/mandos/trunk : revision 268

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-01-14 14:20:17 UTC
Revision ID: teddy@fukt.bsnet.se-20090114142017-84t4kfw56bsftjlo

Fixes for sscanf usage:

* plugin-runner.c (main): Parse numbers correctly and portably using
                          an intermediate "intmax_t".  Cast "pid_t" to
                          "intmax_t" before passing it to "printf()".
* plugins.d/mandos-client.c (main): Parse numbers correctly and
                                    portably using an intermediate
                                    "intmax_t".  Bug fix: cast
                                    "AvahiIfIndex" to "intmax_t" and
                                    use "PRIdMAX" instead of using
                                    "PRIu16", and use "PRIu16" to
                                    format port number.
* plugins.d/splashy.c (main): Parse numbers correctly and portably
                              using an intermediate "intmax_t".
* plugins.d/usplash.c (main): - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-list

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

100

#include <gpgme.h> /* All GPGME types, constants and

101

functions:

102

gpgme_*

103

GPGME_PROTOCOL_OpenPGP,

104

GPG_ERR_NO_* */

105

106

#define BUFFER_SIZE 256

#define DH_BITS 1024

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client " VERSION;

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

118

typedef struct {

gnutls_session_t session;

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

124

const char *priority;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if(buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if(buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if(rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if(rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = (int)TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if(debug){

191

fprintf(stderr, "Initialize gpgme\n");

192

}

100

193

101

194

/* Init GPGME */

102

195

gpgme_check_version(NULL);

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

196

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if(rc != GPG_ERR_NO_ERROR){

198

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

201

}

104

202

105

/* Set GPGME home directory */

106

rc = gpgme_get_engine_info (&engine_info);

107

if (rc != GPG_ERR_NO_ERROR){

203

/* Set GPGME home directory for the OpenPGP engine only */

204

rc = gpgme_get_engine_info(&engine_info);

205

if(rc != GPG_ERR_NO_ERROR){

108

206

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

109

207

gpgme_strsource(rc), gpgme_strerror(rc));

110

return -1;

208

return false;

111

209

}

112

210

while(engine_info != NULL){

113

211

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

114

212

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

115

engine_info->file_name, homedir);

213

engine_info->file_name, tempdir);

116

214

break;

117

215

}

118

216

engine_info = engine_info->next;

119

217

}

120

218

if(engine_info == NULL){

121

fprintf(stderr, "Could not set home dir to %s\n", homedir);

122

return -1;

123

}

124

125

/* Create new GPGME data buffer from packet buffer */

126

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

127

if (rc != GPG_ERR_NO_ERROR){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if(rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if(not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if(debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

259

if(rc != GPG_ERR_NO_ERROR){

128

260

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

129

261

gpgme_strsource(rc), gpgme_strerror(rc));

130

262

return -1;

132

264

133

265

/* Create new empty GPGME data buffer for the plaintext */

134

266

rc = gpgme_data_new(&dh_plain);

135

if (rc != GPG_ERR_NO_ERROR){

267

if(rc != GPG_ERR_NO_ERROR){

136

268

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

137

269

gpgme_strsource(rc), gpgme_strerror(rc));

138

return -1;

139

}

140

141

/* Create new GPGME "context" */

142

rc = gpgme_new(&ctx);

143

if (rc != GPG_ERR_NO_ERROR){

144

fprintf(stderr, "bad gpgme_new: %s: %s\n",

145

gpgme_strsource(rc), gpgme_strerror(rc));

146

return -1;

147

}

148

149

/* Decrypt data from the FILE pointer to the plaintext data

150

buffer */

151

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

152

if (rc != GPG_ERR_NO_ERROR){

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

277

if(rc != GPG_ERR_NO_ERROR){

153

278

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

154

279

gpgme_strsource(rc), gpgme_strerror(rc));

155

return -1;

280

plaintext_length = -1;

281

if(debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if(result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

306

}

307

}

308

}

309

goto decrypt_end;

156

310

}

157

311

158

312

if(debug){

159

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

160

}

161

162

if (debug){

163

gpgme_decrypt_result_t result;

164

result = gpgme_op_decrypt_result(ctx);

165

if (result == NULL){

166

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

167

} else {

168

fprintf(stderr, "Unsupported algorithm: %s\n",

169

result->unsupported_algorithm);

170

fprintf(stderr, "Wrong key usage: %d\n",

171

result->wrong_key_usage);

172

if(result->file_name != NULL){

173

fprintf(stderr, "File name: %s\n", result->file_name);

174

}

175

gpgme_recipient_t recipient;

176

recipient = result->recipients;

177

if(recipient){

178

while(recipient != NULL){

179

fprintf(stderr, "Public key algorithm: %s\n",

180

gpgme_pubkey_algo_name(recipient->pubkey_algo));

181

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

182

fprintf(stderr, "Secret key available: %s\n",

183

recipient->status == GPG_ERR_NO_SECKEY

184

? "No" : "Yes");

185

recipient = recipient->next;

186

}

187

}

188

}

189

}

190

191

/* Delete the GPGME FILE pointer cryptotext data buffer */

192

gpgme_data_release(dh_crypto);

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

193

315

194

316

/* Seek back to the beginning of the GPGME plaintext data buffer */

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

197

*new_packet = 0;

317

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

321

}

322

323

*plaintext = NULL;

198

324

while(true){

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

200

*new_packet = realloc(*new_packet,

201

(unsigned int)new_packet_capacity

202

+ BUFFER_SIZE);

203

if (*new_packet == NULL){

204

perror("realloc");

205

return -1;

206

}

207

new_packet_capacity += BUFFER_SIZE;

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if(plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

208

332

}

209

333

210

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

211

335

BUFFER_SIZE);

212

336

/* Print the data, if any */

213

if (ret == 0){

337

if(ret == 0){

338

/* EOF */

214

339

break;

215

340

}

216

341

if(ret < 0){

217

342

perror("gpgme_data_read");

218

return -1;

219

}

220

new_packet_length += ret;

221

}

222

223

/* FIXME: check characters before printing to screen so to not print

224

terminal control characters */

225

/* if(debug){ */

226

/* fprintf(stderr, "decrypted password is: "); */

227

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

228

/* fprintf(stderr, "\n"); */

229

/* } */

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

230

361

231

362

/* Delete the GPGME plaintext data buffer */

232

363

gpgme_data_release(dh_plain);

233

return new_packet_length;

364

return plaintext_length;

234

365

}

235

366

236

static const char * safer_gnutls_strerror (int value) {

237

const char *ret = gnutls_strerror (value);

238

if (ret == NULL)

367

static const char * safer_gnutls_strerror(int value) {

368

const char *ret = gnutls_strerror(value); /* Spurious warning from

369

-Wunreachable-code */

370

if(ret == NULL)

239

371

ret = "(unknown)";

240

372

return ret;

241

373

}

242

374

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

245

fprintf(stderr, "%s", string);

375

/* GnuTLS log function callback */

376

static void debuggnutls(__attribute__((unused)) int level,

377

const char* string){

378

fprintf(stderr, "GnuTLS: %s", string);

246

379

}

247

380

248

int initgnutls(encrypted_session *es){

249

const char *err;

381

static int init_gnutls_global(mandos_context *mc,

382

const char *pubkeyfilename,

383

const char *seckeyfilename){

250

384

int ret;

251

385

252

386

if(debug){

253

387

fprintf(stderr, "Initializing GnuTLS\n");

254

388

}

255

389

256

if ((ret = gnutls_global_init ())

257

!= GNUTLS_E_SUCCESS) {

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

390

ret = gnutls_global_init();

391

if(ret != GNUTLS_E_SUCCESS) {

392

fprintf(stderr, "GnuTLS global_init: %s\n",

393

safer_gnutls_strerror(ret));

259

394

return -1;

260

395

}

261

262

if (debug){

396

397

if(debug){

398

/* "Use a log level over 10 to enable all debugging options."

399

* - GnuTLS manual

400

263

401

gnutls_global_set_log_level(11);

264

402

gnutls_global_set_log_function(debuggnutls);

265

403

}

266

404

267

/* openpgp credentials */

268

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

269

!= GNUTLS_E_SUCCESS) {

270

fprintf (stderr, "memory error: %s\n",

271

safer_gnutls_strerror(ret));

405

/* OpenPGP credentials */

406

gnutls_certificate_allocate_credentials(&mc->cred);

407

if(ret != GNUTLS_E_SUCCESS){

408

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

409

* from

410

* -Wunreachable-code

411

412

safer_gnutls_strerror(ret));

413

gnutls_global_deinit();

272

414

return -1;

273

415

}

274

416

275

417

if(debug){

276

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

418

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

419

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

420

seckeyfilename);

279

421

}

280

422

281

423

ret = gnutls_certificate_set_openpgp_key_file

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

283

if (ret != GNUTLS_E_SUCCESS) {

284

fprintf

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

286

" '%s')\n",

287

ret, CERTFILE, KEYFILE);

288

fprintf(stdout, "The Error is: %s\n",

289

safer_gnutls_strerror(ret));

290

return -1;

291

}

292

293

//GnuTLS server initialization

294

if ((ret = gnutls_dh_params_init (&es->dh_params))

295

!= GNUTLS_E_SUCCESS) {

296

fprintf (stderr, "Error in dh parameter initialization: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in prime generation: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

309

310

// GnuTLS session creation

311

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

312

!= GNUTLS_E_SUCCESS){

424

(mc->cred, pubkeyfilename, seckeyfilename,

425

GNUTLS_OPENPGP_FMT_BASE64);

426

if(ret != GNUTLS_E_SUCCESS) {

427

fprintf(stderr,

428

"Error[%d] while reading the OpenPGP key pair ('%s',"

429

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

430

fprintf(stderr, "The GnuTLS error is: %s\n",

431

safer_gnutls_strerror(ret));

432

goto globalfail;

433

}

434

435

/* GnuTLS server initialization */

436

ret = gnutls_dh_params_init(&mc->dh_params);

437

if(ret != GNUTLS_E_SUCCESS) {

438

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

439

" %s\n", safer_gnutls_strerror(ret));

440

goto globalfail;

441

}

442

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

443

if(ret != GNUTLS_E_SUCCESS) {

444

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

445

safer_gnutls_strerror(ret));

446

goto globalfail;

447

}

448

449

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

450

451

return 0;

452

453

globalfail:

454

455

gnutls_certificate_free_credentials(mc->cred);

456

gnutls_global_deinit();

457

gnutls_dh_params_deinit(mc->dh_params);

458

return -1;

459

}

460

461

static int init_gnutls_session(mandos_context *mc,

462

gnutls_session_t *session){

463

int ret;

464

/* GnuTLS session creation */

465

ret = gnutls_init(session, GNUTLS_SERVER);

466

if(ret != GNUTLS_E_SUCCESS){

313

467

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

314

468

safer_gnutls_strerror(ret));

315

469

}

316

470

317

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf(stderr, "Syntax error at: %s\n", err);

320

fprintf(stderr, "GnuTLS error: %s\n",

321

safer_gnutls_strerror(ret));

322

return -1;

471

{

472

const char *err;

473

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

474

if(ret != GNUTLS_E_SUCCESS) {

475

fprintf(stderr, "Syntax error at: %s\n", err);

476

fprintf(stderr, "GnuTLS error: %s\n",

477

safer_gnutls_strerror(ret));

478

gnutls_deinit(*session);

479

return -1;

480

}

323

481

}

324

482

325

if ((ret = gnutls_credentials_set

326

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Error setting a credentials set: %s\n",

483

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

484

mc->cred);

485

if(ret != GNUTLS_E_SUCCESS) {

486

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

329

487

safer_gnutls_strerror(ret));

488

gnutls_deinit(*session);

330

489

return -1;

331

490

}

332

491

333

492

/* ignore client certificate if any. */

334

gnutls_certificate_server_set_request (es->session,

335

GNUTLS_CERT_IGNORE);

493

gnutls_certificate_server_set_request(*session,

494

GNUTLS_CERT_IGNORE);

336

495

337

gnutls_dh_set_prime_bits (es->session, DH_BITS);

496

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

338

497

339

498

return 0;

340

499

}

341

500

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

501

/* Avahi log function callback */

502

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

503

__attribute__((unused)) const char *txt){}

344

504

345

int start_mandos_communication(const char *ip, uint16_t port,

346

AvahiIfIndex if_index){

505

/* Called when a Mandos server is found */

506

static int start_mandos_communication(const char *ip, uint16_t port,

507

AvahiIfIndex if_index,

508

mandos_context *mc){

347

509

int ret, tcp_sd;

348

struct sockaddr_in6 to;

349

encrypted_session es;

510

ssize_t sret;

511

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

350

512

char *buffer = NULL;

351

513

char *decrypted_buffer;

352

514

size_t buffer_length = 0;

353

515

size_t buffer_capacity = 0;

354

516

ssize_t decrypted_buffer_size;

355

size_t written = 0;

517

size_t written;

356

518

int retval = 0;

357

519

char interface[IF_NAMESIZE];

520

gnutls_session_t session;

521

522

ret = init_gnutls_session(mc, &session);

523

if(ret != 0){

524

return -1;

525

}

358

526

359

527

if(debug){

360

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

361

ip, port);

528

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

529

"\n", ip, port);

362

530

}

363

531

364

532

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

367

535

return -1;

368

536

}

369

537

370

if(if_indextoname((unsigned int)if_index, interface) == NULL){

371

if(debug){

538

if(debug){

539

if(if_indextoname((unsigned int)if_index, interface) == NULL){

372

540

perror("if_indextoname");

541

return -1;

373

542

}

374

return -1;

375

}

376

377

if(debug){

378

543

fprintf(stderr, "Binding to interface %s\n", interface);

379

544

}

380

545

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

384

if (ret < 0 ){

546

memset(&to, 0, sizeof(to));

547

to.in6.sin6_family = AF_INET6;

548

/* It would be nice to have a way to detect if we were passed an

549

IPv4 address here. Now we assume an IPv6 address. */

550

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

551

if(ret < 0 ){

385

552

perror("inet_pton");

386

553

return -1;

387

}

554

}

388

555

if(ret == 0){

389

556

fprintf(stderr, "Bad address: %s\n", ip);

390

557

return -1;

391

558

}

392

to.sin6_port = htons(port); /* Spurious warning */

559

to.in6.sin6_port = htons(port); /* Spurious warnings from

560

-Wconversion and

561

-Wunreachable-code */

393

562

394

to.sin6_scope_id = (uint32_t)if_index;

563

to.in6.sin6_scope_id = (uint32_t)if_index;

395

564

396

565

if(debug){

397

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

398

/* char addrstr[INET6_ADDRSTRLEN]; */

399

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

400

/* sizeof(addrstr)) == NULL){ */

401

/* perror("inet_ntop"); */

402

/* } else { */

403

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

404

/* addrstr, ntohs(to.sin6_port)); */

405

/* } */

566

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

567

port);

568

char addrstr[INET6_ADDRSTRLEN] = "";

569

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

570

sizeof(addrstr)) == NULL){

571

perror("inet_ntop");

572

} else {

573

if(strcmp(addrstr, ip) != 0){

574

fprintf(stderr, "Canonical address form: %s\n", addrstr);

575

}

576

}

406

577

}

407

578

408

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

409

if (ret < 0){

579

ret = connect(tcp_sd, &to.in, sizeof(to));

580

if(ret < 0){

410

581

perror("connect");

411

582

return -1;

412

583

}

413

584

414

ret = initgnutls (&es);

415

if (ret != 0){

416

retval = -1;

417

return -1;

585

const char *out = mandos_protocol_version;

586

written = 0;

587

while(true){

588

size_t out_size = strlen(out);

589

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

590

out_size - written));

591

if(ret == -1){

592

perror("write");

593

retval = -1;

594

goto mandos_end;

595

}

596

written += (size_t)ret;

597

if(written < out_size){

598

continue;

599

} else {

600

if(out == mandos_protocol_version){

601

written = 0;

602

out = "\r\n";

603

} else {

604

break;

605

}

606

}

418

607

}

419

608

420

gnutls_transport_set_ptr (es.session,

421

(gnutls_transport_ptr_t) tcp_sd);

422

423

609

if(debug){

424

610

fprintf(stderr, "Establishing TLS session with %s\n", ip);

425

611

}

426

612

427

ret = gnutls_handshake (es.session);

428

429

if (ret != GNUTLS_E_SUCCESS){

613

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

614

615

do{

616

ret = gnutls_handshake(session);

617

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

618

619

if(ret != GNUTLS_E_SUCCESS){

430

620

if(debug){

431

fprintf(stderr, "\n*** Handshake failed ***\n");

432

gnutls_perror (ret);

621

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

622

gnutls_perror(ret);

433

623

}

434

624

retval = -1;

435

goto exit;

625

goto mandos_end;

436

626

}

437

627

438

//Retrieve OpenPGP packet that contains the wanted password

628

/* Read OpenPGP packet that contains the wanted password */

439

629

440

630

if(debug){

441

631

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

442

632

ip);

443

633

}

444

634

445

635

while(true){

446

if (buffer_length + BUFFER_SIZE > buffer_capacity){

447

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

448

if (buffer == NULL){

449

perror("realloc");

450

goto exit;

451

}

452

buffer_capacity += BUFFER_SIZE;

636

buffer_capacity = adjustbuffer(&buffer, buffer_length,

637

buffer_capacity);

638

if(buffer_capacity == 0){

639

perror("adjustbuffer");

640

retval = -1;

641

goto mandos_end;

453

642

}

454

643

455

ret = gnutls_record_recv

456

(es.session, buffer+buffer_length, BUFFER_SIZE);

457

if (ret == 0){

644

sret = gnutls_record_recv(session, buffer+buffer_length,

645

BUFFER_SIZE);

646

if(sret == 0){

458

647

break;

459

648

}

460

if (ret < 0){

461

switch(ret){

649

if(sret < 0){

650

switch(sret){

462

651

case GNUTLS_E_INTERRUPTED:

463

652

case GNUTLS_E_AGAIN:

464

653

break;

465

654

case GNUTLS_E_REHANDSHAKE:

466

ret = gnutls_handshake (es.session);

467

if (ret < 0){

468

fprintf(stderr, "\n*** Handshake failed ***\n");

469

gnutls_perror (ret);

655

do{

656

ret = gnutls_handshake(session);

657

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

658

if(ret < 0){

659

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

660

gnutls_perror(ret);

470

661

retval = -1;

471

goto exit;

662

goto mandos_end;

472

663

}

473

664

break;

474

665

default:

475

666

fprintf(stderr, "Unknown error while reading data from"

476

" encrypted session with mandos server\n");

667

" encrypted session with Mandos server\n");

477

668

retval = -1;

478

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

479

goto exit;

669

gnutls_bye(session, GNUTLS_SHUT_RDWR);

670

goto mandos_end;

480

671

}

481

672

} else {

482

buffer_length += (size_t) ret;

673

buffer_length += (size_t) sret;

483

674

}

484

675

}

485

676

486

if (buffer_length > 0){

487

decrypted_buffer_size = pgp_packet_decrypt(buffer,

677

if(debug){

678

fprintf(stderr, "Closing TLS session\n");

679

}

680

681

gnutls_bye(session, GNUTLS_SHUT_RDWR);

682

683

if(buffer_length > 0){

684

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

488

685

buffer_length,

489

&decrypted_buffer,

490

CERT_ROOT);

491

if (decrypted_buffer_size >= 0){

686

&decrypted_buffer);

687

if(decrypted_buffer_size >= 0){

688

written = 0;

492

689

while(written < (size_t) decrypted_buffer_size){

493

ret = (int)fwrite (decrypted_buffer + written, 1,

494

(size_t)decrypted_buffer_size - written,

495

stdout);

690

ret = (int)fwrite(decrypted_buffer + written, 1,

691

(size_t)decrypted_buffer_size - written,

692

stdout);

496

693

if(ret == 0 and ferror(stdout)){

497

694

if(debug){

498

695

fprintf(stderr, "Error writing encrypted data: %s\n",

507

704

} else {

508

705

retval = -1;

509

706

}

510

}

511

512

//shutdown procedure

513

514

if(debug){

515

fprintf(stderr, "Closing TLS session\n");

516

}

517

707

} else {

708

retval = -1;

709

}

710

711

/* Shutdown procedure */

712

713

mandos_end:

518

714

free(buffer);

519

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

520

exit:

521

close(tcp_sd);

522

gnutls_deinit (es.session);

523

gnutls_certificate_free_credentials (es.cred);

524

gnutls_global_deinit ();

715

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

716

if(ret == -1){

717

perror("close");

718

}

719

gnutls_deinit(session);

525

720

return retval;

526

721

}

527

722

528

static AvahiSimplePoll *simple_poll = NULL;

529

static AvahiServer *server = NULL;

530

531

static void resolve_callback(

532

AvahiSServiceResolver *r,

533

AvahiIfIndex interface,

534

AVAHI_GCC_UNUSED AvahiProtocol protocol,

535

AvahiResolverEvent event,

536

const char *name,

537

const char *type,

538

const char *domain,

539

const char *host_name,

540

const AvahiAddress *address,

541

uint16_t port,

542

AVAHI_GCC_UNUSED AvahiStringList *txt,

543

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

544

AVAHI_GCC_UNUSED void* userdata) {

545

546

assert(r); /* Spurious warning */

723

static void resolve_callback(AvahiSServiceResolver *r,

724

AvahiIfIndex interface,

725

AVAHI_GCC_UNUSED AvahiProtocol protocol,

726

AvahiResolverEvent event,

727

const char *name,

728

const char *type,

729

const char *domain,

730

const char *host_name,

731

const AvahiAddress *address,

732

uint16_t port,

733

AVAHI_GCC_UNUSED AvahiStringList *txt,

734

AVAHI_GCC_UNUSED AvahiLookupResultFlags

735

flags,

736

void* userdata) {

737

mandos_context *mc = userdata;

738

assert(r);

547

739

548

740

/* Called whenever a service has been resolved successfully or

549

741

timed out */

550

742

551

switch (event) {

743

switch(event) {

552

744

default:

553

745

case AVAHI_RESOLVER_FAILURE:

554

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

555

" type '%s' in domain '%s': %s\n", name, type, domain,

556

avahi_strerror(avahi_server_errno(server)));

746

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

747

" of type '%s' in domain '%s': %s\n", name, type, domain,

748

avahi_strerror(avahi_server_errno(mc->server)));

557

749

break;

558

750

559

751

case AVAHI_RESOLVER_FOUND:

561

753

char ip[AVAHI_ADDRESS_STR_MAX];

562

754

avahi_address_snprint(ip, sizeof(ip), address);

563

755

if(debug){

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

565

" port %d\n", name, host_name, ip, port);

756

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

757

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

758

ip, (intmax_t)interface, port);

566

759

}

567

int ret = start_mandos_communication(ip, port, interface);

568

if (ret == 0){

569

exit(EXIT_SUCCESS);

760

int ret = start_mandos_communication(ip, port, interface, mc);

761

if(ret == 0){

762

avahi_simple_poll_quit(mc->simple_poll);

570

763

}

571

764

}

572

765

}

573

766

avahi_s_service_resolver_free(r);

574

767

}

575

768

576

static void browse_callback(

577

AvahiSServiceBrowser *b,

578

AvahiIfIndex interface,

579

AvahiProtocol protocol,

580

AvahiBrowserEvent event,

581

const char *name,

582

const char *type,

583

const char *domain,

584

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

585

void* userdata) {

586

587

AvahiServer *s = userdata;

588

assert(b); /* Spurious warning */

589

590

/* Called whenever a new services becomes available on the LAN or

591

is removed from the LAN */

592

593

switch (event) {

594

default:

595

case AVAHI_BROWSER_FAILURE:

596

597

fprintf(stderr, "(Browser) %s\n",

598

avahi_strerror(avahi_server_errno(server)));

599

avahi_simple_poll_quit(simple_poll);

600

return;

601

602

case AVAHI_BROWSER_NEW:

603

/* We ignore the returned resolver object. In the callback

604

function we free it. If the server is terminated before

605

the callback function is called the server will free

606

the resolver for us. */

607

608

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

609

type, domain,

610

AVAHI_PROTO_INET6, 0,

611

resolve_callback, s)))

612

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

613

avahi_strerror(avahi_server_errno(s)));

614

break;

615

616

case AVAHI_BROWSER_REMOVE:

617

break;

618

619

case AVAHI_BROWSER_ALL_FOR_NOW:

620

case AVAHI_BROWSER_CACHE_EXHAUSTED:

621

break;

769

static void browse_callback( AvahiSServiceBrowser *b,

770

AvahiIfIndex interface,

771

AvahiProtocol protocol,

772

AvahiBrowserEvent event,

773

const char *name,

774

const char *type,

775

const char *domain,

776

AVAHI_GCC_UNUSED AvahiLookupResultFlags

777

flags,

778

void* userdata) {

779

mandos_context *mc = userdata;

780

assert(b);

781

782

/* Called whenever a new services becomes available on the LAN or

783

is removed from the LAN */

784

785

switch(event) {

786

default:

787

case AVAHI_BROWSER_FAILURE:

788

789

fprintf(stderr, "(Avahi browser) %s\n",

790

avahi_strerror(avahi_server_errno(mc->server)));

791

avahi_simple_poll_quit(mc->simple_poll);

792

return;

793

794

case AVAHI_BROWSER_NEW:

795

/* We ignore the returned Avahi resolver object. In the callback

796

function we free it. If the Avahi server is terminated before

797

the callback function is called the Avahi server will free the

798

resolver for us. */

799

800

if(!(avahi_s_service_resolver_new(mc->server, interface,

801

protocol, name, type, domain,

802

AVAHI_PROTO_INET6, 0,

803

resolve_callback, mc)))

804

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

805

name, avahi_strerror(avahi_server_errno(mc->server)));

806

break;

807

808

case AVAHI_BROWSER_REMOVE:

809

break;

810

811

case AVAHI_BROWSER_ALL_FOR_NOW:

812

case AVAHI_BROWSER_CACHE_EXHAUSTED:

813

if(debug){

814

fprintf(stderr, "No Mandos server found, still searching...\n");

622

815

}

816

break;

817

}

623

818

}

624

819

625

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

626

AvahiServerConfig config;

820

int main(int argc, char *argv[]){

627

821

AvahiSServiceBrowser *sb = NULL;

628

822

int error;

629

823

int ret;

630

int returncode = EXIT_SUCCESS;

631

const char *interface = NULL;

824

intmax_t tmpmax;

825

int numchars;

826

int exitcode = EXIT_SUCCESS;

827

const char *interface = "eth0";

828

struct ifreq network;

829

int sd;

830

uid_t uid;

831

gid_t gid;

832

char *connect_to = NULL;

833

char tempdir[] = "/tmp/mandosXXXXXX";

632

834

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

633

char *connect_to = NULL;

634

635

while (true){

636

static struct option long_options[] = {

637

{"debug", no_argument, (int *)&debug, 1},

638

{"connect", required_argument, 0, 'c'},

639

{"interface", required_argument, 0, 'i'},

640

{0, 0, 0, 0} };

641

642

int option_index = 0;

643

ret = getopt_long (argc, argv, "i:", long_options,

644

&option_index);

645

646

if (ret == -1){

647

break;

648

}

649

650

switch(ret){

651

case 0:

652

break;

653

case 'i':

654

interface = optarg;

655

break;

656

case 'c':

657

connect_to = optarg;

658

break;

659

default:

660

exit(EXIT_FAILURE);

661

}

662

}

663

664

if(interface != NULL){

665

if_index = (AvahiIfIndex) if_nametoindex(interface);

666

if(if_index == 0){

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

668

exit(EXIT_FAILURE);

669

}

835

const char *seckey = PATHDIR "/" SECKEY;

836

const char *pubkey = PATHDIR "/" PUBKEY;

837

838

mandos_context mc = { .simple_poll = NULL, .server = NULL,

839

.dh_bits = 1024, .priority = "SECURE256"

840

":!CTYPE-X.509:+CTYPE-OPENPGP" };

841

bool gnutls_initalized = false;

842

bool gpgme_initalized = false;

843

844

{

845

struct argp_option options[] = {

846

{ .name = "debug", .key = 128,

847

.doc = "Debug mode", .group = 3 },

848

{ .name = "connect", .key = 'c',

849

.arg = "ADDRESS:PORT",

850

.doc = "Connect directly to a specific Mandos server",

851

.group = 1 },

852

{ .name = "interface", .key = 'i',

853

.arg = "NAME",

854

.doc = "Interface that will be used to search for Mandos"

855

" servers",

856

.group = 1 },

857

{ .name = "seckey", .key = 's',

858

.arg = "FILE",

859

.doc = "OpenPGP secret key file base name",

860

.group = 1 },

861

{ .name = "pubkey", .key = 'p',

862

.arg = "FILE",

863

.doc = "OpenPGP public key file base name",

864

.group = 2 },

865

{ .name = "dh-bits", .key = 129,

866

.arg = "BITS",

867

.doc = "Bit length of the prime number used in the"

868

" Diffie-Hellman key exchange",

869

.group = 2 },

870

{ .name = "priority", .key = 130,

871

.arg = "STRING",

872

.doc = "GnuTLS priority string for the TLS handshake",

873

.group = 1 },

874

{ .name = NULL }

875

};

876

877

error_t parse_opt(int key, char *arg,

878

struct argp_state *state) {

879

switch(key) {

880

case 128: /* --debug */

881

debug = true;

882

break;

883

case 'c': /* --connect */

884

connect_to = arg;

885

break;

886

case 'i': /* --interface */

887

interface = arg;

888

break;

889

case 's': /* --seckey */

890

seckey = arg;

891

break;

892

case 'p': /* --pubkey */

893

pubkey = arg;

894

break;

895

case 129: /* --dh-bits */

896

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

897

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

898

or arg[numchars] != '\0'){

899

fprintf(stderr, "Bad number of DH bits\n");

900

exit(EXIT_FAILURE);

901

}

902

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

903

break;

904

case 130: /* --priority */

905

mc.priority = arg;

906

break;

907

case ARGP_KEY_ARG:

908

argp_usage(state);

909

case ARGP_KEY_END:

910

break;

911

default:

912

return ARGP_ERR_UNKNOWN;

913

}

914

return 0;

915

}

916

917

struct argp argp = { .options = options, .parser = parse_opt,

918

.args_doc = "",

919

.doc = "Mandos client -- Get and decrypt"

920

" passwords from a Mandos server" };

921

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

922

if(ret == ARGP_ERR_UNKNOWN){

923

fprintf(stderr, "Unknown error while parsing arguments\n");

924

exitcode = EXIT_FAILURE;

925

goto end;

926

}

927

}

928

929

/* If the interface is down, bring it up */

930

{

931

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

932

if(sd < 0) {

933

perror("socket");

934

exitcode = EXIT_FAILURE;

935

goto end;

936

}

937

strcpy(network.ifr_name, interface);

938

ret = ioctl(sd, SIOCGIFFLAGS, &network);

939

if(ret == -1){

940

perror("ioctl SIOCGIFFLAGS");

941

exitcode = EXIT_FAILURE;

942

goto end;

943

}

944

if((network.ifr_flags & IFF_UP) == 0){

945

network.ifr_flags |= IFF_UP;

946

ret = ioctl(sd, SIOCSIFFLAGS, &network);

947

if(ret == -1){

948

perror("ioctl SIOCSIFFLAGS");

949

exitcode = EXIT_FAILURE;

950

goto end;

951

}

952

}

953

ret = (int)TEMP_FAILURE_RETRY(close(sd));

954

if(ret == -1){

955

perror("close");

956

}

957

}

958

959

uid = getuid();

960

gid = getgid();

961

962

ret = setuid(uid);

963

if(ret == -1){

964

perror("setuid");

965

}

966

967

setgid(gid);

968

if(ret == -1){

969

perror("setgid");

970

}

971

972

ret = init_gnutls_global(&mc, pubkey, seckey);

973

if(ret == -1){

974

fprintf(stderr, "init_gnutls_global failed\n");

975

exitcode = EXIT_FAILURE;

976

goto end;

977

} else {

978

gnutls_initalized = true;

979

}

980

981

if(mkdtemp(tempdir) == NULL){

982

perror("mkdtemp");

983

tempdir[0] = '\0';

984

goto end;

985

}

986

987

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

988

fprintf(stderr, "gpgme_initalized failed\n");

989

exitcode = EXIT_FAILURE;

990

goto end;

991

} else {

992

gpgme_initalized = true;

993

}

994

995

if_index = (AvahiIfIndex) if_nametoindex(interface);

996

if(if_index == 0){

997

fprintf(stderr, "No such interface: \"%s\"\n", interface);

998

exit(EXIT_FAILURE);

670

999

}

671

1000

672

1001

if(connect_to != NULL){

675

1004

char *address = strrchr(connect_to, ':');

676

1005

if(address == NULL){

677

1006

fprintf(stderr, "No colon in address\n");

678

exit(EXIT_FAILURE);

679

}

680

errno = 0;

681

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

682

if(errno){

683

perror("Bad port number");

684

exit(EXIT_FAILURE);

685

}

1007

exitcode = EXIT_FAILURE;

1008

goto end;

1009

}

1010

uint16_t port;

1011

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1012

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1013

or address[numchars+1] != '\0'){

1014

fprintf(stderr, "Bad port number\n");

1015

exitcode = EXIT_FAILURE;

1016

goto end;

1017

}

1018

port = (uint16_t)tmpmax;

686

1019

*address = '\0';

687

1020

address = connect_to;

688

ret = start_mandos_communication(address, port, if_index);

1021

ret = start_mandos_communication(address, port, if_index, &mc);

689

1022

if(ret < 0){

690

exit(EXIT_FAILURE);

1023

exitcode = EXIT_FAILURE;

691

1024

} else {

692

exit(EXIT_SUCCESS);

1025

exitcode = EXIT_SUCCESS;

693

1026

}

1027

goto end;

694

1028

}

695

1029

696

if (not debug){

1030

if(not debug){

697

1031

avahi_set_log_function(empty_log);

698

1032

}

699

1033

700

/* Initialize the psuedo-RNG */

1034

/* Initialize the pseudo-RNG for Avahi */

701

1035

srand((unsigned int) time(NULL));

702

703

/* Allocate main loop object */

704

if (!(simple_poll = avahi_simple_poll_new())) {

705

fprintf(stderr, "Failed to create simple poll object.\n");

706

707

goto exit;

708

}

709

710

/* Do not publish any local records */

711

avahi_server_config_init(&config);

712

config.publish_hinfo = 0;

713

config.publish_addresses = 0;

714

config.publish_workstation = 0;

715

config.publish_domain = 0;

716

717

/* Allocate a new server */

718

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

719

&config, NULL, NULL, &error);

720

721

/* Free the configuration data */

722

avahi_server_config_free(&config);

723

724

/* Check if creating the server object succeeded */

725

if (!server) {

726

fprintf(stderr, "Failed to create server: %s\n",

1036

1037

/* Allocate main Avahi loop object */

1038

mc.simple_poll = avahi_simple_poll_new();

1039

if(mc.simple_poll == NULL) {

1040

fprintf(stderr, "Avahi: Failed to create simple poll"

1041

" object.\n");

1042

exitcode = EXIT_FAILURE;

1043

goto end;

1044

}

1045

1046

{

1047

AvahiServerConfig config;

1048

/* Do not publish any local Zeroconf records */

1049

avahi_server_config_init(&config);

1050

config.publish_hinfo = 0;

1051

config.publish_addresses = 0;

1052

config.publish_workstation = 0;

1053

config.publish_domain = 0;

1054

1055

/* Allocate a new server */

1056

mc.server = avahi_server_new(avahi_simple_poll_get

1057

(mc.simple_poll), &config, NULL,

1058

NULL, &error);

1059

1060

/* Free the Avahi configuration data */

1061

avahi_server_config_free(&config);

1062

}

1063

1064

/* Check if creating the Avahi server object succeeded */

1065

if(mc.server == NULL) {

1066

fprintf(stderr, "Failed to create Avahi server: %s\n",

727

1067

avahi_strerror(error));

728

returncode = EXIT_FAILURE;

729

goto exit;

1068

exitcode = EXIT_FAILURE;

1069

goto end;

730

1070

}

731

1071

732

/* Create the service browser */

733

sb = avahi_s_service_browser_new(server, if_index,

1072

/* Create the Avahi service browser */

1073

sb = avahi_s_service_browser_new(mc.server, if_index,

734

1074

AVAHI_PROTO_INET6,

735

1075

"_mandos._tcp", NULL, 0,

736

browse_callback, server);

737

if (!sb) {

1076

browse_callback, &mc);

1077

if(sb == NULL) {

738

1078

fprintf(stderr, "Failed to create service browser: %s\n",

739

avahi_strerror(avahi_server_errno(server)));

740

returncode = EXIT_FAILURE;

741

goto exit;

1079

avahi_strerror(avahi_server_errno(mc.server)));

1080

exitcode = EXIT_FAILURE;

1081

goto end;

742

1082

}

743

1083

744

1084

/* Run the main loop */

745

746

if (debug){

747

fprintf(stderr, "Starting avahi loop search\n");

1085

1086

if(debug){

1087

fprintf(stderr, "Starting Avahi loop search\n");

748

1088

}

749

1089

750

avahi_simple_poll_loop(simple_poll);

751

752

exit:

753

754

if (debug){

1090

avahi_simple_poll_loop(mc.simple_poll);

1091

1092

end:

1093

1094

if(debug){

755

1095

fprintf(stderr, "%s exiting\n", argv[0]);

756

1096

}

757

1097

758

1098

/* Cleanup things */

759

if (sb)

1099

if(sb != NULL)

760

1100

avahi_s_service_browser_free(sb);

761

1101

762

if (server)

763

avahi_server_free(server);

764

765

if (simple_poll)

766

avahi_simple_poll_free(simple_poll);

767

768

return returncode;

1102

if(mc.server != NULL)

1103

avahi_server_free(mc.server);

1104

1105

if(mc.simple_poll != NULL)

1106

avahi_simple_poll_free(mc.simple_poll);

1107

1108

if(gnutls_initalized){

1109

gnutls_certificate_free_credentials(mc.cred);

1110

gnutls_global_deinit();

1111

gnutls_dh_params_deinit(mc.dh_params);

1112

}

1113

1114

if(gpgme_initalized){

1115

gpgme_release(mc.ctx);

1116

}

1117

1118

/* Removes the temp directory used by GPGME */

1119

if(tempdir[0] != '\0'){

1120

DIR *d;

1121

struct dirent *direntry;

1122

d = opendir(tempdir);

1123

if(d == NULL){

1124

if(errno != ENOENT){

1125

perror("opendir");

1126

}

1127

} else {

1128

while(true){

1129

direntry = readdir(d);

1130

if(direntry == NULL){

1131

break;

1132

}

1133

if(direntry->d_type == DT_REG){

1134

char *fullname = NULL;

1135

ret = asprintf(&fullname, "%s/%s", tempdir,

1136

direntry->d_name);

1137

if(ret < 0){

1138

perror("asprintf");

1139

continue;

1140

}

1141

ret = unlink(fullname);

1142

if(ret == -1){

1143

fprintf(stderr, "unlink(\"%s\"): %s",

1144

fullname, strerror(errno));

1145

}

1146

free(fullname);

1147

}

1148

}

1149

closedir(d);

1150

}

1151

ret = rmdir(tempdir);

1152

if(ret == -1 and errno != ENOENT){

1153

perror("rmdir");

1154

}

1155

}

1156

1157

return exitcode;

769

1158

}

Older »