/mandos/trunk : revision 266

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-01-13 04:35:19 UTC
Revision ID: teddy@fukt.bsnet.se-20090113043519-0yr39snphoegq8l1

* plugin-runner.c: Only space changes.
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-list

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, SCNu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

100

#include <gpgme.h> /* All GPGME types, constants and

101

functions:

102

gpgme_*

103

GPGME_PROTOCOL_OpenPGP,

104

GPG_ERR_NO_* */

105

106

#define BUFFER_SIZE 256

#define DH_BITS 1024

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client " VERSION;

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

118

typedef struct {

gnutls_session_t session;

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

124

const char *priority;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if(buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if(buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if(rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if(rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = (int)TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if(debug){

191

fprintf(stderr, "Initialize gpgme\n");

192

}

100

193

101

194

/* Init GPGME */

102

195

gpgme_check_version(NULL);

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

196

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if(rc != GPG_ERR_NO_ERROR){

198

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

201

}

104

202

105

/* Set GPGME home directory */

106

rc = gpgme_get_engine_info (&engine_info);

107

if (rc != GPG_ERR_NO_ERROR){

203

/* Set GPGME home directory for the OpenPGP engine only */

204

rc = gpgme_get_engine_info(&engine_info);

205

if(rc != GPG_ERR_NO_ERROR){

108

206

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

109

207

gpgme_strsource(rc), gpgme_strerror(rc));

110

return -1;

208

return false;

111

209

}

112

210

while(engine_info != NULL){

113

211

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

114

212

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

115

engine_info->file_name, homedir);

213

engine_info->file_name, tempdir);

116

214

break;

117

215

}

118

216

engine_info = engine_info->next;

119

217

}

120

218

if(engine_info == NULL){

121

fprintf(stderr, "Could not set home dir to %s\n", homedir);

122

return -1;

123

}

124

125

/* Create new GPGME data buffer from packet buffer */

126

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

127

if (rc != GPG_ERR_NO_ERROR){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if(rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if(not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if(debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

259

if(rc != GPG_ERR_NO_ERROR){

128

260

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

129

261

gpgme_strsource(rc), gpgme_strerror(rc));

130

262

return -1;

132

264

133

265

/* Create new empty GPGME data buffer for the plaintext */

134

266

rc = gpgme_data_new(&dh_plain);

135

if (rc != GPG_ERR_NO_ERROR){

267

if(rc != GPG_ERR_NO_ERROR){

136

268

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

137

269

gpgme_strsource(rc), gpgme_strerror(rc));

138

return -1;

139

}

140

141

/* Create new GPGME "context" */

142

rc = gpgme_new(&ctx);

143

if (rc != GPG_ERR_NO_ERROR){

144

fprintf(stderr, "bad gpgme_new: %s: %s\n",

145

gpgme_strsource(rc), gpgme_strerror(rc));

146

return -1;

147

}

148

149

/* Decrypt data from the FILE pointer to the plaintext data

150

buffer */

151

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

152

if (rc != GPG_ERR_NO_ERROR){

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

277

if(rc != GPG_ERR_NO_ERROR){

153

278

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

154

279

gpgme_strsource(rc), gpgme_strerror(rc));

155

return -1;

280

plaintext_length = -1;

281

if(debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if(result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

306

}

307

}

308

}

309

goto decrypt_end;

156

310

}

157

311

158

312

if(debug){

159

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

160

}

161

162

if (debug){

163

gpgme_decrypt_result_t result;

164

result = gpgme_op_decrypt_result(ctx);

165

if (result == NULL){

166

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

167

} else {

168

fprintf(stderr, "Unsupported algorithm: %s\n",

169

result->unsupported_algorithm);

170

fprintf(stderr, "Wrong key usage: %d\n",

171

result->wrong_key_usage);

172

if(result->file_name != NULL){

173

fprintf(stderr, "File name: %s\n", result->file_name);

174

}

175

gpgme_recipient_t recipient;

176

recipient = result->recipients;

177

if(recipient){

178

while(recipient != NULL){

179

fprintf(stderr, "Public key algorithm: %s\n",

180

gpgme_pubkey_algo_name(recipient->pubkey_algo));

181

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

182

fprintf(stderr, "Secret key available: %s\n",

183

recipient->status == GPG_ERR_NO_SECKEY

184

? "No" : "Yes");

185

recipient = recipient->next;

186

}

187

}

188

}

189

}

190

191

/* Delete the GPGME FILE pointer cryptotext data buffer */

192

gpgme_data_release(dh_crypto);

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

193

315

194

316

/* Seek back to the beginning of the GPGME plaintext data buffer */

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

197

*new_packet = 0;

317

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

321

}

322

323

*plaintext = NULL;

198

324

while(true){

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

200

*new_packet = realloc(*new_packet,

201

(unsigned int)new_packet_capacity

202

+ BUFFER_SIZE);

203

if (*new_packet == NULL){

204

perror("realloc");

205

return -1;

206

}

207

new_packet_capacity += BUFFER_SIZE;

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if(plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

208

332

}

209

333

210

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

211

335

BUFFER_SIZE);

212

336

/* Print the data, if any */

213

if (ret == 0){

337

if(ret == 0){

338

/* EOF */

214

339

break;

215

340

}

216

341

if(ret < 0){

217

342

perror("gpgme_data_read");

218

return -1;

219

}

220

new_packet_length += ret;

221

}

222

223

/* FIXME: check characters before printing to screen so to not print

224

terminal control characters */

225

/* if(debug){ */

226

/* fprintf(stderr, "decrypted password is: "); */

227

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

228

/* fprintf(stderr, "\n"); */

229

/* } */

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

230

361

231

362

/* Delete the GPGME plaintext data buffer */

232

363

gpgme_data_release(dh_plain);

233

return new_packet_length;

364

return plaintext_length;

234

365

}

235

366

236

static const char * safer_gnutls_strerror (int value) {

237

const char *ret = gnutls_strerror (value);

238

if (ret == NULL)

367

static const char * safer_gnutls_strerror(int value) {

368

const char *ret = gnutls_strerror(value); /* Spurious warning */

369

if(ret == NULL)

239

370

ret = "(unknown)";

240

371

return ret;

241

372

}

242

373

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

245

fprintf(stderr, "%s", string);

374

/* GnuTLS log function callback */

375

static void debuggnutls(__attribute__((unused)) int level,

376

const char* string){

377

fprintf(stderr, "GnuTLS: %s", string);

246

378

}

247

379

248

int initgnutls(encrypted_session *es){

249

const char *err;

380

static int init_gnutls_global(mandos_context *mc,

381

const char *pubkeyfilename,

382

const char *seckeyfilename){

250

383

int ret;

251

384

252

385

if(debug){

253

386

fprintf(stderr, "Initializing GnuTLS\n");

254

387

}

255

388

256

if ((ret = gnutls_global_init ())

257

!= GNUTLS_E_SUCCESS) {

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

389

ret = gnutls_global_init();

390

if(ret != GNUTLS_E_SUCCESS) {

391

fprintf(stderr, "GnuTLS global_init: %s\n",

392

safer_gnutls_strerror(ret));

259

393

return -1;

260

394

}

261

262

if (debug){

395

396

if(debug){

397

/* "Use a log level over 10 to enable all debugging options."

398

* - GnuTLS manual

399

263

400

gnutls_global_set_log_level(11);

264

401

gnutls_global_set_log_function(debuggnutls);

265

402

}

266

403

267

/* openpgp credentials */

268

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

269

!= GNUTLS_E_SUCCESS) {

270

fprintf (stderr, "memory error: %s\n",

271

safer_gnutls_strerror(ret));

404

/* OpenPGP credentials */

405

gnutls_certificate_allocate_credentials(&mc->cred);

406

if(ret != GNUTLS_E_SUCCESS){

407

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious

408

warning */

409

safer_gnutls_strerror(ret));

410

gnutls_global_deinit();

272

411

return -1;

273

412

}

274

413

275

414

if(debug){

276

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

415

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

416

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

417

seckeyfilename);

279

418

}

280

419

281

420

ret = gnutls_certificate_set_openpgp_key_file

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

283

if (ret != GNUTLS_E_SUCCESS) {

284

fprintf

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

286

" '%s')\n",

287

ret, CERTFILE, KEYFILE);

288

fprintf(stdout, "The Error is: %s\n",

289

safer_gnutls_strerror(ret));

290

return -1;

291

}

292

293

//GnuTLS server initialization

294

if ((ret = gnutls_dh_params_init (&es->dh_params))

295

!= GNUTLS_E_SUCCESS) {

296

fprintf (stderr, "Error in dh parameter initialization: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in prime generation: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

309

310

// GnuTLS session creation

311

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

312

!= GNUTLS_E_SUCCESS){

421

(mc->cred, pubkeyfilename, seckeyfilename,

422

GNUTLS_OPENPGP_FMT_BASE64);

423

if(ret != GNUTLS_E_SUCCESS) {

424

fprintf(stderr,

425

"Error[%d] while reading the OpenPGP key pair ('%s',"

426

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

427

fprintf(stderr, "The GnuTLS error is: %s\n",

428

safer_gnutls_strerror(ret));

429

goto globalfail;

430

}

431

432

/* GnuTLS server initialization */

433

ret = gnutls_dh_params_init(&mc->dh_params);

434

if(ret != GNUTLS_E_SUCCESS) {

435

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

436

" %s\n", safer_gnutls_strerror(ret));

437

goto globalfail;

438

}

439

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

440

if(ret != GNUTLS_E_SUCCESS) {

441

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

442

safer_gnutls_strerror(ret));

443

goto globalfail;

444

}

445

446

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

447

448

return 0;

449

450

globalfail:

451

452

gnutls_certificate_free_credentials(mc->cred);

453

gnutls_global_deinit();

454

gnutls_dh_params_deinit(mc->dh_params);

455

return -1;

456

}

457

458

static int init_gnutls_session(mandos_context *mc,

459

gnutls_session_t *session){

460

int ret;

461

/* GnuTLS session creation */

462

ret = gnutls_init(session, GNUTLS_SERVER);

463

if(ret != GNUTLS_E_SUCCESS){

313

464

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

314

465

safer_gnutls_strerror(ret));

315

466

}

316

467

317

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf(stderr, "Syntax error at: %s\n", err);

320

fprintf(stderr, "GnuTLS error: %s\n",

321

safer_gnutls_strerror(ret));

322

return -1;

468

{

469

const char *err;

470

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

471

if(ret != GNUTLS_E_SUCCESS) {

472

fprintf(stderr, "Syntax error at: %s\n", err);

473

fprintf(stderr, "GnuTLS error: %s\n",

474

safer_gnutls_strerror(ret));

475

gnutls_deinit(*session);

476

return -1;

477

}

323

478

}

324

479

325

if ((ret = gnutls_credentials_set

326

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Error setting a credentials set: %s\n",

480

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

481

mc->cred);

482

if(ret != GNUTLS_E_SUCCESS) {

483

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

329

484

safer_gnutls_strerror(ret));

485

gnutls_deinit(*session);

330

486

return -1;

331

487

}

332

488

333

489

/* ignore client certificate if any. */

334

gnutls_certificate_server_set_request (es->session,

335

GNUTLS_CERT_IGNORE);

490

gnutls_certificate_server_set_request(*session,

491

GNUTLS_CERT_IGNORE);

336

492

337

gnutls_dh_set_prime_bits (es->session, DH_BITS);

493

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

338

494

339

495

return 0;

340

496

}

341

497

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

498

/* Avahi log function callback */

499

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

500

__attribute__((unused)) const char *txt){}

344

501

345

int start_mandos_communication(const char *ip, uint16_t port,

346

AvahiIfIndex if_index){

502

/* Called when a Mandos server is found */

503

static int start_mandos_communication(const char *ip, uint16_t port,

504

AvahiIfIndex if_index,

505

mandos_context *mc){

347

506

int ret, tcp_sd;

348

struct sockaddr_in6 to;

349

encrypted_session es;

507

ssize_t sret;

508

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

350

509

char *buffer = NULL;

351

510

char *decrypted_buffer;

352

511

size_t buffer_length = 0;

353

512

size_t buffer_capacity = 0;

354

513

ssize_t decrypted_buffer_size;

355

size_t written = 0;

514

size_t written;

356

515

int retval = 0;

357

516

char interface[IF_NAMESIZE];

517

gnutls_session_t session;

518

519

ret = init_gnutls_session(mc, &session);

520

if(ret != 0){

521

return -1;

522

}

358

523

359

524

if(debug){

360

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

361

ip, port);

525

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

526

"\n", ip, port);

362

527

}

363

528

364

529

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

367

532

return -1;

368

533

}

369

534

370

if(if_indextoname((unsigned int)if_index, interface) == NULL){

371

if(debug){

535

if(debug){

536

if(if_indextoname((unsigned int)if_index, interface) == NULL){

372

537

perror("if_indextoname");

538

return -1;

373

539

}

374

return -1;

375

}

376

377

if(debug){

378

540

fprintf(stderr, "Binding to interface %s\n", interface);

379

541

}

380

542

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

384

if (ret < 0 ){

543

memset(&to, 0, sizeof(to));

544

to.in6.sin6_family = AF_INET6;

545

/* It would be nice to have a way to detect if we were passed an

546

IPv4 address here. Now we assume an IPv6 address. */

547

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

548

if(ret < 0 ){

385

549

perror("inet_pton");

386

550

return -1;

387

}

551

}

388

552

if(ret == 0){

389

553

fprintf(stderr, "Bad address: %s\n", ip);

390

554

return -1;

391

555

}

392

to.sin6_port = htons(port); /* Spurious warning */

556

to.in6.sin6_port = htons(port); /* Spurious warning */

393

557

394

to.sin6_scope_id = (uint32_t)if_index;

558

to.in6.sin6_scope_id = (uint32_t)if_index;

395

559

396

560

if(debug){

397

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

398

/* char addrstr[INET6_ADDRSTRLEN]; */

399

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

400

/* sizeof(addrstr)) == NULL){ */

401

/* perror("inet_ntop"); */

402

/* } else { */

403

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

404

/* addrstr, ntohs(to.sin6_port)); */

405

/* } */

561

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

562

port);

563

char addrstr[INET6_ADDRSTRLEN] = "";

564

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

565

sizeof(addrstr)) == NULL){

566

perror("inet_ntop");

567

} else {

568

if(strcmp(addrstr, ip) != 0){

569

fprintf(stderr, "Canonical address form: %s\n", addrstr);

570

}

571

}

406

572

}

407

573

408

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

409

if (ret < 0){

574

ret = connect(tcp_sd, &to.in, sizeof(to));

575

if(ret < 0){

410

576

perror("connect");

411

577

return -1;

412

578

}

413

579

414

ret = initgnutls (&es);

415

if (ret != 0){

416

retval = -1;

417

return -1;

580

const char *out = mandos_protocol_version;

581

written = 0;

582

while(true){

583

size_t out_size = strlen(out);

584

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

585

out_size - written));

586

if(ret == -1){

587

perror("write");

588

retval = -1;

589

goto mandos_end;

590

}

591

written += (size_t)ret;

592

if(written < out_size){

593

continue;

594

} else {

595

if(out == mandos_protocol_version){

596

written = 0;

597

out = "\r\n";

598

} else {

599

break;

600

}

601

}

418

602

}

419

603

420

gnutls_transport_set_ptr (es.session,

421

(gnutls_transport_ptr_t) tcp_sd);

422

423

604

if(debug){

424

605

fprintf(stderr, "Establishing TLS session with %s\n", ip);

425

606

}

426

607

427

ret = gnutls_handshake (es.session);

428

429

if (ret != GNUTLS_E_SUCCESS){

608

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

609

610

do{

611

ret = gnutls_handshake(session);

612

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

613

614

if(ret != GNUTLS_E_SUCCESS){

430

615

if(debug){

431

fprintf(stderr, "\n*** Handshake failed ***\n");

432

gnutls_perror (ret);

616

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

617

gnutls_perror(ret);

433

618

}

434

619

retval = -1;

435

goto exit;

620

goto mandos_end;

436

621

}

437

622

438

//Retrieve OpenPGP packet that contains the wanted password

623

/* Read OpenPGP packet that contains the wanted password */

439

624

440

625

if(debug){

441

626

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

442

627

ip);

443

628

}

444

629

445

630

while(true){

446

if (buffer_length + BUFFER_SIZE > buffer_capacity){

447

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

448

if (buffer == NULL){

449

perror("realloc");

450

goto exit;

451

}

452

buffer_capacity += BUFFER_SIZE;

631

buffer_capacity = adjustbuffer(&buffer, buffer_length,

632

buffer_capacity);

633

if(buffer_capacity == 0){

634

perror("adjustbuffer");

635

retval = -1;

636

goto mandos_end;

453

637

}

454

638

455

ret = gnutls_record_recv

456

(es.session, buffer+buffer_length, BUFFER_SIZE);

457

if (ret == 0){

639

sret = gnutls_record_recv(session, buffer+buffer_length,

640

BUFFER_SIZE);

641

if(sret == 0){

458

642

break;

459

643

}

460

if (ret < 0){

461

switch(ret){

644

if(sret < 0){

645

switch(sret){

462

646

case GNUTLS_E_INTERRUPTED:

463

647

case GNUTLS_E_AGAIN:

464

648

break;

465

649

case GNUTLS_E_REHANDSHAKE:

466

ret = gnutls_handshake (es.session);

467

if (ret < 0){

468

fprintf(stderr, "\n*** Handshake failed ***\n");

469

gnutls_perror (ret);

650

do{

651

ret = gnutls_handshake(session);

652

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

653

if(ret < 0){

654

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

655

gnutls_perror(ret);

470

656

retval = -1;

471

goto exit;

657

goto mandos_end;

472

658

}

473

659

break;

474

660

default:

475

661

fprintf(stderr, "Unknown error while reading data from"

476

" encrypted session with mandos server\n");

662

" encrypted session with Mandos server\n");

477

663

retval = -1;

478

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

479

goto exit;

664

gnutls_bye(session, GNUTLS_SHUT_RDWR);

665

goto mandos_end;

480

666

}

481

667

} else {

482

buffer_length += (size_t) ret;

668

buffer_length += (size_t) sret;

483

669

}

484

670

}

485

671

486

if (buffer_length > 0){

487

decrypted_buffer_size = pgp_packet_decrypt(buffer,

672

if(debug){

673

fprintf(stderr, "Closing TLS session\n");

674

}

675

676

gnutls_bye(session, GNUTLS_SHUT_RDWR);

677

678

if(buffer_length > 0){

679

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

488

680

buffer_length,

489

&decrypted_buffer,

490

CERT_ROOT);

491

if (decrypted_buffer_size >= 0){

681

&decrypted_buffer);

682

if(decrypted_buffer_size >= 0){

683

written = 0;

492

684

while(written < (size_t) decrypted_buffer_size){

493

ret = (int)fwrite (decrypted_buffer + written, 1,

494

(size_t)decrypted_buffer_size - written,

495

stdout);

685

ret = (int)fwrite(decrypted_buffer + written, 1,

686

(size_t)decrypted_buffer_size - written,

687

stdout);

496

688

if(ret == 0 and ferror(stdout)){

497

689

if(debug){

498

690

fprintf(stderr, "Error writing encrypted data: %s\n",

507

699

} else {

508

700

retval = -1;

509

701

}

510

}

511

512

//shutdown procedure

513

514

if(debug){

515

fprintf(stderr, "Closing TLS session\n");

516

}

517

702

} else {

703

retval = -1;

704

}

705

706

/* Shutdown procedure */

707

708

mandos_end:

518

709

free(buffer);

519

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

520

exit:

521

close(tcp_sd);

522

gnutls_deinit (es.session);

523

gnutls_certificate_free_credentials (es.cred);

524

gnutls_global_deinit ();

710

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

711

if(ret == -1){

712

perror("close");

713

}

714

gnutls_deinit(session);

525

715

return retval;

526

716

}

527

717

528

static AvahiSimplePoll *simple_poll = NULL;

529

static AvahiServer *server = NULL;

530

531

static void resolve_callback(

532

AvahiSServiceResolver *r,

533

AvahiIfIndex interface,

534

AVAHI_GCC_UNUSED AvahiProtocol protocol,

535

AvahiResolverEvent event,

536

const char *name,

537

const char *type,

538

const char *domain,

539

const char *host_name,

540

const AvahiAddress *address,

541

uint16_t port,

542

AVAHI_GCC_UNUSED AvahiStringList *txt,

543

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

544

AVAHI_GCC_UNUSED void* userdata) {

545

546

assert(r); /* Spurious warning */

718

static void resolve_callback(AvahiSServiceResolver *r,

719

AvahiIfIndex interface,

720

AVAHI_GCC_UNUSED AvahiProtocol protocol,

721

AvahiResolverEvent event,

722

const char *name,

723

const char *type,

724

const char *domain,

725

const char *host_name,

726

const AvahiAddress *address,

727

uint16_t port,

728

AVAHI_GCC_UNUSED AvahiStringList *txt,

729

AVAHI_GCC_UNUSED AvahiLookupResultFlags

730

flags,

731

void* userdata) {

732

mandos_context *mc = userdata;

733

assert(r);

547

734

548

735

/* Called whenever a service has been resolved successfully or

549

736

timed out */

550

737

551

switch (event) {

738

switch(event) {

552

739

default:

553

740

case AVAHI_RESOLVER_FAILURE:

554

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

555

" type '%s' in domain '%s': %s\n", name, type, domain,

556

avahi_strerror(avahi_server_errno(server)));

741

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

742

" of type '%s' in domain '%s': %s\n", name, type, domain,

743

avahi_strerror(avahi_server_errno(mc->server)));

557

744

break;

558

745

559

746

case AVAHI_RESOLVER_FOUND:

561

748

char ip[AVAHI_ADDRESS_STR_MAX];

562

749

avahi_address_snprint(ip, sizeof(ip), address);

563

750

if(debug){

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

565

" port %d\n", name, host_name, ip, port);

751

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

752

PRIu16 ") on port %d\n", name, host_name, ip,

753

interface, port);

566

754

}

567

int ret = start_mandos_communication(ip, port, interface);

568

if (ret == 0){

569

exit(EXIT_SUCCESS);

755

int ret = start_mandos_communication(ip, port, interface, mc);

756

if(ret == 0){

757

avahi_simple_poll_quit(mc->simple_poll);

570

758

}

571

759

}

572

760

}

573

761

avahi_s_service_resolver_free(r);

574

762

}

575

763

576

static void browse_callback(

577

AvahiSServiceBrowser *b,

578

AvahiIfIndex interface,

579

AvahiProtocol protocol,

580

AvahiBrowserEvent event,

581

const char *name,

582

const char *type,

583

const char *domain,

584

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

585

void* userdata) {

586

587

AvahiServer *s = userdata;

588

assert(b); /* Spurious warning */

589

590

/* Called whenever a new services becomes available on the LAN or

591

is removed from the LAN */

592

593

switch (event) {

594

default:

595

case AVAHI_BROWSER_FAILURE:

596

597

fprintf(stderr, "(Browser) %s\n",

598

avahi_strerror(avahi_server_errno(server)));

599

avahi_simple_poll_quit(simple_poll);

600

return;

601

602

case AVAHI_BROWSER_NEW:

603

/* We ignore the returned resolver object. In the callback

604

function we free it. If the server is terminated before

605

the callback function is called the server will free

606

the resolver for us. */

607

608

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

609

type, domain,

610

AVAHI_PROTO_INET6, 0,

611

resolve_callback, s)))

612

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

613

avahi_strerror(avahi_server_errno(s)));

614

break;

615

616

case AVAHI_BROWSER_REMOVE:

617

break;

618

619

case AVAHI_BROWSER_ALL_FOR_NOW:

620

case AVAHI_BROWSER_CACHE_EXHAUSTED:

621

break;

764

static void browse_callback( AvahiSServiceBrowser *b,

765

AvahiIfIndex interface,

766

AvahiProtocol protocol,

767

AvahiBrowserEvent event,

768

const char *name,

769

const char *type,

770

const char *domain,

771

AVAHI_GCC_UNUSED AvahiLookupResultFlags

772

flags,

773

void* userdata) {

774

mandos_context *mc = userdata;

775

assert(b);

776

777

/* Called whenever a new services becomes available on the LAN or

778

is removed from the LAN */

779

780

switch(event) {

781

default:

782

case AVAHI_BROWSER_FAILURE:

783

784

fprintf(stderr, "(Avahi browser) %s\n",

785

avahi_strerror(avahi_server_errno(mc->server)));

786

avahi_simple_poll_quit(mc->simple_poll);

787

return;

788

789

case AVAHI_BROWSER_NEW:

790

/* We ignore the returned Avahi resolver object. In the callback

791

function we free it. If the Avahi server is terminated before

792

the callback function is called the Avahi server will free the

793

resolver for us. */

794

795

if(!(avahi_s_service_resolver_new(mc->server, interface,

796

protocol, name, type, domain,

797

AVAHI_PROTO_INET6, 0,

798

resolve_callback, mc)))

799

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

800

name, avahi_strerror(avahi_server_errno(mc->server)));

801

break;

802

803

case AVAHI_BROWSER_REMOVE:

804

break;

805

806

case AVAHI_BROWSER_ALL_FOR_NOW:

807

case AVAHI_BROWSER_CACHE_EXHAUSTED:

808

if(debug){

809

fprintf(stderr, "No Mandos server found, still searching...\n");

622

810

}

811

break;

812

}

623

813

}

624

814

625

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

626

AvahiServerConfig config;

815

int main(int argc, char *argv[]){

627

816

AvahiSServiceBrowser *sb = NULL;

628

817

int error;

629

818

int ret;

630

int returncode = EXIT_SUCCESS;

631

const char *interface = NULL;

819

int exitcode = EXIT_SUCCESS;

820

const char *interface = "eth0";

821

struct ifreq network;

822

int sd;

823

uid_t uid;

824

gid_t gid;

825

char *connect_to = NULL;

826

char tempdir[] = "/tmp/mandosXXXXXX";

632

827

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

633

char *connect_to = NULL;

634

635

while (true){

636

static struct option long_options[] = {

637

{"debug", no_argument, (int *)&debug, 1},

638

{"connect", required_argument, 0, 'c'},

639

{"interface", required_argument, 0, 'i'},

640

{0, 0, 0, 0} };

641

642

int option_index = 0;

643

ret = getopt_long (argc, argv, "i:", long_options,

644

&option_index);

645

646

if (ret == -1){

647

break;

648

}

649

650

switch(ret){

651

case 0:

652

break;

653

case 'i':

654

interface = optarg;

655

break;

656

case 'c':

657

connect_to = optarg;

658

break;

659

default:

660

exit(EXIT_FAILURE);

661

}

662

}

663

664

if(interface != NULL){

665

if_index = (AvahiIfIndex) if_nametoindex(interface);

666

if(if_index == 0){

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

668

exit(EXIT_FAILURE);

669

}

828

const char *seckey = PATHDIR "/" SECKEY;

829

const char *pubkey = PATHDIR "/" PUBKEY;

830

831

mandos_context mc = { .simple_poll = NULL, .server = NULL,

832

.dh_bits = 1024, .priority = "SECURE256"

833

":!CTYPE-X.509:+CTYPE-OPENPGP" };

834

bool gnutls_initalized = false;

835

bool gpgme_initalized = false;

836

837

{

838

struct argp_option options[] = {

839

{ .name = "debug", .key = 128,

840

.doc = "Debug mode", .group = 3 },

841

{ .name = "connect", .key = 'c',

842

.arg = "ADDRESS:PORT",

843

.doc = "Connect directly to a specific Mandos server",

844

.group = 1 },

845

{ .name = "interface", .key = 'i',

846

.arg = "NAME",

847

.doc = "Interface that will be used to search for Mandos"

848

" servers",

849

.group = 1 },

850

{ .name = "seckey", .key = 's',

851

.arg = "FILE",

852

.doc = "OpenPGP secret key file base name",

853

.group = 1 },

854

{ .name = "pubkey", .key = 'p',

855

.arg = "FILE",

856

.doc = "OpenPGP public key file base name",

857

.group = 2 },

858

{ .name = "dh-bits", .key = 129,

859

.arg = "BITS",

860

.doc = "Bit length of the prime number used in the"

861

" Diffie-Hellman key exchange",

862

.group = 2 },

863

{ .name = "priority", .key = 130,

864

.arg = "STRING",

865

.doc = "GnuTLS priority string for the TLS handshake",

866

.group = 1 },

867

{ .name = NULL }

868

};

869

870

error_t parse_opt(int key, char *arg,

871

struct argp_state *state) {

872

switch(key) {

873

case 128: /* --debug */

874

debug = true;

875

break;

876

case 'c': /* --connect */

877

connect_to = arg;

878

break;

879

case 'i': /* --interface */

880

interface = arg;

881

break;

882

case 's': /* --seckey */

883

seckey = arg;

884

break;

885

case 'p': /* --pubkey */

886

pubkey = arg;

887

break;

888

case 129: /* --dh-bits */

889

ret = sscanf(arg, "%u", &mc.dh_bits);

890

if(ret != 1){

891

fprintf(stderr, "Bad number of DH bits\n");

892

exit(EXIT_FAILURE);

893

}

894

break;

895

case 130: /* --priority */

896

mc.priority = arg;

897

break;

898

case ARGP_KEY_ARG:

899

argp_usage(state);

900

case ARGP_KEY_END:

901

break;

902

default:

903

return ARGP_ERR_UNKNOWN;

904

}

905

return 0;

906

}

907

908

struct argp argp = { .options = options, .parser = parse_opt,

909

.args_doc = "",

910

.doc = "Mandos client -- Get and decrypt"

911

" passwords from a Mandos server" };

912

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

913

if(ret == ARGP_ERR_UNKNOWN){

914

fprintf(stderr, "Unknown error while parsing arguments\n");

915

exitcode = EXIT_FAILURE;

916

goto end;

917

}

918

}

919

920

/* If the interface is down, bring it up */

921

{

922

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

923

if(sd < 0) {

924

perror("socket");

925

exitcode = EXIT_FAILURE;

926

goto end;

927

}

928

strcpy(network.ifr_name, interface);

929

ret = ioctl(sd, SIOCGIFFLAGS, &network);

930

if(ret == -1){

931

perror("ioctl SIOCGIFFLAGS");

932

exitcode = EXIT_FAILURE;

933

goto end;

934

}

935

if((network.ifr_flags & IFF_UP) == 0){

936

network.ifr_flags |= IFF_UP;

937

ret = ioctl(sd, SIOCSIFFLAGS, &network);

938

if(ret == -1){

939

perror("ioctl SIOCSIFFLAGS");

940

exitcode = EXIT_FAILURE;

941

goto end;

942

}

943

}

944

ret = (int)TEMP_FAILURE_RETRY(close(sd));

945

if(ret == -1){

946

perror("close");

947

}

948

}

949

950

uid = getuid();

951

gid = getgid();

952

953

ret = setuid(uid);

954

if(ret == -1){

955

perror("setuid");

956

}

957

958

setgid(gid);

959

if(ret == -1){

960

perror("setgid");

961

}

962

963

ret = init_gnutls_global(&mc, pubkey, seckey);

964

if(ret == -1){

965

fprintf(stderr, "init_gnutls_global failed\n");

966

exitcode = EXIT_FAILURE;

967

goto end;

968

} else {

969

gnutls_initalized = true;

970

}

971

972

if(mkdtemp(tempdir) == NULL){

973

perror("mkdtemp");

974

tempdir[0] = '\0';

975

goto end;

976

}

977

978

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

979

fprintf(stderr, "gpgme_initalized failed\n");

980

exitcode = EXIT_FAILURE;

981

goto end;

982

} else {

983

gpgme_initalized = true;

984

}

985

986

if_index = (AvahiIfIndex) if_nametoindex(interface);

987

if(if_index == 0){

988

fprintf(stderr, "No such interface: \"%s\"\n", interface);

989

exit(EXIT_FAILURE);

670

990

}

671

991

672

992

if(connect_to != NULL){

675

995

char *address = strrchr(connect_to, ':');

676

996

if(address == NULL){

677

997

fprintf(stderr, "No colon in address\n");

678

exit(EXIT_FAILURE);

998

exitcode = EXIT_FAILURE;

999

goto end;

679

1000

}

680

errno = 0;

681

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

682

if(errno){

683

perror("Bad port number");

684

exit(EXIT_FAILURE);

1001

uint16_t port;

1002

ret = sscanf(address+1, "%" SCNu16, &port);

1003

if(ret != 1){

1004

fprintf(stderr, "Bad port number\n");

1005

exitcode = EXIT_FAILURE;

1006

goto end;

685

1007

}

686

1008

*address = '\0';

687

1009

address = connect_to;

688

ret = start_mandos_communication(address, port, if_index);

1010

ret = start_mandos_communication(address, port, if_index, &mc);

689

1011

if(ret < 0){

690

exit(EXIT_FAILURE);

1012

exitcode = EXIT_FAILURE;

691

1013

} else {

692

exit(EXIT_SUCCESS);

1014

exitcode = EXIT_SUCCESS;

693

1015

}

1016

goto end;

694

1017

}

695

1018

696

if (not debug){

1019

if(not debug){

697

1020

avahi_set_log_function(empty_log);

698

1021

}

699

1022

700

/* Initialize the psuedo-RNG */

1023

/* Initialize the pseudo-RNG for Avahi */

701

1024

srand((unsigned int) time(NULL));

702

703

/* Allocate main loop object */

704

if (!(simple_poll = avahi_simple_poll_new())) {

705

fprintf(stderr, "Failed to create simple poll object.\n");

706

707

goto exit;

708

}

709

710

/* Do not publish any local records */

711

avahi_server_config_init(&config);

712

config.publish_hinfo = 0;

713

config.publish_addresses = 0;

714

config.publish_workstation = 0;

715

config.publish_domain = 0;

716

717

/* Allocate a new server */

718

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

719

&config, NULL, NULL, &error);

720

721

/* Free the configuration data */

722

avahi_server_config_free(&config);

723

724

/* Check if creating the server object succeeded */

725

if (!server) {

726

fprintf(stderr, "Failed to create server: %s\n",

1025

1026

/* Allocate main Avahi loop object */

1027

mc.simple_poll = avahi_simple_poll_new();

1028

if(mc.simple_poll == NULL) {

1029

fprintf(stderr, "Avahi: Failed to create simple poll"

1030

" object.\n");

1031

exitcode = EXIT_FAILURE;

1032

goto end;

1033

}

1034

1035

{

1036

AvahiServerConfig config;

1037

/* Do not publish any local Zeroconf records */

1038

avahi_server_config_init(&config);

1039

config.publish_hinfo = 0;

1040

config.publish_addresses = 0;

1041

config.publish_workstation = 0;

1042

config.publish_domain = 0;

1043

1044

/* Allocate a new server */

1045

mc.server = avahi_server_new(avahi_simple_poll_get

1046

(mc.simple_poll), &config, NULL,

1047

NULL, &error);

1048

1049

/* Free the Avahi configuration data */

1050

avahi_server_config_free(&config);

1051

}

1052

1053

/* Check if creating the Avahi server object succeeded */

1054

if(mc.server == NULL) {

1055

fprintf(stderr, "Failed to create Avahi server: %s\n",

727

1056

avahi_strerror(error));

728

returncode = EXIT_FAILURE;

729

goto exit;

1057

exitcode = EXIT_FAILURE;

1058

goto end;

730

1059

}

731

1060

732

/* Create the service browser */

733

sb = avahi_s_service_browser_new(server, if_index,

1061

/* Create the Avahi service browser */

1062

sb = avahi_s_service_browser_new(mc.server, if_index,

734

1063

AVAHI_PROTO_INET6,

735

1064

"_mandos._tcp", NULL, 0,

736

browse_callback, server);

737

if (!sb) {

1065

browse_callback, &mc);

1066

if(sb == NULL) {

738

1067

fprintf(stderr, "Failed to create service browser: %s\n",

739

avahi_strerror(avahi_server_errno(server)));

740

returncode = EXIT_FAILURE;

741

goto exit;

1068

avahi_strerror(avahi_server_errno(mc.server)));

1069

exitcode = EXIT_FAILURE;

1070

goto end;

742

1071

}

743

1072

744

1073

/* Run the main loop */

745

746

if (debug){

747

fprintf(stderr, "Starting avahi loop search\n");

1074

1075

if(debug){

1076

fprintf(stderr, "Starting Avahi loop search\n");

748

1077

}

749

1078

750

avahi_simple_poll_loop(simple_poll);

751

752

exit:

753

754

if (debug){

1079

avahi_simple_poll_loop(mc.simple_poll);

1080

1081

end:

1082

1083

if(debug){

755

1084

fprintf(stderr, "%s exiting\n", argv[0]);

756

1085

}

757

1086

758

1087

/* Cleanup things */

759

if (sb)

1088

if(sb != NULL)

760

1089

avahi_s_service_browser_free(sb);

761

1090

762

if (server)

763

avahi_server_free(server);

764

765

if (simple_poll)

766

avahi_simple_poll_free(simple_poll);

767

768

return returncode;

1091

if(mc.server != NULL)

1092

avahi_server_free(mc.server);

1093

1094

if(mc.simple_poll != NULL)

1095

avahi_simple_poll_free(mc.simple_poll);

1096

1097

if(gnutls_initalized){

1098

gnutls_certificate_free_credentials(mc.cred);

1099

gnutls_global_deinit();

1100

gnutls_dh_params_deinit(mc.dh_params);

1101

}

1102

1103

if(gpgme_initalized){

1104

gpgme_release(mc.ctx);

1105

}

1106

1107

/* Removes the temp directory used by GPGME */

1108

if(tempdir[0] != '\0'){

1109

DIR *d;

1110

struct dirent *direntry;

1111

d = opendir(tempdir);

1112

if(d == NULL){

1113

if(errno != ENOENT){

1114

perror("opendir");

1115

}

1116

} else {

1117

while(true){

1118

direntry = readdir(d);

1119

if(direntry == NULL){

1120

break;

1121

}

1122

if(direntry->d_type == DT_REG){

1123

char *fullname = NULL;

1124

ret = asprintf(&fullname, "%s/%s", tempdir,

1125

direntry->d_name);

1126

if(ret < 0){

1127

perror("asprintf");

1128

continue;

1129

}

1130

ret = unlink(fullname);

1131

if(ret == -1){

1132

fprintf(stderr, "unlink(\"%s\"): %s",

1133

fullname, strerror(errno));

1134

}

1135

free(fullname);

1136

}

1137

}

1138

closedir(d);

1139

}

1140

ret = rmdir(tempdir);

1141

if(ret == -1 and errno != ENOENT){

1142

perror("rmdir");

1143

}

1144

}

1145

1146

return exitcode;

769

1147

}

Older »