(root)/mandos/release
» Revision
237.2.134
(compared to revision 237.2.120)
: plugins.d/mandos-client.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.134
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.134
- Committer: Teddy Hogeborn
- Date: 2009-09-17 02:42:49 UTC
- mto: (24.1.142 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 264.
- Revision ID: teddy@fukt.bsnet.se-20090917024249-y6j76xtzz3i2vptv
* plugins.d/mandos-client.c (init_gnutls_session): Always fail and
return immediately
if interrupted by
signal.
return immediately
if interrupted by
signal.
- files modified:
- TODO
added
removed
plugins.d/mandos-client.c
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
74
getuid(), getgid(), seteuid(),
75
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
145
148
/*
146
149
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
150
* bytes. "buffer_capacity" is how much is currently allocated,
164
167
*/
165
168
static bool init_gpgme(const char *seckey,
166
169
const char *pubkey, const char *tempdir){
167
int ret;
168
170
gpgme_error_t rc;
169
171
gpgme_engine_info_t engine_info;
170
172
173
175
* Helper function to insert pub and seckey to the engine keyring.
174
176
*/
175
177
bool import_key(const char *filename){
178
int ret;
176
179
int fd;
177
180
gpgme_data_t pgp_data;
178
181
474
477
static int init_gnutls_session(gnutls_session_t *session){
475
478
int ret;
476
479
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
478
486
if(ret != GNUTLS_E_SUCCESS){
479
487
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
488
safer_gnutls_strerror(ret));
482
490
483
491
{
484
492
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
486
500
if(ret != GNUTLS_E_SUCCESS){
487
501
fprintf(stderr, "Syntax error at: %s\n", err);
488
502
fprintf(stderr, "GnuTLS error: %s\n",
492
506
}
493
507
}
494
508
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
497
517
if(ret != GNUTLS_E_SUCCESS){
498
518
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
499
519
safer_gnutls_strerror(ret));
502
522
}
503
523
504
524
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
507
526
508
527
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
509
528
514
533
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
534
__attribute__((unused)) const char *txt){}
516
535
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
520
536
/* Called when a Mandos server is found */
521
537
static int start_mandos_communication(const char *ip, uint16_t port,
522
538
AvahiIfIndex if_index,
523
539
int af){
524
int ret, tcp_sd;
540
int ret, tcp_sd = -1;
525
541
ssize_t sret;
526
542
union {
527
543
struct sockaddr_in in;
531
547
char *decrypted_buffer;
532
548
size_t buffer_length = 0;
533
549
size_t buffer_capacity = 0;
534
ssize_t decrypted_buffer_size;
535
550
size_t written;
536
551
int retval = 0;
537
552
gnutls_session_t session;
538
553
int pf; /* Protocol family */
539
554
555
if(quit_now){
556
return -1;
557
}
558
540
559
switch(af){
541
560
case AF_INET6:
542
561
pf = PF_INET6;
562
581
tcp_sd = socket(pf, SOCK_STREAM, 0);
563
582
if(tcp_sd < 0){
564
583
perror("socket");
565
return -1;
584
retval = -1;
585
goto mandos_end;
586
}
587
588
if(quit_now){
589
retval = -1;
590
goto mandos_end;
566
591
}
567
592
568
593
memset(&to, 0, sizeof(to));
575
600
}
576
601
if(ret < 0 ){
577
602
perror("inet_pton");
578
return -1;
603
retval = -1;
604
goto mandos_end;
579
605
}
580
606
if(ret == 0){
581
607
fprintf(stderr, "Bad address: %s\n", ip);
582
return -1;
608
retval = -1;
609
goto mandos_end;
583
610
}
584
611
if(af == AF_INET6){
585
612
to.in6.sin6_port = htons(port); /* Spurious warnings from
592
619
if(if_index == AVAHI_IF_UNSPEC){
593
620
fprintf(stderr, "An IPv6 link-local address is incomplete"
594
621
" without a network interface\n");
595
return -1;
622
retval = -1;
623
goto mandos_end;
596
624
}
597
625
/* Set the network interface number as scope */
598
626
to.in6.sin6_scope_id = (uint32_t)if_index;
603
631
-Wunreachable-code */
604
632
}
605
633
634
if(quit_now){
635
retval = -1;
636
goto mandos_end;
637
}
638
606
639
if(debug){
607
640
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
608
641
char interface[IF_NAMESIZE];
635
668
}
636
669
}
637
670
671
if(quit_now){
672
retval = -1;
673
goto mandos_end;
674
}
675
638
676
if(af == AF_INET6){
639
677
ret = connect(tcp_sd, &to.in6, sizeof(to));
640
678
} else {
642
680
}
643
681
if(ret < 0){
644
682
perror("connect");
645
return -1;
683
retval = -1;
684
goto mandos_end;
685
}
686
687
if(quit_now){
688
retval = -1;
689
goto mandos_end;
646
690
}
647
691
648
692
const char *out = mandos_protocol_version;
667
711
break;
668
712
}
669
713
}
714
715
if(quit_now){
716
retval = -1;
717
goto mandos_end;
718
}
670
719
}
671
720
672
721
if(debug){
673
722
fprintf(stderr, "Establishing TLS session with %s\n", ip);
674
723
}
675
724
725
if(quit_now){
726
retval = -1;
727
goto mandos_end;
728
}
729
676
730
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
677
731
678
do{
732
if(quit_now){
733
retval = -1;
734
goto mandos_end;
735
}
736
737
do {
679
738
ret = gnutls_handshake(session);
739
if(quit_now){
740
retval = -1;
741
goto mandos_end;
742
}
680
743
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
681
744
682
745
if(ret != GNUTLS_E_SUCCESS){
696
759
}
697
760
698
761
while(true){
762
763
if(quit_now){
764
retval = -1;
765
goto mandos_end;
766
}
767
699
768
buffer_capacity = incbuffer(&buffer, buffer_length,
700
769
buffer_capacity);
701
770
if(buffer_capacity == 0){
704
773
goto mandos_end;
705
774
}
706
775
776
if(quit_now){
777
retval = -1;
778
goto mandos_end;
779
}
780
707
781
sret = gnutls_record_recv(session, buffer+buffer_length,
708
782
BUFFER_SIZE);
709
783
if(sret == 0){
715
789
case GNUTLS_E_AGAIN:
716
790
break;
717
791
case GNUTLS_E_REHANDSHAKE:
718
do{
792
do {
719
793
ret = gnutls_handshake(session);
794
795
if(quit_now){
796
retval = -1;
797
goto mandos_end;
798
}
720
799
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
721
800
if(ret < 0){
722
801
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
741
820
fprintf(stderr, "Closing TLS session\n");
742
821
}
743
822
744
gnutls_bye(session, GNUTLS_SHUT_RDWR);
823
if(quit_now){
824
retval = -1;
825
goto mandos_end;
826
}
827
828
do {
829
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
830
if(quit_now){
831
retval = -1;
832
goto mandos_end;
833
}
834
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
745
835
746
836
if(buffer_length > 0){
837
ssize_t decrypted_buffer_size;
747
838
decrypted_buffer_size = pgp_packet_decrypt(buffer,
748
839
buffer_length,
749
840
&decrypted_buffer);
750
841
if(decrypted_buffer_size >= 0){
842
751
843
written = 0;
752
844
while(written < (size_t) decrypted_buffer_size){
845
if(quit_now){
846
retval = -1;
847
goto mandos_end;
848
}
849
753
850
ret = (int)fwrite(decrypted_buffer + written, 1,
754
851
(size_t)decrypted_buffer_size - written,
755
852
stdout);
775
872
776
873
mandos_end:
777
874
free(buffer);
778
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
875
if(tcp_sd >= 0){
876
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
877
}
779
878
if(ret == -1){
780
879
perror("close");
781
880
}
782
881
gnutls_deinit(session);
882
if(quit_now){
883
retval = -1;
884
}
783
885
return retval;
784
886
}
785
887
848
950
/* Called whenever a new services becomes available on the LAN or
849
951
is removed from the LAN */
850
952
953
if(quit_now){
954
return;
955
}
956
851
957
switch(event){
852
958
default:
853
959
case AVAHI_BROWSER_FAILURE:
920
1026
bool gpgme_initialized = false;
921
1027
float delay = 2.5f;
922
1028
923
struct sigaction old_sigterm_action;
1029
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
924
1030
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
925
1031
1032
uid = getuid();
1033
gid = getgid();
1034
1035
/* Lower any group privileges we might have, just to be safe */
1036
errno = 0;
1037
ret = setgid(gid);
1038
if(ret == -1){
1039
perror("setgid");
1040
}
1041
1042
/* Lower user privileges (temporarily) */
1043
errno = 0;
1044
ret = seteuid(uid);
1045
if(ret == -1){
1046
perror("seteuid");
1047
}
1048
1049
if(quit_now){
1050
goto end;
1051
}
1052
926
1053
{
927
1054
struct argp_option options[] = {
928
1055
{ .name = "debug", .key = 128,
1112
1239
goto end;
1113
1240
}
1114
1241
1242
/* Re-raise priviliges */
1243
errno = 0;
1244
ret = seteuid(0);
1245
if(ret == -1){
1246
perror("seteuid");
1247
}
1248
1115
1249
#ifdef __linux__
1116
1250
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1117
1251
messages to mess up the prompt */
1135
1269
}
1136
1270
}
1137
1271
#endif /* __linux__ */
1272
/* Lower privileges */
1273
errno = 0;
1274
ret = seteuid(uid);
1275
if(ret == -1){
1276
perror("seteuid");
1277
}
1138
1278
goto end;
1139
1279
}
1140
1280
strcpy(network.ifr_name, interface);
1150
1290
}
1151
1291
#endif /* __linux__ */
1152
1292
exitcode = EXIT_FAILURE;
1293
/* Lower privileges */
1294
errno = 0;
1295
ret = seteuid(uid);
1296
if(ret == -1){
1297
perror("seteuid");
1298
}
1153
1299
goto end;
1154
1300
}
1155
1301
if((network.ifr_flags & IFF_UP) == 0){
1168
1314
}
1169
1315
}
1170
1316
#endif /* __linux__ */
1317
/* Lower privileges */
1318
errno = 0;
1319
ret = seteuid(uid);
1320
if(ret == -1){
1321
perror("seteuid");
1322
}
1171
1323
goto end;
1172
1324
}
1173
1325
}
1201
1353
}
1202
1354
}
1203
1355
#endif /* __linux__ */
1204
}
1205
1206
if(quit_now){
1207
goto end;
1208
}
1209
1210
uid = getuid();
1211
gid = getgid();
1212
1213
errno = 0;
1214
setgid(gid);
1215
if(ret == -1){
1216
perror("setgid");
1217
}
1218
1219
ret = setuid(uid);
1220
if(ret == -1){
1221
perror("setuid");
1356
/* Lower privileges */
1357
errno = 0;
1358
if(take_down_interface){
1359
/* Lower privileges */
1360
ret = seteuid(uid);
1361
if(ret == -1){
1362
perror("seteuid");
1363
}
1364
} else {
1365
/* Lower privileges permanently */
1366
ret = setuid(uid);
1367
if(ret == -1){
1368
perror("setuid");
1369
}
1370
}
1222
1371
}
1223
1372
1224
1373
if(quit_now){
1398
1547
1399
1548
/* Take down the network interface */
1400
1549
if(take_down_interface){
1401
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1550
/* Re-raise priviliges */
1551
errno = 0;
1552
ret = seteuid(0);
1402
1553
if(ret == -1){
1403
perror("ioctl SIOCGIFFLAGS");
1404
} else if(network.ifr_flags & IFF_UP) {
1405
network.ifr_flags &= ~IFF_UP; /* clear flag */
1406
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1407
if(ret == -1){
1408
perror("ioctl SIOCSIFFLAGS");
1409
}
1554
perror("seteuid");
1410
1555
}
1411
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1412
if(ret == -1){
1413
perror("close");
1556
if(geteuid() == 0){
1557
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1558
if(ret == -1){
1559
perror("ioctl SIOCGIFFLAGS");
1560
} else if(network.ifr_flags & IFF_UP) {
1561
network.ifr_flags &= ~IFF_UP; /* clear flag */
1562
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1563
if(ret == -1){
1564
perror("ioctl SIOCSIFFLAGS");
1565
}
1566
}
1567
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1568
if(ret == -1){
1569
perror("close");
1570
}
1571
/* Lower privileges permanently */
1572
errno = 0;
1573
ret = setuid(uid);
1574
if(ret == -1){
1575
perror("setuid");
1576
}
1414
1577
}
1415
1578
}
1416
1579
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0