/mandos/trunk : revision 286

1

/* -*- coding: utf-8 -*- */

2

/*

3

* Mandos client - get and decrypt data from a Mandos server

3

* Mandos-client - get and decrypt data from a Mandos server

4

*

5

* This program is partly derived from an example program for an Avahi

6

* service browser, downloaded from

9

* "browse_callback", and parts of "main".

10

*

11

* Everything else is

12

13

14

*

14

15

* This program is free software: you can redistribute it and/or

15

16

* modify it under the terms of the GNU General Public License as

32

33

#define _LARGEFILE_SOURCE

33

34

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

36

37

#include <stdio.h>

38

#include <assert.h>

39

#include <stdlib.h>

40

#include <time.h>

41

#include <net/if.h> /* if_nametoindex */

42

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

43

SIOCSIFFLAGS */

38

#include <stdio.h> /* fprintf(), stderr, fwrite(),

39

stdout, ferror(), sscanf(),

40

remove() */

41

#include <stdint.h> /* uint16_t, uint32_t */

42

#include <stddef.h> /* NULL, size_t, ssize_t */

43

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

44

srand() */

45

#include <stdbool.h> /* bool, true */

46

#include <string.h> /* memset(), strcmp(), strlen(),

47

strerror(), asprintf(), strcpy() */

48

#include <sys/ioctl.h> /* ioctl */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t, open(), opendir(),

53

DIR */

54

#include <sys/stat.h> /* open() */

55

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

56

struct in6_addr, inet_pton(),

57

connect() */

58

#include <fcntl.h> /* open() */

59

#include <dirent.h> /* opendir(), struct dirent, readdir()

60

*/

61

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

62

#include <assert.h> /* assert() */

63

#include <errno.h> /* perror(), errno */

64

#include <time.h> /* time() */

44

65

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

45

SIOCSIFFLAGS */

66

SIOCSIFFLAGS, if_indextoname(),

67

if_nametoindex(), IF_NAMESIZE */

68

#include <netinet/in.h>

69

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

70

getuid(), getgid(), setuid(),

71

setgid() */

72

#include <arpa/inet.h> /* inet_pton(), htons */

73

#include <iso646.h> /* not, and, or */

74

#include <argp.h> /* struct argp_option, error_t, struct

75

argp_state, struct argp,

76

argp_parse(), ARGP_KEY_ARG,

77

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

46

78

79

/* Avahi */

80

/* All Avahi types, constants and functions

81

Avahi*, avahi_*,

82

AVAHI_* */

47

83

#include <avahi-core/core.h>

48

84

#include <avahi-core/lookup.h>

49

85

#include <avahi-core/log.h>

51

87

#include <avahi-common/malloc.h>

52

88

#include <avahi-common/error.h>

53

89

54

/* Mandos client part */

55

#include <sys/types.h> /* socket(), inet_pton() */

56

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

57

struct in6_addr, inet_pton() */

58

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

59

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

90

/* GnuTLS */

91

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

92

functions:

93

gnutls_*

94

init_gnutls_session(),

95

GNUTLS_* */

96

#include <gnutls/openpgp.h>

97

/* gnutls_certificate_set_openpgp_key_file(),

98

GNUTLS_OPENPGP_FMT_BASE64 */

60

99

61

#include <unistd.h> /* close() */

62

#include <netinet/in.h>

63

#include <stdbool.h> /* true */

64

#include <string.h> /* memset */

65

#include <arpa/inet.h> /* inet_pton() */

66

#include <iso646.h> /* not */

67

#include <net/if.h> /* IF_NAMESIZE */

68

#include <argp.h> /* struct argp_option,

69

struct argp_state, struct argp,

70

argp_parse() */

71

100

/* GPGME */

72

#include <errno.h> /* perror() */

73

#include <gpgme.h>

101

#include <gpgme.h> /* All GPGME types, constants and

102

functions:

103

gpgme_*

104

GPGME_PROTOCOL_OpenPGP,

105

GPG_ERR_NO_* */

74

106

75

107

#define BUFFER_SIZE 256

76

108

109

#define PATHDIR "/conf/conf.d/mandos"

110

#define SECKEY "seckey.txt"

111

#define PUBKEY "pubkey.txt"

112

77

113

bool debug = false;

78

static const char *keydir = "/conf/conf.d/mandos";

79

114

static const char mandos_protocol_version[] = "1";

80

const char *argp_program_version = "mandosclient 0.9";

115

const char *argp_program_version = "mandos-client " VERSION;

81

116

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

82

117

83

118

/* Used for passing in values through the Avahi callback functions */

88

123

unsigned int dh_bits;

89

124

gnutls_dh_params_t dh_params;

90

125

const char *priority;

126

gpgme_ctx_t ctx;

91

127

} mandos_context;

92

128

93

129

/*

97

133

*/

98

134

size_t adjustbuffer(char **buffer, size_t buffer_length,

99

135

size_t buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

136

if(buffer_length + BUFFER_SIZE > buffer_capacity){

101

137

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

102

if (buffer == NULL){

138

if(buffer == NULL){

103

139

return 0;

104

140

}

105

141

buffer_capacity += BUFFER_SIZE;

108

144

}

109

145

110

146

/*

111

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

* Returns -1 on error

147

* Initialize GPGME.

113

148

*/

114

static ssize_t pgp_packet_decrypt (const char *cryptotext,

115

size_t crypto_size,

116

char **plaintext,

117

const char *homedir){

118

gpgme_data_t dh_crypto, dh_plain;

119

gpgme_ctx_t ctx;

149

static bool init_gpgme(mandos_context *mc, const char *seckey,

150

const char *pubkey, const char *tempdir){

151

int ret;

120

152

gpgme_error_t rc;

121

ssize_t ret;

122

size_t plaintext_capacity = 0;

123

ssize_t plaintext_length = 0;

124

153

gpgme_engine_info_t engine_info;

125

154

126

if (debug){

127

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

155

156

/*

157

* Helper function to insert pub and seckey to the enigne keyring.

158

*/

159

bool import_key(const char *filename){

160

int fd;

161

gpgme_data_t pgp_data;

162

163

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

164

if(fd == -1){

165

perror("open");

166

return false;

167

}

168

169

rc = gpgme_data_new_from_fd(&pgp_data, fd);

170

if(rc != GPG_ERR_NO_ERROR){

171

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

172

gpgme_strsource(rc), gpgme_strerror(rc));

173

return false;

174

}

175

176

rc = gpgme_op_import(mc->ctx, pgp_data);

177

if(rc != GPG_ERR_NO_ERROR){

178

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

179

gpgme_strsource(rc), gpgme_strerror(rc));

180

return false;

181

}

182

183

ret = (int)TEMP_FAILURE_RETRY(close(fd));

184

if(ret == -1){

185

perror("close");

186

}

187

gpgme_data_release(pgp_data);

188

return true;

189

}

190

191

if(debug){

192

fprintf(stderr, "Initialize gpgme\n");

128

193

}

129

194

130

195

/* Init GPGME */

131

196

gpgme_check_version(NULL);

132

197

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

133

if (rc != GPG_ERR_NO_ERROR){

198

if(rc != GPG_ERR_NO_ERROR){

134

199

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

135

200

gpgme_strsource(rc), gpgme_strerror(rc));

136

return -1;

201

return false;

137

202

}

138

203

139

/* Set GPGME home directory for the OpenPGP engine only */

140

rc = gpgme_get_engine_info (&engine_info);

141

if (rc != GPG_ERR_NO_ERROR){

204

/* Set GPGME home directory for the OpenPGP engine only */

205

rc = gpgme_get_engine_info(&engine_info);

206

if(rc != GPG_ERR_NO_ERROR){

142

207

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

143

208

gpgme_strsource(rc), gpgme_strerror(rc));

144

return -1;

209

return false;

145

210

}

146

211

while(engine_info != NULL){

147

212

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

148

213

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

149

engine_info->file_name, homedir);

214

engine_info->file_name, tempdir);

150

215

break;

151

216

}

152

217

engine_info = engine_info->next;

153

218

}

154

219

if(engine_info == NULL){

155

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

156

return -1;

220

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

221

return false;

222

}

223

224

/* Create new GPGME "context" */

225

rc = gpgme_new(&(mc->ctx));

226

if(rc != GPG_ERR_NO_ERROR){

227

fprintf(stderr, "bad gpgme_new: %s: %s\n",

228

gpgme_strsource(rc), gpgme_strerror(rc));

229

return false;

230

}

231

232

if(not import_key(pubkey) or not import_key(seckey)){

233

return false;

234

}

235

236

return true;

237

}

238

239

/*

240

* Decrypt OpenPGP data.

241

* Returns -1 on error

242

*/

243

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

244

const char *cryptotext,

245

size_t crypto_size,

246

char **plaintext){

247

gpgme_data_t dh_crypto, dh_plain;

248

gpgme_error_t rc;

249

ssize_t ret;

250

size_t plaintext_capacity = 0;

251

ssize_t plaintext_length = 0;

252

253

if(debug){

254

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

157

255

}

158

256

159

257

/* Create new GPGME data buffer from memory cryptotext */

160

258

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

161

259

0);

162

if (rc != GPG_ERR_NO_ERROR){

260

if(rc != GPG_ERR_NO_ERROR){

163

261

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

164

262

gpgme_strsource(rc), gpgme_strerror(rc));

165

263

return -1;

167

265

168

266

/* Create new empty GPGME data buffer for the plaintext */

169

267

rc = gpgme_data_new(&dh_plain);

170

if (rc != GPG_ERR_NO_ERROR){

268

if(rc != GPG_ERR_NO_ERROR){

171

269

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

172

270

gpgme_strsource(rc), gpgme_strerror(rc));

173

271

gpgme_data_release(dh_crypto);

174

272

return -1;

175

273

}

176

274

177

/* Create new GPGME "context" */

178

rc = gpgme_new(&ctx);

179

if (rc != GPG_ERR_NO_ERROR){

180

fprintf(stderr, "bad gpgme_new: %s: %s\n",

181

gpgme_strsource(rc), gpgme_strerror(rc));

182

plaintext_length = -1;

183

goto decrypt_end;

184

}

185

186

275

/* Decrypt data from the cryptotext data buffer to the plaintext

187

276

data buffer */

188

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

189

if (rc != GPG_ERR_NO_ERROR){

277

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

278

if(rc != GPG_ERR_NO_ERROR){

190

279

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

191

280

gpgme_strsource(rc), gpgme_strerror(rc));

192

281

plaintext_length = -1;

282

if(debug){

283

gpgme_decrypt_result_t result;

284

result = gpgme_op_decrypt_result(mc->ctx);

285

if(result == NULL){

286

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

287

} else {

288

fprintf(stderr, "Unsupported algorithm: %s\n",

289

result->unsupported_algorithm);

290

fprintf(stderr, "Wrong key usage: %u\n",

291

result->wrong_key_usage);

292

if(result->file_name != NULL){

293

fprintf(stderr, "File name: %s\n", result->file_name);

294

}

295

gpgme_recipient_t recipient;

296

recipient = result->recipients;

297

if(recipient){

298

while(recipient != NULL){

299

fprintf(stderr, "Public key algorithm: %s\n",

300

gpgme_pubkey_algo_name(recipient->pubkey_algo));

301

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

302

fprintf(stderr, "Secret key available: %s\n",

303

recipient->status == GPG_ERR_NO_SECKEY

304

? "No" : "Yes");

305

recipient = recipient->next;

306

}

307

}

308

}

309

}

193

310

goto decrypt_end;

194

311

}

195

312

197

314

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

198

315

}

199

316

200

if (debug){

201

gpgme_decrypt_result_t result;

202

result = gpgme_op_decrypt_result(ctx);

203

if (result == NULL){

204

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

205

} else {

206

fprintf(stderr, "Unsupported algorithm: %s\n",

207

result->unsupported_algorithm);

208

fprintf(stderr, "Wrong key usage: %d\n",

209

result->wrong_key_usage);

210

if(result->file_name != NULL){

211

fprintf(stderr, "File name: %s\n", result->file_name);

212

}

213

gpgme_recipient_t recipient;

214

recipient = result->recipients;

215

if(recipient){

216

while(recipient != NULL){

217

fprintf(stderr, "Public key algorithm: %s\n",

218

gpgme_pubkey_algo_name(recipient->pubkey_algo));

219

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

220

fprintf(stderr, "Secret key available: %s\n",

221

recipient->status == GPG_ERR_NO_SECKEY

222

? "No" : "Yes");

223

recipient = recipient->next;

224

}

225

}

226

}

227

}

228

229

317

/* Seek back to the beginning of the GPGME plaintext data buffer */

230

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

231

perror("pgpme_data_seek");

318

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

319

perror("gpgme_data_seek");

232

320

plaintext_length = -1;

233

321

goto decrypt_end;

234

322

}

238

326

plaintext_capacity = adjustbuffer(plaintext,

239

327

(size_t)plaintext_length,

240

328

plaintext_capacity);

241

if (plaintext_capacity == 0){

329

if(plaintext_capacity == 0){

242

330

perror("adjustbuffer");

243

331

plaintext_length = -1;

244

332

goto decrypt_end;

247

335

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

248

336

BUFFER_SIZE);

249

337

/* Print the data, if any */

250

if (ret == 0){

338

if(ret == 0){

251

339

/* EOF */

252

340

break;

253

341

}

258

346

}

259

347

plaintext_length += ret;

260

348

}

261

349

262

350

if(debug){

263

351

fprintf(stderr, "Decrypted password is: ");

264

352

for(ssize_t i = 0; i < plaintext_length; i++){

277

365

return plaintext_length;

278

366

}

279

367

280

static const char * safer_gnutls_strerror (int value) {

281

const char *ret = gnutls_strerror (value);

282

if (ret == NULL)

368

static const char * safer_gnutls_strerror(int value) {

369

const char *ret = gnutls_strerror(value); /* Spurious warning from

370

-Wunreachable-code */

371

if(ret == NULL)

283

372

ret = "(unknown)";

284

373

return ret;

285

374

}

291

380

}

292

381

293

382

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

383

const char *pubkeyfilename,

384

const char *seckeyfilename){

296

385

int ret;

297

386

298

387

if(debug){

299

388

fprintf(stderr, "Initializing GnuTLS\n");

300

389

}

301

302

if ((ret = gnutls_global_init ())

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

390

391

ret = gnutls_global_init();

392

if(ret != GNUTLS_E_SUCCESS) {

393

fprintf(stderr, "GnuTLS global_init: %s\n",

394

safer_gnutls_strerror(ret));

306

395

return -1;

307

396

}

308

397

309

if (debug){

398

if(debug){

310

399

/* "Use a log level over 10 to enable all debugging options."

311

400

* - GnuTLS manual

312

401

*/

315

404

}

316

405

317

406

/* OpenPGP credentials */

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf (stderr, "GnuTLS memory error: %s\n",

321

safer_gnutls_strerror(ret));

407

gnutls_certificate_allocate_credentials(&mc->cred);

408

if(ret != GNUTLS_E_SUCCESS){

409

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

410

* from

411

* -Wunreachable-code

412

*/

413

safer_gnutls_strerror(ret));

414

gnutls_global_deinit();

322

415

return -1;

323

416

}

324

417

325

418

if(debug){

326

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

327

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

328

seckeyfile);

419

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

420

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

421

seckeyfilename);

329

422

}

330

423

331

424

ret = gnutls_certificate_set_openpgp_key_file

332

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

333

if (ret != GNUTLS_E_SUCCESS) {

425

(mc->cred, pubkeyfilename, seckeyfilename,

426

GNUTLS_OPENPGP_FMT_BASE64);

427

if(ret != GNUTLS_E_SUCCESS) {

334

428

fprintf(stderr,

335

429

"Error[%d] while reading the OpenPGP key pair ('%s',"

336

" '%s')\n", ret, pubkeyfile, seckeyfile);

337

fprintf(stdout, "The GnuTLS error is: %s\n",

430

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

431

fprintf(stderr, "The GnuTLS error is: %s\n",

338

432

safer_gnutls_strerror(ret));

339

return -1;

433

goto globalfail;

340

434

}

341

435

342

436

/* GnuTLS server initialization */

343

437

ret = gnutls_dh_params_init(&mc->dh_params);

344

if (ret != GNUTLS_E_SUCCESS) {

345

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

346

" %s\n", safer_gnutls_strerror(ret));

347

return -1;

438

if(ret != GNUTLS_E_SUCCESS) {

439

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

440

" %s\n", safer_gnutls_strerror(ret));

441

goto globalfail;

348

442

}

349

443

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

350

if (ret != GNUTLS_E_SUCCESS) {

351

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

352

safer_gnutls_strerror(ret));

353

return -1;

444

if(ret != GNUTLS_E_SUCCESS) {

445

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

446

safer_gnutls_strerror(ret));

447

goto globalfail;

354

448

}

355

449

356

450

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

357

451

358

452

return 0;

453

454

globalfail:

455

456

gnutls_certificate_free_credentials(mc->cred);

457

gnutls_global_deinit();

458

gnutls_dh_params_deinit(mc->dh_params);

459

return -1;

359

460

}

360

461

361

462

static int init_gnutls_session(mandos_context *mc,

363

464

int ret;

364

465

/* GnuTLS session creation */

365

466

ret = gnutls_init(session, GNUTLS_SERVER);

366

if (ret != GNUTLS_E_SUCCESS){

467

if(ret != GNUTLS_E_SUCCESS){

367

468

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

368

469

safer_gnutls_strerror(ret));

369

470

}

371

472

{

372

473

const char *err;

373

474

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

374

if (ret != GNUTLS_E_SUCCESS) {

475

if(ret != GNUTLS_E_SUCCESS) {

375

476

fprintf(stderr, "Syntax error at: %s\n", err);

376

477

fprintf(stderr, "GnuTLS error: %s\n",

377

478

safer_gnutls_strerror(ret));

479

gnutls_deinit(*session);

378

480

return -1;

379

481

}

380

482

}

381

483

382

484

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

383

485

mc->cred);

384

if (ret != GNUTLS_E_SUCCESS) {

486

if(ret != GNUTLS_E_SUCCESS) {

385

487

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

386

488

safer_gnutls_strerror(ret));

489

gnutls_deinit(*session);

387

490

return -1;

388

491

}

389

492

390

493

/* ignore client certificate if any. */

391

gnutls_certificate_server_set_request (*session,

392

GNUTLS_CERT_IGNORE);

494

gnutls_certificate_server_set_request(*session,

495

GNUTLS_CERT_IGNORE);

393

496

394

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

497

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

395

498

396

499

return 0;

397

500

}

405

508

AvahiIfIndex if_index,

406

509

mandos_context *mc){

407

510

int ret, tcp_sd;

511

ssize_t sret;

408

512

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

409

513

char *buffer = NULL;

410

514

char *decrypted_buffer;

416

520

char interface[IF_NAMESIZE];

417

521

gnutls_session_t session;

418

522

419

ret = init_gnutls_session (mc, &session);

420

if (ret != 0){

523

ret = init_gnutls_session(mc, &session);

524

if(ret != 0){

421

525

return -1;

422

526

}

423

527

424

528

if(debug){

425

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

426

ip, port);

529

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

530

"\n", ip, port);

427

531

}

428

532

429

533

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

431

535

perror("socket");

432

536

return -1;

433

537

}

434

538

435

539

if(debug){

436

540

if(if_indextoname((unsigned int)if_index, interface) == NULL){

437

541

perror("if_indextoname");

440

544

fprintf(stderr, "Binding to interface %s\n", interface);

441

545

}

442

546

443

memset(&to,0,sizeof(to)); /* Spurious warning */

547

memset(&to, 0, sizeof(to));

444

548

to.in6.sin6_family = AF_INET6;

445

549

/* It would be nice to have a way to detect if we were passed an

446

550

IPv4 address here. Now we assume an IPv6 address. */

447

551

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

448

if (ret < 0 ){

552

if(ret < 0 ){

449

553

perror("inet_pton");

450

554

return -1;

451

555

}

453

557

fprintf(stderr, "Bad address: %s\n", ip);

454

558

return -1;

455

559

}

456

to.in6.sin6_port = htons(port); /* Spurious warning */

560

to.in6.sin6_port = htons(port); /* Spurious warnings from

561

-Wconversion and

562

-Wunreachable-code */

457

563

458

564

to.in6.sin6_scope_id = (uint32_t)if_index;

459

565

460

566

if(debug){

461

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

567

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

568

port);

462

569

char addrstr[INET6_ADDRSTRLEN] = "";

463

570

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

464

571

sizeof(addrstr)) == NULL){

471

578

}

472

579

473

580

ret = connect(tcp_sd, &to.in, sizeof(to));

474

if (ret < 0){

581

if(ret < 0){

475

582

perror("connect");

476

583

return -1;

477

584

}

478

585

479

586

const char *out = mandos_protocol_version;

480

587

written = 0;

481

while (true){

588

while(true){

482

589

size_t out_size = strlen(out);

483

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

590

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

484

591

out_size - written));

485

if (ret == -1){

592

if(ret == -1){

486

593

perror("write");

487

594

retval = -1;

488

595

goto mandos_end;

491

598

if(written < out_size){

492

599

continue;

493

600

} else {

494

if (out == mandos_protocol_version){

601

if(out == mandos_protocol_version){

495

602

written = 0;

496

603

out = "\r\n";

497

604

} else {

499

606

}

500

607

}

501

608

}

502

609

503

610

if(debug){

504

611

fprintf(stderr, "Establishing TLS session with %s\n", ip);

505

612

}

506

613

507

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

508

509

ret = gnutls_handshake (session);

510

511

if (ret != GNUTLS_E_SUCCESS){

614

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

615

616

do{

617

ret = gnutls_handshake(session);

618

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

619

620

if(ret != GNUTLS_E_SUCCESS){

512

621

if(debug){

513

622

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

514

gnutls_perror (ret);

623

gnutls_perror(ret);

515

624

}

516

625

retval = -1;

517

626

goto mandos_end;

523

632

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

524

633

ip);

525

634

}

526

635

527

636

while(true){

528

637

buffer_capacity = adjustbuffer(&buffer, buffer_length,

529

638

buffer_capacity);

530

if (buffer_capacity == 0){

639

if(buffer_capacity == 0){

531

640

perror("adjustbuffer");

532

641

retval = -1;

533

642

goto mandos_end;

534

643

}

535

644

536

ret = gnutls_record_recv(session, buffer+buffer_length,

537

BUFFER_SIZE);

538

if (ret == 0){

645

sret = gnutls_record_recv(session, buffer+buffer_length,

646

BUFFER_SIZE);

647

if(sret == 0){

539

648

break;

540

649

}

541

if (ret < 0){

542

switch(ret){

650

if(sret < 0){

651

switch(sret){

543

652

case GNUTLS_E_INTERRUPTED:

544

653

case GNUTLS_E_AGAIN:

545

654

break;

546

655

case GNUTLS_E_REHANDSHAKE:

547

ret = gnutls_handshake (session);

548

if (ret < 0){

656

do{

657

ret = gnutls_handshake(session);

658

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

659

if(ret < 0){

549

660

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

550

gnutls_perror (ret);

661

gnutls_perror(ret);

551

662

retval = -1;

552

663

goto mandos_end;

553

664

}

556

667

fprintf(stderr, "Unknown error while reading data from"

557

668

" encrypted session with Mandos server\n");

558

669

retval = -1;

559

gnutls_bye (session, GNUTLS_SHUT_RDWR);

670

gnutls_bye(session, GNUTLS_SHUT_RDWR);

560

671

goto mandos_end;

561

672

}

562

673

} else {

563

buffer_length += (size_t) ret;

674

buffer_length += (size_t) sret;

564

675

}

565

676

}

566

677

568

679

fprintf(stderr, "Closing TLS session\n");

569

680

}

570

681

571

gnutls_bye (session, GNUTLS_SHUT_RDWR);

682

gnutls_bye(session, GNUTLS_SHUT_RDWR);

572

683

573

if (buffer_length > 0){

574

decrypted_buffer_size = pgp_packet_decrypt(buffer,

684

if(buffer_length > 0){

685

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

575

686

buffer_length,

576

&decrypted_buffer,

577

keydir);

578

if (decrypted_buffer_size >= 0){

687

&decrypted_buffer);

688

if(decrypted_buffer_size >= 0){

579

689

written = 0;

580

690

while(written < (size_t) decrypted_buffer_size){

581

ret = (int)fwrite (decrypted_buffer + written, 1,

582

(size_t)decrypted_buffer_size - written,

583

stdout);

691

ret = (int)fwrite(decrypted_buffer + written, 1,

692

(size_t)decrypted_buffer_size - written,

693

stdout);

584

694

if(ret == 0 and ferror(stdout)){

585

695

if(debug){

586

696

fprintf(stderr, "Error writing encrypted data: %s\n",

595

705

} else {

596

706

retval = -1;

597

707

}

708

} else {

709

retval = -1;

598

710

}

599

711

600

712

/* Shutdown procedure */

601

713

602

714

mandos_end:

603

715

free(buffer);

604

close(tcp_sd);

605

gnutls_deinit (session);

606

gnutls_certificate_free_credentials (mc->cred);

607

gnutls_global_deinit ();

716

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

717

if(ret == -1){

718

perror("close");

719

}

720

gnutls_deinit(session);

608

721

return retval;

609

722

}

610

723

623

736

flags,

624

737

void* userdata) {

625

738

mandos_context *mc = userdata;

626

assert(r); /* Spurious warning */

739

assert(r);

627

740

628

741

/* Called whenever a service has been resolved successfully or

629

742

timed out */

630

743

631

switch (event) {

744

switch(event) {

632

745

default:

633

746

case AVAHI_RESOLVER_FAILURE:

634

747

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

641

754

char ip[AVAHI_ADDRESS_STR_MAX];

642

755

avahi_address_snprint(ip, sizeof(ip), address);

643

756

if(debug){

644

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

645

" port %d\n", name, host_name, ip, interface, port);

757

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

758

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

759

ip, (intmax_t)interface, port);

646

760

}

647

761

int ret = start_mandos_communication(ip, port, interface, mc);

648

if (ret == 0){

649

exit(EXIT_SUCCESS);

762

if(ret == 0){

763

avahi_simple_poll_quit(mc->simple_poll);

650

764

}

651

765

}

652

766

}

664

778

flags,

665

779

void* userdata) {

666

780

mandos_context *mc = userdata;

667

assert(b); /* Spurious warning */

781

assert(b);

668

782

669

783

/* Called whenever a new services becomes available on the LAN or

670

784

is removed from the LAN */

671

785

672

switch (event) {

786

switch(event) {

673

787

default:

674

788

case AVAHI_BROWSER_FAILURE:

675

789

684

798

the callback function is called the Avahi server will free the

685

799

resolver for us. */

686

800

687

if (!(avahi_s_service_resolver_new(mc->server, interface,

801

if(!(avahi_s_service_resolver_new(mc->server, interface,

688

802

protocol, name, type, domain,

689

803

AVAHI_PROTO_INET6, 0,

690

804

resolve_callback, mc)))

704

818

}

705

819

}

706

820

707

/* Combines file name and path and returns the malloced new

708

string. some sane checks could/should be added */

709

static const char *combinepath(const char *first, const char *second){

710

size_t f_len = strlen(first);

711

size_t s_len = strlen(second);

712

char *tmp = malloc(f_len + s_len + 2);

713

if (tmp == NULL){

714

return NULL;

715

}

716

if(f_len > 0){

717

memcpy(tmp, first, f_len); /* Spurious warning */

718

}

719

tmp[f_len] = '/';

720

if(s_len > 0){

721

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

722

}

723

tmp[f_len + 1 + s_len] = '\0';

724

return tmp;

725

}

726

727

728

821

int main(int argc, char *argv[]){

729

822

AvahiSServiceBrowser *sb = NULL;

730

823

int error;

731

824

int ret;

825

intmax_t tmpmax;

826

int numchars;

732

827

int exitcode = EXIT_SUCCESS;

733

828

const char *interface = "eth0";

734

829

struct ifreq network;

736

831

uid_t uid;

737

832

gid_t gid;

738

833

char *connect_to = NULL;

834

char tempdir[] = "/tmp/mandosXXXXXX";

739

835

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

740

const char *pubkeyfile = "pubkey.txt";

741

const char *seckeyfile = "seckey.txt";

836

const char *seckey = PATHDIR "/" SECKEY;

837

const char *pubkey = PATHDIR "/" PUBKEY;

838

742

839

mandos_context mc = { .simple_poll = NULL, .server = NULL,

743

.dh_bits = 1024, .priority = "SECURE256"};

840

.dh_bits = 1024, .priority = "SECURE256"

841

":!CTYPE-X.509:+CTYPE-OPENPGP" };

842

bool gnutls_initialized = false;

843

bool gpgme_initialized = false;

744

844

745

845

{

746

846

struct argp_option options[] = {

747

847

{ .name = "debug", .key = 128,

748

848

.doc = "Debug mode", .group = 3 },

749

849

{ .name = "connect", .key = 'c',

750

.arg = "IP",

751

.doc = "Connect directly to a sepcified mandos server",

850

.arg = "ADDRESS:PORT",

851

.doc = "Connect directly to a specific Mandos server",

752

852

.group = 1 },

753

853

{ .name = "interface", .key = 'i',

754

.arg = "INTERFACE",

755

.doc = "Interface that Avahi will conntect through",

756

.group = 1 },

757

{ .name = "keydir", .key = 'd',

758

.arg = "KEYDIR",

759

.doc = "Directory where the openpgp keyring is",

854

.arg = "NAME",

855

.doc = "Interface that will be used to search for Mandos"

856

" servers",

760

857

.group = 1 },

761

858

{ .name = "seckey", .key = 's',

762

.arg = "SECKEY",

763

.doc = "Secret openpgp key for gnutls authentication",

859

.arg = "FILE",

860

.doc = "OpenPGP secret key file base name",

764

861

.group = 1 },

765

862

{ .name = "pubkey", .key = 'p',

766

.arg = "PUBKEY",

767

.doc = "Public openpgp key for gnutls authentication",

863

.arg = "FILE",

864

.doc = "OpenPGP public key file base name",

768

865

.group = 2 },

769

866

{ .name = "dh-bits", .key = 129,

770

867

.arg = "BITS",

771

.doc = "dh-bits to use in gnutls communication",

868

.doc = "Bit length of the prime number used in the"

869

" Diffie-Hellman key exchange",

772

870

.group = 2 },

773

871

{ .name = "priority", .key = 130,

774

.arg = "PRIORITY",

775

.doc = "GNUTLS priority", .group = 1 },

872

.arg = "STRING",

873

.doc = "GnuTLS priority string for the TLS handshake",

874

.group = 1 },

776

875

{ .name = NULL }

777

876

};

778

779

877

780

error_t parse_opt (int key, char *arg,

781

struct argp_state *state) {

782

/* Get the INPUT argument from `argp_parse', which we know is

783

a pointer to our plugin list pointer. */

784

switch (key) {

785

case 128:

878

error_t parse_opt(int key, char *arg,

879

struct argp_state *state) {

880

switch(key) {

881

case 128: /* --debug */

786

882

debug = true;

787

883

break;

788

case 'c':

884

case 'c': /* --connect */

789

885

connect_to = arg;

790

886

break;

791

case 'i':

887

case 'i': /* --interface */

792

888

interface = arg;

793

889

break;

794

case 'd':

795

keydir = arg;

796

break;

797

case 's':

798

seckeyfile = arg;

799

break;

800

case 'p':

801

pubkeyfile = arg;

802

break;

803

case 129:

804

errno = 0;

805

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

806

if (errno){

807

perror("strtol");

890

case 's': /* --seckey */

891

seckey = arg;

892

break;

893

case 'p': /* --pubkey */

894

pubkey = arg;

895

break;

896

case 129: /* --dh-bits */

897

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

898

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

899

or arg[numchars] != '\0'){

900

fprintf(stderr, "Bad number of DH bits\n");

808

901

exit(EXIT_FAILURE);

809

902

}

903

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

810

904

break;

811

case 130:

905

case 130: /* --priority */

812

906

mc.priority = arg;

813

907

break;

814

908

case ARGP_KEY_ARG:

815

argp_usage (state);

909

argp_usage(state);

910

case ARGP_KEY_END:

816

911

break;

817

case ARGP_KEY_END:

818

break;

819

912

default:

820

913

return ARGP_ERR_UNKNOWN;

821

914

}

822

915

return 0;

823

916

}

824

917

825

918

struct argp argp = { .options = options, .parser = parse_opt,

826

919

.args_doc = "",

827

920

.doc = "Mandos client -- Get and decrypt"

828

" passwords from mandos server" };

829

argp_parse (&argp, argc, argv, 0, 0, NULL);

830

}

831

832

pubkeyfile = combinepath(keydir, pubkeyfile);

833

if (pubkeyfile == NULL){

834

perror("combinepath");

835

exitcode = EXIT_FAILURE;

836

goto end;

837

}

838

839

seckeyfile = combinepath(keydir, seckeyfile);

840

if (seckeyfile == NULL){

841

perror("combinepath");

842

goto end;

843

}

844

845

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

846

if (ret == -1){

847

fprintf(stderr, "init_gnutls_global\n");

848

goto end;

849

}

850

921

" passwords from a Mandos server" };

922

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

923

if(ret == ARGP_ERR_UNKNOWN){

924

fprintf(stderr, "Unknown error while parsing arguments\n");

925

exitcode = EXIT_FAILURE;

926

goto end;

927

}

928

}

929

930

/* If the interface is down, bring it up */

931

{

932

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

933

if(sd < 0) {

934

perror("socket");

935

exitcode = EXIT_FAILURE;

936

goto end;

937

}

938

strcpy(network.ifr_name, interface);

939

ret = ioctl(sd, SIOCGIFFLAGS, &network);

940

if(ret == -1){

941

perror("ioctl SIOCGIFFLAGS");

942

exitcode = EXIT_FAILURE;

943

goto end;

944

}

945

if((network.ifr_flags & IFF_UP) == 0){

946

network.ifr_flags |= IFF_UP;

947

ret = ioctl(sd, SIOCSIFFLAGS, &network);

948

if(ret == -1){

949

perror("ioctl SIOCSIFFLAGS");

950

exitcode = EXIT_FAILURE;

951

goto end;

952

}

953

}

954

ret = (int)TEMP_FAILURE_RETRY(close(sd));

955

if(ret == -1){

956

perror("close");

957

}

958

}

959

851

960

uid = getuid();

852

961

gid = getgid();

853

962

854

963

ret = setuid(uid);

855

if (ret == -1){

964

if(ret == -1){

856

965

perror("setuid");

857

966

}

858

967

859

968

setgid(gid);

860

if (ret == -1){

969

if(ret == -1){

861

970

perror("setgid");

862

971

}

863

972

973

ret = init_gnutls_global(&mc, pubkey, seckey);

974

if(ret == -1){

975

fprintf(stderr, "init_gnutls_global failed\n");

976

exitcode = EXIT_FAILURE;

977

goto end;

978

} else {

979

gnutls_initialized = true;

980

}

981

982

if(mkdtemp(tempdir) == NULL){

983

perror("mkdtemp");

984

tempdir[0] = '\0';

985

goto end;

986

}

987

988

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

989

fprintf(stderr, "init_gpgme failed\n");

990

exitcode = EXIT_FAILURE;

991

goto end;

992

} else {

993

gpgme_initialized = true;

994

}

995

864

996

if_index = (AvahiIfIndex) if_nametoindex(interface);

865

997

if(if_index == 0){

866

998

fprintf(stderr, "No such interface: \"%s\"\n", interface);

876

1008

exitcode = EXIT_FAILURE;

877

1009

goto end;

878

1010

}

879

errno = 0;

880

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

881

if(errno){

882

perror("Bad port number");

1011

uint16_t port;

1012

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1013

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1014

or address[numchars+1] != '\0'){

1015

fprintf(stderr, "Bad port number\n");

883

1016

exitcode = EXIT_FAILURE;

884

1017

goto end;

885

1018

}

1019

port = (uint16_t)tmpmax;

886

1020

*address = '\0';

887

1021

address = connect_to;

888

1022

ret = start_mandos_communication(address, port, if_index, &mc);

894

1028

goto end;

895

1029

}

896

1030

897

/* If the interface is down, bring it up */

898

{

899

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

900

if(sd < 0) {

901

perror("socket");

902

exitcode = EXIT_FAILURE;

903

goto end;

904

}

905

strcpy(network.ifr_name, interface); /* Spurious warning */

906

ret = ioctl(sd, SIOCGIFFLAGS, &network);

907

if(ret == -1){

908

perror("ioctl SIOCGIFFLAGS");

909

exitcode = EXIT_FAILURE;

910

goto end;

911

}

912

if((network.ifr_flags & IFF_UP) == 0){

913

network.ifr_flags |= IFF_UP;

914

ret = ioctl(sd, SIOCSIFFLAGS, &network);

915

if(ret == -1){

916

perror("ioctl SIOCSIFFLAGS");

917

exitcode = EXIT_FAILURE;

918

goto end;

919

}

920

}

921

close(sd);

922

}

923

924

if (not debug){

1031

if(not debug){

925

1032

avahi_set_log_function(empty_log);

926

1033

}

927

1034

930

1037

931

1038

/* Allocate main Avahi loop object */

932

1039

mc.simple_poll = avahi_simple_poll_new();

933

if (mc.simple_poll == NULL) {

1040

if(mc.simple_poll == NULL) {

934

1041

fprintf(stderr, "Avahi: Failed to create simple poll"

935

1042

" object.\n");

936

1043

exitcode = EXIT_FAILURE;

937

1044

goto end;

938

1045

}

939

1046

940

1047

{

941

1048

AvahiServerConfig config;

942

1049

/* Do not publish any local Zeroconf records */

945

1052

config.publish_addresses = 0;

946

1053

config.publish_workstation = 0;

947

1054

config.publish_domain = 0;

948

1055

949

1056

/* Allocate a new server */

950

1057

mc.server = avahi_server_new(avahi_simple_poll_get

951

1058

(mc.simple_poll), &config, NULL,

952

1059

NULL, &error);

953

1060

954

1061

/* Free the Avahi configuration data */

955

1062

avahi_server_config_free(&config);

956

1063

}

957

1064

958

1065

/* Check if creating the Avahi server object succeeded */

959

if (mc.server == NULL) {

1066

if(mc.server == NULL) {

960

1067

fprintf(stderr, "Failed to create Avahi server: %s\n",

961

1068

avahi_strerror(error));

962

1069

exitcode = EXIT_FAILURE;

968

1075

AVAHI_PROTO_INET6,

969

1076

"_mandos._tcp", NULL, 0,

970

1077

browse_callback, &mc);

971

if (sb == NULL) {

1078

if(sb == NULL) {

972

1079

fprintf(stderr, "Failed to create service browser: %s\n",

973

1080

avahi_strerror(avahi_server_errno(mc.server)));

974

1081

exitcode = EXIT_FAILURE;

976

1083

}

977

1084

978

1085

/* Run the main loop */

979

980

if (debug){

1086

1087

if(debug){

981

1088

fprintf(stderr, "Starting Avahi loop search\n");

982

1089

}

983

1090

984

1091

avahi_simple_poll_loop(mc.simple_poll);

985

1092

986

1093

end:

987

988

if (debug){

1094

1095

if(debug){

989

1096

fprintf(stderr, "%s exiting\n", argv[0]);

990

1097

}

991

1098

992

1099

/* Cleanup things */

993

if (sb != NULL)

1100

if(sb != NULL)

994

1101

avahi_s_service_browser_free(sb);

995

1102

996

if (mc.server != NULL)

1103

if(mc.server != NULL)

997

1104

avahi_server_free(mc.server);

998

999

if (mc.simple_poll != NULL)

1105

1106

if(mc.simple_poll != NULL)

1000

1107

avahi_simple_poll_free(mc.simple_poll);

1001

free(pubkeyfile);

1002

free(seckeyfile);

1108

1109

if(gnutls_initialized){

1110

gnutls_certificate_free_credentials(mc.cred);

1111

gnutls_global_deinit();

1112

gnutls_dh_params_deinit(mc.dh_params);

1113

}

1114

1115

if(gpgme_initialized){

1116

gpgme_release(mc.ctx);

1117

}

1118

1119

/* Removes the temp directory used by GPGME */

1120

if(tempdir[0] != '\0'){

1121

DIR *d;

1122

struct dirent *direntry;

1123

d = opendir(tempdir);

1124

if(d == NULL){

1125

if(errno != ENOENT){

1126

perror("opendir");

1127

}

1128

} else {

1129

while(true){

1130

direntry = readdir(d);

1131

if(direntry == NULL){

1132

break;

1133

}

1134

/* Skip "." and ".." */

1135

if(direntry->d_name[0] == '.'

1136

and (direntry->d_name[1] == '\0'

1137

or (direntry->d_name[1] == '.'

1138

and direntry->d_name[2] == '\0'))){

1139

continue;

1140

}

1141

char *fullname = NULL;

1142

ret = asprintf(&fullname, "%s/%s", tempdir,

1143

direntry->d_name);

1144

if(ret < 0){

1145

perror("asprintf");

1146

continue;

1147

}

1148

ret = remove(fullname);

1149

if(ret == -1){

1150

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1151

strerror(errno));

1152

}

1153

free(fullname);

1154

}

1155

closedir(d);

1156

}

1157

ret = rmdir(tempdir);

1158

if(ret == -1 and errno != ENOENT){

1159

perror("rmdir");

1160

}

1161

}

1003

1162

1004

1163

return exitcode;

1005

1164

}