
148
int signal_received = 0;
149
150
/*
151
* Make additional room in "buffer" for at least BUFFER_SIZE more
152
* bytes. "buffer_capacity" is how much is currently allocated,
153
* "buffer_length" is how much is already used.
154
*/
155
size_t incbuffer(char **buffer, size_t buffer_length,
156
size_t buffer_capacity){
157
if(buffer_length + BUFFER_SIZE > buffer_capacity){
158
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
159
if(buffer == NULL){
160
return 0;
161
}
162
buffer_capacity += BUFFER_SIZE;
163
}
164
return buffer_capacity;
165
}
166
167
/*
168
* Initialize GPGME.
169
*/
170
static bool init_gpgme(const char *seckey,
171
const char *pubkey, const char *tempdir){
172
93
gpgme_error_t rc;
94
ssize_t ret;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
173
97
gpgme_engine_info_t engine_info;
174
175
176
/*
177
* Helper function to insert pub and seckey to the engine keyring.
178
*/
179
bool import_key(const char *filename){
180
int ret;
181
int fd;
182
gpgme_data_t pgp_data;
183
184
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
185
if(fd == -1){
186
perror("open");
187
return false;
188
}
189
190
rc = gpgme_data_new_from_fd(&pgp_data, fd);
191
if(rc != GPG_ERR_NO_ERROR){
192
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
193
gpgme_strsource(rc), gpgme_strerror(rc));
194
return false;
195
}
196
197
rc = gpgme_op_import(mc.ctx, pgp_data);
198
if(rc != GPG_ERR_NO_ERROR){
199
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
200
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
202
}
203
204
ret = (int)TEMP_FAILURE_RETRY(close(fd));
205
if(ret == -1){
206
perror("close");
207
}
208
gpgme_data_release(pgp_data);
209
return true;
210
}
211
212
if(debug){
213
fprintf(stderr, "Initializing GPGME\n");
98
99
if (debug){
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
214
101
}
215
102
216
103
/* Init GPGME */
217
104
gpgme_check_version(NULL);
218
105
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
219
if(rc != GPG_ERR_NO_ERROR){
106
if (rc != GPG_ERR_NO_ERROR){
220
107
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
221
108
gpgme_strsource(rc), gpgme_strerror(rc));
222
return false;
109
return -1;
223
110
}
224
111
225
/* Set GPGME home directory for the OpenPGP engine only */
226
rc = gpgme_get_engine_info(&engine_info);
227
if(rc != GPG_ERR_NO_ERROR){
112
/* Set GPGME home directory */
113
rc = gpgme_get_engine_info (&engine_info);
114
if (rc != GPG_ERR_NO_ERROR){
228
115
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
229
116
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
117
return -1;
231
118
}
232
119
while(engine_info != NULL){
233
120
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
234
121
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
235
engine_info->file_name, tempdir);
122
engine_info->file_name, homedir);
236
123
break;
237
124
}
238
125
engine_info = engine_info->next;
239
126
}
240
127
if(engine_info == NULL){
241
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
242
return false;
243
}
244
245
/* Create new GPGME "context" */
246
rc = gpgme_new(&(mc.ctx));
247
if(rc != GPG_ERR_NO_ERROR){
248
fprintf(stderr, "bad gpgme_new: %s: %s\n",
249
gpgme_strsource(rc), gpgme_strerror(rc));
250
return false;
251
}
252
253
if(not import_key(pubkey) or not import_key(seckey)){
254
return false;
255
}
256
257
return true;
258
}
259
260
/*
261
* Decrypt OpenPGP data.
262
* Returns -1 on error
263
*/
264
static ssize_t pgp_packet_decrypt(const char *cryptotext,
265
size_t crypto_size,
266
char **plaintext){
267
gpgme_data_t dh_crypto, dh_plain;
268
gpgme_error_t rc;
269
ssize_t ret;
270
size_t plaintext_capacity = 0;
271
ssize_t plaintext_length = 0;
272
273
if(debug){
274
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
275
}
276
277
/* Create new GPGME data buffer from memory cryptotext */
278
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
279
0);
280
if(rc != GPG_ERR_NO_ERROR){
128
fprintf(stderr, "Could not set home dir to %s\n", homedir);
129
return -1;
130
}
131
132
/* Create new GPGME data buffer from packet buffer */
133
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
134
if (rc != GPG_ERR_NO_ERROR){
281
135
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
282
136
gpgme_strsource(rc), gpgme_strerror(rc));
283
137
return -1;
285
139
286
140
/* Create new empty GPGME data buffer for the plaintext */
287
141
rc = gpgme_data_new(&dh_plain);
288
if(rc != GPG_ERR_NO_ERROR){
142
if (rc != GPG_ERR_NO_ERROR){
289
143
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
290
144
gpgme_strsource(rc), gpgme_strerror(rc));
291
gpgme_data_release(dh_crypto);
292
return -1;
293
}
294
295
/* Decrypt data from the cryptotext data buffer to the plaintext
296
data buffer */
297
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
298
if(rc != GPG_ERR_NO_ERROR){
145
return -1;
146
}
147
148
/* Create new GPGME "context" */
149
rc = gpgme_new(&ctx);
150
if (rc != GPG_ERR_NO_ERROR){
151
fprintf(stderr, "bad gpgme_new: %s: %s\n",
152
gpgme_strsource(rc), gpgme_strerror(rc));
153
return -1;
154
}
155
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
158
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
159
if (rc != GPG_ERR_NO_ERROR){
299
160
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
300
161
gpgme_strsource(rc), gpgme_strerror(rc));
301
plaintext_length = -1;
302
if(debug){
303
gpgme_decrypt_result_t result;
304
result = gpgme_op_decrypt_result(mc.ctx);
305
if(result == NULL){
306
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
307
} else {
308
fprintf(stderr, "Unsupported algorithm: %s\n",
309
result->unsupported_algorithm);
310
fprintf(stderr, "Wrong key usage: %u\n",
311
result->wrong_key_usage);
312
if(result->file_name != NULL){
313
fprintf(stderr, "File name: %s\n", result->file_name);
314
}
315
gpgme_recipient_t recipient;
316
recipient = result->recipients;
162
return -1;
163
}
164
165
if(debug){
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
167
}
168
169
if (debug){
170
gpgme_decrypt_result_t result;
171
result = gpgme_op_decrypt_result(ctx);
172
if (result == NULL){
173
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
174
} else {
175
fprintf(stderr, "Unsupported algorithm: %s\n",
176
result->unsupported_algorithm);
177
fprintf(stderr, "Wrong key usage: %d\n",
178
result->wrong_key_usage);
179
if(result->file_name != NULL){
180
fprintf(stderr, "File name: %s\n", result->file_name);
181
}
182
gpgme_recipient_t recipient;
183
recipient = result->recipients;
184
if(recipient){
317
185
while(recipient != NULL){
318
186
fprintf(stderr, "Public key algorithm: %s\n",
319
187
gpgme_pubkey_algo_name(recipient->pubkey_algo));
325
193
}
326
194
}
327
195
}
328
goto decrypt_end;
329
196
}
330
197
331
if(debug){
332
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
333
}
198
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
gpgme_data_release(dh_crypto);
334
200
335
201
/* Seek back to the beginning of the GPGME plaintext data buffer */
336
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
337
perror("gpgme_data_seek");
338
plaintext_length = -1;
339
goto decrypt_end;
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
203
perror("pgpme_data_seek");
340
204
}
341
205
342
*plaintext = NULL;
206
*new_packet = 0;
343
207
while(true){
344
plaintext_capacity = incbuffer(plaintext,
345
(size_t)plaintext_length,
346
plaintext_capacity);
347
if(plaintext_capacity == 0){
348
perror("incbuffer");
349
plaintext_length = -1;
350
goto decrypt_end;
208
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
212
if (*new_packet == NULL){
213
perror("realloc");
214
return -1;
215
}
216
new_packet_capacity += BUFFER_SIZE;
351
217
}
352
218
353
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
354
220
BUFFER_SIZE);
355
221
/* Print the data, if any */
356
if(ret == 0){
357
/* EOF */
222
if (ret == 0){
358
223
break;
359
224
}
360
225
if(ret < 0){
361
226
perror("gpgme_data_read");
362
plaintext_length = -1;
363
goto decrypt_end;
364
}
365
plaintext_length += ret;
366
}
367
368
if(debug){
369
fprintf(stderr, "Decrypted password is: ");
370
for(ssize_t i = 0; i < plaintext_length; i++){
371
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
372
}
373
fprintf(stderr, "\n");
374
}
375
376
decrypt_end:
377
378
/* Delete the GPGME cryptotext data buffer */
379
gpgme_data_release(dh_crypto);
227
return -1;
228
}
229
new_packet_length += ret;
230
}
231
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
380
239
381
240
/* Delete the GPGME plaintext data buffer */
382
241
gpgme_data_release(dh_plain);
383
return plaintext_length;
242
return new_packet_length;
384
243
}
385
244
386
static const char * safer_gnutls_strerror(int value){
387
const char *ret = gnutls_strerror(value); /* Spurious warning from
388
-Wunreachable-code */
389
if(ret == NULL)
245
static const char * safer_gnutls_strerror (int value) {
246
const char *ret = gnutls_strerror (value);
247
if (ret == NULL)
390
248
ret = "(unknown)";
391
249
return ret;
392
250
}
393
251
394
/* GnuTLS log function callback */
395
252
static void debuggnutls(__attribute__((unused)) int level,
396
253
const char* string){
397
fprintf(stderr, "GnuTLS: %s", string);
254
fprintf(stderr, "%s", string);
398
255
}
399
256
400
static int init_gnutls_global(const char *pubkeyfilename,
401
const char *seckeyfilename){
257
static int initgnutls(mandos_context *mc){
258
const char *err;
402
259
int ret;
403
260
404
261
if(debug){
405
262
fprintf(stderr, "Initializing GnuTLS\n");
406
263
}
407
408
ret = gnutls_global_init();
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS global_init: %s\n",
411
safer_gnutls_strerror(ret));
264
265
if ((ret = gnutls_global_init ())
266
!= GNUTLS_E_SUCCESS) {
267
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
412
268
return -1;
413
269
}
414
415
if(debug){
416
/* "Use a log level over 10 to enable all debugging options."
417
* - GnuTLS manual
418
*/
270
271
if (debug){
419
272
gnutls_global_set_log_level(11);
420
273
gnutls_global_set_log_function(debuggnutls);
421
274
}
422
275
423
/* OpenPGP credentials */
424
gnutls_certificate_allocate_credentials(&mc.cred);
425
if(ret != GNUTLS_E_SUCCESS){
426
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
427
from
428
-Wunreachable-code
429
*/
430
safer_gnutls_strerror(ret));
431
gnutls_global_deinit();
276
/* openpgp credentials */
277
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
278
!= GNUTLS_E_SUCCESS) {
279
fprintf (stderr, "memory error: %s\n",
280
safer_gnutls_strerror(ret));
432
281
return -1;
433
282
}
434
283
435
284
if(debug){
436
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
437
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
438
seckeyfilename);
285
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
286
" and keyfile %s as GnuTLS credentials\n", certfile,
287
certkey);
439
288
}
440
289
441
290
ret = gnutls_certificate_set_openpgp_key_file
442
(mc.cred, pubkeyfilename, seckeyfilename,
443
GNUTLS_OPENPGP_FMT_BASE64);
444
if(ret != GNUTLS_E_SUCCESS){
445
fprintf(stderr,
446
"Error[%d] while reading the OpenPGP key pair ('%s',"
447
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
448
fprintf(stderr, "The GnuTLS error is: %s\n",
449
safer_gnutls_strerror(ret));
450
goto globalfail;
451
}
452
453
/* GnuTLS server initialization */
454
ret = gnutls_dh_params_init(&mc.dh_params);
455
if(ret != GNUTLS_E_SUCCESS){
456
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
457
" %s\n", safer_gnutls_strerror(ret));
458
goto globalfail;
459
}
460
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
461
if(ret != GNUTLS_E_SUCCESS){
462
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
463
safer_gnutls_strerror(ret));
464
goto globalfail;
465
}
466
467
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
468
469
return 0;
470
471
globalfail:
472
473
gnutls_certificate_free_credentials(mc.cred);
474
gnutls_global_deinit();
475
gnutls_dh_params_deinit(mc.dh_params);
476
return -1;
477
}
478
479
static int init_gnutls_session(gnutls_session_t *session){
480
int ret;
481
/* GnuTLS session creation */
482
do {
483
ret = gnutls_init(session, GNUTLS_SERVER);
484
if(quit_now){
485
return -1;
486
}
487
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
488
if(ret != GNUTLS_E_SUCCESS){
291
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
292
if (ret != GNUTLS_E_SUCCESS) {
293
fprintf
294
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
295
" '%s')\n",
296
ret, certfile, certkey);
297
fprintf(stdout, "The Error is: %s\n",
298
safer_gnutls_strerror(ret));
299
return -1;
300
}
301
302
//GnuTLS server initialization
303
if ((ret = gnutls_dh_params_init (&es->dh_params))
304
!= GNUTLS_E_SUCCESS) {
305
fprintf (stderr, "Error in dh parameter initialization: %s\n",
306
safer_gnutls_strerror(ret));
307
return -1;
308
}
309
310
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
311
!= GNUTLS_E_SUCCESS) {
312
fprintf (stderr, "Error in prime generation: %s\n",
313
safer_gnutls_strerror(ret));
314
return -1;
315
}
316
317
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
318
319
// GnuTLS session creation
320
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
321
!= GNUTLS_E_SUCCESS){
489
322
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
490
323
safer_gnutls_strerror(ret));
491
324
}
492
325
493
{
494
const char *err;
495
do {
496
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
497
if(quit_now){
498
gnutls_deinit(*session);
499
return -1;
500
}
501
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
502
if(ret != GNUTLS_E_SUCCESS){
503
fprintf(stderr, "Syntax error at: %s\n", err);
504
fprintf(stderr, "GnuTLS error: %s\n",
505
safer_gnutls_strerror(ret));
506
gnutls_deinit(*session);
507
return -1;
508
}
326
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Syntax error at: %s\n", err);
329
fprintf(stderr, "GnuTLS error: %s\n",
330
safer_gnutls_strerror(ret));
331
return -1;
509
332
}
510
333
511
do {
512
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
513
mc.cred);
514
if(quit_now){
515
gnutls_deinit(*session);
516
return -1;
517
}
518
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
519
if(ret != GNUTLS_E_SUCCESS){
520
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
334
if ((ret = gnutls_credentials_set
335
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
336
!= GNUTLS_E_SUCCESS) {
337
fprintf(stderr, "Error setting a credentials set: %s\n",
521
338
safer_gnutls_strerror(ret));
522
gnutls_deinit(*session);
523
339
return -1;
524
340
}
525
341
526
342
/* ignore client certificate if any. */
527
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
343
gnutls_certificate_server_set_request (es->session,
344
GNUTLS_CERT_IGNORE);
528
345
529
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
346
gnutls_dh_set_prime_bits (es->session, DH_BITS);
530
347
531
348
return 0;
532
349
}
533
350
534
/* Avahi log function callback */
535
351
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
536
352
__attribute__((unused)) const char *txt){}
537
353
538
/* Called when a Mandos server is found */
539
354
static int start_mandos_communication(const char *ip, uint16_t port,
540
355
AvahiIfIndex if_index,
541
int af){
542
int ret, tcp_sd = -1;
543
ssize_t sret;
544
union {
545
struct sockaddr_in in;
546
struct sockaddr_in6 in6;
547
} to;
356
mandos_context *mc){
357
int ret, tcp_sd;
358
struct sockaddr_in6 to;
359
encrypted_session es;
548
360
char *buffer = NULL;
549
char *decrypted_buffer = NULL;
361
char *decrypted_buffer;
550
362
size_t buffer_length = 0;
551
363
size_t buffer_capacity = 0;
552
size_t written;
553
int retval = -1;
554
gnutls_session_t session;
555
int pf; /* Protocol family */
556
557
errno = 0;
558
559
if(quit_now){
560
errno = EINTR;
561
return -1;
562
}
563
564
switch(af){
565
case AF_INET6:
566
pf = PF_INET6;
567
break;
568
case AF_INET:
569
pf = PF_INET;
570
break;
571
default:
572
fprintf(stderr, "Bad address family: %d\n", af);
573
errno = EINVAL;
574
return -1;
575
}
576
577
ret = init_gnutls_session(&session);
578
if(ret != 0){
579
return -1;
580
}
364
ssize_t decrypted_buffer_size;
365
size_t written = 0;
366
int retval = 0;
367
char interface[IF_NAMESIZE];
581
368
582
369
if(debug){
583
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
584
"\n", ip, port);
370
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
371
ip, port);
585
372
}
586
373
587
tcp_sd = socket(pf, SOCK_STREAM, 0);
588
if(tcp_sd < 0){
589
int e = errno;
374
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
375
if(tcp_sd < 0) {
590
376
perror("socket");
591
errno = e;
592
goto mandos_end;
593
}
594
595
if(quit_now){
596
errno = EINTR;
597
goto mandos_end;
598
}
599
600
memset(&to, 0, sizeof(to));
601
if(af == AF_INET6){
602
to.in6.sin6_family = (sa_family_t)af;
603
ret = inet_pton(af, ip, &to.in6.sin6_addr);
604
} else { /* IPv4 */
605
to.in.sin_family = (sa_family_t)af;
606
ret = inet_pton(af, ip, &to.in.sin_addr);
607
}
608
if(ret < 0 ){
609
int e = errno;
377
return -1;
378
}
379
380
if(debug){
381
if(if_indextoname((unsigned int)if_index, interface) == NULL){
382
if(debug){
383
perror("if_indextoname");
384
}
385
return -1;
386
}
387
388
fprintf(stderr, "Binding to interface %s\n", interface);
389
}
390
391
memset(&to,0,sizeof(to)); /* Spurious warning */
392
to.sin6_family = AF_INET6;
393
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
394
if (ret < 0 ){
610
395
perror("inet_pton");
611
errno = e;
612
goto mandos_end;
613
}
396
return -1;
397
}
614
398
if(ret == 0){
615
int e = errno;
616
399
fprintf(stderr, "Bad address: %s\n", ip);
617
errno = e;
618
goto mandos_end;
619
}
620
if(af == AF_INET6){
621
to.in6.sin6_port = htons(port); /* Spurious warnings from
622
-Wconversion and
623
-Wunreachable-code */
624
625
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
626
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
627
-Wunreachable-code*/
628
if(if_index == AVAHI_IF_UNSPEC){
629
fprintf(stderr, "An IPv6 link-local address is incomplete"
630
" without a network interface\n");
631
errno = EINVAL;
632
goto mandos_end;
633
}
634
/* Set the network interface number as scope */
635
to.in6.sin6_scope_id = (uint32_t)if_index;
636
}
637
} else {
638
to.in.sin_port = htons(port); /* Spurious warnings from
639
-Wconversion and
640
-Wunreachable-code */
641
}
400
return -1;
401
}
402
to.sin6_port = htons(port); /* Spurious warning */
642
403
643
if(quit_now){
644
errno = EINTR;
645
goto mandos_end;
646
}
404
to.sin6_scope_id = (uint32_t)if_index;
647
405
648
406
if(debug){
649
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
650
char interface[IF_NAMESIZE];
651
if(if_indextoname((unsigned int)if_index, interface) == NULL){
652
perror("if_indextoname");
653
} else {
654
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
655
ip, interface, port);
656
}
657
} else {
658
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
659
port);
660
}
661
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
662
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
663
const char *pcret;
664
if(af == AF_INET6){
665
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
666
sizeof(addrstr));
667
} else {
668
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
669
sizeof(addrstr));
670
}
671
if(pcret == NULL){
672
perror("inet_ntop");
673
} else {
674
if(strcmp(addrstr, ip) != 0){
675
fprintf(stderr, "Canonical address form: %s\n", addrstr);
676
}
677
}
678
}
679
680
if(quit_now){
681
errno = EINTR;
682
goto mandos_end;
683
}
684
685
if(af == AF_INET6){
686
ret = connect(tcp_sd, &to.in6, sizeof(to));
687
} else {
688
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
689
}
690
if(ret < 0){
691
int e = errno;
407
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
408
/* char addrstr[INET6_ADDRSTRLEN]; */
409
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
410
/* sizeof(addrstr)) == NULL){ */
411
/* perror("inet_ntop"); */
412
/* } else { */
413
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
414
/* addrstr, ntohs(to.sin6_port)); */
415
/* } */
416
}
417
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
692
420
perror("connect");
693
errno = e;
694
goto mandos_end;
695
}
696
697
if(quit_now){
698
errno = EINTR;
699
goto mandos_end;
700
}
701
702
const char *out = mandos_protocol_version;
703
written = 0;
704
while(true){
705
size_t out_size = strlen(out);
706
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
707
out_size - written));
708
if(ret == -1){
709
int e = errno;
710
perror("write");
711
errno = e;
712
goto mandos_end;
713
}
714
written += (size_t)ret;
715
if(written < out_size){
716
continue;
717
} else {
718
if(out == mandos_protocol_version){
719
written = 0;
720
out = "\r\n";
721
} else {
722
break;
723
}
724
}
725
726
if(quit_now){
727
errno = EINTR;
728
goto mandos_end;
729
}
730
}
421
return -1;
422
}
423
424
ret = initgnutls (&es);
425
if (ret != 0){
426
retval = -1;
427
return -1;
428
}
429
430
gnutls_transport_set_ptr (es.session,
431
(gnutls_transport_ptr_t) tcp_sd);
731
432
732
433
if(debug){
733
434
fprintf(stderr, "Establishing TLS session with %s\n", ip);
734
435
}
735
436
736
if(quit_now){
737
errno = EINTR;
738
goto mandos_end;
739
}
740
741
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
742
743
if(quit_now){
744
errno = EINTR;
745
goto mandos_end;
746
}
747
748
do {
749
ret = gnutls_handshake(session);
750
if(quit_now){
751
errno = EINTR;
752
goto mandos_end;
753
}
754
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
755
756
if(ret != GNUTLS_E_SUCCESS){
437
ret = gnutls_handshake (es.session);
438
439
if (ret != GNUTLS_E_SUCCESS){
757
440
if(debug){
758
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
759
gnutls_perror(ret);
441
fprintf(stderr, "\n*** Handshake failed ***\n");
442
gnutls_perror (ret);
760
443
}
761
errno = EPROTO;
762
goto mandos_end;
444
retval = -1;
445
goto exit;
763
446
}
764
447
765
/* Read OpenPGP packet that contains the wanted password */
448
//Retrieve OpenPGP packet that contains the wanted password
766
449
767
450
if(debug){
768
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
451
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
769
452
ip);
770
453
}
771
454
772
455
while(true){
773
774
if(quit_now){
775
errno = EINTR;
776
goto mandos_end;
777
}
778
779
buffer_capacity = incbuffer(&buffer, buffer_length,
780
buffer_capacity);
781
if(buffer_capacity == 0){
782
int e = errno;
783
perror("incbuffer");
784
errno = e;
785
goto mandos_end;
786
}
787
788
if(quit_now){
789
errno = EINTR;
790
goto mandos_end;
791
}
792
793
sret = gnutls_record_recv(session, buffer+buffer_length,
794
BUFFER_SIZE);
795
if(sret == 0){
456
if (buffer_length + BUFFER_SIZE > buffer_capacity){
457
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
458
if (buffer == NULL){
459
perror("realloc");
460
goto exit;
461
}
462
buffer_capacity += BUFFER_SIZE;
463
}
464
465
ret = gnutls_record_recv
466
(es.session, buffer+buffer_length, BUFFER_SIZE);
467
if (ret == 0){
796
468
break;
797
469
}
798
if(sret < 0){
799
switch(sret){
470
if (ret < 0){
471
switch(ret){
800
472
case GNUTLS_E_INTERRUPTED:
801
473
case GNUTLS_E_AGAIN:
802
474
break;
803
475
case GNUTLS_E_REHANDSHAKE:
804
do {
805
ret = gnutls_handshake(session);
806
807
if(quit_now){
808
errno = EINTR;
809
goto mandos_end;
810
}
811
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
812
if(ret < 0){
813
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
814
gnutls_perror(ret);
815
errno = EPROTO;
816
goto mandos_end;
476
ret = gnutls_handshake (es.session);
477
if (ret < 0){
478
fprintf(stderr, "\n*** Handshake failed ***\n");
479
gnutls_perror (ret);
480
retval = -1;
481
goto exit;
817
482
}
818
483
break;
819
484
default:
820
485
fprintf(stderr, "Unknown error while reading data from"
821
" encrypted session with Mandos server\n");
822
gnutls_bye(session, GNUTLS_SHUT_RDWR);
823
errno = EIO;
824
goto mandos_end;
486
" encrypted session with mandos server\n");
487
retval = -1;
488
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
489
goto exit;
825
490
}
826
491
} else {
827
buffer_length += (size_t) sret;
828
}
829
}
830
831
if(debug){
832
fprintf(stderr, "Closing TLS session\n");
833
}
834
835
if(quit_now){
836
errno = EINTR;
837
goto mandos_end;
838
}
839
840
do {
841
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
842
if(quit_now){
843
errno = EINTR;
844
goto mandos_end;
845
}
846
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
847
848
if(buffer_length > 0){
849
ssize_t decrypted_buffer_size;
492
buffer_length += (size_t) ret;
493
}
494
}
495
496
if (buffer_length > 0){
850
497
decrypted_buffer_size = pgp_packet_decrypt(buffer,
851
498
buffer_length,
852
&decrypted_buffer);
853
if(decrypted_buffer_size >= 0){
854
855
written = 0;
499
&decrypted_buffer,
500
certdir);
501
if (decrypted_buffer_size >= 0){
856
502
while(written < (size_t) decrypted_buffer_size){
857
if(quit_now){
858
errno = EINTR;
859
goto mandos_end;
860
}
861
862
ret = (int)fwrite(decrypted_buffer + written, 1,
863
(size_t)decrypted_buffer_size - written,
864
stdout);
503
ret = (int)fwrite (decrypted_buffer + written, 1,
504
(size_t)decrypted_buffer_size - written,
505
stdout);
865
506
if(ret == 0 and ferror(stdout)){
866
int e = errno;
867
507
if(debug){
868
508
fprintf(stderr, "Error writing encrypted data: %s\n",
869
509
strerror(errno));
870
510
}
871
errno = e;
872
goto mandos_end;
511
retval = -1;
512
break;
873
513
}
874
514
written += (size_t)ret;
875
515
}
876
retval = 0;
877
}
878
}
879
880
/* Shutdown procedure */
881
882
mandos_end:
883
{
884
int e = errno;
885
free(decrypted_buffer);
886
free(buffer);
887
if(tcp_sd >= 0){
888
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
889
}
890
if(ret == -1){
891
if(e == 0){
892
e = errno;
893
}
894
perror("close");
895
}
896
gnutls_deinit(session);
897
if(quit_now){
898
e = EINTR;
516
free(decrypted_buffer);
517
} else {
899
518
retval = -1;
900
519
}
901
errno = e;
902
}
520
}
521
522
//shutdown procedure
523
524
if(debug){
525
fprintf(stderr, "Closing TLS session\n");
526
}
527
528
free(buffer);
529
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
530
exit:
531
close(tcp_sd);
532
gnutls_deinit (es.session);
533
gnutls_certificate_free_credentials (es.cred);
534
gnutls_global_deinit ();
903
535
return retval;
904
536
}
905
537
906
static void resolve_callback(AvahiSServiceResolver *r,
907
AvahiIfIndex interface,
908
AvahiProtocol proto,
909
AvahiResolverEvent event,
910
const char *name,
911
const char *type,
912
const char *domain,
913
const char *host_name,
914
const AvahiAddress *address,
915
uint16_t port,
916
AVAHI_GCC_UNUSED AvahiStringList *txt,
917
AVAHI_GCC_UNUSED AvahiLookupResultFlags
918
flags,
919
AVAHI_GCC_UNUSED void* userdata){
920
assert(r);
538
static void resolve_callback( AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
mandos_context *mc = userdata;
552
assert(r); /* Spurious warning */
921
553
922
554
/* Called whenever a service has been resolved successfully or
923
555
timed out */
924
556
925
if(quit_now){
926
return;
927
}
928
929
switch(event){
557
switch (event) {
930
558
default:
931
559
case AVAHI_RESOLVER_FAILURE:
932
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
933
" of type '%s' in domain '%s': %s\n", name, type, domain,
934
avahi_strerror(avahi_server_errno(mc.server)));
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(mc->server)));
935
563
break;
936
564
937
565
case AVAHI_RESOLVER_FOUND:
939
567
char ip[AVAHI_ADDRESS_STR_MAX];
940
568
avahi_address_snprint(ip, sizeof(ip), address);
941
569
if(debug){
942
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
943
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
944
ip, (intmax_t)interface, port);
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
945
572
}
946
int ret = start_mandos_communication(ip, port, interface,
947
avahi_proto_to_af(proto));
948
if(ret == 0){
949
avahi_simple_poll_quit(mc.simple_poll);
573
int ret = start_mandos_communication(ip, port, interface, mc);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
950
576
}
951
577
}
952
578
}
953
579
avahi_s_service_resolver_free(r);
954
580
}
955
581
956
static void browse_callback(AvahiSServiceBrowser *b,
957
AvahiIfIndex interface,
958
AvahiProtocol protocol,
959
AvahiBrowserEvent event,
960
const char *name,
961
const char *type,
962
const char *domain,
963
AVAHI_GCC_UNUSED AvahiLookupResultFlags
964
flags,
965
AVAHI_GCC_UNUSED void* userdata){
966
assert(b);
582
static void browse_callback( AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
586
const char *name,
587
const char *type,
588
const char *domain,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
590
void* userdata) {
591
mandos_context *mc = userdata;
592
assert(b); /* Spurious warning */
967
593
968
594
/* Called whenever a new services becomes available on the LAN or
969
595
is removed from the LAN */
970
596
971
if(quit_now){
972
return;
973
}
974
975
switch(event){
597
switch (event) {
976
598
default:
977
599
case AVAHI_BROWSER_FAILURE:
978
979
fprintf(stderr, "(Avahi browser) %s\n",
980
avahi_strerror(avahi_server_errno(mc.server)));
981
avahi_simple_poll_quit(mc.simple_poll);
600
601
fprintf(stderr, "(Browser) %s\n",
602
avahi_strerror(avahi_server_errno(mc->server)));
603
avahi_simple_poll_quit(mc->simple_poll);
982
604
return;
983
605
984
606
case AVAHI_BROWSER_NEW:
985
/* We ignore the returned Avahi resolver object. In the callback
986
function we free it. If the Avahi server is terminated before
987
the callback function is called the Avahi server will free the
988
resolver for us. */
989
990
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
991
name, type, domain, protocol, 0,
992
resolve_callback, NULL) == NULL)
993
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
994
name, avahi_strerror(avahi_server_errno(mc.server)));
607
/* We ignore the returned resolver object. In the callback
608
function we free it. If the server is terminated before
609
the callback function is called the server will free
610
the resolver for us. */
611
612
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
613
type, domain,
614
AVAHI_PROTO_INET6, 0,
615
resolve_callback, mc)))
616
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
617
avahi_strerror(avahi_server_errno(s)));
995
618
break;
996
619
997
620
case AVAHI_BROWSER_REMOVE:
998
621
break;
999
622
1000
623
case AVAHI_BROWSER_ALL_FOR_NOW:
1001
624
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1002
if(debug){
1003
fprintf(stderr, "No Mandos server found, still searching...\n");
1004
}
1005
625
break;
1006
626
}
1007
627
}
1008
628
1009
/* stop main loop after sigterm has been called */
1010
static void handle_sigterm(int sig){
1011
if(quit_now){
1012
return;
1013
}
1014
quit_now = 1;
1015
signal_received = sig;
1016
int old_errno = errno;
1017
if(mc.simple_poll != NULL){
1018
avahi_simple_poll_quit(mc.simple_poll);
1019
}
1020
errno = old_errno;
629
/* Combines file name and path and returns the malloced new
630
string. some sane checks could/should be added */
631
static const char *combinepath(const char *first, const char *second){
632
size_t f_len = strlen(first);
633
size_t s_len = strlen(second);
634
char *tmp = malloc(f_len + s_len + 2);
635
if (tmp == NULL){
636
return NULL;
637
}
638
if(f_len > 0){
639
memcpy(tmp, first, f_len);
640
}
641
tmp[f_len] = '/';
642
if(s_len > 0){
643
memcpy(tmp + f_len + 1, second, s_len);
644
}
645
tmp[f_len + 1 + s_len] = '\0';
646
return tmp;
1021
647
}
1022
648
1023
int main(int argc, char *argv[]){
1024
AvahiSServiceBrowser *sb = NULL;
1025
int error;
1026
int ret;
1027
intmax_t tmpmax;
1028
char *tmp;
1029
int exitcode = EXIT_SUCCESS;
1030
const char *interface = "eth0";
1031
struct ifreq network;
1032
int sd = -1;
1033
bool take_down_interface = false;
1034
uid_t uid;
1035
gid_t gid;
1036
char *connect_to = NULL;
1037
char tempdir[] = "/tmp/mandosXXXXXX";
1038
bool tempdir_created = false;
1039
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1040
const char *seckey = PATHDIR "/" SECKEY;
1041
const char *pubkey = PATHDIR "/" PUBKEY;
1042
1043
bool gnutls_initialized = false;
1044
bool gpgme_initialized = false;
1045
float delay = 2.5f;
1046
1047
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1048
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1049
1050
uid = getuid();
1051
gid = getgid();
1052
1053
/* Lower any group privileges we might have, just to be safe */
1054
errno = 0;
1055
ret = setgid(gid);
1056
if(ret == -1){
1057
perror("setgid");
1058
}
1059
1060
/* Lower user privileges (temporarily) */
1061
errno = 0;
1062
ret = seteuid(uid);
1063
if(ret == -1){
1064
perror("seteuid");
1065
}
1066
1067
if(quit_now){
1068
goto end;
1069
}
1070
1071
{
1072
struct argp_option options[] = {
1073
{ .name = "debug", .key = 128,
1074
.doc = "Debug mode", .group = 3 },
1075
{ .name = "connect", .key = 'c',
1076
.arg = "ADDRESS:PORT",
1077
.doc = "Connect directly to a specific Mandos server",
1078
.group = 1 },
1079
{ .name = "interface", .key = 'i',
1080
.arg = "NAME",
1081
.doc = "Network interface that will be used to search for"
1082
" Mandos servers",
1083
.group = 1 },
1084
{ .name = "seckey", .key = 's',
1085
.arg = "FILE",
1086
.doc = "OpenPGP secret key file base name",
1087
.group = 1 },
1088
{ .name = "pubkey", .key = 'p',
1089
.arg = "FILE",
1090
.doc = "OpenPGP public key file base name",
1091
.group = 2 },
1092
{ .name = "dh-bits", .key = 129,
1093
.arg = "BITS",
1094
.doc = "Bit length of the prime number used in the"
1095
" Diffie-Hellman key exchange",
1096
.group = 2 },
1097
{ .name = "priority", .key = 130,
1098
.arg = "STRING",
1099
.doc = "GnuTLS priority string for the TLS handshake",
1100
.group = 1 },
1101
{ .name = "delay", .key = 131,
1102
.arg = "SECONDS",
1103
.doc = "Maximum delay to wait for interface startup",
1104
.group = 2 },
1105
/*
1106
* These reproduce what we would get without ARGP_NO_HELP
1107
*/
1108
{ .name = "help", .key = '?',
1109
.doc = "Give this help list", .group = -1 },
1110
{ .name = "usage", .key = -3,
1111
.doc = "Give a short usage message", .group = -1 },
1112
{ .name = "version", .key = 'V',
1113
.doc = "Print program version", .group = -1 },
1114
{ .name = NULL }
1115
};
649
650
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
651
AvahiServerConfig config;
652
AvahiSServiceBrowser *sb = NULL;
653
int error;
654
int ret;
655
int returncode = EXIT_SUCCESS;
656
const char *interface = "eth0";
657
struct ifreq network;
658
int sd;
659
char *connect_to = NULL;
660
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
661
mandos_context mc = { .simple_poll = NULL, .server = NULL,
662
.dh_bits = 2048, .priority = "SECURE256"};
1116
663
1117
error_t parse_opt(int key, char *arg,
1118
struct argp_state *state){
1119
errno = 0;
1120
switch(key){
1121
case 128: /* --debug */
1122
debug = true;
1123
break;
1124
case 'c': /* --connect */
1125
connect_to = arg;
1126
break;
1127
case 'i': /* --interface */
1128
interface = arg;
1129
break;
1130
case 's': /* --seckey */
1131
seckey = arg;
1132
break;
1133
case 'p': /* --pubkey */
1134
pubkey = arg;
1135
break;
1136
case 129: /* --dh-bits */
1137
errno = 0;
1138
tmpmax = strtoimax(arg, &tmp, 10);
1139
if(errno != 0 or tmp == arg or *tmp != '\0'
1140
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1141
argp_error(state, "Bad number of DH bits");
1142
}
1143
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1144
break;
1145
case 130: /* --priority */
1146
mc.priority = arg;
1147
break;
1148
case 131: /* --delay */
1149
errno = 0;
1150
delay = strtof(arg, &tmp);
1151
if(errno != 0 or tmp == arg or *tmp != '\0'){
1152
argp_error(state, "Bad delay");
1153
}
1154
break;
1155
/*
1156
* These reproduce what we would get without ARGP_NO_HELP
1157
*/
1158
case '?': /* --help */
1159
argp_state_help(state, state->out_stream,
1160
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1161
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1162
case -3: /* --usage */
1163
argp_state_help(state, state->out_stream,
1164
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1165
case 'V': /* --version */
1166
fprintf(state->out_stream, "%s\n", argp_program_version);
1167
exit(argp_err_exit_status);
664
while (true){
665
static struct option long_options[] = {
666
{"debug", no_argument, (int *)&debug, 1},
667
{"connect", required_argument, 0, 'C'},
668
{"interface", required_argument, 0, 'i'},
669
{"certdir", required_argument, 0, 'd'},
670
{"certkey", required_argument, 0, 'c'},
671
{"certfile", required_argument, 0, 'k'},
672
{"dh_bits", required_argument, 0, 'D'},
673
{"priority", required_argument, 0, 'p'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
case 'D':
703
{
704
long int tmp;
705
errno = 0;
706
tmp = strtol(optarg, NULL, 10);
707
if (errno == ERANGE){
708
perror("strtol");
709
exit(EXIT_FAILURE);
710
}
711
mc.dh_bits = tmp;
712
}
713
break;
714
case 'p':
715
mc.priority = optarg;
1168
716
break;
1169
717
default:
1170
return ARGP_ERR_UNKNOWN;
718
exit(EXIT_FAILURE);
1171
719
}
1172
return errno;
1173
}
1174
1175
struct argp argp = { .options = options, .parser = parse_opt,
1176
.args_doc = "",
1177
.doc = "Mandos client -- Get and decrypt"
1178
" passwords from a Mandos server" };
1179
ret = argp_parse(&argp, argc, argv,
1180
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1181
switch(ret){
1182
case 0:
1183
break;
1184
case ENOMEM:
1185
default:
1186
errno = ret;
1187
perror("argp_parse");
1188
exitcode = EX_OSERR;
1189
goto end;
1190
case EINVAL:
1191
exitcode = EX_USAGE;
1192
goto end;
1193
}
1194
}
1195
1196
if(not debug){
1197
avahi_set_log_function(empty_log);
1198
}
1199
1200
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1201
from the signal handler */
1202
/* Initialize the pseudo-RNG for Avahi */
1203
srand((unsigned int) time(NULL));
1204
mc.simple_poll = avahi_simple_poll_new();
1205
if(mc.simple_poll == NULL){
1206
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1207
exitcode = EX_UNAVAILABLE;
1208
goto end;
1209
}
1210
1211
sigemptyset(&sigterm_action.sa_mask);
1212
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1213
if(ret == -1){
1214
perror("sigaddset");
1215
exitcode = EX_OSERR;
1216
goto end;
1217
}
1218
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1219
if(ret == -1){
1220
perror("sigaddset");
1221
exitcode = EX_OSERR;
1222
goto end;
1223
}
1224
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1225
if(ret == -1){
1226
perror("sigaddset");
1227
exitcode = EX_OSERR;
1228
goto end;
1229
}
1230
/* Need to check if the handler is SIG_IGN before handling:
1231
| [[info:libc:Initial Signal Actions]] |
1232
| [[info:libc:Basic Signal Handling]] |
1233
*/
1234
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1235
if(ret == -1){
1236
perror("sigaction");
1237
return EX_OSERR;
1238
}
1239
if(old_sigterm_action.sa_handler != SIG_IGN){
1240
ret = sigaction(SIGINT, &sigterm_action, NULL);
1241
if(ret == -1){
1242
perror("sigaction");
1243
exitcode = EX_OSERR;
1244
goto end;
1245
}
1246
}
1247
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1248
if(ret == -1){
1249
perror("sigaction");
1250
return EX_OSERR;
1251
}
1252
if(old_sigterm_action.sa_handler != SIG_IGN){
1253
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1254
if(ret == -1){
1255
perror("sigaction");
1256
exitcode = EX_OSERR;
1257
goto end;
1258
}
1259
}
1260
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1261
if(ret == -1){
1262
perror("sigaction");
1263
return EX_OSERR;
1264
}
1265
if(old_sigterm_action.sa_handler != SIG_IGN){
1266
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1267
if(ret == -1){
1268
perror("sigaction");
1269
exitcode = EX_OSERR;
1270
goto end;
1271
}
1272
}
1273
1274
/* If the interface is down, bring it up */
1275
if(interface[0] != '\0'){
720
}
721
722
certfile = combinepath(certdir, certfile);
723
if (certfile == NULL){
724
perror("combinepath");
725
returncode = EXIT_FAILURE;
726
goto exit;
727
}
728
729
certkey = combinepath(certdir, certkey);
730
if (certkey == NULL){
731
perror("combinepath");
732
returncode = EXIT_FAILURE;
733
goto exit;
734
}
735
1276
736
if_index = (AvahiIfIndex) if_nametoindex(interface);
1277
737
if(if_index == 0){
1278
738
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1279
exitcode = EX_UNAVAILABLE;
1280
goto end;
1281
}
1282
1283
if(quit_now){
1284
goto end;
1285
}
1286
1287
/* Re-raise priviliges */
1288
errno = 0;
1289
ret = seteuid(0);
1290
if(ret == -1){
1291
perror("seteuid");
1292
}
1293
1294
#ifdef __linux__
1295
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1296
messages about the network interface to mess up the prompt */
1297
ret = klogctl(8, NULL, 5);
1298
bool restore_loglevel = true;
1299
if(ret == -1){
1300
restore_loglevel = false;
1301
perror("klogctl");
1302
}
1303
#endif /* __linux__ */
739
exit(EXIT_FAILURE);
740
}
741
742
if(connect_to != NULL){
743
/* Connect directly, do not use Zeroconf */
744
/* (Mainly meant for debugging) */
745
char *address = strrchr(connect_to, ':');
746
if(address == NULL){
747
fprintf(stderr, "No colon in address\n");
748
exit(EXIT_FAILURE);
749
}
750
errno = 0;
751
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
752
if(errno){
753
perror("Bad port number");
754
exit(EXIT_FAILURE);
755
}
756
*address = '\0';
757
address = connect_to;
758
ret = start_mandos_communication(address, port, if_index);
759
if(ret < 0){
760
exit(EXIT_FAILURE);
761
} else {
762
exit(EXIT_SUCCESS);
763
}
764
}
1304
765
1305
766
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1306
if(sd < 0){
767
if(sd < 0) {
1307
768
perror("socket");
1308
exitcode = EX_OSERR;
1309
#ifdef __linux__
1310
if(restore_loglevel){
1311
ret = klogctl(7, NULL, 0);
1312
if(ret == -1){
1313
perror("klogctl");
1314
}
1315
}
1316
#endif /* __linux__ */
1317
/* Lower privileges */
1318
errno = 0;
1319
ret = seteuid(uid);
1320
if(ret == -1){
1321
perror("seteuid");
1322
}
1323
goto end;
769
returncode = EXIT_FAILURE;
770
goto exit;
1324
771
}
1325
strcpy(network.ifr_name, interface);
772
strcpy(network.ifr_name, interface);
1326
773
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1327
774
if(ret == -1){
775
1328
776
perror("ioctl SIOCGIFFLAGS");
1329
#ifdef __linux__
1330
if(restore_loglevel){
1331
ret = klogctl(7, NULL, 0);
1332
if(ret == -1){
1333
perror("klogctl");
1334
}
1335
}
1336
#endif /* __linux__ */
1337
exitcode = EX_OSERR;
1338
/* Lower privileges */
1339
errno = 0;
1340
ret = seteuid(uid);
1341
if(ret == -1){
1342
perror("seteuid");
1343
}
1344
goto end;
777
returncode = EXIT_FAILURE;
778
goto exit;
1345
779
}
1346
780
if((network.ifr_flags & IFF_UP) == 0){
1347
781
network.ifr_flags |= IFF_UP;
1348
take_down_interface = true;
1349
782
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1350
783
if(ret == -1){
1351
take_down_interface = false;
1352
784
perror("ioctl SIOCSIFFLAGS");
1353
exitcode = EX_OSERR;
1354
#ifdef __linux__
1355
if(restore_loglevel){
1356
ret = klogctl(7, NULL, 0);
1357
if(ret == -1){
1358
perror("klogctl");
1359
}
1360
}
1361
#endif /* __linux__ */
1362
/* Lower privileges */
1363
errno = 0;
1364
ret = seteuid(uid);
1365
if(ret == -1){
1366
perror("seteuid");
1367
}
1368
goto end;
1369
}
1370
}
1371
/* sleep checking until interface is running */
1372
for(int i=0; i < delay * 4; i++){
1373
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1374
if(ret == -1){
1375
perror("ioctl SIOCGIFFLAGS");
1376
} else if(network.ifr_flags & IFF_RUNNING){
1377
break;
1378
}
1379
struct timespec sleeptime = { .tv_nsec = 250000000 };
1380
ret = nanosleep(&sleeptime, NULL);
1381
if(ret == -1 and errno != EINTR){
1382
perror("nanosleep");
1383
}
1384
}
1385
if(not take_down_interface){
1386
/* We won't need the socket anymore */
1387
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1388
if(ret == -1){
1389
perror("close");
1390
}
1391
}
1392
#ifdef __linux__
1393
if(restore_loglevel){
1394
/* Restores kernel loglevel to default */
1395
ret = klogctl(7, NULL, 0);
1396
if(ret == -1){
1397
perror("klogctl");
1398
}
1399
}
1400
#endif /* __linux__ */
1401
/* Lower privileges */
1402
errno = 0;
1403
if(take_down_interface){
1404
/* Lower privileges */
1405
ret = seteuid(uid);
1406
if(ret == -1){
1407
perror("seteuid");
1408
}
1409
} else {
1410
/* Lower privileges permanently */
1411
ret = setuid(uid);
1412
if(ret == -1){
1413
perror("setuid");
1414
}
1415
}
1416
}
1417
1418
if(quit_now){
1419
goto end;
1420
}
1421
1422
ret = init_gnutls_global(pubkey, seckey);
1423
if(ret == -1){
1424
fprintf(stderr, "init_gnutls_global failed\n");
1425
exitcode = EX_UNAVAILABLE;
1426
goto end;
1427
} else {
1428
gnutls_initialized = true;
1429
}
1430
1431
if(quit_now){
1432
goto end;
1433
}
1434
1435
tempdir_created = true;
1436
if(mkdtemp(tempdir) == NULL){
1437
tempdir_created = false;
1438
perror("mkdtemp");
1439
goto end;
1440
}
1441
1442
if(quit_now){
1443
goto end;
1444
}
1445
1446
if(not init_gpgme(pubkey, seckey, tempdir)){
1447
fprintf(stderr, "init_gpgme failed\n");
1448
exitcode = EX_UNAVAILABLE;
1449
goto end;
1450
} else {
1451
gpgme_initialized = true;
1452
}
1453
1454
if(quit_now){
1455
goto end;
1456
}
1457
1458
if(connect_to != NULL){
1459
/* Connect directly, do not use Zeroconf */
1460
/* (Mainly meant for debugging) */
1461
char *address = strrchr(connect_to, ':');
1462
if(address == NULL){
1463
fprintf(stderr, "No colon in address\n");
1464
exitcode = EX_USAGE;
1465
goto end;
1466
}
1467
1468
if(quit_now){
1469
goto end;
1470
}
1471
1472
uint16_t port;
1473
errno = 0;
1474
tmpmax = strtoimax(address+1, &tmp, 10);
1475
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1476
or tmpmax != (uint16_t)tmpmax){
1477
fprintf(stderr, "Bad port number\n");
1478
exitcode = EX_USAGE;
1479
goto end;
1480
}
1481
1482
if(quit_now){
1483
goto end;
1484
}
1485
1486
port = (uint16_t)tmpmax;
1487
*address = '\0';
1488
address = connect_to;
1489
/* Colon in address indicates IPv6 */
1490
int af;
1491
if(strchr(address, ':') != NULL){
1492
af = AF_INET6;
1493
} else {
1494
af = AF_INET;
1495
}
1496
1497
if(quit_now){
1498
goto end;
1499
}
1500
1501
ret = start_mandos_communication(address, port, if_index, af);
1502
if(ret < 0){
1503
switch(errno){
1504
case ENETUNREACH:
1505
case EHOSTDOWN:
1506
case EHOSTUNREACH:
1507
exitcode = EX_NOHOST;
1508
break;
1509
case EINVAL:
1510
exitcode = EX_USAGE;
1511
break;
1512
case EIO:
1513
exitcode = EX_IOERR;
1514
break;
1515
case EPROTO:
1516
exitcode = EX_PROTOCOL;
1517
break;
1518
default:
1519
exitcode = EX_OSERR;
1520
break;
1521
}
1522
} else {
1523
exitcode = EXIT_SUCCESS;
1524
}
1525
goto end;
1526
}
1527
1528
if(quit_now){
1529
goto end;
1530
}
1531
1532
{
1533
AvahiServerConfig config;
1534
/* Do not publish any local Zeroconf records */
785
returncode = EXIT_FAILURE;
786
goto exit;
787
}
788
}
789
close(sd);
790
791
if (not debug){
792
avahi_set_log_function(empty_log);
793
}
794
795
/* Initialize the psuedo-RNG */
796
srand((unsigned int) time(NULL));
797
798
/* Allocate main loop object */
799
if (!(mc.simple_poll = avahi_simple_poll_new())) {
800
fprintf(stderr, "Failed to create simple poll object.\n");
801
returncode = EXIT_FAILURE;
802
goto exit;
803
}
804
805
/* Do not publish any local records */
1535
806
avahi_server_config_init(&config);
1536
807
config.publish_hinfo = 0;
1537
808
config.publish_addresses = 0;
1538
809
config.publish_workstation = 0;
1539
810
config.publish_domain = 0;
1540
811
1541
812
/* Allocate a new server */
1542
mc.server = avahi_server_new(avahi_simple_poll_get
1543
(mc.simple_poll), &config, NULL,
1544
NULL, &error);
1545
1546
/* Free the Avahi configuration data */
813
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
814
&config, NULL, NULL, &error);
815
816
/* Free the configuration data */
1547
817
avahi_server_config_free(&config);
1548
}
1549
1550
/* Check if creating the Avahi server object succeeded */
1551
if(mc.server == NULL){
1552
fprintf(stderr, "Failed to create Avahi server: %s\n",
1553
avahi_strerror(error));
1554
exitcode = EX_UNAVAILABLE;
1555
goto end;
1556
}
1557
1558
if(quit_now){
1559
goto end;
1560
}
1561
1562
/* Create the Avahi service browser */
1563
sb = avahi_s_service_browser_new(mc.server, if_index,
1564
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1565
NULL, 0, browse_callback, NULL);
1566
if(sb == NULL){
1567
fprintf(stderr, "Failed to create service browser: %s\n",
1568
avahi_strerror(avahi_server_errno(mc.server)));
1569
exitcode = EX_UNAVAILABLE;
1570
goto end;
1571
}
1572
1573
if(quit_now){
1574
goto end;
1575
}
1576
1577
/* Run the main loop */
1578
1579
if(debug){
1580
fprintf(stderr, "Starting Avahi loop search\n");
1581
}
1582
1583
avahi_simple_poll_loop(mc.simple_poll);
1584
1585
end:
1586
1587
if(debug){
1588
fprintf(stderr, "%s exiting\n", argv[0]);
1589
}
1590
1591
/* Cleanup things */
1592
if(sb != NULL)
1593
avahi_s_service_browser_free(sb);
1594
1595
if(mc.server != NULL)
1596
avahi_server_free(mc.server);
1597
1598
if(mc.simple_poll != NULL)
1599
avahi_simple_poll_free(mc.simple_poll);
1600
1601
if(gnutls_initialized){
1602
gnutls_certificate_free_credentials(mc.cred);
1603
gnutls_global_deinit();
1604
gnutls_dh_params_deinit(mc.dh_params);
1605
}
1606
1607
if(gpgme_initialized){
1608
gpgme_release(mc.ctx);
1609
}
1610
1611
/* Take down the network interface */
1612
if(take_down_interface){
1613
/* Re-raise priviliges */
1614
errno = 0;
1615
ret = seteuid(0);
1616
if(ret == -1){
1617
perror("seteuid");
1618
}
1619
if(geteuid() == 0){
1620
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1621
if(ret == -1){
1622
perror("ioctl SIOCGIFFLAGS");
1623
} else if(network.ifr_flags & IFF_UP) {
1624
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1625
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1626
if(ret == -1){
1627
perror("ioctl SIOCSIFFLAGS");
1628
}
1629
}
1630
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1631
if(ret == -1){
1632
perror("close");
1633
}
1634
/* Lower privileges permanently */
1635
errno = 0;
1636
ret = setuid(uid);
1637
if(ret == -1){
1638
perror("setuid");
1639
}
1640
}
1641
}
1642
1643
/* Removes the temp directory used by GPGME */
1644
if(tempdir_created){
1645
DIR *d;
1646
struct dirent *direntry;
1647
d = opendir(tempdir);
1648
if(d == NULL){
1649
if(errno != ENOENT){
1650
perror("opendir");
1651
}
1652
} else {
1653
while(true){
1654
direntry = readdir(d);
1655
if(direntry == NULL){
1656
break;
1657
}
1658
/* Skip "." and ".." */
1659
if(direntry->d_name[0] == '.'
1660
and (direntry->d_name[1] == '\0'
1661
or (direntry->d_name[1] == '.'
1662
and direntry->d_name[2] == '\0'))){
1663
continue;
1664
}
1665
char *fullname = NULL;
1666
ret = asprintf(&fullname, "%s/%s", tempdir,
1667
direntry->d_name);
1668
if(ret < 0){
1669
perror("asprintf");
1670
continue;
1671
}
1672
ret = remove(fullname);
1673
if(ret == -1){
1674
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1675
strerror(errno));
1676
}
1677
free(fullname);
1678
}
1679
closedir(d);
1680
}
1681
ret = rmdir(tempdir);
1682
if(ret == -1 and errno != ENOENT){
1683
perror("rmdir");
1684
}
1685
}
1686
1687
if(quit_now){
1688
sigemptyset(&old_sigterm_action.sa_mask);
1689
old_sigterm_action.sa_handler = SIG_DFL;
1690
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1691
&old_sigterm_action,
1692
NULL));
1693
if(ret == -1){
1694
perror("sigaction");
1695
}
1696
do {
1697
ret = raise(signal_received);
1698
} while(ret != 0 and errno == EINTR);
1699
if(ret != 0){
1700
perror("raise");
1701
abort();
1702
}
1703
TEMP_FAILURE_RETRY(pause());
1704
}
1705
1706
return exitcode;
818
819
/* Check if creating the server object succeeded */
820
if (!mc.server) {
821
fprintf(stderr, "Failed to create server: %s\n",
822
avahi_strerror(error));
823
returncode = EXIT_FAILURE;
824
goto exit;
825
}
826
827
/* Create the service browser */
828
sb = avahi_s_service_browser_new(mc.server, if_index,
829
AVAHI_PROTO_INET6,
830
"_mandos._tcp", NULL, 0,
831
browse_callback, &mc);
832
if (!sb) {
833
fprintf(stderr, "Failed to create service browser: %s\n",
834
avahi_strerror(avahi_server_errno(mc.server)));
835
returncode = EXIT_FAILURE;
836
goto exit;
837
}
838
839
/* Run the main loop */
840
841
if (debug){
842
fprintf(stderr, "Starting avahi loop search\n");
843
}
844
845
avahi_simple_poll_loop(simple_poll);
846
847
exit:
848
849
if (debug){
850
fprintf(stderr, "%s exiting\n", argv[0]);
851
}
852
853
/* Cleanup things */
854
if (sb)
855
avahi_s_service_browser_free(sb);
856
857
if (mc.server)
858
avahi_server_free(mc.server);
859
860
if (simple_poll)
861
avahi_simple_poll_free(simple_poll);
862
free(certfile);
863
free(certkey);
864
865
return returncode;
1707
866
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0