/mandos/trunk : revision 28

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-07-29 03:35:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080729033539-08zecoj3jwlkpjhw

* server.conf: New file.

* mandos-clients.conf: Renamed to clients.conf.

* Makefile (FORTIFY): New.
  (CFLAGS): Include $(FORTIFY).

* plugins.d/mandosclient.c (main): New "if_index" variable.  Bug fix:
                                   check if interface exists.  New
                                   "--connect" option.

* server.py (serviceInterface): Removed; replaced by
                                "AvahiService.interface".  All users
                                changed.
  (AvahiError, AvahiServiceError, AvahiGroupError): New exception
                                                    classes.
  (AvahiService): New class.
  (serviceName): Removed; replaced by "AvahiService.name".  All users
                 changed.
  (serviceType): Removed; replaced by "AvahiService.type".  All users
                 changed.
  (servicePort): Removed; replaced by "AvahiService.port".  All users
                 changed.
  (serviceTXT): Removed; replaced by "AvahiService.TXT".  All users
                changed.
  (domain): Removed; replaced by "AvahiService.domain".  All users
            changed.
  (host): Removed; replaced by "AvahiService.host".  All users
          changed.
  (rename_count): Removed; replaced by "AvahiService.rename_count" and
                 "AvahiService.max_renames".  All users changed.
  (Client.__init__): If no secret or secfile, raise TypeError instead
                     of RuntimeError.
  (Client.last_seen): Renamed to "Client.last_checked_ok".  All users
                      changed.
  (Client.stop, Client.stop_checker): Use "getattr" with default value
                                      instead of "hasattr".
  (Client.still_valid): Removed "now" argument.
  (Client.handle): Separate the "no client found" and "client invalid"
                   cases for clearer code.
  (IPv6_TCPServer.__init__): "options" argument replaced by
                             "settings".  All callers changed.
  (IPv6_TCPServer.options): Replaced by "IPv6_TCPServer.settings".
                            All users changed.
  (IPv6_TCPServer.server_bind): Use getattr instead of hasattr.
  (add_service): Removed; replaced by "AvahiService.add".  All callers
                 changed.
  (remove_service): Removed; replaced by "AvahiService.remove".  All
                    callers changed.
  (entry_group_state_changed): On entry group collision, call the new
                               AvahiService.rename method.  Raise
                               AvahiGroupError on group error.
  (if_nametoindex): Use ctypes.utils.find_library to locate the C
                    library.  Cache the result.  Loop on EINTR.
  (daemon): Use os.path.devnull to locate "/dev/null".
  (killme): Removed.  All callers changed to do "sys.exit()" instead,
            except where stated otherwise.
  (main): Removed "exitstatus".  Removed all default values from all
          non-bool options.  New option "--configdir".  New variables
          "server_defaults" and "server_settings", read from
          "%(configdir)s/server.conf".  Let any supplied command line
          options override server settings.   Variable "defaults"
          renamed to "client_defaults", which is read from
          "clients.conf" instead of "mandos-clients.conf".  New global
          AvahiService object "service" replaces old global variables.
          Catch AvahiError and exit with error if caught.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzrignore

COPYING

README

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

plugins.d/usplash

files renamed:
plugin-runner.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

100

GPG_ERR_NO_* */

101

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

102

#define BUFFER_SIZE 256

103

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pupkey.txt"

#define DH_BITS 1024

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "password-request 1.0";

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

118

typedef struct {

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

gnutls_session_t session;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

124

const char *priority;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if (buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if (buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if (rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if (rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if (debug){

191

fprintf(stderr, "Initialize gpgme\n");

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

192

}

193

100

194

101

/* Init GPGME */

195

102

gpgme_check_version(NULL);

196

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if (rc != GPG_ERR_NO_ERROR){

198

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

201

}

202

203

/* Set GPGME home directory for the OpenPGP engine only */

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

104

105

/* Set GPGME home directory */

204

106

rc = gpgme_get_engine_info (&engine_info);

205

107

if (rc != GPG_ERR_NO_ERROR){

206

108

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

207

109

gpgme_strsource(rc), gpgme_strerror(rc));

208

return false;

110

return -1;

209

111

}

210

112

while(engine_info != NULL){

211

113

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

212

114

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

213

engine_info->file_name, tempdir);

115

engine_info->file_name, homedir);

214

116

break;

215

117

}

216

118

engine_info = engine_info->next;

217

119

}

218

120

if(engine_info == NULL){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if (rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if (not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if (debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

121

fprintf(stderr, "Could not set home dir to %s\n", homedir);

122

return -1;

123

}

124

125

/* Create new GPGME data buffer from packet buffer */

126

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

259

127

if (rc != GPG_ERR_NO_ERROR){

260

128

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

261

129

gpgme_strsource(rc), gpgme_strerror(rc));

267

135

if (rc != GPG_ERR_NO_ERROR){

268

136

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

269

137

gpgme_strsource(rc), gpgme_strerror(rc));

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

138

return -1;

139

}

140

141

/* Create new GPGME "context" */

142

rc = gpgme_new(&ctx);

143

if (rc != GPG_ERR_NO_ERROR){

144

fprintf(stderr, "bad gpgme_new: %s: %s\n",

145

gpgme_strsource(rc), gpgme_strerror(rc));

146

return -1;

147

}

148

149

/* Decrypt data from the FILE pointer to the plaintext data

150

buffer */

151

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

277

152

if (rc != GPG_ERR_NO_ERROR){

278

153

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

279

154

gpgme_strsource(rc), gpgme_strerror(rc));

280

plaintext_length = -1;

281

if (debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if (result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

155

return -1;

156

}

157

158

if(debug){

159

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

160

}

161

162

if (debug){

163

gpgme_decrypt_result_t result;

164

result = gpgme_op_decrypt_result(ctx);

165

if (result == NULL){

166

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

167

} else {

168

fprintf(stderr, "Unsupported algorithm: %s\n",

169

result->unsupported_algorithm);

170

fprintf(stderr, "Wrong key usage: %d\n",

171

result->wrong_key_usage);

172

if(result->file_name != NULL){

173

fprintf(stderr, "File name: %s\n", result->file_name);

174

}

175

gpgme_recipient_t recipient;

176

recipient = result->recipients;

177

if(recipient){

178

while(recipient != NULL){

179

fprintf(stderr, "Public key algorithm: %s\n",

180

gpgme_pubkey_algo_name(recipient->pubkey_algo));

181

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

182

fprintf(stderr, "Secret key available: %s\n",

183

recipient->status == GPG_ERR_NO_SECKEY

184

? "No" : "Yes");

185

recipient = recipient->next;

306

186

}

307

187

}

308

188

}

309

goto decrypt_end;

310

189

}

311

190

312

if(debug){

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

191

/* Delete the GPGME FILE pointer cryptotext data buffer */

192

gpgme_data_release(dh_crypto);

315

193

316

194

/* Seek back to the beginning of the GPGME plaintext data buffer */

317

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

318

perror("pgpme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

321

}

322

323

*plaintext = NULL;

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

197

*new_packet = 0;

324

198

while(true){

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if (plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

200

*new_packet = realloc(*new_packet,

201

(unsigned int)new_packet_capacity

202

+ BUFFER_SIZE);

203

if (*new_packet == NULL){

204

perror("realloc");

205

return -1;

206

}

207

new_packet_capacity += BUFFER_SIZE;

332

208

}

333

209

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

210

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

335

211

BUFFER_SIZE);

336

212

/* Print the data, if any */

337

213

if (ret == 0){

338

/* EOF */

339

214

break;

340

215

}

341

216

if(ret < 0){

342

217

perror("gpgme_data_read");

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

218

return -1;

219

}

220

new_packet_length += ret;

221

}

222

223

/* FIXME: check characters before printing to screen so to not print

224

terminal control characters */

225

/* if(debug){ */

226

/* fprintf(stderr, "decrypted password is: "); */

227

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

228

/* fprintf(stderr, "\n"); */

229

/* } */

361

230

362

231

/* Delete the GPGME plaintext data buffer */

363

232

gpgme_data_release(dh_plain);

364

return plaintext_length;

233

return new_packet_length;

365

234

}

366

235

367

236

static const char * safer_gnutls_strerror (int value) {

368

const char *ret = gnutls_strerror (value); /* Spurious warning */

237

const char *ret = gnutls_strerror (value);

369

238

if (ret == NULL)

370

239

ret = "(unknown)";

371

240

return ret;

372

241

}

373

242

374

/* GnuTLS log function callback */

375

static void debuggnutls(__attribute__((unused)) int level,

376

const char* string){

377

fprintf(stderr, "GnuTLS: %s", string);

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

245

fprintf(stderr, "%s", string);

378

246

}

379

247

380

static int init_gnutls_global(mandos_context *mc,

381

const char *pubkeyfilename,

382

const char *seckeyfilename){

248

int initgnutls(encrypted_session *es){

249

const char *err;

383

250

int ret;

384

251

385

252

if(debug){

386

253

fprintf(stderr, "Initializing GnuTLS\n");

387

254

}

388

255

389

ret = gnutls_global_init();

390

if (ret != GNUTLS_E_SUCCESS) {

391

fprintf (stderr, "GnuTLS global_init: %s\n",

392

safer_gnutls_strerror(ret));

256

if ((ret = gnutls_global_init ())

257

!= GNUTLS_E_SUCCESS) {

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

393

259

return -1;

394

260

}

395

261

396

262

if (debug){

397

/* "Use a log level over 10 to enable all debugging options."

398

* - GnuTLS manual

399

400

263

gnutls_global_set_log_level(11);

401

264

gnutls_global_set_log_function(debuggnutls);

402

265

}

403

266

404

/* OpenPGP credentials */

405

gnutls_certificate_allocate_credentials(&mc->cred);

406

if (ret != GNUTLS_E_SUCCESS){

407

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

408

warning */

267

/* openpgp credentials */

268

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

269

!= GNUTLS_E_SUCCESS) {

270

fprintf (stderr, "memory error: %s\n",

409

271

safer_gnutls_strerror(ret));

410

gnutls_global_deinit ();

411

272

return -1;

412

273

}

413

274

414

275

if(debug){

415

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

416

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

417

seckeyfilename);

276

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

418

279

}

419

280

420

281

ret = gnutls_certificate_set_openpgp_key_file

421

(mc->cred, pubkeyfilename, seckeyfilename,

422

GNUTLS_OPENPGP_FMT_BASE64);

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

423

283

if (ret != GNUTLS_E_SUCCESS) {

424

fprintf(stderr,

425

"Error[%d] while reading the OpenPGP key pair ('%s',"

426

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

427

fprintf(stderr, "The GnuTLS error is: %s\n",

284

fprintf

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

286

" '%s')\n",

287

ret, CERTFILE, KEYFILE);

288

fprintf(stdout, "The Error is: %s\n",

428

289

safer_gnutls_strerror(ret));

429

goto globalfail;

430

}

431

432

/* GnuTLS server initialization */

433

ret = gnutls_dh_params_init(&mc->dh_params);

434

if (ret != GNUTLS_E_SUCCESS) {

435

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

436

" %s\n", safer_gnutls_strerror(ret));

437

goto globalfail;

438

}

439

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

440

if (ret != GNUTLS_E_SUCCESS) {

441

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

442

safer_gnutls_strerror(ret));

443

goto globalfail;

444

}

445

446

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

447

448

return 0;

449

450

globalfail:

451

452

gnutls_certificate_free_credentials(mc->cred);

453

gnutls_global_deinit();

454

return -1;

455

}

456

457

static int init_gnutls_session(mandos_context *mc,

458

gnutls_session_t *session){

459

int ret;

460

/* GnuTLS session creation */

461

ret = gnutls_init(session, GNUTLS_SERVER);

462

if (ret != GNUTLS_E_SUCCESS){

290

return -1;

291

}

292

293

//GnuTLS server initialization

294

if ((ret = gnutls_dh_params_init (&es->dh_params))

295

!= GNUTLS_E_SUCCESS) {

296

fprintf (stderr, "Error in dh parameter initialization: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in prime generation: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

309

310

// GnuTLS session creation

311

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

312

!= GNUTLS_E_SUCCESS){

463

313

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

464

314

safer_gnutls_strerror(ret));

465

315

}

466

316

467

{

468

const char *err;

469

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

470

if (ret != GNUTLS_E_SUCCESS) {

471

fprintf(stderr, "Syntax error at: %s\n", err);

472

fprintf(stderr, "GnuTLS error: %s\n",

473

safer_gnutls_strerror(ret));

474

gnutls_deinit (*session);

475

return -1;

476

}

317

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf(stderr, "Syntax error at: %s\n", err);

320

fprintf(stderr, "GnuTLS error: %s\n",

321

safer_gnutls_strerror(ret));

322

return -1;

477

323

}

478

324

479

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

480

mc->cred);

481

if (ret != GNUTLS_E_SUCCESS) {

482

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

325

if ((ret = gnutls_credentials_set

326

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Error setting a credentials set: %s\n",

483

329

safer_gnutls_strerror(ret));

484

gnutls_deinit (*session);

485

330

return -1;

486

331

}

487

332

488

333

/* ignore client certificate if any. */

489

gnutls_certificate_server_set_request (*session,

334

gnutls_certificate_server_set_request (es->session,

490

335

GNUTLS_CERT_IGNORE);

491

336

492

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

337

gnutls_dh_set_prime_bits (es->session, DH_BITS);

493

338

494

339

return 0;

495

340

}

496

341

497

/* Avahi log function callback */

498

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

499

__attribute__((unused)) const char *txt){}

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

500

344

501

/* Called when a Mandos server is found */

502

static int start_mandos_communication(const char *ip, uint16_t port,

503

AvahiIfIndex if_index,

504

mandos_context *mc){

345

int start_mandos_communication(const char *ip, uint16_t port,

346

unsigned int if_index){

505

347

int ret, tcp_sd;

506

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

348

struct sockaddr_in6 to;

349

encrypted_session es;

507

350

char *buffer = NULL;

508

351

char *decrypted_buffer;

509

352

size_t buffer_length = 0;

510

353

size_t buffer_capacity = 0;

511

354

ssize_t decrypted_buffer_size;

512

size_t written;

355

size_t written = 0;

513

356

int retval = 0;

514

357

char interface[IF_NAMESIZE];

515

gnutls_session_t session;

516

517

ret = init_gnutls_session (mc, &session);

518

if (ret != 0){

519

return -1;

520

}

521

358

522

359

if(debug){

523

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

524

"\n", ip, port);

360

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

361

ip, port);

525

362

}

526

363

527

364

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

530

367

return -1;

531

368

}

532

369

533

if(debug){

534

if(if_indextoname((unsigned int)if_index, interface) == NULL){

370

if(if_indextoname(if_index, interface) == NULL){

371

if(debug){

535

372

perror("if_indextoname");

536

return -1;

537

373

}

374

return -1;

375

}

376

377

if(debug){

538

378

fprintf(stderr, "Binding to interface %s\n", interface);

539

379

}

540

380

541

memset(&to, 0, sizeof(to));

542

to.in6.sin6_family = AF_INET6;

543

/* It would be nice to have a way to detect if we were passed an

544

IPv4 address here. Now we assume an IPv6 address. */

545

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

546

384

if (ret < 0 ){

547

385

perror("inet_pton");

548

386

return -1;

549

}

387

}

550

388

if(ret == 0){

551

389

fprintf(stderr, "Bad address: %s\n", ip);

552

390

return -1;

553

391

}

554

to.in6.sin6_port = htons(port); /* Spurious warning */

392

to.sin6_port = htons(port); /* Spurious warning */

555

393

556

to.in6.sin6_scope_id = (uint32_t)if_index;

394

to.sin6_scope_id = (uint32_t)if_index;

557

395

558

396

if(debug){

559

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

560

port);

561

char addrstr[INET6_ADDRSTRLEN] = "";

562

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

563

sizeof(addrstr)) == NULL){

564

perror("inet_ntop");

565

} else {

566

if(strcmp(addrstr, ip) != 0){

567

fprintf(stderr, "Canonical address form: %s\n", addrstr);

568

}

569

}

397

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

398

/* char addrstr[INET6_ADDRSTRLEN]; */

399

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

400

/* sizeof(addrstr)) == NULL){ */

401

/* perror("inet_ntop"); */

402

/* } else { */

403

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

404

/* addrstr, ntohs(to.sin6_port)); */

405

/* } */

570

406

}

571

407

572

ret = connect(tcp_sd, &to.in, sizeof(to));

408

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

573

409

if (ret < 0){

574

410

perror("connect");

575

411

return -1;

576

412

}

577

413

578

const char *out = mandos_protocol_version;

579

written = 0;

580

while (true){

581

size_t out_size = strlen(out);

582

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

583

out_size - written));

584

if (ret == -1){

585

perror("write");

586

retval = -1;

587

goto mandos_end;

588

}

589

written += (size_t)ret;

590

if(written < out_size){

591

continue;

592

} else {

593

if (out == mandos_protocol_version){

594

written = 0;

595

out = "\r\n";

596

} else {

597

break;

598

}

599

}

414

ret = initgnutls (&es);

415

if (ret != 0){

416

retval = -1;

417

return -1;

600

418

}

601

419

420

gnutls_transport_set_ptr (es.session,

421

(gnutls_transport_ptr_t) tcp_sd);

422

602

423

if(debug){

603

424

fprintf(stderr, "Establishing TLS session with %s\n", ip);

604

425

}

605

426

606

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

607

608

do{

609

ret = gnutls_handshake (session);

610

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

427

ret = gnutls_handshake (es.session);

611

428

612

429

if (ret != GNUTLS_E_SUCCESS){

613

430

if(debug){

614

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

431

fprintf(stderr, "\n*** Handshake failed ***\n");

615

432

gnutls_perror (ret);

616

433

}

617

434

retval = -1;

618

goto mandos_end;

435

goto exit;

619

436

}

620

437

621

/* Read OpenPGP packet that contains the wanted password */

438

//Retrieve OpenPGP packet that contains the wanted password

622

439

623

440

if(debug){

624

441

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

625

442

ip);

626

443

}

627

444

628

445

while(true){

629

buffer_capacity = adjustbuffer(&buffer, buffer_length,

630

buffer_capacity);

631

if (buffer_capacity == 0){

632

perror("adjustbuffer");

633

retval = -1;

634

goto mandos_end;

446

if (buffer_length + BUFFER_SIZE > buffer_capacity){

447

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

448

if (buffer == NULL){

449

perror("realloc");

450

goto exit;

451

}

452

buffer_capacity += BUFFER_SIZE;

635

453

}

636

454

637

ret = gnutls_record_recv(session, buffer+buffer_length,

638

BUFFER_SIZE);

455

ret = gnutls_record_recv

456

(es.session, buffer+buffer_length, BUFFER_SIZE);

639

457

if (ret == 0){

640

458

break;

641

459

}

645

463

case GNUTLS_E_AGAIN:

646

464

break;

647

465

case GNUTLS_E_REHANDSHAKE:

648

do{

649

ret = gnutls_handshake (session);

650

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

466

ret = gnutls_handshake (es.session);

651

467

if (ret < 0){

652

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

468

fprintf(stderr, "\n*** Handshake failed ***\n");

653

469

gnutls_perror (ret);

654

470

retval = -1;

655

goto mandos_end;

471

goto exit;

656

472

}

657

473

break;

658

474

default:

659

475

fprintf(stderr, "Unknown error while reading data from"

660

" encrypted session with Mandos server\n");

476

" encrypted session with mandos server\n");

661

477

retval = -1;

662

gnutls_bye (session, GNUTLS_SHUT_RDWR);

663

goto mandos_end;

478

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

479

goto exit;

664

480

}

665

481

} else {

666

482

buffer_length += (size_t) ret;

667

483

}

668

484

}

669

485

670

if(debug){

671

fprintf(stderr, "Closing TLS session\n");

672

}

673

674

gnutls_bye (session, GNUTLS_SHUT_RDWR);

675

676

486

if (buffer_length > 0){

677

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

487

decrypted_buffer_size = pgp_packet_decrypt(buffer,

678

488

buffer_length,

679

&decrypted_buffer);

489

&decrypted_buffer,

490

CERT_ROOT);

680

491

if (decrypted_buffer_size >= 0){

681

written = 0;

682

492

while(written < (size_t) decrypted_buffer_size){

683

493

ret = (int)fwrite (decrypted_buffer + written, 1,

684

494

(size_t)decrypted_buffer_size - written,

697

507

} else {

698

508

retval = -1;

699

509

}

700

} else {

701

retval = -1;

702

}

703

704

/* Shutdown procedure */

705

706

mandos_end:

510

}

511

512

//shutdown procedure

513

514

if(debug){

515

fprintf(stderr, "Closing TLS session\n");

516

}

517

707

518

free(buffer);

708

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

709

if(ret == -1){

710

perror("close");

711

}

712

gnutls_deinit (session);

519

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

520

exit:

521

close(tcp_sd);

522

gnutls_deinit (es.session);

523

gnutls_certificate_free_credentials (es.cred);

524

gnutls_global_deinit ();

713

525

return retval;

714

526

}

715

527

716

static void resolve_callback(AvahiSServiceResolver *r,

717

AvahiIfIndex interface,

718

AVAHI_GCC_UNUSED AvahiProtocol protocol,

719

AvahiResolverEvent event,

720

const char *name,

721

const char *type,

722

const char *domain,

723

const char *host_name,

724

const AvahiAddress *address,

725

uint16_t port,

726

AVAHI_GCC_UNUSED AvahiStringList *txt,

727

AVAHI_GCC_UNUSED AvahiLookupResultFlags

728

flags,

729

void* userdata) {

730

mandos_context *mc = userdata;

731

assert(r);

528

static AvahiSimplePoll *simple_poll = NULL;

529

static AvahiServer *server = NULL;

530

531

static void resolve_callback(

532

AvahiSServiceResolver *r,

533

AvahiIfIndex interface,

534

AVAHI_GCC_UNUSED AvahiProtocol protocol,

535

AvahiResolverEvent event,

536

const char *name,

537

const char *type,

538

const char *domain,

539

const char *host_name,

540

const AvahiAddress *address,

541

uint16_t port,

542

AVAHI_GCC_UNUSED AvahiStringList *txt,

543

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

544

AVAHI_GCC_UNUSED void* userdata) {

545

546

assert(r); /* Spurious warning */

732

547

733

548

/* Called whenever a service has been resolved successfully or

734

549

timed out */

736

551

switch (event) {

737

552

default:

738

553

case AVAHI_RESOLVER_FAILURE:

739

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

740

" of type '%s' in domain '%s': %s\n", name, type, domain,

741

avahi_strerror(avahi_server_errno(mc->server)));

554

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

555

" type '%s' in domain '%s': %s\n", name, type, domain,

556

avahi_strerror(avahi_server_errno(server)));

742

557

break;

743

558

744

559

case AVAHI_RESOLVER_FOUND:

746

561

char ip[AVAHI_ADDRESS_STR_MAX];

747

562

avahi_address_snprint(ip, sizeof(ip), address);

748

563

if(debug){

749

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

750

PRIu16 ") on port %d\n", name, host_name, ip,

751

interface, port);

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

565

" port %d\n", name, host_name, ip, port);

752

566

}

753

int ret = start_mandos_communication(ip, port, interface, mc);

567

int ret = start_mandos_communication(ip, port,

568

(unsigned int) interface);

754

569

if (ret == 0){

755

avahi_simple_poll_quit(mc->simple_poll);

570

exit(EXIT_SUCCESS);

756

571

}

757

572

}

758

573

}

759

574

avahi_s_service_resolver_free(r);

760

575

}

761

576

762

static void browse_callback( AvahiSServiceBrowser *b,

763

AvahiIfIndex interface,

764

AvahiProtocol protocol,

765

AvahiBrowserEvent event,

766

const char *name,

767

const char *type,

768

const char *domain,

769

AVAHI_GCC_UNUSED AvahiLookupResultFlags

770

flags,

771

void* userdata) {

772

mandos_context *mc = userdata;

773

assert(b);

774

775

/* Called whenever a new services becomes available on the LAN or

776

is removed from the LAN */

777

778

switch (event) {

779

default:

780

case AVAHI_BROWSER_FAILURE:

781

782

fprintf(stderr, "(Avahi browser) %s\n",

783

avahi_strerror(avahi_server_errno(mc->server)));

784

avahi_simple_poll_quit(mc->simple_poll);

785

return;

786

787

case AVAHI_BROWSER_NEW:

788

/* We ignore the returned Avahi resolver object. In the callback

789

function we free it. If the Avahi server is terminated before

790

the callback function is called the Avahi server will free the

791

resolver for us. */

792

793

if (!(avahi_s_service_resolver_new(mc->server, interface,

794

protocol, name, type, domain,

795

AVAHI_PROTO_INET6, 0,

796

resolve_callback, mc)))

797

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

798

name, avahi_strerror(avahi_server_errno(mc->server)));

799

break;

800

801

case AVAHI_BROWSER_REMOVE:

802

break;

803

804

case AVAHI_BROWSER_ALL_FOR_NOW:

805

case AVAHI_BROWSER_CACHE_EXHAUSTED:

806

if(debug){

807

fprintf(stderr, "No Mandos server found, still searching...\n");

577

static void browse_callback(

578

AvahiSServiceBrowser *b,

579

AvahiIfIndex interface,

580

AvahiProtocol protocol,

581

AvahiBrowserEvent event,

582

const char *name,

583

const char *type,

584

const char *domain,

585

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

586

void* userdata) {

587

588

AvahiServer *s = userdata;

589

assert(b); /* Spurious warning */

590

591

/* Called whenever a new services becomes available on the LAN or

592

is removed from the LAN */

593

594

switch (event) {

595

default:

596

case AVAHI_BROWSER_FAILURE:

597

598

fprintf(stderr, "(Browser) %s\n",

599

avahi_strerror(avahi_server_errno(server)));

600

avahi_simple_poll_quit(simple_poll);

601

return;

602

603

case AVAHI_BROWSER_NEW:

604

/* We ignore the returned resolver object. In the callback

605

function we free it. If the server is terminated before

606

the callback function is called the server will free

607

the resolver for us. */

608

609

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

610

type, domain,

611

AVAHI_PROTO_INET6, 0,

612

resolve_callback, s)))

613

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

614

avahi_strerror(avahi_server_errno(s)));

615

break;

616

617

case AVAHI_BROWSER_REMOVE:

618

break;

619

620

case AVAHI_BROWSER_ALL_FOR_NOW:

621

case AVAHI_BROWSER_CACHE_EXHAUSTED:

622

break;

808

623

}

809

break;

810

}

811

624

}

812

625

813

int main(int argc, char *argv[]){

626

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

627

AvahiServerConfig config;

814

628

AvahiSServiceBrowser *sb = NULL;

815

629

int error;

816

630

int ret;

817

int exitcode = EXIT_SUCCESS;

631

int returncode = EXIT_SUCCESS;

818

632

const char *interface = "eth0";

819

struct ifreq network;

820

int sd;

821

uid_t uid;

822

gid_t gid;

633

unsigned int if_index;

823

634

char *connect_to = NULL;

824

char tempdir[] = "/tmp/mandosXXXXXX";

825

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

826

const char *seckey = PATHDIR "/" SECKEY;

827

const char *pubkey = PATHDIR "/" PUBKEY;

828

829

mandos_context mc = { .simple_poll = NULL, .server = NULL,

830

.dh_bits = 1024, .priority = "SECURE256"

831

":!CTYPE-X.509:+CTYPE-OPENPGP" };

832

bool gnutls_initalized = false;

833

bool pgpme_initalized = false;

834

835

{

836

struct argp_option options[] = {

837

{ .name = "debug", .key = 128,

838

.doc = "Debug mode", .group = 3 },

839

{ .name = "connect", .key = 'c',

840

.arg = "ADDRESS:PORT",

841

.doc = "Connect directly to a specific Mandos server",

842

.group = 1 },

843

{ .name = "interface", .key = 'i',

844

.arg = "NAME",

845

.doc = "Interface that will be used to search for Mandos"

846

" servers",

847

.group = 1 },

848

{ .name = "seckey", .key = 's',

849

.arg = "FILE",

850

.doc = "OpenPGP secret key file base name",

851

.group = 1 },

852

{ .name = "pubkey", .key = 'p',

853

.arg = "FILE",

854

.doc = "OpenPGP public key file base name",

855

.group = 2 },

856

{ .name = "dh-bits", .key = 129,

857

.arg = "BITS",

858

.doc = "Bit length of the prime number used in the"

859

" Diffie-Hellman key exchange",

860

.group = 2 },

861

{ .name = "priority", .key = 130,

862

.arg = "STRING",

863

.doc = "GnuTLS priority string for the TLS handshake",

864

.group = 1 },

865

{ .name = NULL }

866

};

867

868

error_t parse_opt (int key, char *arg,

869

struct argp_state *state) {

870

/* Get the INPUT argument from `argp_parse', which we know is

871

a pointer to our plugin list pointer. */

872

switch (key) {

873

case 128: /* --debug */

874

debug = true;

875

break;

876

case 'c': /* --connect */

877

connect_to = arg;

878

break;

879

case 'i': /* --interface */

880

interface = arg;

881

break;

882

case 's': /* --seckey */

883

seckey = arg;

884

break;

885

case 'p': /* --pubkey */

886

pubkey = arg;

887

break;

888

case 129: /* --dh-bits */

889

errno = 0;

890

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

891

if (errno){

892

perror("strtol");

893

exit(EXIT_FAILURE);

894

}

895

break;

896

case 130: /* --priority */

897

mc.priority = arg;

898

break;

899

case ARGP_KEY_ARG:

900

argp_usage (state);

901

case ARGP_KEY_END:

902

break;

903

default:

904

return ARGP_ERR_UNKNOWN;

905

}

906

return 0;

907

}

908

909

struct argp argp = { .options = options, .parser = parse_opt,

910

.args_doc = "",

911

.doc = "Mandos client -- Get and decrypt"

912

" passwords from a Mandos server" };

913

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

914

if (ret == ARGP_ERR_UNKNOWN){

915

fprintf(stderr, "Unknown error while parsing arguments\n");

916

exitcode = EXIT_FAILURE;

917

goto end;

918

}

919

}

920

921

/* If the interface is down, bring it up */

922

{

923

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

924

if(sd < 0) {

925

perror("socket");

926

exitcode = EXIT_FAILURE;

927

goto end;

928

}

929

strcpy(network.ifr_name, interface);

930

ret = ioctl(sd, SIOCGIFFLAGS, &network);

931

if(ret == -1){

932

perror("ioctl SIOCGIFFLAGS");

933

exitcode = EXIT_FAILURE;

934

goto end;

935

}

936

if((network.ifr_flags & IFF_UP) == 0){

937

network.ifr_flags |= IFF_UP;

938

ret = ioctl(sd, SIOCSIFFLAGS, &network);

939

if(ret == -1){

940

perror("ioctl SIOCSIFFLAGS");

941

exitcode = EXIT_FAILURE;

942

goto end;

943

}

944

}

945

ret = TEMP_FAILURE_RETRY(close(sd));

946

if(ret == -1){

947

perror("close");

948

}

949

}

950

951

uid = getuid();

952

gid = getgid();

953

954

ret = setuid(uid);

955

if (ret == -1){

956

perror("setuid");

957

}

958

959

setgid(gid);

960

if (ret == -1){

961

perror("setgid");

962

}

963

964

ret = init_gnutls_global(&mc, pubkey, seckey);

965

if (ret == -1){

966

fprintf(stderr, "init_gnutls_global failed\n");

967

exitcode = EXIT_FAILURE;

968

goto end;

969

} else {

970

gnutls_initalized = true;

971

}

972

973

if(mkdtemp(tempdir) == NULL){

974

perror("mkdtemp");

975

tempdir[0] = '\0';

976

goto end;

977

}

978

979

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

980

fprintf(stderr, "pgpme_initalized failed\n");

981

exitcode = EXIT_FAILURE;

982

goto end;

983

} else {

984

pgpme_initalized = true;

985

}

986

987

if_index = (AvahiIfIndex) if_nametoindex(interface);

635

636

while (true){

637

static struct option long_options[] = {

638

{"debug", no_argument, (int *)&debug, 1},

639

{"connect", required_argument, 0, 'c'},

640

{"interface", required_argument, 0, 'i'},

641

{0, 0, 0, 0} };

642

643

int option_index = 0;

644

ret = getopt_long (argc, argv, "i:", long_options,

645

&option_index);

646

647

if (ret == -1){

648

break;

649

}

650

651

switch(ret){

652

case 0:

653

break;

654

case 'i':

655

interface = optarg;

656

break;

657

case 'c':

658

connect_to = optarg;

659

break;

660

default:

661

exit(EXIT_FAILURE);

662

}

663

}

664

665

if_index = if_nametoindex(interface);

988

666

if(if_index == 0){

989

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

990

668

exit(EXIT_FAILURE);

996

674

char *address = strrchr(connect_to, ':');

997

675

if(address == NULL){

998

676

fprintf(stderr, "No colon in address\n");

999

exitcode = EXIT_FAILURE;

1000

goto end;

677

exit(EXIT_FAILURE);

1001

678

}

1002

679

errno = 0;

1003

680

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

1004

681

if(errno){

1005

682

perror("Bad port number");

1006

exitcode = EXIT_FAILURE;

1007

goto end;

683

exit(EXIT_FAILURE);

1008

684

}

1009

685

*address = '\0';

1010

686

address = connect_to;

1011

ret = start_mandos_communication(address, port, if_index, &mc);

687

ret = start_mandos_communication(address, port, if_index);

1012

688

if(ret < 0){

1013

exitcode = EXIT_FAILURE;

689

exit(EXIT_FAILURE);

1014

690

} else {

1015

exitcode = EXIT_SUCCESS;

691

exit(EXIT_SUCCESS);

1016

692

}

1017

goto end;

1018

693

}

1019

694

1020

695

if (not debug){

1021

696

avahi_set_log_function(empty_log);

1022

697

}

1023

698

1024

/* Initialize the pseudo-RNG for Avahi */

699

/* Initialize the psuedo-RNG */

1025

700

srand((unsigned int) time(NULL));

1026

1027

/* Allocate main Avahi loop object */

1028

mc.simple_poll = avahi_simple_poll_new();

1029

if (mc.simple_poll == NULL) {

1030

fprintf(stderr, "Avahi: Failed to create simple poll"

1031

" object.\n");

1032

exitcode = EXIT_FAILURE;

1033

goto end;

1034

}

1035

1036

{

1037

AvahiServerConfig config;

1038

/* Do not publish any local Zeroconf records */

1039

avahi_server_config_init(&config);

1040

config.publish_hinfo = 0;

1041

config.publish_addresses = 0;

1042

config.publish_workstation = 0;

1043

config.publish_domain = 0;

1044

1045

/* Allocate a new server */

1046

mc.server = avahi_server_new(avahi_simple_poll_get

1047

(mc.simple_poll), &config, NULL,

1048

NULL, &error);

1049

1050

/* Free the Avahi configuration data */

1051

avahi_server_config_free(&config);

1052

}

1053

1054

/* Check if creating the Avahi server object succeeded */

1055

if (mc.server == NULL) {

1056

fprintf(stderr, "Failed to create Avahi server: %s\n",

701

702

/* Allocate main loop object */

703

if (!(simple_poll = avahi_simple_poll_new())) {

704

fprintf(stderr, "Failed to create simple poll object.\n");

705

706

goto exit;

707

}

708

709

/* Do not publish any local records */

710

avahi_server_config_init(&config);

711

config.publish_hinfo = 0;

712

config.publish_addresses = 0;

713

config.publish_workstation = 0;

714

config.publish_domain = 0;

715

716

/* Allocate a new server */

717

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

718

&config, NULL, NULL, &error);

719

720

/* Free the configuration data */

721

avahi_server_config_free(&config);

722

723

/* Check if creating the server object succeeded */

724

if (!server) {

725

fprintf(stderr, "Failed to create server: %s\n",

1057

726

avahi_strerror(error));

1058

exitcode = EXIT_FAILURE;

1059

goto end;

727

returncode = EXIT_FAILURE;

728

goto exit;

1060

729

}

1061

730

1062

/* Create the Avahi service browser */

1063

sb = avahi_s_service_browser_new(mc.server, if_index,

731

/* Create the service browser */

732

sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,

1064

733

AVAHI_PROTO_INET6,

1065

734

"_mandos._tcp", NULL, 0,

1066

browse_callback, &mc);

1067

if (sb == NULL) {

735

browse_callback, server);

736

if (!sb) {

1068

737

fprintf(stderr, "Failed to create service browser: %s\n",

1069

avahi_strerror(avahi_server_errno(mc.server)));

1070

exitcode = EXIT_FAILURE;

1071

goto end;

738

avahi_strerror(avahi_server_errno(server)));

739

returncode = EXIT_FAILURE;

740

goto exit;

1072

741

}

1073

742

1074

743

/* Run the main loop */

1075

744

1076

745

if (debug){

1077

fprintf(stderr, "Starting Avahi loop search\n");

746

fprintf(stderr, "Starting avahi loop search\n");

1078

747

}

1079

748

1080

avahi_simple_poll_loop(mc.simple_poll);

1081

1082

end:

1083

749

avahi_simple_poll_loop(simple_poll);

750

751

exit:

752

1084

753

if (debug){

1085

754

fprintf(stderr, "%s exiting\n", argv[0]);

1086

755

}

1087

756

1088

757

/* Cleanup things */

1089

if (sb != NULL)

758

if (sb)

1090

759

avahi_s_service_browser_free(sb);

1091

760

1092

if (mc.server != NULL)

1093

avahi_server_free(mc.server);

1094

1095

if (mc.simple_poll != NULL)

1096

avahi_simple_poll_free(mc.simple_poll);

1097

1098

if (gnutls_initalized){

1099

gnutls_certificate_free_credentials(mc.cred);

1100

gnutls_global_deinit ();

1101

}

1102

1103

if(pgpme_initalized){

1104

gpgme_release(mc.ctx);

1105

}

1106

1107

/* Removes the temp directory used by GPGME */

1108

if(tempdir[0] != '\0'){

1109

DIR *d;

1110

struct dirent *direntry;

1111

d = opendir(tempdir);

1112

if(d == NULL){

1113

perror("opendir");

1114

} else {

1115

while(true){

1116

direntry = readdir(d);

1117

if(direntry == NULL){

1118

break;

1119

}

1120

if (direntry->d_type == DT_REG){

1121

char *fullname = NULL;

1122

ret = asprintf(&fullname, "%s/%s", tempdir,

1123

direntry->d_name);

1124

if(ret < 0){

1125

perror("asprintf");

1126

continue;

1127

}

1128

ret = unlink(fullname);

1129

if(ret == -1){

1130

fprintf(stderr, "unlink(\"%s\"): %s",

1131

fullname, strerror(errno));

1132

}

1133

free(fullname);

1134

}

1135

}

1136

}

1137

ret = rmdir(tempdir);

1138

if(ret == -1){

1139

perror("rmdir");

1140

}

1141

}

1142

1143

return exitcode;

761

if (server)

762

avahi_server_free(server);

763

764

if (simple_poll)

765

avahi_simple_poll_free(simple_poll);

766

767

return returncode;

1144

768

}

Older »