To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 264
- compare with another revision
- download diff
- download tarball
- view history from revision 264
- Committer: Teddy Hogeborn
- Date: 2009-01-13 01:36:46 UTC
- Revision ID: teddy@fukt.bsnet.se-20090113013646-1u21ie2oaotcekdz
* plugin-runner.c (main): Use "sscanf" instead of "strtol"; using the
correct type instead of casting.
* plugins.d/mandos-cliend.c (main): Detect an empty string when
parsing DH bits and port number.
* plugins.d/splashy.c (main): Use "sscanf" instead of "strtoul"; using
the correct type instead of casting.
* plugins.d/usplash.c (main): - '' -
correct type instead of casting.
* plugins.d/mandos-cliend.c (main): Detect an empty string when
parsing DH bits and port number.
* plugins.d/splashy.c (main): Use "sscanf" instead of "strtoul"; using
the correct type instead of casting.
* plugins.d/usplash.c (main): - '' -
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16, SCNu16 */
59
#include <assert.h> /* assert() */
60
#include <errno.h> /* perror(), errno */
61
#include <time.h> /* time() */
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
63
SIOCSIFFLAGS, if_indextoname(),
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
67
getuid(), getgid(), setuid(),
68
setgid() */
69
#include <arpa/inet.h> /* inet_pton(), htons */
70
#include <iso646.h> /* not, and, or */
71
#include <argp.h> /* struct argp_option, error_t, struct
72
argp_state, struct argp,
73
argp_parse(), ARGP_KEY_ARG,
74
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
75
76
/* Avahi */
77
/* All Avahi types, constants and functions
78
Avahi*, avahi_*,
79
AVAHI_* */
41
80
#include <avahi-core/core.h>
42
81
#include <avahi-core/lookup.h>
43
82
#include <avahi-core/log.h>
45
84
#include <avahi-common/malloc.h>
46
85
#include <avahi-common/error.h>
47
86
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt_long
67
#include <getopt.h>
87
/* GnuTLS */
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
90
gnutls_*
91
init_gnutls_session(),
92
GNUTLS_* */
93
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
94
GNUTLS_OPENPGP_FMT_BASE64 */
95
96
/* GPGME */
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
99
gpgme_*
100
GPGME_PROTOCOL_OpenPGP,
101
GPG_ERR_NO_* */
68
102
69
103
#define BUFFER_SIZE 256
70
104
71
static int dh_bits = 1024;
72
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
76
108
77
109
bool debug = false;
110
static const char mandos_protocol_version[] = "1";
111
const char *argp_program_version = "mandos-client " VERSION;
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
78
113
79
/* Used for */
114
/* Used for passing in values through the Avahi callback functions */
80
115
typedef struct {
81
gnutls_session_t session;
116
AvahiSimplePoll *simple_poll;
117
AvahiServer *server;
82
118
gnutls_certificate_credentials_t cred;
119
unsigned int dh_bits;
83
120
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
121
const char *priority;
91
122
gpgme_ctx_t ctx;
123
} mandos_context;
124
125
/*
126
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
127
* "buffer_capacity" is how much is currently allocated,
128
* "buffer_length" is how much is already used.
129
*/
130
size_t adjustbuffer(char **buffer, size_t buffer_length,
131
size_t buffer_capacity){
132
if (buffer_length + BUFFER_SIZE > buffer_capacity){
133
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
134
if (buffer == NULL){
135
return 0;
136
}
137
buffer_capacity += BUFFER_SIZE;
138
}
139
return buffer_capacity;
140
}
141
142
/*
143
* Initialize GPGME.
144
*/
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
92
148
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
96
149
gpgme_engine_info_t engine_info;
97
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = (int)TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
98
187
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
188
fprintf(stderr, "Initialize gpgme\n");
100
189
}
101
190
102
191
/* Init GPGME */
105
194
if (rc != GPG_ERR_NO_ERROR){
106
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
107
196
gpgme_strsource(rc), gpgme_strerror(rc));
108
return -1;
197
return false;
109
198
}
110
199
111
/* Set GPGME home directory */
200
/* Set GPGME home directory for the OpenPGP engine only */
112
201
rc = gpgme_get_engine_info (&engine_info);
113
202
if (rc != GPG_ERR_NO_ERROR){
114
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
115
204
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
205
return false;
117
206
}
118
207
while(engine_info != NULL){
119
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
120
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
121
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
122
211
break;
123
212
}
124
213
engine_info = engine_info->next;
125
214
}
126
215
if(engine_info == NULL){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
251
}
252
253
/* Create new GPGME data buffer from memory cryptotext */
254
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
255
0);
133
256
if (rc != GPG_ERR_NO_ERROR){
134
257
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
135
258
gpgme_strsource(rc), gpgme_strerror(rc));
141
264
if (rc != GPG_ERR_NO_ERROR){
142
265
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
143
266
gpgme_strsource(rc), gpgme_strerror(rc));
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
267
gpgme_data_release(dh_crypto);
268
return -1;
269
}
270
271
/* Decrypt data from the cryptotext data buffer to the plaintext
272
data buffer */
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
158
274
if (rc != GPG_ERR_NO_ERROR){
159
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
160
276
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
306
goto decrypt_end;
162
307
}
163
308
164
309
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
192
}
193
}
194
}
195
}
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
311
}
199
312
200
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
201
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
315
perror("gpgme_data_seek");
316
plaintext_length = -1;
317
goto decrypt_end;
203
318
}
204
319
205
*new_packet = 0;
320
*plaintext = NULL;
206
321
while(true){
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
322
plaintext_capacity = adjustbuffer(plaintext,
323
(size_t)plaintext_length,
324
plaintext_capacity);
325
if (plaintext_capacity == 0){
326
perror("adjustbuffer");
327
plaintext_length = -1;
328
goto decrypt_end;
216
329
}
217
330
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
331
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
332
BUFFER_SIZE);
220
333
/* Print the data, if any */
221
334
if (ret == 0){
335
/* EOF */
222
336
break;
223
337
}
224
338
if(ret < 0){
225
339
perror("gpgme_data_read");
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
340
plaintext_length = -1;
341
goto decrypt_end;
342
}
343
plaintext_length += ret;
344
}
345
346
if(debug){
347
fprintf(stderr, "Decrypted password is: ");
348
for(ssize_t i = 0; i < plaintext_length; i++){
349
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
350
}
351
fprintf(stderr, "\n");
352
}
353
354
decrypt_end:
355
356
/* Delete the GPGME cryptotext data buffer */
357
gpgme_data_release(dh_crypto);
238
358
239
359
/* Delete the GPGME plaintext data buffer */
240
360
gpgme_data_release(dh_plain);
241
return new_packet_length;
361
return plaintext_length;
242
362
}
243
363
244
364
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
246
366
if (ret == NULL)
247
367
ret = "(unknown)";
248
368
return ret;
249
369
}
250
370
371
/* GnuTLS log function callback */
251
372
static void debuggnutls(__attribute__((unused)) int level,
252
373
const char* string){
253
fprintf(stderr, "%s", string);
374
fprintf(stderr, "GnuTLS: %s", string);
254
375
}
255
376
256
static int initgnutls(encrypted_session *es){
257
const char *err;
377
static int init_gnutls_global(mandos_context *mc,
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
258
380
int ret;
259
381
260
382
if(debug){
261
383
fprintf(stderr, "Initializing GnuTLS\n");
262
384
}
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
385
386
ret = gnutls_global_init();
387
if (ret != GNUTLS_E_SUCCESS) {
388
fprintf (stderr, "GnuTLS global_init: %s\n",
389
safer_gnutls_strerror(ret));
267
390
return -1;
268
391
}
269
392
270
393
if (debug){
394
/* "Use a log level over 10 to enable all debugging options."
395
* - GnuTLS manual
396
*/
271
397
gnutls_global_set_log_level(11);
272
398
gnutls_global_set_log_function(debuggnutls);
273
399
}
274
400
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
401
/* OpenPGP credentials */
402
gnutls_certificate_allocate_credentials(&mc->cred);
403
if (ret != GNUTLS_E_SUCCESS){
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
279
406
safer_gnutls_strerror(ret));
407
gnutls_global_deinit ();
280
408
return -1;
281
409
}
282
410
283
411
if(debug){
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
286
seckeyfile);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
287
415
}
288
416
289
417
ret = gnutls_certificate_set_openpgp_key_file
290
(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
291
420
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, pubkeyfile, seckeyfile);
296
fprintf(stdout, "The Error is: %s\n",
421
fprintf(stderr,
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
297
425
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
426
goto globalfail;
427
}
428
429
/* GnuTLS server initialization */
430
ret = gnutls_dh_params_init(&mc->dh_params);
431
if (ret != GNUTLS_E_SUCCESS) {
432
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
433
" %s\n", safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
437
if (ret != GNUTLS_E_SUCCESS) {
438
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
439
safer_gnutls_strerror(ret));
440
goto globalfail;
441
}
442
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
444
445
return 0;
446
447
globalfail:
448
449
gnutls_certificate_free_credentials(mc->cred);
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
452
return -1;
453
}
454
455
static int init_gnutls_session(mandos_context *mc,
456
gnutls_session_t *session){
457
int ret;
458
/* GnuTLS session creation */
459
ret = gnutls_init(session, GNUTLS_SERVER);
460
if (ret != GNUTLS_E_SUCCESS){
321
461
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
322
462
safer_gnutls_strerror(ret));
323
463
}
324
464
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
465
{
466
const char *err;
467
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
468
if (ret != GNUTLS_E_SUCCESS) {
469
fprintf(stderr, "Syntax error at: %s\n", err);
470
fprintf(stderr, "GnuTLS error: %s\n",
471
safer_gnutls_strerror(ret));
472
gnutls_deinit (*session);
473
return -1;
474
}
331
475
}
332
476
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
477
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
478
mc->cred);
479
if (ret != GNUTLS_E_SUCCESS) {
480
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
337
481
safer_gnutls_strerror(ret));
482
gnutls_deinit (*session);
338
483
return -1;
339
484
}
340
485
341
486
/* ignore client certificate if any. */
342
gnutls_certificate_server_set_request (es->session,
487
gnutls_certificate_server_set_request (*session,
343
488
GNUTLS_CERT_IGNORE);
344
489
345
gnutls_dh_set_prime_bits (es->session, dh_bits);
490
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
346
491
347
492
return 0;
348
493
}
349
494
495
/* Avahi log function callback */
350
496
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
351
497
__attribute__((unused)) const char *txt){}
352
498
499
/* Called when a Mandos server is found */
353
500
static int start_mandos_communication(const char *ip, uint16_t port,
354
AvahiIfIndex if_index){
501
AvahiIfIndex if_index,
502
mandos_context *mc){
355
503
int ret, tcp_sd;
356
struct sockaddr_in6 to;
357
encrypted_session es;
504
ssize_t sret;
505
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
358
506
char *buffer = NULL;
359
507
char *decrypted_buffer;
360
508
size_t buffer_length = 0;
361
509
size_t buffer_capacity = 0;
362
510
ssize_t decrypted_buffer_size;
363
size_t written = 0;
511
size_t written;
364
512
int retval = 0;
365
513
char interface[IF_NAMESIZE];
514
gnutls_session_t session;
515
516
ret = init_gnutls_session (mc, &session);
517
if (ret != 0){
518
return -1;
519
}
366
520
367
521
if(debug){
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
522
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
523
"\n", ip, port);
370
524
}
371
525
372
526
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
375
529
return -1;
376
530
}
377
531
378
if(if_indextoname((unsigned int)if_index, interface) == NULL){
379
if(debug){
532
if(debug){
533
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
534
perror("if_indextoname");
535
return -1;
381
536
}
382
return -1;
383
}
384
385
if(debug){
386
537
fprintf(stderr, "Binding to interface %s\n", interface);
387
538
}
388
539
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
540
memset(&to, 0, sizeof(to));
541
to.in6.sin6_family = AF_INET6;
542
/* It would be nice to have a way to detect if we were passed an
543
IPv4 address here. Now we assume an IPv6 address. */
544
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
392
545
if (ret < 0 ){
393
546
perror("inet_pton");
394
547
return -1;
395
}
548
}
396
549
if(ret == 0){
397
550
fprintf(stderr, "Bad address: %s\n", ip);
398
551
return -1;
399
552
}
400
to.sin6_port = htons(port); /* Spurious warning */
553
to.in6.sin6_port = htons(port); /* Spurious warning */
401
554
402
to.sin6_scope_id = (uint32_t)if_index;
555
to.in6.sin6_scope_id = (uint32_t)if_index;
403
556
404
557
if(debug){
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
558
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
559
port);
406
560
char addrstr[INET6_ADDRSTRLEN] = "";
407
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
561
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
408
562
sizeof(addrstr)) == NULL){
409
563
perror("inet_ntop");
410
564
} else {
411
565
if(strcmp(addrstr, ip) != 0){
412
fprintf(stderr, "Canonical address form: %s\n",
413
addrstr, ntohs(to.sin6_port));
566
fprintf(stderr, "Canonical address form: %s\n", addrstr);
414
567
}
415
568
}
416
569
}
417
570
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
571
ret = connect(tcp_sd, &to.in, sizeof(to));
419
572
if (ret < 0){
420
573
perror("connect");
421
574
return -1;
422
575
}
423
576
424
ret = initgnutls (&es);
425
if (ret != 0){
426
retval = -1;
427
return -1;
577
const char *out = mandos_protocol_version;
578
written = 0;
579
while (true){
580
size_t out_size = strlen(out);
581
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
582
out_size - written));
583
if (ret == -1){
584
perror("write");
585
retval = -1;
586
goto mandos_end;
587
}
588
written += (size_t)ret;
589
if(written < out_size){
590
continue;
591
} else {
592
if (out == mandos_protocol_version){
593
written = 0;
594
out = "\r\n";
595
} else {
596
break;
597
}
598
}
428
599
}
429
600
430
gnutls_transport_set_ptr (es.session,
431
(gnutls_transport_ptr_t) tcp_sd);
432
433
601
if(debug){
434
602
fprintf(stderr, "Establishing TLS session with %s\n", ip);
435
603
}
436
604
437
ret = gnutls_handshake (es.session);
605
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
606
607
do{
608
ret = gnutls_handshake (session);
609
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
438
610
439
611
if (ret != GNUTLS_E_SUCCESS){
440
612
if(debug){
441
fprintf(stderr, "\n*** Handshake failed ***\n");
613
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
442
614
gnutls_perror (ret);
443
615
}
444
616
retval = -1;
445
goto exit;
617
goto mandos_end;
446
618
}
447
619
448
//Retrieve OpenPGP packet that contains the wanted password
620
/* Read OpenPGP packet that contains the wanted password */
449
621
450
622
if(debug){
451
623
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
452
624
ip);
453
625
}
454
626
455
627
while(true){
456
if (buffer_length + BUFFER_SIZE > buffer_capacity){
457
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
458
if (buffer == NULL){
459
perror("realloc");
460
goto exit;
461
}
462
buffer_capacity += BUFFER_SIZE;
628
buffer_capacity = adjustbuffer(&buffer, buffer_length,
629
buffer_capacity);
630
if (buffer_capacity == 0){
631
perror("adjustbuffer");
632
retval = -1;
633
goto mandos_end;
463
634
}
464
635
465
ret = gnutls_record_recv
466
(es.session, buffer+buffer_length, BUFFER_SIZE);
467
if (ret == 0){
636
sret = gnutls_record_recv(session, buffer+buffer_length,
637
BUFFER_SIZE);
638
if (sret == 0){
468
639
break;
469
640
}
470
if (ret < 0){
471
switch(ret){
641
if (sret < 0){
642
switch(sret){
472
643
case GNUTLS_E_INTERRUPTED:
473
644
case GNUTLS_E_AGAIN:
474
645
break;
475
646
case GNUTLS_E_REHANDSHAKE:
476
ret = gnutls_handshake (es.session);
647
do{
648
ret = gnutls_handshake (session);
649
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
477
650
if (ret < 0){
478
fprintf(stderr, "\n*** Handshake failed ***\n");
651
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
479
652
gnutls_perror (ret);
480
653
retval = -1;
481
goto exit;
654
goto mandos_end;
482
655
}
483
656
break;
484
657
default:
485
658
fprintf(stderr, "Unknown error while reading data from"
486
" encrypted session with mandos server\n");
659
" encrypted session with Mandos server\n");
487
660
retval = -1;
488
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
489
goto exit;
661
gnutls_bye (session, GNUTLS_SHUT_RDWR);
662
goto mandos_end;
490
663
}
491
664
} else {
492
buffer_length += (size_t) ret;
665
buffer_length += (size_t) sret;
493
666
}
494
667
}
495
668
669
if(debug){
670
fprintf(stderr, "Closing TLS session\n");
671
}
672
673
gnutls_bye (session, GNUTLS_SHUT_RDWR);
674
496
675
if (buffer_length > 0){
497
decrypted_buffer_size = pgp_packet_decrypt(buffer,
676
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
498
677
buffer_length,
499
&decrypted_buffer,
500
keydir);
678
&decrypted_buffer);
501
679
if (decrypted_buffer_size >= 0){
680
written = 0;
502
681
while(written < (size_t) decrypted_buffer_size){
503
682
ret = (int)fwrite (decrypted_buffer + written, 1,
504
683
(size_t)decrypted_buffer_size - written,
517
696
} else {
518
697
retval = -1;
519
698
}
520
}
521
522
//shutdown procedure
523
524
if(debug){
525
fprintf(stderr, "Closing TLS session\n");
526
}
527
699
} else {
700
retval = -1;
701
}
702
703
/* Shutdown procedure */
704
705
mandos_end:
528
706
free(buffer);
529
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
530
exit:
531
close(tcp_sd);
532
gnutls_deinit (es.session);
533
gnutls_certificate_free_credentials (es.cred);
534
gnutls_global_deinit ();
707
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
708
if(ret == -1){
709
perror("close");
710
}
711
gnutls_deinit (session);
535
712
return retval;
536
713
}
537
714
538
static AvahiSimplePoll *simple_poll = NULL;
539
static AvahiServer *server = NULL;
540
541
static void resolve_callback(
542
AvahiSServiceResolver *r,
543
AvahiIfIndex interface,
544
AVAHI_GCC_UNUSED AvahiProtocol protocol,
545
AvahiResolverEvent event,
546
const char *name,
547
const char *type,
548
const char *domain,
549
const char *host_name,
550
const AvahiAddress *address,
551
uint16_t port,
552
AVAHI_GCC_UNUSED AvahiStringList *txt,
553
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
554
AVAHI_GCC_UNUSED void* userdata) {
555
556
assert(r); /* Spurious warning */
715
static void resolve_callback(AvahiSServiceResolver *r,
716
AvahiIfIndex interface,
717
AVAHI_GCC_UNUSED AvahiProtocol protocol,
718
AvahiResolverEvent event,
719
const char *name,
720
const char *type,
721
const char *domain,
722
const char *host_name,
723
const AvahiAddress *address,
724
uint16_t port,
725
AVAHI_GCC_UNUSED AvahiStringList *txt,
726
AVAHI_GCC_UNUSED AvahiLookupResultFlags
727
flags,
728
void* userdata) {
729
mandos_context *mc = userdata;
730
assert(r);
557
731
558
732
/* Called whenever a service has been resolved successfully or
559
733
timed out */
561
735
switch (event) {
562
736
default:
563
737
case AVAHI_RESOLVER_FAILURE:
564
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
565
" type '%s' in domain '%s': %s\n", name, type, domain,
566
avahi_strerror(avahi_server_errno(server)));
738
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
739
" of type '%s' in domain '%s': %s\n", name, type, domain,
740
avahi_strerror(avahi_server_errno(mc->server)));
567
741
break;
568
742
569
743
case AVAHI_RESOLVER_FOUND:
571
745
char ip[AVAHI_ADDRESS_STR_MAX];
572
746
avahi_address_snprint(ip, sizeof(ip), address);
573
747
if(debug){
574
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
575
" port %d\n", name, host_name, ip, port);
748
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
749
PRIu16 ") on port %d\n", name, host_name, ip,
750
interface, port);
576
751
}
577
int ret = start_mandos_communication(ip, port, interface);
752
int ret = start_mandos_communication(ip, port, interface, mc);
578
753
if (ret == 0){
579
exit(EXIT_SUCCESS);
754
avahi_simple_poll_quit(mc->simple_poll);
580
755
}
581
756
}
582
757
}
583
758
avahi_s_service_resolver_free(r);
584
759
}
585
760
586
static void browse_callback(
587
AvahiSServiceBrowser *b,
588
AvahiIfIndex interface,
589
AvahiProtocol protocol,
590
AvahiBrowserEvent event,
591
const char *name,
592
const char *type,
593
const char *domain,
594
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
595
void* userdata) {
596
597
AvahiServer *s = userdata;
598
assert(b); /* Spurious warning */
599
600
/* Called whenever a new services becomes available on the LAN or
601
is removed from the LAN */
602
603
switch (event) {
604
default:
605
case AVAHI_BROWSER_FAILURE:
606
607
fprintf(stderr, "(Browser) %s\n",
608
avahi_strerror(avahi_server_errno(server)));
609
avahi_simple_poll_quit(simple_poll);
610
return;
611
612
case AVAHI_BROWSER_NEW:
613
/* We ignore the returned resolver object. In the callback
614
function we free it. If the server is terminated before
615
the callback function is called the server will free
616
the resolver for us. */
617
618
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
619
type, domain,
620
AVAHI_PROTO_INET6, 0,
621
resolve_callback, s)))
622
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
623
avahi_strerror(avahi_server_errno(s)));
624
break;
625
626
case AVAHI_BROWSER_REMOVE:
627
break;
628
629
case AVAHI_BROWSER_ALL_FOR_NOW:
630
case AVAHI_BROWSER_CACHE_EXHAUSTED:
631
break;
761
static void browse_callback( AvahiSServiceBrowser *b,
762
AvahiIfIndex interface,
763
AvahiProtocol protocol,
764
AvahiBrowserEvent event,
765
const char *name,
766
const char *type,
767
const char *domain,
768
AVAHI_GCC_UNUSED AvahiLookupResultFlags
769
flags,
770
void* userdata) {
771
mandos_context *mc = userdata;
772
assert(b);
773
774
/* Called whenever a new services becomes available on the LAN or
775
is removed from the LAN */
776
777
switch (event) {
778
default:
779
case AVAHI_BROWSER_FAILURE:
780
781
fprintf(stderr, "(Avahi browser) %s\n",
782
avahi_strerror(avahi_server_errno(mc->server)));
783
avahi_simple_poll_quit(mc->simple_poll);
784
return;
785
786
case AVAHI_BROWSER_NEW:
787
/* We ignore the returned Avahi resolver object. In the callback
788
function we free it. If the Avahi server is terminated before
789
the callback function is called the Avahi server will free the
790
resolver for us. */
791
792
if (!(avahi_s_service_resolver_new(mc->server, interface,
793
protocol, name, type, domain,
794
AVAHI_PROTO_INET6, 0,
795
resolve_callback, mc)))
796
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
797
name, avahi_strerror(avahi_server_errno(mc->server)));
798
break;
799
800
case AVAHI_BROWSER_REMOVE:
801
break;
802
803
case AVAHI_BROWSER_ALL_FOR_NOW:
804
case AVAHI_BROWSER_CACHE_EXHAUSTED:
805
if(debug){
806
fprintf(stderr, "No Mandos server found, still searching...\n");
632
807
}
633
}
634
635
/* Combines file name and path and returns the malloced new
636
string. some sane checks could/should be added */
637
static const char *combinepath(const char *first, const char *second){
638
size_t f_len = strlen(first);
639
size_t s_len = strlen(second);
640
char *tmp = malloc(f_len + s_len + 2);
641
if (tmp == NULL){
642
return NULL;
643
}
644
if(f_len > 0){
645
memcpy(tmp, first, f_len);
646
}
647
tmp[f_len] = '/';
648
if(s_len > 0){
649
memcpy(tmp + f_len + 1, second, s_len);
650
}
651
tmp[f_len + 1 + s_len] = '\0';
652
return tmp;
653
}
654
655
656
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
657
AvahiServerConfig config;
808
break;
809
}
810
}
811
812
int main(int argc, char *argv[]){
658
813
AvahiSServiceBrowser *sb = NULL;
659
814
int error;
660
815
int ret;
661
int debug_int = 0;
662
int returncode = EXIT_SUCCESS;
663
const char *interface = NULL;
816
int exitcode = EXIT_SUCCESS;
817
const char *interface = "eth0";
818
struct ifreq network;
819
int sd;
820
uid_t uid;
821
gid_t gid;
822
char *connect_to = NULL;
823
char tempdir[] = "/tmp/mandosXXXXXX";
664
824
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
665
char *connect_to = NULL;
666
667
debug_int = debug ? 1 : 0;
668
while (true){
669
static struct option long_options[] = {
670
{"debug", no_argument, &debug_int, 1},
671
{"connect", required_argument, NULL, 'C'},
672
{"interface", required_argument, NULL, 'i'},
673
{"keydir", required_argument, NULL, 'd'},
674
{"seckey", required_argument, NULL, 'c'},
675
{"pubkey", required_argument, NULL, 'k'},
676
{"dh-bits", required_argument, NULL, 'D'},
677
{0, 0, 0, 0} };
678
679
int option_index = 0;
680
ret = getopt_long (argc, argv, "i:", long_options,
681
&option_index);
682
683
if (ret == -1){
684
break;
685
}
686
687
switch(ret){
688
case 0:
689
break;
690
case 'i':
691
interface = optarg;
692
break;
693
case 'C':
694
connect_to = optarg;
695
break;
696
case 'd':
697
keydir = optarg;
698
break;
699
case 'c':
700
pubkeyfile = optarg;
701
break;
702
case 'k':
703
seckeyfile = optarg;
704
break;
705
case 'D':
706
dh_bits = atoi(optarg);
707
break;
708
case '?':
709
break
710
default:
711
exit(EXIT_FAILURE);
712
}
713
}
714
debug = debug_int ? true : false;
715
716
pubkeyfile = combinepath(keydir, pubkeyfile);
717
if (pubkeyfile == NULL){
718
perror("combinepath");
719
goto exit;
720
}
721
722
if(interface != NULL){
723
if_index = (AvahiIfIndex) if_nametoindex(interface);
724
if(if_index == 0){
725
fprintf(stderr, "No such interface: \"%s\"\n", interface);
726
exit(EXIT_FAILURE);
727
}
825
const char *seckey = PATHDIR "/" SECKEY;
826
const char *pubkey = PATHDIR "/" PUBKEY;
827
828
mandos_context mc = { .simple_poll = NULL, .server = NULL,
829
.dh_bits = 1024, .priority = "SECURE256"
830
":!CTYPE-X.509:+CTYPE-OPENPGP" };
831
bool gnutls_initalized = false;
832
bool gpgme_initalized = false;
833
834
{
835
struct argp_option options[] = {
836
{ .name = "debug", .key = 128,
837
.doc = "Debug mode", .group = 3 },
838
{ .name = "connect", .key = 'c',
839
.arg = "ADDRESS:PORT",
840
.doc = "Connect directly to a specific Mandos server",
841
.group = 1 },
842
{ .name = "interface", .key = 'i',
843
.arg = "NAME",
844
.doc = "Interface that will be used to search for Mandos"
845
" servers",
846
.group = 1 },
847
{ .name = "seckey", .key = 's',
848
.arg = "FILE",
849
.doc = "OpenPGP secret key file base name",
850
.group = 1 },
851
{ .name = "pubkey", .key = 'p',
852
.arg = "FILE",
853
.doc = "OpenPGP public key file base name",
854
.group = 2 },
855
{ .name = "dh-bits", .key = 129,
856
.arg = "BITS",
857
.doc = "Bit length of the prime number used in the"
858
" Diffie-Hellman key exchange",
859
.group = 2 },
860
{ .name = "priority", .key = 130,
861
.arg = "STRING",
862
.doc = "GnuTLS priority string for the TLS handshake",
863
.group = 1 },
864
{ .name = NULL }
865
};
866
867
error_t parse_opt (int key, char *arg,
868
struct argp_state *state) {
869
switch (key) {
870
case 128: /* --debug */
871
debug = true;
872
break;
873
case 'c': /* --connect */
874
connect_to = arg;
875
break;
876
case 'i': /* --interface */
877
interface = arg;
878
break;
879
case 's': /* --seckey */
880
seckey = arg;
881
break;
882
case 'p': /* --pubkey */
883
pubkey = arg;
884
break;
885
case 129: /* --dh-bits */
886
ret = sscanf(arg, "%u", &mc.dh_bits);
887
if(ret != 1){
888
fprintf(stderr, "Bad number of DH bits\n");
889
exit(EXIT_FAILURE);
890
}
891
break;
892
case 130: /* --priority */
893
mc.priority = arg;
894
break;
895
case ARGP_KEY_ARG:
896
argp_usage (state);
897
case ARGP_KEY_END:
898
break;
899
default:
900
return ARGP_ERR_UNKNOWN;
901
}
902
return 0;
903
}
904
905
struct argp argp = { .options = options, .parser = parse_opt,
906
.args_doc = "",
907
.doc = "Mandos client -- Get and decrypt"
908
" passwords from a Mandos server" };
909
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
910
if (ret == ARGP_ERR_UNKNOWN){
911
fprintf(stderr, "Unknown error while parsing arguments\n");
912
exitcode = EXIT_FAILURE;
913
goto end;
914
}
915
}
916
917
/* If the interface is down, bring it up */
918
{
919
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
920
if(sd < 0) {
921
perror("socket");
922
exitcode = EXIT_FAILURE;
923
goto end;
924
}
925
strcpy(network.ifr_name, interface);
926
ret = ioctl(sd, SIOCGIFFLAGS, &network);
927
if(ret == -1){
928
perror("ioctl SIOCGIFFLAGS");
929
exitcode = EXIT_FAILURE;
930
goto end;
931
}
932
if((network.ifr_flags & IFF_UP) == 0){
933
network.ifr_flags |= IFF_UP;
934
ret = ioctl(sd, SIOCSIFFLAGS, &network);
935
if(ret == -1){
936
perror("ioctl SIOCSIFFLAGS");
937
exitcode = EXIT_FAILURE;
938
goto end;
939
}
940
}
941
ret = (int)TEMP_FAILURE_RETRY(close(sd));
942
if(ret == -1){
943
perror("close");
944
}
945
}
946
947
uid = getuid();
948
gid = getgid();
949
950
ret = setuid(uid);
951
if (ret == -1){
952
perror("setuid");
953
}
954
955
setgid(gid);
956
if (ret == -1){
957
perror("setgid");
958
}
959
960
ret = init_gnutls_global(&mc, pubkey, seckey);
961
if (ret == -1){
962
fprintf(stderr, "init_gnutls_global failed\n");
963
exitcode = EXIT_FAILURE;
964
goto end;
965
} else {
966
gnutls_initalized = true;
967
}
968
969
if(mkdtemp(tempdir) == NULL){
970
perror("mkdtemp");
971
tempdir[0] = '\0';
972
goto end;
973
}
974
975
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
976
fprintf(stderr, "gpgme_initalized failed\n");
977
exitcode = EXIT_FAILURE;
978
goto end;
979
} else {
980
gpgme_initalized = true;
981
}
982
983
if_index = (AvahiIfIndex) if_nametoindex(interface);
984
if(if_index == 0){
985
fprintf(stderr, "No such interface: \"%s\"\n", interface);
986
exit(EXIT_FAILURE);
728
987
}
729
988
730
989
if(connect_to != NULL){
733
992
char *address = strrchr(connect_to, ':');
734
993
if(address == NULL){
735
994
fprintf(stderr, "No colon in address\n");
736
exit(EXIT_FAILURE);
995
exitcode = EXIT_FAILURE;
996
goto end;
737
997
}
738
errno = 0;
739
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
740
if(errno){
741
perror("Bad port number");
742
exit(EXIT_FAILURE);
998
uint16_t port;
999
ret = sscanf(address+1, "%" SCNu16, &port);
1000
if(ret != 1){
1001
fprintf(stderr, "Bad port number\n");
1002
exitcode = EXIT_FAILURE;
1003
goto end;
743
1004
}
744
1005
*address = '\0';
745
1006
address = connect_to;
746
ret = start_mandos_communication(address, port, if_index);
1007
ret = start_mandos_communication(address, port, if_index, &mc);
747
1008
if(ret < 0){
748
exit(EXIT_FAILURE);
1009
exitcode = EXIT_FAILURE;
749
1010
} else {
750
exit(EXIT_SUCCESS);
1011
exitcode = EXIT_SUCCESS;
751
1012
}
752
}
753
754
seckeyfile = combinepath(keydir, seckeyfile);
755
if (seckeyfile == NULL){
756
perror("combinepath");
757
goto exit;
1013
goto end;
758
1014
}
759
1015
760
1016
if (not debug){
761
1017
avahi_set_log_function(empty_log);
762
1018
}
763
1019
764
/* Initialize the psuedo-RNG */
1020
/* Initialize the pseudo-RNG for Avahi */
765
1021
srand((unsigned int) time(NULL));
766
767
/* Allocate main loop object */
768
if (!(simple_poll = avahi_simple_poll_new())) {
769
fprintf(stderr, "Failed to create simple poll object.\n");
770
771
goto exit;
772
}
773
774
/* Do not publish any local records */
775
avahi_server_config_init(&config);
776
config.publish_hinfo = 0;
777
config.publish_addresses = 0;
778
config.publish_workstation = 0;
779
config.publish_domain = 0;
780
781
/* Allocate a new server */
782
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
783
&config, NULL, NULL, &error);
784
785
/* Free the configuration data */
786
avahi_server_config_free(&config);
787
788
/* Check if creating the server object succeeded */
789
if (!server) {
790
fprintf(stderr, "Failed to create server: %s\n",
1022
1023
/* Allocate main Avahi loop object */
1024
mc.simple_poll = avahi_simple_poll_new();
1025
if (mc.simple_poll == NULL) {
1026
fprintf(stderr, "Avahi: Failed to create simple poll"
1027
" object.\n");
1028
exitcode = EXIT_FAILURE;
1029
goto end;
1030
}
1031
1032
{
1033
AvahiServerConfig config;
1034
/* Do not publish any local Zeroconf records */
1035
avahi_server_config_init(&config);
1036
config.publish_hinfo = 0;
1037
config.publish_addresses = 0;
1038
config.publish_workstation = 0;
1039
config.publish_domain = 0;
1040
1041
/* Allocate a new server */
1042
mc.server = avahi_server_new(avahi_simple_poll_get
1043
(mc.simple_poll), &config, NULL,
1044
NULL, &error);
1045
1046
/* Free the Avahi configuration data */
1047
avahi_server_config_free(&config);
1048
}
1049
1050
/* Check if creating the Avahi server object succeeded */
1051
if (mc.server == NULL) {
1052
fprintf(stderr, "Failed to create Avahi server: %s\n",
791
1053
avahi_strerror(error));
792
returncode = EXIT_FAILURE;
793
goto exit;
1054
exitcode = EXIT_FAILURE;
1055
goto end;
794
1056
}
795
1057
796
/* Create the service browser */
797
sb = avahi_s_service_browser_new(server, if_index,
1058
/* Create the Avahi service browser */
1059
sb = avahi_s_service_browser_new(mc.server, if_index,
798
1060
AVAHI_PROTO_INET6,
799
1061
"_mandos._tcp", NULL, 0,
800
browse_callback, server);
801
if (!sb) {
1062
browse_callback, &mc);
1063
if (sb == NULL) {
802
1064
fprintf(stderr, "Failed to create service browser: %s\n",
803
avahi_strerror(avahi_server_errno(server)));
804
returncode = EXIT_FAILURE;
805
goto exit;
1065
avahi_strerror(avahi_server_errno(mc.server)));
1066
exitcode = EXIT_FAILURE;
1067
goto end;
806
1068
}
807
1069
808
1070
/* Run the main loop */
809
1071
810
1072
if (debug){
811
fprintf(stderr, "Starting avahi loop search\n");
1073
fprintf(stderr, "Starting Avahi loop search\n");
812
1074
}
813
1075
814
avahi_simple_poll_loop(simple_poll);
815
816
exit:
817
1076
avahi_simple_poll_loop(mc.simple_poll);
1077
1078
end:
1079
818
1080
if (debug){
819
1081
fprintf(stderr, "%s exiting\n", argv[0]);
820
1082
}
821
1083
822
1084
/* Cleanup things */
823
if (sb)
1085
if (sb != NULL)
824
1086
avahi_s_service_browser_free(sb);
825
1087
826
if (server)
827
avahi_server_free(server);
828
829
if (simple_poll)
830
avahi_simple_poll_free(simple_poll);
831
free(pubkeyfile);
832
free(seckeyfile);
833
834
return returncode;
1088
if (mc.server != NULL)
1089
avahi_server_free(mc.server);
1090
1091
if (mc.simple_poll != NULL)
1092
avahi_simple_poll_free(mc.simple_poll);
1093
1094
if (gnutls_initalized){
1095
gnutls_certificate_free_credentials(mc.cred);
1096
gnutls_global_deinit ();
1097
gnutls_dh_params_deinit(mc.dh_params);
1098
}
1099
1100
if(gpgme_initalized){
1101
gpgme_release(mc.ctx);
1102
}
1103
1104
/* Removes the temp directory used by GPGME */
1105
if(tempdir[0] != '\0'){
1106
DIR *d;
1107
struct dirent *direntry;
1108
d = opendir(tempdir);
1109
if(d == NULL){
1110
if(errno != ENOENT){
1111
perror("opendir");
1112
}
1113
} else {
1114
while(true){
1115
direntry = readdir(d);
1116
if(direntry == NULL){
1117
break;
1118
}
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1134
}
1135
closedir(d);
1136
}
1137
ret = rmdir(tempdir);
1138
if(ret == -1 and errno != ENOENT){
1139
perror("rmdir");
1140
}
1141
}
1142
1143
return exitcode;
835
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0