To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 311
- compare with another revision
- download diff
- download tarball
- view history from revision 311
- Committer: Teddy Hogeborn
- Date: 2009-02-12 18:56:52 UTC
- Revision ID: teddy@fukt.bsnet.se-20090212185652-ast00yprt2pe2l4p
Overflows are not detected by sscanf(), so stop using it:
* plugin-runner.c (main/parse_opt): Change from using "sscanf()" to
"strtoimax()".
* plugins.d/mandos-client.c (main/parse_opt, main): Change from using
"sscanf()" to
"strtoimax()" and
"strtof()".
* splashy.c (main): Change from using "sscanf()" to "strtoimax()".
* usplash.c (main): - '' -
* plugin-runner.c (main/parse_opt): Change from using "sscanf()" to
"strtoimax()".
* plugins.d/mandos-client.c (main/parse_opt, main): Change from using
"sscanf()" to
"strtoimax()" and
"strtof()".
* splashy.c (main): Change from using "sscanf()" to "strtoimax()".
* usplash.c (main): - '' -
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- mandos-clients.conf => clients.conf
- server.py => mandos
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
/***
2
This file is part of avahi.
3
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
8
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
13
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
17
USA.
18
***/
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
14
*
15
* This program is free software: you can redistribute it and/or
16
* modify it under the terms of the GNU General Public License as
17
* published by the Free Software Foundation, either version 3 of the
18
* License, or (at your option) any later version.
19
*
20
* This program is distributed in the hope that it will be useful, but
21
* WITHOUT ANY WARRANTY; without even the implied warranty of
22
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23
* General Public License for more details.
24
*
25
* You should have received a copy of the GNU General Public License
26
* along with this program. If not, see
27
* <http://www.gnu.org/licenses/>.
28
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
*/
19
31
32
/* Needed by GPGME, specifically gpgme_data_seek() */
20
33
#define _LARGEFILE_SOURCE
21
34
#define _FILE_OFFSET_BITS 64
22
35
23
#include <stdio.h>
24
#include <assert.h>
25
#include <stdlib.h>
26
#include <time.h>
27
#include <net/if.h> /* if_nametoindex */
28
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), remove() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand(), strtof() */
44
#include <stdbool.h> /* bool, false, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, uid_t, gid_t, open(),
51
opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
inet_pton(), connect() */
55
#include <fcntl.h> /* open() */
56
#include <dirent.h> /* opendir(), struct dirent, readdir()
57
*/
58
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
59
strtoimax() */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
86
/* Avahi */
87
/* All Avahi types, constants and functions
88
Avahi*, avahi_*,
89
AVAHI_* */
29
90
#include <avahi-core/core.h>
30
91
#include <avahi-core/lookup.h>
31
92
#include <avahi-core/log.h>
33
94
#include <avahi-common/malloc.h>
34
95
#include <avahi-common/error.h>
35
96
36
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
41
42
#include <unistd.h> /* close() */
43
#include <netinet/in.h>
44
#include <stdbool.h> /* true */
45
#include <string.h> /* memset */
46
#include <arpa/inet.h> /* inet_pton() */
47
#include <iso646.h> /* not */
48
49
// gpgme
50
#include <errno.h> /* perror() */
51
#include <gpgme.h>
52
53
// getopt long
54
#include <getopt.h>
55
56
#ifndef CERT_ROOT
57
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
58
#endif
59
#define CERTFILE CERT_ROOT "openpgp-client.txt"
60
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
97
/* GnuTLS */
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
99
functions:
100
gnutls_*
101
init_gnutls_session(),
102
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
106
107
/* GPGME */
108
#include <gpgme.h> /* All GPGME types, constants and
109
functions:
110
gpgme_*
111
GPGME_PROTOCOL_OpenPGP,
112
GPG_ERR_NO_* */
113
61
114
#define BUFFER_SIZE 256
62
#define DH_BITS 1024
115
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
63
119
64
120
bool debug = false;
65
char *interface = "eth0";
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
66
124
125
/* Used for passing in values through the Avahi callback functions */
67
126
typedef struct {
68
gnutls_session_t session;
127
AvahiSimplePoll *simple_poll;
128
AvahiServer *server;
69
129
gnutls_certificate_credentials_t cred;
130
unsigned int dh_bits;
70
131
gnutls_dh_params_t dh_params;
71
} encrypted_session;
72
73
74
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
75
gpgme_data_t dh_crypto, dh_plain;
132
const char *priority;
76
133
gpgme_ctx_t ctx;
134
} mandos_context;
135
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
140
141
/*
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
144
* "buffer_length" is how much is already used.
145
*/
146
size_t incbuffer(char **buffer, size_t buffer_length,
147
size_t buffer_capacity){
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
150
if(buffer == NULL){
151
return 0;
152
}
153
buffer_capacity += BUFFER_SIZE;
154
}
155
return buffer_capacity;
156
}
157
158
/*
159
* Initialize GPGME.
160
*/
161
static bool init_gpgme(const char *seckey,
162
const char *pubkey, const char *tempdir){
163
int ret;
77
164
gpgme_error_t rc;
78
ssize_t ret;
79
size_t new_packet_capacity = 0;
80
size_t new_packet_length = 0;
81
165
gpgme_engine_info_t engine_info;
82
83
if (debug){
84
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
166
167
168
/*
169
* Helper function to insert pub and seckey to the engine keyring.
170
*/
171
bool import_key(const char *filename){
172
int fd;
173
gpgme_data_t pgp_data;
174
175
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
176
if(fd == -1){
177
perror("open");
178
return false;
179
}
180
181
rc = gpgme_data_new_from_fd(&pgp_data, fd);
182
if(rc != GPG_ERR_NO_ERROR){
183
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
184
gpgme_strsource(rc), gpgme_strerror(rc));
185
return false;
186
}
187
188
rc = gpgme_op_import(mc.ctx, pgp_data);
189
if(rc != GPG_ERR_NO_ERROR){
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
191
gpgme_strsource(rc), gpgme_strerror(rc));
192
return false;
193
}
194
195
ret = (int)TEMP_FAILURE_RETRY(close(fd));
196
if(ret == -1){
197
perror("close");
198
}
199
gpgme_data_release(pgp_data);
200
return true;
201
}
202
203
if(debug){
204
fprintf(stderr, "Initializing GPGME\n");
85
205
}
86
206
87
207
/* Init GPGME */
88
208
gpgme_check_version(NULL);
89
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
209
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
210
if(rc != GPG_ERR_NO_ERROR){
211
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
212
gpgme_strsource(rc), gpgme_strerror(rc));
213
return false;
214
}
90
215
91
/* Set GPGME home directory */
92
rc = gpgme_get_engine_info (&engine_info);
93
if (rc != GPG_ERR_NO_ERROR){
216
/* Set GPGME home directory for the OpenPGP engine only */
217
rc = gpgme_get_engine_info(&engine_info);
218
if(rc != GPG_ERR_NO_ERROR){
94
219
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
95
220
gpgme_strsource(rc), gpgme_strerror(rc));
96
return -1;
221
return false;
97
222
}
98
223
while(engine_info != NULL){
99
224
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
100
225
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
101
engine_info->file_name, homedir);
226
engine_info->file_name, tempdir);
102
227
break;
103
228
}
104
229
engine_info = engine_info->next;
105
230
}
106
231
if(engine_info == NULL){
107
fprintf(stderr, "Could not set home dir to %s\n", homedir);
108
return -1;
109
}
110
111
/* Create new GPGME data buffer from packet buffer */
112
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
113
if (rc != GPG_ERR_NO_ERROR){
232
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
233
return false;
234
}
235
236
/* Create new GPGME "context" */
237
rc = gpgme_new(&(mc.ctx));
238
if(rc != GPG_ERR_NO_ERROR){
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
240
gpgme_strsource(rc), gpgme_strerror(rc));
241
return false;
242
}
243
244
if(not import_key(pubkey) or not import_key(seckey)){
245
return false;
246
}
247
248
return true;
249
}
250
251
/*
252
* Decrypt OpenPGP data.
253
* Returns -1 on error
254
*/
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
256
size_t crypto_size,
257
char **plaintext){
258
gpgme_data_t dh_crypto, dh_plain;
259
gpgme_error_t rc;
260
ssize_t ret;
261
size_t plaintext_capacity = 0;
262
ssize_t plaintext_length = 0;
263
264
if(debug){
265
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
266
}
267
268
/* Create new GPGME data buffer from memory cryptotext */
269
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
270
0);
271
if(rc != GPG_ERR_NO_ERROR){
114
272
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
115
273
gpgme_strsource(rc), gpgme_strerror(rc));
116
274
return -1;
118
276
119
277
/* Create new empty GPGME data buffer for the plaintext */
120
278
rc = gpgme_data_new(&dh_plain);
121
if (rc != GPG_ERR_NO_ERROR){
279
if(rc != GPG_ERR_NO_ERROR){
122
280
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
123
281
gpgme_strsource(rc), gpgme_strerror(rc));
124
return -1;
125
}
126
127
/* Create new GPGME "context" */
128
rc = gpgme_new(&ctx);
129
if (rc != GPG_ERR_NO_ERROR){
130
fprintf(stderr, "bad gpgme_new: %s: %s\n",
131
gpgme_strsource(rc), gpgme_strerror(rc));
132
return -1;
133
}
134
135
/* Decrypt data from the FILE pointer to the plaintext data buffer */
136
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
137
if (rc != GPG_ERR_NO_ERROR){
282
gpgme_data_release(dh_crypto);
283
return -1;
284
}
285
286
/* Decrypt data from the cryptotext data buffer to the plaintext
287
data buffer */
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
289
if(rc != GPG_ERR_NO_ERROR){
138
290
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
139
291
gpgme_strsource(rc), gpgme_strerror(rc));
140
return -1;
292
plaintext_length = -1;
293
if(debug){
294
gpgme_decrypt_result_t result;
295
result = gpgme_op_decrypt_result(mc.ctx);
296
if(result == NULL){
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
298
} else {
299
fprintf(stderr, "Unsupported algorithm: %s\n",
300
result->unsupported_algorithm);
301
fprintf(stderr, "Wrong key usage: %u\n",
302
result->wrong_key_usage);
303
if(result->file_name != NULL){
304
fprintf(stderr, "File name: %s\n", result->file_name);
305
}
306
gpgme_recipient_t recipient;
307
recipient = result->recipients;
308
if(recipient){
309
while(recipient != NULL){
310
fprintf(stderr, "Public key algorithm: %s\n",
311
gpgme_pubkey_algo_name(recipient->pubkey_algo));
312
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
313
fprintf(stderr, "Secret key available: %s\n",
314
recipient->status == GPG_ERR_NO_SECKEY
315
? "No" : "Yes");
316
recipient = recipient->next;
317
}
318
}
319
}
320
}
321
goto decrypt_end;
141
322
}
142
323
143
324
if(debug){
144
fprintf(stderr, "decryption of gpg packet succeeded\n");
145
}
146
147
if (debug){
148
gpgme_decrypt_result_t result;
149
result = gpgme_op_decrypt_result(ctx);
150
if (result == NULL){
151
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
152
} else {
153
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
154
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
155
if(result->file_name != NULL){
156
fprintf(stderr, "File name: %s\n", result->file_name);
157
}
158
gpgme_recipient_t recipient;
159
recipient = result->recipients;
160
if(recipient){
161
while(recipient != NULL){
162
fprintf(stderr, "Public key algorithm: %s\n",
163
gpgme_pubkey_algo_name(recipient->pubkey_algo));
164
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
165
fprintf(stderr, "Secret key available: %s\n",
166
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
167
recipient = recipient->next;
168
}
169
}
170
}
171
}
172
173
/* Delete the GPGME FILE pointer cryptotext data buffer */
174
gpgme_data_release(dh_crypto);
325
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
326
}
175
327
176
328
/* Seek back to the beginning of the GPGME plaintext data buffer */
177
gpgme_data_seek(dh_plain, 0, SEEK_SET);
178
179
*new_packet = 0;
329
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
330
perror("gpgme_data_seek");
331
plaintext_length = -1;
332
goto decrypt_end;
333
}
334
335
*plaintext = NULL;
180
336
while(true){
181
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
182
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
183
if (*new_packet == NULL){
184
perror("realloc");
185
return -1;
186
}
187
new_packet_capacity += BUFFER_SIZE;
337
plaintext_capacity = incbuffer(plaintext,
338
(size_t)plaintext_length,
339
plaintext_capacity);
340
if(plaintext_capacity == 0){
341
perror("incbuffer");
342
plaintext_length = -1;
343
goto decrypt_end;
188
344
}
189
345
190
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
346
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
347
BUFFER_SIZE);
191
348
/* Print the data, if any */
192
if (ret == 0){
193
/* If password is empty, then a incorrect error will be printed */
349
if(ret == 0){
350
/* EOF */
194
351
break;
195
352
}
196
353
if(ret < 0){
197
354
perror("gpgme_data_read");
198
return -1;
199
}
200
new_packet_length += ret;
201
}
202
203
/* FIXME: check characters before printing to screen so to not print
204
terminal control characters */
205
/* if(debug){ */
206
/* fprintf(stderr, "decrypted password is: "); */
207
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
208
/* fprintf(stderr, "\n"); */
209
/* } */
355
plaintext_length = -1;
356
goto decrypt_end;
357
}
358
plaintext_length += ret;
359
}
360
361
if(debug){
362
fprintf(stderr, "Decrypted password is: ");
363
for(ssize_t i = 0; i < plaintext_length; i++){
364
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
365
}
366
fprintf(stderr, "\n");
367
}
368
369
decrypt_end:
370
371
/* Delete the GPGME cryptotext data buffer */
372
gpgme_data_release(dh_crypto);
210
373
211
374
/* Delete the GPGME plaintext data buffer */
212
375
gpgme_data_release(dh_plain);
213
return new_packet_length;
376
return plaintext_length;
214
377
}
215
378
216
static const char * safer_gnutls_strerror (int value) {
217
const char *ret = gnutls_strerror (value);
218
if (ret == NULL)
379
static const char * safer_gnutls_strerror(int value){
380
const char *ret = gnutls_strerror(value); /* Spurious warning from
381
-Wunreachable-code */
382
if(ret == NULL)
219
383
ret = "(unknown)";
220
384
return ret;
221
385
}
222
386
223
void debuggnutls(int level, const char* string){
224
fprintf(stderr, "%s", string);
387
/* GnuTLS log function callback */
388
static void debuggnutls(__attribute__((unused)) int level,
389
const char* string){
390
fprintf(stderr, "GnuTLS: %s", string);
225
391
}
226
392
227
int initgnutls(encrypted_session *es){
228
const char *err;
393
static int init_gnutls_global(const char *pubkeyfilename,
394
const char *seckeyfilename){
229
395
int ret;
230
396
231
397
if(debug){
232
fprintf(stderr, "Initializing gnutls\n");
398
fprintf(stderr, "Initializing GnuTLS\n");
233
399
}
234
235
400
236
if ((ret = gnutls_global_init ())
237
!= GNUTLS_E_SUCCESS) {
238
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
401
ret = gnutls_global_init();
402
if(ret != GNUTLS_E_SUCCESS){
403
fprintf(stderr, "GnuTLS global_init: %s\n",
404
safer_gnutls_strerror(ret));
239
405
return -1;
240
406
}
241
242
if (debug){
407
408
if(debug){
409
/* "Use a log level over 10 to enable all debugging options."
410
* - GnuTLS manual
411
*/
243
412
gnutls_global_set_log_level(11);
244
413
gnutls_global_set_log_function(debuggnutls);
245
414
}
246
415
247
248
/* openpgp credentials */
249
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
250
!= GNUTLS_E_SUCCESS) {
251
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
416
/* OpenPGP credentials */
417
gnutls_certificate_allocate_credentials(&mc.cred);
418
if(ret != GNUTLS_E_SUCCESS){
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
420
from
421
-Wunreachable-code
422
*/
423
safer_gnutls_strerror(ret));
424
gnutls_global_deinit();
252
425
return -1;
253
426
}
254
427
255
428
if(debug){
256
fprintf(stderr, "Attempting to use openpgp certificate %s"
257
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
429
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
430
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
431
seckeyfilename);
258
432
}
259
433
260
434
ret = gnutls_certificate_set_openpgp_key_file
261
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
262
if (ret != GNUTLS_E_SUCCESS) {
263
fprintf
264
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
265
ret, CERTFILE, KEYFILE);
266
fprintf(stdout, "The Error is: %s\n",
267
safer_gnutls_strerror(ret));
268
return -1;
269
}
270
271
//Gnutls server initialization
272
if ((ret = gnutls_dh_params_init (&es->dh_params))
273
!= GNUTLS_E_SUCCESS) {
274
fprintf (stderr, "Error in dh parameter initialization: %s\n",
275
safer_gnutls_strerror(ret));
276
return -1;
277
}
278
279
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "Error in prime generation: %s\n",
282
safer_gnutls_strerror(ret));
283
return -1;
284
}
285
286
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
287
288
// Gnutls session creation
289
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
290
!= GNUTLS_E_SUCCESS){
291
fprintf(stderr, "Error in gnutls session initialization: %s\n",
292
safer_gnutls_strerror(ret));
293
}
294
295
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
296
!= GNUTLS_E_SUCCESS) {
297
fprintf(stderr, "Syntax error at: %s\n", err);
298
fprintf(stderr, "Gnutls error: %s\n",
299
safer_gnutls_strerror(ret));
300
return -1;
301
}
302
303
if ((ret = gnutls_credentials_set
304
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf(stderr, "Error setting a credentials set: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
435
(mc.cred, pubkeyfilename, seckeyfilename,
436
GNUTLS_OPENPGP_FMT_BASE64);
437
if(ret != GNUTLS_E_SUCCESS){
438
fprintf(stderr,
439
"Error[%d] while reading the OpenPGP key pair ('%s',"
440
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
441
fprintf(stderr, "The GnuTLS error is: %s\n",
442
safer_gnutls_strerror(ret));
443
goto globalfail;
444
}
445
446
/* GnuTLS server initialization */
447
ret = gnutls_dh_params_init(&mc.dh_params);
448
if(ret != GNUTLS_E_SUCCESS){
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
450
" %s\n", safer_gnutls_strerror(ret));
451
goto globalfail;
452
}
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
454
if(ret != GNUTLS_E_SUCCESS){
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
456
safer_gnutls_strerror(ret));
457
goto globalfail;
458
}
459
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
461
462
return 0;
463
464
globalfail:
465
466
gnutls_certificate_free_credentials(mc.cred);
467
gnutls_global_deinit();
468
gnutls_dh_params_deinit(mc.dh_params);
469
return -1;
470
}
471
472
static int init_gnutls_session(gnutls_session_t *session){
473
int ret;
474
/* GnuTLS session creation */
475
ret = gnutls_init(session, GNUTLS_SERVER);
476
if(ret != GNUTLS_E_SUCCESS){
477
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
478
safer_gnutls_strerror(ret));
479
}
480
481
{
482
const char *err;
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
484
if(ret != GNUTLS_E_SUCCESS){
485
fprintf(stderr, "Syntax error at: %s\n", err);
486
fprintf(stderr, "GnuTLS error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
489
return -1;
490
}
491
}
492
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
494
mc.cred);
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
497
safer_gnutls_strerror(ret));
498
gnutls_deinit(*session);
499
return -1;
500
}
501
311
502
/* ignore client certificate if any. */
312
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
503
gnutls_certificate_server_set_request(*session,
504
GNUTLS_CERT_IGNORE);
313
505
314
gnutls_dh_set_prime_bits (es->session, DH_BITS);
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
315
507
316
508
return 0;
317
509
}
318
510
319
void empty_log(AvahiLogLevel level, const char *txt){}
511
/* Avahi log function callback */
512
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
513
__attribute__((unused)) const char *txt){}
320
514
321
int start_mandos_communication(char *ip, uint16_t port){
515
/* Called when a Mandos server is found */
516
static int start_mandos_communication(const char *ip, uint16_t port,
517
AvahiIfIndex if_index,
518
int af){
322
519
int ret, tcp_sd;
323
struct sockaddr_in6 to;
324
encrypted_session es;
520
ssize_t sret;
521
union {
522
struct sockaddr_in in;
523
struct sockaddr_in6 in6;
524
} to;
325
525
char *buffer = NULL;
326
526
char *decrypted_buffer;
327
527
size_t buffer_length = 0;
328
528
size_t buffer_capacity = 0;
329
529
ssize_t decrypted_buffer_size;
530
size_t written;
330
531
int retval = 0;
331
532
gnutls_session_t session;
533
int pf; /* Protocol family */
534
535
switch(af){
536
case AF_INET6:
537
pf = PF_INET6;
538
break;
539
case AF_INET:
540
pf = PF_INET;
541
break;
542
default:
543
fprintf(stderr, "Bad address family: %d\n", af);
544
return -1;
545
}
546
547
ret = init_gnutls_session(&session);
548
if(ret != 0){
549
return -1;
550
}
551
332
552
if(debug){
333
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
553
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
554
"\n", ip, port);
334
555
}
335
556
336
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
337
if(tcp_sd < 0) {
557
tcp_sd = socket(pf, SOCK_STREAM, 0);
558
if(tcp_sd < 0){
338
559
perror("socket");
339
560
return -1;
340
561
}
341
342
if(debug){
343
fprintf(stderr, "Binding to interface %s\n", interface);
344
}
345
346
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
347
if(tcp_sd < 0) {
348
perror("setsockopt bindtodevice");
349
return -1;
350
}
351
562
352
memset(&to,0,sizeof(to));
353
to.sin6_family = AF_INET6;
354
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
355
if (ret < 0 ){
563
memset(&to, 0, sizeof(to));
564
if(af == AF_INET6){
565
to.in6.sin6_family = (uint16_t)af;
566
ret = inet_pton(af, ip, &to.in6.sin6_addr);
567
} else { /* IPv4 */
568
to.in.sin_family = (sa_family_t)af;
569
ret = inet_pton(af, ip, &to.in.sin_addr);
570
}
571
if(ret < 0 ){
356
572
perror("inet_pton");
357
573
return -1;
358
}
574
}
359
575
if(ret == 0){
360
576
fprintf(stderr, "Bad address: %s\n", ip);
361
577
return -1;
362
578
}
363
to.sin6_port = htons(port);
364
to.sin6_scope_id = if_nametoindex(interface);
365
579
if(af == AF_INET6){
580
to.in6.sin6_port = htons(port); /* Spurious warnings from
581
-Wconversion and
582
-Wunreachable-code */
583
584
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
585
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
586
-Wunreachable-code*/
587
if(if_index == AVAHI_IF_UNSPEC){
588
fprintf(stderr, "An IPv6 link-local address is incomplete"
589
" without a network interface\n");
590
return -1;
591
}
592
/* Set the network interface number as scope */
593
to.in6.sin6_scope_id = (uint32_t)if_index;
594
}
595
} else {
596
to.in.sin_port = htons(port); /* Spurious warnings from
597
-Wconversion and
598
-Wunreachable-code */
599
}
600
366
601
if(debug){
367
fprintf(stderr, "Connection to: %s\n", ip);
602
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
603
char interface[IF_NAMESIZE];
604
if(if_indextoname((unsigned int)if_index, interface) == NULL){
605
perror("if_indextoname");
606
} else {
607
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
608
ip, interface, port);
609
}
610
} else {
611
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
612
port);
613
}
614
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
615
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
616
const char *pcret;
617
if(af == AF_INET6){
618
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
619
sizeof(addrstr));
620
} else {
621
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
622
sizeof(addrstr));
623
}
624
if(pcret == NULL){
625
perror("inet_ntop");
626
} else {
627
if(strcmp(addrstr, ip) != 0){
628
fprintf(stderr, "Canonical address form: %s\n", addrstr);
629
}
630
}
368
631
}
369
632
370
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
371
if (ret < 0){
633
if(af == AF_INET6){
634
ret = connect(tcp_sd, &to.in6, sizeof(to));
635
} else {
636
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
637
}
638
if(ret < 0){
372
639
perror("connect");
373
640
return -1;
374
641
}
375
642
376
ret = initgnutls (&es);
377
if (ret != 0){
378
retval = -1;
379
return -1;
380
}
381
382
383
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
384
385
if(debug){
386
fprintf(stderr, "Establishing tls session with %s\n", ip);
387
}
388
389
390
ret = gnutls_handshake (es.session);
391
392
if (ret != GNUTLS_E_SUCCESS){
393
fprintf(stderr, "\n*** Handshake failed ***\n");
394
gnutls_perror (ret);
395
retval = -1;
396
goto exit;
397
}
398
399
//Retrieve gpg packet that contains the wanted password
400
401
if(debug){
402
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
403
}
404
643
const char *out = mandos_protocol_version;
644
written = 0;
405
645
while(true){
406
if (buffer_length + BUFFER_SIZE > buffer_capacity){
407
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
408
if (buffer == NULL){
409
perror("realloc");
410
goto exit;
646
size_t out_size = strlen(out);
647
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
648
out_size - written));
649
if(ret == -1){
650
perror("write");
651
retval = -1;
652
goto mandos_end;
653
}
654
written += (size_t)ret;
655
if(written < out_size){
656
continue;
657
} else {
658
if(out == mandos_protocol_version){
659
written = 0;
660
out = "\r\n";
661
} else {
662
break;
411
663
}
412
buffer_capacity += BUFFER_SIZE;
664
}
665
}
666
667
if(debug){
668
fprintf(stderr, "Establishing TLS session with %s\n", ip);
669
}
670
671
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
672
673
do{
674
ret = gnutls_handshake(session);
675
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
676
677
if(ret != GNUTLS_E_SUCCESS){
678
if(debug){
679
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
680
gnutls_perror(ret);
681
}
682
retval = -1;
683
goto mandos_end;
684
}
685
686
/* Read OpenPGP packet that contains the wanted password */
687
688
if(debug){
689
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
690
ip);
691
}
692
693
while(true){
694
buffer_capacity = incbuffer(&buffer, buffer_length,
695
buffer_capacity);
696
if(buffer_capacity == 0){
697
perror("incbuffer");
698
retval = -1;
699
goto mandos_end;
413
700
}
414
701
415
ret = gnutls_record_recv
416
(es.session, buffer+buffer_length, BUFFER_SIZE);
417
if (ret == 0){
702
sret = gnutls_record_recv(session, buffer+buffer_length,
703
BUFFER_SIZE);
704
if(sret == 0){
418
705
break;
419
706
}
420
if (ret < 0){
421
switch(ret){
707
if(sret < 0){
708
switch(sret){
422
709
case GNUTLS_E_INTERRUPTED:
423
710
case GNUTLS_E_AGAIN:
424
711
break;
425
712
case GNUTLS_E_REHANDSHAKE:
426
ret = gnutls_handshake (es.session);
427
if (ret < 0){
428
fprintf(stderr, "\n*** Handshake failed ***\n");
429
gnutls_perror (ret);
713
do{
714
ret = gnutls_handshake(session);
715
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
716
if(ret < 0){
717
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
718
gnutls_perror(ret);
430
719
retval = -1;
431
goto exit;
720
goto mandos_end;
432
721
}
433
722
break;
434
723
default:
435
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
724
fprintf(stderr, "Unknown error while reading data from"
725
" encrypted session with Mandos server\n");
436
726
retval = -1;
437
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
438
goto exit;
727
gnutls_bye(session, GNUTLS_SHUT_RDWR);
728
goto mandos_end;
439
729
}
440
730
} else {
441
buffer_length += ret;
731
buffer_length += (size_t) sret;
442
732
}
443
733
}
444
734
445
if (buffer_length > 0){
446
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
447
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
735
if(debug){
736
fprintf(stderr, "Closing TLS session\n");
737
}
738
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
740
741
if(buffer_length > 0){
742
decrypted_buffer_size = pgp_packet_decrypt(buffer,
743
buffer_length,
744
&decrypted_buffer);
745
if(decrypted_buffer_size >= 0){
746
written = 0;
747
while(written < (size_t) decrypted_buffer_size){
748
ret = (int)fwrite(decrypted_buffer + written, 1,
749
(size_t)decrypted_buffer_size - written,
750
stdout);
751
if(ret == 0 and ferror(stdout)){
752
if(debug){
753
fprintf(stderr, "Error writing encrypted data: %s\n",
754
strerror(errno));
755
}
756
retval = -1;
757
break;
758
}
759
written += (size_t)ret;
760
}
448
761
free(decrypted_buffer);
449
762
} else {
450
763
retval = -1;
451
764
}
452
}
453
454
//shutdown procedure
455
456
if(debug){
457
fprintf(stderr, "Closing tls session\n");
458
}
459
765
} else {
766
retval = -1;
767
}
768
769
/* Shutdown procedure */
770
771
mandos_end:
460
772
free(buffer);
461
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
462
exit:
463
close(tcp_sd);
464
gnutls_deinit (es.session);
465
gnutls_certificate_free_credentials (es.cred);
466
gnutls_global_deinit ();
773
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
774
if(ret == -1){
775
perror("close");
776
}
777
gnutls_deinit(session);
467
778
return retval;
468
779
}
469
780
470
static AvahiSimplePoll *simple_poll = NULL;
471
static AvahiServer *server = NULL;
472
473
static void resolve_callback(
474
AvahiSServiceResolver *r,
475
AVAHI_GCC_UNUSED AvahiIfIndex interface,
476
AVAHI_GCC_UNUSED AvahiProtocol protocol,
477
AvahiResolverEvent event,
478
const char *name,
479
const char *type,
480
const char *domain,
481
const char *host_name,
482
const AvahiAddress *address,
483
uint16_t port,
484
AvahiStringList *txt,
485
AvahiLookupResultFlags flags,
486
AVAHI_GCC_UNUSED void* userdata) {
487
488
assert(r);
489
490
/* Called whenever a service has been resolved successfully or timed out */
491
492
switch (event) {
493
case AVAHI_RESOLVER_FAILURE:
494
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
495
break;
496
497
case AVAHI_RESOLVER_FOUND: {
498
char ip[AVAHI_ADDRESS_STR_MAX];
499
avahi_address_snprint(ip, sizeof(ip), address);
500
if(debug){
501
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
502
}
503
int ret = start_mandos_communication(ip, port);
504
if (ret == 0){
505
exit(EXIT_SUCCESS);
506
} else {
507
exit(EXIT_FAILURE);
508
}
509
}
510
}
511
avahi_s_service_resolver_free(r);
512
}
513
514
static void browse_callback(
515
AvahiSServiceBrowser *b,
516
AvahiIfIndex interface,
517
AvahiProtocol protocol,
518
AvahiBrowserEvent event,
519
const char *name,
520
const char *type,
521
const char *domain,
522
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
523
void* userdata) {
524
525
AvahiServer *s = userdata;
526
assert(b);
527
528
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
529
530
switch (event) {
531
532
case AVAHI_BROWSER_FAILURE:
533
534
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
535
avahi_simple_poll_quit(simple_poll);
536
return;
537
538
case AVAHI_BROWSER_NEW:
539
/* We ignore the returned resolver object. In the callback
540
function we free it. If the server is terminated before
541
the callback function is called the server will free
542
the resolver for us. */
543
544
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
545
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
546
547
break;
548
549
case AVAHI_BROWSER_REMOVE:
550
break;
551
552
case AVAHI_BROWSER_ALL_FOR_NOW:
553
case AVAHI_BROWSER_CACHE_EXHAUSTED:
554
break;
555
}
556
}
557
558
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
781
static void resolve_callback(AvahiSServiceResolver *r,
782
AvahiIfIndex interface,
783
AvahiProtocol proto,
784
AvahiResolverEvent event,
785
const char *name,
786
const char *type,
787
const char *domain,
788
const char *host_name,
789
const AvahiAddress *address,
790
uint16_t port,
791
AVAHI_GCC_UNUSED AvahiStringList *txt,
792
AVAHI_GCC_UNUSED AvahiLookupResultFlags
793
flags,
794
AVAHI_GCC_UNUSED void* userdata){
795
assert(r);
796
797
/* Called whenever a service has been resolved successfully or
798
timed out */
799
800
switch(event){
801
default:
802
case AVAHI_RESOLVER_FAILURE:
803
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
804
" of type '%s' in domain '%s': %s\n", name, type, domain,
805
avahi_strerror(avahi_server_errno(mc.server)));
806
break;
807
808
case AVAHI_RESOLVER_FOUND:
809
{
810
char ip[AVAHI_ADDRESS_STR_MAX];
811
avahi_address_snprint(ip, sizeof(ip), address);
812
if(debug){
813
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
815
ip, (intmax_t)interface, port);
816
}
817
int ret = start_mandos_communication(ip, port, interface,
818
avahi_proto_to_af(proto));
819
if(ret == 0){
820
avahi_simple_poll_quit(mc.simple_poll);
821
}
822
}
823
}
824
avahi_s_service_resolver_free(r);
825
}
826
827
static void browse_callback(AvahiSServiceBrowser *b,
828
AvahiIfIndex interface,
829
AvahiProtocol protocol,
830
AvahiBrowserEvent event,
831
const char *name,
832
const char *type,
833
const char *domain,
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
835
flags,
836
AVAHI_GCC_UNUSED void* userdata){
837
assert(b);
838
839
/* Called whenever a new services becomes available on the LAN or
840
is removed from the LAN */
841
842
switch(event){
843
default:
844
case AVAHI_BROWSER_FAILURE:
845
846
fprintf(stderr, "(Avahi browser) %s\n",
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
849
return;
850
851
case AVAHI_BROWSER_NEW:
852
/* We ignore the returned Avahi resolver object. In the callback
853
function we free it. If the Avahi server is terminated before
854
the callback function is called the Avahi server will free the
855
resolver for us. */
856
857
if(!(avahi_s_service_resolver_new(mc.server, interface,
858
protocol, name, type, domain,
859
AVAHI_PROTO_INET6, 0,
860
resolve_callback, NULL)))
861
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
862
name, avahi_strerror(avahi_server_errno(mc.server)));
863
break;
864
865
case AVAHI_BROWSER_REMOVE:
866
break;
867
868
case AVAHI_BROWSER_ALL_FOR_NOW:
869
case AVAHI_BROWSER_CACHE_EXHAUSTED:
870
if(debug){
871
fprintf(stderr, "No Mandos server found, still searching...\n");
872
}
873
break;
874
}
875
}
876
877
sig_atomic_t quit_now = 0;
878
879
/* stop main loop after sigterm has been called */
880
static void handle_sigterm(__attribute__((unused)) int sig){
881
if(quit_now){
882
return;
883
}
884
quit_now = 1;
885
int old_errno = errno;
886
if(mc.simple_poll != NULL){
887
avahi_simple_poll_quit(mc.simple_poll);
888
}
889
errno = old_errno;
890
}
891
892
int main(int argc, char *argv[]){
893
AvahiSServiceBrowser *sb = NULL;
894
int error;
895
int ret;
896
intmax_t tmpmax;
897
char *tmp;
898
int exitcode = EXIT_SUCCESS;
899
const char *interface = "eth0";
900
struct ifreq network;
901
int sd;
902
uid_t uid;
903
gid_t gid;
904
char *connect_to = NULL;
905
char tempdir[] = "/tmp/mandosXXXXXX";
906
bool tempdir_created = false;
907
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
908
const char *seckey = PATHDIR "/" SECKEY;
909
const char *pubkey = PATHDIR "/" PUBKEY;
910
911
/* Initialize Mandos context */
912
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
913
.dh_bits = 1024, .priority = "SECURE256"
914
":!CTYPE-X.509:+CTYPE-OPENPGP" };
915
bool gnutls_initialized = false;
916
bool gpgme_initialized = false;
917
float delay = 2.5f;
918
919
struct sigaction old_sigterm_action;
920
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
921
922
{
923
struct argp_option options[] = {
924
{ .name = "debug", .key = 128,
925
.doc = "Debug mode", .group = 3 },
926
{ .name = "connect", .key = 'c',
927
.arg = "ADDRESS:PORT",
928
.doc = "Connect directly to a specific Mandos server",
929
.group = 1 },
930
{ .name = "interface", .key = 'i',
931
.arg = "NAME",
932
.doc = "Network interface that will be used to search for"
933
" Mandos servers",
934
.group = 1 },
935
{ .name = "seckey", .key = 's',
936
.arg = "FILE",
937
.doc = "OpenPGP secret key file base name",
938
.group = 1 },
939
{ .name = "pubkey", .key = 'p',
940
.arg = "FILE",
941
.doc = "OpenPGP public key file base name",
942
.group = 2 },
943
{ .name = "dh-bits", .key = 129,
944
.arg = "BITS",
945
.doc = "Bit length of the prime number used in the"
946
" Diffie-Hellman key exchange",
947
.group = 2 },
948
{ .name = "priority", .key = 130,
949
.arg = "STRING",
950
.doc = "GnuTLS priority string for the TLS handshake",
951
.group = 1 },
952
{ .name = "delay", .key = 131,
953
.arg = "SECONDS",
954
.doc = "Maximum delay to wait for interface startup",
955
.group = 2 },
956
{ .name = NULL }
957
};
958
959
error_t parse_opt(int key, char *arg,
960
struct argp_state *state){
961
switch(key){
962
case 128: /* --debug */
963
debug = true;
964
break;
965
case 'c': /* --connect */
966
connect_to = arg;
967
break;
968
case 'i': /* --interface */
969
interface = arg;
970
break;
971
case 's': /* --seckey */
972
seckey = arg;
973
break;
974
case 'p': /* --pubkey */
975
pubkey = arg;
976
break;
977
case 129: /* --dh-bits */
978
errno = 0;
979
tmpmax = strtoimax(arg, &tmp, 10);
980
if(errno != 0 or tmp == arg or *tmp != '\0'
981
or tmpmax != (typeof(mc.dh_bits))tmpmax){
982
fprintf(stderr, "Bad number of DH bits\n");
983
exit(EXIT_FAILURE);
984
}
985
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
986
break;
987
case 130: /* --priority */
988
mc.priority = arg;
989
break;
990
case 131: /* --delay */
991
errno = 0;
992
delay = strtof(arg, &tmp);
993
if(errno != 0 or tmp == arg or *tmp != '\0'){
994
fprintf(stderr, "Bad delay\n");
995
exit(EXIT_FAILURE);
996
}
997
break;
998
case ARGP_KEY_ARG:
999
argp_usage(state);
1000
case ARGP_KEY_END:
1001
break;
1002
default:
1003
return ARGP_ERR_UNKNOWN;
1004
}
1005
return 0;
1006
}
1007
1008
struct argp argp = { .options = options, .parser = parse_opt,
1009
.args_doc = "",
1010
.doc = "Mandos client -- Get and decrypt"
1011
" passwords from a Mandos server" };
1012
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1013
if(ret == ARGP_ERR_UNKNOWN){
1014
fprintf(stderr, "Unknown error while parsing arguments\n");
1015
exitcode = EXIT_FAILURE;
1016
goto end;
1017
}
1018
}
1019
1020
if(not debug){
1021
avahi_set_log_function(empty_log);
1022
}
1023
1024
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1025
from the signal handler */
1026
/* Initialize the pseudo-RNG for Avahi */
1027
srand((unsigned int) time(NULL));
1028
mc.simple_poll = avahi_simple_poll_new();
1029
if(mc.simple_poll == NULL){
1030
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1031
exitcode = EXIT_FAILURE;
1032
goto end;
1033
}
1034
1035
sigemptyset(&sigterm_action.sa_mask);
1036
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1037
if(ret == -1){
1038
perror("sigaddset");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
}
1042
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1043
if(ret == -1){
1044
perror("sigaddset");
1045
exitcode = EXIT_FAILURE;
1046
goto end;
1047
}
1048
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1049
if(ret == -1){
1050
perror("sigaddset");
1051
exitcode = EXIT_FAILURE;
1052
goto end;
1053
}
1054
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1055
if(ret == -1){
1056
perror("sigaction");
1057
exitcode = EXIT_FAILURE;
1058
goto end;
1059
}
1060
1061
/* If the interface is down, bring it up */
1062
if(interface[0] != '\0'){
1063
#ifdef __linux__
1064
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1065
messages to mess up the prompt */
1066
ret = klogctl(8, NULL, 5);
1067
bool restore_loglevel = true;
1068
if(ret == -1){
1069
restore_loglevel = false;
1070
perror("klogctl");
1071
}
1072
#endif /* __linux__ */
1073
1074
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1075
if(sd < 0){
1076
perror("socket");
1077
exitcode = EXIT_FAILURE;
1078
#ifdef __linux__
1079
if(restore_loglevel){
1080
ret = klogctl(7, NULL, 0);
1081
if(ret == -1){
1082
perror("klogctl");
1083
}
1084
}
1085
#endif /* __linux__ */
1086
goto end;
1087
}
1088
strcpy(network.ifr_name, interface);
1089
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1090
if(ret == -1){
1091
perror("ioctl SIOCGIFFLAGS");
1092
#ifdef __linux__
1093
if(restore_loglevel){
1094
ret = klogctl(7, NULL, 0);
1095
if(ret == -1){
1096
perror("klogctl");
1097
}
1098
}
1099
#endif /* __linux__ */
1100
exitcode = EXIT_FAILURE;
1101
goto end;
1102
}
1103
if((network.ifr_flags & IFF_UP) == 0){
1104
network.ifr_flags |= IFF_UP;
1105
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1106
if(ret == -1){
1107
perror("ioctl SIOCSIFFLAGS");
1108
exitcode = EXIT_FAILURE;
1109
#ifdef __linux__
1110
if(restore_loglevel){
1111
ret = klogctl(7, NULL, 0);
1112
if(ret == -1){
1113
perror("klogctl");
1114
}
1115
}
1116
#endif /* __linux__ */
1117
goto end;
1118
}
1119
}
1120
/* sleep checking until interface is running */
1121
for(int i=0; i < delay * 4; i++){
1122
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1123
if(ret == -1){
1124
perror("ioctl SIOCGIFFLAGS");
1125
} else if(network.ifr_flags & IFF_RUNNING){
1126
break;
1127
}
1128
struct timespec sleeptime = { .tv_nsec = 250000000 };
1129
ret = nanosleep(&sleeptime, NULL);
1130
if(ret == -1 and errno != EINTR){
1131
perror("nanosleep");
1132
}
1133
}
1134
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1135
if(ret == -1){
1136
perror("close");
1137
}
1138
#ifdef __linux__
1139
if(restore_loglevel){
1140
/* Restores kernel loglevel to default */
1141
ret = klogctl(7, NULL, 0);
1142
if(ret == -1){
1143
perror("klogctl");
1144
}
1145
}
1146
#endif /* __linux__ */
1147
}
1148
1149
uid = getuid();
1150
gid = getgid();
1151
1152
errno = 0;
1153
setgid(gid);
1154
if(ret == -1){
1155
perror("setgid");
1156
}
1157
1158
ret = setuid(uid);
1159
if(ret == -1){
1160
perror("setuid");
1161
}
1162
1163
ret = init_gnutls_global(pubkey, seckey);
1164
if(ret == -1){
1165
fprintf(stderr, "init_gnutls_global failed\n");
1166
exitcode = EXIT_FAILURE;
1167
goto end;
1168
} else {
1169
gnutls_initialized = true;
1170
}
1171
1172
if(mkdtemp(tempdir) == NULL){
1173
perror("mkdtemp");
1174
goto end;
1175
}
1176
tempdir_created = true;
1177
1178
if(not init_gpgme(pubkey, seckey, tempdir)){
1179
fprintf(stderr, "init_gpgme failed\n");
1180
exitcode = EXIT_FAILURE;
1181
goto end;
1182
} else {
1183
gpgme_initialized = true;
1184
}
1185
1186
if(interface[0] != '\0'){
1187
if_index = (AvahiIfIndex) if_nametoindex(interface);
1188
if(if_index == 0){
1189
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1190
exitcode = EXIT_FAILURE;
1191
goto end;
1192
}
1193
}
1194
1195
if(connect_to != NULL){
1196
/* Connect directly, do not use Zeroconf */
1197
/* (Mainly meant for debugging) */
1198
char *address = strrchr(connect_to, ':');
1199
if(address == NULL){
1200
fprintf(stderr, "No colon in address\n");
1201
exitcode = EXIT_FAILURE;
1202
goto end;
1203
}
1204
uint16_t port;
1205
errno = 0;
1206
tmpmax = strtoimax(address+1, &tmp, 10);
1207
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1208
or tmpmax != (uint16_t)tmpmax){
1209
fprintf(stderr, "Bad port number\n");
1210
exitcode = EXIT_FAILURE;
1211
goto end;
1212
}
1213
port = (uint16_t)tmpmax;
1214
*address = '\0';
1215
address = connect_to;
1216
/* Colon in address indicates IPv6 */
1217
int af;
1218
if(strchr(address, ':') != NULL){
1219
af = AF_INET6;
1220
} else {
1221
af = AF_INET;
1222
}
1223
ret = start_mandos_communication(address, port, if_index, af);
1224
if(ret < 0){
1225
exitcode = EXIT_FAILURE;
1226
} else {
1227
exitcode = EXIT_SUCCESS;
1228
}
1229
goto end;
1230
}
1231
1232
{
559
1233
AvahiServerConfig config;
560
AvahiSServiceBrowser *sb = NULL;
561
int error;
562
int ret;
563
int returncode = EXIT_SUCCESS;
564
565
while (true){
566
static struct option long_options[] = {
567
{"debug", no_argument, (int *)&debug, 1},
568
{"interface", required_argument, 0, 'i'},
569
{0, 0, 0, 0} };
570
571
int option_index = 0;
572
ret = getopt_long (argc, argv, "i:", long_options, &option_index);
573
574
if (ret == -1){
575
break;
576
}
577
578
switch(ret){
579
case 0:
580
break;
581
case 'i':
582
interface = optarg;
583
break;
584
default:
585
exit(EXIT_FAILURE);
586
}
587
}
588
589
if (not debug){
590
avahi_set_log_function(empty_log);
591
}
592
593
/* Initialize the psuedo-RNG */
594
srand(time(NULL));
595
596
/* Allocate main loop object */
597
if (!(simple_poll = avahi_simple_poll_new())) {
598
fprintf(stderr, "Failed to create simple poll object.\n");
599
600
goto exit;
601
}
602
603
/* Do not publish any local records */
1234
/* Do not publish any local Zeroconf records */
604
1235
avahi_server_config_init(&config);
605
1236
config.publish_hinfo = 0;
606
1237
config.publish_addresses = 0;
607
1238
config.publish_workstation = 0;
608
1239
config.publish_domain = 0;
609
1240
610
1241
/* Allocate a new server */
611
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
612
613
/* Free the configuration data */
1242
mc.server = avahi_server_new(avahi_simple_poll_get
1243
(mc.simple_poll), &config, NULL,
1244
NULL, &error);
1245
1246
/* Free the Avahi configuration data */
614
1247
avahi_server_config_free(&config);
615
616
/* Check if creating the server object succeeded */
617
if (!server) {
618
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
619
returncode = EXIT_FAILURE;
620
goto exit;
621
}
622
623
/* Create the service browser */
624
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
625
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
626
returncode = EXIT_FAILURE;
627
goto exit;
628
}
629
630
/* Run the main loop */
631
632
if (debug){
633
fprintf(stderr, "Starting avahi loop search\n");
634
}
635
636
avahi_simple_poll_loop(simple_poll);
637
638
exit:
639
640
if (debug){
641
fprintf(stderr, "%s exiting\n", argv[0]);
642
}
643
644
/* Cleanup things */
645
if (sb)
646
avahi_s_service_browser_free(sb);
647
648
if (server)
649
avahi_server_free(server);
650
651
if (simple_poll)
652
avahi_simple_poll_free(simple_poll);
653
654
return returncode;
1248
}
1249
1250
/* Check if creating the Avahi server object succeeded */
1251
if(mc.server == NULL){
1252
fprintf(stderr, "Failed to create Avahi server: %s\n",
1253
avahi_strerror(error));
1254
exitcode = EXIT_FAILURE;
1255
goto end;
1256
}
1257
1258
/* Create the Avahi service browser */
1259
sb = avahi_s_service_browser_new(mc.server, if_index,
1260
AVAHI_PROTO_INET6, "_mandos._tcp",
1261
NULL, 0, browse_callback, NULL);
1262
if(sb == NULL){
1263
fprintf(stderr, "Failed to create service browser: %s\n",
1264
avahi_strerror(avahi_server_errno(mc.server)));
1265
exitcode = EXIT_FAILURE;
1266
goto end;
1267
}
1268
1269
/* Run the main loop */
1270
1271
if(debug){
1272
fprintf(stderr, "Starting Avahi loop search\n");
1273
}
1274
1275
avahi_simple_poll_loop(mc.simple_poll);
1276
1277
end:
1278
1279
if(debug){
1280
fprintf(stderr, "%s exiting\n", argv[0]);
1281
}
1282
1283
/* Cleanup things */
1284
if(sb != NULL)
1285
avahi_s_service_browser_free(sb);
1286
1287
if(mc.server != NULL)
1288
avahi_server_free(mc.server);
1289
1290
if(mc.simple_poll != NULL)
1291
avahi_simple_poll_free(mc.simple_poll);
1292
1293
if(gnutls_initialized){
1294
gnutls_certificate_free_credentials(mc.cred);
1295
gnutls_global_deinit();
1296
gnutls_dh_params_deinit(mc.dh_params);
1297
}
1298
1299
if(gpgme_initialized){
1300
gpgme_release(mc.ctx);
1301
}
1302
1303
/* Removes the temp directory used by GPGME */
1304
if(tempdir_created){
1305
DIR *d;
1306
struct dirent *direntry;
1307
d = opendir(tempdir);
1308
if(d == NULL){
1309
if(errno != ENOENT){
1310
perror("opendir");
1311
}
1312
} else {
1313
while(true){
1314
direntry = readdir(d);
1315
if(direntry == NULL){
1316
break;
1317
}
1318
/* Skip "." and ".." */
1319
if(direntry->d_name[0] == '.'
1320
and (direntry->d_name[1] == '\0'
1321
or (direntry->d_name[1] == '.'
1322
and direntry->d_name[2] == '\0'))){
1323
continue;
1324
}
1325
char *fullname = NULL;
1326
ret = asprintf(&fullname, "%s/%s", tempdir,
1327
direntry->d_name);
1328
if(ret < 0){
1329
perror("asprintf");
1330
continue;
1331
}
1332
ret = remove(fullname);
1333
if(ret == -1){
1334
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1335
strerror(errno));
1336
}
1337
free(fullname);
1338
}
1339
closedir(d);
1340
}
1341
ret = rmdir(tempdir);
1342
if(ret == -1 and errno != ENOENT){
1343
perror("rmdir");
1344
}
1345
}
1346
1347
return exitcode;
655
1348
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0