To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 355
- compare with another revision
- download diff
- download tarball
- view history from revision 355
- Committer: Teddy Hogeborn
- Date: 2009-08-30 03:10:29 UTC
- Revision ID: teddy@fukt.bsnet.se-20090830031029-cj8po3rc4g1cux1d
* mandos: White-space fixes only.
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- mandos-clients.conf => clients.conf
- server.py => mandos
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
30
*/
31
31
32
#define _FORTIFY_SOURCE 2
33
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
34
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
35
37
#define _FILE_OFFSET_BITS 64
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
43
94
#include <avahi-core/core.h>
44
95
#include <avahi-core/lookup.h>
45
96
#include <avahi-core/log.h>
47
98
#include <avahi-common/malloc.h>
48
99
#include <avahi-common/error.h>
49
100
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
70
71
#ifndef CERT_ROOT
72
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
73
#endif
74
#define CERTFILE CERT_ROOT "openpgp-client.txt"
75
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
117
76
118
#define BUFFER_SIZE 256
77
#define DH_BITS 1024
119
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
78
123
79
124
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
80
128
129
/* Used for passing in values through the Avahi callback functions */
81
130
typedef struct {
82
gnutls_session_t session;
131
AvahiSimplePoll *simple_poll;
132
AvahiServer *server;
83
133
gnutls_certificate_credentials_t cred;
134
unsigned int dh_bits;
84
135
gnutls_dh_params_t dh_params;
85
} encrypted_session;
86
87
88
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet, const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
136
const char *priority;
91
137
gpgme_ctx_t ctx;
138
} mandos_context;
139
140
/* global context so signal handler can reach it*/
141
mandos_context mc = { .simple_poll = NULL, .server = NULL,
142
.dh_bits = 1024, .priority = "SECURE256"
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
145
/*
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
* bytes. "buffer_capacity" is how much is currently allocated,
148
* "buffer_length" is how much is already used.
149
*/
150
size_t incbuffer(char **buffer, size_t buffer_length,
151
size_t buffer_capacity){
152
if(buffer_length + BUFFER_SIZE > buffer_capacity){
153
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
154
if(buffer == NULL){
155
return 0;
156
}
157
buffer_capacity += BUFFER_SIZE;
158
}
159
return buffer_capacity;
160
}
161
162
/*
163
* Initialize GPGME.
164
*/
165
static bool init_gpgme(const char *seckey,
166
const char *pubkey, const char *tempdir){
167
int ret;
92
168
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
96
169
gpgme_engine_info_t engine_info;
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
170
171
172
/*
173
* Helper function to insert pub and seckey to the engine keyring.
174
*/
175
bool import_key(const char *filename){
176
int fd;
177
gpgme_data_t pgp_data;
178
179
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
180
if(fd == -1){
181
perror("open");
182
return false;
183
}
184
185
rc = gpgme_data_new_from_fd(&pgp_data, fd);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
rc = gpgme_op_import(mc.ctx, pgp_data);
193
if(rc != GPG_ERR_NO_ERROR){
194
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
return false;
197
}
198
199
ret = (int)TEMP_FAILURE_RETRY(close(fd));
200
if(ret == -1){
201
perror("close");
202
}
203
gpgme_data_release(pgp_data);
204
return true;
205
}
206
207
if(debug){
208
fprintf(stderr, "Initializing GPGME\n");
100
209
}
101
210
102
211
/* Init GPGME */
103
212
gpgme_check_version(NULL);
104
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
213
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
214
if(rc != GPG_ERR_NO_ERROR){
215
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
216
gpgme_strsource(rc), gpgme_strerror(rc));
217
return false;
218
}
105
219
106
/* Set GPGME home directory */
107
rc = gpgme_get_engine_info (&engine_info);
108
if (rc != GPG_ERR_NO_ERROR){
220
/* Set GPGME home directory for the OpenPGP engine only */
221
rc = gpgme_get_engine_info(&engine_info);
222
if(rc != GPG_ERR_NO_ERROR){
109
223
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
110
224
gpgme_strsource(rc), gpgme_strerror(rc));
111
return -1;
225
return false;
112
226
}
113
227
while(engine_info != NULL){
114
228
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
115
229
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
116
engine_info->file_name, homedir);
230
engine_info->file_name, tempdir);
117
231
break;
118
232
}
119
233
engine_info = engine_info->next;
120
234
}
121
235
if(engine_info == NULL){
122
fprintf(stderr, "Could not set home dir to %s\n", homedir);
123
return -1;
124
}
125
126
/* Create new GPGME data buffer from packet buffer */
127
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
128
if (rc != GPG_ERR_NO_ERROR){
236
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
237
return false;
238
}
239
240
/* Create new GPGME "context" */
241
rc = gpgme_new(&(mc.ctx));
242
if(rc != GPG_ERR_NO_ERROR){
243
fprintf(stderr, "bad gpgme_new: %s: %s\n",
244
gpgme_strsource(rc), gpgme_strerror(rc));
245
return false;
246
}
247
248
if(not import_key(pubkey) or not import_key(seckey)){
249
return false;
250
}
251
252
return true;
253
}
254
255
/*
256
* Decrypt OpenPGP data.
257
* Returns -1 on error
258
*/
259
static ssize_t pgp_packet_decrypt(const char *cryptotext,
260
size_t crypto_size,
261
char **plaintext){
262
gpgme_data_t dh_crypto, dh_plain;
263
gpgme_error_t rc;
264
ssize_t ret;
265
size_t plaintext_capacity = 0;
266
ssize_t plaintext_length = 0;
267
268
if(debug){
269
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
270
}
271
272
/* Create new GPGME data buffer from memory cryptotext */
273
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
274
0);
275
if(rc != GPG_ERR_NO_ERROR){
129
276
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
130
277
gpgme_strsource(rc), gpgme_strerror(rc));
131
278
return -1;
133
280
134
281
/* Create new empty GPGME data buffer for the plaintext */
135
282
rc = gpgme_data_new(&dh_plain);
136
if (rc != GPG_ERR_NO_ERROR){
283
if(rc != GPG_ERR_NO_ERROR){
137
284
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
138
285
gpgme_strsource(rc), gpgme_strerror(rc));
139
return -1;
140
}
141
142
/* Create new GPGME "context" */
143
rc = gpgme_new(&ctx);
144
if (rc != GPG_ERR_NO_ERROR){
145
fprintf(stderr, "bad gpgme_new: %s: %s\n",
146
gpgme_strsource(rc), gpgme_strerror(rc));
147
return -1;
148
}
149
150
/* Decrypt data from the FILE pointer to the plaintext data
151
buffer */
152
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
153
if (rc != GPG_ERR_NO_ERROR){
286
gpgme_data_release(dh_crypto);
287
return -1;
288
}
289
290
/* Decrypt data from the cryptotext data buffer to the plaintext
291
data buffer */
292
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
293
if(rc != GPG_ERR_NO_ERROR){
154
294
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
155
295
gpgme_strsource(rc), gpgme_strerror(rc));
156
return -1;
157
}
158
159
if(debug){
160
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
161
}
162
163
if (debug){
164
gpgme_decrypt_result_t result;
165
result = gpgme_op_decrypt_result(ctx);
166
if (result == NULL){
167
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
168
} else {
169
fprintf(stderr, "Unsupported algorithm: %s\n",
170
result->unsupported_algorithm);
171
fprintf(stderr, "Wrong key usage: %d\n",
172
result->wrong_key_usage);
173
if(result->file_name != NULL){
174
fprintf(stderr, "File name: %s\n", result->file_name);
175
}
176
gpgme_recipient_t recipient;
177
recipient = result->recipients;
178
if(recipient){
296
plaintext_length = -1;
297
if(debug){
298
gpgme_decrypt_result_t result;
299
result = gpgme_op_decrypt_result(mc.ctx);
300
if(result == NULL){
301
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
302
} else {
303
fprintf(stderr, "Unsupported algorithm: %s\n",
304
result->unsupported_algorithm);
305
fprintf(stderr, "Wrong key usage: %u\n",
306
result->wrong_key_usage);
307
if(result->file_name != NULL){
308
fprintf(stderr, "File name: %s\n", result->file_name);
309
}
310
gpgme_recipient_t recipient;
311
recipient = result->recipients;
179
312
while(recipient != NULL){
180
313
fprintf(stderr, "Public key algorithm: %s\n",
181
314
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
320
}
188
321
}
189
322
}
323
goto decrypt_end;
190
324
}
191
325
192
/* Delete the GPGME FILE pointer cryptotext data buffer */
193
gpgme_data_release(dh_crypto);
326
if(debug){
327
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
328
}
194
329
195
330
/* Seek back to the beginning of the GPGME plaintext data buffer */
196
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
197
198
*new_packet = 0;
331
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
332
perror("gpgme_data_seek");
333
plaintext_length = -1;
334
goto decrypt_end;
335
}
336
337
*plaintext = NULL;
199
338
while(true){
200
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
201
*new_packet = realloc(*new_packet,
202
(unsigned int)new_packet_capacity
203
+ BUFFER_SIZE);
204
if (*new_packet == NULL){
205
perror("realloc");
206
return -1;
207
}
208
new_packet_capacity += BUFFER_SIZE;
339
plaintext_capacity = incbuffer(plaintext,
340
(size_t)plaintext_length,
341
plaintext_capacity);
342
if(plaintext_capacity == 0){
343
perror("incbuffer");
344
plaintext_length = -1;
345
goto decrypt_end;
209
346
}
210
347
211
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
348
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
212
349
BUFFER_SIZE);
213
350
/* Print the data, if any */
214
if (ret == 0){
351
if(ret == 0){
352
/* EOF */
215
353
break;
216
354
}
217
355
if(ret < 0){
218
356
perror("gpgme_data_read");
219
return -1;
220
}
221
new_packet_length += ret;
222
}
223
224
/* FIXME: check characters before printing to screen so to not print
225
terminal control characters */
226
/* if(debug){ */
227
/* fprintf(stderr, "decrypted password is: "); */
228
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
229
/* fprintf(stderr, "\n"); */
230
/* } */
357
plaintext_length = -1;
358
goto decrypt_end;
359
}
360
plaintext_length += ret;
361
}
362
363
if(debug){
364
fprintf(stderr, "Decrypted password is: ");
365
for(ssize_t i = 0; i < plaintext_length; i++){
366
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
367
}
368
fprintf(stderr, "\n");
369
}
370
371
decrypt_end:
372
373
/* Delete the GPGME cryptotext data buffer */
374
gpgme_data_release(dh_crypto);
231
375
232
376
/* Delete the GPGME plaintext data buffer */
233
377
gpgme_data_release(dh_plain);
234
return new_packet_length;
378
return plaintext_length;
235
379
}
236
380
237
static const char * safer_gnutls_strerror (int value) {
238
const char *ret = gnutls_strerror (value);
239
if (ret == NULL)
381
static const char * safer_gnutls_strerror(int value){
382
const char *ret = gnutls_strerror(value); /* Spurious warning from
383
-Wunreachable-code */
384
if(ret == NULL)
240
385
ret = "(unknown)";
241
386
return ret;
242
387
}
243
388
244
void debuggnutls(__attribute__((unused)) int level,
245
const char* string){
246
fprintf(stderr, "%s", string);
389
/* GnuTLS log function callback */
390
static void debuggnutls(__attribute__((unused)) int level,
391
const char* string){
392
fprintf(stderr, "GnuTLS: %s", string);
247
393
}
248
394
249
int initgnutls(encrypted_session *es){
250
const char *err;
395
static int init_gnutls_global(const char *pubkeyfilename,
396
const char *seckeyfilename){
251
397
int ret;
252
398
253
399
if(debug){
254
400
fprintf(stderr, "Initializing GnuTLS\n");
255
401
}
256
402
257
if ((ret = gnutls_global_init ())
258
!= GNUTLS_E_SUCCESS) {
259
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
403
ret = gnutls_global_init();
404
if(ret != GNUTLS_E_SUCCESS){
405
fprintf(stderr, "GnuTLS global_init: %s\n",
406
safer_gnutls_strerror(ret));
260
407
return -1;
261
408
}
262
263
if (debug){
409
410
if(debug){
411
/* "Use a log level over 10 to enable all debugging options."
412
* - GnuTLS manual
413
*/
264
414
gnutls_global_set_log_level(11);
265
415
gnutls_global_set_log_function(debuggnutls);
266
416
}
267
417
268
/* openpgp credentials */
269
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
270
!= GNUTLS_E_SUCCESS) {
271
fprintf (stderr, "memory error: %s\n",
272
safer_gnutls_strerror(ret));
418
/* OpenPGP credentials */
419
gnutls_certificate_allocate_credentials(&mc.cred);
420
if(ret != GNUTLS_E_SUCCESS){
421
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
422
from
423
-Wunreachable-code
424
*/
425
safer_gnutls_strerror(ret));
426
gnutls_global_deinit();
273
427
return -1;
274
428
}
275
429
276
430
if(debug){
277
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
278
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
279
KEYFILE);
431
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
432
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
433
seckeyfilename);
280
434
}
281
435
282
436
ret = gnutls_certificate_set_openpgp_key_file
283
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
284
if (ret != GNUTLS_E_SUCCESS) {
285
fprintf
286
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
287
" '%s')\n",
288
ret, CERTFILE, KEYFILE);
289
fprintf(stdout, "The Error is: %s\n",
290
safer_gnutls_strerror(ret));
291
return -1;
292
}
293
294
//GnuTLS server initialization
295
if ((ret = gnutls_dh_params_init (&es->dh_params))
296
!= GNUTLS_E_SUCCESS) {
297
fprintf (stderr, "Error in dh parameter initialization: %s\n",
298
safer_gnutls_strerror(ret));
299
return -1;
300
}
301
302
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in prime generation: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
310
311
// GnuTLS session creation
312
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
313
!= GNUTLS_E_SUCCESS){
437
(mc.cred, pubkeyfilename, seckeyfilename,
438
GNUTLS_OPENPGP_FMT_BASE64);
439
if(ret != GNUTLS_E_SUCCESS){
440
fprintf(stderr,
441
"Error[%d] while reading the OpenPGP key pair ('%s',"
442
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
443
fprintf(stderr, "The GnuTLS error is: %s\n",
444
safer_gnutls_strerror(ret));
445
goto globalfail;
446
}
447
448
/* GnuTLS server initialization */
449
ret = gnutls_dh_params_init(&mc.dh_params);
450
if(ret != GNUTLS_E_SUCCESS){
451
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
452
" %s\n", safer_gnutls_strerror(ret));
453
goto globalfail;
454
}
455
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
456
if(ret != GNUTLS_E_SUCCESS){
457
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
458
safer_gnutls_strerror(ret));
459
goto globalfail;
460
}
461
462
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
463
464
return 0;
465
466
globalfail:
467
468
gnutls_certificate_free_credentials(mc.cred);
469
gnutls_global_deinit();
470
gnutls_dh_params_deinit(mc.dh_params);
471
return -1;
472
}
473
474
static int init_gnutls_session(gnutls_session_t *session){
475
int ret;
476
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
478
if(ret != GNUTLS_E_SUCCESS){
314
479
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
315
480
safer_gnutls_strerror(ret));
316
481
}
317
482
318
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
319
!= GNUTLS_E_SUCCESS) {
320
fprintf(stderr, "Syntax error at: %s\n", err);
321
fprintf(stderr, "GnuTLS error: %s\n",
322
safer_gnutls_strerror(ret));
323
return -1;
483
{
484
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
486
if(ret != GNUTLS_E_SUCCESS){
487
fprintf(stderr, "Syntax error at: %s\n", err);
488
fprintf(stderr, "GnuTLS error: %s\n",
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
491
return -1;
492
}
324
493
}
325
494
326
if ((ret = gnutls_credentials_set
327
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
328
!= GNUTLS_E_SUCCESS) {
329
fprintf(stderr, "Error setting a credentials set: %s\n",
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
497
if(ret != GNUTLS_E_SUCCESS){
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
499
safer_gnutls_strerror(ret));
500
gnutls_deinit(*session);
331
501
return -1;
332
502
}
333
503
334
504
/* ignore client certificate if any. */
335
gnutls_certificate_server_set_request (es->session,
336
GNUTLS_CERT_IGNORE);
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
337
507
338
gnutls_dh_set_prime_bits (es->session, DH_BITS);
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
339
509
340
510
return 0;
341
511
}
342
512
343
void empty_log(__attribute__((unused)) AvahiLogLevel level,
344
__attribute__((unused)) const char *txt){}
345
346
int start_mandos_communication(const char *ip, uint16_t port,
347
unsigned int if_index){
513
/* Avahi log function callback */
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
__attribute__((unused)) const char *txt){}
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
520
/* Called when a Mandos server is found */
521
static int start_mandos_communication(const char *ip, uint16_t port,
522
AvahiIfIndex if_index,
523
int af){
348
524
int ret, tcp_sd;
349
struct sockaddr_in6 to;
350
encrypted_session es;
525
ssize_t sret;
526
union {
527
struct sockaddr_in in;
528
struct sockaddr_in6 in6;
529
} to;
351
530
char *buffer = NULL;
352
531
char *decrypted_buffer;
353
532
size_t buffer_length = 0;
354
533
size_t buffer_capacity = 0;
355
534
ssize_t decrypted_buffer_size;
356
size_t written = 0;
535
size_t written;
357
536
int retval = 0;
358
char interface[IF_NAMESIZE];
537
gnutls_session_t session;
538
int pf; /* Protocol family */
539
540
switch(af){
541
case AF_INET6:
542
pf = PF_INET6;
543
break;
544
case AF_INET:
545
pf = PF_INET;
546
break;
547
default:
548
fprintf(stderr, "Bad address family: %d\n", af);
549
return -1;
550
}
551
552
ret = init_gnutls_session(&session);
553
if(ret != 0){
554
return -1;
555
}
359
556
360
557
if(debug){
361
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
558
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
559
"\n", ip, port);
362
560
}
363
561
364
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
365
if(tcp_sd < 0) {
562
tcp_sd = socket(pf, SOCK_STREAM, 0);
563
if(tcp_sd < 0){
366
564
perror("socket");
367
565
return -1;
368
566
}
369
567
370
if(if_indextoname(if_index, interface) == NULL){
371
if(debug){
372
perror("if_indextoname");
373
}
374
return -1;
375
}
376
377
if(debug){
378
fprintf(stderr, "Binding to interface %s\n", interface);
379
}
380
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
384
if (ret < 0 ){
568
memset(&to, 0, sizeof(to));
569
if(af == AF_INET6){
570
to.in6.sin6_family = (sa_family_t)af;
571
ret = inet_pton(af, ip, &to.in6.sin6_addr);
572
} else { /* IPv4 */
573
to.in.sin_family = (sa_family_t)af;
574
ret = inet_pton(af, ip, &to.in.sin_addr);
575
}
576
if(ret < 0 ){
385
577
perror("inet_pton");
386
578
return -1;
387
}
579
}
388
580
if(ret == 0){
389
581
fprintf(stderr, "Bad address: %s\n", ip);
390
582
return -1;
391
583
}
392
to.sin6_port = htons(port); /* Spurious warning */
393
394
to.sin6_scope_id = (uint32_t)if_index;
584
if(af == AF_INET6){
585
to.in6.sin6_port = htons(port); /* Spurious warnings from
586
-Wconversion and
587
-Wunreachable-code */
588
589
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
590
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
591
-Wunreachable-code*/
592
if(if_index == AVAHI_IF_UNSPEC){
593
fprintf(stderr, "An IPv6 link-local address is incomplete"
594
" without a network interface\n");
595
return -1;
596
}
597
/* Set the network interface number as scope */
598
to.in6.sin6_scope_id = (uint32_t)if_index;
599
}
600
} else {
601
to.in.sin_port = htons(port); /* Spurious warnings from
602
-Wconversion and
603
-Wunreachable-code */
604
}
395
605
396
606
if(debug){
397
fprintf(stderr, "Connection to: %s\n", ip);
607
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
608
char interface[IF_NAMESIZE];
609
if(if_indextoname((unsigned int)if_index, interface) == NULL){
610
perror("if_indextoname");
611
} else {
612
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
613
ip, interface, port);
614
}
615
} else {
616
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
617
port);
618
}
619
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
620
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
621
const char *pcret;
622
if(af == AF_INET6){
623
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
624
sizeof(addrstr));
625
} else {
626
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
627
sizeof(addrstr));
628
}
629
if(pcret == NULL){
630
perror("inet_ntop");
631
} else {
632
if(strcmp(addrstr, ip) != 0){
633
fprintf(stderr, "Canonical address form: %s\n", addrstr);
634
}
635
}
398
636
}
399
637
400
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
401
if (ret < 0){
638
if(af == AF_INET6){
639
ret = connect(tcp_sd, &to.in6, sizeof(to));
640
} else {
641
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
642
}
643
if(ret < 0){
402
644
perror("connect");
403
645
return -1;
404
646
}
405
647
406
ret = initgnutls (&es);
407
if (ret != 0){
408
retval = -1;
409
return -1;
648
const char *out = mandos_protocol_version;
649
written = 0;
650
while(true){
651
size_t out_size = strlen(out);
652
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
653
out_size - written));
654
if(ret == -1){
655
perror("write");
656
retval = -1;
657
goto mandos_end;
658
}
659
written += (size_t)ret;
660
if(written < out_size){
661
continue;
662
} else {
663
if(out == mandos_protocol_version){
664
written = 0;
665
out = "\r\n";
666
} else {
667
break;
668
}
669
}
410
670
}
411
671
412
gnutls_transport_set_ptr (es.session,
413
(gnutls_transport_ptr_t) tcp_sd);
414
415
672
if(debug){
416
673
fprintf(stderr, "Establishing TLS session with %s\n", ip);
417
674
}
418
675
419
ret = gnutls_handshake (es.session);
420
421
if (ret != GNUTLS_E_SUCCESS){
676
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
677
678
do{
679
ret = gnutls_handshake(session);
680
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
681
682
if(ret != GNUTLS_E_SUCCESS){
422
683
if(debug){
423
fprintf(stderr, "\n*** Handshake failed ***\n");
424
gnutls_perror (ret);
684
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
685
gnutls_perror(ret);
425
686
}
426
687
retval = -1;
427
goto exit;
688
goto mandos_end;
428
689
}
429
690
430
//Retrieve OpenPGP packet that contains the wanted password
691
/* Read OpenPGP packet that contains the wanted password */
431
692
432
693
if(debug){
433
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
694
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
434
695
ip);
435
696
}
436
697
437
698
while(true){
438
if (buffer_length + BUFFER_SIZE > buffer_capacity){
439
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
440
if (buffer == NULL){
441
perror("realloc");
442
goto exit;
443
}
444
buffer_capacity += BUFFER_SIZE;
699
buffer_capacity = incbuffer(&buffer, buffer_length,
700
buffer_capacity);
701
if(buffer_capacity == 0){
702
perror("incbuffer");
703
retval = -1;
704
goto mandos_end;
445
705
}
446
706
447
ret = gnutls_record_recv
448
(es.session, buffer+buffer_length, BUFFER_SIZE);
449
if (ret == 0){
707
sret = gnutls_record_recv(session, buffer+buffer_length,
708
BUFFER_SIZE);
709
if(sret == 0){
450
710
break;
451
711
}
452
if (ret < 0){
453
switch(ret){
712
if(sret < 0){
713
switch(sret){
454
714
case GNUTLS_E_INTERRUPTED:
455
715
case GNUTLS_E_AGAIN:
456
716
break;
457
717
case GNUTLS_E_REHANDSHAKE:
458
ret = gnutls_handshake (es.session);
459
if (ret < 0){
460
fprintf(stderr, "\n*** Handshake failed ***\n");
461
gnutls_perror (ret);
718
do{
719
ret = gnutls_handshake(session);
720
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
721
if(ret < 0){
722
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
723
gnutls_perror(ret);
462
724
retval = -1;
463
goto exit;
725
goto mandos_end;
464
726
}
465
727
break;
466
728
default:
467
729
fprintf(stderr, "Unknown error while reading data from"
468
" encrypted session with mandos server\n");
730
" encrypted session with Mandos server\n");
469
731
retval = -1;
470
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
471
goto exit;
732
gnutls_bye(session, GNUTLS_SHUT_RDWR);
733
goto mandos_end;
472
734
}
473
735
} else {
474
buffer_length += (size_t) ret;
736
buffer_length += (size_t) sret;
475
737
}
476
738
}
477
739
478
if (buffer_length > 0){
740
if(debug){
741
fprintf(stderr, "Closing TLS session\n");
742
}
743
744
gnutls_bye(session, GNUTLS_SHUT_RDWR);
745
746
if(buffer_length > 0){
479
747
decrypted_buffer_size = pgp_packet_decrypt(buffer,
480
748
buffer_length,
481
&decrypted_buffer,
482
CERT_ROOT);
483
if (decrypted_buffer_size >= 0){
484
while(written < decrypted_buffer_size){
485
ret = (int)fwrite (decrypted_buffer + written, 1,
486
(size_t)decrypted_buffer_size - written,
487
stdout);
749
&decrypted_buffer);
750
if(decrypted_buffer_size >= 0){
751
written = 0;
752
while(written < (size_t) decrypted_buffer_size){
753
ret = (int)fwrite(decrypted_buffer + written, 1,
754
(size_t)decrypted_buffer_size - written,
755
stdout);
488
756
if(ret == 0 and ferror(stdout)){
489
757
if(debug){
490
758
fprintf(stderr, "Error writing encrypted data: %s\n",
499
767
} else {
500
768
retval = -1;
501
769
}
502
}
503
504
//shutdown procedure
505
506
if(debug){
507
fprintf(stderr, "Closing TLS session\n");
508
}
509
770
} else {
771
retval = -1;
772
}
773
774
/* Shutdown procedure */
775
776
mandos_end:
510
777
free(buffer);
511
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
512
exit:
513
close(tcp_sd);
514
gnutls_deinit (es.session);
515
gnutls_certificate_free_credentials (es.cred);
516
gnutls_global_deinit ();
778
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
779
if(ret == -1){
780
perror("close");
781
}
782
gnutls_deinit(session);
517
783
return retval;
518
784
}
519
785
520
static AvahiSimplePoll *simple_poll = NULL;
521
static AvahiServer *server = NULL;
522
523
static void resolve_callback(
524
AvahiSServiceResolver *r,
525
AvahiIfIndex interface,
526
AVAHI_GCC_UNUSED AvahiProtocol protocol,
527
AvahiResolverEvent event,
528
const char *name,
529
const char *type,
530
const char *domain,
531
const char *host_name,
532
const AvahiAddress *address,
533
uint16_t port,
534
AVAHI_GCC_UNUSED AvahiStringList *txt,
535
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
536
AVAHI_GCC_UNUSED void* userdata) {
537
538
assert(r); /* Spurious warning */
786
static void resolve_callback(AvahiSServiceResolver *r,
787
AvahiIfIndex interface,
788
AvahiProtocol proto,
789
AvahiResolverEvent event,
790
const char *name,
791
const char *type,
792
const char *domain,
793
const char *host_name,
794
const AvahiAddress *address,
795
uint16_t port,
796
AVAHI_GCC_UNUSED AvahiStringList *txt,
797
AVAHI_GCC_UNUSED AvahiLookupResultFlags
798
flags,
799
AVAHI_GCC_UNUSED void* userdata){
800
assert(r);
539
801
540
802
/* Called whenever a service has been resolved successfully or
541
803
timed out */
542
804
543
switch (event) {
805
if(quit_now){
806
return;
807
}
808
809
switch(event){
544
810
default:
545
811
case AVAHI_RESOLVER_FAILURE:
546
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
547
" type '%s' in domain '%s': %s\n", name, type, domain,
548
avahi_strerror(avahi_server_errno(server)));
812
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
813
" of type '%s' in domain '%s': %s\n", name, type, domain,
814
avahi_strerror(avahi_server_errno(mc.server)));
549
815
break;
550
816
551
817
case AVAHI_RESOLVER_FOUND:
553
819
char ip[AVAHI_ADDRESS_STR_MAX];
554
820
avahi_address_snprint(ip, sizeof(ip), address);
555
821
if(debug){
556
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
557
" port %d\n", name, host_name, ip, port);
822
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
823
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
824
ip, (intmax_t)interface, port);
558
825
}
559
int ret = start_mandos_communication(ip, port,
560
(unsigned int) interface);
561
if (ret == 0){
562
exit(EXIT_SUCCESS);
826
int ret = start_mandos_communication(ip, port, interface,
827
avahi_proto_to_af(proto));
828
if(ret == 0){
829
avahi_simple_poll_quit(mc.simple_poll);
563
830
}
564
831
}
565
832
}
566
833
avahi_s_service_resolver_free(r);
567
834
}
568
835
569
static void browse_callback(
570
AvahiSServiceBrowser *b,
571
AvahiIfIndex interface,
572
AvahiProtocol protocol,
573
AvahiBrowserEvent event,
574
const char *name,
575
const char *type,
576
const char *domain,
577
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
578
void* userdata) {
579
580
AvahiServer *s = userdata;
581
assert(b); /* Spurious warning */
582
583
/* Called whenever a new services becomes available on the LAN or
584
is removed from the LAN */
585
586
switch (event) {
587
default:
588
case AVAHI_BROWSER_FAILURE:
589
590
fprintf(stderr, "(Browser) %s\n",
591
avahi_strerror(avahi_server_errno(server)));
592
avahi_simple_poll_quit(simple_poll);
593
return;
594
595
case AVAHI_BROWSER_NEW:
596
/* We ignore the returned resolver object. In the callback
597
function we free it. If the server is terminated before
598
the callback function is called the server will free
599
the resolver for us. */
600
601
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
602
type, domain,
603
AVAHI_PROTO_INET6, 0,
604
resolve_callback, s)))
605
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
606
avahi_strerror(avahi_server_errno(s)));
607
break;
608
609
case AVAHI_BROWSER_REMOVE:
610
break;
611
612
case AVAHI_BROWSER_ALL_FOR_NOW:
613
case AVAHI_BROWSER_CACHE_EXHAUSTED:
614
break;
615
}
616
}
617
618
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
836
static void browse_callback(AvahiSServiceBrowser *b,
837
AvahiIfIndex interface,
838
AvahiProtocol protocol,
839
AvahiBrowserEvent event,
840
const char *name,
841
const char *type,
842
const char *domain,
843
AVAHI_GCC_UNUSED AvahiLookupResultFlags
844
flags,
845
AVAHI_GCC_UNUSED void* userdata){
846
assert(b);
847
848
/* Called whenever a new services becomes available on the LAN or
849
is removed from the LAN */
850
851
switch(event){
852
default:
853
case AVAHI_BROWSER_FAILURE:
854
855
fprintf(stderr, "(Avahi browser) %s\n",
856
avahi_strerror(avahi_server_errno(mc.server)));
857
avahi_simple_poll_quit(mc.simple_poll);
858
return;
859
860
case AVAHI_BROWSER_NEW:
861
/* We ignore the returned Avahi resolver object. In the callback
862
function we free it. If the Avahi server is terminated before
863
the callback function is called the Avahi server will free the
864
resolver for us. */
865
866
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
867
name, type, domain, protocol, 0,
868
resolve_callback, NULL) == NULL)
869
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
870
name, avahi_strerror(avahi_server_errno(mc.server)));
871
break;
872
873
case AVAHI_BROWSER_REMOVE:
874
break;
875
876
case AVAHI_BROWSER_ALL_FOR_NOW:
877
case AVAHI_BROWSER_CACHE_EXHAUSTED:
878
if(debug){
879
fprintf(stderr, "No Mandos server found, still searching...\n");
880
}
881
break;
882
}
883
}
884
885
/* stop main loop after sigterm has been called */
886
static void handle_sigterm(int sig){
887
if(quit_now){
888
return;
889
}
890
quit_now = 1;
891
signal_received = sig;
892
int old_errno = errno;
893
if(mc.simple_poll != NULL){
894
avahi_simple_poll_quit(mc.simple_poll);
895
}
896
errno = old_errno;
897
}
898
899
int main(int argc, char *argv[]){
900
AvahiSServiceBrowser *sb = NULL;
901
int error;
902
int ret;
903
intmax_t tmpmax;
904
char *tmp;
905
int exitcode = EXIT_SUCCESS;
906
const char *interface = "eth0";
907
struct ifreq network;
908
int sd = -1;
909
bool take_down_interface = false;
910
uid_t uid;
911
gid_t gid;
912
char *connect_to = NULL;
913
char tempdir[] = "/tmp/mandosXXXXXX";
914
bool tempdir_created = false;
915
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
916
const char *seckey = PATHDIR "/" SECKEY;
917
const char *pubkey = PATHDIR "/" PUBKEY;
918
919
bool gnutls_initialized = false;
920
bool gpgme_initialized = false;
921
float delay = 2.5f;
922
923
struct sigaction old_sigterm_action;
924
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
925
926
{
927
struct argp_option options[] = {
928
{ .name = "debug", .key = 128,
929
.doc = "Debug mode", .group = 3 },
930
{ .name = "connect", .key = 'c',
931
.arg = "ADDRESS:PORT",
932
.doc = "Connect directly to a specific Mandos server",
933
.group = 1 },
934
{ .name = "interface", .key = 'i',
935
.arg = "NAME",
936
.doc = "Network interface that will be used to search for"
937
" Mandos servers",
938
.group = 1 },
939
{ .name = "seckey", .key = 's',
940
.arg = "FILE",
941
.doc = "OpenPGP secret key file base name",
942
.group = 1 },
943
{ .name = "pubkey", .key = 'p',
944
.arg = "FILE",
945
.doc = "OpenPGP public key file base name",
946
.group = 2 },
947
{ .name = "dh-bits", .key = 129,
948
.arg = "BITS",
949
.doc = "Bit length of the prime number used in the"
950
" Diffie-Hellman key exchange",
951
.group = 2 },
952
{ .name = "priority", .key = 130,
953
.arg = "STRING",
954
.doc = "GnuTLS priority string for the TLS handshake",
955
.group = 1 },
956
{ .name = "delay", .key = 131,
957
.arg = "SECONDS",
958
.doc = "Maximum delay to wait for interface startup",
959
.group = 2 },
960
{ .name = NULL }
961
};
962
963
error_t parse_opt(int key, char *arg,
964
struct argp_state *state){
965
switch(key){
966
case 128: /* --debug */
967
debug = true;
968
break;
969
case 'c': /* --connect */
970
connect_to = arg;
971
break;
972
case 'i': /* --interface */
973
interface = arg;
974
break;
975
case 's': /* --seckey */
976
seckey = arg;
977
break;
978
case 'p': /* --pubkey */
979
pubkey = arg;
980
break;
981
case 129: /* --dh-bits */
982
errno = 0;
983
tmpmax = strtoimax(arg, &tmp, 10);
984
if(errno != 0 or tmp == arg or *tmp != '\0'
985
or tmpmax != (typeof(mc.dh_bits))tmpmax){
986
fprintf(stderr, "Bad number of DH bits\n");
987
exit(EXIT_FAILURE);
988
}
989
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
990
break;
991
case 130: /* --priority */
992
mc.priority = arg;
993
break;
994
case 131: /* --delay */
995
errno = 0;
996
delay = strtof(arg, &tmp);
997
if(errno != 0 or tmp == arg or *tmp != '\0'){
998
fprintf(stderr, "Bad delay\n");
999
exit(EXIT_FAILURE);
1000
}
1001
break;
1002
case ARGP_KEY_ARG:
1003
argp_usage(state);
1004
case ARGP_KEY_END:
1005
break;
1006
default:
1007
return ARGP_ERR_UNKNOWN;
1008
}
1009
return 0;
1010
}
1011
1012
struct argp argp = { .options = options, .parser = parse_opt,
1013
.args_doc = "",
1014
.doc = "Mandos client -- Get and decrypt"
1015
" passwords from a Mandos server" };
1016
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1017
if(ret == ARGP_ERR_UNKNOWN){
1018
fprintf(stderr, "Unknown error while parsing arguments\n");
1019
exitcode = EXIT_FAILURE;
1020
goto end;
1021
}
1022
}
1023
1024
if(not debug){
1025
avahi_set_log_function(empty_log);
1026
}
1027
1028
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1029
from the signal handler */
1030
/* Initialize the pseudo-RNG for Avahi */
1031
srand((unsigned int) time(NULL));
1032
mc.simple_poll = avahi_simple_poll_new();
1033
if(mc.simple_poll == NULL){
1034
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1035
exitcode = EXIT_FAILURE;
1036
goto end;
1037
}
1038
1039
sigemptyset(&sigterm_action.sa_mask);
1040
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1041
if(ret == -1){
1042
perror("sigaddset");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1047
if(ret == -1){
1048
perror("sigaddset");
1049
exitcode = EXIT_FAILURE;
1050
goto end;
1051
}
1052
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1053
if(ret == -1){
1054
perror("sigaddset");
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
ret = sigaction(SIGINT, &sigterm_action, &old_sigterm_action);
1059
if(ret == -1){
1060
perror("sigaction");
1061
exitcode = EXIT_FAILURE;
1062
goto end;
1063
}
1064
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1065
if(ret == -1){
1066
perror("sigaction");
1067
exitcode = EXIT_FAILURE;
1068
goto end;
1069
}
1070
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1071
if(ret == -1){
1072
perror("sigaction");
1073
exitcode = EXIT_FAILURE;
1074
goto end;
1075
}
1076
1077
/* If the interface is down, bring it up */
1078
if(interface[0] != '\0'){
1079
if_index = (AvahiIfIndex) if_nametoindex(interface);
1080
if(if_index == 0){
1081
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1082
exitcode = EXIT_FAILURE;
1083
goto end;
1084
}
1085
1086
if(quit_now){
1087
goto end;
1088
}
1089
1090
#ifdef __linux__
1091
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1092
messages to mess up the prompt */
1093
ret = klogctl(8, NULL, 5);
1094
bool restore_loglevel = true;
1095
if(ret == -1){
1096
restore_loglevel = false;
1097
perror("klogctl");
1098
}
1099
#endif /* __linux__ */
1100
1101
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1102
if(sd < 0){
1103
perror("socket");
1104
exitcode = EXIT_FAILURE;
1105
#ifdef __linux__
1106
if(restore_loglevel){
1107
ret = klogctl(7, NULL, 0);
1108
if(ret == -1){
1109
perror("klogctl");
1110
}
1111
}
1112
#endif /* __linux__ */
1113
goto end;
1114
}
1115
strcpy(network.ifr_name, interface);
1116
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1117
if(ret == -1){
1118
perror("ioctl SIOCGIFFLAGS");
1119
#ifdef __linux__
1120
if(restore_loglevel){
1121
ret = klogctl(7, NULL, 0);
1122
if(ret == -1){
1123
perror("klogctl");
1124
}
1125
}
1126
#endif /* __linux__ */
1127
exitcode = EXIT_FAILURE;
1128
goto end;
1129
}
1130
if((network.ifr_flags & IFF_UP) == 0){
1131
network.ifr_flags |= IFF_UP;
1132
take_down_interface = true;
1133
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1134
if(ret == -1){
1135
take_down_interface = false;
1136
perror("ioctl SIOCSIFFLAGS");
1137
exitcode = EXIT_FAILURE;
1138
#ifdef __linux__
1139
if(restore_loglevel){
1140
ret = klogctl(7, NULL, 0);
1141
if(ret == -1){
1142
perror("klogctl");
1143
}
1144
}
1145
#endif /* __linux__ */
1146
goto end;
1147
}
1148
}
1149
/* sleep checking until interface is running */
1150
for(int i=0; i < delay * 4; i++){
1151
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1152
if(ret == -1){
1153
perror("ioctl SIOCGIFFLAGS");
1154
} else if(network.ifr_flags & IFF_RUNNING){
1155
break;
1156
}
1157
struct timespec sleeptime = { .tv_nsec = 250000000 };
1158
ret = nanosleep(&sleeptime, NULL);
1159
if(ret == -1 and errno != EINTR){
1160
perror("nanosleep");
1161
}
1162
}
1163
if(not take_down_interface){
1164
/* We won't need the socket anymore */
1165
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1166
if(ret == -1){
1167
perror("close");
1168
}
1169
}
1170
#ifdef __linux__
1171
if(restore_loglevel){
1172
/* Restores kernel loglevel to default */
1173
ret = klogctl(7, NULL, 0);
1174
if(ret == -1){
1175
perror("klogctl");
1176
}
1177
}
1178
#endif /* __linux__ */
1179
}
1180
1181
if(quit_now){
1182
goto end;
1183
}
1184
1185
uid = getuid();
1186
gid = getgid();
1187
1188
errno = 0;
1189
setgid(gid);
1190
if(ret == -1){
1191
perror("setgid");
1192
}
1193
1194
ret = setuid(uid);
1195
if(ret == -1){
1196
perror("setuid");
1197
}
1198
1199
if(quit_now){
1200
goto end;
1201
}
1202
1203
ret = init_gnutls_global(pubkey, seckey);
1204
if(ret == -1){
1205
fprintf(stderr, "init_gnutls_global failed\n");
1206
exitcode = EXIT_FAILURE;
1207
goto end;
1208
} else {
1209
gnutls_initialized = true;
1210
}
1211
1212
if(quit_now){
1213
goto end;
1214
}
1215
1216
tempdir_created = true;
1217
if(mkdtemp(tempdir) == NULL){
1218
tempdir_created = false;
1219
perror("mkdtemp");
1220
goto end;
1221
}
1222
1223
if(quit_now){
1224
goto end;
1225
}
1226
1227
if(not init_gpgme(pubkey, seckey, tempdir)){
1228
fprintf(stderr, "init_gpgme failed\n");
1229
exitcode = EXIT_FAILURE;
1230
goto end;
1231
} else {
1232
gpgme_initialized = true;
1233
}
1234
1235
if(quit_now){
1236
goto end;
1237
}
1238
1239
if(connect_to != NULL){
1240
/* Connect directly, do not use Zeroconf */
1241
/* (Mainly meant for debugging) */
1242
char *address = strrchr(connect_to, ':');
1243
if(address == NULL){
1244
fprintf(stderr, "No colon in address\n");
1245
exitcode = EXIT_FAILURE;
1246
goto end;
1247
}
1248
1249
if(quit_now){
1250
goto end;
1251
}
1252
1253
uint16_t port;
1254
errno = 0;
1255
tmpmax = strtoimax(address+1, &tmp, 10);
1256
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1257
or tmpmax != (uint16_t)tmpmax){
1258
fprintf(stderr, "Bad port number\n");
1259
exitcode = EXIT_FAILURE;
1260
goto end;
1261
}
1262
1263
if(quit_now){
1264
goto end;
1265
}
1266
1267
port = (uint16_t)tmpmax;
1268
*address = '\0';
1269
address = connect_to;
1270
/* Colon in address indicates IPv6 */
1271
int af;
1272
if(strchr(address, ':') != NULL){
1273
af = AF_INET6;
1274
} else {
1275
af = AF_INET;
1276
}
1277
1278
if(quit_now){
1279
goto end;
1280
}
1281
1282
ret = start_mandos_communication(address, port, if_index, af);
1283
if(ret < 0){
1284
exitcode = EXIT_FAILURE;
1285
} else {
1286
exitcode = EXIT_SUCCESS;
1287
}
1288
goto end;
1289
}
1290
1291
if(quit_now){
1292
goto end;
1293
}
1294
1295
{
619
1296
AvahiServerConfig config;
620
AvahiSServiceBrowser *sb = NULL;
621
int error;
622
int ret;
623
int returncode = EXIT_SUCCESS;
624
const char *interface = "eth0";
625
626
while (true){
627
static struct option long_options[] = {
628
{"debug", no_argument, (int *)&debug, 1},
629
{"interface", required_argument, 0, 'i'},
630
{0, 0, 0, 0} };
631
632
int option_index = 0;
633
ret = getopt_long (argc, argv, "i:", long_options,
634
&option_index);
635
636
if (ret == -1){
637
break;
638
}
639
640
switch(ret){
641
case 0:
642
break;
643
case 'i':
644
interface = optarg;
645
break;
646
default:
647
exit(EXIT_FAILURE);
648
}
649
}
650
651
if (not debug){
652
avahi_set_log_function(empty_log);
653
}
654
655
/* Initialize the psuedo-RNG */
656
srand((unsigned int) time(NULL));
657
658
/* Allocate main loop object */
659
if (!(simple_poll = avahi_simple_poll_new())) {
660
fprintf(stderr, "Failed to create simple poll object.\n");
661
662
goto exit;
663
}
664
665
/* Do not publish any local records */
1297
/* Do not publish any local Zeroconf records */
666
1298
avahi_server_config_init(&config);
667
1299
config.publish_hinfo = 0;
668
1300
config.publish_addresses = 0;
669
1301
config.publish_workstation = 0;
670
1302
config.publish_domain = 0;
671
1303
672
1304
/* Allocate a new server */
673
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
674
&config, NULL, NULL, &error);
675
676
/* Free the configuration data */
1305
mc.server = avahi_server_new(avahi_simple_poll_get
1306
(mc.simple_poll), &config, NULL,
1307
NULL, &error);
1308
1309
/* Free the Avahi configuration data */
677
1310
avahi_server_config_free(&config);
678
679
/* Check if creating the server object succeeded */
680
if (!server) {
681
fprintf(stderr, "Failed to create server: %s\n",
682
avahi_strerror(error));
683
returncode = EXIT_FAILURE;
684
goto exit;
685
}
686
687
/* Create the service browser */
688
sb = avahi_s_service_browser_new(server,
689
(AvahiIfIndex)
690
if_nametoindex(interface),
691
AVAHI_PROTO_INET6,
692
"_mandos._tcp", NULL, 0,
693
browse_callback, server);
694
if (!sb) {
695
fprintf(stderr, "Failed to create service browser: %s\n",
696
avahi_strerror(avahi_server_errno(server)));
697
returncode = EXIT_FAILURE;
698
goto exit;
699
}
700
701
/* Run the main loop */
702
703
if (debug){
704
fprintf(stderr, "Starting avahi loop search\n");
705
}
706
707
avahi_simple_poll_loop(simple_poll);
708
709
exit:
710
711
if (debug){
712
fprintf(stderr, "%s exiting\n", argv[0]);
713
}
714
715
/* Cleanup things */
716
if (sb)
717
avahi_s_service_browser_free(sb);
718
719
if (server)
720
avahi_server_free(server);
721
722
if (simple_poll)
723
avahi_simple_poll_free(simple_poll);
724
725
return returncode;
1311
}
1312
1313
/* Check if creating the Avahi server object succeeded */
1314
if(mc.server == NULL){
1315
fprintf(stderr, "Failed to create Avahi server: %s\n",
1316
avahi_strerror(error));
1317
exitcode = EXIT_FAILURE;
1318
goto end;
1319
}
1320
1321
if(quit_now){
1322
goto end;
1323
}
1324
1325
/* Create the Avahi service browser */
1326
sb = avahi_s_service_browser_new(mc.server, if_index,
1327
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1328
NULL, 0, browse_callback, NULL);
1329
if(sb == NULL){
1330
fprintf(stderr, "Failed to create service browser: %s\n",
1331
avahi_strerror(avahi_server_errno(mc.server)));
1332
exitcode = EXIT_FAILURE;
1333
goto end;
1334
}
1335
1336
if(quit_now){
1337
goto end;
1338
}
1339
1340
/* Run the main loop */
1341
1342
if(debug){
1343
fprintf(stderr, "Starting Avahi loop search\n");
1344
}
1345
1346
avahi_simple_poll_loop(mc.simple_poll);
1347
1348
end:
1349
1350
if(debug){
1351
fprintf(stderr, "%s exiting\n", argv[0]);
1352
}
1353
1354
/* Cleanup things */
1355
if(sb != NULL)
1356
avahi_s_service_browser_free(sb);
1357
1358
if(mc.server != NULL)
1359
avahi_server_free(mc.server);
1360
1361
if(mc.simple_poll != NULL)
1362
avahi_simple_poll_free(mc.simple_poll);
1363
1364
if(gnutls_initialized){
1365
gnutls_certificate_free_credentials(mc.cred);
1366
gnutls_global_deinit();
1367
gnutls_dh_params_deinit(mc.dh_params);
1368
}
1369
1370
if(gpgme_initialized){
1371
gpgme_release(mc.ctx);
1372
}
1373
1374
/* Take down the network interface */
1375
if(take_down_interface){
1376
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1377
if(ret == -1){
1378
perror("ioctl SIOCGIFFLAGS");
1379
} else if(network.ifr_flags & IFF_UP) {
1380
network.ifr_flags &= ~IFF_UP; /* clear flag */
1381
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1382
if(ret == -1){
1383
perror("ioctl SIOCSIFFLAGS");
1384
}
1385
}
1386
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1387
if(ret == -1){
1388
perror("close");
1389
}
1390
}
1391
1392
/* Removes the temp directory used by GPGME */
1393
if(tempdir_created){
1394
DIR *d;
1395
struct dirent *direntry;
1396
d = opendir(tempdir);
1397
if(d == NULL){
1398
if(errno != ENOENT){
1399
perror("opendir");
1400
}
1401
} else {
1402
while(true){
1403
direntry = readdir(d);
1404
if(direntry == NULL){
1405
break;
1406
}
1407
/* Skip "." and ".." */
1408
if(direntry->d_name[0] == '.'
1409
and (direntry->d_name[1] == '\0'
1410
or (direntry->d_name[1] == '.'
1411
and direntry->d_name[2] == '\0'))){
1412
continue;
1413
}
1414
char *fullname = NULL;
1415
ret = asprintf(&fullname, "%s/%s", tempdir,
1416
direntry->d_name);
1417
if(ret < 0){
1418
perror("asprintf");
1419
continue;
1420
}
1421
ret = remove(fullname);
1422
if(ret == -1){
1423
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1424
strerror(errno));
1425
}
1426
free(fullname);
1427
}
1428
closedir(d);
1429
}
1430
ret = rmdir(tempdir);
1431
if(ret == -1 and errno != ENOENT){
1432
perror("rmdir");
1433
}
1434
}
1435
1436
if(quit_now){
1437
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1438
if(ret == -1){
1439
perror("sigaction");
1440
}
1441
raise(signal_received);
1442
}
1443
1444
return exitcode;
726
1445
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0