To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 30
- compare with another revision
- download diff
- download tarball
- view history from revision 30
- Committer: Teddy Hogeborn
- Date: 2008-07-31 19:51:44 UTC
- mfrom: (24.1.5 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080731195144-yb37wz2sr1e6b3m4
Merge.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
33
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
34
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
35
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
94
42
#include <avahi-core/core.h>
95
43
#include <avahi-core/lookup.h>
96
44
#include <avahi-core/log.h>
98
46
#include <avahi-common/malloc.h>
99
47
#include <avahi-common/error.h>
100
48
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
117
69
118
70
#define BUFFER_SIZE 256
71
#define DH_BITS 1024
119
72
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
73
const char *certdir = "/conf/conf.d/cryptkeyreq/";
74
const char *certfile = "openpgp-client.txt";
75
const char *certkey = "openpgp-client-key.txt";
123
76
124
77
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
128
78
129
/* Used for passing in values through the Avahi callback functions */
130
79
typedef struct {
131
AvahiSimplePoll *simple_poll;
132
AvahiServer *server;
80
gnutls_session_t session;
133
81
gnutls_certificate_credentials_t cred;
134
unsigned int dh_bits;
135
82
gnutls_dh_params_t dh_params;
136
const char *priority;
83
} encrypted_session;
84
85
86
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
87
char **new_packet, const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
137
89
gpgme_ctx_t ctx;
138
} mandos_context;
139
140
/* global context so signal handler can reach it*/
141
mandos_context mc = { .simple_poll = NULL, .server = NULL,
142
.dh_bits = 1024, .priority = "SECURE256"
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
145
/*
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
* bytes. "buffer_capacity" is how much is currently allocated,
148
* "buffer_length" is how much is already used.
149
*/
150
size_t incbuffer(char **buffer, size_t buffer_length,
151
size_t buffer_capacity){
152
if(buffer_length + BUFFER_SIZE > buffer_capacity){
153
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
154
if(buffer == NULL){
155
return 0;
156
}
157
buffer_capacity += BUFFER_SIZE;
158
}
159
return buffer_capacity;
160
}
161
162
/*
163
* Initialize GPGME.
164
*/
165
static bool init_gpgme(const char *seckey,
166
const char *pubkey, const char *tempdir){
167
int ret;
168
90
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
169
94
gpgme_engine_info_t engine_info;
170
171
172
/*
173
* Helper function to insert pub and seckey to the engine keyring.
174
*/
175
bool import_key(const char *filename){
176
int fd;
177
gpgme_data_t pgp_data;
178
179
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
180
if(fd == -1){
181
perror("open");
182
return false;
183
}
184
185
rc = gpgme_data_new_from_fd(&pgp_data, fd);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
rc = gpgme_op_import(mc.ctx, pgp_data);
193
if(rc != GPG_ERR_NO_ERROR){
194
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
return false;
197
}
198
199
ret = (int)TEMP_FAILURE_RETRY(close(fd));
200
if(ret == -1){
201
perror("close");
202
}
203
gpgme_data_release(pgp_data);
204
return true;
205
}
206
207
if(debug){
208
fprintf(stderr, "Initializing GPGME\n");
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
209
98
}
210
99
211
100
/* Init GPGME */
212
101
gpgme_check_version(NULL);
213
102
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
214
if(rc != GPG_ERR_NO_ERROR){
103
if (rc != GPG_ERR_NO_ERROR){
215
104
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
216
105
gpgme_strsource(rc), gpgme_strerror(rc));
217
return false;
106
return -1;
218
107
}
219
108
220
/* Set GPGME home directory for the OpenPGP engine only */
221
rc = gpgme_get_engine_info(&engine_info);
222
if(rc != GPG_ERR_NO_ERROR){
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
223
112
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
224
113
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
114
return -1;
226
115
}
227
116
while(engine_info != NULL){
228
117
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
229
118
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
230
engine_info->file_name, tempdir);
119
engine_info->file_name, homedir);
231
120
break;
232
121
}
233
122
engine_info = engine_info->next;
234
123
}
235
124
if(engine_info == NULL){
236
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
237
return false;
238
}
239
240
/* Create new GPGME "context" */
241
rc = gpgme_new(&(mc.ctx));
242
if(rc != GPG_ERR_NO_ERROR){
243
fprintf(stderr, "bad gpgme_new: %s: %s\n",
244
gpgme_strsource(rc), gpgme_strerror(rc));
245
return false;
246
}
247
248
if(not import_key(pubkey) or not import_key(seckey)){
249
return false;
250
}
251
252
return true;
253
}
254
255
/*
256
* Decrypt OpenPGP data.
257
* Returns -1 on error
258
*/
259
static ssize_t pgp_packet_decrypt(const char *cryptotext,
260
size_t crypto_size,
261
char **plaintext){
262
gpgme_data_t dh_crypto, dh_plain;
263
gpgme_error_t rc;
264
ssize_t ret;
265
size_t plaintext_capacity = 0;
266
ssize_t plaintext_length = 0;
267
268
if(debug){
269
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
270
}
271
272
/* Create new GPGME data buffer from memory cryptotext */
273
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
274
0);
275
if(rc != GPG_ERR_NO_ERROR){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
276
132
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
277
133
gpgme_strsource(rc), gpgme_strerror(rc));
278
134
return -1;
280
136
281
137
/* Create new empty GPGME data buffer for the plaintext */
282
138
rc = gpgme_data_new(&dh_plain);
283
if(rc != GPG_ERR_NO_ERROR){
139
if (rc != GPG_ERR_NO_ERROR){
284
140
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
285
141
gpgme_strsource(rc), gpgme_strerror(rc));
286
gpgme_data_release(dh_crypto);
287
return -1;
288
}
289
290
/* Decrypt data from the cryptotext data buffer to the plaintext
291
data buffer */
292
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
293
if(rc != GPG_ERR_NO_ERROR){
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
294
157
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
295
158
gpgme_strsource(rc), gpgme_strerror(rc));
296
plaintext_length = -1;
297
if(debug){
298
gpgme_decrypt_result_t result;
299
result = gpgme_op_decrypt_result(mc.ctx);
300
if(result == NULL){
301
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
302
} else {
303
fprintf(stderr, "Unsupported algorithm: %s\n",
304
result->unsupported_algorithm);
305
fprintf(stderr, "Wrong key usage: %u\n",
306
result->wrong_key_usage);
307
if(result->file_name != NULL){
308
fprintf(stderr, "File name: %s\n", result->file_name);
309
}
310
gpgme_recipient_t recipient;
311
recipient = result->recipients;
159
return -1;
160
}
161
162
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
312
182
while(recipient != NULL){
313
183
fprintf(stderr, "Public key algorithm: %s\n",
314
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
320
190
}
321
191
}
322
192
}
323
goto decrypt_end;
324
193
}
325
194
326
if(debug){
327
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
328
}
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
329
197
330
198
/* Seek back to the beginning of the GPGME plaintext data buffer */
331
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
332
perror("gpgme_data_seek");
333
plaintext_length = -1;
334
goto decrypt_end;
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
335
201
}
336
202
337
*plaintext = NULL;
203
*new_packet = 0;
338
204
while(true){
339
plaintext_capacity = incbuffer(plaintext,
340
(size_t)plaintext_length,
341
plaintext_capacity);
342
if(plaintext_capacity == 0){
343
perror("incbuffer");
344
plaintext_length = -1;
345
goto decrypt_end;
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
346
214
}
347
215
348
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
349
217
BUFFER_SIZE);
350
218
/* Print the data, if any */
351
if(ret == 0){
352
/* EOF */
219
if (ret == 0){
353
220
break;
354
221
}
355
222
if(ret < 0){
356
223
perror("gpgme_data_read");
357
plaintext_length = -1;
358
goto decrypt_end;
359
}
360
plaintext_length += ret;
361
}
362
363
if(debug){
364
fprintf(stderr, "Decrypted password is: ");
365
for(ssize_t i = 0; i < plaintext_length; i++){
366
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
367
}
368
fprintf(stderr, "\n");
369
}
370
371
decrypt_end:
372
373
/* Delete the GPGME cryptotext data buffer */
374
gpgme_data_release(dh_crypto);
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
375
236
376
237
/* Delete the GPGME plaintext data buffer */
377
238
gpgme_data_release(dh_plain);
378
return plaintext_length;
239
return new_packet_length;
379
240
}
380
241
381
static const char * safer_gnutls_strerror(int value){
382
const char *ret = gnutls_strerror(value); /* Spurious warning from
383
-Wunreachable-code */
384
if(ret == NULL)
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
385
245
ret = "(unknown)";
386
246
return ret;
387
247
}
388
248
389
/* GnuTLS log function callback */
390
static void debuggnutls(__attribute__((unused)) int level,
391
const char* string){
392
fprintf(stderr, "GnuTLS: %s", string);
249
void debuggnutls(__attribute__((unused)) int level,
250
const char* string){
251
fprintf(stderr, "%s", string);
393
252
}
394
253
395
static int init_gnutls_global(const char *pubkeyfilename,
396
const char *seckeyfilename){
254
int initgnutls(encrypted_session *es){
255
const char *err;
397
256
int ret;
398
257
399
258
if(debug){
400
259
fprintf(stderr, "Initializing GnuTLS\n");
401
260
}
402
403
ret = gnutls_global_init();
404
if(ret != GNUTLS_E_SUCCESS){
405
fprintf(stderr, "GnuTLS global_init: %s\n",
406
safer_gnutls_strerror(ret));
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
407
265
return -1;
408
266
}
409
410
if(debug){
411
/* "Use a log level over 10 to enable all debugging options."
412
* - GnuTLS manual
413
*/
267
268
if (debug){
414
269
gnutls_global_set_log_level(11);
415
270
gnutls_global_set_log_function(debuggnutls);
416
271
}
417
272
418
/* OpenPGP credentials */
419
gnutls_certificate_allocate_credentials(&mc.cred);
420
if(ret != GNUTLS_E_SUCCESS){
421
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
422
from
423
-Wunreachable-code
424
*/
425
safer_gnutls_strerror(ret));
426
gnutls_global_deinit();
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
427
278
return -1;
428
279
}
429
280
430
281
if(debug){
431
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
432
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
433
seckeyfilename);
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
434
285
}
435
286
436
287
ret = gnutls_certificate_set_openpgp_key_file
437
(mc.cred, pubkeyfilename, seckeyfilename,
438
GNUTLS_OPENPGP_FMT_BASE64);
439
if(ret != GNUTLS_E_SUCCESS){
440
fprintf(stderr,
441
"Error[%d] while reading the OpenPGP key pair ('%s',"
442
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
443
fprintf(stderr, "The GnuTLS error is: %s\n",
444
safer_gnutls_strerror(ret));
445
goto globalfail;
446
}
447
448
/* GnuTLS server initialization */
449
ret = gnutls_dh_params_init(&mc.dh_params);
450
if(ret != GNUTLS_E_SUCCESS){
451
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
452
" %s\n", safer_gnutls_strerror(ret));
453
goto globalfail;
454
}
455
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
456
if(ret != GNUTLS_E_SUCCESS){
457
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
458
safer_gnutls_strerror(ret));
459
goto globalfail;
460
}
461
462
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
463
464
return 0;
465
466
globalfail:
467
468
gnutls_certificate_free_credentials(mc.cred);
469
gnutls_global_deinit();
470
gnutls_dh_params_deinit(mc.dh_params);
471
return -1;
472
}
473
474
static int init_gnutls_session(gnutls_session_t *session){
475
int ret;
476
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
478
if(ret != GNUTLS_E_SUCCESS){
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
479
319
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
320
safer_gnutls_strerror(ret));
481
321
}
482
322
483
{
484
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
486
if(ret != GNUTLS_E_SUCCESS){
487
fprintf(stderr, "Syntax error at: %s\n", err);
488
fprintf(stderr, "GnuTLS error: %s\n",
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
491
return -1;
492
}
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
493
329
}
494
330
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
497
if(ret != GNUTLS_E_SUCCESS){
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
499
335
safer_gnutls_strerror(ret));
500
gnutls_deinit(*session);
501
336
return -1;
502
337
}
503
338
504
339
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
507
342
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
509
344
510
345
return 0;
511
346
}
512
347
513
/* Avahi log function callback */
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
__attribute__((unused)) const char *txt){}
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
520
/* Called when a Mandos server is found */
521
static int start_mandos_communication(const char *ip, uint16_t port,
522
AvahiIfIndex if_index,
523
int af){
524
int ret, tcp_sd = -1;
525
ssize_t sret;
526
union {
527
struct sockaddr_in in;
528
struct sockaddr_in6 in6;
529
} to;
348
void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
__attribute__((unused)) const char *txt){}
350
351
int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
353
int ret, tcp_sd;
354
struct sockaddr_in6 to;
355
encrypted_session es;
530
356
char *buffer = NULL;
531
357
char *decrypted_buffer;
532
358
size_t buffer_length = 0;
533
359
size_t buffer_capacity = 0;
534
360
ssize_t decrypted_buffer_size;
535
size_t written;
361
size_t written = 0;
536
362
int retval = 0;
537
gnutls_session_t session;
538
int pf; /* Protocol family */
539
540
if(quit_now){
541
return -1;
542
}
543
544
switch(af){
545
case AF_INET6:
546
pf = PF_INET6;
547
break;
548
case AF_INET:
549
pf = PF_INET;
550
break;
551
default:
552
fprintf(stderr, "Bad address family: %d\n", af);
553
return -1;
554
}
555
556
ret = init_gnutls_session(&session);
557
if(ret != 0){
558
return -1;
559
}
363
char interface[IF_NAMESIZE];
560
364
561
365
if(debug){
562
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
563
"\n", ip, port);
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
564
368
}
565
369
566
tcp_sd = socket(pf, SOCK_STREAM, 0);
567
if(tcp_sd < 0){
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
371
if(tcp_sd < 0) {
568
372
perror("socket");
569
retval = -1;
570
goto mandos_end;
571
}
572
573
if(quit_now){
574
goto mandos_end;
575
}
576
577
memset(&to, 0, sizeof(to));
578
if(af == AF_INET6){
579
to.in6.sin6_family = (sa_family_t)af;
580
ret = inet_pton(af, ip, &to.in6.sin6_addr);
581
} else { /* IPv4 */
582
to.in.sin_family = (sa_family_t)af;
583
ret = inet_pton(af, ip, &to.in.sin_addr);
584
}
585
if(ret < 0 ){
373
return -1;
374
}
375
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
378
perror("if_indextoname");
379
}
380
return -1;
381
}
382
383
if(debug){
384
fprintf(stderr, "Binding to interface %s\n", interface);
385
}
386
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
586
391
perror("inet_pton");
587
retval = -1;
588
goto mandos_end;
589
}
392
return -1;
393
}
590
394
if(ret == 0){
591
395
fprintf(stderr, "Bad address: %s\n", ip);
592
retval = -1;
593
goto mandos_end;
594
}
595
if(af == AF_INET6){
596
to.in6.sin6_port = htons(port); /* Spurious warnings from
597
-Wconversion and
598
-Wunreachable-code */
599
600
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
601
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
602
-Wunreachable-code*/
603
if(if_index == AVAHI_IF_UNSPEC){
604
fprintf(stderr, "An IPv6 link-local address is incomplete"
605
" without a network interface\n");
606
retval = -1;
607
goto mandos_end;
608
}
609
/* Set the network interface number as scope */
610
to.in6.sin6_scope_id = (uint32_t)if_index;
611
}
612
} else {
613
to.in.sin_port = htons(port); /* Spurious warnings from
614
-Wconversion and
615
-Wunreachable-code */
616
}
396
return -1;
397
}
398
to.sin6_port = htons(port); /* Spurious warning */
617
399
618
if(quit_now){
619
goto mandos_end;
620
}
400
to.sin6_scope_id = (uint32_t)if_index;
621
401
622
402
if(debug){
623
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
624
char interface[IF_NAMESIZE];
625
if(if_indextoname((unsigned int)if_index, interface) == NULL){
626
perror("if_indextoname");
627
} else {
628
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
629
ip, interface, port);
630
}
631
} else {
632
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
633
port);
634
}
635
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
636
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
637
const char *pcret;
638
if(af == AF_INET6){
639
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
640
sizeof(addrstr));
641
} else {
642
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
643
sizeof(addrstr));
644
}
645
if(pcret == NULL){
646
perror("inet_ntop");
647
} else {
648
if(strcmp(addrstr, ip) != 0){
649
fprintf(stderr, "Canonical address form: %s\n", addrstr);
650
}
651
}
652
}
653
654
if(quit_now){
655
goto mandos_end;
656
}
657
658
if(af == AF_INET6){
659
ret = connect(tcp_sd, &to.in6, sizeof(to));
660
} else {
661
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
662
}
663
if(ret < 0){
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
412
}
413
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
664
416
perror("connect");
417
return -1;
418
}
419
420
ret = initgnutls (&es);
421
if (ret != 0){
665
422
retval = -1;
666
goto mandos_end;
667
}
668
669
if(quit_now){
670
goto mandos_end;
671
}
672
673
const char *out = mandos_protocol_version;
674
written = 0;
675
while(true){
676
size_t out_size = strlen(out);
677
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
678
out_size - written));
679
if(ret == -1){
680
perror("write");
681
retval = -1;
682
goto mandos_end;
683
}
684
written += (size_t)ret;
685
if(written < out_size){
686
continue;
687
} else {
688
if(out == mandos_protocol_version){
689
written = 0;
690
out = "\r\n";
691
} else {
692
break;
693
}
694
}
695
696
if(quit_now){
697
goto mandos_end;
698
}
699
}
423
return -1;
424
}
425
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
700
428
701
429
if(debug){
702
430
fprintf(stderr, "Establishing TLS session with %s\n", ip);
703
431
}
704
432
705
if(quit_now){
706
goto mandos_end;
707
}
708
709
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
710
711
if(quit_now){
712
goto mandos_end;
713
}
714
715
do{
716
ret = gnutls_handshake(session);
717
if(quit_now){
718
goto mandos_end;
719
}
720
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
721
722
if(ret != GNUTLS_E_SUCCESS){
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
723
436
if(debug){
724
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
725
gnutls_perror(ret);
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
726
439
}
727
440
retval = -1;
728
goto mandos_end;
441
goto exit;
729
442
}
730
443
731
/* Read OpenPGP packet that contains the wanted password */
444
//Retrieve OpenPGP packet that contains the wanted password
732
445
733
446
if(debug){
734
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
735
448
ip);
736
449
}
737
450
738
451
while(true){
739
740
if(quit_now){
741
goto mandos_end;
742
}
743
744
buffer_capacity = incbuffer(&buffer, buffer_length,
745
buffer_capacity);
746
if(buffer_capacity == 0){
747
perror("incbuffer");
748
retval = -1;
749
goto mandos_end;
750
}
751
752
if(quit_now){
753
goto mandos_end;
754
}
755
756
sret = gnutls_record_recv(session, buffer+buffer_length,
757
BUFFER_SIZE);
758
if(sret == 0){
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
459
}
460
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
759
464
break;
760
465
}
761
if(sret < 0){
762
switch(sret){
466
if (ret < 0){
467
switch(ret){
763
468
case GNUTLS_E_INTERRUPTED:
764
469
case GNUTLS_E_AGAIN:
765
470
break;
766
471
case GNUTLS_E_REHANDSHAKE:
767
do{
768
ret = gnutls_handshake(session);
769
770
if(quit_now){
771
goto mandos_end;
772
}
773
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
774
if(ret < 0){
775
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
776
gnutls_perror(ret);
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
777
476
retval = -1;
778
goto mandos_end;
477
goto exit;
779
478
}
780
479
break;
781
480
default:
782
481
fprintf(stderr, "Unknown error while reading data from"
783
" encrypted session with Mandos server\n");
482
" encrypted session with mandos server\n");
784
483
retval = -1;
785
gnutls_bye(session, GNUTLS_SHUT_RDWR);
786
goto mandos_end;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
787
486
}
788
487
} else {
789
buffer_length += (size_t) sret;
488
buffer_length += (size_t) ret;
790
489
}
791
490
}
792
491
793
if(debug){
794
fprintf(stderr, "Closing TLS session\n");
795
}
796
797
if(quit_now){
798
goto mandos_end;
799
}
800
801
gnutls_bye(session, GNUTLS_SHUT_RDWR);
802
803
if(quit_now){
804
goto mandos_end;
805
}
806
807
if(buffer_length > 0){
492
if (buffer_length > 0){
808
493
decrypted_buffer_size = pgp_packet_decrypt(buffer,
809
494
buffer_length,
810
&decrypted_buffer);
811
if(decrypted_buffer_size >= 0){
812
written = 0;
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
813
498
while(written < (size_t) decrypted_buffer_size){
814
if(quit_now){
815
goto mandos_end;
816
}
817
818
ret = (int)fwrite(decrypted_buffer + written, 1,
819
(size_t)decrypted_buffer_size - written,
820
stdout);
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
821
502
if(ret == 0 and ferror(stdout)){
822
503
if(debug){
823
504
fprintf(stderr, "Error writing encrypted data: %s\n",
832
513
} else {
833
514
retval = -1;
834
515
}
835
} else {
836
retval = -1;
837
}
838
839
/* Shutdown procedure */
840
841
mandos_end:
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
842
524
free(buffer);
843
if(tcp_sd >= 0){
844
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
845
}
846
if(ret == -1){
847
perror("close");
848
}
849
gnutls_deinit(session);
850
if(quit_now){
851
retval = -1;
852
}
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
853
531
return retval;
854
532
}
855
533
856
static void resolve_callback(AvahiSServiceResolver *r,
857
AvahiIfIndex interface,
858
AvahiProtocol proto,
859
AvahiResolverEvent event,
860
const char *name,
861
const char *type,
862
const char *domain,
863
const char *host_name,
864
const AvahiAddress *address,
865
uint16_t port,
866
AVAHI_GCC_UNUSED AvahiStringList *txt,
867
AVAHI_GCC_UNUSED AvahiLookupResultFlags
868
flags,
869
AVAHI_GCC_UNUSED void* userdata){
870
assert(r);
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
871
553
872
554
/* Called whenever a service has been resolved successfully or
873
555
timed out */
874
556
875
if(quit_now){
876
return;
877
}
878
879
switch(event){
557
switch (event) {
880
558
default:
881
559
case AVAHI_RESOLVER_FAILURE:
882
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
883
" of type '%s' in domain '%s': %s\n", name, type, domain,
884
avahi_strerror(avahi_server_errno(mc.server)));
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
885
563
break;
886
564
887
565
case AVAHI_RESOLVER_FOUND:
889
567
char ip[AVAHI_ADDRESS_STR_MAX];
890
568
avahi_address_snprint(ip, sizeof(ip), address);
891
569
if(debug){
892
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
893
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
894
ip, (intmax_t)interface, port);
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
895
572
}
896
int ret = start_mandos_communication(ip, port, interface,
897
avahi_proto_to_af(proto));
898
if(ret == 0){
899
avahi_simple_poll_quit(mc.simple_poll);
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
900
576
}
901
577
}
902
578
}
903
579
avahi_s_service_resolver_free(r);
904
580
}
905
581
906
static void browse_callback(AvahiSServiceBrowser *b,
907
AvahiIfIndex interface,
908
AvahiProtocol protocol,
909
AvahiBrowserEvent event,
910
const char *name,
911
const char *type,
912
const char *domain,
913
AVAHI_GCC_UNUSED AvahiLookupResultFlags
914
flags,
915
AVAHI_GCC_UNUSED void* userdata){
916
assert(b);
917
918
/* Called whenever a new services becomes available on the LAN or
919
is removed from the LAN */
920
921
if(quit_now){
922
return;
923
}
924
925
switch(event){
926
default:
927
case AVAHI_BROWSER_FAILURE:
928
929
fprintf(stderr, "(Avahi browser) %s\n",
930
avahi_strerror(avahi_server_errno(mc.server)));
931
avahi_simple_poll_quit(mc.simple_poll);
932
return;
933
934
case AVAHI_BROWSER_NEW:
935
/* We ignore the returned Avahi resolver object. In the callback
936
function we free it. If the Avahi server is terminated before
937
the callback function is called the Avahi server will free the
938
resolver for us. */
939
940
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
941
name, type, domain, protocol, 0,
942
resolve_callback, NULL) == NULL)
943
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
944
name, avahi_strerror(avahi_server_errno(mc.server)));
945
break;
946
947
case AVAHI_BROWSER_REMOVE:
948
break;
949
950
case AVAHI_BROWSER_ALL_FOR_NOW:
951
case AVAHI_BROWSER_CACHE_EXHAUSTED:
952
if(debug){
953
fprintf(stderr, "No Mandos server found, still searching...\n");
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
954
628
}
955
break;
956
}
957
}
958
959
/* stop main loop after sigterm has been called */
960
static void handle_sigterm(int sig){
961
if(quit_now){
962
return;
963
}
964
quit_now = 1;
965
signal_received = sig;
966
int old_errno = errno;
967
if(mc.simple_poll != NULL){
968
avahi_simple_poll_quit(mc.simple_poll);
969
}
970
errno = old_errno;
971
}
972
973
int main(int argc, char *argv[]){
974
AvahiSServiceBrowser *sb = NULL;
975
int error;
976
int ret;
977
intmax_t tmpmax;
629
}
630
631
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
632
const char *combinepath(const char *first, const char *second){
978
633
char *tmp;
979
int exitcode = EXIT_SUCCESS;
980
const char *interface = "eth0";
981
struct ifreq network;
982
int sd = -1;
983
bool take_down_interface = false;
984
uid_t uid;
985
gid_t gid;
986
char *connect_to = NULL;
987
char tempdir[] = "/tmp/mandosXXXXXX";
988
bool tempdir_created = false;
989
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
990
const char *seckey = PATHDIR "/" SECKEY;
991
const char *pubkey = PATHDIR "/" PUBKEY;
992
993
bool gnutls_initialized = false;
994
bool gpgme_initialized = false;
995
float delay = 2.5f;
996
997
struct sigaction old_sigterm_action;
998
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
999
1000
{
1001
struct argp_option options[] = {
1002
{ .name = "debug", .key = 128,
1003
.doc = "Debug mode", .group = 3 },
1004
{ .name = "connect", .key = 'c',
1005
.arg = "ADDRESS:PORT",
1006
.doc = "Connect directly to a specific Mandos server",
1007
.group = 1 },
1008
{ .name = "interface", .key = 'i',
1009
.arg = "NAME",
1010
.doc = "Network interface that will be used to search for"
1011
" Mandos servers",
1012
.group = 1 },
1013
{ .name = "seckey", .key = 's',
1014
.arg = "FILE",
1015
.doc = "OpenPGP secret key file base name",
1016
.group = 1 },
1017
{ .name = "pubkey", .key = 'p',
1018
.arg = "FILE",
1019
.doc = "OpenPGP public key file base name",
1020
.group = 2 },
1021
{ .name = "dh-bits", .key = 129,
1022
.arg = "BITS",
1023
.doc = "Bit length of the prime number used in the"
1024
" Diffie-Hellman key exchange",
1025
.group = 2 },
1026
{ .name = "priority", .key = 130,
1027
.arg = "STRING",
1028
.doc = "GnuTLS priority string for the TLS handshake",
1029
.group = 1 },
1030
{ .name = "delay", .key = 131,
1031
.arg = "SECONDS",
1032
.doc = "Maximum delay to wait for interface startup",
1033
.group = 2 },
1034
{ .name = NULL }
1035
};
1036
1037
error_t parse_opt(int key, char *arg,
1038
struct argp_state *state){
1039
switch(key){
1040
case 128: /* --debug */
1041
debug = true;
1042
break;
1043
case 'c': /* --connect */
1044
connect_to = arg;
1045
break;
1046
case 'i': /* --interface */
1047
interface = arg;
1048
break;
1049
case 's': /* --seckey */
1050
seckey = arg;
1051
break;
1052
case 'p': /* --pubkey */
1053
pubkey = arg;
1054
break;
1055
case 129: /* --dh-bits */
1056
errno = 0;
1057
tmpmax = strtoimax(arg, &tmp, 10);
1058
if(errno != 0 or tmp == arg or *tmp != '\0'
1059
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1060
fprintf(stderr, "Bad number of DH bits\n");
1061
exit(EXIT_FAILURE);
1062
}
1063
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1064
break;
1065
case 130: /* --priority */
1066
mc.priority = arg;
1067
break;
1068
case 131: /* --delay */
1069
errno = 0;
1070
delay = strtof(arg, &tmp);
1071
if(errno != 0 or tmp == arg or *tmp != '\0'){
1072
fprintf(stderr, "Bad delay\n");
1073
exit(EXIT_FAILURE);
1074
}
1075
break;
1076
case ARGP_KEY_ARG:
1077
argp_usage(state);
1078
case ARGP_KEY_END:
1079
break;
1080
default:
1081
return ARGP_ERR_UNKNOWN;
1082
}
1083
return 0;
1084
}
1085
1086
struct argp argp = { .options = options, .parser = parse_opt,
1087
.args_doc = "",
1088
.doc = "Mandos client -- Get and decrypt"
1089
" passwords from a Mandos server" };
1090
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1091
if(ret == ARGP_ERR_UNKNOWN){
1092
fprintf(stderr, "Unknown error while parsing arguments\n");
1093
exitcode = EXIT_FAILURE;
1094
goto end;
1095
}
1096
}
1097
1098
if(not debug){
1099
avahi_set_log_function(empty_log);
1100
}
1101
1102
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1103
from the signal handler */
1104
/* Initialize the pseudo-RNG for Avahi */
1105
srand((unsigned int) time(NULL));
1106
mc.simple_poll = avahi_simple_poll_new();
1107
if(mc.simple_poll == NULL){
1108
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1109
exitcode = EXIT_FAILURE;
1110
goto end;
1111
}
1112
1113
sigemptyset(&sigterm_action.sa_mask);
1114
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1115
if(ret == -1){
1116
perror("sigaddset");
1117
exitcode = EXIT_FAILURE;
1118
goto end;
1119
}
1120
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1121
if(ret == -1){
1122
perror("sigaddset");
1123
exitcode = EXIT_FAILURE;
1124
goto end;
1125
}
1126
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1127
if(ret == -1){
1128
perror("sigaddset");
1129
exitcode = EXIT_FAILURE;
1130
goto end;
1131
}
1132
/* Need to check if the handler is SIG_IGN before handling:
1133
| [[info:libc:Initial Signal Actions]] |
1134
| [[info:libc:Basic Signal Handling]] |
1135
*/
1136
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1137
if(ret == -1){
1138
perror("sigaction");
1139
return EXIT_FAILURE;
1140
}
1141
if(old_sigterm_action.sa_handler != SIG_IGN){
1142
ret = sigaction(SIGINT, &sigterm_action, NULL);
1143
if(ret == -1){
1144
perror("sigaction");
1145
exitcode = EXIT_FAILURE;
1146
goto end;
1147
}
1148
}
1149
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1150
if(ret == -1){
1151
perror("sigaction");
1152
return EXIT_FAILURE;
1153
}
1154
if(old_sigterm_action.sa_handler != SIG_IGN){
1155
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1156
if(ret == -1){
1157
perror("sigaction");
1158
exitcode = EXIT_FAILURE;
1159
goto end;
1160
}
1161
}
1162
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1163
if(ret == -1){
1164
perror("sigaction");
1165
return EXIT_FAILURE;
1166
}
1167
if(old_sigterm_action.sa_handler != SIG_IGN){
1168
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1169
if(ret == -1){
1170
perror("sigaction");
1171
exitcode = EXIT_FAILURE;
1172
goto end;
1173
}
1174
}
1175
1176
/* If the interface is down, bring it up */
1177
if(interface[0] != '\0'){
1178
if_index = (AvahiIfIndex) if_nametoindex(interface);
1179
if(if_index == 0){
1180
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1181
exitcode = EXIT_FAILURE;
1182
goto end;
1183
}
1184
1185
if(quit_now){
1186
goto end;
1187
}
1188
1189
#ifdef __linux__
1190
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1191
messages to mess up the prompt */
1192
ret = klogctl(8, NULL, 5);
1193
bool restore_loglevel = true;
1194
if(ret == -1){
1195
restore_loglevel = false;
1196
perror("klogctl");
1197
}
1198
#endif /* __linux__ */
1199
1200
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1201
if(sd < 0){
1202
perror("socket");
1203
exitcode = EXIT_FAILURE;
1204
#ifdef __linux__
1205
if(restore_loglevel){
1206
ret = klogctl(7, NULL, 0);
1207
if(ret == -1){
1208
perror("klogctl");
1209
}
1210
}
1211
#endif /* __linux__ */
1212
goto end;
1213
}
1214
strcpy(network.ifr_name, interface);
1215
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1216
if(ret == -1){
1217
perror("ioctl SIOCGIFFLAGS");
1218
#ifdef __linux__
1219
if(restore_loglevel){
1220
ret = klogctl(7, NULL, 0);
1221
if(ret == -1){
1222
perror("klogctl");
1223
}
1224
}
1225
#endif /* __linux__ */
1226
exitcode = EXIT_FAILURE;
1227
goto end;
1228
}
1229
if((network.ifr_flags & IFF_UP) == 0){
1230
network.ifr_flags |= IFF_UP;
1231
take_down_interface = true;
1232
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1233
if(ret == -1){
1234
take_down_interface = false;
1235
perror("ioctl SIOCSIFFLAGS");
1236
exitcode = EXIT_FAILURE;
1237
#ifdef __linux__
1238
if(restore_loglevel){
1239
ret = klogctl(7, NULL, 0);
1240
if(ret == -1){
1241
perror("klogctl");
1242
}
1243
}
1244
#endif /* __linux__ */
1245
goto end;
1246
}
1247
}
1248
/* sleep checking until interface is running */
1249
for(int i=0; i < delay * 4; i++){
1250
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1251
if(ret == -1){
1252
perror("ioctl SIOCGIFFLAGS");
1253
} else if(network.ifr_flags & IFF_RUNNING){
1254
break;
1255
}
1256
struct timespec sleeptime = { .tv_nsec = 250000000 };
1257
ret = nanosleep(&sleeptime, NULL);
1258
if(ret == -1 and errno != EINTR){
1259
perror("nanosleep");
1260
}
1261
}
1262
if(not take_down_interface){
1263
/* We won't need the socket anymore */
1264
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1265
if(ret == -1){
1266
perror("close");
1267
}
1268
}
1269
#ifdef __linux__
1270
if(restore_loglevel){
1271
/* Restores kernel loglevel to default */
1272
ret = klogctl(7, NULL, 0);
1273
if(ret == -1){
1274
perror("klogctl");
1275
}
1276
}
1277
#endif /* __linux__ */
1278
}
1279
1280
if(quit_now){
1281
goto end;
1282
}
1283
1284
uid = getuid();
1285
gid = getgid();
1286
1287
errno = 0;
1288
setgid(gid);
1289
if(ret == -1){
1290
perror("setgid");
1291
}
1292
1293
ret = setuid(uid);
1294
if(ret == -1){
1295
perror("setuid");
1296
}
1297
1298
if(quit_now){
1299
goto end;
1300
}
1301
1302
ret = init_gnutls_global(pubkey, seckey);
1303
if(ret == -1){
1304
fprintf(stderr, "init_gnutls_global failed\n");
1305
exitcode = EXIT_FAILURE;
1306
goto end;
1307
} else {
1308
gnutls_initialized = true;
1309
}
1310
1311
if(quit_now){
1312
goto end;
1313
}
1314
1315
tempdir_created = true;
1316
if(mkdtemp(tempdir) == NULL){
1317
tempdir_created = false;
1318
perror("mkdtemp");
1319
goto end;
1320
}
1321
1322
if(quit_now){
1323
goto end;
1324
}
1325
1326
if(not init_gpgme(pubkey, seckey, tempdir)){
1327
fprintf(stderr, "init_gpgme failed\n");
1328
exitcode = EXIT_FAILURE;
1329
goto end;
1330
} else {
1331
gpgme_initialized = true;
1332
}
1333
1334
if(quit_now){
1335
goto end;
1336
}
1337
1338
if(connect_to != NULL){
1339
/* Connect directly, do not use Zeroconf */
1340
/* (Mainly meant for debugging) */
1341
char *address = strrchr(connect_to, ':');
1342
if(address == NULL){
1343
fprintf(stderr, "No colon in address\n");
1344
exitcode = EXIT_FAILURE;
1345
goto end;
1346
}
1347
1348
if(quit_now){
1349
goto end;
1350
}
1351
1352
uint16_t port;
1353
errno = 0;
1354
tmpmax = strtoimax(address+1, &tmp, 10);
1355
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1356
or tmpmax != (uint16_t)tmpmax){
1357
fprintf(stderr, "Bad port number\n");
1358
exitcode = EXIT_FAILURE;
1359
goto end;
1360
}
1361
1362
if(quit_now){
1363
goto end;
1364
}
1365
1366
port = (uint16_t)tmpmax;
1367
*address = '\0';
1368
address = connect_to;
1369
/* Colon in address indicates IPv6 */
1370
int af;
1371
if(strchr(address, ':') != NULL){
1372
af = AF_INET6;
1373
} else {
1374
af = AF_INET;
1375
}
1376
1377
if(quit_now){
1378
goto end;
1379
}
1380
1381
ret = start_mandos_communication(address, port, if_index, af);
1382
if(ret < 0){
1383
exitcode = EXIT_FAILURE;
1384
} else {
1385
exitcode = EXIT_SUCCESS;
1386
}
1387
goto end;
1388
}
1389
1390
if(quit_now){
1391
goto end;
1392
}
1393
1394
{
634
tmp = malloc(strlen(first) + strlen(second) + 2);
635
if (tmp == NULL){
636
perror("malloc");
637
return NULL;
638
}
639
strcpy(tmp, first);
640
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
641
strcat(tmp, "/");
642
}
643
strcat(tmp, second);
644
return tmp;
645
}
646
647
648
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1395
649
AvahiServerConfig config;
1396
/* Do not publish any local Zeroconf records */
650
AvahiSServiceBrowser *sb = NULL;
651
int error;
652
int ret;
653
int returncode = EXIT_SUCCESS;
654
const char *interface = NULL;
655
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
656
char *connect_to = NULL;
657
658
while (true){
659
static struct option long_options[] = {
660
{"debug", no_argument, (int *)&debug, 1},
661
{"connect", required_argument, 0, 'C'},
662
{"interface", required_argument, 0, 'i'},
663
{"certdir", required_argument, 0, 'd'},
664
{"certkey", required_argument, 0, 'c'},
665
{"certfile", required_argument, 0, 'k'},
666
{0, 0, 0, 0} };
667
668
int option_index = 0;
669
ret = getopt_long (argc, argv, "i:", long_options,
670
&option_index);
671
672
if (ret == -1){
673
break;
674
}
675
676
switch(ret){
677
case 0:
678
break;
679
case 'i':
680
interface = optarg;
681
break;
682
case 'C':
683
connect_to = optarg;
684
break;
685
case 'd':
686
certdir = optarg;
687
break;
688
case 'c':
689
certfile = optarg;
690
break;
691
case 'k':
692
certkey = optarg;
693
break;
694
default:
695
exit(EXIT_FAILURE);
696
}
697
}
698
699
certfile = combinepath(certdir, certfile);
700
if (certfile == NULL){
701
goto exit;
702
}
703
704
if(interface != NULL){
705
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
if(if_index == 0){
707
fprintf(stderr, "No such interface: \"%s\"\n", interface);
708
exit(EXIT_FAILURE);
709
}
710
}
711
712
if(connect_to != NULL){
713
/* Connect directly, do not use Zeroconf */
714
/* (Mainly meant for debugging) */
715
char *address = strrchr(connect_to, ':');
716
if(address == NULL){
717
fprintf(stderr, "No colon in address\n");
718
exit(EXIT_FAILURE);
719
}
720
errno = 0;
721
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
if(errno){
723
perror("Bad port number");
724
exit(EXIT_FAILURE);
725
}
726
*address = '\0';
727
address = connect_to;
728
ret = start_mandos_communication(address, port, if_index);
729
if(ret < 0){
730
exit(EXIT_FAILURE);
731
} else {
732
exit(EXIT_SUCCESS);
733
}
734
}
735
736
certkey = combinepath(certdir, certkey);
737
if (certkey == NULL){
738
goto exit;
739
}
740
741
if (not debug){
742
avahi_set_log_function(empty_log);
743
}
744
745
/* Initialize the psuedo-RNG */
746
srand((unsigned int) time(NULL));
747
748
/* Allocate main loop object */
749
if (!(simple_poll = avahi_simple_poll_new())) {
750
fprintf(stderr, "Failed to create simple poll object.\n");
751
752
goto exit;
753
}
754
755
/* Do not publish any local records */
1397
756
avahi_server_config_init(&config);
1398
757
config.publish_hinfo = 0;
1399
758
config.publish_addresses = 0;
1400
759
config.publish_workstation = 0;
1401
760
config.publish_domain = 0;
1402
761
1403
762
/* Allocate a new server */
1404
mc.server = avahi_server_new(avahi_simple_poll_get
1405
(mc.simple_poll), &config, NULL,
1406
NULL, &error);
1407
1408
/* Free the Avahi configuration data */
763
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
764
&config, NULL, NULL, &error);
765
766
/* Free the configuration data */
1409
767
avahi_server_config_free(&config);
1410
}
1411
1412
/* Check if creating the Avahi server object succeeded */
1413
if(mc.server == NULL){
1414
fprintf(stderr, "Failed to create Avahi server: %s\n",
1415
avahi_strerror(error));
1416
exitcode = EXIT_FAILURE;
1417
goto end;
1418
}
1419
1420
if(quit_now){
1421
goto end;
1422
}
1423
1424
/* Create the Avahi service browser */
1425
sb = avahi_s_service_browser_new(mc.server, if_index,
1426
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1427
NULL, 0, browse_callback, NULL);
1428
if(sb == NULL){
1429
fprintf(stderr, "Failed to create service browser: %s\n",
1430
avahi_strerror(avahi_server_errno(mc.server)));
1431
exitcode = EXIT_FAILURE;
1432
goto end;
1433
}
1434
1435
if(quit_now){
1436
goto end;
1437
}
1438
1439
/* Run the main loop */
1440
1441
if(debug){
1442
fprintf(stderr, "Starting Avahi loop search\n");
1443
}
1444
1445
avahi_simple_poll_loop(mc.simple_poll);
1446
1447
end:
1448
1449
if(debug){
1450
fprintf(stderr, "%s exiting\n", argv[0]);
1451
}
1452
1453
/* Cleanup things */
1454
if(sb != NULL)
1455
avahi_s_service_browser_free(sb);
1456
1457
if(mc.server != NULL)
1458
avahi_server_free(mc.server);
1459
1460
if(mc.simple_poll != NULL)
1461
avahi_simple_poll_free(mc.simple_poll);
1462
1463
if(gnutls_initialized){
1464
gnutls_certificate_free_credentials(mc.cred);
1465
gnutls_global_deinit();
1466
gnutls_dh_params_deinit(mc.dh_params);
1467
}
1468
1469
if(gpgme_initialized){
1470
gpgme_release(mc.ctx);
1471
}
1472
1473
/* Take down the network interface */
1474
if(take_down_interface){
1475
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1476
if(ret == -1){
1477
perror("ioctl SIOCGIFFLAGS");
1478
} else if(network.ifr_flags & IFF_UP) {
1479
network.ifr_flags &= ~IFF_UP; /* clear flag */
1480
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1481
if(ret == -1){
1482
perror("ioctl SIOCSIFFLAGS");
1483
}
1484
}
1485
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1486
if(ret == -1){
1487
perror("close");
1488
}
1489
}
1490
1491
/* Removes the temp directory used by GPGME */
1492
if(tempdir_created){
1493
DIR *d;
1494
struct dirent *direntry;
1495
d = opendir(tempdir);
1496
if(d == NULL){
1497
if(errno != ENOENT){
1498
perror("opendir");
1499
}
1500
} else {
1501
while(true){
1502
direntry = readdir(d);
1503
if(direntry == NULL){
1504
break;
1505
}
1506
/* Skip "." and ".." */
1507
if(direntry->d_name[0] == '.'
1508
and (direntry->d_name[1] == '\0'
1509
or (direntry->d_name[1] == '.'
1510
and direntry->d_name[2] == '\0'))){
1511
continue;
1512
}
1513
char *fullname = NULL;
1514
ret = asprintf(&fullname, "%s/%s", tempdir,
1515
direntry->d_name);
1516
if(ret < 0){
1517
perror("asprintf");
1518
continue;
1519
}
1520
ret = remove(fullname);
1521
if(ret == -1){
1522
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1523
strerror(errno));
1524
}
1525
free(fullname);
1526
}
1527
closedir(d);
1528
}
1529
ret = rmdir(tempdir);
1530
if(ret == -1 and errno != ENOENT){
1531
perror("rmdir");
1532
}
1533
}
1534
1535
if(quit_now){
1536
sigemptyset(&old_sigterm_action.sa_mask);
1537
old_sigterm_action.sa_handler = SIG_DFL;
1538
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1539
if(ret == -1){
1540
perror("sigaction");
1541
}
1542
raise(signal_received);
1543
}
1544
1545
return exitcode;
768
769
/* Check if creating the server object succeeded */
770
if (!server) {
771
fprintf(stderr, "Failed to create server: %s\n",
772
avahi_strerror(error));
773
returncode = EXIT_FAILURE;
774
goto exit;
775
}
776
777
/* Create the service browser */
778
sb = avahi_s_service_browser_new(server, if_index,
779
AVAHI_PROTO_INET6,
780
"_mandos._tcp", NULL, 0,
781
browse_callback, server);
782
if (!sb) {
783
fprintf(stderr, "Failed to create service browser: %s\n",
784
avahi_strerror(avahi_server_errno(server)));
785
returncode = EXIT_FAILURE;
786
goto exit;
787
}
788
789
/* Run the main loop */
790
791
if (debug){
792
fprintf(stderr, "Starting avahi loop search\n");
793
}
794
795
avahi_simple_poll_loop(simple_poll);
796
797
exit:
798
799
if (debug){
800
fprintf(stderr, "%s exiting\n", argv[0]);
801
}
802
803
/* Cleanup things */
804
if (sb)
805
avahi_s_service_browser_free(sb);
806
807
if (server)
808
avahi_server_free(server);
809
810
if (simple_poll)
811
avahi_simple_poll_free(simple_poll);
812
free(certfile);
813
free(certkey);
814
815
return returncode;
1546
816
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0