/mandos/trunk : revision 287

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-01-27 00:07:26 UTC
Revision ID: teddy@fukt.bsnet.se-20090127000726-4cafcfy35g8kh2b8

* INSTALL (Prerequisites/Mandos Server): Added "PyGObject".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf(),

remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt_long

#include <getopt.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

100

/* GPGME */

101

#include <gpgme.h> /* All GPGME types, constants and

102

functions:

103

gpgme_*

104

GPGME_PROTOCOL_OpenPGP,

105

GPG_ERR_NO_* */

106

107

#define BUFFER_SIZE 256

108

static const char *keydir = "/conf/conf.d/mandos";

static const char *pubkeyfile = "pubkey.txt";

static const char *seckeyfile = "seckey.txt";

109

#define PATHDIR "/conf/conf.d/mandos"

110

#define SECKEY "seckey.txt"

111

#define PUBKEY "pubkey.txt"

112

113

bool debug = false;

114

static const char mandos_protocol_version[] = "1";

115

const char *argp_program_version = "mandos-client " VERSION;

116

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

117

/* Used for passing in values through all the callback functions */

118

/* Used for passing in values through the Avahi callback functions */

119

typedef struct {

120

AvahiSimplePoll *simple_poll;

121

AvahiServer *server;

122

gnutls_certificate_credentials_t cred;

123

unsigned int dh_bits;

124

gnutls_dh_params_t dh_params;

125

const char *priority;

126

gpgme_ctx_t ctx;

127

} mandos_context;

128

129

130

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

131

* "buffer_capacity" is how much is currently allocated,

132

* "buffer_length" is how much is already used.

133

134

size_t adjustbuffer(char **buffer, size_t buffer_length,

135

size_t buffer_capacity){

136

if(buffer_length + BUFFER_SIZE > buffer_capacity){

137

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

138

if(buffer == NULL){

139

return 0;

140

}

141

buffer_capacity += BUFFER_SIZE;

142

}

143

return buffer_capacity;

144

}

145

146

* Decrypt OpenPGP data using keyrings in HOMEDIR.

* Returns -1 on error

147

* Initialize GPGME.

148

static ssize_t pgp_packet_decrypt (const char *cryptotext,

size_t crypto_size,

char **plaintext,

const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

gpgme_ctx_t ctx;

149

static bool init_gpgme(mandos_context *mc, const char *seckey,

150

const char *pubkey, const char *tempdir){

151

int ret;

100

152

gpgme_error_t rc;

101

ssize_t ret;

102

ssize_t plaintext_capacity = 0;

103

ssize_t plaintext_length = 0;

104

153

gpgme_engine_info_t engine_info;

105

154

106

if (debug){

107

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

155

156

157

* Helper function to insert pub and seckey to the enigne keyring.

158

159

bool import_key(const char *filename){

160

int fd;

161

gpgme_data_t pgp_data;

162

163

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

164

if(fd == -1){

165

perror("open");

166

return false;

167

}

168

169

rc = gpgme_data_new_from_fd(&pgp_data, fd);

170

if(rc != GPG_ERR_NO_ERROR){

171

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

172

gpgme_strsource(rc), gpgme_strerror(rc));

173

return false;

174

}

175

176

rc = gpgme_op_import(mc->ctx, pgp_data);

177

if(rc != GPG_ERR_NO_ERROR){

178

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

179

gpgme_strsource(rc), gpgme_strerror(rc));

180

return false;

181

}

182

183

ret = (int)TEMP_FAILURE_RETRY(close(fd));

184

if(ret == -1){

185

perror("close");

186

}

187

gpgme_data_release(pgp_data);

188

return true;

189

}

190

191

if(debug){

192

fprintf(stderr, "Initialize gpgme\n");

108

193

}

109

194

110

195

/* Init GPGME */

111

196

gpgme_check_version(NULL);

112

197

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

113

if (rc != GPG_ERR_NO_ERROR){

198

if(rc != GPG_ERR_NO_ERROR){

114

199

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

115

200

gpgme_strsource(rc), gpgme_strerror(rc));

116

return -1;

201

return false;

117

202

}

118

203

119

/* Set GPGME home directory for the OpenPGP engine only */

120

rc = gpgme_get_engine_info (&engine_info);

121

if (rc != GPG_ERR_NO_ERROR){

204

/* Set GPGME home directory for the OpenPGP engine only */

205

rc = gpgme_get_engine_info(&engine_info);

206

if(rc != GPG_ERR_NO_ERROR){

122

207

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

123

208

gpgme_strsource(rc), gpgme_strerror(rc));

124

return -1;

209

return false;

125

210

}

126

211

while(engine_info != NULL){

127

212

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

128

213

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

129

engine_info->file_name, homedir);

214

engine_info->file_name, tempdir);

130

215

break;

131

216

}

132

217

engine_info = engine_info->next;

133

218

}

134

219

if(engine_info == NULL){

135

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

136

return -1;

220

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

221

return false;

222

}

223

224

/* Create new GPGME "context" */

225

rc = gpgme_new(&(mc->ctx));

226

if(rc != GPG_ERR_NO_ERROR){

227

fprintf(stderr, "bad gpgme_new: %s: %s\n",

228

gpgme_strsource(rc), gpgme_strerror(rc));

229

return false;

230

}

231

232

if(not import_key(pubkey) or not import_key(seckey)){

233

return false;

234

}

235

236

return true;

237

}

238

239

240

* Decrypt OpenPGP data.

241

* Returns -1 on error

242

243

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

244

const char *cryptotext,

245

size_t crypto_size,

246

char **plaintext){

247

gpgme_data_t dh_crypto, dh_plain;

248

gpgme_error_t rc;

249

ssize_t ret;

250

size_t plaintext_capacity = 0;

251

ssize_t plaintext_length = 0;

252

253

if(debug){

254

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

137

255

}

138

256

139

257

/* Create new GPGME data buffer from memory cryptotext */

140

258

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

141

259

0);

142

if (rc != GPG_ERR_NO_ERROR){

260

if(rc != GPG_ERR_NO_ERROR){

143

261

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

144

262

gpgme_strsource(rc), gpgme_strerror(rc));

145

263

return -1;

147

265

148

266

/* Create new empty GPGME data buffer for the plaintext */

149

267

rc = gpgme_data_new(&dh_plain);

150

if (rc != GPG_ERR_NO_ERROR){

268

if(rc != GPG_ERR_NO_ERROR){

151

269

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

152

270

gpgme_strsource(rc), gpgme_strerror(rc));

153

271

gpgme_data_release(dh_crypto);

154

272

return -1;

155

273

}

156

274

157

/* Create new GPGME "context" */

158

rc = gpgme_new(&ctx);

159

if (rc != GPG_ERR_NO_ERROR){

160

fprintf(stderr, "bad gpgme_new: %s: %s\n",

161

gpgme_strsource(rc), gpgme_strerror(rc));

162

plaintext_length = -1;

163

goto decrypt_end;

164

}

165

166

275

/* Decrypt data from the cryptotext data buffer to the plaintext

167

276

data buffer */

168

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

169

if (rc != GPG_ERR_NO_ERROR){

277

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

278

if(rc != GPG_ERR_NO_ERROR){

170

279

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

171

280

gpgme_strsource(rc), gpgme_strerror(rc));

172

281

plaintext_length = -1;

282

if(debug){

283

gpgme_decrypt_result_t result;

284

result = gpgme_op_decrypt_result(mc->ctx);

285

if(result == NULL){

286

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

287

} else {

288

fprintf(stderr, "Unsupported algorithm: %s\n",

289

result->unsupported_algorithm);

290

fprintf(stderr, "Wrong key usage: %u\n",

291

result->wrong_key_usage);

292

if(result->file_name != NULL){

293

fprintf(stderr, "File name: %s\n", result->file_name);

294

}

295

gpgme_recipient_t recipient;

296

recipient = result->recipients;

297

if(recipient){

298

while(recipient != NULL){

299

fprintf(stderr, "Public key algorithm: %s\n",

300

gpgme_pubkey_algo_name(recipient->pubkey_algo));

301

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

302

fprintf(stderr, "Secret key available: %s\n",

303

recipient->status == GPG_ERR_NO_SECKEY

304

? "No" : "Yes");

305

recipient = recipient->next;

306

}

307

}

308

}

309

}

173

310

goto decrypt_end;

174

311

}

175

312

177

314

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

178

315

}

179

316

180

if (debug){

181

gpgme_decrypt_result_t result;

182

result = gpgme_op_decrypt_result(ctx);

183

if (result == NULL){

184

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

185

} else {

186

fprintf(stderr, "Unsupported algorithm: %s\n",

187

result->unsupported_algorithm);

188

fprintf(stderr, "Wrong key usage: %d\n",

189

result->wrong_key_usage);

190

if(result->file_name != NULL){

191

fprintf(stderr, "File name: %s\n", result->file_name);

192

}

193

gpgme_recipient_t recipient;

194

recipient = result->recipients;

195

if(recipient){

196

while(recipient != NULL){

197

fprintf(stderr, "Public key algorithm: %s\n",

198

gpgme_pubkey_algo_name(recipient->pubkey_algo));

199

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

200

fprintf(stderr, "Secret key available: %s\n",

201

recipient->status == GPG_ERR_NO_SECKEY

202

? "No" : "Yes");

203

recipient = recipient->next;

204

}

205

}

206

}

207

}

208

209

317

/* Seek back to the beginning of the GPGME plaintext data buffer */

210

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

211

perror("pgpme_data_seek");

318

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

319

perror("gpgme_data_seek");

212

320

plaintext_length = -1;

213

321

goto decrypt_end;

214

322

}

215

323

216

324

*plaintext = NULL;

217

325

while(true){

218

if (plaintext_length + BUFFER_SIZE > plaintext_capacity){

219

*plaintext = realloc(*plaintext,

220

(unsigned int)plaintext_capacity

221

+ BUFFER_SIZE);

222

if (*plaintext == NULL){

223

perror("realloc");

326

plaintext_capacity = adjustbuffer(plaintext,

327

(size_t)plaintext_length,

328

plaintext_capacity);

329

if(plaintext_capacity == 0){

330

perror("adjustbuffer");

224

331

plaintext_length = -1;

225

332

goto decrypt_end;

226

}

227

plaintext_capacity += BUFFER_SIZE;

228

333

}

229

334

230

335

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

231

336

BUFFER_SIZE);

232

337

/* Print the data, if any */

233

if (ret == 0){

338

if(ret == 0){

234

339

/* EOF */

235

340

break;

236

341

}

241

346

}

242

347

plaintext_length += ret;

243

348

}

244

349

245

350

if(debug){

246

351

fprintf(stderr, "Decrypted password is: ");

247

for(size_t i = 0; i < plaintext_length; i++){

352

for(ssize_t i = 0; i < plaintext_length; i++){

248

353

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

249

354

}

250

355

fprintf(stderr, "\n");

260

365

return plaintext_length;

261

366

}

262

367

263

static const char * safer_gnutls_strerror (int value) {

264

const char *ret = gnutls_strerror (value);

265

if (ret == NULL)

368

static const char * safer_gnutls_strerror(int value) {

369

const char *ret = gnutls_strerror(value); /* Spurious warning from

370

-Wunreachable-code */

371

if(ret == NULL)

266

372

ret = "(unknown)";

267

373

return ret;

268

374

}

269

375

376

/* GnuTLS log function callback */

270

377

static void debuggnutls(__attribute__((unused)) int level,

271

378

const char* string){

272

fprintf(stderr, "%s", string);

379

fprintf(stderr, "GnuTLS: %s", string);

273

380

}

274

381

275

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

276

gnutls_dh_params_t *dh_params){

277

const char *err;

382

static int init_gnutls_global(mandos_context *mc,

383

const char *pubkeyfilename,

384

const char *seckeyfilename){

278

385

int ret;

279

386

280

387

if(debug){

281

388

fprintf(stderr, "Initializing GnuTLS\n");

282

389

}

283

284

if ((ret = gnutls_global_init ())

285

!= GNUTLS_E_SUCCESS) {

286

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

390

391

ret = gnutls_global_init();

392

if(ret != GNUTLS_E_SUCCESS) {

393

fprintf(stderr, "GnuTLS global_init: %s\n",

394

safer_gnutls_strerror(ret));

287

395

return -1;

288

396

}

289

397

290

if (debug){

398

if(debug){

399

/* "Use a log level over 10 to enable all debugging options."

400

* - GnuTLS manual

401

291

402

gnutls_global_set_log_level(11);

292

403

gnutls_global_set_log_function(debuggnutls);

293

404

}

294

405

295

/* openpgp credentials */

296

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

297

!= GNUTLS_E_SUCCESS) {

298

fprintf (stderr, "memory error: %s\n",

299

safer_gnutls_strerror(ret));

406

/* OpenPGP credentials */

407

gnutls_certificate_allocate_credentials(&mc->cred);

408

if(ret != GNUTLS_E_SUCCESS){

409

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

410

* from

411

* -Wunreachable-code

412

413

safer_gnutls_strerror(ret));

414

gnutls_global_deinit();

300

415

return -1;

301

416

}

302

417

303

418

if(debug){

304

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

305

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

306

seckeyfile);

419

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

420

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

421

seckeyfilename);

307

422

}

308

423

309

424

ret = gnutls_certificate_set_openpgp_key_file

310

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

311

if (ret != GNUTLS_E_SUCCESS) {

312

fprintf

313

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

314

" '%s')\n",

315

ret, pubkeyfile, seckeyfile);

316

fprintf(stdout, "The Error is: %s\n",

317

safer_gnutls_strerror(ret));

318

return -1;

319

}

320

321

//GnuTLS server initialization

322

if ((ret = gnutls_dh_params_init(dh_params))

323

!= GNUTLS_E_SUCCESS) {

324

fprintf (stderr, "Error in dh parameter initialization: %s\n",

325

safer_gnutls_strerror(ret));

326

return -1;

327

}

328

329

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

330

!= GNUTLS_E_SUCCESS) {

331

fprintf (stderr, "Error in prime generation: %s\n",

332

safer_gnutls_strerror(ret));

333

return -1;

334

}

335

336

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

337

338

// GnuTLS session creation

339

if ((ret = gnutls_init(session, GNUTLS_SERVER))

340

!= GNUTLS_E_SUCCESS){

425

(mc->cred, pubkeyfilename, seckeyfilename,

426

GNUTLS_OPENPGP_FMT_BASE64);

427

if(ret != GNUTLS_E_SUCCESS) {

428

fprintf(stderr,

429

"Error[%d] while reading the OpenPGP key pair ('%s',"

430

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

431

fprintf(stderr, "The GnuTLS error is: %s\n",

432

safer_gnutls_strerror(ret));

433

goto globalfail;

434

}

435

436

/* GnuTLS server initialization */

437

ret = gnutls_dh_params_init(&mc->dh_params);

438

if(ret != GNUTLS_E_SUCCESS) {

439

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

440

" %s\n", safer_gnutls_strerror(ret));

441

goto globalfail;

442

}

443

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

444

if(ret != GNUTLS_E_SUCCESS) {

445

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

446

safer_gnutls_strerror(ret));

447

goto globalfail;

448

}

449

450

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

451

452

return 0;

453

454

globalfail:

455

456

gnutls_certificate_free_credentials(mc->cred);

457

gnutls_global_deinit();

458

gnutls_dh_params_deinit(mc->dh_params);

459

return -1;

460

}

461

462

static int init_gnutls_session(mandos_context *mc,

463

gnutls_session_t *session){

464

int ret;

465

/* GnuTLS session creation */

466

ret = gnutls_init(session, GNUTLS_SERVER);

467

if(ret != GNUTLS_E_SUCCESS){

341

468

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

342

469

safer_gnutls_strerror(ret));

343

470

}

344

471

345

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

346

!= GNUTLS_E_SUCCESS) {

347

fprintf(stderr, "Syntax error at: %s\n", err);

348

fprintf(stderr, "GnuTLS error: %s\n",

349

safer_gnutls_strerror(ret));

350

return -1;

472

{

473

const char *err;

474

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

475

if(ret != GNUTLS_E_SUCCESS) {

476

fprintf(stderr, "Syntax error at: %s\n", err);

477

fprintf(stderr, "GnuTLS error: %s\n",

478

safer_gnutls_strerror(ret));

479

gnutls_deinit(*session);

480

return -1;

481

}

351

482

}

352

483

353

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

354

mc->cred))

355

!= GNUTLS_E_SUCCESS) {

356

fprintf(stderr, "Error setting a credentials set: %s\n",

484

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

485

mc->cred);

486

if(ret != GNUTLS_E_SUCCESS) {

487

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

357

488

safer_gnutls_strerror(ret));

489

gnutls_deinit(*session);

358

490

return -1;

359

491

}

360

492

361

493

/* ignore client certificate if any. */

362

gnutls_certificate_server_set_request (*session,

363

GNUTLS_CERT_IGNORE);

494

gnutls_certificate_server_set_request(*session,

495

GNUTLS_CERT_IGNORE);

364

496

365

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

497

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

366

498

367

499

return 0;

368

500

}

369

501

502

/* Avahi log function callback */

370

503

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

371

504

__attribute__((unused)) const char *txt){}

372

505

506

/* Called when a Mandos server is found */

373

507

static int start_mandos_communication(const char *ip, uint16_t port,

374

508

AvahiIfIndex if_index,

375

509

mandos_context *mc){

376

510

int ret, tcp_sd;

377

struct sockaddr_in6 to;

511

ssize_t sret;

512

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

378

513

char *buffer = NULL;

379

514

char *decrypted_buffer;

380

515

size_t buffer_length = 0;

381

516

size_t buffer_capacity = 0;

382

517

ssize_t decrypted_buffer_size;

383

size_t written = 0;

518

size_t written;

384

519

int retval = 0;

385

520

char interface[IF_NAMESIZE];

386

521

gnutls_session_t session;

387

gnutls_dh_params_t dh_params;

522

523

ret = init_gnutls_session(mc, &session);

524

if(ret != 0){

525

return -1;

526

}

388

527

389

528

if(debug){

390

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

391

ip, port);

529

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

530

"\n", ip, port);

392

531

}

393

532

394

533

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

396

535

perror("socket");

397

536

return -1;

398

537

}

399

538

400

539

if(debug){

401

540

if(if_indextoname((unsigned int)if_index, interface) == NULL){

402

541

perror("if_indextoname");

405

544

fprintf(stderr, "Binding to interface %s\n", interface);

406

545

}

407

546

408

memset(&to,0,sizeof(to)); /* Spurious warning */

409

to.sin6_family = AF_INET6;

410

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

411

if (ret < 0 ){

547

memset(&to, 0, sizeof(to));

548

to.in6.sin6_family = AF_INET6;

549

/* It would be nice to have a way to detect if we were passed an

550

IPv4 address here. Now we assume an IPv6 address. */

551

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

552

if(ret < 0 ){

412

553

perror("inet_pton");

413

554

return -1;

414

555

}

416

557

fprintf(stderr, "Bad address: %s\n", ip);

417

558

return -1;

418

559

}

419

to.sin6_port = htons(port); /* Spurious warning */

560

to.in6.sin6_port = htons(port); /* Spurious warnings from

561

-Wconversion and

562

-Wunreachable-code */

420

563

421

to.sin6_scope_id = (uint32_t)if_index;

564

to.in6.sin6_scope_id = (uint32_t)if_index;

422

565

423

566

if(debug){

424

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

567

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

568

port);

425

569

char addrstr[INET6_ADDRSTRLEN] = "";

426

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

570

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

427

571

sizeof(addrstr)) == NULL){

428

572

perror("inet_ntop");

429

573

} else {

433

577

}

434

578

}

435

579

436

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

437

if (ret < 0){

580

ret = connect(tcp_sd, &to.in, sizeof(to));

581

if(ret < 0){

438

582

perror("connect");

439

583

return -1;

440

584

}

441

585

442

ret = initgnutls (mc, &session, &dh_params);

443

if (ret != 0){

444

retval = -1;

445

return -1;

586

const char *out = mandos_protocol_version;

587

written = 0;

588

while(true){

589

size_t out_size = strlen(out);

590

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

591

out_size - written));

592

if(ret == -1){

593

perror("write");

594

retval = -1;

595

goto mandos_end;

596

}

597

written += (size_t)ret;

598

if(written < out_size){

599

continue;

600

} else {

601

if(out == mandos_protocol_version){

602

written = 0;

603

out = "\r\n";

604

} else {

605

break;

606

}

607

}

446

608

}

447

609

448

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

449

450

610

if(debug){

451

611

fprintf(stderr, "Establishing TLS session with %s\n", ip);

452

612

}

453

613

454

ret = gnutls_handshake (session);

455

456

if (ret != GNUTLS_E_SUCCESS){

614

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

615

616

do{

617

ret = gnutls_handshake(session);

618

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

619

620

if(ret != GNUTLS_E_SUCCESS){

457

621

if(debug){

458

fprintf(stderr, "\n*** Handshake failed ***\n");

459

gnutls_perror (ret);

622

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

623

gnutls_perror(ret);

460

624

}

461

625

retval = -1;

462

goto exit;

626

goto mandos_end;

463

627

}

464

628

465

//Retrieve OpenPGP packet that contains the wanted password

629

/* Read OpenPGP packet that contains the wanted password */

466

630

467

631

if(debug){

468

632

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

469

633

ip);

470

634

}

471

635

472

636

while(true){

473

if (buffer_length + BUFFER_SIZE > buffer_capacity){

474

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

475

if (buffer == NULL){

476

perror("realloc");

477

goto exit;

478

}

479

buffer_capacity += BUFFER_SIZE;

637

buffer_capacity = adjustbuffer(&buffer, buffer_length,

638

buffer_capacity);

639

if(buffer_capacity == 0){

640

perror("adjustbuffer");

641

retval = -1;

642

goto mandos_end;

480

643

}

481

644

482

ret = gnutls_record_recv(session, buffer+buffer_length,

483

BUFFER_SIZE);

484

if (ret == 0){

645

sret = gnutls_record_recv(session, buffer+buffer_length,

646

BUFFER_SIZE);

647

if(sret == 0){

485

648

break;

486

649

}

487

if (ret < 0){

488

switch(ret){

650

if(sret < 0){

651

switch(sret){

489

652

case GNUTLS_E_INTERRUPTED:

490

653

case GNUTLS_E_AGAIN:

491

654

break;

492

655

case GNUTLS_E_REHANDSHAKE:

493

ret = gnutls_handshake (session);

494

if (ret < 0){

495

fprintf(stderr, "\n*** Handshake failed ***\n");

496

gnutls_perror (ret);

656

do{

657

ret = gnutls_handshake(session);

658

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

659

if(ret < 0){

660

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

661

gnutls_perror(ret);

497

662

retval = -1;

498

goto exit;

663

goto mandos_end;

499

664

}

500

665

break;

501

666

default:

502

667

fprintf(stderr, "Unknown error while reading data from"

503

" encrypted session with mandos server\n");

668

" encrypted session with Mandos server\n");

504

669

retval = -1;

505

gnutls_bye (session, GNUTLS_SHUT_RDWR);

506

goto exit;

670

gnutls_bye(session, GNUTLS_SHUT_RDWR);

671

goto mandos_end;

507

672

}

508

673

} else {

509

buffer_length += (size_t) ret;

674

buffer_length += (size_t) sret;

510

675

}

511

676

}

512

677

513

if (buffer_length > 0){

514

decrypted_buffer_size = pgp_packet_decrypt(buffer,

678

if(debug){

679

fprintf(stderr, "Closing TLS session\n");

680

}

681

682

gnutls_bye(session, GNUTLS_SHUT_RDWR);

683

684

if(buffer_length > 0){

685

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

515

686

buffer_length,

516

&decrypted_buffer,

517

keydir);

518

if (decrypted_buffer_size >= 0){

687

&decrypted_buffer);

688

if(decrypted_buffer_size >= 0){

689

written = 0;

519

690

while(written < (size_t) decrypted_buffer_size){

520

ret = (int)fwrite (decrypted_buffer + written, 1,

521

(size_t)decrypted_buffer_size - written,

522

stdout);

691

ret = (int)fwrite(decrypted_buffer + written, 1,

692

(size_t)decrypted_buffer_size - written,

693

stdout);

523

694

if(ret == 0 and ferror(stdout)){

524

695

if(debug){

525

696

fprintf(stderr, "Error writing encrypted data: %s\n",

534

705

} else {

535

706

retval = -1;

536

707

}

537

}

538

539

//shutdown procedure

540

541

if(debug){

542

fprintf(stderr, "Closing TLS session\n");

543

}

544

708

} else {

709

retval = -1;

710

}

711

712

/* Shutdown procedure */

713

714

mandos_end:

545

715

free(buffer);

546

gnutls_bye (session, GNUTLS_SHUT_RDWR);

547

exit:

548

close(tcp_sd);

549

gnutls_deinit (session);

550

gnutls_certificate_free_credentials (mc->cred);

551

gnutls_global_deinit ();

716

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

717

if(ret == -1){

718

perror("close");

719

}

720

gnutls_deinit(session);

552

721

return retval;

553

722

}

554

723

567

736

flags,

568

737

void* userdata) {

569

738

mandos_context *mc = userdata;

570

assert(r); /* Spurious warning */

739

assert(r);

571

740

572

741

/* Called whenever a service has been resolved successfully or

573

742

timed out */

574

743

575

switch (event) {

744

switch(event) {

576

745

default:

577

746

case AVAHI_RESOLVER_FAILURE:

578

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

579

" type '%s' in domain '%s': %s\n", name, type, domain,

747

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

748

" of type '%s' in domain '%s': %s\n", name, type, domain,

580

749

avahi_strerror(avahi_server_errno(mc->server)));

581

750

break;

582

751

585

754

char ip[AVAHI_ADDRESS_STR_MAX];

586

755

avahi_address_snprint(ip, sizeof(ip), address);

587

756

if(debug){

588

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

589

" port %d\n", name, host_name, ip, port);

757

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

758

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

759

ip, (intmax_t)interface, port);

590

760

}

591

761

int ret = start_mandos_communication(ip, port, interface, mc);

592

if (ret == 0){

593

exit(EXIT_SUCCESS);

762

if(ret == 0){

763

avahi_simple_poll_quit(mc->simple_poll);

594

764

}

595

765

}

596

766

}

608

778

flags,

609

779

void* userdata) {

610

780

mandos_context *mc = userdata;

611

assert(b); /* Spurious warning */

781

assert(b);

612

782

613

783

/* Called whenever a new services becomes available on the LAN or

614

784

is removed from the LAN */

615

785

616

switch (event) {

786

switch(event) {

617

787

default:

618

788

case AVAHI_BROWSER_FAILURE:

619

789

620

fprintf(stderr, "(Browser) %s\n",

790

fprintf(stderr, "(Avahi browser) %s\n",

621

791

avahi_strerror(avahi_server_errno(mc->server)));

622

792

avahi_simple_poll_quit(mc->simple_poll);

623

793

return;

624

794

625

795

case AVAHI_BROWSER_NEW:

626

/* We ignore the returned resolver object. In the callback

627

function we free it. If the server is terminated before

628

the callback function is called the server will free

629

the resolver for us. */

796

/* We ignore the returned Avahi resolver object. In the callback

797

function we free it. If the Avahi server is terminated before

798

the callback function is called the Avahi server will free the

799

resolver for us. */

630

800

631

if (!(avahi_s_service_resolver_new(mc->server, interface,

801

if(!(avahi_s_service_resolver_new(mc->server, interface,

632

802

protocol, name, type, domain,

633

803

AVAHI_PROTO_INET6, 0,

634

804

resolve_callback, mc)))

635

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

636

avahi_strerror(avahi_server_errno(mc->server)));

805

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

806

name, avahi_strerror(avahi_server_errno(mc->server)));

637

807

break;

638

808

639

809

case AVAHI_BROWSER_REMOVE:

641

811

642

812

case AVAHI_BROWSER_ALL_FOR_NOW:

643

813

case AVAHI_BROWSER_CACHE_EXHAUSTED:

814

if(debug){

815

fprintf(stderr, "No Mandos server found, still searching...\n");

816

}

644

817

break;

645

818

}

646

819

}

647

820

648

/* Combines file name and path and returns the malloced new

649

string. some sane checks could/should be added */

650

static const char *combinepath(const char *first, const char *second){

651

size_t f_len = strlen(first);

652

size_t s_len = strlen(second);

653

char *tmp = malloc(f_len + s_len + 2);

654

if (tmp == NULL){

655

return NULL;

656

}

657

if(f_len > 0){

658

memcpy(tmp, first, f_len); /* Spurious warning */

659

}

660

tmp[f_len] = '/';

661

if(s_len > 0){

662

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

663

}

664

tmp[f_len + 1 + s_len] = '\0';

665

return tmp;

666

}

667

668

669

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

670

AvahiServerConfig config;

821

int main(int argc, char *argv[]){

671

822

AvahiSServiceBrowser *sb = NULL;

672

823

int error;

673

824

int ret;

674

int debug_int;

675

int returncode = EXIT_SUCCESS;

825

intmax_t tmpmax;

826

int numchars;

827

int exitcode = EXIT_SUCCESS;

676

828

const char *interface = "eth0";

677

829

struct ifreq network;

678

830

int sd;

831

uid_t uid;

832

gid_t gid;

679

833

char *connect_to = NULL;

834

char tempdir[] = "/tmp/mandosXXXXXX";

680

835

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

836

const char *seckey = PATHDIR "/" SECKEY;

837

const char *pubkey = PATHDIR "/" PUBKEY;

838

681

839

mandos_context mc = { .simple_poll = NULL, .server = NULL,

682

.dh_bits = 1024, .priority = "SECURE256"};

683

684

debug_int = debug ? 1 : 0;

685

while (true){

686

struct option long_options[] = {

687

{"debug", no_argument, &debug_int, 1},

688

{"connect", required_argument, NULL, 'c'},

689

{"interface", required_argument, NULL, 'i'},

690

{"keydir", required_argument, NULL, 'd'},

691

{"seckey", required_argument, NULL, 's'},

692

{"pubkey", required_argument, NULL, 'p'},

693

{"dh-bits", required_argument, NULL, 'D'},

694

{"priority", required_argument, NULL, 'P'},

695

{0, 0, 0, 0} };

696

697

int option_index = 0;

698

ret = getopt_long (argc, argv, "i:", long_options,

699

&option_index);

700

701

if (ret == -1){

702

break;

703

}

704

705

switch(ret){

706

case 0:

707

break;

708

case 'i':

709

interface = optarg;

710

break;

711

case 'c':

712

connect_to = optarg;

713

break;

714

case 'd':

715

keydir = optarg;

716

break;

717

case 'p':

718

pubkeyfile = optarg;

719

break;

720

case 's':

721

seckeyfile = optarg;

722

break;

723

case 'D':

724

errno = 0;

725

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

726

if (errno){

727

perror("strtol");

728

exit(EXIT_FAILURE);

729

}

730

break;

731

case 'P':

732

mc.priority = optarg;

733

break;

734

case '?':

735

default:

736

exit(EXIT_FAILURE);

737

}

738

}

739

debug = debug_int ? true : false;

740

741

pubkeyfile = combinepath(keydir, pubkeyfile);

742

if (pubkeyfile == NULL){

743

perror("combinepath");

744

returncode = EXIT_FAILURE;

745

goto exit;

746

}

747

748

seckeyfile = combinepath(keydir, seckeyfile);

749

if (seckeyfile == NULL){

750

perror("combinepath");

751

goto exit;

840

.dh_bits = 1024, .priority = "SECURE256"

841

":!CTYPE-X.509:+CTYPE-OPENPGP" };

842

bool gnutls_initialized = false;

843

bool gpgme_initialized = false;

844

845

{

846

struct argp_option options[] = {

847

{ .name = "debug", .key = 128,

848

.doc = "Debug mode", .group = 3 },

849

{ .name = "connect", .key = 'c',

850

.arg = "ADDRESS:PORT",

851

.doc = "Connect directly to a specific Mandos server",

852

.group = 1 },

853

{ .name = "interface", .key = 'i',

854

.arg = "NAME",

855

.doc = "Interface that will be used to search for Mandos"

856

" servers",

857

.group = 1 },

858

{ .name = "seckey", .key = 's',

859

.arg = "FILE",

860

.doc = "OpenPGP secret key file base name",

861

.group = 1 },

862

{ .name = "pubkey", .key = 'p',

863

.arg = "FILE",

864

.doc = "OpenPGP public key file base name",

865

.group = 2 },

866

{ .name = "dh-bits", .key = 129,

867

.arg = "BITS",

868

.doc = "Bit length of the prime number used in the"

869

" Diffie-Hellman key exchange",

870

.group = 2 },

871

{ .name = "priority", .key = 130,

872

.arg = "STRING",

873

.doc = "GnuTLS priority string for the TLS handshake",

874

.group = 1 },

875

{ .name = NULL }

876

};

877

878

error_t parse_opt(int key, char *arg,

879

struct argp_state *state) {

880

switch(key) {

881

case 128: /* --debug */

882

debug = true;

883

break;

884

case 'c': /* --connect */

885

connect_to = arg;

886

break;

887

case 'i': /* --interface */

888

interface = arg;

889

break;

890

case 's': /* --seckey */

891

seckey = arg;

892

break;

893

case 'p': /* --pubkey */

894

pubkey = arg;

895

break;

896

case 129: /* --dh-bits */

897

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

898

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

899

or arg[numchars] != '\0'){

900

fprintf(stderr, "Bad number of DH bits\n");

901

exit(EXIT_FAILURE);

902

}

903

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

904

break;

905

case 130: /* --priority */

906

mc.priority = arg;

907

break;

908

case ARGP_KEY_ARG:

909

argp_usage(state);

910

case ARGP_KEY_END:

911

break;

912

default:

913

return ARGP_ERR_UNKNOWN;

914

}

915

return 0;

916

}

917

918

struct argp argp = { .options = options, .parser = parse_opt,

919

.args_doc = "",

920

.doc = "Mandos client -- Get and decrypt"

921

" passwords from a Mandos server" };

922

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

923

if(ret == ARGP_ERR_UNKNOWN){

924

fprintf(stderr, "Unknown error while parsing arguments\n");

925

exitcode = EXIT_FAILURE;

926

goto end;

927

}

928

}

929

930

/* If the interface is down, bring it up */

931

{

932

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

933

if(sd < 0) {

934

perror("socket");

935

exitcode = EXIT_FAILURE;

936

goto end;

937

}

938

strcpy(network.ifr_name, interface);

939

ret = ioctl(sd, SIOCGIFFLAGS, &network);

940

if(ret == -1){

941

perror("ioctl SIOCGIFFLAGS");

942

exitcode = EXIT_FAILURE;

943

goto end;

944

}

945

if((network.ifr_flags & IFF_UP) == 0){

946

network.ifr_flags |= IFF_UP;

947

ret = ioctl(sd, SIOCSIFFLAGS, &network);

948

if(ret == -1){

949

perror("ioctl SIOCSIFFLAGS");

950

exitcode = EXIT_FAILURE;

951

goto end;

952

}

953

}

954

ret = (int)TEMP_FAILURE_RETRY(close(sd));

955

if(ret == -1){

956

perror("close");

957

}

958

}

959

960

uid = getuid();

961

gid = getgid();

962

963

ret = setuid(uid);

964

if(ret == -1){

965

perror("setuid");

966

}

967

968

setgid(gid);

969

if(ret == -1){

970

perror("setgid");

971

}

972

973

ret = init_gnutls_global(&mc, pubkey, seckey);

974

if(ret == -1){

975

fprintf(stderr, "init_gnutls_global failed\n");

976

exitcode = EXIT_FAILURE;

977

goto end;

978

} else {

979

gnutls_initialized = true;

980

}

981

982

if(mkdtemp(tempdir) == NULL){

983

perror("mkdtemp");

984

tempdir[0] = '\0';

985

goto end;

986

}

987

988

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

989

fprintf(stderr, "init_gpgme failed\n");

990

exitcode = EXIT_FAILURE;

991

goto end;

992

} else {

993

gpgme_initialized = true;

752

994

}

753

995

754

996

if_index = (AvahiIfIndex) if_nametoindex(interface);

763

1005

char *address = strrchr(connect_to, ':');

764

1006

if(address == NULL){

765

1007

fprintf(stderr, "No colon in address\n");

766

exit(EXIT_FAILURE);

767

}

768

errno = 0;

769

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

770

if(errno){

771

perror("Bad port number");

772

exit(EXIT_FAILURE);

773

}

1008

exitcode = EXIT_FAILURE;

1009

goto end;

1010

}

1011

uint16_t port;

1012

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1013

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1014

or address[numchars+1] != '\0'){

1015

fprintf(stderr, "Bad port number\n");

1016

exitcode = EXIT_FAILURE;

1017

goto end;

1018

}

1019

port = (uint16_t)tmpmax;

774

1020

*address = '\0';

775

1021

address = connect_to;

776

1022

ret = start_mandos_communication(address, port, if_index, &mc);

777

1023

if(ret < 0){

778

exit(EXIT_FAILURE);

1024

exitcode = EXIT_FAILURE;

779

1025

} else {

780

exit(EXIT_SUCCESS);

781

}

782

}

783

784

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

785

if(sd < 0) {

786

perror("socket");

787

returncode = EXIT_FAILURE;

788

goto exit;

789

}

790

strcpy(network.ifr_name, interface); /* Spurious warning */

791

ret = ioctl(sd, SIOCGIFFLAGS, &network);

792

if(ret == -1){

793

794

perror("ioctl SIOCGIFFLAGS");

795

returncode = EXIT_FAILURE;

796

goto exit;

797

}

798

if((network.ifr_flags & IFF_UP) == 0){

799

network.ifr_flags |= IFF_UP;

800

ret = ioctl(sd, SIOCSIFFLAGS, &network);

801

if(ret == -1){

802

perror("ioctl SIOCSIFFLAGS");

803

returncode = EXIT_FAILURE;

804

goto exit;

805

}

806

}

807

close(sd);

808

809

if (not debug){

1026

exitcode = EXIT_SUCCESS;

1027

}

1028

goto end;

1029

}

1030

1031

if(not debug){

810

1032

avahi_set_log_function(empty_log);

811

1033

}

812

1034

813

/* Initialize the psuedo-RNG */

1035

/* Initialize the pseudo-RNG for Avahi */

814

1036

srand((unsigned int) time(NULL));

815

816

/* Allocate main loop object */

817

if (!(mc.simple_poll = avahi_simple_poll_new())) {

818

fprintf(stderr, "Failed to create simple poll object.\n");

819

returncode = EXIT_FAILURE;

820

goto exit;

821

}

822

823

/* Do not publish any local records */

824

avahi_server_config_init(&config);

825

config.publish_hinfo = 0;

826

config.publish_addresses = 0;

827

config.publish_workstation = 0;

828

config.publish_domain = 0;

829

830

/* Allocate a new server */

831

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

832

&config, NULL, NULL, &error);

833

834

/* Free the configuration data */

835

avahi_server_config_free(&config);

836

837

/* Check if creating the server object succeeded */

838

if (!mc.server) {

839

fprintf(stderr, "Failed to create server: %s\n",

1037

1038

/* Allocate main Avahi loop object */

1039

mc.simple_poll = avahi_simple_poll_new();

1040

if(mc.simple_poll == NULL) {

1041

fprintf(stderr, "Avahi: Failed to create simple poll"

1042

" object.\n");

1043

exitcode = EXIT_FAILURE;

1044

goto end;

1045

}

1046

1047

{

1048

AvahiServerConfig config;

1049

/* Do not publish any local Zeroconf records */

1050

avahi_server_config_init(&config);

1051

config.publish_hinfo = 0;

1052

config.publish_addresses = 0;

1053

config.publish_workstation = 0;

1054

config.publish_domain = 0;

1055

1056

/* Allocate a new server */

1057

mc.server = avahi_server_new(avahi_simple_poll_get

1058

(mc.simple_poll), &config, NULL,

1059

NULL, &error);

1060

1061

/* Free the Avahi configuration data */

1062

avahi_server_config_free(&config);

1063

}

1064

1065

/* Check if creating the Avahi server object succeeded */

1066

if(mc.server == NULL) {

1067

fprintf(stderr, "Failed to create Avahi server: %s\n",

840

1068

avahi_strerror(error));

841

returncode = EXIT_FAILURE;

842

goto exit;

1069

exitcode = EXIT_FAILURE;

1070

goto end;

843

1071

}

844

1072

845

/* Create the service browser */

1073

/* Create the Avahi service browser */

846

1074

sb = avahi_s_service_browser_new(mc.server, if_index,

847

1075

AVAHI_PROTO_INET6,

848

1076

"_mandos._tcp", NULL, 0,

849

1077

browse_callback, &mc);

850

if (!sb) {

1078

if(sb == NULL) {

851

1079

fprintf(stderr, "Failed to create service browser: %s\n",

852

1080

avahi_strerror(avahi_server_errno(mc.server)));

853

returncode = EXIT_FAILURE;

854

goto exit;

1081

exitcode = EXIT_FAILURE;

1082

goto end;

855

1083

}

856

1084

857

1085

/* Run the main loop */

858

859

if (debug){

860

fprintf(stderr, "Starting avahi loop search\n");

1086

1087

if(debug){

1088

fprintf(stderr, "Starting Avahi loop search\n");

861

1089

}

862

1090

863

1091

avahi_simple_poll_loop(mc.simple_poll);

864

1092

865

exit:

866

867

if (debug){

1093

end:

1094

1095

if(debug){

868

1096

fprintf(stderr, "%s exiting\n", argv[0]);

869

1097

}

870

1098

871

1099

/* Cleanup things */

872

if (sb)

1100

if(sb != NULL)

873

1101

avahi_s_service_browser_free(sb);

874

1102

875

if (mc.server)

1103

if(mc.server != NULL)

876

1104

avahi_server_free(mc.server);

877

878

if (mc.simple_poll)

1105

1106

if(mc.simple_poll != NULL)

879

1107

avahi_simple_poll_free(mc.simple_poll);

880

free(pubkeyfile);

881

free(seckeyfile);

882

883

return returncode;

1108

1109

if(gnutls_initialized){

1110

gnutls_certificate_free_credentials(mc.cred);

1111

gnutls_global_deinit();

1112

gnutls_dh_params_deinit(mc.dh_params);

1113

}

1114

1115

if(gpgme_initialized){

1116

gpgme_release(mc.ctx);

1117

}

1118

1119

/* Removes the temp directory used by GPGME */

1120

if(tempdir[0] != '\0'){

1121

DIR *d;

1122

struct dirent *direntry;

1123

d = opendir(tempdir);

1124

if(d == NULL){

1125

if(errno != ENOENT){

1126

perror("opendir");

1127

}

1128

} else {

1129

while(true){

1130

direntry = readdir(d);

1131

if(direntry == NULL){

1132

break;

1133

}

1134

/* Skip "." and ".." */

1135

if(direntry->d_name[0] == '.'

1136

and (direntry->d_name[1] == '\0'

1137

or (direntry->d_name[1] == '.'

1138

and direntry->d_name[2] == '\0'))){

1139

continue;

1140

}

1141

char *fullname = NULL;

1142

ret = asprintf(&fullname, "%s/%s", tempdir,

1143

direntry->d_name);

1144

if(ret < 0){

1145

perror("asprintf");

1146

continue;

1147

}

1148

ret = remove(fullname);

1149

if(ret == -1){

1150

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1151

strerror(errno));

1152

}

1153

free(fullname);

1154

}

1155

closedir(d);

1156

}

1157

ret = rmdir(tempdir);

1158

if(ret == -1 and errno != ENOENT){

1159

perror("rmdir");

1160

}

1161

}

1162

1163

return exitcode;

884

1164

}

Older »