To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.7
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.7
- Committer: Björn Påhlsson
- Date: 2008-08-02 15:47:42 UTC
- mfrom: (36 mandos)
- mto: (237.7.1 mandos) (24.1.154 mandos)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802154742-pixsom1utki8x3yo
merge
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2011 Teddy Hogeborn
13
* Copyright © 2008-2011 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@recompile.se>.
28
* Contact the authors at <mandos@fukt.bsnet.se>.
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open(), S_ISREG */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno,
66
program_invocation_short_name */
67
#include <time.h> /* nanosleep(), time(), sleep() */
68
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
69
SIOCSIFFLAGS, if_indextoname(),
70
if_nametoindex(), IF_NAMESIZE */
71
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
72
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
73
*/
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
getuid(), getgid(), seteuid(),
76
setgid(), pause() */
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
78
#include <iso646.h> /* not, or, and */
79
#include <argp.h> /* struct argp_option, error_t, struct
80
argp_state, struct argp,
81
argp_parse(), ARGP_KEY_ARG,
82
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
83
#include <signal.h> /* sigemptyset(), sigaddset(),
84
sigaction(), SIGTERM, sig_atomic_t,
85
raise() */
86
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
87
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
88
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
89
WEXITSTATUS(), WTERMSIG() */
90
91
#ifdef __linux__
92
#include <sys/klog.h> /* klogctl() */
93
#endif /* __linux__ */
94
95
/* Avahi */
96
/* All Avahi types, constants and functions
97
Avahi*, avahi_*,
98
AVAHI_* */
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
99
43
#include <avahi-core/core.h>
100
44
#include <avahi-core/lookup.h>
101
45
#include <avahi-core/log.h>
103
47
#include <avahi-common/malloc.h>
104
48
#include <avahi-common/error.h>
105
49
106
/* GnuTLS */
107
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
108
functions:
109
gnutls_*
110
init_gnutls_session(),
111
GNUTLS_* */
112
#include <gnutls/openpgp.h>
113
/* gnutls_certificate_set_openpgp_key_file(),
114
GNUTLS_OPENPGP_FMT_BASE64 */
115
116
/* GPGME */
117
#include <gpgme.h> /* All GPGME types, constants and
118
functions:
119
gpgme_*
120
GPGME_PROTOCOL_OpenPGP,
121
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
122
70
123
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
124
73
125
#define PATHDIR "/conf/conf.d/mandos"
126
#define SECKEY "seckey.txt"
127
#define PUBKEY "pubkey.txt"
128
#define HOOKDIR "/lib/mandos/network-hooks.d"
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
129
77
130
78
bool debug = false;
131
static const char mandos_protocol_version[] = "1";
132
const char *argp_program_version = "mandos-client " VERSION;
133
const char *argp_program_bug_address = "<mandos@recompile.se>";
134
static const char sys_class_net[] = "/sys/class/net";
135
char *connect_to = NULL;
136
const char *hookdir = HOOKDIR;
137
138
/* Doubly linked list that need to be circularly linked when used */
139
typedef struct server{
140
const char *ip;
141
uint16_t port;
142
AvahiIfIndex if_index;
143
int af;
144
struct timespec last_seen;
145
struct server *next;
146
struct server *prev;
147
} server;
148
149
/* Used for passing in values through the Avahi callback functions */
79
150
80
typedef struct {
151
AvahiSimplePoll *simple_poll;
152
AvahiServer *server;
81
gnutls_session_t session;
153
82
gnutls_certificate_credentials_t cred;
154
unsigned int dh_bits;
155
83
gnutls_dh_params_t dh_params;
156
const char *priority;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
157
91
gpgme_ctx_t ctx;
158
server *current_server;
159
} mandos_context;
160
161
/* global context so signal handler can reach it*/
162
mandos_context mc = { .simple_poll = NULL, .server = NULL,
163
.dh_bits = 1024, .priority = "SECURE256"
164
":!CTYPE-X.509:+CTYPE-OPENPGP",
165
.current_server = NULL };
166
167
sig_atomic_t quit_now = 0;
168
int signal_received = 0;
169
170
/* Function to use when printing errors */
171
void perror_plus(const char *print_text){
172
fprintf(stderr, "Mandos plugin %s: ",
173
program_invocation_short_name);
174
perror(print_text);
175
}
176
177
/*
178
* Make additional room in "buffer" for at least BUFFER_SIZE more
179
* bytes. "buffer_capacity" is how much is currently allocated,
180
* "buffer_length" is how much is already used.
181
*/
182
size_t incbuffer(char **buffer, size_t buffer_length,
183
size_t buffer_capacity){
184
if(buffer_length + BUFFER_SIZE > buffer_capacity){
185
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
186
if(buffer == NULL){
187
return 0;
188
}
189
buffer_capacity += BUFFER_SIZE;
190
}
191
return buffer_capacity;
192
}
193
194
/* Add server to set of servers to retry periodically */
195
int add_server(const char *ip, uint16_t port, AvahiIfIndex if_index,
196
int af){
197
int ret;
198
server *new_server = malloc(sizeof(server));
199
if(new_server == NULL){
200
perror_plus("malloc");
201
return -1;
202
}
203
*new_server = (server){ .ip = strdup(ip),
204
.port = port,
205
.if_index = if_index,
206
.af = af };
207
if(new_server->ip == NULL){
208
perror_plus("strdup");
209
return -1;
210
}
211
/* Special case of first server */
212
if (mc.current_server == NULL){
213
new_server->next = new_server;
214
new_server->prev = new_server;
215
mc.current_server = new_server;
216
/* Place the new server last in the list */
217
} else {
218
new_server->next = mc.current_server;
219
new_server->prev = mc.current_server->prev;
220
new_server->prev->next = new_server;
221
mc.current_server->prev = new_server;
222
}
223
ret = clock_gettime(CLOCK_MONOTONIC, &mc.current_server->last_seen);
224
if(ret == -1){
225
perror_plus("clock_gettime");
226
return -1;
227
}
228
return 0;
229
}
230
231
/*
232
* Initialize GPGME.
233
*/
234
static bool init_gpgme(const char *seckey, const char *pubkey,
235
const char *tempdir){
236
92
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
237
96
gpgme_engine_info_t engine_info;
238
239
240
/*
241
* Helper function to insert pub and seckey to the engine keyring.
242
*/
243
bool import_key(const char *filename){
244
int ret;
245
int fd;
246
gpgme_data_t pgp_data;
247
248
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
249
if(fd == -1){
250
perror_plus("open");
251
return false;
252
}
253
254
rc = gpgme_data_new_from_fd(&pgp_data, fd);
255
if(rc != GPG_ERR_NO_ERROR){
256
fprintf(stderr, "Mandos plugin mandos-client: "
257
"bad gpgme_data_new_from_fd: %s: %s\n",
258
gpgme_strsource(rc), gpgme_strerror(rc));
259
return false;
260
}
261
262
rc = gpgme_op_import(mc.ctx, pgp_data);
263
if(rc != GPG_ERR_NO_ERROR){
264
fprintf(stderr, "Mandos plugin mandos-client: "
265
"bad gpgme_op_import: %s: %s\n",
266
gpgme_strsource(rc), gpgme_strerror(rc));
267
return false;
268
}
269
270
ret = (int)TEMP_FAILURE_RETRY(close(fd));
271
if(ret == -1){
272
perror_plus("close");
273
}
274
gpgme_data_release(pgp_data);
275
return true;
276
}
277
278
if(debug){
279
fprintf(stderr, "Mandos plugin mandos-client: "
280
"Initializing GPGME\n");
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
281
100
}
282
101
283
102
/* Init GPGME */
284
103
gpgme_check_version(NULL);
285
104
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
286
if(rc != GPG_ERR_NO_ERROR){
287
fprintf(stderr, "Mandos plugin mandos-client: "
288
"bad gpgme_engine_check_version: %s: %s\n",
105
if (rc != GPG_ERR_NO_ERROR){
106
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
289
107
gpgme_strsource(rc), gpgme_strerror(rc));
290
return false;
108
return -1;
291
109
}
292
110
293
/* Set GPGME home directory for the OpenPGP engine only */
294
rc = gpgme_get_engine_info(&engine_info);
295
if(rc != GPG_ERR_NO_ERROR){
296
fprintf(stderr, "Mandos plugin mandos-client: "
297
"bad gpgme_get_engine_info: %s: %s\n",
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
298
115
gpgme_strsource(rc), gpgme_strerror(rc));
299
return false;
116
return -1;
300
117
}
301
118
while(engine_info != NULL){
302
119
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
303
120
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
304
engine_info->file_name, tempdir);
121
engine_info->file_name, homedir);
305
122
break;
306
123
}
307
124
engine_info = engine_info->next;
308
125
}
309
126
if(engine_info == NULL){
310
fprintf(stderr, "Mandos plugin mandos-client: "
311
"Could not set GPGME home dir to %s\n", tempdir);
312
return false;
313
}
314
315
/* Create new GPGME "context" */
316
rc = gpgme_new(&(mc.ctx));
317
if(rc != GPG_ERR_NO_ERROR){
318
fprintf(stderr, "Mandos plugin mandos-client: "
319
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
320
gpgme_strerror(rc));
321
return false;
322
}
323
324
if(not import_key(pubkey) or not import_key(seckey)){
325
return false;
326
}
327
328
return true;
329
}
330
331
/*
332
* Decrypt OpenPGP data.
333
* Returns -1 on error
334
*/
335
static ssize_t pgp_packet_decrypt(const char *cryptotext,
336
size_t crypto_size,
337
char **plaintext){
338
gpgme_data_t dh_crypto, dh_plain;
339
gpgme_error_t rc;
340
ssize_t ret;
341
size_t plaintext_capacity = 0;
342
ssize_t plaintext_length = 0;
343
344
if(debug){
345
fprintf(stderr, "Mandos plugin mandos-client: "
346
"Trying to decrypt OpenPGP data\n");
347
}
348
349
/* Create new GPGME data buffer from memory cryptotext */
350
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
351
0);
352
if(rc != GPG_ERR_NO_ERROR){
353
fprintf(stderr, "Mandos plugin mandos-client: "
354
"bad gpgme_data_new_from_mem: %s: %s\n",
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
355
135
gpgme_strsource(rc), gpgme_strerror(rc));
356
136
return -1;
357
137
}
358
138
359
139
/* Create new empty GPGME data buffer for the plaintext */
360
140
rc = gpgme_data_new(&dh_plain);
361
if(rc != GPG_ERR_NO_ERROR){
362
fprintf(stderr, "Mandos plugin mandos-client: "
363
"bad gpgme_data_new: %s: %s\n",
364
gpgme_strsource(rc), gpgme_strerror(rc));
365
gpgme_data_release(dh_crypto);
366
return -1;
367
}
368
369
/* Decrypt data from the cryptotext data buffer to the plaintext
370
data buffer */
371
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
372
if(rc != GPG_ERR_NO_ERROR){
373
fprintf(stderr, "Mandos plugin mandos-client: "
374
"bad gpgme_op_decrypt: %s: %s\n",
375
gpgme_strsource(rc), gpgme_strerror(rc));
376
plaintext_length = -1;
377
if(debug){
378
gpgme_decrypt_result_t result;
379
result = gpgme_op_decrypt_result(mc.ctx);
380
if(result == NULL){
381
fprintf(stderr, "Mandos plugin mandos-client: "
382
"gpgme_op_decrypt_result failed\n");
383
} else {
384
fprintf(stderr, "Mandos plugin mandos-client: "
385
"Unsupported algorithm: %s\n",
386
result->unsupported_algorithm);
387
fprintf(stderr, "Mandos plugin mandos-client: "
388
"Wrong key usage: %u\n",
389
result->wrong_key_usage);
390
if(result->file_name != NULL){
391
fprintf(stderr, "Mandos plugin mandos-client: "
392
"File name: %s\n", result->file_name);
393
}
394
gpgme_recipient_t recipient;
395
recipient = result->recipients;
141
if (rc != GPG_ERR_NO_ERROR){
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
143
gpgme_strsource(rc), gpgme_strerror(rc));
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
160
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
162
}
163
164
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
396
184
while(recipient != NULL){
397
fprintf(stderr, "Mandos plugin mandos-client: "
398
"Public key algorithm: %s\n",
185
fprintf(stderr, "Public key algorithm: %s\n",
399
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
400
fprintf(stderr, "Mandos plugin mandos-client: "
401
"Key ID: %s\n", recipient->keyid);
402
fprintf(stderr, "Mandos plugin mandos-client: "
403
"Secret key available: %s\n",
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
404
189
recipient->status == GPG_ERR_NO_SECKEY
405
190
? "No" : "Yes");
406
191
recipient = recipient->next;
407
192
}
408
193
}
409
194
}
410
goto decrypt_end;
411
195
}
412
196
413
if(debug){
414
fprintf(stderr, "Mandos plugin mandos-client: "
415
"Decryption of OpenPGP data succeeded\n");
416
}
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
417
199
418
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
419
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
420
perror_plus("gpgme_data_seek");
421
plaintext_length = -1;
422
goto decrypt_end;
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
423
203
}
424
204
425
*plaintext = NULL;
205
*new_packet = 0;
426
206
while(true){
427
plaintext_capacity = incbuffer(plaintext,
428
(size_t)plaintext_length,
429
plaintext_capacity);
430
if(plaintext_capacity == 0){
431
perror_plus("incbuffer");
432
plaintext_length = -1;
433
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
434
216
}
435
217
436
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
437
219
BUFFER_SIZE);
438
220
/* Print the data, if any */
439
if(ret == 0){
440
/* EOF */
221
if (ret == 0){
441
222
break;
442
223
}
443
224
if(ret < 0){
444
perror_plus("gpgme_data_read");
445
plaintext_length = -1;
446
goto decrypt_end;
447
}
448
plaintext_length += ret;
449
}
450
451
if(debug){
452
fprintf(stderr, "Mandos plugin mandos-client: "
453
"Decrypted password is: ");
454
for(ssize_t i = 0; i < plaintext_length; i++){
455
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
456
}
457
fprintf(stderr, "\n");
458
}
459
460
decrypt_end:
461
462
/* Delete the GPGME cryptotext data buffer */
463
gpgme_data_release(dh_crypto);
225
perror("gpgme_data_read");
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
464
238
465
239
/* Delete the GPGME plaintext data buffer */
466
240
gpgme_data_release(dh_plain);
467
return plaintext_length;
241
return new_packet_length;
468
242
}
469
243
470
static const char * safer_gnutls_strerror(int value){
471
const char *ret = gnutls_strerror(value); /* Spurious warning from
472
-Wunreachable-code */
473
if(ret == NULL)
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
474
247
ret = "(unknown)";
475
248
return ret;
476
249
}
477
250
478
/* GnuTLS log function callback */
479
251
static void debuggnutls(__attribute__((unused)) int level,
480
252
const char* string){
481
fprintf(stderr, "Mandos plugin mandos-client: GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
482
254
}
483
255
484
static int init_gnutls_global(const char *pubkeyfilename,
485
const char *seckeyfilename){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
486
258
int ret;
487
259
488
260
if(debug){
489
fprintf(stderr, "Mandos plugin mandos-client: "
490
"Initializing GnuTLS\n");
261
fprintf(stderr, "Initializing GnuTLS\n");
491
262
}
492
493
ret = gnutls_global_init();
494
if(ret != GNUTLS_E_SUCCESS){
495
fprintf(stderr, "Mandos plugin mandos-client: "
496
"GnuTLS global_init: %s\n", safer_gnutls_strerror(ret));
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
497
267
return -1;
498
268
}
499
500
if(debug){
501
/* "Use a log level over 10 to enable all debugging options."
502
* - GnuTLS manual
503
*/
269
270
if (debug){
504
271
gnutls_global_set_log_level(11);
505
272
gnutls_global_set_log_function(debuggnutls);
506
273
}
507
274
508
/* OpenPGP credentials */
509
ret = gnutls_certificate_allocate_credentials(&mc.cred);
510
if(ret != GNUTLS_E_SUCCESS){
511
fprintf(stderr, "Mandos plugin mandos-client: "
512
"GnuTLS memory error: %s\n", safer_gnutls_strerror(ret));
513
gnutls_global_deinit();
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
514
280
return -1;
515
281
}
516
282
517
283
if(debug){
518
fprintf(stderr, "Mandos plugin mandos-client: "
519
"Attempting to use OpenPGP public key %s and"
520
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
521
seckeyfilename);
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
522
287
}
523
288
524
289
ret = gnutls_certificate_set_openpgp_key_file
525
(mc.cred, pubkeyfilename, seckeyfilename,
526
GNUTLS_OPENPGP_FMT_BASE64);
527
if(ret != GNUTLS_E_SUCCESS){
528
fprintf(stderr,
529
"Mandos plugin mandos-client: "
530
"Error[%d] while reading the OpenPGP key pair ('%s',"
531
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
532
fprintf(stderr, "Mandos plugin mandos-client: "
533
"The GnuTLS error is: %s\n", safer_gnutls_strerror(ret));
534
goto globalfail;
535
}
536
537
/* GnuTLS server initialization */
538
ret = gnutls_dh_params_init(&mc.dh_params);
539
if(ret != GNUTLS_E_SUCCESS){
540
fprintf(stderr, "Mandos plugin mandos-client: "
541
"Error in GnuTLS DH parameter initialization:"
542
" %s\n", safer_gnutls_strerror(ret));
543
goto globalfail;
544
}
545
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
546
if(ret != GNUTLS_E_SUCCESS){
547
fprintf(stderr, "Mandos plugin mandos-client: "
548
"Error in GnuTLS prime generation: %s\n",
549
safer_gnutls_strerror(ret));
550
goto globalfail;
551
}
552
553
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
554
555
return 0;
556
557
globalfail:
558
559
gnutls_certificate_free_credentials(mc.cred);
560
gnutls_global_deinit();
561
gnutls_dh_params_deinit(mc.dh_params);
562
return -1;
563
}
564
565
static int init_gnutls_session(gnutls_session_t *session){
566
int ret;
567
/* GnuTLS session creation */
568
do {
569
ret = gnutls_init(session, GNUTLS_SERVER);
570
if(quit_now){
571
return -1;
572
}
573
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
574
if(ret != GNUTLS_E_SUCCESS){
575
fprintf(stderr, "Mandos plugin mandos-client: "
576
"Error in GnuTLS session initialization: %s\n",
577
safer_gnutls_strerror(ret));
578
}
579
580
{
581
const char *err;
582
do {
583
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
584
if(quit_now){
585
gnutls_deinit(*session);
586
return -1;
587
}
588
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
589
if(ret != GNUTLS_E_SUCCESS){
590
fprintf(stderr, "Mandos plugin mandos-client: "
591
"Syntax error at: %s\n", err);
592
fprintf(stderr, "Mandos plugin mandos-client: "
593
"GnuTLS error: %s\n", safer_gnutls_strerror(ret));
594
gnutls_deinit(*session);
595
return -1;
596
}
597
}
598
599
do {
600
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
601
mc.cred);
602
if(quit_now){
603
gnutls_deinit(*session);
604
return -1;
605
}
606
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
607
if(ret != GNUTLS_E_SUCCESS){
608
fprintf(stderr, "Mandos plugin mandos-client: "
609
"Error setting GnuTLS credentials: %s\n",
610
safer_gnutls_strerror(ret));
611
gnutls_deinit(*session);
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
322
safer_gnutls_strerror(ret));
323
}
324
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
331
}
332
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
337
safer_gnutls_strerror(ret));
612
338
return -1;
613
339
}
614
340
615
341
/* ignore client certificate if any. */
616
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
617
344
618
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
619
346
620
347
return 0;
621
348
}
622
349
623
/* Avahi log function callback */
624
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
625
351
__attribute__((unused)) const char *txt){}
626
352
627
/* Called when a Mandos server is found */
628
353
static int start_mandos_communication(const char *ip, uint16_t port,
629
AvahiIfIndex if_index,
630
int af){
631
int ret, tcp_sd = -1;
632
ssize_t sret;
633
union {
634
struct sockaddr_in in;
635
struct sockaddr_in6 in6;
636
} to;
354
AvahiIfIndex if_index){
355
int ret, tcp_sd;
356
struct sockaddr_in6 to;
357
encrypted_session es;
637
358
char *buffer = NULL;
638
char *decrypted_buffer = NULL;
359
char *decrypted_buffer;
639
360
size_t buffer_length = 0;
640
361
size_t buffer_capacity = 0;
641
size_t written;
642
int retval = -1;
643
gnutls_session_t session;
644
int pf; /* Protocol family */
645
646
errno = 0;
647
648
if(quit_now){
649
errno = EINTR;
650
return -1;
651
}
652
653
switch(af){
654
case AF_INET6:
655
pf = PF_INET6;
656
break;
657
case AF_INET:
658
pf = PF_INET;
659
break;
660
default:
661
fprintf(stderr, "Mandos plugin mandos-client: "
662
"Bad address family: %d\n", af);
663
errno = EINVAL;
664
return -1;
665
}
666
667
ret = init_gnutls_session(&session);
668
if(ret != 0){
669
return -1;
670
}
671
672
if(debug){
673
fprintf(stderr, "Mandos plugin mandos-client: "
674
"Setting up a TCP connection to %s, port %" PRIu16
675
"\n", ip, port);
676
}
677
678
tcp_sd = socket(pf, SOCK_STREAM, 0);
679
if(tcp_sd < 0){
680
int e = errno;
681
perror_plus("socket");
682
errno = e;
683
goto mandos_end;
684
}
685
686
if(quit_now){
687
errno = EINTR;
688
goto mandos_end;
689
}
690
691
memset(&to, 0, sizeof(to));
692
if(af == AF_INET6){
693
to.in6.sin6_family = (sa_family_t)af;
694
ret = inet_pton(af, ip, &to.in6.sin6_addr);
695
} else { /* IPv4 */
696
to.in.sin_family = (sa_family_t)af;
697
ret = inet_pton(af, ip, &to.in.sin_addr);
698
}
699
if(ret < 0 ){
700
int e = errno;
701
perror_plus("inet_pton");
702
errno = e;
703
goto mandos_end;
704
}
362
ssize_t decrypted_buffer_size;
363
size_t written = 0;
364
int retval = 0;
365
char interface[IF_NAMESIZE];
366
367
if(debug){
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
370
}
371
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
if(tcp_sd < 0) {
374
perror("socket");
375
return -1;
376
}
377
378
if(debug){
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
if(debug){
381
perror("if_indextoname");
382
}
383
return -1;
384
}
385
386
fprintf(stderr, "Binding to interface %s\n", interface);
387
}
388
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
393
perror("inet_pton");
394
return -1;
395
}
705
396
if(ret == 0){
706
int e = errno;
707
fprintf(stderr, "Mandos plugin mandos-client: "
708
"Bad address: %s\n", ip);
709
errno = e;
710
goto mandos_end;
711
}
712
if(af == AF_INET6){
713
to.in6.sin6_port = htons(port); /* Spurious warnings from
714
-Wconversion and
715
-Wunreachable-code */
716
717
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
718
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
719
-Wunreachable-code*/
720
if(if_index == AVAHI_IF_UNSPEC){
721
fprintf(stderr, "Mandos plugin mandos-client: "
722
"An IPv6 link-local address is incomplete"
723
" without a network interface\n");
724
errno = EINVAL;
725
goto mandos_end;
726
}
727
/* Set the network interface number as scope */
728
to.in6.sin6_scope_id = (uint32_t)if_index;
729
}
730
} else {
731
to.in.sin_port = htons(port); /* Spurious warnings from
732
-Wconversion and
733
-Wunreachable-code */
734
}
735
736
if(quit_now){
737
errno = EINTR;
738
goto mandos_end;
739
}
740
741
if(debug){
742
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
743
char interface[IF_NAMESIZE];
744
if(if_indextoname((unsigned int)if_index, interface) == NULL){
745
perror_plus("if_indextoname");
746
} else {
747
fprintf(stderr, "Mandos plugin mandos-client: "
748
"Connection to: %s%%%s, port %" PRIu16 "\n",
749
ip, interface, port);
750
}
751
} else {
752
fprintf(stderr, "Mandos plugin mandos-client: "
753
"Connection to: %s, port %" PRIu16 "\n", ip, port);
754
}
755
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
756
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
757
const char *pcret;
758
if(af == AF_INET6){
759
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
760
sizeof(addrstr));
761
} else {
762
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
763
sizeof(addrstr));
764
}
765
if(pcret == NULL){
766
perror_plus("inet_ntop");
767
} else {
768
if(strcmp(addrstr, ip) != 0){
769
fprintf(stderr, "Mandos plugin mandos-client: "
770
"Canonical address form: %s\n", addrstr);
771
}
772
}
773
}
774
775
if(quit_now){
776
errno = EINTR;
777
goto mandos_end;
778
}
779
780
if(af == AF_INET6){
781
ret = connect(tcp_sd, &to.in6, sizeof(to));
782
} else {
783
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
784
}
785
if(ret < 0){
786
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
787
int e = errno;
788
perror_plus("connect");
789
errno = e;
790
}
791
goto mandos_end;
792
}
793
794
if(quit_now){
795
errno = EINTR;
796
goto mandos_end;
797
}
798
799
const char *out = mandos_protocol_version;
800
written = 0;
801
while(true){
802
size_t out_size = strlen(out);
803
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
804
out_size - written));
805
if(ret == -1){
806
int e = errno;
807
perror_plus("write");
808
errno = e;
809
goto mandos_end;
810
}
811
written += (size_t)ret;
812
if(written < out_size){
813
continue;
814
} else {
815
if(out == mandos_protocol_version){
816
written = 0;
817
out = "\r\n";
818
} else {
819
break;
820
}
821
}
822
823
if(quit_now){
824
errno = EINTR;
825
goto mandos_end;
826
}
827
}
828
829
if(debug){
830
fprintf(stderr, "Mandos plugin mandos-client: "
831
"Establishing TLS session with %s\n", ip);
832
}
833
834
if(quit_now){
835
errno = EINTR;
836
goto mandos_end;
837
}
838
839
/* Spurious warning from -Wint-to-pointer-cast */
840
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
841
842
if(quit_now){
843
errno = EINTR;
844
goto mandos_end;
845
}
846
847
do {
848
ret = gnutls_handshake(session);
849
if(quit_now){
850
errno = EINTR;
851
goto mandos_end;
852
}
853
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
854
855
if(ret != GNUTLS_E_SUCCESS){
397
fprintf(stderr, "Bad address: %s\n", ip);
398
return -1;
399
}
400
to.sin6_port = htons(port); /* Spurious warning */
401
402
to.sin6_scope_id = (uint32_t)if_index;
403
404
if(debug){
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
414
}
415
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
417
if (ret < 0){
418
perror("connect");
419
return -1;
420
}
421
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
426
}
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
431
if(debug){
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
433
}
434
435
ret = gnutls_handshake (es.session);
436
437
if (ret != GNUTLS_E_SUCCESS){
856
438
if(debug){
857
fprintf(stderr, "Mandos plugin mandos-client: "
858
"*** GnuTLS Handshake failed ***\n");
859
gnutls_perror(ret);
439
fprintf(stderr, "\n*** Handshake failed ***\n");
440
gnutls_perror (ret);
860
441
}
861
errno = EPROTO;
862
goto mandos_end;
442
retval = -1;
443
goto exit;
863
444
}
864
445
865
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
866
447
867
448
if(debug){
868
fprintf(stderr, "Mandos plugin mandos-client: "
869
"Retrieving OpenPGP encrypted password from %s\n", ip);
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
450
ip);
870
451
}
871
452
872
453
while(true){
873
874
if(quit_now){
875
errno = EINTR;
876
goto mandos_end;
877
}
878
879
buffer_capacity = incbuffer(&buffer, buffer_length,
880
buffer_capacity);
881
if(buffer_capacity == 0){
882
int e = errno;
883
perror_plus("incbuffer");
884
errno = e;
885
goto mandos_end;
886
}
887
888
if(quit_now){
889
errno = EINTR;
890
goto mandos_end;
891
}
892
893
sret = gnutls_record_recv(session, buffer+buffer_length,
894
BUFFER_SIZE);
895
if(sret == 0){
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
461
}
462
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
465
if (ret == 0){
896
466
break;
897
467
}
898
if(sret < 0){
899
switch(sret){
468
if (ret < 0){
469
switch(ret){
900
470
case GNUTLS_E_INTERRUPTED:
901
471
case GNUTLS_E_AGAIN:
902
472
break;
903
473
case GNUTLS_E_REHANDSHAKE:
904
do {
905
ret = gnutls_handshake(session);
906
907
if(quit_now){
908
errno = EINTR;
909
goto mandos_end;
910
}
911
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
912
if(ret < 0){
913
fprintf(stderr, "Mandos plugin mandos-client: "
914
"*** GnuTLS Re-handshake failed ***\n");
915
gnutls_perror(ret);
916
errno = EPROTO;
917
goto mandos_end;
474
ret = gnutls_handshake (es.session);
475
if (ret < 0){
476
fprintf(stderr, "\n*** Handshake failed ***\n");
477
gnutls_perror (ret);
478
retval = -1;
479
goto exit;
918
480
}
919
481
break;
920
482
default:
921
fprintf(stderr, "Mandos plugin mandos-client: "
922
"Unknown error while reading data from"
923
" encrypted session with Mandos server\n");
924
gnutls_bye(session, GNUTLS_SHUT_RDWR);
925
errno = EIO;
926
goto mandos_end;
483
fprintf(stderr, "Unknown error while reading data from"
484
" encrypted session with mandos server\n");
485
retval = -1;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
927
488
}
928
489
} else {
929
buffer_length += (size_t) sret;
930
}
931
}
932
933
if(debug){
934
fprintf(stderr, "Mandos plugin mandos-client: "
935
"Closing TLS session\n");
936
}
937
938
if(quit_now){
939
errno = EINTR;
940
goto mandos_end;
941
}
942
943
do {
944
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
945
if(quit_now){
946
errno = EINTR;
947
goto mandos_end;
948
}
949
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
950
951
if(buffer_length > 0){
952
ssize_t decrypted_buffer_size;
953
decrypted_buffer_size = pgp_packet_decrypt(buffer, buffer_length,
954
&decrypted_buffer);
955
if(decrypted_buffer_size >= 0){
956
957
written = 0;
490
buffer_length += (size_t) ret;
491
}
492
}
493
494
if (buffer_length > 0){
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
496
buffer_length,
497
&decrypted_buffer,
498
certdir);
499
if (decrypted_buffer_size >= 0){
958
500
while(written < (size_t) decrypted_buffer_size){
959
if(quit_now){
960
errno = EINTR;
961
goto mandos_end;
962
}
963
964
ret = (int)fwrite(decrypted_buffer + written, 1,
965
(size_t)decrypted_buffer_size - written,
966
stdout);
501
ret = (int)fwrite (decrypted_buffer + written, 1,
502
(size_t)decrypted_buffer_size - written,
503
stdout);
967
504
if(ret == 0 and ferror(stdout)){
968
int e = errno;
969
505
if(debug){
970
fprintf(stderr, "Mandos plugin mandos-client: "
971
"Error writing encrypted data: %s\n",
506
fprintf(stderr, "Error writing encrypted data: %s\n",
972
507
strerror(errno));
973
508
}
974
errno = e;
975
goto mandos_end;
509
retval = -1;
510
break;
976
511
}
977
512
written += (size_t)ret;
978
513
}
979
retval = 0;
980
}
981
}
982
983
/* Shutdown procedure */
984
985
mandos_end:
986
{
987
int e = errno;
988
free(decrypted_buffer);
989
free(buffer);
990
if(tcp_sd >= 0){
991
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
992
}
993
if(ret == -1){
994
if(e == 0){
995
e = errno;
996
}
997
perror_plus("close");
998
}
999
gnutls_deinit(session);
1000
errno = e;
1001
if(quit_now){
1002
errno = EINTR;
514
free(decrypted_buffer);
515
} else {
1003
516
retval = -1;
1004
517
}
1005
518
}
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
526
free(buffer);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
529
close(tcp_sd);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
532
gnutls_global_deinit ();
1006
533
return retval;
1007
534
}
1008
535
1009
static void resolve_callback(AvahiSServiceResolver *r,
1010
AvahiIfIndex interface,
1011
AvahiProtocol proto,
1012
AvahiResolverEvent event,
1013
const char *name,
1014
const char *type,
1015
const char *domain,
1016
const char *host_name,
1017
const AvahiAddress *address,
1018
uint16_t port,
1019
AVAHI_GCC_UNUSED AvahiStringList *txt,
1020
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1021
flags,
1022
AVAHI_GCC_UNUSED void* userdata){
1023
assert(r);
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
554
assert(r); /* Spurious warning */
1024
555
1025
556
/* Called whenever a service has been resolved successfully or
1026
557
timed out */
1027
558
1028
if(quit_now){
1029
return;
1030
}
1031
1032
switch(event){
559
switch (event) {
1033
560
default:
1034
561
case AVAHI_RESOLVER_FAILURE:
1035
fprintf(stderr, "Mandos plugin mandos-client: "
1036
"(Avahi Resolver) Failed to resolve service '%s'"
1037
" of type '%s' in domain '%s': %s\n", name, type, domain,
1038
avahi_strerror(avahi_server_errno(mc.server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
1039
565
break;
1040
566
1041
567
case AVAHI_RESOLVER_FOUND:
1043
569
char ip[AVAHI_ADDRESS_STR_MAX];
1044
570
avahi_address_snprint(ip, sizeof(ip), address);
1045
571
if(debug){
1046
fprintf(stderr, "Mandos plugin mandos-client: "
1047
"Mandos server \"%s\" found on %s (%s, %"
1048
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
1049
ip, (intmax_t)interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
1050
574
}
1051
int ret = start_mandos_communication(ip, port, interface,
1052
avahi_proto_to_af(proto));
1053
if(ret == 0){
1054
avahi_simple_poll_quit(mc.simple_poll);
1055
} else {
1056
ret = add_server(ip, port, interface,
1057
avahi_proto_to_af(proto));
575
int ret = start_mandos_communication(ip, port, interface);
576
if (ret == 0){
577
exit(EXIT_SUCCESS);
1058
578
}
1059
579
}
1060
580
}
1061
581
avahi_s_service_resolver_free(r);
1062
582
}
1063
583
1064
static void browse_callback(AvahiSServiceBrowser *b,
1065
AvahiIfIndex interface,
1066
AvahiProtocol protocol,
1067
AvahiBrowserEvent event,
1068
const char *name,
1069
const char *type,
1070
const char *domain,
1071
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1072
flags,
1073
AVAHI_GCC_UNUSED void* userdata){
1074
assert(b);
1075
1076
/* Called whenever a new services becomes available on the LAN or
1077
is removed from the LAN */
1078
1079
if(quit_now){
1080
return;
1081
}
1082
1083
switch(event){
1084
default:
1085
case AVAHI_BROWSER_FAILURE:
1086
1087
fprintf(stderr, "Mandos plugin mandos-client: "
1088
"(Avahi browser) %s\n",
1089
avahi_strerror(avahi_server_errno(mc.server)));
1090
avahi_simple_poll_quit(mc.simple_poll);
1091
return;
1092
1093
case AVAHI_BROWSER_NEW:
1094
/* We ignore the returned Avahi resolver object. In the callback
1095
function we free it. If the Avahi server is terminated before
1096
the callback function is called the Avahi server will free the
1097
resolver for us. */
1098
1099
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1100
name, type, domain, protocol, 0,
1101
resolve_callback, NULL) == NULL)
1102
fprintf(stderr, "Mandos plugin mandos-client: "
1103
"Avahi: Failed to resolve service '%s': %s\n",
1104
name, avahi_strerror(avahi_server_errno(mc.server)));
1105
break;
1106
1107
case AVAHI_BROWSER_REMOVE:
1108
break;
1109
1110
case AVAHI_BROWSER_ALL_FOR_NOW:
1111
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1112
if(debug){
1113
fprintf(stderr, "Mandos plugin mandos-client: "
1114
"No Mandos server found, still searching...\n");
1115
}
1116
break;
1117
}
1118
}
1119
1120
/* Signal handler that stops main loop after SIGTERM */
1121
static void handle_sigterm(int sig){
1122
if(quit_now){
1123
return;
1124
}
1125
quit_now = 1;
1126
signal_received = sig;
1127
int old_errno = errno;
1128
/* set main loop to exit */
1129
if(mc.simple_poll != NULL){
1130
avahi_simple_poll_quit(mc.simple_poll);
1131
}
1132
errno = old_errno;
1133
}
1134
1135
bool get_flags(const char *ifname, struct ifreq *ifr){
1136
int ret;
1137
1138
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1139
if(s < 0){
1140
perror_plus("socket");
1141
return false;
1142
}
1143
strcpy(ifr->ifr_name, ifname);
1144
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1145
if(ret == -1){
1146
if(debug){
1147
perror_plus("ioctl SIOCGIFFLAGS");
1148
}
1149
return false;
1150
}
1151
return true;
1152
}
1153
1154
bool good_flags(const char *ifname, const struct ifreq *ifr){
1155
1156
/* Reject the loopback device */
1157
if(ifr->ifr_flags & IFF_LOOPBACK){
1158
if(debug){
1159
fprintf(stderr, "Mandos plugin mandos-client: "
1160
"Rejecting loopback interface \"%s\"\n", ifname);
1161
}
1162
return false;
1163
}
1164
/* Accept point-to-point devices only if connect_to is specified */
1165
if(connect_to != NULL and (ifr->ifr_flags & IFF_POINTOPOINT)){
1166
if(debug){
1167
fprintf(stderr, "Mandos plugin mandos-client: "
1168
"Accepting point-to-point interface \"%s\"\n", ifname);
1169
}
1170
return true;
1171
}
1172
/* Otherwise, reject non-broadcast-capable devices */
1173
if(not (ifr->ifr_flags & IFF_BROADCAST)){
1174
if(debug){
1175
fprintf(stderr, "Mandos plugin mandos-client: "
1176
"Rejecting non-broadcast interface \"%s\"\n", ifname);
1177
}
1178
return false;
1179
}
1180
/* Reject non-ARP interfaces (including dummy interfaces) */
1181
if(ifr->ifr_flags & IFF_NOARP){
1182
if(debug){
1183
fprintf(stderr, "Mandos plugin mandos-client: "
1184
"Rejecting non-ARP interface \"%s\"\n", ifname);
1185
}
1186
return false;
1187
}
1188
1189
/* Accept this device */
1190
if(debug){
1191
fprintf(stderr, "Mandos plugin mandos-client: "
1192
"Interface \"%s\" is good\n", ifname);
1193
}
1194
return true;
1195
}
1196
1197
/*
1198
* This function determines if a directory entry in /sys/class/net
1199
* corresponds to an acceptable network device.
1200
* (This function is passed to scandir(3) as a filter function.)
1201
*/
1202
int good_interface(const struct dirent *if_entry){
1203
if(if_entry->d_name[0] == '.'){
1204
return 0;
1205
}
1206
1207
struct ifreq ifr;
1208
if(not get_flags(if_entry->d_name, &ifr)){
1209
if(debug){
1210
fprintf(stderr, "Mandos plugin mandos-client: "
1211
"Failed to get flags for interface \"%s\"\n",
1212
if_entry->d_name);
1213
}
1214
return 0;
1215
}
1216
1217
if(not good_flags(if_entry->d_name, &ifr)){
1218
return 0;
1219
}
1220
return 1;
1221
}
1222
1223
/*
1224
* This function determines if a directory entry in /sys/class/net
1225
* corresponds to an acceptable network device which is up.
1226
* (This function is passed to scandir(3) as a filter function.)
1227
*/
1228
int up_interface(const struct dirent *if_entry){
1229
if(if_entry->d_name[0] == '.'){
1230
return 0;
1231
}
1232
1233
struct ifreq ifr;
1234
if(not get_flags(if_entry->d_name, &ifr)){
1235
if(debug){
1236
fprintf(stderr, "Mandos plugin mandos-client: "
1237
"Failed to get flags for interface \"%s\"\n",
1238
if_entry->d_name);
1239
}
1240
return 0;
1241
}
1242
1243
/* Reject down interfaces */
1244
if(not (ifr.ifr_flags & IFF_UP)){
1245
if(debug){
1246
fprintf(stderr, "Mandos plugin mandos-client: "
1247
"Rejecting down interface \"%s\"\n",
1248
if_entry->d_name);
1249
}
1250
return 0;
1251
}
1252
1253
/* Reject non-running interfaces */
1254
if(not (ifr.ifr_flags & IFF_RUNNING)){
1255
if(debug){
1256
fprintf(stderr, "Mandos plugin mandos-client: "
1257
"Rejecting non-running interface \"%s\"\n",
1258
if_entry->d_name);
1259
}
1260
return 0;
1261
}
1262
1263
if(not good_flags(if_entry->d_name, &ifr)){
1264
return 0;
1265
}
1266
return 1;
1267
}
1268
1269
int notdotentries(const struct dirent *direntry){
1270
/* Skip "." and ".." */
1271
if(direntry->d_name[0] == '.'
1272
and (direntry->d_name[1] == '\0'
1273
or (direntry->d_name[1] == '.'
1274
and direntry->d_name[2] == '\0'))){
1275
return 0;
1276
}
1277
return 1;
1278
}
1279
1280
/* Is this directory entry a runnable program? */
1281
int runnable_hook(const struct dirent *direntry){
1282
int ret;
1283
size_t sret;
1284
struct stat st;
1285
1286
if((direntry->d_name)[0] == '\0'){
1287
/* Empty name? */
1288
return 0;
1289
}
1290
1291
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1292
"abcdefghijklmnopqrstuvwxyz"
1293
"0123456789"
1294
"_-");
1295
if((direntry->d_name)[sret] != '\0'){
1296
/* Contains non-allowed characters */
1297
if(debug){
1298
fprintf(stderr, "Mandos plugin mandos-client: "
1299
"Ignoring hook \"%s\" with bad name\n",
1300
direntry->d_name);
1301
}
1302
return 0;
1303
}
1304
1305
char *fullname = NULL;
1306
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1307
if(ret < 0){
1308
perror_plus("asprintf");
1309
return 0;
1310
}
1311
1312
ret = stat(fullname, &st);
1313
if(ret == -1){
1314
if(debug){
1315
perror_plus("Could not stat hook");
1316
}
1317
return 0;
1318
}
1319
if(not (S_ISREG(st.st_mode))){
1320
/* Not a regular file */
1321
if(debug){
1322
fprintf(stderr, "Mandos plugin mandos-client: "
1323
"Ignoring hook \"%s\" - not a file\n",
1324
direntry->d_name);
1325
}
1326
return 0;
1327
}
1328
if(not (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))){
1329
/* Not executable */
1330
if(debug){
1331
fprintf(stderr, "Mandos plugin mandos-client: "
1332
"Ignoring hook \"%s\" - not executable\n",
1333
direntry->d_name);
1334
}
1335
return 0;
1336
}
1337
return 1;
1338
}
1339
1340
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval){
1341
int ret;
1342
struct timespec now;
1343
struct timespec waited_time;
1344
intmax_t block_time;
1345
1346
while(true){
1347
if(mc.current_server == NULL){
1348
if (debug){
1349
fprintf(stderr, "Mandos plugin mandos-client: "
1350
"Wait until first server is found. No timeout!\n");
1351
}
1352
ret = avahi_simple_poll_iterate(s, -1);
1353
} else {
1354
if (debug){
1355
fprintf(stderr, "Mandos plugin mandos-client: "
1356
"Check current_server if we should run it,"
1357
" or wait\n");
1358
}
1359
/* the current time */
1360
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1361
if(ret == -1){
1362
perror_plus("clock_gettime");
1363
return -1;
1364
}
1365
/* Calculating in ms how long time between now and server
1366
who we visted longest time ago. Now - last seen. */
1367
waited_time.tv_sec = (now.tv_sec
1368
- mc.current_server->last_seen.tv_sec);
1369
waited_time.tv_nsec = (now.tv_nsec
1370
- mc.current_server->last_seen.tv_nsec);
1371
/* total time is 10s/10,000ms.
1372
Converting to s from ms by dividing by 1,000,
1373
and ns to ms by dividing by 1,000,000. */
1374
block_time = ((retry_interval
1375
- ((intmax_t)waited_time.tv_sec * 1000))
1376
- ((intmax_t)waited_time.tv_nsec / 1000000));
1377
1378
if (debug){
1379
fprintf(stderr, "Mandos plugin mandos-client: "
1380
"Blocking for %" PRIdMAX " ms\n", block_time);
1381
}
1382
1383
if(block_time <= 0){
1384
ret = start_mandos_communication(mc.current_server->ip,
1385
mc.current_server->port,
1386
mc.current_server->if_index,
1387
mc.current_server->af);
1388
if(ret == 0){
1389
avahi_simple_poll_quit(mc.simple_poll);
1390
return 0;
1391
}
1392
ret = clock_gettime(CLOCK_MONOTONIC,
1393
&mc.current_server->last_seen);
1394
if(ret == -1){
1395
perror_plus("clock_gettime");
1396
return -1;
1397
}
1398
mc.current_server = mc.current_server->next;
1399
block_time = 0; /* Call avahi to find new Mandos
1400
servers, but don't block */
1401
}
1402
1403
ret = avahi_simple_poll_iterate(s, (int)block_time);
1404
}
1405
if(ret != 0){
1406
if (ret > 0 or errno != EINTR){
1407
return (ret != 1) ? ret : 0;
1408
}
1409
}
1410
}
1411
}
1412
1413
int main(int argc, char *argv[]){
1414
AvahiSServiceBrowser *sb = NULL;
1415
int error;
1416
int ret;
1417
intmax_t tmpmax;
1418
char *tmp;
1419
int exitcode = EXIT_SUCCESS;
1420
const char *interface = "";
1421
struct ifreq network;
1422
int sd = -1;
1423
bool take_down_interface = false;
1424
uid_t uid;
1425
gid_t gid;
1426
char tempdir[] = "/tmp/mandosXXXXXX";
1427
bool tempdir_created = false;
1428
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1429
const char *seckey = PATHDIR "/" SECKEY;
1430
const char *pubkey = PATHDIR "/" PUBKEY;
1431
1432
bool gnutls_initialized = false;
1433
bool gpgme_initialized = false;
1434
float delay = 2.5f;
1435
double retry_interval = 10; /* 10s between trying a server and
1436
retrying the same server again */
1437
1438
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1439
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1440
1441
uid = getuid();
1442
gid = getgid();
1443
1444
/* Lower any group privileges we might have, just to be safe */
1445
errno = 0;
1446
ret = setgid(gid);
1447
if(ret == -1){
1448
perror_plus("setgid");
1449
}
1450
1451
/* Lower user privileges (temporarily) */
1452
errno = 0;
1453
ret = seteuid(uid);
1454
if(ret == -1){
1455
perror_plus("seteuid");
1456
}
1457
1458
if(quit_now){
1459
goto end;
1460
}
1461
1462
{
1463
struct argp_option options[] = {
1464
{ .name = "debug", .key = 128,
1465
.doc = "Debug mode", .group = 3 },
1466
{ .name = "connect", .key = 'c',
1467
.arg = "ADDRESS:PORT",
1468
.doc = "Connect directly to a specific Mandos server",
1469
.group = 1 },
1470
{ .name = "interface", .key = 'i',
1471
.arg = "NAME",
1472
.doc = "Network interface that will be used to search for"
1473
" Mandos servers",
1474
.group = 1 },
1475
{ .name = "seckey", .key = 's',
1476
.arg = "FILE",
1477
.doc = "OpenPGP secret key file base name",
1478
.group = 1 },
1479
{ .name = "pubkey", .key = 'p',
1480
.arg = "FILE",
1481
.doc = "OpenPGP public key file base name",
1482
.group = 2 },
1483
{ .name = "dh-bits", .key = 129,
1484
.arg = "BITS",
1485
.doc = "Bit length of the prime number used in the"
1486
" Diffie-Hellman key exchange",
1487
.group = 2 },
1488
{ .name = "priority", .key = 130,
1489
.arg = "STRING",
1490
.doc = "GnuTLS priority string for the TLS handshake",
1491
.group = 1 },
1492
{ .name = "delay", .key = 131,
1493
.arg = "SECONDS",
1494
.doc = "Maximum delay to wait for interface startup",
1495
.group = 2 },
1496
{ .name = "retry", .key = 132,
1497
.arg = "SECONDS",
1498
.doc = "Retry interval used when denied by the mandos server",
1499
.group = 2 },
1500
{ .name = "network-hook-dir", .key = 133,
1501
.arg = "DIR",
1502
.doc = "Directory where network hooks are located",
1503
.group = 2 },
1504
/*
1505
* These reproduce what we would get without ARGP_NO_HELP
1506
*/
1507
{ .name = "help", .key = '?',
1508
.doc = "Give this help list", .group = -1 },
1509
{ .name = "usage", .key = -3,
1510
.doc = "Give a short usage message", .group = -1 },
1511
{ .name = "version", .key = 'V',
1512
.doc = "Print program version", .group = -1 },
1513
{ .name = NULL }
1514
};
1515
1516
error_t parse_opt(int key, char *arg,
1517
struct argp_state *state){
1518
errno = 0;
1519
switch(key){
1520
case 128: /* --debug */
1521
debug = true;
1522
break;
1523
case 'c': /* --connect */
1524
connect_to = arg;
1525
break;
1526
case 'i': /* --interface */
1527
interface = arg;
1528
break;
1529
case 's': /* --seckey */
1530
seckey = arg;
1531
break;
1532
case 'p': /* --pubkey */
1533
pubkey = arg;
1534
break;
1535
case 129: /* --dh-bits */
1536
errno = 0;
1537
tmpmax = strtoimax(arg, &tmp, 10);
1538
if(errno != 0 or tmp == arg or *tmp != '\0'
1539
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1540
argp_error(state, "Bad number of DH bits");
1541
}
1542
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1543
break;
1544
case 130: /* --priority */
1545
mc.priority = arg;
1546
break;
1547
case 131: /* --delay */
1548
errno = 0;
1549
delay = strtof(arg, &tmp);
1550
if(errno != 0 or tmp == arg or *tmp != '\0'){
1551
argp_error(state, "Bad delay");
1552
}
1553
case 132: /* --retry */
1554
errno = 0;
1555
retry_interval = strtod(arg, &tmp);
1556
if(errno != 0 or tmp == arg or *tmp != '\0'
1557
or (retry_interval * 1000) > INT_MAX
1558
or retry_interval < 0){
1559
argp_error(state, "Bad retry interval");
1560
}
1561
break;
1562
case 133: /* --network-hook-dir */
1563
hookdir = arg;
1564
break;
1565
/*
1566
* These reproduce what we would get without ARGP_NO_HELP
1567
*/
1568
case '?': /* --help */
1569
argp_state_help(state, state->out_stream,
1570
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1571
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1572
case -3: /* --usage */
1573
argp_state_help(state, state->out_stream,
1574
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1575
case 'V': /* --version */
1576
fprintf(state->out_stream, "Mandos plugin mandos-client: ");
1577
fprintf(state->out_stream, "%s\n", argp_program_version);
1578
exit(argp_err_exit_status);
1579
break;
1580
default:
1581
return ARGP_ERR_UNKNOWN;
1582
}
1583
return errno;
1584
}
1585
1586
struct argp argp = { .options = options, .parser = parse_opt,
1587
.args_doc = "",
1588
.doc = "Mandos client -- Get and decrypt"
1589
" passwords from a Mandos server" };
1590
ret = argp_parse(&argp, argc, argv,
1591
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1592
switch(ret){
1593
case 0:
1594
break;
1595
case ENOMEM:
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
1596
602
default:
1597
errno = ret;
1598
perror_plus("argp_parse");
1599
exitcode = EX_OSERR;
1600
goto end;
1601
case EINVAL:
1602
exitcode = EX_USAGE;
1603
goto end;
1604
}
1605
}
1606
1607
{
1608
/* Work around Debian bug #633582:
1609
<http://bugs.debian.org/633582> */
1610
struct stat st;
1611
1612
/* Re-raise priviliges */
1613
errno = 0;
1614
ret = seteuid(0);
1615
if(ret == -1){
1616
perror_plus("seteuid");
1617
}
1618
1619
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1620
int seckey_fd = open(seckey, O_RDONLY);
1621
if(seckey_fd == -1){
1622
perror_plus("open");
1623
} else {
1624
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1625
if(ret == -1){
1626
perror_plus("fstat");
1627
} else {
1628
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1629
ret = fchown(seckey_fd, uid, gid);
1630
if(ret == -1){
1631
perror_plus("fchown");
1632
}
1633
}
1634
}
1635
TEMP_FAILURE_RETRY(close(seckey_fd));
1636
}
1637
}
1638
1639
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1640
int pubkey_fd = open(pubkey, O_RDONLY);
1641
if(pubkey_fd == -1){
1642
perror_plus("open");
1643
} else {
1644
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1645
if(ret == -1){
1646
perror_plus("fstat");
1647
} else {
1648
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1649
ret = fchown(pubkey_fd, uid, gid);
1650
if(ret == -1){
1651
perror_plus("fchown");
1652
}
1653
}
1654
}
1655
TEMP_FAILURE_RETRY(close(pubkey_fd));
1656
}
1657
}
1658
1659
/* Lower privileges */
1660
errno = 0;
1661
ret = seteuid(uid);
1662
if(ret == -1){
1663
perror_plus("seteuid");
1664
}
1665
}
1666
1667
/* Find network hooks and run them */
1668
{
1669
struct dirent **direntries;
1670
struct dirent *direntry;
1671
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1672
alphasort);
1673
if(numhooks == -1){
1674
perror_plus("scandir");
1675
} else {
1676
int devnull = open("/dev/null", O_RDONLY);
1677
for(int i = 0; i < numhooks; i++){
1678
direntry = direntries[0];
1679
char *fullname = NULL;
1680
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1681
if(ret < 0){
1682
perror_plus("asprintf");
1683
continue;
1684
}
1685
pid_t hook_pid = fork();
1686
if(hook_pid == 0){
1687
/* Child */
1688
dup2(devnull, STDIN_FILENO);
1689
close(devnull);
1690
dup2(STDERR_FILENO, STDOUT_FILENO);
1691
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1692
if(ret == -1){
1693
perror_plus("setenv");
1694
exit(1);
1695
}
1696
ret = setenv("DEVICE", interface, 1);
1697
if(ret == -1){
1698
perror_plus("setenv");
1699
exit(1);
1700
}
1701
ret = setenv("VERBOSE", debug ? "1" : "0", 1);
1702
if(ret == -1){
1703
perror_plus("setenv");
1704
exit(1);
1705
}
1706
ret = setenv("MODE", "start", 1);
1707
if(ret == -1){
1708
perror_plus("setenv");
1709
exit(1);
1710
}
1711
char *delaystring;
1712
ret = asprintf(&delaystring, "%f", delay);
1713
if(ret == -1){
1714
perror_plus("asprintf");
1715
exit(1);
1716
}
1717
ret = setenv("DELAY", delaystring, 1);
1718
if(ret == -1){
1719
free(delaystring);
1720
perror_plus("setenv");
1721
exit(1);
1722
}
1723
free(delaystring);
1724
ret = execl(fullname, direntry->d_name, "start", NULL);
1725
perror_plus("execl");
1726
} else {
1727
int status;
1728
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1729
perror_plus("waitpid");
1730
free(fullname);
1731
continue;
1732
}
1733
if(WIFEXITED(status)){
1734
if(WEXITSTATUS(status) != 0){
1735
fprintf(stderr, "Mandos plugin mandos-client: "
1736
"Warning: network hook \"%s\" exited"
1737
" with status %d\n", direntry->d_name,
1738
WEXITSTATUS(status));
1739
free(fullname);
1740
continue;
1741
}
1742
} else if(WIFSIGNALED(status)){
1743
fprintf(stderr, "Mandos plugin mandos-client: "
1744
"Warning: network hook \"%s\" died by"
1745
" signal %d\n", direntry->d_name,
1746
WTERMSIG(status));
1747
free(fullname);
1748
continue;
1749
} else {
1750
fprintf(stderr, "Mandos plugin mandos-client: "
1751
"Warning: network hook \"%s\" crashed\n",
1752
direntry->d_name);
1753
free(fullname);
1754
continue;
1755
}
1756
}
1757
free(fullname);
1758
if(quit_now){
1759
goto end;
1760
}
1761
}
1762
close(devnull);
1763
}
1764
}
1765
1766
if(not debug){
1767
avahi_set_log_function(empty_log);
1768
}
1769
1770
if(interface[0] == '\0'){
1771
struct dirent **direntries;
1772
/* First look for interfaces that are up */
1773
ret = scandir(sys_class_net, &direntries, up_interface,
1774
alphasort);
1775
if(ret == 0){
1776
/* No up interfaces, look for any good interfaces */
1777
free(direntries);
1778
ret = scandir(sys_class_net, &direntries, good_interface,
1779
alphasort);
1780
}
1781
if(ret >= 1){
1782
/* Pick the first interface returned */
1783
interface = strdup(direntries[0]->d_name);
1784
if(debug){
1785
fprintf(stderr, "Mandos plugin mandos-client: "
1786
"Using interface \"%s\"\n", interface);
1787
}
1788
if(interface == NULL){
1789
perror_plus("malloc");
1790
free(direntries);
1791
exitcode = EXIT_FAILURE;
1792
goto end;
1793
}
1794
free(direntries);
1795
} else {
1796
free(direntries);
1797
fprintf(stderr, "Mandos plugin mandos-client: "
1798
"Could not find a network interface\n");
1799
exitcode = EXIT_FAILURE;
1800
goto end;
1801
}
1802
}
1803
1804
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1805
from the signal handler */
1806
/* Initialize the pseudo-RNG for Avahi */
1807
srand((unsigned int) time(NULL));
1808
mc.simple_poll = avahi_simple_poll_new();
1809
if(mc.simple_poll == NULL){
1810
fprintf(stderr, "Mandos plugin mandos-client: "
1811
"Avahi: Failed to create simple poll object.\n");
1812
exitcode = EX_UNAVAILABLE;
1813
goto end;
1814
}
1815
1816
sigemptyset(&sigterm_action.sa_mask);
1817
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1818
if(ret == -1){
1819
perror_plus("sigaddset");
1820
exitcode = EX_OSERR;
1821
goto end;
1822
}
1823
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1824
if(ret == -1){
1825
perror_plus("sigaddset");
1826
exitcode = EX_OSERR;
1827
goto end;
1828
}
1829
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1830
if(ret == -1){
1831
perror_plus("sigaddset");
1832
exitcode = EX_OSERR;
1833
goto end;
1834
}
1835
/* Need to check if the handler is SIG_IGN before handling:
1836
| [[info:libc:Initial Signal Actions]] |
1837
| [[info:libc:Basic Signal Handling]] |
1838
*/
1839
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1840
if(ret == -1){
1841
perror_plus("sigaction");
1842
return EX_OSERR;
1843
}
1844
if(old_sigterm_action.sa_handler != SIG_IGN){
1845
ret = sigaction(SIGINT, &sigterm_action, NULL);
1846
if(ret == -1){
1847
perror_plus("sigaction");
1848
exitcode = EX_OSERR;
1849
goto end;
1850
}
1851
}
1852
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1853
if(ret == -1){
1854
perror_plus("sigaction");
1855
return EX_OSERR;
1856
}
1857
if(old_sigterm_action.sa_handler != SIG_IGN){
1858
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1859
if(ret == -1){
1860
perror_plus("sigaction");
1861
exitcode = EX_OSERR;
1862
goto end;
1863
}
1864
}
1865
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1866
if(ret == -1){
1867
perror_plus("sigaction");
1868
return EX_OSERR;
1869
}
1870
if(old_sigterm_action.sa_handler != SIG_IGN){
1871
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1872
if(ret == -1){
1873
perror_plus("sigaction");
1874
exitcode = EX_OSERR;
1875
goto end;
1876
}
1877
}
1878
1879
/* If the interface is down, bring it up */
1880
if(strcmp(interface, "none") != 0){
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
630
}
631
}
632
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
639
if (tmp == NULL){
640
return NULL;
641
}
642
if(f_len > 0){
643
memcpy(tmp, first, f_len);
644
}
645
tmp[f_len] = '/';
646
if(s_len > 0){
647
memcpy(tmp + f_len + 1, second, s_len);
648
}
649
tmp[f_len + 1 + s_len] = '\0';
650
return tmp;
651
}
652
653
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
656
AvahiSServiceBrowser *sb = NULL;
657
int error;
658
int ret;
659
int returncode = EXIT_SUCCESS;
660
const char *interface = "eth0";
661
struct ifreq network;
662
int sd;
663
char *connect_to = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
665
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
719
}
720
1881
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
1882
722
if(if_index == 0){
1883
fprintf(stderr, "Mandos plugin mandos-client: "
1884
"No such interface: \"%s\"\n", interface);
1885
exitcode = EX_UNAVAILABLE;
1886
goto end;
1887
}
1888
1889
if(quit_now){
1890
goto end;
1891
}
1892
1893
/* Re-raise priviliges */
1894
errno = 0;
1895
ret = seteuid(0);
1896
if(ret == -1){
1897
perror_plus("seteuid");
1898
}
1899
1900
#ifdef __linux__
1901
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1902
messages about the network interface to mess up the prompt */
1903
ret = klogctl(8, NULL, 5);
1904
bool restore_loglevel = true;
1905
if(ret == -1){
1906
restore_loglevel = false;
1907
perror_plus("klogctl");
1908
}
1909
#endif /* __linux__ */
723
fprintf(stderr, "No such interface: \"%s\"\n", interface);
724
exit(EXIT_FAILURE);
725
}
726
727
if(connect_to != NULL){
728
/* Connect directly, do not use Zeroconf */
729
/* (Mainly meant for debugging) */
730
char *address = strrchr(connect_to, ':');
731
if(address == NULL){
732
fprintf(stderr, "No colon in address\n");
733
exit(EXIT_FAILURE);
734
}
735
errno = 0;
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
737
if(errno){
738
perror("Bad port number");
739
exit(EXIT_FAILURE);
740
}
741
*address = '\0';
742
address = connect_to;
743
ret = start_mandos_communication(address, port, if_index);
744
if(ret < 0){
745
exit(EXIT_FAILURE);
746
} else {
747
exit(EXIT_SUCCESS);
748
}
749
}
1910
750
1911
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1912
if(sd < 0){
1913
perror_plus("socket");
1914
exitcode = EX_OSERR;
1915
#ifdef __linux__
1916
if(restore_loglevel){
1917
ret = klogctl(7, NULL, 0);
1918
if(ret == -1){
1919
perror_plus("klogctl");
1920
}
1921
}
1922
#endif /* __linux__ */
1923
/* Lower privileges */
1924
errno = 0;
1925
ret = seteuid(uid);
1926
if(ret == -1){
1927
perror_plus("seteuid");
1928
}
1929
goto end;
752
if(sd < 0) {
753
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
1930
756
}
1931
strcpy(network.ifr_name, interface);
757
strcpy(network.ifr_name, interface);
1932
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1933
759
if(ret == -1){
1934
perror_plus("ioctl SIOCGIFFLAGS");
1935
#ifdef __linux__
1936
if(restore_loglevel){
1937
ret = klogctl(7, NULL, 0);
1938
if(ret == -1){
1939
perror_plus("klogctl");
1940
}
1941
}
1942
#endif /* __linux__ */
1943
exitcode = EX_OSERR;
1944
/* Lower privileges */
1945
errno = 0;
1946
ret = seteuid(uid);
1947
if(ret == -1){
1948
perror_plus("seteuid");
1949
}
1950
goto end;
760
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
1951
764
}
1952
765
if((network.ifr_flags & IFF_UP) == 0){
1953
766
network.ifr_flags |= IFF_UP;
1954
take_down_interface = true;
1955
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1956
768
if(ret == -1){
1957
take_down_interface = false;
1958
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1959
exitcode = EX_OSERR;
1960
#ifdef __linux__
1961
if(restore_loglevel){
1962
ret = klogctl(7, NULL, 0);
1963
if(ret == -1){
1964
perror_plus("klogctl");
1965
}
1966
}
1967
#endif /* __linux__ */
1968
/* Lower privileges */
1969
errno = 0;
1970
ret = seteuid(uid);
1971
if(ret == -1){
1972
perror_plus("seteuid");
1973
}
1974
goto end;
1975
}
1976
}
1977
/* Sleep checking until interface is running.
1978
Check every 0.25s, up to total time of delay */
1979
for(int i=0; i < delay * 4; i++){
1980
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1981
if(ret == -1){
1982
perror_plus("ioctl SIOCGIFFLAGS");
1983
} else if(network.ifr_flags & IFF_RUNNING){
1984
break;
1985
}
1986
struct timespec sleeptime = { .tv_nsec = 250000000 };
1987
ret = nanosleep(&sleeptime, NULL);
1988
if(ret == -1 and errno != EINTR){
1989
perror_plus("nanosleep");
1990
}
1991
}
1992
if(not take_down_interface){
1993
/* We won't need the socket anymore */
1994
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1995
if(ret == -1){
1996
perror_plus("close");
1997
}
1998
}
1999
#ifdef __linux__
2000
if(restore_loglevel){
2001
/* Restores kernel loglevel to default */
2002
ret = klogctl(7, NULL, 0);
2003
if(ret == -1){
2004
perror_plus("klogctl");
2005
}
2006
}
2007
#endif /* __linux__ */
2008
/* Lower privileges */
2009
errno = 0;
2010
if(take_down_interface){
2011
/* Lower privileges */
2012
ret = seteuid(uid);
2013
if(ret == -1){
2014
perror_plus("seteuid");
2015
}
2016
} else {
2017
/* Lower privileges permanently */
2018
ret = setuid(uid);
2019
if(ret == -1){
2020
perror_plus("setuid");
2021
}
2022
}
2023
}
2024
2025
if(quit_now){
2026
goto end;
2027
}
2028
2029
ret = init_gnutls_global(pubkey, seckey);
2030
if(ret == -1){
2031
fprintf(stderr, "Mandos plugin mandos-client: "
2032
"init_gnutls_global failed\n");
2033
exitcode = EX_UNAVAILABLE;
2034
goto end;
2035
} else {
2036
gnutls_initialized = true;
2037
}
2038
2039
if(quit_now){
2040
goto end;
2041
}
2042
2043
if(mkdtemp(tempdir) == NULL){
2044
perror_plus("mkdtemp");
2045
goto end;
2046
}
2047
tempdir_created = true;
2048
2049
if(quit_now){
2050
goto end;
2051
}
2052
2053
if(not init_gpgme(pubkey, seckey, tempdir)){
2054
fprintf(stderr, "Mandos plugin mandos-client: "
2055
"init_gpgme failed\n");
2056
exitcode = EX_UNAVAILABLE;
2057
goto end;
2058
} else {
2059
gpgme_initialized = true;
2060
}
2061
2062
if(quit_now){
2063
goto end;
2064
}
2065
2066
if(connect_to != NULL){
2067
/* Connect directly, do not use Zeroconf */
2068
/* (Mainly meant for debugging) */
2069
char *address = strrchr(connect_to, ':');
2070
if(address == NULL){
2071
fprintf(stderr, "Mandos plugin mandos-client: "
2072
"No colon in address\n");
2073
exitcode = EX_USAGE;
2074
goto end;
2075
}
2076
2077
if(quit_now){
2078
goto end;
2079
}
2080
2081
uint16_t port;
2082
errno = 0;
2083
tmpmax = strtoimax(address+1, &tmp, 10);
2084
if(errno != 0 or tmp == address+1 or *tmp != '\0'
2085
or tmpmax != (uint16_t)tmpmax){
2086
fprintf(stderr, "Mandos plugin mandos-client: "
2087
"Bad port number\n");
2088
exitcode = EX_USAGE;
2089
goto end;
2090
}
2091
2092
if(quit_now){
2093
goto end;
2094
}
2095
2096
port = (uint16_t)tmpmax;
2097
*address = '\0';
2098
/* Colon in address indicates IPv6 */
2099
int af;
2100
if(strchr(connect_to, ':') != NULL){
2101
af = AF_INET6;
2102
/* Accept [] around IPv6 address - see RFC 5952 */
2103
if(connect_to[0] == '[' and address[-1] == ']')
2104
{
2105
connect_to++;
2106
address[-1] = '\0';
2107
}
2108
} else {
2109
af = AF_INET;
2110
}
2111
address = connect_to;
2112
2113
if(quit_now){
2114
goto end;
2115
}
2116
2117
while(not quit_now){
2118
ret = start_mandos_communication(address, port, if_index, af);
2119
if(quit_now or ret == 0){
2120
break;
2121
}
2122
if(debug){
2123
fprintf(stderr, "Mandos plugin mandos-client: "
2124
"Retrying in %d seconds\n", (int)retry_interval);
2125
}
2126
sleep((int)retry_interval);
2127
}
2128
2129
if (not quit_now){
2130
exitcode = EXIT_SUCCESS;
2131
}
2132
2133
goto end;
2134
}
2135
2136
if(quit_now){
2137
goto end;
2138
}
2139
2140
{
2141
AvahiServerConfig config;
2142
/* Do not publish any local Zeroconf records */
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
773
}
774
close(sd);
775
776
if (not debug){
777
avahi_set_log_function(empty_log);
778
}
779
780
/* Initialize the psuedo-RNG */
781
srand((unsigned int) time(NULL));
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
2143
791
avahi_server_config_init(&config);
2144
792
config.publish_hinfo = 0;
2145
793
config.publish_addresses = 0;
2146
794
config.publish_workstation = 0;
2147
795
config.publish_domain = 0;
2148
796
2149
797
/* Allocate a new server */
2150
mc.server = avahi_server_new(avahi_simple_poll_get
2151
(mc.simple_poll), &config, NULL,
2152
NULL, &error);
2153
2154
/* Free the Avahi configuration data */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
2155
802
avahi_server_config_free(&config);
2156
}
2157
2158
/* Check if creating the Avahi server object succeeded */
2159
if(mc.server == NULL){
2160
fprintf(stderr, "Mandos plugin mandos-client: "
2161
"Failed to create Avahi server: %s\n",
2162
avahi_strerror(error));
2163
exitcode = EX_UNAVAILABLE;
2164
goto end;
2165
}
2166
2167
if(quit_now){
2168
goto end;
2169
}
2170
2171
/* Create the Avahi service browser */
2172
sb = avahi_s_service_browser_new(mc.server, if_index,
2173
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2174
NULL, 0, browse_callback, NULL);
2175
if(sb == NULL){
2176
fprintf(stderr, "Mandos plugin mandos-client: "
2177
"Failed to create service browser: %s\n",
2178
avahi_strerror(avahi_server_errno(mc.server)));
2179
exitcode = EX_UNAVAILABLE;
2180
goto end;
2181
}
2182
2183
if(quit_now){
2184
goto end;
2185
}
2186
2187
/* Run the main loop */
2188
2189
if(debug){
2190
fprintf(stderr, "Mandos plugin mandos-client: "
2191
"Starting Avahi loop search\n");
2192
}
2193
2194
ret = avahi_loop_with_timeout(mc.simple_poll,
2195
(int)(retry_interval * 1000));
2196
if(debug){
2197
fprintf(stderr, "Mandos plugin mandos-client: "
2198
"avahi_loop_with_timeout exited %s\n",
2199
(ret == 0) ? "successfully" : "with error");
2200
}
2201
2202
end:
2203
2204
if(debug){
2205
fprintf(stderr, "Mandos plugin mandos-client: "
2206
"%s exiting\n", argv[0]);
2207
}
2208
2209
/* Cleanup things */
2210
if(sb != NULL)
2211
avahi_s_service_browser_free(sb);
2212
2213
if(mc.server != NULL)
2214
avahi_server_free(mc.server);
2215
2216
if(mc.simple_poll != NULL)
2217
avahi_simple_poll_free(mc.simple_poll);
2218
2219
if(gnutls_initialized){
2220
gnutls_certificate_free_credentials(mc.cred);
2221
gnutls_global_deinit();
2222
gnutls_dh_params_deinit(mc.dh_params);
2223
}
2224
2225
if(gpgme_initialized){
2226
gpgme_release(mc.ctx);
2227
}
2228
2229
/* Cleans up the circular linked list of Mandos servers the client
2230
has seen */
2231
if(mc.current_server != NULL){
2232
mc.current_server->prev->next = NULL;
2233
while(mc.current_server != NULL){
2234
server *next = mc.current_server->next;
2235
free(mc.current_server);
2236
mc.current_server = next;
2237
}
2238
}
2239
2240
/* XXX run network hooks "stop" here */
2241
2242
/* Take down the network interface */
2243
if(take_down_interface){
2244
/* Re-raise priviliges */
2245
errno = 0;
2246
ret = seteuid(0);
2247
if(ret == -1){
2248
perror_plus("seteuid");
2249
}
2250
if(geteuid() == 0){
2251
ret = ioctl(sd, SIOCGIFFLAGS, &network);
2252
if(ret == -1){
2253
perror_plus("ioctl SIOCGIFFLAGS");
2254
} else if(network.ifr_flags & IFF_UP){
2255
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2256
ret = ioctl(sd, SIOCSIFFLAGS, &network);
2257
if(ret == -1){
2258
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
2259
}
2260
}
2261
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2262
if(ret == -1){
2263
perror_plus("close");
2264
}
2265
/* Lower privileges permanently */
2266
errno = 0;
2267
ret = setuid(uid);
2268
if(ret == -1){
2269
perror_plus("setuid");
2270
}
2271
}
2272
}
2273
2274
/* Removes the GPGME temp directory and all files inside */
2275
if(tempdir_created){
2276
struct dirent **direntries = NULL;
2277
struct dirent *direntry = NULL;
2278
int numentries = scandir(tempdir, &direntries, notdotentries,
2279
alphasort);
2280
if (numentries > 0){
2281
for(int i = 0; i < numentries; i++){
2282
direntry = direntries[i];
2283
char *fullname = NULL;
2284
ret = asprintf(&fullname, "%s/%s", tempdir,
2285
direntry->d_name);
2286
if(ret < 0){
2287
perror_plus("asprintf");
2288
continue;
2289
}
2290
ret = remove(fullname);
2291
if(ret == -1){
2292
fprintf(stderr, "Mandos plugin mandos-client: "
2293
"remove(\"%s\"): %s\n", fullname, strerror(errno));
2294
}
2295
free(fullname);
2296
}
2297
}
2298
2299
/* need to clean even if 0 because man page doesn't specify */
2300
free(direntries);
2301
if (numentries == -1){
2302
perror_plus("scandir");
2303
}
2304
ret = rmdir(tempdir);
2305
if(ret == -1 and errno != ENOENT){
2306
perror_plus("rmdir");
2307
}
2308
}
2309
2310
if(quit_now){
2311
sigemptyset(&old_sigterm_action.sa_mask);
2312
old_sigterm_action.sa_handler = SIG_DFL;
2313
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
2314
&old_sigterm_action,
2315
NULL));
2316
if(ret == -1){
2317
perror_plus("sigaction");
2318
}
2319
do {
2320
ret = raise(signal_received);
2321
} while(ret != 0 and errno == EINTR);
2322
if(ret != 0){
2323
perror_plus("raise");
2324
abort();
2325
}
2326
TEMP_FAILURE_RETRY(pause());
2327
}
2328
2329
return exitcode;
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
807
avahi_strerror(error));
808
returncode = EXIT_FAILURE;
809
goto exit;
810
}
811
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
814
AVAHI_PROTO_INET6,
815
"_mandos._tcp", NULL, 0,
816
browse_callback, server);
817
if (!sb) {
818
fprintf(stderr, "Failed to create service browser: %s\n",
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
822
}
823
824
/* Run the main loop */
825
826
if (debug){
827
fprintf(stderr, "Starting avahi loop search\n");
828
}
829
830
avahi_simple_poll_loop(simple_poll);
831
832
exit:
833
834
if (debug){
835
fprintf(stderr, "%s exiting\n", argv[0]);
836
}
837
838
/* Cleanup things */
839
if (sb)
840
avahi_s_service_browser_free(sb);
841
842
if (server)
843
avahi_server_free(server);
844
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
849
850
return returncode;
2330
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0