9
9
* "browse_callback", and parts of "main".
11
11
* Everything else is
12
* Copyright © 2008-2014 Teddy Hogeborn
13
* Copyright © 2008-2014 Björn Påhlsson
15
* This program is free software: you can redistribute it and/or
16
* modify it under the terms of the GNU General Public License as
17
* published by the Free Software Foundation, either version 3 of the
18
* License, or (at your option) any later version.
20
* This program is distributed in the hope that it will be useful, but
12
* Copyright © 2008-2017 Teddy Hogeborn
13
* Copyright © 2008-2017 Björn Påhlsson
15
* This file is part of Mandos.
17
* Mandos is free software: you can redistribute it and/or modify it
18
* under the terms of the GNU General Public License as published by
19
* the Free Software Foundation, either version 3 of the License, or
20
* (at your option) any later version.
22
* Mandos is distributed in the hope that it will be useful, but
21
23
* WITHOUT ANY WARRANTY; without even the implied warranty of
22
24
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23
25
* General Public License for more details.
25
27
* You should have received a copy of the GNU General Public License
26
* along with this program. If not, see
27
* <http://www.gnu.org/licenses/>.
28
* along with Mandos. If not, see <http://www.gnu.org/licenses/>.
29
30
* Contact the authors at <mandos@recompile.se>.
40
41
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
42
43
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
45
#include <stdint.h> /* uint16_t, uint32_t, intptr_t */
45
46
#include <stddef.h> /* NULL, size_t, ssize_t */
46
47
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
48
strtof(), abort() */
48
49
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
50
#include <string.h> /* strcmp(), strlen(), strerror(),
51
asprintf(), strncpy(), strsignal()
51
53
#include <sys/ioctl.h> /* ioctl */
52
54
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
55
sockaddr_in6, PF_INET6,
57
59
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
60
inet_pton(), connect(),
60
#include <fcntl.h> /* open() */
62
#include <fcntl.h> /* open(), unlinkat(), AT_REMOVEDIR */
61
63
#include <dirent.h> /* opendir(), struct dirent, readdir()
63
65
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
65
#include <errno.h> /* perror(), errno,
67
#include <errno.h> /* perror(), errno, EINTR, EINVAL,
68
EAI_SYSTEM, ENETUNREACH,
69
EHOSTUNREACH, ECONNREFUSED, EPROTO,
70
EIO, ENOENT, ENXIO, ENOMEM, EISDIR,
66
72
program_invocation_short_name */
67
73
#include <time.h> /* nanosleep(), time(), sleep() */
68
74
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
497
519
fprintf_plus(stderr, "GnuTLS: %s", string);
500
__attribute__((nonnull, warn_unused_result))
522
__attribute__((nonnull(1, 2, 4), warn_unused_result))
501
523
static int init_gnutls_global(const char *pubkeyfilename,
502
524
const char *seckeyfilename,
525
const char *dhparamsfilename,
503
526
mandos_context *mc){
507
531
fprintf_plus(stderr, "Initializing GnuTLS\n");
510
ret = gnutls_global_init();
511
if(ret != GNUTLS_E_SUCCESS){
512
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
513
safer_gnutls_strerror(ret));
518
535
/* "Use a log level over 10 to enable all debugging options."
519
536
* - GnuTLS manual
558
574
safer_gnutls_strerror(ret));
561
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
562
if(ret != GNUTLS_E_SUCCESS){
563
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
564
safer_gnutls_strerror(ret));
577
/* If a Diffie-Hellman parameters file was given, try to use it */
578
if(dhparamsfilename != NULL){
579
gnutls_datum_t params = { .data = NULL, .size = 0 };
581
int dhpfile = open(dhparamsfilename, O_RDONLY);
584
dhparamsfilename = NULL;
587
size_t params_capacity = 0;
589
params_capacity = incbuffer((char **)¶ms.data,
591
(size_t)params_capacity);
592
if(params_capacity == 0){
593
perror_plus("incbuffer");
596
dhparamsfilename = NULL;
599
ssize_t bytes_read = read(dhpfile,
600
params.data + params.size,
606
/* check bytes_read for failure */
611
dhparamsfilename = NULL;
614
params.size += (unsigned int)bytes_read;
616
if(params.data == NULL){
617
dhparamsfilename = NULL;
619
if(dhparamsfilename == NULL){
622
ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
623
GNUTLS_X509_FMT_PEM);
624
if(ret != GNUTLS_E_SUCCESS){
625
fprintf_plus(stderr, "Failed to parse DH parameters in file"
626
" \"%s\": %s\n", dhparamsfilename,
627
safer_gnutls_strerror(ret));
628
dhparamsfilename = NULL;
633
if(dhparamsfilename == NULL){
634
if(mc->dh_bits == 0){
635
/* Find out the optimal number of DH bits */
636
/* Try to read the private key file */
637
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
639
int secfile = open(seckeyfilename, O_RDONLY);
644
size_t buffer_capacity = 0;
646
buffer_capacity = incbuffer((char **)&buffer.data,
648
(size_t)buffer_capacity);
649
if(buffer_capacity == 0){
650
perror_plus("incbuffer");
655
ssize_t bytes_read = read(secfile,
656
buffer.data + buffer.size,
662
/* check bytes_read for failure */
669
buffer.size += (unsigned int)bytes_read;
673
/* If successful, use buffer to parse private key */
674
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
675
if(buffer.data != NULL){
677
gnutls_openpgp_privkey_t privkey = NULL;
678
ret = gnutls_openpgp_privkey_init(&privkey);
679
if(ret != GNUTLS_E_SUCCESS){
680
fprintf_plus(stderr, "Error initializing OpenPGP key"
682
safer_gnutls_strerror(ret));
686
ret = gnutls_openpgp_privkey_import
687
(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
688
if(ret != GNUTLS_E_SUCCESS){
689
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
690
safer_gnutls_strerror(ret));
696
/* Use private key to suggest an appropriate
698
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
699
gnutls_openpgp_privkey_deinit(privkey);
701
fprintf_plus(stderr, "This OpenPGP key implies using"
702
" a GnuTLS security parameter \"%s\".\n",
703
safe_string(gnutls_sec_param_get_name
709
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
710
/* Err on the side of caution */
711
sec_param = GNUTLS_SEC_PARAM_ULTRA;
713
fprintf_plus(stderr, "Falling back to security parameter"
715
safe_string(gnutls_sec_param_get_name
720
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
724
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
725
" implies %u DH bits; using that.\n",
726
safe_string(gnutls_sec_param_get_name
731
fprintf_plus(stderr, "Failed to get implied number of DH"
732
" bits for security parameter \"%s\"): %s\n",
733
safe_string(gnutls_sec_param_get_name
735
safer_gnutls_strerror(ret));
739
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
742
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
743
if(ret != GNUTLS_E_SUCCESS){
744
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
745
" bits): %s\n", mc->dh_bits,
746
safer_gnutls_strerror(ret));
568
750
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
639
818
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
640
819
__attribute__((unused)) const char *txt){}
821
/* Set effective uid to 0, return errno */
822
__attribute__((warn_unused_result))
823
int raise_privileges(void){
824
int old_errno = errno;
826
if(seteuid(0) == -1){
833
/* Set effective and real user ID to 0. Return errno. */
834
__attribute__((warn_unused_result))
835
int raise_privileges_permanently(void){
836
int old_errno = errno;
837
int ret = raise_privileges();
849
/* Set effective user ID to unprivileged saved user ID */
850
__attribute__((warn_unused_result))
851
int lower_privileges(void){
852
int old_errno = errno;
854
if(seteuid(uid) == -1){
861
/* Lower privileges permanently */
862
__attribute__((warn_unused_result))
863
int lower_privileges_permanently(void){
864
int old_errno = errno;
866
if(setuid(uid) == -1){
873
/* Helper function to add_local_route() and delete_local_route() */
874
__attribute__((nonnull, warn_unused_result))
875
static bool add_delete_local_route(const bool add,
877
AvahiIfIndex if_index){
879
char helper[] = "mandos-client-iprouteadddel";
880
char add_arg[] = "add";
881
char delete_arg[] = "delete";
882
char debug_flag[] = "--debug";
883
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
884
if(pluginhelperdir == NULL){
886
fprintf_plus(stderr, "MANDOSPLUGINHELPERDIR environment"
887
" variable not set; cannot run helper\n");
892
char interface[IF_NAMESIZE];
893
if(if_indextoname((unsigned int)if_index, interface) == NULL){
894
perror_plus("if_indextoname");
898
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
900
perror_plus("open(\"/dev/null\", O_RDONLY)");
906
/* Raise privileges */
907
errno = raise_privileges_permanently();
909
perror_plus("Failed to raise privileges");
910
/* _exit(EX_NOPERM); */
916
perror_plus("setgid");
919
/* Reset supplementary groups */
921
ret = setgroups(0, NULL);
923
perror_plus("setgroups");
927
ret = dup2(devnull, STDIN_FILENO);
929
perror_plus("dup2(devnull, STDIN_FILENO)");
932
ret = close(devnull);
934
perror_plus("close");
937
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
939
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
942
int helperdir_fd = (int)TEMP_FAILURE_RETRY(open(pluginhelperdir,
947
if(helperdir_fd == -1){
949
_exit(EX_UNAVAILABLE);
951
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
954
perror_plus("openat");
956
_exit(EX_UNAVAILABLE);
960
#pragma GCC diagnostic push
961
#pragma GCC diagnostic ignored "-Wcast-qual"
963
if(fexecve(helper_fd, (char *const [])
964
{ helper, add ? add_arg : delete_arg, (char *)address,
965
interface, debug ? debug_flag : NULL, NULL },
968
#pragma GCC diagnostic pop
970
perror_plus("fexecve");
982
pret = waitpid(pid, &status, 0);
983
if(pret == -1 and errno == EINTR and quit_now){
984
int errno_raising = 0;
985
if((errno = raise_privileges()) != 0){
986
errno_raising = errno;
987
perror_plus("Failed to raise privileges in order to"
988
" kill helper program");
990
if(kill(pid, SIGTERM) == -1){
993
if((errno_raising == 0) and (errno = lower_privileges()) != 0){
994
perror_plus("Failed to lower privileges after killing"
999
} while(pret == -1 and errno == EINTR);
1001
perror_plus("waitpid");
1004
if(WIFEXITED(status)){
1005
if(WEXITSTATUS(status) != 0){
1006
fprintf_plus(stderr, "Error: iprouteadddel exited"
1007
" with status %d\n", WEXITSTATUS(status));
1012
if(WIFSIGNALED(status)){
1013
fprintf_plus(stderr, "Error: iprouteadddel died by"
1014
" signal %d\n", WTERMSIG(status));
1017
fprintf_plus(stderr, "Error: iprouteadddel crashed\n");
1021
__attribute__((nonnull, warn_unused_result))
1022
static bool add_local_route(const char *address,
1023
AvahiIfIndex if_index){
1025
fprintf_plus(stderr, "Adding route to %s\n", address);
1027
return add_delete_local_route(true, address, if_index);
1030
__attribute__((nonnull, warn_unused_result))
1031
static bool delete_local_route(const char *address,
1032
AvahiIfIndex if_index){
1034
fprintf_plus(stderr, "Removing route to %s\n", address);
1036
return add_delete_local_route(false, address, if_index);
642
1039
/* Called when a Mandos server is found */
643
1040
__attribute__((nonnull, warn_unused_result))
644
1041
static int start_mandos_communication(const char *ip, in_port_t port,
731
1130
goto mandos_end;
734
memset(&to, 0, sizeof(to));
735
1133
if(af == AF_INET6){
736
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
737
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
1134
struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;
1135
*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };
1136
ret = inet_pton(af, ip, &to6->sin6_addr);
738
1137
} else { /* IPv4 */
739
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
740
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
1138
struct sockaddr_in *to4 = (struct sockaddr_in *)&to;
1139
*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };
1140
ret = inet_pton(af, ip, &to4->sin_addr);
813
1213
goto mandos_end;
817
ret = connect(tcp_sd, (struct sockaddr *)&to,
818
sizeof(struct sockaddr_in6));
820
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
821
sizeof(struct sockaddr_in));
824
if((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
826
perror_plus("connect");
1218
ret = connect(tcp_sd, (struct sockaddr *)&to,
1219
sizeof(struct sockaddr_in6));
1221
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
1222
sizeof(struct sockaddr_in));
1225
if(((errno == ENETUNREACH) or (errno == EHOSTUNREACH))
1226
and if_index != AVAHI_IF_UNSPEC
1227
and connect_to == NULL
1228
and not route_added and
1229
((af == AF_INET6 and not
1230
IN6_IS_ADDR_LINKLOCAL(&(((struct sockaddr_in6 *)
1232
or (af == AF_INET and
1233
/* Not a a IPv4LL address */
1234
(ntohl(((struct sockaddr_in *)&to)->sin_addr.s_addr)
1235
& 0xFFFF0000L) != 0xA9FE0000L))){
1236
/* Work around Avahi bug - Avahi does not announce link-local
1237
addresses if it has a global address, so local hosts with
1238
*only* a link-local address (e.g. Mandos clients) cannot
1239
connect to a Mandos server announced by Avahi on a server
1240
host with a global address. Work around this by retrying
1241
with an explicit route added with the server's address.
1243
Avahi bug reference:
1244
https://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1245
https://bugs.debian.org/587961
1248
fprintf_plus(stderr, "Mandos server unreachable, trying"
1252
route_added = add_local_route(ip, if_index);
1258
if(errno != ECONNREFUSED or debug){
1260
perror_plus("connect");
837
1273
const char *out = mandos_protocol_version;
1461
/* Set effective uid to 0, return errno */
1462
__attribute__((warn_unused_result))
1463
error_t raise_privileges(void){
1464
error_t old_errno = errno;
1465
error_t ret_errno = 0;
1466
if(seteuid(0) == -1){
1468
perror_plus("seteuid");
1474
/* Set effective and real user ID to 0. Return errno. */
1475
__attribute__((warn_unused_result))
1476
error_t raise_privileges_permanently(void){
1477
error_t old_errno = errno;
1478
error_t ret_errno = raise_privileges();
1483
if(setuid(0) == -1){
1485
perror_plus("seteuid");
1491
/* Set effective user ID to unprivileged saved user ID */
1492
__attribute__((warn_unused_result))
1493
error_t lower_privileges(void){
1494
error_t old_errno = errno;
1495
error_t ret_errno = 0;
1496
if(seteuid(uid) == -1){
1498
perror_plus("seteuid");
1504
/* Lower privileges permanently */
1505
__attribute__((warn_unused_result))
1506
error_t lower_privileges_permanently(void){
1507
error_t old_errno = errno;
1508
error_t ret_errno = 0;
1509
if(setuid(uid) == -1){
1511
perror_plus("setuid");
1519
* Based on the example in the GNU LibC manual chapter 13.13 "File
1520
* Descriptor Flags".
1521
| [[info:libc:Descriptor%20Flags][File Descriptor Flags]] |
1523
__attribute__((warn_unused_result))
1524
static int set_cloexec_flag(int fd){
1525
int ret = (int)TEMP_FAILURE_RETRY(fcntl(fd, F_GETFD, 0));
1526
/* If reading the flags failed, return error indication now. */
1530
/* Store modified flag word in the descriptor. */
1531
return (int)TEMP_FAILURE_RETRY(fcntl(fd, F_SETFD,
1534
#endif /* not O_CLOEXEC */
1536
1907
__attribute__((nonnull))
1537
1908
void run_network_hooks(const char *mode, const char *interface,
1538
1909
const float delay){
1539
struct dirent **direntries;
1910
struct dirent **direntries = NULL;
1540
1911
if(hookdir_fd == -1){
1541
hookdir_fd = open(hookdir, O_RDONLY |
1544
#else /* not O_CLOEXEC */
1546
#endif /* not O_CLOEXEC */
1912
hookdir_fd = open(hookdir, O_RDONLY | O_DIRECTORY | O_PATH
1548
1914
if(hookdir_fd == -1){
1549
1915
if(errno == ENOENT){
1560
if(set_cloexec_flag(hookdir_fd) < 0){
1561
perror_plus("set_cloexec_flag");
1562
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
1563
perror_plus("close");
1569
#endif /* not O_CLOEXEC */
1572
#if __GLIBC_PREREQ(2, 15)
1573
1926
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1574
1927
runnable_hook, alphasort);
1575
#else /* not __GLIBC_PREREQ(2, 15) */
1576
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1578
#endif /* not __GLIBC_PREREQ(2, 15) */
1579
#else /* not __GLIBC__ */
1580
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1582
#endif /* not __GLIBC__ */
1583
1928
if(numhooks == -1){
1584
1929
perror_plus("scandir");
1587
1932
struct dirent *direntry;
1589
int devnull = open("/dev/null", O_RDONLY);
1934
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
1936
perror_plus("open(\"/dev/null\", O_RDONLY)");
1590
1939
for(int i = 0; i < numhooks; i++){
1591
1940
direntry = direntries[i];
1670
2005
_exit(EX_OSERR);
1673
if(fexecve(hookdir_fd, (char *const [])
1674
{ direntry->d_name, NULL }, environ) == -1){
2008
int hook_fd = (int)TEMP_FAILURE_RETRY(openat(hookdir_fd,
2012
perror_plus("openat");
2013
_exit(EXIT_FAILURE);
2015
if(close(hookdir_fd) == -1){
2016
perror_plus("close");
2017
_exit(EXIT_FAILURE);
2019
ret = dup2(devnull, STDIN_FILENO);
2021
perror_plus("dup2(devnull, STDIN_FILENO)");
2024
ret = close(devnull);
2026
perror_plus("close");
2029
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
2031
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
2034
if(fexecve(hook_fd, (char *const []){ direntry->d_name, NULL },
1675
2036
perror_plus("fexecve");
1676
2037
_exit(EXIT_FAILURE);
2041
perror_plus("fork");
1680
2046
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1681
2047
perror_plus("waitpid");
1684
2051
if(WIFEXITED(status)){
2622
3050
free(interfaces_to_take_down);
2623
3051
free(interfaces_hooks);
3053
void clean_dir_at(int base, const char * const dirname,
3055
struct dirent **direntries = NULL;
3057
int dir_fd = (int)TEMP_FAILURE_RETRY(openat(base, dirname,
3063
perror_plus("open");
3065
int numentries = scandirat(dir_fd, ".", &direntries,
3066
notdotentries, alphasort);
3067
if(numentries >= 0){
3068
for(int i = 0; i < numentries; i++){
3070
fprintf_plus(stderr, "Unlinking \"%s/%s\"\n",
3071
dirname, direntries[i]->d_name);
3073
dret = unlinkat(dir_fd, direntries[i]->d_name, 0);
3075
if(errno == EISDIR){
3076
dret = unlinkat(dir_fd, direntries[i]->d_name,
3079
if((dret == -1) and (errno == ENOTEMPTY)
3080
and (strcmp(direntries[i]->d_name, "private-keys-v1.d")
3081
== 0) and (level == 0)){
3082
/* Recurse only in this special case */
3083
clean_dir_at(dir_fd, direntries[i]->d_name, level+1);
3087
fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,
3088
direntries[i]->d_name, strerror(errno));
3091
free(direntries[i]);
3094
/* need to clean even if 0 because man page doesn't specify */
3096
if(numentries == -1){
3097
perror_plus("scandirat");
3099
dret = unlinkat(base, dirname, AT_REMOVEDIR);
3100
if(dret == -1 and errno != ENOENT){
3101
perror_plus("rmdir");
3104
perror_plus("scandirat");
2625
3109
/* Removes the GPGME temp directory and all files inside */
2626
3110
if(tempdir != NULL){
2627
struct dirent **direntries = NULL;
2628
struct dirent *direntry = NULL;
2629
int numentries = scandir(tempdir, &direntries, notdotentries,
2632
for(int i = 0; i < numentries; i++){
2633
direntry = direntries[i];
2634
char *fullname = NULL;
2635
ret = asprintf(&fullname, "%s/%s", tempdir,
2638
perror_plus("asprintf");
2641
ret = remove(fullname);
2643
fprintf_plus(stderr, "remove(\"%s\"): %s\n", fullname,
2650
/* need to clean even if 0 because man page doesn't specify */
2652
if(numentries == -1){
2653
perror_plus("scandir");
2655
ret = rmdir(tempdir);
2656
if(ret == -1 and errno != ENOENT){
2657
perror_plus("rmdir");
3111
clean_dir_at(-1, tempdir, 0);