To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 40
- compare with another revision
- download diff
- download tarball
- view history from revision 40
- Committer: Teddy Hogeborn
- Date: 2008-08-03 16:05:52 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803160552-mvqy5klry3wn57x1
* plugins.d/mandosclient.c (initgnutls): Moved "err" variable into its
own code block.
(start_mandos_communication): Moved call to "initgnutls" to
beginning. Renamed label "exit" to
"mandos_end". Bug fix: set return
code if failure to realloc buffer.
Close TLS session as early as
possible.
(resolve_callback): Also print interface number when debugging.
(main): Moved "debug_int" and "config" into their own respective
code blocks.
own code block.
(start_mandos_communication): Moved call to "initgnutls" to
beginning. Renamed label "exit" to
"mandos_end". Bug fix: set return
code if failure to realloc buffer.
Close TLS session as early as
possible.
(resolve_callback): Also print interface number when debugging.
(main): Moved "debug_int" and "config" into their own respective
code blocks.
- files modified:
- TODO
added
removed
plugins.d/mandosclient.c
25
25
* along with this program. If not, see
26
26
* <http://www.gnu.org/licenses/>.
27
27
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
28
* Contact the authors at <mandos@fukt.bsnet.se>.
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
38
37
#include <stdlib.h>
39
38
#include <time.h>
40
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
41
44
42
45
#include <avahi-core/core.h>
43
46
#include <avahi-core/lookup.h>
46
49
#include <avahi-common/malloc.h>
47
50
#include <avahi-common/error.h>
48
51
49
//mandos client part
52
/* Mandos client part */
50
53
#include <sys/types.h> /* socket(), inet_pton() */
51
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
55
struct in6_addr, inet_pton() */
59
62
#include <string.h> /* memset */
60
63
#include <arpa/inet.h> /* inet_pton() */
61
64
#include <iso646.h> /* not */
65
#include <net/if.h> /* IF_NAMESIZE */
62
66
63
// gpgme
67
/* GPGME */
64
68
#include <errno.h> /* perror() */
65
69
#include <gpgme.h>
66
70
67
// getopt long
71
/* getopt_long */
68
72
#include <getopt.h>
69
73
70
#ifndef CERT_ROOT
71
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
72
#endif
73
#define CERTFILE CERT_ROOT "openpgp-client.txt"
74
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
75
74
#define BUFFER_SIZE 256
76
#define DH_BITS 1024
75
76
static const char *keydir = "/conf/conf.d/mandos";
77
static const char *pubkeyfile = "pubkey.txt";
78
static const char *seckeyfile = "seckey.txt";
77
79
78
80
bool debug = false;
79
81
82
/* Used for passing in values through all the callback functions */
80
83
typedef struct {
81
gnutls_session_t session;
84
AvahiSimplePoll *simple_poll;
85
AvahiServer *server;
82
86
gnutls_certificate_credentials_t cred;
83
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
87
unsigned int dh_bits;
88
const char *priority;
89
} mandos_context;
90
91
/*
92
* Decrypt OpenPGP data using keyrings in HOMEDIR.
93
* Returns -1 on error
94
*/
95
static ssize_t pgp_packet_decrypt (const char *cryptotext,
96
size_t crypto_size,
97
char **plaintext,
98
const char *homedir){
89
99
gpgme_data_t dh_crypto, dh_plain;
90
100
gpgme_ctx_t ctx;
91
101
gpgme_error_t rc;
92
102
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
103
size_t plaintext_capacity = 0;
104
ssize_t plaintext_length = 0;
95
105
gpgme_engine_info_t engine_info;
96
106
97
107
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
108
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
99
109
}
100
110
101
111
/* Init GPGME */
102
112
gpgme_check_version(NULL);
103
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
113
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
114
if (rc != GPG_ERR_NO_ERROR){
115
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
116
gpgme_strsource(rc), gpgme_strerror(rc));
117
return -1;
118
}
104
119
105
/* Set GPGME home directory */
120
/* Set GPGME home directory for the OpenPGP engine only */
106
121
rc = gpgme_get_engine_info (&engine_info);
107
122
if (rc != GPG_ERR_NO_ERROR){
108
123
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
118
133
engine_info = engine_info->next;
119
134
}
120
135
if(engine_info == NULL){
121
fprintf(stderr, "Could not set home dir to %s\n", homedir);
136
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
122
137
return -1;
123
138
}
124
139
125
/* Create new GPGME data buffer from packet buffer */
126
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
140
/* Create new GPGME data buffer from memory cryptotext */
141
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
142
0);
127
143
if (rc != GPG_ERR_NO_ERROR){
128
144
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
129
145
gpgme_strsource(rc), gpgme_strerror(rc));
135
151
if (rc != GPG_ERR_NO_ERROR){
136
152
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
137
153
gpgme_strsource(rc), gpgme_strerror(rc));
154
gpgme_data_release(dh_crypto);
138
155
return -1;
139
156
}
140
157
143
160
if (rc != GPG_ERR_NO_ERROR){
144
161
fprintf(stderr, "bad gpgme_new: %s: %s\n",
145
162
gpgme_strsource(rc), gpgme_strerror(rc));
146
return -1;
163
plaintext_length = -1;
164
goto decrypt_end;
147
165
}
148
166
149
/* Decrypt data from the FILE pointer to the plaintext data
150
buffer */
167
/* Decrypt data from the cryptotext data buffer to the plaintext
168
data buffer */
151
169
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
152
170
if (rc != GPG_ERR_NO_ERROR){
153
171
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
154
172
gpgme_strsource(rc), gpgme_strerror(rc));
155
return -1;
173
plaintext_length = -1;
174
goto decrypt_end;
156
175
}
157
176
158
177
if(debug){
159
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
178
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
160
179
}
161
180
162
181
if (debug){
163
182
gpgme_decrypt_result_t result;
164
183
result = gpgme_op_decrypt_result(ctx);
188
207
}
189
208
}
190
209
191
/* Delete the GPGME FILE pointer cryptotext data buffer */
192
gpgme_data_release(dh_crypto);
193
194
210
/* Seek back to the beginning of the GPGME plaintext data buffer */
195
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
196
197
*new_packet = 0;
211
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
212
perror("pgpme_data_seek");
213
plaintext_length = -1;
214
goto decrypt_end;
215
}
216
217
*plaintext = NULL;
198
218
while(true){
199
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
200
*new_packet = realloc(*new_packet,
201
(unsigned int)new_packet_capacity
219
if (plaintext_length + BUFFER_SIZE
220
> (ssize_t) plaintext_capacity){
221
*plaintext = realloc(*plaintext, plaintext_capacity
202
222
+ BUFFER_SIZE);
203
if (*new_packet == NULL){
223
if (*plaintext == NULL){
204
224
perror("realloc");
205
return -1;
225
plaintext_length = -1;
226
goto decrypt_end;
206
227
}
207
new_packet_capacity += BUFFER_SIZE;
228
plaintext_capacity += BUFFER_SIZE;
208
229
}
209
230
210
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
231
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
211
232
BUFFER_SIZE);
212
233
/* Print the data, if any */
213
234
if (ret == 0){
235
/* EOF */
214
236
break;
215
237
}
216
238
if(ret < 0){
217
239
perror("gpgme_data_read");
218
return -1;
240
plaintext_length = -1;
241
goto decrypt_end;
219
242
}
220
new_packet_length += ret;
243
plaintext_length += ret;
221
244
}
222
245
223
/* FIXME: check characters before printing to screen so to not print
224
terminal control characters */
225
/* if(debug){ */
226
/* fprintf(stderr, "decrypted password is: "); */
227
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
228
/* fprintf(stderr, "\n"); */
229
/* } */
246
if(debug){
247
fprintf(stderr, "Decrypted password is: ");
248
for(ssize_t i = 0; i < plaintext_length; i++){
249
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
250
}
251
fprintf(stderr, "\n");
252
}
253
254
decrypt_end:
255
256
/* Delete the GPGME cryptotext data buffer */
257
gpgme_data_release(dh_crypto);
230
258
231
259
/* Delete the GPGME plaintext data buffer */
232
260
gpgme_data_release(dh_plain);
233
return new_packet_length;
261
return plaintext_length;
234
262
}
235
263
236
264
static const char * safer_gnutls_strerror (int value) {
240
268
return ret;
241
269
}
242
270
243
void debuggnutls(__attribute__((unused)) int level,
244
const char* string){
245
fprintf(stderr, "%s", string);
271
/* GnuTLS log function callback */
272
static void debuggnutls(__attribute__((unused)) int level,
273
const char* string){
274
fprintf(stderr, "GnuTLS: %s", string);
246
275
}
247
276
248
int initgnutls(encrypted_session *es){
249
const char *err;
277
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
278
gnutls_dh_params_t *dh_params){
250
279
int ret;
251
280
252
281
if(debug){
253
282
fprintf(stderr, "Initializing GnuTLS\n");
254
283
}
255
284
256
285
if ((ret = gnutls_global_init ())
257
286
!= GNUTLS_E_SUCCESS) {
258
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
287
fprintf (stderr, "GnuTLS global_init: %s\n",
288
safer_gnutls_strerror(ret));
259
289
return -1;
260
290
}
261
291
262
292
if (debug){
293
/* "Use a log level over 10 to enable all debugging options."
294
* - GnuTLS manual
295
*/
263
296
gnutls_global_set_log_level(11);
264
297
gnutls_global_set_log_function(debuggnutls);
265
298
}
266
299
267
/* openpgp credentials */
268
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
300
/* OpenPGP credentials */
301
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
269
302
!= GNUTLS_E_SUCCESS) {
270
fprintf (stderr, "memory error: %s\n",
303
fprintf (stderr, "GnuTLS memory error: %s\n",
271
304
safer_gnutls_strerror(ret));
272
305
return -1;
273
306
}
274
307
275
308
if(debug){
276
309
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
277
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
278
KEYFILE);
310
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
311
seckeyfile);
279
312
}
280
313
281
314
ret = gnutls_certificate_set_openpgp_key_file
282
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
315
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
283
316
if (ret != GNUTLS_E_SUCCESS) {
284
fprintf
285
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
286
" '%s')\n",
287
ret, CERTFILE, KEYFILE);
288
fprintf(stdout, "The Error is: %s\n",
317
fprintf(stderr,
318
"Error[%d] while reading the OpenPGP key pair ('%s',"
319
" '%s')\n", ret, pubkeyfile, seckeyfile);
320
fprintf(stdout, "The GnuTLS error is: %s\n",
289
321
safer_gnutls_strerror(ret));
290
322
return -1;
291
323
}
292
324
293
//GnuTLS server initialization
294
if ((ret = gnutls_dh_params_init (&es->dh_params))
295
!= GNUTLS_E_SUCCESS) {
296
fprintf (stderr, "Error in dh parameter initialization: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in prime generation: %s\n",
304
safer_gnutls_strerror(ret));
305
return -1;
306
}
307
308
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
309
310
// GnuTLS session creation
311
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
312
!= GNUTLS_E_SUCCESS){
325
/* GnuTLS server initialization */
326
ret = gnutls_dh_params_init(dh_params);
327
if (ret != GNUTLS_E_SUCCESS) {
328
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
329
" %s\n", safer_gnutls_strerror(ret));
330
return -1;
331
}
332
ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits);
333
if (ret != GNUTLS_E_SUCCESS) {
334
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
335
safer_gnutls_strerror(ret));
336
return -1;
337
}
338
339
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
340
341
/* GnuTLS session creation */
342
ret = gnutls_init(session, GNUTLS_SERVER);
343
if (ret != GNUTLS_E_SUCCESS){
313
344
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
314
345
safer_gnutls_strerror(ret));
315
346
}
316
347
317
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf(stderr, "Syntax error at: %s\n", err);
320
fprintf(stderr, "GnuTLS error: %s\n",
321
safer_gnutls_strerror(ret));
322
return -1;
348
{
349
const char *err;
350
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
351
if (ret != GNUTLS_E_SUCCESS) {
352
fprintf(stderr, "Syntax error at: %s\n", err);
353
fprintf(stderr, "GnuTLS error: %s\n",
354
safer_gnutls_strerror(ret));
355
return -1;
356
}
323
357
}
324
358
325
if ((ret = gnutls_credentials_set
326
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Error setting a credentials set: %s\n",
359
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
360
mc->cred);
361
if (ret != GNUTLS_E_SUCCESS) {
362
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
329
363
safer_gnutls_strerror(ret));
330
364
return -1;
331
365
}
332
366
333
367
/* ignore client certificate if any. */
334
gnutls_certificate_server_set_request (es->session,
368
gnutls_certificate_server_set_request (*session,
335
369
GNUTLS_CERT_IGNORE);
336
370
337
gnutls_dh_set_prime_bits (es->session, DH_BITS);
371
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
338
372
339
373
return 0;
340
374
}
341
375
342
void empty_log(__attribute__((unused)) AvahiLogLevel level,
343
__attribute__((unused)) const char *txt){}
376
/* Avahi log function callback */
377
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
378
__attribute__((unused)) const char *txt){}
344
379
345
int start_mandos_communication(const char *ip, uint16_t port,
346
AvahiIfIndex if_index){
380
/* Called when a Mandos server is found */
381
static int start_mandos_communication(const char *ip, uint16_t port,
382
AvahiIfIndex if_index,
383
mandos_context *mc){
347
384
int ret, tcp_sd;
348
385
struct sockaddr_in6 to;
349
encrypted_session es;
350
386
char *buffer = NULL;
351
387
char *decrypted_buffer;
352
388
size_t buffer_length = 0;
355
391
size_t written = 0;
356
392
int retval = 0;
357
393
char interface[IF_NAMESIZE];
394
gnutls_session_t session;
395
gnutls_dh_params_t dh_params;
396
397
ret = initgnutls (mc, &session, &dh_params);
398
if (ret != 0){
399
return -1;
400
}
358
401
359
402
if(debug){
360
403
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
366
409
perror("socket");
367
410
return -1;
368
411
}
369
370
if(if_indextoname((unsigned int)if_index, interface) == NULL){
371
if(debug){
412
413
if(debug){
414
if(if_indextoname((unsigned int)if_index, interface) == NULL){
372
415
perror("if_indextoname");
416
return -1;
373
417
}
374
return -1;
375
}
376
377
if(debug){
378
418
fprintf(stderr, "Binding to interface %s\n", interface);
379
419
}
380
420
381
421
memset(&to,0,sizeof(to)); /* Spurious warning */
382
422
to.sin6_family = AF_INET6;
423
/* It would be nice to have a way to detect if we were passed an
424
IPv4 address here. Now we assume an IPv6 address. */
383
425
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
384
426
if (ret < 0 ){
385
427
perror("inet_pton");
386
428
return -1;
387
}
429
}
388
430
if(ret == 0){
389
431
fprintf(stderr, "Bad address: %s\n", ip);
390
432
return -1;
395
437
396
438
if(debug){
397
439
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
398
/* char addrstr[INET6_ADDRSTRLEN]; */
399
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
400
/* sizeof(addrstr)) == NULL){ */
401
/* perror("inet_ntop"); */
402
/* } else { */
403
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
404
/* addrstr, ntohs(to.sin6_port)); */
405
/* } */
440
char addrstr[INET6_ADDRSTRLEN] = "";
441
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
442
sizeof(addrstr)) == NULL){
443
perror("inet_ntop");
444
} else {
445
if(strcmp(addrstr, ip) != 0){
446
fprintf(stderr, "Canonical address form: %s\n", addrstr);
447
}
448
}
406
449
}
407
450
408
451
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
411
454
return -1;
412
455
}
413
456
414
ret = initgnutls (&es);
415
if (ret != 0){
416
retval = -1;
417
return -1;
418
}
419
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
422
423
457
if(debug){
424
458
fprintf(stderr, "Establishing TLS session with %s\n", ip);
425
459
}
426
460
427
ret = gnutls_handshake (es.session);
461
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
462
463
ret = gnutls_handshake (session);
428
464
429
465
if (ret != GNUTLS_E_SUCCESS){
430
466
if(debug){
431
fprintf(stderr, "\n*** Handshake failed ***\n");
467
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
432
468
gnutls_perror (ret);
433
469
}
434
470
retval = -1;
435
goto exit;
471
goto mandos_end;
436
472
}
437
473
438
//Retrieve OpenPGP packet that contains the wanted password
474
/* Read OpenPGP packet that contains the wanted password */
439
475
440
476
if(debug){
441
477
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
447
483
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
448
484
if (buffer == NULL){
449
485
perror("realloc");
450
goto exit;
486
retval = -1;
487
goto mandos_end;
451
488
}
452
489
buffer_capacity += BUFFER_SIZE;
453
490
}
454
491
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
492
ret = gnutls_record_recv(session, buffer+buffer_length,
493
BUFFER_SIZE);
457
494
if (ret == 0){
458
495
break;
459
496
}
463
500
case GNUTLS_E_AGAIN:
464
501
break;
465
502
case GNUTLS_E_REHANDSHAKE:
466
ret = gnutls_handshake (es.session);
503
ret = gnutls_handshake (session);
467
504
if (ret < 0){
468
fprintf(stderr, "\n*** Handshake failed ***\n");
505
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
469
506
gnutls_perror (ret);
470
507
retval = -1;
471
goto exit;
508
goto mandos_end;
472
509
}
473
510
break;
474
511
default:
475
512
fprintf(stderr, "Unknown error while reading data from"
476
" encrypted session with mandos server\n");
513
" encrypted session with Mandos server\n");
477
514
retval = -1;
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
479
goto exit;
515
gnutls_bye (session, GNUTLS_SHUT_RDWR);
516
goto mandos_end;
480
517
}
481
518
} else {
482
519
buffer_length += (size_t) ret;
483
520
}
484
521
}
485
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
527
gnutls_bye (session, GNUTLS_SHUT_RDWR);
528
486
529
if (buffer_length > 0){
487
530
decrypted_buffer_size = pgp_packet_decrypt(buffer,
488
531
buffer_length,
489
532
&decrypted_buffer,
490
CERT_ROOT);
533
keydir);
491
534
if (decrypted_buffer_size >= 0){
492
535
while(written < (size_t) decrypted_buffer_size){
493
536
ret = (int)fwrite (decrypted_buffer + written, 1,
508
551
retval = -1;
509
552
}
510
553
}
511
512
//shutdown procedure
513
514
if(debug){
515
fprintf(stderr, "Closing TLS session\n");
516
}
517
554
555
/* Shutdown procedure */
556
557
mandos_end:
518
558
free(buffer);
519
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
520
exit:
521
559
close(tcp_sd);
522
gnutls_deinit (es.session);
523
gnutls_certificate_free_credentials (es.cred);
560
gnutls_deinit (session);
561
gnutls_certificate_free_credentials (mc->cred);
524
562
gnutls_global_deinit ();
525
563
return retval;
526
564
}
527
565
528
static AvahiSimplePoll *simple_poll = NULL;
529
static AvahiServer *server = NULL;
530
531
static void resolve_callback(
532
AvahiSServiceResolver *r,
533
AvahiIfIndex interface,
534
AVAHI_GCC_UNUSED AvahiProtocol protocol,
535
AvahiResolverEvent event,
536
const char *name,
537
const char *type,
538
const char *domain,
539
const char *host_name,
540
const AvahiAddress *address,
541
uint16_t port,
542
AVAHI_GCC_UNUSED AvahiStringList *txt,
543
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
544
AVAHI_GCC_UNUSED void* userdata) {
545
566
static void resolve_callback(AvahiSServiceResolver *r,
567
AvahiIfIndex interface,
568
AVAHI_GCC_UNUSED AvahiProtocol protocol,
569
AvahiResolverEvent event,
570
const char *name,
571
const char *type,
572
const char *domain,
573
const char *host_name,
574
const AvahiAddress *address,
575
uint16_t port,
576
AVAHI_GCC_UNUSED AvahiStringList *txt,
577
AVAHI_GCC_UNUSED AvahiLookupResultFlags
578
flags,
579
void* userdata) {
580
mandos_context *mc = userdata;
546
581
assert(r); /* Spurious warning */
547
582
548
583
/* Called whenever a service has been resolved successfully or
551
586
switch (event) {
552
587
default:
553
588
case AVAHI_RESOLVER_FAILURE:
554
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
555
" type '%s' in domain '%s': %s\n", name, type, domain,
556
avahi_strerror(avahi_server_errno(server)));
589
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
590
" of type '%s' in domain '%s': %s\n", name, type, domain,
591
avahi_strerror(avahi_server_errno(mc->server)));
557
592
break;
558
593
559
594
case AVAHI_RESOLVER_FOUND:
561
596
char ip[AVAHI_ADDRESS_STR_MAX];
562
597
avahi_address_snprint(ip, sizeof(ip), address);
563
598
if(debug){
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
599
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
600
" port %d\n", name, host_name, ip, interface, port);
566
601
}
567
int ret = start_mandos_communication(ip, port, interface);
602
int ret = start_mandos_communication(ip, port, interface, mc);
568
603
if (ret == 0){
569
604
exit(EXIT_SUCCESS);
570
605
}
573
608
avahi_s_service_resolver_free(r);
574
609
}
575
610
576
static void browse_callback(
577
AvahiSServiceBrowser *b,
578
AvahiIfIndex interface,
579
AvahiProtocol protocol,
580
AvahiBrowserEvent event,
581
const char *name,
582
const char *type,
583
const char *domain,
584
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
585
void* userdata) {
586
587
AvahiServer *s = userdata;
588
assert(b); /* Spurious warning */
589
590
/* Called whenever a new services becomes available on the LAN or
591
is removed from the LAN */
592
593
switch (event) {
594
default:
595
case AVAHI_BROWSER_FAILURE:
596
597
fprintf(stderr, "(Browser) %s\n",
598
avahi_strerror(avahi_server_errno(server)));
599
avahi_simple_poll_quit(simple_poll);
600
return;
601
602
case AVAHI_BROWSER_NEW:
603
/* We ignore the returned resolver object. In the callback
604
function we free it. If the server is terminated before
605
the callback function is called the server will free
606
the resolver for us. */
607
608
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
609
type, domain,
610
AVAHI_PROTO_INET6, 0,
611
resolve_callback, s)))
612
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
613
avahi_strerror(avahi_server_errno(s)));
614
break;
615
616
case AVAHI_BROWSER_REMOVE:
617
break;
618
619
case AVAHI_BROWSER_ALL_FOR_NOW:
620
case AVAHI_BROWSER_CACHE_EXHAUSTED:
621
break;
611
static void browse_callback( AvahiSServiceBrowser *b,
612
AvahiIfIndex interface,
613
AvahiProtocol protocol,
614
AvahiBrowserEvent event,
615
const char *name,
616
const char *type,
617
const char *domain,
618
AVAHI_GCC_UNUSED AvahiLookupResultFlags
619
flags,
620
void* userdata) {
621
mandos_context *mc = userdata;
622
assert(b); /* Spurious warning */
623
624
/* Called whenever a new services becomes available on the LAN or
625
is removed from the LAN */
626
627
switch (event) {
628
default:
629
case AVAHI_BROWSER_FAILURE:
630
631
fprintf(stderr, "(Avahi browser) %s\n",
632
avahi_strerror(avahi_server_errno(mc->server)));
633
avahi_simple_poll_quit(mc->simple_poll);
634
return;
635
636
case AVAHI_BROWSER_NEW:
637
/* We ignore the returned Avahi resolver object. In the callback
638
function we free it. If the Avahi server is terminated before
639
the callback function is called the Avahi server will free the
640
resolver for us. */
641
642
if (!(avahi_s_service_resolver_new(mc->server, interface,
643
protocol, name, type, domain,
644
AVAHI_PROTO_INET6, 0,
645
resolve_callback, mc)))
646
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
647
name, avahi_strerror(avahi_server_errno(mc->server)));
648
break;
649
650
case AVAHI_BROWSER_REMOVE:
651
break;
652
653
case AVAHI_BROWSER_ALL_FOR_NOW:
654
case AVAHI_BROWSER_CACHE_EXHAUSTED:
655
if(debug){
656
fprintf(stderr, "No Mandos server found, still searching...\n");
622
657
}
623
}
624
625
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
626
AvahiServerConfig config;
658
break;
659
}
660
}
661
662
/* Combines file name and path and returns the malloced new
663
string. some sane checks could/should be added */
664
static const char *combinepath(const char *first, const char *second){
665
size_t f_len = strlen(first);
666
size_t s_len = strlen(second);
667
char *tmp = malloc(f_len + s_len + 2);
668
if (tmp == NULL){
669
return NULL;
670
}
671
if(f_len > 0){
672
memcpy(tmp, first, f_len); /* Spurious warning */
673
}
674
tmp[f_len] = '/';
675
if(s_len > 0){
676
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
677
}
678
tmp[f_len + 1 + s_len] = '\0';
679
return tmp;
680
}
681
682
683
int main(int argc, char *argv[]){
627
684
AvahiSServiceBrowser *sb = NULL;
628
685
int error;
629
686
int ret;
630
int returncode = EXIT_SUCCESS;
631
const char *interface = NULL;
687
int exitcode = EXIT_SUCCESS;
688
const char *interface = "eth0";
689
struct ifreq network;
690
int sd;
691
char *connect_to = NULL;
632
692
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
633
char *connect_to = NULL;
634
635
while (true){
636
static struct option long_options[] = {
637
{"debug", no_argument, (int *)&debug, 1},
638
{"connect", required_argument, 0, 'c'},
639
{"interface", required_argument, 0, 'i'},
640
{0, 0, 0, 0} };
641
642
int option_index = 0;
643
ret = getopt_long (argc, argv, "i:", long_options,
644
&option_index);
645
646
if (ret == -1){
647
break;
648
}
649
650
switch(ret){
651
case 0:
652
break;
653
case 'i':
654
interface = optarg;
655
break;
656
case 'c':
657
connect_to = optarg;
658
break;
659
default:
660
exit(EXIT_FAILURE);
661
}
662
}
663
664
if(interface != NULL){
665
if_index = (AvahiIfIndex) if_nametoindex(interface);
666
if(if_index == 0){
667
fprintf(stderr, "No such interface: \"%s\"\n", interface);
668
exit(EXIT_FAILURE);
669
}
693
mandos_context mc = { .simple_poll = NULL, .server = NULL,
694
.dh_bits = 1024, .priority = "SECURE256"};
695
696
{
697
/* Temporary int to get the address of for getopt_long */
698
int debug_int = debug ? 1 : 0;
699
while (true){
700
struct option long_options[] = {
701
{"debug", no_argument, &debug_int, 1},
702
{"connect", required_argument, NULL, 'c'},
703
{"interface", required_argument, NULL, 'i'},
704
{"keydir", required_argument, NULL, 'd'},
705
{"seckey", required_argument, NULL, 's'},
706
{"pubkey", required_argument, NULL, 'p'},
707
{"dh-bits", required_argument, NULL, 'D'},
708
{"priority", required_argument, NULL, 'P'},
709
{0, 0, 0, 0} };
710
711
int option_index = 0;
712
ret = getopt_long (argc, argv, "i:", long_options,
713
&option_index);
714
715
if (ret == -1){
716
break;
717
}
718
719
switch(ret){
720
case 0:
721
break;
722
case 'i':
723
interface = optarg;
724
break;
725
case 'c':
726
connect_to = optarg;
727
break;
728
case 'd':
729
keydir = optarg;
730
break;
731
case 'p':
732
pubkeyfile = optarg;
733
break;
734
case 's':
735
seckeyfile = optarg;
736
break;
737
case 'D':
738
errno = 0;
739
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
740
if (errno){
741
perror("strtol");
742
exit(EXIT_FAILURE);
743
}
744
break;
745
case 'P':
746
mc.priority = optarg;
747
break;
748
case '?':
749
default:
750
/* getopt_long() has already printed a message about the
751
unrcognized option, so just exit. */
752
exit(EXIT_FAILURE);
753
}
754
}
755
/* Set the global debug flag from the temporary int */
756
debug = debug_int ? true : false;
757
}
758
759
pubkeyfile = combinepath(keydir, pubkeyfile);
760
if (pubkeyfile == NULL){
761
perror("combinepath");
762
exitcode = EXIT_FAILURE;
763
goto end;
764
}
765
766
seckeyfile = combinepath(keydir, seckeyfile);
767
if (seckeyfile == NULL){
768
perror("combinepath");
769
goto end;
770
}
771
772
if_index = (AvahiIfIndex) if_nametoindex(interface);
773
if(if_index == 0){
774
fprintf(stderr, "No such interface: \"%s\"\n", interface);
775
exit(EXIT_FAILURE);
670
776
}
671
777
672
778
if(connect_to != NULL){
685
791
}
686
792
*address = '\0';
687
793
address = connect_to;
688
ret = start_mandos_communication(address, port, if_index);
794
ret = start_mandos_communication(address, port, if_index, &mc);
689
795
if(ret < 0){
690
796
exit(EXIT_FAILURE);
691
797
} else {
693
799
}
694
800
}
695
801
802
/* If the interface is down, bring it up */
803
{
804
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
805
if(sd < 0) {
806
perror("socket");
807
exitcode = EXIT_FAILURE;
808
goto end;
809
}
810
strcpy(network.ifr_name, interface); /* Spurious warning */
811
ret = ioctl(sd, SIOCGIFFLAGS, &network);
812
if(ret == -1){
813
perror("ioctl SIOCGIFFLAGS");
814
exitcode = EXIT_FAILURE;
815
goto end;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
820
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
exitcode = EXIT_FAILURE;
823
goto end;
824
}
825
}
826
close(sd);
827
}
828
696
829
if (not debug){
697
830
avahi_set_log_function(empty_log);
698
831
}
699
832
700
/* Initialize the psuedo-RNG */
833
/* Initialize the pseudo-RNG for Avahi */
701
834
srand((unsigned int) time(NULL));
702
703
/* Allocate main loop object */
704
if (!(simple_poll = avahi_simple_poll_new())) {
705
fprintf(stderr, "Failed to create simple poll object.\n");
706
707
goto exit;
708
}
709
710
/* Do not publish any local records */
711
avahi_server_config_init(&config);
712
config.publish_hinfo = 0;
713
config.publish_addresses = 0;
714
config.publish_workstation = 0;
715
config.publish_domain = 0;
716
717
/* Allocate a new server */
718
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
719
&config, NULL, NULL, &error);
720
721
/* Free the configuration data */
722
avahi_server_config_free(&config);
723
724
/* Check if creating the server object succeeded */
725
if (!server) {
726
fprintf(stderr, "Failed to create server: %s\n",
835
836
/* Allocate main Avahi loop object */
837
mc.simple_poll = avahi_simple_poll_new();
838
if (mc.simple_poll == NULL) {
839
fprintf(stderr, "Avahi: Failed to create simple poll"
840
" object.\n");
841
exitcode = EXIT_FAILURE;
842
goto end;
843
}
844
845
{
846
AvahiServerConfig config;
847
/* Do not publish any local Zeroconf records */
848
avahi_server_config_init(&config);
849
config.publish_hinfo = 0;
850
config.publish_addresses = 0;
851
config.publish_workstation = 0;
852
config.publish_domain = 0;
853
854
/* Allocate a new server */
855
mc.server = avahi_server_new(avahi_simple_poll_get
856
(mc.simple_poll), &config, NULL,
857
NULL, &error);
858
859
/* Free the Avahi configuration data */
860
avahi_server_config_free(&config);
861
}
862
863
/* Check if creating the Avahi server object succeeded */
864
if (mc.server == NULL) {
865
fprintf(stderr, "Failed to create Avahi server: %s\n",
727
866
avahi_strerror(error));
728
returncode = EXIT_FAILURE;
729
goto exit;
867
exitcode = EXIT_FAILURE;
868
goto end;
730
869
}
731
870
732
/* Create the service browser */
733
sb = avahi_s_service_browser_new(server, if_index,
871
/* Create the Avahi service browser */
872
sb = avahi_s_service_browser_new(mc.server, if_index,
734
873
AVAHI_PROTO_INET6,
735
874
"_mandos._tcp", NULL, 0,
736
browse_callback, server);
737
if (!sb) {
875
browse_callback, &mc);
876
if (sb == NULL) {
738
877
fprintf(stderr, "Failed to create service browser: %s\n",
739
avahi_strerror(avahi_server_errno(server)));
740
returncode = EXIT_FAILURE;
741
goto exit;
878
avahi_strerror(avahi_server_errno(mc.server)));
879
exitcode = EXIT_FAILURE;
880
goto end;
742
881
}
743
882
744
883
/* Run the main loop */
745
884
746
885
if (debug){
747
fprintf(stderr, "Starting avahi loop search\n");
886
fprintf(stderr, "Starting Avahi loop search\n");
748
887
}
749
888
750
avahi_simple_poll_loop(simple_poll);
889
avahi_simple_poll_loop(mc.simple_poll);
751
890
752
exit:
891
end:
753
892
754
893
if (debug){
755
894
fprintf(stderr, "%s exiting\n", argv[0]);
756
895
}
757
896
758
897
/* Cleanup things */
759
if (sb)
898
if (sb != NULL)
760
899
avahi_s_service_browser_free(sb);
761
900
762
if (server)
763
avahi_server_free(server);
764
765
if (simple_poll)
766
avahi_simple_poll_free(simple_poll);
767
768
return returncode;
901
if (mc.server != NULL)
902
avahi_server_free(mc.server);
903
904
if (mc.simple_poll != NULL)
905
avahi_simple_poll_free(mc.simple_poll);
906
free(pubkeyfile);
907
free(seckeyfile);
908
909
return exitcode;
769
910
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0