To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 35
- compare with another revision
- download diff
- download tarball
- view history from revision 35
- Committer: Teddy Hogeborn
- Date: 2008-08-02 10:48:24 UTC
- Revision ID: teddy@fukt.bsnet.se-20080802104824-fx0miwp9o4g9r31e
* plugbasedclient.c (struct process): New fields "eof", "completed",
and "status".
(handle_sigchld): New function.
(main): Initialize "dir" to NULL to only closedir() it if necessary.
Move "process_list" to be a global variable to be accessible
by "handle_sigchld". Make "handle_sigchld" handle SIGCHLD.
Remove redundant check for NULL "dir". Free "filename" when
no longer used. Block SIGCHLD around fork()/exec().
Restore normal signals in child. Only loop while running
processes exist. Print process buffer when the process is
done and it has emitted EOF, not when it only emits EOF.
Remove processes from list which exit non-cleanly. In
cleaning up, closedir() if necessary. Bug fix: set next
pointer correctly when freeing process list.
* plugins.d/passprompt.c (main): Do not ignore SIGQUIT.
and "status".
(handle_sigchld): New function.
(main): Initialize "dir" to NULL to only closedir() it if necessary.
Move "process_list" to be a global variable to be accessible
by "handle_sigchld". Make "handle_sigchld" handle SIGCHLD.
Remove redundant check for NULL "dir". Free "filename" when
no longer used. Block SIGCHLD around fork()/exec().
Restore normal signals in child. Only loop while running
processes exist. Print process buffer when the process is
done and it has emitted EOF, not when it only emits EOF.
Remove processes from list which exit non-cleanly. In
cleaning up, closedir() if necessary. Bug fix: set next
pointer correctly when freeing process list.
* plugins.d/passprompt.c (main): Do not ignore SIGQUIT.
- files modified:
- TODO
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
35
#include <stdio.h>
38
36
#include <assert.h>
39
37
#include <stdlib.h>
40
38
#include <time.h>
41
39
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
46
40
47
41
#include <avahi-core/core.h>
48
42
#include <avahi-core/lookup.h>
51
45
#include <avahi-common/malloc.h>
52
46
#include <avahi-common/error.h>
53
47
54
/* Mandos client part */
48
//mandos client part
55
49
#include <sys/types.h> /* socket(), inet_pton() */
56
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
51
struct in6_addr, inet_pton() */
64
58
#include <string.h> /* memset */
65
59
#include <arpa/inet.h> /* inet_pton() */
66
60
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
61
69
/* GPGME */
62
// gpgme
70
63
#include <errno.h> /* perror() */
71
64
#include <gpgme.h>
72
65
73
/* getopt_long */
66
// getopt long
74
67
#include <getopt.h>
75
68
76
69
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
77
71
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char *pubkeyfile = "pubkey.txt";
80
static const char *seckeyfile = "seckey.txt";
72
const char *certdir = "/conf/conf.d/cryptkeyreq/";
73
const char *certfile = "openpgp-client.txt";
74
const char *certkey = "openpgp-client-key.txt";
81
75
82
76
bool debug = false;
83
77
84
const char mandos_protocol_version[] = "1";
85
86
/* Used for passing in values through all the callback functions */
87
78
typedef struct {
88
AvahiSimplePoll *simple_poll;
89
AvahiServer *server;
79
gnutls_session_t session;
90
80
gnutls_certificate_credentials_t cred;
91
unsigned int dh_bits;
92
81
gnutls_dh_params_t dh_params;
93
const char *priority;
94
} mandos_context;
95
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
82
} encrypted_session;
83
84
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
116
87
gpgme_data_t dh_crypto, dh_plain;
117
88
gpgme_ctx_t ctx;
118
89
gpgme_error_t rc;
119
90
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
122
93
gpgme_engine_info_t engine_info;
123
94
124
95
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
126
97
}
127
98
128
99
/* Init GPGME */
134
105
return -1;
135
106
}
136
107
137
/* Set GPGME home directory for the OpenPGP engine only */
108
/* Set GPGME home directory */
138
109
rc = gpgme_get_engine_info (&engine_info);
139
110
if (rc != GPG_ERR_NO_ERROR){
140
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
121
engine_info = engine_info->next;
151
122
}
152
123
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
125
return -1;
155
126
}
156
127
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
130
if (rc != GPG_ERR_NO_ERROR){
161
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
132
gpgme_strsource(rc), gpgme_strerror(rc));
168
138
if (rc != GPG_ERR_NO_ERROR){
169
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
140
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
141
return -1;
173
142
}
174
143
177
146
if (rc != GPG_ERR_NO_ERROR){
178
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
148
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
149
return -1;
182
150
}
183
151
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
186
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
155
if (rc != GPG_ERR_NO_ERROR){
188
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
157
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
158
return -1;
192
159
}
193
160
194
161
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
196
163
}
197
164
198
165
if (debug){
199
166
gpgme_decrypt_result_t result;
200
167
result = gpgme_op_decrypt_result(ctx);
224
191
}
225
192
}
226
193
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
196
227
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
199
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
200
}
233
201
234
*plaintext = NULL;
202
*new_packet = 0;
235
203
while(true){
236
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
237
plaintext_capacity);
238
if (plaintext_capacity == 0){
239
perror("adjustbuffer");
240
plaintext_length = -1;
241
goto decrypt_end;
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
207
+ BUFFER_SIZE);
208
if (*new_packet == NULL){
209
perror("realloc");
210
return -1;
211
}
212
new_packet_capacity += BUFFER_SIZE;
242
213
}
243
214
244
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
245
216
BUFFER_SIZE);
246
217
/* Print the data, if any */
247
218
if (ret == 0){
248
/* EOF */
249
219
break;
250
220
}
251
221
if(ret < 0){
252
222
perror("gpgme_data_read");
253
plaintext_length = -1;
254
goto decrypt_end;
223
return -1;
255
224
}
256
plaintext_length += ret;
225
new_packet_length += ret;
257
226
}
258
227
259
if(debug){
260
fprintf(stderr, "Decrypted password is: ");
261
for(ssize_t i = 0; i < plaintext_length; i++){
262
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
263
}
264
fprintf(stderr, "\n");
265
}
266
267
decrypt_end:
268
269
/* Delete the GPGME cryptotext data buffer */
270
gpgme_data_release(dh_crypto);
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
230
/* if(debug){ */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
234
/* } */
271
235
272
236
/* Delete the GPGME plaintext data buffer */
273
237
gpgme_data_release(dh_plain);
274
return plaintext_length;
238
return new_packet_length;
275
239
}
276
240
277
241
static const char * safer_gnutls_strerror (int value) {
281
245
return ret;
282
246
}
283
247
284
/* GnuTLS log function callback */
285
static void debuggnutls(__attribute__((unused)) int level,
286
const char* string){
287
fprintf(stderr, "GnuTLS: %s", string);
248
void debuggnutls(__attribute__((unused)) int level,
249
const char* string){
250
fprintf(stderr, "%s", string);
288
251
}
289
252
290
static int init_gnutls_global(mandos_context *mc){
253
int initgnutls(encrypted_session *es){
254
const char *err;
291
255
int ret;
292
256
293
257
if(debug){
296
260
297
261
if ((ret = gnutls_global_init ())
298
262
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "GnuTLS global_init: %s\n",
300
safer_gnutls_strerror(ret));
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
301
264
return -1;
302
265
}
303
266
304
267
if (debug){
305
/* "Use a log level over 10 to enable all debugging options."
306
* - GnuTLS manual
307
*/
308
268
gnutls_global_set_log_level(11);
309
269
gnutls_global_set_log_function(debuggnutls);
310
270
}
311
271
312
/* OpenPGP credentials */
313
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
314
274
!= GNUTLS_E_SUCCESS) {
315
fprintf (stderr, "GnuTLS memory error: %s\n",
275
fprintf (stderr, "memory error: %s\n",
316
276
safer_gnutls_strerror(ret));
317
277
return -1;
318
278
}
319
279
320
280
if(debug){
321
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
322
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
323
seckeyfile);
282
" and keyfile %s as GnuTLS credentials\n", certfile,
283
certkey);
324
284
}
325
285
326
286
ret = gnutls_certificate_set_openpgp_key_file
327
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
328
288
if (ret != GNUTLS_E_SUCCESS) {
329
fprintf(stderr,
330
"Error[%d] while reading the OpenPGP key pair ('%s',"
331
" '%s')\n", ret, pubkeyfile, seckeyfile);
332
fprintf(stdout, "The GnuTLS error is: %s\n",
289
fprintf
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
291
" '%s')\n",
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
333
294
safer_gnutls_strerror(ret));
334
295
return -1;
335
296
}
336
297
337
/* GnuTLS server initialization */
338
ret = gnutls_dh_params_init(&mc->dh_params);
339
if (ret != GNUTLS_E_SUCCESS) {
340
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
341
" %s\n", safer_gnutls_strerror(ret));
342
return -1;
343
}
344
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
345
if (ret != GNUTLS_E_SUCCESS) {
346
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
347
safer_gnutls_strerror(ret));
348
return -1;
349
}
350
351
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
352
353
return 0;
354
}
355
356
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
357
int ret;
358
/* GnuTLS session creation */
359
ret = gnutls_init(session, GNUTLS_SERVER);
360
if (ret != GNUTLS_E_SUCCESS){
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
303
return -1;
304
}
305
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
310
return -1;
311
}
312
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
314
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
361
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
362
319
safer_gnutls_strerror(ret));
363
320
}
364
321
365
{
366
const char *err;
367
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf(stderr, "Syntax error at: %s\n", err);
370
fprintf(stderr, "GnuTLS error: %s\n",
371
safer_gnutls_strerror(ret));
372
return -1;
373
}
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
327
return -1;
374
328
}
375
329
376
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
377
mc->cred);
378
if (ret != GNUTLS_E_SUCCESS) {
379
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
380
334
safer_gnutls_strerror(ret));
381
335
return -1;
382
336
}
383
337
384
338
/* ignore client certificate if any. */
385
gnutls_certificate_server_set_request (*session,
339
gnutls_certificate_server_set_request (es->session,
386
340
GNUTLS_CERT_IGNORE);
387
341
388
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
389
343
390
344
return 0;
391
345
}
392
346
393
/* Avahi log function callback */
394
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
395
__attribute__((unused)) const char *txt){}
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
396
349
397
/* Called when a Mandos server is found */
398
static int start_mandos_communication(const char *ip, uint16_t port,
399
AvahiIfIndex if_index,
400
mandos_context *mc){
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
401
352
int ret, tcp_sd;
402
353
struct sockaddr_in6 to;
354
encrypted_session es;
403
355
char *buffer = NULL;
404
356
char *decrypted_buffer;
405
357
size_t buffer_length = 0;
406
358
size_t buffer_capacity = 0;
407
359
ssize_t decrypted_buffer_size;
408
size_t written;
360
size_t written = 0;
409
361
int retval = 0;
410
362
char interface[IF_NAMESIZE];
411
gnutls_session_t session;
412
gnutls_dh_params_t dh_params;
413
414
ret = init_gnutls_session (mc, &session);
415
if (ret != 0){
416
return -1;
417
}
418
363
419
364
if(debug){
420
365
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
426
371
perror("socket");
427
372
return -1;
428
373
}
429
430
if(debug){
431
if(if_indextoname((unsigned int)if_index, interface) == NULL){
374
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
376
if(debug){
432
377
perror("if_indextoname");
433
return -1;
434
378
}
379
return -1;
380
}
381
382
if(debug){
435
383
fprintf(stderr, "Binding to interface %s\n", interface);
436
384
}
437
385
438
386
memset(&to,0,sizeof(to)); /* Spurious warning */
439
387
to.sin6_family = AF_INET6;
440
/* It would be nice to have a way to detect if we were passed an
441
IPv4 address here. Now we assume an IPv6 address. */
442
388
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
443
389
if (ret < 0 ){
444
390
perror("inet_pton");
445
391
return -1;
446
}
392
}
447
393
if(ret == 0){
448
394
fprintf(stderr, "Bad address: %s\n", ip);
449
395
return -1;
454
400
455
401
if(debug){
456
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
457
char addrstr[INET6_ADDRSTRLEN] = "";
458
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
459
sizeof(addrstr)) == NULL){
460
perror("inet_ntop");
461
} else {
462
if(strcmp(addrstr, ip) != 0){
463
fprintf(stderr, "Canonical address form: %s\n", addrstr);
464
}
465
}
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
407
/* } else { */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
410
/* } */
466
411
}
467
412
468
413
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
470
415
perror("connect");
471
416
return -1;
472
417
}
473
474
const char *out = mandos_protocol_version;
475
written = 0;
476
while (true){
477
size_t out_size = strlen(out);
478
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
479
out_size - written));
480
if (ret == -1){
481
perror("write");
482
retval = -1;
483
goto mandos_end;
484
}
485
written += (size_t)ret;
486
if(written < out_size){
487
continue;
488
} else {
489
if (out == mandos_protocol_version){
490
written = 0;
491
out = "\r\n";
492
} else {
493
break;
494
}
495
}
418
419
ret = initgnutls (&es);
420
if (ret != 0){
421
retval = -1;
422
return -1;
496
423
}
497
424
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
427
498
428
if(debug){
499
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
500
430
}
501
431
502
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
503
504
ret = gnutls_handshake (session);
432
ret = gnutls_handshake (es.session);
505
433
506
434
if (ret != GNUTLS_E_SUCCESS){
507
435
if(debug){
508
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
436
fprintf(stderr, "\n*** Handshake failed ***\n");
509
437
gnutls_perror (ret);
510
438
}
511
439
retval = -1;
512
goto mandos_end;
440
goto exit;
513
441
}
514
442
515
/* Read OpenPGP packet that contains the wanted password */
443
//Retrieve OpenPGP packet that contains the wanted password
516
444
517
445
if(debug){
518
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
520
448
}
521
449
522
450
while(true){
523
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
524
if (buffer_capacity == 0){
525
perror("adjustbuffer");
526
retval = -1;
527
goto mandos_end;
451
if (buffer_length + BUFFER_SIZE > buffer_capacity){
452
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
453
if (buffer == NULL){
454
perror("realloc");
455
goto exit;
456
}
457
buffer_capacity += BUFFER_SIZE;
528
458
}
529
459
530
ret = gnutls_record_recv(session, buffer+buffer_length,
531
BUFFER_SIZE);
460
ret = gnutls_record_recv
461
(es.session, buffer+buffer_length, BUFFER_SIZE);
532
462
if (ret == 0){
533
463
break;
534
464
}
538
468
case GNUTLS_E_AGAIN:
539
469
break;
540
470
case GNUTLS_E_REHANDSHAKE:
541
ret = gnutls_handshake (session);
471
ret = gnutls_handshake (es.session);
542
472
if (ret < 0){
543
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
473
fprintf(stderr, "\n*** Handshake failed ***\n");
544
474
gnutls_perror (ret);
545
475
retval = -1;
546
goto mandos_end;
476
goto exit;
547
477
}
548
478
break;
549
479
default:
550
480
fprintf(stderr, "Unknown error while reading data from"
551
" encrypted session with Mandos server\n");
481
" encrypted session with mandos server\n");
552
482
retval = -1;
553
gnutls_bye (session, GNUTLS_SHUT_RDWR);
554
goto mandos_end;
483
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
484
goto exit;
555
485
}
556
486
} else {
557
487
buffer_length += (size_t) ret;
558
488
}
559
489
}
560
490
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
565
gnutls_bye (session, GNUTLS_SHUT_RDWR);
566
567
491
if (buffer_length > 0){
568
492
decrypted_buffer_size = pgp_packet_decrypt(buffer,
569
493
buffer_length,
570
494
&decrypted_buffer,
571
keydir);
495
certdir);
572
496
if (decrypted_buffer_size >= 0){
573
written = 0;
574
497
while(written < (size_t) decrypted_buffer_size){
575
498
ret = (int)fwrite (decrypted_buffer + written, 1,
576
499
(size_t)decrypted_buffer_size - written,
590
513
retval = -1;
591
514
}
592
515
}
593
594
/* Shutdown procedure */
595
596
mandos_end:
516
517
//shutdown procedure
518
519
if(debug){
520
fprintf(stderr, "Closing TLS session\n");
521
}
522
597
523
free(buffer);
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
exit:
598
526
close(tcp_sd);
599
gnutls_deinit (session);
600
gnutls_certificate_free_credentials (mc->cred);
527
gnutls_deinit (es.session);
528
gnutls_certificate_free_credentials (es.cred);
601
529
gnutls_global_deinit ();
602
530
return retval;
603
531
}
604
532
605
static void resolve_callback(AvahiSServiceResolver *r,
606
AvahiIfIndex interface,
607
AVAHI_GCC_UNUSED AvahiProtocol protocol,
608
AvahiResolverEvent event,
609
const char *name,
610
const char *type,
611
const char *domain,
612
const char *host_name,
613
const AvahiAddress *address,
614
uint16_t port,
615
AVAHI_GCC_UNUSED AvahiStringList *txt,
616
AVAHI_GCC_UNUSED AvahiLookupResultFlags
617
flags,
618
void* userdata) {
619
mandos_context *mc = userdata;
533
static AvahiSimplePoll *simple_poll = NULL;
534
static AvahiServer *server = NULL;
535
536
static void resolve_callback(
537
AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
AVAHI_GCC_UNUSED void* userdata) {
550
620
551
assert(r); /* Spurious warning */
621
552
622
553
/* Called whenever a service has been resolved successfully or
625
556
switch (event) {
626
557
default:
627
558
case AVAHI_RESOLVER_FAILURE:
628
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
629
" of type '%s' in domain '%s': %s\n", name, type, domain,
630
avahi_strerror(avahi_server_errno(mc->server)));
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(server)));
631
562
break;
632
563
633
564
case AVAHI_RESOLVER_FOUND:
635
566
char ip[AVAHI_ADDRESS_STR_MAX];
636
567
avahi_address_snprint(ip, sizeof(ip), address);
637
568
if(debug){
638
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
639
" port %d\n", name, host_name, ip, interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
640
571
}
641
int ret = start_mandos_communication(ip, port, interface, mc);
572
int ret = start_mandos_communication(ip, port, interface);
642
573
if (ret == 0){
643
574
exit(EXIT_SUCCESS);
644
575
}
647
578
avahi_s_service_resolver_free(r);
648
579
}
649
580
650
static void browse_callback( AvahiSServiceBrowser *b,
651
AvahiIfIndex interface,
652
AvahiProtocol protocol,
653
AvahiBrowserEvent event,
654
const char *name,
655
const char *type,
656
const char *domain,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
660
mandos_context *mc = userdata;
661
assert(b); /* Spurious warning */
662
663
/* Called whenever a new services becomes available on the LAN or
664
is removed from the LAN */
665
666
switch (event) {
667
default:
668
case AVAHI_BROWSER_FAILURE:
669
670
fprintf(stderr, "(Avahi browser) %s\n",
671
avahi_strerror(avahi_server_errno(mc->server)));
672
avahi_simple_poll_quit(mc->simple_poll);
673
return;
674
675
case AVAHI_BROWSER_NEW:
676
/* We ignore the returned Avahi resolver object. In the callback
677
function we free it. If the Avahi server is terminated before
678
the callback function is called the Avahi server will free the
679
resolver for us. */
680
681
if (!(avahi_s_service_resolver_new(mc->server, interface,
682
protocol, name, type, domain,
683
AVAHI_PROTO_INET6, 0,
684
resolve_callback, mc)))
685
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
686
name, avahi_strerror(avahi_server_errno(mc->server)));
687
break;
688
689
case AVAHI_BROWSER_REMOVE:
690
break;
691
692
case AVAHI_BROWSER_ALL_FOR_NOW:
693
case AVAHI_BROWSER_CACHE_EXHAUSTED:
694
if(debug){
695
fprintf(stderr, "No Mandos server found, still searching...\n");
581
static void browse_callback(
582
AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
586
const char *name,
587
const char *type,
588
const char *domain,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
590
void* userdata) {
591
592
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
594
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
597
598
switch (event) {
599
default:
600
case AVAHI_BROWSER_FAILURE:
601
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
605
return;
606
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
612
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
614
type, domain,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
619
break;
620
621
case AVAHI_BROWSER_REMOVE:
622
break;
623
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
626
break;
696
627
}
697
break;
698
}
699
628
}
700
629
701
/* Combines file name and path and returns the malloced new
702
string. some sane checks could/should be added */
703
static const char *combinepath(const char *first, const char *second){
704
size_t f_len = strlen(first);
705
size_t s_len = strlen(second);
706
char *tmp = malloc(f_len + s_len + 2);
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
632
char *tmp;
633
tmp = malloc(strlen(first) + strlen(second) + 2);
707
634
if (tmp == NULL){
635
perror("malloc");
708
636
return NULL;
709
637
}
710
if(f_len > 0){
711
memcpy(tmp, first, f_len); /* Spurious warning */
712
}
713
tmp[f_len] = '/';
714
if(s_len > 0){
715
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
716
}
717
tmp[f_len + 1 + s_len] = '\0';
638
strcpy(tmp, first);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
640
strcat(tmp, "/");
641
}
642
strcat(tmp, second);
718
643
return tmp;
719
644
}
720
645
721
646
722
int main(int argc, char *argv[]){
647
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
648
AvahiServerConfig config;
723
649
AvahiSServiceBrowser *sb = NULL;
724
650
int error;
725
651
int ret;
726
int exitcode = EXIT_SUCCESS;
727
const char *interface = "eth0";
728
struct ifreq network;
729
int sd;
730
uid_t uid;
731
gid_t gid;
652
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
732
655
char *connect_to = NULL;
733
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
734
mandos_context mc = { .simple_poll = NULL, .server = NULL,
735
.dh_bits = 1024, .priority = "SECURE256"};
736
737
{
738
/* Temporary int to get the address of for getopt_long */
739
int debug_int = debug ? 1 : 0;
740
while (true){
741
struct option long_options[] = {
742
{"debug", no_argument, &debug_int, 1},
743
{"connect", required_argument, NULL, 'c'},
744
{"interface", required_argument, NULL, 'i'},
745
{"keydir", required_argument, NULL, 'd'},
746
{"seckey", required_argument, NULL, 's'},
747
{"pubkey", required_argument, NULL, 'p'},
748
{"dh-bits", required_argument, NULL, 'D'},
749
{"priority", required_argument, NULL, 'P'},
750
{0, 0, 0, 0} };
751
752
int option_index = 0;
753
ret = getopt_long (argc, argv, "i:", long_options,
754
&option_index);
755
756
if (ret == -1){
757
break;
758
}
759
760
switch(ret){
761
case 0:
762
break;
763
case 'i':
764
interface = optarg;
765
break;
766
case 'c':
767
connect_to = optarg;
768
break;
769
case 'd':
770
keydir = optarg;
771
break;
772
case 'p':
773
pubkeyfile = optarg;
774
break;
775
case 's':
776
seckeyfile = optarg;
777
break;
778
case 'D':
779
errno = 0;
780
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
781
if (errno){
782
perror("strtol");
783
exit(EXIT_FAILURE);
784
}
785
break;
786
case 'P':
787
mc.priority = optarg;
788
break;
789
case '?':
790
default:
791
/* getopt_long() has already printed a message about the
792
unrcognized option, so just exit. */
793
exit(EXIT_FAILURE);
794
}
795
}
796
/* Set the global debug flag from the temporary int */
797
debug = debug_int ? true : false;
798
}
799
800
pubkeyfile = combinepath(keydir, pubkeyfile);
801
if (pubkeyfile == NULL){
802
perror("combinepath");
803
exitcode = EXIT_FAILURE;
804
goto end;
805
}
806
807
seckeyfile = combinepath(keydir, seckeyfile);
808
if (seckeyfile == NULL){
809
perror("combinepath");
810
goto end;
811
}
812
813
ret = init_gnutls_global(&mc);
814
if (ret == -1){
815
fprintf(stderr, "init_gnutls_global\n");
816
goto end;
817
}
818
819
uid = getuid();
820
gid = getgid();
821
822
ret = setuid(uid);
823
if (ret == -1){
824
perror("setuid");
825
}
826
827
setgid(gid);
828
if (ret == -1){
829
perror("setgid");
830
}
831
832
if_index = (AvahiIfIndex) if_nametoindex(interface);
833
if(if_index == 0){
834
fprintf(stderr, "No such interface: \"%s\"\n", interface);
835
exit(EXIT_FAILURE);
656
657
while (true){
658
static struct option long_options[] = {
659
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
665
{0, 0, 0, 0} };
666
667
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
669
&option_index);
670
671
if (ret == -1){
672
break;
673
}
674
675
switch(ret){
676
case 0:
677
break;
678
case 'i':
679
interface = optarg;
680
break;
681
case 'C':
682
connect_to = optarg;
683
break;
684
case 'd':
685
certdir = optarg;
686
break;
687
case 'c':
688
certfile = optarg;
689
break;
690
case 'k':
691
certkey = optarg;
692
break;
693
default:
694
exit(EXIT_FAILURE);
695
}
696
}
697
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
700
goto exit;
701
}
702
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
705
if(if_index == 0){
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
707
exit(EXIT_FAILURE);
708
}
836
709
}
837
710
838
711
if(connect_to != NULL){
841
714
char *address = strrchr(connect_to, ':');
842
715
if(address == NULL){
843
716
fprintf(stderr, "No colon in address\n");
844
exitcode = EXIT_FAILURE;
845
goto end;
717
exit(EXIT_FAILURE);
846
718
}
847
719
errno = 0;
848
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
849
721
if(errno){
850
722
perror("Bad port number");
851
exitcode = EXIT_FAILURE;
852
goto end;
723
exit(EXIT_FAILURE);
853
724
}
854
725
*address = '\0';
855
726
address = connect_to;
856
ret = start_mandos_communication(address, port, if_index, &mc);
727
ret = start_mandos_communication(address, port, if_index);
857
728
if(ret < 0){
858
exitcode = EXIT_FAILURE;
729
exit(EXIT_FAILURE);
859
730
} else {
860
exitcode = EXIT_SUCCESS;
731
exit(EXIT_SUCCESS);
861
732
}
862
goto end;
863
733
}
864
734
865
/* If the interface is down, bring it up */
866
{
867
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
868
if(sd < 0) {
869
perror("socket");
870
exitcode = EXIT_FAILURE;
871
goto end;
872
}
873
strcpy(network.ifr_name, interface); /* Spurious warning */
874
ret = ioctl(sd, SIOCGIFFLAGS, &network);
875
if(ret == -1){
876
perror("ioctl SIOCGIFFLAGS");
877
exitcode = EXIT_FAILURE;
878
goto end;
879
}
880
if((network.ifr_flags & IFF_UP) == 0){
881
network.ifr_flags |= IFF_UP;
882
ret = ioctl(sd, SIOCSIFFLAGS, &network);
883
if(ret == -1){
884
perror("ioctl SIOCSIFFLAGS");
885
exitcode = EXIT_FAILURE;
886
goto end;
887
}
888
}
889
close(sd);
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
737
goto exit;
890
738
}
891
739
892
740
if (not debug){
893
741
avahi_set_log_function(empty_log);
894
742
}
895
743
896
/* Initialize the pseudo-RNG for Avahi */
744
/* Initialize the psuedo-RNG */
897
745
srand((unsigned int) time(NULL));
898
899
/* Allocate main Avahi loop object */
900
mc.simple_poll = avahi_simple_poll_new();
901
if (mc.simple_poll == NULL) {
902
fprintf(stderr, "Avahi: Failed to create simple poll"
903
" object.\n");
904
exitcode = EXIT_FAILURE;
905
goto end;
906
}
907
908
{
909
AvahiServerConfig config;
910
/* Do not publish any local Zeroconf records */
911
avahi_server_config_init(&config);
912
config.publish_hinfo = 0;
913
config.publish_addresses = 0;
914
config.publish_workstation = 0;
915
config.publish_domain = 0;
916
917
/* Allocate a new server */
918
mc.server = avahi_server_new(avahi_simple_poll_get
919
(mc.simple_poll), &config, NULL,
920
NULL, &error);
921
922
/* Free the Avahi configuration data */
923
avahi_server_config_free(&config);
924
}
925
926
/* Check if creating the Avahi server object succeeded */
927
if (mc.server == NULL) {
928
fprintf(stderr, "Failed to create Avahi server: %s\n",
746
747
/* Allocate main loop object */
748
if (!(simple_poll = avahi_simple_poll_new())) {
749
fprintf(stderr, "Failed to create simple poll object.\n");
750
751
goto exit;
752
}
753
754
/* Do not publish any local records */
755
avahi_server_config_init(&config);
756
config.publish_hinfo = 0;
757
config.publish_addresses = 0;
758
config.publish_workstation = 0;
759
config.publish_domain = 0;
760
761
/* Allocate a new server */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
764
765
/* Free the configuration data */
766
avahi_server_config_free(&config);
767
768
/* Check if creating the server object succeeded */
769
if (!server) {
770
fprintf(stderr, "Failed to create server: %s\n",
929
771
avahi_strerror(error));
930
exitcode = EXIT_FAILURE;
931
goto end;
772
returncode = EXIT_FAILURE;
773
goto exit;
932
774
}
933
775
934
/* Create the Avahi service browser */
935
sb = avahi_s_service_browser_new(mc.server, if_index,
776
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
936
778
AVAHI_PROTO_INET6,
937
779
"_mandos._tcp", NULL, 0,
938
browse_callback, &mc);
939
if (sb == NULL) {
780
browse_callback, server);
781
if (!sb) {
940
782
fprintf(stderr, "Failed to create service browser: %s\n",
941
avahi_strerror(avahi_server_errno(mc.server)));
942
exitcode = EXIT_FAILURE;
943
goto end;
783
avahi_strerror(avahi_server_errno(server)));
784
returncode = EXIT_FAILURE;
785
goto exit;
944
786
}
945
787
946
788
/* Run the main loop */
947
789
948
790
if (debug){
949
fprintf(stderr, "Starting Avahi loop search\n");
791
fprintf(stderr, "Starting avahi loop search\n");
950
792
}
951
793
952
avahi_simple_poll_loop(mc.simple_poll);
794
avahi_simple_poll_loop(simple_poll);
953
795
954
end:
796
exit:
955
797
956
798
if (debug){
957
799
fprintf(stderr, "%s exiting\n", argv[0]);
958
800
}
959
801
960
802
/* Cleanup things */
961
if (sb != NULL)
803
if (sb)
962
804
avahi_s_service_browser_free(sb);
963
805
964
if (mc.server != NULL)
965
avahi_server_free(mc.server);
806
if (server)
807
avahi_server_free(server);
966
808
967
if (mc.simple_poll != NULL)
968
avahi_simple_poll_free(mc.simple_poll);
969
free(pubkeyfile);
970
free(seckeyfile);
809
if (simple_poll)
810
avahi_simple_poll_free(simple_poll);
811
free(certfile);
812
free(certkey);
971
813
972
return exitcode;
814
return returncode;
973
815
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0