119
288
/* Create new empty GPGME data buffer for the plaintext */
120
289
rc = gpgme_data_new(&dh_plain);
121
if (rc != GPG_ERR_NO_ERROR){
290
if(rc != GPG_ERR_NO_ERROR){
122
291
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
123
292
gpgme_strsource(rc), gpgme_strerror(rc));
127
/* Create new GPGME "context" */
128
rc = gpgme_new(&ctx);
129
if (rc != GPG_ERR_NO_ERROR){
130
fprintf(stderr, "bad gpgme_new: %s: %s\n",
131
gpgme_strsource(rc), gpgme_strerror(rc));
135
/* Decrypt data from the FILE pointer to the plaintext data buffer */
136
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
137
if (rc != GPG_ERR_NO_ERROR){
293
gpgme_data_release(dh_crypto);
297
/* Decrypt data from the cryptotext data buffer to the plaintext
299
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
300
if(rc != GPG_ERR_NO_ERROR){
138
301
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
139
302
gpgme_strsource(rc), gpgme_strerror(rc));
144
fprintf(stderr, "decryption of gpg packet succeeded\n");
148
gpgme_decrypt_result_t result;
149
result = gpgme_op_decrypt_result(ctx);
151
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
153
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
154
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
155
if(result->file_name != NULL){
156
fprintf(stderr, "File name: %s\n", result->file_name);
158
gpgme_recipient_t recipient;
159
recipient = result->recipients;
303
plaintext_length = -1;
305
gpgme_decrypt_result_t result;
306
result = gpgme_op_decrypt_result(mc.ctx);
308
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
310
fprintf(stderr, "Unsupported algorithm: %s\n",
311
result->unsupported_algorithm);
312
fprintf(stderr, "Wrong key usage: %u\n",
313
result->wrong_key_usage);
314
if(result->file_name != NULL){
315
fprintf(stderr, "File name: %s\n", result->file_name);
317
gpgme_recipient_t recipient;
318
recipient = result->recipients;
161
319
while(recipient != NULL){
162
320
fprintf(stderr, "Public key algorithm: %s\n",
163
321
gpgme_pubkey_algo_name(recipient->pubkey_algo));
164
322
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
165
323
fprintf(stderr, "Secret key available: %s\n",
166
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
324
recipient->status == GPG_ERR_NO_SECKEY
167
326
recipient = recipient->next;
173
/* Delete the GPGME FILE pointer cryptotext data buffer */
174
gpgme_data_release(dh_crypto);
334
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
176
337
/* Seek back to the beginning of the GPGME plaintext data buffer */
177
gpgme_data_seek(dh_plain, 0, SEEK_SET);
338
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
339
perror("gpgme_data_seek");
340
plaintext_length = -1;
181
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
182
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
183
if (*new_packet == NULL){
187
new_packet_capacity += BUFFER_SIZE;
346
plaintext_capacity = incbuffer(plaintext,
347
(size_t)plaintext_length,
349
if(plaintext_capacity == 0){
351
plaintext_length = -1;
190
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
355
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
191
357
/* Print the data, if any */
193
/* If password is empty, then a incorrect error will be printed */
197
363
perror("gpgme_data_read");
200
new_packet_length += ret;
203
/* FIXME: check characters before printing to screen so to not print
204
terminal control characters */
206
/* fprintf(stderr, "decrypted password is: "); */
207
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
208
/* fprintf(stderr, "\n"); */
364
plaintext_length = -1;
367
plaintext_length += ret;
371
fprintf(stderr, "Decrypted password is: ");
372
for(ssize_t i = 0; i < plaintext_length; i++){
373
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
375
fprintf(stderr, "\n");
380
/* Delete the GPGME cryptotext data buffer */
381
gpgme_data_release(dh_crypto);
211
383
/* Delete the GPGME plaintext data buffer */
212
384
gpgme_data_release(dh_plain);
213
return new_packet_length;
385
return plaintext_length;
216
static const char * safer_gnutls_strerror (int value) {
217
const char *ret = gnutls_strerror (value);
388
static const char * safer_gnutls_strerror(int value){
389
const char *ret = gnutls_strerror(value); /* Spurious warning from
390
-Wunreachable-code */
219
392
ret = "(unknown)";
223
void debuggnutls(int level, const char* string){
224
fprintf(stderr, "%s", string);
396
/* GnuTLS log function callback */
397
static void debuggnutls(__attribute__((unused)) int level,
399
fprintf(stderr, "GnuTLS: %s", string);
227
int initgnutls(encrypted_session *es){
402
static int init_gnutls_global(const char *pubkeyfilename,
403
const char *seckeyfilename){
232
fprintf(stderr, "Initializing gnutls\n");
407
fprintf(stderr, "Initializing GnuTLS\n");
236
if ((ret = gnutls_global_init ())
237
!= GNUTLS_E_SUCCESS) {
238
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
410
ret = gnutls_global_init();
411
if(ret != GNUTLS_E_SUCCESS){
412
fprintf(stderr, "GnuTLS global_init: %s\n",
413
safer_gnutls_strerror(ret));
418
/* "Use a log level over 10 to enable all debugging options."
243
421
gnutls_global_set_log_level(11);
244
422
gnutls_global_set_log_function(debuggnutls);
248
/* openpgp credentials */
249
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
250
!= GNUTLS_E_SUCCESS) {
251
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
425
/* OpenPGP credentials */
426
gnutls_certificate_allocate_credentials(&mc.cred);
427
if(ret != GNUTLS_E_SUCCESS){
428
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
432
safer_gnutls_strerror(ret));
433
gnutls_global_deinit();
256
fprintf(stderr, "Attempting to use openpgp certificate %s"
257
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
438
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
439
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
260
443
ret = gnutls_certificate_set_openpgp_key_file
261
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
262
if (ret != GNUTLS_E_SUCCESS) {
264
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
265
ret, CERTFILE, KEYFILE);
266
fprintf(stdout, "The Error is: %s\n",
267
safer_gnutls_strerror(ret));
271
//Gnutls server initialization
272
if ((ret = gnutls_dh_params_init (&es->dh_params))
273
!= GNUTLS_E_SUCCESS) {
274
fprintf (stderr, "Error in dh parameter initialization: %s\n",
275
safer_gnutls_strerror(ret));
279
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "Error in prime generation: %s\n",
282
safer_gnutls_strerror(ret));
286
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
288
// Gnutls session creation
289
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
290
!= GNUTLS_E_SUCCESS){
291
fprintf(stderr, "Error in gnutls session initialization: %s\n",
292
safer_gnutls_strerror(ret));
295
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
296
!= GNUTLS_E_SUCCESS) {
297
fprintf(stderr, "Syntax error at: %s\n", err);
298
fprintf(stderr, "Gnutls error: %s\n",
299
safer_gnutls_strerror(ret));
303
if ((ret = gnutls_credentials_set
304
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf(stderr, "Error setting a credentials set: %s\n",
307
safer_gnutls_strerror(ret));
444
(mc.cred, pubkeyfilename, seckeyfilename,
445
GNUTLS_OPENPGP_FMT_BASE64);
446
if(ret != GNUTLS_E_SUCCESS){
448
"Error[%d] while reading the OpenPGP key pair ('%s',"
449
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
450
fprintf(stderr, "The GnuTLS error is: %s\n",
451
safer_gnutls_strerror(ret));
455
/* GnuTLS server initialization */
456
ret = gnutls_dh_params_init(&mc.dh_params);
457
if(ret != GNUTLS_E_SUCCESS){
458
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
459
" %s\n", safer_gnutls_strerror(ret));
462
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
463
if(ret != GNUTLS_E_SUCCESS){
464
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
465
safer_gnutls_strerror(ret));
469
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
475
gnutls_certificate_free_credentials(mc.cred);
476
gnutls_global_deinit();
477
gnutls_dh_params_deinit(mc.dh_params);
481
static int init_gnutls_session(gnutls_session_t *session){
483
/* GnuTLS session creation */
485
ret = gnutls_init(session, GNUTLS_SERVER);
489
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
490
if(ret != GNUTLS_E_SUCCESS){
491
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
492
safer_gnutls_strerror(ret));
498
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
500
gnutls_deinit(*session);
503
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
504
if(ret != GNUTLS_E_SUCCESS){
505
fprintf(stderr, "Syntax error at: %s\n", err);
506
fprintf(stderr, "GnuTLS error: %s\n",
507
safer_gnutls_strerror(ret));
508
gnutls_deinit(*session);
514
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
517
gnutls_deinit(*session);
520
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
521
if(ret != GNUTLS_E_SUCCESS){
522
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
523
safer_gnutls_strerror(ret));
524
gnutls_deinit(*session);
311
528
/* ignore client certificate if any. */
312
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
529
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
314
gnutls_dh_set_prime_bits (es->session, DH_BITS);
531
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
319
void empty_log(AvahiLogLevel level, const char *txt){}
536
/* Avahi log function callback */
537
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
538
__attribute__((unused)) const char *txt){}
321
int start_mandos_communcation(char *ip, uint16_t port){
323
struct sockaddr_in6 to;
324
struct in6_addr ip_addr;
325
encrypted_session es;
540
/* Called when a Mandos server is found */
541
static int start_mandos_communication(const char *ip, uint16_t port,
542
AvahiIfIndex if_index,
544
int ret, tcp_sd = -1;
547
struct sockaddr_in in;
548
struct sockaddr_in6 in6;
326
550
char *buffer = NULL;
327
char *decrypted_buffer;
551
char *decrypted_buffer = NULL;
328
552
size_t buffer_length = 0;
329
553
size_t buffer_capacity = 0;
330
ssize_t decrypted_buffer_size;
556
gnutls_session_t session;
557
int pf; /* Protocol family */
574
fprintf(stderr, "Bad address family: %d\n", af);
579
ret = init_gnutls_session(&session);
334
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
585
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
337
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
589
tcp_sd = socket(pf, SOCK_STREAM, 0);
339
592
perror("socket");
344
fprintf(stderr, "Binding to interface %s\n", interface);
347
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
349
perror("setsockopt bindtodevice");
353
memset(&to,0,sizeof(to));
354
to.sin6_family = AF_INET6;
355
ret = inet_pton(AF_INET6, ip, &ip_addr);
602
memset(&to, 0, sizeof(to));
604
to.in6.sin6_family = (sa_family_t)af;
605
ret = inet_pton(af, ip, &to.in6.sin6_addr);
607
to.in.sin_family = (sa_family_t)af;
608
ret = inet_pton(af, ip, &to.in.sin_addr);
357
612
perror("inet_pton");
361
618
fprintf(stderr, "Bad address: %s\n", ip);
364
to.sin6_port = htons(port);
365
to.sin6_scope_id = if_nametoindex(interface);
368
fprintf(stderr, "Connection to: %s\n", ip);
371
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
377
ret = initgnutls (&es);
384
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
387
fprintf(stderr, "Establishing tls session with %s\n", ip);
391
ret = gnutls_handshake (es.session);
393
if (ret != GNUTLS_E_SUCCESS){
394
fprintf(stderr, "\n*** Handshake failed ***\n");
400
//Retrieve gpg packet that contains the wanted password
403
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
407
if (buffer_length + BUFFER_SIZE > buffer_capacity){
408
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
413
buffer_capacity += BUFFER_SIZE;
416
ret = gnutls_record_recv
417
(es.session, buffer+buffer_length, BUFFER_SIZE);
623
to.in6.sin6_port = htons(port); /* Spurious warnings from
625
-Wunreachable-code */
627
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
628
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
630
if(if_index == AVAHI_IF_UNSPEC){
631
fprintf(stderr, "An IPv6 link-local address is incomplete"
632
" without a network interface\n");
636
/* Set the network interface number as scope */
637
to.in6.sin6_scope_id = (uint32_t)if_index;
640
to.in.sin_port = htons(port); /* Spurious warnings from
642
-Wunreachable-code */
651
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
652
char interface[IF_NAMESIZE];
653
if(if_indextoname((unsigned int)if_index, interface) == NULL){
654
perror("if_indextoname");
656
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
657
ip, interface, port);
660
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
663
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
664
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
667
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
670
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
676
if(strcmp(addrstr, ip) != 0){
677
fprintf(stderr, "Canonical address form: %s\n", addrstr);
688
ret = connect(tcp_sd, &to.in6, sizeof(to));
690
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
693
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
706
const char *out = mandos_protocol_version;
709
size_t out_size = strlen(out);
710
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
711
out_size - written));
718
written += (size_t)ret;
719
if(written < out_size){
722
if(out == mandos_protocol_version){
737
fprintf(stderr, "Establishing TLS session with %s\n", ip);
745
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
753
ret = gnutls_handshake(session);
758
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
760
if(ret != GNUTLS_E_SUCCESS){
762
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
769
/* Read OpenPGP packet that contains the wanted password */
772
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
783
buffer_capacity = incbuffer(&buffer, buffer_length,
785
if(buffer_capacity == 0){
797
sret = gnutls_record_recv(session, buffer+buffer_length,
423
804
case GNUTLS_E_INTERRUPTED:
424
805
case GNUTLS_E_AGAIN:
426
807
case GNUTLS_E_REHANDSHAKE:
427
ret = gnutls_handshake (es.session);
429
fprintf(stderr, "\n*** Handshake failed ***\n");
809
ret = gnutls_handshake(session);
815
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
817
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
436
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
438
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
442
buffer_length += ret;
446
if (buffer_length > 0){
447
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
448
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
449
free(decrypted_buffer);
824
fprintf(stderr, "Unknown error while reading data from"
825
" encrypted session with Mandos server\n");
826
gnutls_bye(session, GNUTLS_SHUT_RDWR);
831
buffer_length += (size_t) sret;
836
fprintf(stderr, "Closing TLS session\n");
845
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
850
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
852
if(buffer_length > 0){
853
ssize_t decrypted_buffer_size;
854
decrypted_buffer_size = pgp_packet_decrypt(buffer,
857
if(decrypted_buffer_size >= 0){
860
while(written < (size_t) decrypted_buffer_size){
866
ret = (int)fwrite(decrypted_buffer + written, 1,
867
(size_t)decrypted_buffer_size - written,
869
if(ret == 0 and ferror(stdout)){
872
fprintf(stderr, "Error writing encrypted data: %s\n",
878
written += (size_t)ret;
884
/* Shutdown procedure */
889
free(decrypted_buffer);
892
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
900
gnutls_deinit(session);
458
fprintf(stderr, "Closing tls session\n");
462
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
465
gnutls_deinit (es.session);
466
gnutls_certificate_free_credentials (es.cred);
467
gnutls_global_deinit ();
471
static AvahiSimplePoll *simple_poll = NULL;
472
static AvahiServer *server = NULL;
474
static void resolve_callback(
475
AvahiSServiceResolver *r,
476
AVAHI_GCC_UNUSED AvahiIfIndex interface,
477
AVAHI_GCC_UNUSED AvahiProtocol protocol,
478
AvahiResolverEvent event,
482
const char *host_name,
483
const AvahiAddress *address,
485
AvahiStringList *txt,
486
AvahiLookupResultFlags flags,
487
AVAHI_GCC_UNUSED void* userdata) {
491
/* Called whenever a service has been resolved successfully or timed out */
494
case AVAHI_RESOLVER_FAILURE:
495
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
498
case AVAHI_RESOLVER_FOUND: {
499
char ip[AVAHI_ADDRESS_STR_MAX];
500
avahi_address_snprint(ip, sizeof(ip), address);
502
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
504
int ret = start_mandos_communcation(ip, port);
512
avahi_s_service_resolver_free(r);
515
static void browse_callback(
516
AvahiSServiceBrowser *b,
517
AvahiIfIndex interface,
518
AvahiProtocol protocol,
519
AvahiBrowserEvent event,
523
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
526
AvahiServer *s = userdata;
529
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
533
case AVAHI_BROWSER_FAILURE:
535
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
536
avahi_simple_poll_quit(simple_poll);
539
case AVAHI_BROWSER_NEW:
540
/* We ignore the returned resolver object. In the callback
541
function we free it. If the server is terminated before
542
the callback function is called the server will free
543
the resolver for us. */
545
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
546
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
550
case AVAHI_BROWSER_REMOVE:
553
case AVAHI_BROWSER_ALL_FOR_NOW:
554
case AVAHI_BROWSER_CACHE_EXHAUSTED:
559
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
910
static void resolve_callback(AvahiSServiceResolver *r,
911
AvahiIfIndex interface,
913
AvahiResolverEvent event,
917
const char *host_name,
918
const AvahiAddress *address,
920
AVAHI_GCC_UNUSED AvahiStringList *txt,
921
AVAHI_GCC_UNUSED AvahiLookupResultFlags
923
AVAHI_GCC_UNUSED void* userdata){
926
/* Called whenever a service has been resolved successfully or
935
case AVAHI_RESOLVER_FAILURE:
936
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
937
" of type '%s' in domain '%s': %s\n", name, type, domain,
938
avahi_strerror(avahi_server_errno(mc.server)));
941
case AVAHI_RESOLVER_FOUND:
943
char ip[AVAHI_ADDRESS_STR_MAX];
944
avahi_address_snprint(ip, sizeof(ip), address);
946
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
947
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
948
ip, (intmax_t)interface, port);
950
int ret = start_mandos_communication(ip, port, interface,
951
avahi_proto_to_af(proto));
953
avahi_simple_poll_quit(mc.simple_poll);
957
avahi_s_service_resolver_free(r);
960
static void browse_callback(AvahiSServiceBrowser *b,
961
AvahiIfIndex interface,
962
AvahiProtocol protocol,
963
AvahiBrowserEvent event,
967
AVAHI_GCC_UNUSED AvahiLookupResultFlags
969
AVAHI_GCC_UNUSED void* userdata){
972
/* Called whenever a new services becomes available on the LAN or
973
is removed from the LAN */
981
case AVAHI_BROWSER_FAILURE:
983
fprintf(stderr, "(Avahi browser) %s\n",
984
avahi_strerror(avahi_server_errno(mc.server)));
985
avahi_simple_poll_quit(mc.simple_poll);
988
case AVAHI_BROWSER_NEW:
989
/* We ignore the returned Avahi resolver object. In the callback
990
function we free it. If the Avahi server is terminated before
991
the callback function is called the Avahi server will free the
994
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
995
name, type, domain, protocol, 0,
996
resolve_callback, NULL) == NULL)
997
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
998
name, avahi_strerror(avahi_server_errno(mc.server)));
1001
case AVAHI_BROWSER_REMOVE:
1004
case AVAHI_BROWSER_ALL_FOR_NOW:
1005
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1007
fprintf(stderr, "No Mandos server found, still searching...\n");
1013
/* stop main loop after sigterm has been called */
1014
static void handle_sigterm(int sig){
1019
signal_received = sig;
1020
int old_errno = errno;
1021
if(mc.simple_poll != NULL){
1022
avahi_simple_poll_quit(mc.simple_poll);
1028
* This function determines if a directory entry in /sys/class/net
1029
* corresponds to an acceptable network device.
1030
* (This function is passed to scandir(3) as a filter function.)
1032
int good_interface(const struct dirent *if_entry){
1034
char *flagname = NULL;
1035
int ret = asprintf(&flagname, "%s/%s/flags", sys_class_net,
1041
if(if_entry->d_name[0] == '.'){
1044
int flags_fd = (int)TEMP_FAILURE_RETRY(open(flagname, O_RDONLY));
1049
typedef short ifreq_flags; /* ifreq.ifr_flags in netdevice(7) */
1050
/* read line from flags_fd */
1051
ssize_t to_read = (sizeof(ifreq_flags)*2)+3; /* "0x1003\n" */
1052
char *flagstring = malloc((size_t)to_read+1); /* +1 for final \0 */
1053
flagstring[(size_t)to_read] = '\0';
1054
if(flagstring == NULL){
1060
ssret = (ssize_t)TEMP_FAILURE_RETRY(read(flags_fd, flagstring,
1077
tmpmax = strtoimax(flagstring, &tmp, 0);
1078
if(errno != 0 or tmp == flagstring or (*tmp != '\0'
1079
and not (isspace(*tmp)))
1080
or tmpmax != (ifreq_flags)tmpmax){
1082
fprintf(stderr, "Invalid flags \"%s\" for interface \"%s\"\n",
1083
flagstring, if_entry->d_name);
1089
ifreq_flags flags = (ifreq_flags)tmpmax;
1090
/* Reject the loopback device */
1091
if(flags & IFF_LOOPBACK){
1093
fprintf(stderr, "Rejecting loopback interface \"%s\"\n",
1098
/* Accept point-to-point devices only if connect_to is specified */
1099
if(connect_to != NULL and (flags & IFF_POINTOPOINT)){
1101
fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",
1106
/* Otherwise, reject non-broadcast-capable devices */
1107
if(not (flags & IFF_BROADCAST)){
1109
fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",
1114
/* Accept this device */
1116
fprintf(stderr, "Interface \"%s\" is acceptable\n",
1122
int main(int argc, char *argv[]){
1123
AvahiSServiceBrowser *sb = NULL;
1128
int exitcode = EXIT_SUCCESS;
1129
const char *interface = "";
1130
struct ifreq network;
1132
bool take_down_interface = false;
1135
char tempdir[] = "/tmp/mandosXXXXXX";
1136
bool tempdir_created = false;
1137
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1138
const char *seckey = PATHDIR "/" SECKEY;
1139
const char *pubkey = PATHDIR "/" PUBKEY;
1141
bool gnutls_initialized = false;
1142
bool gpgme_initialized = false;
1145
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1146
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1151
/* Lower any group privileges we might have, just to be safe */
1158
/* Lower user privileges (temporarily) */
1170
struct argp_option options[] = {
1171
{ .name = "debug", .key = 128,
1172
.doc = "Debug mode", .group = 3 },
1173
{ .name = "connect", .key = 'c',
1174
.arg = "ADDRESS:PORT",
1175
.doc = "Connect directly to a specific Mandos server",
1177
{ .name = "interface", .key = 'i',
1179
.doc = "Network interface that will be used to search for"
1182
{ .name = "seckey", .key = 's',
1184
.doc = "OpenPGP secret key file base name",
1186
{ .name = "pubkey", .key = 'p',
1188
.doc = "OpenPGP public key file base name",
1190
{ .name = "dh-bits", .key = 129,
1192
.doc = "Bit length of the prime number used in the"
1193
" Diffie-Hellman key exchange",
1195
{ .name = "priority", .key = 130,
1197
.doc = "GnuTLS priority string for the TLS handshake",
1199
{ .name = "delay", .key = 131,
1201
.doc = "Maximum delay to wait for interface startup",
1204
* These reproduce what we would get without ARGP_NO_HELP
1206
{ .name = "help", .key = '?',
1207
.doc = "Give this help list", .group = -1 },
1208
{ .name = "usage", .key = -3,
1209
.doc = "Give a short usage message", .group = -1 },
1210
{ .name = "version", .key = 'V',
1211
.doc = "Print program version", .group = -1 },
1215
error_t parse_opt(int key, char *arg,
1216
struct argp_state *state){
1219
case 128: /* --debug */
1222
case 'c': /* --connect */
1225
case 'i': /* --interface */
1228
case 's': /* --seckey */
1231
case 'p': /* --pubkey */
1234
case 129: /* --dh-bits */
1236
tmpmax = strtoimax(arg, &tmp, 10);
1237
if(errno != 0 or tmp == arg or *tmp != '\0'
1238
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1239
argp_error(state, "Bad number of DH bits");
1241
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1243
case 130: /* --priority */
1246
case 131: /* --delay */
1248
delay = strtof(arg, &tmp);
1249
if(errno != 0 or tmp == arg or *tmp != '\0'){
1250
argp_error(state, "Bad delay");
1254
* These reproduce what we would get without ARGP_NO_HELP
1256
case '?': /* --help */
1257
argp_state_help(state, state->out_stream,
1258
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1259
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1260
case -3: /* --usage */
1261
argp_state_help(state, state->out_stream,
1262
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1263
case 'V': /* --version */
1264
fprintf(state->out_stream, "%s\n", argp_program_version);
1265
exit(argp_err_exit_status);
1268
return ARGP_ERR_UNKNOWN;
1273
struct argp argp = { .options = options, .parser = parse_opt,
1275
.doc = "Mandos client -- Get and decrypt"
1276
" passwords from a Mandos server" };
1277
ret = argp_parse(&argp, argc, argv,
1278
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1285
perror("argp_parse");
1286
exitcode = EX_OSERR;
1289
exitcode = EX_USAGE;
1295
avahi_set_log_function(empty_log);
1298
if(interface[0] == '\0'){
1299
struct dirent **direntries;
1300
ret = scandir(sys_class_net, &direntries, good_interface,
1303
/* Pick the first good interface */
1304
interface = strdup(direntries[0]->d_name);
1306
fprintf(stderr, "Using interface \"%s\"\n", interface);
1308
if(interface == NULL){
1311
exitcode = EXIT_FAILURE;
1317
fprintf(stderr, "Could not find a network interface\n");
1318
exitcode = EXIT_FAILURE;
1323
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1324
from the signal handler */
1325
/* Initialize the pseudo-RNG for Avahi */
1326
srand((unsigned int) time(NULL));
1327
mc.simple_poll = avahi_simple_poll_new();
1328
if(mc.simple_poll == NULL){
1329
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1330
exitcode = EX_UNAVAILABLE;
1334
sigemptyset(&sigterm_action.sa_mask);
1335
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1337
perror("sigaddset");
1338
exitcode = EX_OSERR;
1341
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1343
perror("sigaddset");
1344
exitcode = EX_OSERR;
1347
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1349
perror("sigaddset");
1350
exitcode = EX_OSERR;
1353
/* Need to check if the handler is SIG_IGN before handling:
1354
| [[info:libc:Initial Signal Actions]] |
1355
| [[info:libc:Basic Signal Handling]] |
1357
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1359
perror("sigaction");
1362
if(old_sigterm_action.sa_handler != SIG_IGN){
1363
ret = sigaction(SIGINT, &sigterm_action, NULL);
1365
perror("sigaction");
1366
exitcode = EX_OSERR;
1370
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1372
perror("sigaction");
1375
if(old_sigterm_action.sa_handler != SIG_IGN){
1376
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1378
perror("sigaction");
1379
exitcode = EX_OSERR;
1383
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1385
perror("sigaction");
1388
if(old_sigterm_action.sa_handler != SIG_IGN){
1389
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1391
perror("sigaction");
1392
exitcode = EX_OSERR;
1397
/* If the interface is down, bring it up */
1398
if(strcmp(interface, "none") != 0){
1399
if_index = (AvahiIfIndex) if_nametoindex(interface);
1401
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1402
exitcode = EX_UNAVAILABLE;
1410
/* Re-raise priviliges */
1418
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1419
messages about the network interface to mess up the prompt */
1420
ret = klogctl(8, NULL, 5);
1421
bool restore_loglevel = true;
1423
restore_loglevel = false;
1426
#endif /* __linux__ */
1428
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1431
exitcode = EX_OSERR;
1433
if(restore_loglevel){
1434
ret = klogctl(7, NULL, 0);
1439
#endif /* __linux__ */
1440
/* Lower privileges */
1448
strcpy(network.ifr_name, interface);
1449
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1451
perror("ioctl SIOCGIFFLAGS");
1453
if(restore_loglevel){
1454
ret = klogctl(7, NULL, 0);
1459
#endif /* __linux__ */
1460
exitcode = EX_OSERR;
1461
/* Lower privileges */
1469
if((network.ifr_flags & IFF_UP) == 0){
1470
network.ifr_flags |= IFF_UP;
1471
take_down_interface = true;
1472
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1474
take_down_interface = false;
1475
perror("ioctl SIOCSIFFLAGS +IFF_UP");
1476
exitcode = EX_OSERR;
1478
if(restore_loglevel){
1479
ret = klogctl(7, NULL, 0);
1484
#endif /* __linux__ */
1485
/* Lower privileges */
1494
/* sleep checking until interface is running */
1495
for(int i=0; i < delay * 4; i++){
1496
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1498
perror("ioctl SIOCGIFFLAGS");
1499
} else if(network.ifr_flags & IFF_RUNNING){
1502
struct timespec sleeptime = { .tv_nsec = 250000000 };
1503
ret = nanosleep(&sleeptime, NULL);
1504
if(ret == -1 and errno != EINTR){
1505
perror("nanosleep");
1508
if(not take_down_interface){
1509
/* We won't need the socket anymore */
1510
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1516
if(restore_loglevel){
1517
/* Restores kernel loglevel to default */
1518
ret = klogctl(7, NULL, 0);
1523
#endif /* __linux__ */
1524
/* Lower privileges */
1526
if(take_down_interface){
1527
/* Lower privileges */
1533
/* Lower privileges permanently */
1545
ret = init_gnutls_global(pubkey, seckey);
1547
fprintf(stderr, "init_gnutls_global failed\n");
1548
exitcode = EX_UNAVAILABLE;
1551
gnutls_initialized = true;
1558
tempdir_created = true;
1559
if(mkdtemp(tempdir) == NULL){
1560
tempdir_created = false;
1569
if(not init_gpgme(pubkey, seckey, tempdir)){
1570
fprintf(stderr, "init_gpgme failed\n");
1571
exitcode = EX_UNAVAILABLE;
1574
gpgme_initialized = true;
1581
if(connect_to != NULL){
1582
/* Connect directly, do not use Zeroconf */
1583
/* (Mainly meant for debugging) */
1584
char *address = strrchr(connect_to, ':');
1585
if(address == NULL){
1586
fprintf(stderr, "No colon in address\n");
1587
exitcode = EX_USAGE;
1597
tmpmax = strtoimax(address+1, &tmp, 10);
1598
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1599
or tmpmax != (uint16_t)tmpmax){
1600
fprintf(stderr, "Bad port number\n");
1601
exitcode = EX_USAGE;
1609
port = (uint16_t)tmpmax;
1611
address = connect_to;
1612
/* Colon in address indicates IPv6 */
1614
if(strchr(address, ':') != NULL){
1624
while(not quit_now){
1625
ret = start_mandos_communication(address, port, if_index, af);
1626
if(quit_now or ret == 0){
1633
exitcode = EXIT_SUCCESS;
560
1644
AvahiServerConfig config;
561
AvahiSServiceBrowser *sb = NULL;
564
int returncode = EXIT_SUCCESS;
567
static struct option long_options[] = {
568
{"debug", no_argument, (int *)&debug, 1},
569
{"interface", required_argument, 0, 'i'},
572
int option_index = 0;
573
ret = getopt_long (argc, argv, "i:", long_options, &option_index);
591
avahi_set_log_function(empty_log);
594
/* Initialize the psuedo-RNG */
597
/* Allocate main loop object */
598
if (!(simple_poll = avahi_simple_poll_new())) {
599
fprintf(stderr, "Failed to create simple poll object.\n");
604
/* Do not publish any local records */
1645
/* Do not publish any local Zeroconf records */
605
1646
avahi_server_config_init(&config);
606
1647
config.publish_hinfo = 0;
607
1648
config.publish_addresses = 0;
608
1649
config.publish_workstation = 0;
609
1650
config.publish_domain = 0;
611
1652
/* Allocate a new server */
612
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
614
/* Free the configuration data */
1653
mc.server = avahi_server_new(avahi_simple_poll_get
1654
(mc.simple_poll), &config, NULL,
1657
/* Free the Avahi configuration data */
615
1658
avahi_server_config_free(&config);
617
/* Check if creating the server object succeeded */
619
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
620
returncode = EXIT_FAILURE;
624
/* Create the service browser */
625
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
626
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
627
returncode = EXIT_FAILURE;
631
/* Run the main loop */
634
fprintf(stderr, "Starting avahi loop search\n");
637
avahi_simple_poll_loop(simple_poll);
642
fprintf(stderr, "%s exiting\n", argv[0]);
647
avahi_s_service_browser_free(sb);
650
avahi_server_free(server);
653
avahi_simple_poll_free(simple_poll);
1661
/* Check if creating the Avahi server object succeeded */
1662
if(mc.server == NULL){
1663
fprintf(stderr, "Failed to create Avahi server: %s\n",
1664
avahi_strerror(error));
1665
exitcode = EX_UNAVAILABLE;
1673
/* Create the Avahi service browser */
1674
sb = avahi_s_service_browser_new(mc.server, if_index,
1675
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1676
NULL, 0, browse_callback, NULL);
1678
fprintf(stderr, "Failed to create service browser: %s\n",
1679
avahi_strerror(avahi_server_errno(mc.server)));
1680
exitcode = EX_UNAVAILABLE;
1688
/* Run the main loop */
1691
fprintf(stderr, "Starting Avahi loop search\n");
1694
avahi_simple_poll_loop(mc.simple_poll);
1699
fprintf(stderr, "%s exiting\n", argv[0]);
1702
/* Cleanup things */
1704
avahi_s_service_browser_free(sb);
1706
if(mc.server != NULL)
1707
avahi_server_free(mc.server);
1709
if(mc.simple_poll != NULL)
1710
avahi_simple_poll_free(mc.simple_poll);
1712
if(gnutls_initialized){
1713
gnutls_certificate_free_credentials(mc.cred);
1714
gnutls_global_deinit();
1715
gnutls_dh_params_deinit(mc.dh_params);
1718
if(gpgme_initialized){
1719
gpgme_release(mc.ctx);
1722
/* Take down the network interface */
1723
if(take_down_interface){
1724
/* Re-raise priviliges */
1731
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1733
perror("ioctl SIOCGIFFLAGS");
1734
} else if(network.ifr_flags & IFF_UP) {
1735
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1736
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1738
perror("ioctl SIOCSIFFLAGS -IFF_UP");
1741
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1745
/* Lower privileges permanently */
1754
/* Removes the temp directory used by GPGME */
1755
if(tempdir_created){
1757
struct dirent *direntry;
1758
d = opendir(tempdir);
1760
if(errno != ENOENT){
1765
direntry = readdir(d);
1766
if(direntry == NULL){
1769
/* Skip "." and ".." */
1770
if(direntry->d_name[0] == '.'
1771
and (direntry->d_name[1] == '\0'
1772
or (direntry->d_name[1] == '.'
1773
and direntry->d_name[2] == '\0'))){
1776
char *fullname = NULL;
1777
ret = asprintf(&fullname, "%s/%s", tempdir,
1783
ret = remove(fullname);
1785
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1792
ret = rmdir(tempdir);
1793
if(ret == -1 and errno != ENOENT){
1799
sigemptyset(&old_sigterm_action.sa_mask);
1800
old_sigterm_action.sa_handler = SIG_DFL;
1801
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1802
&old_sigterm_action,
1805
perror("sigaction");
1808
ret = raise(signal_received);
1809
} while(ret != 0 and errno == EINTR);
1814
TEMP_FAILURE_RETRY(pause());