To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 291
- compare with another revision
- download diff
- download tarball
- view history from revision 291
- Committer: Teddy Hogeborn
- Date: 2009-01-31 10:33:17 UTC
- mfrom: (24.1.129 mandos)
- Revision ID: teddy@fukt.bsnet.se-20090131103317-wzqvyr532sjcjt7u
Merge from Björn:
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#define _LARGEFILE_SOURCE
34
34
#define _FILE_OFFSET_BITS 64
35
35
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
79
80
/* Avahi */
81
/* All Avahi types, constants and functions
82
Avahi*, avahi_*,
83
AVAHI_* */
42
84
#include <avahi-core/core.h>
43
85
#include <avahi-core/lookup.h>
44
86
#include <avahi-core/log.h>
46
88
#include <avahi-common/malloc.h>
47
89
#include <avahi-common/error.h>
48
90
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
69
70
#ifndef CERT_ROOT
71
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
72
#endif
73
#define CERTFILE CERT_ROOT "openpgp-client.txt"
74
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
91
/* GnuTLS */
92
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
93
functions:
94
gnutls_*
95
init_gnutls_session(),
96
GNUTLS_* */
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
99
GNUTLS_OPENPGP_FMT_BASE64 */
100
101
/* GPGME */
102
#include <gpgme.h> /* All GPGME types, constants and
103
functions:
104
gpgme_*
105
GPGME_PROTOCOL_OpenPGP,
106
GPG_ERR_NO_* */
107
75
108
#define BUFFER_SIZE 256
76
#define DH_BITS 1024
109
110
#define PATHDIR "/conf/conf.d/mandos"
111
#define SECKEY "seckey.txt"
112
#define PUBKEY "pubkey.txt"
77
113
78
114
bool debug = false;
115
static const char mandos_protocol_version[] = "1";
116
const char *argp_program_version = "mandos-client " VERSION;
117
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
79
118
119
/* Used for passing in values through the Avahi callback functions */
80
120
typedef struct {
81
gnutls_session_t session;
121
AvahiSimplePoll *simple_poll;
122
AvahiServer *server;
82
123
gnutls_certificate_credentials_t cred;
124
unsigned int dh_bits;
83
125
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
126
const char *priority;
90
127
gpgme_ctx_t ctx;
128
} mandos_context;
129
130
/*
131
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
132
* "buffer_capacity" is how much is currently allocated,
133
* "buffer_length" is how much is already used.
134
*/
135
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
138
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
139
if(buffer == NULL){
140
return 0;
141
}
142
buffer_capacity += BUFFER_SIZE;
143
}
144
return buffer_capacity;
145
}
146
147
/*
148
* Initialize GPGME.
149
*/
150
static bool init_gpgme(mandos_context *mc, const char *seckey,
151
const char *pubkey, const char *tempdir){
152
int ret;
91
153
gpgme_error_t rc;
92
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
95
154
gpgme_engine_info_t engine_info;
96
97
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
155
156
157
/*
158
* Helper function to insert pub and seckey to the engine keyring.
159
*/
160
bool import_key(const char *filename){
161
int fd;
162
gpgme_data_t pgp_data;
163
164
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
165
if(fd == -1){
166
perror("open");
167
return false;
168
}
169
170
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
172
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
gpgme_strsource(rc), gpgme_strerror(rc));
174
return false;
175
}
176
177
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
179
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
gpgme_strsource(rc), gpgme_strerror(rc));
181
return false;
182
}
183
184
ret = (int)TEMP_FAILURE_RETRY(close(fd));
185
if(ret == -1){
186
perror("close");
187
}
188
gpgme_data_release(pgp_data);
189
return true;
190
}
191
192
if(debug){
193
fprintf(stderr, "Initialize gpgme\n");
99
194
}
100
195
101
196
/* Init GPGME */
102
197
gpgme_check_version(NULL);
103
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
198
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
199
if(rc != GPG_ERR_NO_ERROR){
200
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
201
gpgme_strsource(rc), gpgme_strerror(rc));
202
return false;
203
}
104
204
105
/* Set GPGME home directory */
106
rc = gpgme_get_engine_info (&engine_info);
107
if (rc != GPG_ERR_NO_ERROR){
205
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
108
208
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
109
209
gpgme_strsource(rc), gpgme_strerror(rc));
110
return -1;
210
return false;
111
211
}
112
212
while(engine_info != NULL){
113
213
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
114
214
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
115
engine_info->file_name, homedir);
215
engine_info->file_name, tempdir);
116
216
break;
117
217
}
118
218
engine_info = engine_info->next;
119
219
}
120
220
if(engine_info == NULL){
121
fprintf(stderr, "Could not set home dir to %s\n", homedir);
122
return -1;
123
}
124
125
/* Create new GPGME data buffer from packet buffer */
126
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
127
if (rc != GPG_ERR_NO_ERROR){
221
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
222
return false;
223
}
224
225
/* Create new GPGME "context" */
226
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
228
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
231
}
232
233
if(not import_key(pubkey) or not import_key(seckey)){
234
return false;
235
}
236
237
return true;
238
}
239
240
/*
241
* Decrypt OpenPGP data.
242
* Returns -1 on error
243
*/
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
246
size_t crypto_size,
247
char **plaintext){
248
gpgme_data_t dh_crypto, dh_plain;
249
gpgme_error_t rc;
250
ssize_t ret;
251
size_t plaintext_capacity = 0;
252
ssize_t plaintext_length = 0;
253
254
if(debug){
255
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
256
}
257
258
/* Create new GPGME data buffer from memory cryptotext */
259
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
260
0);
261
if(rc != GPG_ERR_NO_ERROR){
128
262
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
129
263
gpgme_strsource(rc), gpgme_strerror(rc));
130
264
return -1;
132
266
133
267
/* Create new empty GPGME data buffer for the plaintext */
134
268
rc = gpgme_data_new(&dh_plain);
135
if (rc != GPG_ERR_NO_ERROR){
269
if(rc != GPG_ERR_NO_ERROR){
136
270
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
137
271
gpgme_strsource(rc), gpgme_strerror(rc));
138
return -1;
139
}
140
141
/* Create new GPGME "context" */
142
rc = gpgme_new(&ctx);
143
if (rc != GPG_ERR_NO_ERROR){
144
fprintf(stderr, "bad gpgme_new: %s: %s\n",
145
gpgme_strsource(rc), gpgme_strerror(rc));
146
return -1;
147
}
148
149
/* Decrypt data from the FILE pointer to the plaintext data
150
buffer */
151
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
152
if (rc != GPG_ERR_NO_ERROR){
272
gpgme_data_release(dh_crypto);
273
return -1;
274
}
275
276
/* Decrypt data from the cryptotext data buffer to the plaintext
277
data buffer */
278
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
153
280
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
154
281
gpgme_strsource(rc), gpgme_strerror(rc));
155
return -1;
282
plaintext_length = -1;
283
if(debug){
284
gpgme_decrypt_result_t result;
285
result = gpgme_op_decrypt_result(mc->ctx);
286
if(result == NULL){
287
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
288
} else {
289
fprintf(stderr, "Unsupported algorithm: %s\n",
290
result->unsupported_algorithm);
291
fprintf(stderr, "Wrong key usage: %u\n",
292
result->wrong_key_usage);
293
if(result->file_name != NULL){
294
fprintf(stderr, "File name: %s\n", result->file_name);
295
}
296
gpgme_recipient_t recipient;
297
recipient = result->recipients;
298
if(recipient){
299
while(recipient != NULL){
300
fprintf(stderr, "Public key algorithm: %s\n",
301
gpgme_pubkey_algo_name(recipient->pubkey_algo));
302
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
303
fprintf(stderr, "Secret key available: %s\n",
304
recipient->status == GPG_ERR_NO_SECKEY
305
? "No" : "Yes");
306
recipient = recipient->next;
307
}
308
}
309
}
310
}
311
goto decrypt_end;
156
312
}
157
313
158
314
if(debug){
159
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
160
}
161
162
if (debug){
163
gpgme_decrypt_result_t result;
164
result = gpgme_op_decrypt_result(ctx);
165
if (result == NULL){
166
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
167
} else {
168
fprintf(stderr, "Unsupported algorithm: %s\n",
169
result->unsupported_algorithm);
170
fprintf(stderr, "Wrong key usage: %d\n",
171
result->wrong_key_usage);
172
if(result->file_name != NULL){
173
fprintf(stderr, "File name: %s\n", result->file_name);
174
}
175
gpgme_recipient_t recipient;
176
recipient = result->recipients;
177
if(recipient){
178
while(recipient != NULL){
179
fprintf(stderr, "Public key algorithm: %s\n",
180
gpgme_pubkey_algo_name(recipient->pubkey_algo));
181
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
182
fprintf(stderr, "Secret key available: %s\n",
183
recipient->status == GPG_ERR_NO_SECKEY
184
? "No" : "Yes");
185
recipient = recipient->next;
186
}
187
}
188
}
189
}
190
191
/* Delete the GPGME FILE pointer cryptotext data buffer */
192
gpgme_data_release(dh_crypto);
315
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
316
}
193
317
194
318
/* Seek back to the beginning of the GPGME plaintext data buffer */
195
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
196
197
*new_packet = 0;
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
320
perror("gpgme_data_seek");
321
plaintext_length = -1;
322
goto decrypt_end;
323
}
324
325
*plaintext = NULL;
198
326
while(true){
199
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
200
*new_packet = realloc(*new_packet,
201
(unsigned int)new_packet_capacity
202
+ BUFFER_SIZE);
203
if (*new_packet == NULL){
204
perror("realloc");
205
return -1;
206
}
207
new_packet_capacity += BUFFER_SIZE;
327
plaintext_capacity = adjustbuffer(plaintext,
328
(size_t)plaintext_length,
329
plaintext_capacity);
330
if(plaintext_capacity == 0){
331
perror("adjustbuffer");
332
plaintext_length = -1;
333
goto decrypt_end;
208
334
}
209
335
210
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
211
337
BUFFER_SIZE);
212
338
/* Print the data, if any */
213
if (ret == 0){
339
if(ret == 0){
340
/* EOF */
214
341
break;
215
342
}
216
343
if(ret < 0){
217
344
perror("gpgme_data_read");
218
return -1;
219
}
220
new_packet_length += ret;
221
}
222
223
/* FIXME: check characters before printing to screen so to not print
224
terminal control characters */
225
/* if(debug){ */
226
/* fprintf(stderr, "decrypted password is: "); */
227
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
228
/* fprintf(stderr, "\n"); */
229
/* } */
345
plaintext_length = -1;
346
goto decrypt_end;
347
}
348
plaintext_length += ret;
349
}
350
351
if(debug){
352
fprintf(stderr, "Decrypted password is: ");
353
for(ssize_t i = 0; i < plaintext_length; i++){
354
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
355
}
356
fprintf(stderr, "\n");
357
}
358
359
decrypt_end:
360
361
/* Delete the GPGME cryptotext data buffer */
362
gpgme_data_release(dh_crypto);
230
363
231
364
/* Delete the GPGME plaintext data buffer */
232
365
gpgme_data_release(dh_plain);
233
return new_packet_length;
366
return plaintext_length;
234
367
}
235
368
236
static const char * safer_gnutls_strerror (int value) {
237
const char *ret = gnutls_strerror (value);
238
if (ret == NULL)
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
372
if(ret == NULL)
239
373
ret = "(unknown)";
240
374
return ret;
241
375
}
242
376
243
void debuggnutls(__attribute__((unused)) int level,
244
const char* string){
245
fprintf(stderr, "%s", string);
377
/* GnuTLS log function callback */
378
static void debuggnutls(__attribute__((unused)) int level,
379
const char* string){
380
fprintf(stderr, "GnuTLS: %s", string);
246
381
}
247
382
248
int initgnutls(encrypted_session *es){
249
const char *err;
383
static int init_gnutls_global(mandos_context *mc,
384
const char *pubkeyfilename,
385
const char *seckeyfilename){
250
386
int ret;
251
387
252
388
if(debug){
253
389
fprintf(stderr, "Initializing GnuTLS\n");
254
390
}
255
391
256
if ((ret = gnutls_global_init ())
257
!= GNUTLS_E_SUCCESS) {
258
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
392
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
259
396
return -1;
260
397
}
261
262
if (debug){
398
399
if(debug){
400
/* "Use a log level over 10 to enable all debugging options."
401
* - GnuTLS manual
402
*/
263
403
gnutls_global_set_log_level(11);
264
404
gnutls_global_set_log_function(debuggnutls);
265
405
}
266
406
267
/* openpgp credentials */
268
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
269
!= GNUTLS_E_SUCCESS) {
270
fprintf (stderr, "memory error: %s\n",
271
safer_gnutls_strerror(ret));
407
/* OpenPGP credentials */
408
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
411
* from
412
* -Wunreachable-code
413
*/
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
272
416
return -1;
273
417
}
274
418
275
419
if(debug){
276
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
277
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
278
KEYFILE);
420
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
421
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
422
seckeyfilename);
279
423
}
280
424
281
425
ret = gnutls_certificate_set_openpgp_key_file
282
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
283
if (ret != GNUTLS_E_SUCCESS) {
284
fprintf
285
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
286
" '%s')\n",
287
ret, CERTFILE, KEYFILE);
288
fprintf(stdout, "The Error is: %s\n",
289
safer_gnutls_strerror(ret));
290
return -1;
291
}
292
293
//GnuTLS server initialization
294
if ((ret = gnutls_dh_params_init (&es->dh_params))
295
!= GNUTLS_E_SUCCESS) {
296
fprintf (stderr, "Error in dh parameter initialization: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in prime generation: %s\n",
304
safer_gnutls_strerror(ret));
305
return -1;
306
}
307
308
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
309
310
// GnuTLS session creation
311
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
312
!= GNUTLS_E_SUCCESS){
426
(mc->cred, pubkeyfilename, seckeyfilename,
427
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
429
fprintf(stderr,
430
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
432
fprintf(stderr, "The GnuTLS error is: %s\n",
433
safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
437
/* GnuTLS server initialization */
438
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
442
goto globalfail;
443
}
444
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
451
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
453
return 0;
454
455
globalfail:
456
457
gnutls_certificate_free_credentials(mc->cred);
458
gnutls_global_deinit();
459
gnutls_dh_params_deinit(mc->dh_params);
460
return -1;
461
}
462
463
static int init_gnutls_session(mandos_context *mc,
464
gnutls_session_t *session){
465
int ret;
466
/* GnuTLS session creation */
467
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
313
469
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
314
470
safer_gnutls_strerror(ret));
315
471
}
316
472
317
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf(stderr, "Syntax error at: %s\n", err);
320
fprintf(stderr, "GnuTLS error: %s\n",
321
safer_gnutls_strerror(ret));
322
return -1;
473
{
474
const char *err;
475
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
477
fprintf(stderr, "Syntax error at: %s\n", err);
478
fprintf(stderr, "GnuTLS error: %s\n",
479
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
481
return -1;
482
}
323
483
}
324
484
325
if ((ret = gnutls_credentials_set
326
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Error setting a credentials set: %s\n",
485
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
486
mc->cred);
487
if(ret != GNUTLS_E_SUCCESS) {
488
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
329
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
330
491
return -1;
331
492
}
332
493
333
494
/* ignore client certificate if any. */
334
gnutls_certificate_server_set_request (es->session,
335
GNUTLS_CERT_IGNORE);
495
gnutls_certificate_server_set_request(*session,
496
GNUTLS_CERT_IGNORE);
336
497
337
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
338
499
339
500
return 0;
340
501
}
341
502
342
void empty_log(__attribute__((unused)) AvahiLogLevel level,
343
__attribute__((unused)) const char *txt){}
503
/* Avahi log function callback */
504
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
505
__attribute__((unused)) const char *txt){}
344
506
345
int start_mandos_communication(const char *ip, uint16_t port,
346
unsigned int if_index){
507
/* Called when a Mandos server is found */
508
static int start_mandos_communication(const char *ip, uint16_t port,
509
AvahiIfIndex if_index,
510
mandos_context *mc){
347
511
int ret, tcp_sd;
348
struct sockaddr_in6 to;
349
encrypted_session es;
512
ssize_t sret;
513
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
350
514
char *buffer = NULL;
351
515
char *decrypted_buffer;
352
516
size_t buffer_length = 0;
353
517
size_t buffer_capacity = 0;
354
518
ssize_t decrypted_buffer_size;
355
size_t written = 0;
519
size_t written;
356
520
int retval = 0;
357
521
char interface[IF_NAMESIZE];
522
gnutls_session_t session;
523
524
ret = init_gnutls_session(mc, &session);
525
if(ret != 0){
526
return -1;
527
}
358
528
359
529
if(debug){
360
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
361
ip, port);
530
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
531
"\n", ip, port);
362
532
}
363
533
364
534
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
367
537
return -1;
368
538
}
369
539
370
if(if_indextoname(if_index, interface) == NULL){
371
if(debug){
540
if(debug){
541
if(if_indextoname((unsigned int)if_index, interface) == NULL){
372
542
perror("if_indextoname");
543
return -1;
373
544
}
374
return -1;
375
}
376
377
if(debug){
378
545
fprintf(stderr, "Binding to interface %s\n", interface);
379
546
}
380
547
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
384
if (ret < 0 ){
548
memset(&to, 0, sizeof(to));
549
to.in6.sin6_family = AF_INET6;
550
/* It would be nice to have a way to detect if we were passed an
551
IPv4 address here. Now we assume an IPv6 address. */
552
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
553
if(ret < 0 ){
385
554
perror("inet_pton");
386
555
return -1;
387
}
556
}
388
557
if(ret == 0){
389
558
fprintf(stderr, "Bad address: %s\n", ip);
390
559
return -1;
391
560
}
392
to.sin6_port = htons(port); /* Spurious warning */
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
562
-Wconversion and
563
-Wunreachable-code */
393
564
394
to.sin6_scope_id = (uint32_t)if_index;
565
to.in6.sin6_scope_id = (uint32_t)if_index;
395
566
396
567
if(debug){
397
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
398
/* char addrstr[INET6_ADDRSTRLEN]; */
399
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
400
/* sizeof(addrstr)) == NULL){ */
401
/* perror("inet_ntop"); */
402
/* } else { */
403
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
404
/* addrstr, ntohs(to.sin6_port)); */
405
/* } */
568
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
569
port);
570
char addrstr[INET6_ADDRSTRLEN] = "";
571
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
572
sizeof(addrstr)) == NULL){
573
perror("inet_ntop");
574
} else {
575
if(strcmp(addrstr, ip) != 0){
576
fprintf(stderr, "Canonical address form: %s\n", addrstr);
577
}
578
}
406
579
}
407
580
408
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
409
if (ret < 0){
581
ret = connect(tcp_sd, &to.in, sizeof(to));
582
if(ret < 0){
410
583
perror("connect");
411
584
return -1;
412
585
}
413
586
414
ret = initgnutls (&es);
415
if (ret != 0){
416
retval = -1;
417
return -1;
587
const char *out = mandos_protocol_version;
588
written = 0;
589
while(true){
590
size_t out_size = strlen(out);
591
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
out_size - written));
593
if(ret == -1){
594
perror("write");
595
retval = -1;
596
goto mandos_end;
597
}
598
written += (size_t)ret;
599
if(written < out_size){
600
continue;
601
} else {
602
if(out == mandos_protocol_version){
603
written = 0;
604
out = "\r\n";
605
} else {
606
break;
607
}
608
}
418
609
}
419
610
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
422
423
611
if(debug){
424
612
fprintf(stderr, "Establishing TLS session with %s\n", ip);
425
613
}
426
614
427
ret = gnutls_handshake (es.session);
428
429
if (ret != GNUTLS_E_SUCCESS){
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
616
617
do{
618
ret = gnutls_handshake(session);
619
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
620
621
if(ret != GNUTLS_E_SUCCESS){
430
622
if(debug){
431
fprintf(stderr, "\n*** Handshake failed ***\n");
432
gnutls_perror (ret);
623
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
624
gnutls_perror(ret);
433
625
}
434
626
retval = -1;
435
goto exit;
627
goto mandos_end;
436
628
}
437
629
438
//Retrieve OpenPGP packet that contains the wanted password
630
/* Read OpenPGP packet that contains the wanted password */
439
631
440
632
if(debug){
441
633
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
442
634
ip);
443
635
}
444
636
445
637
while(true){
446
if (buffer_length + BUFFER_SIZE > buffer_capacity){
447
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
448
if (buffer == NULL){
449
perror("realloc");
450
goto exit;
451
}
452
buffer_capacity += BUFFER_SIZE;
638
buffer_capacity = adjustbuffer(&buffer, buffer_length,
639
buffer_capacity);
640
if(buffer_capacity == 0){
641
perror("adjustbuffer");
642
retval = -1;
643
goto mandos_end;
453
644
}
454
645
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
457
if (ret == 0){
646
sret = gnutls_record_recv(session, buffer+buffer_length,
647
BUFFER_SIZE);
648
if(sret == 0){
458
649
break;
459
650
}
460
if (ret < 0){
461
switch(ret){
651
if(sret < 0){
652
switch(sret){
462
653
case GNUTLS_E_INTERRUPTED:
463
654
case GNUTLS_E_AGAIN:
464
655
break;
465
656
case GNUTLS_E_REHANDSHAKE:
466
ret = gnutls_handshake (es.session);
467
if (ret < 0){
468
fprintf(stderr, "\n*** Handshake failed ***\n");
469
gnutls_perror (ret);
657
do{
658
ret = gnutls_handshake(session);
659
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
660
if(ret < 0){
661
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
662
gnutls_perror(ret);
470
663
retval = -1;
471
goto exit;
664
goto mandos_end;
472
665
}
473
666
break;
474
667
default:
475
668
fprintf(stderr, "Unknown error while reading data from"
476
" encrypted session with mandos server\n");
669
" encrypted session with Mandos server\n");
477
670
retval = -1;
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
479
goto exit;
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
672
goto mandos_end;
480
673
}
481
674
} else {
482
buffer_length += (size_t) ret;
675
buffer_length += (size_t) sret;
483
676
}
484
677
}
485
678
486
if (buffer_length > 0){
487
decrypted_buffer_size = pgp_packet_decrypt(buffer,
679
if(debug){
680
fprintf(stderr, "Closing TLS session\n");
681
}
682
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
684
685
if(buffer_length > 0){
686
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
488
687
buffer_length,
489
&decrypted_buffer,
490
CERT_ROOT);
491
if (decrypted_buffer_size >= 0){
688
&decrypted_buffer);
689
if(decrypted_buffer_size >= 0){
690
written = 0;
492
691
while(written < (size_t) decrypted_buffer_size){
493
ret = (int)fwrite (decrypted_buffer + written, 1,
494
(size_t)decrypted_buffer_size - written,
495
stdout);
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
694
stdout);
496
695
if(ret == 0 and ferror(stdout)){
497
696
if(debug){
498
697
fprintf(stderr, "Error writing encrypted data: %s\n",
507
706
} else {
508
707
retval = -1;
509
708
}
510
}
511
512
//shutdown procedure
513
514
if(debug){
515
fprintf(stderr, "Closing TLS session\n");
516
}
517
709
} else {
710
retval = -1;
711
}
712
713
/* Shutdown procedure */
714
715
mandos_end:
518
716
free(buffer);
519
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
520
exit:
521
close(tcp_sd);
522
gnutls_deinit (es.session);
523
gnutls_certificate_free_credentials (es.cred);
524
gnutls_global_deinit ();
717
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
718
if(ret == -1){
719
perror("close");
720
}
721
gnutls_deinit(session);
525
722
return retval;
526
723
}
527
724
528
static AvahiSimplePoll *simple_poll = NULL;
529
static AvahiServer *server = NULL;
530
531
static void resolve_callback(
532
AvahiSServiceResolver *r,
533
AvahiIfIndex interface,
534
AVAHI_GCC_UNUSED AvahiProtocol protocol,
535
AvahiResolverEvent event,
536
const char *name,
537
const char *type,
538
const char *domain,
539
const char *host_name,
540
const AvahiAddress *address,
541
uint16_t port,
542
AVAHI_GCC_UNUSED AvahiStringList *txt,
543
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
544
AVAHI_GCC_UNUSED void* userdata) {
545
546
assert(r); /* Spurious warning */
725
static void resolve_callback(AvahiSServiceResolver *r,
726
AvahiIfIndex interface,
727
AVAHI_GCC_UNUSED AvahiProtocol protocol,
728
AvahiResolverEvent event,
729
const char *name,
730
const char *type,
731
const char *domain,
732
const char *host_name,
733
const AvahiAddress *address,
734
uint16_t port,
735
AVAHI_GCC_UNUSED AvahiStringList *txt,
736
AVAHI_GCC_UNUSED AvahiLookupResultFlags
737
flags,
738
void* userdata) {
739
mandos_context *mc = userdata;
740
assert(r);
547
741
548
742
/* Called whenever a service has been resolved successfully or
549
743
timed out */
550
744
551
switch (event) {
745
switch(event) {
552
746
default:
553
747
case AVAHI_RESOLVER_FAILURE:
554
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
555
" type '%s' in domain '%s': %s\n", name, type, domain,
556
avahi_strerror(avahi_server_errno(server)));
748
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
749
" of type '%s' in domain '%s': %s\n", name, type, domain,
750
avahi_strerror(avahi_server_errno(mc->server)));
557
751
break;
558
752
559
753
case AVAHI_RESOLVER_FOUND:
561
755
char ip[AVAHI_ADDRESS_STR_MAX];
562
756
avahi_address_snprint(ip, sizeof(ip), address);
563
757
if(debug){
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
758
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
566
761
}
567
int ret = start_mandos_communication(ip, port,
568
(unsigned int) interface);
569
if (ret == 0){
570
exit(EXIT_SUCCESS);
762
int ret = start_mandos_communication(ip, port, interface, mc);
763
if(ret == 0){
764
avahi_simple_poll_quit(mc->simple_poll);
571
765
}
572
766
}
573
767
}
574
768
avahi_s_service_resolver_free(r);
575
769
}
576
770
577
static void browse_callback(
578
AvahiSServiceBrowser *b,
579
AvahiIfIndex interface,
580
AvahiProtocol protocol,
581
AvahiBrowserEvent event,
582
const char *name,
583
const char *type,
584
const char *domain,
585
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
586
void* userdata) {
587
588
AvahiServer *s = userdata;
589
assert(b); /* Spurious warning */
590
591
/* Called whenever a new services becomes available on the LAN or
592
is removed from the LAN */
593
594
switch (event) {
595
default:
596
case AVAHI_BROWSER_FAILURE:
597
598
fprintf(stderr, "(Browser) %s\n",
599
avahi_strerror(avahi_server_errno(server)));
600
avahi_simple_poll_quit(simple_poll);
601
return;
602
603
case AVAHI_BROWSER_NEW:
604
/* We ignore the returned resolver object. In the callback
605
function we free it. If the server is terminated before
606
the callback function is called the server will free
607
the resolver for us. */
608
609
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
610
type, domain,
611
AVAHI_PROTO_INET6, 0,
612
resolve_callback, s)))
613
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
614
avahi_strerror(avahi_server_errno(s)));
615
break;
616
617
case AVAHI_BROWSER_REMOVE:
618
break;
619
620
case AVAHI_BROWSER_ALL_FOR_NOW:
621
case AVAHI_BROWSER_CACHE_EXHAUSTED:
622
break;
771
static void browse_callback( AvahiSServiceBrowser *b,
772
AvahiIfIndex interface,
773
AvahiProtocol protocol,
774
AvahiBrowserEvent event,
775
const char *name,
776
const char *type,
777
const char *domain,
778
AVAHI_GCC_UNUSED AvahiLookupResultFlags
779
flags,
780
void* userdata) {
781
mandos_context *mc = userdata;
782
assert(b);
783
784
/* Called whenever a new services becomes available on the LAN or
785
is removed from the LAN */
786
787
switch(event) {
788
default:
789
case AVAHI_BROWSER_FAILURE:
790
791
fprintf(stderr, "(Avahi browser) %s\n",
792
avahi_strerror(avahi_server_errno(mc->server)));
793
avahi_simple_poll_quit(mc->simple_poll);
794
return;
795
796
case AVAHI_BROWSER_NEW:
797
/* We ignore the returned Avahi resolver object. In the callback
798
function we free it. If the Avahi server is terminated before
799
the callback function is called the Avahi server will free the
800
resolver for us. */
801
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
803
protocol, name, type, domain,
804
AVAHI_PROTO_INET6, 0,
805
resolve_callback, mc)))
806
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
807
name, avahi_strerror(avahi_server_errno(mc->server)));
808
break;
809
810
case AVAHI_BROWSER_REMOVE:
811
break;
812
813
case AVAHI_BROWSER_ALL_FOR_NOW:
814
case AVAHI_BROWSER_CACHE_EXHAUSTED:
815
if(debug){
816
fprintf(stderr, "No Mandos server found, still searching...\n");
623
817
}
818
break;
819
}
624
820
}
625
821
626
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
627
AvahiServerConfig config;
822
int main(int argc, char *argv[]){
628
823
AvahiSServiceBrowser *sb = NULL;
629
824
int error;
630
825
int ret;
631
int returncode = EXIT_SUCCESS;
826
intmax_t tmpmax;
827
int numchars;
828
int exitcode = EXIT_SUCCESS;
632
829
const char *interface = "eth0";
633
unsigned int if_index;
830
struct ifreq network;
831
int sd;
832
uid_t uid;
833
gid_t gid;
634
834
char *connect_to = NULL;
635
636
while (true){
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"connect", required_argument, 0, 'c'},
640
{"interface", required_argument, 0, 'i'},
641
{0, 0, 0, 0} };
642
643
int option_index = 0;
644
ret = getopt_long (argc, argv, "i:", long_options,
645
&option_index);
646
647
if (ret == -1){
648
break;
649
}
650
651
switch(ret){
652
case 0:
653
break;
654
case 'i':
655
interface = optarg;
656
break;
657
case 'c':
658
connect_to = optarg;
659
break;
660
default:
661
exit(EXIT_FAILURE);
662
}
663
}
664
665
if_index = if_nametoindex(interface);
835
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
837
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
838
const char *seckey = PATHDIR "/" SECKEY;
839
const char *pubkey = PATHDIR "/" PUBKEY;
840
841
mandos_context mc = { .simple_poll = NULL, .server = NULL,
842
.dh_bits = 1024, .priority = "SECURE256"
843
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
846
double delay = 2.5;
847
848
{
849
struct argp_option options[] = {
850
{ .name = "debug", .key = 128,
851
.doc = "Debug mode", .group = 3 },
852
{ .name = "connect", .key = 'c',
853
.arg = "ADDRESS:PORT",
854
.doc = "Connect directly to a specific Mandos server",
855
.group = 1 },
856
{ .name = "interface", .key = 'i',
857
.arg = "NAME",
858
.doc = "Interface that will be used to search for Mandos"
859
" servers",
860
.group = 1 },
861
{ .name = "seckey", .key = 's',
862
.arg = "FILE",
863
.doc = "OpenPGP secret key file base name",
864
.group = 1 },
865
{ .name = "pubkey", .key = 'p',
866
.arg = "FILE",
867
.doc = "OpenPGP public key file base name",
868
.group = 2 },
869
{ .name = "dh-bits", .key = 129,
870
.arg = "BITS",
871
.doc = "Bit length of the prime number used in the"
872
" Diffie-Hellman key exchange",
873
.group = 2 },
874
{ .name = "priority", .key = 130,
875
.arg = "STRING",
876
.doc = "GnuTLS priority string for the TLS handshake",
877
.group = 1 },
878
{ .name = "delay", .key = 131,
879
.arg = "SECONDS",
880
.doc = "Maximum delay to wait for interface startup",
881
.group = 2 },
882
{ .name = NULL }
883
};
884
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
887
switch(key) {
888
case 128: /* --debug */
889
debug = true;
890
break;
891
case 'c': /* --connect */
892
connect_to = arg;
893
break;
894
case 'i': /* --interface */
895
interface = arg;
896
break;
897
case 's': /* --seckey */
898
seckey = arg;
899
break;
900
case 'p': /* --pubkey */
901
pubkey = arg;
902
break;
903
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
907
fprintf(stderr, "Bad number of DH bits\n");
908
exit(EXIT_FAILURE);
909
}
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
911
break;
912
case 130: /* --priority */
913
mc.priority = arg;
914
break;
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
919
exit(EXIT_FAILURE);
920
}
921
break;
922
case ARGP_KEY_ARG:
923
argp_usage(state);
924
case ARGP_KEY_END:
925
break;
926
default:
927
return ARGP_ERR_UNKNOWN;
928
}
929
return 0;
930
}
931
932
struct argp argp = { .options = options, .parser = parse_opt,
933
.args_doc = "",
934
.doc = "Mandos client -- Get and decrypt"
935
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
938
fprintf(stderr, "Unknown error while parsing arguments\n");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
944
/* If the interface is down, bring it up */
945
{
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
949
if(ret == -1){
950
perror("klogctl");
951
}
952
953
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
954
if(sd < 0) {
955
perror("socket");
956
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
958
if(ret == -1){
959
perror("klogctl");
960
}
961
goto end;
962
}
963
strcpy(network.ifr_name, interface);
964
ret = ioctl(sd, SIOCGIFFLAGS, &network);
965
if(ret == -1){
966
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
968
if(ret == -1){
969
perror("klogctl");
970
}
971
exitcode = EXIT_FAILURE;
972
goto end;
973
}
974
if((network.ifr_flags & IFF_UP) == 0){
975
network.ifr_flags |= IFF_UP;
976
ret = ioctl(sd, SIOCSIFFLAGS, &network);
977
if(ret == -1){
978
perror("ioctl SIOCSIFFLAGS");
979
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
981
if(ret == -1){
982
perror("klogctl");
983
}
984
goto end;
985
}
986
}
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
990
if(ret == -1){
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
993
break;
994
}
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
997
}
998
ret = (int)TEMP_FAILURE_RETRY(close(sd));
999
if(ret == -1){
1000
perror("close");
1001
}
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1004
if(ret == -1){
1005
perror("klogctl");
1006
}
1007
}
1008
1009
uid = getuid();
1010
gid = getgid();
1011
1012
setgid(gid);
1013
if(ret == -1){
1014
perror("setgid");
1015
}
1016
1017
ret = setuid(uid);
1018
if(ret == -1){
1019
perror("setuid");
1020
}
1021
1022
ret = init_gnutls_global(&mc, pubkey, seckey);
1023
if(ret == -1){
1024
fprintf(stderr, "init_gnutls_global failed\n");
1025
exitcode = EXIT_FAILURE;
1026
goto end;
1027
} else {
1028
gnutls_initialized = true;
1029
}
1030
1031
if(mkdtemp(tempdir) == NULL){
1032
perror("mkdtemp");
1033
goto end;
1034
}
1035
tempdir_created = true;
1036
1037
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
} else {
1042
gpgme_initialized = true;
1043
}
1044
1045
if_index = (AvahiIfIndex) if_nametoindex(interface);
666
1046
if(if_index == 0){
667
1047
fprintf(stderr, "No such interface: \"%s\"\n", interface);
668
exit(EXIT_FAILURE);
1048
exitcode = EXIT_FAILURE;
1049
goto end;
669
1050
}
670
1051
671
1052
if(connect_to != NULL){
674
1055
char *address = strrchr(connect_to, ':');
675
1056
if(address == NULL){
676
1057
fprintf(stderr, "No colon in address\n");
677
exit(EXIT_FAILURE);
678
}
679
errno = 0;
680
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
681
if(errno){
682
perror("Bad port number");
683
exit(EXIT_FAILURE);
684
}
1058
exitcode = EXIT_FAILURE;
1059
goto end;
1060
}
1061
uint16_t port;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
1065
fprintf(stderr, "Bad port number\n");
1066
exitcode = EXIT_FAILURE;
1067
goto end;
1068
}
1069
port = (uint16_t)tmpmax;
685
1070
*address = '\0';
686
1071
address = connect_to;
687
ret = start_mandos_communication(address, port, if_index);
1072
ret = start_mandos_communication(address, port, if_index, &mc);
688
1073
if(ret < 0){
689
exit(EXIT_FAILURE);
1074
exitcode = EXIT_FAILURE;
690
1075
} else {
691
exit(EXIT_SUCCESS);
1076
exitcode = EXIT_SUCCESS;
692
1077
}
1078
goto end;
693
1079
}
694
1080
695
if (not debug){
1081
if(not debug){
696
1082
avahi_set_log_function(empty_log);
697
1083
}
698
1084
699
/* Initialize the psuedo-RNG */
1085
/* Initialize the pseudo-RNG for Avahi */
700
1086
srand((unsigned int) time(NULL));
701
702
/* Allocate main loop object */
703
if (!(simple_poll = avahi_simple_poll_new())) {
704
fprintf(stderr, "Failed to create simple poll object.\n");
705
706
goto exit;
707
}
708
709
/* Do not publish any local records */
710
avahi_server_config_init(&config);
711
config.publish_hinfo = 0;
712
config.publish_addresses = 0;
713
config.publish_workstation = 0;
714
config.publish_domain = 0;
715
716
/* Allocate a new server */
717
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
718
&config, NULL, NULL, &error);
719
720
/* Free the configuration data */
721
avahi_server_config_free(&config);
722
723
/* Check if creating the server object succeeded */
724
if (!server) {
725
fprintf(stderr, "Failed to create server: %s\n",
1087
1088
/* Allocate main Avahi loop object */
1089
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1091
fprintf(stderr, "Avahi: Failed to create simple poll"
1092
" object.\n");
1093
exitcode = EXIT_FAILURE;
1094
goto end;
1095
}
1096
1097
{
1098
AvahiServerConfig config;
1099
/* Do not publish any local Zeroconf records */
1100
avahi_server_config_init(&config);
1101
config.publish_hinfo = 0;
1102
config.publish_addresses = 0;
1103
config.publish_workstation = 0;
1104
config.publish_domain = 0;
1105
1106
/* Allocate a new server */
1107
mc.server = avahi_server_new(avahi_simple_poll_get
1108
(mc.simple_poll), &config, NULL,
1109
NULL, &error);
1110
1111
/* Free the Avahi configuration data */
1112
avahi_server_config_free(&config);
1113
}
1114
1115
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1117
fprintf(stderr, "Failed to create Avahi server: %s\n",
726
1118
avahi_strerror(error));
727
returncode = EXIT_FAILURE;
728
goto exit;
1119
exitcode = EXIT_FAILURE;
1120
goto end;
729
1121
}
730
1122
731
/* Create the service browser */
732
sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,
1123
/* Create the Avahi service browser */
1124
sb = avahi_s_service_browser_new(mc.server, if_index,
733
1125
AVAHI_PROTO_INET6,
734
1126
"_mandos._tcp", NULL, 0,
735
browse_callback, server);
736
if (!sb) {
1127
browse_callback, &mc);
1128
if(sb == NULL) {
737
1129
fprintf(stderr, "Failed to create service browser: %s\n",
738
avahi_strerror(avahi_server_errno(server)));
739
returncode = EXIT_FAILURE;
740
goto exit;
1130
avahi_strerror(avahi_server_errno(mc.server)));
1131
exitcode = EXIT_FAILURE;
1132
goto end;
741
1133
}
742
1134
743
1135
/* Run the main loop */
744
745
if (debug){
746
fprintf(stderr, "Starting avahi loop search\n");
1136
1137
if(debug){
1138
fprintf(stderr, "Starting Avahi loop search\n");
747
1139
}
748
749
avahi_simple_poll_loop(simple_poll);
750
751
exit:
752
1140
753
if (debug){
1141
avahi_simple_poll_loop(mc.simple_poll);
1142
1143
end:
1144
1145
if(debug){
754
1146
fprintf(stderr, "%s exiting\n", argv[0]);
755
1147
}
756
1148
757
1149
/* Cleanup things */
758
if (sb)
1150
if(sb != NULL)
759
1151
avahi_s_service_browser_free(sb);
760
1152
761
if (server)
762
avahi_server_free(server);
763
764
if (simple_poll)
765
avahi_simple_poll_free(simple_poll);
766
767
return returncode;
1153
if(mc.server != NULL)
1154
avahi_server_free(mc.server);
1155
1156
if(mc.simple_poll != NULL)
1157
avahi_simple_poll_free(mc.simple_poll);
1158
1159
if(gnutls_initialized){
1160
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1162
gnutls_dh_params_deinit(mc.dh_params);
1163
}
1164
1165
if(gpgme_initialized){
1166
gpgme_release(mc.ctx);
1167
}
1168
1169
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1171
DIR *d;
1172
struct dirent *direntry;
1173
d = opendir(tempdir);
1174
if(d == NULL){
1175
if(errno != ENOENT){
1176
perror("opendir");
1177
}
1178
} else {
1179
while(true){
1180
direntry = readdir(d);
1181
if(direntry == NULL){
1182
break;
1183
}
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1189
continue;
1190
}
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1193
direntry->d_name);
1194
if(ret < 0){
1195
perror("asprintf");
1196
continue;
1197
}
1198
ret = remove(fullname);
1199
if(ret == -1){
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1201
strerror(errno));
1202
}
1203
free(fullname);
1204
}
1205
closedir(d);
1206
}
1207
ret = rmdir(tempdir);
1208
if(ret == -1 and errno != ENOENT){
1209
perror("rmdir");
1210
}
1211
}
1212
1213
return exitcode;
768
1214
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0