To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 291
- compare with another revision
- download diff
- download tarball
- view history from revision 291
- Committer: Teddy Hogeborn
- Date: 2009-01-31 10:33:17 UTC
- mfrom: (24.1.129 mandos)
- Revision ID: teddy@fukt.bsnet.se-20090131103317-wzqvyr532sjcjt7u
Merge from Björn:
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
* mandos-ctl: New option "--remove-client". Only default to listing
clients if no clients were given on the command line.
* plugins.d/mandos-client.c: Lower kernel log level while bringing up
network interface. New option "--delay"
to control the maximum delay to wait for
running interface.
* plugins.d/mandos-client.xml (SYNOPSIS, OPTIONS): New option
"--delay".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
42
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
44
79
80
/* Avahi */
81
/* All Avahi types, constants and functions
82
Avahi*, avahi_*,
83
AVAHI_* */
45
84
#include <avahi-core/core.h>
46
85
#include <avahi-core/lookup.h>
47
86
#include <avahi-core/log.h>
49
88
#include <avahi-common/malloc.h>
50
89
#include <avahi-common/error.h>
51
90
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
91
/* GnuTLS */
92
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
93
functions:
94
gnutls_*
95
init_gnutls_session(),
96
GNUTLS_* */
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
99
GNUTLS_OPENPGP_FMT_BASE64 */
100
101
/* GPGME */
102
#include <gpgme.h> /* All GPGME types, constants and
103
functions:
104
gpgme_*
105
GPGME_PROTOCOL_OpenPGP,
106
GPG_ERR_NO_* */
72
107
73
108
#define BUFFER_SIZE 256
74
109
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
110
#define PATHDIR "/conf/conf.d/mandos"
111
#define SECKEY "seckey.txt"
112
#define PUBKEY "pubkey.txt"
78
113
79
114
bool debug = false;
115
static const char mandos_protocol_version[] = "1";
116
const char *argp_program_version = "mandos-client " VERSION;
117
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
80
118
81
/* Used for passing in values through all the callback functions */
119
/* Used for passing in values through the Avahi callback functions */
82
120
typedef struct {
83
121
AvahiSimplePoll *simple_poll;
84
122
AvahiServer *server;
85
123
gnutls_certificate_credentials_t cred;
86
124
unsigned int dh_bits;
125
gnutls_dh_params_t dh_params;
87
126
const char *priority;
127
gpgme_ctx_t ctx;
88
128
} mandos_context;
89
129
130
/*
131
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
132
* "buffer_capacity" is how much is currently allocated,
133
* "buffer_length" is how much is already used.
134
*/
135
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
138
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
139
if(buffer == NULL){
140
return 0;
141
}
142
buffer_capacity += BUFFER_SIZE;
143
}
144
return buffer_capacity;
145
}
146
90
147
/*
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
92
* Returns -1 on error
148
* Initialize GPGME.
93
149
*/
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
95
size_t crypto_size,
96
char **plaintext,
97
const char *homedir){
98
gpgme_data_t dh_crypto, dh_plain;
99
gpgme_ctx_t ctx;
150
static bool init_gpgme(mandos_context *mc, const char *seckey,
151
const char *pubkey, const char *tempdir){
152
int ret;
100
153
gpgme_error_t rc;
101
ssize_t ret;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
104
154
gpgme_engine_info_t engine_info;
105
155
106
if (debug){
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
156
157
/*
158
* Helper function to insert pub and seckey to the engine keyring.
159
*/
160
bool import_key(const char *filename){
161
int fd;
162
gpgme_data_t pgp_data;
163
164
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
165
if(fd == -1){
166
perror("open");
167
return false;
168
}
169
170
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
172
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
gpgme_strsource(rc), gpgme_strerror(rc));
174
return false;
175
}
176
177
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
179
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
gpgme_strsource(rc), gpgme_strerror(rc));
181
return false;
182
}
183
184
ret = (int)TEMP_FAILURE_RETRY(close(fd));
185
if(ret == -1){
186
perror("close");
187
}
188
gpgme_data_release(pgp_data);
189
return true;
190
}
191
192
if(debug){
193
fprintf(stderr, "Initialize gpgme\n");
108
194
}
109
195
110
196
/* Init GPGME */
111
197
gpgme_check_version(NULL);
112
198
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
113
if (rc != GPG_ERR_NO_ERROR){
199
if(rc != GPG_ERR_NO_ERROR){
114
200
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
115
201
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
202
return false;
117
203
}
118
204
119
/* Set GPGME home directory for the OpenPGP engine only */
120
rc = gpgme_get_engine_info (&engine_info);
121
if (rc != GPG_ERR_NO_ERROR){
205
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
122
208
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
123
209
gpgme_strsource(rc), gpgme_strerror(rc));
124
return -1;
210
return false;
125
211
}
126
212
while(engine_info != NULL){
127
213
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
128
214
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
129
engine_info->file_name, homedir);
215
engine_info->file_name, tempdir);
130
216
break;
131
217
}
132
218
engine_info = engine_info->next;
133
219
}
134
220
if(engine_info == NULL){
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
136
return -1;
221
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
222
return false;
223
}
224
225
/* Create new GPGME "context" */
226
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
228
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
231
}
232
233
if(not import_key(pubkey) or not import_key(seckey)){
234
return false;
235
}
236
237
return true;
238
}
239
240
/*
241
* Decrypt OpenPGP data.
242
* Returns -1 on error
243
*/
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
246
size_t crypto_size,
247
char **plaintext){
248
gpgme_data_t dh_crypto, dh_plain;
249
gpgme_error_t rc;
250
ssize_t ret;
251
size_t plaintext_capacity = 0;
252
ssize_t plaintext_length = 0;
253
254
if(debug){
255
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
137
256
}
138
257
139
258
/* Create new GPGME data buffer from memory cryptotext */
140
259
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
141
260
0);
142
if (rc != GPG_ERR_NO_ERROR){
261
if(rc != GPG_ERR_NO_ERROR){
143
262
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
144
263
gpgme_strsource(rc), gpgme_strerror(rc));
145
264
return -1;
147
266
148
267
/* Create new empty GPGME data buffer for the plaintext */
149
268
rc = gpgme_data_new(&dh_plain);
150
if (rc != GPG_ERR_NO_ERROR){
269
if(rc != GPG_ERR_NO_ERROR){
151
270
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
152
271
gpgme_strsource(rc), gpgme_strerror(rc));
153
272
gpgme_data_release(dh_crypto);
154
273
return -1;
155
274
}
156
275
157
/* Create new GPGME "context" */
158
rc = gpgme_new(&ctx);
159
if (rc != GPG_ERR_NO_ERROR){
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
161
gpgme_strsource(rc), gpgme_strerror(rc));
162
plaintext_length = -1;
163
goto decrypt_end;
164
}
165
166
276
/* Decrypt data from the cryptotext data buffer to the plaintext
167
277
data buffer */
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
169
if (rc != GPG_ERR_NO_ERROR){
278
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
170
280
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
171
281
gpgme_strsource(rc), gpgme_strerror(rc));
172
282
plaintext_length = -1;
283
if(debug){
284
gpgme_decrypt_result_t result;
285
result = gpgme_op_decrypt_result(mc->ctx);
286
if(result == NULL){
287
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
288
} else {
289
fprintf(stderr, "Unsupported algorithm: %s\n",
290
result->unsupported_algorithm);
291
fprintf(stderr, "Wrong key usage: %u\n",
292
result->wrong_key_usage);
293
if(result->file_name != NULL){
294
fprintf(stderr, "File name: %s\n", result->file_name);
295
}
296
gpgme_recipient_t recipient;
297
recipient = result->recipients;
298
if(recipient){
299
while(recipient != NULL){
300
fprintf(stderr, "Public key algorithm: %s\n",
301
gpgme_pubkey_algo_name(recipient->pubkey_algo));
302
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
303
fprintf(stderr, "Secret key available: %s\n",
304
recipient->status == GPG_ERR_NO_SECKEY
305
? "No" : "Yes");
306
recipient = recipient->next;
307
}
308
}
309
}
310
}
173
311
goto decrypt_end;
174
312
}
175
313
177
315
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
178
316
}
179
317
180
if (debug){
181
gpgme_decrypt_result_t result;
182
result = gpgme_op_decrypt_result(ctx);
183
if (result == NULL){
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
185
} else {
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
190
if(result->file_name != NULL){
191
fprintf(stderr, "File name: %s\n", result->file_name);
192
}
193
gpgme_recipient_t recipient;
194
recipient = result->recipients;
195
if(recipient){
196
while(recipient != NULL){
197
fprintf(stderr, "Public key algorithm: %s\n",
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
200
fprintf(stderr, "Secret key available: %s\n",
201
recipient->status == GPG_ERR_NO_SECKEY
202
? "No" : "Yes");
203
recipient = recipient->next;
204
}
205
}
206
}
207
}
208
209
318
/* Seek back to the beginning of the GPGME plaintext data buffer */
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
320
perror("gpgme_data_seek");
212
321
plaintext_length = -1;
213
322
goto decrypt_end;
214
323
}
215
324
216
325
*plaintext = NULL;
217
326
while(true){
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
327
plaintext_capacity = adjustbuffer(plaintext,
328
(size_t)plaintext_length,
329
plaintext_capacity);
330
if(plaintext_capacity == 0){
331
perror("adjustbuffer");
224
332
plaintext_length = -1;
225
333
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
228
334
}
229
335
230
336
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
231
337
BUFFER_SIZE);
232
338
/* Print the data, if any */
233
if (ret == 0){
339
if(ret == 0){
234
340
/* EOF */
235
341
break;
236
342
}
241
347
}
242
348
plaintext_length += ret;
243
349
}
244
350
245
351
if(debug){
246
352
fprintf(stderr, "Decrypted password is: ");
247
for(size_t i = 0; i < plaintext_length; i++){
353
for(ssize_t i = 0; i < plaintext_length; i++){
248
354
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
249
355
}
250
356
fprintf(stderr, "\n");
260
366
return plaintext_length;
261
367
}
262
368
263
static const char * safer_gnutls_strerror (int value) {
264
const char *ret = gnutls_strerror (value);
265
if (ret == NULL)
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
372
if(ret == NULL)
266
373
ret = "(unknown)";
267
374
return ret;
268
375
}
269
376
377
/* GnuTLS log function callback */
270
378
static void debuggnutls(__attribute__((unused)) int level,
271
379
const char* string){
272
fprintf(stderr, "%s", string);
380
fprintf(stderr, "GnuTLS: %s", string);
273
381
}
274
382
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
383
static int init_gnutls_global(mandos_context *mc,
384
const char *pubkeyfilename,
385
const char *seckeyfilename){
278
386
int ret;
279
387
280
388
if(debug){
281
389
fprintf(stderr, "Initializing GnuTLS\n");
282
390
}
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
391
392
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
287
396
return -1;
288
397
}
289
398
290
if (debug){
399
if(debug){
400
/* "Use a log level over 10 to enable all debugging options."
401
* - GnuTLS manual
402
*/
291
403
gnutls_global_set_log_level(11);
292
404
gnutls_global_set_log_function(debuggnutls);
293
405
}
294
406
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
299
safer_gnutls_strerror(ret));
407
/* OpenPGP credentials */
408
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
411
* from
412
* -Wunreachable-code
413
*/
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
300
416
return -1;
301
417
}
302
418
303
419
if(debug){
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
420
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
421
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
422
seckeyfilename);
307
423
}
308
424
309
425
ret = gnutls_certificate_set_openpgp_key_file
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
311
if (ret != GNUTLS_E_SUCCESS) {
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
317
safer_gnutls_strerror(ret));
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
426
(mc->cred, pubkeyfilename, seckeyfilename,
427
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
429
fprintf(stderr,
430
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
432
fprintf(stderr, "The GnuTLS error is: %s\n",
433
safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
437
/* GnuTLS server initialization */
438
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
442
goto globalfail;
443
}
444
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
451
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
453
return 0;
454
455
globalfail:
456
457
gnutls_certificate_free_credentials(mc->cred);
458
gnutls_global_deinit();
459
gnutls_dh_params_deinit(mc->dh_params);
460
return -1;
461
}
462
463
static int init_gnutls_session(mandos_context *mc,
464
gnutls_session_t *session){
465
int ret;
466
/* GnuTLS session creation */
467
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
341
469
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
342
470
safer_gnutls_strerror(ret));
343
471
}
344
472
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
473
{
474
const char *err;
475
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
477
fprintf(stderr, "Syntax error at: %s\n", err);
478
fprintf(stderr, "GnuTLS error: %s\n",
479
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
481
return -1;
482
}
351
483
}
352
484
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
485
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
486
mc->cred);
487
if(ret != GNUTLS_E_SUCCESS) {
488
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
357
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
358
491
return -1;
359
492
}
360
493
361
494
/* ignore client certificate if any. */
362
gnutls_certificate_server_set_request (*session,
363
GNUTLS_CERT_IGNORE);
495
gnutls_certificate_server_set_request(*session,
496
GNUTLS_CERT_IGNORE);
364
497
365
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
366
499
367
500
return 0;
368
501
}
369
502
503
/* Avahi log function callback */
370
504
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
371
505
__attribute__((unused)) const char *txt){}
372
506
507
/* Called when a Mandos server is found */
373
508
static int start_mandos_communication(const char *ip, uint16_t port,
374
509
AvahiIfIndex if_index,
375
510
mandos_context *mc){
376
511
int ret, tcp_sd;
377
struct sockaddr_in6 to;
512
ssize_t sret;
513
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
378
514
char *buffer = NULL;
379
515
char *decrypted_buffer;
380
516
size_t buffer_length = 0;
381
517
size_t buffer_capacity = 0;
382
518
ssize_t decrypted_buffer_size;
383
size_t written = 0;
519
size_t written;
384
520
int retval = 0;
385
521
char interface[IF_NAMESIZE];
386
522
gnutls_session_t session;
387
gnutls_dh_params_t dh_params;
523
524
ret = init_gnutls_session(mc, &session);
525
if(ret != 0){
526
return -1;
527
}
388
528
389
529
if(debug){
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
530
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
531
"\n", ip, port);
392
532
}
393
533
394
534
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
396
536
perror("socket");
397
537
return -1;
398
538
}
399
539
400
540
if(debug){
401
541
if(if_indextoname((unsigned int)if_index, interface) == NULL){
402
542
perror("if_indextoname");
405
545
fprintf(stderr, "Binding to interface %s\n", interface);
406
546
}
407
547
408
memset(&to,0,sizeof(to)); /* Spurious warning */
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
411
if (ret < 0 ){
548
memset(&to, 0, sizeof(to));
549
to.in6.sin6_family = AF_INET6;
550
/* It would be nice to have a way to detect if we were passed an
551
IPv4 address here. Now we assume an IPv6 address. */
552
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
553
if(ret < 0 ){
412
554
perror("inet_pton");
413
555
return -1;
414
556
}
416
558
fprintf(stderr, "Bad address: %s\n", ip);
417
559
return -1;
418
560
}
419
to.sin6_port = htons(port); /* Spurious warning */
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
562
-Wconversion and
563
-Wunreachable-code */
420
564
421
to.sin6_scope_id = (uint32_t)if_index;
565
to.in6.sin6_scope_id = (uint32_t)if_index;
422
566
423
567
if(debug){
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
568
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
569
port);
425
570
char addrstr[INET6_ADDRSTRLEN] = "";
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
571
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
427
572
sizeof(addrstr)) == NULL){
428
573
perror("inet_ntop");
429
574
} else {
433
578
}
434
579
}
435
580
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
437
if (ret < 0){
581
ret = connect(tcp_sd, &to.in, sizeof(to));
582
if(ret < 0){
438
583
perror("connect");
439
584
return -1;
440
585
}
441
586
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
587
const char *out = mandos_protocol_version;
588
written = 0;
589
while(true){
590
size_t out_size = strlen(out);
591
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
out_size - written));
593
if(ret == -1){
594
perror("write");
595
retval = -1;
596
goto mandos_end;
597
}
598
written += (size_t)ret;
599
if(written < out_size){
600
continue;
601
} else {
602
if(out == mandos_protocol_version){
603
written = 0;
604
out = "\r\n";
605
} else {
606
break;
607
}
608
}
446
609
}
447
610
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
450
611
if(debug){
451
612
fprintf(stderr, "Establishing TLS session with %s\n", ip);
452
613
}
453
614
454
ret = gnutls_handshake (session);
455
456
if (ret != GNUTLS_E_SUCCESS){
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
616
617
do{
618
ret = gnutls_handshake(session);
619
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
620
621
if(ret != GNUTLS_E_SUCCESS){
457
622
if(debug){
458
fprintf(stderr, "\n*** Handshake failed ***\n");
459
gnutls_perror (ret);
623
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
624
gnutls_perror(ret);
460
625
}
461
626
retval = -1;
462
goto exit;
627
goto mandos_end;
463
628
}
464
629
465
//Retrieve OpenPGP packet that contains the wanted password
630
/* Read OpenPGP packet that contains the wanted password */
466
631
467
632
if(debug){
468
633
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
469
634
ip);
470
635
}
471
636
472
637
while(true){
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
638
buffer_capacity = adjustbuffer(&buffer, buffer_length,
639
buffer_capacity);
640
if(buffer_capacity == 0){
641
perror("adjustbuffer");
642
retval = -1;
643
goto mandos_end;
480
644
}
481
645
482
ret = gnutls_record_recv(session, buffer+buffer_length,
483
BUFFER_SIZE);
484
if (ret == 0){
646
sret = gnutls_record_recv(session, buffer+buffer_length,
647
BUFFER_SIZE);
648
if(sret == 0){
485
649
break;
486
650
}
487
if (ret < 0){
488
switch(ret){
651
if(sret < 0){
652
switch(sret){
489
653
case GNUTLS_E_INTERRUPTED:
490
654
case GNUTLS_E_AGAIN:
491
655
break;
492
656
case GNUTLS_E_REHANDSHAKE:
493
ret = gnutls_handshake (session);
494
if (ret < 0){
495
fprintf(stderr, "\n*** Handshake failed ***\n");
496
gnutls_perror (ret);
657
do{
658
ret = gnutls_handshake(session);
659
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
660
if(ret < 0){
661
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
662
gnutls_perror(ret);
497
663
retval = -1;
498
goto exit;
664
goto mandos_end;
499
665
}
500
666
break;
501
667
default:
502
668
fprintf(stderr, "Unknown error while reading data from"
503
" encrypted session with mandos server\n");
669
" encrypted session with Mandos server\n");
504
670
retval = -1;
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
506
goto exit;
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
672
goto mandos_end;
507
673
}
508
674
} else {
509
buffer_length += (size_t) ret;
675
buffer_length += (size_t) sret;
510
676
}
511
677
}
512
678
513
if (buffer_length > 0){
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
679
if(debug){
680
fprintf(stderr, "Closing TLS session\n");
681
}
682
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
684
685
if(buffer_length > 0){
686
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
515
687
buffer_length,
516
&decrypted_buffer,
517
keydir);
518
if (decrypted_buffer_size >= 0){
688
&decrypted_buffer);
689
if(decrypted_buffer_size >= 0){
690
written = 0;
519
691
while(written < (size_t) decrypted_buffer_size){
520
ret = (int)fwrite (decrypted_buffer + written, 1,
521
(size_t)decrypted_buffer_size - written,
522
stdout);
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
694
stdout);
523
695
if(ret == 0 and ferror(stdout)){
524
696
if(debug){
525
697
fprintf(stderr, "Error writing encrypted data: %s\n",
534
706
} else {
535
707
retval = -1;
536
708
}
537
}
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
709
} else {
710
retval = -1;
711
}
712
713
/* Shutdown procedure */
714
715
mandos_end:
545
716
free(buffer);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
548
close(tcp_sd);
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
717
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
718
if(ret == -1){
719
perror("close");
720
}
721
gnutls_deinit(session);
552
722
return retval;
553
723
}
554
724
567
737
flags,
568
738
void* userdata) {
569
739
mandos_context *mc = userdata;
570
assert(r); /* Spurious warning */
740
assert(r);
571
741
572
742
/* Called whenever a service has been resolved successfully or
573
743
timed out */
574
744
575
switch (event) {
745
switch(event) {
576
746
default:
577
747
case AVAHI_RESOLVER_FAILURE:
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
748
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
749
" of type '%s' in domain '%s': %s\n", name, type, domain,
580
750
avahi_strerror(avahi_server_errno(mc->server)));
581
751
break;
582
752
585
755
char ip[AVAHI_ADDRESS_STR_MAX];
586
756
avahi_address_snprint(ip, sizeof(ip), address);
587
757
if(debug){
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
758
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
590
761
}
591
762
int ret = start_mandos_communication(ip, port, interface, mc);
592
if (ret == 0){
593
exit(EXIT_SUCCESS);
763
if(ret == 0){
764
avahi_simple_poll_quit(mc->simple_poll);
594
765
}
595
766
}
596
767
}
608
779
flags,
609
780
void* userdata) {
610
781
mandos_context *mc = userdata;
611
assert(b); /* Spurious warning */
782
assert(b);
612
783
613
784
/* Called whenever a new services becomes available on the LAN or
614
785
is removed from the LAN */
615
786
616
switch (event) {
787
switch(event) {
617
788
default:
618
789
case AVAHI_BROWSER_FAILURE:
619
790
620
fprintf(stderr, "(Browser) %s\n",
791
fprintf(stderr, "(Avahi browser) %s\n",
621
792
avahi_strerror(avahi_server_errno(mc->server)));
622
793
avahi_simple_poll_quit(mc->simple_poll);
623
794
return;
624
795
625
796
case AVAHI_BROWSER_NEW:
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
797
/* We ignore the returned Avahi resolver object. In the callback
798
function we free it. If the Avahi server is terminated before
799
the callback function is called the Avahi server will free the
800
resolver for us. */
630
801
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
632
803
protocol, name, type, domain,
633
804
AVAHI_PROTO_INET6, 0,
634
805
resolve_callback, mc)))
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
806
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
807
name, avahi_strerror(avahi_server_errno(mc->server)));
637
808
break;
638
809
639
810
case AVAHI_BROWSER_REMOVE:
641
812
642
813
case AVAHI_BROWSER_ALL_FOR_NOW:
643
814
case AVAHI_BROWSER_CACHE_EXHAUSTED:
815
if(debug){
816
fprintf(stderr, "No Mandos server found, still searching...\n");
817
}
644
818
break;
645
819
}
646
820
}
647
821
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
655
return NULL;
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
665
return tmp;
666
}
667
668
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
822
int main(int argc, char *argv[]){
671
823
AvahiSServiceBrowser *sb = NULL;
672
824
int error;
673
825
int ret;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
826
intmax_t tmpmax;
827
int numchars;
828
int exitcode = EXIT_SUCCESS;
676
829
const char *interface = "eth0";
677
830
struct ifreq network;
678
831
int sd;
832
uid_t uid;
833
gid_t gid;
679
834
char *connect_to = NULL;
835
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
680
837
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
838
const char *seckey = PATHDIR "/" SECKEY;
839
const char *pubkey = PATHDIR "/" PUBKEY;
840
681
841
mandos_context mc = { .simple_poll = NULL, .server = NULL,
682
.dh_bits = 1024, .priority = "SECURE256"};
683
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
729
}
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
737
}
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
842
.dh_bits = 1024, .priority = "SECURE256"
843
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
846
double delay = 2.5;
847
848
{
849
struct argp_option options[] = {
850
{ .name = "debug", .key = 128,
851
.doc = "Debug mode", .group = 3 },
852
{ .name = "connect", .key = 'c',
853
.arg = "ADDRESS:PORT",
854
.doc = "Connect directly to a specific Mandos server",
855
.group = 1 },
856
{ .name = "interface", .key = 'i',
857
.arg = "NAME",
858
.doc = "Interface that will be used to search for Mandos"
859
" servers",
860
.group = 1 },
861
{ .name = "seckey", .key = 's',
862
.arg = "FILE",
863
.doc = "OpenPGP secret key file base name",
864
.group = 1 },
865
{ .name = "pubkey", .key = 'p',
866
.arg = "FILE",
867
.doc = "OpenPGP public key file base name",
868
.group = 2 },
869
{ .name = "dh-bits", .key = 129,
870
.arg = "BITS",
871
.doc = "Bit length of the prime number used in the"
872
" Diffie-Hellman key exchange",
873
.group = 2 },
874
{ .name = "priority", .key = 130,
875
.arg = "STRING",
876
.doc = "GnuTLS priority string for the TLS handshake",
877
.group = 1 },
878
{ .name = "delay", .key = 131,
879
.arg = "SECONDS",
880
.doc = "Maximum delay to wait for interface startup",
881
.group = 2 },
882
{ .name = NULL }
883
};
884
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
887
switch(key) {
888
case 128: /* --debug */
889
debug = true;
890
break;
891
case 'c': /* --connect */
892
connect_to = arg;
893
break;
894
case 'i': /* --interface */
895
interface = arg;
896
break;
897
case 's': /* --seckey */
898
seckey = arg;
899
break;
900
case 'p': /* --pubkey */
901
pubkey = arg;
902
break;
903
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
907
fprintf(stderr, "Bad number of DH bits\n");
908
exit(EXIT_FAILURE);
909
}
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
911
break;
912
case 130: /* --priority */
913
mc.priority = arg;
914
break;
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
919
exit(EXIT_FAILURE);
920
}
921
break;
922
case ARGP_KEY_ARG:
923
argp_usage(state);
924
case ARGP_KEY_END:
925
break;
926
default:
927
return ARGP_ERR_UNKNOWN;
928
}
929
return 0;
930
}
931
932
struct argp argp = { .options = options, .parser = parse_opt,
933
.args_doc = "",
934
.doc = "Mandos client -- Get and decrypt"
935
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
938
fprintf(stderr, "Unknown error while parsing arguments\n");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
944
/* If the interface is down, bring it up */
945
{
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
949
if(ret == -1){
950
perror("klogctl");
951
}
952
953
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
954
if(sd < 0) {
955
perror("socket");
956
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
958
if(ret == -1){
959
perror("klogctl");
960
}
961
goto end;
962
}
963
strcpy(network.ifr_name, interface);
964
ret = ioctl(sd, SIOCGIFFLAGS, &network);
965
if(ret == -1){
966
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
968
if(ret == -1){
969
perror("klogctl");
970
}
971
exitcode = EXIT_FAILURE;
972
goto end;
973
}
974
if((network.ifr_flags & IFF_UP) == 0){
975
network.ifr_flags |= IFF_UP;
976
ret = ioctl(sd, SIOCSIFFLAGS, &network);
977
if(ret == -1){
978
perror("ioctl SIOCSIFFLAGS");
979
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
981
if(ret == -1){
982
perror("klogctl");
983
}
984
goto end;
985
}
986
}
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
990
if(ret == -1){
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
993
break;
994
}
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
997
}
998
ret = (int)TEMP_FAILURE_RETRY(close(sd));
999
if(ret == -1){
1000
perror("close");
1001
}
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1004
if(ret == -1){
1005
perror("klogctl");
1006
}
1007
}
1008
1009
uid = getuid();
1010
gid = getgid();
1011
1012
setgid(gid);
1013
if(ret == -1){
1014
perror("setgid");
1015
}
1016
1017
ret = setuid(uid);
1018
if(ret == -1){
1019
perror("setuid");
1020
}
1021
1022
ret = init_gnutls_global(&mc, pubkey, seckey);
1023
if(ret == -1){
1024
fprintf(stderr, "init_gnutls_global failed\n");
1025
exitcode = EXIT_FAILURE;
1026
goto end;
1027
} else {
1028
gnutls_initialized = true;
1029
}
1030
1031
if(mkdtemp(tempdir) == NULL){
1032
perror("mkdtemp");
1033
goto end;
1034
}
1035
tempdir_created = true;
1036
1037
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
} else {
1042
gpgme_initialized = true;
752
1043
}
753
1044
754
1045
if_index = (AvahiIfIndex) if_nametoindex(interface);
755
1046
if(if_index == 0){
756
1047
fprintf(stderr, "No such interface: \"%s\"\n", interface);
757
exit(EXIT_FAILURE);
1048
exitcode = EXIT_FAILURE;
1049
goto end;
758
1050
}
759
1051
760
1052
if(connect_to != NULL){
763
1055
char *address = strrchr(connect_to, ':');
764
1056
if(address == NULL){
765
1057
fprintf(stderr, "No colon in address\n");
766
exit(EXIT_FAILURE);
767
}
768
errno = 0;
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
770
if(errno){
771
perror("Bad port number");
772
exit(EXIT_FAILURE);
773
}
1058
exitcode = EXIT_FAILURE;
1059
goto end;
1060
}
1061
uint16_t port;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
1065
fprintf(stderr, "Bad port number\n");
1066
exitcode = EXIT_FAILURE;
1067
goto end;
1068
}
1069
port = (uint16_t)tmpmax;
774
1070
*address = '\0';
775
1071
address = connect_to;
776
1072
ret = start_mandos_communication(address, port, if_index, &mc);
777
1073
if(ret < 0){
778
exit(EXIT_FAILURE);
1074
exitcode = EXIT_FAILURE;
779
1075
} else {
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
808
809
if (not debug){
1076
exitcode = EXIT_SUCCESS;
1077
}
1078
goto end;
1079
}
1080
1081
if(not debug){
810
1082
avahi_set_log_function(empty_log);
811
1083
}
812
1084
813
/* Initialize the psuedo-RNG */
1085
/* Initialize the pseudo-RNG for Avahi */
814
1086
srand((unsigned int) time(NULL));
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
829
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
1087
1088
/* Allocate main Avahi loop object */
1089
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1091
fprintf(stderr, "Avahi: Failed to create simple poll"
1092
" object.\n");
1093
exitcode = EXIT_FAILURE;
1094
goto end;
1095
}
1096
1097
{
1098
AvahiServerConfig config;
1099
/* Do not publish any local Zeroconf records */
1100
avahi_server_config_init(&config);
1101
config.publish_hinfo = 0;
1102
config.publish_addresses = 0;
1103
config.publish_workstation = 0;
1104
config.publish_domain = 0;
1105
1106
/* Allocate a new server */
1107
mc.server = avahi_server_new(avahi_simple_poll_get
1108
(mc.simple_poll), &config, NULL,
1109
NULL, &error);
1110
1111
/* Free the Avahi configuration data */
1112
avahi_server_config_free(&config);
1113
}
1114
1115
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1117
fprintf(stderr, "Failed to create Avahi server: %s\n",
840
1118
avahi_strerror(error));
841
returncode = EXIT_FAILURE;
842
goto exit;
1119
exitcode = EXIT_FAILURE;
1120
goto end;
843
1121
}
844
1122
845
/* Create the service browser */
1123
/* Create the Avahi service browser */
846
1124
sb = avahi_s_service_browser_new(mc.server, if_index,
847
1125
AVAHI_PROTO_INET6,
848
1126
"_mandos._tcp", NULL, 0,
849
1127
browse_callback, &mc);
850
if (!sb) {
1128
if(sb == NULL) {
851
1129
fprintf(stderr, "Failed to create service browser: %s\n",
852
1130
avahi_strerror(avahi_server_errno(mc.server)));
853
returncode = EXIT_FAILURE;
854
goto exit;
1131
exitcode = EXIT_FAILURE;
1132
goto end;
855
1133
}
856
1134
857
1135
/* Run the main loop */
1136
1137
if(debug){
1138
fprintf(stderr, "Starting Avahi loop search\n");
1139
}
858
1140
859
if (debug){
860
fprintf(stderr, "Starting avahi loop search\n");
861
}
862
863
1141
avahi_simple_poll_loop(mc.simple_poll);
864
1142
865
exit:
866
867
if (debug){
1143
end:
1144
1145
if(debug){
868
1146
fprintf(stderr, "%s exiting\n", argv[0]);
869
1147
}
870
1148
871
1149
/* Cleanup things */
872
if (sb)
1150
if(sb != NULL)
873
1151
avahi_s_service_browser_free(sb);
874
1152
875
if (mc.server)
1153
if(mc.server != NULL)
876
1154
avahi_server_free(mc.server);
877
878
if (mc.simple_poll)
1155
1156
if(mc.simple_poll != NULL)
879
1157
avahi_simple_poll_free(mc.simple_poll);
880
free(pubkeyfile);
881
free(seckeyfile);
882
883
return returncode;
1158
1159
if(gnutls_initialized){
1160
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1162
gnutls_dh_params_deinit(mc.dh_params);
1163
}
1164
1165
if(gpgme_initialized){
1166
gpgme_release(mc.ctx);
1167
}
1168
1169
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1171
DIR *d;
1172
struct dirent *direntry;
1173
d = opendir(tempdir);
1174
if(d == NULL){
1175
if(errno != ENOENT){
1176
perror("opendir");
1177
}
1178
} else {
1179
while(true){
1180
direntry = readdir(d);
1181
if(direntry == NULL){
1182
break;
1183
}
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1189
continue;
1190
}
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1193
direntry->d_name);
1194
if(ret < 0){
1195
perror("asprintf");
1196
continue;
1197
}
1198
ret = remove(fullname);
1199
if(ret == -1){
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1201
strerror(errno));
1202
}
1203
free(fullname);
1204
}
1205
closedir(d);
1206
}
1207
ret = rmdir(tempdir);
1208
if(ret == -1 and errno != ENOENT){
1209
perror("rmdir");
1210
}
1211
}
1212
1213
return exitcode;
884
1214
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0