To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.16.5
- compare with another revision
- download diff
- download tarball
- view history from revision 237.16.5
- Committer: teddy at bsnet
- Date: 2011-11-12 18:04:35 UTC
- mto: (237.15.5 mandos-client-network-hooks)
- mto: This revision was merged to the branch mainline in revision 290.
- Revision ID: teddy@fukt.bsnet.se-20111112180435-kdui7a6o7jfpgz9r
* plugins.d/mandos-client.c (SYNOPSIS, OPTIONS): Document
"--network-hook-dir"
option.
"--network-hook-dir"
option.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008-2011 Teddy Hogeborn
13
* Copyright © 2008-2011 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
29
* Contact the authors at <mandos@recompile.se>.
29
30
*/
30
31
31
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
32
34
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
33
37
#define _FILE_OFFSET_BITS 64
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open(), S_ISREG */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno,
66
program_invocation_short_name */
67
#include <time.h> /* nanosleep(), time(), sleep() */
68
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
69
SIOCSIFFLAGS, if_indextoname(),
70
if_nametoindex(), IF_NAMESIZE */
71
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
72
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
73
*/
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
getuid(), getgid(), seteuid(),
76
setgid(), pause() */
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
78
#include <iso646.h> /* not, or, and */
79
#include <argp.h> /* struct argp_option, error_t, struct
80
argp_state, struct argp,
81
argp_parse(), ARGP_KEY_ARG,
82
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
83
#include <signal.h> /* sigemptyset(), sigaddset(),
84
sigaction(), SIGTERM, sig_atomic_t,
85
raise() */
86
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
87
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
88
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
89
WEXITSTATUS(), WTERMSIG() */
90
91
#ifdef __linux__
92
#include <sys/klog.h> /* klogctl() */
93
#endif /* __linux__ */
94
95
/* Avahi */
96
/* All Avahi types, constants and functions
97
Avahi*, avahi_*,
98
AVAHI_* */
41
99
#include <avahi-core/core.h>
42
100
#include <avahi-core/lookup.h>
43
101
#include <avahi-core/log.h>
45
103
#include <avahi-common/malloc.h>
46
104
#include <avahi-common/error.h>
47
105
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt long
67
#include <getopt.h>
106
/* GnuTLS */
107
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
108
functions:
109
gnutls_*
110
init_gnutls_session(),
111
GNUTLS_* */
112
#include <gnutls/openpgp.h>
113
/* gnutls_certificate_set_openpgp_key_file(),
114
GNUTLS_OPENPGP_FMT_BASE64 */
115
116
/* GPGME */
117
#include <gpgme.h> /* All GPGME types, constants and
118
functions:
119
gpgme_*
120
GPGME_PROTOCOL_OpenPGP,
121
GPG_ERR_NO_* */
68
122
69
123
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
71
124
72
const char *certdir = "/conf/conf.d/cryptkeyreq/";
73
const char *certfile = "openpgp-client.txt";
74
const char *certkey = "openpgp-client-key.txt";
125
#define PATHDIR "/conf/conf.d/mandos"
126
#define SECKEY "seckey.txt"
127
#define PUBKEY "pubkey.txt"
128
#define HOOKDIR "/lib/mandos/network-hooks.d"
75
129
76
130
bool debug = false;
77
131
static const char mandos_protocol_version[] = "1";
132
const char *argp_program_version = "mandos-client " VERSION;
133
const char *argp_program_bug_address = "<mandos@recompile.se>";
134
static const char sys_class_net[] = "/sys/class/net";
135
char *connect_to = NULL;
136
const char *hookdir = HOOKDIR;
137
138
/* Doubly linked list that need to be circularly linked when used */
139
typedef struct server{
140
const char *ip;
141
uint16_t port;
142
AvahiIfIndex if_index;
143
int af;
144
struct timespec last_seen;
145
struct server *next;
146
struct server *prev;
147
} server;
148
149
/* Used for passing in values through the Avahi callback functions */
78
150
typedef struct {
79
gnutls_session_t session;
151
AvahiSimplePoll *simple_poll;
152
AvahiServer *server;
80
153
gnutls_certificate_credentials_t cred;
154
unsigned int dh_bits;
81
155
gnutls_dh_params_t dh_params;
82
} encrypted_session;
83
84
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
87
gpgme_data_t dh_crypto, dh_plain;
156
const char *priority;
88
157
gpgme_ctx_t ctx;
158
server *current_server;
159
} mandos_context;
160
161
/* global context so signal handler can reach it*/
162
mandos_context mc = { .simple_poll = NULL, .server = NULL,
163
.dh_bits = 1024, .priority = "SECURE256"
164
":!CTYPE-X.509:+CTYPE-OPENPGP",
165
.current_server = NULL };
166
167
sig_atomic_t quit_now = 0;
168
int signal_received = 0;
169
170
/* Function to use when printing errors */
171
void perror_plus(const char *print_text){
172
fprintf(stderr, "Mandos plugin %s: ",
173
program_invocation_short_name);
174
perror(print_text);
175
}
176
177
/*
178
* Make additional room in "buffer" for at least BUFFER_SIZE more
179
* bytes. "buffer_capacity" is how much is currently allocated,
180
* "buffer_length" is how much is already used.
181
*/
182
size_t incbuffer(char **buffer, size_t buffer_length,
183
size_t buffer_capacity){
184
if(buffer_length + BUFFER_SIZE > buffer_capacity){
185
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
186
if(buffer == NULL){
187
return 0;
188
}
189
buffer_capacity += BUFFER_SIZE;
190
}
191
return buffer_capacity;
192
}
193
194
/* Add server to set of servers to retry periodically */
195
int add_server(const char *ip, uint16_t port,
196
AvahiIfIndex if_index,
197
int af){
198
int ret;
199
server *new_server = malloc(sizeof(server));
200
if(new_server == NULL){
201
perror_plus("malloc");
202
return -1;
203
}
204
*new_server = (server){ .ip = strdup(ip),
205
.port = port,
206
.if_index = if_index,
207
.af = af };
208
if(new_server->ip == NULL){
209
perror_plus("strdup");
210
return -1;
211
}
212
/* Special case of first server */
213
if (mc.current_server == NULL){
214
new_server->next = new_server;
215
new_server->prev = new_server;
216
mc.current_server = new_server;
217
/* Place the new server last in the list */
218
} else {
219
new_server->next = mc.current_server;
220
new_server->prev = mc.current_server->prev;
221
new_server->prev->next = new_server;
222
mc.current_server->prev = new_server;
223
}
224
ret = clock_gettime(CLOCK_MONOTONIC, &mc.current_server->last_seen);
225
if(ret == -1){
226
perror_plus("clock_gettime");
227
return -1;
228
}
229
return 0;
230
}
231
232
/*
233
* Initialize GPGME.
234
*/
235
static bool init_gpgme(const char *seckey,
236
const char *pubkey, const char *tempdir){
89
237
gpgme_error_t rc;
90
ssize_t ret;
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
93
238
gpgme_engine_info_t engine_info;
94
95
if (debug){
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
239
240
241
/*
242
* Helper function to insert pub and seckey to the engine keyring.
243
*/
244
bool import_key(const char *filename){
245
int ret;
246
int fd;
247
gpgme_data_t pgp_data;
248
249
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
250
if(fd == -1){
251
perror_plus("open");
252
return false;
253
}
254
255
rc = gpgme_data_new_from_fd(&pgp_data, fd);
256
if(rc != GPG_ERR_NO_ERROR){
257
fprintf(stderr, "Mandos plugin mandos-client: "
258
"bad gpgme_data_new_from_fd: %s: %s\n",
259
gpgme_strsource(rc), gpgme_strerror(rc));
260
return false;
261
}
262
263
rc = gpgme_op_import(mc.ctx, pgp_data);
264
if(rc != GPG_ERR_NO_ERROR){
265
fprintf(stderr, "Mandos plugin mandos-client: "
266
"bad gpgme_op_import: %s: %s\n",
267
gpgme_strsource(rc), gpgme_strerror(rc));
268
return false;
269
}
270
271
ret = (int)TEMP_FAILURE_RETRY(close(fd));
272
if(ret == -1){
273
perror_plus("close");
274
}
275
gpgme_data_release(pgp_data);
276
return true;
277
}
278
279
if(debug){
280
fprintf(stderr, "Mandos plugin mandos-client: "
281
"Initializing GPGME\n");
97
282
}
98
283
99
284
/* Init GPGME */
100
285
gpgme_check_version(NULL);
101
286
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
102
if (rc != GPG_ERR_NO_ERROR){
103
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
287
if(rc != GPG_ERR_NO_ERROR){
288
fprintf(stderr, "Mandos plugin mandos-client: "
289
"bad gpgme_engine_check_version: %s: %s\n",
104
290
gpgme_strsource(rc), gpgme_strerror(rc));
105
return -1;
291
return false;
106
292
}
107
293
108
/* Set GPGME home directory */
109
rc = gpgme_get_engine_info (&engine_info);
110
if (rc != GPG_ERR_NO_ERROR){
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
294
/* Set GPGME home directory for the OpenPGP engine only */
295
rc = gpgme_get_engine_info(&engine_info);
296
if(rc != GPG_ERR_NO_ERROR){
297
fprintf(stderr, "Mandos plugin mandos-client: "
298
"bad gpgme_get_engine_info: %s: %s\n",
112
299
gpgme_strsource(rc), gpgme_strerror(rc));
113
return -1;
300
return false;
114
301
}
115
302
while(engine_info != NULL){
116
303
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
117
304
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
118
engine_info->file_name, homedir);
305
engine_info->file_name, tempdir);
119
306
break;
120
307
}
121
308
engine_info = engine_info->next;
122
309
}
123
310
if(engine_info == NULL){
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
125
return -1;
126
}
127
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
130
if (rc != GPG_ERR_NO_ERROR){
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
311
fprintf(stderr, "Mandos plugin mandos-client: "
312
"Could not set GPGME home dir to %s\n", tempdir);
313
return false;
314
}
315
316
/* Create new GPGME "context" */
317
rc = gpgme_new(&(mc.ctx));
318
if(rc != GPG_ERR_NO_ERROR){
319
fprintf(stderr, "Mandos plugin mandos-client: "
320
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
321
gpgme_strerror(rc));
322
return false;
323
}
324
325
if(not import_key(pubkey) or not import_key(seckey)){
326
return false;
327
}
328
329
return true;
330
}
331
332
/*
333
* Decrypt OpenPGP data.
334
* Returns -1 on error
335
*/
336
static ssize_t pgp_packet_decrypt(const char *cryptotext,
337
size_t crypto_size,
338
char **plaintext){
339
gpgme_data_t dh_crypto, dh_plain;
340
gpgme_error_t rc;
341
ssize_t ret;
342
size_t plaintext_capacity = 0;
343
ssize_t plaintext_length = 0;
344
345
if(debug){
346
fprintf(stderr, "Mandos plugin mandos-client: "
347
"Trying to decrypt OpenPGP data\n");
348
}
349
350
/* Create new GPGME data buffer from memory cryptotext */
351
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
352
0);
353
if(rc != GPG_ERR_NO_ERROR){
354
fprintf(stderr, "Mandos plugin mandos-client: "
355
"bad gpgme_data_new_from_mem: %s: %s\n",
132
356
gpgme_strsource(rc), gpgme_strerror(rc));
133
357
return -1;
134
358
}
135
359
136
360
/* Create new empty GPGME data buffer for the plaintext */
137
361
rc = gpgme_data_new(&dh_plain);
138
if (rc != GPG_ERR_NO_ERROR){
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
140
gpgme_strsource(rc), gpgme_strerror(rc));
141
return -1;
142
}
143
144
/* Create new GPGME "context" */
145
rc = gpgme_new(&ctx);
146
if (rc != GPG_ERR_NO_ERROR){
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
148
gpgme_strsource(rc), gpgme_strerror(rc));
149
return -1;
150
}
151
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
155
if (rc != GPG_ERR_NO_ERROR){
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
157
gpgme_strsource(rc), gpgme_strerror(rc));
158
return -1;
159
}
160
161
if(debug){
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
163
}
164
165
if (debug){
166
gpgme_decrypt_result_t result;
167
result = gpgme_op_decrypt_result(ctx);
168
if (result == NULL){
169
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
170
} else {
171
fprintf(stderr, "Unsupported algorithm: %s\n",
172
result->unsupported_algorithm);
173
fprintf(stderr, "Wrong key usage: %d\n",
174
result->wrong_key_usage);
175
if(result->file_name != NULL){
176
fprintf(stderr, "File name: %s\n", result->file_name);
177
}
178
gpgme_recipient_t recipient;
179
recipient = result->recipients;
180
if(recipient){
362
if(rc != GPG_ERR_NO_ERROR){
363
fprintf(stderr, "Mandos plugin mandos-client: "
364
"bad gpgme_data_new: %s: %s\n",
365
gpgme_strsource(rc), gpgme_strerror(rc));
366
gpgme_data_release(dh_crypto);
367
return -1;
368
}
369
370
/* Decrypt data from the cryptotext data buffer to the plaintext
371
data buffer */
372
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
373
if(rc != GPG_ERR_NO_ERROR){
374
fprintf(stderr, "Mandos plugin mandos-client: "
375
"bad gpgme_op_decrypt: %s: %s\n",
376
gpgme_strsource(rc), gpgme_strerror(rc));
377
plaintext_length = -1;
378
if(debug){
379
gpgme_decrypt_result_t result;
380
result = gpgme_op_decrypt_result(mc.ctx);
381
if(result == NULL){
382
fprintf(stderr, "Mandos plugin mandos-client: "
383
"gpgme_op_decrypt_result failed\n");
384
} else {
385
fprintf(stderr, "Mandos plugin mandos-client: "
386
"Unsupported algorithm: %s\n",
387
result->unsupported_algorithm);
388
fprintf(stderr, "Mandos plugin mandos-client: "
389
"Wrong key usage: %u\n",
390
result->wrong_key_usage);
391
if(result->file_name != NULL){
392
fprintf(stderr, "Mandos plugin mandos-client: "
393
"File name: %s\n", result->file_name);
394
}
395
gpgme_recipient_t recipient;
396
recipient = result->recipients;
181
397
while(recipient != NULL){
182
fprintf(stderr, "Public key algorithm: %s\n",
398
fprintf(stderr, "Mandos plugin mandos-client: "
399
"Public key algorithm: %s\n",
183
400
gpgme_pubkey_algo_name(recipient->pubkey_algo));
184
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
185
fprintf(stderr, "Secret key available: %s\n",
401
fprintf(stderr, "Mandos plugin mandos-client: "
402
"Key ID: %s\n", recipient->keyid);
403
fprintf(stderr, "Mandos plugin mandos-client: "
404
"Secret key available: %s\n",
186
405
recipient->status == GPG_ERR_NO_SECKEY
187
406
? "No" : "Yes");
188
407
recipient = recipient->next;
189
408
}
190
409
}
191
410
}
411
goto decrypt_end;
192
412
}
193
413
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
414
if(debug){
415
fprintf(stderr, "Mandos plugin mandos-client: "
416
"Decryption of OpenPGP data succeeded\n");
417
}
196
418
197
419
/* Seek back to the beginning of the GPGME plaintext data buffer */
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
199
perror("pgpme_data_seek");
420
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
421
perror_plus("gpgme_data_seek");
422
plaintext_length = -1;
423
goto decrypt_end;
200
424
}
201
425
202
*new_packet = 0;
426
*plaintext = NULL;
203
427
while(true){
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
207
+ BUFFER_SIZE);
208
if (*new_packet == NULL){
209
perror("realloc");
210
return -1;
211
}
212
new_packet_capacity += BUFFER_SIZE;
428
plaintext_capacity = incbuffer(plaintext,
429
(size_t)plaintext_length,
430
plaintext_capacity);
431
if(plaintext_capacity == 0){
432
perror_plus("incbuffer");
433
plaintext_length = -1;
434
goto decrypt_end;
213
435
}
214
436
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
437
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
216
438
BUFFER_SIZE);
217
439
/* Print the data, if any */
218
if (ret == 0){
440
if(ret == 0){
441
/* EOF */
219
442
break;
220
443
}
221
444
if(ret < 0){
222
perror("gpgme_data_read");
223
return -1;
224
}
225
new_packet_length += ret;
226
}
227
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
230
/* if(debug){ */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
234
/* } */
445
perror_plus("gpgme_data_read");
446
plaintext_length = -1;
447
goto decrypt_end;
448
}
449
plaintext_length += ret;
450
}
451
452
if(debug){
453
fprintf(stderr, "Mandos plugin mandos-client: "
454
"Decrypted password is: ");
455
for(ssize_t i = 0; i < plaintext_length; i++){
456
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
457
}
458
fprintf(stderr, "\n");
459
}
460
461
decrypt_end:
462
463
/* Delete the GPGME cryptotext data buffer */
464
gpgme_data_release(dh_crypto);
235
465
236
466
/* Delete the GPGME plaintext data buffer */
237
467
gpgme_data_release(dh_plain);
238
return new_packet_length;
468
return plaintext_length;
239
469
}
240
470
241
static const char * safer_gnutls_strerror (int value) {
242
const char *ret = gnutls_strerror (value);
243
if (ret == NULL)
471
static const char * safer_gnutls_strerror(int value){
472
const char *ret = gnutls_strerror(value); /* Spurious warning from
473
-Wunreachable-code */
474
if(ret == NULL)
244
475
ret = "(unknown)";
245
476
return ret;
246
477
}
247
478
248
void debuggnutls(__attribute__((unused)) int level,
249
const char* string){
250
fprintf(stderr, "%s", string);
479
/* GnuTLS log function callback */
480
static void debuggnutls(__attribute__((unused)) int level,
481
const char* string){
482
fprintf(stderr, "Mandos plugin mandos-client: GnuTLS: %s", string);
251
483
}
252
484
253
int initgnutls(encrypted_session *es){
254
const char *err;
485
static int init_gnutls_global(const char *pubkeyfilename,
486
const char *seckeyfilename){
255
487
int ret;
256
488
257
489
if(debug){
258
fprintf(stderr, "Initializing GnuTLS\n");
490
fprintf(stderr, "Mandos plugin mandos-client: "
491
"Initializing GnuTLS\n");
259
492
}
260
261
if ((ret = gnutls_global_init ())
262
!= GNUTLS_E_SUCCESS) {
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
493
494
ret = gnutls_global_init();
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Mandos plugin mandos-client: "
497
"GnuTLS global_init: %s\n", safer_gnutls_strerror(ret));
264
498
return -1;
265
499
}
266
267
if (debug){
500
501
if(debug){
502
/* "Use a log level over 10 to enable all debugging options."
503
* - GnuTLS manual
504
*/
268
505
gnutls_global_set_log_level(11);
269
506
gnutls_global_set_log_function(debuggnutls);
270
507
}
271
508
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
274
!= GNUTLS_E_SUCCESS) {
275
fprintf (stderr, "memory error: %s\n",
276
safer_gnutls_strerror(ret));
509
/* OpenPGP credentials */
510
ret = gnutls_certificate_allocate_credentials(&mc.cred);
511
if(ret != GNUTLS_E_SUCCESS){
512
fprintf(stderr, "Mandos plugin mandos-client: "
513
"GnuTLS memory error: %s\n", safer_gnutls_strerror(ret));
514
gnutls_global_deinit();
277
515
return -1;
278
516
}
279
517
280
518
if(debug){
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
282
" and keyfile %s as GnuTLS credentials\n", certfile,
283
certkey);
519
fprintf(stderr, "Mandos plugin mandos-client: "
520
"Attempting to use OpenPGP public key %s and"
521
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
522
seckeyfilename);
284
523
}
285
524
286
525
ret = gnutls_certificate_set_openpgp_key_file
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
288
if (ret != GNUTLS_E_SUCCESS) {
289
fprintf
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
291
" '%s')\n",
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
294
safer_gnutls_strerror(ret));
295
return -1;
296
}
297
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
303
return -1;
304
}
305
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
310
return -1;
311
}
312
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
314
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
319
safer_gnutls_strerror(ret));
320
}
321
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
327
return -1;
328
}
329
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
334
safer_gnutls_strerror(ret));
526
(mc.cred, pubkeyfilename, seckeyfilename,
527
GNUTLS_OPENPGP_FMT_BASE64);
528
if(ret != GNUTLS_E_SUCCESS){
529
fprintf(stderr,
530
"Mandos plugin mandos-client: "
531
"Error[%d] while reading the OpenPGP key pair ('%s',"
532
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
533
fprintf(stderr, "Mandos plugin mandos-client: "
534
"The GnuTLS error is: %s\n", safer_gnutls_strerror(ret));
535
goto globalfail;
536
}
537
538
/* GnuTLS server initialization */
539
ret = gnutls_dh_params_init(&mc.dh_params);
540
if(ret != GNUTLS_E_SUCCESS){
541
fprintf(stderr, "Mandos plugin mandos-client: "
542
"Error in GnuTLS DH parameter initialization:"
543
" %s\n", safer_gnutls_strerror(ret));
544
goto globalfail;
545
}
546
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
547
if(ret != GNUTLS_E_SUCCESS){
548
fprintf(stderr, "Mandos plugin mandos-client: "
549
"Error in GnuTLS prime generation: %s\n",
550
safer_gnutls_strerror(ret));
551
goto globalfail;
552
}
553
554
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
555
556
return 0;
557
558
globalfail:
559
560
gnutls_certificate_free_credentials(mc.cred);
561
gnutls_global_deinit();
562
gnutls_dh_params_deinit(mc.dh_params);
563
return -1;
564
}
565
566
static int init_gnutls_session(gnutls_session_t *session){
567
int ret;
568
/* GnuTLS session creation */
569
do {
570
ret = gnutls_init(session, GNUTLS_SERVER);
571
if(quit_now){
572
return -1;
573
}
574
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
575
if(ret != GNUTLS_E_SUCCESS){
576
fprintf(stderr, "Mandos plugin mandos-client: "
577
"Error in GnuTLS session initialization: %s\n",
578
safer_gnutls_strerror(ret));
579
}
580
581
{
582
const char *err;
583
do {
584
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
585
if(quit_now){
586
gnutls_deinit(*session);
587
return -1;
588
}
589
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
590
if(ret != GNUTLS_E_SUCCESS){
591
fprintf(stderr, "Mandos plugin mandos-client: "
592
"Syntax error at: %s\n", err);
593
fprintf(stderr, "Mandos plugin mandos-client: "
594
"GnuTLS error: %s\n", safer_gnutls_strerror(ret));
595
gnutls_deinit(*session);
596
return -1;
597
}
598
}
599
600
do {
601
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
602
mc.cred);
603
if(quit_now){
604
gnutls_deinit(*session);
605
return -1;
606
}
607
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
608
if(ret != GNUTLS_E_SUCCESS){
609
fprintf(stderr, "Mandos plugin mandos-client: "
610
"Error setting GnuTLS credentials: %s\n",
611
safer_gnutls_strerror(ret));
612
gnutls_deinit(*session);
335
613
return -1;
336
614
}
337
615
338
616
/* ignore client certificate if any. */
339
gnutls_certificate_server_set_request (es->session,
340
GNUTLS_CERT_IGNORE);
617
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
341
618
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
619
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
343
620
344
621
return 0;
345
622
}
346
623
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
624
/* Avahi log function callback */
625
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
626
__attribute__((unused)) const char *txt){}
349
627
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
352
int ret, tcp_sd;
353
struct sockaddr_in6 to;
354
encrypted_session es;
628
/* Called when a Mandos server is found */
629
static int start_mandos_communication(const char *ip, uint16_t port,
630
AvahiIfIndex if_index,
631
int af){
632
int ret, tcp_sd = -1;
633
ssize_t sret;
634
union {
635
struct sockaddr_in in;
636
struct sockaddr_in6 in6;
637
} to;
355
638
char *buffer = NULL;
356
char *decrypted_buffer;
639
char *decrypted_buffer = NULL;
357
640
size_t buffer_length = 0;
358
641
size_t buffer_capacity = 0;
359
ssize_t decrypted_buffer_size;
360
size_t written = 0;
361
int retval = 0;
362
char interface[IF_NAMESIZE];
363
364
if(debug){
365
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
366
ip, port);
367
}
368
369
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
370
if(tcp_sd < 0) {
371
perror("socket");
372
return -1;
373
}
374
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
376
if(debug){
377
perror("if_indextoname");
378
}
379
return -1;
380
}
381
382
if(debug){
383
fprintf(stderr, "Binding to interface %s\n", interface);
384
}
385
386
memset(&to,0,sizeof(to)); /* Spurious warning */
387
to.sin6_family = AF_INET6;
388
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
389
if (ret < 0 ){
390
perror("inet_pton");
391
return -1;
392
}
642
size_t written;
643
int retval = -1;
644
gnutls_session_t session;
645
int pf; /* Protocol family */
646
647
errno = 0;
648
649
if(quit_now){
650
errno = EINTR;
651
return -1;
652
}
653
654
switch(af){
655
case AF_INET6:
656
pf = PF_INET6;
657
break;
658
case AF_INET:
659
pf = PF_INET;
660
break;
661
default:
662
fprintf(stderr, "Mandos plugin mandos-client: "
663
"Bad address family: %d\n", af);
664
errno = EINVAL;
665
return -1;
666
}
667
668
ret = init_gnutls_session(&session);
669
if(ret != 0){
670
return -1;
671
}
672
673
if(debug){
674
fprintf(stderr, "Mandos plugin mandos-client: "
675
"Setting up a TCP connection to %s, port %" PRIu16
676
"\n", ip, port);
677
}
678
679
tcp_sd = socket(pf, SOCK_STREAM, 0);
680
if(tcp_sd < 0){
681
int e = errno;
682
perror_plus("socket");
683
errno = e;
684
goto mandos_end;
685
}
686
687
if(quit_now){
688
errno = EINTR;
689
goto mandos_end;
690
}
691
692
memset(&to, 0, sizeof(to));
693
if(af == AF_INET6){
694
to.in6.sin6_family = (sa_family_t)af;
695
ret = inet_pton(af, ip, &to.in6.sin6_addr);
696
} else { /* IPv4 */
697
to.in.sin_family = (sa_family_t)af;
698
ret = inet_pton(af, ip, &to.in.sin_addr);
699
}
700
if(ret < 0 ){
701
int e = errno;
702
perror_plus("inet_pton");
703
errno = e;
704
goto mandos_end;
705
}
393
706
if(ret == 0){
394
fprintf(stderr, "Bad address: %s\n", ip);
395
return -1;
396
}
397
to.sin6_port = htons(port); /* Spurious warning */
398
399
to.sin6_scope_id = (uint32_t)if_index;
400
401
if(debug){
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
407
/* } else { */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
410
/* } */
411
}
412
413
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
414
if (ret < 0){
415
perror("connect");
416
return -1;
417
}
418
419
ret = initgnutls (&es);
420
if (ret != 0){
421
retval = -1;
422
return -1;
423
}
424
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
427
428
if(debug){
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
430
}
431
432
ret = gnutls_handshake (es.session);
433
434
if (ret != GNUTLS_E_SUCCESS){
707
int e = errno;
708
fprintf(stderr, "Mandos plugin mandos-client: "
709
"Bad address: %s\n", ip);
710
errno = e;
711
goto mandos_end;
712
}
713
if(af == AF_INET6){
714
to.in6.sin6_port = htons(port); /* Spurious warnings from
715
-Wconversion and
716
-Wunreachable-code */
717
718
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
719
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
720
-Wunreachable-code*/
721
if(if_index == AVAHI_IF_UNSPEC){
722
fprintf(stderr, "Mandos plugin mandos-client: "
723
"An IPv6 link-local address is incomplete"
724
" without a network interface\n");
725
errno = EINVAL;
726
goto mandos_end;
727
}
728
/* Set the network interface number as scope */
729
to.in6.sin6_scope_id = (uint32_t)if_index;
730
}
731
} else {
732
to.in.sin_port = htons(port); /* Spurious warnings from
733
-Wconversion and
734
-Wunreachable-code */
735
}
736
737
if(quit_now){
738
errno = EINTR;
739
goto mandos_end;
740
}
741
742
if(debug){
743
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
744
char interface[IF_NAMESIZE];
745
if(if_indextoname((unsigned int)if_index, interface) == NULL){
746
perror_plus("if_indextoname");
747
} else {
748
fprintf(stderr, "Mandos plugin mandos-client: "
749
"Connection to: %s%%%s, port %" PRIu16 "\n",
750
ip, interface, port);
751
}
752
} else {
753
fprintf(stderr, "Mandos plugin mandos-client: "
754
"Connection to: %s, port %" PRIu16 "\n", ip, port);
755
}
756
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
757
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
758
const char *pcret;
759
if(af == AF_INET6){
760
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
761
sizeof(addrstr));
762
} else {
763
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
764
sizeof(addrstr));
765
}
766
if(pcret == NULL){
767
perror_plus("inet_ntop");
768
} else {
769
if(strcmp(addrstr, ip) != 0){
770
fprintf(stderr, "Mandos plugin mandos-client: "
771
"Canonical address form: %s\n", addrstr);
772
}
773
}
774
}
775
776
if(quit_now){
777
errno = EINTR;
778
goto mandos_end;
779
}
780
781
if(af == AF_INET6){
782
ret = connect(tcp_sd, &to.in6, sizeof(to));
783
} else {
784
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
785
}
786
if(ret < 0){
787
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
788
int e = errno;
789
perror_plus("connect");
790
errno = e;
791
}
792
goto mandos_end;
793
}
794
795
if(quit_now){
796
errno = EINTR;
797
goto mandos_end;
798
}
799
800
const char *out = mandos_protocol_version;
801
written = 0;
802
while(true){
803
size_t out_size = strlen(out);
804
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
805
out_size - written));
806
if(ret == -1){
807
int e = errno;
808
perror_plus("write");
809
errno = e;
810
goto mandos_end;
811
}
812
written += (size_t)ret;
813
if(written < out_size){
814
continue;
815
} else {
816
if(out == mandos_protocol_version){
817
written = 0;
818
out = "\r\n";
819
} else {
820
break;
821
}
822
}
823
824
if(quit_now){
825
errno = EINTR;
826
goto mandos_end;
827
}
828
}
829
830
if(debug){
831
fprintf(stderr, "Mandos plugin mandos-client: "
832
"Establishing TLS session with %s\n", ip);
833
}
834
835
if(quit_now){
836
errno = EINTR;
837
goto mandos_end;
838
}
839
840
/* Spurious warning from -Wint-to-pointer-cast */
841
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
842
843
if(quit_now){
844
errno = EINTR;
845
goto mandos_end;
846
}
847
848
do {
849
ret = gnutls_handshake(session);
850
if(quit_now){
851
errno = EINTR;
852
goto mandos_end;
853
}
854
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
855
856
if(ret != GNUTLS_E_SUCCESS){
435
857
if(debug){
436
fprintf(stderr, "\n*** Handshake failed ***\n");
437
gnutls_perror (ret);
858
fprintf(stderr, "Mandos plugin mandos-client: "
859
"*** GnuTLS Handshake failed ***\n");
860
gnutls_perror(ret);
438
861
}
439
retval = -1;
440
goto exit;
862
errno = EPROTO;
863
goto mandos_end;
441
864
}
442
865
443
//Retrieve OpenPGP packet that contains the wanted password
866
/* Read OpenPGP packet that contains the wanted password */
444
867
445
868
if(debug){
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
447
ip);
869
fprintf(stderr, "Mandos plugin mandos-client: "
870
"Retrieving OpenPGP encrypted password from %s\n", ip);
448
871
}
449
872
450
873
while(true){
451
if (buffer_length + BUFFER_SIZE > buffer_capacity){
452
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
453
if (buffer == NULL){
454
perror("realloc");
455
goto exit;
456
}
457
buffer_capacity += BUFFER_SIZE;
458
}
459
460
ret = gnutls_record_recv
461
(es.session, buffer+buffer_length, BUFFER_SIZE);
462
if (ret == 0){
874
875
if(quit_now){
876
errno = EINTR;
877
goto mandos_end;
878
}
879
880
buffer_capacity = incbuffer(&buffer, buffer_length,
881
buffer_capacity);
882
if(buffer_capacity == 0){
883
int e = errno;
884
perror_plus("incbuffer");
885
errno = e;
886
goto mandos_end;
887
}
888
889
if(quit_now){
890
errno = EINTR;
891
goto mandos_end;
892
}
893
894
sret = gnutls_record_recv(session, buffer+buffer_length,
895
BUFFER_SIZE);
896
if(sret == 0){
463
897
break;
464
898
}
465
if (ret < 0){
466
switch(ret){
899
if(sret < 0){
900
switch(sret){
467
901
case GNUTLS_E_INTERRUPTED:
468
902
case GNUTLS_E_AGAIN:
469
903
break;
470
904
case GNUTLS_E_REHANDSHAKE:
471
ret = gnutls_handshake (es.session);
472
if (ret < 0){
473
fprintf(stderr, "\n*** Handshake failed ***\n");
474
gnutls_perror (ret);
475
retval = -1;
476
goto exit;
905
do {
906
ret = gnutls_handshake(session);
907
908
if(quit_now){
909
errno = EINTR;
910
goto mandos_end;
911
}
912
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
913
if(ret < 0){
914
fprintf(stderr, "Mandos plugin mandos-client: "
915
"*** GnuTLS Re-handshake failed ***\n");
916
gnutls_perror(ret);
917
errno = EPROTO;
918
goto mandos_end;
477
919
}
478
920
break;
479
921
default:
480
fprintf(stderr, "Unknown error while reading data from"
481
" encrypted session with mandos server\n");
482
retval = -1;
483
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
484
goto exit;
922
fprintf(stderr, "Mandos plugin mandos-client: "
923
"Unknown error while reading data from"
924
" encrypted session with Mandos server\n");
925
gnutls_bye(session, GNUTLS_SHUT_RDWR);
926
errno = EIO;
927
goto mandos_end;
485
928
}
486
929
} else {
487
buffer_length += (size_t) ret;
488
}
489
}
490
491
if (buffer_length > 0){
930
buffer_length += (size_t) sret;
931
}
932
}
933
934
if(debug){
935
fprintf(stderr, "Mandos plugin mandos-client: "
936
"Closing TLS session\n");
937
}
938
939
if(quit_now){
940
errno = EINTR;
941
goto mandos_end;
942
}
943
944
do {
945
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
946
if(quit_now){
947
errno = EINTR;
948
goto mandos_end;
949
}
950
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
951
952
if(buffer_length > 0){
953
ssize_t decrypted_buffer_size;
492
954
decrypted_buffer_size = pgp_packet_decrypt(buffer,
493
955
buffer_length,
494
&decrypted_buffer,
495
certdir);
496
if (decrypted_buffer_size >= 0){
956
&decrypted_buffer);
957
if(decrypted_buffer_size >= 0){
958
959
written = 0;
497
960
while(written < (size_t) decrypted_buffer_size){
498
ret = (int)fwrite (decrypted_buffer + written, 1,
499
(size_t)decrypted_buffer_size - written,
500
stdout);
961
if(quit_now){
962
errno = EINTR;
963
goto mandos_end;
964
}
965
966
ret = (int)fwrite(decrypted_buffer + written, 1,
967
(size_t)decrypted_buffer_size - written,
968
stdout);
501
969
if(ret == 0 and ferror(stdout)){
970
int e = errno;
502
971
if(debug){
503
fprintf(stderr, "Error writing encrypted data: %s\n",
972
fprintf(stderr, "Mandos plugin mandos-client: "
973
"Error writing encrypted data: %s\n",
504
974
strerror(errno));
505
975
}
506
retval = -1;
507
break;
976
errno = e;
977
goto mandos_end;
508
978
}
509
979
written += (size_t)ret;
510
980
}
511
free(decrypted_buffer);
512
} else {
981
retval = 0;
982
}
983
}
984
985
/* Shutdown procedure */
986
987
mandos_end:
988
{
989
int e = errno;
990
free(decrypted_buffer);
991
free(buffer);
992
if(tcp_sd >= 0){
993
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
994
}
995
if(ret == -1){
996
if(e == 0){
997
e = errno;
998
}
999
perror_plus("close");
1000
}
1001
gnutls_deinit(session);
1002
errno = e;
1003
if(quit_now){
1004
errno = EINTR;
513
1005
retval = -1;
514
1006
}
515
1007
}
516
517
//shutdown procedure
518
519
if(debug){
520
fprintf(stderr, "Closing TLS session\n");
521
}
522
523
free(buffer);
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
exit:
526
close(tcp_sd);
527
gnutls_deinit (es.session);
528
gnutls_certificate_free_credentials (es.cred);
529
gnutls_global_deinit ();
530
1008
return retval;
531
1009
}
532
1010
533
static AvahiSimplePoll *simple_poll = NULL;
534
static AvahiServer *server = NULL;
535
536
static void resolve_callback(
537
AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
AVAHI_GCC_UNUSED void* userdata) {
550
551
assert(r); /* Spurious warning */
1011
static void resolve_callback(AvahiSServiceResolver *r,
1012
AvahiIfIndex interface,
1013
AvahiProtocol proto,
1014
AvahiResolverEvent event,
1015
const char *name,
1016
const char *type,
1017
const char *domain,
1018
const char *host_name,
1019
const AvahiAddress *address,
1020
uint16_t port,
1021
AVAHI_GCC_UNUSED AvahiStringList *txt,
1022
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1023
flags,
1024
AVAHI_GCC_UNUSED void* userdata){
1025
assert(r);
552
1026
553
1027
/* Called whenever a service has been resolved successfully or
554
1028
timed out */
555
1029
556
switch (event) {
1030
if(quit_now){
1031
return;
1032
}
1033
1034
switch(event){
557
1035
default:
558
1036
case AVAHI_RESOLVER_FAILURE:
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(server)));
1037
fprintf(stderr, "Mandos plugin mandos-client: "
1038
"(Avahi Resolver) Failed to resolve service '%s'"
1039
" of type '%s' in domain '%s': %s\n", name, type, domain,
1040
avahi_strerror(avahi_server_errno(mc.server)));
562
1041
break;
563
1042
564
1043
case AVAHI_RESOLVER_FOUND:
566
1045
char ip[AVAHI_ADDRESS_STR_MAX];
567
1046
avahi_address_snprint(ip, sizeof(ip), address);
568
1047
if(debug){
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
1048
fprintf(stderr, "Mandos plugin mandos-client: "
1049
"Mandos server \"%s\" found on %s (%s, %"
1050
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
1051
ip, (intmax_t)interface, port);
571
1052
}
572
int ret = start_mandos_communication(ip, port, interface);
573
if (ret == 0){
574
exit(EXIT_SUCCESS);
1053
int ret = start_mandos_communication(ip, port, interface,
1054
avahi_proto_to_af(proto));
1055
if(ret == 0){
1056
avahi_simple_poll_quit(mc.simple_poll);
1057
} else {
1058
ret = add_server(ip, port, interface,
1059
avahi_proto_to_af(proto));
575
1060
}
576
1061
}
577
1062
}
578
1063
avahi_s_service_resolver_free(r);
579
1064
}
580
1065
581
static void browse_callback(
582
AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
586
const char *name,
587
const char *type,
588
const char *domain,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
590
void* userdata) {
591
592
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
594
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
597
598
switch (event) {
1066
static void browse_callback(AvahiSServiceBrowser *b,
1067
AvahiIfIndex interface,
1068
AvahiProtocol protocol,
1069
AvahiBrowserEvent event,
1070
const char *name,
1071
const char *type,
1072
const char *domain,
1073
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1074
flags,
1075
AVAHI_GCC_UNUSED void* userdata){
1076
assert(b);
1077
1078
/* Called whenever a new services becomes available on the LAN or
1079
is removed from the LAN */
1080
1081
if(quit_now){
1082
return;
1083
}
1084
1085
switch(event){
1086
default:
1087
case AVAHI_BROWSER_FAILURE:
1088
1089
fprintf(stderr, "Mandos plugin mandos-client: "
1090
"(Avahi browser) %s\n",
1091
avahi_strerror(avahi_server_errno(mc.server)));
1092
avahi_simple_poll_quit(mc.simple_poll);
1093
return;
1094
1095
case AVAHI_BROWSER_NEW:
1096
/* We ignore the returned Avahi resolver object. In the callback
1097
function we free it. If the Avahi server is terminated before
1098
the callback function is called the Avahi server will free the
1099
resolver for us. */
1100
1101
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1102
name, type, domain, protocol, 0,
1103
resolve_callback, NULL) == NULL)
1104
fprintf(stderr, "Mandos plugin mandos-client: "
1105
"Avahi: Failed to resolve service '%s': %s\n",
1106
name, avahi_strerror(avahi_server_errno(mc.server)));
1107
break;
1108
1109
case AVAHI_BROWSER_REMOVE:
1110
break;
1111
1112
case AVAHI_BROWSER_ALL_FOR_NOW:
1113
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1114
if(debug){
1115
fprintf(stderr, "Mandos plugin mandos-client: "
1116
"No Mandos server found, still searching...\n");
1117
}
1118
break;
1119
}
1120
}
1121
1122
/* Signal handler that stops main loop after SIGTERM */
1123
static void handle_sigterm(int sig){
1124
if(quit_now){
1125
return;
1126
}
1127
quit_now = 1;
1128
signal_received = sig;
1129
int old_errno = errno;
1130
/* set main loop to exit */
1131
if(mc.simple_poll != NULL){
1132
avahi_simple_poll_quit(mc.simple_poll);
1133
}
1134
errno = old_errno;
1135
}
1136
1137
bool get_flags(const char *ifname, struct ifreq *ifr){
1138
int ret;
1139
1140
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1141
if(s < 0){
1142
perror_plus("socket");
1143
return false;
1144
}
1145
strcpy(ifr->ifr_name, ifname);
1146
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1147
if(ret == -1){
1148
if(debug){
1149
perror_plus("ioctl SIOCGIFFLAGS");
1150
}
1151
return false;
1152
}
1153
return true;
1154
}
1155
1156
bool good_flags(const char *ifname, const struct ifreq *ifr){
1157
1158
/* Reject the loopback device */
1159
if(ifr->ifr_flags & IFF_LOOPBACK){
1160
if(debug){
1161
fprintf(stderr, "Mandos plugin mandos-client: "
1162
"Rejecting loopback interface \"%s\"\n", ifname);
1163
}
1164
return false;
1165
}
1166
/* Accept point-to-point devices only if connect_to is specified */
1167
if(connect_to != NULL and (ifr->ifr_flags & IFF_POINTOPOINT)){
1168
if(debug){
1169
fprintf(stderr, "Mandos plugin mandos-client: "
1170
"Accepting point-to-point interface \"%s\"\n", ifname);
1171
}
1172
return true;
1173
}
1174
/* Otherwise, reject non-broadcast-capable devices */
1175
if(not (ifr->ifr_flags & IFF_BROADCAST)){
1176
if(debug){
1177
fprintf(stderr, "Mandos plugin mandos-client: "
1178
"Rejecting non-broadcast interface \"%s\"\n", ifname);
1179
}
1180
return false;
1181
}
1182
/* Reject non-ARP interfaces (including dummy interfaces) */
1183
if(ifr->ifr_flags & IFF_NOARP){
1184
if(debug){
1185
fprintf(stderr, "Mandos plugin mandos-client: "
1186
"Rejecting non-ARP interface \"%s\"\n", ifname);
1187
}
1188
return false;
1189
}
1190
1191
/* Accept this device */
1192
if(debug){
1193
fprintf(stderr, "Mandos plugin mandos-client: "
1194
"Interface \"%s\" is good\n", ifname);
1195
}
1196
return true;
1197
}
1198
1199
/*
1200
* This function determines if a directory entry in /sys/class/net
1201
* corresponds to an acceptable network device.
1202
* (This function is passed to scandir(3) as a filter function.)
1203
*/
1204
int good_interface(const struct dirent *if_entry){
1205
if(if_entry->d_name[0] == '.'){
1206
return 0;
1207
}
1208
1209
struct ifreq ifr;
1210
if(not get_flags(if_entry->d_name, &ifr)){
1211
if(debug){
1212
fprintf(stderr, "Mandos plugin mandos-client: "
1213
"Failed to get flags for interface \"%s\"\n",
1214
if_entry->d_name);
1215
}
1216
return 0;
1217
}
1218
1219
if(not good_flags(if_entry->d_name, &ifr)){
1220
return 0;
1221
}
1222
return 1;
1223
}
1224
1225
/*
1226
* This function determines if a directory entry in /sys/class/net
1227
* corresponds to an acceptable network device which is up.
1228
* (This function is passed to scandir(3) as a filter function.)
1229
*/
1230
int up_interface(const struct dirent *if_entry){
1231
if(if_entry->d_name[0] == '.'){
1232
return 0;
1233
}
1234
1235
struct ifreq ifr;
1236
if(not get_flags(if_entry->d_name, &ifr)){
1237
if(debug){
1238
fprintf(stderr, "Mandos plugin mandos-client: "
1239
"Failed to get flags for interface \"%s\"\n",
1240
if_entry->d_name);
1241
}
1242
return 0;
1243
}
1244
1245
/* Reject down interfaces */
1246
if(not (ifr.ifr_flags & IFF_UP)){
1247
if(debug){
1248
fprintf(stderr, "Mandos plugin mandos-client: "
1249
"Rejecting down interface \"%s\"\n",
1250
if_entry->d_name);
1251
}
1252
return 0;
1253
}
1254
1255
/* Reject non-running interfaces */
1256
if(not (ifr.ifr_flags & IFF_RUNNING)){
1257
if(debug){
1258
fprintf(stderr, "Mandos plugin mandos-client: "
1259
"Rejecting non-running interface \"%s\"\n",
1260
if_entry->d_name);
1261
}
1262
return 0;
1263
}
1264
1265
if(not good_flags(if_entry->d_name, &ifr)){
1266
return 0;
1267
}
1268
return 1;
1269
}
1270
1271
int notdotentries(const struct dirent *direntry){
1272
/* Skip "." and ".." */
1273
if(direntry->d_name[0] == '.'
1274
and (direntry->d_name[1] == '\0'
1275
or (direntry->d_name[1] == '.'
1276
and direntry->d_name[2] == '\0'))){
1277
return 0;
1278
}
1279
return 1;
1280
}
1281
1282
/* Is this directory entry a runnable program? */
1283
int runnable_hook(const struct dirent *direntry){
1284
int ret;
1285
struct stat st;
1286
1287
if((direntry->d_name)[0] == '\0'){
1288
/* Empty name? */
1289
return 0;
1290
}
1291
1292
/* Save pointer to last character */
1293
char *end = strchr(direntry->d_name, '\0')-1;
1294
1295
if(*end == '~'){
1296
/* Backup name~ */
1297
return 0;
1298
}
1299
1300
if(((direntry->d_name)[0] == '#')
1301
and (*end == '#')){
1302
/* Temporary #name# */
1303
return 0;
1304
}
1305
1306
/* XXX more rules here */
1307
1308
char *fullname = NULL;
1309
ret = asprintf(&fullname, "%s/%s", hookdir,
1310
direntry->d_name);
1311
if(ret < 0){
1312
perror_plus("asprintf");
1313
return 0;
1314
}
1315
1316
ret = stat(fullname, &st);
1317
if(ret == -1){
1318
if(debug){
1319
perror_plus("Could not stat plugin");
1320
}
1321
return 0;
1322
}
1323
if(not (S_ISREG(st.st_mode))){
1324
/* Not a regular file */
1325
return 0;
1326
}
1327
if(not (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))){
1328
/* Not executable */
1329
return 0;
1330
}
1331
return 1;
1332
}
1333
1334
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval){
1335
int ret;
1336
struct timespec now;
1337
struct timespec waited_time;
1338
intmax_t block_time;
1339
1340
while(true){
1341
if(mc.current_server == NULL){
1342
if (debug){
1343
fprintf(stderr, "Mandos plugin mandos-client: "
1344
"Wait until first server is found. No timeout!\n");
1345
}
1346
ret = avahi_simple_poll_iterate(s, -1);
1347
} else {
1348
if (debug){
1349
fprintf(stderr, "Mandos plugin mandos-client: "
1350
"Check current_server if we should run it,"
1351
" or wait\n");
1352
}
1353
/* the current time */
1354
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1355
if(ret == -1){
1356
perror_plus("clock_gettime");
1357
return -1;
1358
}
1359
/* Calculating in ms how long time between now and server
1360
who we visted longest time ago. Now - last seen. */
1361
waited_time.tv_sec = (now.tv_sec
1362
- mc.current_server->last_seen.tv_sec);
1363
waited_time.tv_nsec = (now.tv_nsec
1364
- mc.current_server->last_seen.tv_nsec);
1365
/* total time is 10s/10,000ms.
1366
Converting to s from ms by dividing by 1,000,
1367
and ns to ms by dividing by 1,000,000. */
1368
block_time = ((retry_interval
1369
- ((intmax_t)waited_time.tv_sec * 1000))
1370
- ((intmax_t)waited_time.tv_nsec / 1000000));
1371
1372
if (debug){
1373
fprintf(stderr, "Mandos plugin mandos-client: "
1374
"Blocking for %" PRIdMAX " ms\n", block_time);
1375
}
1376
1377
if(block_time <= 0){
1378
ret = start_mandos_communication(mc.current_server->ip,
1379
mc.current_server->port,
1380
mc.current_server->if_index,
1381
mc.current_server->af);
1382
if(ret == 0){
1383
avahi_simple_poll_quit(mc.simple_poll);
1384
return 0;
1385
}
1386
ret = clock_gettime(CLOCK_MONOTONIC,
1387
&mc.current_server->last_seen);
1388
if(ret == -1){
1389
perror_plus("clock_gettime");
1390
return -1;
1391
}
1392
mc.current_server = mc.current_server->next;
1393
block_time = 0; /* Call avahi to find new Mandos
1394
servers, but don't block */
1395
}
1396
1397
ret = avahi_simple_poll_iterate(s, (int)block_time);
1398
}
1399
if(ret != 0){
1400
if (ret > 0 or errno != EINTR){
1401
return (ret != 1) ? ret : 0;
1402
}
1403
}
1404
}
1405
}
1406
1407
int main(int argc, char *argv[]){
1408
AvahiSServiceBrowser *sb = NULL;
1409
int error;
1410
int ret;
1411
intmax_t tmpmax;
1412
char *tmp;
1413
int exitcode = EXIT_SUCCESS;
1414
const char *interface = "";
1415
struct ifreq network;
1416
int sd = -1;
1417
bool take_down_interface = false;
1418
uid_t uid;
1419
gid_t gid;
1420
char tempdir[] = "/tmp/mandosXXXXXX";
1421
bool tempdir_created = false;
1422
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1423
const char *seckey = PATHDIR "/" SECKEY;
1424
const char *pubkey = PATHDIR "/" PUBKEY;
1425
1426
bool gnutls_initialized = false;
1427
bool gpgme_initialized = false;
1428
float delay = 2.5f;
1429
double retry_interval = 10; /* 10s between trying a server and
1430
retrying the same server again */
1431
1432
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1433
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1434
1435
uid = getuid();
1436
gid = getgid();
1437
1438
/* Lower any group privileges we might have, just to be safe */
1439
errno = 0;
1440
ret = setgid(gid);
1441
if(ret == -1){
1442
perror_plus("setgid");
1443
}
1444
1445
/* Lower user privileges (temporarily) */
1446
errno = 0;
1447
ret = seteuid(uid);
1448
if(ret == -1){
1449
perror_plus("seteuid");
1450
}
1451
1452
if(quit_now){
1453
goto end;
1454
}
1455
1456
{
1457
struct argp_option options[] = {
1458
{ .name = "debug", .key = 128,
1459
.doc = "Debug mode", .group = 3 },
1460
{ .name = "connect", .key = 'c',
1461
.arg = "ADDRESS:PORT",
1462
.doc = "Connect directly to a specific Mandos server",
1463
.group = 1 },
1464
{ .name = "interface", .key = 'i',
1465
.arg = "NAME",
1466
.doc = "Network interface that will be used to search for"
1467
" Mandos servers",
1468
.group = 1 },
1469
{ .name = "seckey", .key = 's',
1470
.arg = "FILE",
1471
.doc = "OpenPGP secret key file base name",
1472
.group = 1 },
1473
{ .name = "pubkey", .key = 'p',
1474
.arg = "FILE",
1475
.doc = "OpenPGP public key file base name",
1476
.group = 2 },
1477
{ .name = "dh-bits", .key = 129,
1478
.arg = "BITS",
1479
.doc = "Bit length of the prime number used in the"
1480
" Diffie-Hellman key exchange",
1481
.group = 2 },
1482
{ .name = "priority", .key = 130,
1483
.arg = "STRING",
1484
.doc = "GnuTLS priority string for the TLS handshake",
1485
.group = 1 },
1486
{ .name = "delay", .key = 131,
1487
.arg = "SECONDS",
1488
.doc = "Maximum delay to wait for interface startup",
1489
.group = 2 },
1490
{ .name = "retry", .key = 132,
1491
.arg = "SECONDS",
1492
.doc = "Retry interval used when denied by the mandos server",
1493
.group = 2 },
1494
{ .name = "network-hook-dir", .key = 133,
1495
.arg = "DIR",
1496
.doc = "Directory where network hooks are located",
1497
.group = 2 },
1498
/*
1499
* These reproduce what we would get without ARGP_NO_HELP
1500
*/
1501
{ .name = "help", .key = '?',
1502
.doc = "Give this help list", .group = -1 },
1503
{ .name = "usage", .key = -3,
1504
.doc = "Give a short usage message", .group = -1 },
1505
{ .name = "version", .key = 'V',
1506
.doc = "Print program version", .group = -1 },
1507
{ .name = NULL }
1508
};
1509
1510
error_t parse_opt(int key, char *arg,
1511
struct argp_state *state){
1512
errno = 0;
1513
switch(key){
1514
case 128: /* --debug */
1515
debug = true;
1516
break;
1517
case 'c': /* --connect */
1518
connect_to = arg;
1519
break;
1520
case 'i': /* --interface */
1521
interface = arg;
1522
break;
1523
case 's': /* --seckey */
1524
seckey = arg;
1525
break;
1526
case 'p': /* --pubkey */
1527
pubkey = arg;
1528
break;
1529
case 129: /* --dh-bits */
1530
errno = 0;
1531
tmpmax = strtoimax(arg, &tmp, 10);
1532
if(errno != 0 or tmp == arg or *tmp != '\0'
1533
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1534
argp_error(state, "Bad number of DH bits");
1535
}
1536
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1537
break;
1538
case 130: /* --priority */
1539
mc.priority = arg;
1540
break;
1541
case 131: /* --delay */
1542
errno = 0;
1543
delay = strtof(arg, &tmp);
1544
if(errno != 0 or tmp == arg or *tmp != '\0'){
1545
argp_error(state, "Bad delay");
1546
}
1547
case 132: /* --retry */
1548
errno = 0;
1549
retry_interval = strtod(arg, &tmp);
1550
if(errno != 0 or tmp == arg or *tmp != '\0'
1551
or (retry_interval * 1000) > INT_MAX
1552
or retry_interval < 0){
1553
argp_error(state, "Bad retry interval");
1554
}
1555
break;
1556
case 133: /* --network-hook-dir */
1557
hookdir = arg;
1558
break;
1559
/*
1560
* These reproduce what we would get without ARGP_NO_HELP
1561
*/
1562
case '?': /* --help */
1563
argp_state_help(state, state->out_stream,
1564
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1565
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1566
case -3: /* --usage */
1567
argp_state_help(state, state->out_stream,
1568
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1569
case 'V': /* --version */
1570
fprintf(state->out_stream, "Mandos plugin mandos-client: ");
1571
fprintf(state->out_stream, "%s\n", argp_program_version);
1572
exit(argp_err_exit_status);
1573
break;
1574
default:
1575
return ARGP_ERR_UNKNOWN;
1576
}
1577
return errno;
1578
}
1579
1580
struct argp argp = { .options = options, .parser = parse_opt,
1581
.args_doc = "",
1582
.doc = "Mandos client -- Get and decrypt"
1583
" passwords from a Mandos server" };
1584
ret = argp_parse(&argp, argc, argv,
1585
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1586
switch(ret){
1587
case 0:
1588
break;
1589
case ENOMEM:
599
1590
default:
600
case AVAHI_BROWSER_FAILURE:
601
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
605
return;
606
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
612
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
614
type, domain,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
619
break;
620
621
case AVAHI_BROWSER_REMOVE:
622
break;
623
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
626
break;
627
}
628
}
629
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
632
char *tmp;
633
tmp = malloc(strlen(first) + strlen(second) + 2);
634
if (tmp == NULL){
635
perror("malloc");
636
return NULL;
637
}
638
strcpy(tmp, first);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
640
strcat(tmp, "/");
641
}
642
strcat(tmp, second);
643
return tmp;
644
}
645
646
647
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1591
errno = ret;
1592
perror_plus("argp_parse");
1593
exitcode = EX_OSERR;
1594
goto end;
1595
case EINVAL:
1596
exitcode = EX_USAGE;
1597
goto end;
1598
}
1599
}
1600
1601
{
1602
/* Work around Debian bug #633582:
1603
<http://bugs.debian.org/633582> */
1604
struct stat st;
1605
1606
/* Re-raise priviliges */
1607
errno = 0;
1608
ret = seteuid(0);
1609
if(ret == -1){
1610
perror_plus("seteuid");
1611
}
1612
1613
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1614
int seckey_fd = open(seckey, O_RDONLY);
1615
if(seckey_fd == -1){
1616
perror_plus("open");
1617
} else {
1618
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1619
if(ret == -1){
1620
perror_plus("fstat");
1621
} else {
1622
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1623
ret = fchown(seckey_fd, uid, gid);
1624
if(ret == -1){
1625
perror_plus("fchown");
1626
}
1627
}
1628
}
1629
TEMP_FAILURE_RETRY(close(seckey_fd));
1630
}
1631
}
1632
1633
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1634
int pubkey_fd = open(pubkey, O_RDONLY);
1635
if(pubkey_fd == -1){
1636
perror_plus("open");
1637
} else {
1638
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1639
if(ret == -1){
1640
perror_plus("fstat");
1641
} else {
1642
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1643
ret = fchown(pubkey_fd, uid, gid);
1644
if(ret == -1){
1645
perror_plus("fchown");
1646
}
1647
}
1648
}
1649
TEMP_FAILURE_RETRY(close(pubkey_fd));
1650
}
1651
}
1652
1653
/* Lower privileges */
1654
errno = 0;
1655
ret = seteuid(uid);
1656
if(ret == -1){
1657
perror_plus("seteuid");
1658
}
1659
}
1660
1661
/* Find network hooks and run them */
1662
{
1663
struct dirent **direntries;
1664
struct dirent *direntry;
1665
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1666
alphasort);
1667
if(numhooks == -1){
1668
perror_plus("scandir");
1669
} else {
1670
int devnull = open("/dev/null", O_RDONLY);
1671
for(int i = 0; i < numhooks; i++){
1672
direntry = direntries[0];
1673
char *fullname = NULL;
1674
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1675
if(ret < 0){
1676
perror_plus("asprintf");
1677
continue;
1678
}
1679
pid_t hook_pid = fork();
1680
if(hook_pid == 0){
1681
/* Child */
1682
dup2(devnull, STDIN_FILENO);
1683
close(devnull);
1684
dup2(STDERR_FILENO, STDOUT_FILENO);
1685
ret = setenv("DEVICE", interface, 1);
1686
if(ret == -1){
1687
perror_plus("setenv");
1688
exit(1);
1689
}
1690
ret = setenv("VERBOSE", debug ? "1" : "0", 1);
1691
if(ret == -1){
1692
perror_plus("setenv");
1693
exit(1);
1694
}
1695
ret = setenv("MODE", "start", 1);
1696
if(ret == -1){
1697
perror_plus("setenv");
1698
exit(1);
1699
}
1700
char *delaystring;
1701
ret = asprintf(&delaystring, "%f", delay);
1702
if(ret == -1){
1703
perror_plus("asprintf");
1704
exit(1);
1705
}
1706
ret = setenv("DELAY", delaystring, 1);
1707
if(ret == -1){
1708
free(delaystring);
1709
perror_plus("setenv");
1710
exit(1);
1711
}
1712
free(delaystring);
1713
ret = execl(fullname, direntry->d_name, "start", NULL);
1714
perror_plus("execl");
1715
} else {
1716
int status;
1717
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1718
perror_plus("waitpid");
1719
free(fullname);
1720
continue;
1721
}
1722
if(WIFEXITED(status)){
1723
if(WEXITSTATUS(status) != 0){
1724
fprintf(stderr, "Mandos plugin mandos-client: "
1725
"Warning: network hook \"%s\" exited"
1726
" with status %d\n", direntry->d_name,
1727
WEXITSTATUS(status));
1728
free(fullname);
1729
continue;
1730
}
1731
} else if(WIFSIGNALED(status)){
1732
fprintf(stderr, "Mandos plugin mandos-client: "
1733
"Warning: network hook \"%s\" died by"
1734
" signal %d\n", direntry->d_name,
1735
WTERMSIG(status));
1736
free(fullname);
1737
continue;
1738
} else {
1739
fprintf(stderr, "Mandos plugin mandos-client: "
1740
"Warning: network hook \"%s\" crashed\n",
1741
direntry->d_name);
1742
free(fullname);
1743
continue;
1744
}
1745
}
1746
free(fullname);
1747
if(quit_now){
1748
goto end;
1749
}
1750
}
1751
close(devnull);
1752
}
1753
}
1754
1755
if(not debug){
1756
avahi_set_log_function(empty_log);
1757
}
1758
1759
if(interface[0] == '\0'){
1760
struct dirent **direntries;
1761
/* First look for interfaces that are up */
1762
ret = scandir(sys_class_net, &direntries, up_interface,
1763
alphasort);
1764
if(ret == 0){
1765
/* No up interfaces, look for any good interfaces */
1766
free(direntries);
1767
ret = scandir(sys_class_net, &direntries, good_interface,
1768
alphasort);
1769
}
1770
if(ret >= 1){
1771
/* Pick the first interface returned */
1772
interface = strdup(direntries[0]->d_name);
1773
if(debug){
1774
fprintf(stderr, "Mandos plugin mandos-client: "
1775
"Using interface \"%s\"\n", interface);
1776
}
1777
if(interface == NULL){
1778
perror_plus("malloc");
1779
free(direntries);
1780
exitcode = EXIT_FAILURE;
1781
goto end;
1782
}
1783
free(direntries);
1784
} else {
1785
free(direntries);
1786
fprintf(stderr, "Mandos plugin mandos-client: "
1787
"Could not find a network interface\n");
1788
exitcode = EXIT_FAILURE;
1789
goto end;
1790
}
1791
}
1792
1793
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1794
from the signal handler */
1795
/* Initialize the pseudo-RNG for Avahi */
1796
srand((unsigned int) time(NULL));
1797
mc.simple_poll = avahi_simple_poll_new();
1798
if(mc.simple_poll == NULL){
1799
fprintf(stderr, "Mandos plugin mandos-client: "
1800
"Avahi: Failed to create simple poll object.\n");
1801
exitcode = EX_UNAVAILABLE;
1802
goto end;
1803
}
1804
1805
sigemptyset(&sigterm_action.sa_mask);
1806
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1807
if(ret == -1){
1808
perror_plus("sigaddset");
1809
exitcode = EX_OSERR;
1810
goto end;
1811
}
1812
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1813
if(ret == -1){
1814
perror_plus("sigaddset");
1815
exitcode = EX_OSERR;
1816
goto end;
1817
}
1818
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1819
if(ret == -1){
1820
perror_plus("sigaddset");
1821
exitcode = EX_OSERR;
1822
goto end;
1823
}
1824
/* Need to check if the handler is SIG_IGN before handling:
1825
| [[info:libc:Initial Signal Actions]] |
1826
| [[info:libc:Basic Signal Handling]] |
1827
*/
1828
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1829
if(ret == -1){
1830
perror_plus("sigaction");
1831
return EX_OSERR;
1832
}
1833
if(old_sigterm_action.sa_handler != SIG_IGN){
1834
ret = sigaction(SIGINT, &sigterm_action, NULL);
1835
if(ret == -1){
1836
perror_plus("sigaction");
1837
exitcode = EX_OSERR;
1838
goto end;
1839
}
1840
}
1841
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1842
if(ret == -1){
1843
perror_plus("sigaction");
1844
return EX_OSERR;
1845
}
1846
if(old_sigterm_action.sa_handler != SIG_IGN){
1847
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1848
if(ret == -1){
1849
perror_plus("sigaction");
1850
exitcode = EX_OSERR;
1851
goto end;
1852
}
1853
}
1854
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1855
if(ret == -1){
1856
perror_plus("sigaction");
1857
return EX_OSERR;
1858
}
1859
if(old_sigterm_action.sa_handler != SIG_IGN){
1860
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1861
if(ret == -1){
1862
perror_plus("sigaction");
1863
exitcode = EX_OSERR;
1864
goto end;
1865
}
1866
}
1867
1868
/* If the interface is down, bring it up */
1869
if(strcmp(interface, "none") != 0){
1870
if_index = (AvahiIfIndex) if_nametoindex(interface);
1871
if(if_index == 0){
1872
fprintf(stderr, "Mandos plugin mandos-client: "
1873
"No such interface: \"%s\"\n", interface);
1874
exitcode = EX_UNAVAILABLE;
1875
goto end;
1876
}
1877
1878
if(quit_now){
1879
goto end;
1880
}
1881
1882
/* Re-raise priviliges */
1883
errno = 0;
1884
ret = seteuid(0);
1885
if(ret == -1){
1886
perror_plus("seteuid");
1887
}
1888
1889
#ifdef __linux__
1890
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1891
messages about the network interface to mess up the prompt */
1892
ret = klogctl(8, NULL, 5);
1893
bool restore_loglevel = true;
1894
if(ret == -1){
1895
restore_loglevel = false;
1896
perror_plus("klogctl");
1897
}
1898
#endif /* __linux__ */
1899
1900
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1901
if(sd < 0){
1902
perror_plus("socket");
1903
exitcode = EX_OSERR;
1904
#ifdef __linux__
1905
if(restore_loglevel){
1906
ret = klogctl(7, NULL, 0);
1907
if(ret == -1){
1908
perror_plus("klogctl");
1909
}
1910
}
1911
#endif /* __linux__ */
1912
/* Lower privileges */
1913
errno = 0;
1914
ret = seteuid(uid);
1915
if(ret == -1){
1916
perror_plus("seteuid");
1917
}
1918
goto end;
1919
}
1920
strcpy(network.ifr_name, interface);
1921
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1922
if(ret == -1){
1923
perror_plus("ioctl SIOCGIFFLAGS");
1924
#ifdef __linux__
1925
if(restore_loglevel){
1926
ret = klogctl(7, NULL, 0);
1927
if(ret == -1){
1928
perror_plus("klogctl");
1929
}
1930
}
1931
#endif /* __linux__ */
1932
exitcode = EX_OSERR;
1933
/* Lower privileges */
1934
errno = 0;
1935
ret = seteuid(uid);
1936
if(ret == -1){
1937
perror_plus("seteuid");
1938
}
1939
goto end;
1940
}
1941
if((network.ifr_flags & IFF_UP) == 0){
1942
network.ifr_flags |= IFF_UP;
1943
take_down_interface = true;
1944
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1945
if(ret == -1){
1946
take_down_interface = false;
1947
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1948
exitcode = EX_OSERR;
1949
#ifdef __linux__
1950
if(restore_loglevel){
1951
ret = klogctl(7, NULL, 0);
1952
if(ret == -1){
1953
perror_plus("klogctl");
1954
}
1955
}
1956
#endif /* __linux__ */
1957
/* Lower privileges */
1958
errno = 0;
1959
ret = seteuid(uid);
1960
if(ret == -1){
1961
perror_plus("seteuid");
1962
}
1963
goto end;
1964
}
1965
}
1966
/* Sleep checking until interface is running.
1967
Check every 0.25s, up to total time of delay */
1968
for(int i=0; i < delay * 4; i++){
1969
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1970
if(ret == -1){
1971
perror_plus("ioctl SIOCGIFFLAGS");
1972
} else if(network.ifr_flags & IFF_RUNNING){
1973
break;
1974
}
1975
struct timespec sleeptime = { .tv_nsec = 250000000 };
1976
ret = nanosleep(&sleeptime, NULL);
1977
if(ret == -1 and errno != EINTR){
1978
perror_plus("nanosleep");
1979
}
1980
}
1981
if(not take_down_interface){
1982
/* We won't need the socket anymore */
1983
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1984
if(ret == -1){
1985
perror_plus("close");
1986
}
1987
}
1988
#ifdef __linux__
1989
if(restore_loglevel){
1990
/* Restores kernel loglevel to default */
1991
ret = klogctl(7, NULL, 0);
1992
if(ret == -1){
1993
perror_plus("klogctl");
1994
}
1995
}
1996
#endif /* __linux__ */
1997
/* Lower privileges */
1998
errno = 0;
1999
if(take_down_interface){
2000
/* Lower privileges */
2001
ret = seteuid(uid);
2002
if(ret == -1){
2003
perror_plus("seteuid");
2004
}
2005
} else {
2006
/* Lower privileges permanently */
2007
ret = setuid(uid);
2008
if(ret == -1){
2009
perror_plus("setuid");
2010
}
2011
}
2012
}
2013
2014
if(quit_now){
2015
goto end;
2016
}
2017
2018
ret = init_gnutls_global(pubkey, seckey);
2019
if(ret == -1){
2020
fprintf(stderr, "Mandos plugin mandos-client: "
2021
"init_gnutls_global failed\n");
2022
exitcode = EX_UNAVAILABLE;
2023
goto end;
2024
} else {
2025
gnutls_initialized = true;
2026
}
2027
2028
if(quit_now){
2029
goto end;
2030
}
2031
2032
if(mkdtemp(tempdir) == NULL){
2033
perror_plus("mkdtemp");
2034
goto end;
2035
}
2036
tempdir_created = true;
2037
2038
if(quit_now){
2039
goto end;
2040
}
2041
2042
if(not init_gpgme(pubkey, seckey, tempdir)){
2043
fprintf(stderr, "Mandos plugin mandos-client: "
2044
"init_gpgme failed\n");
2045
exitcode = EX_UNAVAILABLE;
2046
goto end;
2047
} else {
2048
gpgme_initialized = true;
2049
}
2050
2051
if(quit_now){
2052
goto end;
2053
}
2054
2055
if(connect_to != NULL){
2056
/* Connect directly, do not use Zeroconf */
2057
/* (Mainly meant for debugging) */
2058
char *address = strrchr(connect_to, ':');
2059
if(address == NULL){
2060
fprintf(stderr, "Mandos plugin mandos-client: "
2061
"No colon in address\n");
2062
exitcode = EX_USAGE;
2063
goto end;
2064
}
2065
2066
if(quit_now){
2067
goto end;
2068
}
2069
2070
uint16_t port;
2071
errno = 0;
2072
tmpmax = strtoimax(address+1, &tmp, 10);
2073
if(errno != 0 or tmp == address+1 or *tmp != '\0'
2074
or tmpmax != (uint16_t)tmpmax){
2075
fprintf(stderr, "Mandos plugin mandos-client: "
2076
"Bad port number\n");
2077
exitcode = EX_USAGE;
2078
goto end;
2079
}
2080
2081
if(quit_now){
2082
goto end;
2083
}
2084
2085
port = (uint16_t)tmpmax;
2086
*address = '\0';
2087
/* Colon in address indicates IPv6 */
2088
int af;
2089
if(strchr(connect_to, ':') != NULL){
2090
af = AF_INET6;
2091
/* Accept [] around IPv6 address - see RFC 5952 */
2092
if(connect_to[0] == '[' and address[-1] == ']')
2093
{
2094
connect_to++;
2095
address[-1] = '\0';
2096
}
2097
} else {
2098
af = AF_INET;
2099
}
2100
address = connect_to;
2101
2102
if(quit_now){
2103
goto end;
2104
}
2105
2106
while(not quit_now){
2107
ret = start_mandos_communication(address, port, if_index, af);
2108
if(quit_now or ret == 0){
2109
break;
2110
}
2111
if(debug){
2112
fprintf(stderr, "Mandos plugin mandos-client: "
2113
"Retrying in %d seconds\n", (int)retry_interval);
2114
}
2115
sleep((int)retry_interval);
2116
}
2117
2118
if (not quit_now){
2119
exitcode = EXIT_SUCCESS;
2120
}
2121
2122
goto end;
2123
}
2124
2125
if(quit_now){
2126
goto end;
2127
}
2128
2129
{
648
2130
AvahiServerConfig config;
649
AvahiSServiceBrowser *sb = NULL;
650
int error;
651
int ret;
652
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
655
char *connect_to = NULL;
656
657
while (true){
658
static struct option long_options[] = {
659
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
665
{0, 0, 0, 0} };
666
667
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
669
&option_index);
670
671
if (ret == -1){
672
break;
673
}
674
675
switch(ret){
676
case 0:
677
break;
678
case 'i':
679
interface = optarg;
680
break;
681
case 'C':
682
connect_to = optarg;
683
break;
684
case 'd':
685
certdir = optarg;
686
break;
687
case 'c':
688
certfile = optarg;
689
break;
690
case 'k':
691
certkey = optarg;
692
break;
693
default:
694
exit(EXIT_FAILURE);
695
}
696
}
697
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
700
goto exit;
701
}
702
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
705
if(if_index == 0){
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
707
exit(EXIT_FAILURE);
708
}
709
}
710
711
if(connect_to != NULL){
712
/* Connect directly, do not use Zeroconf */
713
/* (Mainly meant for debugging) */
714
char *address = strrchr(connect_to, ':');
715
if(address == NULL){
716
fprintf(stderr, "No colon in address\n");
717
exit(EXIT_FAILURE);
718
}
719
errno = 0;
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
721
if(errno){
722
perror("Bad port number");
723
exit(EXIT_FAILURE);
724
}
725
*address = '\0';
726
address = connect_to;
727
ret = start_mandos_communication(address, port, if_index);
728
if(ret < 0){
729
exit(EXIT_FAILURE);
730
} else {
731
exit(EXIT_SUCCESS);
732
}
733
}
734
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
737
goto exit;
738
}
739
740
if (not debug){
741
avahi_set_log_function(empty_log);
742
}
743
744
/* Initialize the psuedo-RNG */
745
srand((unsigned int) time(NULL));
746
747
/* Allocate main loop object */
748
if (!(simple_poll = avahi_simple_poll_new())) {
749
fprintf(stderr, "Failed to create simple poll object.\n");
750
751
goto exit;
752
}
753
754
/* Do not publish any local records */
2131
/* Do not publish any local Zeroconf records */
755
2132
avahi_server_config_init(&config);
756
2133
config.publish_hinfo = 0;
757
2134
config.publish_addresses = 0;
758
2135
config.publish_workstation = 0;
759
2136
config.publish_domain = 0;
760
2137
761
2138
/* Allocate a new server */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
764
765
/* Free the configuration data */
2139
mc.server = avahi_server_new(avahi_simple_poll_get
2140
(mc.simple_poll), &config, NULL,
2141
NULL, &error);
2142
2143
/* Free the Avahi configuration data */
766
2144
avahi_server_config_free(&config);
767
768
/* Check if creating the server object succeeded */
769
if (!server) {
770
fprintf(stderr, "Failed to create server: %s\n",
771
avahi_strerror(error));
772
returncode = EXIT_FAILURE;
773
goto exit;
774
}
775
776
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
778
AVAHI_PROTO_INET6,
779
"_mandos._tcp", NULL, 0,
780
browse_callback, server);
781
if (!sb) {
782
fprintf(stderr, "Failed to create service browser: %s\n",
783
avahi_strerror(avahi_server_errno(server)));
784
returncode = EXIT_FAILURE;
785
goto exit;
786
}
787
788
/* Run the main loop */
789
790
if (debug){
791
fprintf(stderr, "Starting avahi loop search\n");
792
}
793
794
avahi_simple_poll_loop(simple_poll);
795
796
exit:
797
798
if (debug){
799
fprintf(stderr, "%s exiting\n", argv[0]);
800
}
801
802
/* Cleanup things */
803
if (sb)
804
avahi_s_service_browser_free(sb);
805
806
if (server)
807
avahi_server_free(server);
808
809
if (simple_poll)
810
avahi_simple_poll_free(simple_poll);
811
free(certfile);
812
free(certkey);
813
814
return returncode;
2145
}
2146
2147
/* Check if creating the Avahi server object succeeded */
2148
if(mc.server == NULL){
2149
fprintf(stderr, "Mandos plugin mandos-client: "
2150
"Failed to create Avahi server: %s\n",
2151
avahi_strerror(error));
2152
exitcode = EX_UNAVAILABLE;
2153
goto end;
2154
}
2155
2156
if(quit_now){
2157
goto end;
2158
}
2159
2160
/* Create the Avahi service browser */
2161
sb = avahi_s_service_browser_new(mc.server, if_index,
2162
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2163
NULL, 0, browse_callback, NULL);
2164
if(sb == NULL){
2165
fprintf(stderr, "Mandos plugin mandos-client: "
2166
"Failed to create service browser: %s\n",
2167
avahi_strerror(avahi_server_errno(mc.server)));
2168
exitcode = EX_UNAVAILABLE;
2169
goto end;
2170
}
2171
2172
if(quit_now){
2173
goto end;
2174
}
2175
2176
/* Run the main loop */
2177
2178
if(debug){
2179
fprintf(stderr, "Mandos plugin mandos-client: "
2180
"Starting Avahi loop search\n");
2181
}
2182
2183
ret = avahi_loop_with_timeout(mc.simple_poll,
2184
(int)(retry_interval * 1000));
2185
if(debug){
2186
fprintf(stderr, "Mandos plugin mandos-client: "
2187
"avahi_loop_with_timeout exited %s\n",
2188
(ret == 0) ? "successfully" : "with error");
2189
}
2190
2191
end:
2192
2193
if(debug){
2194
fprintf(stderr, "Mandos plugin mandos-client: "
2195
"%s exiting\n", argv[0]);
2196
}
2197
2198
/* Cleanup things */
2199
if(sb != NULL)
2200
avahi_s_service_browser_free(sb);
2201
2202
if(mc.server != NULL)
2203
avahi_server_free(mc.server);
2204
2205
if(mc.simple_poll != NULL)
2206
avahi_simple_poll_free(mc.simple_poll);
2207
2208
if(gnutls_initialized){
2209
gnutls_certificate_free_credentials(mc.cred);
2210
gnutls_global_deinit();
2211
gnutls_dh_params_deinit(mc.dh_params);
2212
}
2213
2214
if(gpgme_initialized){
2215
gpgme_release(mc.ctx);
2216
}
2217
2218
/* Cleans up the circular linked list of Mandos servers the client
2219
has seen */
2220
if(mc.current_server != NULL){
2221
mc.current_server->prev->next = NULL;
2222
while(mc.current_server != NULL){
2223
server *next = mc.current_server->next;
2224
free(mc.current_server);
2225
mc.current_server = next;
2226
}
2227
}
2228
2229
/* XXX run network hooks "stop" here */
2230
2231
/* Take down the network interface */
2232
if(take_down_interface){
2233
/* Re-raise priviliges */
2234
errno = 0;
2235
ret = seteuid(0);
2236
if(ret == -1){
2237
perror_plus("seteuid");
2238
}
2239
if(geteuid() == 0){
2240
ret = ioctl(sd, SIOCGIFFLAGS, &network);
2241
if(ret == -1){
2242
perror_plus("ioctl SIOCGIFFLAGS");
2243
} else if(network.ifr_flags & IFF_UP){
2244
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2245
ret = ioctl(sd, SIOCSIFFLAGS, &network);
2246
if(ret == -1){
2247
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
2248
}
2249
}
2250
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2251
if(ret == -1){
2252
perror_plus("close");
2253
}
2254
/* Lower privileges permanently */
2255
errno = 0;
2256
ret = setuid(uid);
2257
if(ret == -1){
2258
perror_plus("setuid");
2259
}
2260
}
2261
}
2262
2263
/* Removes the GPGME temp directory and all files inside */
2264
if(tempdir_created){
2265
struct dirent **direntries = NULL;
2266
struct dirent *direntry = NULL;
2267
int numentries = scandir(tempdir, &direntries, notdotentries,
2268
alphasort);
2269
if (numentries > 0){
2270
for(int i = 0; i < numentries; i++){
2271
direntry = direntries[i];
2272
char *fullname = NULL;
2273
ret = asprintf(&fullname, "%s/%s", tempdir,
2274
direntry->d_name);
2275
if(ret < 0){
2276
perror_plus("asprintf");
2277
continue;
2278
}
2279
ret = remove(fullname);
2280
if(ret == -1){
2281
fprintf(stderr, "Mandos plugin mandos-client: "
2282
"remove(\"%s\"): %s\n", fullname, strerror(errno));
2283
}
2284
free(fullname);
2285
}
2286
}
2287
2288
/* need to clean even if 0 because man page doesn't specify */
2289
free(direntries);
2290
if (numentries == -1){
2291
perror_plus("scandir");
2292
}
2293
ret = rmdir(tempdir);
2294
if(ret == -1 and errno != ENOENT){
2295
perror_plus("rmdir");
2296
}
2297
}
2298
2299
if(quit_now){
2300
sigemptyset(&old_sigterm_action.sa_mask);
2301
old_sigterm_action.sa_handler = SIG_DFL;
2302
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
2303
&old_sigterm_action,
2304
NULL));
2305
if(ret == -1){
2306
perror_plus("sigaction");
2307
}
2308
do {
2309
ret = raise(signal_received);
2310
} while(ret != 0 and errno == EINTR);
2311
if(ret != 0){
2312
perror_plus("raise");
2313
abort();
2314
}
2315
TEMP_FAILURE_RETRY(pause());
2316
}
2317
2318
return exitcode;
815
2319
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0