To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 38
- compare with another revision
- download diff
- download tarball
- view history from revision 38
- Committer: Teddy Hogeborn
- Date: 2008-08-03 01:09:36 UTC
- mfrom: (24.1.9 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080803010936-ujme8tgxceszfbi1
* plugbasedclient.c (main): New "--userid" and "--groupid" options.
Take an additional non-option argument and
parse it as a plus-separated and -prefixed
list of additional options.
* plugins.d/mandosclient.c (DH_BITS): Replaced with
"mandos_context.dh_bits". All
users changed.
(certdir): Renamed to "keydir". All users changed.
(certfile): Renamed to "pubkeyfile". All users changed.
(certkey): Renamed to "seckeyfile". All users changed.
(encrypted_session): Replaced with "mandos_context". All users
changed.
(initgnutls): Take additional "session" and "dh_params" arguments.
All callers changed.
(start_mandos_communication): Take additional "mc" argument. All
callers changed. Print target IPv6
address if different than supplied
string.
(simple_poll) Replaced with "mandos_context.simple_poll". All users
changed.
(server): Replaced with "mandos_context.server". All users changed.
(main): Default interface to "eth0". Rename "--certdir" to
"--keydir", "--certkey" to "--seckey", and "--certfile" to
"--pubkey". New options "--dh-bits" and "--priority". If
the interface is not up, bring it up.
Take an additional non-option argument and
parse it as a plus-separated and -prefixed
list of additional options.
* plugins.d/mandosclient.c (DH_BITS): Replaced with
"mandos_context.dh_bits". All
users changed.
(certdir): Renamed to "keydir". All users changed.
(certfile): Renamed to "pubkeyfile". All users changed.
(certkey): Renamed to "seckeyfile". All users changed.
(encrypted_session): Replaced with "mandos_context". All users
changed.
(initgnutls): Take additional "session" and "dh_params" arguments.
All callers changed.
(start_mandos_communication): Take additional "mc" argument. All
callers changed. Print target IPv6
address if different than supplied
string.
(simple_poll) Replaced with "mandos_context.simple_poll". All users
changed.
(server): Replaced with "mandos_context.server". All users changed.
(main): Default interface to "eth0". Rename "--certdir" to
"--keydir", "--certkey" to "--seckey", and "--certfile" to
"--pubkey". New options "--dh-bits" and "--priority". If
the interface is not up, bring it up.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
94
43
#include <avahi-core/core.h>
95
44
#include <avahi-core/lookup.h>
96
45
#include <avahi-core/log.h>
98
47
#include <avahi-common/malloc.h>
99
48
#include <avahi-common/error.h>
100
49
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt_long
69
#include <getopt.h>
117
70
118
71
#define BUFFER_SIZE 256
119
72
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
123
76
124
77
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
128
static const char sys_class_net[] = "/sys/class/net";
129
char *connect_to = NULL;
130
78
131
/* Used for passing in values through the Avahi callback functions */
79
/* Used for passing in values through all the callback functions */
132
80
typedef struct {
133
81
AvahiSimplePoll *simple_poll;
134
82
AvahiServer *server;
135
83
gnutls_certificate_credentials_t cred;
136
84
unsigned int dh_bits;
137
gnutls_dh_params_t dh_params;
138
85
const char *priority;
86
} mandos_context;
87
88
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet,
90
const char *homedir){
91
gpgme_data_t dh_crypto, dh_plain;
139
92
gpgme_ctx_t ctx;
140
} mandos_context;
141
142
/* global context so signal handler can reach it*/
143
mandos_context mc = { .simple_poll = NULL, .server = NULL,
144
.dh_bits = 1024, .priority = "SECURE256"
145
":!CTYPE-X.509:+CTYPE-OPENPGP" };
146
147
sig_atomic_t quit_now = 0;
148
int signal_received = 0;
149
150
/*
151
* Make additional room in "buffer" for at least BUFFER_SIZE more
152
* bytes. "buffer_capacity" is how much is currently allocated,
153
* "buffer_length" is how much is already used.
154
*/
155
size_t incbuffer(char **buffer, size_t buffer_length,
156
size_t buffer_capacity){
157
if(buffer_length + BUFFER_SIZE > buffer_capacity){
158
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
159
if(buffer == NULL){
160
return 0;
161
}
162
buffer_capacity += BUFFER_SIZE;
163
}
164
return buffer_capacity;
165
}
166
167
/*
168
* Initialize GPGME.
169
*/
170
static bool init_gpgme(const char *seckey,
171
const char *pubkey, const char *tempdir){
172
93
gpgme_error_t rc;
94
ssize_t ret;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
173
97
gpgme_engine_info_t engine_info;
174
175
176
/*
177
* Helper function to insert pub and seckey to the engine keyring.
178
*/
179
bool import_key(const char *filename){
180
int ret;
181
int fd;
182
gpgme_data_t pgp_data;
183
184
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
185
if(fd == -1){
186
perror("open");
187
return false;
188
}
189
190
rc = gpgme_data_new_from_fd(&pgp_data, fd);
191
if(rc != GPG_ERR_NO_ERROR){
192
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
193
gpgme_strsource(rc), gpgme_strerror(rc));
194
return false;
195
}
196
197
rc = gpgme_op_import(mc.ctx, pgp_data);
198
if(rc != GPG_ERR_NO_ERROR){
199
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
200
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
202
}
203
204
ret = (int)TEMP_FAILURE_RETRY(close(fd));
205
if(ret == -1){
206
perror("close");
207
}
208
gpgme_data_release(pgp_data);
209
return true;
210
}
211
212
if(debug){
213
fprintf(stderr, "Initializing GPGME\n");
98
99
if (debug){
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
214
101
}
215
102
216
103
/* Init GPGME */
217
104
gpgme_check_version(NULL);
218
105
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
219
if(rc != GPG_ERR_NO_ERROR){
106
if (rc != GPG_ERR_NO_ERROR){
220
107
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
221
108
gpgme_strsource(rc), gpgme_strerror(rc));
222
return false;
109
return -1;
223
110
}
224
111
225
/* Set GPGME home directory for the OpenPGP engine only */
226
rc = gpgme_get_engine_info(&engine_info);
227
if(rc != GPG_ERR_NO_ERROR){
112
/* Set GPGME home directory */
113
rc = gpgme_get_engine_info (&engine_info);
114
if (rc != GPG_ERR_NO_ERROR){
228
115
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
229
116
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
117
return -1;
231
118
}
232
119
while(engine_info != NULL){
233
120
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
234
121
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
235
engine_info->file_name, tempdir);
122
engine_info->file_name, homedir);
236
123
break;
237
124
}
238
125
engine_info = engine_info->next;
239
126
}
240
127
if(engine_info == NULL){
241
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
242
return false;
243
}
244
245
/* Create new GPGME "context" */
246
rc = gpgme_new(&(mc.ctx));
247
if(rc != GPG_ERR_NO_ERROR){
248
fprintf(stderr, "bad gpgme_new: %s: %s\n",
249
gpgme_strsource(rc), gpgme_strerror(rc));
250
return false;
251
}
252
253
if(not import_key(pubkey) or not import_key(seckey)){
254
return false;
255
}
256
257
return true;
258
}
259
260
/*
261
* Decrypt OpenPGP data.
262
* Returns -1 on error
263
*/
264
static ssize_t pgp_packet_decrypt(const char *cryptotext,
265
size_t crypto_size,
266
char **plaintext){
267
gpgme_data_t dh_crypto, dh_plain;
268
gpgme_error_t rc;
269
ssize_t ret;
270
size_t plaintext_capacity = 0;
271
ssize_t plaintext_length = 0;
272
273
if(debug){
274
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
275
}
276
277
/* Create new GPGME data buffer from memory cryptotext */
278
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
279
0);
280
if(rc != GPG_ERR_NO_ERROR){
128
fprintf(stderr, "Could not set home dir to %s\n", homedir);
129
return -1;
130
}
131
132
/* Create new GPGME data buffer from packet buffer */
133
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
134
if (rc != GPG_ERR_NO_ERROR){
281
135
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
282
136
gpgme_strsource(rc), gpgme_strerror(rc));
283
137
return -1;
285
139
286
140
/* Create new empty GPGME data buffer for the plaintext */
287
141
rc = gpgme_data_new(&dh_plain);
288
if(rc != GPG_ERR_NO_ERROR){
142
if (rc != GPG_ERR_NO_ERROR){
289
143
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
290
144
gpgme_strsource(rc), gpgme_strerror(rc));
291
gpgme_data_release(dh_crypto);
292
return -1;
293
}
294
295
/* Decrypt data from the cryptotext data buffer to the plaintext
296
data buffer */
297
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
298
if(rc != GPG_ERR_NO_ERROR){
145
return -1;
146
}
147
148
/* Create new GPGME "context" */
149
rc = gpgme_new(&ctx);
150
if (rc != GPG_ERR_NO_ERROR){
151
fprintf(stderr, "bad gpgme_new: %s: %s\n",
152
gpgme_strsource(rc), gpgme_strerror(rc));
153
return -1;
154
}
155
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
158
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
159
if (rc != GPG_ERR_NO_ERROR){
299
160
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
300
161
gpgme_strsource(rc), gpgme_strerror(rc));
301
plaintext_length = -1;
302
if(debug){
303
gpgme_decrypt_result_t result;
304
result = gpgme_op_decrypt_result(mc.ctx);
305
if(result == NULL){
306
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
307
} else {
308
fprintf(stderr, "Unsupported algorithm: %s\n",
309
result->unsupported_algorithm);
310
fprintf(stderr, "Wrong key usage: %u\n",
311
result->wrong_key_usage);
312
if(result->file_name != NULL){
313
fprintf(stderr, "File name: %s\n", result->file_name);
314
}
315
gpgme_recipient_t recipient;
316
recipient = result->recipients;
162
return -1;
163
}
164
165
if(debug){
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
167
}
168
169
if (debug){
170
gpgme_decrypt_result_t result;
171
result = gpgme_op_decrypt_result(ctx);
172
if (result == NULL){
173
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
174
} else {
175
fprintf(stderr, "Unsupported algorithm: %s\n",
176
result->unsupported_algorithm);
177
fprintf(stderr, "Wrong key usage: %d\n",
178
result->wrong_key_usage);
179
if(result->file_name != NULL){
180
fprintf(stderr, "File name: %s\n", result->file_name);
181
}
182
gpgme_recipient_t recipient;
183
recipient = result->recipients;
184
if(recipient){
317
185
while(recipient != NULL){
318
186
fprintf(stderr, "Public key algorithm: %s\n",
319
187
gpgme_pubkey_algo_name(recipient->pubkey_algo));
325
193
}
326
194
}
327
195
}
328
goto decrypt_end;
329
196
}
330
197
331
if(debug){
332
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
333
}
198
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
gpgme_data_release(dh_crypto);
334
200
335
201
/* Seek back to the beginning of the GPGME plaintext data buffer */
336
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
337
perror("gpgme_data_seek");
338
plaintext_length = -1;
339
goto decrypt_end;
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
203
perror("pgpme_data_seek");
340
204
}
341
205
342
*plaintext = NULL;
206
*new_packet = 0;
343
207
while(true){
344
plaintext_capacity = incbuffer(plaintext,
345
(size_t)plaintext_length,
346
plaintext_capacity);
347
if(plaintext_capacity == 0){
348
perror("incbuffer");
349
plaintext_length = -1;
350
goto decrypt_end;
208
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
212
if (*new_packet == NULL){
213
perror("realloc");
214
return -1;
215
}
216
new_packet_capacity += BUFFER_SIZE;
351
217
}
352
218
353
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
354
220
BUFFER_SIZE);
355
221
/* Print the data, if any */
356
if(ret == 0){
357
/* EOF */
222
if (ret == 0){
358
223
break;
359
224
}
360
225
if(ret < 0){
361
226
perror("gpgme_data_read");
362
plaintext_length = -1;
363
goto decrypt_end;
364
}
365
plaintext_length += ret;
366
}
367
368
if(debug){
369
fprintf(stderr, "Decrypted password is: ");
370
for(ssize_t i = 0; i < plaintext_length; i++){
371
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
372
}
373
fprintf(stderr, "\n");
374
}
375
376
decrypt_end:
377
378
/* Delete the GPGME cryptotext data buffer */
379
gpgme_data_release(dh_crypto);
227
return -1;
228
}
229
new_packet_length += ret;
230
}
231
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
380
239
381
240
/* Delete the GPGME plaintext data buffer */
382
241
gpgme_data_release(dh_plain);
383
return plaintext_length;
242
return new_packet_length;
384
243
}
385
244
386
static const char * safer_gnutls_strerror(int value){
387
const char *ret = gnutls_strerror(value); /* Spurious warning from
388
-Wunreachable-code */
389
if(ret == NULL)
245
static const char * safer_gnutls_strerror (int value) {
246
const char *ret = gnutls_strerror (value);
247
if (ret == NULL)
390
248
ret = "(unknown)";
391
249
return ret;
392
250
}
393
251
394
/* GnuTLS log function callback */
395
252
static void debuggnutls(__attribute__((unused)) int level,
396
253
const char* string){
397
fprintf(stderr, "GnuTLS: %s", string);
254
fprintf(stderr, "%s", string);
398
255
}
399
256
400
static int init_gnutls_global(const char *pubkeyfilename,
401
const char *seckeyfilename){
257
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
258
gnutls_dh_params_t *dh_params){
259
const char *err;
402
260
int ret;
403
261
404
262
if(debug){
405
263
fprintf(stderr, "Initializing GnuTLS\n");
406
264
}
407
408
ret = gnutls_global_init();
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS global_init: %s\n",
411
safer_gnutls_strerror(ret));
265
266
if ((ret = gnutls_global_init ())
267
!= GNUTLS_E_SUCCESS) {
268
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
412
269
return -1;
413
270
}
414
271
415
if(debug){
416
/* "Use a log level over 10 to enable all debugging options."
417
* - GnuTLS manual
418
*/
272
if (debug){
419
273
gnutls_global_set_log_level(11);
420
274
gnutls_global_set_log_function(debuggnutls);
421
275
}
422
276
423
/* OpenPGP credentials */
424
gnutls_certificate_allocate_credentials(&mc.cred);
425
if(ret != GNUTLS_E_SUCCESS){
426
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
427
from
428
-Wunreachable-code
429
*/
430
safer_gnutls_strerror(ret));
431
gnutls_global_deinit();
277
/* openpgp credentials */
278
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
279
!= GNUTLS_E_SUCCESS) {
280
fprintf (stderr, "memory error: %s\n",
281
safer_gnutls_strerror(ret));
432
282
return -1;
433
283
}
434
284
435
285
if(debug){
436
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
437
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
438
seckeyfilename);
286
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
287
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
288
seckeyfile);
439
289
}
440
290
441
291
ret = gnutls_certificate_set_openpgp_key_file
442
(mc.cred, pubkeyfilename, seckeyfilename,
443
GNUTLS_OPENPGP_FMT_BASE64);
444
if(ret != GNUTLS_E_SUCCESS){
445
fprintf(stderr,
446
"Error[%d] while reading the OpenPGP key pair ('%s',"
447
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
448
fprintf(stderr, "The GnuTLS error is: %s\n",
449
safer_gnutls_strerror(ret));
450
goto globalfail;
451
}
452
453
/* GnuTLS server initialization */
454
ret = gnutls_dh_params_init(&mc.dh_params);
455
if(ret != GNUTLS_E_SUCCESS){
456
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
457
" %s\n", safer_gnutls_strerror(ret));
458
goto globalfail;
459
}
460
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
461
if(ret != GNUTLS_E_SUCCESS){
462
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
463
safer_gnutls_strerror(ret));
464
goto globalfail;
465
}
466
467
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
468
469
return 0;
470
471
globalfail:
472
473
gnutls_certificate_free_credentials(mc.cred);
474
gnutls_global_deinit();
475
gnutls_dh_params_deinit(mc.dh_params);
476
return -1;
477
}
478
479
static int init_gnutls_session(gnutls_session_t *session){
480
int ret;
481
/* GnuTLS session creation */
482
do {
483
ret = gnutls_init(session, GNUTLS_SERVER);
484
if(quit_now){
485
return -1;
486
}
487
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
488
if(ret != GNUTLS_E_SUCCESS){
292
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
293
if (ret != GNUTLS_E_SUCCESS) {
294
fprintf
295
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
296
" '%s')\n",
297
ret, pubkeyfile, seckeyfile);
298
fprintf(stdout, "The Error is: %s\n",
299
safer_gnutls_strerror(ret));
300
return -1;
301
}
302
303
//GnuTLS server initialization
304
if ((ret = gnutls_dh_params_init(dh_params))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in dh parameter initialization: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
312
!= GNUTLS_E_SUCCESS) {
313
fprintf (stderr, "Error in prime generation: %s\n",
314
safer_gnutls_strerror(ret));
315
return -1;
316
}
317
318
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
319
320
// GnuTLS session creation
321
if ((ret = gnutls_init(session, GNUTLS_SERVER))
322
!= GNUTLS_E_SUCCESS){
489
323
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
490
324
safer_gnutls_strerror(ret));
491
325
}
492
326
493
{
494
const char *err;
495
do {
496
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
497
if(quit_now){
498
gnutls_deinit(*session);
499
return -1;
500
}
501
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
502
if(ret != GNUTLS_E_SUCCESS){
503
fprintf(stderr, "Syntax error at: %s\n", err);
504
fprintf(stderr, "GnuTLS error: %s\n",
505
safer_gnutls_strerror(ret));
506
gnutls_deinit(*session);
507
return -1;
508
}
327
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
328
!= GNUTLS_E_SUCCESS) {
329
fprintf(stderr, "Syntax error at: %s\n", err);
330
fprintf(stderr, "GnuTLS error: %s\n",
331
safer_gnutls_strerror(ret));
332
return -1;
509
333
}
510
334
511
do {
512
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
513
mc.cred);
514
if(quit_now){
515
gnutls_deinit(*session);
516
return -1;
517
}
518
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
519
if(ret != GNUTLS_E_SUCCESS){
520
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
336
mc->cred))
337
!= GNUTLS_E_SUCCESS) {
338
fprintf(stderr, "Error setting a credentials set: %s\n",
521
339
safer_gnutls_strerror(ret));
522
gnutls_deinit(*session);
523
340
return -1;
524
341
}
525
342
526
343
/* ignore client certificate if any. */
527
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
344
gnutls_certificate_server_set_request (*session,
345
GNUTLS_CERT_IGNORE);
528
346
529
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
347
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
530
348
531
349
return 0;
532
350
}
533
351
534
/* Avahi log function callback */
535
352
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
536
353
__attribute__((unused)) const char *txt){}
537
354
538
/* Called when a Mandos server is found */
539
355
static int start_mandos_communication(const char *ip, uint16_t port,
540
356
AvahiIfIndex if_index,
541
int af){
542
int ret, tcp_sd = -1;
543
ssize_t sret;
544
union {
545
struct sockaddr_in in;
546
struct sockaddr_in6 in6;
547
} to;
357
mandos_context *mc){
358
int ret, tcp_sd;
359
struct sockaddr_in6 to;
548
360
char *buffer = NULL;
549
char *decrypted_buffer = NULL;
361
char *decrypted_buffer;
550
362
size_t buffer_length = 0;
551
363
size_t buffer_capacity = 0;
552
size_t written;
553
int retval = -1;
364
ssize_t decrypted_buffer_size;
365
size_t written = 0;
366
int retval = 0;
367
char interface[IF_NAMESIZE];
554
368
gnutls_session_t session;
555
int pf; /* Protocol family */
556
557
if(quit_now){
558
return -1;
559
}
560
561
switch(af){
562
case AF_INET6:
563
pf = PF_INET6;
564
break;
565
case AF_INET:
566
pf = PF_INET;
567
break;
568
default:
569
fprintf(stderr, "Bad address family: %d\n", af);
570
return -1;
571
}
572
573
ret = init_gnutls_session(&session);
574
if(ret != 0){
575
return -1;
576
}
369
gnutls_dh_params_t dh_params;
577
370
578
371
if(debug){
579
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
580
"\n", ip, port);
372
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
373
ip, port);
581
374
}
582
375
583
tcp_sd = socket(pf, SOCK_STREAM, 0);
584
if(tcp_sd < 0){
376
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
377
if(tcp_sd < 0) {
585
378
perror("socket");
586
goto mandos_end;
587
}
588
589
if(quit_now){
590
goto mandos_end;
591
}
592
593
memset(&to, 0, sizeof(to));
594
if(af == AF_INET6){
595
to.in6.sin6_family = (sa_family_t)af;
596
ret = inet_pton(af, ip, &to.in6.sin6_addr);
597
} else { /* IPv4 */
598
to.in.sin_family = (sa_family_t)af;
599
ret = inet_pton(af, ip, &to.in.sin_addr);
600
}
601
if(ret < 0 ){
379
return -1;
380
}
381
382
if(debug){
383
if(if_indextoname((unsigned int)if_index, interface) == NULL){
384
perror("if_indextoname");
385
return -1;
386
}
387
fprintf(stderr, "Binding to interface %s\n", interface);
388
}
389
390
memset(&to,0,sizeof(to)); /* Spurious warning */
391
to.sin6_family = AF_INET6;
392
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
393
if (ret < 0 ){
602
394
perror("inet_pton");
603
goto mandos_end;
395
return -1;
604
396
}
605
397
if(ret == 0){
606
398
fprintf(stderr, "Bad address: %s\n", ip);
607
goto mandos_end;
608
}
609
if(af == AF_INET6){
610
to.in6.sin6_port = htons(port); /* Spurious warnings from
611
-Wconversion and
612
-Wunreachable-code */
613
614
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
615
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
616
-Wunreachable-code*/
617
if(if_index == AVAHI_IF_UNSPEC){
618
fprintf(stderr, "An IPv6 link-local address is incomplete"
619
" without a network interface\n");
620
goto mandos_end;
621
}
622
/* Set the network interface number as scope */
623
to.in6.sin6_scope_id = (uint32_t)if_index;
624
}
625
} else {
626
to.in.sin_port = htons(port); /* Spurious warnings from
627
-Wconversion and
628
-Wunreachable-code */
629
}
399
return -1;
400
}
401
to.sin6_port = htons(port); /* Spurious warning */
630
402
631
if(quit_now){
632
goto mandos_end;
633
}
403
to.sin6_scope_id = (uint32_t)if_index;
634
404
635
405
if(debug){
636
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
637
char interface[IF_NAMESIZE];
638
if(if_indextoname((unsigned int)if_index, interface) == NULL){
639
perror("if_indextoname");
640
} else {
641
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
642
ip, interface, port);
643
}
644
} else {
645
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
646
port);
647
}
648
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
649
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
650
const char *pcret;
651
if(af == AF_INET6){
652
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
653
sizeof(addrstr));
654
} else {
655
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
656
sizeof(addrstr));
657
}
658
if(pcret == NULL){
406
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
407
char addrstr[INET6_ADDRSTRLEN] = "";
408
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
409
sizeof(addrstr)) == NULL){
659
410
perror("inet_ntop");
660
411
} else {
661
412
if(strcmp(addrstr, ip) != 0){
664
415
}
665
416
}
666
417
667
if(quit_now){
668
goto mandos_end;
669
}
670
671
if(af == AF_INET6){
672
ret = connect(tcp_sd, &to.in6, sizeof(to));
673
} else {
674
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
675
}
676
if(ret < 0){
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
677
420
perror("connect");
678
goto mandos_end;
679
}
680
681
if(quit_now){
682
goto mandos_end;
683
}
684
685
const char *out = mandos_protocol_version;
686
written = 0;
687
while(true){
688
size_t out_size = strlen(out);
689
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
690
out_size - written));
691
if(ret == -1){
692
perror("write");
693
goto mandos_end;
694
}
695
written += (size_t)ret;
696
if(written < out_size){
697
continue;
698
} else {
699
if(out == mandos_protocol_version){
700
written = 0;
701
out = "\r\n";
702
} else {
703
break;
704
}
705
}
706
707
if(quit_now){
708
goto mandos_end;
709
}
710
}
421
return -1;
422
}
423
424
ret = initgnutls (mc, &session, &dh_params);
425
if (ret != 0){
426
retval = -1;
427
return -1;
428
}
429
430
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
711
431
712
432
if(debug){
713
433
fprintf(stderr, "Establishing TLS session with %s\n", ip);
714
434
}
715
435
716
if(quit_now){
717
goto mandos_end;
718
}
719
720
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
721
722
if(quit_now){
723
goto mandos_end;
724
}
725
726
do {
727
ret = gnutls_handshake(session);
728
if(quit_now){
729
goto mandos_end;
730
}
731
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
732
733
if(ret != GNUTLS_E_SUCCESS){
436
ret = gnutls_handshake (session);
437
438
if (ret != GNUTLS_E_SUCCESS){
734
439
if(debug){
735
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
736
gnutls_perror(ret);
440
fprintf(stderr, "\n*** Handshake failed ***\n");
441
gnutls_perror (ret);
737
442
}
738
goto mandos_end;
443
retval = -1;
444
goto exit;
739
445
}
740
446
741
/* Read OpenPGP packet that contains the wanted password */
447
//Retrieve OpenPGP packet that contains the wanted password
742
448
743
449
if(debug){
744
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
450
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
745
451
ip);
746
452
}
747
453
748
454
while(true){
749
750
if(quit_now){
751
goto mandos_end;
752
}
753
754
buffer_capacity = incbuffer(&buffer, buffer_length,
755
buffer_capacity);
756
if(buffer_capacity == 0){
757
perror("incbuffer");
758
goto mandos_end;
759
}
760
761
if(quit_now){
762
goto mandos_end;
763
}
764
765
sret = gnutls_record_recv(session, buffer+buffer_length,
766
BUFFER_SIZE);
767
if(sret == 0){
455
if (buffer_length + BUFFER_SIZE > buffer_capacity){
456
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
457
if (buffer == NULL){
458
perror("realloc");
459
goto exit;
460
}
461
buffer_capacity += BUFFER_SIZE;
462
}
463
464
ret = gnutls_record_recv(session, buffer+buffer_length,
465
BUFFER_SIZE);
466
if (ret == 0){
768
467
break;
769
468
}
770
if(sret < 0){
771
switch(sret){
469
if (ret < 0){
470
switch(ret){
772
471
case GNUTLS_E_INTERRUPTED:
773
472
case GNUTLS_E_AGAIN:
774
473
break;
775
474
case GNUTLS_E_REHANDSHAKE:
776
do {
777
ret = gnutls_handshake(session);
778
779
if(quit_now){
780
goto mandos_end;
781
}
782
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
783
if(ret < 0){
784
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
785
gnutls_perror(ret);
786
goto mandos_end;
475
ret = gnutls_handshake (session);
476
if (ret < 0){
477
fprintf(stderr, "\n*** Handshake failed ***\n");
478
gnutls_perror (ret);
479
retval = -1;
480
goto exit;
787
481
}
788
482
break;
789
483
default:
790
484
fprintf(stderr, "Unknown error while reading data from"
791
" encrypted session with Mandos server\n");
792
gnutls_bye(session, GNUTLS_SHUT_RDWR);
793
goto mandos_end;
485
" encrypted session with mandos server\n");
486
retval = -1;
487
gnutls_bye (session, GNUTLS_SHUT_RDWR);
488
goto exit;
794
489
}
795
490
} else {
796
buffer_length += (size_t) sret;
797
}
798
}
799
800
if(debug){
801
fprintf(stderr, "Closing TLS session\n");
802
}
803
804
if(quit_now){
805
goto mandos_end;
806
}
807
808
do {
809
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
810
if(quit_now){
811
goto mandos_end;
812
}
813
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
814
815
if(buffer_length > 0){
816
ssize_t decrypted_buffer_size;
491
buffer_length += (size_t) ret;
492
}
493
}
494
495
if (buffer_length > 0){
817
496
decrypted_buffer_size = pgp_packet_decrypt(buffer,
818
497
buffer_length,
819
&decrypted_buffer);
820
if(decrypted_buffer_size >= 0){
821
822
written = 0;
498
&decrypted_buffer,
499
keydir);
500
if (decrypted_buffer_size >= 0){
823
501
while(written < (size_t) decrypted_buffer_size){
824
if(quit_now){
825
goto mandos_end;
826
}
827
828
ret = (int)fwrite(decrypted_buffer + written, 1,
829
(size_t)decrypted_buffer_size - written,
830
stdout);
502
ret = (int)fwrite (decrypted_buffer + written, 1,
503
(size_t)decrypted_buffer_size - written,
504
stdout);
831
505
if(ret == 0 and ferror(stdout)){
832
506
if(debug){
833
507
fprintf(stderr, "Error writing encrypted data: %s\n",
834
508
strerror(errno));
835
509
}
836
goto mandos_end;
510
retval = -1;
511
break;
837
512
}
838
513
written += (size_t)ret;
839
514
}
840
retval = 0;
515
free(decrypted_buffer);
516
} else {
517
retval = -1;
841
518
}
842
519
}
843
844
/* Shutdown procedure */
845
846
mandos_end:
847
free(decrypted_buffer);
520
521
//shutdown procedure
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
848
527
free(buffer);
849
if(tcp_sd >= 0){
850
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
851
}
852
if(ret == -1){
853
perror("close");
854
}
855
gnutls_deinit(session);
856
if(quit_now){
857
retval = -1;
858
}
528
gnutls_bye (session, GNUTLS_SHUT_RDWR);
529
exit:
530
close(tcp_sd);
531
gnutls_deinit (session);
532
gnutls_certificate_free_credentials (mc->cred);
533
gnutls_global_deinit ();
859
534
return retval;
860
535
}
861
536
862
static void resolve_callback(AvahiSServiceResolver *r,
863
AvahiIfIndex interface,
864
AvahiProtocol proto,
865
AvahiResolverEvent event,
866
const char *name,
867
const char *type,
868
const char *domain,
869
const char *host_name,
870
const AvahiAddress *address,
871
uint16_t port,
872
AVAHI_GCC_UNUSED AvahiStringList *txt,
873
AVAHI_GCC_UNUSED AvahiLookupResultFlags
874
flags,
875
AVAHI_GCC_UNUSED void* userdata){
876
assert(r);
537
static void resolve_callback( AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
void* userdata) {
550
mandos_context *mc = userdata;
551
assert(r); /* Spurious warning */
877
552
878
553
/* Called whenever a service has been resolved successfully or
879
554
timed out */
880
555
881
if(quit_now){
882
return;
883
}
884
885
switch(event){
556
switch (event) {
886
557
default:
887
558
case AVAHI_RESOLVER_FAILURE:
888
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
889
" of type '%s' in domain '%s': %s\n", name, type, domain,
890
avahi_strerror(avahi_server_errno(mc.server)));
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(mc->server)));
891
562
break;
892
563
893
564
case AVAHI_RESOLVER_FOUND:
895
566
char ip[AVAHI_ADDRESS_STR_MAX];
896
567
avahi_address_snprint(ip, sizeof(ip), address);
897
568
if(debug){
898
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
899
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
900
ip, (intmax_t)interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
901
571
}
902
int ret = start_mandos_communication(ip, port, interface,
903
avahi_proto_to_af(proto));
904
if(ret == 0){
905
avahi_simple_poll_quit(mc.simple_poll);
572
int ret = start_mandos_communication(ip, port, interface, mc);
573
if (ret == 0){
574
exit(EXIT_SUCCESS);
906
575
}
907
576
}
908
577
}
909
578
avahi_s_service_resolver_free(r);
910
579
}
911
580
912
static void browse_callback(AvahiSServiceBrowser *b,
913
AvahiIfIndex interface,
914
AvahiProtocol protocol,
915
AvahiBrowserEvent event,
916
const char *name,
917
const char *type,
918
const char *domain,
919
AVAHI_GCC_UNUSED AvahiLookupResultFlags
920
flags,
921
AVAHI_GCC_UNUSED void* userdata){
922
assert(b);
581
static void browse_callback( AvahiSServiceBrowser *b,
582
AvahiIfIndex interface,
583
AvahiProtocol protocol,
584
AvahiBrowserEvent event,
585
const char *name,
586
const char *type,
587
const char *domain,
588
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
589
void* userdata) {
590
mandos_context *mc = userdata;
591
assert(b); /* Spurious warning */
923
592
924
593
/* Called whenever a new services becomes available on the LAN or
925
594
is removed from the LAN */
926
595
927
if(quit_now){
928
return;
929
}
930
931
switch(event){
596
switch (event) {
932
597
default:
933
598
case AVAHI_BROWSER_FAILURE:
934
599
935
fprintf(stderr, "(Avahi browser) %s\n",
936
avahi_strerror(avahi_server_errno(mc.server)));
937
avahi_simple_poll_quit(mc.simple_poll);
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(mc->server)));
602
avahi_simple_poll_quit(mc->simple_poll);
938
603
return;
939
604
940
605
case AVAHI_BROWSER_NEW:
941
/* We ignore the returned Avahi resolver object. In the callback
942
function we free it. If the Avahi server is terminated before
943
the callback function is called the Avahi server will free the
944
resolver for us. */
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
945
610
946
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
947
name, type, domain, protocol, 0,
948
resolve_callback, NULL) == NULL)
949
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
950
name, avahi_strerror(avahi_server_errno(mc.server)));
611
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
612
type, domain,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, mc)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(mc->server)));
951
617
break;
952
618
953
619
case AVAHI_BROWSER_REMOVE:
955
621
956
622
case AVAHI_BROWSER_ALL_FOR_NOW:
957
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
958
if(debug){
959
fprintf(stderr, "No Mandos server found, still searching...\n");
960
}
961
624
break;
962
625
}
963
626
}
964
627
965
/* stop main loop after sigterm has been called */
966
static void handle_sigterm(int sig){
967
if(quit_now){
968
return;
969
}
970
quit_now = 1;
971
signal_received = sig;
972
int old_errno = errno;
973
if(mc.simple_poll != NULL){
974
avahi_simple_poll_quit(mc.simple_poll);
975
}
976
errno = old_errno;
977
}
978
979
/*
980
* This function determines if a directory entry in /sys/class/net
981
* corresponds to an acceptable network device.
982
* (This function is passed to scandir(3) as a filter function.)
983
*/
984
int good_interface(const struct dirent *if_entry){
985
ssize_t ssret;
986
char *flagname = NULL;
987
int ret = asprintf(&flagname, "%s/%s/flags", sys_class_net,
988
if_entry->d_name);
989
if(ret < 0){
990
perror("asprintf");
991
return 0;
992
}
993
if(if_entry->d_name[0] == '.'){
994
return 0;
995
}
996
int flags_fd = (int)TEMP_FAILURE_RETRY(open(flagname, O_RDONLY));
997
if(flags_fd == -1){
998
perror("open");
999
return 0;
1000
}
1001
typedef short ifreq_flags; /* ifreq.ifr_flags in netdevice(7) */
1002
/* read line from flags_fd */
1003
ssize_t to_read = (sizeof(ifreq_flags)*2)+3; /* "0x1003\n" */
1004
char *flagstring = malloc((size_t)to_read+1); /* +1 for final \0 */
1005
flagstring[(size_t)to_read] = '\0';
1006
if(flagstring == NULL){
1007
perror("malloc");
1008
close(flags_fd);
1009
return 0;
1010
}
1011
while(to_read > 0){
1012
ssret = (ssize_t)TEMP_FAILURE_RETRY(read(flags_fd, flagstring,
1013
(size_t)to_read));
1014
if(ssret == -1){
1015
perror("read");
1016
free(flagstring);
1017
close(flags_fd);
1018
return 0;
1019
}
1020
to_read -= ssret;
1021
if(ssret == 0){
1022
break;
1023
}
1024
}
1025
close(flags_fd);
1026
intmax_t tmpmax;
1027
char *tmp;
1028
errno = 0;
1029
tmpmax = strtoimax(flagstring, &tmp, 0);
1030
if(errno != 0 or tmp == flagstring or (*tmp != '\0'
1031
and not (isspace(*tmp)))
1032
or tmpmax != (ifreq_flags)tmpmax){
1033
if(debug){
1034
fprintf(stderr, "Invalid flags \"%s\" for interface \"%s\"\n",
1035
flagstring, if_entry->d_name);
1036
}
1037
free(flagstring);
1038
return 0;
1039
}
1040
free(flagstring);
1041
ifreq_flags flags = (ifreq_flags)tmpmax;
1042
/* Reject the loopback device */
1043
if(flags & IFF_LOOPBACK){
1044
if(debug){
1045
fprintf(stderr, "Rejecting loopback interface \"%s\"\n",
1046
if_entry->d_name);
1047
}
1048
return 0;
1049
}
1050
/* Accept point-to-point devices only if connect_to is specified */
1051
if(connect_to != NULL and (flags & IFF_POINTOPOINT)){
1052
if(debug){
1053
fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",
1054
if_entry->d_name);
1055
}
1056
return 1;
1057
}
1058
/* Otherwise, reject non-broadcast-capable devices */
1059
if(not (flags & IFF_BROADCAST)){
1060
if(debug){
1061
fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",
1062
if_entry->d_name);
1063
}
1064
return 0;
1065
}
1066
/* Accept this device */
1067
if(debug){
1068
fprintf(stderr, "Interface \"%s\" is acceptable\n",
1069
if_entry->d_name);
1070
}
1071
return 1;
1072
}
1073
1074
int main(int argc, char *argv[]){
1075
AvahiSServiceBrowser *sb = NULL;
1076
int error;
1077
int ret;
1078
intmax_t tmpmax;
1079
char *tmp;
1080
int exitcode = EXIT_SUCCESS;
1081
const char *interface = "";
1082
struct ifreq network;
1083
int sd = -1;
1084
bool take_down_interface = false;
1085
uid_t uid;
1086
gid_t gid;
1087
char tempdir[] = "/tmp/mandosXXXXXX";
1088
bool tempdir_created = false;
1089
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1090
const char *seckey = PATHDIR "/" SECKEY;
1091
const char *pubkey = PATHDIR "/" PUBKEY;
1092
1093
bool gnutls_initialized = false;
1094
bool gpgme_initialized = false;
1095
float delay = 2.5f;
1096
1097
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1098
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1099
1100
uid = getuid();
1101
gid = getgid();
1102
1103
/* Lower any group privileges we might have, just to be safe */
1104
errno = 0;
1105
ret = setgid(gid);
1106
if(ret == -1){
1107
perror("setgid");
1108
}
1109
1110
/* Lower user privileges (temporarily) */
1111
errno = 0;
1112
ret = seteuid(uid);
1113
if(ret == -1){
1114
perror("seteuid");
1115
}
1116
1117
if(quit_now){
1118
goto end;
1119
}
1120
1121
{
1122
struct argp_option options[] = {
1123
{ .name = "debug", .key = 128,
1124
.doc = "Debug mode", .group = 3 },
1125
{ .name = "connect", .key = 'c',
1126
.arg = "ADDRESS:PORT",
1127
.doc = "Connect directly to a specific Mandos server",
1128
.group = 1 },
1129
{ .name = "interface", .key = 'i',
1130
.arg = "NAME",
1131
.doc = "Network interface that will be used to search for"
1132
" Mandos servers",
1133
.group = 1 },
1134
{ .name = "seckey", .key = 's',
1135
.arg = "FILE",
1136
.doc = "OpenPGP secret key file base name",
1137
.group = 1 },
1138
{ .name = "pubkey", .key = 'p',
1139
.arg = "FILE",
1140
.doc = "OpenPGP public key file base name",
1141
.group = 2 },
1142
{ .name = "dh-bits", .key = 129,
1143
.arg = "BITS",
1144
.doc = "Bit length of the prime number used in the"
1145
" Diffie-Hellman key exchange",
1146
.group = 2 },
1147
{ .name = "priority", .key = 130,
1148
.arg = "STRING",
1149
.doc = "GnuTLS priority string for the TLS handshake",
1150
.group = 1 },
1151
{ .name = "delay", .key = 131,
1152
.arg = "SECONDS",
1153
.doc = "Maximum delay to wait for interface startup",
1154
.group = 2 },
1155
{ .name = NULL }
1156
};
628
/* Combines file name and path and returns the malloced new
629
string. some sane checks could/should be added */
630
static const char *combinepath(const char *first, const char *second){
631
size_t f_len = strlen(first);
632
size_t s_len = strlen(second);
633
char *tmp = malloc(f_len + s_len + 2);
634
if (tmp == NULL){
635
return NULL;
636
}
637
if(f_len > 0){
638
memcpy(tmp, first, f_len); /* Spurious warning */
639
}
640
tmp[f_len] = '/';
641
if(s_len > 0){
642
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
643
}
644
tmp[f_len + 1 + s_len] = '\0';
645
return tmp;
646
}
647
648
649
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
650
AvahiServerConfig config;
651
AvahiSServiceBrowser *sb = NULL;
652
int error;
653
int ret;
654
int debug_int;
655
int returncode = EXIT_SUCCESS;
656
const char *interface = "eth0";
657
struct ifreq network;
658
int sd;
659
char *connect_to = NULL;
660
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
661
mandos_context mc = { .simple_poll = NULL, .server = NULL,
662
.dh_bits = 1024, .priority = "SECURE256"};
1157
663
1158
error_t parse_opt(int key, char *arg,
1159
struct argp_state *state){
1160
switch(key){
1161
case 128: /* --debug */
1162
debug = true;
1163
break;
1164
case 'c': /* --connect */
1165
connect_to = arg;
1166
break;
1167
case 'i': /* --interface */
1168
interface = arg;
1169
break;
1170
case 's': /* --seckey */
1171
seckey = arg;
1172
break;
1173
case 'p': /* --pubkey */
1174
pubkey = arg;
1175
break;
1176
case 129: /* --dh-bits */
1177
errno = 0;
1178
tmpmax = strtoimax(arg, &tmp, 10);
1179
if(errno != 0 or tmp == arg or *tmp != '\0'
1180
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1181
fprintf(stderr, "Bad number of DH bits\n");
1182
exit(EXIT_FAILURE);
1183
}
1184
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1185
break;
1186
case 130: /* --priority */
1187
mc.priority = arg;
1188
break;
1189
case 131: /* --delay */
1190
errno = 0;
1191
delay = strtof(arg, &tmp);
1192
if(errno != 0 or tmp == arg or *tmp != '\0'){
1193
fprintf(stderr, "Bad delay\n");
1194
exit(EXIT_FAILURE);
1195
}
1196
break;
1197
case ARGP_KEY_ARG:
1198
argp_usage(state);
1199
case ARGP_KEY_END:
1200
break;
664
debug_int = debug ? 1 : 0;
665
while (true){
666
struct option long_options[] = {
667
{"debug", no_argument, &debug_int, 1},
668
{"connect", required_argument, NULL, 'c'},
669
{"interface", required_argument, NULL, 'i'},
670
{"keydir", required_argument, NULL, 'd'},
671
{"seckey", required_argument, NULL, 's'},
672
{"pubkey", required_argument, NULL, 'p'},
673
{"dh-bits", required_argument, NULL, 'D'},
674
{"priority", required_argument, NULL, 'P'},
675
{0, 0, 0, 0} };
676
677
int option_index = 0;
678
ret = getopt_long (argc, argv, "i:", long_options,
679
&option_index);
680
681
if (ret == -1){
682
break;
683
}
684
685
switch(ret){
686
case 0:
687
break;
688
case 'i':
689
interface = optarg;
690
break;
691
case 'c':
692
connect_to = optarg;
693
break;
694
case 'd':
695
keydir = optarg;
696
break;
697
case 'p':
698
pubkeyfile = optarg;
699
break;
700
case 's':
701
seckeyfile = optarg;
702
break;
703
case 'D':
704
errno = 0;
705
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
706
if (errno){
707
perror("strtol");
708
exit(EXIT_FAILURE);
709
}
710
break;
711
case 'P':
712
mc.priority = optarg;
713
break;
714
case '?':
1201
715
default:
1202
return ARGP_ERR_UNKNOWN;
1203
}
1204
return 0;
1205
}
1206
1207
struct argp argp = { .options = options, .parser = parse_opt,
1208
.args_doc = "",
1209
.doc = "Mandos client -- Get and decrypt"
1210
" passwords from a Mandos server" };
1211
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1212
if(ret == ARGP_ERR_UNKNOWN){
1213
fprintf(stderr, "Unknown error while parsing arguments\n");
1214
exitcode = EXIT_FAILURE;
1215
goto end;
1216
}
1217
}
1218
1219
if(not debug){
1220
avahi_set_log_function(empty_log);
1221
}
1222
1223
if(interface[0] == '\0'){
1224
struct dirent **direntries;
1225
ret = scandir(sys_class_net, &direntries, good_interface,
1226
alphasort);
1227
if(ret >= 1){
1228
/* Pick the first good interface */
1229
interface = strdup(direntries[0]->d_name);
1230
if(debug){
1231
fprintf(stderr, "Using interface \"%s\"\n", interface);
1232
}
1233
if(interface == NULL){
1234
perror("malloc");
1235
free(direntries);
1236
exitcode = EXIT_FAILURE;
1237
goto end;
1238
}
1239
free(direntries);
1240
} else {
1241
free(direntries);
1242
fprintf(stderr, "Could not find a network interface\n");
1243
exitcode = EXIT_FAILURE;
1244
goto end;
1245
}
1246
}
1247
1248
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1249
from the signal handler */
1250
/* Initialize the pseudo-RNG for Avahi */
1251
srand((unsigned int) time(NULL));
1252
mc.simple_poll = avahi_simple_poll_new();
1253
if(mc.simple_poll == NULL){
1254
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1255
exitcode = EXIT_FAILURE;
1256
goto end;
1257
}
1258
1259
sigemptyset(&sigterm_action.sa_mask);
1260
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1261
if(ret == -1){
1262
perror("sigaddset");
1263
exitcode = EXIT_FAILURE;
1264
goto end;
1265
}
1266
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1267
if(ret == -1){
1268
perror("sigaddset");
1269
exitcode = EXIT_FAILURE;
1270
goto end;
1271
}
1272
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1273
if(ret == -1){
1274
perror("sigaddset");
1275
exitcode = EXIT_FAILURE;
1276
goto end;
1277
}
1278
/* Need to check if the handler is SIG_IGN before handling:
1279
| [[info:libc:Initial Signal Actions]] |
1280
| [[info:libc:Basic Signal Handling]] |
1281
*/
1282
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1283
if(ret == -1){
1284
perror("sigaction");
1285
return EXIT_FAILURE;
1286
}
1287
if(old_sigterm_action.sa_handler != SIG_IGN){
1288
ret = sigaction(SIGINT, &sigterm_action, NULL);
1289
if(ret == -1){
1290
perror("sigaction");
1291
exitcode = EXIT_FAILURE;
1292
goto end;
1293
}
1294
}
1295
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1296
if(ret == -1){
1297
perror("sigaction");
1298
return EXIT_FAILURE;
1299
}
1300
if(old_sigterm_action.sa_handler != SIG_IGN){
1301
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1302
if(ret == -1){
1303
perror("sigaction");
1304
exitcode = EXIT_FAILURE;
1305
goto end;
1306
}
1307
}
1308
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1309
if(ret == -1){
1310
perror("sigaction");
1311
return EXIT_FAILURE;
1312
}
1313
if(old_sigterm_action.sa_handler != SIG_IGN){
1314
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1315
if(ret == -1){
1316
perror("sigaction");
1317
exitcode = EXIT_FAILURE;
1318
goto end;
1319
}
1320
}
1321
1322
/* If the interface is down, bring it up */
1323
if(strcmp(interface, "none") != 0){
716
exit(EXIT_FAILURE);
717
}
718
}
719
debug = debug_int ? true : false;
720
721
pubkeyfile = combinepath(keydir, pubkeyfile);
722
if (pubkeyfile == NULL){
723
perror("combinepath");
724
returncode = EXIT_FAILURE;
725
goto exit;
726
}
727
728
seckeyfile = combinepath(keydir, seckeyfile);
729
if (seckeyfile == NULL){
730
perror("combinepath");
731
goto exit;
732
}
733
1324
734
if_index = (AvahiIfIndex) if_nametoindex(interface);
1325
735
if(if_index == 0){
1326
736
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1327
exitcode = EXIT_FAILURE;
1328
goto end;
1329
}
1330
1331
if(quit_now){
1332
goto end;
1333
}
1334
1335
/* Re-raise priviliges */
1336
errno = 0;
1337
ret = seteuid(0);
1338
if(ret == -1){
1339
perror("seteuid");
1340
}
1341
1342
#ifdef __linux__
1343
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1344
messages to mess up the prompt */
1345
ret = klogctl(8, NULL, 5);
1346
bool restore_loglevel = true;
1347
if(ret == -1){
1348
restore_loglevel = false;
1349
perror("klogctl");
1350
}
1351
#endif /* __linux__ */
737
exit(EXIT_FAILURE);
738
}
739
740
if(connect_to != NULL){
741
/* Connect directly, do not use Zeroconf */
742
/* (Mainly meant for debugging) */
743
char *address = strrchr(connect_to, ':');
744
if(address == NULL){
745
fprintf(stderr, "No colon in address\n");
746
exit(EXIT_FAILURE);
747
}
748
errno = 0;
749
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
750
if(errno){
751
perror("Bad port number");
752
exit(EXIT_FAILURE);
753
}
754
*address = '\0';
755
address = connect_to;
756
ret = start_mandos_communication(address, port, if_index, &mc);
757
if(ret < 0){
758
exit(EXIT_FAILURE);
759
} else {
760
exit(EXIT_SUCCESS);
761
}
762
}
1352
763
1353
764
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1354
if(sd < 0){
765
if(sd < 0) {
1355
766
perror("socket");
1356
exitcode = EXIT_FAILURE;
1357
#ifdef __linux__
1358
if(restore_loglevel){
1359
ret = klogctl(7, NULL, 0);
1360
if(ret == -1){
1361
perror("klogctl");
1362
}
1363
}
1364
#endif /* __linux__ */
1365
/* Lower privileges */
1366
errno = 0;
1367
ret = seteuid(uid);
1368
if(ret == -1){
1369
perror("seteuid");
1370
}
1371
goto end;
767
returncode = EXIT_FAILURE;
768
goto exit;
1372
769
}
1373
strcpy(network.ifr_name, interface);
770
strcpy(network.ifr_name, interface); /* Spurious warning */
1374
771
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1375
772
if(ret == -1){
773
1376
774
perror("ioctl SIOCGIFFLAGS");
1377
#ifdef __linux__
1378
if(restore_loglevel){
1379
ret = klogctl(7, NULL, 0);
1380
if(ret == -1){
1381
perror("klogctl");
1382
}
1383
}
1384
#endif /* __linux__ */
1385
exitcode = EXIT_FAILURE;
1386
/* Lower privileges */
1387
errno = 0;
1388
ret = seteuid(uid);
1389
if(ret == -1){
1390
perror("seteuid");
1391
}
1392
goto end;
775
returncode = EXIT_FAILURE;
776
goto exit;
1393
777
}
1394
778
if((network.ifr_flags & IFF_UP) == 0){
1395
779
network.ifr_flags |= IFF_UP;
1396
take_down_interface = true;
1397
780
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1398
781
if(ret == -1){
1399
take_down_interface = false;
1400
perror("ioctl SIOCSIFFLAGS +IFF_UP");
1401
exitcode = EXIT_FAILURE;
1402
#ifdef __linux__
1403
if(restore_loglevel){
1404
ret = klogctl(7, NULL, 0);
1405
if(ret == -1){
1406
perror("klogctl");
1407
}
1408
}
1409
#endif /* __linux__ */
1410
/* Lower privileges */
1411
errno = 0;
1412
ret = seteuid(uid);
1413
if(ret == -1){
1414
perror("seteuid");
1415
}
1416
goto end;
1417
}
1418
}
1419
/* sleep checking until interface is running */
1420
for(int i=0; i < delay * 4; i++){
1421
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1422
if(ret == -1){
1423
perror("ioctl SIOCGIFFLAGS");
1424
} else if(network.ifr_flags & IFF_RUNNING){
1425
break;
1426
}
1427
struct timespec sleeptime = { .tv_nsec = 250000000 };
1428
ret = nanosleep(&sleeptime, NULL);
1429
if(ret == -1 and errno != EINTR){
1430
perror("nanosleep");
1431
}
1432
}
1433
if(not take_down_interface){
1434
/* We won't need the socket anymore */
1435
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1436
if(ret == -1){
1437
perror("close");
1438
}
1439
}
1440
#ifdef __linux__
1441
if(restore_loglevel){
1442
/* Restores kernel loglevel to default */
1443
ret = klogctl(7, NULL, 0);
1444
if(ret == -1){
1445
perror("klogctl");
1446
}
1447
}
1448
#endif /* __linux__ */
1449
/* Lower privileges */
1450
errno = 0;
1451
if(take_down_interface){
1452
/* Lower privileges */
1453
ret = seteuid(uid);
1454
if(ret == -1){
1455
perror("seteuid");
1456
}
1457
} else {
1458
/* Lower privileges permanently */
1459
ret = setuid(uid);
1460
if(ret == -1){
1461
perror("setuid");
1462
}
1463
}
1464
}
1465
1466
if(quit_now){
1467
goto end;
1468
}
1469
1470
ret = init_gnutls_global(pubkey, seckey);
1471
if(ret == -1){
1472
fprintf(stderr, "init_gnutls_global failed\n");
1473
exitcode = EXIT_FAILURE;
1474
goto end;
1475
} else {
1476
gnutls_initialized = true;
1477
}
1478
1479
if(quit_now){
1480
goto end;
1481
}
1482
1483
tempdir_created = true;
1484
if(mkdtemp(tempdir) == NULL){
1485
tempdir_created = false;
1486
perror("mkdtemp");
1487
goto end;
1488
}
1489
1490
if(quit_now){
1491
goto end;
1492
}
1493
1494
if(not init_gpgme(pubkey, seckey, tempdir)){
1495
fprintf(stderr, "init_gpgme failed\n");
1496
exitcode = EXIT_FAILURE;
1497
goto end;
1498
} else {
1499
gpgme_initialized = true;
1500
}
1501
1502
if(quit_now){
1503
goto end;
1504
}
1505
1506
if(connect_to != NULL){
1507
/* Connect directly, do not use Zeroconf */
1508
/* (Mainly meant for debugging) */
1509
char *address = strrchr(connect_to, ':');
1510
if(address == NULL){
1511
fprintf(stderr, "No colon in address\n");
1512
exitcode = EXIT_FAILURE;
1513
goto end;
1514
}
1515
1516
if(quit_now){
1517
goto end;
1518
}
1519
1520
uint16_t port;
1521
errno = 0;
1522
tmpmax = strtoimax(address+1, &tmp, 10);
1523
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1524
or tmpmax != (uint16_t)tmpmax){
1525
fprintf(stderr, "Bad port number\n");
1526
exitcode = EXIT_FAILURE;
1527
goto end;
1528
}
1529
1530
if(quit_now){
1531
goto end;
1532
}
1533
1534
port = (uint16_t)tmpmax;
1535
*address = '\0';
1536
address = connect_to;
1537
/* Colon in address indicates IPv6 */
1538
int af;
1539
if(strchr(address, ':') != NULL){
1540
af = AF_INET6;
1541
} else {
1542
af = AF_INET;
1543
}
1544
1545
if(quit_now){
1546
goto end;
1547
}
1548
1549
ret = start_mandos_communication(address, port, if_index, af);
1550
if(ret < 0){
1551
exitcode = EXIT_FAILURE;
1552
} else {
1553
exitcode = EXIT_SUCCESS;
1554
}
1555
goto end;
1556
}
1557
1558
if(quit_now){
1559
goto end;
1560
}
1561
1562
{
1563
AvahiServerConfig config;
1564
/* Do not publish any local Zeroconf records */
782
perror("ioctl SIOCSIFFLAGS");
783
returncode = EXIT_FAILURE;
784
goto exit;
785
}
786
}
787
close(sd);
788
789
if (not debug){
790
avahi_set_log_function(empty_log);
791
}
792
793
/* Initialize the psuedo-RNG */
794
srand((unsigned int) time(NULL));
795
796
/* Allocate main loop object */
797
if (!(mc.simple_poll = avahi_simple_poll_new())) {
798
fprintf(stderr, "Failed to create simple poll object.\n");
799
returncode = EXIT_FAILURE;
800
goto exit;
801
}
802
803
/* Do not publish any local records */
1565
804
avahi_server_config_init(&config);
1566
805
config.publish_hinfo = 0;
1567
806
config.publish_addresses = 0;
1568
807
config.publish_workstation = 0;
1569
808
config.publish_domain = 0;
1570
809
1571
810
/* Allocate a new server */
1572
mc.server = avahi_server_new(avahi_simple_poll_get
1573
(mc.simple_poll), &config, NULL,
1574
NULL, &error);
811
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
812
&config, NULL, NULL, &error);
1575
813
1576
/* Free the Avahi configuration data */
814
/* Free the configuration data */
1577
815
avahi_server_config_free(&config);
1578
}
1579
1580
/* Check if creating the Avahi server object succeeded */
1581
if(mc.server == NULL){
1582
fprintf(stderr, "Failed to create Avahi server: %s\n",
1583
avahi_strerror(error));
1584
exitcode = EXIT_FAILURE;
1585
goto end;
1586
}
1587
1588
if(quit_now){
1589
goto end;
1590
}
1591
1592
/* Create the Avahi service browser */
1593
sb = avahi_s_service_browser_new(mc.server, if_index,
1594
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1595
NULL, 0, browse_callback, NULL);
1596
if(sb == NULL){
1597
fprintf(stderr, "Failed to create service browser: %s\n",
1598
avahi_strerror(avahi_server_errno(mc.server)));
1599
exitcode = EXIT_FAILURE;
1600
goto end;
1601
}
1602
1603
if(quit_now){
1604
goto end;
1605
}
1606
1607
/* Run the main loop */
1608
1609
if(debug){
1610
fprintf(stderr, "Starting Avahi loop search\n");
1611
}
1612
1613
avahi_simple_poll_loop(mc.simple_poll);
1614
1615
end:
1616
1617
if(debug){
1618
fprintf(stderr, "%s exiting\n", argv[0]);
1619
}
1620
1621
/* Cleanup things */
1622
if(sb != NULL)
1623
avahi_s_service_browser_free(sb);
1624
1625
if(mc.server != NULL)
1626
avahi_server_free(mc.server);
1627
1628
if(mc.simple_poll != NULL)
1629
avahi_simple_poll_free(mc.simple_poll);
1630
1631
if(gnutls_initialized){
1632
gnutls_certificate_free_credentials(mc.cred);
1633
gnutls_global_deinit();
1634
gnutls_dh_params_deinit(mc.dh_params);
1635
}
1636
1637
if(gpgme_initialized){
1638
gpgme_release(mc.ctx);
1639
}
1640
1641
/* Take down the network interface */
1642
if(take_down_interface){
1643
/* Re-raise priviliges */
1644
errno = 0;
1645
ret = seteuid(0);
1646
if(ret == -1){
1647
perror("seteuid");
1648
}
1649
if(geteuid() == 0){
1650
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1651
if(ret == -1){
1652
perror("ioctl SIOCGIFFLAGS");
1653
} else if(network.ifr_flags & IFF_UP) {
1654
network.ifr_flags &= ~IFF_UP; /* clear flag */
1655
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1656
if(ret == -1){
1657
perror("ioctl SIOCSIFFLAGS -IFF_UP");
1658
}
1659
}
1660
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1661
if(ret == -1){
1662
perror("close");
1663
}
1664
/* Lower privileges permanently */
1665
errno = 0;
1666
ret = setuid(uid);
1667
if(ret == -1){
1668
perror("setuid");
1669
}
1670
}
1671
}
1672
1673
/* Removes the temp directory used by GPGME */
1674
if(tempdir_created){
1675
DIR *d;
1676
struct dirent *direntry;
1677
d = opendir(tempdir);
1678
if(d == NULL){
1679
if(errno != ENOENT){
1680
perror("opendir");
1681
}
1682
} else {
1683
while(true){
1684
direntry = readdir(d);
1685
if(direntry == NULL){
1686
break;
1687
}
1688
/* Skip "." and ".." */
1689
if(direntry->d_name[0] == '.'
1690
and (direntry->d_name[1] == '\0'
1691
or (direntry->d_name[1] == '.'
1692
and direntry->d_name[2] == '\0'))){
1693
continue;
1694
}
1695
char *fullname = NULL;
1696
ret = asprintf(&fullname, "%s/%s", tempdir,
1697
direntry->d_name);
1698
if(ret < 0){
1699
perror("asprintf");
1700
continue;
1701
}
1702
ret = remove(fullname);
1703
if(ret == -1){
1704
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1705
strerror(errno));
1706
}
1707
free(fullname);
1708
}
1709
closedir(d);
1710
}
1711
ret = rmdir(tempdir);
1712
if(ret == -1 and errno != ENOENT){
1713
perror("rmdir");
1714
}
1715
}
1716
1717
if(quit_now){
1718
sigemptyset(&old_sigterm_action.sa_mask);
1719
old_sigterm_action.sa_handler = SIG_DFL;
1720
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1721
&old_sigterm_action,
1722
NULL));
1723
if(ret == -1){
1724
perror("sigaction");
1725
}
1726
do {
1727
ret = raise(signal_received);
1728
} while(ret != 0 and errno == EINTR);
1729
if(ret != 0){
1730
perror("raise");
1731
abort();
1732
}
1733
TEMP_FAILURE_RETRY(pause());
1734
}
1735
1736
return exitcode;
816
817
/* Check if creating the server object succeeded */
818
if (!mc.server) {
819
fprintf(stderr, "Failed to create server: %s\n",
820
avahi_strerror(error));
821
returncode = EXIT_FAILURE;
822
goto exit;
823
}
824
825
/* Create the service browser */
826
sb = avahi_s_service_browser_new(mc.server, if_index,
827
AVAHI_PROTO_INET6,
828
"_mandos._tcp", NULL, 0,
829
browse_callback, &mc);
830
if (!sb) {
831
fprintf(stderr, "Failed to create service browser: %s\n",
832
avahi_strerror(avahi_server_errno(mc.server)));
833
returncode = EXIT_FAILURE;
834
goto exit;
835
}
836
837
/* Run the main loop */
838
839
if (debug){
840
fprintf(stderr, "Starting avahi loop search\n");
841
}
842
843
avahi_simple_poll_loop(mc.simple_poll);
844
845
exit:
846
847
if (debug){
848
fprintf(stderr, "%s exiting\n", argv[0]);
849
}
850
851
/* Cleanup things */
852
if (sb)
853
avahi_s_service_browser_free(sb);
854
855
if (mc.server)
856
avahi_server_free(mc.server);
857
858
if (mc.simple_poll)
859
avahi_simple_poll_free(mc.simple_poll);
860
free(pubkeyfile);
861
free(seckeyfile);
862
863
return returncode;
1737
864
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0