To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 259
- compare with another revision
- download diff
- download tarball
- view history from revision 259
- Committer: Teddy Hogeborn
- Date: 2009-01-10 02:39:56 UTC
- mfrom: (257.1.2 mandos)
- Revision ID: teddy@fukt.bsnet.se-20090110023956-o7f5r8af28fmgahw
Fixed warnings on AMD64, thanks to Mooie <mooie@cow.se> for the patch.
* plugins.d/askpass-fifo.c (main): Cast value from TEMP_FAILURE_RETRY
to int, the value the inner
function returns.
* plugins.d/mandos-client.c (init_gpgme): - '' -
(start_mandos_communication): New variable "ssize_t sret"; used to
store return value from
"gnutls_record_recv". Also cast value
from TEMP_FAILURE_RETRY as above.
* plugins.d/usplash.c (usplash_write): New variable "ssize_t sret";
used to store return value from
"write".
* plugins.d/askpass-fifo.c (main): Cast value from TEMP_FAILURE_RETRY
to int, the value the inner
function returns.
* plugins.d/mandos-client.c (init_gpgme): - '' -
(start_mandos_communication): New variable "ssize_t sret"; used to
store return value from
"gnutls_record_recv". Also cast value
from TEMP_FAILURE_RETRY as above.
* plugins.d/usplash.c (usplash_write): New variable "ssize_t sret";
used to store return value from
"write".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
44
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16 */
59
#include <assert.h> /* assert() */
60
#include <errno.h> /* perror(), errno */
61
#include <time.h> /* time() */
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
63
SIOCSIFFLAGS, if_indextoname(),
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
67
getuid(), getgid(), setuid(),
68
setgid() */
69
#include <arpa/inet.h> /* inet_pton(), htons */
70
#include <iso646.h> /* not, and */
71
#include <argp.h> /* struct argp_option, error_t, struct
72
argp_state, struct argp,
73
argp_parse(), ARGP_KEY_ARG,
74
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
75
76
/* Avahi */
77
/* All Avahi types, constants and functions
78
Avahi*, avahi_*,
79
AVAHI_* */
45
80
#include <avahi-core/core.h>
46
81
#include <avahi-core/lookup.h>
47
82
#include <avahi-core/log.h>
49
84
#include <avahi-common/malloc.h>
50
85
#include <avahi-common/error.h>
51
86
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt long
71
#include <getopt.h>
87
/* GnuTLS */
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
90
gnutls_*
91
init_gnutls_session(),
92
GNUTLS_* */
93
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
94
GNUTLS_OPENPGP_FMT_BASE64 */
95
96
/* GPGME */
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
99
gpgme_*
100
GPGME_PROTOCOL_OpenPGP,
101
GPG_ERR_NO_* */
72
102
73
103
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
104
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
79
108
80
109
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
110
static const char mandos_protocol_version[] = "1";
111
const char *argp_program_version = "mandos-client " VERSION;
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
113
114
/* Used for passing in values through the Avahi callback functions */
84
115
typedef struct {
85
116
AvahiSimplePoll *simple_poll;
86
117
AvahiServer *server;
87
118
gnutls_certificate_credentials_t cred;
88
119
unsigned int dh_bits;
120
gnutls_dh_params_t dh_params;
89
121
const char *priority;
122
gpgme_ctx_t ctx;
90
123
} mandos_context;
91
124
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
125
/*
126
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
127
* "buffer_capacity" is how much is currently allocated,
128
* "buffer_length" is how much is already used.
129
*/
130
size_t adjustbuffer(char **buffer, size_t buffer_length,
93
131
size_t buffer_capacity){
94
132
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
133
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
96
134
if (buffer == NULL){
97
135
return 0;
98
136
}
101
139
return buffer_capacity;
102
140
}
103
141
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
106
const char *homedir){
107
gpgme_data_t dh_crypto, dh_plain;
108
gpgme_ctx_t ctx;
142
/*
143
* Initialize GPGME.
144
*/
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
109
148
gpgme_error_t rc;
110
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
113
149
gpgme_engine_info_t engine_info;
114
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = (int)TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
115
187
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
188
fprintf(stderr, "Initialize gpgme\n");
117
189
}
118
190
119
191
/* Init GPGME */
122
194
if (rc != GPG_ERR_NO_ERROR){
123
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
124
196
gpgme_strsource(rc), gpgme_strerror(rc));
125
return -1;
197
return false;
126
198
}
127
199
128
/* Set GPGME home directory */
200
/* Set GPGME home directory for the OpenPGP engine only */
129
201
rc = gpgme_get_engine_info (&engine_info);
130
202
if (rc != GPG_ERR_NO_ERROR){
131
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
132
204
gpgme_strsource(rc), gpgme_strerror(rc));
133
return -1;
205
return false;
134
206
}
135
207
while(engine_info != NULL){
136
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
137
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
138
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
139
211
break;
140
212
}
141
213
engine_info = engine_info->next;
142
214
}
143
215
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
145
return -1;
146
}
147
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
251
}
252
253
/* Create new GPGME data buffer from memory cryptotext */
254
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
255
0);
150
256
if (rc != GPG_ERR_NO_ERROR){
151
257
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
258
gpgme_strsource(rc), gpgme_strerror(rc));
158
264
if (rc != GPG_ERR_NO_ERROR){
159
265
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
266
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
162
}
163
164
/* Create new GPGME "context" */
165
rc = gpgme_new(&ctx);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
170
}
171
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
174
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
267
gpgme_data_release(dh_crypto);
268
return -1;
269
}
270
271
/* Decrypt data from the cryptotext data buffer to the plaintext
272
data buffer */
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
175
274
if (rc != GPG_ERR_NO_ERROR){
176
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
276
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
306
goto decrypt_end;
179
307
}
180
308
181
309
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
183
}
184
185
if (debug){
186
gpgme_decrypt_result_t result;
187
result = gpgme_op_decrypt_result(ctx);
188
if (result == NULL){
189
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
190
} else {
191
fprintf(stderr, "Unsupported algorithm: %s\n",
192
result->unsupported_algorithm);
193
fprintf(stderr, "Wrong key usage: %d\n",
194
result->wrong_key_usage);
195
if(result->file_name != NULL){
196
fprintf(stderr, "File name: %s\n", result->file_name);
197
}
198
gpgme_recipient_t recipient;
199
recipient = result->recipients;
200
if(recipient){
201
while(recipient != NULL){
202
fprintf(stderr, "Public key algorithm: %s\n",
203
gpgme_pubkey_algo_name(recipient->pubkey_algo));
204
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
205
fprintf(stderr, "Secret key available: %s\n",
206
recipient->status == GPG_ERR_NO_SECKEY
207
? "No" : "Yes");
208
recipient = recipient->next;
209
}
210
}
211
}
212
}
213
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
311
}
216
312
217
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
perror("pgpme_data_seek");
315
perror("gpgme_data_seek");
316
plaintext_length = -1;
317
goto decrypt_end;
220
318
}
221
319
222
*new_packet = 0;
320
*plaintext = NULL;
223
321
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
322
plaintext_capacity = adjustbuffer(plaintext,
323
(size_t)plaintext_length,
324
plaintext_capacity);
325
if (plaintext_capacity == 0){
227
326
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
327
plaintext_length = -1;
328
goto decrypt_end;
231
329
}
232
330
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
331
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
332
BUFFER_SIZE);
235
333
/* Print the data, if any */
236
334
if (ret == 0){
335
/* EOF */
237
336
break;
238
337
}
239
338
if(ret < 0){
240
339
perror("gpgme_data_read");
241
return -1;
242
}
243
new_packet_length += ret;
244
}
245
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
340
plaintext_length = -1;
341
goto decrypt_end;
342
}
343
plaintext_length += ret;
344
}
345
346
if(debug){
347
fprintf(stderr, "Decrypted password is: ");
348
for(ssize_t i = 0; i < plaintext_length; i++){
349
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
350
}
351
fprintf(stderr, "\n");
352
}
353
354
decrypt_end:
355
356
/* Delete the GPGME cryptotext data buffer */
357
gpgme_data_release(dh_crypto);
253
358
254
359
/* Delete the GPGME plaintext data buffer */
255
360
gpgme_data_release(dh_plain);
256
return new_packet_length;
361
return plaintext_length;
257
362
}
258
363
259
364
static const char * safer_gnutls_strerror (int value) {
260
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
261
366
if (ret == NULL)
262
367
ret = "(unknown)";
263
368
return ret;
264
369
}
265
370
371
/* GnuTLS log function callback */
266
372
static void debuggnutls(__attribute__((unused)) int level,
267
373
const char* string){
268
fprintf(stderr, "%s", string);
374
fprintf(stderr, "GnuTLS: %s", string);
269
375
}
270
376
271
static int initgnutls(mandos_context *mc){
272
const char *err;
377
static int init_gnutls_global(mandos_context *mc,
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
273
380
int ret;
274
381
275
382
if(debug){
276
383
fprintf(stderr, "Initializing GnuTLS\n");
277
384
}
278
279
if ((ret = gnutls_global_init ())
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
385
386
ret = gnutls_global_init();
387
if (ret != GNUTLS_E_SUCCESS) {
388
fprintf (stderr, "GnuTLS global_init: %s\n",
389
safer_gnutls_strerror(ret));
282
390
return -1;
283
391
}
284
392
285
393
if (debug){
394
/* "Use a log level over 10 to enable all debugging options."
395
* - GnuTLS manual
396
*/
286
397
gnutls_global_set_log_level(11);
287
398
gnutls_global_set_log_function(debuggnutls);
288
399
}
289
400
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
292
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
401
/* OpenPGP credentials */
402
gnutls_certificate_allocate_credentials(&mc->cred);
403
if (ret != GNUTLS_E_SUCCESS){
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
294
406
safer_gnutls_strerror(ret));
407
gnutls_global_deinit ();
295
408
return -1;
296
409
}
297
410
298
411
if(debug){
299
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
302
415
}
303
416
304
417
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
306
420
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
421
fprintf(stderr,
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
312
425
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
426
goto globalfail;
427
}
428
429
/* GnuTLS server initialization */
430
ret = gnutls_dh_params_init(&mc->dh_params);
431
if (ret != GNUTLS_E_SUCCESS) {
432
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
433
" %s\n", safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
437
if (ret != GNUTLS_E_SUCCESS) {
438
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
439
safer_gnutls_strerror(ret));
440
goto globalfail;
441
}
442
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
444
445
return 0;
446
447
globalfail:
448
449
gnutls_certificate_free_credentials(mc->cred);
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
452
return -1;
453
}
454
455
static int init_gnutls_session(mandos_context *mc,
456
gnutls_session_t *session){
457
int ret;
458
/* GnuTLS session creation */
459
ret = gnutls_init(session, GNUTLS_SERVER);
460
if (ret != GNUTLS_E_SUCCESS){
336
461
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
462
safer_gnutls_strerror(ret));
338
463
}
339
464
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
465
{
466
const char *err;
467
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
468
if (ret != GNUTLS_E_SUCCESS) {
469
fprintf(stderr, "Syntax error at: %s\n", err);
470
fprintf(stderr, "GnuTLS error: %s\n",
471
safer_gnutls_strerror(ret));
472
gnutls_deinit (*session);
473
return -1;
474
}
346
475
}
347
476
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
477
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
478
mc->cred);
479
if (ret != GNUTLS_E_SUCCESS) {
480
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
481
safer_gnutls_strerror(ret));
482
gnutls_deinit (*session);
353
483
return -1;
354
484
}
355
485
356
486
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
487
gnutls_certificate_server_set_request (*session,
358
488
GNUTLS_CERT_IGNORE);
359
489
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
490
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
361
491
362
492
return 0;
363
493
}
364
494
495
/* Avahi log function callback */
365
496
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
497
__attribute__((unused)) const char *txt){}
367
498
499
/* Called when a Mandos server is found */
368
500
static int start_mandos_communication(const char *ip, uint16_t port,
369
501
AvahiIfIndex if_index,
370
502
mandos_context *mc){
371
503
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
504
ssize_t sret;
505
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
374
506
char *buffer = NULL;
375
507
char *decrypted_buffer;
376
508
size_t buffer_length = 0;
379
511
size_t written;
380
512
int retval = 0;
381
513
char interface[IF_NAMESIZE];
514
gnutls_session_t session;
515
516
ret = init_gnutls_session (mc, &session);
517
if (ret != 0){
518
return -1;
519
}
382
520
383
521
if(debug){
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
385
ip, port);
522
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
523
"\n", ip, port);
386
524
}
387
525
388
526
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
390
528
perror("socket");
391
529
return -1;
392
530
}
393
531
394
532
if(debug){
395
533
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
534
perror("if_indextoname");
399
535
return -1;
400
536
}
401
402
537
fprintf(stderr, "Binding to interface %s\n", interface);
403
538
}
404
539
405
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
540
memset(&to, 0, sizeof(to));
541
to.in6.sin6_family = AF_INET6;
542
/* It would be nice to have a way to detect if we were passed an
543
IPv4 address here. Now we assume an IPv6 address. */
544
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
545
if (ret < 0 ){
409
546
perror("inet_pton");
410
547
return -1;
411
}
548
}
412
549
if(ret == 0){
413
550
fprintf(stderr, "Bad address: %s\n", ip);
414
551
return -1;
415
552
}
416
to.sin6_port = htons(port); /* Spurious warning */
553
to.in6.sin6_port = htons(port); /* Spurious warning */
417
554
418
to.sin6_scope_id = (uint32_t)if_index;
555
to.in6.sin6_scope_id = (uint32_t)if_index;
419
556
420
557
if(debug){
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
558
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
559
port);
560
char addrstr[INET6_ADDRSTRLEN] = "";
561
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
562
sizeof(addrstr)) == NULL){
563
perror("inet_ntop");
564
} else {
565
if(strcmp(addrstr, ip) != 0){
566
fprintf(stderr, "Canonical address form: %s\n", addrstr);
567
}
568
}
430
569
}
431
570
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
571
ret = connect(tcp_sd, &to.in, sizeof(to));
433
572
if (ret < 0){
434
573
perror("connect");
435
574
return -1;
436
575
}
437
438
char *out = mandos_protocol_version;
576
577
const char *out = mandos_protocol_version;
439
578
written = 0;
440
579
while (true){
441
580
size_t out_size = strlen(out);
442
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
581
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
443
582
out_size - written));
444
583
if (ret == -1){
445
584
perror("write");
446
585
retval = -1;
447
goto end;
586
goto mandos_end;
448
587
}
449
written += ret;
588
written += (size_t)ret;
450
589
if(written < out_size){
451
590
continue;
452
591
} else {
458
597
}
459
598
}
460
599
}
461
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
600
471
601
if(debug){
472
602
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
603
}
474
604
475
ret = gnutls_handshake (es.session);
605
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
606
607
do{
608
ret = gnutls_handshake (session);
609
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
476
610
477
611
if (ret != GNUTLS_E_SUCCESS){
478
612
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
613
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
480
614
gnutls_perror (ret);
481
615
}
482
616
retval = -1;
483
goto exit;
617
goto mandos_end;
484
618
}
485
619
486
//Retrieve OpenPGP packet that contains the wanted password
620
/* Read OpenPGP packet that contains the wanted password */
487
621
488
622
if(debug){
489
623
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
490
624
ip);
491
625
}
492
626
493
627
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
628
buffer_capacity = adjustbuffer(&buffer, buffer_length,
629
buffer_capacity);
495
630
if (buffer_capacity == 0){
496
631
perror("adjustbuffer");
497
632
retval = -1;
498
goto exit;
633
goto mandos_end;
499
634
}
500
635
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
503
if (ret == 0){
636
sret = gnutls_record_recv(session, buffer+buffer_length,
637
BUFFER_SIZE);
638
if (sret == 0){
504
639
break;
505
640
}
506
if (ret < 0){
507
switch(ret){
641
if (sret < 0){
642
switch(sret){
508
643
case GNUTLS_E_INTERRUPTED:
509
644
case GNUTLS_E_AGAIN:
510
645
break;
511
646
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
647
do{
648
ret = gnutls_handshake (session);
649
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
513
650
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
651
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
515
652
gnutls_perror (ret);
516
653
retval = -1;
517
goto exit;
654
goto mandos_end;
518
655
}
519
656
break;
520
657
default:
521
658
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
659
" encrypted session with Mandos server\n");
523
660
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
661
gnutls_bye (session, GNUTLS_SHUT_RDWR);
662
goto mandos_end;
526
663
}
527
664
} else {
528
buffer_length += (size_t) ret;
665
buffer_length += (size_t) sret;
529
666
}
530
667
}
531
668
669
if(debug){
670
fprintf(stderr, "Closing TLS session\n");
671
}
672
673
gnutls_bye (session, GNUTLS_SHUT_RDWR);
674
532
675
if (buffer_length > 0){
533
decrypted_buffer_size = pgp_packet_decrypt(buffer,
676
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
534
677
buffer_length,
535
&decrypted_buffer,
536
certdir);
678
&decrypted_buffer);
537
679
if (decrypted_buffer_size >= 0){
538
680
written = 0;
539
681
while(written < (size_t) decrypted_buffer_size){
554
696
} else {
555
697
retval = -1;
556
698
}
557
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
699
} else {
700
retval = -1;
701
}
702
703
/* Shutdown procedure */
704
705
mandos_end:
565
706
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
707
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
708
if(ret == -1){
709
perror("close");
710
}
711
gnutls_deinit (session);
572
712
return retval;
573
713
}
574
714
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
715
static void resolve_callback(AvahiSServiceResolver *r,
716
AvahiIfIndex interface,
717
AVAHI_GCC_UNUSED AvahiProtocol protocol,
718
AvahiResolverEvent event,
719
const char *name,
720
const char *type,
721
const char *domain,
722
const char *host_name,
723
const AvahiAddress *address,
724
uint16_t port,
725
AVAHI_GCC_UNUSED AvahiStringList *txt,
726
AVAHI_GCC_UNUSED AvahiLookupResultFlags
727
flags,
728
void* userdata) {
588
729
mandos_context *mc = userdata;
589
assert(r); /* Spurious warning */
730
assert(r);
590
731
591
732
/* Called whenever a service has been resolved successfully or
592
733
timed out */
594
735
switch (event) {
595
736
default:
596
737
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
738
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
739
" of type '%s' in domain '%s': %s\n", name, type, domain,
599
740
avahi_strerror(avahi_server_errno(mc->server)));
600
741
break;
601
742
604
745
char ip[AVAHI_ADDRESS_STR_MAX];
605
746
avahi_address_snprint(ip, sizeof(ip), address);
606
747
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
748
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
749
PRIu16 ") on port %d\n", name, host_name, ip,
750
interface, port);
609
751
}
610
752
int ret = start_mandos_communication(ip, port, interface, mc);
611
753
if (ret == 0){
612
exit(EXIT_SUCCESS);
754
avahi_simple_poll_quit(mc->simple_poll);
613
755
}
614
756
}
615
757
}
623
765
const char *name,
624
766
const char *type,
625
767
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
768
AVAHI_GCC_UNUSED AvahiLookupResultFlags
769
flags,
627
770
void* userdata) {
628
771
mandos_context *mc = userdata;
629
assert(b); /* Spurious warning */
772
assert(b);
630
773
631
774
/* Called whenever a new services becomes available on the LAN or
632
775
is removed from the LAN */
634
777
switch (event) {
635
778
default:
636
779
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
780
781
fprintf(stderr, "(Avahi browser) %s\n",
639
782
avahi_strerror(avahi_server_errno(mc->server)));
640
783
avahi_simple_poll_quit(mc->simple_poll);
641
784
return;
642
785
643
786
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
787
/* We ignore the returned Avahi resolver object. In the callback
788
function we free it. If the Avahi server is terminated before
789
the callback function is called the Avahi server will free the
790
resolver for us. */
791
792
if (!(avahi_s_service_resolver_new(mc->server, interface,
793
protocol, name, type, domain,
651
794
AVAHI_PROTO_INET6, 0,
652
795
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
796
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
797
name, avahi_strerror(avahi_server_errno(mc->server)));
655
798
break;
656
799
657
800
case AVAHI_BROWSER_REMOVE:
658
801
break;
659
802
660
803
case AVAHI_BROWSER_ALL_FOR_NOW:
661
804
case AVAHI_BROWSER_CACHE_EXHAUSTED:
805
if(debug){
806
fprintf(stderr, "No Mandos server found, still searching...\n");
807
}
662
808
break;
663
809
}
664
810
}
665
811
666
/* Combines file name and path and returns the malloced new
667
string. some sane checks could/should be added */
668
static const char *combinepath(const char *first, const char *second){
669
size_t f_len = strlen(first);
670
size_t s_len = strlen(second);
671
char *tmp = malloc(f_len + s_len + 2);
672
if (tmp == NULL){
673
return NULL;
674
}
675
if(f_len > 0){
676
memcpy(tmp, first, f_len);
677
}
678
tmp[f_len] = '/';
679
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
681
}
682
tmp[f_len + 1 + s_len] = '\0';
683
return tmp;
684
}
685
686
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
812
int main(int argc, char *argv[]){
689
813
AvahiSServiceBrowser *sb = NULL;
690
814
int error;
691
815
int ret;
692
int returncode = EXIT_SUCCESS;
816
int exitcode = EXIT_SUCCESS;
693
817
const char *interface = "eth0";
694
818
struct ifreq network;
695
819
int sd;
820
uid_t uid;
821
gid_t gid;
696
822
char *connect_to = NULL;
823
char tempdir[] = "/tmp/mandosXXXXXX";
697
824
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
825
const char *seckey = PATHDIR "/" SECKEY;
826
const char *pubkey = PATHDIR "/" PUBKEY;
827
698
828
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
829
.dh_bits = 1024, .priority = "SECURE256"
830
":!CTYPE-X.509:+CTYPE-OPENPGP" };
831
bool gnutls_initalized = false;
832
bool gpgme_initalized = false;
700
833
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
834
{
835
struct argp_option options[] = {
836
{ .name = "debug", .key = 128,
837
.doc = "Debug mode", .group = 3 },
838
{ .name = "connect", .key = 'c',
839
.arg = "ADDRESS:PORT",
840
.doc = "Connect directly to a specific Mandos server",
841
.group = 1 },
842
{ .name = "interface", .key = 'i',
843
.arg = "NAME",
844
.doc = "Interface that will be used to search for Mandos"
845
" servers",
846
.group = 1 },
847
{ .name = "seckey", .key = 's',
848
.arg = "FILE",
849
.doc = "OpenPGP secret key file base name",
850
.group = 1 },
851
{ .name = "pubkey", .key = 'p',
852
.arg = "FILE",
853
.doc = "OpenPGP public key file base name",
854
.group = 2 },
855
{ .name = "dh-bits", .key = 129,
856
.arg = "BITS",
857
.doc = "Bit length of the prime number used in the"
858
" Diffie-Hellman key exchange",
859
.group = 2 },
860
{ .name = "priority", .key = 130,
861
.arg = "STRING",
862
.doc = "GnuTLS priority string for the TLS handshake",
863
.group = 1 },
864
{ .name = NULL }
865
};
866
867
error_t parse_opt (int key, char *arg,
868
struct argp_state *state) {
869
/* Get the INPUT argument from `argp_parse', which we know is
870
a pointer to our plugin list pointer. */
871
switch (key) {
872
case 128: /* --debug */
873
debug = true;
874
break;
875
case 'c': /* --connect */
876
connect_to = arg;
877
break;
878
case 'i': /* --interface */
879
interface = arg;
880
break;
881
case 's': /* --seckey */
882
seckey = arg;
883
break;
884
case 'p': /* --pubkey */
885
pubkey = arg;
886
break;
887
case 129: /* --dh-bits */
742
888
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
889
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
890
if (errno){
745
891
perror("strtol");
746
892
exit(EXIT_FAILURE);
747
893
}
748
mc.dh_bits = tmp;
749
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
756
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
894
break;
895
case 130: /* --priority */
896
mc.priority = arg;
897
break;
898
case ARGP_KEY_ARG:
899
argp_usage (state);
900
case ARGP_KEY_END:
901
break;
902
default:
903
return ARGP_ERR_UNKNOWN;
904
}
905
return 0;
906
}
907
908
struct argp argp = { .options = options, .parser = parse_opt,
909
.args_doc = "",
910
.doc = "Mandos client -- Get and decrypt"
911
" passwords from a Mandos server" };
912
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
913
if (ret == ARGP_ERR_UNKNOWN){
914
fprintf(stderr, "Unknown error while parsing arguments\n");
915
exitcode = EXIT_FAILURE;
916
goto end;
917
}
918
}
919
920
/* If the interface is down, bring it up */
921
{
922
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
923
if(sd < 0) {
924
perror("socket");
925
exitcode = EXIT_FAILURE;
926
goto end;
927
}
928
strcpy(network.ifr_name, interface);
929
ret = ioctl(sd, SIOCGIFFLAGS, &network);
930
if(ret == -1){
931
perror("ioctl SIOCGIFFLAGS");
932
exitcode = EXIT_FAILURE;
933
goto end;
934
}
935
if((network.ifr_flags & IFF_UP) == 0){
936
network.ifr_flags |= IFF_UP;
937
ret = ioctl(sd, SIOCSIFFLAGS, &network);
938
if(ret == -1){
939
perror("ioctl SIOCSIFFLAGS");
940
exitcode = EXIT_FAILURE;
941
goto end;
942
}
943
}
944
ret = (int)TEMP_FAILURE_RETRY(close(sd));
945
if(ret == -1){
946
perror("close");
947
}
948
}
949
950
uid = getuid();
951
gid = getgid();
952
953
ret = setuid(uid);
954
if (ret == -1){
955
perror("setuid");
956
}
957
958
setgid(gid);
959
if (ret == -1){
960
perror("setgid");
961
}
962
963
ret = init_gnutls_global(&mc, pubkey, seckey);
964
if (ret == -1){
965
fprintf(stderr, "init_gnutls_global failed\n");
966
exitcode = EXIT_FAILURE;
967
goto end;
968
} else {
969
gnutls_initalized = true;
970
}
971
972
if(mkdtemp(tempdir) == NULL){
973
perror("mkdtemp");
974
tempdir[0] = '\0';
975
goto end;
976
}
977
978
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
979
fprintf(stderr, "gpgme_initalized failed\n");
980
exitcode = EXIT_FAILURE;
981
goto end;
982
} else {
983
gpgme_initalized = true;
771
984
}
772
985
773
986
if_index = (AvahiIfIndex) if_nametoindex(interface);
782
995
char *address = strrchr(connect_to, ':');
783
996
if(address == NULL){
784
997
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
998
exitcode = EXIT_FAILURE;
999
goto end;
786
1000
}
787
1001
errno = 0;
788
1002
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
1003
if(errno){
790
1004
perror("Bad port number");
791
exit(EXIT_FAILURE);
1005
exitcode = EXIT_FAILURE;
1006
goto end;
792
1007
}
793
1008
*address = '\0';
794
1009
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
1010
ret = start_mandos_communication(address, port, if_index, &mc);
796
1011
if(ret < 0){
797
exit(EXIT_FAILURE);
1012
exitcode = EXIT_FAILURE;
798
1013
} else {
799
exit(EXIT_SUCCESS);
800
}
801
}
802
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
820
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
825
}
826
close(sd);
1014
exitcode = EXIT_SUCCESS;
1015
}
1016
goto end;
1017
}
827
1018
828
1019
if (not debug){
829
1020
avahi_set_log_function(empty_log);
830
1021
}
831
1022
832
/* Initialize the psuedo-RNG */
1023
/* Initialize the pseudo-RNG for Avahi */
833
1024
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
1025
1026
/* Allocate main Avahi loop object */
1027
mc.simple_poll = avahi_simple_poll_new();
1028
if (mc.simple_poll == NULL) {
1029
fprintf(stderr, "Avahi: Failed to create simple poll"
1030
" object.\n");
1031
exitcode = EXIT_FAILURE;
1032
goto end;
1033
}
1034
1035
{
1036
AvahiServerConfig config;
1037
/* Do not publish any local Zeroconf records */
1038
avahi_server_config_init(&config);
1039
config.publish_hinfo = 0;
1040
config.publish_addresses = 0;
1041
config.publish_workstation = 0;
1042
config.publish_domain = 0;
1043
1044
/* Allocate a new server */
1045
mc.server = avahi_server_new(avahi_simple_poll_get
1046
(mc.simple_poll), &config, NULL,
1047
NULL, &error);
1048
1049
/* Free the Avahi configuration data */
1050
avahi_server_config_free(&config);
1051
}
1052
1053
/* Check if creating the Avahi server object succeeded */
1054
if (mc.server == NULL) {
1055
fprintf(stderr, "Failed to create Avahi server: %s\n",
859
1056
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
1057
exitcode = EXIT_FAILURE;
1058
goto end;
862
1059
}
863
1060
864
/* Create the service browser */
1061
/* Create the Avahi service browser */
865
1062
sb = avahi_s_service_browser_new(mc.server, if_index,
866
1063
AVAHI_PROTO_INET6,
867
1064
"_mandos._tcp", NULL, 0,
868
1065
browse_callback, &mc);
869
if (!sb) {
1066
if (sb == NULL) {
870
1067
fprintf(stderr, "Failed to create service browser: %s\n",
871
1068
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
1069
exitcode = EXIT_FAILURE;
1070
goto end;
874
1071
}
875
1072
876
1073
/* Run the main loop */
877
1074
878
1075
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
1076
fprintf(stderr, "Starting Avahi loop search\n");
880
1077
}
881
1078
882
avahi_simple_poll_loop(simple_poll);
883
884
exit:
885
1079
avahi_simple_poll_loop(mc.simple_poll);
1080
1081
end:
1082
886
1083
if (debug){
887
1084
fprintf(stderr, "%s exiting\n", argv[0]);
888
1085
}
889
1086
890
1087
/* Cleanup things */
891
if (sb)
1088
if (sb != NULL)
892
1089
avahi_s_service_browser_free(sb);
893
1090
894
if (mc.server)
1091
if (mc.server != NULL)
895
1092
avahi_server_free(mc.server);
896
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
901
902
return returncode;
1093
1094
if (mc.simple_poll != NULL)
1095
avahi_simple_poll_free(mc.simple_poll);
1096
1097
if (gnutls_initalized){
1098
gnutls_certificate_free_credentials(mc.cred);
1099
gnutls_global_deinit ();
1100
gnutls_dh_params_deinit(mc.dh_params);
1101
}
1102
1103
if(gpgme_initalized){
1104
gpgme_release(mc.ctx);
1105
}
1106
1107
/* Removes the temp directory used by GPGME */
1108
if(tempdir[0] != '\0'){
1109
DIR *d;
1110
struct dirent *direntry;
1111
d = opendir(tempdir);
1112
if(d == NULL){
1113
perror("opendir");
1114
} else {
1115
while(true){
1116
direntry = readdir(d);
1117
if(direntry == NULL){
1118
break;
1119
}
1120
if (direntry->d_type == DT_REG){
1121
char *fullname = NULL;
1122
ret = asprintf(&fullname, "%s/%s", tempdir,
1123
direntry->d_name);
1124
if(ret < 0){
1125
perror("asprintf");
1126
continue;
1127
}
1128
ret = unlink(fullname);
1129
if(ret == -1){
1130
fprintf(stderr, "unlink(\"%s\"): %s",
1131
fullname, strerror(errno));
1132
}
1133
free(fullname);
1134
}
1135
}
1136
closedir(d);
1137
}
1138
ret = rmdir(tempdir);
1139
if(ret == -1){
1140
perror("rmdir");
1141
}
1142
}
1143
1144
return exitcode;
903
1145
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0