/mandos/trunk : revision 28

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-07-29 03:35:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080729033539-08zecoj3jwlkpjhw

* server.conf: New file.

* mandos-clients.conf: Renamed to clients.conf.

* Makefile (FORTIFY): New.
  (CFLAGS): Include $(FORTIFY).

* plugins.d/mandosclient.c (main): New "if_index" variable.  Bug fix:
                                   check if interface exists.  New
                                   "--connect" option.

* server.py (serviceInterface): Removed; replaced by
                                "AvahiService.interface".  All users
                                changed.
  (AvahiError, AvahiServiceError, AvahiGroupError): New exception
                                                    classes.
  (AvahiService): New class.
  (serviceName): Removed; replaced by "AvahiService.name".  All users
                 changed.
  (serviceType): Removed; replaced by "AvahiService.type".  All users
                 changed.
  (servicePort): Removed; replaced by "AvahiService.port".  All users
                 changed.
  (serviceTXT): Removed; replaced by "AvahiService.TXT".  All users
                changed.
  (domain): Removed; replaced by "AvahiService.domain".  All users
            changed.
  (host): Removed; replaced by "AvahiService.host".  All users
          changed.
  (rename_count): Removed; replaced by "AvahiService.rename_count" and
                 "AvahiService.max_renames".  All users changed.
  (Client.__init__): If no secret or secfile, raise TypeError instead
                     of RuntimeError.
  (Client.last_seen): Renamed to "Client.last_checked_ok".  All users
                      changed.
  (Client.stop, Client.stop_checker): Use "getattr" with default value
                                      instead of "hasattr".
  (Client.still_valid): Removed "now" argument.
  (Client.handle): Separate the "no client found" and "client invalid"
                   cases for clearer code.
  (IPv6_TCPServer.__init__): "options" argument replaced by
                             "settings".  All callers changed.
  (IPv6_TCPServer.options): Replaced by "IPv6_TCPServer.settings".
                            All users changed.
  (IPv6_TCPServer.server_bind): Use getattr instead of hasattr.
  (add_service): Removed; replaced by "AvahiService.add".  All callers
                 changed.
  (remove_service): Removed; replaced by "AvahiService.remove".  All
                    callers changed.
  (entry_group_state_changed): On entry group collision, call the new
                               AvahiService.rename method.  Raise
                               AvahiGroupError on group error.
  (if_nametoindex): Use ctypes.utils.find_library to locate the C
                    library.  Cache the result.  Loop on EINTR.
  (daemon): Use os.path.devnull to locate "/dev/null".
  (killme): Removed.  All callers changed to do "sys.exit()" instead,
            except where stated otherwise.
  (main): Removed "exitstatus".  Removed all default values from all
          non-bool options.  New option "--configdir".  New variables
          "server_defaults" and "server_settings", read from
          "%(configdir)s/server.conf".  Let any supplied command line
          options override server settings.   Variable "defaults"
          renamed to "client_defaults", which is read from
          "clients.conf" instead of "mandos-clients.conf".  New global
          AvahiService object "service" replaces old global variables.
          Catch AvahiError and exit with error if caught.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzrignore

COPYING

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

plugins.d/usplash

files renamed:
plugin-runner.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

#define BUFFER_SIZE 256

#define DH_BITS 1024

100

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

107

/* Used for passing in values through the Avahi callback functions */

108

typedef struct {

109

AvahiSimplePoll *simple_poll;

110

AvahiServer *server;

gnutls_session_t session;

111

gnutls_certificate_credentials_t cred;

112

unsigned int dh_bits;

113

gnutls_dh_params_t dh_params;

114

const char *priority;

115

} mandos_context;

116

117

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

134

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

137

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

141

const char *homedir){

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

142

gpgme_data_t dh_crypto, dh_plain;

143

gpgme_ctx_t ctx;

144

gpgme_error_t rc;

145

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

148

gpgme_engine_info_t engine_info;

149

150

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

152

}

153

100

154

101

/* Init GPGME */

155

102

gpgme_check_version(NULL);

156

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

157

if (rc != GPG_ERR_NO_ERROR){

158

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

159

gpgme_strsource(rc), gpgme_strerror(rc));

160

return -1;

161

}

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

162

104

163

/* Set GPGME home directory for the OpenPGP engine only */

105

/* Set GPGME home directory */

164

106

rc = gpgme_get_engine_info (&engine_info);

165

107

if (rc != GPG_ERR_NO_ERROR){

166

108

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

176

118

engine_info = engine_info->next;

177

119

}

178

120

if(engine_info == NULL){

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

121

fprintf(stderr, "Could not set home dir to %s\n", homedir);

180

122

return -1;

181

123

}

182

124

183

/* Create new GPGME data buffer from memory cryptotext */

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

185

0);

125

/* Create new GPGME data buffer from packet buffer */

126

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

186

127

if (rc != GPG_ERR_NO_ERROR){

187

128

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

188

129

gpgme_strsource(rc), gpgme_strerror(rc));

194

135

if (rc != GPG_ERR_NO_ERROR){

195

136

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

196

137

gpgme_strsource(rc), gpgme_strerror(rc));

197

gpgme_data_release(dh_crypto);

198

138

return -1;

199

139

}

200

140

203

143

if (rc != GPG_ERR_NO_ERROR){

204

144

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

145

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

146

return -1;

208

147

}

209

148

210

/* Decrypt data from the cryptotext data buffer to the plaintext

211

data buffer */

149

/* Decrypt data from the FILE pointer to the plaintext data

150

buffer */

212

151

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

152

if (rc != GPG_ERR_NO_ERROR){

214

153

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

215

154

gpgme_strsource(rc), gpgme_strerror(rc));

216

plaintext_length = -1;

217

if (debug){

218

gpgme_decrypt_result_t result;

219

result = gpgme_op_decrypt_result(ctx);

220

if (result == NULL){

221

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

222

} else {

223

fprintf(stderr, "Unsupported algorithm: %s\n",

224

result->unsupported_algorithm);

225

fprintf(stderr, "Wrong key usage: %u\n",

226

result->wrong_key_usage);

227

if(result->file_name != NULL){

228

fprintf(stderr, "File name: %s\n", result->file_name);

229

}

230

gpgme_recipient_t recipient;

231

recipient = result->recipients;

232

if(recipient){

233

while(recipient != NULL){

234

fprintf(stderr, "Public key algorithm: %s\n",

235

gpgme_pubkey_algo_name(recipient->pubkey_algo));

236

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

237

fprintf(stderr, "Secret key available: %s\n",

238

recipient->status == GPG_ERR_NO_SECKEY

239

? "No" : "Yes");

240

recipient = recipient->next;

241

}

155

return -1;

156

}

157

158

if(debug){

159

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

160

}

161

162

if (debug){

163

gpgme_decrypt_result_t result;

164

result = gpgme_op_decrypt_result(ctx);

165

if (result == NULL){

166

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

167

} else {

168

fprintf(stderr, "Unsupported algorithm: %s\n",

169

result->unsupported_algorithm);

170

fprintf(stderr, "Wrong key usage: %d\n",

171

result->wrong_key_usage);

172

if(result->file_name != NULL){

173

fprintf(stderr, "File name: %s\n", result->file_name);

174

}

175

gpgme_recipient_t recipient;

176

recipient = result->recipients;

177

if(recipient){

178

while(recipient != NULL){

179

fprintf(stderr, "Public key algorithm: %s\n",

180

gpgme_pubkey_algo_name(recipient->pubkey_algo));

181

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

182

fprintf(stderr, "Secret key available: %s\n",

183

recipient->status == GPG_ERR_NO_SECKEY

184

? "No" : "Yes");

185

recipient = recipient->next;

242

186

}

243

187

}

244

188

}

245

goto decrypt_end;

246

189

}

247

190

248

if(debug){

249

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

250

}

191

/* Delete the GPGME FILE pointer cryptotext data buffer */

192

gpgme_data_release(dh_crypto);

251

193

252

194

/* Seek back to the beginning of the GPGME plaintext data buffer */

253

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

perror("pgpme_data_seek");

255

plaintext_length = -1;

256

goto decrypt_end;

257

}

258

259

*plaintext = NULL;

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

197

*new_packet = 0;

260

198

while(true){

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

265

perror("adjustbuffer");

266

plaintext_length = -1;

267

goto decrypt_end;

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

200

*new_packet = realloc(*new_packet,

201

(unsigned int)new_packet_capacity

202

+ BUFFER_SIZE);

203

if (*new_packet == NULL){

204

perror("realloc");

205

return -1;

206

}

207

new_packet_capacity += BUFFER_SIZE;

268

208

}

269

209

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

210

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

271

211

BUFFER_SIZE);

272

212

/* Print the data, if any */

273

213

if (ret == 0){

274

/* EOF */

275

214

break;

276

215

}

277

216

if(ret < 0){

278

217

perror("gpgme_data_read");

279

plaintext_length = -1;

280

goto decrypt_end;

281

}

282

plaintext_length += ret;

283

}

284

285

if(debug){

286

fprintf(stderr, "Decrypted password is: ");

287

for(ssize_t i = 0; i < plaintext_length; i++){

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

289

}

290

fprintf(stderr, "\n");

291

}

292

293

decrypt_end:

294

295

/* Delete the GPGME cryptotext data buffer */

296

gpgme_data_release(dh_crypto);

218

return -1;

219

}

220

new_packet_length += ret;

221

}

222

223

/* FIXME: check characters before printing to screen so to not print

224

terminal control characters */

225

/* if(debug){ */

226

/* fprintf(stderr, "decrypted password is: "); */

227

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

228

/* fprintf(stderr, "\n"); */

229

/* } */

297

230

298

231

/* Delete the GPGME plaintext data buffer */

299

232

gpgme_data_release(dh_plain);

300

return plaintext_length;

233

return new_packet_length;

301

234

}

302

235

303

236

static const char * safer_gnutls_strerror (int value) {

304

const char *ret = gnutls_strerror (value); /* Spurious warning */

237

const char *ret = gnutls_strerror (value);

305

238

if (ret == NULL)

306

239

ret = "(unknown)";

307

240

return ret;

308

241

}

309

242

310

/* GnuTLS log function callback */

311

static void debuggnutls(__attribute__((unused)) int level,

312

const char* string){

313

fprintf(stderr, "GnuTLS: %s", string);

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

245

fprintf(stderr, "%s", string);

314

246

}

315

247

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfilename,

318

const char *seckeyfilename){

248

int initgnutls(encrypted_session *es){

249

const char *err;

319

250

int ret;

320

251

321

252

if(debug){

322

253

fprintf(stderr, "Initializing GnuTLS\n");

323

254

}

324

255

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

256

if ((ret = gnutls_global_init ())

257

!= GNUTLS_E_SUCCESS) {

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

329

259

return -1;

330

260

}

331

261

332

262

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

336

263

gnutls_global_set_log_level(11);

337

264

gnutls_global_set_log_function(debuggnutls);

338

265

}

339

266

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

344

warning */

267

/* openpgp credentials */

268

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

269

!= GNUTLS_E_SUCCESS) {

270

fprintf (stderr, "memory error: %s\n",

345

271

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

347

272

return -1;

348

273

}

349

274

350

275

if(debug){

351

276

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

352

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

353

seckeyfilename);

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

354

279

}

355

280

356

281

ret = gnutls_certificate_set_openpgp_key_file

357

(mc->cred, pubkeyfilename, seckeyfilename,

358

GNUTLS_OPENPGP_FMT_BASE64);

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

359

283

if (ret != GNUTLS_E_SUCCESS) {

360

fprintf(stderr,

361

"Error[%d] while reading the OpenPGP key pair ('%s',"

362

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

363

fprintf(stdout, "The GnuTLS error is: %s\n",

284

fprintf

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

286

" '%s')\n",

287

ret, CERTFILE, KEYFILE);

288

fprintf(stdout, "The Error is: %s\n",

364

289

safer_gnutls_strerror(ret));

365

goto globalfail;

366

}

367

368

/* GnuTLS server initialization */

369

ret = gnutls_dh_params_init(&mc->dh_params);

370

if (ret != GNUTLS_E_SUCCESS) {

371

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

372

" %s\n", safer_gnutls_strerror(ret));

373

goto globalfail;

374

}

375

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

376

if (ret != GNUTLS_E_SUCCESS) {

377

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

378

safer_gnutls_strerror(ret));

379

goto globalfail;

380

}

381

382

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

383

384

return 0;

385

386

globalfail:

387

388

gnutls_certificate_free_credentials(mc->cred);

389

gnutls_global_deinit();

390

return -1;

391

}

392

393

static int init_gnutls_session(mandos_context *mc,

394

gnutls_session_t *session){

395

int ret;

396

/* GnuTLS session creation */

397

ret = gnutls_init(session, GNUTLS_SERVER);

398

if (ret != GNUTLS_E_SUCCESS){

290

return -1;

291

}

292

293

//GnuTLS server initialization

294

if ((ret = gnutls_dh_params_init (&es->dh_params))

295

!= GNUTLS_E_SUCCESS) {

296

fprintf (stderr, "Error in dh parameter initialization: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in prime generation: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

309

310

// GnuTLS session creation

311

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

312

!= GNUTLS_E_SUCCESS){

399

313

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

400

314

safer_gnutls_strerror(ret));

401

315

}

402

316

403

{

404

const char *err;

405

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

406

if (ret != GNUTLS_E_SUCCESS) {

407

fprintf(stderr, "Syntax error at: %s\n", err);

408

fprintf(stderr, "GnuTLS error: %s\n",

409

safer_gnutls_strerror(ret));

410

gnutls_deinit (*session);

411

return -1;

412

}

317

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf(stderr, "Syntax error at: %s\n", err);

320

fprintf(stderr, "GnuTLS error: %s\n",

321

safer_gnutls_strerror(ret));

322

return -1;

413

323

}

414

324

415

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

416

mc->cred);

417

if (ret != GNUTLS_E_SUCCESS) {

418

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

325

if ((ret = gnutls_credentials_set

326

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Error setting a credentials set: %s\n",

419

329

safer_gnutls_strerror(ret));

420

gnutls_deinit (*session);

421

330

return -1;

422

331

}

423

332

424

333

/* ignore client certificate if any. */

425

gnutls_certificate_server_set_request (*session,

334

gnutls_certificate_server_set_request (es->session,

426

335

GNUTLS_CERT_IGNORE);

427

336

428

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

337

gnutls_dh_set_prime_bits (es->session, DH_BITS);

429

338

430

339

return 0;

431

340

}

432

341

433

/* Avahi log function callback */

434

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

435

__attribute__((unused)) const char *txt){}

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

436

344

437

/* Called when a Mandos server is found */

438

static int start_mandos_communication(const char *ip, uint16_t port,

439

AvahiIfIndex if_index,

440

mandos_context *mc){

345

int start_mandos_communication(const char *ip, uint16_t port,

346

unsigned int if_index){

441

347

int ret, tcp_sd;

442

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

348

struct sockaddr_in6 to;

349

encrypted_session es;

443

350

char *buffer = NULL;

444

351

char *decrypted_buffer;

445

352

size_t buffer_length = 0;

446

353

size_t buffer_capacity = 0;

447

354

ssize_t decrypted_buffer_size;

448

size_t written;

355

size_t written = 0;

449

356

int retval = 0;

450

357

char interface[IF_NAMESIZE];

451

gnutls_session_t session;

452

453

ret = init_gnutls_session (mc, &session);

454

if (ret != 0){

455

return -1;

456

}

457

358

458

359

if(debug){

459

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

460

"\n", ip, port);

360

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

361

ip, port);

461

362

}

462

363

463

364

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

466

367

return -1;

467

368

}

468

369

469

if(debug){

470

if(if_indextoname((unsigned int)if_index, interface) == NULL){

370

if(if_indextoname(if_index, interface) == NULL){

371

if(debug){

471

372

perror("if_indextoname");

472

return -1;

473

373

}

374

return -1;

375

}

376

377

if(debug){

474

378

fprintf(stderr, "Binding to interface %s\n", interface);

475

379

}

476

380

477

memset(&to, 0, sizeof(to));

478

to.in6.sin6_family = AF_INET6;

479

/* It would be nice to have a way to detect if we were passed an

480

IPv4 address here. Now we assume an IPv6 address. */

481

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

482

384

if (ret < 0 ){

483

385

perror("inet_pton");

484

386

return -1;

485

}

387

}

486

388

if(ret == 0){

487

389

fprintf(stderr, "Bad address: %s\n", ip);

488

390

return -1;

489

391

}

490

to.in6.sin6_port = htons(port); /* Spurious warning */

392

to.sin6_port = htons(port); /* Spurious warning */

491

393

492

to.in6.sin6_scope_id = (uint32_t)if_index;

394

to.sin6_scope_id = (uint32_t)if_index;

493

395

494

396

if(debug){

495

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

496

port);

497

char addrstr[INET6_ADDRSTRLEN] = "";

498

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

499

sizeof(addrstr)) == NULL){

500

perror("inet_ntop");

501

} else {

502

if(strcmp(addrstr, ip) != 0){

503

fprintf(stderr, "Canonical address form: %s\n", addrstr);

504

}

505

}

397

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

398

/* char addrstr[INET6_ADDRSTRLEN]; */

399

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

400

/* sizeof(addrstr)) == NULL){ */

401

/* perror("inet_ntop"); */

402

/* } else { */

403

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

404

/* addrstr, ntohs(to.sin6_port)); */

405

/* } */

506

406

}

507

407

508

ret = connect(tcp_sd, &to.in, sizeof(to));

408

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

509

409

if (ret < 0){

510

410

perror("connect");

511

411

return -1;

512

412

}

513

413

514

const char *out = mandos_protocol_version;

515

written = 0;

516

while (true){

517

size_t out_size = strlen(out);

518

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

519

out_size - written));

520

if (ret == -1){

521

perror("write");

522

retval = -1;

523

goto mandos_end;

524

}

525

written += (size_t)ret;

526

if(written < out_size){

527

continue;

528

} else {

529

if (out == mandos_protocol_version){

530

written = 0;

531

out = "\r\n";

532

} else {

533

break;

534

}

535

}

414

ret = initgnutls (&es);

415

if (ret != 0){

416

retval = -1;

417

return -1;

536

418

}

537

419

420

gnutls_transport_set_ptr (es.session,

421

(gnutls_transport_ptr_t) tcp_sd);

422

538

423

if(debug){

539

424

fprintf(stderr, "Establishing TLS session with %s\n", ip);

540

425

}

541

426

542

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

543

544

do{

545

ret = gnutls_handshake (session);

546

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

427

ret = gnutls_handshake (es.session);

547

428

548

429

if (ret != GNUTLS_E_SUCCESS){

549

430

if(debug){

550

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

431

fprintf(stderr, "\n*** Handshake failed ***\n");

551

432

gnutls_perror (ret);

552

433

}

553

434

retval = -1;

554

goto mandos_end;

435

goto exit;

555

436

}

556

437

557

/* Read OpenPGP packet that contains the wanted password */

438

//Retrieve OpenPGP packet that contains the wanted password

558

439

559

440

if(debug){

560

441

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

561

442

ip);

562

443

}

563

444

564

445

while(true){

565

buffer_capacity = adjustbuffer(&buffer, buffer_length,

566

buffer_capacity);

567

if (buffer_capacity == 0){

568

perror("adjustbuffer");

569

retval = -1;

570

goto mandos_end;

446

if (buffer_length + BUFFER_SIZE > buffer_capacity){

447

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

448

if (buffer == NULL){

449

perror("realloc");

450

goto exit;

451

}

452

buffer_capacity += BUFFER_SIZE;

571

453

}

572

454

573

ret = gnutls_record_recv(session, buffer+buffer_length,

574

BUFFER_SIZE);

455

ret = gnutls_record_recv

456

(es.session, buffer+buffer_length, BUFFER_SIZE);

575

457

if (ret == 0){

576

458

break;

577

459

}

581

463

case GNUTLS_E_AGAIN:

582

464

break;

583

465

case GNUTLS_E_REHANDSHAKE:

584

do{

585

ret = gnutls_handshake (session);

586

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

466

ret = gnutls_handshake (es.session);

587

467

if (ret < 0){

588

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

468

fprintf(stderr, "\n*** Handshake failed ***\n");

589

469

gnutls_perror (ret);

590

470

retval = -1;

591

goto mandos_end;

471

goto exit;

592

472

}

593

473

break;

594

474

default:

595

475

fprintf(stderr, "Unknown error while reading data from"

596

" encrypted session with Mandos server\n");

476

" encrypted session with mandos server\n");

597

477

retval = -1;

598

gnutls_bye (session, GNUTLS_SHUT_RDWR);

599

goto mandos_end;

478

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

479

goto exit;

600

480

}

601

481

} else {

602

482

buffer_length += (size_t) ret;

603

483

}

604

484

}

605

485

606

if(debug){

607

fprintf(stderr, "Closing TLS session\n");

608

}

609

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

611

612

486

if (buffer_length > 0){

613

487

decrypted_buffer_size = pgp_packet_decrypt(buffer,

614

488

buffer_length,

615

489

&decrypted_buffer,

616

keydir);

490

CERT_ROOT);

617

491

if (decrypted_buffer_size >= 0){

618

written = 0;

619

492

while(written < (size_t) decrypted_buffer_size){

620

493

ret = (int)fwrite (decrypted_buffer + written, 1,

621

494

(size_t)decrypted_buffer_size - written,

634

507

} else {

635

508

retval = -1;

636

509

}

637

} else {

638

retval = -1;

639

}

640

641

/* Shutdown procedure */

642

643

mandos_end:

510

}

511

512

//shutdown procedure

513

514

if(debug){

515

fprintf(stderr, "Closing TLS session\n");

516

}

517

644

518

free(buffer);

519

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

520

exit:

645

521

close(tcp_sd);

646

gnutls_deinit (session);

522

gnutls_deinit (es.session);

523

gnutls_certificate_free_credentials (es.cred);

524

gnutls_global_deinit ();

647

525

return retval;

648

526

}

649

527

650

static void resolve_callback(AvahiSServiceResolver *r,

651

AvahiIfIndex interface,

652

AVAHI_GCC_UNUSED AvahiProtocol protocol,

653

AvahiResolverEvent event,

654

const char *name,

655

const char *type,

656

const char *domain,

657

const char *host_name,

658

const AvahiAddress *address,

659

uint16_t port,

660

AVAHI_GCC_UNUSED AvahiStringList *txt,

661

AVAHI_GCC_UNUSED AvahiLookupResultFlags

662

flags,

663

void* userdata) {

664

mandos_context *mc = userdata;

665

assert(r);

528

static AvahiSimplePoll *simple_poll = NULL;

529

static AvahiServer *server = NULL;

530

531

static void resolve_callback(

532

AvahiSServiceResolver *r,

533

AvahiIfIndex interface,

534

AVAHI_GCC_UNUSED AvahiProtocol protocol,

535

AvahiResolverEvent event,

536

const char *name,

537

const char *type,

538

const char *domain,

539

const char *host_name,

540

const AvahiAddress *address,

541

uint16_t port,

542

AVAHI_GCC_UNUSED AvahiStringList *txt,

543

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

544

AVAHI_GCC_UNUSED void* userdata) {

545

546

assert(r); /* Spurious warning */

666

547

667

548

/* Called whenever a service has been resolved successfully or

668

549

timed out */

670

551

switch (event) {

671

552

default:

672

553

case AVAHI_RESOLVER_FAILURE:

673

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

674

" of type '%s' in domain '%s': %s\n", name, type, domain,

675

avahi_strerror(avahi_server_errno(mc->server)));

554

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

555

" type '%s' in domain '%s': %s\n", name, type, domain,

556

avahi_strerror(avahi_server_errno(server)));

676

557

break;

677

558

678

559

case AVAHI_RESOLVER_FOUND:

680

561

char ip[AVAHI_ADDRESS_STR_MAX];

681

562

avahi_address_snprint(ip, sizeof(ip), address);

682

563

if(debug){

683

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

684

PRIu16 ") on port %d\n", name, host_name, ip,

685

interface, port);

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

565

" port %d\n", name, host_name, ip, port);

686

566

}

687

int ret = start_mandos_communication(ip, port, interface, mc);

567

int ret = start_mandos_communication(ip, port,

568

(unsigned int) interface);

688

569

if (ret == 0){

689

avahi_simple_poll_quit(mc->simple_poll);

570

exit(EXIT_SUCCESS);

690

571

}

691

572

}

692

573

}

693

574

avahi_s_service_resolver_free(r);

694

575

}

695

576

696

static void browse_callback( AvahiSServiceBrowser *b,

697

AvahiIfIndex interface,

698

AvahiProtocol protocol,

699

AvahiBrowserEvent event,

700

const char *name,

701

const char *type,

702

const char *domain,

703

AVAHI_GCC_UNUSED AvahiLookupResultFlags

704

flags,

705

void* userdata) {

706

mandos_context *mc = userdata;

707

assert(b);

708

709

/* Called whenever a new services becomes available on the LAN or

710

is removed from the LAN */

711

712

switch (event) {

713

default:

714

case AVAHI_BROWSER_FAILURE:

715

716

fprintf(stderr, "(Avahi browser) %s\n",

717

avahi_strerror(avahi_server_errno(mc->server)));

718

avahi_simple_poll_quit(mc->simple_poll);

719

return;

720

721

case AVAHI_BROWSER_NEW:

722

/* We ignore the returned Avahi resolver object. In the callback

723

function we free it. If the Avahi server is terminated before

724

the callback function is called the Avahi server will free the

725

resolver for us. */

726

727

if (!(avahi_s_service_resolver_new(mc->server, interface,

728

protocol, name, type, domain,

729

AVAHI_PROTO_INET6, 0,

730

resolve_callback, mc)))

731

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

732

name, avahi_strerror(avahi_server_errno(mc->server)));

733

break;

734

735

case AVAHI_BROWSER_REMOVE:

736

break;

737

738

case AVAHI_BROWSER_ALL_FOR_NOW:

739

case AVAHI_BROWSER_CACHE_EXHAUSTED:

740

if(debug){

741

fprintf(stderr, "No Mandos server found, still searching...\n");

577

static void browse_callback(

578

AvahiSServiceBrowser *b,

579

AvahiIfIndex interface,

580

AvahiProtocol protocol,

581

AvahiBrowserEvent event,

582

const char *name,

583

const char *type,

584

const char *domain,

585

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

586

void* userdata) {

587

588

AvahiServer *s = userdata;

589

assert(b); /* Spurious warning */

590

591

/* Called whenever a new services becomes available on the LAN or

592

is removed from the LAN */

593

594

switch (event) {

595

default:

596

case AVAHI_BROWSER_FAILURE:

597

598

fprintf(stderr, "(Browser) %s\n",

599

avahi_strerror(avahi_server_errno(server)));

600

avahi_simple_poll_quit(simple_poll);

601

return;

602

603

case AVAHI_BROWSER_NEW:

604

/* We ignore the returned resolver object. In the callback

605

function we free it. If the server is terminated before

606

the callback function is called the server will free

607

the resolver for us. */

608

609

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

610

type, domain,

611

AVAHI_PROTO_INET6, 0,

612

resolve_callback, s)))

613

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

614

avahi_strerror(avahi_server_errno(s)));

615

break;

616

617

case AVAHI_BROWSER_REMOVE:

618

break;

619

620

case AVAHI_BROWSER_ALL_FOR_NOW:

621

case AVAHI_BROWSER_CACHE_EXHAUSTED:

622

break;

742

623

}

743

break;

744

}

745

}

746

747

/* Combines file name and path and returns the malloced new

748

string. some sane checks could/should be added */

749

static char *combinepath(const char *first, const char *second){

750

char *tmp;

751

int ret = asprintf(&tmp, "%s/%s", first, second);

752

if(ret < 0){

753

return NULL;

754

}

755

return tmp;

756

}

757

758

759

int main(int argc, char *argv[]){

624

}

625

626

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

627

AvahiServerConfig config;

760

628

AvahiSServiceBrowser *sb = NULL;

761

629

int error;

762

630

int ret;

763

int exitcode = EXIT_SUCCESS;

631

int returncode = EXIT_SUCCESS;

764

632

const char *interface = "eth0";

765

struct ifreq network;

766

int sd;

767

uid_t uid;

768

gid_t gid;

633

unsigned int if_index;

769

634

char *connect_to = NULL;

770

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

771

char *pubkeyfilename = NULL;

772

char *seckeyfilename = NULL;

773

const char *pubkeyname = "pubkey.txt";

774

const char *seckeyname = "seckey.txt";

775

mandos_context mc = { .simple_poll = NULL, .server = NULL,

776

.dh_bits = 1024, .priority = "SECURE256"

777

":!CTYPE-X.509:+CTYPE-OPENPGP" };

778

bool gnutls_initalized = false;

779

780

{

781

struct argp_option options[] = {

782

{ .name = "debug", .key = 128,

783

.doc = "Debug mode", .group = 3 },

784

{ .name = "connect", .key = 'c',

785

.arg = "ADDRESS:PORT",

786

.doc = "Connect directly to a specific Mandos server",

787

.group = 1 },

788

{ .name = "interface", .key = 'i',

789

.arg = "NAME",

790

.doc = "Interface that will be used to search for Mandos"

791

" servers",

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "DIRECTORY",

795

.doc = "Directory to read the OpenPGP key files from",

796

.group = 1 },

797

{ .name = "seckey", .key = 's',

798

.arg = "FILE",

799

.doc = "OpenPGP secret key file base name",

800

.group = 1 },

801

{ .name = "pubkey", .key = 'p',

802

.arg = "FILE",

803

.doc = "OpenPGP public key file base name",

804

.group = 2 },

805

{ .name = "dh-bits", .key = 129,

806

.arg = "BITS",

807

.doc = "Bit length of the prime number used in the"

808

" Diffie-Hellman key exchange",

809

.group = 2 },

810

{ .name = "priority", .key = 130,

811

.arg = "STRING",

812

.doc = "GnuTLS priority string for the TLS handshake",

813

.group = 1 },

814

{ .name = NULL }

815

};

816

817

error_t parse_opt (int key, char *arg,

818

struct argp_state *state) {

819

/* Get the INPUT argument from `argp_parse', which we know is

820

a pointer to our plugin list pointer. */

821

switch (key) {

822

case 128: /* --debug */

823

debug = true;

824

break;

825

case 'c': /* --connect */

826

connect_to = arg;

827

break;

828

case 'i': /* --interface */

829

interface = arg;

830

break;

831

case 'd': /* --keydir */

832

keydir = arg;

833

break;

834

case 's': /* --seckey */

835

seckeyname = arg;

836

break;

837

case 'p': /* --pubkey */

838

pubkeyname = arg;

839

break;

840

case 129: /* --dh-bits */

841

errno = 0;

842

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

843

if (errno){

844

perror("strtol");

845

exit(EXIT_FAILURE);

846

}

847

break;

848

case 130: /* --priority */

849

mc.priority = arg;

850

break;

851

case ARGP_KEY_ARG:

852

argp_usage (state);

853

case ARGP_KEY_END:

854

break;

855

default:

856

return ARGP_ERR_UNKNOWN;

857

}

858

return 0;

859

}

860

861

struct argp argp = { .options = options, .parser = parse_opt,

862

.args_doc = "",

863

.doc = "Mandos client -- Get and decrypt"

864

" passwords from a Mandos server" };

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

867

fprintf(stderr, "Unknown error while parsing arguments\n");

868

exitcode = EXIT_FAILURE;

869

goto end;

870

}

871

}

872

873

pubkeyfilename = combinepath(keydir, pubkeyname);

874

if (pubkeyfilename == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfilename = combinepath(keydir, seckeyname);

881

if (seckeyfilename == NULL){

882

perror("combinepath");

883

exitcode = EXIT_FAILURE;

884

goto end;

885

}

886

887

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

888

if (ret == -1){

889

fprintf(stderr, "init_gnutls_global failed\n");

890

exitcode = EXIT_FAILURE;

891

goto end;

892

} else {

893

gnutls_initalized = true;

894

}

895

896

/* If the interface is down, bring it up */

897

{

898

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

899

if(sd < 0) {

900

perror("socket");

901

exitcode = EXIT_FAILURE;

902

goto end;

903

}

904

strcpy(network.ifr_name, interface);

905

ret = ioctl(sd, SIOCGIFFLAGS, &network);

906

if(ret == -1){

907

perror("ioctl SIOCGIFFLAGS");

908

exitcode = EXIT_FAILURE;

909

goto end;

910

}

911

if((network.ifr_flags & IFF_UP) == 0){

912

network.ifr_flags |= IFF_UP;

913

ret = ioctl(sd, SIOCSIFFLAGS, &network);

914

if(ret == -1){

915

perror("ioctl SIOCSIFFLAGS");

916

exitcode = EXIT_FAILURE;

917

goto end;

918

}

919

}

920

close(sd);

921

}

922

923

uid = getuid();

924

gid = getgid();

925

926

ret = setuid(uid);

927

if (ret == -1){

928

perror("setuid");

929

}

930

931

setgid(gid);

932

if (ret == -1){

933

perror("setgid");

934

}

935

936

if_index = (AvahiIfIndex) if_nametoindex(interface);

635

636

while (true){

637

static struct option long_options[] = {

638

{"debug", no_argument, (int *)&debug, 1},

639

{"connect", required_argument, 0, 'c'},

640

{"interface", required_argument, 0, 'i'},

641

{0, 0, 0, 0} };

642

643

int option_index = 0;

644

ret = getopt_long (argc, argv, "i:", long_options,

645

&option_index);

646

647

if (ret == -1){

648

break;

649

}

650

651

switch(ret){

652

case 0:

653

break;

654

case 'i':

655

interface = optarg;

656

break;

657

case 'c':

658

connect_to = optarg;

659

break;

660

default:

661

exit(EXIT_FAILURE);

662

}

663

}

664

665

if_index = if_nametoindex(interface);

937

666

if(if_index == 0){

938

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

939

668

exit(EXIT_FAILURE);

945

674

char *address = strrchr(connect_to, ':');

946

675

if(address == NULL){

947

676

fprintf(stderr, "No colon in address\n");

948

exitcode = EXIT_FAILURE;

949

goto end;

677

exit(EXIT_FAILURE);

950

678

}

951

679

errno = 0;

952

680

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

953

681

if(errno){

954

682

perror("Bad port number");

955

exitcode = EXIT_FAILURE;

956

goto end;

683

exit(EXIT_FAILURE);

957

684

}

958

685

*address = '\0';

959

686

address = connect_to;

960

ret = start_mandos_communication(address, port, if_index, &mc);

687

ret = start_mandos_communication(address, port, if_index);

961

688

if(ret < 0){

962

exitcode = EXIT_FAILURE;

689

exit(EXIT_FAILURE);

963

690

} else {

964

exitcode = EXIT_SUCCESS;

691

exit(EXIT_SUCCESS);

965

692

}

966

goto end;

967

693

}

968

694

969

695

if (not debug){

970

696

avahi_set_log_function(empty_log);

971

697

}

972

698

973

/* Initialize the pseudo-RNG for Avahi */

699

/* Initialize the psuedo-RNG */

974

700

srand((unsigned int) time(NULL));

975

976

/* Allocate main Avahi loop object */

977

mc.simple_poll = avahi_simple_poll_new();

978

if (mc.simple_poll == NULL) {

979

fprintf(stderr, "Avahi: Failed to create simple poll"

980

" object.\n");

981

exitcode = EXIT_FAILURE;

982

goto end;

983

}

984

985

{

986

AvahiServerConfig config;

987

/* Do not publish any local Zeroconf records */

988

avahi_server_config_init(&config);

989

config.publish_hinfo = 0;

990

config.publish_addresses = 0;

991

config.publish_workstation = 0;

992

config.publish_domain = 0;

993

994

/* Allocate a new server */

995

mc.server = avahi_server_new(avahi_simple_poll_get

996

(mc.simple_poll), &config, NULL,

997

NULL, &error);

998

999

/* Free the Avahi configuration data */

1000

avahi_server_config_free(&config);

1001

}

1002

1003

/* Check if creating the Avahi server object succeeded */

1004

if (mc.server == NULL) {

1005

fprintf(stderr, "Failed to create Avahi server: %s\n",

701

702

/* Allocate main loop object */

703

if (!(simple_poll = avahi_simple_poll_new())) {

704

fprintf(stderr, "Failed to create simple poll object.\n");

705

706

goto exit;

707

}

708

709

/* Do not publish any local records */

710

avahi_server_config_init(&config);

711

config.publish_hinfo = 0;

712

config.publish_addresses = 0;

713

config.publish_workstation = 0;

714

config.publish_domain = 0;

715

716

/* Allocate a new server */

717

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

718

&config, NULL, NULL, &error);

719

720

/* Free the configuration data */

721

avahi_server_config_free(&config);

722

723

/* Check if creating the server object succeeded */

724

if (!server) {

725

fprintf(stderr, "Failed to create server: %s\n",

1006

726

avahi_strerror(error));

1007

exitcode = EXIT_FAILURE;

1008

goto end;

727

returncode = EXIT_FAILURE;

728

goto exit;

1009

729

}

1010

730

1011

/* Create the Avahi service browser */

1012

sb = avahi_s_service_browser_new(mc.server, if_index,

731

/* Create the service browser */

732

sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,

1013

733

AVAHI_PROTO_INET6,

1014

734

"_mandos._tcp", NULL, 0,

1015

browse_callback, &mc);

1016

if (sb == NULL) {

735

browse_callback, server);

736

if (!sb) {

1017

737

fprintf(stderr, "Failed to create service browser: %s\n",

1018

avahi_strerror(avahi_server_errno(mc.server)));

1019

exitcode = EXIT_FAILURE;

1020

goto end;

738

avahi_strerror(avahi_server_errno(server)));

739

returncode = EXIT_FAILURE;

740

goto exit;

1021

741

}

1022

742

1023

743

/* Run the main loop */

1024

744

1025

745

if (debug){

1026

fprintf(stderr, "Starting Avahi loop search\n");

746

fprintf(stderr, "Starting avahi loop search\n");

1027

747

}

1028

748

1029

avahi_simple_poll_loop(mc.simple_poll);

1030

1031

end:

1032

749

avahi_simple_poll_loop(simple_poll);

750

751

exit:

752

1033

753

if (debug){

1034

754

fprintf(stderr, "%s exiting\n", argv[0]);

1035

755

}

1036

756

1037

757

/* Cleanup things */

1038

if (sb != NULL)

758

if (sb)

1039

759

avahi_s_service_browser_free(sb);

1040

760

1041

if (mc.server != NULL)

1042

avahi_server_free(mc.server);

1043

1044

if (mc.simple_poll != NULL)

1045

avahi_simple_poll_free(mc.simple_poll);

1046

free(pubkeyfilename);

1047

free(seckeyfilename);

1048

1049

if (gnutls_initalized){

1050

gnutls_certificate_free_credentials(mc.cred);

1051

gnutls_global_deinit ();

1052

}

1053

1054

return exitcode;

761

if (server)

762

avahi_server_free(server);

763

764

if (simple_poll)

765

avahi_simple_poll_free(simple_poll);

766

767

return returncode;

1055

768

}

Older »