/mandos/trunk : revision 62

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Teddy Hogeborn
Date: 2008-08-10 17:52:54 UTC
Revision ID: teddy@fukt.bsnet.se-20080810175254-pxjzwws523ji49n7

* Makefile (DOCBOOKTOMAN): Do not generate AUTHORS section.

files added:
network-protocol.txt

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.lsm

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugin-runner.c => mandos-client.c

plugin-runner.xml => mandos-client.xml

plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

mandos

mandos-clients.conf.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), remove() */

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand(), strtof() */

#include <stdbool.h> /* bool, false, true */

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

strerror(), memcpy(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

IFF_UP */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, uid_t, gid_t, open(),

opendir(), DIR */

#include <sys/stat.h> /* open() */

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

inet_pton(), connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,

strtoimax() */

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time() */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,

INET_ADDRSTRLEN, INET6_ADDRSTRLEN

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, or, and */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <signal.h> /* sigemptyset(), sigaddset(),

sigaction(), SIGTERM, sigaction,

sig_atomic_t */

#ifdef __linux__

#include <sys/klog.h> /* klogctl() */

#endif /* __linux__ */

/* Avahi */

/* All Avahi types, constants and functions

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

100

gnutls_*

101

init_gnutls_session(),

102

GNUTLS_* */

103

#include <gnutls/openpgp.h>

104

/* gnutls_certificate_set_openpgp_key_file(),

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

105

GNUTLS_OPENPGP_FMT_BASE64 */

106

107

/* GPGME */

108

#include <gpgme.h> /* All GPGME types, constants and

109

functions:

#include <gpgme.h> /* All GPGME types, constants and functions

110

gpgme_*

111

GPGME_PROTOCOL_OpenPGP,

112

GPG_ERR_NO_* */

113

114

#define BUFFER_SIZE 256

115

100

116

#define PATHDIR "/conf/conf.d/mandos"

117

#define SECKEY "seckey.txt"

118

#define PUBKEY "pubkey.txt"

119

120

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

121

103

static const char mandos_protocol_version[] = "1";

122

const char *argp_program_version = "mandos-client " VERSION;

104

const char *argp_program_version = "password-request 1.0";

123

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

124

106

125

107

/* Used for passing in values through the Avahi callback functions */

130

112

unsigned int dh_bits;

131

113

gnutls_dh_params_t dh_params;

132

114

const char *priority;

133

gpgme_ctx_t ctx;

134

115

} mandos_context;

135

116

136

/* global context so signal handler can reach it*/

137

mandos_context mc = { .simple_poll = NULL, .server = NULL,

138

.dh_bits = 1024, .priority = "SECURE256"

139

":!CTYPE-X.509:+CTYPE-OPENPGP" };

140

141

117

142

* Make additional room in "buffer" for at least BUFFER_SIZE more

143

* bytes. "buffer_capacity" is how much is currently allocated,

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

144

120

* "buffer_length" is how much is already used.

145

121

146

size_t incbuffer(char **buffer, size_t buffer_length,

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

147

123

size_t buffer_capacity){

148

if(buffer_length + BUFFER_SIZE > buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

149

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

150

if(buffer == NULL){

126

if (buffer == NULL){

151

127

return 0;

152

128

}

153

129

buffer_capacity += BUFFER_SIZE;

156

132

}

157

133

158

134

159

* Initialize GPGME.

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

160

137

161

static bool init_gpgme(const char *seckey,

162

const char *pubkey, const char *tempdir){

163

int ret;

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

141

const char *homedir){

142

gpgme_data_t dh_crypto, dh_plain;

143

gpgme_ctx_t ctx;

164

144

gpgme_error_t rc;

145

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

165

148

gpgme_engine_info_t engine_info;

166

149

167

168

169

* Helper function to insert pub and seckey to the engine keyring.

170

171

bool import_key(const char *filename){

172

int fd;

173

gpgme_data_t pgp_data;

174

175

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

176

if(fd == -1){

177

perror("open");

178

return false;

179

}

180

181

rc = gpgme_data_new_from_fd(&pgp_data, fd);

182

if(rc != GPG_ERR_NO_ERROR){

183

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

184

gpgme_strsource(rc), gpgme_strerror(rc));

185

return false;

186

}

187

188

rc = gpgme_op_import(mc.ctx, pgp_data);

189

if(rc != GPG_ERR_NO_ERROR){

190

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

191

gpgme_strsource(rc), gpgme_strerror(rc));

192

return false;

193

}

194

195

ret = (int)TEMP_FAILURE_RETRY(close(fd));

196

if(ret == -1){

197

perror("close");

198

}

199

gpgme_data_release(pgp_data);

200

return true;

201

}

202

203

if(debug){

204

fprintf(stderr, "Initializing GPGME\n");

150

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

205

152

}

206

153

207

154

/* Init GPGME */

208

155

gpgme_check_version(NULL);

209

156

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

210

if(rc != GPG_ERR_NO_ERROR){

157

if (rc != GPG_ERR_NO_ERROR){

211

158

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

212

159

gpgme_strsource(rc), gpgme_strerror(rc));

213

return false;

160

return -1;

214

161

}

215

162

216

/* Set GPGME home directory for the OpenPGP engine only */

217

rc = gpgme_get_engine_info(&engine_info);

218

if(rc != GPG_ERR_NO_ERROR){

163

/* Set GPGME home directory for the OpenPGP engine only */

164

rc = gpgme_get_engine_info (&engine_info);

165

if (rc != GPG_ERR_NO_ERROR){

219

166

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

220

167

gpgme_strsource(rc), gpgme_strerror(rc));

221

return false;

168

return -1;

222

169

}

223

170

while(engine_info != NULL){

224

171

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

225

172

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

226

engine_info->file_name, tempdir);

173

engine_info->file_name, homedir);

227

174

break;

228

175

}

229

176

engine_info = engine_info->next;

230

177

}

231

178

if(engine_info == NULL){

232

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

233

return false;

234

}

235

236

/* Create new GPGME "context" */

237

rc = gpgme_new(&(mc.ctx));

238

if(rc != GPG_ERR_NO_ERROR){

239

fprintf(stderr, "bad gpgme_new: %s: %s\n",

240

gpgme_strsource(rc), gpgme_strerror(rc));

241

return false;

242

}

243

244

if(not import_key(pubkey) or not import_key(seckey)){

245

return false;

246

}

247

248

return true;

249

}

250

251

252

* Decrypt OpenPGP data.

253

* Returns -1 on error

254

255

static ssize_t pgp_packet_decrypt(const char *cryptotext,

256

size_t crypto_size,

257

char **plaintext){

258

gpgme_data_t dh_crypto, dh_plain;

259

gpgme_error_t rc;

260

ssize_t ret;

261

size_t plaintext_capacity = 0;

262

ssize_t plaintext_length = 0;

263

264

if(debug){

265

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

180

return -1;

266

181

}

267

182

268

183

/* Create new GPGME data buffer from memory cryptotext */

269

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

270

185

0);

271

if(rc != GPG_ERR_NO_ERROR){

186

if (rc != GPG_ERR_NO_ERROR){

272

187

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

273

188

gpgme_strsource(rc), gpgme_strerror(rc));

274

189

return -1;

276

191

277

192

/* Create new empty GPGME data buffer for the plaintext */

278

193

rc = gpgme_data_new(&dh_plain);

279

if(rc != GPG_ERR_NO_ERROR){

194

if (rc != GPG_ERR_NO_ERROR){

280

195

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

281

196

gpgme_strsource(rc), gpgme_strerror(rc));

282

197

gpgme_data_release(dh_crypto);

283

198

return -1;

284

199

}

285

200

201

/* Create new GPGME "context" */

202

rc = gpgme_new(&ctx);

203

if (rc != GPG_ERR_NO_ERROR){

204

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

208

}

209

286

210

/* Decrypt data from the cryptotext data buffer to the plaintext

287

211

data buffer */

288

rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);

289

if(rc != GPG_ERR_NO_ERROR){

212

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

if (rc != GPG_ERR_NO_ERROR){

290

214

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

291

215

gpgme_strsource(rc), gpgme_strerror(rc));

292

216

plaintext_length = -1;

293

if(debug){

294

gpgme_decrypt_result_t result;

295

result = gpgme_op_decrypt_result(mc.ctx);

296

if(result == NULL){

297

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

298

} else {

299

fprintf(stderr, "Unsupported algorithm: %s\n",

300

result->unsupported_algorithm);

301

fprintf(stderr, "Wrong key usage: %u\n",

302

result->wrong_key_usage);

303

if(result->file_name != NULL){

304

fprintf(stderr, "File name: %s\n", result->file_name);

305

}

306

gpgme_recipient_t recipient;

307

recipient = result->recipients;

308

if(recipient){

309

while(recipient != NULL){

310

fprintf(stderr, "Public key algorithm: %s\n",

311

gpgme_pubkey_algo_name(recipient->pubkey_algo));

312

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

313

fprintf(stderr, "Secret key available: %s\n",

314

recipient->status == GPG_ERR_NO_SECKEY

315

? "No" : "Yes");

316

recipient = recipient->next;

317

}

318

}

319

}

320

}

321

217

goto decrypt_end;

322

218

}

323

219

325

221

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

326

222

}

327

223

224

if (debug){

225

gpgme_decrypt_result_t result;

226

result = gpgme_op_decrypt_result(ctx);

227

if (result == NULL){

228

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

229

} else {

230

fprintf(stderr, "Unsupported algorithm: %s\n",

231

result->unsupported_algorithm);

232

fprintf(stderr, "Wrong key usage: %u\n",

233

result->wrong_key_usage);

234

if(result->file_name != NULL){

235

fprintf(stderr, "File name: %s\n", result->file_name);

236

}

237

gpgme_recipient_t recipient;

238

recipient = result->recipients;

239

if(recipient){

240

while(recipient != NULL){

241

fprintf(stderr, "Public key algorithm: %s\n",

242

gpgme_pubkey_algo_name(recipient->pubkey_algo));

243

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

244

fprintf(stderr, "Secret key available: %s\n",

245

recipient->status == GPG_ERR_NO_SECKEY

246

? "No" : "Yes");

247

recipient = recipient->next;

248

}

249

}

250

}

251

}

252

328

253

/* Seek back to the beginning of the GPGME plaintext data buffer */

329

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

330

perror("gpgme_data_seek");

254

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

255

perror("pgpme_data_seek");

331

256

plaintext_length = -1;

332

257

goto decrypt_end;

333

258

}

334

259

335

260

*plaintext = NULL;

336

261

while(true){

337

plaintext_capacity = incbuffer(plaintext,

262

plaintext_capacity = adjustbuffer(plaintext,

338

263

(size_t)plaintext_length,

339

264

plaintext_capacity);

340

if(plaintext_capacity == 0){

341

perror("incbuffer");

265

if (plaintext_capacity == 0){

266

perror("adjustbuffer");

342

267

plaintext_length = -1;

343

268

goto decrypt_end;

344

269

}

346

271

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

347

272

BUFFER_SIZE);

348

273

/* Print the data, if any */

349

if(ret == 0){

274

if (ret == 0){

350

275

/* EOF */

351

276

break;

352

277

}

357

282

}

358

283

plaintext_length += ret;

359

284

}

360

285

361

286

if(debug){

362

287

fprintf(stderr, "Decrypted password is: ");

363

288

for(ssize_t i = 0; i < plaintext_length; i++){

376

301

return plaintext_length;

377

302

}

378

303

379

static const char * safer_gnutls_strerror(int value){

380

const char *ret = gnutls_strerror(value); /* Spurious warning from

381

-Wunreachable-code */

382

if(ret == NULL)

304

static const char * safer_gnutls_strerror (int value) {

305

const char *ret = gnutls_strerror (value);

306

if (ret == NULL)

383

307

ret = "(unknown)";

384

308

return ret;

385

309

}

390

314

fprintf(stderr, "GnuTLS: %s", string);

391

315

}

392

316

393

static int init_gnutls_global(const char *pubkeyfilename,

394

const char *seckeyfilename){

317

static int init_gnutls_global(mandos_context *mc,

318

const char *pubkeyfile,

319

const char *seckeyfile){

395

320

int ret;

396

321

397

322

if(debug){

399

324

}

400

325

401

326

ret = gnutls_global_init();

402

if(ret != GNUTLS_E_SUCCESS){

403

fprintf(stderr, "GnuTLS global_init: %s\n",

404

safer_gnutls_strerror(ret));

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf (stderr, "GnuTLS global_init: %s\n",

329

safer_gnutls_strerror(ret));

405

330

return -1;

406

331

}

407

332

408

if(debug){

333

if (debug){

409

334

/* "Use a log level over 10 to enable all debugging options."

410

335

* - GnuTLS manual

411

336

414

339

}

415

340

416

341

/* OpenPGP credentials */

417

gnutls_certificate_allocate_credentials(&mc.cred);

418

if(ret != GNUTLS_E_SUCCESS){

419

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

420

from

421

-Wunreachable-code

422

423

safer_gnutls_strerror(ret));

424

gnutls_global_deinit();

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n",

345

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

425

347

return -1;

426

348

}

427

349

428

350

if(debug){

429

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

430

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

431

seckeyfilename);

351

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

352

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

353

seckeyfile);

432

354

}

433

355

434

356

ret = gnutls_certificate_set_openpgp_key_file

435

(mc.cred, pubkeyfilename, seckeyfilename,

436

GNUTLS_OPENPGP_FMT_BASE64);

437

if(ret != GNUTLS_E_SUCCESS){

357

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

358

if (ret != GNUTLS_E_SUCCESS) {

438

359

fprintf(stderr,

439

360

"Error[%d] while reading the OpenPGP key pair ('%s',"

440

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

441

fprintf(stderr, "The GnuTLS error is: %s\n",

361

" '%s')\n", ret, pubkeyfile, seckeyfile);

362

fprintf(stdout, "The GnuTLS error is: %s\n",

442

363

safer_gnutls_strerror(ret));

443

364

goto globalfail;

444

365

}

445

366

446

367

/* GnuTLS server initialization */

447

ret = gnutls_dh_params_init(&mc.dh_params);

448

if(ret != GNUTLS_E_SUCCESS){

449

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

450

" %s\n", safer_gnutls_strerror(ret));

451

goto globalfail;

452

}

453

ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);

454

if(ret != GNUTLS_E_SUCCESS){

455

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

456

safer_gnutls_strerror(ret));

457

goto globalfail;

458

}

459

460

gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);

461

368

ret = gnutls_dh_params_init(&mc->dh_params);

369

if (ret != GNUTLS_E_SUCCESS) {

370

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

371

" %s\n", safer_gnutls_strerror(ret));

372

goto globalfail;

373

}

374

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

375

if (ret != GNUTLS_E_SUCCESS) {

376

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

377

safer_gnutls_strerror(ret));

378

goto globalfail;

379

}

380

381

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

382

462

383

return 0;

463

384

464

385

globalfail:

465

466

gnutls_certificate_free_credentials(mc.cred);

386

387

gnutls_certificate_free_credentials(mc->cred);

467

388

gnutls_global_deinit();

468

gnutls_dh_params_deinit(mc.dh_params);

469

389

return -1;

390

470

391

}

471

392

472

static int init_gnutls_session(gnutls_session_t *session){

393

static int init_gnutls_session(mandos_context *mc,

394

gnutls_session_t *session){

473

395

int ret;

474

396

/* GnuTLS session creation */

475

397

ret = gnutls_init(session, GNUTLS_SERVER);

476

if(ret != GNUTLS_E_SUCCESS){

398

if (ret != GNUTLS_E_SUCCESS){

477

399

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

478

400

safer_gnutls_strerror(ret));

479

401

}

480

402

481

403

{

482

404

const char *err;

483

ret = gnutls_priority_set_direct(*session, mc.priority, &err);

484

if(ret != GNUTLS_E_SUCCESS){

405

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

406

if (ret != GNUTLS_E_SUCCESS) {

485

407

fprintf(stderr, "Syntax error at: %s\n", err);

486

408

fprintf(stderr, "GnuTLS error: %s\n",

487

409

safer_gnutls_strerror(ret));

488

gnutls_deinit(*session);

410

gnutls_deinit (*session);

489

411

return -1;

490

412

}

491

413

}

492

414

493

415

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

494

mc.cred);

495

if(ret != GNUTLS_E_SUCCESS){

416

mc->cred);

417

if (ret != GNUTLS_E_SUCCESS) {

496

418

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

497

419

safer_gnutls_strerror(ret));

498

gnutls_deinit(*session);

420

gnutls_deinit (*session);

499

421

return -1;

500

422

}

501

423

502

424

/* ignore client certificate if any. */

503

gnutls_certificate_server_set_request(*session,

504

GNUTLS_CERT_IGNORE);

425

gnutls_certificate_server_set_request (*session,

426

GNUTLS_CERT_IGNORE);

505

427

506

gnutls_dh_set_prime_bits(*session, mc.dh_bits);

428

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

507

429

508

430

return 0;

509

431

}

515

437

/* Called when a Mandos server is found */

516

438

static int start_mandos_communication(const char *ip, uint16_t port,

517

439

AvahiIfIndex if_index,

518

int af){

440

mandos_context *mc){

519

441

int ret, tcp_sd;

520

ssize_t sret;

521

union {

522

struct sockaddr_in in;

523

struct sockaddr_in6 in6;

524

} to;

442

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

525

443

char *buffer = NULL;

526

444

char *decrypted_buffer;

527

445

size_t buffer_length = 0;

529

447

ssize_t decrypted_buffer_size;

530

448

size_t written;

531

449

int retval = 0;

450

char interface[IF_NAMESIZE];

532

451

gnutls_session_t session;

533

int pf; /* Protocol family */

534

535

switch(af){

536

case AF_INET6:

537

pf = PF_INET6;

538

break;

539

case AF_INET:

540

pf = PF_INET;

541

break;

542

default:

543

fprintf(stderr, "Bad address family: %d\n", af);

544

return -1;

545

}

546

547

ret = init_gnutls_session(&session);

548

if(ret != 0){

452

453

ret = init_gnutls_session (mc, &session);

454

if (ret != 0){

549

455

return -1;

550

456

}

551

457

552

458

if(debug){

553

fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16

459

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

554

460

"\n", ip, port);

555

461

}

556

462

557

tcp_sd = socket(pf, SOCK_STREAM, 0);

558

if(tcp_sd < 0){

463

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

464

if(tcp_sd < 0) {

559

465

perror("socket");

560

466

return -1;

561

467

}

468

469

if(debug){

470

if(if_indextoname((unsigned int)if_index, interface) == NULL){

471

perror("if_indextoname");

472

return -1;

473

}

474

fprintf(stderr, "Binding to interface %s\n", interface);

475

}

562

476

563

memset(&to, 0, sizeof(to));

564

if(af == AF_INET6){

565

to.in6.sin6_family = (uint16_t)af;

566

ret = inet_pton(af, ip, &to.in6.sin6_addr);

567

} else { /* IPv4 */

568

to.in.sin_family = (sa_family_t)af;

569

ret = inet_pton(af, ip, &to.in.sin_addr);

570

}

571

if(ret < 0 ){

477

memset(&to,0,sizeof(to)); /* Spurious warning */

478

to.in6.sin6_family = AF_INET6;

479

/* It would be nice to have a way to detect if we were passed an

480

IPv4 address here. Now we assume an IPv6 address. */

481

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

482

if (ret < 0 ){

572

483

perror("inet_pton");

573

484

return -1;

574

485

}

576

487

fprintf(stderr, "Bad address: %s\n", ip);

577

488

return -1;

578

489

}

579

if(af == AF_INET6){

580

to.in6.sin6_port = htons(port); /* Spurious warnings from

581

-Wconversion and

582

-Wunreachable-code */

583

584

if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */

585

(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and

586

-Wunreachable-code*/

587

if(if_index == AVAHI_IF_UNSPEC){

588

fprintf(stderr, "An IPv6 link-local address is incomplete"

589

" without a network interface\n");

590

return -1;

591

}

592

/* Set the network interface number as scope */

593

to.in6.sin6_scope_id = (uint32_t)if_index;

594

}

595

} else {

596

to.in.sin_port = htons(port); /* Spurious warnings from

597

-Wconversion and

598

-Wunreachable-code */

599

}

490

to.in6.sin6_port = htons(port); /* Spurious warning */

491

492

to.in6.sin6_scope_id = (uint32_t)if_index;

600

493

601

494

if(debug){

602

if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){

603

char interface[IF_NAMESIZE];

604

if(if_indextoname((unsigned int)if_index, interface) == NULL){

605

perror("if_indextoname");

606

} else {

607

fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",

608

ip, interface, port);

609

}

610

} else {

611

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

612

port);

613

}

614

char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?

615

INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";

616

const char *pcret;

617

if(af == AF_INET6){

618

pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,

619

sizeof(addrstr));

620

} else {

621

pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,

622

sizeof(addrstr));

623

}

624

if(pcret == NULL){

495

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

496

port);

497

char addrstr[INET6_ADDRSTRLEN] = "";

498

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

499

sizeof(addrstr)) == NULL){

625

500

perror("inet_ntop");

626

501

} else {

627

502

if(strcmp(addrstr, ip) != 0){

630

505

}

631

506

}

632

507

633

if(af == AF_INET6){

634

ret = connect(tcp_sd, &to.in6, sizeof(to));

635

} else {

636

ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */

637

}

638

if(ret < 0){

508

ret = connect(tcp_sd, &to.in, sizeof(to));

509

if (ret < 0){

639

510

perror("connect");

640

511

return -1;

641

512

}

642

513

643

514

const char *out = mandos_protocol_version;

644

515

written = 0;

645

while(true){

516

while (true){

646

517

size_t out_size = strlen(out);

647

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

518

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

648

519

out_size - written));

649

if(ret == -1){

520

if (ret == -1){

650

521

perror("write");

651

522

retval = -1;

652

523

goto mandos_end;

655

526

if(written < out_size){

656

527

continue;

657

528

} else {

658

if(out == mandos_protocol_version){

529

if (out == mandos_protocol_version){

659

530

written = 0;

660

531

out = "\r\n";

661

532

} else {

663

534

}

664

535

}

665

536

}

666

537

667

538

if(debug){

668

539

fprintf(stderr, "Establishing TLS session with %s\n", ip);

669

540

}

670

541

671

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

672

542

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

543

673

544

do{

674

ret = gnutls_handshake(session);

545

ret = gnutls_handshake (session);

675

546

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

676

547

677

if(ret != GNUTLS_E_SUCCESS){

548

if (ret != GNUTLS_E_SUCCESS){

678

549

if(debug){

679

550

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

680

gnutls_perror(ret);

551

gnutls_perror (ret);

681

552

}

682

553

retval = -1;

683

554

goto mandos_end;

686

557

/* Read OpenPGP packet that contains the wanted password */

687

558

688

559

if(debug){

689

fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",

560

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

690

561

ip);

691

562

}

692

563

693

564

while(true){

694

buffer_capacity = incbuffer(&buffer, buffer_length,

565

buffer_capacity = adjustbuffer(&buffer, buffer_length,

695

566

buffer_capacity);

696

if(buffer_capacity == 0){

697

perror("incbuffer");

567

if (buffer_capacity == 0){

568

perror("adjustbuffer");

698

569

retval = -1;

699

570

goto mandos_end;

700

571

}

701

572

702

sret = gnutls_record_recv(session, buffer+buffer_length,

703

BUFFER_SIZE);

704

if(sret == 0){

573

ret = gnutls_record_recv(session, buffer+buffer_length,

574

BUFFER_SIZE);

575

if (ret == 0){

705

576

break;

706

577

}

707

if(sret < 0){

708

switch(sret){

578

if (ret < 0){

579

switch(ret){

709

580

case GNUTLS_E_INTERRUPTED:

710

581

case GNUTLS_E_AGAIN:

711

582

break;

712

583

case GNUTLS_E_REHANDSHAKE:

713

584

do{

714

ret = gnutls_handshake(session);

585

ret = gnutls_handshake (session);

715

586

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

716

if(ret < 0){

587

if (ret < 0){

717

588

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

718

gnutls_perror(ret);

589

gnutls_perror (ret);

719

590

retval = -1;

720

591

goto mandos_end;

721

592

}

724

595

fprintf(stderr, "Unknown error while reading data from"

725

596

" encrypted session with Mandos server\n");

726

597

retval = -1;

727

gnutls_bye(session, GNUTLS_SHUT_RDWR);

598

gnutls_bye (session, GNUTLS_SHUT_RDWR);

728

599

goto mandos_end;

729

600

}

730

601

} else {

731

buffer_length += (size_t) sret;

602

buffer_length += (size_t) ret;

732

603

}

733

604

}

734

605

736

607

fprintf(stderr, "Closing TLS session\n");

737

608

}

738

609

739

gnutls_bye(session, GNUTLS_SHUT_RDWR);

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

740

611

741

if(buffer_length > 0){

612

if (buffer_length > 0){

742

613

decrypted_buffer_size = pgp_packet_decrypt(buffer,

743

614

buffer_length,

744

&decrypted_buffer);

745

if(decrypted_buffer_size >= 0){

615

&decrypted_buffer,

616

keydir);

617

if (decrypted_buffer_size >= 0){

746

618

written = 0;

747

619

while(written < (size_t) decrypted_buffer_size){

748

ret = (int)fwrite(decrypted_buffer + written, 1,

749

(size_t)decrypted_buffer_size - written,

750

stdout);

620

ret = (int)fwrite (decrypted_buffer + written, 1,

621

(size_t)decrypted_buffer_size - written,

622

stdout);

751

623

if(ret == 0 and ferror(stdout)){

752

624

if(debug){

753

625

fprintf(stderr, "Error writing encrypted data: %s\n",

762

634

} else {

763

635

retval = -1;

764

636

}

765

} else {

766

retval = -1;

767

637

}

768

638

769

639

/* Shutdown procedure */

770

640

771

641

mandos_end:

772

642

free(buffer);

773

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

774

if(ret == -1){

775

perror("close");

776

}

777

gnutls_deinit(session);

643

close(tcp_sd);

644

gnutls_deinit (session);

778

645

return retval;

779

646

}

780

647

781

648

static void resolve_callback(AvahiSServiceResolver *r,

782

649

AvahiIfIndex interface,

783

AvahiProtocol proto,

650

AVAHI_GCC_UNUSED AvahiProtocol protocol,

784

651

AvahiResolverEvent event,

785

652

const char *name,

786

653

const char *type,

791

658

AVAHI_GCC_UNUSED AvahiStringList *txt,

792

659

AVAHI_GCC_UNUSED AvahiLookupResultFlags

793

660

flags,

794

AVAHI_GCC_UNUSED void* userdata){

795

assert(r);

661

void* userdata) {

662

mandos_context *mc = userdata;

663

assert(r); /* Spurious warning */

796

664

797

665

/* Called whenever a service has been resolved successfully or

798

666

timed out */

799

667

800

switch(event){

668

switch (event) {

801

669

default:

802

670

case AVAHI_RESOLVER_FAILURE:

803

671

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

804

672

" of type '%s' in domain '%s': %s\n", name, type, domain,

805

avahi_strerror(avahi_server_errno(mc.server)));

673

avahi_strerror(avahi_server_errno(mc->server)));

806

674

break;

807

675

808

676

case AVAHI_RESOLVER_FOUND:

811

679

avahi_address_snprint(ip, sizeof(ip), address);

812

680

if(debug){

813

681

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

814

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

815

ip, (intmax_t)interface, port);

682

PRIu16 ") on port %d\n", name, host_name, ip,

683

interface, port);

816

684

}

817

int ret = start_mandos_communication(ip, port, interface,

818

avahi_proto_to_af(proto));

819

if(ret == 0){

820

avahi_simple_poll_quit(mc.simple_poll);

685

int ret = start_mandos_communication(ip, port, interface, mc);

686

if (ret == 0){

687

exit(EXIT_SUCCESS);

821

688

}

822

689

}

823

690

}

824

691

avahi_s_service_resolver_free(r);

825

692

}

826

693

827

static void browse_callback(AvahiSServiceBrowser *b,

828

AvahiIfIndex interface,

829

AvahiProtocol protocol,

830

AvahiBrowserEvent event,

831

const char *name,

832

const char *type,

833

const char *domain,

834

AVAHI_GCC_UNUSED AvahiLookupResultFlags

835

flags,

836

AVAHI_GCC_UNUSED void* userdata){

837

assert(b);

694

static void browse_callback( AvahiSServiceBrowser *b,

695

AvahiIfIndex interface,

696

AvahiProtocol protocol,

697

AvahiBrowserEvent event,

698

const char *name,

699

const char *type,

700

const char *domain,

701

AVAHI_GCC_UNUSED AvahiLookupResultFlags

702

flags,

703

void* userdata) {

704

mandos_context *mc = userdata;

705

assert(b); /* Spurious warning */

838

706

839

707

/* Called whenever a new services becomes available on the LAN or

840

708

is removed from the LAN */

841

709

842

switch(event){

710

switch (event) {

843

711

default:

844

712

case AVAHI_BROWSER_FAILURE:

845

713

846

714

fprintf(stderr, "(Avahi browser) %s\n",

847

avahi_strerror(avahi_server_errno(mc.server)));

848

avahi_simple_poll_quit(mc.simple_poll);

715

avahi_strerror(avahi_server_errno(mc->server)));

716

avahi_simple_poll_quit(mc->simple_poll);

849

717

return;

850

718

851

719

case AVAHI_BROWSER_NEW:

854

722

the callback function is called the Avahi server will free the

855

723

resolver for us. */

856

724

857

if(!(avahi_s_service_resolver_new(mc.server, interface,

725

if (!(avahi_s_service_resolver_new(mc->server, interface,

858

726

protocol, name, type, domain,

859

727

AVAHI_PROTO_INET6, 0,

860

resolve_callback, NULL)))

728

resolve_callback, mc)))

861

729

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

862

name, avahi_strerror(avahi_server_errno(mc.server)));

730

name, avahi_strerror(avahi_server_errno(mc->server)));

863

731

break;

864

732

865

733

case AVAHI_BROWSER_REMOVE:

874

742

}

875

743

}

876

744

877

sig_atomic_t quit_now = 0;

878

879

/* stop main loop after sigterm has been called */

880

static void handle_sigterm(__attribute__((unused)) int sig){

881

if(quit_now){

882

return;

883

}

884

quit_now = 1;

885

int old_errno = errno;

886

if(mc.simple_poll != NULL){

887

avahi_simple_poll_quit(mc.simple_poll);

888

}

889

errno = old_errno;

745

/* Combines file name and path and returns the malloced new

746

string. some sane checks could/should be added */

747

static const char *combinepath(const char *first, const char *second){

748

size_t f_len = strlen(first);

749

size_t s_len = strlen(second);

750

char *tmp = malloc(f_len + s_len + 2);

751

if (tmp == NULL){

752

return NULL;

753

}

754

if(f_len > 0){

755

memcpy(tmp, first, f_len); /* Spurious warning */

756

}

757

tmp[f_len] = '/';

758

if(s_len > 0){

759

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

760

}

761

tmp[f_len + 1 + s_len] = '\0';

762

return tmp;

890

763

}

891

764

765

892

766

int main(int argc, char *argv[]){

893

AvahiSServiceBrowser *sb = NULL;

894

int error;

895

int ret;

896

intmax_t tmpmax;

897

char *tmp;

898

int exitcode = EXIT_SUCCESS;

899

const char *interface = "eth0";

900

struct ifreq network;

901

int sd;

902

uid_t uid;

903

gid_t gid;

904

char *connect_to = NULL;

905

char tempdir[] = "/tmp/mandosXXXXXX";

906

bool tempdir_created = false;

907

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

908

const char *seckey = PATHDIR "/" SECKEY;

909

const char *pubkey = PATHDIR "/" PUBKEY;

910

911

/* Initialize Mandos context */

912

mc = (mandos_context){ .simple_poll = NULL, .server = NULL,

913

.dh_bits = 1024, .priority = "SECURE256"

914

":!CTYPE-X.509:+CTYPE-OPENPGP" };

915

bool gnutls_initialized = false;

916

bool gpgme_initialized = false;

917

float delay = 2.5f;

918

919

struct sigaction old_sigterm_action;

920

struct sigaction sigterm_action = { .sa_handler = handle_sigterm };

921

922

{

923

struct argp_option options[] = {

924

{ .name = "debug", .key = 128,

925

.doc = "Debug mode", .group = 3 },

926

{ .name = "connect", .key = 'c',

927

.arg = "ADDRESS:PORT",

928

.doc = "Connect directly to a specific Mandos server",

929

.group = 1 },

930

{ .name = "interface", .key = 'i',

931

.arg = "NAME",

932

.doc = "Network interface that will be used to search for"

933

" Mandos servers",

934

.group = 1 },

935

{ .name = "seckey", .key = 's',

936

.arg = "FILE",

937

.doc = "OpenPGP secret key file base name",

938

.group = 1 },

939

{ .name = "pubkey", .key = 'p',

940

.arg = "FILE",

941

.doc = "OpenPGP public key file base name",

942

.group = 2 },

943

{ .name = "dh-bits", .key = 129,

944

.arg = "BITS",

945

.doc = "Bit length of the prime number used in the"

946

" Diffie-Hellman key exchange",

947

.group = 2 },

948

{ .name = "priority", .key = 130,

949

.arg = "STRING",

950

.doc = "GnuTLS priority string for the TLS handshake",

951

.group = 1 },

952

{ .name = "delay", .key = 131,

953

.arg = "SECONDS",

954

.doc = "Maximum delay to wait for interface startup",

955

.group = 2 },

956

{ .name = NULL }

957

};

958

959

error_t parse_opt(int key, char *arg,

960

struct argp_state *state){

961

switch(key){

962

case 128: /* --debug */

963

debug = true;

964

break;

965

case 'c': /* --connect */

966

connect_to = arg;

967

break;

968

case 'i': /* --interface */

969

interface = arg;

970

break;

971

case 's': /* --seckey */

972

seckey = arg;

973

break;

974

case 'p': /* --pubkey */

975

pubkey = arg;

976

break;

977

case 129: /* --dh-bits */

978

errno = 0;

979

tmpmax = strtoimax(arg, &tmp, 10);

980

if(errno != 0 or tmp == arg or *tmp != '\0'

981

or tmpmax != (typeof(mc.dh_bits))tmpmax){

982

fprintf(stderr, "Bad number of DH bits\n");

983

exit(EXIT_FAILURE);

984

}

985

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

986

break;

987

case 130: /* --priority */

988

mc.priority = arg;

989

break;

990

case 131: /* --delay */

991

errno = 0;

992

delay = strtof(arg, &tmp);

993

if(errno != 0 or tmp == arg or *tmp != '\0'){

994

fprintf(stderr, "Bad delay\n");

995

exit(EXIT_FAILURE);

996

}

997

break;

998

case ARGP_KEY_ARG:

999

argp_usage(state);

1000

case ARGP_KEY_END:

1001

break;

1002

default:

1003

return ARGP_ERR_UNKNOWN;

1004

}

1005

return 0;

1006

}

1007

1008

struct argp argp = { .options = options, .parser = parse_opt,

1009

.args_doc = "",

1010

.doc = "Mandos client -- Get and decrypt"

1011

" passwords from a Mandos server" };

1012

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

1013

if(ret == ARGP_ERR_UNKNOWN){

1014

fprintf(stderr, "Unknown error while parsing arguments\n");

1015

exitcode = EXIT_FAILURE;

1016

goto end;

1017

}

1018

}

1019

1020

if(not debug){

1021

avahi_set_log_function(empty_log);

1022

}

1023

1024

/* Initialize Avahi early so avahi_simple_poll_quit() can be called

1025

from the signal handler */

1026

/* Initialize the pseudo-RNG for Avahi */

1027

srand((unsigned int) time(NULL));

1028

mc.simple_poll = avahi_simple_poll_new();

1029

if(mc.simple_poll == NULL){

1030

fprintf(stderr, "Avahi: Failed to create simple poll object.\n");

1031

exitcode = EXIT_FAILURE;

1032

goto end;

1033

}

1034

1035

sigemptyset(&sigterm_action.sa_mask);

1036

ret = sigaddset(&sigterm_action.sa_mask, SIGINT);

1037

if(ret == -1){

1038

perror("sigaddset");

1039

exitcode = EXIT_FAILURE;

1040

goto end;

1041

}

1042

ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);

1043

if(ret == -1){

1044

perror("sigaddset");

1045

exitcode = EXIT_FAILURE;

1046

goto end;

1047

}

1048

ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);

1049

if(ret == -1){

1050

perror("sigaddset");

1051

exitcode = EXIT_FAILURE;

1052

goto end;

1053

}

1054

ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);

1055

if(ret == -1){

1056

perror("sigaction");

1057

exitcode = EXIT_FAILURE;

1058

goto end;

1059

}

1060

1061

/* If the interface is down, bring it up */

1062

if(interface[0] != '\0'){

1063

#ifdef __linux__

1064

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1065

messages to mess up the prompt */

1066

ret = klogctl(8, NULL, 5);

1067

bool restore_loglevel = true;

1068

if(ret == -1){

1069

restore_loglevel = false;

1070

perror("klogctl");

1071

}

1072

#endif /* __linux__ */

1073

1074

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1075

if(sd < 0){

1076

perror("socket");

1077

exitcode = EXIT_FAILURE;

1078

#ifdef __linux__

1079

if(restore_loglevel){

1080

ret = klogctl(7, NULL, 0);

1081

if(ret == -1){

1082

perror("klogctl");

1083

}

1084

}

1085

#endif /* __linux__ */

1086

goto end;

1087

}

1088

strcpy(network.ifr_name, interface);

1089

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1090

if(ret == -1){

1091

perror("ioctl SIOCGIFFLAGS");

1092

#ifdef __linux__

1093

if(restore_loglevel){

1094

ret = klogctl(7, NULL, 0);

1095

if(ret == -1){

1096

perror("klogctl");

1097

}

1098

}

1099

#endif /* __linux__ */

1100

exitcode = EXIT_FAILURE;

1101

goto end;

1102

}

1103

if((network.ifr_flags & IFF_UP) == 0){

1104

network.ifr_flags |= IFF_UP;

1105

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1106

if(ret == -1){

1107

perror("ioctl SIOCSIFFLAGS");

767

AvahiSServiceBrowser *sb = NULL;

768

int error;

769

int ret;

770

int exitcode = EXIT_SUCCESS;

771

const char *interface = "eth0";

772

struct ifreq network;

773

int sd;

774

uid_t uid;

775

gid_t gid;

776

char *connect_to = NULL;

777

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

778

const char *pubkeyfile = "pubkey.txt";

779

const char *seckeyfile = "seckey.txt";

780

mandos_context mc = { .simple_poll = NULL, .server = NULL,

781

.dh_bits = 1024, .priority = "SECURE256"};

782

bool gnutls_initalized = false;

783

784

{

785

struct argp_option options[] = {

786

{ .name = "debug", .key = 128,

787

.doc = "Debug mode", .group = 3 },

788

{ .name = "connect", .key = 'c',

789

.arg = "IP",

790

.doc = "Connect directly to a sepcified mandos server",

791

.group = 1 },

792

{ .name = "interface", .key = 'i',

793

.arg = "INTERFACE",

794

.doc = "Interface that Avahi will conntect through",

795

.group = 1 },

796

{ .name = "keydir", .key = 'd',

797

.arg = "KEYDIR",

798

.doc = "Directory where the openpgp keyring is",

799

.group = 1 },

800

{ .name = "seckey", .key = 's',

801

.arg = "SECKEY",

802

.doc = "Secret openpgp key for gnutls authentication",

803

.group = 1 },

804

{ .name = "pubkey", .key = 'p',

805

.arg = "PUBKEY",

806

.doc = "Public openpgp key for gnutls authentication",

807

.group = 2 },

808

{ .name = "dh-bits", .key = 129,

809

.arg = "BITS",

810

.doc = "dh-bits to use in gnutls communication",

811

.group = 2 },

812

{ .name = "priority", .key = 130,

813

.arg = "PRIORITY",

814

.doc = "GNUTLS priority", .group = 1 },

815

{ .name = NULL }

816

};

817

818

819

error_t parse_opt (int key, char *arg,

820

struct argp_state *state) {

821

/* Get the INPUT argument from `argp_parse', which we know is

822

a pointer to our plugin list pointer. */

823

switch (key) {

824

case 128:

825

debug = true;

826

break;

827

case 'c':

828

connect_to = arg;

829

break;

830

case 'i':

831

interface = arg;

832

break;

833

case 'd':

834

keydir = arg;

835

break;

836

case 's':

837

seckeyfile = arg;

838

break;

839

case 'p':

840

pubkeyfile = arg;

841

break;

842

case 129:

843

errno = 0;

844

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

845

if (errno){

846

perror("strtol");

847

exit(EXIT_FAILURE);

848

}

849

break;

850

case 130:

851

mc.priority = arg;

852

break;

853

case ARGP_KEY_ARG:

854

argp_usage (state);

855

break;

856

case ARGP_KEY_END:

857

break;

858

default:

859

return ARGP_ERR_UNKNOWN;

860

}

861

return 0;

862

}

863

864

struct argp argp = { .options = options, .parser = parse_opt,

865

.args_doc = "",

866

.doc = "Mandos client -- Get and decrypt"

867

" passwords from mandos server" };

868

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

869

if (ret == ARGP_ERR_UNKNOWN){

870

fprintf(stderr, "Unkown error while parsing arguments\n");

1108

871

exitcode = EXIT_FAILURE;

1109

#ifdef __linux__

1110

if(restore_loglevel){

1111

ret = klogctl(7, NULL, 0);

1112

if(ret == -1){

1113

perror("klogctl");

1114

}

1115

}

1116

#endif /* __linux__ */

1117

872

goto end;

1118

873

}

1119

874

}

1120

/* sleep checking until interface is running */

1121

for(int i=0; i < delay * 4; i++){

1122

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1123

if(ret == -1){

1124

perror("ioctl SIOCGIFFLAGS");

1125

} else if(network.ifr_flags & IFF_RUNNING){

1126

break;

1127

}

1128

struct timespec sleeptime = { .tv_nsec = 250000000 };

1129

ret = nanosleep(&sleeptime, NULL);

1130

if(ret == -1 and errno != EINTR){

1131

perror("nanosleep");

1132

}

1133

}

1134

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1135

if(ret == -1){

1136

perror("close");

1137

}

1138

#ifdef __linux__

1139

if(restore_loglevel){

1140

/* Restores kernel loglevel to default */

1141

ret = klogctl(7, NULL, 0);

1142

if(ret == -1){

1143

perror("klogctl");

1144

}

1145

}

1146

#endif /* __linux__ */

1147

}

1148

1149

uid = getuid();

1150

gid = getgid();

1151

1152

errno = 0;

1153

setgid(gid);

1154

if(ret == -1){

1155

perror("setgid");

1156

}

1157

1158

ret = setuid(uid);

1159

if(ret == -1){

1160

perror("setuid");

1161

}

1162

1163

ret = init_gnutls_global(pubkey, seckey);

1164

if(ret == -1){

1165

fprintf(stderr, "init_gnutls_global failed\n");

1166

exitcode = EXIT_FAILURE;

1167

goto end;

1168

} else {

1169

gnutls_initialized = true;

1170

}

1171

1172

if(mkdtemp(tempdir) == NULL){

1173

perror("mkdtemp");

1174

goto end;

1175

}

1176

tempdir_created = true;

1177

1178

if(not init_gpgme(pubkey, seckey, tempdir)){

1179

fprintf(stderr, "init_gpgme failed\n");

1180

exitcode = EXIT_FAILURE;

1181

goto end;

1182

} else {

1183

gpgme_initialized = true;

1184

}

1185

1186

if(interface[0] != '\0'){

875

876

pubkeyfile = combinepath(keydir, pubkeyfile);

877

if (pubkeyfile == NULL){

878

perror("combinepath");

879

exitcode = EXIT_FAILURE;

880

goto end;

881

}

882

883

seckeyfile = combinepath(keydir, seckeyfile);

884

if (seckeyfile == NULL){

885

perror("combinepath");

886

goto end;

887

}

888

889

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

890

if (ret == -1){

891

fprintf(stderr, "init_gnutls_global\n");

892

goto end;

893

} else {

894

gnutls_initalized = true;

895

}

896

897

uid = getuid();

898

gid = getgid();

899

900

ret = setuid(uid);

901

if (ret == -1){

902

perror("setuid");

903

}

904

905

setgid(gid);

906

if (ret == -1){

907

perror("setgid");

908

}

909

1187

910

if_index = (AvahiIfIndex) if_nametoindex(interface);

1188

911

if(if_index == 0){

1189

912

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1190

exitcode = EXIT_FAILURE;

1191

goto end;

1192

}

1193

}

1194

1195

if(connect_to != NULL){

1196

/* Connect directly, do not use Zeroconf */

1197

/* (Mainly meant for debugging) */

1198

char *address = strrchr(connect_to, ':');

1199

if(address == NULL){

1200

fprintf(stderr, "No colon in address\n");

1201

exitcode = EXIT_FAILURE;

1202

goto end;

1203

}

1204

uint16_t port;

1205

errno = 0;

1206

tmpmax = strtoimax(address+1, &tmp, 10);

1207

if(errno != 0 or tmp == address+1 or *tmp != '\0'

1208

or tmpmax != (uint16_t)tmpmax){

1209

fprintf(stderr, "Bad port number\n");

1210

exitcode = EXIT_FAILURE;

1211

goto end;

1212

}

1213

port = (uint16_t)tmpmax;

1214

*address = '\0';

1215

address = connect_to;

1216

/* Colon in address indicates IPv6 */

1217

int af;

1218

if(strchr(address, ':') != NULL){

1219

af = AF_INET6;

1220

} else {

1221

af = AF_INET;

1222

}

1223

ret = start_mandos_communication(address, port, if_index, af);

1224

if(ret < 0){

1225

exitcode = EXIT_FAILURE;

1226

} else {

1227

exitcode = EXIT_SUCCESS;

1228

}

1229

goto end;

1230

}

1231

1232

{

1233

AvahiServerConfig config;

1234

/* Do not publish any local Zeroconf records */

1235

avahi_server_config_init(&config);

1236

config.publish_hinfo = 0;

1237

config.publish_addresses = 0;

1238

config.publish_workstation = 0;

1239

config.publish_domain = 0;

1240

1241

/* Allocate a new server */

1242

mc.server = avahi_server_new(avahi_simple_poll_get

1243

(mc.simple_poll), &config, NULL,

1244

NULL, &error);

1245

1246

/* Free the Avahi configuration data */

1247

avahi_server_config_free(&config);

1248

}

1249

1250

/* Check if creating the Avahi server object succeeded */

1251

if(mc.server == NULL){

1252

fprintf(stderr, "Failed to create Avahi server: %s\n",

1253

avahi_strerror(error));

1254

exitcode = EXIT_FAILURE;

1255

goto end;

1256

}

1257

1258

/* Create the Avahi service browser */

1259

sb = avahi_s_service_browser_new(mc.server, if_index,

1260

AVAHI_PROTO_INET6, "_mandos._tcp",

1261

NULL, 0, browse_callback, NULL);

1262

if(sb == NULL){

1263

fprintf(stderr, "Failed to create service browser: %s\n",

1264

avahi_strerror(avahi_server_errno(mc.server)));

1265

exitcode = EXIT_FAILURE;

1266

goto end;

1267

}

1268

1269

/* Run the main loop */

1270

1271

if(debug){

1272

fprintf(stderr, "Starting Avahi loop search\n");

1273

}

1274

1275

avahi_simple_poll_loop(mc.simple_poll);

1276

913

exit(EXIT_FAILURE);

914

}

915

916

if(connect_to != NULL){

917

/* Connect directly, do not use Zeroconf */

918

/* (Mainly meant for debugging) */

919

char *address = strrchr(connect_to, ':');

920

if(address == NULL){

921

fprintf(stderr, "No colon in address\n");

922

exitcode = EXIT_FAILURE;

923

goto end;

924

}

925

errno = 0;

926

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

927

if(errno){

928

perror("Bad port number");

929

exitcode = EXIT_FAILURE;

930

goto end;

931

}

932

*address = '\0';

933

address = connect_to;

934

ret = start_mandos_communication(address, port, if_index, &mc);

935

if(ret < 0){

936

exitcode = EXIT_FAILURE;

937

} else {

938

exitcode = EXIT_SUCCESS;

939

}

940

goto end;

941

}

942

943

/* If the interface is down, bring it up */

944

{

945

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

946

if(sd < 0) {

947

perror("socket");

948

exitcode = EXIT_FAILURE;

949

goto end;

950

}

951

strcpy(network.ifr_name, interface); /* Spurious warning */

952

ret = ioctl(sd, SIOCGIFFLAGS, &network);

953

if(ret == -1){

954

perror("ioctl SIOCGIFFLAGS");

955

exitcode = EXIT_FAILURE;

956

goto end;

957

}

958

if((network.ifr_flags & IFF_UP) == 0){

959

network.ifr_flags |= IFF_UP;

960

ret = ioctl(sd, SIOCSIFFLAGS, &network);

961

if(ret == -1){

962

perror("ioctl SIOCSIFFLAGS");

963

exitcode = EXIT_FAILURE;

964

goto end;

965

}

966

}

967

close(sd);

968

}

969

970

if (not debug){

971

avahi_set_log_function(empty_log);

972

}

973

974

/* Initialize the pseudo-RNG for Avahi */

975

srand((unsigned int) time(NULL));

976

977

/* Allocate main Avahi loop object */

978

mc.simple_poll = avahi_simple_poll_new();

979

if (mc.simple_poll == NULL) {

980

fprintf(stderr, "Avahi: Failed to create simple poll"

981

" object.\n");

982

exitcode = EXIT_FAILURE;

983

goto end;

984

}

985

986

{

987

AvahiServerConfig config;

988

/* Do not publish any local Zeroconf records */

989

avahi_server_config_init(&config);

990

config.publish_hinfo = 0;

991

config.publish_addresses = 0;

992

config.publish_workstation = 0;

993

config.publish_domain = 0;

994

995

/* Allocate a new server */

996

mc.server = avahi_server_new(avahi_simple_poll_get

997

(mc.simple_poll), &config, NULL,

998

NULL, &error);

999

1000

/* Free the Avahi configuration data */

1001

avahi_server_config_free(&config);

1002

}

1003

1004

/* Check if creating the Avahi server object succeeded */

1005

if (mc.server == NULL) {

1006

fprintf(stderr, "Failed to create Avahi server: %s\n",

1007

avahi_strerror(error));

1008

exitcode = EXIT_FAILURE;

1009

goto end;

1010

}

1011

1012

/* Create the Avahi service browser */

1013

sb = avahi_s_service_browser_new(mc.server, if_index,

1014

AVAHI_PROTO_INET6,

1015

"_mandos._tcp", NULL, 0,

1016

browse_callback, &mc);

1017

if (sb == NULL) {

1018

fprintf(stderr, "Failed to create service browser: %s\n",

1019

avahi_strerror(avahi_server_errno(mc.server)));

1020

exitcode = EXIT_FAILURE;

1021

goto end;

1022

}

1023

1024

/* Run the main loop */

1025

1026

if (debug){

1027

fprintf(stderr, "Starting Avahi loop search\n");

1028

}

1029

1030

avahi_simple_poll_loop(mc.simple_poll);

1031

1277

1032

end:

1278

1279

if(debug){

1280

fprintf(stderr, "%s exiting\n", argv[0]);

1281

}

1282

1283

/* Cleanup things */

1284

if(sb != NULL)

1285

avahi_s_service_browser_free(sb);

1286

1287

if(mc.server != NULL)

1288

avahi_server_free(mc.server);

1289

1290

if(mc.simple_poll != NULL)

1291

avahi_simple_poll_free(mc.simple_poll);

1292

1293

if(gnutls_initialized){

1294

gnutls_certificate_free_credentials(mc.cred);

1295

gnutls_global_deinit();

1296

gnutls_dh_params_deinit(mc.dh_params);

1297

}

1298

1299

if(gpgme_initialized){

1300

gpgme_release(mc.ctx);

1301

}

1302

1303

/* Removes the temp directory used by GPGME */

1304

if(tempdir_created){

1305

DIR *d;

1306

struct dirent *direntry;

1307

d = opendir(tempdir);

1308

if(d == NULL){

1309

if(errno != ENOENT){

1310

perror("opendir");

1311

}

1312

} else {

1313

while(true){

1314

direntry = readdir(d);

1315

if(direntry == NULL){

1316

break;

1317

}

1318

/* Skip "." and ".." */

1319

if(direntry->d_name[0] == '.'

1320

and (direntry->d_name[1] == '\0'

1321

or (direntry->d_name[1] == '.'

1322

and direntry->d_name[2] == '\0'))){

1323

continue;

1324

}

1325

char *fullname = NULL;

1326

ret = asprintf(&fullname, "%s/%s", tempdir,

1327

direntry->d_name);

1328

if(ret < 0){

1329

perror("asprintf");

1330

continue;

1331

}

1332

ret = remove(fullname);

1333

if(ret == -1){

1334

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1335

strerror(errno));

1336

}

1337

free(fullname);

1338

}

1339

closedir(d);

1340

}

1341

ret = rmdir(tempdir);

1342

if(ret == -1 and errno != ENOENT){

1343

perror("rmdir");

1344

}

1345

}

1346

1347

return exitcode;

1033

1034

if (debug){

1035

fprintf(stderr, "%s exiting\n", argv[0]);

1036

}

1037

1038

/* Cleanup things */

1039

if (sb != NULL)

1040

avahi_s_service_browser_free(sb);

1041

1042

if (mc.server != NULL)

1043

avahi_server_free(mc.server);

1044

1045

if (mc.simple_poll != NULL)

1046

avahi_simple_poll_free(mc.simple_poll);

1047

free(pubkeyfile);

1048

free(seckeyfile);

1049

1050

if (gnutls_initalized){

1051

gnutls_certificate_free_credentials(mc.cred);

1052

gnutls_global_deinit ();

1053

}

1054

1055

return exitcode;

1348

1056

}

Older »