To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
67
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
43
SIOCSIFFLAGS */
44
94
45
#include <avahi-core/core.h>
95
46
#include <avahi-core/lookup.h>
96
47
#include <avahi-core/log.h>
98
49
#include <avahi-common/malloc.h>
99
50
#include <avahi-common/error.h>
100
51
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
117
72
118
73
#define BUFFER_SIZE 256
119
74
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
123
78
124
79
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
128
static const char sys_class_net[] = "/sys/class/net";
129
char *connect_to = NULL;
130
80
131
/* Used for passing in values through the Avahi callback functions */
81
/* Used for passing in values through all the callback functions */
132
82
typedef struct {
133
83
AvahiSimplePoll *simple_poll;
134
84
AvahiServer *server;
135
85
gnutls_certificate_credentials_t cred;
136
86
unsigned int dh_bits;
137
gnutls_dh_params_t dh_params;
138
87
const char *priority;
88
} mandos_context;
89
90
/*
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
92
* Returns -1 on error
93
*/
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
95
size_t crypto_size,
96
char **plaintext,
97
const char *homedir){
98
gpgme_data_t dh_crypto, dh_plain;
139
99
gpgme_ctx_t ctx;
140
} mandos_context;
141
142
/* global context so signal handler can reach it*/
143
mandos_context mc = { .simple_poll = NULL, .server = NULL,
144
.dh_bits = 1024, .priority = "SECURE256"
145
":!CTYPE-X.509:+CTYPE-OPENPGP" };
146
147
sig_atomic_t quit_now = 0;
148
int signal_received = 0;
149
150
/*
151
* Make additional room in "buffer" for at least BUFFER_SIZE more
152
* bytes. "buffer_capacity" is how much is currently allocated,
153
* "buffer_length" is how much is already used.
154
*/
155
size_t incbuffer(char **buffer, size_t buffer_length,
156
size_t buffer_capacity){
157
if(buffer_length + BUFFER_SIZE > buffer_capacity){
158
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
159
if(buffer == NULL){
160
return 0;
161
}
162
buffer_capacity += BUFFER_SIZE;
163
}
164
return buffer_capacity;
165
}
166
167
/*
168
* Initialize GPGME.
169
*/
170
static bool init_gpgme(const char *seckey,
171
const char *pubkey, const char *tempdir){
172
100
gpgme_error_t rc;
101
ssize_t ret;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
173
104
gpgme_engine_info_t engine_info;
174
105
175
176
/*
177
* Helper function to insert pub and seckey to the engine keyring.
178
*/
179
bool import_key(const char *filename){
180
int ret;
181
int fd;
182
gpgme_data_t pgp_data;
183
184
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
185
if(fd == -1){
186
perror("open");
187
return false;
188
}
189
190
rc = gpgme_data_new_from_fd(&pgp_data, fd);
191
if(rc != GPG_ERR_NO_ERROR){
192
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
193
gpgme_strsource(rc), gpgme_strerror(rc));
194
return false;
195
}
196
197
rc = gpgme_op_import(mc.ctx, pgp_data);
198
if(rc != GPG_ERR_NO_ERROR){
199
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
200
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
202
}
203
204
ret = (int)TEMP_FAILURE_RETRY(close(fd));
205
if(ret == -1){
206
perror("close");
207
}
208
gpgme_data_release(pgp_data);
209
return true;
210
}
211
212
if(debug){
213
fprintf(stderr, "Initializing GPGME\n");
106
if (debug){
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
214
108
}
215
109
216
110
/* Init GPGME */
217
111
gpgme_check_version(NULL);
218
112
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
219
if(rc != GPG_ERR_NO_ERROR){
113
if (rc != GPG_ERR_NO_ERROR){
220
114
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
221
115
gpgme_strsource(rc), gpgme_strerror(rc));
222
return false;
116
return -1;
223
117
}
224
118
225
/* Set GPGME home directory for the OpenPGP engine only */
226
rc = gpgme_get_engine_info(&engine_info);
227
if(rc != GPG_ERR_NO_ERROR){
119
/* Set GPGME home directory for the OpenPGP engine only */
120
rc = gpgme_get_engine_info (&engine_info);
121
if (rc != GPG_ERR_NO_ERROR){
228
122
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
229
123
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
124
return -1;
231
125
}
232
126
while(engine_info != NULL){
233
127
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
234
128
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
235
engine_info->file_name, tempdir);
129
engine_info->file_name, homedir);
236
130
break;
237
131
}
238
132
engine_info = engine_info->next;
239
133
}
240
134
if(engine_info == NULL){
241
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
242
return false;
243
}
244
245
/* Create new GPGME "context" */
246
rc = gpgme_new(&(mc.ctx));
247
if(rc != GPG_ERR_NO_ERROR){
248
fprintf(stderr, "bad gpgme_new: %s: %s\n",
249
gpgme_strsource(rc), gpgme_strerror(rc));
250
return false;
251
}
252
253
if(not import_key(pubkey) or not import_key(seckey)){
254
return false;
255
}
256
257
return true;
258
}
259
260
/*
261
* Decrypt OpenPGP data.
262
* Returns -1 on error
263
*/
264
static ssize_t pgp_packet_decrypt(const char *cryptotext,
265
size_t crypto_size,
266
char **plaintext){
267
gpgme_data_t dh_crypto, dh_plain;
268
gpgme_error_t rc;
269
ssize_t ret;
270
size_t plaintext_capacity = 0;
271
ssize_t plaintext_length = 0;
272
273
if(debug){
274
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
136
return -1;
275
137
}
276
138
277
139
/* Create new GPGME data buffer from memory cryptotext */
278
140
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
279
141
0);
280
if(rc != GPG_ERR_NO_ERROR){
142
if (rc != GPG_ERR_NO_ERROR){
281
143
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
282
144
gpgme_strsource(rc), gpgme_strerror(rc));
283
145
return -1;
285
147
286
148
/* Create new empty GPGME data buffer for the plaintext */
287
149
rc = gpgme_data_new(&dh_plain);
288
if(rc != GPG_ERR_NO_ERROR){
150
if (rc != GPG_ERR_NO_ERROR){
289
151
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
290
152
gpgme_strsource(rc), gpgme_strerror(rc));
291
153
gpgme_data_release(dh_crypto);
292
154
return -1;
293
155
}
294
156
157
/* Create new GPGME "context" */
158
rc = gpgme_new(&ctx);
159
if (rc != GPG_ERR_NO_ERROR){
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
161
gpgme_strsource(rc), gpgme_strerror(rc));
162
plaintext_length = -1;
163
goto decrypt_end;
164
}
165
295
166
/* Decrypt data from the cryptotext data buffer to the plaintext
296
167
data buffer */
297
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
298
if(rc != GPG_ERR_NO_ERROR){
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
169
if (rc != GPG_ERR_NO_ERROR){
299
170
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
300
171
gpgme_strsource(rc), gpgme_strerror(rc));
301
172
plaintext_length = -1;
302
if(debug){
303
gpgme_decrypt_result_t result;
304
result = gpgme_op_decrypt_result(mc.ctx);
305
if(result == NULL){
306
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
307
} else {
308
fprintf(stderr, "Unsupported algorithm: %s\n",
309
result->unsupported_algorithm);
310
fprintf(stderr, "Wrong key usage: %u\n",
311
result->wrong_key_usage);
312
if(result->file_name != NULL){
313
fprintf(stderr, "File name: %s\n", result->file_name);
314
}
315
gpgme_recipient_t recipient;
316
recipient = result->recipients;
173
goto decrypt_end;
174
}
175
176
if(debug){
177
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
178
}
179
180
if (debug){
181
gpgme_decrypt_result_t result;
182
result = gpgme_op_decrypt_result(ctx);
183
if (result == NULL){
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
185
} else {
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
190
if(result->file_name != NULL){
191
fprintf(stderr, "File name: %s\n", result->file_name);
192
}
193
gpgme_recipient_t recipient;
194
recipient = result->recipients;
195
if(recipient){
317
196
while(recipient != NULL){
318
197
fprintf(stderr, "Public key algorithm: %s\n",
319
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
325
204
}
326
205
}
327
206
}
328
goto decrypt_end;
329
}
330
331
if(debug){
332
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
333
207
}
334
208
335
209
/* Seek back to the beginning of the GPGME plaintext data buffer */
336
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
337
perror("gpgme_data_seek");
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
338
212
plaintext_length = -1;
339
213
goto decrypt_end;
340
214
}
341
215
342
216
*plaintext = NULL;
343
217
while(true){
344
plaintext_capacity = incbuffer(plaintext,
345
(size_t)plaintext_length,
346
plaintext_capacity);
347
if(plaintext_capacity == 0){
348
perror("incbuffer");
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
349
224
plaintext_length = -1;
350
225
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
351
228
}
352
229
353
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
354
231
BUFFER_SIZE);
355
232
/* Print the data, if any */
356
if(ret == 0){
233
if (ret == 0){
357
234
/* EOF */
358
235
break;
359
236
}
364
241
}
365
242
plaintext_length += ret;
366
243
}
367
244
368
245
if(debug){
369
246
fprintf(stderr, "Decrypted password is: ");
370
for(ssize_t i = 0; i < plaintext_length; i++){
247
for(size_t i = 0; i < plaintext_length; i++){
371
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
372
249
}
373
250
fprintf(stderr, "\n");
383
260
return plaintext_length;
384
261
}
385
262
386
static const char * safer_gnutls_strerror(int value){
387
const char *ret = gnutls_strerror(value); /* Spurious warning from
388
-Wunreachable-code */
389
if(ret == NULL)
263
static const char * safer_gnutls_strerror (int value) {
264
const char *ret = gnutls_strerror (value);
265
if (ret == NULL)
390
266
ret = "(unknown)";
391
267
return ret;
392
268
}
393
269
394
/* GnuTLS log function callback */
395
270
static void debuggnutls(__attribute__((unused)) int level,
396
271
const char* string){
397
fprintf(stderr, "GnuTLS: %s", string);
272
fprintf(stderr, "%s", string);
398
273
}
399
274
400
static int init_gnutls_global(const char *pubkeyfilename,
401
const char *seckeyfilename){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
402
278
int ret;
403
279
404
280
if(debug){
405
281
fprintf(stderr, "Initializing GnuTLS\n");
406
282
}
407
408
ret = gnutls_global_init();
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS global_init: %s\n",
411
safer_gnutls_strerror(ret));
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
412
287
return -1;
413
288
}
414
289
415
if(debug){
416
/* "Use a log level over 10 to enable all debugging options."
417
* - GnuTLS manual
418
*/
290
if (debug){
419
291
gnutls_global_set_log_level(11);
420
292
gnutls_global_set_log_function(debuggnutls);
421
293
}
422
294
423
/* OpenPGP credentials */
424
gnutls_certificate_allocate_credentials(&mc.cred);
425
if(ret != GNUTLS_E_SUCCESS){
426
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
427
from
428
-Wunreachable-code
429
*/
430
safer_gnutls_strerror(ret));
431
gnutls_global_deinit();
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
299
safer_gnutls_strerror(ret));
432
300
return -1;
433
301
}
434
302
435
303
if(debug){
436
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
437
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
438
seckeyfilename);
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
439
307
}
440
308
441
309
ret = gnutls_certificate_set_openpgp_key_file
442
(mc.cred, pubkeyfilename, seckeyfilename,
443
GNUTLS_OPENPGP_FMT_BASE64);
444
if(ret != GNUTLS_E_SUCCESS){
445
fprintf(stderr,
446
"Error[%d] while reading the OpenPGP key pair ('%s',"
447
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
448
fprintf(stderr, "The GnuTLS error is: %s\n",
449
safer_gnutls_strerror(ret));
450
goto globalfail;
451
}
452
453
/* GnuTLS server initialization */
454
ret = gnutls_dh_params_init(&mc.dh_params);
455
if(ret != GNUTLS_E_SUCCESS){
456
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
457
" %s\n", safer_gnutls_strerror(ret));
458
goto globalfail;
459
}
460
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
461
if(ret != GNUTLS_E_SUCCESS){
462
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
463
safer_gnutls_strerror(ret));
464
goto globalfail;
465
}
466
467
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
468
469
return 0;
470
471
globalfail:
472
473
gnutls_certificate_free_credentials(mc.cred);
474
gnutls_global_deinit();
475
gnutls_dh_params_deinit(mc.dh_params);
476
return -1;
477
}
478
479
static int init_gnutls_session(gnutls_session_t *session){
480
int ret;
481
/* GnuTLS session creation */
482
do {
483
ret = gnutls_init(session, GNUTLS_SERVER);
484
if(quit_now){
485
return -1;
486
}
487
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
488
if(ret != GNUTLS_E_SUCCESS){
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
311
if (ret != GNUTLS_E_SUCCESS) {
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
317
safer_gnutls_strerror(ret));
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
489
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
490
342
safer_gnutls_strerror(ret));
491
343
}
492
344
493
{
494
const char *err;
495
do {
496
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
497
if(quit_now){
498
gnutls_deinit(*session);
499
return -1;
500
}
501
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
502
if(ret != GNUTLS_E_SUCCESS){
503
fprintf(stderr, "Syntax error at: %s\n", err);
504
fprintf(stderr, "GnuTLS error: %s\n",
505
safer_gnutls_strerror(ret));
506
gnutls_deinit(*session);
507
return -1;
508
}
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
509
351
}
510
352
511
do {
512
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
513
mc.cred);
514
if(quit_now){
515
gnutls_deinit(*session);
516
return -1;
517
}
518
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
519
if(ret != GNUTLS_E_SUCCESS){
520
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
521
357
safer_gnutls_strerror(ret));
522
gnutls_deinit(*session);
523
358
return -1;
524
359
}
525
360
526
361
/* ignore client certificate if any. */
527
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
362
gnutls_certificate_server_set_request (*session,
363
GNUTLS_CERT_IGNORE);
528
364
529
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
365
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
530
366
531
367
return 0;
532
368
}
533
369
534
/* Avahi log function callback */
535
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
536
371
__attribute__((unused)) const char *txt){}
537
372
538
/* Called when a Mandos server is found */
539
373
static int start_mandos_communication(const char *ip, uint16_t port,
540
374
AvahiIfIndex if_index,
541
int af){
542
int ret, tcp_sd = -1;
543
ssize_t sret;
544
union {
545
struct sockaddr_in in;
546
struct sockaddr_in6 in6;
547
} to;
375
mandos_context *mc){
376
int ret, tcp_sd;
377
struct sockaddr_in6 to;
548
378
char *buffer = NULL;
549
char *decrypted_buffer = NULL;
379
char *decrypted_buffer;
550
380
size_t buffer_length = 0;
551
381
size_t buffer_capacity = 0;
552
size_t written;
553
int retval = -1;
382
ssize_t decrypted_buffer_size;
383
size_t written = 0;
384
int retval = 0;
385
char interface[IF_NAMESIZE];
554
386
gnutls_session_t session;
555
int pf; /* Protocol family */
556
557
if(quit_now){
558
return -1;
559
}
560
561
switch(af){
562
case AF_INET6:
563
pf = PF_INET6;
564
break;
565
case AF_INET:
566
pf = PF_INET;
567
break;
568
default:
569
fprintf(stderr, "Bad address family: %d\n", af);
570
return -1;
571
}
572
573
ret = init_gnutls_session(&session);
574
if(ret != 0){
575
return -1;
576
}
387
gnutls_dh_params_t dh_params;
577
388
578
389
if(debug){
579
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
580
"\n", ip, port);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
581
392
}
582
393
583
tcp_sd = socket(pf, SOCK_STREAM, 0);
584
if(tcp_sd < 0){
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
395
if(tcp_sd < 0) {
585
396
perror("socket");
586
goto mandos_end;
587
}
588
589
if(quit_now){
590
goto mandos_end;
591
}
592
593
memset(&to, 0, sizeof(to));
594
if(af == AF_INET6){
595
to.in6.sin6_family = (sa_family_t)af;
596
ret = inet_pton(af, ip, &to.in6.sin6_addr);
597
} else { /* IPv4 */
598
to.in.sin_family = (sa_family_t)af;
599
ret = inet_pton(af, ip, &to.in.sin_addr);
600
}
601
if(ret < 0 ){
397
return -1;
398
}
399
400
if(debug){
401
if(if_indextoname((unsigned int)if_index, interface) == NULL){
402
perror("if_indextoname");
403
return -1;
404
}
405
fprintf(stderr, "Binding to interface %s\n", interface);
406
}
407
408
memset(&to,0,sizeof(to)); /* Spurious warning */
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
411
if (ret < 0 ){
602
412
perror("inet_pton");
603
goto mandos_end;
413
return -1;
604
414
}
605
415
if(ret == 0){
606
416
fprintf(stderr, "Bad address: %s\n", ip);
607
goto mandos_end;
608
}
609
if(af == AF_INET6){
610
to.in6.sin6_port = htons(port); /* Spurious warnings from
611
-Wconversion and
612
-Wunreachable-code */
613
614
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
615
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
616
-Wunreachable-code*/
617
if(if_index == AVAHI_IF_UNSPEC){
618
fprintf(stderr, "An IPv6 link-local address is incomplete"
619
" without a network interface\n");
620
goto mandos_end;
621
}
622
/* Set the network interface number as scope */
623
to.in6.sin6_scope_id = (uint32_t)if_index;
624
}
625
} else {
626
to.in.sin_port = htons(port); /* Spurious warnings from
627
-Wconversion and
628
-Wunreachable-code */
629
}
417
return -1;
418
}
419
to.sin6_port = htons(port); /* Spurious warning */
630
420
631
if(quit_now){
632
goto mandos_end;
633
}
421
to.sin6_scope_id = (uint32_t)if_index;
634
422
635
423
if(debug){
636
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
637
char interface[IF_NAMESIZE];
638
if(if_indextoname((unsigned int)if_index, interface) == NULL){
639
perror("if_indextoname");
640
} else {
641
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
642
ip, interface, port);
643
}
644
} else {
645
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
646
port);
647
}
648
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
649
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
650
const char *pcret;
651
if(af == AF_INET6){
652
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
653
sizeof(addrstr));
654
} else {
655
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
656
sizeof(addrstr));
657
}
658
if(pcret == NULL){
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
425
char addrstr[INET6_ADDRSTRLEN] = "";
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
427
sizeof(addrstr)) == NULL){
659
428
perror("inet_ntop");
660
429
} else {
661
430
if(strcmp(addrstr, ip) != 0){
664
433
}
665
434
}
666
435
667
if(quit_now){
668
goto mandos_end;
669
}
670
671
if(af == AF_INET6){
672
ret = connect(tcp_sd, &to.in6, sizeof(to));
673
} else {
674
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
675
}
676
if(ret < 0){
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
437
if (ret < 0){
677
438
perror("connect");
678
goto mandos_end;
679
}
680
681
if(quit_now){
682
goto mandos_end;
683
}
684
685
const char *out = mandos_protocol_version;
686
written = 0;
687
while(true){
688
size_t out_size = strlen(out);
689
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
690
out_size - written));
691
if(ret == -1){
692
perror("write");
693
goto mandos_end;
694
}
695
written += (size_t)ret;
696
if(written < out_size){
697
continue;
698
} else {
699
if(out == mandos_protocol_version){
700
written = 0;
701
out = "\r\n";
702
} else {
703
break;
704
}
705
}
706
707
if(quit_now){
708
goto mandos_end;
709
}
710
}
439
return -1;
440
}
441
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
446
}
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
711
449
712
450
if(debug){
713
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
714
452
}
715
453
716
if(quit_now){
717
goto mandos_end;
718
}
719
720
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
721
722
if(quit_now){
723
goto mandos_end;
724
}
725
726
do {
727
ret = gnutls_handshake(session);
728
if(quit_now){
729
goto mandos_end;
730
}
731
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
732
733
if(ret != GNUTLS_E_SUCCESS){
454
ret = gnutls_handshake (session);
455
456
if (ret != GNUTLS_E_SUCCESS){
734
457
if(debug){
735
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
736
gnutls_perror(ret);
458
fprintf(stderr, "\n*** Handshake failed ***\n");
459
gnutls_perror (ret);
737
460
}
738
goto mandos_end;
461
retval = -1;
462
goto exit;
739
463
}
740
464
741
/* Read OpenPGP packet that contains the wanted password */
465
//Retrieve OpenPGP packet that contains the wanted password
742
466
743
467
if(debug){
744
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
745
469
ip);
746
470
}
747
471
748
472
while(true){
749
750
if(quit_now){
751
goto mandos_end;
752
}
753
754
buffer_capacity = incbuffer(&buffer, buffer_length,
755
buffer_capacity);
756
if(buffer_capacity == 0){
757
perror("incbuffer");
758
goto mandos_end;
759
}
760
761
if(quit_now){
762
goto mandos_end;
763
}
764
765
sret = gnutls_record_recv(session, buffer+buffer_length,
766
BUFFER_SIZE);
767
if(sret == 0){
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
480
}
481
482
ret = gnutls_record_recv(session, buffer+buffer_length,
483
BUFFER_SIZE);
484
if (ret == 0){
768
485
break;
769
486
}
770
if(sret < 0){
771
switch(sret){
487
if (ret < 0){
488
switch(ret){
772
489
case GNUTLS_E_INTERRUPTED:
773
490
case GNUTLS_E_AGAIN:
774
491
break;
775
492
case GNUTLS_E_REHANDSHAKE:
776
do {
777
ret = gnutls_handshake(session);
778
779
if(quit_now){
780
goto mandos_end;
781
}
782
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
783
if(ret < 0){
784
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
785
gnutls_perror(ret);
786
goto mandos_end;
493
ret = gnutls_handshake (session);
494
if (ret < 0){
495
fprintf(stderr, "\n*** Handshake failed ***\n");
496
gnutls_perror (ret);
497
retval = -1;
498
goto exit;
787
499
}
788
500
break;
789
501
default:
790
502
fprintf(stderr, "Unknown error while reading data from"
791
" encrypted session with Mandos server\n");
792
gnutls_bye(session, GNUTLS_SHUT_RDWR);
793
goto mandos_end;
503
" encrypted session with mandos server\n");
504
retval = -1;
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
506
goto exit;
794
507
}
795
508
} else {
796
buffer_length += (size_t) sret;
797
}
798
}
799
800
if(debug){
801
fprintf(stderr, "Closing TLS session\n");
802
}
803
804
if(quit_now){
805
goto mandos_end;
806
}
807
808
do {
809
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
810
if(quit_now){
811
goto mandos_end;
812
}
813
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
814
815
if(buffer_length > 0){
816
ssize_t decrypted_buffer_size;
509
buffer_length += (size_t) ret;
510
}
511
}
512
513
if (buffer_length > 0){
817
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
818
515
buffer_length,
819
&decrypted_buffer);
820
if(decrypted_buffer_size >= 0){
821
822
written = 0;
516
&decrypted_buffer,
517
keydir);
518
if (decrypted_buffer_size >= 0){
823
519
while(written < (size_t) decrypted_buffer_size){
824
if(quit_now){
825
goto mandos_end;
826
}
827
828
ret = (int)fwrite(decrypted_buffer + written, 1,
829
(size_t)decrypted_buffer_size - written,
830
stdout);
520
ret = (int)fwrite (decrypted_buffer + written, 1,
521
(size_t)decrypted_buffer_size - written,
522
stdout);
831
523
if(ret == 0 and ferror(stdout)){
832
524
if(debug){
833
525
fprintf(stderr, "Error writing encrypted data: %s\n",
834
526
strerror(errno));
835
527
}
836
goto mandos_end;
528
retval = -1;
529
break;
837
530
}
838
531
written += (size_t)ret;
839
532
}
840
retval = 0;
533
free(decrypted_buffer);
534
} else {
535
retval = -1;
841
536
}
842
537
}
843
844
/* Shutdown procedure */
845
846
mandos_end:
847
free(decrypted_buffer);
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
848
545
free(buffer);
849
if(tcp_sd >= 0){
850
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
851
}
852
if(ret == -1){
853
perror("close");
854
}
855
gnutls_deinit(session);
856
if(quit_now){
857
retval = -1;
858
}
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
548
close(tcp_sd);
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
859
552
return retval;
860
553
}
861
554
862
555
static void resolve_callback(AvahiSServiceResolver *r,
863
556
AvahiIfIndex interface,
864
AvahiProtocol proto,
557
AVAHI_GCC_UNUSED AvahiProtocol protocol,
865
558
AvahiResolverEvent event,
866
559
const char *name,
867
560
const char *type,
872
565
AVAHI_GCC_UNUSED AvahiStringList *txt,
873
566
AVAHI_GCC_UNUSED AvahiLookupResultFlags
874
567
flags,
875
AVAHI_GCC_UNUSED void* userdata){
876
assert(r);
568
void* userdata) {
569
mandos_context *mc = userdata;
570
assert(r); /* Spurious warning */
877
571
878
572
/* Called whenever a service has been resolved successfully or
879
573
timed out */
880
574
881
if(quit_now){
882
return;
883
}
884
885
switch(event){
575
switch (event) {
886
576
default:
887
577
case AVAHI_RESOLVER_FAILURE:
888
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
889
" of type '%s' in domain '%s': %s\n", name, type, domain,
890
avahi_strerror(avahi_server_errno(mc.server)));
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
580
avahi_strerror(avahi_server_errno(mc->server)));
891
581
break;
892
582
893
583
case AVAHI_RESOLVER_FOUND:
895
585
char ip[AVAHI_ADDRESS_STR_MAX];
896
586
avahi_address_snprint(ip, sizeof(ip), address);
897
587
if(debug){
898
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
899
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
900
ip, (intmax_t)interface, port);
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
901
590
}
902
int ret = start_mandos_communication(ip, port, interface,
903
avahi_proto_to_af(proto));
904
if(ret == 0){
905
avahi_simple_poll_quit(mc.simple_poll);
591
int ret = start_mandos_communication(ip, port, interface, mc);
592
if (ret == 0){
593
exit(EXIT_SUCCESS);
906
594
}
907
595
}
908
596
}
909
597
avahi_s_service_resolver_free(r);
910
598
}
911
599
912
static void browse_callback(AvahiSServiceBrowser *b,
913
AvahiIfIndex interface,
914
AvahiProtocol protocol,
915
AvahiBrowserEvent event,
916
const char *name,
917
const char *type,
918
const char *domain,
919
AVAHI_GCC_UNUSED AvahiLookupResultFlags
920
flags,
921
AVAHI_GCC_UNUSED void* userdata){
922
assert(b);
600
static void browse_callback( AvahiSServiceBrowser *b,
601
AvahiIfIndex interface,
602
AvahiProtocol protocol,
603
AvahiBrowserEvent event,
604
const char *name,
605
const char *type,
606
const char *domain,
607
AVAHI_GCC_UNUSED AvahiLookupResultFlags
608
flags,
609
void* userdata) {
610
mandos_context *mc = userdata;
611
assert(b); /* Spurious warning */
923
612
924
613
/* Called whenever a new services becomes available on the LAN or
925
614
is removed from the LAN */
926
615
927
if(quit_now){
928
return;
929
}
930
931
switch(event){
616
switch (event) {
932
617
default:
933
618
case AVAHI_BROWSER_FAILURE:
934
619
935
fprintf(stderr, "(Avahi browser) %s\n",
936
avahi_strerror(avahi_server_errno(mc.server)));
937
avahi_simple_poll_quit(mc.simple_poll);
620
fprintf(stderr, "(Browser) %s\n",
621
avahi_strerror(avahi_server_errno(mc->server)));
622
avahi_simple_poll_quit(mc->simple_poll);
938
623
return;
939
624
940
625
case AVAHI_BROWSER_NEW:
941
/* We ignore the returned Avahi resolver object. In the callback
942
function we free it. If the Avahi server is terminated before
943
the callback function is called the Avahi server will free the
944
resolver for us. */
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
945
630
946
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
947
name, type, domain, protocol, 0,
948
resolve_callback, NULL) == NULL)
949
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
950
name, avahi_strerror(avahi_server_errno(mc.server)));
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
632
protocol, name, type, domain,
633
AVAHI_PROTO_INET6, 0,
634
resolve_callback, mc)))
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
951
637
break;
952
638
953
639
case AVAHI_BROWSER_REMOVE:
955
641
956
642
case AVAHI_BROWSER_ALL_FOR_NOW:
957
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
958
if(debug){
959
fprintf(stderr, "No Mandos server found, still searching...\n");
960
}
961
644
break;
962
645
}
963
646
}
964
647
965
/* stop main loop after sigterm has been called */
966
static void handle_sigterm(int sig){
967
if(quit_now){
968
return;
969
}
970
quit_now = 1;
971
signal_received = sig;
972
int old_errno = errno;
973
if(mc.simple_poll != NULL){
974
avahi_simple_poll_quit(mc.simple_poll);
975
}
976
errno = old_errno;
977
}
978
979
/*
980
* This function determines if a directory entry in /sys/class/net
981
* corresponds to an acceptable network device.
982
* (This function is passed to scandir(3) as a filter function.)
983
*/
984
int good_interface(const struct dirent *if_entry){
985
ssize_t ssret;
986
char *flagname = NULL;
987
int ret = asprintf(&flagname, "%s/%s/flags", sys_class_net,
988
if_entry->d_name);
989
if(ret < 0){
990
perror("asprintf");
991
return 0;
992
}
993
if(if_entry->d_name[0] == '.'){
994
return 0;
995
}
996
int flags_fd = (int)TEMP_FAILURE_RETRY(open(flagname, O_RDONLY));
997
if(flags_fd == -1){
998
perror("open");
999
return 0;
1000
}
1001
typedef short ifreq_flags; /* ifreq.ifr_flags in netdevice(7) */
1002
/* read line from flags_fd */
1003
ssize_t to_read = (sizeof(ifreq_flags)*2)+3; /* "0x1003\n" */
1004
char *flagstring = malloc((size_t)to_read);
1005
if(flagstring == NULL){
1006
perror("malloc");
1007
close(flags_fd);
1008
return 0;
1009
}
1010
while(to_read > 0){
1011
ssret = (ssize_t)TEMP_FAILURE_RETRY(read(flags_fd, flagstring,
1012
(size_t)to_read));
1013
if(ssret == -1){
1014
perror("read");
1015
free(flagstring);
1016
close(flags_fd);
1017
return 0;
1018
}
1019
to_read -= ssret;
1020
if(ssret == 0){
1021
break;
1022
}
1023
}
1024
close(flags_fd);
1025
intmax_t tmpmax;
1026
char *tmp;
1027
errno = 0;
1028
tmpmax = strtoimax(flagstring, &tmp, 0);
1029
if(errno != 0 or tmp == flagstring or (*tmp != '\0'
1030
and not (isspace(*tmp)))
1031
or tmpmax != (ifreq_flags)tmpmax){
1032
free(flagstring);
1033
return 0;
1034
}
1035
free(flagstring);
1036
ifreq_flags flags = (ifreq_flags)tmpmax;
1037
/* Reject the loopback device */
1038
if(flags & IFF_LOOPBACK){
1039
return 0;
1040
}
1041
/* Accept point-to-point devices only if connect_to is specified */
1042
if(connect_to != NULL and (flags & IFF_POINTOPOINT)){
1043
return 1;
1044
}
1045
/* Otherwise, reject non-broadcast-capable devices */
1046
if(not (flags & IFF_BROADCAST)){
1047
return 0;
1048
}
1049
/* Accept this device */
1050
return 1;
1051
}
1052
1053
int main(int argc, char *argv[]){
1054
AvahiSServiceBrowser *sb = NULL;
1055
int error;
1056
int ret;
1057
intmax_t tmpmax;
1058
char *tmp;
1059
int exitcode = EXIT_SUCCESS;
1060
const char *interface = "";
1061
struct ifreq network;
1062
int sd = -1;
1063
bool take_down_interface = false;
1064
uid_t uid;
1065
gid_t gid;
1066
char tempdir[] = "/tmp/mandosXXXXXX";
1067
bool tempdir_created = false;
1068
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1069
const char *seckey = PATHDIR "/" SECKEY;
1070
const char *pubkey = PATHDIR "/" PUBKEY;
1071
1072
bool gnutls_initialized = false;
1073
bool gpgme_initialized = false;
1074
float delay = 2.5f;
1075
1076
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1077
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1078
1079
uid = getuid();
1080
gid = getgid();
1081
1082
/* Lower any group privileges we might have, just to be safe */
1083
errno = 0;
1084
ret = setgid(gid);
1085
if(ret == -1){
1086
perror("setgid");
1087
}
1088
1089
/* Lower user privileges (temporarily) */
1090
errno = 0;
1091
ret = seteuid(uid);
1092
if(ret == -1){
1093
perror("seteuid");
1094
}
1095
1096
if(quit_now){
1097
goto end;
1098
}
1099
1100
{
1101
struct argp_option options[] = {
1102
{ .name = "debug", .key = 128,
1103
.doc = "Debug mode", .group = 3 },
1104
{ .name = "connect", .key = 'c',
1105
.arg = "ADDRESS:PORT",
1106
.doc = "Connect directly to a specific Mandos server",
1107
.group = 1 },
1108
{ .name = "interface", .key = 'i',
1109
.arg = "NAME",
1110
.doc = "Network interface that will be used to search for"
1111
" Mandos servers",
1112
.group = 1 },
1113
{ .name = "seckey", .key = 's',
1114
.arg = "FILE",
1115
.doc = "OpenPGP secret key file base name",
1116
.group = 1 },
1117
{ .name = "pubkey", .key = 'p',
1118
.arg = "FILE",
1119
.doc = "OpenPGP public key file base name",
1120
.group = 2 },
1121
{ .name = "dh-bits", .key = 129,
1122
.arg = "BITS",
1123
.doc = "Bit length of the prime number used in the"
1124
" Diffie-Hellman key exchange",
1125
.group = 2 },
1126
{ .name = "priority", .key = 130,
1127
.arg = "STRING",
1128
.doc = "GnuTLS priority string for the TLS handshake",
1129
.group = 1 },
1130
{ .name = "delay", .key = 131,
1131
.arg = "SECONDS",
1132
.doc = "Maximum delay to wait for interface startup",
1133
.group = 2 },
1134
{ .name = NULL }
1135
};
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
655
return NULL;
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
665
return tmp;
666
}
667
668
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
671
AvahiSServiceBrowser *sb = NULL;
672
int error;
673
int ret;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
676
const char *interface = "eth0";
677
struct ifreq network;
678
int sd;
679
char *connect_to = NULL;
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
682
.dh_bits = 1024, .priority = "SECURE256"};
1136
683
1137
error_t parse_opt(int key, char *arg,
1138
struct argp_state *state){
1139
switch(key){
1140
case 128: /* --debug */
1141
debug = true;
1142
break;
1143
case 'c': /* --connect */
1144
connect_to = arg;
1145
break;
1146
case 'i': /* --interface */
1147
interface = arg;
1148
break;
1149
case 's': /* --seckey */
1150
seckey = arg;
1151
break;
1152
case 'p': /* --pubkey */
1153
pubkey = arg;
1154
break;
1155
case 129: /* --dh-bits */
1156
errno = 0;
1157
tmpmax = strtoimax(arg, &tmp, 10);
1158
if(errno != 0 or tmp == arg or *tmp != '\0'
1159
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1160
fprintf(stderr, "Bad number of DH bits\n");
1161
exit(EXIT_FAILURE);
1162
}
1163
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1164
break;
1165
case 130: /* --priority */
1166
mc.priority = arg;
1167
break;
1168
case 131: /* --delay */
1169
errno = 0;
1170
delay = strtof(arg, &tmp);
1171
if(errno != 0 or tmp == arg or *tmp != '\0'){
1172
fprintf(stderr, "Bad delay\n");
1173
exit(EXIT_FAILURE);
1174
}
1175
break;
1176
case ARGP_KEY_ARG:
1177
argp_usage(state);
1178
case ARGP_KEY_END:
1179
break;
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
729
}
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
1180
735
default:
1181
return ARGP_ERR_UNKNOWN;
1182
}
1183
return 0;
1184
}
1185
1186
struct argp argp = { .options = options, .parser = parse_opt,
1187
.args_doc = "",
1188
.doc = "Mandos client -- Get and decrypt"
1189
" passwords from a Mandos server" };
1190
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1191
if(ret == ARGP_ERR_UNKNOWN){
1192
fprintf(stderr, "Unknown error while parsing arguments\n");
1193
exitcode = EXIT_FAILURE;
1194
goto end;
1195
}
1196
}
1197
1198
if(not debug){
1199
avahi_set_log_function(empty_log);
1200
}
1201
1202
if(interface[0] == '\0'){
1203
struct dirent **direntries;
1204
ret = scandir(sys_class_net, &direntries, good_interface,
1205
alphasort);
1206
if(ret >= 1){
1207
/* Pick the first good interface */
1208
interface = strdup(direntries[0]->d_name);
1209
if(interface == NULL){
1210
perror("malloc");
1211
free(direntries);
1212
exitcode = EXIT_FAILURE;
1213
goto end;
1214
}
1215
free(direntries);
1216
} else {
1217
free(direntries);
1218
fprintf(stderr, "Could not find a network interface\n");
1219
exitcode = EXIT_FAILURE;
1220
goto end;
1221
}
1222
}
1223
1224
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1225
from the signal handler */
1226
/* Initialize the pseudo-RNG for Avahi */
1227
srand((unsigned int) time(NULL));
1228
mc.simple_poll = avahi_simple_poll_new();
1229
if(mc.simple_poll == NULL){
1230
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1231
exitcode = EXIT_FAILURE;
1232
goto end;
1233
}
1234
1235
sigemptyset(&sigterm_action.sa_mask);
1236
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1237
if(ret == -1){
1238
perror("sigaddset");
1239
exitcode = EXIT_FAILURE;
1240
goto end;
1241
}
1242
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1243
if(ret == -1){
1244
perror("sigaddset");
1245
exitcode = EXIT_FAILURE;
1246
goto end;
1247
}
1248
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1249
if(ret == -1){
1250
perror("sigaddset");
1251
exitcode = EXIT_FAILURE;
1252
goto end;
1253
}
1254
/* Need to check if the handler is SIG_IGN before handling:
1255
| [[info:libc:Initial Signal Actions]] |
1256
| [[info:libc:Basic Signal Handling]] |
1257
*/
1258
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1259
if(ret == -1){
1260
perror("sigaction");
1261
return EXIT_FAILURE;
1262
}
1263
if(old_sigterm_action.sa_handler != SIG_IGN){
1264
ret = sigaction(SIGINT, &sigterm_action, NULL);
1265
if(ret == -1){
1266
perror("sigaction");
1267
exitcode = EXIT_FAILURE;
1268
goto end;
1269
}
1270
}
1271
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1272
if(ret == -1){
1273
perror("sigaction");
1274
return EXIT_FAILURE;
1275
}
1276
if(old_sigterm_action.sa_handler != SIG_IGN){
1277
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1278
if(ret == -1){
1279
perror("sigaction");
1280
exitcode = EXIT_FAILURE;
1281
goto end;
1282
}
1283
}
1284
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1285
if(ret == -1){
1286
perror("sigaction");
1287
return EXIT_FAILURE;
1288
}
1289
if(old_sigterm_action.sa_handler != SIG_IGN){
1290
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1291
if(ret == -1){
1292
perror("sigaction");
1293
exitcode = EXIT_FAILURE;
1294
goto end;
1295
}
1296
}
1297
1298
/* If the interface is down, bring it up */
1299
if(strcmp(interface, "none") != 0){
736
exit(EXIT_FAILURE);
737
}
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
752
}
753
1300
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
1301
755
if(if_index == 0){
1302
756
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1303
exitcode = EXIT_FAILURE;
1304
goto end;
1305
}
1306
1307
if(quit_now){
1308
goto end;
1309
}
1310
1311
/* Re-raise priviliges */
1312
errno = 0;
1313
ret = seteuid(0);
1314
if(ret == -1){
1315
perror("seteuid");
1316
}
1317
1318
#ifdef __linux__
1319
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1320
messages to mess up the prompt */
1321
ret = klogctl(8, NULL, 5);
1322
bool restore_loglevel = true;
1323
if(ret == -1){
1324
restore_loglevel = false;
1325
perror("klogctl");
1326
}
1327
#endif /* __linux__ */
757
exit(EXIT_FAILURE);
758
}
759
760
if(connect_to != NULL){
761
/* Connect directly, do not use Zeroconf */
762
/* (Mainly meant for debugging) */
763
char *address = strrchr(connect_to, ':');
764
if(address == NULL){
765
fprintf(stderr, "No colon in address\n");
766
exit(EXIT_FAILURE);
767
}
768
errno = 0;
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
770
if(errno){
771
perror("Bad port number");
772
exit(EXIT_FAILURE);
773
}
774
*address = '\0';
775
address = connect_to;
776
ret = start_mandos_communication(address, port, if_index, &mc);
777
if(ret < 0){
778
exit(EXIT_FAILURE);
779
} else {
780
exit(EXIT_SUCCESS);
781
}
782
}
1328
783
1329
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1330
if(sd < 0){
785
if(sd < 0) {
1331
786
perror("socket");
1332
exitcode = EXIT_FAILURE;
1333
#ifdef __linux__
1334
if(restore_loglevel){
1335
ret = klogctl(7, NULL, 0);
1336
if(ret == -1){
1337
perror("klogctl");
1338
}
1339
}
1340
#endif /* __linux__ */
1341
/* Lower privileges */
1342
errno = 0;
1343
ret = seteuid(uid);
1344
if(ret == -1){
1345
perror("seteuid");
1346
}
1347
goto end;
787
returncode = EXIT_FAILURE;
788
goto exit;
1348
789
}
1349
strcpy(network.ifr_name, interface);
790
strcpy(network.ifr_name, interface); /* Spurious warning */
1350
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1351
792
if(ret == -1){
793
1352
794
perror("ioctl SIOCGIFFLAGS");
1353
#ifdef __linux__
1354
if(restore_loglevel){
1355
ret = klogctl(7, NULL, 0);
1356
if(ret == -1){
1357
perror("klogctl");
1358
}
1359
}
1360
#endif /* __linux__ */
1361
exitcode = EXIT_FAILURE;
1362
/* Lower privileges */
1363
errno = 0;
1364
ret = seteuid(uid);
1365
if(ret == -1){
1366
perror("seteuid");
1367
}
1368
goto end;
795
returncode = EXIT_FAILURE;
796
goto exit;
1369
797
}
1370
798
if((network.ifr_flags & IFF_UP) == 0){
1371
799
network.ifr_flags |= IFF_UP;
1372
take_down_interface = true;
1373
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1374
801
if(ret == -1){
1375
take_down_interface = false;
1376
802
perror("ioctl SIOCSIFFLAGS");
1377
exitcode = EXIT_FAILURE;
1378
#ifdef __linux__
1379
if(restore_loglevel){
1380
ret = klogctl(7, NULL, 0);
1381
if(ret == -1){
1382
perror("klogctl");
1383
}
1384
}
1385
#endif /* __linux__ */
1386
/* Lower privileges */
1387
errno = 0;
1388
ret = seteuid(uid);
1389
if(ret == -1){
1390
perror("seteuid");
1391
}
1392
goto end;
1393
}
1394
}
1395
/* sleep checking until interface is running */
1396
for(int i=0; i < delay * 4; i++){
1397
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1398
if(ret == -1){
1399
perror("ioctl SIOCGIFFLAGS");
1400
} else if(network.ifr_flags & IFF_RUNNING){
1401
break;
1402
}
1403
struct timespec sleeptime = { .tv_nsec = 250000000 };
1404
ret = nanosleep(&sleeptime, NULL);
1405
if(ret == -1 and errno != EINTR){
1406
perror("nanosleep");
1407
}
1408
}
1409
if(not take_down_interface){
1410
/* We won't need the socket anymore */
1411
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1412
if(ret == -1){
1413
perror("close");
1414
}
1415
}
1416
#ifdef __linux__
1417
if(restore_loglevel){
1418
/* Restores kernel loglevel to default */
1419
ret = klogctl(7, NULL, 0);
1420
if(ret == -1){
1421
perror("klogctl");
1422
}
1423
}
1424
#endif /* __linux__ */
1425
/* Lower privileges */
1426
errno = 0;
1427
if(take_down_interface){
1428
/* Lower privileges */
1429
ret = seteuid(uid);
1430
if(ret == -1){
1431
perror("seteuid");
1432
}
1433
} else {
1434
/* Lower privileges permanently */
1435
ret = setuid(uid);
1436
if(ret == -1){
1437
perror("setuid");
1438
}
1439
}
1440
}
1441
1442
if(quit_now){
1443
goto end;
1444
}
1445
1446
ret = init_gnutls_global(pubkey, seckey);
1447
if(ret == -1){
1448
fprintf(stderr, "init_gnutls_global failed\n");
1449
exitcode = EXIT_FAILURE;
1450
goto end;
1451
} else {
1452
gnutls_initialized = true;
1453
}
1454
1455
if(quit_now){
1456
goto end;
1457
}
1458
1459
tempdir_created = true;
1460
if(mkdtemp(tempdir) == NULL){
1461
tempdir_created = false;
1462
perror("mkdtemp");
1463
goto end;
1464
}
1465
1466
if(quit_now){
1467
goto end;
1468
}
1469
1470
if(not init_gpgme(pubkey, seckey, tempdir)){
1471
fprintf(stderr, "init_gpgme failed\n");
1472
exitcode = EXIT_FAILURE;
1473
goto end;
1474
} else {
1475
gpgme_initialized = true;
1476
}
1477
1478
if(quit_now){
1479
goto end;
1480
}
1481
1482
if(connect_to != NULL){
1483
/* Connect directly, do not use Zeroconf */
1484
/* (Mainly meant for debugging) */
1485
char *address = strrchr(connect_to, ':');
1486
if(address == NULL){
1487
fprintf(stderr, "No colon in address\n");
1488
exitcode = EXIT_FAILURE;
1489
goto end;
1490
}
1491
1492
if(quit_now){
1493
goto end;
1494
}
1495
1496
uint16_t port;
1497
errno = 0;
1498
tmpmax = strtoimax(address+1, &tmp, 10);
1499
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1500
or tmpmax != (uint16_t)tmpmax){
1501
fprintf(stderr, "Bad port number\n");
1502
exitcode = EXIT_FAILURE;
1503
goto end;
1504
}
1505
1506
if(quit_now){
1507
goto end;
1508
}
1509
1510
port = (uint16_t)tmpmax;
1511
*address = '\0';
1512
address = connect_to;
1513
/* Colon in address indicates IPv6 */
1514
int af;
1515
if(strchr(address, ':') != NULL){
1516
af = AF_INET6;
1517
} else {
1518
af = AF_INET;
1519
}
1520
1521
if(quit_now){
1522
goto end;
1523
}
1524
1525
ret = start_mandos_communication(address, port, if_index, af);
1526
if(ret < 0){
1527
exitcode = EXIT_FAILURE;
1528
} else {
1529
exitcode = EXIT_SUCCESS;
1530
}
1531
goto end;
1532
}
1533
1534
if(quit_now){
1535
goto end;
1536
}
1537
1538
{
1539
AvahiServerConfig config;
1540
/* Do not publish any local Zeroconf records */
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
808
809
if (not debug){
810
avahi_set_log_function(empty_log);
811
}
812
813
/* Initialize the psuedo-RNG */
814
srand((unsigned int) time(NULL));
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
1541
824
avahi_server_config_init(&config);
1542
825
config.publish_hinfo = 0;
1543
826
config.publish_addresses = 0;
1544
827
config.publish_workstation = 0;
1545
828
config.publish_domain = 0;
1546
829
1547
830
/* Allocate a new server */
1548
mc.server = avahi_server_new(avahi_simple_poll_get
1549
(mc.simple_poll), &config, NULL,
1550
NULL, &error);
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
1551
833
1552
/* Free the Avahi configuration data */
834
/* Free the configuration data */
1553
835
avahi_server_config_free(&config);
1554
}
1555
1556
/* Check if creating the Avahi server object succeeded */
1557
if(mc.server == NULL){
1558
fprintf(stderr, "Failed to create Avahi server: %s\n",
1559
avahi_strerror(error));
1560
exitcode = EXIT_FAILURE;
1561
goto end;
1562
}
1563
1564
if(quit_now){
1565
goto end;
1566
}
1567
1568
/* Create the Avahi service browser */
1569
sb = avahi_s_service_browser_new(mc.server, if_index,
1570
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1571
NULL, 0, browse_callback, NULL);
1572
if(sb == NULL){
1573
fprintf(stderr, "Failed to create service browser: %s\n",
1574
avahi_strerror(avahi_server_errno(mc.server)));
1575
exitcode = EXIT_FAILURE;
1576
goto end;
1577
}
1578
1579
if(quit_now){
1580
goto end;
1581
}
1582
1583
/* Run the main loop */
1584
1585
if(debug){
1586
fprintf(stderr, "Starting Avahi loop search\n");
1587
}
1588
1589
avahi_simple_poll_loop(mc.simple_poll);
1590
1591
end:
1592
1593
if(debug){
1594
fprintf(stderr, "%s exiting\n", argv[0]);
1595
}
1596
1597
/* Cleanup things */
1598
if(sb != NULL)
1599
avahi_s_service_browser_free(sb);
1600
1601
if(mc.server != NULL)
1602
avahi_server_free(mc.server);
1603
1604
if(mc.simple_poll != NULL)
1605
avahi_simple_poll_free(mc.simple_poll);
1606
1607
if(gnutls_initialized){
1608
gnutls_certificate_free_credentials(mc.cred);
1609
gnutls_global_deinit();
1610
gnutls_dh_params_deinit(mc.dh_params);
1611
}
1612
1613
if(gpgme_initialized){
1614
gpgme_release(mc.ctx);
1615
}
1616
1617
/* Take down the network interface */
1618
if(take_down_interface){
1619
/* Re-raise priviliges */
1620
errno = 0;
1621
ret = seteuid(0);
1622
if(ret == -1){
1623
perror("seteuid");
1624
}
1625
if(geteuid() == 0){
1626
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1627
if(ret == -1){
1628
perror("ioctl SIOCGIFFLAGS");
1629
} else if(network.ifr_flags & IFF_UP) {
1630
network.ifr_flags &= ~IFF_UP; /* clear flag */
1631
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1632
if(ret == -1){
1633
perror("ioctl SIOCSIFFLAGS");
1634
}
1635
}
1636
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1637
if(ret == -1){
1638
perror("close");
1639
}
1640
/* Lower privileges permanently */
1641
errno = 0;
1642
ret = setuid(uid);
1643
if(ret == -1){
1644
perror("setuid");
1645
}
1646
}
1647
}
1648
1649
/* Removes the temp directory used by GPGME */
1650
if(tempdir_created){
1651
DIR *d;
1652
struct dirent *direntry;
1653
d = opendir(tempdir);
1654
if(d == NULL){
1655
if(errno != ENOENT){
1656
perror("opendir");
1657
}
1658
} else {
1659
while(true){
1660
direntry = readdir(d);
1661
if(direntry == NULL){
1662
break;
1663
}
1664
/* Skip "." and ".." */
1665
if(direntry->d_name[0] == '.'
1666
and (direntry->d_name[1] == '\0'
1667
or (direntry->d_name[1] == '.'
1668
and direntry->d_name[2] == '\0'))){
1669
continue;
1670
}
1671
char *fullname = NULL;
1672
ret = asprintf(&fullname, "%s/%s", tempdir,
1673
direntry->d_name);
1674
if(ret < 0){
1675
perror("asprintf");
1676
continue;
1677
}
1678
ret = remove(fullname);
1679
if(ret == -1){
1680
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1681
strerror(errno));
1682
}
1683
free(fullname);
1684
}
1685
closedir(d);
1686
}
1687
ret = rmdir(tempdir);
1688
if(ret == -1 and errno != ENOENT){
1689
perror("rmdir");
1690
}
1691
}
1692
1693
if(quit_now){
1694
sigemptyset(&old_sigterm_action.sa_mask);
1695
old_sigterm_action.sa_handler = SIG_DFL;
1696
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1697
&old_sigterm_action,
1698
NULL));
1699
if(ret == -1){
1700
perror("sigaction");
1701
}
1702
do {
1703
ret = raise(signal_received);
1704
} while(ret != 0 and errno == EINTR);
1705
if(ret != 0){
1706
perror("raise");
1707
abort();
1708
}
1709
TEMP_FAILURE_RETRY(pause());
1710
}
1711
1712
return exitcode;
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
840
avahi_strerror(error));
841
returncode = EXIT_FAILURE;
842
goto exit;
843
}
844
845
/* Create the service browser */
846
sb = avahi_s_service_browser_new(mc.server, if_index,
847
AVAHI_PROTO_INET6,
848
"_mandos._tcp", NULL, 0,
849
browse_callback, &mc);
850
if (!sb) {
851
fprintf(stderr, "Failed to create service browser: %s\n",
852
avahi_strerror(avahi_server_errno(mc.server)));
853
returncode = EXIT_FAILURE;
854
goto exit;
855
}
856
857
/* Run the main loop */
858
859
if (debug){
860
fprintf(stderr, "Starting avahi loop search\n");
861
}
862
863
avahi_simple_poll_loop(mc.simple_poll);
864
865
exit:
866
867
if (debug){
868
fprintf(stderr, "%s exiting\n", argv[0]);
869
}
870
871
/* Cleanup things */
872
if (sb)
873
avahi_s_service_browser_free(sb);
874
875
if (mc.server)
876
avahi_server_free(mc.server);
877
878
if (mc.simple_poll)
879
avahi_simple_poll_free(mc.simple_poll);
880
free(pubkeyfile);
881
free(seckeyfile);
882
883
return returncode;
1713
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0