To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 314
- compare with another revision
- download diff
- download tarball
- view history from revision 314
- Committer: Teddy Hogeborn
- Date: 2009-02-13 05:38:21 UTC
- Revision ID: teddy@fukt.bsnet.se-20090213053821-03e696gckk4nbjps
Support not using IPv6 in server:
* mandos (AvahiService.__init__): Take new "protocol" parameter. All
callers changed.
(IPv6_TCPServer.__init__): Take new "use_ipv6" parameter. All
callers changed.
(IPv6_TCPServer.server_bind): Create IPv4 socket if not using IPv6.
(main): New "--no-ipv6" command line option. New "use_ipv6" config
option.
* mandos-options.xml ([@id="address"]): Document conditional IPv4
address support.
([@id="ipv6"]): New paragraph.
* mandos.conf (use_ipv6): New config option.
* mandos.conf.xml (OPTIONS): Document new "use_dbus" option.
(EXAMPLE): Changed to use IPv6 link-local address. Added "use_ipv6"
option.
* mandos.xml (SYNOPSIS): New "--no-ipv6" option.
(OPTIONS): Document new "--no-ipv6" option.
* mandos (AvahiService.__init__): Take new "protocol" parameter. All
callers changed.
(IPv6_TCPServer.__init__): Take new "use_ipv6" parameter. All
callers changed.
(IPv6_TCPServer.server_bind): Create IPv4 socket if not using IPv6.
(main): New "--no-ipv6" command line option. New "use_ipv6" config
option.
* mandos-options.xml ([@id="address"]): Document conditional IPv4
address support.
([@id="ipv6"]): New paragraph.
* mandos.conf (use_ipv6): New config option.
* mandos.conf.xml (OPTIONS): Document new "use_dbus" option.
(EXAMPLE): Changed to use IPv6 link-local address. Added "use_ipv6"
option.
* mandos.xml (SYNOPSIS): New "--no-ipv6" option.
(OPTIONS): Document new "--no-ipv6" option.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), remove() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand(), strtof() */
44
#include <stdbool.h> /* bool, false, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, uid_t, gid_t, open(),
51
opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
inet_pton(), connect() */
55
#include <fcntl.h> /* open() */
56
#include <dirent.h> /* opendir(), struct dirent, readdir()
57
*/
58
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
59
strtoimax() */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
86
/* Avahi */
87
/* All Avahi types, constants and functions
88
Avahi*, avahi_*,
89
AVAHI_* */
41
90
#include <avahi-core/core.h>
42
91
#include <avahi-core/lookup.h>
43
92
#include <avahi-core/log.h>
45
94
#include <avahi-common/malloc.h>
46
95
#include <avahi-common/error.h>
47
96
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt long
67
#include <getopt.h>
97
/* GnuTLS */
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
99
functions:
100
gnutls_*
101
init_gnutls_session(),
102
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
106
107
/* GPGME */
108
#include <gpgme.h> /* All GPGME types, constants and
109
functions:
110
gpgme_*
111
GPGME_PROTOCOL_OpenPGP,
112
GPG_ERR_NO_* */
68
113
69
114
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
71
115
72
static const char *certdir = "/conf/conf.d/mandos";
73
static const char *certfile = "openpgp-client.txt";
74
static const char *certkey = "openpgp-client-key.txt";
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
75
119
76
120
bool debug = false;
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
77
124
125
/* Used for passing in values through the Avahi callback functions */
78
126
typedef struct {
79
gnutls_session_t session;
127
AvahiSimplePoll *simple_poll;
128
AvahiServer *server;
80
129
gnutls_certificate_credentials_t cred;
130
unsigned int dh_bits;
81
131
gnutls_dh_params_t dh_params;
82
} encrypted_session;
83
84
85
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet,
87
const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
132
const char *priority;
89
133
gpgme_ctx_t ctx;
134
} mandos_context;
135
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
140
141
/*
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
144
* "buffer_length" is how much is already used.
145
*/
146
size_t incbuffer(char **buffer, size_t buffer_length,
147
size_t buffer_capacity){
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
150
if(buffer == NULL){
151
return 0;
152
}
153
buffer_capacity += BUFFER_SIZE;
154
}
155
return buffer_capacity;
156
}
157
158
/*
159
* Initialize GPGME.
160
*/
161
static bool init_gpgme(const char *seckey,
162
const char *pubkey, const char *tempdir){
163
int ret;
90
164
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
94
165
gpgme_engine_info_t engine_info;
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
166
167
168
/*
169
* Helper function to insert pub and seckey to the engine keyring.
170
*/
171
bool import_key(const char *filename){
172
int fd;
173
gpgme_data_t pgp_data;
174
175
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
176
if(fd == -1){
177
perror("open");
178
return false;
179
}
180
181
rc = gpgme_data_new_from_fd(&pgp_data, fd);
182
if(rc != GPG_ERR_NO_ERROR){
183
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
184
gpgme_strsource(rc), gpgme_strerror(rc));
185
return false;
186
}
187
188
rc = gpgme_op_import(mc.ctx, pgp_data);
189
if(rc != GPG_ERR_NO_ERROR){
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
191
gpgme_strsource(rc), gpgme_strerror(rc));
192
return false;
193
}
194
195
ret = (int)TEMP_FAILURE_RETRY(close(fd));
196
if(ret == -1){
197
perror("close");
198
}
199
gpgme_data_release(pgp_data);
200
return true;
201
}
202
203
if(debug){
204
fprintf(stderr, "Initializing GPGME\n");
98
205
}
99
206
100
207
/* Init GPGME */
101
208
gpgme_check_version(NULL);
102
209
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
103
if (rc != GPG_ERR_NO_ERROR){
210
if(rc != GPG_ERR_NO_ERROR){
104
211
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
105
212
gpgme_strsource(rc), gpgme_strerror(rc));
106
return -1;
213
return false;
107
214
}
108
215
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
216
/* Set GPGME home directory for the OpenPGP engine only */
217
rc = gpgme_get_engine_info(&engine_info);
218
if(rc != GPG_ERR_NO_ERROR){
112
219
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
113
220
gpgme_strsource(rc), gpgme_strerror(rc));
114
return -1;
221
return false;
115
222
}
116
223
while(engine_info != NULL){
117
224
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
118
225
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
119
engine_info->file_name, homedir);
226
engine_info->file_name, tempdir);
120
227
break;
121
228
}
122
229
engine_info = engine_info->next;
123
230
}
124
231
if(engine_info == NULL){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
232
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
233
return false;
234
}
235
236
/* Create new GPGME "context" */
237
rc = gpgme_new(&(mc.ctx));
238
if(rc != GPG_ERR_NO_ERROR){
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
240
gpgme_strsource(rc), gpgme_strerror(rc));
241
return false;
242
}
243
244
if(not import_key(pubkey) or not import_key(seckey)){
245
return false;
246
}
247
248
return true;
249
}
250
251
/*
252
* Decrypt OpenPGP data.
253
* Returns -1 on error
254
*/
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
256
size_t crypto_size,
257
char **plaintext){
258
gpgme_data_t dh_crypto, dh_plain;
259
gpgme_error_t rc;
260
ssize_t ret;
261
size_t plaintext_capacity = 0;
262
ssize_t plaintext_length = 0;
263
264
if(debug){
265
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
266
}
267
268
/* Create new GPGME data buffer from memory cryptotext */
269
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
270
0);
271
if(rc != GPG_ERR_NO_ERROR){
132
272
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
133
273
gpgme_strsource(rc), gpgme_strerror(rc));
134
274
return -1;
136
276
137
277
/* Create new empty GPGME data buffer for the plaintext */
138
278
rc = gpgme_data_new(&dh_plain);
139
if (rc != GPG_ERR_NO_ERROR){
279
if(rc != GPG_ERR_NO_ERROR){
140
280
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
141
281
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
282
gpgme_data_release(dh_crypto);
283
return -1;
284
}
285
286
/* Decrypt data from the cryptotext data buffer to the plaintext
287
data buffer */
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
289
if(rc != GPG_ERR_NO_ERROR){
157
290
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
158
291
gpgme_strsource(rc), gpgme_strerror(rc));
159
return -1;
292
plaintext_length = -1;
293
if(debug){
294
gpgme_decrypt_result_t result;
295
result = gpgme_op_decrypt_result(mc.ctx);
296
if(result == NULL){
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
298
} else {
299
fprintf(stderr, "Unsupported algorithm: %s\n",
300
result->unsupported_algorithm);
301
fprintf(stderr, "Wrong key usage: %u\n",
302
result->wrong_key_usage);
303
if(result->file_name != NULL){
304
fprintf(stderr, "File name: %s\n", result->file_name);
305
}
306
gpgme_recipient_t recipient;
307
recipient = result->recipients;
308
if(recipient){
309
while(recipient != NULL){
310
fprintf(stderr, "Public key algorithm: %s\n",
311
gpgme_pubkey_algo_name(recipient->pubkey_algo));
312
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
313
fprintf(stderr, "Secret key available: %s\n",
314
recipient->status == GPG_ERR_NO_SECKEY
315
? "No" : "Yes");
316
recipient = recipient->next;
317
}
318
}
319
}
320
}
321
goto decrypt_end;
160
322
}
161
323
162
324
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
182
while(recipient != NULL){
183
fprintf(stderr, "Public key algorithm: %s\n",
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
185
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
186
fprintf(stderr, "Secret key available: %s\n",
187
recipient->status == GPG_ERR_NO_SECKEY
188
? "No" : "Yes");
189
recipient = recipient->next;
190
}
191
}
192
}
193
}
194
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
325
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
326
}
197
327
198
328
/* Seek back to the beginning of the GPGME plaintext data buffer */
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
329
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
330
perror("gpgme_data_seek");
331
plaintext_length = -1;
332
goto decrypt_end;
201
333
}
202
334
203
*new_packet = 0;
335
*plaintext = NULL;
204
336
while(true){
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
337
plaintext_capacity = incbuffer(plaintext,
338
(size_t)plaintext_length,
339
plaintext_capacity);
340
if(plaintext_capacity == 0){
341
perror("incbuffer");
342
plaintext_length = -1;
343
goto decrypt_end;
214
344
}
215
345
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
346
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
217
347
BUFFER_SIZE);
218
348
/* Print the data, if any */
219
if (ret == 0){
349
if(ret == 0){
350
/* EOF */
220
351
break;
221
352
}
222
353
if(ret < 0){
223
354
perror("gpgme_data_read");
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
355
plaintext_length = -1;
356
goto decrypt_end;
357
}
358
plaintext_length += ret;
359
}
360
361
if(debug){
362
fprintf(stderr, "Decrypted password is: ");
363
for(ssize_t i = 0; i < plaintext_length; i++){
364
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
365
}
366
fprintf(stderr, "\n");
367
}
368
369
decrypt_end:
370
371
/* Delete the GPGME cryptotext data buffer */
372
gpgme_data_release(dh_crypto);
236
373
237
374
/* Delete the GPGME plaintext data buffer */
238
375
gpgme_data_release(dh_plain);
239
return new_packet_length;
376
return plaintext_length;
240
377
}
241
378
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
379
static const char * safer_gnutls_strerror(int value){
380
const char *ret = gnutls_strerror(value); /* Spurious warning from
381
-Wunreachable-code */
382
if(ret == NULL)
245
383
ret = "(unknown)";
246
384
return ret;
247
385
}
248
386
387
/* GnuTLS log function callback */
249
388
static void debuggnutls(__attribute__((unused)) int level,
250
389
const char* string){
251
fprintf(stderr, "%s", string);
390
fprintf(stderr, "GnuTLS: %s", string);
252
391
}
253
392
254
static int initgnutls(encrypted_session *es){
255
const char *err;
393
static int init_gnutls_global(const char *pubkeyfilename,
394
const char *seckeyfilename){
256
395
int ret;
257
396
258
397
if(debug){
259
398
fprintf(stderr, "Initializing GnuTLS\n");
260
399
}
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
400
401
ret = gnutls_global_init();
402
if(ret != GNUTLS_E_SUCCESS){
403
fprintf(stderr, "GnuTLS global_init: %s\n",
404
safer_gnutls_strerror(ret));
265
405
return -1;
266
406
}
267
268
if (debug){
407
408
if(debug){
409
/* "Use a log level over 10 to enable all debugging options."
410
* - GnuTLS manual
411
*/
269
412
gnutls_global_set_log_level(11);
270
413
gnutls_global_set_log_function(debuggnutls);
271
414
}
272
415
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
416
/* OpenPGP credentials */
417
gnutls_certificate_allocate_credentials(&mc.cred);
418
if(ret != GNUTLS_E_SUCCESS){
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
420
from
421
-Wunreachable-code
422
*/
423
safer_gnutls_strerror(ret));
424
gnutls_global_deinit();
278
425
return -1;
279
426
}
280
427
281
428
if(debug){
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
429
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
430
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
431
seckeyfilename);
285
432
}
286
433
287
434
ret = gnutls_certificate_set_openpgp_key_file
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
435
(mc.cred, pubkeyfilename, seckeyfilename,
436
GNUTLS_OPENPGP_FMT_BASE64);
437
if(ret != GNUTLS_E_SUCCESS){
438
fprintf(stderr,
439
"Error[%d] while reading the OpenPGP key pair ('%s',"
440
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
441
fprintf(stderr, "The GnuTLS error is: %s\n",
442
safer_gnutls_strerror(ret));
443
goto globalfail;
444
}
445
446
/* GnuTLS server initialization */
447
ret = gnutls_dh_params_init(&mc.dh_params);
448
if(ret != GNUTLS_E_SUCCESS){
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
450
" %s\n", safer_gnutls_strerror(ret));
451
goto globalfail;
452
}
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
454
if(ret != GNUTLS_E_SUCCESS){
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
456
safer_gnutls_strerror(ret));
457
goto globalfail;
458
}
459
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
461
462
return 0;
463
464
globalfail:
465
466
gnutls_certificate_free_credentials(mc.cred);
467
gnutls_global_deinit();
468
gnutls_dh_params_deinit(mc.dh_params);
469
return -1;
470
}
471
472
static int init_gnutls_session(gnutls_session_t *session){
473
int ret;
474
/* GnuTLS session creation */
475
ret = gnutls_init(session, GNUTLS_SERVER);
476
if(ret != GNUTLS_E_SUCCESS){
319
477
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
320
478
safer_gnutls_strerror(ret));
321
479
}
322
480
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
481
{
482
const char *err;
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
484
if(ret != GNUTLS_E_SUCCESS){
485
fprintf(stderr, "Syntax error at: %s\n", err);
486
fprintf(stderr, "GnuTLS error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
489
return -1;
490
}
329
491
}
330
492
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
494
mc.cred);
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
497
safer_gnutls_strerror(ret));
498
gnutls_deinit(*session);
336
499
return -1;
337
500
}
338
501
339
502
/* ignore client certificate if any. */
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
503
gnutls_certificate_server_set_request(*session,
504
GNUTLS_CERT_IGNORE);
342
505
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
344
507
345
508
return 0;
346
509
}
347
510
511
/* Avahi log function callback */
348
512
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
513
__attribute__((unused)) const char *txt){}
350
514
515
/* Called when a Mandos server is found */
351
516
static int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
517
AvahiIfIndex if_index,
518
int af){
353
519
int ret, tcp_sd;
354
struct sockaddr_in6 to;
355
encrypted_session es;
520
ssize_t sret;
521
union {
522
struct sockaddr_in in;
523
struct sockaddr_in6 in6;
524
} to;
356
525
char *buffer = NULL;
357
526
char *decrypted_buffer;
358
527
size_t buffer_length = 0;
359
528
size_t buffer_capacity = 0;
360
529
ssize_t decrypted_buffer_size;
361
size_t written = 0;
530
size_t written;
362
531
int retval = 0;
363
char interface[IF_NAMESIZE];
532
gnutls_session_t session;
533
int pf; /* Protocol family */
534
535
switch(af){
536
case AF_INET6:
537
pf = PF_INET6;
538
break;
539
case AF_INET:
540
pf = PF_INET;
541
break;
542
default:
543
fprintf(stderr, "Bad address family: %d\n", af);
544
return -1;
545
}
546
547
ret = init_gnutls_session(&session);
548
if(ret != 0){
549
return -1;
550
}
364
551
365
552
if(debug){
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
553
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
554
"\n", ip, port);
368
555
}
369
556
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
371
if(tcp_sd < 0) {
557
tcp_sd = socket(pf, SOCK_STREAM, 0);
558
if(tcp_sd < 0){
372
559
perror("socket");
373
560
return -1;
374
561
}
375
562
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
378
perror("if_indextoname");
379
}
380
return -1;
381
}
382
383
if(debug){
384
fprintf(stderr, "Binding to interface %s\n", interface);
385
}
386
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
563
memset(&to, 0, sizeof(to));
564
if(af == AF_INET6){
565
to.in6.sin6_family = (uint16_t)af;
566
ret = inet_pton(af, ip, &to.in6.sin6_addr);
567
} else { /* IPv4 */
568
to.in.sin_family = (sa_family_t)af;
569
ret = inet_pton(af, ip, &to.in.sin_addr);
570
}
571
if(ret < 0 ){
391
572
perror("inet_pton");
392
573
return -1;
393
}
574
}
394
575
if(ret == 0){
395
576
fprintf(stderr, "Bad address: %s\n", ip);
396
577
return -1;
397
578
}
398
to.sin6_port = htons(port); /* Spurious warning */
399
400
to.sin6_scope_id = (uint32_t)if_index;
579
if(af == AF_INET6){
580
to.in6.sin6_port = htons(port); /* Spurious warnings from
581
-Wconversion and
582
-Wunreachable-code */
583
584
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
585
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
586
-Wunreachable-code*/
587
if(if_index == AVAHI_IF_UNSPEC){
588
fprintf(stderr, "An IPv6 link-local address is incomplete"
589
" without a network interface\n");
590
return -1;
591
}
592
/* Set the network interface number as scope */
593
to.in6.sin6_scope_id = (uint32_t)if_index;
594
}
595
} else {
596
to.in.sin_port = htons(port); /* Spurious warnings from
597
-Wconversion and
598
-Wunreachable-code */
599
}
401
600
402
601
if(debug){
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
602
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
603
char interface[IF_NAMESIZE];
604
if(if_indextoname((unsigned int)if_index, interface) == NULL){
605
perror("if_indextoname");
606
} else {
607
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
608
ip, interface, port);
609
}
610
} else {
611
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
612
port);
613
}
614
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
615
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
616
const char *pcret;
617
if(af == AF_INET6){
618
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
619
sizeof(addrstr));
620
} else {
621
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
622
sizeof(addrstr));
623
}
624
if(pcret == NULL){
625
perror("inet_ntop");
626
} else {
627
if(strcmp(addrstr, ip) != 0){
628
fprintf(stderr, "Canonical address form: %s\n", addrstr);
629
}
630
}
412
631
}
413
632
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
633
if(af == AF_INET6){
634
ret = connect(tcp_sd, &to.in6, sizeof(to));
635
} else {
636
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
637
}
638
if(ret < 0){
416
639
perror("connect");
417
640
return -1;
418
641
}
419
642
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
643
const char *out = mandos_protocol_version;
644
written = 0;
645
while(true){
646
size_t out_size = strlen(out);
647
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
648
out_size - written));
649
if(ret == -1){
650
perror("write");
651
retval = -1;
652
goto mandos_end;
653
}
654
written += (size_t)ret;
655
if(written < out_size){
656
continue;
657
} else {
658
if(out == mandos_protocol_version){
659
written = 0;
660
out = "\r\n";
661
} else {
662
break;
663
}
664
}
424
665
}
425
666
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
429
667
if(debug){
430
668
fprintf(stderr, "Establishing TLS session with %s\n", ip);
431
669
}
432
670
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
671
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
672
673
do{
674
ret = gnutls_handshake(session);
675
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
676
677
if(ret != GNUTLS_E_SUCCESS){
436
678
if(debug){
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
679
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
680
gnutls_perror(ret);
439
681
}
440
682
retval = -1;
441
goto exit;
683
goto mandos_end;
442
684
}
443
685
444
//Retrieve OpenPGP packet that contains the wanted password
686
/* Read OpenPGP packet that contains the wanted password */
445
687
446
688
if(debug){
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
689
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
448
690
ip);
449
691
}
450
692
451
693
while(true){
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
694
buffer_capacity = incbuffer(&buffer, buffer_length,
695
buffer_capacity);
696
if(buffer_capacity == 0){
697
perror("incbuffer");
698
retval = -1;
699
goto mandos_end;
459
700
}
460
701
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
702
sret = gnutls_record_recv(session, buffer+buffer_length,
703
BUFFER_SIZE);
704
if(sret == 0){
464
705
break;
465
706
}
466
if (ret < 0){
467
switch(ret){
707
if(sret < 0){
708
switch(sret){
468
709
case GNUTLS_E_INTERRUPTED:
469
710
case GNUTLS_E_AGAIN:
470
711
break;
471
712
case GNUTLS_E_REHANDSHAKE:
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
713
do{
714
ret = gnutls_handshake(session);
715
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
716
if(ret < 0){
717
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
718
gnutls_perror(ret);
476
719
retval = -1;
477
goto exit;
720
goto mandos_end;
478
721
}
479
722
break;
480
723
default:
481
724
fprintf(stderr, "Unknown error while reading data from"
482
" encrypted session with mandos server\n");
725
" encrypted session with Mandos server\n");
483
726
retval = -1;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
727
gnutls_bye(session, GNUTLS_SHUT_RDWR);
728
goto mandos_end;
486
729
}
487
730
} else {
488
buffer_length += (size_t) ret;
731
buffer_length += (size_t) sret;
489
732
}
490
733
}
491
734
492
if (buffer_length > 0){
735
if(debug){
736
fprintf(stderr, "Closing TLS session\n");
737
}
738
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
740
741
if(buffer_length > 0){
493
742
decrypted_buffer_size = pgp_packet_decrypt(buffer,
494
743
buffer_length,
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
744
&decrypted_buffer);
745
if(decrypted_buffer_size >= 0){
746
written = 0;
498
747
while(written < (size_t) decrypted_buffer_size){
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
748
ret = (int)fwrite(decrypted_buffer + written, 1,
749
(size_t)decrypted_buffer_size - written,
750
stdout);
502
751
if(ret == 0 and ferror(stdout)){
503
752
if(debug){
504
753
fprintf(stderr, "Error writing encrypted data: %s\n",
513
762
} else {
514
763
retval = -1;
515
764
}
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
765
} else {
766
retval = -1;
767
}
768
769
/* Shutdown procedure */
770
771
mandos_end:
524
772
free(buffer);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
773
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
774
if(ret == -1){
775
perror("close");
776
}
777
gnutls_deinit(session);
531
778
return retval;
532
779
}
533
780
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
781
static void resolve_callback(AvahiSServiceResolver *r,
782
AvahiIfIndex interface,
783
AvahiProtocol proto,
784
AvahiResolverEvent event,
785
const char *name,
786
const char *type,
787
const char *domain,
788
const char *host_name,
789
const AvahiAddress *address,
790
uint16_t port,
791
AVAHI_GCC_UNUSED AvahiStringList *txt,
792
AVAHI_GCC_UNUSED AvahiLookupResultFlags
793
flags,
794
AVAHI_GCC_UNUSED void* userdata){
795
assert(r);
553
796
554
797
/* Called whenever a service has been resolved successfully or
555
798
timed out */
556
799
557
switch (event) {
800
switch(event){
558
801
default:
559
802
case AVAHI_RESOLVER_FAILURE:
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
803
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
804
" of type '%s' in domain '%s': %s\n", name, type, domain,
805
avahi_strerror(avahi_server_errno(mc.server)));
563
806
break;
564
807
565
808
case AVAHI_RESOLVER_FOUND:
567
810
char ip[AVAHI_ADDRESS_STR_MAX];
568
811
avahi_address_snprint(ip, sizeof(ip), address);
569
812
if(debug){
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
813
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
815
ip, (intmax_t)interface, port);
572
816
}
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
817
int ret = start_mandos_communication(ip, port, interface,
818
avahi_proto_to_af(proto));
819
if(ret == 0){
820
avahi_simple_poll_quit(mc.simple_poll);
576
821
}
577
822
}
578
823
}
579
824
avahi_s_service_resolver_free(r);
580
825
}
581
826
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
628
}
629
}
630
631
/* Combines file name and path and returns the malloced new
632
string. some sane checks could/should be added */
633
static const char *combinepath(const char *first, const char *second){
634
size_t f_len = strlen(first);
635
size_t s_len = strlen(second);
636
char *tmp = malloc(f_len + s_len + 2);
637
if (tmp == NULL){
638
return NULL;
639
}
640
if(f_len > 0){
641
memcpy(tmp, first, f_len);
642
}
643
tmp[f_len] = '/';
644
if(s_len > 0){
645
memcpy(tmp + f_len + 1, second, s_len);
646
}
647
tmp[f_len + 1 + s_len] = '\0';
648
return tmp;
649
}
650
651
652
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
827
static void browse_callback(AvahiSServiceBrowser *b,
828
AvahiIfIndex interface,
829
AvahiProtocol protocol,
830
AvahiBrowserEvent event,
831
const char *name,
832
const char *type,
833
const char *domain,
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
835
flags,
836
AVAHI_GCC_UNUSED void* userdata){
837
assert(b);
838
839
/* Called whenever a new services becomes available on the LAN or
840
is removed from the LAN */
841
842
switch(event){
843
default:
844
case AVAHI_BROWSER_FAILURE:
845
846
fprintf(stderr, "(Avahi browser) %s\n",
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
849
return;
850
851
case AVAHI_BROWSER_NEW:
852
/* We ignore the returned Avahi resolver object. In the callback
853
function we free it. If the Avahi server is terminated before
854
the callback function is called the Avahi server will free the
855
resolver for us. */
856
857
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
858
name, type, domain, protocol, 0,
859
resolve_callback, NULL) == NULL)
860
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
861
name, avahi_strerror(avahi_server_errno(mc.server)));
862
break;
863
864
case AVAHI_BROWSER_REMOVE:
865
break;
866
867
case AVAHI_BROWSER_ALL_FOR_NOW:
868
case AVAHI_BROWSER_CACHE_EXHAUSTED:
869
if(debug){
870
fprintf(stderr, "No Mandos server found, still searching...\n");
871
}
872
break;
873
}
874
}
875
876
sig_atomic_t quit_now = 0;
877
878
/* stop main loop after sigterm has been called */
879
static void handle_sigterm(__attribute__((unused)) int sig){
880
if(quit_now){
881
return;
882
}
883
quit_now = 1;
884
int old_errno = errno;
885
if(mc.simple_poll != NULL){
886
avahi_simple_poll_quit(mc.simple_poll);
887
}
888
errno = old_errno;
889
}
890
891
int main(int argc, char *argv[]){
892
AvahiSServiceBrowser *sb = NULL;
893
int error;
894
int ret;
895
intmax_t tmpmax;
896
char *tmp;
897
int exitcode = EXIT_SUCCESS;
898
const char *interface = "eth0";
899
struct ifreq network;
900
int sd;
901
uid_t uid;
902
gid_t gid;
903
char *connect_to = NULL;
904
char tempdir[] = "/tmp/mandosXXXXXX";
905
bool tempdir_created = false;
906
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
907
const char *seckey = PATHDIR "/" SECKEY;
908
const char *pubkey = PATHDIR "/" PUBKEY;
909
910
bool gnutls_initialized = false;
911
bool gpgme_initialized = false;
912
float delay = 2.5f;
913
914
struct sigaction old_sigterm_action;
915
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
916
917
{
918
struct argp_option options[] = {
919
{ .name = "debug", .key = 128,
920
.doc = "Debug mode", .group = 3 },
921
{ .name = "connect", .key = 'c',
922
.arg = "ADDRESS:PORT",
923
.doc = "Connect directly to a specific Mandos server",
924
.group = 1 },
925
{ .name = "interface", .key = 'i',
926
.arg = "NAME",
927
.doc = "Network interface that will be used to search for"
928
" Mandos servers",
929
.group = 1 },
930
{ .name = "seckey", .key = 's',
931
.arg = "FILE",
932
.doc = "OpenPGP secret key file base name",
933
.group = 1 },
934
{ .name = "pubkey", .key = 'p',
935
.arg = "FILE",
936
.doc = "OpenPGP public key file base name",
937
.group = 2 },
938
{ .name = "dh-bits", .key = 129,
939
.arg = "BITS",
940
.doc = "Bit length of the prime number used in the"
941
" Diffie-Hellman key exchange",
942
.group = 2 },
943
{ .name = "priority", .key = 130,
944
.arg = "STRING",
945
.doc = "GnuTLS priority string for the TLS handshake",
946
.group = 1 },
947
{ .name = "delay", .key = 131,
948
.arg = "SECONDS",
949
.doc = "Maximum delay to wait for interface startup",
950
.group = 2 },
951
{ .name = NULL }
952
};
953
954
error_t parse_opt(int key, char *arg,
955
struct argp_state *state){
956
switch(key){
957
case 128: /* --debug */
958
debug = true;
959
break;
960
case 'c': /* --connect */
961
connect_to = arg;
962
break;
963
case 'i': /* --interface */
964
interface = arg;
965
break;
966
case 's': /* --seckey */
967
seckey = arg;
968
break;
969
case 'p': /* --pubkey */
970
pubkey = arg;
971
break;
972
case 129: /* --dh-bits */
973
errno = 0;
974
tmpmax = strtoimax(arg, &tmp, 10);
975
if(errno != 0 or tmp == arg or *tmp != '\0'
976
or tmpmax != (typeof(mc.dh_bits))tmpmax){
977
fprintf(stderr, "Bad number of DH bits\n");
978
exit(EXIT_FAILURE);
979
}
980
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
981
break;
982
case 130: /* --priority */
983
mc.priority = arg;
984
break;
985
case 131: /* --delay */
986
errno = 0;
987
delay = strtof(arg, &tmp);
988
if(errno != 0 or tmp == arg or *tmp != '\0'){
989
fprintf(stderr, "Bad delay\n");
990
exit(EXIT_FAILURE);
991
}
992
break;
993
case ARGP_KEY_ARG:
994
argp_usage(state);
995
case ARGP_KEY_END:
996
break;
997
default:
998
return ARGP_ERR_UNKNOWN;
999
}
1000
return 0;
1001
}
1002
1003
struct argp argp = { .options = options, .parser = parse_opt,
1004
.args_doc = "",
1005
.doc = "Mandos client -- Get and decrypt"
1006
" passwords from a Mandos server" };
1007
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1008
if(ret == ARGP_ERR_UNKNOWN){
1009
fprintf(stderr, "Unknown error while parsing arguments\n");
1010
exitcode = EXIT_FAILURE;
1011
goto end;
1012
}
1013
}
1014
1015
if(not debug){
1016
avahi_set_log_function(empty_log);
1017
}
1018
1019
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1020
from the signal handler */
1021
/* Initialize the pseudo-RNG for Avahi */
1022
srand((unsigned int) time(NULL));
1023
mc.simple_poll = avahi_simple_poll_new();
1024
if(mc.simple_poll == NULL){
1025
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1026
exitcode = EXIT_FAILURE;
1027
goto end;
1028
}
1029
1030
sigemptyset(&sigterm_action.sa_mask);
1031
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1032
if(ret == -1){
1033
perror("sigaddset");
1034
exitcode = EXIT_FAILURE;
1035
goto end;
1036
}
1037
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1038
if(ret == -1){
1039
perror("sigaddset");
1040
exitcode = EXIT_FAILURE;
1041
goto end;
1042
}
1043
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1044
if(ret == -1){
1045
perror("sigaddset");
1046
exitcode = EXIT_FAILURE;
1047
goto end;
1048
}
1049
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1050
if(ret == -1){
1051
perror("sigaction");
1052
exitcode = EXIT_FAILURE;
1053
goto end;
1054
}
1055
1056
/* If the interface is down, bring it up */
1057
if(interface[0] != '\0'){
1058
#ifdef __linux__
1059
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1060
messages to mess up the prompt */
1061
ret = klogctl(8, NULL, 5);
1062
bool restore_loglevel = true;
1063
if(ret == -1){
1064
restore_loglevel = false;
1065
perror("klogctl");
1066
}
1067
#endif /* __linux__ */
1068
1069
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1070
if(sd < 0){
1071
perror("socket");
1072
exitcode = EXIT_FAILURE;
1073
#ifdef __linux__
1074
if(restore_loglevel){
1075
ret = klogctl(7, NULL, 0);
1076
if(ret == -1){
1077
perror("klogctl");
1078
}
1079
}
1080
#endif /* __linux__ */
1081
goto end;
1082
}
1083
strcpy(network.ifr_name, interface);
1084
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1085
if(ret == -1){
1086
perror("ioctl SIOCGIFFLAGS");
1087
#ifdef __linux__
1088
if(restore_loglevel){
1089
ret = klogctl(7, NULL, 0);
1090
if(ret == -1){
1091
perror("klogctl");
1092
}
1093
}
1094
#endif /* __linux__ */
1095
exitcode = EXIT_FAILURE;
1096
goto end;
1097
}
1098
if((network.ifr_flags & IFF_UP) == 0){
1099
network.ifr_flags |= IFF_UP;
1100
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1101
if(ret == -1){
1102
perror("ioctl SIOCSIFFLAGS");
1103
exitcode = EXIT_FAILURE;
1104
#ifdef __linux__
1105
if(restore_loglevel){
1106
ret = klogctl(7, NULL, 0);
1107
if(ret == -1){
1108
perror("klogctl");
1109
}
1110
}
1111
#endif /* __linux__ */
1112
goto end;
1113
}
1114
}
1115
/* sleep checking until interface is running */
1116
for(int i=0; i < delay * 4; i++){
1117
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1118
if(ret == -1){
1119
perror("ioctl SIOCGIFFLAGS");
1120
} else if(network.ifr_flags & IFF_RUNNING){
1121
break;
1122
}
1123
struct timespec sleeptime = { .tv_nsec = 250000000 };
1124
ret = nanosleep(&sleeptime, NULL);
1125
if(ret == -1 and errno != EINTR){
1126
perror("nanosleep");
1127
}
1128
}
1129
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1130
if(ret == -1){
1131
perror("close");
1132
}
1133
#ifdef __linux__
1134
if(restore_loglevel){
1135
/* Restores kernel loglevel to default */
1136
ret = klogctl(7, NULL, 0);
1137
if(ret == -1){
1138
perror("klogctl");
1139
}
1140
}
1141
#endif /* __linux__ */
1142
}
1143
1144
uid = getuid();
1145
gid = getgid();
1146
1147
errno = 0;
1148
setgid(gid);
1149
if(ret == -1){
1150
perror("setgid");
1151
}
1152
1153
ret = setuid(uid);
1154
if(ret == -1){
1155
perror("setuid");
1156
}
1157
1158
ret = init_gnutls_global(pubkey, seckey);
1159
if(ret == -1){
1160
fprintf(stderr, "init_gnutls_global failed\n");
1161
exitcode = EXIT_FAILURE;
1162
goto end;
1163
} else {
1164
gnutls_initialized = true;
1165
}
1166
1167
if(mkdtemp(tempdir) == NULL){
1168
perror("mkdtemp");
1169
goto end;
1170
}
1171
tempdir_created = true;
1172
1173
if(not init_gpgme(pubkey, seckey, tempdir)){
1174
fprintf(stderr, "init_gpgme failed\n");
1175
exitcode = EXIT_FAILURE;
1176
goto end;
1177
} else {
1178
gpgme_initialized = true;
1179
}
1180
1181
if(interface[0] != '\0'){
1182
if_index = (AvahiIfIndex) if_nametoindex(interface);
1183
if(if_index == 0){
1184
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1185
exitcode = EXIT_FAILURE;
1186
goto end;
1187
}
1188
}
1189
1190
if(connect_to != NULL){
1191
/* Connect directly, do not use Zeroconf */
1192
/* (Mainly meant for debugging) */
1193
char *address = strrchr(connect_to, ':');
1194
if(address == NULL){
1195
fprintf(stderr, "No colon in address\n");
1196
exitcode = EXIT_FAILURE;
1197
goto end;
1198
}
1199
uint16_t port;
1200
errno = 0;
1201
tmpmax = strtoimax(address+1, &tmp, 10);
1202
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1203
or tmpmax != (uint16_t)tmpmax){
1204
fprintf(stderr, "Bad port number\n");
1205
exitcode = EXIT_FAILURE;
1206
goto end;
1207
}
1208
port = (uint16_t)tmpmax;
1209
*address = '\0';
1210
address = connect_to;
1211
/* Colon in address indicates IPv6 */
1212
int af;
1213
if(strchr(address, ':') != NULL){
1214
af = AF_INET6;
1215
} else {
1216
af = AF_INET;
1217
}
1218
ret = start_mandos_communication(address, port, if_index, af);
1219
if(ret < 0){
1220
exitcode = EXIT_FAILURE;
1221
} else {
1222
exitcode = EXIT_SUCCESS;
1223
}
1224
goto end;
1225
}
1226
1227
{
653
1228
AvahiServerConfig config;
654
AvahiSServiceBrowser *sb = NULL;
655
int error;
656
int ret;
657
int returncode = EXIT_SUCCESS;
658
const char *interface = NULL;
659
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
660
char *connect_to = NULL;
661
662
while (true){
663
static struct option long_options[] = {
664
{"debug", no_argument, (int *)&debug, 1},
665
{"connect", required_argument, 0, 'C'},
666
{"interface", required_argument, 0, 'i'},
667
{"certdir", required_argument, 0, 'd'},
668
{"certkey", required_argument, 0, 'c'},
669
{"certfile", required_argument, 0, 'k'},
670
{0, 0, 0, 0} };
671
672
int option_index = 0;
673
ret = getopt_long (argc, argv, "i:", long_options,
674
&option_index);
675
676
if (ret == -1){
677
break;
678
}
679
680
switch(ret){
681
case 0:
682
break;
683
case 'i':
684
interface = optarg;
685
break;
686
case 'C':
687
connect_to = optarg;
688
break;
689
case 'd':
690
certdir = optarg;
691
break;
692
case 'c':
693
certfile = optarg;
694
break;
695
case 'k':
696
certkey = optarg;
697
break;
698
default:
699
exit(EXIT_FAILURE);
700
}
701
}
702
703
certfile = combinepath(certdir, certfile);
704
if (certfile == NULL){
705
perror("combinepath");
706
goto exit;
707
}
708
709
if(interface != NULL){
710
if_index = (AvahiIfIndex) if_nametoindex(interface);
711
if(if_index == 0){
712
fprintf(stderr, "No such interface: \"%s\"\n", interface);
713
exit(EXIT_FAILURE);
714
}
715
}
716
717
if(connect_to != NULL){
718
/* Connect directly, do not use Zeroconf */
719
/* (Mainly meant for debugging) */
720
char *address = strrchr(connect_to, ':');
721
if(address == NULL){
722
fprintf(stderr, "No colon in address\n");
723
exit(EXIT_FAILURE);
724
}
725
errno = 0;
726
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
727
if(errno){
728
perror("Bad port number");
729
exit(EXIT_FAILURE);
730
}
731
*address = '\0';
732
address = connect_to;
733
ret = start_mandos_communication(address, port, if_index);
734
if(ret < 0){
735
exit(EXIT_FAILURE);
736
} else {
737
exit(EXIT_SUCCESS);
738
}
739
}
740
741
certkey = combinepath(certdir, certkey);
742
if (certkey == NULL){
743
perror("combinepath");
744
goto exit;
745
}
746
747
if (not debug){
748
avahi_set_log_function(empty_log);
749
}
750
751
/* Initialize the psuedo-RNG */
752
srand((unsigned int) time(NULL));
753
754
/* Allocate main loop object */
755
if (!(simple_poll = avahi_simple_poll_new())) {
756
fprintf(stderr, "Failed to create simple poll object.\n");
757
758
goto exit;
759
}
760
761
/* Do not publish any local records */
1229
/* Do not publish any local Zeroconf records */
762
1230
avahi_server_config_init(&config);
763
1231
config.publish_hinfo = 0;
764
1232
config.publish_addresses = 0;
765
1233
config.publish_workstation = 0;
766
1234
config.publish_domain = 0;
767
1235
768
1236
/* Allocate a new server */
769
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
770
&config, NULL, NULL, &error);
771
772
/* Free the configuration data */
1237
mc.server = avahi_server_new(avahi_simple_poll_get
1238
(mc.simple_poll), &config, NULL,
1239
NULL, &error);
1240
1241
/* Free the Avahi configuration data */
773
1242
avahi_server_config_free(&config);
774
775
/* Check if creating the server object succeeded */
776
if (!server) {
777
fprintf(stderr, "Failed to create server: %s\n",
778
avahi_strerror(error));
779
returncode = EXIT_FAILURE;
780
goto exit;
781
}
782
783
/* Create the service browser */
784
sb = avahi_s_service_browser_new(server, if_index,
785
AVAHI_PROTO_INET6,
786
"_mandos._tcp", NULL, 0,
787
browse_callback, server);
788
if (!sb) {
789
fprintf(stderr, "Failed to create service browser: %s\n",
790
avahi_strerror(avahi_server_errno(server)));
791
returncode = EXIT_FAILURE;
792
goto exit;
793
}
794
795
/* Run the main loop */
796
797
if (debug){
798
fprintf(stderr, "Starting avahi loop search\n");
799
}
800
801
avahi_simple_poll_loop(simple_poll);
802
803
exit:
804
805
if (debug){
806
fprintf(stderr, "%s exiting\n", argv[0]);
807
}
808
809
/* Cleanup things */
810
if (sb)
811
avahi_s_service_browser_free(sb);
812
813
if (server)
814
avahi_server_free(server);
815
816
if (simple_poll)
817
avahi_simple_poll_free(simple_poll);
818
free(certfile);
819
free(certkey);
820
821
return returncode;
1243
}
1244
1245
/* Check if creating the Avahi server object succeeded */
1246
if(mc.server == NULL){
1247
fprintf(stderr, "Failed to create Avahi server: %s\n",
1248
avahi_strerror(error));
1249
exitcode = EXIT_FAILURE;
1250
goto end;
1251
}
1252
1253
/* Create the Avahi service browser */
1254
sb = avahi_s_service_browser_new(mc.server, if_index,
1255
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1256
NULL, 0, browse_callback, NULL);
1257
if(sb == NULL){
1258
fprintf(stderr, "Failed to create service browser: %s\n",
1259
avahi_strerror(avahi_server_errno(mc.server)));
1260
exitcode = EXIT_FAILURE;
1261
goto end;
1262
}
1263
1264
/* Run the main loop */
1265
1266
if(debug){
1267
fprintf(stderr, "Starting Avahi loop search\n");
1268
}
1269
1270
avahi_simple_poll_loop(mc.simple_poll);
1271
1272
end:
1273
1274
if(debug){
1275
fprintf(stderr, "%s exiting\n", argv[0]);
1276
}
1277
1278
/* Cleanup things */
1279
if(sb != NULL)
1280
avahi_s_service_browser_free(sb);
1281
1282
if(mc.server != NULL)
1283
avahi_server_free(mc.server);
1284
1285
if(mc.simple_poll != NULL)
1286
avahi_simple_poll_free(mc.simple_poll);
1287
1288
if(gnutls_initialized){
1289
gnutls_certificate_free_credentials(mc.cred);
1290
gnutls_global_deinit();
1291
gnutls_dh_params_deinit(mc.dh_params);
1292
}
1293
1294
if(gpgme_initialized){
1295
gpgme_release(mc.ctx);
1296
}
1297
1298
/* Removes the temp directory used by GPGME */
1299
if(tempdir_created){
1300
DIR *d;
1301
struct dirent *direntry;
1302
d = opendir(tempdir);
1303
if(d == NULL){
1304
if(errno != ENOENT){
1305
perror("opendir");
1306
}
1307
} else {
1308
while(true){
1309
direntry = readdir(d);
1310
if(direntry == NULL){
1311
break;
1312
}
1313
/* Skip "." and ".." */
1314
if(direntry->d_name[0] == '.'
1315
and (direntry->d_name[1] == '\0'
1316
or (direntry->d_name[1] == '.'
1317
and direntry->d_name[2] == '\0'))){
1318
continue;
1319
}
1320
char *fullname = NULL;
1321
ret = asprintf(&fullname, "%s/%s", tempdir,
1322
direntry->d_name);
1323
if(ret < 0){
1324
perror("asprintf");
1325
continue;
1326
}
1327
ret = remove(fullname);
1328
if(ret == -1){
1329
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1330
strerror(errno));
1331
}
1332
free(fullname);
1333
}
1334
closedir(d);
1335
}
1336
ret = rmdir(tempdir);
1337
if(ret == -1 and errno != ENOENT){
1338
perror("rmdir");
1339
}
1340
}
1341
1342
return exitcode;
822
1343
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0