To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 246
- compare with another revision
- download diff
- download tarball
- view history from revision 246
- Committer: Teddy Hogeborn
- Date: 2009-01-04 21:54:55 UTC
- Revision ID: teddy@fukt.bsnet.se-20090104215455-o5q1zdrlxzr1wmn1
* README: Update copyright year; add "2009".
* debian/copyright: - '' -
* mandos: - '' -
* mandos-clients.conf.xml: - '' -
* mandos-keygen: - '' -
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/mandos-client.xml: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml: - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml: - '' -
* debian/copyright: - '' -
* mandos: - '' -
* mandos-clients.conf.xml: - '' -
* mandos-keygen: - '' -
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/mandos-client.xml: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml: - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml: - '' -
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#define _LARGEFILE_SOURCE
34
34
#define _FILE_OFFSET_BITS 64
35
35
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16 */
59
#include <assert.h> /* assert() */
60
#include <errno.h> /* perror(), errno */
61
#include <time.h> /* time() */
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
63
SIOCSIFFLAGS, if_indextoname(),
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
67
getuid(), getgid(), setuid(),
68
setgid() */
69
#include <arpa/inet.h> /* inet_pton(), htons */
70
#include <iso646.h> /* not, and */
71
#include <argp.h> /* struct argp_option, error_t, struct
72
argp_state, struct argp,
73
argp_parse(), ARGP_KEY_ARG,
74
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
75
76
/* Avahi */
77
/* All Avahi types, constants and functions
78
Avahi*, avahi_*,
79
AVAHI_* */
42
80
#include <avahi-core/core.h>
43
81
#include <avahi-core/lookup.h>
44
82
#include <avahi-core/log.h>
46
84
#include <avahi-common/malloc.h>
47
85
#include <avahi-common/error.h>
48
86
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
69
70
#ifndef CERT_ROOT
71
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
72
#endif
73
#define CERTFILE CERT_ROOT "openpgp-client.txt"
74
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
87
/* GnuTLS */
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
90
gnutls_*
91
init_gnutls_session(),
92
GNUTLS_* */
93
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
94
GNUTLS_OPENPGP_FMT_BASE64 */
95
96
/* GPGME */
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
99
gpgme_*
100
GPGME_PROTOCOL_OpenPGP,
101
GPG_ERR_NO_* */
102
75
103
#define BUFFER_SIZE 256
76
#define DH_BITS 1024
104
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
77
108
78
109
bool debug = false;
110
static const char mandos_protocol_version[] = "1";
111
const char *argp_program_version = "mandos-client " VERSION;
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
79
113
114
/* Used for passing in values through the Avahi callback functions */
80
115
typedef struct {
81
gnutls_session_t session;
116
AvahiSimplePoll *simple_poll;
117
AvahiServer *server;
82
118
gnutls_certificate_credentials_t cred;
119
unsigned int dh_bits;
83
120
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
121
const char *priority;
90
122
gpgme_ctx_t ctx;
123
} mandos_context;
124
125
/*
126
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
127
* "buffer_capacity" is how much is currently allocated,
128
* "buffer_length" is how much is already used.
129
*/
130
size_t adjustbuffer(char **buffer, size_t buffer_length,
131
size_t buffer_capacity){
132
if (buffer_length + BUFFER_SIZE > buffer_capacity){
133
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
134
if (buffer == NULL){
135
return 0;
136
}
137
buffer_capacity += BUFFER_SIZE;
138
}
139
return buffer_capacity;
140
}
141
142
/*
143
* Initialize GPGME.
144
*/
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
91
148
gpgme_error_t rc;
92
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
95
149
gpgme_engine_info_t engine_info;
96
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
97
187
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
188
fprintf(stderr, "Initialize gpgme\n");
99
189
}
100
190
101
191
/* Init GPGME */
102
192
gpgme_check_version(NULL);
103
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
193
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
194
if (rc != GPG_ERR_NO_ERROR){
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
196
gpgme_strsource(rc), gpgme_strerror(rc));
197
return false;
198
}
104
199
105
/* Set GPGME home directory */
200
/* Set GPGME home directory for the OpenPGP engine only */
106
201
rc = gpgme_get_engine_info (&engine_info);
107
202
if (rc != GPG_ERR_NO_ERROR){
108
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
109
204
gpgme_strsource(rc), gpgme_strerror(rc));
110
return -1;
205
return false;
111
206
}
112
207
while(engine_info != NULL){
113
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
114
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
115
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
116
211
break;
117
212
}
118
213
engine_info = engine_info->next;
119
214
}
120
215
if(engine_info == NULL){
121
fprintf(stderr, "Could not set home dir to %s\n", homedir);
122
return -1;
123
}
124
125
/* Create new GPGME data buffer from packet buffer */
126
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
251
}
252
253
/* Create new GPGME data buffer from memory cryptotext */
254
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
255
0);
127
256
if (rc != GPG_ERR_NO_ERROR){
128
257
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
129
258
gpgme_strsource(rc), gpgme_strerror(rc));
135
264
if (rc != GPG_ERR_NO_ERROR){
136
265
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
137
266
gpgme_strsource(rc), gpgme_strerror(rc));
138
return -1;
139
}
140
141
/* Create new GPGME "context" */
142
rc = gpgme_new(&ctx);
143
if (rc != GPG_ERR_NO_ERROR){
144
fprintf(stderr, "bad gpgme_new: %s: %s\n",
145
gpgme_strsource(rc), gpgme_strerror(rc));
146
return -1;
147
}
148
149
/* Decrypt data from the FILE pointer to the plaintext data
150
buffer */
151
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
267
gpgme_data_release(dh_crypto);
268
return -1;
269
}
270
271
/* Decrypt data from the cryptotext data buffer to the plaintext
272
data buffer */
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
152
274
if (rc != GPG_ERR_NO_ERROR){
153
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
154
276
gpgme_strsource(rc), gpgme_strerror(rc));
155
return -1;
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
306
goto decrypt_end;
156
307
}
157
308
158
309
if(debug){
159
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
160
}
161
162
if (debug){
163
gpgme_decrypt_result_t result;
164
result = gpgme_op_decrypt_result(ctx);
165
if (result == NULL){
166
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
167
} else {
168
fprintf(stderr, "Unsupported algorithm: %s\n",
169
result->unsupported_algorithm);
170
fprintf(stderr, "Wrong key usage: %d\n",
171
result->wrong_key_usage);
172
if(result->file_name != NULL){
173
fprintf(stderr, "File name: %s\n", result->file_name);
174
}
175
gpgme_recipient_t recipient;
176
recipient = result->recipients;
177
if(recipient){
178
while(recipient != NULL){
179
fprintf(stderr, "Public key algorithm: %s\n",
180
gpgme_pubkey_algo_name(recipient->pubkey_algo));
181
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
182
fprintf(stderr, "Secret key available: %s\n",
183
recipient->status == GPG_ERR_NO_SECKEY
184
? "No" : "Yes");
185
recipient = recipient->next;
186
}
187
}
188
}
189
}
190
191
/* Delete the GPGME FILE pointer cryptotext data buffer */
192
gpgme_data_release(dh_crypto);
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
311
}
193
312
194
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
195
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
196
197
*new_packet = 0;
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
315
perror("gpgme_data_seek");
316
plaintext_length = -1;
317
goto decrypt_end;
318
}
319
320
*plaintext = NULL;
198
321
while(true){
199
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
200
*new_packet = realloc(*new_packet,
201
(unsigned int)new_packet_capacity
202
+ BUFFER_SIZE);
203
if (*new_packet == NULL){
204
perror("realloc");
205
return -1;
206
}
207
new_packet_capacity += BUFFER_SIZE;
322
plaintext_capacity = adjustbuffer(plaintext,
323
(size_t)plaintext_length,
324
plaintext_capacity);
325
if (plaintext_capacity == 0){
326
perror("adjustbuffer");
327
plaintext_length = -1;
328
goto decrypt_end;
208
329
}
209
330
210
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
331
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
211
332
BUFFER_SIZE);
212
333
/* Print the data, if any */
213
334
if (ret == 0){
335
/* EOF */
214
336
break;
215
337
}
216
338
if(ret < 0){
217
339
perror("gpgme_data_read");
218
return -1;
219
}
220
new_packet_length += ret;
221
}
222
223
/* FIXME: check characters before printing to screen so to not print
224
terminal control characters */
225
/* if(debug){ */
226
/* fprintf(stderr, "decrypted password is: "); */
227
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
228
/* fprintf(stderr, "\n"); */
229
/* } */
340
plaintext_length = -1;
341
goto decrypt_end;
342
}
343
plaintext_length += ret;
344
}
345
346
if(debug){
347
fprintf(stderr, "Decrypted password is: ");
348
for(ssize_t i = 0; i < plaintext_length; i++){
349
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
350
}
351
fprintf(stderr, "\n");
352
}
353
354
decrypt_end:
355
356
/* Delete the GPGME cryptotext data buffer */
357
gpgme_data_release(dh_crypto);
230
358
231
359
/* Delete the GPGME plaintext data buffer */
232
360
gpgme_data_release(dh_plain);
233
return new_packet_length;
361
return plaintext_length;
234
362
}
235
363
236
364
static const char * safer_gnutls_strerror (int value) {
237
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
238
366
if (ret == NULL)
239
367
ret = "(unknown)";
240
368
return ret;
241
369
}
242
370
243
void debuggnutls(__attribute__((unused)) int level,
244
const char* string){
245
fprintf(stderr, "%s", string);
371
/* GnuTLS log function callback */
372
static void debuggnutls(__attribute__((unused)) int level,
373
const char* string){
374
fprintf(stderr, "GnuTLS: %s", string);
246
375
}
247
376
248
int initgnutls(encrypted_session *es){
249
const char *err;
377
static int init_gnutls_global(mandos_context *mc,
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
250
380
int ret;
251
381
252
382
if(debug){
253
383
fprintf(stderr, "Initializing GnuTLS\n");
254
384
}
255
385
256
if ((ret = gnutls_global_init ())
257
!= GNUTLS_E_SUCCESS) {
258
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
386
ret = gnutls_global_init();
387
if (ret != GNUTLS_E_SUCCESS) {
388
fprintf (stderr, "GnuTLS global_init: %s\n",
389
safer_gnutls_strerror(ret));
259
390
return -1;
260
391
}
261
392
262
393
if (debug){
394
/* "Use a log level over 10 to enable all debugging options."
395
* - GnuTLS manual
396
*/
263
397
gnutls_global_set_log_level(11);
264
398
gnutls_global_set_log_function(debuggnutls);
265
399
}
266
400
267
/* openpgp credentials */
268
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
269
!= GNUTLS_E_SUCCESS) {
270
fprintf (stderr, "memory error: %s\n",
401
/* OpenPGP credentials */
402
gnutls_certificate_allocate_credentials(&mc->cred);
403
if (ret != GNUTLS_E_SUCCESS){
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
271
406
safer_gnutls_strerror(ret));
407
gnutls_global_deinit ();
272
408
return -1;
273
409
}
274
410
275
411
if(debug){
276
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
277
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
278
KEYFILE);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
279
415
}
280
416
281
417
ret = gnutls_certificate_set_openpgp_key_file
282
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
283
420
if (ret != GNUTLS_E_SUCCESS) {
284
fprintf
285
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
286
" '%s')\n",
287
ret, CERTFILE, KEYFILE);
288
fprintf(stdout, "The Error is: %s\n",
421
fprintf(stderr,
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
289
425
safer_gnutls_strerror(ret));
290
return -1;
291
}
292
293
//GnuTLS server initialization
294
if ((ret = gnutls_dh_params_init (&es->dh_params))
295
!= GNUTLS_E_SUCCESS) {
296
fprintf (stderr, "Error in dh parameter initialization: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in prime generation: %s\n",
304
safer_gnutls_strerror(ret));
305
return -1;
306
}
307
308
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
309
310
// GnuTLS session creation
311
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
312
!= GNUTLS_E_SUCCESS){
426
goto globalfail;
427
}
428
429
/* GnuTLS server initialization */
430
ret = gnutls_dh_params_init(&mc->dh_params);
431
if (ret != GNUTLS_E_SUCCESS) {
432
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
433
" %s\n", safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
437
if (ret != GNUTLS_E_SUCCESS) {
438
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
439
safer_gnutls_strerror(ret));
440
goto globalfail;
441
}
442
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
444
445
return 0;
446
447
globalfail:
448
449
gnutls_certificate_free_credentials(mc->cred);
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
452
return -1;
453
}
454
455
static int init_gnutls_session(mandos_context *mc,
456
gnutls_session_t *session){
457
int ret;
458
/* GnuTLS session creation */
459
ret = gnutls_init(session, GNUTLS_SERVER);
460
if (ret != GNUTLS_E_SUCCESS){
313
461
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
314
462
safer_gnutls_strerror(ret));
315
463
}
316
464
317
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf(stderr, "Syntax error at: %s\n", err);
320
fprintf(stderr, "GnuTLS error: %s\n",
321
safer_gnutls_strerror(ret));
322
return -1;
465
{
466
const char *err;
467
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
468
if (ret != GNUTLS_E_SUCCESS) {
469
fprintf(stderr, "Syntax error at: %s\n", err);
470
fprintf(stderr, "GnuTLS error: %s\n",
471
safer_gnutls_strerror(ret));
472
gnutls_deinit (*session);
473
return -1;
474
}
323
475
}
324
476
325
if ((ret = gnutls_credentials_set
326
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Error setting a credentials set: %s\n",
477
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
478
mc->cred);
479
if (ret != GNUTLS_E_SUCCESS) {
480
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
329
481
safer_gnutls_strerror(ret));
482
gnutls_deinit (*session);
330
483
return -1;
331
484
}
332
485
333
486
/* ignore client certificate if any. */
334
gnutls_certificate_server_set_request (es->session,
487
gnutls_certificate_server_set_request (*session,
335
488
GNUTLS_CERT_IGNORE);
336
489
337
gnutls_dh_set_prime_bits (es->session, DH_BITS);
490
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
338
491
339
492
return 0;
340
493
}
341
494
342
void empty_log(__attribute__((unused)) AvahiLogLevel level,
343
__attribute__((unused)) const char *txt){}
495
/* Avahi log function callback */
496
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
497
__attribute__((unused)) const char *txt){}
344
498
345
int start_mandos_communication(const char *ip, uint16_t port,
346
AvahiIfIndex if_index){
499
/* Called when a Mandos server is found */
500
static int start_mandos_communication(const char *ip, uint16_t port,
501
AvahiIfIndex if_index,
502
mandos_context *mc){
347
503
int ret, tcp_sd;
348
struct sockaddr_in6 to;
349
encrypted_session es;
504
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
350
505
char *buffer = NULL;
351
506
char *decrypted_buffer;
352
507
size_t buffer_length = 0;
353
508
size_t buffer_capacity = 0;
354
509
ssize_t decrypted_buffer_size;
355
size_t written = 0;
510
size_t written;
356
511
int retval = 0;
357
512
char interface[IF_NAMESIZE];
513
gnutls_session_t session;
514
515
ret = init_gnutls_session (mc, &session);
516
if (ret != 0){
517
return -1;
518
}
358
519
359
520
if(debug){
360
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
361
ip, port);
521
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
522
"\n", ip, port);
362
523
}
363
524
364
525
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
367
528
return -1;
368
529
}
369
530
370
if(if_indextoname((unsigned int)if_index, interface) == NULL){
371
if(debug){
531
if(debug){
532
if(if_indextoname((unsigned int)if_index, interface) == NULL){
372
533
perror("if_indextoname");
534
return -1;
373
535
}
374
return -1;
375
}
376
377
if(debug){
378
536
fprintf(stderr, "Binding to interface %s\n", interface);
379
537
}
380
538
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
539
memset(&to, 0, sizeof(to));
540
to.in6.sin6_family = AF_INET6;
541
/* It would be nice to have a way to detect if we were passed an
542
IPv4 address here. Now we assume an IPv6 address. */
543
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
384
544
if (ret < 0 ){
385
545
perror("inet_pton");
386
546
return -1;
387
}
547
}
388
548
if(ret == 0){
389
549
fprintf(stderr, "Bad address: %s\n", ip);
390
550
return -1;
391
551
}
392
to.sin6_port = htons(port); /* Spurious warning */
552
to.in6.sin6_port = htons(port); /* Spurious warning */
393
553
394
to.sin6_scope_id = (uint32_t)if_index;
554
to.in6.sin6_scope_id = (uint32_t)if_index;
395
555
396
556
if(debug){
397
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
398
/* char addrstr[INET6_ADDRSTRLEN]; */
399
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
400
/* sizeof(addrstr)) == NULL){ */
401
/* perror("inet_ntop"); */
402
/* } else { */
403
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
404
/* addrstr, ntohs(to.sin6_port)); */
405
/* } */
557
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
558
port);
559
char addrstr[INET6_ADDRSTRLEN] = "";
560
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
561
sizeof(addrstr)) == NULL){
562
perror("inet_ntop");
563
} else {
564
if(strcmp(addrstr, ip) != 0){
565
fprintf(stderr, "Canonical address form: %s\n", addrstr);
566
}
567
}
406
568
}
407
569
408
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
570
ret = connect(tcp_sd, &to.in, sizeof(to));
409
571
if (ret < 0){
410
572
perror("connect");
411
573
return -1;
412
574
}
413
575
414
ret = initgnutls (&es);
415
if (ret != 0){
416
retval = -1;
417
return -1;
576
const char *out = mandos_protocol_version;
577
written = 0;
578
while (true){
579
size_t out_size = strlen(out);
580
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
581
out_size - written));
582
if (ret == -1){
583
perror("write");
584
retval = -1;
585
goto mandos_end;
586
}
587
written += (size_t)ret;
588
if(written < out_size){
589
continue;
590
} else {
591
if (out == mandos_protocol_version){
592
written = 0;
593
out = "\r\n";
594
} else {
595
break;
596
}
597
}
418
598
}
419
599
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
422
423
600
if(debug){
424
601
fprintf(stderr, "Establishing TLS session with %s\n", ip);
425
602
}
426
603
427
ret = gnutls_handshake (es.session);
604
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
605
606
do{
607
ret = gnutls_handshake (session);
608
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
428
609
429
610
if (ret != GNUTLS_E_SUCCESS){
430
611
if(debug){
431
fprintf(stderr, "\n*** Handshake failed ***\n");
612
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
432
613
gnutls_perror (ret);
433
614
}
434
615
retval = -1;
435
goto exit;
616
goto mandos_end;
436
617
}
437
618
438
//Retrieve OpenPGP packet that contains the wanted password
619
/* Read OpenPGP packet that contains the wanted password */
439
620
440
621
if(debug){
441
622
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
442
623
ip);
443
624
}
444
625
445
626
while(true){
446
if (buffer_length + BUFFER_SIZE > buffer_capacity){
447
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
448
if (buffer == NULL){
449
perror("realloc");
450
goto exit;
451
}
452
buffer_capacity += BUFFER_SIZE;
627
buffer_capacity = adjustbuffer(&buffer, buffer_length,
628
buffer_capacity);
629
if (buffer_capacity == 0){
630
perror("adjustbuffer");
631
retval = -1;
632
goto mandos_end;
453
633
}
454
634
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
635
ret = gnutls_record_recv(session, buffer+buffer_length,
636
BUFFER_SIZE);
457
637
if (ret == 0){
458
638
break;
459
639
}
463
643
case GNUTLS_E_AGAIN:
464
644
break;
465
645
case GNUTLS_E_REHANDSHAKE:
466
ret = gnutls_handshake (es.session);
646
do{
647
ret = gnutls_handshake (session);
648
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
467
649
if (ret < 0){
468
fprintf(stderr, "\n*** Handshake failed ***\n");
650
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
469
651
gnutls_perror (ret);
470
652
retval = -1;
471
goto exit;
653
goto mandos_end;
472
654
}
473
655
break;
474
656
default:
475
657
fprintf(stderr, "Unknown error while reading data from"
476
" encrypted session with mandos server\n");
658
" encrypted session with Mandos server\n");
477
659
retval = -1;
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
479
goto exit;
660
gnutls_bye (session, GNUTLS_SHUT_RDWR);
661
goto mandos_end;
480
662
}
481
663
} else {
482
664
buffer_length += (size_t) ret;
483
665
}
484
666
}
485
667
668
if(debug){
669
fprintf(stderr, "Closing TLS session\n");
670
}
671
672
gnutls_bye (session, GNUTLS_SHUT_RDWR);
673
486
674
if (buffer_length > 0){
487
decrypted_buffer_size = pgp_packet_decrypt(buffer,
675
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
488
676
buffer_length,
489
&decrypted_buffer,
490
CERT_ROOT);
677
&decrypted_buffer);
491
678
if (decrypted_buffer_size >= 0){
679
written = 0;
492
680
while(written < (size_t) decrypted_buffer_size){
493
681
ret = (int)fwrite (decrypted_buffer + written, 1,
494
682
(size_t)decrypted_buffer_size - written,
507
695
} else {
508
696
retval = -1;
509
697
}
510
}
511
512
//shutdown procedure
513
514
if(debug){
515
fprintf(stderr, "Closing TLS session\n");
516
}
517
698
} else {
699
retval = -1;
700
}
701
702
/* Shutdown procedure */
703
704
mandos_end:
518
705
free(buffer);
519
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
520
exit:
521
close(tcp_sd);
522
gnutls_deinit (es.session);
523
gnutls_certificate_free_credentials (es.cred);
524
gnutls_global_deinit ();
706
ret = TEMP_FAILURE_RETRY(close(tcp_sd));
707
if(ret == -1){
708
perror("close");
709
}
710
gnutls_deinit (session);
525
711
return retval;
526
712
}
527
713
528
static AvahiSimplePoll *simple_poll = NULL;
529
static AvahiServer *server = NULL;
530
531
static void resolve_callback(
532
AvahiSServiceResolver *r,
533
AvahiIfIndex interface,
534
AVAHI_GCC_UNUSED AvahiProtocol protocol,
535
AvahiResolverEvent event,
536
const char *name,
537
const char *type,
538
const char *domain,
539
const char *host_name,
540
const AvahiAddress *address,
541
uint16_t port,
542
AVAHI_GCC_UNUSED AvahiStringList *txt,
543
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
544
AVAHI_GCC_UNUSED void* userdata) {
545
546
assert(r); /* Spurious warning */
714
static void resolve_callback(AvahiSServiceResolver *r,
715
AvahiIfIndex interface,
716
AVAHI_GCC_UNUSED AvahiProtocol protocol,
717
AvahiResolverEvent event,
718
const char *name,
719
const char *type,
720
const char *domain,
721
const char *host_name,
722
const AvahiAddress *address,
723
uint16_t port,
724
AVAHI_GCC_UNUSED AvahiStringList *txt,
725
AVAHI_GCC_UNUSED AvahiLookupResultFlags
726
flags,
727
void* userdata) {
728
mandos_context *mc = userdata;
729
assert(r);
547
730
548
731
/* Called whenever a service has been resolved successfully or
549
732
timed out */
551
734
switch (event) {
552
735
default:
553
736
case AVAHI_RESOLVER_FAILURE:
554
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
555
" type '%s' in domain '%s': %s\n", name, type, domain,
556
avahi_strerror(avahi_server_errno(server)));
737
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
738
" of type '%s' in domain '%s': %s\n", name, type, domain,
739
avahi_strerror(avahi_server_errno(mc->server)));
557
740
break;
558
741
559
742
case AVAHI_RESOLVER_FOUND:
561
744
char ip[AVAHI_ADDRESS_STR_MAX];
562
745
avahi_address_snprint(ip, sizeof(ip), address);
563
746
if(debug){
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
747
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
748
PRIu16 ") on port %d\n", name, host_name, ip,
749
interface, port);
566
750
}
567
int ret = start_mandos_communication(ip, port, interface);
751
int ret = start_mandos_communication(ip, port, interface, mc);
568
752
if (ret == 0){
569
exit(EXIT_SUCCESS);
753
avahi_simple_poll_quit(mc->simple_poll);
570
754
}
571
755
}
572
756
}
573
757
avahi_s_service_resolver_free(r);
574
758
}
575
759
576
static void browse_callback(
577
AvahiSServiceBrowser *b,
578
AvahiIfIndex interface,
579
AvahiProtocol protocol,
580
AvahiBrowserEvent event,
581
const char *name,
582
const char *type,
583
const char *domain,
584
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
585
void* userdata) {
586
587
AvahiServer *s = userdata;
588
assert(b); /* Spurious warning */
589
590
/* Called whenever a new services becomes available on the LAN or
591
is removed from the LAN */
592
593
switch (event) {
594
default:
595
case AVAHI_BROWSER_FAILURE:
596
597
fprintf(stderr, "(Browser) %s\n",
598
avahi_strerror(avahi_server_errno(server)));
599
avahi_simple_poll_quit(simple_poll);
600
return;
601
602
case AVAHI_BROWSER_NEW:
603
/* We ignore the returned resolver object. In the callback
604
function we free it. If the server is terminated before
605
the callback function is called the server will free
606
the resolver for us. */
607
608
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
609
type, domain,
610
AVAHI_PROTO_INET6, 0,
611
resolve_callback, s)))
612
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
613
avahi_strerror(avahi_server_errno(s)));
614
break;
615
616
case AVAHI_BROWSER_REMOVE:
617
break;
618
619
case AVAHI_BROWSER_ALL_FOR_NOW:
620
case AVAHI_BROWSER_CACHE_EXHAUSTED:
621
break;
760
static void browse_callback( AvahiSServiceBrowser *b,
761
AvahiIfIndex interface,
762
AvahiProtocol protocol,
763
AvahiBrowserEvent event,
764
const char *name,
765
const char *type,
766
const char *domain,
767
AVAHI_GCC_UNUSED AvahiLookupResultFlags
768
flags,
769
void* userdata) {
770
mandos_context *mc = userdata;
771
assert(b);
772
773
/* Called whenever a new services becomes available on the LAN or
774
is removed from the LAN */
775
776
switch (event) {
777
default:
778
case AVAHI_BROWSER_FAILURE:
779
780
fprintf(stderr, "(Avahi browser) %s\n",
781
avahi_strerror(avahi_server_errno(mc->server)));
782
avahi_simple_poll_quit(mc->simple_poll);
783
return;
784
785
case AVAHI_BROWSER_NEW:
786
/* We ignore the returned Avahi resolver object. In the callback
787
function we free it. If the Avahi server is terminated before
788
the callback function is called the Avahi server will free the
789
resolver for us. */
790
791
if (!(avahi_s_service_resolver_new(mc->server, interface,
792
protocol, name, type, domain,
793
AVAHI_PROTO_INET6, 0,
794
resolve_callback, mc)))
795
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
796
name, avahi_strerror(avahi_server_errno(mc->server)));
797
break;
798
799
case AVAHI_BROWSER_REMOVE:
800
break;
801
802
case AVAHI_BROWSER_ALL_FOR_NOW:
803
case AVAHI_BROWSER_CACHE_EXHAUSTED:
804
if(debug){
805
fprintf(stderr, "No Mandos server found, still searching...\n");
622
806
}
807
break;
808
}
623
809
}
624
810
625
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
626
AvahiServerConfig config;
811
int main(int argc, char *argv[]){
627
812
AvahiSServiceBrowser *sb = NULL;
628
813
int error;
629
814
int ret;
630
int returncode = EXIT_SUCCESS;
631
const char *interface = NULL;
815
int exitcode = EXIT_SUCCESS;
816
const char *interface = "eth0";
817
struct ifreq network;
818
int sd;
819
uid_t uid;
820
gid_t gid;
821
char *connect_to = NULL;
822
char tempdir[] = "/tmp/mandosXXXXXX";
632
823
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
633
char *connect_to = NULL;
634
635
while (true){
636
static struct option long_options[] = {
637
{"debug", no_argument, (int *)&debug, 1},
638
{"connect", required_argument, 0, 'c'},
639
{"interface", required_argument, 0, 'i'},
640
{0, 0, 0, 0} };
641
642
int option_index = 0;
643
ret = getopt_long (argc, argv, "i:", long_options,
644
&option_index);
645
646
if (ret == -1){
647
break;
648
}
649
650
switch(ret){
651
case 0:
652
break;
653
case 'i':
654
interface = optarg;
655
break;
656
case 'c':
657
connect_to = optarg;
658
break;
659
default:
660
exit(EXIT_FAILURE);
661
}
662
}
663
664
if(interface != NULL){
665
if_index = (AvahiIfIndex) if_nametoindex(interface);
666
if(if_index == 0){
667
fprintf(stderr, "No such interface: \"%s\"\n", interface);
668
exit(EXIT_FAILURE);
669
}
824
const char *seckey = PATHDIR "/" SECKEY;
825
const char *pubkey = PATHDIR "/" PUBKEY;
826
827
mandos_context mc = { .simple_poll = NULL, .server = NULL,
828
.dh_bits = 1024, .priority = "SECURE256"
829
":!CTYPE-X.509:+CTYPE-OPENPGP" };
830
bool gnutls_initalized = false;
831
bool gpgme_initalized = false;
832
833
{
834
struct argp_option options[] = {
835
{ .name = "debug", .key = 128,
836
.doc = "Debug mode", .group = 3 },
837
{ .name = "connect", .key = 'c',
838
.arg = "ADDRESS:PORT",
839
.doc = "Connect directly to a specific Mandos server",
840
.group = 1 },
841
{ .name = "interface", .key = 'i',
842
.arg = "NAME",
843
.doc = "Interface that will be used to search for Mandos"
844
" servers",
845
.group = 1 },
846
{ .name = "seckey", .key = 's',
847
.arg = "FILE",
848
.doc = "OpenPGP secret key file base name",
849
.group = 1 },
850
{ .name = "pubkey", .key = 'p',
851
.arg = "FILE",
852
.doc = "OpenPGP public key file base name",
853
.group = 2 },
854
{ .name = "dh-bits", .key = 129,
855
.arg = "BITS",
856
.doc = "Bit length of the prime number used in the"
857
" Diffie-Hellman key exchange",
858
.group = 2 },
859
{ .name = "priority", .key = 130,
860
.arg = "STRING",
861
.doc = "GnuTLS priority string for the TLS handshake",
862
.group = 1 },
863
{ .name = NULL }
864
};
865
866
error_t parse_opt (int key, char *arg,
867
struct argp_state *state) {
868
/* Get the INPUT argument from `argp_parse', which we know is
869
a pointer to our plugin list pointer. */
870
switch (key) {
871
case 128: /* --debug */
872
debug = true;
873
break;
874
case 'c': /* --connect */
875
connect_to = arg;
876
break;
877
case 'i': /* --interface */
878
interface = arg;
879
break;
880
case 's': /* --seckey */
881
seckey = arg;
882
break;
883
case 'p': /* --pubkey */
884
pubkey = arg;
885
break;
886
case 129: /* --dh-bits */
887
errno = 0;
888
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
889
if (errno){
890
perror("strtol");
891
exit(EXIT_FAILURE);
892
}
893
break;
894
case 130: /* --priority */
895
mc.priority = arg;
896
break;
897
case ARGP_KEY_ARG:
898
argp_usage (state);
899
case ARGP_KEY_END:
900
break;
901
default:
902
return ARGP_ERR_UNKNOWN;
903
}
904
return 0;
905
}
906
907
struct argp argp = { .options = options, .parser = parse_opt,
908
.args_doc = "",
909
.doc = "Mandos client -- Get and decrypt"
910
" passwords from a Mandos server" };
911
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
912
if (ret == ARGP_ERR_UNKNOWN){
913
fprintf(stderr, "Unknown error while parsing arguments\n");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
919
/* If the interface is down, bring it up */
920
{
921
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
922
if(sd < 0) {
923
perror("socket");
924
exitcode = EXIT_FAILURE;
925
goto end;
926
}
927
strcpy(network.ifr_name, interface);
928
ret = ioctl(sd, SIOCGIFFLAGS, &network);
929
if(ret == -1){
930
perror("ioctl SIOCGIFFLAGS");
931
exitcode = EXIT_FAILURE;
932
goto end;
933
}
934
if((network.ifr_flags & IFF_UP) == 0){
935
network.ifr_flags |= IFF_UP;
936
ret = ioctl(sd, SIOCSIFFLAGS, &network);
937
if(ret == -1){
938
perror("ioctl SIOCSIFFLAGS");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
ret = TEMP_FAILURE_RETRY(close(sd));
944
if(ret == -1){
945
perror("close");
946
}
947
}
948
949
uid = getuid();
950
gid = getgid();
951
952
ret = setuid(uid);
953
if (ret == -1){
954
perror("setuid");
955
}
956
957
setgid(gid);
958
if (ret == -1){
959
perror("setgid");
960
}
961
962
ret = init_gnutls_global(&mc, pubkey, seckey);
963
if (ret == -1){
964
fprintf(stderr, "init_gnutls_global failed\n");
965
exitcode = EXIT_FAILURE;
966
goto end;
967
} else {
968
gnutls_initalized = true;
969
}
970
971
if(mkdtemp(tempdir) == NULL){
972
perror("mkdtemp");
973
tempdir[0] = '\0';
974
goto end;
975
}
976
977
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
978
fprintf(stderr, "gpgme_initalized failed\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
} else {
982
gpgme_initalized = true;
983
}
984
985
if_index = (AvahiIfIndex) if_nametoindex(interface);
986
if(if_index == 0){
987
fprintf(stderr, "No such interface: \"%s\"\n", interface);
988
exit(EXIT_FAILURE);
670
989
}
671
990
672
991
if(connect_to != NULL){
675
994
char *address = strrchr(connect_to, ':');
676
995
if(address == NULL){
677
996
fprintf(stderr, "No colon in address\n");
678
exit(EXIT_FAILURE);
997
exitcode = EXIT_FAILURE;
998
goto end;
679
999
}
680
1000
errno = 0;
681
1001
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
682
1002
if(errno){
683
1003
perror("Bad port number");
684
exit(EXIT_FAILURE);
1004
exitcode = EXIT_FAILURE;
1005
goto end;
685
1006
}
686
1007
*address = '\0';
687
1008
address = connect_to;
688
ret = start_mandos_communication(address, port, if_index);
1009
ret = start_mandos_communication(address, port, if_index, &mc);
689
1010
if(ret < 0){
690
exit(EXIT_FAILURE);
1011
exitcode = EXIT_FAILURE;
691
1012
} else {
692
exit(EXIT_SUCCESS);
1013
exitcode = EXIT_SUCCESS;
693
1014
}
1015
goto end;
694
1016
}
695
1017
696
1018
if (not debug){
697
1019
avahi_set_log_function(empty_log);
698
1020
}
699
1021
700
/* Initialize the psuedo-RNG */
1022
/* Initialize the pseudo-RNG for Avahi */
701
1023
srand((unsigned int) time(NULL));
702
703
/* Allocate main loop object */
704
if (!(simple_poll = avahi_simple_poll_new())) {
705
fprintf(stderr, "Failed to create simple poll object.\n");
706
707
goto exit;
708
}
709
710
/* Do not publish any local records */
711
avahi_server_config_init(&config);
712
config.publish_hinfo = 0;
713
config.publish_addresses = 0;
714
config.publish_workstation = 0;
715
config.publish_domain = 0;
716
717
/* Allocate a new server */
718
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
719
&config, NULL, NULL, &error);
720
721
/* Free the configuration data */
722
avahi_server_config_free(&config);
723
724
/* Check if creating the server object succeeded */
725
if (!server) {
726
fprintf(stderr, "Failed to create server: %s\n",
1024
1025
/* Allocate main Avahi loop object */
1026
mc.simple_poll = avahi_simple_poll_new();
1027
if (mc.simple_poll == NULL) {
1028
fprintf(stderr, "Avahi: Failed to create simple poll"
1029
" object.\n");
1030
exitcode = EXIT_FAILURE;
1031
goto end;
1032
}
1033
1034
{
1035
AvahiServerConfig config;
1036
/* Do not publish any local Zeroconf records */
1037
avahi_server_config_init(&config);
1038
config.publish_hinfo = 0;
1039
config.publish_addresses = 0;
1040
config.publish_workstation = 0;
1041
config.publish_domain = 0;
1042
1043
/* Allocate a new server */
1044
mc.server = avahi_server_new(avahi_simple_poll_get
1045
(mc.simple_poll), &config, NULL,
1046
NULL, &error);
1047
1048
/* Free the Avahi configuration data */
1049
avahi_server_config_free(&config);
1050
}
1051
1052
/* Check if creating the Avahi server object succeeded */
1053
if (mc.server == NULL) {
1054
fprintf(stderr, "Failed to create Avahi server: %s\n",
727
1055
avahi_strerror(error));
728
returncode = EXIT_FAILURE;
729
goto exit;
1056
exitcode = EXIT_FAILURE;
1057
goto end;
730
1058
}
731
1059
732
/* Create the service browser */
733
sb = avahi_s_service_browser_new(server, if_index,
1060
/* Create the Avahi service browser */
1061
sb = avahi_s_service_browser_new(mc.server, if_index,
734
1062
AVAHI_PROTO_INET6,
735
1063
"_mandos._tcp", NULL, 0,
736
browse_callback, server);
737
if (!sb) {
1064
browse_callback, &mc);
1065
if (sb == NULL) {
738
1066
fprintf(stderr, "Failed to create service browser: %s\n",
739
avahi_strerror(avahi_server_errno(server)));
740
returncode = EXIT_FAILURE;
741
goto exit;
1067
avahi_strerror(avahi_server_errno(mc.server)));
1068
exitcode = EXIT_FAILURE;
1069
goto end;
742
1070
}
743
1071
744
1072
/* Run the main loop */
745
1073
746
1074
if (debug){
747
fprintf(stderr, "Starting avahi loop search\n");
1075
fprintf(stderr, "Starting Avahi loop search\n");
748
1076
}
749
1077
750
avahi_simple_poll_loop(simple_poll);
751
752
exit:
753
1078
avahi_simple_poll_loop(mc.simple_poll);
1079
1080
end:
1081
754
1082
if (debug){
755
1083
fprintf(stderr, "%s exiting\n", argv[0]);
756
1084
}
757
1085
758
1086
/* Cleanup things */
759
if (sb)
1087
if (sb != NULL)
760
1088
avahi_s_service_browser_free(sb);
761
1089
762
if (server)
763
avahi_server_free(server);
764
765
if (simple_poll)
766
avahi_simple_poll_free(simple_poll);
767
768
return returncode;
1090
if (mc.server != NULL)
1091
avahi_server_free(mc.server);
1092
1093
if (mc.simple_poll != NULL)
1094
avahi_simple_poll_free(mc.simple_poll);
1095
1096
if (gnutls_initalized){
1097
gnutls_certificate_free_credentials(mc.cred);
1098
gnutls_global_deinit ();
1099
gnutls_dh_params_deinit(mc.dh_params);
1100
}
1101
1102
if(gpgme_initalized){
1103
gpgme_release(mc.ctx);
1104
}
1105
1106
/* Removes the temp directory used by GPGME */
1107
if(tempdir[0] != '\0'){
1108
DIR *d;
1109
struct dirent *direntry;
1110
d = opendir(tempdir);
1111
if(d == NULL){
1112
perror("opendir");
1113
} else {
1114
while(true){
1115
direntry = readdir(d);
1116
if(direntry == NULL){
1117
break;
1118
}
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1134
}
1135
closedir(d);
1136
}
1137
ret = rmdir(tempdir);
1138
if(ret == -1){
1139
perror("rmdir");
1140
}
1141
}
1142
1143
return exitcode;
769
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0