/mandos/trunk : revision 250

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-01-06 05:08:37 UTC
Revision ID: teddy@fukt.bsnet.se-20090106050837-111vhmg0s4kv424d

* debian/mandos-client.config: Removed.
* debian/mandos-client.postinst: Do not source
"/usr/share/debconf/confmodule".
* debian/mandos.config: Removed.
* debian/mandos.postinst: Do not source
"/usr/share/debconf/confmodule".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-list

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

100

GPGME_PROTOCOL_OpenPGP,

101

GPG_ERR_NO_* */

102

103

#define BUFFER_SIZE 256

#define DH_BITS 1024

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

#define SECKEY "seckey.txt"

107

#define PUBKEY "pubkey.txt"

108

109

bool debug = false;

110

static const char mandos_protocol_version[] = "1";

111

const char *argp_program_version = "mandos-client " VERSION;

112

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

113

114

/* Used for passing in values through the Avahi callback functions */

115

typedef struct {

gnutls_session_t session;

116

AvahiSimplePoll *simple_poll;

117

AvahiServer *server;

118

gnutls_certificate_credentials_t cred;

119

unsigned int dh_bits;

120

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

121

const char *priority;

122

gpgme_ctx_t ctx;

123

} mandos_context;

124

125

126

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

127

* "buffer_capacity" is how much is currently allocated,

128

* "buffer_length" is how much is already used.

129

130

size_t adjustbuffer(char **buffer, size_t buffer_length,

131

size_t buffer_capacity){

132

if (buffer_length + BUFFER_SIZE > buffer_capacity){

133

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

134

if (buffer == NULL){

135

return 0;

136

}

137

buffer_capacity += BUFFER_SIZE;

138

}

139

return buffer_capacity;

140

}

141

142

143

* Initialize GPGME.

144

145

static bool init_gpgme(mandos_context *mc, const char *seckey,

146

const char *pubkey, const char *tempdir){

147

int ret;

148

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

149

gpgme_engine_info_t engine_info;

150

151

152

153

* Helper function to insert pub and seckey to the enigne keyring.

154

155

bool import_key(const char *filename){

156

int fd;

157

gpgme_data_t pgp_data;

158

159

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

160

if(fd == -1){

161

perror("open");

162

return false;

163

}

164

165

rc = gpgme_data_new_from_fd(&pgp_data, fd);

166

if (rc != GPG_ERR_NO_ERROR){

167

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

168

gpgme_strsource(rc), gpgme_strerror(rc));

169

return false;

170

}

171

172

rc = gpgme_op_import(mc->ctx, pgp_data);

173

if (rc != GPG_ERR_NO_ERROR){

174

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

175

gpgme_strsource(rc), gpgme_strerror(rc));

176

return false;

177

}

178

179

ret = TEMP_FAILURE_RETRY(close(fd));

180

if(ret == -1){

181

perror("close");

182

}

183

gpgme_data_release(pgp_data);

184

return true;

185

}

186

187

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

188

fprintf(stderr, "Initialize gpgme\n");

189

}

100

190

101

191

/* Init GPGME */

102

192

gpgme_check_version(NULL);

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

193

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

194

if (rc != GPG_ERR_NO_ERROR){

195

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

196

gpgme_strsource(rc), gpgme_strerror(rc));

197

return false;

198

}

104

199

105

/* Set GPGME home directory */

200

/* Set GPGME home directory for the OpenPGP engine only */

106

201

rc = gpgme_get_engine_info (&engine_info);

107

202

if (rc != GPG_ERR_NO_ERROR){

108

203

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

109

204

gpgme_strsource(rc), gpgme_strerror(rc));

110

return -1;

205

return false;

111

206

}

112

207

while(engine_info != NULL){

113

208

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

114

209

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

115

engine_info->file_name, homedir);

210

engine_info->file_name, tempdir);

116

211

break;

117

212

}

118

213

engine_info = engine_info->next;

119

214

}

120

215

if(engine_info == NULL){

121

fprintf(stderr, "Could not set home dir to %s\n", homedir);

122

return -1;

123

}

124

125

/* Create new GPGME data buffer from packet buffer */

126

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

216

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

217

return false;

218

}

219

220

/* Create new GPGME "context" */

221

rc = gpgme_new(&(mc->ctx));

222

if (rc != GPG_ERR_NO_ERROR){

223

fprintf(stderr, "bad gpgme_new: %s: %s\n",

224

gpgme_strsource(rc), gpgme_strerror(rc));

225

return false;

226

}

227

228

if (not import_key(pubkey) or not import_key(seckey)){

229

return false;

230

}

231

232

return true;

233

}

234

235

236

* Decrypt OpenPGP data.

237

* Returns -1 on error

238

239

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

240

const char *cryptotext,

241

size_t crypto_size,

242

char **plaintext){

243

gpgme_data_t dh_crypto, dh_plain;

244

gpgme_error_t rc;

245

ssize_t ret;

246

size_t plaintext_capacity = 0;

247

ssize_t plaintext_length = 0;

248

249

if (debug){

250

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

251

}

252

253

/* Create new GPGME data buffer from memory cryptotext */

254

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

255

0);

127

256

if (rc != GPG_ERR_NO_ERROR){

128

257

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

129

258

gpgme_strsource(rc), gpgme_strerror(rc));

135

264

if (rc != GPG_ERR_NO_ERROR){

136

265

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

137

266

gpgme_strsource(rc), gpgme_strerror(rc));

138

return -1;

139

}

140

141

/* Create new GPGME "context" */

142

rc = gpgme_new(&ctx);

143

if (rc != GPG_ERR_NO_ERROR){

144

fprintf(stderr, "bad gpgme_new: %s: %s\n",

145

gpgme_strsource(rc), gpgme_strerror(rc));

146

return -1;

147

}

148

149

/* Decrypt data from the FILE pointer to the plaintext data

150

buffer */

151

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

267

gpgme_data_release(dh_crypto);

268

return -1;

269

}

270

271

/* Decrypt data from the cryptotext data buffer to the plaintext

272

data buffer */

273

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

152

274

if (rc != GPG_ERR_NO_ERROR){

153

275

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

154

276

gpgme_strsource(rc), gpgme_strerror(rc));

155

return -1;

277

plaintext_length = -1;

278

if (debug){

279

gpgme_decrypt_result_t result;

280

result = gpgme_op_decrypt_result(mc->ctx);

281

if (result == NULL){

282

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

283

} else {

284

fprintf(stderr, "Unsupported algorithm: %s\n",

285

result->unsupported_algorithm);

286

fprintf(stderr, "Wrong key usage: %u\n",

287

result->wrong_key_usage);

288

if(result->file_name != NULL){

289

fprintf(stderr, "File name: %s\n", result->file_name);

290

}

291

gpgme_recipient_t recipient;

292

recipient = result->recipients;

293

if(recipient){

294

while(recipient != NULL){

295

fprintf(stderr, "Public key algorithm: %s\n",

296

gpgme_pubkey_algo_name(recipient->pubkey_algo));

297

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

298

fprintf(stderr, "Secret key available: %s\n",

299

recipient->status == GPG_ERR_NO_SECKEY

300

? "No" : "Yes");

301

recipient = recipient->next;

302

}

303

}

304

}

305

}

306

goto decrypt_end;

156

307

}

157

308

158

309

if(debug){

159

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

160

}

161

162

if (debug){

163

gpgme_decrypt_result_t result;

164

result = gpgme_op_decrypt_result(ctx);

165

if (result == NULL){

166

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

167

} else {

168

fprintf(stderr, "Unsupported algorithm: %s\n",

169

result->unsupported_algorithm);

170

fprintf(stderr, "Wrong key usage: %d\n",

171

result->wrong_key_usage);

172

if(result->file_name != NULL){

173

fprintf(stderr, "File name: %s\n", result->file_name);

174

}

175

gpgme_recipient_t recipient;

176

recipient = result->recipients;

177

if(recipient){

178

while(recipient != NULL){

179

fprintf(stderr, "Public key algorithm: %s\n",

180

gpgme_pubkey_algo_name(recipient->pubkey_algo));

181

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

182

fprintf(stderr, "Secret key available: %s\n",

183

recipient->status == GPG_ERR_NO_SECKEY

184

? "No" : "Yes");

185

recipient = recipient->next;

186

}

187

}

188

}

189

}

190

191

/* Delete the GPGME FILE pointer cryptotext data buffer */

192

gpgme_data_release(dh_crypto);

310

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

311

}

193

312

194

313

/* Seek back to the beginning of the GPGME plaintext data buffer */

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

197

*new_packet = 0;

314

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

315

perror("gpgme_data_seek");

316

plaintext_length = -1;

317

goto decrypt_end;

318

}

319

320

*plaintext = NULL;

198

321

while(true){

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

200

*new_packet = realloc(*new_packet,

201

(unsigned int)new_packet_capacity

202

+ BUFFER_SIZE);

203

if (*new_packet == NULL){

204

perror("realloc");

205

return -1;

206

}

207

new_packet_capacity += BUFFER_SIZE;

322

plaintext_capacity = adjustbuffer(plaintext,

323

(size_t)plaintext_length,

324

plaintext_capacity);

325

if (plaintext_capacity == 0){

326

perror("adjustbuffer");

327

plaintext_length = -1;

328

goto decrypt_end;

208

329

}

209

330

210

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

331

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

211

332

BUFFER_SIZE);

212

333

/* Print the data, if any */

213

334

if (ret == 0){

335

/* EOF */

214

336

break;

215

337

}

216

338

if(ret < 0){

217

339

perror("gpgme_data_read");

218

return -1;

219

}

220

new_packet_length += ret;

221

}

222

223

/* FIXME: check characters before printing to screen so to not print

224

terminal control characters */

225

/* if(debug){ */

226

/* fprintf(stderr, "decrypted password is: "); */

227

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

228

/* fprintf(stderr, "\n"); */

229

/* } */

340

plaintext_length = -1;

341

goto decrypt_end;

342

}

343

plaintext_length += ret;

344

}

345

346

if(debug){

347

fprintf(stderr, "Decrypted password is: ");

348

for(ssize_t i = 0; i < plaintext_length; i++){

349

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

350

}

351

fprintf(stderr, "\n");

352

}

353

354

decrypt_end:

355

356

/* Delete the GPGME cryptotext data buffer */

357

gpgme_data_release(dh_crypto);

230

358

231

359

/* Delete the GPGME plaintext data buffer */

232

360

gpgme_data_release(dh_plain);

233

return new_packet_length;

361

return plaintext_length;

234

362

}

235

363

236

364

static const char * safer_gnutls_strerror (int value) {

237

const char *ret = gnutls_strerror (value);

365

const char *ret = gnutls_strerror (value); /* Spurious warning */

238

366

if (ret == NULL)

239

367

ret = "(unknown)";

240

368

return ret;

241

369

}

242

370

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

245

fprintf(stderr, "%s", string);

371

/* GnuTLS log function callback */

372

static void debuggnutls(__attribute__((unused)) int level,

373

const char* string){

374

fprintf(stderr, "GnuTLS: %s", string);

246

375

}

247

376

248

int initgnutls(encrypted_session *es){

249

const char *err;

377

static int init_gnutls_global(mandos_context *mc,

378

const char *pubkeyfilename,

379

const char *seckeyfilename){

250

380

int ret;

251

381

252

382

if(debug){

253

383

fprintf(stderr, "Initializing GnuTLS\n");

254

384

}

255

385

256

if ((ret = gnutls_global_init ())

257

!= GNUTLS_E_SUCCESS) {

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

386

ret = gnutls_global_init();

387

if (ret != GNUTLS_E_SUCCESS) {

388

fprintf (stderr, "GnuTLS global_init: %s\n",

389

safer_gnutls_strerror(ret));

259

390

return -1;

260

391

}

261

392

262

393

if (debug){

394

/* "Use a log level over 10 to enable all debugging options."

395

* - GnuTLS manual

396

263

397

gnutls_global_set_log_level(11);

264

398

gnutls_global_set_log_function(debuggnutls);

265

399

}

266

400

267

/* openpgp credentials */

268

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

269

!= GNUTLS_E_SUCCESS) {

270

fprintf (stderr, "memory error: %s\n",

401

/* OpenPGP credentials */

402

gnutls_certificate_allocate_credentials(&mc->cred);

403

if (ret != GNUTLS_E_SUCCESS){

404

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

405

warning */

271

406

safer_gnutls_strerror(ret));

407

gnutls_global_deinit ();

272

408

return -1;

273

409

}

274

410

275

411

if(debug){

276

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

412

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

413

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

414

seckeyfilename);

279

415

}

280

416

281

417

ret = gnutls_certificate_set_openpgp_key_file

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

418

(mc->cred, pubkeyfilename, seckeyfilename,

419

GNUTLS_OPENPGP_FMT_BASE64);

283

420

if (ret != GNUTLS_E_SUCCESS) {

284

fprintf

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

286

" '%s')\n",

287

ret, CERTFILE, KEYFILE);

288

fprintf(stdout, "The Error is: %s\n",

421

fprintf(stderr,

422

"Error[%d] while reading the OpenPGP key pair ('%s',"

423

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

424

fprintf(stderr, "The GnuTLS error is: %s\n",

289

425

safer_gnutls_strerror(ret));

290

return -1;

291

}

292

293

//GnuTLS server initialization

294

if ((ret = gnutls_dh_params_init (&es->dh_params))

295

!= GNUTLS_E_SUCCESS) {

296

fprintf (stderr, "Error in dh parameter initialization: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in prime generation: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

309

310

// GnuTLS session creation

311

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

312

!= GNUTLS_E_SUCCESS){

426

goto globalfail;

427

}

428

429

/* GnuTLS server initialization */

430

ret = gnutls_dh_params_init(&mc->dh_params);

431

if (ret != GNUTLS_E_SUCCESS) {

432

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

433

" %s\n", safer_gnutls_strerror(ret));

434

goto globalfail;

435

}

436

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

437

if (ret != GNUTLS_E_SUCCESS) {

438

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

439

safer_gnutls_strerror(ret));

440

goto globalfail;

441

}

442

443

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

444

445

return 0;

446

447

globalfail:

448

449

gnutls_certificate_free_credentials(mc->cred);

450

gnutls_global_deinit();

451

gnutls_dh_params_deinit(mc->dh_params);

452

return -1;

453

}

454

455

static int init_gnutls_session(mandos_context *mc,

456

gnutls_session_t *session){

457

int ret;

458

/* GnuTLS session creation */

459

ret = gnutls_init(session, GNUTLS_SERVER);

460

if (ret != GNUTLS_E_SUCCESS){

313

461

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

314

462

safer_gnutls_strerror(ret));

315

463

}

316

464

317

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf(stderr, "Syntax error at: %s\n", err);

320

fprintf(stderr, "GnuTLS error: %s\n",

321

safer_gnutls_strerror(ret));

322

return -1;

465

{

466

const char *err;

467

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

468

if (ret != GNUTLS_E_SUCCESS) {

469

fprintf(stderr, "Syntax error at: %s\n", err);

470

fprintf(stderr, "GnuTLS error: %s\n",

471

safer_gnutls_strerror(ret));

472

gnutls_deinit (*session);

473

return -1;

474

}

323

475

}

324

476

325

if ((ret = gnutls_credentials_set

326

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Error setting a credentials set: %s\n",

477

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

478

mc->cred);

479

if (ret != GNUTLS_E_SUCCESS) {

480

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

329

481

safer_gnutls_strerror(ret));

482

gnutls_deinit (*session);

330

483

return -1;

331

484

}

332

485

333

486

/* ignore client certificate if any. */

334

gnutls_certificate_server_set_request (es->session,

487

gnutls_certificate_server_set_request (*session,

335

488

GNUTLS_CERT_IGNORE);

336

489

337

gnutls_dh_set_prime_bits (es->session, DH_BITS);

490

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

338

491

339

492

return 0;

340

493

}

341

494

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

495

/* Avahi log function callback */

496

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

497

__attribute__((unused)) const char *txt){}

344

498

345

int start_mandos_communication(const char *ip, uint16_t port,

346

AvahiIfIndex if_index){

499

/* Called when a Mandos server is found */

500

static int start_mandos_communication(const char *ip, uint16_t port,

501

AvahiIfIndex if_index,

502

mandos_context *mc){

347

503

int ret, tcp_sd;

348

struct sockaddr_in6 to;

349

encrypted_session es;

504

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

350

505

char *buffer = NULL;

351

506

char *decrypted_buffer;

352

507

size_t buffer_length = 0;

353

508

size_t buffer_capacity = 0;

354

509

ssize_t decrypted_buffer_size;

355

size_t written = 0;

510

size_t written;

356

511

int retval = 0;

357

512

char interface[IF_NAMESIZE];

513

gnutls_session_t session;

514

515

ret = init_gnutls_session (mc, &session);

516

if (ret != 0){

517

return -1;

518

}

358

519

359

520

if(debug){

360

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

361

ip, port);

521

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

522

"\n", ip, port);

362

523

}

363

524

364

525

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

367

528

return -1;

368

529

}

369

530

370

if(if_indextoname((unsigned int)if_index, interface) == NULL){

371

if(debug){

531

if(debug){

532

if(if_indextoname((unsigned int)if_index, interface) == NULL){

372

533

perror("if_indextoname");

534

return -1;

373

535

}

374

return -1;

375

}

376

377

if(debug){

378

536

fprintf(stderr, "Binding to interface %s\n", interface);

379

537

}

380

538

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

539

memset(&to, 0, sizeof(to));

540

to.in6.sin6_family = AF_INET6;

541

/* It would be nice to have a way to detect if we were passed an

542

IPv4 address here. Now we assume an IPv6 address. */

543

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

384

544

if (ret < 0 ){

385

545

perror("inet_pton");

386

546

return -1;

387

}

547

}

388

548

if(ret == 0){

389

549

fprintf(stderr, "Bad address: %s\n", ip);

390

550

return -1;

391

551

}

392

to.sin6_port = htons(port); /* Spurious warning */

552

to.in6.sin6_port = htons(port); /* Spurious warning */

393

553

394

to.sin6_scope_id = (uint32_t)if_index;

554

to.in6.sin6_scope_id = (uint32_t)if_index;

395

555

396

556

if(debug){

397

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

398

/* char addrstr[INET6_ADDRSTRLEN]; */

399

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

400

/* sizeof(addrstr)) == NULL){ */

401

/* perror("inet_ntop"); */

402

/* } else { */

403

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

404

/* addrstr, ntohs(to.sin6_port)); */

405

/* } */

557

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

558

port);

559

char addrstr[INET6_ADDRSTRLEN] = "";

560

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

561

sizeof(addrstr)) == NULL){

562

perror("inet_ntop");

563

} else {

564

if(strcmp(addrstr, ip) != 0){

565

fprintf(stderr, "Canonical address form: %s\n", addrstr);

566

}

567

}

406

568

}

407

569

408

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

570

ret = connect(tcp_sd, &to.in, sizeof(to));

409

571

if (ret < 0){

410

572

perror("connect");

411

573

return -1;

412

574

}

413

575

414

ret = initgnutls (&es);

415

if (ret != 0){

416

retval = -1;

417

return -1;

576

const char *out = mandos_protocol_version;

577

written = 0;

578

while (true){

579

size_t out_size = strlen(out);

580

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

581

out_size - written));

582

if (ret == -1){

583

perror("write");

584

retval = -1;

585

goto mandos_end;

586

}

587

written += (size_t)ret;

588

if(written < out_size){

589

continue;

590

} else {

591

if (out == mandos_protocol_version){

592

written = 0;

593

out = "\r\n";

594

} else {

595

break;

596

}

597

}

418

598

}

419

599

420

gnutls_transport_set_ptr (es.session,

421

(gnutls_transport_ptr_t) tcp_sd);

422

423

600

if(debug){

424

601

fprintf(stderr, "Establishing TLS session with %s\n", ip);

425

602

}

426

603

427

ret = gnutls_handshake (es.session);

604

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

605

606

do{

607

ret = gnutls_handshake (session);

608

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

428

609

429

610

if (ret != GNUTLS_E_SUCCESS){

430

611

if(debug){

431

fprintf(stderr, "\n*** Handshake failed ***\n");

612

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

432

613

gnutls_perror (ret);

433

614

}

434

615

retval = -1;

435

goto exit;

616

goto mandos_end;

436

617

}

437

618

438

//Retrieve OpenPGP packet that contains the wanted password

619

/* Read OpenPGP packet that contains the wanted password */

439

620

440

621

if(debug){

441

622

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

442

623

ip);

443

624

}

444

625

445

626

while(true){

446

if (buffer_length + BUFFER_SIZE > buffer_capacity){

447

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

448

if (buffer == NULL){

449

perror("realloc");

450

goto exit;

451

}

452

buffer_capacity += BUFFER_SIZE;

627

buffer_capacity = adjustbuffer(&buffer, buffer_length,

628

buffer_capacity);

629

if (buffer_capacity == 0){

630

perror("adjustbuffer");

631

retval = -1;

632

goto mandos_end;

453

633

}

454

634

455

ret = gnutls_record_recv

456

(es.session, buffer+buffer_length, BUFFER_SIZE);

635

ret = gnutls_record_recv(session, buffer+buffer_length,

636

BUFFER_SIZE);

457

637

if (ret == 0){

458

638

break;

459

639

}

463

643

case GNUTLS_E_AGAIN:

464

644

break;

465

645

case GNUTLS_E_REHANDSHAKE:

466

ret = gnutls_handshake (es.session);

646

do{

647

ret = gnutls_handshake (session);

648

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

467

649

if (ret < 0){

468

fprintf(stderr, "\n*** Handshake failed ***\n");

650

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

469

651

gnutls_perror (ret);

470

652

retval = -1;

471

goto exit;

653

goto mandos_end;

472

654

}

473

655

break;

474

656

default:

475

657

fprintf(stderr, "Unknown error while reading data from"

476

" encrypted session with mandos server\n");

658

" encrypted session with Mandos server\n");

477

659

retval = -1;

478

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

479

goto exit;

660

gnutls_bye (session, GNUTLS_SHUT_RDWR);

661

goto mandos_end;

480

662

}

481

663

} else {

482

664

buffer_length += (size_t) ret;

483

665

}

484

666

}

485

667

668

if(debug){

669

fprintf(stderr, "Closing TLS session\n");

670

}

671

672

gnutls_bye (session, GNUTLS_SHUT_RDWR);

673

486

674

if (buffer_length > 0){

487

decrypted_buffer_size = pgp_packet_decrypt(buffer,

675

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

488

676

buffer_length,

489

&decrypted_buffer,

490

CERT_ROOT);

677

&decrypted_buffer);

491

678

if (decrypted_buffer_size >= 0){

679

written = 0;

492

680

while(written < (size_t) decrypted_buffer_size){

493

681

ret = (int)fwrite (decrypted_buffer + written, 1,

494

682

(size_t)decrypted_buffer_size - written,

507

695

} else {

508

696

retval = -1;

509

697

}

510

}

511

512

//shutdown procedure

513

514

if(debug){

515

fprintf(stderr, "Closing TLS session\n");

516

}

517

698

} else {

699

retval = -1;

700

}

701

702

/* Shutdown procedure */

703

704

mandos_end:

518

705

free(buffer);

519

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

520

exit:

521

close(tcp_sd);

522

gnutls_deinit (es.session);

523

gnutls_certificate_free_credentials (es.cred);

524

gnutls_global_deinit ();

706

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

707

if(ret == -1){

708

perror("close");

709

}

710

gnutls_deinit (session);

525

711

return retval;

526

712

}

527

713

528

static AvahiSimplePoll *simple_poll = NULL;

529

static AvahiServer *server = NULL;

530

531

static void resolve_callback(

532

AvahiSServiceResolver *r,

533

AvahiIfIndex interface,

534

AVAHI_GCC_UNUSED AvahiProtocol protocol,

535

AvahiResolverEvent event,

536

const char *name,

537

const char *type,

538

const char *domain,

539

const char *host_name,

540

const AvahiAddress *address,

541

uint16_t port,

542

AVAHI_GCC_UNUSED AvahiStringList *txt,

543

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

544

AVAHI_GCC_UNUSED void* userdata) {

545

546

assert(r); /* Spurious warning */

714

static void resolve_callback(AvahiSServiceResolver *r,

715

AvahiIfIndex interface,

716

AVAHI_GCC_UNUSED AvahiProtocol protocol,

717

AvahiResolverEvent event,

718

const char *name,

719

const char *type,

720

const char *domain,

721

const char *host_name,

722

const AvahiAddress *address,

723

uint16_t port,

724

AVAHI_GCC_UNUSED AvahiStringList *txt,

725

AVAHI_GCC_UNUSED AvahiLookupResultFlags

726

flags,

727

void* userdata) {

728

mandos_context *mc = userdata;

729

assert(r);

547

730

548

731

/* Called whenever a service has been resolved successfully or

549

732

timed out */

551

734

switch (event) {

552

735

default:

553

736

case AVAHI_RESOLVER_FAILURE:

554

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

555

" type '%s' in domain '%s': %s\n", name, type, domain,

556

avahi_strerror(avahi_server_errno(server)));

737

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

738

" of type '%s' in domain '%s': %s\n", name, type, domain,

739

avahi_strerror(avahi_server_errno(mc->server)));

557

740

break;

558

741

559

742

case AVAHI_RESOLVER_FOUND:

561

744

char ip[AVAHI_ADDRESS_STR_MAX];

562

745

avahi_address_snprint(ip, sizeof(ip), address);

563

746

if(debug){

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

565

" port %d\n", name, host_name, ip, port);

747

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

748

PRIu16 ") on port %d\n", name, host_name, ip,

749

interface, port);

566

750

}

567

int ret = start_mandos_communication(ip, port, interface);

751

int ret = start_mandos_communication(ip, port, interface, mc);

568

752

if (ret == 0){

569

exit(EXIT_SUCCESS);

753

avahi_simple_poll_quit(mc->simple_poll);

570

754

}

571

755

}

572

756

}

573

757

avahi_s_service_resolver_free(r);

574

758

}

575

759

576

static void browse_callback(

577

AvahiSServiceBrowser *b,

578

AvahiIfIndex interface,

579

AvahiProtocol protocol,

580

AvahiBrowserEvent event,

581

const char *name,

582

const char *type,

583

const char *domain,

584

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

585

void* userdata) {

586

587

AvahiServer *s = userdata;

588

assert(b); /* Spurious warning */

589

590

/* Called whenever a new services becomes available on the LAN or

591

is removed from the LAN */

592

593

switch (event) {

594

default:

595

case AVAHI_BROWSER_FAILURE:

596

597

fprintf(stderr, "(Browser) %s\n",

598

avahi_strerror(avahi_server_errno(server)));

599

avahi_simple_poll_quit(simple_poll);

600

return;

601

602

case AVAHI_BROWSER_NEW:

603

/* We ignore the returned resolver object. In the callback

604

function we free it. If the server is terminated before

605

the callback function is called the server will free

606

the resolver for us. */

607

608

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

609

type, domain,

610

AVAHI_PROTO_INET6, 0,

611

resolve_callback, s)))

612

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

613

avahi_strerror(avahi_server_errno(s)));

614

break;

615

616

case AVAHI_BROWSER_REMOVE:

617

break;

618

619

case AVAHI_BROWSER_ALL_FOR_NOW:

620

case AVAHI_BROWSER_CACHE_EXHAUSTED:

621

break;

760

static void browse_callback( AvahiSServiceBrowser *b,

761

AvahiIfIndex interface,

762

AvahiProtocol protocol,

763

AvahiBrowserEvent event,

764

const char *name,

765

const char *type,

766

const char *domain,

767

AVAHI_GCC_UNUSED AvahiLookupResultFlags

768

flags,

769

void* userdata) {

770

mandos_context *mc = userdata;

771

assert(b);

772

773

/* Called whenever a new services becomes available on the LAN or

774

is removed from the LAN */

775

776

switch (event) {

777

default:

778

case AVAHI_BROWSER_FAILURE:

779

780

fprintf(stderr, "(Avahi browser) %s\n",

781

avahi_strerror(avahi_server_errno(mc->server)));

782

avahi_simple_poll_quit(mc->simple_poll);

783

return;

784

785

case AVAHI_BROWSER_NEW:

786

/* We ignore the returned Avahi resolver object. In the callback

787

function we free it. If the Avahi server is terminated before

788

the callback function is called the Avahi server will free the

789

resolver for us. */

790

791

if (!(avahi_s_service_resolver_new(mc->server, interface,

792

protocol, name, type, domain,

793

AVAHI_PROTO_INET6, 0,

794

resolve_callback, mc)))

795

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

796

name, avahi_strerror(avahi_server_errno(mc->server)));

797

break;

798

799

case AVAHI_BROWSER_REMOVE:

800

break;

801

802

case AVAHI_BROWSER_ALL_FOR_NOW:

803

case AVAHI_BROWSER_CACHE_EXHAUSTED:

804

if(debug){

805

fprintf(stderr, "No Mandos server found, still searching...\n");

622

806

}

807

break;

808

}

623

809

}

624

810

625

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

626

AvahiServerConfig config;

811

int main(int argc, char *argv[]){

627

812

AvahiSServiceBrowser *sb = NULL;

628

813

int error;

629

814

int ret;

630

int returncode = EXIT_SUCCESS;

631

const char *interface = NULL;

815

int exitcode = EXIT_SUCCESS;

816

const char *interface = "eth0";

817

struct ifreq network;

818

int sd;

819

uid_t uid;

820

gid_t gid;

821

char *connect_to = NULL;

822

char tempdir[] = "/tmp/mandosXXXXXX";

632

823

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

633

char *connect_to = NULL;

634

635

while (true){

636

static struct option long_options[] = {

637

{"debug", no_argument, (int *)&debug, 1},

638

{"connect", required_argument, 0, 'c'},

639

{"interface", required_argument, 0, 'i'},

640

{0, 0, 0, 0} };

641

642

int option_index = 0;

643

ret = getopt_long (argc, argv, "i:", long_options,

644

&option_index);

645

646

if (ret == -1){

647

break;

648

}

649

650

switch(ret){

651

case 0:

652

break;

653

case 'i':

654

interface = optarg;

655

break;

656

case 'c':

657

connect_to = optarg;

658

break;

659

default:

660

exit(EXIT_FAILURE);

661

}

662

}

663

664

if(interface != NULL){

665

if_index = (AvahiIfIndex) if_nametoindex(interface);

666

if(if_index == 0){

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

668

exit(EXIT_FAILURE);

669

}

824

const char *seckey = PATHDIR "/" SECKEY;

825

const char *pubkey = PATHDIR "/" PUBKEY;

826

827

mandos_context mc = { .simple_poll = NULL, .server = NULL,

828

.dh_bits = 1024, .priority = "SECURE256"

829

":!CTYPE-X.509:+CTYPE-OPENPGP" };

830

bool gnutls_initalized = false;

831

bool gpgme_initalized = false;

832

833

{

834

struct argp_option options[] = {

835

{ .name = "debug", .key = 128,

836

.doc = "Debug mode", .group = 3 },

837

{ .name = "connect", .key = 'c',

838

.arg = "ADDRESS:PORT",

839

.doc = "Connect directly to a specific Mandos server",

840

.group = 1 },

841

{ .name = "interface", .key = 'i',

842

.arg = "NAME",

843

.doc = "Interface that will be used to search for Mandos"

844

" servers",

845

.group = 1 },

846

{ .name = "seckey", .key = 's',

847

.arg = "FILE",

848

.doc = "OpenPGP secret key file base name",

849

.group = 1 },

850

{ .name = "pubkey", .key = 'p',

851

.arg = "FILE",

852

.doc = "OpenPGP public key file base name",

853

.group = 2 },

854

{ .name = "dh-bits", .key = 129,

855

.arg = "BITS",

856

.doc = "Bit length of the prime number used in the"

857

" Diffie-Hellman key exchange",

858

.group = 2 },

859

{ .name = "priority", .key = 130,

860

.arg = "STRING",

861

.doc = "GnuTLS priority string for the TLS handshake",

862

.group = 1 },

863

{ .name = NULL }

864

};

865

866

error_t parse_opt (int key, char *arg,

867

struct argp_state *state) {

868

/* Get the INPUT argument from `argp_parse', which we know is

869

a pointer to our plugin list pointer. */

870

switch (key) {

871

case 128: /* --debug */

872

debug = true;

873

break;

874

case 'c': /* --connect */

875

connect_to = arg;

876

break;

877

case 'i': /* --interface */

878

interface = arg;

879

break;

880

case 's': /* --seckey */

881

seckey = arg;

882

break;

883

case 'p': /* --pubkey */

884

pubkey = arg;

885

break;

886

case 129: /* --dh-bits */

887

errno = 0;

888

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

889

if (errno){

890

perror("strtol");

891

exit(EXIT_FAILURE);

892

}

893

break;

894

case 130: /* --priority */

895

mc.priority = arg;

896

break;

897

case ARGP_KEY_ARG:

898

argp_usage (state);

899

case ARGP_KEY_END:

900

break;

901

default:

902

return ARGP_ERR_UNKNOWN;

903

}

904

return 0;

905

}

906

907

struct argp argp = { .options = options, .parser = parse_opt,

908

.args_doc = "",

909

.doc = "Mandos client -- Get and decrypt"

910

" passwords from a Mandos server" };

911

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

912

if (ret == ARGP_ERR_UNKNOWN){

913

fprintf(stderr, "Unknown error while parsing arguments\n");

914

exitcode = EXIT_FAILURE;

915

goto end;

916

}

917

}

918

919

/* If the interface is down, bring it up */

920

{

921

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

922

if(sd < 0) {

923

perror("socket");

924

exitcode = EXIT_FAILURE;

925

goto end;

926

}

927

strcpy(network.ifr_name, interface);

928

ret = ioctl(sd, SIOCGIFFLAGS, &network);

929

if(ret == -1){

930

perror("ioctl SIOCGIFFLAGS");

931

exitcode = EXIT_FAILURE;

932

goto end;

933

}

934

if((network.ifr_flags & IFF_UP) == 0){

935

network.ifr_flags |= IFF_UP;

936

ret = ioctl(sd, SIOCSIFFLAGS, &network);

937

if(ret == -1){

938

perror("ioctl SIOCSIFFLAGS");

939

exitcode = EXIT_FAILURE;

940

goto end;

941

}

942

}

943

ret = TEMP_FAILURE_RETRY(close(sd));

944

if(ret == -1){

945

perror("close");

946

}

947

}

948

949

uid = getuid();

950

gid = getgid();

951

952

ret = setuid(uid);

953

if (ret == -1){

954

perror("setuid");

955

}

956

957

setgid(gid);

958

if (ret == -1){

959

perror("setgid");

960

}

961

962

ret = init_gnutls_global(&mc, pubkey, seckey);

963

if (ret == -1){

964

fprintf(stderr, "init_gnutls_global failed\n");

965

exitcode = EXIT_FAILURE;

966

goto end;

967

} else {

968

gnutls_initalized = true;

969

}

970

971

if(mkdtemp(tempdir) == NULL){

972

perror("mkdtemp");

973

tempdir[0] = '\0';

974

goto end;

975

}

976

977

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

978

fprintf(stderr, "gpgme_initalized failed\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

} else {

982

gpgme_initalized = true;

983

}

984

985

if_index = (AvahiIfIndex) if_nametoindex(interface);

986

if(if_index == 0){

987

fprintf(stderr, "No such interface: \"%s\"\n", interface);

988

exit(EXIT_FAILURE);

670

989

}

671

990

672

991

if(connect_to != NULL){

675

994

char *address = strrchr(connect_to, ':');

676

995

if(address == NULL){

677

996

fprintf(stderr, "No colon in address\n");

678

exit(EXIT_FAILURE);

997

exitcode = EXIT_FAILURE;

998

goto end;

679

999

}

680

1000

errno = 0;

681

1001

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

682

1002

if(errno){

683

1003

perror("Bad port number");

684

exit(EXIT_FAILURE);

1004

exitcode = EXIT_FAILURE;

1005

goto end;

685

1006

}

686

1007

*address = '\0';

687

1008

address = connect_to;

688

ret = start_mandos_communication(address, port, if_index);

1009

ret = start_mandos_communication(address, port, if_index, &mc);

689

1010

if(ret < 0){

690

exit(EXIT_FAILURE);

1011

exitcode = EXIT_FAILURE;

691

1012

} else {

692

exit(EXIT_SUCCESS);

1013

exitcode = EXIT_SUCCESS;

693

1014

}

1015

goto end;

694

1016

}

695

1017

696

1018

if (not debug){

697

1019

avahi_set_log_function(empty_log);

698

1020

}

699

1021

700

/* Initialize the psuedo-RNG */

1022

/* Initialize the pseudo-RNG for Avahi */

701

1023

srand((unsigned int) time(NULL));

702

703

/* Allocate main loop object */

704

if (!(simple_poll = avahi_simple_poll_new())) {

705

fprintf(stderr, "Failed to create simple poll object.\n");

706

707

goto exit;

708

}

709

710

/* Do not publish any local records */

711

avahi_server_config_init(&config);

712

config.publish_hinfo = 0;

713

config.publish_addresses = 0;

714

config.publish_workstation = 0;

715

config.publish_domain = 0;

716

717

/* Allocate a new server */

718

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

719

&config, NULL, NULL, &error);

720

721

/* Free the configuration data */

722

avahi_server_config_free(&config);

723

724

/* Check if creating the server object succeeded */

725

if (!server) {

726

fprintf(stderr, "Failed to create server: %s\n",

1024

1025

/* Allocate main Avahi loop object */

1026

mc.simple_poll = avahi_simple_poll_new();

1027

if (mc.simple_poll == NULL) {

1028

fprintf(stderr, "Avahi: Failed to create simple poll"

1029

" object.\n");

1030

exitcode = EXIT_FAILURE;

1031

goto end;

1032

}

1033

1034

{

1035

AvahiServerConfig config;

1036

/* Do not publish any local Zeroconf records */

1037

avahi_server_config_init(&config);

1038

config.publish_hinfo = 0;

1039

config.publish_addresses = 0;

1040

config.publish_workstation = 0;

1041

config.publish_domain = 0;

1042

1043

/* Allocate a new server */

1044

mc.server = avahi_server_new(avahi_simple_poll_get

1045

(mc.simple_poll), &config, NULL,

1046

NULL, &error);

1047

1048

/* Free the Avahi configuration data */

1049

avahi_server_config_free(&config);

1050

}

1051

1052

/* Check if creating the Avahi server object succeeded */

1053

if (mc.server == NULL) {

1054

fprintf(stderr, "Failed to create Avahi server: %s\n",

727

1055

avahi_strerror(error));

728

returncode = EXIT_FAILURE;

729

goto exit;

1056

exitcode = EXIT_FAILURE;

1057

goto end;

730

1058

}

731

1059

732

/* Create the service browser */

733

sb = avahi_s_service_browser_new(server, if_index,

1060

/* Create the Avahi service browser */

1061

sb = avahi_s_service_browser_new(mc.server, if_index,

734

1062

AVAHI_PROTO_INET6,

735

1063

"_mandos._tcp", NULL, 0,

736

browse_callback, server);

737

if (!sb) {

1064

browse_callback, &mc);

1065

if (sb == NULL) {

738

1066

fprintf(stderr, "Failed to create service browser: %s\n",

739

avahi_strerror(avahi_server_errno(server)));

740

returncode = EXIT_FAILURE;

741

goto exit;

1067

avahi_strerror(avahi_server_errno(mc.server)));

1068

exitcode = EXIT_FAILURE;

1069

goto end;

742

1070

}

743

1071

744

1072

/* Run the main loop */

745

1073

746

1074

if (debug){

747

fprintf(stderr, "Starting avahi loop search\n");

1075

fprintf(stderr, "Starting Avahi loop search\n");

748

1076

}

749

1077

750

avahi_simple_poll_loop(simple_poll);

751

752

exit:

753

1078

avahi_simple_poll_loop(mc.simple_poll);

1079

1080

end:

1081

754

1082

if (debug){

755

1083

fprintf(stderr, "%s exiting\n", argv[0]);

756

1084

}

757

1085

758

1086

/* Cleanup things */

759

if (sb)

1087

if (sb != NULL)

760

1088

avahi_s_service_browser_free(sb);

761

1089

762

if (server)

763

avahi_server_free(server);

764

765

if (simple_poll)

766

avahi_simple_poll_free(simple_poll);

767

768

return returncode;

1090

if (mc.server != NULL)

1091

avahi_server_free(mc.server);

1092

1093

if (mc.simple_poll != NULL)

1094

avahi_simple_poll_free(mc.simple_poll);

1095

1096

if (gnutls_initalized){

1097

gnutls_certificate_free_credentials(mc.cred);

1098

gnutls_global_deinit ();

1099

gnutls_dh_params_deinit(mc.dh_params);

1100

}

1101

1102

if(gpgme_initalized){

1103

gpgme_release(mc.ctx);

1104

}

1105

1106

/* Removes the temp directory used by GPGME */

1107

if(tempdir[0] != '\0'){

1108

DIR *d;

1109

struct dirent *direntry;

1110

d = opendir(tempdir);

1111

if(d == NULL){

1112

perror("opendir");

1113

} else {

1114

while(true){

1115

direntry = readdir(d);

1116

if(direntry == NULL){

1117

break;

1118

}

1119

if (direntry->d_type == DT_REG){

1120

char *fullname = NULL;

1121

ret = asprintf(&fullname, "%s/%s", tempdir,

1122

direntry->d_name);

1123

if(ret < 0){

1124

perror("asprintf");

1125

continue;

1126

}

1127

ret = unlink(fullname);

1128

if(ret == -1){

1129

fprintf(stderr, "unlink(\"%s\"): %s",

1130

fullname, strerror(errno));

1131

}

1132

free(fullname);

1133

}

1134

}

1135

closedir(d);

1136

}

1137

ret = rmdir(tempdir);

1138

if(ret == -1){

1139

perror("rmdir");

1140

}

1141

}

1142

1143

return exitcode;

769

1144

}

Older »