/mandos/trunk : revision 39

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

35

#include <stdio.h>

38

36

#include <assert.h>

39

37

#include <stdlib.h>

51

49

#include <avahi-common/malloc.h>

52

50

#include <avahi-common/error.h>

53

51

54

/* Mandos client part */

52

//mandos client part

55

53

#include <sys/types.h> /* socket(), inet_pton() */

56

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

57

55

struct in6_addr, inet_pton() */

64

62

#include <string.h> /* memset */

65

63

#include <arpa/inet.h> /* inet_pton() */

66

64

#include <iso646.h> /* not */

67

#include <net/if.h> /* IF_NAMESIZE */

68

#include <argp.h> /* struct argp_option,

69

struct argp_state, struct argp,

70

argp_parse() */

71

/* GPGME */

65

66

// gpgme

72

67

#include <errno.h> /* perror() */

73

68

#include <gpgme.h>

74

69

70

// getopt_long

71

#include <getopt.h>

72

75

73

#define BUFFER_SIZE 256

76

74

75

static const char *keydir = "/conf/conf.d/mandos";

76

static const char *pubkeyfile = "pubkey.txt";

77

static const char *seckeyfile = "seckey.txt";

78

77

79

bool debug = false;

78

static const char *keydir = "/conf/conf.d/mandos";

79

static const char mandos_protocol_version[] = "1";

80

const char *argp_program_version = "mandosclient 0.9";

81

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

82

80

83

/* Used for passing in values through the Avahi callback functions */

81

/* Used for passing in values through all the callback functions */

84

82

typedef struct {

85

83

AvahiSimplePoll *simple_poll;

86

84

AvahiServer *server;

87

85

gnutls_certificate_credentials_t cred;

88

86

unsigned int dh_bits;

89

gnutls_dh_params_t dh_params;

90

87

const char *priority;

91

88

} mandos_context;

92

89

93

/*

94

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

95

* "buffer_capacity" is how much is currently allocated,

96

* "buffer_length" is how much is already used.

97

*/

98

size_t adjustbuffer(char **buffer, size_t buffer_length,

99

size_t buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

101

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

102

if (buffer == NULL){

103

return 0;

104

}

105

buffer_capacity += BUFFER_SIZE;

106

}

107

return buffer_capacity;

108

}

109

110

90

/*

111

91

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

92

* Returns -1 on error

119

99

gpgme_ctx_t ctx;

120

100

gpgme_error_t rc;

121

101

ssize_t ret;

122

size_t plaintext_capacity = 0;

102

ssize_t plaintext_capacity = 0;

123

103

ssize_t plaintext_length = 0;

124

104

gpgme_engine_info_t engine_info;

125

105

235

215

236

216

*plaintext = NULL;

237

217

while(true){

238

plaintext_capacity = adjustbuffer(plaintext,

239

(size_t)plaintext_length,

240

plaintext_capacity);

241

if (plaintext_capacity == 0){

242

perror("adjustbuffer");

218

if (plaintext_length + BUFFER_SIZE > plaintext_capacity){

219

*plaintext = realloc(*plaintext,

220

(unsigned int)plaintext_capacity

221

+ BUFFER_SIZE);

222

if (*plaintext == NULL){

223

perror("realloc");

243

224

plaintext_length = -1;

244

225

goto decrypt_end;

226

}

227

plaintext_capacity += BUFFER_SIZE;

245

228

}

246

229

247

230

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

261

244

262

245

if(debug){

263

246

fprintf(stderr, "Decrypted password is: ");

264

for(ssize_t i = 0; i < plaintext_length; i++){

247

for(size_t i = 0; i < plaintext_length; i++){

265

248

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

266

249

}

267

250

fprintf(stderr, "\n");

284

267

return ret;

285

268

}

286

269

287

/* GnuTLS log function callback */

288

270

static void debuggnutls(__attribute__((unused)) int level,

289

271

const char* string){

290

fprintf(stderr, "GnuTLS: %s", string);

272

fprintf(stderr, "%s", string);

291

273

}

292

274

293

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

275

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

276

gnutls_dh_params_t *dh_params){

277

const char *err;

296

278

int ret;

297

279

298

280

if(debug){

301

283

302

284

if ((ret = gnutls_global_init ())

303

285

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

286

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

306

287

return -1;

307

288

}

308

289

309

290

if (debug){

310

/* "Use a log level over 10 to enable all debugging options."

311

* - GnuTLS manual

312

*/

313

291

gnutls_global_set_log_level(11);

314

292

gnutls_global_set_log_function(debuggnutls);

315

293

}

316

294

317

/* OpenPGP credentials */

295

/* openpgp credentials */

318

296

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

319

297

!= GNUTLS_E_SUCCESS) {

320

fprintf (stderr, "GnuTLS memory error: %s\n",

298

fprintf (stderr, "memory error: %s\n",

321

299

safer_gnutls_strerror(ret));

322

gnutls_global_deinit ();

323

300

return -1;

324

301

}

325

302

332

309

ret = gnutls_certificate_set_openpgp_key_file

333

310

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

334

311

if (ret != GNUTLS_E_SUCCESS) {

335

fprintf(stderr,

336

"Error[%d] while reading the OpenPGP key pair ('%s',"

337

" '%s')\n", ret, pubkeyfile, seckeyfile);

338

fprintf(stdout, "The GnuTLS error is: %s\n",

312

fprintf

313

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

314

" '%s')\n",

315

ret, pubkeyfile, seckeyfile);

316

fprintf(stdout, "The Error is: %s\n",

339

317

safer_gnutls_strerror(ret));

340

goto globalfail;

341

}

342

343

/* GnuTLS server initialization */

344

ret = gnutls_dh_params_init(&mc->dh_params);

345

if (ret != GNUTLS_E_SUCCESS) {

346

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

347

" %s\n", safer_gnutls_strerror(ret));

348

goto globalfail;

349

}

350

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

351

if (ret != GNUTLS_E_SUCCESS) {

352

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

353

safer_gnutls_strerror(ret));

354

goto globalfail;

355

}

356

357

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

358

359

return 0;

360

361

globalfail:

362

363

gnutls_certificate_free_credentials (mc->cred);

364

gnutls_global_deinit ();

365

return -1;

366

367

}

368

369

static int init_gnutls_session(mandos_context *mc,

370

gnutls_session_t *session){

371

int ret;

372

/* GnuTLS session creation */

373

ret = gnutls_init(session, GNUTLS_SERVER);

374

if (ret != GNUTLS_E_SUCCESS){

318

return -1;

319

}

320

321

//GnuTLS server initialization

322

if ((ret = gnutls_dh_params_init(dh_params))

323

!= GNUTLS_E_SUCCESS) {

324

fprintf (stderr, "Error in dh parameter initialization: %s\n",

325

safer_gnutls_strerror(ret));

326

return -1;

327

}

328

329

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

330

!= GNUTLS_E_SUCCESS) {

331

fprintf (stderr, "Error in prime generation: %s\n",

332

safer_gnutls_strerror(ret));

333

return -1;

334

}

335

336

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

337

338

// GnuTLS session creation

339

if ((ret = gnutls_init(session, GNUTLS_SERVER))

340

!= GNUTLS_E_SUCCESS){

375

341

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

376

342

safer_gnutls_strerror(ret));

377

343

}

378

344

379

{

380

const char *err;

381

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

382

if (ret != GNUTLS_E_SUCCESS) {

383

fprintf(stderr, "Syntax error at: %s\n", err);

384

fprintf(stderr, "GnuTLS error: %s\n",

385

safer_gnutls_strerror(ret));

386

gnutls_deinit (*session);

387

return -1;

388

}

345

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

346

!= GNUTLS_E_SUCCESS) {

347

fprintf(stderr, "Syntax error at: %s\n", err);

348

fprintf(stderr, "GnuTLS error: %s\n",

349

safer_gnutls_strerror(ret));

350

return -1;

389

351

}

390

352

391

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

392

mc->cred);

393

if (ret != GNUTLS_E_SUCCESS) {

394

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

353

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

354

mc->cred))

355

!= GNUTLS_E_SUCCESS) {

356

fprintf(stderr, "Error setting a credentials set: %s\n",

395

357

safer_gnutls_strerror(ret));

396

gnutls_deinit (*session);

397

358

return -1;

398

359

}

399

360

406

367

return 0;

407

368

}

408

369

409

/* Avahi log function callback */

410

370

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

411

371

__attribute__((unused)) const char *txt){}

412

372

413

/* Called when a Mandos server is found */

414

373

static int start_mandos_communication(const char *ip, uint16_t port,

415

374

AvahiIfIndex if_index,

416

375

mandos_context *mc){

417

376

int ret, tcp_sd;

418

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

377

struct sockaddr_in6 to;

419

378

char *buffer = NULL;

420

379

char *decrypted_buffer;

421

380

size_t buffer_length = 0;

422

381

size_t buffer_capacity = 0;

423

382

ssize_t decrypted_buffer_size;

424

size_t written;

383

size_t written = 0;

425

384

int retval = 0;

426

385

char interface[IF_NAMESIZE];

427

386

gnutls_session_t session;

428

429

ret = init_gnutls_session (mc, &session);

430

if (ret != 0){

431

return -1;

432

}

387

gnutls_dh_params_t dh_params;

433

388

434

389

if(debug){

435

390

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

451

406

}

452

407

453

408

memset(&to,0,sizeof(to)); /* Spurious warning */

454

to.in6.sin6_family = AF_INET6;

455

/* It would be nice to have a way to detect if we were passed an

456

IPv4 address here. Now we assume an IPv6 address. */

457

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

409

to.sin6_family = AF_INET6;

410

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

458

411

if (ret < 0 ){

459

412

perror("inet_pton");

460

413

return -1;

463

416

fprintf(stderr, "Bad address: %s\n", ip);

464

417

return -1;

465

418

}

466

to.in6.sin6_port = htons(port); /* Spurious warning */

419

to.sin6_port = htons(port); /* Spurious warning */

467

420

468

to.in6.sin6_scope_id = (uint32_t)if_index;

421

to.sin6_scope_id = (uint32_t)if_index;

469

422

470

423

if(debug){

471

424

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

472

425

char addrstr[INET6_ADDRSTRLEN] = "";

473

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

426

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

474

427

sizeof(addrstr)) == NULL){

475

428

perror("inet_ntop");

476

429

} else {

480

433

}

481

434

}

482

435

483

ret = connect(tcp_sd, &to.in, sizeof(to));

436

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

484

437

if (ret < 0){

485

438

perror("connect");

486

439

return -1;

487

440

}

488

489

const char *out = mandos_protocol_version;

490

written = 0;

491

while (true){

492

size_t out_size = strlen(out);

493

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

494

out_size - written));

495

if (ret == -1){

496

perror("write");

497

retval = -1;

498

goto mandos_end;

499

}

500

written += (size_t)ret;

501

if(written < out_size){

502

continue;

503

} else {

504

if (out == mandos_protocol_version){

505

written = 0;

506

out = "\r\n";

507

} else {

508

break;

509

}

510

}

441

442

ret = initgnutls (mc, &session, &dh_params);

443

if (ret != 0){

444

retval = -1;

445

return -1;

511

446

}

512

447

448

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

449

513

450

if(debug){

514

451

fprintf(stderr, "Establishing TLS session with %s\n", ip);

515

452

}

516

453

517

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

518

519

454

ret = gnutls_handshake (session);

520

455

521

456

if (ret != GNUTLS_E_SUCCESS){

522

457

if(debug){

523

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

458

fprintf(stderr, "\n*** Handshake failed ***\n");

524

459

gnutls_perror (ret);

525

460

}

526

461

retval = -1;

527

goto mandos_end;

462

goto exit;

528

463

}

529

464

530

/* Read OpenPGP packet that contains the wanted password */

465

//Retrieve OpenPGP packet that contains the wanted password

531

466

532

467

if(debug){

533

468

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

535

470

}

536

471

537

472

while(true){

538

buffer_capacity = adjustbuffer(&buffer, buffer_length,

539

buffer_capacity);

540

if (buffer_capacity == 0){

541

perror("adjustbuffer");

542

retval = -1;

543

goto mandos_end;

473

if (buffer_length + BUFFER_SIZE > buffer_capacity){

474

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

475

if (buffer == NULL){

476

perror("realloc");

477

goto exit;

478

}

479

buffer_capacity += BUFFER_SIZE;

544

480

}

545

481

546

482

ret = gnutls_record_recv(session, buffer+buffer_length,

556

492

case GNUTLS_E_REHANDSHAKE:

557

493

ret = gnutls_handshake (session);

558

494

if (ret < 0){

559

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

495

fprintf(stderr, "\n*** Handshake failed ***\n");

560

496

gnutls_perror (ret);

561

497

retval = -1;

562

goto mandos_end;

498

goto exit;

563

499

}

564

500

break;

565

501

default:

566

502

fprintf(stderr, "Unknown error while reading data from"

567

" encrypted session with Mandos server\n");

503

" encrypted session with mandos server\n");

568

504

retval = -1;

569

505

gnutls_bye (session, GNUTLS_SHUT_RDWR);

570

goto mandos_end;

506

goto exit;

571

507

}

572

508

} else {

573

509

buffer_length += (size_t) ret;

574

510

}

575

511

}

576

512

577

if(debug){

578

fprintf(stderr, "Closing TLS session\n");

579

}

580

581

gnutls_bye (session, GNUTLS_SHUT_RDWR);

582

583

513

if (buffer_length > 0){

584

514

decrypted_buffer_size = pgp_packet_decrypt(buffer,

585

515

buffer_length,

586

516

&decrypted_buffer,

587

517

keydir);

588

518

if (decrypted_buffer_size >= 0){

589

written = 0;

590

519

while(written < (size_t) decrypted_buffer_size){

591

520

ret = (int)fwrite (decrypted_buffer + written, 1,

592

521

(size_t)decrypted_buffer_size - written,

606

535

retval = -1;

607

536

}

608

537

}

609

610

/* Shutdown procedure */

611

612

mandos_end:

538

539

//shutdown procedure

540

541

if(debug){

542

fprintf(stderr, "Closing TLS session\n");

543

}

544

613

545

free(buffer);

546

gnutls_bye (session, GNUTLS_SHUT_RDWR);

547

exit:

614

548

close(tcp_sd);

615

549

gnutls_deinit (session);

550

gnutls_certificate_free_credentials (mc->cred);

551

gnutls_global_deinit ();

616

552

return retval;

617

553

}

618

554

639

575

switch (event) {

640

576

default:

641

577

case AVAHI_RESOLVER_FAILURE:

642

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

643

" of type '%s' in domain '%s': %s\n", name, type, domain,

578

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

579

" type '%s' in domain '%s': %s\n", name, type, domain,

644

580

avahi_strerror(avahi_server_errno(mc->server)));

645

581

break;

646

582

649

585

char ip[AVAHI_ADDRESS_STR_MAX];

650

586

avahi_address_snprint(ip, sizeof(ip), address);

651

587

if(debug){

652

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

653

" port %d\n", name, host_name, ip, interface, port);

588

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

589

" port %d\n", name, host_name, ip, port);

654

590

}

655

591

int ret = start_mandos_communication(ip, port, interface, mc);

656

592

if (ret == 0){

681

617

default:

682

618

case AVAHI_BROWSER_FAILURE:

683

619

684

fprintf(stderr, "(Avahi browser) %s\n",

620

fprintf(stderr, "(Browser) %s\n",

685

621

avahi_strerror(avahi_server_errno(mc->server)));

686

622

avahi_simple_poll_quit(mc->simple_poll);

687

623

return;

688

624

689

625

case AVAHI_BROWSER_NEW:

690

/* We ignore the returned Avahi resolver object. In the callback

691

function we free it. If the Avahi server is terminated before

692

the callback function is called the Avahi server will free the

693

resolver for us. */

626

/* We ignore the returned resolver object. In the callback

627

function we free it. If the server is terminated before

628

the callback function is called the server will free

629

the resolver for us. */

694

630

695

631

if (!(avahi_s_service_resolver_new(mc->server, interface,

696

632

protocol, name, type, domain,

697

633

AVAHI_PROTO_INET6, 0,

698

634

resolve_callback, mc)))

699

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

700

name, avahi_strerror(avahi_server_errno(mc->server)));

635

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

636

avahi_strerror(avahi_server_errno(mc->server)));

701

637

break;

702

638

703

639

case AVAHI_BROWSER_REMOVE:

705

641

706

642

case AVAHI_BROWSER_ALL_FOR_NOW:

707

643

case AVAHI_BROWSER_CACHE_EXHAUSTED:

708

if(debug){

709

fprintf(stderr, "No Mandos server found, still searching...\n");

710

}

711

644

break;

712

645

}

713

646

}

733

666

}

734

667

735

668

736

int main(int argc, char *argv[]){

669

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

670

AvahiServerConfig config;

737

671

AvahiSServiceBrowser *sb = NULL;

738

672

int error;

739

673

int ret;

740

int exitcode = EXIT_SUCCESS;

674

int debug_int;

675

int returncode = EXIT_SUCCESS;

741

676

const char *interface = "eth0";

742

677

struct ifreq network;

743

678

int sd;

744

uid_t uid;

745

gid_t gid;

746

679

char *connect_to = NULL;

747

680

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

748

const char *pubkeyfile = "pubkey.txt";

749

const char *seckeyfile = "seckey.txt";

750

681

mandos_context mc = { .simple_poll = NULL, .server = NULL,

751

682

.dh_bits = 1024, .priority = "SECURE256"};

752

bool gnutls_initalized = false;

753

683

754

{

755

struct argp_option options[] = {

756

{ .name = "debug", .key = 128,

757

.doc = "Debug mode", .group = 3 },

758

{ .name = "connect", .key = 'c',

759

.arg = "IP",

760

.doc = "Connect directly to a sepcified mandos server",

761

.group = 1 },

762

{ .name = "interface", .key = 'i',

763

.arg = "INTERFACE",

764

.doc = "Interface that Avahi will conntect through",

765

.group = 1 },

766

{ .name = "keydir", .key = 'd',

767

.arg = "KEYDIR",

768

.doc = "Directory where the openpgp keyring is",

769

.group = 1 },

770

{ .name = "seckey", .key = 's',

771

.arg = "SECKEY",

772

.doc = "Secret openpgp key for gnutls authentication",

773

.group = 1 },

774

{ .name = "pubkey", .key = 'p',

775

.arg = "PUBKEY",

776

.doc = "Public openpgp key for gnutls authentication",

777

.group = 2 },

778

{ .name = "dh-bits", .key = 129,

779

.arg = "BITS",

780

.doc = "dh-bits to use in gnutls communication",

781

.group = 2 },

782

{ .name = "priority", .key = 130,

783

.arg = "PRIORITY",

784

.doc = "GNUTLS priority", .group = 1 },

785

{ .name = NULL }

786

};

787

788

789

error_t parse_opt (int key, char *arg,

790

struct argp_state *state) {

791

/* Get the INPUT argument from `argp_parse', which we know is

792

a pointer to our plugin list pointer. */

793

switch (key) {

794

case 128:

795

debug = true;

796

break;

797

case 'c':

798

connect_to = arg;

799

break;

800

case 'i':

801

interface = arg;

802

break;

803

case 'd':

804

keydir = arg;

805

break;

806

case 's':

807

seckeyfile = arg;

808

break;

809

case 'p':

810

pubkeyfile = arg;

811

break;

812

case 129:

813

errno = 0;

814

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

815

if (errno){

816

perror("strtol");

817

exit(EXIT_FAILURE);

818

}

819

break;

820

case 130:

821

mc.priority = arg;

822

break;

823

case ARGP_KEY_ARG:

824

argp_usage (state);

825

break;

826

case ARGP_KEY_END:

827

break;

828

default:

829

return ARGP_ERR_UNKNOWN;

684

debug_int = debug ? 1 : 0;

685

while (true){

686

struct option long_options[] = {

687

{"debug", no_argument, &debug_int, 1},

688

{"connect", required_argument, NULL, 'c'},

689

{"interface", required_argument, NULL, 'i'},

690

{"keydir", required_argument, NULL, 'd'},

691

{"seckey", required_argument, NULL, 's'},

692

{"pubkey", required_argument, NULL, 'p'},

693

{"dh-bits", required_argument, NULL, 'D'},

694

{"priority", required_argument, NULL, 'P'},

695

{0, 0, 0, 0} };

696

697

int option_index = 0;

698

ret = getopt_long (argc, argv, "i:", long_options,

699

&option_index);

700

701

if (ret == -1){

702

break;

703

}

704

705

switch(ret){

706

case 0:

707

break;

708

case 'i':

709

interface = optarg;

710

break;

711

case 'c':

712

connect_to = optarg;

713

break;

714

case 'd':

715

keydir = optarg;

716

break;

717

case 'p':

718

pubkeyfile = optarg;

719

break;

720

case 's':

721

seckeyfile = optarg;

722

break;

723

case 'D':

724

errno = 0;

725

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

726

if (errno){

727

perror("strtol");

728

exit(EXIT_FAILURE);

830

729

}

831

return 0;

730

break;

731

case 'P':

732

mc.priority = optarg;

733

break;

734

case '?':

735

default:

736

exit(EXIT_FAILURE);

832

737

}

833

834

struct argp argp = { .options = options, .parser = parse_opt,

835

.args_doc = "",

836

.doc = "Mandos client -- Get and decrypt"

837

" passwords from mandos server" };

838

argp_parse (&argp, argc, argv, 0, 0, NULL);

839

738

}

840

739

debug = debug_int ? true : false;

740

841

741

pubkeyfile = combinepath(keydir, pubkeyfile);

842

742

if (pubkeyfile == NULL){

843

743

perror("combinepath");

844

exitcode = EXIT_FAILURE;

845

goto end;

744

returncode = EXIT_FAILURE;

745

goto exit;

846

746

}

847

747

848

748

seckeyfile = combinepath(keydir, seckeyfile);

849

749

if (seckeyfile == NULL){

850

750

perror("combinepath");

851

goto end;

852

}

853

854

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

855

if (ret == -1){

856

fprintf(stderr, "init_gnutls_global\n");

857

goto end;

858

} else {

859

gnutls_initalized = true;

860

}

861

862

uid = getuid();

863

gid = getgid();

864

865

ret = setuid(uid);

866

if (ret == -1){

867

perror("setuid");

868

}

869

870

setgid(gid);

871

if (ret == -1){

872

perror("setgid");

751

goto exit;

873

752

}

874

753

875

754

if_index = (AvahiIfIndex) if_nametoindex(interface);

884

763

char *address = strrchr(connect_to, ':');

885

764

if(address == NULL){

886

765

fprintf(stderr, "No colon in address\n");

887

exitcode = EXIT_FAILURE;

888

goto end;

766

exit(EXIT_FAILURE);

889

767

}

890

768

errno = 0;

891

769

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

892

770

if(errno){

893

771

perror("Bad port number");

894

exitcode = EXIT_FAILURE;

895

goto end;

772

exit(EXIT_FAILURE);

896

773

}

897

774

*address = '\0';

898

775

address = connect_to;

899

776

ret = start_mandos_communication(address, port, if_index, &mc);

900

777

if(ret < 0){

901

exitcode = EXIT_FAILURE;

778

exit(EXIT_FAILURE);

902

779

} else {

903

exitcode = EXIT_SUCCESS;

780

exit(EXIT_SUCCESS);

904

781

}

905

goto end;

906

782

}

907

783

908

/* If the interface is down, bring it up */

909

{

910

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

911

if(sd < 0) {

912

perror("socket");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

strcpy(network.ifr_name, interface); /* Spurious warning */

917

ret = ioctl(sd, SIOCGIFFLAGS, &network);

784

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

785

if(sd < 0) {

786

perror("socket");

787

returncode = EXIT_FAILURE;

788

goto exit;

789

}

790

strcpy(network.ifr_name, interface); /* Spurious warning */

791

ret = ioctl(sd, SIOCGIFFLAGS, &network);

792

if(ret == -1){

793

794

perror("ioctl SIOCGIFFLAGS");

795

returncode = EXIT_FAILURE;

796

goto exit;

797

}

798

if((network.ifr_flags & IFF_UP) == 0){

799

network.ifr_flags |= IFF_UP;

800

ret = ioctl(sd, SIOCSIFFLAGS, &network);

918

801

if(ret == -1){

919

perror("ioctl SIOCGIFFLAGS");

920

exitcode = EXIT_FAILURE;

921

goto end;

922

}

923

if((network.ifr_flags & IFF_UP) == 0){

924

network.ifr_flags |= IFF_UP;

925

ret = ioctl(sd, SIOCSIFFLAGS, &network);

926

if(ret == -1){

927

perror("ioctl SIOCSIFFLAGS");

928

exitcode = EXIT_FAILURE;

929

goto end;

930

}

931

}

932

close(sd);

802

perror("ioctl SIOCSIFFLAGS");

803

returncode = EXIT_FAILURE;

804

goto exit;

805

}

933

806

}

807

close(sd);

934

808

935

809

if (not debug){

936

810

avahi_set_log_function(empty_log);

937

811

}

938

812

939

/* Initialize the pseudo-RNG for Avahi */

813

/* Initialize the psuedo-RNG */

940

814

srand((unsigned int) time(NULL));

941

942

/* Allocate main Avahi loop object */

943

mc.simple_poll = avahi_simple_poll_new();

944

if (mc.simple_poll == NULL) {

945

fprintf(stderr, "Avahi: Failed to create simple poll"

946

" object.\n");

947

exitcode = EXIT_FAILURE;

948

goto end;

949

}

950

951

{

952

AvahiServerConfig config;

953

/* Do not publish any local Zeroconf records */

954

avahi_server_config_init(&config);

955

config.publish_hinfo = 0;

956

config.publish_addresses = 0;

957

config.publish_workstation = 0;

958

config.publish_domain = 0;

959

960

/* Allocate a new server */

961

mc.server = avahi_server_new(avahi_simple_poll_get

962

(mc.simple_poll), &config, NULL,

963

NULL, &error);

964

965

/* Free the Avahi configuration data */

966

avahi_server_config_free(&config);

967

}

968

969

/* Check if creating the Avahi server object succeeded */

970

if (mc.server == NULL) {

971

fprintf(stderr, "Failed to create Avahi server: %s\n",

815

816

/* Allocate main loop object */

817

if (!(mc.simple_poll = avahi_simple_poll_new())) {

818

fprintf(stderr, "Failed to create simple poll object.\n");

819

returncode = EXIT_FAILURE;

820

goto exit;

821

}

822

823

/* Do not publish any local records */

824

avahi_server_config_init(&config);

825

config.publish_hinfo = 0;

826

config.publish_addresses = 0;

827

config.publish_workstation = 0;

828

config.publish_domain = 0;

829

830

/* Allocate a new server */

831

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

832

&config, NULL, NULL, &error);

833

834

/* Free the configuration data */

835

avahi_server_config_free(&config);

836

837

/* Check if creating the server object succeeded */

838

if (!mc.server) {

839

fprintf(stderr, "Failed to create server: %s\n",

972

840

avahi_strerror(error));

973

exitcode = EXIT_FAILURE;

974

goto end;

841

returncode = EXIT_FAILURE;

842

goto exit;

975

843

}

976

844

977

/* Create the Avahi service browser */

845

/* Create the service browser */

978

846

sb = avahi_s_service_browser_new(mc.server, if_index,

979

847

AVAHI_PROTO_INET6,

980

848

"_mandos._tcp", NULL, 0,

981

849

browse_callback, &mc);

982

if (sb == NULL) {

850

if (!sb) {

983

851

fprintf(stderr, "Failed to create service browser: %s\n",

984

852

avahi_strerror(avahi_server_errno(mc.server)));

985

exitcode = EXIT_FAILURE;

986

goto end;

853

returncode = EXIT_FAILURE;

854

goto exit;

987

855

}

988

856

989

857

/* Run the main loop */

990

858

991

859

if (debug){

992

fprintf(stderr, "Starting Avahi loop search\n");

860

fprintf(stderr, "Starting avahi loop search\n");

993

861

}

994

862

995

863

avahi_simple_poll_loop(mc.simple_poll);

996

864

997

end:

865

exit:

998

866

999

867

if (debug){

1000

868

fprintf(stderr, "%s exiting\n", argv[0]);

1001

869

}

1002

870

1003

871

/* Cleanup things */

1004

if (sb != NULL)

872

if (sb)

1005

873

avahi_s_service_browser_free(sb);

1006

874

1007

if (mc.server != NULL)

875

if (mc.server)

1008

876

avahi_server_free(mc.server);

1009

877

1010

if (mc.simple_poll != NULL)

878

if (mc.simple_poll)

1011

879

avahi_simple_poll_free(mc.simple_poll);

1012

880

free(pubkeyfile);

1013

881

free(seckeyfile);

1014

1015

if (gnutls_initalized){

1016

gnutls_certificate_free_credentials (mc.cred);

1017

gnutls_global_deinit ();

1018

}

1019

882

1020

return exitcode;

883

return returncode;

1021

884

}