To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 287
- compare with another revision
- download diff
- download tarball
- view history from revision 287
- Committer: Teddy Hogeborn
- Date: 2009-01-27 00:07:26 UTC
- Revision ID: teddy@fukt.bsnet.se-20090127000726-4cafcfy35g8kh2b8
* INSTALL (Prerequisites/Mandos Server): Added "PyGObject".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
41
83
#include <avahi-core/core.h>
42
84
#include <avahi-core/lookup.h>
43
85
#include <avahi-core/log.h>
45
87
#include <avahi-common/malloc.h>
46
88
#include <avahi-common/error.h>
47
89
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt long
67
#include <getopt.h>
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
68
106
69
107
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
71
108
72
static const char *certdir = "/conf/conf.d/mandos";
73
static const char *certfile = "openpgp-client.txt";
74
static const char *certkey = "openpgp-client-key.txt";
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
75
112
76
113
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
77
117
118
/* Used for passing in values through the Avahi callback functions */
78
119
typedef struct {
79
gnutls_session_t session;
120
AvahiSimplePoll *simple_poll;
121
AvahiServer *server;
80
122
gnutls_certificate_credentials_t cred;
123
unsigned int dh_bits;
81
124
gnutls_dh_params_t dh_params;
82
} encrypted_session;
83
84
85
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet,
87
const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
125
const char *priority;
89
126
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
90
152
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
94
153
gpgme_engine_info_t engine_info;
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
154
155
156
/*
157
* Helper function to insert pub and seckey to the enigne keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
98
193
}
99
194
100
195
/* Init GPGME */
101
196
gpgme_check_version(NULL);
102
197
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
103
if (rc != GPG_ERR_NO_ERROR){
198
if(rc != GPG_ERR_NO_ERROR){
104
199
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
105
200
gpgme_strsource(rc), gpgme_strerror(rc));
106
return -1;
201
return false;
107
202
}
108
203
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
112
207
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
113
208
gpgme_strsource(rc), gpgme_strerror(rc));
114
return -1;
209
return false;
115
210
}
116
211
while(engine_info != NULL){
117
212
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
118
213
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
119
engine_info->file_name, homedir);
214
engine_info->file_name, tempdir);
120
215
break;
121
216
}
122
217
engine_info = engine_info->next;
123
218
}
124
219
if(engine_info == NULL){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
255
}
256
257
/* Create new GPGME data buffer from memory cryptotext */
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
0);
260
if(rc != GPG_ERR_NO_ERROR){
132
261
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
133
262
gpgme_strsource(rc), gpgme_strerror(rc));
134
263
return -1;
136
265
137
266
/* Create new empty GPGME data buffer for the plaintext */
138
267
rc = gpgme_data_new(&dh_plain);
139
if (rc != GPG_ERR_NO_ERROR){
268
if(rc != GPG_ERR_NO_ERROR){
140
269
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
141
270
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
271
gpgme_data_release(dh_crypto);
272
return -1;
273
}
274
275
/* Decrypt data from the cryptotext data buffer to the plaintext
276
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
157
279
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
158
280
gpgme_strsource(rc), gpgme_strerror(rc));
159
return -1;
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
307
}
308
}
309
}
310
goto decrypt_end;
160
311
}
161
312
162
313
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
182
while(recipient != NULL){
183
fprintf(stderr, "Public key algorithm: %s\n",
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
185
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
186
fprintf(stderr, "Secret key available: %s\n",
187
recipient->status == GPG_ERR_NO_SECKEY
188
? "No" : "Yes");
189
recipient = recipient->next;
190
}
191
}
192
}
193
}
194
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
}
197
316
198
317
/* Seek back to the beginning of the GPGME plaintext data buffer */
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
320
plaintext_length = -1;
321
goto decrypt_end;
201
322
}
202
323
203
*new_packet = 0;
324
*plaintext = NULL;
204
325
while(true){
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
331
plaintext_length = -1;
332
goto decrypt_end;
214
333
}
215
334
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
217
336
BUFFER_SIZE);
218
337
/* Print the data, if any */
219
if (ret == 0){
338
if(ret == 0){
339
/* EOF */
220
340
break;
221
341
}
222
342
if(ret < 0){
223
343
perror("gpgme_data_read");
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
344
plaintext_length = -1;
345
goto decrypt_end;
346
}
347
plaintext_length += ret;
348
}
349
350
if(debug){
351
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
}
355
fprintf(stderr, "\n");
356
}
357
358
decrypt_end:
359
360
/* Delete the GPGME cryptotext data buffer */
361
gpgme_data_release(dh_crypto);
236
362
237
363
/* Delete the GPGME plaintext data buffer */
238
364
gpgme_data_release(dh_plain);
239
return new_packet_length;
365
return plaintext_length;
240
366
}
241
367
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
245
372
ret = "(unknown)";
246
373
return ret;
247
374
}
248
375
376
/* GnuTLS log function callback */
249
377
static void debuggnutls(__attribute__((unused)) int level,
250
378
const char* string){
251
fprintf(stderr, "%s", string);
379
fprintf(stderr, "GnuTLS: %s", string);
252
380
}
253
381
254
static int initgnutls(encrypted_session *es){
255
const char *err;
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
256
385
int ret;
257
386
258
387
if(debug){
259
388
fprintf(stderr, "Initializing GnuTLS\n");
260
389
}
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
265
395
return -1;
266
396
}
267
268
if (debug){
397
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
269
402
gnutls_global_set_log_level(11);
270
403
gnutls_global_set_log_function(debuggnutls);
271
404
}
272
405
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
278
415
return -1;
279
416
}
280
417
281
418
if(debug){
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
285
422
}
286
423
287
424
ret = gnutls_certificate_set_openpgp_key_file
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
319
468
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
320
469
safer_gnutls_strerror(ret));
321
470
}
322
471
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
329
482
}
330
483
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
488
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
336
490
return -1;
337
491
}
338
492
339
493
/* ignore client certificate if any. */
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
342
496
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
344
498
345
499
return 0;
346
500
}
347
501
502
/* Avahi log function callback */
348
503
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
504
__attribute__((unused)) const char *txt){}
350
505
506
/* Called when a Mandos server is found */
351
507
static int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
508
AvahiIfIndex if_index,
509
mandos_context *mc){
353
510
int ret, tcp_sd;
354
struct sockaddr_in6 to;
355
encrypted_session es;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
356
513
char *buffer = NULL;
357
514
char *decrypted_buffer;
358
515
size_t buffer_length = 0;
359
516
size_t buffer_capacity = 0;
360
517
ssize_t decrypted_buffer_size;
361
size_t written = 0;
518
size_t written;
362
519
int retval = 0;
363
520
char interface[IF_NAMESIZE];
521
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
364
527
365
528
if(debug){
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
368
531
}
369
532
370
533
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
536
return -1;
374
537
}
375
538
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
539
if(debug){
540
if(if_indextoname((unsigned int)if_index, interface) == NULL){
378
541
perror("if_indextoname");
542
return -1;
379
543
}
380
return -1;
381
}
382
383
if(debug){
384
544
fprintf(stderr, "Binding to interface %s\n", interface);
385
545
}
386
546
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
391
553
perror("inet_pton");
392
554
return -1;
393
}
555
}
394
556
if(ret == 0){
395
557
fprintf(stderr, "Bad address: %s\n", ip);
396
558
return -1;
397
559
}
398
to.sin6_port = htons(port); /* Spurious warning */
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
399
563
400
to.sin6_scope_id = (uint32_t)if_index;
564
to.in6.sin6_scope_id = (uint32_t)if_index;
401
565
402
566
if(debug){
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
569
char addrstr[INET6_ADDRSTRLEN] = "";
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
571
sizeof(addrstr)) == NULL){
572
perror("inet_ntop");
573
} else {
574
if(strcmp(addrstr, ip) != 0){
575
fprintf(stderr, "Canonical address form: %s\n", addrstr);
576
}
577
}
412
578
}
413
579
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
416
582
perror("connect");
417
583
return -1;
418
584
}
419
585
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
424
608
}
425
609
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
429
610
if(debug){
430
611
fprintf(stderr, "Establishing TLS session with %s\n", ip);
431
612
}
432
613
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
436
621
if(debug){
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
439
624
}
440
625
retval = -1;
441
goto exit;
626
goto mandos_end;
442
627
}
443
628
444
//Retrieve OpenPGP packet that contains the wanted password
629
/* Read OpenPGP packet that contains the wanted password */
445
630
446
631
if(debug){
447
632
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
448
633
ip);
449
634
}
450
635
451
636
while(true){
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
459
643
}
460
644
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
464
648
break;
465
649
}
466
if (ret < 0){
467
switch(ret){
650
if(sret < 0){
651
switch(sret){
468
652
case GNUTLS_E_INTERRUPTED:
469
653
case GNUTLS_E_AGAIN:
470
654
break;
471
655
case GNUTLS_E_REHANDSHAKE:
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
476
662
retval = -1;
477
goto exit;
663
goto mandos_end;
478
664
}
479
665
break;
480
666
default:
481
667
fprintf(stderr, "Unknown error while reading data from"
482
" encrypted session with mandos server\n");
668
" encrypted session with Mandos server\n");
483
669
retval = -1;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
486
672
}
487
673
} else {
488
buffer_length += (size_t) ret;
674
buffer_length += (size_t) sret;
489
675
}
490
676
}
491
677
492
if (buffer_length > 0){
493
decrypted_buffer_size = pgp_packet_decrypt(buffer,
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
494
686
buffer_length,
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
498
690
while(written < (size_t) decrypted_buffer_size){
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
502
694
if(ret == 0 and ferror(stdout)){
503
695
if(debug){
504
696
fprintf(stderr, "Error writing encrypted data: %s\n",
513
705
} else {
514
706
retval = -1;
515
707
}
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
524
715
free(buffer);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
531
721
return retval;
532
722
}
533
723
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
724
static void resolve_callback(AvahiSServiceResolver *r,
725
AvahiIfIndex interface,
726
AVAHI_GCC_UNUSED AvahiProtocol protocol,
727
AvahiResolverEvent event,
728
const char *name,
729
const char *type,
730
const char *domain,
731
const char *host_name,
732
const AvahiAddress *address,
733
uint16_t port,
734
AVAHI_GCC_UNUSED AvahiStringList *txt,
735
AVAHI_GCC_UNUSED AvahiLookupResultFlags
736
flags,
737
void* userdata) {
738
mandos_context *mc = userdata;
739
assert(r);
553
740
554
741
/* Called whenever a service has been resolved successfully or
555
742
timed out */
556
743
557
switch (event) {
744
switch(event) {
558
745
default:
559
746
case AVAHI_RESOLVER_FAILURE:
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
749
avahi_strerror(avahi_server_errno(mc->server)));
563
750
break;
564
751
565
752
case AVAHI_RESOLVER_FOUND:
567
754
char ip[AVAHI_ADDRESS_STR_MAX];
568
755
avahi_address_snprint(ip, sizeof(ip), address);
569
756
if(debug){
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
572
760
}
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
761
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
576
764
}
577
765
}
578
766
}
579
767
avahi_s_service_resolver_free(r);
580
768
}
581
769
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
770
static void browse_callback( AvahiSServiceBrowser *b,
771
AvahiIfIndex interface,
772
AvahiProtocol protocol,
773
AvahiBrowserEvent event,
774
const char *name,
775
const char *type,
776
const char *domain,
777
AVAHI_GCC_UNUSED AvahiLookupResultFlags
778
flags,
779
void* userdata) {
780
mandos_context *mc = userdata;
781
assert(b);
782
783
/* Called whenever a new services becomes available on the LAN or
784
is removed from the LAN */
785
786
switch(event) {
787
default:
788
case AVAHI_BROWSER_FAILURE:
789
790
fprintf(stderr, "(Avahi browser) %s\n",
791
avahi_strerror(avahi_server_errno(mc->server)));
792
avahi_simple_poll_quit(mc->simple_poll);
793
return;
794
795
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
800
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
802
protocol, name, type, domain,
803
AVAHI_PROTO_INET6, 0,
804
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
807
break;
808
809
case AVAHI_BROWSER_REMOVE:
810
break;
811
812
case AVAHI_BROWSER_ALL_FOR_NOW:
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
628
816
}
629
}
630
631
/* Combines file name and path and returns the malloced new
632
string. some sane checks could/should be added */
633
static const char *combinepath(const char *first, const char *second){
634
size_t f_len = strlen(first);
635
size_t s_len = strlen(second);
636
char *tmp = malloc(f_len + s_len + 2);
637
if (tmp == NULL){
638
return NULL;
639
}
640
if(f_len > 0){
641
memcpy(tmp, first, f_len);
642
}
643
tmp[f_len] = '/';
644
if(s_len > 0){
645
memcpy(tmp + f_len + 1, second, s_len);
646
}
647
tmp[f_len + 1 + s_len] = '\0';
648
return tmp;
649
}
650
651
652
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
653
AvahiServerConfig config;
817
break;
818
}
819
}
820
821
int main(int argc, char *argv[]){
654
822
AvahiSServiceBrowser *sb = NULL;
655
823
int error;
656
824
int ret;
657
int returncode = EXIT_SUCCESS;
658
const char *interface = NULL;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
828
const char *interface = "eth0";
829
struct ifreq network;
830
int sd;
831
uid_t uid;
832
gid_t gid;
833
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
659
835
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
660
char *connect_to = NULL;
661
662
while (true){
663
static struct option long_options[] = {
664
{"debug", no_argument, (int *)&debug, 1},
665
{"connect", required_argument, 0, 'C'},
666
{"interface", required_argument, 0, 'i'},
667
{"certdir", required_argument, 0, 'd'},
668
{"certkey", required_argument, 0, 'c'},
669
{"certfile", required_argument, 0, 'k'},
670
{0, 0, 0, 0} };
671
672
int option_index = 0;
673
ret = getopt_long (argc, argv, "i:", long_options,
674
&option_index);
675
676
if (ret == -1){
677
break;
678
}
679
680
switch(ret){
681
case 0:
682
break;
683
case 'i':
684
interface = optarg;
685
break;
686
case 'C':
687
connect_to = optarg;
688
break;
689
case 'd':
690
certdir = optarg;
691
break;
692
case 'c':
693
certfile = optarg;
694
break;
695
case 'k':
696
certkey = optarg;
697
break;
698
default:
699
exit(EXIT_FAILURE);
700
}
701
}
702
703
certfile = combinepath(certdir, certfile);
704
if (certfile == NULL){
705
perror("combinepath");
706
goto exit;
707
}
708
709
if(interface != NULL){
710
if_index = (AvahiIfIndex) if_nametoindex(interface);
711
if(if_index == 0){
712
fprintf(stderr, "No such interface: \"%s\"\n", interface);
713
exit(EXIT_FAILURE);
714
}
836
const char *seckey = PATHDIR "/" SECKEY;
837
const char *pubkey = PATHDIR "/" PUBKEY;
838
839
mandos_context mc = { .simple_poll = NULL, .server = NULL,
840
.dh_bits = 1024, .priority = "SECURE256"
841
":!CTYPE-X.509:+CTYPE-OPENPGP" };
842
bool gnutls_initialized = false;
843
bool gpgme_initialized = false;
844
845
{
846
struct argp_option options[] = {
847
{ .name = "debug", .key = 128,
848
.doc = "Debug mode", .group = 3 },
849
{ .name = "connect", .key = 'c',
850
.arg = "ADDRESS:PORT",
851
.doc = "Connect directly to a specific Mandos server",
852
.group = 1 },
853
{ .name = "interface", .key = 'i',
854
.arg = "NAME",
855
.doc = "Interface that will be used to search for Mandos"
856
" servers",
857
.group = 1 },
858
{ .name = "seckey", .key = 's',
859
.arg = "FILE",
860
.doc = "OpenPGP secret key file base name",
861
.group = 1 },
862
{ .name = "pubkey", .key = 'p',
863
.arg = "FILE",
864
.doc = "OpenPGP public key file base name",
865
.group = 2 },
866
{ .name = "dh-bits", .key = 129,
867
.arg = "BITS",
868
.doc = "Bit length of the prime number used in the"
869
" Diffie-Hellman key exchange",
870
.group = 2 },
871
{ .name = "priority", .key = 130,
872
.arg = "STRING",
873
.doc = "GnuTLS priority string for the TLS handshake",
874
.group = 1 },
875
{ .name = NULL }
876
};
877
878
error_t parse_opt(int key, char *arg,
879
struct argp_state *state) {
880
switch(key) {
881
case 128: /* --debug */
882
debug = true;
883
break;
884
case 'c': /* --connect */
885
connect_to = arg;
886
break;
887
case 'i': /* --interface */
888
interface = arg;
889
break;
890
case 's': /* --seckey */
891
seckey = arg;
892
break;
893
case 'p': /* --pubkey */
894
pubkey = arg;
895
break;
896
case 129: /* --dh-bits */
897
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
898
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
899
or arg[numchars] != '\0'){
900
fprintf(stderr, "Bad number of DH bits\n");
901
exit(EXIT_FAILURE);
902
}
903
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
904
break;
905
case 130: /* --priority */
906
mc.priority = arg;
907
break;
908
case ARGP_KEY_ARG:
909
argp_usage(state);
910
case ARGP_KEY_END:
911
break;
912
default:
913
return ARGP_ERR_UNKNOWN;
914
}
915
return 0;
916
}
917
918
struct argp argp = { .options = options, .parser = parse_opt,
919
.args_doc = "",
920
.doc = "Mandos client -- Get and decrypt"
921
" passwords from a Mandos server" };
922
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
923
if(ret == ARGP_ERR_UNKNOWN){
924
fprintf(stderr, "Unknown error while parsing arguments\n");
925
exitcode = EXIT_FAILURE;
926
goto end;
927
}
928
}
929
930
/* If the interface is down, bring it up */
931
{
932
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
933
if(sd < 0) {
934
perror("socket");
935
exitcode = EXIT_FAILURE;
936
goto end;
937
}
938
strcpy(network.ifr_name, interface);
939
ret = ioctl(sd, SIOCGIFFLAGS, &network);
940
if(ret == -1){
941
perror("ioctl SIOCGIFFLAGS");
942
exitcode = EXIT_FAILURE;
943
goto end;
944
}
945
if((network.ifr_flags & IFF_UP) == 0){
946
network.ifr_flags |= IFF_UP;
947
ret = ioctl(sd, SIOCSIFFLAGS, &network);
948
if(ret == -1){
949
perror("ioctl SIOCSIFFLAGS");
950
exitcode = EXIT_FAILURE;
951
goto end;
952
}
953
}
954
ret = (int)TEMP_FAILURE_RETRY(close(sd));
955
if(ret == -1){
956
perror("close");
957
}
958
}
959
960
uid = getuid();
961
gid = getgid();
962
963
ret = setuid(uid);
964
if(ret == -1){
965
perror("setuid");
966
}
967
968
setgid(gid);
969
if(ret == -1){
970
perror("setgid");
971
}
972
973
ret = init_gnutls_global(&mc, pubkey, seckey);
974
if(ret == -1){
975
fprintf(stderr, "init_gnutls_global failed\n");
976
exitcode = EXIT_FAILURE;
977
goto end;
978
} else {
979
gnutls_initialized = true;
980
}
981
982
if(mkdtemp(tempdir) == NULL){
983
perror("mkdtemp");
984
tempdir[0] = '\0';
985
goto end;
986
}
987
988
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
989
fprintf(stderr, "init_gpgme failed\n");
990
exitcode = EXIT_FAILURE;
991
goto end;
992
} else {
993
gpgme_initialized = true;
994
}
995
996
if_index = (AvahiIfIndex) if_nametoindex(interface);
997
if(if_index == 0){
998
fprintf(stderr, "No such interface: \"%s\"\n", interface);
999
exit(EXIT_FAILURE);
715
1000
}
716
1001
717
1002
if(connect_to != NULL){
720
1005
char *address = strrchr(connect_to, ':');
721
1006
if(address == NULL){
722
1007
fprintf(stderr, "No colon in address\n");
723
exit(EXIT_FAILURE);
724
}
725
errno = 0;
726
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
727
if(errno){
728
perror("Bad port number");
729
exit(EXIT_FAILURE);
730
}
1008
exitcode = EXIT_FAILURE;
1009
goto end;
1010
}
1011
uint16_t port;
1012
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1013
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1014
or address[numchars+1] != '\0'){
1015
fprintf(stderr, "Bad port number\n");
1016
exitcode = EXIT_FAILURE;
1017
goto end;
1018
}
1019
port = (uint16_t)tmpmax;
731
1020
*address = '\0';
732
1021
address = connect_to;
733
ret = start_mandos_communication(address, port, if_index);
1022
ret = start_mandos_communication(address, port, if_index, &mc);
734
1023
if(ret < 0){
735
exit(EXIT_FAILURE);
1024
exitcode = EXIT_FAILURE;
736
1025
} else {
737
exit(EXIT_SUCCESS);
1026
exitcode = EXIT_SUCCESS;
738
1027
}
739
}
740
741
certkey = combinepath(certdir, certkey);
742
if (certkey == NULL){
743
perror("combinepath");
744
goto exit;
745
}
746
747
if (not debug){
1028
goto end;
1029
}
1030
1031
if(not debug){
748
1032
avahi_set_log_function(empty_log);
749
1033
}
750
1034
751
/* Initialize the psuedo-RNG */
1035
/* Initialize the pseudo-RNG for Avahi */
752
1036
srand((unsigned int) time(NULL));
753
754
/* Allocate main loop object */
755
if (!(simple_poll = avahi_simple_poll_new())) {
756
fprintf(stderr, "Failed to create simple poll object.\n");
757
758
goto exit;
759
}
760
761
/* Do not publish any local records */
762
avahi_server_config_init(&config);
763
config.publish_hinfo = 0;
764
config.publish_addresses = 0;
765
config.publish_workstation = 0;
766
config.publish_domain = 0;
767
768
/* Allocate a new server */
769
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
770
&config, NULL, NULL, &error);
771
772
/* Free the configuration data */
773
avahi_server_config_free(&config);
774
775
/* Check if creating the server object succeeded */
776
if (!server) {
777
fprintf(stderr, "Failed to create server: %s\n",
1037
1038
/* Allocate main Avahi loop object */
1039
mc.simple_poll = avahi_simple_poll_new();
1040
if(mc.simple_poll == NULL) {
1041
fprintf(stderr, "Avahi: Failed to create simple poll"
1042
" object.\n");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
1047
{
1048
AvahiServerConfig config;
1049
/* Do not publish any local Zeroconf records */
1050
avahi_server_config_init(&config);
1051
config.publish_hinfo = 0;
1052
config.publish_addresses = 0;
1053
config.publish_workstation = 0;
1054
config.publish_domain = 0;
1055
1056
/* Allocate a new server */
1057
mc.server = avahi_server_new(avahi_simple_poll_get
1058
(mc.simple_poll), &config, NULL,
1059
NULL, &error);
1060
1061
/* Free the Avahi configuration data */
1062
avahi_server_config_free(&config);
1063
}
1064
1065
/* Check if creating the Avahi server object succeeded */
1066
if(mc.server == NULL) {
1067
fprintf(stderr, "Failed to create Avahi server: %s\n",
778
1068
avahi_strerror(error));
779
returncode = EXIT_FAILURE;
780
goto exit;
1069
exitcode = EXIT_FAILURE;
1070
goto end;
781
1071
}
782
1072
783
/* Create the service browser */
784
sb = avahi_s_service_browser_new(server, if_index,
1073
/* Create the Avahi service browser */
1074
sb = avahi_s_service_browser_new(mc.server, if_index,
785
1075
AVAHI_PROTO_INET6,
786
1076
"_mandos._tcp", NULL, 0,
787
browse_callback, server);
788
if (!sb) {
1077
browse_callback, &mc);
1078
if(sb == NULL) {
789
1079
fprintf(stderr, "Failed to create service browser: %s\n",
790
avahi_strerror(avahi_server_errno(server)));
791
returncode = EXIT_FAILURE;
792
goto exit;
1080
avahi_strerror(avahi_server_errno(mc.server)));
1081
exitcode = EXIT_FAILURE;
1082
goto end;
793
1083
}
794
1084
795
1085
/* Run the main loop */
796
797
if (debug){
798
fprintf(stderr, "Starting avahi loop search\n");
1086
1087
if(debug){
1088
fprintf(stderr, "Starting Avahi loop search\n");
799
1089
}
800
1090
801
avahi_simple_poll_loop(simple_poll);
802
803
exit:
804
805
if (debug){
1091
avahi_simple_poll_loop(mc.simple_poll);
1092
1093
end:
1094
1095
if(debug){
806
1096
fprintf(stderr, "%s exiting\n", argv[0]);
807
1097
}
808
1098
809
1099
/* Cleanup things */
810
if (sb)
1100
if(sb != NULL)
811
1101
avahi_s_service_browser_free(sb);
812
1102
813
if (server)
814
avahi_server_free(server);
815
816
if (simple_poll)
817
avahi_simple_poll_free(simple_poll);
818
free(certfile);
819
free(certkey);
820
821
return returncode;
1103
if(mc.server != NULL)
1104
avahi_server_free(mc.server);
1105
1106
if(mc.simple_poll != NULL)
1107
avahi_simple_poll_free(mc.simple_poll);
1108
1109
if(gnutls_initialized){
1110
gnutls_certificate_free_credentials(mc.cred);
1111
gnutls_global_deinit();
1112
gnutls_dh_params_deinit(mc.dh_params);
1113
}
1114
1115
if(gpgme_initialized){
1116
gpgme_release(mc.ctx);
1117
}
1118
1119
/* Removes the temp directory used by GPGME */
1120
if(tempdir[0] != '\0'){
1121
DIR *d;
1122
struct dirent *direntry;
1123
d = opendir(tempdir);
1124
if(d == NULL){
1125
if(errno != ENOENT){
1126
perror("opendir");
1127
}
1128
} else {
1129
while(true){
1130
direntry = readdir(d);
1131
if(direntry == NULL){
1132
break;
1133
}
1134
/* Skip "." and ".." */
1135
if(direntry->d_name[0] == '.'
1136
and (direntry->d_name[1] == '\0'
1137
or (direntry->d_name[1] == '.'
1138
and direntry->d_name[2] == '\0'))){
1139
continue;
1140
}
1141
char *fullname = NULL;
1142
ret = asprintf(&fullname, "%s/%s", tempdir,
1143
direntry->d_name);
1144
if(ret < 0){
1145
perror("asprintf");
1146
continue;
1147
}
1148
ret = remove(fullname);
1149
if(ret == -1){
1150
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1151
strerror(errno));
1152
}
1153
free(fullname);
1154
}
1155
closedir(d);
1156
}
1157
ret = rmdir(tempdir);
1158
if(ret == -1 and errno != ENOENT){
1159
perror("rmdir");
1160
}
1161
}
1162
1163
return exitcode;
822
1164
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0