/mandos/release : revision 237.2.128

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-09-08 04:41:37 UTC
mto: (24.1.142 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 264.
Revision ID: teddy@fukt.bsnet.se-20090908044137-4cxubotvn4etoxxl

* plugins.d/mandos-client.c (main): Bug fix: Check result of setgid().
                                    Bug fix: If taking down network
                                    interface, do not drop privileges
                                    completely; save them and reassert
                                    privileges when needed.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.lsm

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

mandos

mandos-clients.conf.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

/* Needed by GPGME, specifically gpgme_data_seek() */

#ifndef _LARGEFILE_SOURCE

#define _LARGEFILE_SOURCE

#endif

#ifndef _FILE_OFFSET_BITS

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout, ferror() */

#endif

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen, strerror() */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand(), strtof() */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6, SOCK_STREAM, INET6_ADDRSTRLEN */

sockaddr_in6, PF_INET6,

SOCK_STREAM, uid_t, gid_t, open(),

opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h>

#include <errno.h> /* perror() */

#include <time.h>

inet_pton(), connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,

strtoimax() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write()*/

#include <netinet/in.h>

#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,

INET_ADDRSTRLEN, INET6_ADDRSTRLEN

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), seteuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

#include <iso646.h> /* not, or, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <signal.h> /* sigemptyset(), sigaddset(),

sigaction(), SIGTERM, sig_atomic_t,

raise() */

#ifdef __linux__

#include <sys/klog.h> /* klogctl() */

#endif /* __linux__ */

/* Avahi */

#include <avahi-core/core.h> /* AvahiSimplePoll, AvahiServer,

AvahiIfIndex */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h> /* AvahiLogLevel */

#include <avahi-core/log.h>

#include <avahi-common/simple-watch.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

100

101

/* GnuTLS */

#include <gnutls/gnutls.h> /* gnutls_certificate_credentials_t,

gnutls_dh_params_t,

gnutls_strerror(),

gnutls_global_init(),

gnutls_global_set_log_level(),

gnutls_global_set_log_function(),

gnutls_certificate_allocate_credentials(),

gnutls_global_deinit(),

gnutls_dh_params_init(),

gnutls_dh_params_generate(),

gnutls_certificate_set_dh_params(),

gnutls_certificate_free_credentials(),

gnutls_session_t, gnutls_init(),

gnutls_priority_set_direct(),

gnutls_deinit(),

gnutls_credentials_set(),

gnutls_certificate_server_set_request(),

gnutls_dh_set_prime_bits(),

gnutls_transport_set_ptr(),

gnutls_transport_ptr_t,

gnutls_handshake(),

gnutls_record_recv()

gnutls_perror(), gnutls_bye(),

102

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

103

functions:

104

gnutls_*

105

init_gnutls_session(),

GNUTLS_E_SUCCESS,

GNUTLS_CRD_CERTIFICATE,

100

GNUTLS_CERT_IGNORE,

101

GNUTLS_E_INTERRUPTED,

102

GNUTLS_E_AGAIN,

103

GNUTLS_E_REHANDSHAKE,

104

GNUTLS_SHUT_RDWR, */

105

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

106

GNUTLS_OPENPGP_FMT_BASE64 */

106

GNUTLS_* */

107

#include <gnutls/openpgp.h>

108

/* gnutls_certificate_set_openpgp_key_file(),

109

GNUTLS_OPENPGP_FMT_BASE64 */

107

110

108

111

/* GPGME */

109

#include <gpgme.h> /* gpgme_data_t, gpgme_ctx_t,

110

gpgme_error_t, gpgme_engine_info_t,

111

gpgme_check_version(),

112

gpgme_engine_check_version(),

113

gpgme_strsource(),

114

gpgme_strerror(),

115

gpgme_get_engine_info(),

116

gpgme_set_engine_info(),

117

gpgme_data_new_from_mem(),

118

gpgme_data_new(), gpgme_new(),

119

gpgme_op_decrypt(),

120

gpgme_decrypt_result_t,

121

gpgme_op_decrypt_result(),

122

gpgme_recipient_t,

123

gpgme_pubkey_algo_name(),

124

gpgme_data_seek(),

125

gpgme_data_read(),

126

gpgme_data_release()

112

#include <gpgme.h> /* All GPGME types, constants and

113

functions:

114

gpgme_*

127

115

GPGME_PROTOCOL_OpenPGP,

128

GPG_ERR_NO_ERROR,

129

GPG_ERR_NO_SECKEY, */

116

GPG_ERR_NO_* */

130

117

131

118

#define BUFFER_SIZE 256

132

119

120

#define PATHDIR "/conf/conf.d/mandos"

121

#define SECKEY "seckey.txt"

122

#define PUBKEY "pubkey.txt"

123

133

124

bool debug = false;

134

static const char *keydir = "/conf/conf.d/mandos";

135

125

static const char mandos_protocol_version[] = "1";

136

const char *argp_program_version = "mandosclient 0.9";

126

const char *argp_program_version = "mandos-client " VERSION;

137

127

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

138

128

139

129

/* Used for passing in values through the Avahi callback functions */

144

134

unsigned int dh_bits;

145

135

gnutls_dh_params_t dh_params;

146

136

const char *priority;

137

gpgme_ctx_t ctx;

147

138

} mandos_context;

148

139

140

/* global context so signal handler can reach it*/

141

mandos_context mc = { .simple_poll = NULL, .server = NULL,

142

.dh_bits = 1024, .priority = "SECURE256"

143

":!CTYPE-X.509:+CTYPE-OPENPGP" };

144

149

145

150

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

151

* "buffer_capacity" is how much is currently allocated,

146

* Make additional room in "buffer" for at least BUFFER_SIZE more

147

* bytes. "buffer_capacity" is how much is currently allocated,

152

148

* "buffer_length" is how much is already used.

153

149

154

size_t adjustbuffer(char **buffer, size_t buffer_length,

150

size_t incbuffer(char **buffer, size_t buffer_length,

155

151

size_t buffer_capacity){

156

if (buffer_length + BUFFER_SIZE > buffer_capacity){

152

if(buffer_length + BUFFER_SIZE > buffer_capacity){

157

153

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

158

if (buffer == NULL){

154

if(buffer == NULL){

159

155

return 0;

160

156

}

161

157

buffer_capacity += BUFFER_SIZE;

164

160

}

165

161

166

162

167

* Decrypt OpenPGP data using keyrings in HOMEDIR.

168

* Returns -1 on error

163

* Initialize GPGME.

169

164

170

static ssize_t pgp_packet_decrypt (const char *cryptotext,

171

size_t crypto_size,

172

char **plaintext,

173

const char *homedir){

174

gpgme_data_t dh_crypto, dh_plain;

175

gpgme_ctx_t ctx;

165

static bool init_gpgme(const char *seckey,

166

const char *pubkey, const char *tempdir){

176

167

gpgme_error_t rc;

177

ssize_t ret;

178

size_t plaintext_capacity = 0;

179

ssize_t plaintext_length = 0;

180

168

gpgme_engine_info_t engine_info;

181

169

182

if (debug){

183

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

170

171

172

* Helper function to insert pub and seckey to the engine keyring.

173

174

bool import_key(const char *filename){

175

int ret;

176

int fd;

177

gpgme_data_t pgp_data;

178

179

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

180

if(fd == -1){

181

perror("open");

182

return false;

183

}

184

185

rc = gpgme_data_new_from_fd(&pgp_data, fd);

186

if(rc != GPG_ERR_NO_ERROR){

187

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

188

gpgme_strsource(rc), gpgme_strerror(rc));

189

return false;

190

}

191

192

rc = gpgme_op_import(mc.ctx, pgp_data);

193

if(rc != GPG_ERR_NO_ERROR){

194

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

195

gpgme_strsource(rc), gpgme_strerror(rc));

196

return false;

197

}

198

199

ret = (int)TEMP_FAILURE_RETRY(close(fd));

200

if(ret == -1){

201

perror("close");

202

}

203

gpgme_data_release(pgp_data);

204

return true;

205

}

206

207

if(debug){

208

fprintf(stderr, "Initializing GPGME\n");

184

209

}

185

210

186

211

/* Init GPGME */

187

212

gpgme_check_version(NULL);

188

213

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

189

if (rc != GPG_ERR_NO_ERROR){

214

if(rc != GPG_ERR_NO_ERROR){

190

215

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

191

216

gpgme_strsource(rc), gpgme_strerror(rc));

192

return -1;

217

return false;

193

218

}

194

219

195

/* Set GPGME home directory for the OpenPGP engine only */

196

rc = gpgme_get_engine_info (&engine_info);

197

if (rc != GPG_ERR_NO_ERROR){

220

/* Set GPGME home directory for the OpenPGP engine only */

221

rc = gpgme_get_engine_info(&engine_info);

222

if(rc != GPG_ERR_NO_ERROR){

198

223

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

199

224

gpgme_strsource(rc), gpgme_strerror(rc));

200

return -1;

225

return false;

201

226

}

202

227

while(engine_info != NULL){

203

228

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

204

229

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

205

engine_info->file_name, homedir);

230

engine_info->file_name, tempdir);

206

231

break;

207

232

}

208

233

engine_info = engine_info->next;

209

234

}

210

235

if(engine_info == NULL){

211

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

212

return -1;

236

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

237

return false;

238

}

239

240

/* Create new GPGME "context" */

241

rc = gpgme_new(&(mc.ctx));

242

if(rc != GPG_ERR_NO_ERROR){

243

fprintf(stderr, "bad gpgme_new: %s: %s\n",

244

gpgme_strsource(rc), gpgme_strerror(rc));

245

return false;

246

}

247

248

if(not import_key(pubkey) or not import_key(seckey)){

249

return false;

250

}

251

252

return true;

253

}

254

255

256

* Decrypt OpenPGP data.

257

* Returns -1 on error

258

259

static ssize_t pgp_packet_decrypt(const char *cryptotext,

260

size_t crypto_size,

261

char **plaintext){

262

gpgme_data_t dh_crypto, dh_plain;

263

gpgme_error_t rc;

264

ssize_t ret;

265

size_t plaintext_capacity = 0;

266

ssize_t plaintext_length = 0;

267

268

if(debug){

269

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

213

270

}

214

271

215

272

/* Create new GPGME data buffer from memory cryptotext */

216

273

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

217

274

0);

218

if (rc != GPG_ERR_NO_ERROR){

275

if(rc != GPG_ERR_NO_ERROR){

219

276

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

220

277

gpgme_strsource(rc), gpgme_strerror(rc));

221

278

return -1;

223

280

224

281

/* Create new empty GPGME data buffer for the plaintext */

225

282

rc = gpgme_data_new(&dh_plain);

226

if (rc != GPG_ERR_NO_ERROR){

283

if(rc != GPG_ERR_NO_ERROR){

227

284

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

228

285

gpgme_strsource(rc), gpgme_strerror(rc));

229

286

gpgme_data_release(dh_crypto);

230

287

return -1;

231

288

}

232

289

233

/* Create new GPGME "context" */

234

rc = gpgme_new(&ctx);

235

if (rc != GPG_ERR_NO_ERROR){

236

fprintf(stderr, "bad gpgme_new: %s: %s\n",

237

gpgme_strsource(rc), gpgme_strerror(rc));

238

plaintext_length = -1;

239

goto decrypt_end;

240

}

241

242

290

/* Decrypt data from the cryptotext data buffer to the plaintext

243

291

data buffer */

244

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

245

if (rc != GPG_ERR_NO_ERROR){

292

rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);

293

if(rc != GPG_ERR_NO_ERROR){

246

294

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

247

295

gpgme_strsource(rc), gpgme_strerror(rc));

248

296

plaintext_length = -1;

249

goto decrypt_end;

250

}

251

252

if(debug){

253

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

254

}

255

256

if (debug){

257

gpgme_decrypt_result_t result;

258

result = gpgme_op_decrypt_result(ctx);

259

if (result == NULL){

260

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

261

} else {

262

fprintf(stderr, "Unsupported algorithm: %s\n",

263

result->unsupported_algorithm);

264

fprintf(stderr, "Wrong key usage: %d\n",

265

result->wrong_key_usage);

266

if(result->file_name != NULL){

267

fprintf(stderr, "File name: %s\n", result->file_name);

268

}

269

gpgme_recipient_t recipient;

270

recipient = result->recipients;

271

if(recipient){

297

if(debug){

298

gpgme_decrypt_result_t result;

299

result = gpgme_op_decrypt_result(mc.ctx);

300

if(result == NULL){

301

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

302

} else {

303

fprintf(stderr, "Unsupported algorithm: %s\n",

304

result->unsupported_algorithm);

305

fprintf(stderr, "Wrong key usage: %u\n",

306

result->wrong_key_usage);

307

if(result->file_name != NULL){

308

fprintf(stderr, "File name: %s\n", result->file_name);

309

}

310

gpgme_recipient_t recipient;

311

recipient = result->recipients;

272

312

while(recipient != NULL){

273

313

fprintf(stderr, "Public key algorithm: %s\n",

274

314

gpgme_pubkey_algo_name(recipient->pubkey_algo));

280

320

}

281

321

}

282

322

}

323

goto decrypt_end;

324

}

325

326

if(debug){

327

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

283

328

}

284

329

285

330

/* Seek back to the beginning of the GPGME plaintext data buffer */

286

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

287

perror("pgpme_data_seek");

331

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

332

perror("gpgme_data_seek");

288

333

plaintext_length = -1;

289

334

goto decrypt_end;

290

335

}

291

336

292

337

*plaintext = NULL;

293

338

while(true){

294

plaintext_capacity = adjustbuffer(plaintext,

339

plaintext_capacity = incbuffer(plaintext,

295

340

(size_t)plaintext_length,

296

341

plaintext_capacity);

297

if (plaintext_capacity == 0){

298

perror("adjustbuffer");

342

if(plaintext_capacity == 0){

343

perror("incbuffer");

299

344

plaintext_length = -1;

300

345

goto decrypt_end;

301

346

}

303

348

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

304

349

BUFFER_SIZE);

305

350

/* Print the data, if any */

306

if (ret == 0){

351

if(ret == 0){

307

352

/* EOF */

308

353

break;

309

354

}

314

359

}

315

360

plaintext_length += ret;

316

361

}

317

362

318

363

if(debug){

319

364

fprintf(stderr, "Decrypted password is: ");

320

365

for(ssize_t i = 0; i < plaintext_length; i++){

333

378

return plaintext_length;

334

379

}

335

380

336

static const char * safer_gnutls_strerror (int value) {

337

const char *ret = gnutls_strerror (value);

338

if (ret == NULL)

381

static const char * safer_gnutls_strerror(int value){

382

const char *ret = gnutls_strerror(value); /* Spurious warning from

383

-Wunreachable-code */

384

if(ret == NULL)

339

385

ret = "(unknown)";

340

386

return ret;

341

387

}

346

392

fprintf(stderr, "GnuTLS: %s", string);

347

393

}

348

394

349

static int init_gnutls_global(mandos_context *mc,

350

const char *pubkeyfile,

351

const char *seckeyfile){

395

static int init_gnutls_global(const char *pubkeyfilename,

396

const char *seckeyfilename){

352

397

int ret;

353

398

354

399

if(debug){

355

400

fprintf(stderr, "Initializing GnuTLS\n");

356

401

}

357

358

if ((ret = gnutls_global_init ())

359

!= GNUTLS_E_SUCCESS) {

360

fprintf (stderr, "GnuTLS global_init: %s\n",

361

safer_gnutls_strerror(ret));

402

403

ret = gnutls_global_init();

404

if(ret != GNUTLS_E_SUCCESS){

405

fprintf(stderr, "GnuTLS global_init: %s\n",

406

safer_gnutls_strerror(ret));

362

407

return -1;

363

408

}

364

409

365

if (debug){

410

if(debug){

366

411

/* "Use a log level over 10 to enable all debugging options."

367

412

* - GnuTLS manual

368

413

371

416

}

372

417

373

418

/* OpenPGP credentials */

374

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

375

!= GNUTLS_E_SUCCESS) {

376

fprintf (stderr, "GnuTLS memory error: %s\n",

377

safer_gnutls_strerror(ret));

378

gnutls_global_deinit ();

419

gnutls_certificate_allocate_credentials(&mc.cred);

420

if(ret != GNUTLS_E_SUCCESS){

421

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

422

from

423

-Wunreachable-code

424

425

safer_gnutls_strerror(ret));

426

gnutls_global_deinit();

379

427

return -1;

380

428

}

381

429

382

430

if(debug){

383

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

384

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

385

seckeyfile);

431

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

432

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

433

seckeyfilename);

386

434

}

387

435

388

436

ret = gnutls_certificate_set_openpgp_key_file

389

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

390

if (ret != GNUTLS_E_SUCCESS) {

437

(mc.cred, pubkeyfilename, seckeyfilename,

438

GNUTLS_OPENPGP_FMT_BASE64);

439

if(ret != GNUTLS_E_SUCCESS){

391

440

fprintf(stderr,

392

441

"Error[%d] while reading the OpenPGP key pair ('%s',"

393

" '%s')\n", ret, pubkeyfile, seckeyfile);

394

fprintf(stdout, "The GnuTLS error is: %s\n",

442

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

443

fprintf(stderr, "The GnuTLS error is: %s\n",

395

444

safer_gnutls_strerror(ret));

396

445

goto globalfail;

397

446

}

398

447

399

448

/* GnuTLS server initialization */

400

ret = gnutls_dh_params_init(&mc->dh_params);

401

if (ret != GNUTLS_E_SUCCESS) {

402

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

403

" %s\n", safer_gnutls_strerror(ret));

404

goto globalfail;

405

}

406

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

407

if (ret != GNUTLS_E_SUCCESS) {

408

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

409

safer_gnutls_strerror(ret));

410

goto globalfail;

411

}

412

413

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

414

449

ret = gnutls_dh_params_init(&mc.dh_params);

450

if(ret != GNUTLS_E_SUCCESS){

451

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

452

" %s\n", safer_gnutls_strerror(ret));

453

goto globalfail;

454

}

455

ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);

456

if(ret != GNUTLS_E_SUCCESS){

457

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

458

safer_gnutls_strerror(ret));

459

goto globalfail;

460

}

461

462

gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);

463

415

464

return 0;

416

465

417

466

globalfail:

418

419

gnutls_certificate_free_credentials(mc->cred);

467

468

gnutls_certificate_free_credentials(mc.cred);

420

469

gnutls_global_deinit();

470

gnutls_dh_params_deinit(mc.dh_params);

421

471

return -1;

422

423

472

}

424

473

425

static int init_gnutls_session(mandos_context *mc,

426

gnutls_session_t *session){

474

static int init_gnutls_session(gnutls_session_t *session){

427

475

int ret;

428

476

/* GnuTLS session creation */

429

477

ret = gnutls_init(session, GNUTLS_SERVER);

430

if (ret != GNUTLS_E_SUCCESS){

478

if(ret != GNUTLS_E_SUCCESS){

431

479

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

432

480

safer_gnutls_strerror(ret));

433

481

}

434

482

435

483

{

436

484

const char *err;

437

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

438

if (ret != GNUTLS_E_SUCCESS) {

485

ret = gnutls_priority_set_direct(*session, mc.priority, &err);

486

if(ret != GNUTLS_E_SUCCESS){

439

487

fprintf(stderr, "Syntax error at: %s\n", err);

440

488

fprintf(stderr, "GnuTLS error: %s\n",

441

489

safer_gnutls_strerror(ret));

442

gnutls_deinit (*session);

490

gnutls_deinit(*session);

443

491

return -1;

444

492

}

445

493

}

446

494

447

495

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

448

mc->cred);

449

if (ret != GNUTLS_E_SUCCESS) {

496

mc.cred);

497

if(ret != GNUTLS_E_SUCCESS){

450

498

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

451

499

safer_gnutls_strerror(ret));

452

gnutls_deinit (*session);

500

gnutls_deinit(*session);

453

501

return -1;

454

502

}

455

503

456

504

/* ignore client certificate if any. */

457

gnutls_certificate_server_set_request (*session,

458

GNUTLS_CERT_IGNORE);

505

gnutls_certificate_server_set_request(*session,

506

GNUTLS_CERT_IGNORE);

459

507

460

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

508

gnutls_dh_set_prime_bits(*session, mc.dh_bits);

461

509

462

510

return 0;

463

511

}

466

514

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

467

515

__attribute__((unused)) const char *txt){}

468

516

517

sig_atomic_t quit_now = 0;

518

int signal_received = 0;

519

469

520

/* Called when a Mandos server is found */

470

521

static int start_mandos_communication(const char *ip, uint16_t port,

471

522

AvahiIfIndex if_index,

472

mandos_context *mc){

473

int ret, tcp_sd;

474

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

523

int af){

524

int ret, tcp_sd = -1;

525

ssize_t sret;

526

union {

527

struct sockaddr_in in;

528

struct sockaddr_in6 in6;

529

} to;

475

530

char *buffer = NULL;

476

531

char *decrypted_buffer;

477

532

size_t buffer_length = 0;

478

533

size_t buffer_capacity = 0;

479

ssize_t decrypted_buffer_size;

480

534

size_t written;

481

535

int retval = 0;

482

char interface[IF_NAMESIZE];

483

536

gnutls_session_t session;

484

485

ret = init_gnutls_session (mc, &session);

486

if (ret != 0){

537

int pf; /* Protocol family */

538

539

if(quit_now){

540

return -1;

541

}

542

543

switch(af){

544

case AF_INET6:

545

pf = PF_INET6;

546

break;

547

case AF_INET:

548

pf = PF_INET;

549

break;

550

default:

551

fprintf(stderr, "Bad address family: %d\n", af);

552

return -1;

553

}

554

555

ret = init_gnutls_session(&session);

556

if(ret != 0){

487

557

return -1;

488

558

}

489

559

490

560

if(debug){

491

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

492

ip, port);

561

fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16

562

"\n", ip, port);

493

563

}

494

564

495

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

496

if(tcp_sd < 0) {

565

tcp_sd = socket(pf, SOCK_STREAM, 0);

566

if(tcp_sd < 0){

497

567

perror("socket");

498

return -1;

499

}

500

501

if(debug){

502

if(if_indextoname((unsigned int)if_index, interface) == NULL){

503

perror("if_indextoname");

504

return -1;

505

}

506

fprintf(stderr, "Binding to interface %s\n", interface);

507

}

508

509

memset(&to,0,sizeof(to)); /* Spurious warning */

510

to.in6.sin6_family = AF_INET6;

511

/* It would be nice to have a way to detect if we were passed an

512

IPv4 address here. Now we assume an IPv6 address. */

513

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

514

if (ret < 0 ){

568

retval = -1;

569

goto mandos_end;

570

}

571

572

if(quit_now){

573

goto mandos_end;

574

}

575

576

memset(&to, 0, sizeof(to));

577

if(af == AF_INET6){

578

to.in6.sin6_family = (sa_family_t)af;

579

ret = inet_pton(af, ip, &to.in6.sin6_addr);

580

} else { /* IPv4 */

581

to.in.sin_family = (sa_family_t)af;

582

ret = inet_pton(af, ip, &to.in.sin_addr);

583

}

584

if(ret < 0 ){

515

585

perror("inet_pton");

516

return -1;

586

retval = -1;

587

goto mandos_end;

517

588

}

518

589

if(ret == 0){

519

590

fprintf(stderr, "Bad address: %s\n", ip);

520

return -1;

521

}

522

to.in6.sin6_port = htons(port); /* Spurious warning */

591

retval = -1;

592

goto mandos_end;

593

}

594

if(af == AF_INET6){

595

to.in6.sin6_port = htons(port); /* Spurious warnings from

596

-Wconversion and

597

-Wunreachable-code */

598

599

if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */

600

(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and

601

-Wunreachable-code*/

602

if(if_index == AVAHI_IF_UNSPEC){

603

fprintf(stderr, "An IPv6 link-local address is incomplete"

604

" without a network interface\n");

605

retval = -1;

606

goto mandos_end;

607

}

608

/* Set the network interface number as scope */

609

to.in6.sin6_scope_id = (uint32_t)if_index;

610

}

611

} else {

612

to.in.sin_port = htons(port); /* Spurious warnings from

613

-Wconversion and

614

-Wunreachable-code */

615

}

523

616

524

to.in6.sin6_scope_id = (uint32_t)if_index;

617

if(quit_now){

618

goto mandos_end;

619

}

525

620

526

621

if(debug){

527

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

528

char addrstr[INET6_ADDRSTRLEN] = "";

529

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

530

sizeof(addrstr)) == NULL){

622

if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){

623

char interface[IF_NAMESIZE];

624

if(if_indextoname((unsigned int)if_index, interface) == NULL){

625

perror("if_indextoname");

626

} else {

627

fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",

628

ip, interface, port);

629

}

630

} else {

631

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

632

port);

633

}

634

char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?

635

INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";

636

const char *pcret;

637

if(af == AF_INET6){

638

pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,

639

sizeof(addrstr));

640

} else {

641

pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,

642

sizeof(addrstr));

643

}

644

if(pcret == NULL){

531

645

perror("inet_ntop");

532

646

} else {

533

647

if(strcmp(addrstr, ip) != 0){

536

650

}

537

651

}

538

652

539

ret = connect(tcp_sd, &to.in, sizeof(to));

540

if (ret < 0){

653

if(quit_now){

654

goto mandos_end;

655

}

656

657

if(af == AF_INET6){

658

ret = connect(tcp_sd, &to.in6, sizeof(to));

659

} else {

660

ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */

661

}

662

if(ret < 0){

541

663

perror("connect");

542

return -1;

543

}

544

664

retval = -1;

665

goto mandos_end;

666

}

667

668

if(quit_now){

669

goto mandos_end;

670

}

671

545

672

const char *out = mandos_protocol_version;

546

673

written = 0;

547

while (true){

674

while(true){

548

675

size_t out_size = strlen(out);

549

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

676

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

550

677

out_size - written));

551

if (ret == -1){

678

if(ret == -1){

552

679

perror("write");

553

680

retval = -1;

554

681

goto mandos_end;

557

684

if(written < out_size){

558

685

continue;

559

686

} else {

560

if (out == mandos_protocol_version){

687

if(out == mandos_protocol_version){

561

688

written = 0;

562

689

out = "\r\n";

563

690

} else {

564

691

break;

565

692

}

566

693

}

694

695

if(quit_now){

696

goto mandos_end;

697

}

567

698

}

568

699

569

700

if(debug){

570

701

fprintf(stderr, "Establishing TLS session with %s\n", ip);

571

702

}

572

703

573

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

574

575

ret = gnutls_handshake (session);

576

577

if (ret != GNUTLS_E_SUCCESS){

704

if(quit_now){

705

goto mandos_end;

706

}

707

708

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

709

710

if(quit_now){

711

goto mandos_end;

712

}

713

714

do {

715

ret = gnutls_handshake(session);

716

if(quit_now){

717

goto mandos_end;

718

}

719

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

720

721

if(ret != GNUTLS_E_SUCCESS){

578

722

if(debug){

579

723

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

580

gnutls_perror (ret);

724

gnutls_perror(ret);

581

725

}

582

726

retval = -1;

583

727

goto mandos_end;

586

730

/* Read OpenPGP packet that contains the wanted password */

587

731

588

732

if(debug){

589

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

733

fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",

590

734

ip);

591

735

}

592

736

593

737

while(true){

594

buffer_capacity = adjustbuffer(&buffer, buffer_length,

738

739

if(quit_now){

740

goto mandos_end;

741

}

742

743

buffer_capacity = incbuffer(&buffer, buffer_length,

595

744

buffer_capacity);

596

if (buffer_capacity == 0){

597

perror("adjustbuffer");

745

if(buffer_capacity == 0){

746

perror("incbuffer");

598

747

retval = -1;

599

748

goto mandos_end;

600

749

}

601

750

602

ret = gnutls_record_recv(session, buffer+buffer_length,

603

BUFFER_SIZE);

604

if (ret == 0){

751

if(quit_now){

752

goto mandos_end;

753

}

754

755

sret = gnutls_record_recv(session, buffer+buffer_length,

756

BUFFER_SIZE);

757

if(sret == 0){

605

758

break;

606

759

}

607

if (ret < 0){

608

switch(ret){

760

if(sret < 0){

761

switch(sret){

609

762

case GNUTLS_E_INTERRUPTED:

610

763

case GNUTLS_E_AGAIN:

611

764

break;

612

765

case GNUTLS_E_REHANDSHAKE:

613

ret = gnutls_handshake (session);

614

if (ret < 0){

766

do {

767

ret = gnutls_handshake(session);

768

769

if(quit_now){

770

goto mandos_end;

771

}

772

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

773

if(ret < 0){

615

774

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

616

gnutls_perror (ret);

775

gnutls_perror(ret);

617

776

retval = -1;

618

777

goto mandos_end;

619

778

}

622

781

fprintf(stderr, "Unknown error while reading data from"

623

782

" encrypted session with Mandos server\n");

624

783

retval = -1;

625

gnutls_bye (session, GNUTLS_SHUT_RDWR);

784

gnutls_bye(session, GNUTLS_SHUT_RDWR);

626

785

goto mandos_end;

627

786

}

628

787

} else {

629

buffer_length += (size_t) ret;

788

buffer_length += (size_t) sret;

630

789

}

631

790

}

632

791

634

793

fprintf(stderr, "Closing TLS session\n");

635

794

}

636

795

637

gnutls_bye (session, GNUTLS_SHUT_RDWR);

638

639

if (buffer_length > 0){

796

if(quit_now){

797

goto mandos_end;

798

}

799

800

gnutls_bye(session, GNUTLS_SHUT_RDWR);

801

802

if(quit_now){

803

goto mandos_end;

804

}

805

806

if(buffer_length > 0){

807

ssize_t decrypted_buffer_size;

640

808

decrypted_buffer_size = pgp_packet_decrypt(buffer,

641

809

buffer_length,

642

&decrypted_buffer,

643

keydir);

644

if (decrypted_buffer_size >= 0){

810

&decrypted_buffer);

811

if(decrypted_buffer_size >= 0){

812

645

813

written = 0;

646

814

while(written < (size_t) decrypted_buffer_size){

647

ret = (int)fwrite (decrypted_buffer + written, 1,

648

(size_t)decrypted_buffer_size - written,

649

stdout);

815

if(quit_now){

816

goto mandos_end;

817

}

818

819

ret = (int)fwrite(decrypted_buffer + written, 1,

820

(size_t)decrypted_buffer_size - written,

821

stdout);

650

822

if(ret == 0 and ferror(stdout)){

651

823

if(debug){

652

824

fprintf(stderr, "Error writing encrypted data: %s\n",

661

833

} else {

662

834

retval = -1;

663

835

}

836

} else {

837

retval = -1;

664

838

}

665

839

666

840

/* Shutdown procedure */

667

841

668

842

mandos_end:

669

843

free(buffer);

670

close(tcp_sd);

671

gnutls_deinit (session);

844

if(tcp_sd >= 0){

845

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

846

}

847

if(ret == -1){

848

perror("close");

849

}

850

gnutls_deinit(session);

851

if(quit_now){

852

retval = -1;

853

}

672

854

return retval;

673

855

}

674

856

675

857

static void resolve_callback(AvahiSServiceResolver *r,

676

858

AvahiIfIndex interface,

677

AVAHI_GCC_UNUSED AvahiProtocol protocol,

859

AvahiProtocol proto,

678

860

AvahiResolverEvent event,

679

861

const char *name,

680

862

const char *type,

685

867

AVAHI_GCC_UNUSED AvahiStringList *txt,

686

868

AVAHI_GCC_UNUSED AvahiLookupResultFlags

687

869

flags,

688

void* userdata) {

689

mandos_context *mc = userdata;

690

assert(r); /* Spurious warning */

870

AVAHI_GCC_UNUSED void* userdata){

871

assert(r);

691

872

692

873

/* Called whenever a service has been resolved successfully or

693

874

timed out */

694

875

695

switch (event) {

876

if(quit_now){

877

return;

878

}

879

880

switch(event){

696

881

default:

697

882

case AVAHI_RESOLVER_FAILURE:

698

883

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

699

884

" of type '%s' in domain '%s': %s\n", name, type, domain,

700

avahi_strerror(avahi_server_errno(mc->server)));

885

avahi_strerror(avahi_server_errno(mc.server)));

701

886

break;

702

887

703

888

case AVAHI_RESOLVER_FOUND:

705

890

char ip[AVAHI_ADDRESS_STR_MAX];

706

891

avahi_address_snprint(ip, sizeof(ip), address);

707

892

if(debug){

708

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

709

" port %d\n", name, host_name, ip, interface, port);

893

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

894

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

895

ip, (intmax_t)interface, port);

710

896

}

711

int ret = start_mandos_communication(ip, port, interface, mc);

712

if (ret == 0){

713

exit(EXIT_SUCCESS);

897

int ret = start_mandos_communication(ip, port, interface,

898

avahi_proto_to_af(proto));

899

if(ret == 0){

900

avahi_simple_poll_quit(mc.simple_poll);

714

901

}

715

902

}

716

903

}

717

904

avahi_s_service_resolver_free(r);

718

905

}

719

906

720

static void browse_callback( AvahiSServiceBrowser *b,

721

AvahiIfIndex interface,

722

AvahiProtocol protocol,

723

AvahiBrowserEvent event,

724

const char *name,

725

const char *type,

726

const char *domain,

727

AVAHI_GCC_UNUSED AvahiLookupResultFlags

728

flags,

729

void* userdata) {

730

mandos_context *mc = userdata;

731

assert(b); /* Spurious warning */

907

static void browse_callback(AvahiSServiceBrowser *b,

908

AvahiIfIndex interface,

909

AvahiProtocol protocol,

910

AvahiBrowserEvent event,

911

const char *name,

912

const char *type,

913

const char *domain,

914

AVAHI_GCC_UNUSED AvahiLookupResultFlags

915

flags,

916

AVAHI_GCC_UNUSED void* userdata){

917

assert(b);

732

918

733

919

/* Called whenever a new services becomes available on the LAN or

734

920

is removed from the LAN */

735

921

736

switch (event) {

922

if(quit_now){

923

return;

924

}

925

926

switch(event){

737

927

default:

738

928

case AVAHI_BROWSER_FAILURE:

739

929

740

930

fprintf(stderr, "(Avahi browser) %s\n",

741

avahi_strerror(avahi_server_errno(mc->server)));

742

avahi_simple_poll_quit(mc->simple_poll);

931

avahi_strerror(avahi_server_errno(mc.server)));

932

avahi_simple_poll_quit(mc.simple_poll);

743

933

return;

744

934

745

935

case AVAHI_BROWSER_NEW:

748

938

the callback function is called the Avahi server will free the

749

939

resolver for us. */

750

940

751

if (!(avahi_s_service_resolver_new(mc->server, interface,

752

protocol, name, type, domain,

753

AVAHI_PROTO_INET6, 0,

754

resolve_callback, mc)))

941

if(avahi_s_service_resolver_new(mc.server, interface, protocol,

942

name, type, domain, protocol, 0,

943

resolve_callback, NULL) == NULL)

755

944

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

756

name, avahi_strerror(avahi_server_errno(mc->server)));

945

name, avahi_strerror(avahi_server_errno(mc.server)));

757

946

break;

758

947

759

948

case AVAHI_BROWSER_REMOVE:

768

957

}

769

958

}

770

959

771

/* Combines file name and path and returns the malloced new

772

string. some sane checks could/should be added */

773

static const char *combinepath(const char *first, const char *second){

774

size_t f_len = strlen(first);

775

size_t s_len = strlen(second);

776

char *tmp = malloc(f_len + s_len + 2);

777

if (tmp == NULL){

778

return NULL;

779

}

780

if(f_len > 0){

781

memcpy(tmp, first, f_len); /* Spurious warning */

782

}

783

tmp[f_len] = '/';

784

if(s_len > 0){

785

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

786

}

787

tmp[f_len + 1 + s_len] = '\0';

788

return tmp;

960

/* stop main loop after sigterm has been called */

961

static void handle_sigterm(int sig){

962

if(quit_now){

963

return;

964

}

965

quit_now = 1;

966

signal_received = sig;

967

int old_errno = errno;

968

if(mc.simple_poll != NULL){

969

avahi_simple_poll_quit(mc.simple_poll);

970

}

971

errno = old_errno;

789

972

}

790

973

791

792

974

int main(int argc, char *argv[]){

793

AvahiSServiceBrowser *sb = NULL;

794

int error;

795

int ret;

796

int exitcode = EXIT_SUCCESS;

797

const char *interface = "eth0";

798

struct ifreq network;

799

int sd;

800

uid_t uid;

801

gid_t gid;

802

char *connect_to = NULL;

803

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

804

const char *pubkeyfile = "pubkey.txt";

805

const char *seckeyfile = "seckey.txt";

806

mandos_context mc = { .simple_poll = NULL, .server = NULL,

807

.dh_bits = 1024, .priority = "SECURE256"};

808

bool gnutls_initalized = false;

975

AvahiSServiceBrowser *sb = NULL;

976

int error;

977

int ret;

978

intmax_t tmpmax;

979

char *tmp;

980

int exitcode = EXIT_SUCCESS;

981

const char *interface = "eth0";

982

struct ifreq network;

983

int sd = -1;

984

bool take_down_interface = false;

985

uid_t uid;

986

gid_t gid;

987

char *connect_to = NULL;

988

char tempdir[] = "/tmp/mandosXXXXXX";

989

bool tempdir_created = false;

990

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

991

const char *seckey = PATHDIR "/" SECKEY;

992

const char *pubkey = PATHDIR "/" PUBKEY;

993

994

bool gnutls_initialized = false;

995

bool gpgme_initialized = false;

996

float delay = 2.5f;

997

998

struct sigaction old_sigterm_action;

999

struct sigaction sigterm_action = { .sa_handler = handle_sigterm };

1000

1001

{

1002

struct argp_option options[] = {

1003

{ .name = "debug", .key = 128,

1004

.doc = "Debug mode", .group = 3 },

1005

{ .name = "connect", .key = 'c',

1006

.arg = "ADDRESS:PORT",

1007

.doc = "Connect directly to a specific Mandos server",

1008

.group = 1 },

1009

{ .name = "interface", .key = 'i',

1010

.arg = "NAME",

1011

.doc = "Network interface that will be used to search for"

1012

" Mandos servers",

1013

.group = 1 },

1014

{ .name = "seckey", .key = 's',

1015

.arg = "FILE",

1016

.doc = "OpenPGP secret key file base name",

1017

.group = 1 },

1018

{ .name = "pubkey", .key = 'p',

1019

.arg = "FILE",

1020

.doc = "OpenPGP public key file base name",

1021

.group = 2 },

1022

{ .name = "dh-bits", .key = 129,

1023

.arg = "BITS",

1024

.doc = "Bit length of the prime number used in the"

1025

" Diffie-Hellman key exchange",

1026

.group = 2 },

1027

{ .name = "priority", .key = 130,

1028

.arg = "STRING",

1029

.doc = "GnuTLS priority string for the TLS handshake",

1030

.group = 1 },

1031

{ .name = "delay", .key = 131,

1032

.arg = "SECONDS",

1033

.doc = "Maximum delay to wait for interface startup",

1034

.group = 2 },

1035

{ .name = NULL }

1036

};

809

1037

810

{

811

struct argp_option options[] = {

812

{ .name = "debug", .key = 128,

813

.doc = "Debug mode", .group = 3 },

814

{ .name = "connect", .key = 'c',

815

.arg = "IP",

816

.doc = "Connect directly to a sepcified mandos server",

817

.group = 1 },

818

{ .name = "interface", .key = 'i',

819

.arg = "INTERFACE",

820

.doc = "Interface that Avahi will conntect through",

821

.group = 1 },

822

{ .name = "keydir", .key = 'd',

823

.arg = "KEYDIR",

824

.doc = "Directory where the openpgp keyring is",

825

.group = 1 },

826

{ .name = "seckey", .key = 's',

827

.arg = "SECKEY",

828

.doc = "Secret openpgp key for gnutls authentication",

829

.group = 1 },

830

{ .name = "pubkey", .key = 'p',

831

.arg = "PUBKEY",

832

.doc = "Public openpgp key for gnutls authentication",

833

.group = 2 },

834

{ .name = "dh-bits", .key = 129,

835

.arg = "BITS",

836

.doc = "dh-bits to use in gnutls communication",

837

.group = 2 },

838

{ .name = "priority", .key = 130,

839

.arg = "PRIORITY",

840

.doc = "GNUTLS priority", .group = 1 },

841

{ .name = NULL }

842

};

843

844

845

error_t parse_opt (int key, char *arg,

846

struct argp_state *state) {

847

/* Get the INPUT argument from `argp_parse', which we know is

848

a pointer to our plugin list pointer. */

849

switch (key) {

850

case 128:

851

debug = true;

852

break;

853

case 'c':

854

connect_to = arg;

855

break;

856

case 'i':

857

interface = arg;

858

break;

859

case 'd':

860

keydir = arg;

861

break;

862

case 's':

863

seckeyfile = arg;

864

break;

865

case 'p':

866

pubkeyfile = arg;

867

break;

868

case 129:

869

errno = 0;

870

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

871

if (errno){

872

perror("strtol");

873

exit(EXIT_FAILURE);

874

}

875

break;

876

case 130:

877

mc.priority = arg;

878

break;

879

case ARGP_KEY_ARG:

880

argp_usage (state);

881

break;

882

case ARGP_KEY_END:

883

break;

884

default:

885

return ARGP_ERR_UNKNOWN;

886

}

887

return 0;

1038

error_t parse_opt(int key, char *arg,

1039

struct argp_state *state){

1040

switch(key){

1041

case 128: /* --debug */

1042

debug = true;

1043

break;

1044

case 'c': /* --connect */

1045

connect_to = arg;

1046

break;

1047

case 'i': /* --interface */

1048

interface = arg;

1049

break;

1050

case 's': /* --seckey */

1051

seckey = arg;

1052

break;

1053

case 'p': /* --pubkey */

1054

pubkey = arg;

1055

break;

1056

case 129: /* --dh-bits */

1057

errno = 0;

1058

tmpmax = strtoimax(arg, &tmp, 10);

1059

if(errno != 0 or tmp == arg or *tmp != '\0'

1060

or tmpmax != (typeof(mc.dh_bits))tmpmax){

1061

fprintf(stderr, "Bad number of DH bits\n");

1062

exit(EXIT_FAILURE);

1063

}

1064

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

1065

break;

1066

case 130: /* --priority */

1067

mc.priority = arg;

1068

break;

1069

case 131: /* --delay */

1070

errno = 0;

1071

delay = strtof(arg, &tmp);

1072

if(errno != 0 or tmp == arg or *tmp != '\0'){

1073

fprintf(stderr, "Bad delay\n");

1074

exit(EXIT_FAILURE);

1075

}

1076

break;

1077

case ARGP_KEY_ARG:

1078

argp_usage(state);

1079

case ARGP_KEY_END:

1080

break;

1081

default:

1082

return ARGP_ERR_UNKNOWN;

888

1083

}

889

890

struct argp argp = { .options = options, .parser = parse_opt,

891

.args_doc = "",

892

.doc = "Mandos client -- Get and decrypt"

893

" passwords from mandos server" };

894

argp_parse (&argp, argc, argv, 0, 0, NULL);

895

}

896

897

pubkeyfile = combinepath(keydir, pubkeyfile);

898

if (pubkeyfile == NULL){

899

perror("combinepath");

900

exitcode = EXIT_FAILURE;

901

goto end;

902

}

903

904

seckeyfile = combinepath(keydir, seckeyfile);

905

if (seckeyfile == NULL){

906

perror("combinepath");

907

goto end;

908

}

909

910

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

911

if (ret == -1){

912

fprintf(stderr, "init_gnutls_global\n");

913

goto end;

914

} else {

915

gnutls_initalized = true;

916

}

917

918

uid = getuid();

919

gid = getgid();

920

921

ret = setuid(uid);

922

if (ret == -1){

923

perror("setuid");

924

}

925

926

setgid(gid);

927

if (ret == -1){

928

perror("setgid");

929

}

930

1084

return 0;

1085

}

1086

1087

struct argp argp = { .options = options, .parser = parse_opt,

1088

.args_doc = "",

1089

.doc = "Mandos client -- Get and decrypt"

1090

" passwords from a Mandos server" };

1091

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

1092

if(ret == ARGP_ERR_UNKNOWN){

1093

fprintf(stderr, "Unknown error while parsing arguments\n");

1094

exitcode = EXIT_FAILURE;

1095

goto end;

1096

}

1097

}

1098

1099

if(not debug){

1100

avahi_set_log_function(empty_log);

1101

}

1102

1103

/* Initialize Avahi early so avahi_simple_poll_quit() can be called

1104

from the signal handler */

1105

/* Initialize the pseudo-RNG for Avahi */

1106

srand((unsigned int) time(NULL));

1107

mc.simple_poll = avahi_simple_poll_new();

1108

if(mc.simple_poll == NULL){

1109

fprintf(stderr, "Avahi: Failed to create simple poll object.\n");

1110

exitcode = EXIT_FAILURE;

1111

goto end;

1112

}

1113

1114

sigemptyset(&sigterm_action.sa_mask);

1115

ret = sigaddset(&sigterm_action.sa_mask, SIGINT);

1116

if(ret == -1){

1117

perror("sigaddset");

1118

exitcode = EXIT_FAILURE;

1119

goto end;

1120

}

1121

ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);

1122

if(ret == -1){

1123

perror("sigaddset");

1124

exitcode = EXIT_FAILURE;

1125

goto end;

1126

}

1127

ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);

1128

if(ret == -1){

1129

perror("sigaddset");

1130

exitcode = EXIT_FAILURE;

1131

goto end;

1132

}

1133

/* Need to check if the handler is SIG_IGN before handling:

1134

| [[info:libc:Initial Signal Actions]] |

1135

| [[info:libc:Basic Signal Handling]] |

1136

1137

ret = sigaction(SIGINT, NULL, &old_sigterm_action);

1138

if(ret == -1){

1139

perror("sigaction");

1140

return EXIT_FAILURE;

1141

}

1142

if(old_sigterm_action.sa_handler != SIG_IGN){

1143

ret = sigaction(SIGINT, &sigterm_action, NULL);

1144

if(ret == -1){

1145

perror("sigaction");

1146

exitcode = EXIT_FAILURE;

1147

goto end;

1148

}

1149

}

1150

ret = sigaction(SIGHUP, NULL, &old_sigterm_action);

1151

if(ret == -1){

1152

perror("sigaction");

1153

return EXIT_FAILURE;

1154

}

1155

if(old_sigterm_action.sa_handler != SIG_IGN){

1156

ret = sigaction(SIGHUP, &sigterm_action, NULL);

1157

if(ret == -1){

1158

perror("sigaction");

1159

exitcode = EXIT_FAILURE;

1160

goto end;

1161

}

1162

}

1163

ret = sigaction(SIGTERM, NULL, &old_sigterm_action);

1164

if(ret == -1){

1165

perror("sigaction");

1166

return EXIT_FAILURE;

1167

}

1168

if(old_sigterm_action.sa_handler != SIG_IGN){

1169

ret = sigaction(SIGTERM, &sigterm_action, NULL);

1170

if(ret == -1){

1171

perror("sigaction");

1172

exitcode = EXIT_FAILURE;

1173

goto end;

1174

}

1175

}

1176

1177

/* If the interface is down, bring it up */

1178

if(interface[0] != '\0'){

931

1179

if_index = (AvahiIfIndex) if_nametoindex(interface);

932

1180

if(if_index == 0){

933

1181

fprintf(stderr, "No such interface: \"%s\"\n", interface);

934

exit(EXIT_FAILURE);

935

}

936

937

if(connect_to != NULL){

938

/* Connect directly, do not use Zeroconf */

939

/* (Mainly meant for debugging) */

940

char *address = strrchr(connect_to, ':');

941

if(address == NULL){

942

fprintf(stderr, "No colon in address\n");

943

exitcode = EXIT_FAILURE;

944

goto end;

945

}

946

errno = 0;

947

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

948

if(errno){

949

perror("Bad port number");

950

exitcode = EXIT_FAILURE;

951

goto end;

952

}

953

*address = '\0';

954

address = connect_to;

955

ret = start_mandos_communication(address, port, if_index, &mc);

956

if(ret < 0){

957

exitcode = EXIT_FAILURE;

958

} else {

959

exitcode = EXIT_SUCCESS;

960

}

961

goto end;

962

}

963

964

/* If the interface is down, bring it up */

965

{

966

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

967

if(sd < 0) {

968

perror("socket");

969

exitcode = EXIT_FAILURE;

970

goto end;

971

}

972

strcpy(network.ifr_name, interface); /* Spurious warning */

973

ret = ioctl(sd, SIOCGIFFLAGS, &network);

974

if(ret == -1){

975

perror("ioctl SIOCGIFFLAGS");

976

exitcode = EXIT_FAILURE;

977

goto end;

978

}

979

if((network.ifr_flags & IFF_UP) == 0){

980

network.ifr_flags |= IFF_UP;

1182

exitcode = EXIT_FAILURE;

1183

goto end;

1184

}

1185

1186

if(quit_now){

1187

goto end;

1188

}

1189

1190

#ifdef __linux__

1191

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1192

messages to mess up the prompt */

1193

ret = klogctl(8, NULL, 5);

1194

bool restore_loglevel = true;

1195

if(ret == -1){

1196

restore_loglevel = false;

1197

perror("klogctl");

1198

}

1199

#endif /* __linux__ */

1200

1201

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1202

if(sd < 0){

1203

perror("socket");

1204

exitcode = EXIT_FAILURE;

1205

#ifdef __linux__

1206

if(restore_loglevel){

1207

ret = klogctl(7, NULL, 0);

1208

if(ret == -1){

1209

perror("klogctl");

1210

}

1211

}

1212

#endif /* __linux__ */

1213

goto end;

1214

}

1215

strcpy(network.ifr_name, interface);

1216

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1217

if(ret == -1){

1218

perror("ioctl SIOCGIFFLAGS");

1219

#ifdef __linux__

1220

if(restore_loglevel){

1221

ret = klogctl(7, NULL, 0);

1222

if(ret == -1){

1223

perror("klogctl");

1224

}

1225

}

1226

#endif /* __linux__ */

1227

exitcode = EXIT_FAILURE;

1228

goto end;

1229

}

1230

if((network.ifr_flags & IFF_UP) == 0){

1231

network.ifr_flags |= IFF_UP;

1232

take_down_interface = true;

1233

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1234

if(ret == -1){

1235

take_down_interface = false;

1236

perror("ioctl SIOCSIFFLAGS");

1237

exitcode = EXIT_FAILURE;

1238

#ifdef __linux__

1239

if(restore_loglevel){

1240

ret = klogctl(7, NULL, 0);

1241

if(ret == -1){

1242

perror("klogctl");

1243

}

1244

}

1245

#endif /* __linux__ */

1246

goto end;

1247

}

1248

}

1249

/* sleep checking until interface is running */

1250

for(int i=0; i < delay * 4; i++){

1251

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1252

if(ret == -1){

1253

perror("ioctl SIOCGIFFLAGS");

1254

} else if(network.ifr_flags & IFF_RUNNING){

1255

break;

1256

}

1257

struct timespec sleeptime = { .tv_nsec = 250000000 };

1258

ret = nanosleep(&sleeptime, NULL);

1259

if(ret == -1 and errno != EINTR){

1260

perror("nanosleep");

1261

}

1262

}

1263

if(not take_down_interface){

1264

/* We won't need the socket anymore */

1265

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1266

if(ret == -1){

1267

perror("close");

1268

}

1269

}

1270

#ifdef __linux__

1271

if(restore_loglevel){

1272

/* Restores kernel loglevel to default */

1273

ret = klogctl(7, NULL, 0);

1274

if(ret == -1){

1275

perror("klogctl");

1276

}

1277

}

1278

#endif /* __linux__ */

1279

}

1280

1281

if(quit_now){

1282

goto end;

1283

}

1284

1285

uid = getuid();

1286

gid = getgid();

1287

1288

/* Drop any group privileges we might have, just to be safe */

1289

errno = 0;

1290

ret = setgid(gid);

1291

if(ret == -1){

1292

perror("setgid");

1293

}

1294

1295

/* Drop user privileges */

1296

errno = 0;

1297

/* Will we need privileges later? */

1298

if(take_down_interface){

1299

/* Drop user privileges temporarily */

1300

ret = seteuid(uid);

1301

if(ret == -1){

1302

perror("seteuid");

1303

}

1304

} else {

1305

/* Drop user privileges permanently */

1306

ret = setuid(uid);

1307

if(ret == -1){

1308

perror("setuid");

1309

}

1310

}

1311

1312

if(quit_now){

1313

goto end;

1314

}

1315

1316

ret = init_gnutls_global(pubkey, seckey);

1317

if(ret == -1){

1318

fprintf(stderr, "init_gnutls_global failed\n");

1319

exitcode = EXIT_FAILURE;

1320

goto end;

1321

} else {

1322

gnutls_initialized = true;

1323

}

1324

1325

if(quit_now){

1326

goto end;

1327

}

1328

1329

tempdir_created = true;

1330

if(mkdtemp(tempdir) == NULL){

1331

tempdir_created = false;

1332

perror("mkdtemp");

1333

goto end;

1334

}

1335

1336

if(quit_now){

1337

goto end;

1338

}

1339

1340

if(not init_gpgme(pubkey, seckey, tempdir)){

1341

fprintf(stderr, "init_gpgme failed\n");

1342

exitcode = EXIT_FAILURE;

1343

goto end;

1344

} else {

1345

gpgme_initialized = true;

1346

}

1347

1348

if(quit_now){

1349

goto end;

1350

}

1351

1352

if(connect_to != NULL){

1353

/* Connect directly, do not use Zeroconf */

1354

/* (Mainly meant for debugging) */

1355

char *address = strrchr(connect_to, ':');

1356

if(address == NULL){

1357

fprintf(stderr, "No colon in address\n");

1358

exitcode = EXIT_FAILURE;

1359

goto end;

1360

}

1361

1362

if(quit_now){

1363

goto end;

1364

}

1365

1366

uint16_t port;

1367

errno = 0;

1368

tmpmax = strtoimax(address+1, &tmp, 10);

1369

if(errno != 0 or tmp == address+1 or *tmp != '\0'

1370

or tmpmax != (uint16_t)tmpmax){

1371

fprintf(stderr, "Bad port number\n");

1372

exitcode = EXIT_FAILURE;

1373

goto end;

1374

}

1375

1376

if(quit_now){

1377

goto end;

1378

}

1379

1380

port = (uint16_t)tmpmax;

1381

*address = '\0';

1382

address = connect_to;

1383

/* Colon in address indicates IPv6 */

1384

int af;

1385

if(strchr(address, ':') != NULL){

1386

af = AF_INET6;

1387

} else {

1388

af = AF_INET;

1389

}

1390

1391

if(quit_now){

1392

goto end;

1393

}

1394

1395

ret = start_mandos_communication(address, port, if_index, af);

1396

if(ret < 0){

1397

exitcode = EXIT_FAILURE;

1398

} else {

1399

exitcode = EXIT_SUCCESS;

1400

}

1401

goto end;

1402

}

1403

1404

if(quit_now){

1405

goto end;

1406

}

1407

1408

{

1409

AvahiServerConfig config;

1410

/* Do not publish any local Zeroconf records */

1411

avahi_server_config_init(&config);

1412

config.publish_hinfo = 0;

1413

config.publish_addresses = 0;

1414

config.publish_workstation = 0;

1415

config.publish_domain = 0;

1416

1417

/* Allocate a new server */

1418

mc.server = avahi_server_new(avahi_simple_poll_get

1419

(mc.simple_poll), &config, NULL,

1420

NULL, &error);

1421

1422

/* Free the Avahi configuration data */

1423

avahi_server_config_free(&config);

1424

}

1425

1426

/* Check if creating the Avahi server object succeeded */

1427

if(mc.server == NULL){

1428

fprintf(stderr, "Failed to create Avahi server: %s\n",

1429

avahi_strerror(error));

1430

exitcode = EXIT_FAILURE;

1431

goto end;

1432

}

1433

1434

if(quit_now){

1435

goto end;

1436

}

1437

1438

/* Create the Avahi service browser */

1439

sb = avahi_s_service_browser_new(mc.server, if_index,

1440

AVAHI_PROTO_UNSPEC, "_mandos._tcp",

1441

NULL, 0, browse_callback, NULL);

1442

if(sb == NULL){

1443

fprintf(stderr, "Failed to create service browser: %s\n",

1444

avahi_strerror(avahi_server_errno(mc.server)));

1445

exitcode = EXIT_FAILURE;

1446

goto end;

1447

}

1448

1449

if(quit_now){

1450

goto end;

1451

}

1452

1453

/* Run the main loop */

1454

1455

if(debug){

1456

fprintf(stderr, "Starting Avahi loop search\n");

1457

}

1458

1459

avahi_simple_poll_loop(mc.simple_poll);

1460

1461

end:

1462

1463

if(debug){

1464

fprintf(stderr, "%s exiting\n", argv[0]);

1465

}

1466

1467

/* Cleanup things */

1468

if(sb != NULL)

1469

avahi_s_service_browser_free(sb);

1470

1471

if(mc.server != NULL)

1472

avahi_server_free(mc.server);

1473

1474

if(mc.simple_poll != NULL)

1475

avahi_simple_poll_free(mc.simple_poll);

1476

1477

if(gnutls_initialized){

1478

gnutls_certificate_free_credentials(mc.cred);

1479

gnutls_global_deinit();

1480

gnutls_dh_params_deinit(mc.dh_params);

1481

}

1482

1483

if(gpgme_initialized){

1484

gpgme_release(mc.ctx);

1485

}

1486

1487

/* Take down the network interface */

1488

if(take_down_interface){

1489

/* Re-raise priviliges */

1490

errno = 0;

1491

ret = seteuid(0);

1492

if(ret == -1){

1493

perror("seteuid");

1494

}

1495

if(geteuid() == 0){

1496

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1497

if(ret == -1){

1498

perror("ioctl SIOCGIFFLAGS");

1499

} else if(network.ifr_flags & IFF_UP) {

1500

network.ifr_flags &= ~IFF_UP; /* clear flag */

981

1501

ret = ioctl(sd, SIOCSIFFLAGS, &network);

982

1502

if(ret == -1){

983

1503

perror("ioctl SIOCSIFFLAGS");

984

exitcode = EXIT_FAILURE;

985

goto end;

986

}

987

}

988

close(sd);

989

}

990

991

if (not debug){

992

avahi_set_log_function(empty_log);

993

}

994

995

/* Initialize the pseudo-RNG for Avahi */

996

srand((unsigned int) time(NULL));

997

998

/* Allocate main Avahi loop object */

999

mc.simple_poll = avahi_simple_poll_new();

1000

if (mc.simple_poll == NULL) {

1001

fprintf(stderr, "Avahi: Failed to create simple poll"

1002

" object.\n");

1003

exitcode = EXIT_FAILURE;

1004

goto end;

1005

}

1006

1007

{

1008

AvahiServerConfig config;

1009

/* Do not publish any local Zeroconf records */

1010

avahi_server_config_init(&config);

1011

config.publish_hinfo = 0;

1012

config.publish_addresses = 0;

1013

config.publish_workstation = 0;

1014

config.publish_domain = 0;

1015

1016

/* Allocate a new server */

1017

mc.server = avahi_server_new(avahi_simple_poll_get

1018

(mc.simple_poll), &config, NULL,

1019

NULL, &error);

1020

1021

/* Free the Avahi configuration data */

1022

avahi_server_config_free(&config);

1023

}

1024

1025

/* Check if creating the Avahi server object succeeded */

1026

if (mc.server == NULL) {

1027

fprintf(stderr, "Failed to create Avahi server: %s\n",

1028

avahi_strerror(error));

1029

exitcode = EXIT_FAILURE;

1030

goto end;

1031

}

1032

1033

/* Create the Avahi service browser */

1034

sb = avahi_s_service_browser_new(mc.server, if_index,

1035

AVAHI_PROTO_INET6,

1036

"_mandos._tcp", NULL, 0,

1037

browse_callback, &mc);

1038

if (sb == NULL) {

1039

fprintf(stderr, "Failed to create service browser: %s\n",

1040

avahi_strerror(avahi_server_errno(mc.server)));

1041

exitcode = EXIT_FAILURE;

1042

goto end;

1043

}

1044

1045

/* Run the main loop */

1046

1047

if (debug){

1048

fprintf(stderr, "Starting Avahi loop search\n");

1049

}

1050

1051

avahi_simple_poll_loop(mc.simple_poll);

1052

1053

end:

1054

1055

if (debug){

1056

fprintf(stderr, "%s exiting\n", argv[0]);

1057

}

1058

1059

/* Cleanup things */

1060

if (sb != NULL)

1061

avahi_s_service_browser_free(sb);

1062

1063

if (mc.server != NULL)

1064

avahi_server_free(mc.server);

1065

1066

if (mc.simple_poll != NULL)

1067

avahi_simple_poll_free(mc.simple_poll);

1068

free(pubkeyfile);

1069

free(seckeyfile);

1070

1071

if (gnutls_initalized){

1072

gnutls_certificate_free_credentials (mc.cred);

1073

gnutls_global_deinit ();

1074

}

1075

1076

return exitcode;

1504

}

1505

}

1506

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1507

if(ret == -1){

1508

perror("close");

1509

}

1510

/* Lower privileges, permanently this time */

1511

errno = 0;

1512

ret = setuid(uid);

1513

if(ret == -1){

1514

perror("setuid");

1515

}

1516

}

1517

}

1518

1519

/* Removes the temp directory used by GPGME */

1520

if(tempdir_created){

1521

DIR *d;

1522

struct dirent *direntry;

1523

d = opendir(tempdir);

1524

if(d == NULL){

1525

if(errno != ENOENT){

1526

perror("opendir");

1527

}

1528

} else {

1529

while(true){

1530

direntry = readdir(d);

1531

if(direntry == NULL){

1532

break;

1533

}

1534

/* Skip "." and ".." */

1535

if(direntry->d_name[0] == '.'

1536

and (direntry->d_name[1] == '\0'

1537

or (direntry->d_name[1] == '.'

1538

and direntry->d_name[2] == '\0'))){

1539

continue;

1540

}

1541

char *fullname = NULL;

1542

ret = asprintf(&fullname, "%s/%s", tempdir,

1543

direntry->d_name);

1544

if(ret < 0){

1545

perror("asprintf");

1546

continue;

1547

}

1548

ret = remove(fullname);

1549

if(ret == -1){

1550

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1551

strerror(errno));

1552

}

1553

free(fullname);

1554

}

1555

closedir(d);

1556

}

1557

ret = rmdir(tempdir);

1558

if(ret == -1 and errno != ENOENT){

1559

perror("rmdir");

1560

}

1561

}

1562

1563

if(quit_now){

1564

sigemptyset(&old_sigterm_action.sa_mask);

1565

old_sigterm_action.sa_handler = SIG_DFL;

1566

ret = sigaction(signal_received, &old_sigterm_action, NULL);

1567

if(ret == -1){

1568

perror("sigaction");

1569

}

1570

raise(signal_received);

1571

}

1572

1573

return exitcode;

1077

1574

}

Older »