To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 310
- compare with another revision
- download diff
- download tarball
- view history from revision 310
- Committer: Teddy Hogeborn
- Date: 2009-02-12 06:09:24 UTC
- Revision ID: teddy@fukt.bsnet.se-20090212060924-vwxgitxnwr14w9e4
* mandos (Client.start_checker): Bug fix: Add extra check in case the
checker process completed quickly.
checker process completed quickly.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, false, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
86
/* Avahi */
87
/* All Avahi types, constants and functions
88
Avahi*, avahi_*,
89
AVAHI_* */
41
90
#include <avahi-core/core.h>
42
91
#include <avahi-core/lookup.h>
43
92
#include <avahi-core/log.h>
45
94
#include <avahi-common/malloc.h>
46
95
#include <avahi-common/error.h>
47
96
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt_long
67
#include <getopt.h>
97
/* GnuTLS */
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
99
functions:
100
gnutls_*
101
init_gnutls_session(),
102
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
106
107
/* GPGME */
108
#include <gpgme.h> /* All GPGME types, constants and
109
functions:
110
gpgme_*
111
GPGME_PROTOCOL_OpenPGP,
112
GPG_ERR_NO_* */
68
113
69
114
#define BUFFER_SIZE 256
70
115
71
static int dh_bits = 1024;
72
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
76
119
77
120
bool debug = false;
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
78
124
79
/* Used for */
125
/* Used for passing in values through the Avahi callback functions */
80
126
typedef struct {
81
gnutls_session_t session;
127
AvahiSimplePoll *simple_poll;
128
AvahiServer *server;
82
129
gnutls_certificate_credentials_t cred;
130
unsigned int dh_bits;
83
131
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
132
const char *priority;
91
133
gpgme_ctx_t ctx;
134
} mandos_context;
135
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
140
141
/*
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
144
* "buffer_length" is how much is already used.
145
*/
146
size_t incbuffer(char **buffer, size_t buffer_length,
147
size_t buffer_capacity){
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
150
if(buffer == NULL){
151
return 0;
152
}
153
buffer_capacity += BUFFER_SIZE;
154
}
155
return buffer_capacity;
156
}
157
158
/*
159
* Initialize GPGME.
160
*/
161
static bool init_gpgme(const char *seckey,
162
const char *pubkey, const char *tempdir){
163
int ret;
92
164
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
96
165
gpgme_engine_info_t engine_info;
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
166
167
168
/*
169
* Helper function to insert pub and seckey to the engine keyring.
170
*/
171
bool import_key(const char *filename){
172
int fd;
173
gpgme_data_t pgp_data;
174
175
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
176
if(fd == -1){
177
perror("open");
178
return false;
179
}
180
181
rc = gpgme_data_new_from_fd(&pgp_data, fd);
182
if(rc != GPG_ERR_NO_ERROR){
183
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
184
gpgme_strsource(rc), gpgme_strerror(rc));
185
return false;
186
}
187
188
rc = gpgme_op_import(mc.ctx, pgp_data);
189
if(rc != GPG_ERR_NO_ERROR){
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
191
gpgme_strsource(rc), gpgme_strerror(rc));
192
return false;
193
}
194
195
ret = (int)TEMP_FAILURE_RETRY(close(fd));
196
if(ret == -1){
197
perror("close");
198
}
199
gpgme_data_release(pgp_data);
200
return true;
201
}
202
203
if(debug){
204
fprintf(stderr, "Initializing GPGME\n");
100
205
}
101
206
102
207
/* Init GPGME */
103
208
gpgme_check_version(NULL);
104
209
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
105
if (rc != GPG_ERR_NO_ERROR){
210
if(rc != GPG_ERR_NO_ERROR){
106
211
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
107
212
gpgme_strsource(rc), gpgme_strerror(rc));
108
return -1;
213
return false;
109
214
}
110
215
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
216
/* Set GPGME home directory for the OpenPGP engine only */
217
rc = gpgme_get_engine_info(&engine_info);
218
if(rc != GPG_ERR_NO_ERROR){
114
219
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
115
220
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
221
return false;
117
222
}
118
223
while(engine_info != NULL){
119
224
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
120
225
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
121
engine_info->file_name, homedir);
226
engine_info->file_name, tempdir);
122
227
break;
123
228
}
124
229
engine_info = engine_info->next;
125
230
}
126
231
if(engine_info == NULL){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
232
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
233
return false;
234
}
235
236
/* Create new GPGME "context" */
237
rc = gpgme_new(&(mc.ctx));
238
if(rc != GPG_ERR_NO_ERROR){
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
240
gpgme_strsource(rc), gpgme_strerror(rc));
241
return false;
242
}
243
244
if(not import_key(pubkey) or not import_key(seckey)){
245
return false;
246
}
247
248
return true;
249
}
250
251
/*
252
* Decrypt OpenPGP data.
253
* Returns -1 on error
254
*/
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
256
size_t crypto_size,
257
char **plaintext){
258
gpgme_data_t dh_crypto, dh_plain;
259
gpgme_error_t rc;
260
ssize_t ret;
261
size_t plaintext_capacity = 0;
262
ssize_t plaintext_length = 0;
263
264
if(debug){
265
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
266
}
267
268
/* Create new GPGME data buffer from memory cryptotext */
269
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
270
0);
271
if(rc != GPG_ERR_NO_ERROR){
134
272
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
135
273
gpgme_strsource(rc), gpgme_strerror(rc));
136
274
return -1;
138
276
139
277
/* Create new empty GPGME data buffer for the plaintext */
140
278
rc = gpgme_data_new(&dh_plain);
141
if (rc != GPG_ERR_NO_ERROR){
279
if(rc != GPG_ERR_NO_ERROR){
142
280
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
143
281
gpgme_strsource(rc), gpgme_strerror(rc));
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
282
gpgme_data_release(dh_crypto);
283
return -1;
284
}
285
286
/* Decrypt data from the cryptotext data buffer to the plaintext
287
data buffer */
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
289
if(rc != GPG_ERR_NO_ERROR){
159
290
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
160
291
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
292
plaintext_length = -1;
293
if(debug){
294
gpgme_decrypt_result_t result;
295
result = gpgme_op_decrypt_result(mc.ctx);
296
if(result == NULL){
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
298
} else {
299
fprintf(stderr, "Unsupported algorithm: %s\n",
300
result->unsupported_algorithm);
301
fprintf(stderr, "Wrong key usage: %u\n",
302
result->wrong_key_usage);
303
if(result->file_name != NULL){
304
fprintf(stderr, "File name: %s\n", result->file_name);
305
}
306
gpgme_recipient_t recipient;
307
recipient = result->recipients;
308
if(recipient){
309
while(recipient != NULL){
310
fprintf(stderr, "Public key algorithm: %s\n",
311
gpgme_pubkey_algo_name(recipient->pubkey_algo));
312
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
313
fprintf(stderr, "Secret key available: %s\n",
314
recipient->status == GPG_ERR_NO_SECKEY
315
? "No" : "Yes");
316
recipient = recipient->next;
317
}
318
}
319
}
320
}
321
goto decrypt_end;
162
322
}
163
323
164
324
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
192
}
193
}
194
}
195
}
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
325
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
326
}
199
327
200
328
/* Seek back to the beginning of the GPGME plaintext data buffer */
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
329
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
330
perror("gpgme_data_seek");
331
plaintext_length = -1;
332
goto decrypt_end;
203
333
}
204
334
205
*new_packet = 0;
335
*plaintext = NULL;
206
336
while(true){
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
337
plaintext_capacity = incbuffer(plaintext,
338
(size_t)plaintext_length,
339
plaintext_capacity);
340
if(plaintext_capacity == 0){
341
perror("incbuffer");
342
plaintext_length = -1;
343
goto decrypt_end;
216
344
}
217
345
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
346
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
347
BUFFER_SIZE);
220
348
/* Print the data, if any */
221
if (ret == 0){
349
if(ret == 0){
350
/* EOF */
222
351
break;
223
352
}
224
353
if(ret < 0){
225
354
perror("gpgme_data_read");
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
355
plaintext_length = -1;
356
goto decrypt_end;
357
}
358
plaintext_length += ret;
359
}
360
361
if(debug){
362
fprintf(stderr, "Decrypted password is: ");
363
for(ssize_t i = 0; i < plaintext_length; i++){
364
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
365
}
366
fprintf(stderr, "\n");
367
}
368
369
decrypt_end:
370
371
/* Delete the GPGME cryptotext data buffer */
372
gpgme_data_release(dh_crypto);
238
373
239
374
/* Delete the GPGME plaintext data buffer */
240
375
gpgme_data_release(dh_plain);
241
return new_packet_length;
376
return plaintext_length;
242
377
}
243
378
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
379
static const char * safer_gnutls_strerror(int value){
380
const char *ret = gnutls_strerror(value); /* Spurious warning from
381
-Wunreachable-code */
382
if(ret == NULL)
247
383
ret = "(unknown)";
248
384
return ret;
249
385
}
250
386
387
/* GnuTLS log function callback */
251
388
static void debuggnutls(__attribute__((unused)) int level,
252
389
const char* string){
253
fprintf(stderr, "%s", string);
390
fprintf(stderr, "GnuTLS: %s", string);
254
391
}
255
392
256
static int initgnutls(encrypted_session *es){
257
const char *err;
393
static int init_gnutls_global(const char *pubkeyfilename,
394
const char *seckeyfilename){
258
395
int ret;
259
396
260
397
if(debug){
261
398
fprintf(stderr, "Initializing GnuTLS\n");
262
399
}
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
400
401
ret = gnutls_global_init();
402
if(ret != GNUTLS_E_SUCCESS){
403
fprintf(stderr, "GnuTLS global_init: %s\n",
404
safer_gnutls_strerror(ret));
267
405
return -1;
268
406
}
269
270
if (debug){
407
408
if(debug){
409
/* "Use a log level over 10 to enable all debugging options."
410
* - GnuTLS manual
411
*/
271
412
gnutls_global_set_log_level(11);
272
413
gnutls_global_set_log_function(debuggnutls);
273
414
}
274
415
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
416
/* OpenPGP credentials */
417
gnutls_certificate_allocate_credentials(&mc.cred);
418
if(ret != GNUTLS_E_SUCCESS){
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
420
from
421
-Wunreachable-code
422
*/
423
safer_gnutls_strerror(ret));
424
gnutls_global_deinit();
280
425
return -1;
281
426
}
282
427
283
428
if(debug){
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
286
seckeyfile);
429
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
430
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
431
seckeyfilename);
287
432
}
288
433
289
434
ret = gnutls_certificate_set_openpgp_key_file
290
(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, pubkeyfile, seckeyfile);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
435
(mc.cred, pubkeyfilename, seckeyfilename,
436
GNUTLS_OPENPGP_FMT_BASE64);
437
if(ret != GNUTLS_E_SUCCESS){
438
fprintf(stderr,
439
"Error[%d] while reading the OpenPGP key pair ('%s',"
440
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
441
fprintf(stderr, "The GnuTLS error is: %s\n",
442
safer_gnutls_strerror(ret));
443
goto globalfail;
444
}
445
446
/* GnuTLS server initialization */
447
ret = gnutls_dh_params_init(&mc.dh_params);
448
if(ret != GNUTLS_E_SUCCESS){
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
450
" %s\n", safer_gnutls_strerror(ret));
451
goto globalfail;
452
}
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
454
if(ret != GNUTLS_E_SUCCESS){
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
456
safer_gnutls_strerror(ret));
457
goto globalfail;
458
}
459
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
461
462
return 0;
463
464
globalfail:
465
466
gnutls_certificate_free_credentials(mc.cred);
467
gnutls_global_deinit();
468
gnutls_dh_params_deinit(mc.dh_params);
469
return -1;
470
}
471
472
static int init_gnutls_session(gnutls_session_t *session){
473
int ret;
474
/* GnuTLS session creation */
475
ret = gnutls_init(session, GNUTLS_SERVER);
476
if(ret != GNUTLS_E_SUCCESS){
321
477
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
322
478
safer_gnutls_strerror(ret));
323
479
}
324
480
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
481
{
482
const char *err;
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
484
if(ret != GNUTLS_E_SUCCESS){
485
fprintf(stderr, "Syntax error at: %s\n", err);
486
fprintf(stderr, "GnuTLS error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
489
return -1;
490
}
331
491
}
332
492
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
494
mc.cred);
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
337
497
safer_gnutls_strerror(ret));
498
gnutls_deinit(*session);
338
499
return -1;
339
500
}
340
501
341
502
/* ignore client certificate if any. */
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
503
gnutls_certificate_server_set_request(*session,
504
GNUTLS_CERT_IGNORE);
344
505
345
gnutls_dh_set_prime_bits (es->session, dh_bits);
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
346
507
347
508
return 0;
348
509
}
349
510
511
/* Avahi log function callback */
350
512
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
351
513
__attribute__((unused)) const char *txt){}
352
514
515
/* Called when a Mandos server is found */
353
516
static int start_mandos_communication(const char *ip, uint16_t port,
354
AvahiIfIndex if_index){
517
AvahiIfIndex if_index,
518
int af){
355
519
int ret, tcp_sd;
356
struct sockaddr_in6 to;
357
encrypted_session es;
520
ssize_t sret;
521
union {
522
struct sockaddr_in in;
523
struct sockaddr_in6 in6;
524
} to;
358
525
char *buffer = NULL;
359
526
char *decrypted_buffer;
360
527
size_t buffer_length = 0;
361
528
size_t buffer_capacity = 0;
362
529
ssize_t decrypted_buffer_size;
363
size_t written = 0;
530
size_t written;
364
531
int retval = 0;
365
char interface[IF_NAMESIZE];
532
gnutls_session_t session;
533
int pf; /* Protocol family */
534
535
switch(af){
536
case AF_INET6:
537
pf = PF_INET6;
538
break;
539
case AF_INET:
540
pf = PF_INET;
541
break;
542
default:
543
fprintf(stderr, "Bad address family: %d\n", af);
544
return -1;
545
}
546
547
ret = init_gnutls_session(&session);
548
if(ret != 0){
549
return -1;
550
}
366
551
367
552
if(debug){
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
553
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
554
"\n", ip, port);
370
555
}
371
556
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
if(tcp_sd < 0) {
557
tcp_sd = socket(pf, SOCK_STREAM, 0);
558
if(tcp_sd < 0){
374
559
perror("socket");
375
560
return -1;
376
561
}
377
562
378
if(if_indextoname((unsigned int)if_index, interface) == NULL){
379
if(debug){
380
perror("if_indextoname");
381
}
382
return -1;
383
}
384
385
if(debug){
386
fprintf(stderr, "Binding to interface %s\n", interface);
387
}
388
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
563
memset(&to, 0, sizeof(to));
564
if(af == AF_INET6){
565
to.in6.sin6_family = (uint16_t)af;
566
ret = inet_pton(af, ip, &to.in6.sin6_addr);
567
} else { /* IPv4 */
568
to.in.sin_family = (sa_family_t)af;
569
ret = inet_pton(af, ip, &to.in.sin_addr);
570
}
571
if(ret < 0 ){
393
572
perror("inet_pton");
394
573
return -1;
395
}
574
}
396
575
if(ret == 0){
397
576
fprintf(stderr, "Bad address: %s\n", ip);
398
577
return -1;
399
578
}
400
to.sin6_port = htons(port); /* Spurious warning */
401
402
to.sin6_scope_id = (uint32_t)if_index;
579
if(af == AF_INET6){
580
to.in6.sin6_port = htons(port); /* Spurious warnings from
581
-Wconversion and
582
-Wunreachable-code */
583
584
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
585
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
586
-Wunreachable-code*/
587
if(if_index == AVAHI_IF_UNSPEC){
588
fprintf(stderr, "An IPv6 link-local address is incomplete"
589
" without a network interface\n");
590
return -1;
591
}
592
/* Set the network interface number as scope */
593
to.in6.sin6_scope_id = (uint32_t)if_index;
594
}
595
} else {
596
to.in.sin_port = htons(port); /* Spurious warnings from
597
-Wconversion and
598
-Wunreachable-code */
599
}
403
600
404
601
if(debug){
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
char addrstr[INET6_ADDRSTRLEN] = "";
407
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
408
sizeof(addrstr)) == NULL){
602
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
603
char interface[IF_NAMESIZE];
604
if(if_indextoname((unsigned int)if_index, interface) == NULL){
605
perror("if_indextoname");
606
} else {
607
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
608
ip, interface, port);
609
}
610
} else {
611
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
612
port);
613
}
614
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
615
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
616
const char *pcret;
617
if(af == AF_INET6){
618
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
619
sizeof(addrstr));
620
} else {
621
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
622
sizeof(addrstr));
623
}
624
if(pcret == NULL){
409
625
perror("inet_ntop");
410
626
} else {
411
627
if(strcmp(addrstr, ip) != 0){
412
fprintf(stderr, "Canonical address form: %s\n",
413
addrstr, ntohs(to.sin6_port));
628
fprintf(stderr, "Canonical address form: %s\n", addrstr);
414
629
}
415
630
}
416
631
}
417
632
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
633
if(af == AF_INET6){
634
ret = connect(tcp_sd, &to.in6, sizeof(to));
635
} else {
636
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
637
}
638
if(ret < 0){
420
639
perror("connect");
421
640
return -1;
422
641
}
423
642
424
ret = initgnutls (&es);
425
if (ret != 0){
426
retval = -1;
427
return -1;
643
const char *out = mandos_protocol_version;
644
written = 0;
645
while(true){
646
size_t out_size = strlen(out);
647
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
648
out_size - written));
649
if(ret == -1){
650
perror("write");
651
retval = -1;
652
goto mandos_end;
653
}
654
written += (size_t)ret;
655
if(written < out_size){
656
continue;
657
} else {
658
if(out == mandos_protocol_version){
659
written = 0;
660
out = "\r\n";
661
} else {
662
break;
663
}
664
}
428
665
}
429
666
430
gnutls_transport_set_ptr (es.session,
431
(gnutls_transport_ptr_t) tcp_sd);
432
433
667
if(debug){
434
668
fprintf(stderr, "Establishing TLS session with %s\n", ip);
435
669
}
436
670
437
ret = gnutls_handshake (es.session);
438
439
if (ret != GNUTLS_E_SUCCESS){
671
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
672
673
do{
674
ret = gnutls_handshake(session);
675
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
676
677
if(ret != GNUTLS_E_SUCCESS){
440
678
if(debug){
441
fprintf(stderr, "\n*** Handshake failed ***\n");
442
gnutls_perror (ret);
679
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
680
gnutls_perror(ret);
443
681
}
444
682
retval = -1;
445
goto exit;
683
goto mandos_end;
446
684
}
447
685
448
//Retrieve OpenPGP packet that contains the wanted password
686
/* Read OpenPGP packet that contains the wanted password */
449
687
450
688
if(debug){
451
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
689
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
452
690
ip);
453
691
}
454
692
455
693
while(true){
456
if (buffer_length + BUFFER_SIZE > buffer_capacity){
457
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
458
if (buffer == NULL){
459
perror("realloc");
460
goto exit;
461
}
462
buffer_capacity += BUFFER_SIZE;
694
buffer_capacity = incbuffer(&buffer, buffer_length,
695
buffer_capacity);
696
if(buffer_capacity == 0){
697
perror("incbuffer");
698
retval = -1;
699
goto mandos_end;
463
700
}
464
701
465
ret = gnutls_record_recv
466
(es.session, buffer+buffer_length, BUFFER_SIZE);
467
if (ret == 0){
702
sret = gnutls_record_recv(session, buffer+buffer_length,
703
BUFFER_SIZE);
704
if(sret == 0){
468
705
break;
469
706
}
470
if (ret < 0){
471
switch(ret){
707
if(sret < 0){
708
switch(sret){
472
709
case GNUTLS_E_INTERRUPTED:
473
710
case GNUTLS_E_AGAIN:
474
711
break;
475
712
case GNUTLS_E_REHANDSHAKE:
476
ret = gnutls_handshake (es.session);
477
if (ret < 0){
478
fprintf(stderr, "\n*** Handshake failed ***\n");
479
gnutls_perror (ret);
713
do{
714
ret = gnutls_handshake(session);
715
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
716
if(ret < 0){
717
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
718
gnutls_perror(ret);
480
719
retval = -1;
481
goto exit;
720
goto mandos_end;
482
721
}
483
722
break;
484
723
default:
485
724
fprintf(stderr, "Unknown error while reading data from"
486
" encrypted session with mandos server\n");
725
" encrypted session with Mandos server\n");
487
726
retval = -1;
488
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
489
goto exit;
727
gnutls_bye(session, GNUTLS_SHUT_RDWR);
728
goto mandos_end;
490
729
}
491
730
} else {
492
buffer_length += (size_t) ret;
731
buffer_length += (size_t) sret;
493
732
}
494
733
}
495
734
496
if (buffer_length > 0){
735
if(debug){
736
fprintf(stderr, "Closing TLS session\n");
737
}
738
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
740
741
if(buffer_length > 0){
497
742
decrypted_buffer_size = pgp_packet_decrypt(buffer,
498
743
buffer_length,
499
&decrypted_buffer,
500
keydir);
501
if (decrypted_buffer_size >= 0){
744
&decrypted_buffer);
745
if(decrypted_buffer_size >= 0){
746
written = 0;
502
747
while(written < (size_t) decrypted_buffer_size){
503
ret = (int)fwrite (decrypted_buffer + written, 1,
504
(size_t)decrypted_buffer_size - written,
505
stdout);
748
ret = (int)fwrite(decrypted_buffer + written, 1,
749
(size_t)decrypted_buffer_size - written,
750
stdout);
506
751
if(ret == 0 and ferror(stdout)){
507
752
if(debug){
508
753
fprintf(stderr, "Error writing encrypted data: %s\n",
517
762
} else {
518
763
retval = -1;
519
764
}
520
}
521
522
//shutdown procedure
523
524
if(debug){
525
fprintf(stderr, "Closing TLS session\n");
526
}
527
765
} else {
766
retval = -1;
767
}
768
769
/* Shutdown procedure */
770
771
mandos_end:
528
772
free(buffer);
529
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
530
exit:
531
close(tcp_sd);
532
gnutls_deinit (es.session);
533
gnutls_certificate_free_credentials (es.cred);
534
gnutls_global_deinit ();
773
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
774
if(ret == -1){
775
perror("close");
776
}
777
gnutls_deinit(session);
535
778
return retval;
536
779
}
537
780
538
static AvahiSimplePoll *simple_poll = NULL;
539
static AvahiServer *server = NULL;
540
541
static void resolve_callback(
542
AvahiSServiceResolver *r,
543
AvahiIfIndex interface,
544
AVAHI_GCC_UNUSED AvahiProtocol protocol,
545
AvahiResolverEvent event,
546
const char *name,
547
const char *type,
548
const char *domain,
549
const char *host_name,
550
const AvahiAddress *address,
551
uint16_t port,
552
AVAHI_GCC_UNUSED AvahiStringList *txt,
553
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
554
AVAHI_GCC_UNUSED void* userdata) {
555
556
assert(r); /* Spurious warning */
781
static void resolve_callback(AvahiSServiceResolver *r,
782
AvahiIfIndex interface,
783
AvahiProtocol proto,
784
AvahiResolverEvent event,
785
const char *name,
786
const char *type,
787
const char *domain,
788
const char *host_name,
789
const AvahiAddress *address,
790
uint16_t port,
791
AVAHI_GCC_UNUSED AvahiStringList *txt,
792
AVAHI_GCC_UNUSED AvahiLookupResultFlags
793
flags,
794
AVAHI_GCC_UNUSED void* userdata){
795
assert(r);
557
796
558
797
/* Called whenever a service has been resolved successfully or
559
798
timed out */
560
799
561
switch (event) {
800
switch(event){
562
801
default:
563
802
case AVAHI_RESOLVER_FAILURE:
564
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
565
" type '%s' in domain '%s': %s\n", name, type, domain,
566
avahi_strerror(avahi_server_errno(server)));
803
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
804
" of type '%s' in domain '%s': %s\n", name, type, domain,
805
avahi_strerror(avahi_server_errno(mc.server)));
567
806
break;
568
807
569
808
case AVAHI_RESOLVER_FOUND:
571
810
char ip[AVAHI_ADDRESS_STR_MAX];
572
811
avahi_address_snprint(ip, sizeof(ip), address);
573
812
if(debug){
574
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
575
" port %d\n", name, host_name, ip, port);
813
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
815
ip, (intmax_t)interface, port);
576
816
}
577
int ret = start_mandos_communication(ip, port, interface);
578
if (ret == 0){
579
exit(EXIT_SUCCESS);
817
int ret = start_mandos_communication(ip, port, interface,
818
avahi_proto_to_af(proto));
819
if(ret == 0){
820
avahi_simple_poll_quit(mc.simple_poll);
580
821
}
581
822
}
582
823
}
583
824
avahi_s_service_resolver_free(r);
584
825
}
585
826
586
static void browse_callback(
587
AvahiSServiceBrowser *b,
588
AvahiIfIndex interface,
589
AvahiProtocol protocol,
590
AvahiBrowserEvent event,
591
const char *name,
592
const char *type,
593
const char *domain,
594
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
595
void* userdata) {
596
597
AvahiServer *s = userdata;
598
assert(b); /* Spurious warning */
599
600
/* Called whenever a new services becomes available on the LAN or
601
is removed from the LAN */
602
603
switch (event) {
604
default:
605
case AVAHI_BROWSER_FAILURE:
606
607
fprintf(stderr, "(Browser) %s\n",
608
avahi_strerror(avahi_server_errno(server)));
609
avahi_simple_poll_quit(simple_poll);
610
return;
611
612
case AVAHI_BROWSER_NEW:
613
/* We ignore the returned resolver object. In the callback
614
function we free it. If the server is terminated before
615
the callback function is called the server will free
616
the resolver for us. */
617
618
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
619
type, domain,
620
AVAHI_PROTO_INET6, 0,
621
resolve_callback, s)))
622
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
623
avahi_strerror(avahi_server_errno(s)));
624
break;
625
626
case AVAHI_BROWSER_REMOVE:
627
break;
628
629
case AVAHI_BROWSER_ALL_FOR_NOW:
630
case AVAHI_BROWSER_CACHE_EXHAUSTED:
631
break;
632
}
633
}
634
635
/* Combines file name and path and returns the malloced new
636
string. some sane checks could/should be added */
637
static const char *combinepath(const char *first, const char *second){
638
size_t f_len = strlen(first);
639
size_t s_len = strlen(second);
640
char *tmp = malloc(f_len + s_len + 2);
641
if (tmp == NULL){
642
return NULL;
643
}
644
if(f_len > 0){
645
memcpy(tmp, first, f_len);
646
}
647
tmp[f_len] = '/';
648
if(s_len > 0){
649
memcpy(tmp + f_len + 1, second, s_len);
650
}
651
tmp[f_len + 1 + s_len] = '\0';
652
return tmp;
653
}
654
655
656
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
827
static void browse_callback(AvahiSServiceBrowser *b,
828
AvahiIfIndex interface,
829
AvahiProtocol protocol,
830
AvahiBrowserEvent event,
831
const char *name,
832
const char *type,
833
const char *domain,
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
835
flags,
836
AVAHI_GCC_UNUSED void* userdata){
837
assert(b);
838
839
/* Called whenever a new services becomes available on the LAN or
840
is removed from the LAN */
841
842
switch(event){
843
default:
844
case AVAHI_BROWSER_FAILURE:
845
846
fprintf(stderr, "(Avahi browser) %s\n",
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
849
return;
850
851
case AVAHI_BROWSER_NEW:
852
/* We ignore the returned Avahi resolver object. In the callback
853
function we free it. If the Avahi server is terminated before
854
the callback function is called the Avahi server will free the
855
resolver for us. */
856
857
if(!(avahi_s_service_resolver_new(mc.server, interface,
858
protocol, name, type, domain,
859
AVAHI_PROTO_INET6, 0,
860
resolve_callback, NULL)))
861
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
862
name, avahi_strerror(avahi_server_errno(mc.server)));
863
break;
864
865
case AVAHI_BROWSER_REMOVE:
866
break;
867
868
case AVAHI_BROWSER_ALL_FOR_NOW:
869
case AVAHI_BROWSER_CACHE_EXHAUSTED:
870
if(debug){
871
fprintf(stderr, "No Mandos server found, still searching...\n");
872
}
873
break;
874
}
875
}
876
877
sig_atomic_t quit_now = 0;
878
879
/* stop main loop after sigterm has been called */
880
static void handle_sigterm(__attribute__((unused)) int sig){
881
if(quit_now){
882
return;
883
}
884
quit_now = 1;
885
int old_errno = errno;
886
if(mc.simple_poll != NULL){
887
avahi_simple_poll_quit(mc.simple_poll);
888
}
889
errno = old_errno;
890
}
891
892
int main(int argc, char *argv[]){
893
AvahiSServiceBrowser *sb = NULL;
894
int error;
895
int ret;
896
intmax_t tmpmax;
897
int numchars;
898
int exitcode = EXIT_SUCCESS;
899
const char *interface = "eth0";
900
struct ifreq network;
901
int sd;
902
uid_t uid;
903
gid_t gid;
904
char *connect_to = NULL;
905
char tempdir[] = "/tmp/mandosXXXXXX";
906
bool tempdir_created = false;
907
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
908
const char *seckey = PATHDIR "/" SECKEY;
909
const char *pubkey = PATHDIR "/" PUBKEY;
910
911
/* Initialize Mandos context */
912
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
913
.dh_bits = 1024, .priority = "SECURE256"
914
":!CTYPE-X.509:+CTYPE-OPENPGP" };
915
bool gnutls_initialized = false;
916
bool gpgme_initialized = false;
917
double delay = 2.5;
918
919
struct sigaction old_sigterm_action;
920
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
921
922
{
923
struct argp_option options[] = {
924
{ .name = "debug", .key = 128,
925
.doc = "Debug mode", .group = 3 },
926
{ .name = "connect", .key = 'c',
927
.arg = "ADDRESS:PORT",
928
.doc = "Connect directly to a specific Mandos server",
929
.group = 1 },
930
{ .name = "interface", .key = 'i',
931
.arg = "NAME",
932
.doc = "Network interface that will be used to search for"
933
" Mandos servers",
934
.group = 1 },
935
{ .name = "seckey", .key = 's',
936
.arg = "FILE",
937
.doc = "OpenPGP secret key file base name",
938
.group = 1 },
939
{ .name = "pubkey", .key = 'p',
940
.arg = "FILE",
941
.doc = "OpenPGP public key file base name",
942
.group = 2 },
943
{ .name = "dh-bits", .key = 129,
944
.arg = "BITS",
945
.doc = "Bit length of the prime number used in the"
946
" Diffie-Hellman key exchange",
947
.group = 2 },
948
{ .name = "priority", .key = 130,
949
.arg = "STRING",
950
.doc = "GnuTLS priority string for the TLS handshake",
951
.group = 1 },
952
{ .name = "delay", .key = 131,
953
.arg = "SECONDS",
954
.doc = "Maximum delay to wait for interface startup",
955
.group = 2 },
956
{ .name = NULL }
957
};
958
959
error_t parse_opt(int key, char *arg,
960
struct argp_state *state){
961
switch(key){
962
case 128: /* --debug */
963
debug = true;
964
break;
965
case 'c': /* --connect */
966
connect_to = arg;
967
break;
968
case 'i': /* --interface */
969
interface = arg;
970
break;
971
case 's': /* --seckey */
972
seckey = arg;
973
break;
974
case 'p': /* --pubkey */
975
pubkey = arg;
976
break;
977
case 129: /* --dh-bits */
978
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
979
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
980
or arg[numchars] != '\0'){
981
fprintf(stderr, "Bad number of DH bits\n");
982
exit(EXIT_FAILURE);
983
}
984
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
985
break;
986
case 130: /* --priority */
987
mc.priority = arg;
988
break;
989
case 131: /* --delay */
990
ret = sscanf(arg, "%lf%n", &delay, &numchars);
991
if(ret < 1 or arg[numchars] != '\0'){
992
fprintf(stderr, "Bad delay\n");
993
exit(EXIT_FAILURE);
994
}
995
break;
996
case ARGP_KEY_ARG:
997
argp_usage(state);
998
case ARGP_KEY_END:
999
break;
1000
default:
1001
return ARGP_ERR_UNKNOWN;
1002
}
1003
return 0;
1004
}
1005
1006
struct argp argp = { .options = options, .parser = parse_opt,
1007
.args_doc = "",
1008
.doc = "Mandos client -- Get and decrypt"
1009
" passwords from a Mandos server" };
1010
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1011
if(ret == ARGP_ERR_UNKNOWN){
1012
fprintf(stderr, "Unknown error while parsing arguments\n");
1013
exitcode = EXIT_FAILURE;
1014
goto end;
1015
}
1016
}
1017
1018
if(not debug){
1019
avahi_set_log_function(empty_log);
1020
}
1021
1022
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1023
from the signal handler */
1024
/* Initialize the pseudo-RNG for Avahi */
1025
srand((unsigned int) time(NULL));
1026
mc.simple_poll = avahi_simple_poll_new();
1027
if(mc.simple_poll == NULL){
1028
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1029
exitcode = EXIT_FAILURE;
1030
goto end;
1031
}
1032
1033
sigemptyset(&sigterm_action.sa_mask);
1034
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1035
if(ret == -1){
1036
perror("sigaddset");
1037
exitcode = EXIT_FAILURE;
1038
goto end;
1039
}
1040
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1041
if(ret == -1){
1042
perror("sigaddset");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1047
if(ret == -1){
1048
perror("sigaddset");
1049
exitcode = EXIT_FAILURE;
1050
goto end;
1051
}
1052
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1053
if(ret == -1){
1054
perror("sigaction");
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
1059
/* If the interface is down, bring it up */
1060
if(interface[0] != '\0'){
1061
#ifdef __linux__
1062
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1063
messages to mess up the prompt */
1064
ret = klogctl(8, NULL, 5);
1065
bool restore_loglevel = true;
1066
if(ret == -1){
1067
restore_loglevel = false;
1068
perror("klogctl");
1069
}
1070
#endif /* __linux__ */
1071
1072
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1073
if(sd < 0){
1074
perror("socket");
1075
exitcode = EXIT_FAILURE;
1076
#ifdef __linux__
1077
if(restore_loglevel){
1078
ret = klogctl(7, NULL, 0);
1079
if(ret == -1){
1080
perror("klogctl");
1081
}
1082
}
1083
#endif /* __linux__ */
1084
goto end;
1085
}
1086
strcpy(network.ifr_name, interface);
1087
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1088
if(ret == -1){
1089
perror("ioctl SIOCGIFFLAGS");
1090
#ifdef __linux__
1091
if(restore_loglevel){
1092
ret = klogctl(7, NULL, 0);
1093
if(ret == -1){
1094
perror("klogctl");
1095
}
1096
}
1097
#endif /* __linux__ */
1098
exitcode = EXIT_FAILURE;
1099
goto end;
1100
}
1101
if((network.ifr_flags & IFF_UP) == 0){
1102
network.ifr_flags |= IFF_UP;
1103
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1104
if(ret == -1){
1105
perror("ioctl SIOCSIFFLAGS");
1106
exitcode = EXIT_FAILURE;
1107
#ifdef __linux__
1108
if(restore_loglevel){
1109
ret = klogctl(7, NULL, 0);
1110
if(ret == -1){
1111
perror("klogctl");
1112
}
1113
}
1114
#endif /* __linux__ */
1115
goto end;
1116
}
1117
}
1118
/* sleep checking until interface is running */
1119
for(int i=0; i < delay * 4; i++){
1120
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1121
if(ret == -1){
1122
perror("ioctl SIOCGIFFLAGS");
1123
} else if(network.ifr_flags & IFF_RUNNING){
1124
break;
1125
}
1126
struct timespec sleeptime = { .tv_nsec = 250000000 };
1127
ret = nanosleep(&sleeptime, NULL);
1128
if(ret == -1 and errno != EINTR){
1129
perror("nanosleep");
1130
}
1131
}
1132
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1133
if(ret == -1){
1134
perror("close");
1135
}
1136
#ifdef __linux__
1137
if(restore_loglevel){
1138
/* Restores kernel loglevel to default */
1139
ret = klogctl(7, NULL, 0);
1140
if(ret == -1){
1141
perror("klogctl");
1142
}
1143
}
1144
#endif /* __linux__ */
1145
}
1146
1147
uid = getuid();
1148
gid = getgid();
1149
1150
errno = 0;
1151
setgid(gid);
1152
if(ret == -1){
1153
perror("setgid");
1154
}
1155
1156
ret = setuid(uid);
1157
if(ret == -1){
1158
perror("setuid");
1159
}
1160
1161
ret = init_gnutls_global(pubkey, seckey);
1162
if(ret == -1){
1163
fprintf(stderr, "init_gnutls_global failed\n");
1164
exitcode = EXIT_FAILURE;
1165
goto end;
1166
} else {
1167
gnutls_initialized = true;
1168
}
1169
1170
if(mkdtemp(tempdir) == NULL){
1171
perror("mkdtemp");
1172
goto end;
1173
}
1174
tempdir_created = true;
1175
1176
if(not init_gpgme(pubkey, seckey, tempdir)){
1177
fprintf(stderr, "init_gpgme failed\n");
1178
exitcode = EXIT_FAILURE;
1179
goto end;
1180
} else {
1181
gpgme_initialized = true;
1182
}
1183
1184
if(interface[0] != '\0'){
1185
if_index = (AvahiIfIndex) if_nametoindex(interface);
1186
if(if_index == 0){
1187
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1188
exitcode = EXIT_FAILURE;
1189
goto end;
1190
}
1191
}
1192
1193
if(connect_to != NULL){
1194
/* Connect directly, do not use Zeroconf */
1195
/* (Mainly meant for debugging) */
1196
char *address = strrchr(connect_to, ':');
1197
if(address == NULL){
1198
fprintf(stderr, "No colon in address\n");
1199
exitcode = EXIT_FAILURE;
1200
goto end;
1201
}
1202
uint16_t port;
1203
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1204
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1205
or address[numchars+1] != '\0'){
1206
fprintf(stderr, "Bad port number\n");
1207
exitcode = EXIT_FAILURE;
1208
goto end;
1209
}
1210
port = (uint16_t)tmpmax;
1211
*address = '\0';
1212
address = connect_to;
1213
/* Colon in address indicates IPv6 */
1214
int af;
1215
if(strchr(address, ':') != NULL){
1216
af = AF_INET6;
1217
} else {
1218
af = AF_INET;
1219
}
1220
ret = start_mandos_communication(address, port, if_index, af);
1221
if(ret < 0){
1222
exitcode = EXIT_FAILURE;
1223
} else {
1224
exitcode = EXIT_SUCCESS;
1225
}
1226
goto end;
1227
}
1228
1229
{
657
1230
AvahiServerConfig config;
658
AvahiSServiceBrowser *sb = NULL;
659
int error;
660
int ret;
661
int debug_int = 0;
662
int returncode = EXIT_SUCCESS;
663
const char *interface = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
665
char *connect_to = NULL;
666
667
debug_int = debug ? 1 : 0;
668
while (true){
669
static struct option long_options[] = {
670
{"debug", no_argument, &debug_int, 1},
671
{"connect", required_argument, NULL, 'C'},
672
{"interface", required_argument, NULL, 'i'},
673
{"keydir", required_argument, NULL, 'd'},
674
{"seckey", required_argument, NULL, 'c'},
675
{"pubkey", required_argument, NULL, 'k'},
676
{"dh-bits", required_argument, NULL, 'D'},
677
{0, 0, 0, 0} };
678
679
int option_index = 0;
680
ret = getopt_long (argc, argv, "i:", long_options,
681
&option_index);
682
683
if (ret == -1){
684
break;
685
}
686
687
switch(ret){
688
case 0:
689
break;
690
case 'i':
691
interface = optarg;
692
break;
693
case 'C':
694
connect_to = optarg;
695
break;
696
case 'd':
697
keydir = optarg;
698
break;
699
case 'c':
700
pubkeyfile = optarg;
701
break;
702
case 'k':
703
seckeyfile = optarg;
704
break;
705
case 'D':
706
dh_bits = atoi(optarg);
707
break;
708
case '?':
709
break
710
default:
711
exit(EXIT_FAILURE);
712
}
713
}
714
debug = debug_int ? true : false;
715
716
pubkeyfile = combinepath(keydir, pubkeyfile);
717
if (pubkeyfile == NULL){
718
perror("combinepath");
719
goto exit;
720
}
721
722
if(interface != NULL){
723
if_index = (AvahiIfIndex) if_nametoindex(interface);
724
if(if_index == 0){
725
fprintf(stderr, "No such interface: \"%s\"\n", interface);
726
exit(EXIT_FAILURE);
727
}
728
}
729
730
if(connect_to != NULL){
731
/* Connect directly, do not use Zeroconf */
732
/* (Mainly meant for debugging) */
733
char *address = strrchr(connect_to, ':');
734
if(address == NULL){
735
fprintf(stderr, "No colon in address\n");
736
exit(EXIT_FAILURE);
737
}
738
errno = 0;
739
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
740
if(errno){
741
perror("Bad port number");
742
exit(EXIT_FAILURE);
743
}
744
*address = '\0';
745
address = connect_to;
746
ret = start_mandos_communication(address, port, if_index);
747
if(ret < 0){
748
exit(EXIT_FAILURE);
749
} else {
750
exit(EXIT_SUCCESS);
751
}
752
}
753
754
seckeyfile = combinepath(keydir, seckeyfile);
755
if (seckeyfile == NULL){
756
perror("combinepath");
757
goto exit;
758
}
759
760
if (not debug){
761
avahi_set_log_function(empty_log);
762
}
763
764
/* Initialize the psuedo-RNG */
765
srand((unsigned int) time(NULL));
766
767
/* Allocate main loop object */
768
if (!(simple_poll = avahi_simple_poll_new())) {
769
fprintf(stderr, "Failed to create simple poll object.\n");
770
771
goto exit;
772
}
773
774
/* Do not publish any local records */
1231
/* Do not publish any local Zeroconf records */
775
1232
avahi_server_config_init(&config);
776
1233
config.publish_hinfo = 0;
777
1234
config.publish_addresses = 0;
778
1235
config.publish_workstation = 0;
779
1236
config.publish_domain = 0;
780
1237
781
1238
/* Allocate a new server */
782
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
783
&config, NULL, NULL, &error);
784
785
/* Free the configuration data */
1239
mc.server = avahi_server_new(avahi_simple_poll_get
1240
(mc.simple_poll), &config, NULL,
1241
NULL, &error);
1242
1243
/* Free the Avahi configuration data */
786
1244
avahi_server_config_free(&config);
787
788
/* Check if creating the server object succeeded */
789
if (!server) {
790
fprintf(stderr, "Failed to create server: %s\n",
791
avahi_strerror(error));
792
returncode = EXIT_FAILURE;
793
goto exit;
794
}
795
796
/* Create the service browser */
797
sb = avahi_s_service_browser_new(server, if_index,
798
AVAHI_PROTO_INET6,
799
"_mandos._tcp", NULL, 0,
800
browse_callback, server);
801
if (!sb) {
802
fprintf(stderr, "Failed to create service browser: %s\n",
803
avahi_strerror(avahi_server_errno(server)));
804
returncode = EXIT_FAILURE;
805
goto exit;
806
}
807
808
/* Run the main loop */
809
810
if (debug){
811
fprintf(stderr, "Starting avahi loop search\n");
812
}
813
814
avahi_simple_poll_loop(simple_poll);
815
816
exit:
817
818
if (debug){
819
fprintf(stderr, "%s exiting\n", argv[0]);
820
}
821
822
/* Cleanup things */
823
if (sb)
824
avahi_s_service_browser_free(sb);
825
826
if (server)
827
avahi_server_free(server);
828
829
if (simple_poll)
830
avahi_simple_poll_free(simple_poll);
831
free(pubkeyfile);
832
free(seckeyfile);
833
834
return returncode;
1245
}
1246
1247
/* Check if creating the Avahi server object succeeded */
1248
if(mc.server == NULL){
1249
fprintf(stderr, "Failed to create Avahi server: %s\n",
1250
avahi_strerror(error));
1251
exitcode = EXIT_FAILURE;
1252
goto end;
1253
}
1254
1255
/* Create the Avahi service browser */
1256
sb = avahi_s_service_browser_new(mc.server, if_index,
1257
AVAHI_PROTO_INET6, "_mandos._tcp",
1258
NULL, 0, browse_callback, NULL);
1259
if(sb == NULL){
1260
fprintf(stderr, "Failed to create service browser: %s\n",
1261
avahi_strerror(avahi_server_errno(mc.server)));
1262
exitcode = EXIT_FAILURE;
1263
goto end;
1264
}
1265
1266
/* Run the main loop */
1267
1268
if(debug){
1269
fprintf(stderr, "Starting Avahi loop search\n");
1270
}
1271
1272
avahi_simple_poll_loop(mc.simple_poll);
1273
1274
end:
1275
1276
if(debug){
1277
fprintf(stderr, "%s exiting\n", argv[0]);
1278
}
1279
1280
/* Cleanup things */
1281
if(sb != NULL)
1282
avahi_s_service_browser_free(sb);
1283
1284
if(mc.server != NULL)
1285
avahi_server_free(mc.server);
1286
1287
if(mc.simple_poll != NULL)
1288
avahi_simple_poll_free(mc.simple_poll);
1289
1290
if(gnutls_initialized){
1291
gnutls_certificate_free_credentials(mc.cred);
1292
gnutls_global_deinit();
1293
gnutls_dh_params_deinit(mc.dh_params);
1294
}
1295
1296
if(gpgme_initialized){
1297
gpgme_release(mc.ctx);
1298
}
1299
1300
/* Removes the temp directory used by GPGME */
1301
if(tempdir_created){
1302
DIR *d;
1303
struct dirent *direntry;
1304
d = opendir(tempdir);
1305
if(d == NULL){
1306
if(errno != ENOENT){
1307
perror("opendir");
1308
}
1309
} else {
1310
while(true){
1311
direntry = readdir(d);
1312
if(direntry == NULL){
1313
break;
1314
}
1315
/* Skip "." and ".." */
1316
if(direntry->d_name[0] == '.'
1317
and (direntry->d_name[1] == '\0'
1318
or (direntry->d_name[1] == '.'
1319
and direntry->d_name[2] == '\0'))){
1320
continue;
1321
}
1322
char *fullname = NULL;
1323
ret = asprintf(&fullname, "%s/%s", tempdir,
1324
direntry->d_name);
1325
if(ret < 0){
1326
perror("asprintf");
1327
continue;
1328
}
1329
ret = remove(fullname);
1330
if(ret == -1){
1331
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1332
strerror(errno));
1333
}
1334
free(fullname);
1335
}
1336
closedir(d);
1337
}
1338
ret = rmdir(tempdir);
1339
if(ret == -1 and errno != ENOENT){
1340
perror("rmdir");
1341
}
1342
}
1343
1344
return exitcode;
835
1345
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0