/mandos/trunk : revision 292

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-02-03 22:41:49 UTC
Revision ID: teddy@fukt.bsnet.se-20090203224149-fc1301jojmusbzlx

* Makefile (run-server): Use "--no-dbus" unconditionally.

* initramfs-tools-script: Correct tests for writable "/conf/conf.d".

* mandos: Add process ID number to logging messages.
  (IPv6_TCPServer.server_bind): Use plain "raise".
  (main): Do not try to handle SIGSEGV; it does not work.  Use plain
         "raise".  Log KeyboardInterrupt and server exit.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf(),

remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <sys/klog.h> /* klogctl() */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

100

101

/* GPGME */

102

#include <gpgme.h> /* All GPGME types, constants and

103

functions:

104

gpgme_*

105

GPGME_PROTOCOL_OpenPGP,

106

GPG_ERR_NO_* */

107

108

#define BUFFER_SIZE 256

#define DH_BITS 1024

109

static const char *certdir = "/conf/conf.d/mandos";

static const char *certfile = "openpgp-client.txt";

static const char *certkey = "openpgp-client-key.txt";

110

#define PATHDIR "/conf/conf.d/mandos"

111

#define SECKEY "seckey.txt"

112

#define PUBKEY "pubkey.txt"

113

114

bool debug = false;

115

static const char mandos_protocol_version[] = "1";

116

const char *argp_program_version = "mandos-client " VERSION;

117

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

118

119

/* Used for passing in values through the Avahi callback functions */

120

typedef struct {

gnutls_session_t session;

121

AvahiSimplePoll *simple_poll;

122

AvahiServer *server;

123

gnutls_certificate_credentials_t cred;

124

unsigned int dh_bits;

125

gnutls_dh_params_t dh_params;

} encrypted_session;

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet,

const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

126

const char *priority;

127

gpgme_ctx_t ctx;

128

} mandos_context;

129

130

131

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

132

* "buffer_capacity" is how much is currently allocated,

133

* "buffer_length" is how much is already used.

134

135

size_t adjustbuffer(char **buffer, size_t buffer_length,

136

size_t buffer_capacity){

137

if(buffer_length + BUFFER_SIZE > buffer_capacity){

138

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

139

if(buffer == NULL){

140

return 0;

141

}

142

buffer_capacity += BUFFER_SIZE;

143

}

144

return buffer_capacity;

145

}

146

147

148

* Initialize GPGME.

149

150

static bool init_gpgme(mandos_context *mc, const char *seckey,

151

const char *pubkey, const char *tempdir){

152

int ret;

153

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

154

gpgme_engine_info_t engine_info;

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

155

156

157

158

* Helper function to insert pub and seckey to the engine keyring.

159

160

bool import_key(const char *filename){

161

int fd;

162

gpgme_data_t pgp_data;

163

164

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

165

if(fd == -1){

166

perror("open");

167

return false;

168

}

169

170

rc = gpgme_data_new_from_fd(&pgp_data, fd);

171

if(rc != GPG_ERR_NO_ERROR){

172

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

173

gpgme_strsource(rc), gpgme_strerror(rc));

174

return false;

175

}

176

177

rc = gpgme_op_import(mc->ctx, pgp_data);

178

if(rc != GPG_ERR_NO_ERROR){

179

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

180

gpgme_strsource(rc), gpgme_strerror(rc));

181

return false;

182

}

183

184

ret = (int)TEMP_FAILURE_RETRY(close(fd));

185

if(ret == -1){

186

perror("close");

187

}

188

gpgme_data_release(pgp_data);

189

return true;

190

}

191

192

if(debug){

193

fprintf(stderr, "Initialize gpgme\n");

100

194

}

101

195

102

196

/* Init GPGME */

103

197

gpgme_check_version(NULL);

104

198

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

105

if (rc != GPG_ERR_NO_ERROR){

199

if(rc != GPG_ERR_NO_ERROR){

106

200

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

107

201

gpgme_strsource(rc), gpgme_strerror(rc));

108

return -1;

202

return false;

109

203

}

110

204

111

/* Set GPGME home directory */

112

rc = gpgme_get_engine_info (&engine_info);

113

if (rc != GPG_ERR_NO_ERROR){

205

/* Set GPGME home directory for the OpenPGP engine only */

206

rc = gpgme_get_engine_info(&engine_info);

207

if(rc != GPG_ERR_NO_ERROR){

114

208

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

115

209

gpgme_strsource(rc), gpgme_strerror(rc));

116

return -1;

210

return false;

117

211

}

118

212

while(engine_info != NULL){

119

213

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

120

214

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

121

engine_info->file_name, homedir);

215

engine_info->file_name, tempdir);

122

216

break;

123

217

}

124

218

engine_info = engine_info->next;

125

219

}

126

220

if(engine_info == NULL){

127

fprintf(stderr, "Could not set home dir to %s\n", homedir);

128

return -1;

129

}

130

131

/* Create new GPGME data buffer from packet buffer */

132

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

133

if (rc != GPG_ERR_NO_ERROR){

221

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

222

return false;

223

}

224

225

/* Create new GPGME "context" */

226

rc = gpgme_new(&(mc->ctx));

227

if(rc != GPG_ERR_NO_ERROR){

228

fprintf(stderr, "bad gpgme_new: %s: %s\n",

229

gpgme_strsource(rc), gpgme_strerror(rc));

230

return false;

231

}

232

233

if(not import_key(pubkey) or not import_key(seckey)){

234

return false;

235

}

236

237

return true;

238

}

239

240

241

* Decrypt OpenPGP data.

242

* Returns -1 on error

243

244

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

245

const char *cryptotext,

246

size_t crypto_size,

247

char **plaintext){

248

gpgme_data_t dh_crypto, dh_plain;

249

gpgme_error_t rc;

250

ssize_t ret;

251

size_t plaintext_capacity = 0;

252

ssize_t plaintext_length = 0;

253

254

if(debug){

255

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

256

}

257

258

/* Create new GPGME data buffer from memory cryptotext */

259

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

260

0);

261

if(rc != GPG_ERR_NO_ERROR){

134

262

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

135

263

gpgme_strsource(rc), gpgme_strerror(rc));

136

264

return -1;

138

266

139

267

/* Create new empty GPGME data buffer for the plaintext */

140

268

rc = gpgme_data_new(&dh_plain);

141

if (rc != GPG_ERR_NO_ERROR){

269

if(rc != GPG_ERR_NO_ERROR){

142

270

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

143

271

gpgme_strsource(rc), gpgme_strerror(rc));

144

return -1;

145

}

146

147

/* Create new GPGME "context" */

148

rc = gpgme_new(&ctx);

149

if (rc != GPG_ERR_NO_ERROR){

150

fprintf(stderr, "bad gpgme_new: %s: %s\n",

151

gpgme_strsource(rc), gpgme_strerror(rc));

152

return -1;

153

}

154

155

/* Decrypt data from the FILE pointer to the plaintext data

156

buffer */

157

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

158

if (rc != GPG_ERR_NO_ERROR){

272

gpgme_data_release(dh_crypto);

273

return -1;

274

}

275

276

/* Decrypt data from the cryptotext data buffer to the plaintext

277

data buffer */

278

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

279

if(rc != GPG_ERR_NO_ERROR){

159

280

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

160

281

gpgme_strsource(rc), gpgme_strerror(rc));

161

return -1;

282

plaintext_length = -1;

283

if(debug){

284

gpgme_decrypt_result_t result;

285

result = gpgme_op_decrypt_result(mc->ctx);

286

if(result == NULL){

287

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

288

} else {

289

fprintf(stderr, "Unsupported algorithm: %s\n",

290

result->unsupported_algorithm);

291

fprintf(stderr, "Wrong key usage: %u\n",

292

result->wrong_key_usage);

293

if(result->file_name != NULL){

294

fprintf(stderr, "File name: %s\n", result->file_name);

295

}

296

gpgme_recipient_t recipient;

297

recipient = result->recipients;

298

if(recipient){

299

while(recipient != NULL){

300

fprintf(stderr, "Public key algorithm: %s\n",

301

gpgme_pubkey_algo_name(recipient->pubkey_algo));

302

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

303

fprintf(stderr, "Secret key available: %s\n",

304

recipient->status == GPG_ERR_NO_SECKEY

305

? "No" : "Yes");

306

recipient = recipient->next;

307

}

308

}

309

}

310

}

311

goto decrypt_end;

162

312

}

163

313

164

314

if(debug){

165

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

166

}

167

168

if (debug){

169

gpgme_decrypt_result_t result;

170

result = gpgme_op_decrypt_result(ctx);

171

if (result == NULL){

172

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

173

} else {

174

fprintf(stderr, "Unsupported algorithm: %s\n",

175

result->unsupported_algorithm);

176

fprintf(stderr, "Wrong key usage: %d\n",

177

result->wrong_key_usage);

178

if(result->file_name != NULL){

179

fprintf(stderr, "File name: %s\n", result->file_name);

180

}

181

gpgme_recipient_t recipient;

182

recipient = result->recipients;

183

if(recipient){

184

while(recipient != NULL){

185

fprintf(stderr, "Public key algorithm: %s\n",

186

gpgme_pubkey_algo_name(recipient->pubkey_algo));

187

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

188

fprintf(stderr, "Secret key available: %s\n",

189

recipient->status == GPG_ERR_NO_SECKEY

190

? "No" : "Yes");

191

recipient = recipient->next;

192

}

193

}

194

}

195

}

196

197

/* Delete the GPGME FILE pointer cryptotext data buffer */

198

gpgme_data_release(dh_crypto);

315

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

316

}

199

317

200

318

/* Seek back to the beginning of the GPGME plaintext data buffer */

201

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

202

perror("pgpme_data_seek");

319

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

320

perror("gpgme_data_seek");

321

plaintext_length = -1;

322

goto decrypt_end;

203

323

}

204

324

205

*new_packet = 0;

325

*plaintext = NULL;

206

326

while(true){

207

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

208

*new_packet = realloc(*new_packet,

209

(unsigned int)new_packet_capacity

210

+ BUFFER_SIZE);

211

if (*new_packet == NULL){

212

perror("realloc");

213

return -1;

214

}

215

new_packet_capacity += BUFFER_SIZE;

327

plaintext_capacity = adjustbuffer(plaintext,

328

(size_t)plaintext_length,

329

plaintext_capacity);

330

if(plaintext_capacity == 0){

331

perror("adjustbuffer");

332

plaintext_length = -1;

333

goto decrypt_end;

216

334

}

217

335

218

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

336

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

219

337

BUFFER_SIZE);

220

338

/* Print the data, if any */

221

if (ret == 0){

339

if(ret == 0){

340

/* EOF */

222

341

break;

223

342

}

224

343

if(ret < 0){

225

344

perror("gpgme_data_read");

226

return -1;

227

}

228

new_packet_length += ret;

229

}

230

231

/* FIXME: check characters before printing to screen so to not print

232

terminal control characters */

233

/* if(debug){ */

234

/* fprintf(stderr, "decrypted password is: "); */

235

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

236

/* fprintf(stderr, "\n"); */

237

/* } */

345

plaintext_length = -1;

346

goto decrypt_end;

347

}

348

plaintext_length += ret;

349

}

350

351

if(debug){

352

fprintf(stderr, "Decrypted password is: ");

353

for(ssize_t i = 0; i < plaintext_length; i++){

354

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

355

}

356

fprintf(stderr, "\n");

357

}

358

359

decrypt_end:

360

361

/* Delete the GPGME cryptotext data buffer */

362

gpgme_data_release(dh_crypto);

238

363

239

364

/* Delete the GPGME plaintext data buffer */

240

365

gpgme_data_release(dh_plain);

241

return new_packet_length;

366

return plaintext_length;

242

367

}

243

368

244

static const char * safer_gnutls_strerror (int value) {

245

const char *ret = gnutls_strerror (value);

246

if (ret == NULL)

369

static const char * safer_gnutls_strerror(int value) {

370

const char *ret = gnutls_strerror(value); /* Spurious warning from

371

-Wunreachable-code */

372

if(ret == NULL)

247

373

ret = "(unknown)";

248

374

return ret;

249

375

}

250

376

377

/* GnuTLS log function callback */

251

378

static void debuggnutls(__attribute__((unused)) int level,

252

379

const char* string){

253

fprintf(stderr, "%s", string);

380

fprintf(stderr, "GnuTLS: %s", string);

254

381

}

255

382

256

static int initgnutls(encrypted_session *es){

257

const char *err;

383

static int init_gnutls_global(mandos_context *mc,

384

const char *pubkeyfilename,

385

const char *seckeyfilename){

258

386

int ret;

259

387

260

388

if(debug){

261

389

fprintf(stderr, "Initializing GnuTLS\n");

262

390

}

263

264

if ((ret = gnutls_global_init ())

265

!= GNUTLS_E_SUCCESS) {

266

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

391

392

ret = gnutls_global_init();

393

if(ret != GNUTLS_E_SUCCESS) {

394

fprintf(stderr, "GnuTLS global_init: %s\n",

395

safer_gnutls_strerror(ret));

267

396

return -1;

268

397

}

269

270

if (debug){

398

399

if(debug){

400

/* "Use a log level over 10 to enable all debugging options."

401

* - GnuTLS manual

402

271

403

gnutls_global_set_log_level(11);

272

404

gnutls_global_set_log_function(debuggnutls);

273

405

}

274

406

275

/* openpgp credentials */

276

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

277

!= GNUTLS_E_SUCCESS) {

278

fprintf (stderr, "memory error: %s\n",

279

safer_gnutls_strerror(ret));

407

/* OpenPGP credentials */

408

gnutls_certificate_allocate_credentials(&mc->cred);

409

if(ret != GNUTLS_E_SUCCESS){

410

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

411

* from

412

* -Wunreachable-code

413

414

safer_gnutls_strerror(ret));

415

gnutls_global_deinit();

280

416

return -1;

281

417

}

282

418

283

419

if(debug){

284

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

285

" and keyfile %s as GnuTLS credentials\n", certfile,

286

certkey);

420

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

421

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

422

seckeyfilename);

287

423

}

288

424

289

425

ret = gnutls_certificate_set_openpgp_key_file

290

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

291

if (ret != GNUTLS_E_SUCCESS) {

292

fprintf

293

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

294

" '%s')\n",

295

ret, certfile, certkey);

296

fprintf(stdout, "The Error is: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

//GnuTLS server initialization

302

if ((ret = gnutls_dh_params_init (&es->dh_params))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in dh parameter initialization: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

310

!= GNUTLS_E_SUCCESS) {

311

fprintf (stderr, "Error in prime generation: %s\n",

312

safer_gnutls_strerror(ret));

313

return -1;

314

}

315

316

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

317

318

// GnuTLS session creation

319

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

320

!= GNUTLS_E_SUCCESS){

426

(mc->cred, pubkeyfilename, seckeyfilename,

427

GNUTLS_OPENPGP_FMT_BASE64);

428

if(ret != GNUTLS_E_SUCCESS) {

429

fprintf(stderr,

430

"Error[%d] while reading the OpenPGP key pair ('%s',"

431

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

432

fprintf(stderr, "The GnuTLS error is: %s\n",

433

safer_gnutls_strerror(ret));

434

goto globalfail;

435

}

436

437

/* GnuTLS server initialization */

438

ret = gnutls_dh_params_init(&mc->dh_params);

439

if(ret != GNUTLS_E_SUCCESS) {

440

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

441

" %s\n", safer_gnutls_strerror(ret));

442

goto globalfail;

443

}

444

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

445

if(ret != GNUTLS_E_SUCCESS) {

446

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

447

safer_gnutls_strerror(ret));

448

goto globalfail;

449

}

450

451

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

452

453

return 0;

454

455

globalfail:

456

457

gnutls_certificate_free_credentials(mc->cred);

458

gnutls_global_deinit();

459

gnutls_dh_params_deinit(mc->dh_params);

460

return -1;

461

}

462

463

static int init_gnutls_session(mandos_context *mc,

464

gnutls_session_t *session){

465

int ret;

466

/* GnuTLS session creation */

467

ret = gnutls_init(session, GNUTLS_SERVER);

468

if(ret != GNUTLS_E_SUCCESS){

321

469

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

322

470

safer_gnutls_strerror(ret));

323

471

}

324

472

325

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

326

!= GNUTLS_E_SUCCESS) {

327

fprintf(stderr, "Syntax error at: %s\n", err);

328

fprintf(stderr, "GnuTLS error: %s\n",

329

safer_gnutls_strerror(ret));

330

return -1;

473

{

474

const char *err;

475

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

476

if(ret != GNUTLS_E_SUCCESS) {

477

fprintf(stderr, "Syntax error at: %s\n", err);

478

fprintf(stderr, "GnuTLS error: %s\n",

479

safer_gnutls_strerror(ret));

480

gnutls_deinit(*session);

481

return -1;

482

}

331

483

}

332

484

333

if ((ret = gnutls_credentials_set

334

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

335

!= GNUTLS_E_SUCCESS) {

336

fprintf(stderr, "Error setting a credentials set: %s\n",

485

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

486

mc->cred);

487

if(ret != GNUTLS_E_SUCCESS) {

488

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

337

489

safer_gnutls_strerror(ret));

490

gnutls_deinit(*session);

338

491

return -1;

339

492

}

340

493

341

494

/* ignore client certificate if any. */

342

gnutls_certificate_server_set_request (es->session,

343

GNUTLS_CERT_IGNORE);

495

gnutls_certificate_server_set_request(*session,

496

GNUTLS_CERT_IGNORE);

344

497

345

gnutls_dh_set_prime_bits (es->session, DH_BITS);

498

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

346

499

347

500

return 0;

348

501

}

349

502

503

/* Avahi log function callback */

350

504

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

351

505

__attribute__((unused)) const char *txt){}

352

506

507

/* Called when a Mandos server is found */

353

508

static int start_mandos_communication(const char *ip, uint16_t port,

354

AvahiIfIndex if_index){

509

AvahiIfIndex if_index,

510

mandos_context *mc){

355

511

int ret, tcp_sd;

356

struct sockaddr_in6 to;

357

encrypted_session es;

512

ssize_t sret;

513

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

358

514

char *buffer = NULL;

359

515

char *decrypted_buffer;

360

516

size_t buffer_length = 0;

361

517

size_t buffer_capacity = 0;

362

518

ssize_t decrypted_buffer_size;

363

size_t written = 0;

519

size_t written;

364

520

int retval = 0;

365

521

char interface[IF_NAMESIZE];

522

gnutls_session_t session;

523

524

ret = init_gnutls_session(mc, &session);

525

if(ret != 0){

526

return -1;

527

}

366

528

367

529

if(debug){

368

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

369

ip, port);

530

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

531

"\n", ip, port);

370

532

}

371

533

372

534

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

374

536

perror("socket");

375

537

return -1;

376

538

}

377

539

378

540

if(debug){

379

541

if(if_indextoname((unsigned int)if_index, interface) == NULL){

380

if(debug){

381

perror("if_indextoname");

382

}

542

perror("if_indextoname");

383

543

return -1;

384

544

}

385

386

545

fprintf(stderr, "Binding to interface %s\n", interface);

387

546

}

388

547

389

memset(&to,0,sizeof(to)); /* Spurious warning */

390

to.sin6_family = AF_INET6;

391

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

392

if (ret < 0 ){

548

memset(&to, 0, sizeof(to));

549

to.in6.sin6_family = AF_INET6;

550

/* It would be nice to have a way to detect if we were passed an

551

IPv4 address here. Now we assume an IPv6 address. */

552

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

553

if(ret < 0 ){

393

554

perror("inet_pton");

394

555

return -1;

395

}

556

}

396

557

if(ret == 0){

397

558

fprintf(stderr, "Bad address: %s\n", ip);

398

559

return -1;

399

560

}

400

to.sin6_port = htons(port); /* Spurious warning */

561

to.in6.sin6_port = htons(port); /* Spurious warnings from

562

-Wconversion and

563

-Wunreachable-code */

401

564

402

to.sin6_scope_id = (uint32_t)if_index;

565

to.in6.sin6_scope_id = (uint32_t)if_index;

403

566

404

567

if(debug){

405

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

406

/* char addrstr[INET6_ADDRSTRLEN]; */

407

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

408

/* sizeof(addrstr)) == NULL){ */

409

/* perror("inet_ntop"); */

410

/* } else { */

411

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

412

/* addrstr, ntohs(to.sin6_port)); */

413

/* } */

568

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

569

port);

570

char addrstr[INET6_ADDRSTRLEN] = "";

571

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

572

sizeof(addrstr)) == NULL){

573

perror("inet_ntop");

574

} else {

575

if(strcmp(addrstr, ip) != 0){

576

fprintf(stderr, "Canonical address form: %s\n", addrstr);

577

}

578

}

414

579

}

415

580

416

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

417

if (ret < 0){

581

ret = connect(tcp_sd, &to.in, sizeof(to));

582

if(ret < 0){

418

583

perror("connect");

419

584

return -1;

420

585

}

421

586

422

ret = initgnutls (&es);

423

if (ret != 0){

424

retval = -1;

425

return -1;

587

const char *out = mandos_protocol_version;

588

written = 0;

589

while(true){

590

size_t out_size = strlen(out);

591

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

592

out_size - written));

593

if(ret == -1){

594

perror("write");

595

retval = -1;

596

goto mandos_end;

597

}

598

written += (size_t)ret;

599

if(written < out_size){

600

continue;

601

} else {

602

if(out == mandos_protocol_version){

603

written = 0;

604

out = "\r\n";

605

} else {

606

break;

607

}

608

}

426

609

}

427

610

428

gnutls_transport_set_ptr (es.session,

429

(gnutls_transport_ptr_t) tcp_sd);

430

431

611

if(debug){

432

612

fprintf(stderr, "Establishing TLS session with %s\n", ip);

433

613

}

434

614

435

ret = gnutls_handshake (es.session);

436

437

if (ret != GNUTLS_E_SUCCESS){

615

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

616

617

do{

618

ret = gnutls_handshake(session);

619

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

620

621

if(ret != GNUTLS_E_SUCCESS){

438

622

if(debug){

439

fprintf(stderr, "\n*** Handshake failed ***\n");

440

gnutls_perror (ret);

623

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

624

gnutls_perror(ret);

441

625

}

442

626

retval = -1;

443

goto exit;

627

goto mandos_end;

444

628

}

445

629

446

//Retrieve OpenPGP packet that contains the wanted password

630

/* Read OpenPGP packet that contains the wanted password */

447

631

448

632

if(debug){

449

633

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

450

634

ip);

451

635

}

452

636

453

637

while(true){

454

if (buffer_length + BUFFER_SIZE > buffer_capacity){

455

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

456

if (buffer == NULL){

457

perror("realloc");

458

goto exit;

459

}

460

buffer_capacity += BUFFER_SIZE;

638

buffer_capacity = adjustbuffer(&buffer, buffer_length,

639

buffer_capacity);

640

if(buffer_capacity == 0){

641

perror("adjustbuffer");

642

retval = -1;

643

goto mandos_end;

461

644

}

462

645

463

ret = gnutls_record_recv

464

(es.session, buffer+buffer_length, BUFFER_SIZE);

465

if (ret == 0){

646

sret = gnutls_record_recv(session, buffer+buffer_length,

647

BUFFER_SIZE);

648

if(sret == 0){

466

649

break;

467

650

}

468

if (ret < 0){

469

switch(ret){

651

if(sret < 0){

652

switch(sret){

470

653

case GNUTLS_E_INTERRUPTED:

471

654

case GNUTLS_E_AGAIN:

472

655

break;

473

656

case GNUTLS_E_REHANDSHAKE:

474

ret = gnutls_handshake (es.session);

475

if (ret < 0){

476

fprintf(stderr, "\n*** Handshake failed ***\n");

477

gnutls_perror (ret);

657

do{

658

ret = gnutls_handshake(session);

659

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

660

if(ret < 0){

661

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

662

gnutls_perror(ret);

478

663

retval = -1;

479

goto exit;

664

goto mandos_end;

480

665

}

481

666

break;

482

667

default:

483

668

fprintf(stderr, "Unknown error while reading data from"

484

" encrypted session with mandos server\n");

669

" encrypted session with Mandos server\n");

485

670

retval = -1;

486

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

487

goto exit;

671

gnutls_bye(session, GNUTLS_SHUT_RDWR);

672

goto mandos_end;

488

673

}

489

674

} else {

490

buffer_length += (size_t) ret;

675

buffer_length += (size_t) sret;

491

676

}

492

677

}

493

678

494

if (buffer_length > 0){

495

decrypted_buffer_size = pgp_packet_decrypt(buffer,

679

if(debug){

680

fprintf(stderr, "Closing TLS session\n");

681

}

682

683

gnutls_bye(session, GNUTLS_SHUT_RDWR);

684

685

if(buffer_length > 0){

686

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

496

687

buffer_length,

497

&decrypted_buffer,

498

certdir);

499

if (decrypted_buffer_size >= 0){

688

&decrypted_buffer);

689

if(decrypted_buffer_size >= 0){

690

written = 0;

500

691

while(written < (size_t) decrypted_buffer_size){

501

ret = (int)fwrite (decrypted_buffer + written, 1,

502

(size_t)decrypted_buffer_size - written,

503

stdout);

692

ret = (int)fwrite(decrypted_buffer + written, 1,

693

(size_t)decrypted_buffer_size - written,

694

stdout);

504

695

if(ret == 0 and ferror(stdout)){

505

696

if(debug){

506

697

fprintf(stderr, "Error writing encrypted data: %s\n",

515

706

} else {

516

707

retval = -1;

517

708

}

518

}

519

520

//shutdown procedure

521

522

if(debug){

523

fprintf(stderr, "Closing TLS session\n");

524

}

525

709

} else {

710

retval = -1;

711

}

712

713

/* Shutdown procedure */

714

715

mandos_end:

526

716

free(buffer);

527

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

528

exit:

529

close(tcp_sd);

530

gnutls_deinit (es.session);

531

gnutls_certificate_free_credentials (es.cred);

532

gnutls_global_deinit ();

717

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

718

if(ret == -1){

719

perror("close");

720

}

721

gnutls_deinit(session);

533

722

return retval;

534

723

}

535

724

536

static AvahiSimplePoll *simple_poll = NULL;

537

static AvahiServer *server = NULL;

538

539

static void resolve_callback(

540

AvahiSServiceResolver *r,

541

AvahiIfIndex interface,

542

AVAHI_GCC_UNUSED AvahiProtocol protocol,

543

AvahiResolverEvent event,

544

const char *name,

545

const char *type,

546

const char *domain,

547

const char *host_name,

548

const AvahiAddress *address,

549

uint16_t port,

550

AVAHI_GCC_UNUSED AvahiStringList *txt,

551

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

552

AVAHI_GCC_UNUSED void* userdata) {

553

554

assert(r); /* Spurious warning */

725

static void resolve_callback(AvahiSServiceResolver *r,

726

AvahiIfIndex interface,

727

AVAHI_GCC_UNUSED AvahiProtocol protocol,

728

AvahiResolverEvent event,

729

const char *name,

730

const char *type,

731

const char *domain,

732

const char *host_name,

733

const AvahiAddress *address,

734

uint16_t port,

735

AVAHI_GCC_UNUSED AvahiStringList *txt,

736

AVAHI_GCC_UNUSED AvahiLookupResultFlags

737

flags,

738

void* userdata) {

739

mandos_context *mc = userdata;

740

assert(r);

555

741

556

742

/* Called whenever a service has been resolved successfully or

557

743

timed out */

558

744

559

switch (event) {

745

switch(event) {

560

746

default:

561

747

case AVAHI_RESOLVER_FAILURE:

562

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

563

" type '%s' in domain '%s': %s\n", name, type, domain,

564

avahi_strerror(avahi_server_errno(server)));

748

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

749

" of type '%s' in domain '%s': %s\n", name, type, domain,

750

avahi_strerror(avahi_server_errno(mc->server)));

565

751

break;

566

752

567

753

case AVAHI_RESOLVER_FOUND:

569

755

char ip[AVAHI_ADDRESS_STR_MAX];

570

756

avahi_address_snprint(ip, sizeof(ip), address);

571

757

if(debug){

572

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

573

" port %d\n", name, host_name, ip, port);

758

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

759

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

760

ip, (intmax_t)interface, port);

574

761

}

575

int ret = start_mandos_communication(ip, port, interface);

576

if (ret == 0){

577

exit(EXIT_SUCCESS);

762

int ret = start_mandos_communication(ip, port, interface, mc);

763

if(ret == 0){

764

avahi_simple_poll_quit(mc->simple_poll);

578

765

}

579

766

}

580

767

}

581

768

avahi_s_service_resolver_free(r);

582

769

}

583

770

584

static void browse_callback(

585

AvahiSServiceBrowser *b,

586

AvahiIfIndex interface,

587

AvahiProtocol protocol,

588

AvahiBrowserEvent event,

589

const char *name,

590

const char *type,

591

const char *domain,

592

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

593

void* userdata) {

594

595

AvahiServer *s = userdata;

596

assert(b); /* Spurious warning */

597

598

/* Called whenever a new services becomes available on the LAN or

599

is removed from the LAN */

600

601

switch (event) {

602

default:

603

case AVAHI_BROWSER_FAILURE:

604

605

fprintf(stderr, "(Browser) %s\n",

606

avahi_strerror(avahi_server_errno(server)));

607

avahi_simple_poll_quit(simple_poll);

608

return;

609

610

case AVAHI_BROWSER_NEW:

611

/* We ignore the returned resolver object. In the callback

612

function we free it. If the server is terminated before

613

the callback function is called the server will free

614

the resolver for us. */

615

616

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

617

type, domain,

618

AVAHI_PROTO_INET6, 0,

619

resolve_callback, s)))

620

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

621

avahi_strerror(avahi_server_errno(s)));

622

break;

623

624

case AVAHI_BROWSER_REMOVE:

625

break;

626

627

case AVAHI_BROWSER_ALL_FOR_NOW:

628

case AVAHI_BROWSER_CACHE_EXHAUSTED:

629

break;

771

static void browse_callback( AvahiSServiceBrowser *b,

772

AvahiIfIndex interface,

773

AvahiProtocol protocol,

774

AvahiBrowserEvent event,

775

const char *name,

776

const char *type,

777

const char *domain,

778

AVAHI_GCC_UNUSED AvahiLookupResultFlags

779

flags,

780

void* userdata) {

781

mandos_context *mc = userdata;

782

assert(b);

783

784

/* Called whenever a new services becomes available on the LAN or

785

is removed from the LAN */

786

787

switch(event) {

788

default:

789

case AVAHI_BROWSER_FAILURE:

790

791

fprintf(stderr, "(Avahi browser) %s\n",

792

avahi_strerror(avahi_server_errno(mc->server)));

793

avahi_simple_poll_quit(mc->simple_poll);

794

return;

795

796

case AVAHI_BROWSER_NEW:

797

/* We ignore the returned Avahi resolver object. In the callback

798

function we free it. If the Avahi server is terminated before

799

the callback function is called the Avahi server will free the

800

resolver for us. */

801

802

if(!(avahi_s_service_resolver_new(mc->server, interface,

803

protocol, name, type, domain,

804

AVAHI_PROTO_INET6, 0,

805

resolve_callback, mc)))

806

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

807

name, avahi_strerror(avahi_server_errno(mc->server)));

808

break;

809

810

case AVAHI_BROWSER_REMOVE:

811

break;

812

813

case AVAHI_BROWSER_ALL_FOR_NOW:

814

case AVAHI_BROWSER_CACHE_EXHAUSTED:

815

if(debug){

816

fprintf(stderr, "No Mandos server found, still searching...\n");

630

817

}

631

}

632

633

/* Combines file name and path and returns the malloced new

634

string. some sane checks could/should be added */

635

static const char *combinepath(const char *first, const char *second){

636

size_t f_len = strlen(first);

637

size_t s_len = strlen(second);

638

char *tmp = malloc(f_len + s_len + 2);

639

if (tmp == NULL){

640

return NULL;

641

}

642

if(f_len > 0){

643

memcpy(tmp, first, f_len);

644

}

645

tmp[f_len] = '/';

646

if(s_len > 0){

647

memcpy(tmp + f_len + 1, second, s_len);

648

}

649

tmp[f_len + 1 + s_len] = '\0';

650

return tmp;

651

}

652

653

654

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

655

AvahiServerConfig config;

818

break;

819

}

820

}

821

822

int main(int argc, char *argv[]){

656

823

AvahiSServiceBrowser *sb = NULL;

657

824

int error;

658

825

int ret;

659

int returncode = EXIT_SUCCESS;

826

intmax_t tmpmax;

827

int numchars;

828

int exitcode = EXIT_SUCCESS;

660

829

const char *interface = "eth0";

661

830

struct ifreq network;

662

831

int sd;

832

uid_t uid;

833

gid_t gid;

663

834

char *connect_to = NULL;

835

char tempdir[] = "/tmp/mandosXXXXXX";

836

bool tempdir_created = false;

664

837

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

665

666

while (true){

667

static struct option long_options[] = {

668

{"debug", no_argument, (int *)&debug, 1},

669

{"connect", required_argument, 0, 'C'},

670

{"interface", required_argument, 0, 'i'},

671

{"certdir", required_argument, 0, 'd'},

672

{"certkey", required_argument, 0, 'c'},

673

{"certfile", required_argument, 0, 'k'},

674

{0, 0, 0, 0} };

675

676

int option_index = 0;

677

ret = getopt_long (argc, argv, "i:", long_options,

678

&option_index);

679

680

if (ret == -1){

681

break;

682

}

683

684

switch(ret){

685

case 0:

686

break;

687

case 'i':

688

interface = optarg;

689

break;

690

case 'C':

691

connect_to = optarg;

692

break;

693

case 'd':

694

certdir = optarg;

695

break;

696

case 'c':

697

certfile = optarg;

698

break;

699

case 'k':

700

certkey = optarg;

701

break;

702

default:

703

exit(EXIT_FAILURE);

704

}

705

}

706

707

certfile = combinepath(certdir, certfile);

708

if (certfile == NULL){

709

perror("combinepath");

710

returncode = EXIT_FAILURE;

711

goto exit;

712

}

713

714

certkey = combinepath(certdir, certkey);

715

if (certkey == NULL){

716

perror("combinepath");

717

returncode = EXIT_FAILURE;

718

goto exit;

838

const char *seckey = PATHDIR "/" SECKEY;

839

const char *pubkey = PATHDIR "/" PUBKEY;

840

841

mandos_context mc = { .simple_poll = NULL, .server = NULL,

842

.dh_bits = 1024, .priority = "SECURE256"

843

":!CTYPE-X.509:+CTYPE-OPENPGP" };

844

bool gnutls_initialized = false;

845

bool gpgme_initialized = false;

846

double delay = 2.5;

847

848

{

849

struct argp_option options[] = {

850

{ .name = "debug", .key = 128,

851

.doc = "Debug mode", .group = 3 },

852

{ .name = "connect", .key = 'c',

853

.arg = "ADDRESS:PORT",

854

.doc = "Connect directly to a specific Mandos server",

855

.group = 1 },

856

{ .name = "interface", .key = 'i',

857

.arg = "NAME",

858

.doc = "Interface that will be used to search for Mandos"

859

" servers",

860

.group = 1 },

861

{ .name = "seckey", .key = 's',

862

.arg = "FILE",

863

.doc = "OpenPGP secret key file base name",

864

.group = 1 },

865

{ .name = "pubkey", .key = 'p',

866

.arg = "FILE",

867

.doc = "OpenPGP public key file base name",

868

.group = 2 },

869

{ .name = "dh-bits", .key = 129,

870

.arg = "BITS",

871

.doc = "Bit length of the prime number used in the"

872

" Diffie-Hellman key exchange",

873

.group = 2 },

874

{ .name = "priority", .key = 130,

875

.arg = "STRING",

876

.doc = "GnuTLS priority string for the TLS handshake",

877

.group = 1 },

878

{ .name = "delay", .key = 131,

879

.arg = "SECONDS",

880

.doc = "Maximum delay to wait for interface startup",

881

.group = 2 },

882

{ .name = NULL }

883

};

884

885

error_t parse_opt(int key, char *arg,

886

struct argp_state *state) {

887

switch(key) {

888

case 128: /* --debug */

889

debug = true;

890

break;

891

case 'c': /* --connect */

892

connect_to = arg;

893

break;

894

case 'i': /* --interface */

895

interface = arg;

896

break;

897

case 's': /* --seckey */

898

seckey = arg;

899

break;

900

case 'p': /* --pubkey */

901

pubkey = arg;

902

break;

903

case 129: /* --dh-bits */

904

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

905

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

906

or arg[numchars] != '\0'){

907

fprintf(stderr, "Bad number of DH bits\n");

908

exit(EXIT_FAILURE);

909

}

910

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

911

break;

912

case 130: /* --priority */

913

mc.priority = arg;

914

break;

915

case 131: /* --delay */

916

ret = sscanf(arg, "%lf%n", &delay, &numchars);

917

if(ret < 1 or arg[numchars] != '\0'){

918

fprintf(stderr, "Bad delay\n");

919

exit(EXIT_FAILURE);

920

}

921

break;

922

case ARGP_KEY_ARG:

923

argp_usage(state);

924

case ARGP_KEY_END:

925

break;

926

default:

927

return ARGP_ERR_UNKNOWN;

928

}

929

return 0;

930

}

931

932

struct argp argp = { .options = options, .parser = parse_opt,

933

.args_doc = "",

934

.doc = "Mandos client -- Get and decrypt"

935

" passwords from a Mandos server" };

936

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

937

if(ret == ARGP_ERR_UNKNOWN){

938

fprintf(stderr, "Unknown error while parsing arguments\n");

939

exitcode = EXIT_FAILURE;

940

goto end;

941

}

942

}

943

944

/* If the interface is down, bring it up */

945

{

946

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

947

messages to mess up the prompt */

948

ret = klogctl(8, NULL, 5);

949

if(ret == -1){

950

perror("klogctl");

951

}

952

953

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

954

if(sd < 0) {

955

perror("socket");

956

exitcode = EXIT_FAILURE;

957

ret = klogctl(7, NULL, 0);

958

if(ret == -1){

959

perror("klogctl");

960

}

961

goto end;

962

}

963

strcpy(network.ifr_name, interface);

964

ret = ioctl(sd, SIOCGIFFLAGS, &network);

965

if(ret == -1){

966

perror("ioctl SIOCGIFFLAGS");

967

ret = klogctl(7, NULL, 0);

968

if(ret == -1){

969

perror("klogctl");

970

}

971

exitcode = EXIT_FAILURE;

972

goto end;

973

}

974

if((network.ifr_flags & IFF_UP) == 0){

975

network.ifr_flags |= IFF_UP;

976

ret = ioctl(sd, SIOCSIFFLAGS, &network);

977

if(ret == -1){

978

perror("ioctl SIOCSIFFLAGS");

979

exitcode = EXIT_FAILURE;

980

ret = klogctl(7, NULL, 0);

981

if(ret == -1){

982

perror("klogctl");

983

}

984

goto end;

985

}

986

}

987

/* sleep checking until interface is running */

988

for(int i=0; i < delay * 4; i++){

989

ret = ioctl(sd, SIOCGIFFLAGS, &network);

990

if(ret == -1){

991

perror("ioctl SIOCGIFFLAGS");

992

} else if(network.ifr_flags & IFF_RUNNING){

993

break;

994

}

995

struct timespec sleeptime = { .tv_nsec = 250000000 };

996

nanosleep(&sleeptime, NULL);

997

}

998

ret = (int)TEMP_FAILURE_RETRY(close(sd));

999

if(ret == -1){

1000

perror("close");

1001

}

1002

/* Restores kernel loglevel to default */

1003

ret = klogctl(7, NULL, 0);

1004

if(ret == -1){

1005

perror("klogctl");

1006

}

1007

}

1008

1009

uid = getuid();

1010

gid = getgid();

1011

1012

setgid(gid);

1013

if(ret == -1){

1014

perror("setgid");

1015

}

1016

1017

ret = setuid(uid);

1018

if(ret == -1){

1019

perror("setuid");

1020

}

1021

1022

ret = init_gnutls_global(&mc, pubkey, seckey);

1023

if(ret == -1){

1024

fprintf(stderr, "init_gnutls_global failed\n");

1025

exitcode = EXIT_FAILURE;

1026

goto end;

1027

} else {

1028

gnutls_initialized = true;

1029

}

1030

1031

if(mkdtemp(tempdir) == NULL){

1032

perror("mkdtemp");

1033

goto end;

1034

}

1035

tempdir_created = true;

1036

1037

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

1038

fprintf(stderr, "init_gpgme failed\n");

1039

exitcode = EXIT_FAILURE;

1040

goto end;

1041

} else {

1042

gpgme_initialized = true;

719

1043

}

720

1044

721

1045

if_index = (AvahiIfIndex) if_nametoindex(interface);

722

1046

if(if_index == 0){

723

1047

fprintf(stderr, "No such interface: \"%s\"\n", interface);

724

exit(EXIT_FAILURE);

1048

exitcode = EXIT_FAILURE;

1049

goto end;

725

1050

}

726

1051

727

1052

if(connect_to != NULL){

730

1055

char *address = strrchr(connect_to, ':');

731

1056

if(address == NULL){

732

1057

fprintf(stderr, "No colon in address\n");

733

exit(EXIT_FAILURE);

734

}

735

errno = 0;

736

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

737

if(errno){

738

perror("Bad port number");

739

exit(EXIT_FAILURE);

740

}

1058

exitcode = EXIT_FAILURE;

1059

goto end;

1060

}

1061

uint16_t port;

1062

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1063

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1064

or address[numchars+1] != '\0'){

1065

fprintf(stderr, "Bad port number\n");

1066

exitcode = EXIT_FAILURE;

1067

goto end;

1068

}

1069

port = (uint16_t)tmpmax;

741

1070

*address = '\0';

742

1071

address = connect_to;

743

ret = start_mandos_communication(address, port, if_index);

1072

ret = start_mandos_communication(address, port, if_index, &mc);

744

1073

if(ret < 0){

745

exit(EXIT_FAILURE);

1074

exitcode = EXIT_FAILURE;

746

1075

} else {

747

exit(EXIT_SUCCESS);

748

}

749

}

750

751

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

752

if(sd < 0) {

753

perror("socket");

754

returncode = EXIT_FAILURE;

755

goto exit;

756

}

757

strcpy(network.ifr_name, interface);

758

ret = ioctl(sd, SIOCGIFFLAGS, &network);

759

if(ret == -1){

760

761

perror("ioctl SIOCGIFFLAGS");

762

returncode = EXIT_FAILURE;

763

goto exit;

764

}

765

if((network.ifr_flags & IFF_UP) == 0){

766

network.ifr_flags |= IFF_UP;

767

ret = ioctl(sd, SIOCSIFFLAGS, &network);

768

if(ret == -1){

769

perror("ioctl SIOCSIFFLAGS");

770

returncode = EXIT_FAILURE;

771

goto exit;

772

}

773

}

774

close(sd);

775

776

if (not debug){

1076

exitcode = EXIT_SUCCESS;

1077

}

1078

goto end;

1079

}

1080

1081

if(not debug){

777

1082

avahi_set_log_function(empty_log);

778

1083

}

779

1084

780

/* Initialize the psuedo-RNG */

1085

/* Initialize the pseudo-RNG for Avahi */

781

1086

srand((unsigned int) time(NULL));

782

783

/* Allocate main loop object */

784

if (!(simple_poll = avahi_simple_poll_new())) {

785

fprintf(stderr, "Failed to create simple poll object.\n");

786

returncode = EXIT_FAILURE;

787

goto exit;

788

}

789

790

/* Do not publish any local records */

791

avahi_server_config_init(&config);

792

config.publish_hinfo = 0;

793

config.publish_addresses = 0;

794

config.publish_workstation = 0;

795

config.publish_domain = 0;

796

797

/* Allocate a new server */

798

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

799

&config, NULL, NULL, &error);

800

801

/* Free the configuration data */

802

avahi_server_config_free(&config);

803

804

/* Check if creating the server object succeeded */

805

if (!server) {

806

fprintf(stderr, "Failed to create server: %s\n",

1087

1088

/* Allocate main Avahi loop object */

1089

mc.simple_poll = avahi_simple_poll_new();

1090

if(mc.simple_poll == NULL) {

1091

fprintf(stderr, "Avahi: Failed to create simple poll"

1092

" object.\n");

1093

exitcode = EXIT_FAILURE;

1094

goto end;

1095

}

1096

1097

{

1098

AvahiServerConfig config;

1099

/* Do not publish any local Zeroconf records */

1100

avahi_server_config_init(&config);

1101

config.publish_hinfo = 0;

1102

config.publish_addresses = 0;

1103

config.publish_workstation = 0;

1104

config.publish_domain = 0;

1105

1106

/* Allocate a new server */

1107

mc.server = avahi_server_new(avahi_simple_poll_get

1108

(mc.simple_poll), &config, NULL,

1109

NULL, &error);

1110

1111

/* Free the Avahi configuration data */

1112

avahi_server_config_free(&config);

1113

}

1114

1115

/* Check if creating the Avahi server object succeeded */

1116

if(mc.server == NULL) {

1117

fprintf(stderr, "Failed to create Avahi server: %s\n",

807

1118

avahi_strerror(error));

808

returncode = EXIT_FAILURE;

809

goto exit;

1119

exitcode = EXIT_FAILURE;

1120

goto end;

810

1121

}

811

1122

812

/* Create the service browser */

813

sb = avahi_s_service_browser_new(server, if_index,

1123

/* Create the Avahi service browser */

1124

sb = avahi_s_service_browser_new(mc.server, if_index,

814

1125

AVAHI_PROTO_INET6,

815

1126

"_mandos._tcp", NULL, 0,

816

browse_callback, server);

817

if (!sb) {

1127

browse_callback, &mc);

1128

if(sb == NULL) {

818

1129

fprintf(stderr, "Failed to create service browser: %s\n",

819

avahi_strerror(avahi_server_errno(server)));

820

returncode = EXIT_FAILURE;

821

goto exit;

1130

avahi_strerror(avahi_server_errno(mc.server)));

1131

exitcode = EXIT_FAILURE;

1132

goto end;

822

1133

}

823

1134

824

1135

/* Run the main loop */

825

826

if (debug){

827

fprintf(stderr, "Starting avahi loop search\n");

1136

1137

if(debug){

1138

fprintf(stderr, "Starting Avahi loop search\n");

828

1139

}

829

830

avahi_simple_poll_loop(simple_poll);

831

832

exit:

833

1140

834

if (debug){

1141

avahi_simple_poll_loop(mc.simple_poll);

1142

1143

end:

1144

1145

if(debug){

835

1146

fprintf(stderr, "%s exiting\n", argv[0]);

836

1147

}

837

1148

838

1149

/* Cleanup things */

839

if (sb)

1150

if(sb != NULL)

840

1151

avahi_s_service_browser_free(sb);

841

1152

842

if (server)

843

avahi_server_free(server);

844

845

if (simple_poll)

846

avahi_simple_poll_free(simple_poll);

847

free(certfile);

848

free(certkey);

849

850

return returncode;

1153

if(mc.server != NULL)

1154

avahi_server_free(mc.server);

1155

1156

if(mc.simple_poll != NULL)

1157

avahi_simple_poll_free(mc.simple_poll);

1158

1159

if(gnutls_initialized){

1160

gnutls_certificate_free_credentials(mc.cred);

1161

gnutls_global_deinit();

1162

gnutls_dh_params_deinit(mc.dh_params);

1163

}

1164

1165

if(gpgme_initialized){

1166

gpgme_release(mc.ctx);

1167

}

1168

1169

/* Removes the temp directory used by GPGME */

1170

if(tempdir_created){

1171

DIR *d;

1172

struct dirent *direntry;

1173

d = opendir(tempdir);

1174

if(d == NULL){

1175

if(errno != ENOENT){

1176

perror("opendir");

1177

}

1178

} else {

1179

while(true){

1180

direntry = readdir(d);

1181

if(direntry == NULL){

1182

break;

1183

}

1184

/* Skip "." and ".." */

1185

if(direntry->d_name[0] == '.'

1186

and (direntry->d_name[1] == '\0'

1187

or (direntry->d_name[1] == '.'

1188

and direntry->d_name[2] == '\0'))){

1189

continue;

1190

}

1191

char *fullname = NULL;

1192

ret = asprintf(&fullname, "%s/%s", tempdir,

1193

direntry->d_name);

1194

if(ret < 0){

1195

perror("asprintf");

1196

continue;

1197

}

1198

ret = remove(fullname);

1199

if(ret == -1){

1200

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1201

strerror(errno));

1202

}

1203

free(fullname);

1204

}

1205

closedir(d);

1206

}

1207

ret = rmdir(tempdir);

1208

if(ret == -1 and errno != ENOENT){

1209

perror("rmdir");

1210

}

1211

}

1212

1213

return exitcode;

851

1214

}

Older »