(root)/mandos/release
» Revision
237.7.369
(compared to revision 237.25.2)
: plugins.d/mandos-client.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.7.369
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.369
- Committer: Teddy Hogeborn
- Date: 2016-03-05 21:42:56 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 335.
- Revision ID: teddy@recompile.se-20160305214256-79progf0wfkd9068
Add bug reporting information to manual pages
* bugs.xml: New file.
* intro.xml (BUGS): New section; include "bugs.xml".
* mandos-clients.conf.xml (BUGS): Include "bugs.xml".
* mandos-ctl.xml (BUGS): Uncommented; include "bugs.xml".
* mandos-keygen.xml (BUGS): - '' -
* mandos-monitor.xml (BUGS): Include "bugs.xml".
* mandos.conf.xml (BUGS): - '' -
* mandos.xml (BUGS): - '' -
* plugin-runner.xml (BUGS): - '' -
* plugins.d/askpass-fifo.xml (BUGS): New section; include
"../bugs.xml".
* plugins.d/mandos-client.xml (BUGS): Uncommented; include
"../bugs.xml".
* plugins.d/password-prompt.xml (BUGS): Include "../bugs.xml".
* plugins.d/plymouth.xml (BUGS): - '' -
* plugins.d/splashy.xml (BUGS): - '' -
* plugins.d/usplash.xml (BUGS): - '' -
* bugs.xml: New file.
* intro.xml (BUGS): New section; include "bugs.xml".
* mandos-clients.conf.xml (BUGS): Include "bugs.xml".
* mandos-ctl.xml (BUGS): Uncommented; include "bugs.xml".
* mandos-keygen.xml (BUGS): - '' -
* mandos-monitor.xml (BUGS): Include "bugs.xml".
* mandos.conf.xml (BUGS): - '' -
* mandos.xml (BUGS): - '' -
* plugin-runner.xml (BUGS): - '' -
* plugins.d/askpass-fifo.xml (BUGS): New section; include
"../bugs.xml".
* plugins.d/mandos-client.xml (BUGS): Uncommented; include
"../bugs.xml".
* plugins.d/password-prompt.xml (BUGS): Include "../bugs.xml".
* plugins.d/plymouth.xml (BUGS): - '' -
* plugins.d/splashy.xml (BUGS): - '' -
* plugins.d/usplash.xml (BUGS): - '' -
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2015 Teddy Hogeborn
13
* Copyright © 2008-2015 Björn Påhlsson
12
* Copyright © 2008-2016 Teddy Hogeborn
13
* Copyright © 2008-2016 Björn Påhlsson
14
14
*
15
15
* This program is free software: you can redistribute it and/or
16
16
* modify it under the terms of the GNU General Public License as
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
47
strtof(), abort() */
48
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
49
#include <string.h> /* strcmp(), strlen(), strerror(),
50
asprintf(), strncpy() */
51
51
#include <sys/ioctl.h> /* ioctl */
52
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
53
sockaddr_in6, PF_INET6,
57
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
58
inet_pton(), connect(),
59
59
getnameinfo() */
60
#include <fcntl.h> /* open(), unlinkat() */
60
#include <fcntl.h> /* open(), unlinkat(), AT_REMOVEDIR */
61
61
#include <dirent.h> /* opendir(), struct dirent, readdir()
62
62
*/
63
63
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
64
64
strtoimax() */
65
#include <errno.h> /* perror(), errno,
65
#include <errno.h> /* perror(), errno, EINTR, EINVAL,
66
EAI_SYSTEM, ENETUNREACH,
67
EHOSTUNREACH, ECONNREFUSED, EPROTO,
68
EIO, ENOENT, ENXIO, ENOMEM, EISDIR,
69
ENOTEMPTY,
66
70
program_invocation_short_name */
67
71
#include <time.h> /* nanosleep(), time(), sleep() */
68
72
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
305
309
return false;
306
310
}
307
311
308
ret = (int)TEMP_FAILURE_RETRY(close(fd));
312
ret = close(fd);
309
313
if(ret == -1){
310
314
perror_plus("close");
311
315
}
493
497
return plaintext_length;
494
498
}
495
499
500
__attribute__((warn_unused_result, const))
501
static const char *safe_string(const char *str){
502
if(str == NULL)
503
return "(unknown)";
504
return str;
505
}
506
496
507
__attribute__((warn_unused_result))
497
508
static const char *safer_gnutls_strerror(int value){
498
509
const char *ret = gnutls_strerror(value);
499
if(ret == NULL)
500
ret = "(unknown)";
501
return ret;
510
return safe_string(ret);
502
511
}
503
512
504
513
/* GnuTLS log function callback */
508
517
fprintf_plus(stderr, "GnuTLS: %s", string);
509
518
}
510
519
511
__attribute__((nonnull, warn_unused_result))
520
__attribute__((nonnull(1, 2, 4), warn_unused_result))
512
521
static int init_gnutls_global(const char *pubkeyfilename,
513
522
const char *seckeyfilename,
523
const char *dhparamsfilename,
514
524
mandos_context *mc){
515
525
int ret;
526
unsigned int uret;
516
527
517
528
if(debug){
518
529
fprintf_plus(stderr, "Initializing GnuTLS\n");
519
530
}
520
531
521
ret = gnutls_global_init();
522
if(ret != GNUTLS_E_SUCCESS){
523
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
524
safer_gnutls_strerror(ret));
525
return -1;
526
}
527
528
532
if(debug){
529
533
/* "Use a log level over 10 to enable all debugging options."
530
534
* - GnuTLS manual
538
542
if(ret != GNUTLS_E_SUCCESS){
539
543
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
540
544
safer_gnutls_strerror(ret));
541
gnutls_global_deinit();
542
545
return -1;
543
546
}
544
547
569
572
safer_gnutls_strerror(ret));
570
573
goto globalfail;
571
574
}
572
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
573
if(ret != GNUTLS_E_SUCCESS){
574
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
575
safer_gnutls_strerror(ret));
576
goto globalfail;
577
}
578
575
/* If a Diffie-Hellman parameters file was given, try to use it */
576
if(dhparamsfilename != NULL){
577
gnutls_datum_t params = { .data = NULL, .size = 0 };
578
do {
579
int dhpfile = open(dhparamsfilename, O_RDONLY);
580
if(dhpfile == -1){
581
perror_plus("open");
582
dhparamsfilename = NULL;
583
break;
584
}
585
size_t params_capacity = 0;
586
while(true){
587
params_capacity = incbuffer((char **)¶ms.data,
588
(size_t)params.size,
589
(size_t)params_capacity);
590
if(params_capacity == 0){
591
perror_plus("incbuffer");
592
free(params.data);
593
params.data = NULL;
594
dhparamsfilename = NULL;
595
break;
596
}
597
ssize_t bytes_read = read(dhpfile,
598
params.data + params.size,
599
BUFFER_SIZE);
600
/* EOF */
601
if(bytes_read == 0){
602
break;
603
}
604
/* check bytes_read for failure */
605
if(bytes_read < 0){
606
perror_plus("read");
607
free(params.data);
608
params.data = NULL;
609
dhparamsfilename = NULL;
610
break;
611
}
612
params.size += (unsigned int)bytes_read;
613
}
614
if(params.data == NULL){
615
dhparamsfilename = NULL;
616
}
617
if(dhparamsfilename == NULL){
618
break;
619
}
620
ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
621
GNUTLS_X509_FMT_PEM);
622
if(ret != GNUTLS_E_SUCCESS){
623
fprintf_plus(stderr, "Failed to parse DH parameters in file"
624
" \"%s\": %s\n", dhparamsfilename,
625
safer_gnutls_strerror(ret));
626
dhparamsfilename = NULL;
627
}
628
} while(false);
629
}
630
if(dhparamsfilename == NULL){
631
if(mc->dh_bits == 0){
632
/* Find out the optimal number of DH bits */
633
/* Try to read the private key file */
634
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
635
do {
636
int secfile = open(seckeyfilename, O_RDONLY);
637
if(secfile == -1){
638
perror_plus("open");
639
break;
640
}
641
size_t buffer_capacity = 0;
642
while(true){
643
buffer_capacity = incbuffer((char **)&buffer.data,
644
(size_t)buffer.size,
645
(size_t)buffer_capacity);
646
if(buffer_capacity == 0){
647
perror_plus("incbuffer");
648
free(buffer.data);
649
buffer.data = NULL;
650
break;
651
}
652
ssize_t bytes_read = read(secfile,
653
buffer.data + buffer.size,
654
BUFFER_SIZE);
655
/* EOF */
656
if(bytes_read == 0){
657
break;
658
}
659
/* check bytes_read for failure */
660
if(bytes_read < 0){
661
perror_plus("read");
662
free(buffer.data);
663
buffer.data = NULL;
664
break;
665
}
666
buffer.size += (unsigned int)bytes_read;
667
}
668
close(secfile);
669
} while(false);
670
/* If successful, use buffer to parse private key */
671
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
672
if(buffer.data != NULL){
673
{
674
gnutls_openpgp_privkey_t privkey = NULL;
675
ret = gnutls_openpgp_privkey_init(&privkey);
676
if(ret != GNUTLS_E_SUCCESS){
677
fprintf_plus(stderr, "Error initializing OpenPGP key"
678
" structure: %s",
679
safer_gnutls_strerror(ret));
680
free(buffer.data);
681
buffer.data = NULL;
682
} else {
683
ret = gnutls_openpgp_privkey_import
684
(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
685
if(ret != GNUTLS_E_SUCCESS){
686
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
687
safer_gnutls_strerror(ret));
688
privkey = NULL;
689
}
690
free(buffer.data);
691
buffer.data = NULL;
692
if(privkey != NULL){
693
/* Use private key to suggest an appropriate
694
sec_param */
695
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
696
gnutls_openpgp_privkey_deinit(privkey);
697
if(debug){
698
fprintf_plus(stderr, "This OpenPGP key implies using"
699
" a GnuTLS security parameter \"%s\".\n",
700
safe_string(gnutls_sec_param_get_name
701
(sec_param)));
702
}
703
}
704
}
705
}
706
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
707
/* Err on the side of caution */
708
sec_param = GNUTLS_SEC_PARAM_ULTRA;
709
if(debug){
710
fprintf_plus(stderr, "Falling back to security parameter"
711
" \"%s\"\n",
712
safe_string(gnutls_sec_param_get_name
713
(sec_param)));
714
}
715
}
716
}
717
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
718
if(uret != 0){
719
mc->dh_bits = uret;
720
if(debug){
721
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
722
" implies %u DH bits; using that.\n",
723
safe_string(gnutls_sec_param_get_name
724
(sec_param)),
725
mc->dh_bits);
726
}
727
} else {
728
fprintf_plus(stderr, "Failed to get implied number of DH"
729
" bits for security parameter \"%s\"): %s\n",
730
safe_string(gnutls_sec_param_get_name
731
(sec_param)),
732
safer_gnutls_strerror(ret));
733
goto globalfail;
734
}
735
} else if(debug){
736
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
737
mc->dh_bits);
738
}
739
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
740
if(ret != GNUTLS_E_SUCCESS){
741
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
742
" bits): %s\n", mc->dh_bits,
743
safer_gnutls_strerror(ret));
744
goto globalfail;
745
}
746
}
579
747
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
580
748
581
749
return 0;
583
751
globalfail:
584
752
585
753
gnutls_certificate_free_credentials(mc->cred);
586
gnutls_global_deinit();
587
754
gnutls_dh_params_deinit(mc->dh_params);
588
755
return -1;
589
756
}
641
808
/* ignore client certificate if any. */
642
809
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
643
810
644
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
645
646
811
return 0;
647
812
}
648
813
652
817
653
818
/* Set effective uid to 0, return errno */
654
819
__attribute__((warn_unused_result))
655
error_t raise_privileges(void){
656
error_t old_errno = errno;
657
error_t ret_errno = 0;
820
int raise_privileges(void){
821
int old_errno = errno;
822
int ret = 0;
658
823
if(seteuid(0) == -1){
659
ret_errno = errno;
824
ret = errno;
660
825
}
661
826
errno = old_errno;
662
return ret_errno;
827
return ret;
663
828
}
664
829
665
830
/* Set effective and real user ID to 0. Return errno. */
666
831
__attribute__((warn_unused_result))
667
error_t raise_privileges_permanently(void){
668
error_t old_errno = errno;
669
error_t ret_errno = raise_privileges();
670
if(ret_errno != 0){
832
int raise_privileges_permanently(void){
833
int old_errno = errno;
834
int ret = raise_privileges();
835
if(ret != 0){
671
836
errno = old_errno;
672
return ret_errno;
837
return ret;
673
838
}
674
839
if(setuid(0) == -1){
675
ret_errno = errno;
840
ret = errno;
676
841
}
677
842
errno = old_errno;
678
return ret_errno;
843
return ret;
679
844
}
680
845
681
846
/* Set effective user ID to unprivileged saved user ID */
682
847
__attribute__((warn_unused_result))
683
error_t lower_privileges(void){
684
error_t old_errno = errno;
685
error_t ret_errno = 0;
848
int lower_privileges(void){
849
int old_errno = errno;
850
int ret = 0;
686
851
if(seteuid(uid) == -1){
687
ret_errno = errno;
852
ret = errno;
688
853
}
689
854
errno = old_errno;
690
return ret_errno;
855
return ret;
691
856
}
692
857
693
858
/* Lower privileges permanently */
694
859
__attribute__((warn_unused_result))
695
error_t lower_privileges_permanently(void){
696
error_t old_errno = errno;
697
error_t ret_errno = 0;
860
int lower_privileges_permanently(void){
861
int old_errno = errno;
862
int ret = 0;
698
863
if(setuid(uid) == -1){
699
ret_errno = errno;
864
ret = errno;
700
865
}
701
866
errno = old_errno;
702
return ret_errno;
867
return ret;
703
868
}
704
869
705
/* Helper function to add_local_route() and remove_local_route() */
870
/* Helper function to add_local_route() and delete_local_route() */
706
871
__attribute__((nonnull, warn_unused_result))
707
static bool add_remove_local_route(const bool add,
872
static bool add_delete_local_route(const bool add,
708
873
const char *address,
709
874
AvahiIfIndex if_index){
710
875
int ret;
711
876
char helper[] = "mandos-client-iprouteadddel";
712
877
char add_arg[] = "add";
713
char remove_arg[] = "remove";
878
char delete_arg[] = "delete";
879
char debug_flag[] = "--debug";
714
880
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
715
881
if(pluginhelperdir == NULL){
716
882
if(debug){
775
941
| O_DIRECTORY
776
942
| O_PATH
777
943
| O_CLOEXEC));
944
if(helperdir_fd == -1){
945
perror_plus("open");
946
_exit(EX_UNAVAILABLE);
947
}
778
948
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
779
949
helper, O_RDONLY));
780
TEMP_FAILURE_RETRY(close(helperdir_fd));
950
if(helper_fd == -1){
951
perror_plus("openat");
952
close(helperdir_fd);
953
_exit(EX_UNAVAILABLE);
954
}
955
close(helperdir_fd);
781
956
#ifdef __GNUC__
782
957
#pragma GCC diagnostic push
783
958
#pragma GCC diagnostic ignored "-Wcast-qual"
784
959
#endif
785
960
if(fexecve(helper_fd, (char *const [])
786
{ helper, add ? add_arg : remove_arg, (char *)address,
787
interface, NULL }, environ) == -1){
961
{ helper, add ? add_arg : delete_arg, (char *)address,
962
interface, debug ? debug_flag : NULL, NULL },
963
environ) == -1){
788
964
#ifdef __GNUC__
789
965
#pragma GCC diagnostic pop
790
966
#endif
842
1018
__attribute__((nonnull, warn_unused_result))
843
1019
static bool add_local_route(const char *address,
844
1020
AvahiIfIndex if_index){
845
return add_remove_local_route(true, address, if_index);
1021
if(debug){
1022
fprintf_plus(stderr, "Adding route to %s\n", address);
1023
}
1024
return add_delete_local_route(true, address, if_index);
846
1025
}
847
1026
848
1027
__attribute__((nonnull, warn_unused_result))
849
static bool remove_local_route(const char *address,
1028
static bool delete_local_route(const char *address,
850
1029
AvahiIfIndex if_index){
851
return add_remove_local_route(false, address, if_index);
1030
if(debug){
1031
fprintf_plus(stderr, "Removing route to %s\n", address);
1032
}
1033
return add_delete_local_route(false, address, if_index);
852
1034
}
853
1035
854
1036
/* Called when a Mandos server is found */
944
1126
goto mandos_end;
945
1127
}
946
1128
947
memset(&to, 0, sizeof(to));
948
1129
if(af == AF_INET6){
949
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
950
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
1130
struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;
1131
*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };
1132
ret = inet_pton(af, ip, &to6->sin6_addr);
951
1133
} else { /* IPv4 */
952
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
953
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
1134
struct sockaddr_in *to4 = (struct sockaddr_in *)&to;
1135
*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };
1136
ret = inet_pton(af, ip, &to4->sin_addr);
954
1137
}
955
1138
if(ret < 0 ){
956
1139
int e = errno;
1035
1218
sizeof(struct sockaddr_in));
1036
1219
}
1037
1220
if(ret < 0){
1038
if(errno == ENETUNREACH
1221
if(((errno == ENETUNREACH) or (errno == EHOSTUNREACH))
1039
1222
and if_index != AVAHI_IF_UNSPEC
1040
1223
and connect_to == NULL
1041
1224
and not route_added and
1057
1240
http://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1058
1241
https://bugs.debian.org/587961
1059
1242
*/
1243
if(debug){
1244
fprintf_plus(stderr, "Mandos server unreachable, trying"
1245
" direct route\n");
1246
}
1060
1247
int e = errno;
1061
1248
route_added = add_local_route(ip, if_index);
1062
1249
if(route_added){
1266
1453
mandos_end:
1267
1454
{
1268
1455
if(route_added){
1269
if(not remove_local_route(ip, if_index)){
1270
fprintf_plus(stderr, "Failed to remove local route to %s on"
1456
if(not delete_local_route(ip, if_index)){
1457
fprintf_plus(stderr, "Failed to delete local route to %s on"
1271
1458
" interface %d", ip, if_index);
1272
1459
}
1273
1460
}
1275
1462
free(decrypted_buffer);
1276
1463
free(buffer);
1277
1464
if(tcp_sd >= 0){
1278
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
1465
ret = close(tcp_sd);
1279
1466
}
1280
1467
if(ret == -1){
1281
1468
if(e == 0){
1436
1623
__attribute__((nonnull, warn_unused_result))
1437
1624
bool get_flags(const char *ifname, struct ifreq *ifr){
1438
1625
int ret;
1439
error_t ret_errno;
1626
int old_errno;
1440
1627
1441
1628
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1442
1629
if(s < 0){
1443
ret_errno = errno;
1630
old_errno = errno;
1444
1631
perror_plus("socket");
1445
errno = ret_errno;
1632
errno = old_errno;
1446
1633
return false;
1447
1634
}
1448
strcpy(ifr->ifr_name, ifname);
1635
strncpy(ifr->ifr_name, ifname, IF_NAMESIZE);
1636
ifr->ifr_name[IF_NAMESIZE-1] = '\0'; /* NUL terminate */
1449
1637
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1450
1638
if(ret == -1){
1451
1639
if(debug){
1452
ret_errno = errno;
1640
old_errno = errno;
1453
1641
perror_plus("ioctl SIOCGIFFLAGS");
1454
errno = ret_errno;
1642
errno = old_errno;
1455
1643
}
1456
1644
return false;
1457
1645
}
1721
1909
return;
1722
1910
}
1723
1911
}
1724
#ifdef __GLIBC__
1725
#if __GLIBC_PREREQ(2, 15)
1726
1912
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1727
1913
runnable_hook, alphasort);
1728
#else /* not __GLIBC_PREREQ(2, 15) */
1729
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1730
alphasort);
1731
#endif /* not __GLIBC_PREREQ(2, 15) */
1732
#else /* not __GLIBC__ */
1733
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1734
alphasort);
1735
#endif /* not __GLIBC__ */
1736
1914
if(numhooks == -1){
1737
1915
perror_plus("scandir");
1738
1916
return;
1813
1991
_exit(EX_OSERR);
1814
1992
}
1815
1993
}
1816
int hook_fd = TEMP_FAILURE_RETRY(openat(hookdir_fd,
1817
direntry->d_name,
1818
O_RDONLY));
1994
int hook_fd = (int)TEMP_FAILURE_RETRY(openat(hookdir_fd,
1995
direntry->d_name,
1996
O_RDONLY));
1819
1997
if(hook_fd == -1){
1820
1998
perror_plus("openat");
1821
1999
_exit(EXIT_FAILURE);
1822
2000
}
1823
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
2001
if(close(hookdir_fd) == -1){
1824
2002
perror_plus("close");
1825
2003
_exit(EXIT_FAILURE);
1826
2004
}
1884
2062
free(direntry);
1885
2063
}
1886
2064
free(direntries);
1887
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
2065
if(close(hookdir_fd) == -1){
1888
2066
perror_plus("close");
1889
2067
} else {
1890
2068
hookdir_fd = -1;
1893
2071
}
1894
2072
1895
2073
__attribute__((nonnull, warn_unused_result))
1896
error_t bring_up_interface(const char *const interface,
1897
const float delay){
1898
error_t old_errno = errno;
2074
int bring_up_interface(const char *const interface,
2075
const float delay){
2076
int old_errno = errno;
1899
2077
int ret;
1900
2078
struct ifreq network;
1901
2079
unsigned int if_index = if_nametoindex(interface);
1911
2089
}
1912
2090
1913
2091
if(not interface_is_up(interface)){
1914
error_t ret_errno = 0, ioctl_errno = 0;
2092
int ret_errno = 0;
2093
int ioctl_errno = 0;
1915
2094
if(not get_flags(interface, &network)){
1916
2095
ret_errno = errno;
1917
2096
fprintf_plus(stderr, "Failed to get flags for interface "
1930
2109
}
1931
2110
1932
2111
if(quit_now){
1933
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2112
ret = close(sd);
1934
2113
if(ret == -1){
1935
2114
perror_plus("close");
1936
2115
}
1986
2165
}
1987
2166
1988
2167
/* Close the socket */
1989
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2168
ret = close(sd);
1990
2169
if(ret == -1){
1991
2170
perror_plus("close");
1992
2171
}
2020
2199
}
2021
2200
2022
2201
__attribute__((nonnull, warn_unused_result))
2023
error_t take_down_interface(const char *const interface){
2024
error_t old_errno = errno;
2202
int take_down_interface(const char *const interface){
2203
int old_errno = errno;
2025
2204
struct ifreq network;
2026
2205
unsigned int if_index = if_nametoindex(interface);
2027
2206
if(if_index == 0){
2030
2209
return ENXIO;
2031
2210
}
2032
2211
if(interface_is_up(interface)){
2033
error_t ret_errno = 0, ioctl_errno = 0;
2212
int ret_errno = 0;
2213
int ioctl_errno = 0;
2034
2214
if(not get_flags(interface, &network) and debug){
2035
2215
ret_errno = errno;
2036
2216
fprintf_plus(stderr, "Failed to get flags for interface "
2074
2254
}
2075
2255
2076
2256
/* Close the socket */
2077
int ret = (int)TEMP_FAILURE_RETRY(close(sd));
2257
int ret = close(sd);
2078
2258
if(ret == -1){
2079
2259
perror_plus("close");
2080
2260
}
2095
2275
}
2096
2276
2097
2277
int main(int argc, char *argv[]){
2098
mandos_context mc = { .server = NULL, .dh_bits = 1024,
2099
.priority = "SECURE256:!CTYPE-X.509:"
2100
"+CTYPE-OPENPGP", .current_server = NULL,
2101
.interfaces = NULL, .interfaces_size = 0 };
2278
mandos_context mc = { .server = NULL, .dh_bits = 0,
2279
.priority = "SECURE256:!CTYPE-X.509"
2280
":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
2281
.current_server = NULL, .interfaces = NULL,
2282
.interfaces_size = 0 };
2102
2283
AvahiSServiceBrowser *sb = NULL;
2103
2284
error_t ret_errno;
2104
2285
int ret;
2113
2294
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2114
2295
const char *seckey = PATHDIR "/" SECKEY;
2115
2296
const char *pubkey = PATHDIR "/" PUBKEY;
2297
const char *dh_params_file = NULL;
2116
2298
char *interfaces_hooks = NULL;
2117
2299
2118
2300
bool gnutls_initialized = false;
2171
2353
.doc = "Bit length of the prime number used in the"
2172
2354
" Diffie-Hellman key exchange",
2173
2355
.group = 2 },
2356
{ .name = "dh-params", .key = 134,
2357
.arg = "FILE",
2358
.doc = "PEM-encoded PKCS#3 file with pre-generated parameters"
2359
" for the Diffie-Hellman key exchange",
2360
.group = 2 },
2174
2361
{ .name = "priority", .key = 130,
2175
2362
.arg = "STRING",
2176
2363
.doc = "GnuTLS priority string for the TLS handshake",
2231
2418
}
2232
2419
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
2233
2420
break;
2421
case 134: /* --dh-params */
2422
dh_params_file = arg;
2423
break;
2234
2424
case 130: /* --priority */
2235
2425
mc.priority = arg;
2236
2426
break;
2276
2466
.args_doc = "",
2277
2467
.doc = "Mandos client -- Get and decrypt"
2278
2468
" passwords from a Mandos server" };
2279
ret = argp_parse(&argp, argc, argv,
2280
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2281
switch(ret){
2469
ret_errno = argp_parse(&argp, argc, argv,
2470
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2471
switch(ret_errno){
2282
2472
case 0:
2283
2473
break;
2284
2474
case ENOMEM:
2285
2475
default:
2286
errno = ret;
2476
errno = ret_errno;
2287
2477
perror_plus("argp_parse");
2288
2478
exitcode = EX_OSERR;
2289
2479
goto end;
2298
2488
<http://bugs.debian.org/633582> */
2299
2489
2300
2490
/* Re-raise privileges */
2301
ret_errno = raise_privileges();
2302
if(ret_errno != 0){
2303
errno = ret_errno;
2491
ret = raise_privileges();
2492
if(ret != 0){
2493
errno = ret;
2304
2494
perror_plus("Failed to raise privileges");
2305
2495
} else {
2306
2496
struct stat st;
2322
2512
}
2323
2513
}
2324
2514
}
2325
TEMP_FAILURE_RETRY(close(seckey_fd));
2515
close(seckey_fd);
2326
2516
}
2327
2517
}
2328
2518
2343
2533
}
2344
2534
}
2345
2535
}
2346
TEMP_FAILURE_RETRY(close(pubkey_fd));
2536
close(pubkey_fd);
2537
}
2538
}
2539
2540
if(dh_params_file != NULL
2541
and strcmp(dh_params_file, PATHDIR "/dhparams.pem" ) == 0){
2542
int dhparams_fd = open(dh_params_file, O_RDONLY);
2543
if(dhparams_fd == -1){
2544
perror_plus("open");
2545
} else {
2546
ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));
2547
if(ret == -1){
2548
perror_plus("fstat");
2549
} else {
2550
if(S_ISREG(st.st_mode)
2551
and st.st_uid == 0 and st.st_gid == 0){
2552
ret = fchown(dhparams_fd, uid, gid);
2553
if(ret == -1){
2554
perror_plus("fchown");
2555
}
2556
}
2557
}
2558
close(dhparams_fd);
2347
2559
}
2348
2560
}
2349
2561
2350
2562
/* Lower privileges */
2351
ret_errno = lower_privileges();
2352
if(ret_errno != 0){
2353
errno = ret_errno;
2563
ret = lower_privileges();
2564
if(ret != 0){
2565
errno = ret;
2354
2566
perror_plus("Failed to lower privileges");
2355
2567
}
2356
2568
}
2526
2738
errno = bring_up_interface(interface, delay);
2527
2739
if(not interface_was_up){
2528
2740
if(errno != 0){
2529
perror_plus("Failed to bring up interface");
2741
fprintf_plus(stderr, "Failed to bring up interface \"%s\":"
2742
" %s\n", interface, strerror(errno));
2530
2743
} else {
2531
2744
errno = argz_add(&interfaces_to_take_down,
2532
2745
&interfaces_to_take_down_size,
2555
2768
goto end;
2556
2769
}
2557
2770
2558
ret = init_gnutls_global(pubkey, seckey, &mc);
2771
ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
2559
2772
if(ret == -1){
2560
2773
fprintf_plus(stderr, "init_gnutls_global failed\n");
2561
2774
exitcode = EX_UNAVAILABLE;
2683
2896
2684
2897
/* Allocate a new server */
2685
2898
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
2686
&config, NULL, NULL, &ret_errno);
2899
&config, NULL, NULL, &ret);
2687
2900
2688
2901
/* Free the Avahi configuration data */
2689
2902
avahi_server_config_free(&config);
2692
2905
/* Check if creating the Avahi server object succeeded */
2693
2906
if(mc.server == NULL){
2694
2907
fprintf_plus(stderr, "Failed to create Avahi server: %s\n",
2695
avahi_strerror(ret_errno));
2908
avahi_strerror(ret));
2696
2909
exitcode = EX_UNAVAILABLE;
2697
2910
goto end;
2698
2911
}
2750
2963
2751
2964
if(gnutls_initialized){
2752
2965
gnutls_certificate_free_credentials(mc.cred);
2753
gnutls_global_deinit();
2754
2966
gnutls_dh_params_deinit(mc.dh_params);
2755
2967
}
2756
2968
2779
2991
2780
2992
/* Re-raise privileges */
2781
2993
{
2782
ret_errno = raise_privileges();
2783
if(ret_errno != 0){
2784
errno = ret_errno;
2994
ret = raise_privileges();
2995
if(ret != 0){
2996
errno = ret;
2785
2997
perror_plus("Failed to raise privileges");
2786
2998
} else {
2787
2999
2795
3007
while((interface=argz_next(interfaces_to_take_down,
2796
3008
interfaces_to_take_down_size,
2797
3009
interface))){
2798
ret_errno = take_down_interface(interface);
2799
if(ret_errno != 0){
2800
errno = ret_errno;
3010
ret = take_down_interface(interface);
3011
if(ret != 0){
3012
errno = ret;
2801
3013
perror_plus("Failed to take down interface");
2802
3014
}
2803
3015
}
2808
3020
}
2809
3021
}
2810
3022
2811
ret_errno = lower_privileges_permanently();
2812
if(ret_errno != 0){
2813
errno = ret_errno;
3023
ret = lower_privileges_permanently();
3024
if(ret != 0){
3025
errno = ret;
2814
3026
perror_plus("Failed to lower privileges permanently");
2815
3027
}
2816
3028
}
2818
3030
free(interfaces_to_take_down);
2819
3031
free(interfaces_hooks);
2820
3032
3033
void clean_dir_at(int base, const char * const dirname,
3034
uintmax_t level){
3035
struct dirent **direntries = NULL;
3036
int dret;
3037
int dir_fd = (int)TEMP_FAILURE_RETRY(openat(base, dirname,
3038
O_RDONLY
3039
| O_NOFOLLOW
3040
| O_DIRECTORY
3041
| O_PATH));
3042
if(dir_fd == -1){
3043
perror_plus("open");
3044
}
3045
int numentries = scandirat(dir_fd, ".", &direntries,
3046
notdotentries, alphasort);
3047
if(numentries >= 0){
3048
for(int i = 0; i < numentries; i++){
3049
if(debug){
3050
fprintf_plus(stderr, "Unlinking \"%s/%s\"\n",
3051
dirname, direntries[i]->d_name);
3052
}
3053
dret = unlinkat(dir_fd, direntries[i]->d_name, 0);
3054
if(dret == -1){
3055
if(errno == EISDIR){
3056
dret = unlinkat(dir_fd, direntries[i]->d_name,
3057
AT_REMOVEDIR);
3058
}
3059
if((dret == -1) and (errno == ENOTEMPTY)
3060
and (strcmp(direntries[i]->d_name, "private-keys-v1.d")
3061
== 0) and (level == 0)){
3062
/* Recurse only in this special case */
3063
clean_dir_at(dir_fd, direntries[i]->d_name, level+1);
3064
dret = 0;
3065
}
3066
if(dret == -1){
3067
fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,
3068
direntries[i]->d_name, strerror(errno));
3069
}
3070
}
3071
free(direntries[i]);
3072
}
3073
3074
/* need to clean even if 0 because man page doesn't specify */
3075
free(direntries);
3076
if(numentries == -1){
3077
perror_plus("scandirat");
3078
}
3079
dret = unlinkat(base, dirname, AT_REMOVEDIR);
3080
if(dret == -1 and errno != ENOENT){
3081
perror_plus("rmdir");
3082
}
3083
} else {
3084
perror_plus("scandirat");
3085
}
3086
close(dir_fd);
3087
}
3088
2821
3089
/* Removes the GPGME temp directory and all files inside */
2822
3090
if(tempdir != NULL){
2823
struct dirent **direntries = NULL;
2824
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY
2825
| O_NOFOLLOW
2826
| O_DIRECTORY
2827
| O_PATH));
2828
if(tempdir_fd == -1){
2829
perror_plus("open");
2830
} else {
2831
#ifdef __GLIBC__
2832
#if __GLIBC_PREREQ(2, 15)
2833
int numentries = scandirat(tempdir_fd, ".", &direntries,
2834
notdotentries, alphasort);
2835
#else /* not __GLIBC_PREREQ(2, 15) */
2836
int numentries = scandir(tempdir, &direntries, notdotentries,
2837
alphasort);
2838
#endif /* not __GLIBC_PREREQ(2, 15) */
2839
#else /* not __GLIBC__ */
2840
int numentries = scandir(tempdir, &direntries, notdotentries,
2841
alphasort);
2842
#endif /* not __GLIBC__ */
2843
if(numentries >= 0){
2844
for(int i = 0; i < numentries; i++){
2845
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
2846
if(ret == -1){
2847
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
2848
" \"%s\", 0): %s\n", tempdir,
2849
direntries[i]->d_name, strerror(errno));
2850
}
2851
free(direntries[i]);
2852
}
2853
2854
/* need to clean even if 0 because man page doesn't specify */
2855
free(direntries);
2856
if(numentries == -1){
2857
perror_plus("scandir");
2858
}
2859
ret = rmdir(tempdir);
2860
if(ret == -1 and errno != ENOENT){
2861
perror_plus("rmdir");
2862
}
2863
}
2864
TEMP_FAILURE_RETRY(close(tempdir_fd));
2865
}
3091
clean_dir_at(-1, tempdir, 0);
2866
3092
}
2867
3093
2868
3094
if(quit_now){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0