(root)/mandos/release
» Revision
237.2.129
(compared to revision 237.2.116)
: plugins.d/mandos-client.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.129
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.129
- Committer: Teddy Hogeborn
- Date: 2009-09-08 06:28:20 UTC
- mto: (24.1.142 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 264.
- Revision ID: teddy@fukt.bsnet.se-20090908062820-xgkdkrnvuze9vc72
* debian/mandos-client.README.Debian: Improved wording and formatting.
Updated location of nfsroot.txt.
* debian/mandos.README.Debian: Improved wording and formatting.
Updated location of nfsroot.txt.
* debian/mandos.README.Debian: Improved wording and formatting.
added
removed
plugins.d/mandos-client.c
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
74
getuid(), getgid(), seteuid(),
75
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
80
80
argp_parse(), ARGP_KEY_ARG,
81
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sigaction,
84
sig_atomic_t */
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
85
86
86
#ifdef __linux__
87
87
#include <sys/klog.h> /* klogctl() */
164
164
*/
165
165
static bool init_gpgme(const char *seckey,
166
166
const char *pubkey, const char *tempdir){
167
int ret;
168
167
gpgme_error_t rc;
169
168
gpgme_engine_info_t engine_info;
170
169
173
172
* Helper function to insert pub and seckey to the engine keyring.
174
173
*/
175
174
bool import_key(const char *filename){
175
int ret;
176
176
int fd;
177
177
gpgme_data_t pgp_data;
178
178
249
249
return false;
250
250
}
251
251
252
return true;
252
return true;
253
253
}
254
254
255
255
/*
514
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
515
__attribute__((unused)) const char *txt){}
516
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
517
520
/* Called when a Mandos server is found */
518
521
static int start_mandos_communication(const char *ip, uint16_t port,
519
522
AvahiIfIndex if_index,
520
523
int af){
521
int ret, tcp_sd;
524
int ret, tcp_sd = -1;
522
525
ssize_t sret;
523
526
union {
524
527
struct sockaddr_in in;
528
531
char *decrypted_buffer;
529
532
size_t buffer_length = 0;
530
533
size_t buffer_capacity = 0;
531
ssize_t decrypted_buffer_size;
532
534
size_t written;
533
535
int retval = 0;
534
536
gnutls_session_t session;
535
537
int pf; /* Protocol family */
536
538
539
if(quit_now){
540
return -1;
541
}
542
537
543
switch(af){
538
544
case AF_INET6:
539
545
pf = PF_INET6;
559
565
tcp_sd = socket(pf, SOCK_STREAM, 0);
560
566
if(tcp_sd < 0){
561
567
perror("socket");
562
return -1;
568
retval = -1;
569
goto mandos_end;
570
}
571
572
if(quit_now){
573
goto mandos_end;
563
574
}
564
575
565
576
memset(&to, 0, sizeof(to));
572
583
}
573
584
if(ret < 0 ){
574
585
perror("inet_pton");
575
return -1;
586
retval = -1;
587
goto mandos_end;
576
588
}
577
589
if(ret == 0){
578
590
fprintf(stderr, "Bad address: %s\n", ip);
579
return -1;
591
retval = -1;
592
goto mandos_end;
580
593
}
581
594
if(af == AF_INET6){
582
595
to.in6.sin6_port = htons(port); /* Spurious warnings from
589
602
if(if_index == AVAHI_IF_UNSPEC){
590
603
fprintf(stderr, "An IPv6 link-local address is incomplete"
591
604
" without a network interface\n");
592
return -1;
605
retval = -1;
606
goto mandos_end;
593
607
}
594
608
/* Set the network interface number as scope */
595
609
to.in6.sin6_scope_id = (uint32_t)if_index;
600
614
-Wunreachable-code */
601
615
}
602
616
617
if(quit_now){
618
goto mandos_end;
619
}
620
603
621
if(debug){
604
622
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
605
623
char interface[IF_NAMESIZE];
632
650
}
633
651
}
634
652
653
if(quit_now){
654
goto mandos_end;
655
}
656
635
657
if(af == AF_INET6){
636
658
ret = connect(tcp_sd, &to.in6, sizeof(to));
637
659
} else {
639
661
}
640
662
if(ret < 0){
641
663
perror("connect");
642
return -1;
664
retval = -1;
665
goto mandos_end;
666
}
667
668
if(quit_now){
669
goto mandos_end;
643
670
}
644
671
645
672
const char *out = mandos_protocol_version;
664
691
break;
665
692
}
666
693
}
694
695
if(quit_now){
696
goto mandos_end;
697
}
667
698
}
668
699
669
700
if(debug){
670
701
fprintf(stderr, "Establishing TLS session with %s\n", ip);
671
702
}
672
703
704
if(quit_now){
705
goto mandos_end;
706
}
707
673
708
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
674
709
675
do{
710
if(quit_now){
711
goto mandos_end;
712
}
713
714
do {
676
715
ret = gnutls_handshake(session);
716
if(quit_now){
717
goto mandos_end;
718
}
677
719
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
678
720
679
721
if(ret != GNUTLS_E_SUCCESS){
693
735
}
694
736
695
737
while(true){
738
739
if(quit_now){
740
goto mandos_end;
741
}
742
696
743
buffer_capacity = incbuffer(&buffer, buffer_length,
697
744
buffer_capacity);
698
745
if(buffer_capacity == 0){
701
748
goto mandos_end;
702
749
}
703
750
751
if(quit_now){
752
goto mandos_end;
753
}
754
704
755
sret = gnutls_record_recv(session, buffer+buffer_length,
705
756
BUFFER_SIZE);
706
757
if(sret == 0){
712
763
case GNUTLS_E_AGAIN:
713
764
break;
714
765
case GNUTLS_E_REHANDSHAKE:
715
do{
766
do {
716
767
ret = gnutls_handshake(session);
768
769
if(quit_now){
770
goto mandos_end;
771
}
717
772
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
718
773
if(ret < 0){
719
774
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
738
793
fprintf(stderr, "Closing TLS session\n");
739
794
}
740
795
796
if(quit_now){
797
goto mandos_end;
798
}
799
741
800
gnutls_bye(session, GNUTLS_SHUT_RDWR);
742
801
802
if(quit_now){
803
goto mandos_end;
804
}
805
743
806
if(buffer_length > 0){
807
ssize_t decrypted_buffer_size;
744
808
decrypted_buffer_size = pgp_packet_decrypt(buffer,
745
809
buffer_length,
746
810
&decrypted_buffer);
747
811
if(decrypted_buffer_size >= 0){
812
748
813
written = 0;
749
814
while(written < (size_t) decrypted_buffer_size){
815
if(quit_now){
816
goto mandos_end;
817
}
818
750
819
ret = (int)fwrite(decrypted_buffer + written, 1,
751
820
(size_t)decrypted_buffer_size - written,
752
821
stdout);
772
841
773
842
mandos_end:
774
843
free(buffer);
775
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
844
if(tcp_sd >= 0){
845
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
846
}
776
847
if(ret == -1){
777
848
perror("close");
778
849
}
779
850
gnutls_deinit(session);
851
if(quit_now){
852
retval = -1;
853
}
780
854
return retval;
781
855
}
782
856
783
sig_atomic_t quit_now = 0;
784
785
857
static void resolve_callback(AvahiSServiceResolver *r,
786
858
AvahiIfIndex interface,
787
859
AvahiProtocol proto,
847
919
/* Called whenever a new services becomes available on the LAN or
848
920
is removed from the LAN */
849
921
922
if(quit_now){
923
return;
924
}
925
850
926
switch(event){
851
927
default:
852
928
case AVAHI_BROWSER_FAILURE:
882
958
}
883
959
884
960
/* stop main loop after sigterm has been called */
885
static void handle_sigterm(__attribute__((unused)) int sig){
961
static void handle_sigterm(int sig){
886
962
if(quit_now){
887
963
return;
888
964
}
889
965
quit_now = 1;
966
signal_received = sig;
890
967
int old_errno = errno;
891
968
if(mc.simple_poll != NULL){
892
969
avahi_simple_poll_quit(mc.simple_poll);
1053
1130
exitcode = EXIT_FAILURE;
1054
1131
goto end;
1055
1132
}
1056
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1057
if(ret == -1){
1058
perror("sigaction");
1059
exitcode = EXIT_FAILURE;
1060
goto end;
1061
}
1133
/* Need to check if the handler is SIG_IGN before handling:
1134
| [[info:libc:Initial Signal Actions]] |
1135
| [[info:libc:Basic Signal Handling]] |
1136
*/
1137
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1138
if(ret == -1){
1139
perror("sigaction");
1140
return EXIT_FAILURE;
1141
}
1142
if(old_sigterm_action.sa_handler != SIG_IGN){
1143
ret = sigaction(SIGINT, &sigterm_action, NULL);
1144
if(ret == -1){
1145
perror("sigaction");
1146
exitcode = EXIT_FAILURE;
1147
goto end;
1148
}
1149
}
1150
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1151
if(ret == -1){
1152
perror("sigaction");
1153
return EXIT_FAILURE;
1154
}
1155
if(old_sigterm_action.sa_handler != SIG_IGN){
1156
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1157
if(ret == -1){
1158
perror("sigaction");
1159
exitcode = EXIT_FAILURE;
1160
goto end;
1161
}
1162
}
1163
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1164
if(ret == -1){
1165
perror("sigaction");
1166
return EXIT_FAILURE;
1167
}
1168
if(old_sigterm_action.sa_handler != SIG_IGN){
1169
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1170
if(ret == -1){
1171
perror("sigaction");
1172
exitcode = EXIT_FAILURE;
1173
goto end;
1174
}
1175
}
1062
1176
1063
1177
/* If the interface is down, bring it up */
1064
1178
if(interface[0] != '\0'){
1171
1285
uid = getuid();
1172
1286
gid = getgid();
1173
1287
1288
/* Drop any group privileges we might have, just to be safe */
1174
1289
errno = 0;
1175
setgid(gid);
1290
ret = setgid(gid);
1176
1291
if(ret == -1){
1177
1292
perror("setgid");
1178
1293
}
1179
1294
1180
ret = setuid(uid);
1181
if(ret == -1){
1182
perror("setuid");
1295
/* Drop user privileges */
1296
errno = 0;
1297
/* Will we need privileges later? */
1298
if(take_down_interface){
1299
/* Drop user privileges temporarily */
1300
ret = seteuid(uid);
1301
if(ret == -1){
1302
perror("seteuid");
1303
}
1304
} else {
1305
/* Drop user privileges permanently */
1306
ret = setuid(uid);
1307
if(ret == -1){
1308
perror("setuid");
1309
}
1183
1310
}
1184
1311
1185
1312
if(quit_now){
1359
1486
1360
1487
/* Take down the network interface */
1361
1488
if(take_down_interface){
1362
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1489
/* Re-raise priviliges */
1490
errno = 0;
1491
ret = seteuid(0);
1363
1492
if(ret == -1){
1364
perror("ioctl SIOCGIFFLAGS");
1365
} else if(network.ifr_flags & IFF_UP) {
1366
network.ifr_flags &= ~IFF_UP; /* clear flag */
1367
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1368
if(ret == -1){
1369
perror("ioctl SIOCSIFFLAGS");
1370
}
1493
perror("seteuid");
1371
1494
}
1372
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1373
if(ret == -1){
1374
perror("close");
1495
if(geteuid() == 0){
1496
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1497
if(ret == -1){
1498
perror("ioctl SIOCGIFFLAGS");
1499
} else if(network.ifr_flags & IFF_UP) {
1500
network.ifr_flags &= ~IFF_UP; /* clear flag */
1501
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1502
if(ret == -1){
1503
perror("ioctl SIOCSIFFLAGS");
1504
}
1505
}
1506
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1507
if(ret == -1){
1508
perror("close");
1509
}
1510
/* Lower privileges, permanently this time */
1511
errno = 0;
1512
ret = setuid(uid);
1513
if(ret == -1){
1514
perror("setuid");
1515
}
1375
1516
}
1376
1517
}
1377
1518
1419
1560
}
1420
1561
}
1421
1562
1563
if(quit_now){
1564
sigemptyset(&old_sigterm_action.sa_mask);
1565
old_sigterm_action.sa_handler = SIG_DFL;
1566
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1567
if(ret == -1){
1568
perror("sigaction");
1569
}
1570
raise(signal_received);
1571
}
1572
1422
1573
return exitcode;
1423
1574
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0