To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 1213
- compare with another revision
- download diff
- download tarball
- view history from revision 1213
- Committer: teddy at recompile
- Date: 2020-04-05 21:30:59 UTC
- Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk
Fix file descriptor leak in mandos-client
When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.) The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.
This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route. If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.
Fix this by eliminating the file descriptor leak in the client.
* plugins.d/mandos-client.c (add_delete_local_route): Do
close(devnull) also in parent process, also if fork() fails, and on
any failure in child process.
When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.) The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.
This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route. If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.
Fix this by eliminating the file descriptor leak in the client.
* plugins.d/mandos-client.c (add_delete_local_route): Do
close(devnull) also in parent process, also if fork() fails, and on
any failure in child process.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- plugin-helpers
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2014 Teddy Hogeborn
13
* Copyright © 2008-2014 Björn Påhlsson
14
*
15
* This program is free software: you can redistribute it and/or
16
* modify it under the terms of the GNU General Public License as
17
* published by the Free Software Foundation, either version 3 of the
18
* License, or (at your option) any later version.
19
*
20
* This program is distributed in the hope that it will be useful, but
12
* Copyright © 2008-2019 Teddy Hogeborn
13
* Copyright © 2008-2019 Björn Påhlsson
14
*
15
* This file is part of Mandos.
16
*
17
* Mandos is free software: you can redistribute it and/or modify it
18
* under the terms of the GNU General Public License as published by
19
* the Free Software Foundation, either version 3 of the License, or
20
* (at your option) any later version.
21
*
22
* Mandos is distributed in the hope that it will be useful, but
21
23
* WITHOUT ANY WARRANTY; without even the implied warranty of
22
24
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23
25
* General Public License for more details.
24
26
*
25
27
* You should have received a copy of the GNU General Public License
26
* along with this program. If not, see
27
* <http://www.gnu.org/licenses/>.
28
* along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
29
*
29
30
* Contact the authors at <mandos@recompile.se>.
30
31
*/
46
47
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
48
strtof(), abort() */
48
49
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
50
#include <string.h> /* strcmp(), strlen(), strerror(),
51
asprintf(), strncpy(), strsignal()
52
*/
51
53
#include <sys/ioctl.h> /* ioctl */
52
54
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
55
sockaddr_in6, PF_INET6,
57
59
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
60
inet_pton(), connect(),
59
61
getnameinfo() */
60
#include <fcntl.h> /* open(), unlinkat() */
62
#include <fcntl.h> /* open(), unlinkat(), AT_REMOVEDIR */
61
63
#include <dirent.h> /* opendir(), struct dirent, readdir()
62
64
*/
63
65
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
64
66
strtoimax() */
65
#include <errno.h> /* perror(), errno,
67
#include <errno.h> /* perror(), errno, EINTR, EINVAL,
68
EAI_SYSTEM, ENETUNREACH,
69
EHOSTUNREACH, ECONNREFUSED, EPROTO,
70
EIO, ENOENT, ENXIO, ENOMEM, EISDIR,
71
ENOTEMPTY,
66
72
program_invocation_short_name */
67
73
#include <time.h> /* nanosleep(), time(), sleep() */
68
74
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
117
123
gnutls_*
118
124
init_gnutls_session(),
119
125
GNUTLS_* */
126
#if GNUTLS_VERSION_NUMBER < 0x030600
120
127
#include <gnutls/openpgp.h>
121
128
/* gnutls_certificate_set_openpgp_key_file(),
122
129
GNUTLS_OPENPGP_FMT_BASE64 */
130
#elif GNUTLS_VERSION_NUMBER >= 0x030606
131
#include <gnutls/x509.h> /* gnutls_pkcs_encrypt_flags_t,
132
GNUTLS_PKCS_PLAIN,
133
GNUTLS_PKCS_NULL_PASSWORD */
134
#endif
123
135
124
136
/* GPGME */
125
137
#include <gpgme.h> /* All GPGME types, constants and
133
145
#define PATHDIR "/conf/conf.d/mandos"
134
146
#define SECKEY "seckey.txt"
135
147
#define PUBKEY "pubkey.txt"
148
#define TLS_PRIVKEY "tls-privkey.pem"
149
#define TLS_PUBKEY "tls-pubkey.pem"
136
150
#define HOOKDIR "/lib/mandos/network-hooks.d"
137
151
138
152
bool debug = false;
240
254
ret = clock_gettime(CLOCK_MONOTONIC, &(new_server->last_seen));
241
255
if(ret == -1){
242
256
perror_plus("clock_gettime");
243
free(new_server->ip);
257
#ifdef __GNUC__
258
#pragma GCC diagnostic push
259
#pragma GCC diagnostic ignored "-Wcast-qual"
260
#endif
261
free((char *)(new_server->ip));
262
#ifdef __GNUC__
263
#pragma GCC diagnostic pop
264
#endif
244
265
free(new_server);
245
266
return false;
246
267
}
259
280
return true;
260
281
}
261
282
283
/* Set effective uid to 0, return errno */
284
__attribute__((warn_unused_result))
285
int raise_privileges(void){
286
int old_errno = errno;
287
int ret = 0;
288
if(seteuid(0) == -1){
289
ret = errno;
290
}
291
errno = old_errno;
292
return ret;
293
}
294
295
/* Set effective and real user ID to 0. Return errno. */
296
__attribute__((warn_unused_result))
297
int raise_privileges_permanently(void){
298
int old_errno = errno;
299
int ret = raise_privileges();
300
if(ret != 0){
301
errno = old_errno;
302
return ret;
303
}
304
if(setuid(0) == -1){
305
ret = errno;
306
}
307
errno = old_errno;
308
return ret;
309
}
310
311
/* Set effective user ID to unprivileged saved user ID */
312
__attribute__((warn_unused_result))
313
int lower_privileges(void){
314
int old_errno = errno;
315
int ret = 0;
316
if(seteuid(uid) == -1){
317
ret = errno;
318
}
319
errno = old_errno;
320
return ret;
321
}
322
323
/* Lower privileges permanently */
324
__attribute__((warn_unused_result))
325
int lower_privileges_permanently(void){
326
int old_errno = errno;
327
int ret = 0;
328
if(setuid(uid) == -1){
329
ret = errno;
330
}
331
errno = old_errno;
332
return ret;
333
}
334
262
335
/*
263
336
* Initialize GPGME.
264
337
*/
284
357
return false;
285
358
}
286
359
360
/* Workaround for systems without a real-time clock; see also
361
Debian bug #894495: <https://bugs.debian.org/894495> */
362
do {
363
{
364
time_t currtime = time(NULL);
365
if(currtime != (time_t)-1){
366
struct tm tm;
367
if(gmtime_r(&currtime, &tm) == NULL) {
368
perror_plus("gmtime_r");
369
break;
370
}
371
if(tm.tm_year != 70 or tm.tm_mon != 0){
372
break;
373
}
374
if(debug){
375
fprintf_plus(stderr, "System clock is January 1970");
376
}
377
} else {
378
if(debug){
379
fprintf_plus(stderr, "System clock is invalid");
380
}
381
}
382
}
383
struct stat keystat;
384
ret = fstat(fd, &keystat);
385
if(ret != 0){
386
perror_plus("fstat");
387
break;
388
}
389
ret = raise_privileges();
390
if(ret != 0){
391
errno = ret;
392
perror_plus("Failed to raise privileges");
393
break;
394
}
395
if(debug){
396
fprintf_plus(stderr,
397
"Setting system clock to key file mtime");
398
}
399
time_t keytime = keystat.st_mtim.tv_sec;
400
if(stime(&keytime) != 0){
401
perror_plus("stime");
402
}
403
ret = lower_privileges();
404
if(ret != 0){
405
errno = ret;
406
perror_plus("Failed to lower privileges");
407
}
408
} while(false);
409
287
410
rc = gpgme_data_new_from_fd(&pgp_data, fd);
288
411
if(rc != GPG_ERR_NO_ERROR){
289
412
fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
297
420
gpgme_strsource(rc), gpgme_strerror(rc));
298
421
return false;
299
422
}
423
{
424
gpgme_import_result_t import_result
425
= gpgme_op_import_result(mc->ctx);
426
if((import_result->imported < 1
427
or import_result->not_imported > 0)
428
and import_result->unchanged == 0){
429
fprintf_plus(stderr, "bad gpgme_op_import_results:\n");
430
fprintf_plus(stderr,
431
"The total number of considered keys: %d\n",
432
import_result->considered);
433
fprintf_plus(stderr,
434
"The number of keys without user ID: %d\n",
435
import_result->no_user_id);
436
fprintf_plus(stderr,
437
"The total number of imported keys: %d\n",
438
import_result->imported);
439
fprintf_plus(stderr, "The number of imported RSA keys: %d\n",
440
import_result->imported_rsa);
441
fprintf_plus(stderr, "The number of unchanged keys: %d\n",
442
import_result->unchanged);
443
fprintf_plus(stderr, "The number of new user IDs: %d\n",
444
import_result->new_user_ids);
445
fprintf_plus(stderr, "The number of new sub keys: %d\n",
446
import_result->new_sub_keys);
447
fprintf_plus(stderr, "The number of new signatures: %d\n",
448
import_result->new_signatures);
449
fprintf_plus(stderr, "The number of new revocations: %d\n",
450
import_result->new_revocations);
451
fprintf_plus(stderr,
452
"The total number of secret keys read: %d\n",
453
import_result->secret_read);
454
fprintf_plus(stderr,
455
"The number of imported secret keys: %d\n",
456
import_result->secret_imported);
457
fprintf_plus(stderr,
458
"The number of unchanged secret keys: %d\n",
459
import_result->secret_unchanged);
460
fprintf_plus(stderr, "The number of keys not imported: %d\n",
461
import_result->not_imported);
462
for(gpgme_import_status_t import_status
463
= import_result->imports;
464
import_status != NULL;
465
import_status = import_status->next){
466
fprintf_plus(stderr, "Import status for key: %s\n",
467
import_status->fpr);
468
if(import_status->result != GPG_ERR_NO_ERROR){
469
fprintf_plus(stderr, "Import result: %s: %s\n",
470
gpgme_strsource(import_status->result),
471
gpgme_strerror(import_status->result));
472
}
473
fprintf_plus(stderr, "Key status:\n");
474
fprintf_plus(stderr,
475
import_status->status & GPGME_IMPORT_NEW
476
? "The key was new.\n"
477
: "The key was not new.\n");
478
fprintf_plus(stderr,
479
import_status->status & GPGME_IMPORT_UID
480
? "The key contained new user IDs.\n"
481
: "The key did not contain new user IDs.\n");
482
fprintf_plus(stderr,
483
import_status->status & GPGME_IMPORT_SIG
484
? "The key contained new signatures.\n"
485
: "The key did not contain new signatures.\n");
486
fprintf_plus(stderr,
487
import_status->status & GPGME_IMPORT_SUBKEY
488
? "The key contained new sub keys.\n"
489
: "The key did not contain new sub keys.\n");
490
fprintf_plus(stderr,
491
import_status->status & GPGME_IMPORT_SECRET
492
? "The key contained a secret key.\n"
493
: "The key did not contain a secret key.\n");
494
}
495
return false;
496
}
497
}
300
498
301
ret = (int)TEMP_FAILURE_RETRY(close(fd));
499
ret = close(fd);
302
500
if(ret == -1){
303
501
perror_plus("close");
304
502
}
343
541
/* Create new GPGME "context" */
344
542
rc = gpgme_new(&(mc->ctx));
345
543
if(rc != GPG_ERR_NO_ERROR){
346
fprintf_plus(stderr, "Mandos plugin mandos-client: "
347
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
348
gpgme_strerror(rc));
544
fprintf_plus(stderr, "bad gpgme_new: %s: %s\n",
545
gpgme_strsource(rc), gpgme_strerror(rc));
349
546
return false;
350
547
}
351
548
387
584
/* Create new empty GPGME data buffer for the plaintext */
388
585
rc = gpgme_data_new(&dh_plain);
389
586
if(rc != GPG_ERR_NO_ERROR){
390
fprintf_plus(stderr, "Mandos plugin mandos-client: "
391
"bad gpgme_data_new: %s: %s\n",
587
fprintf_plus(stderr, "bad gpgme_data_new: %s: %s\n",
392
588
gpgme_strsource(rc), gpgme_strerror(rc));
393
589
gpgme_data_release(dh_crypto);
394
590
return -1;
407
603
if(result == NULL){
408
604
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
409
605
} else {
410
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
411
result->unsupported_algorithm);
412
fprintf_plus(stderr, "Wrong key usage: %u\n",
413
result->wrong_key_usage);
606
if(result->unsupported_algorithm != NULL) {
607
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
608
result->unsupported_algorithm);
609
}
610
fprintf_plus(stderr, "Wrong key usage: %s\n",
611
result->wrong_key_usage ? "Yes" : "No");
414
612
if(result->file_name != NULL){
415
613
fprintf_plus(stderr, "File name: %s\n", result->file_name);
416
614
}
417
gpgme_recipient_t recipient;
418
recipient = result->recipients;
419
while(recipient != NULL){
615
616
for(gpgme_recipient_t r = result->recipients; r != NULL;
617
r = r->next){
420
618
fprintf_plus(stderr, "Public key algorithm: %s\n",
421
gpgme_pubkey_algo_name
422
(recipient->pubkey_algo));
423
fprintf_plus(stderr, "Key ID: %s\n", recipient->keyid);
619
gpgme_pubkey_algo_name(r->pubkey_algo));
620
fprintf_plus(stderr, "Key ID: %s\n", r->keyid);
424
621
fprintf_plus(stderr, "Secret key available: %s\n",
425
recipient->status == GPG_ERR_NO_SECKEY
426
? "No" : "Yes");
427
recipient = recipient->next;
622
r->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
428
623
}
429
624
}
430
625
}
486
681
return plaintext_length;
487
682
}
488
683
684
__attribute__((warn_unused_result, const))
685
static const char *safe_string(const char *str){
686
if(str == NULL)
687
return "(unknown)";
688
return str;
689
}
690
489
691
__attribute__((warn_unused_result))
490
692
static const char *safer_gnutls_strerror(int value){
491
693
const char *ret = gnutls_strerror(value);
492
if(ret == NULL)
493
ret = "(unknown)";
494
return ret;
694
return safe_string(ret);
495
695
}
496
696
497
697
/* GnuTLS log function callback */
501
701
fprintf_plus(stderr, "GnuTLS: %s", string);
502
702
}
503
703
504
__attribute__((nonnull, warn_unused_result))
704
__attribute__((nonnull(1, 2, 4), warn_unused_result))
505
705
static int init_gnutls_global(const char *pubkeyfilename,
506
706
const char *seckeyfilename,
707
const char *dhparamsfilename,
507
708
mandos_context *mc){
508
709
int ret;
509
710
511
712
fprintf_plus(stderr, "Initializing GnuTLS\n");
512
713
}
513
714
514
ret = gnutls_global_init();
515
if(ret != GNUTLS_E_SUCCESS){
516
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
517
safer_gnutls_strerror(ret));
518
return -1;
519
}
520
521
715
if(debug){
522
716
/* "Use a log level over 10 to enable all debugging options."
523
717
* - GnuTLS manual
531
725
if(ret != GNUTLS_E_SUCCESS){
532
726
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
533
727
safer_gnutls_strerror(ret));
534
gnutls_global_deinit();
535
728
return -1;
536
729
}
537
730
538
731
if(debug){
539
fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
540
" secret key %s as GnuTLS credentials\n",
732
fprintf_plus(stderr, "Attempting to use public key %s and"
733
" private key %s as GnuTLS credentials\n",
541
734
pubkeyfilename,
542
735
seckeyfilename);
543
736
}
544
737
738
#if GNUTLS_VERSION_NUMBER >= 0x030606
739
ret = gnutls_certificate_set_rawpk_key_file
740
(mc->cred, pubkeyfilename, seckeyfilename,
741
GNUTLS_X509_FMT_PEM, /* format */
742
NULL, /* pass */
743
/* key_usage */
744
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
745
NULL, /* names */
746
0, /* names_length */
747
/* privkey_flags */
748
GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,
749
0); /* pkcs11_flags */
750
#elif GNUTLS_VERSION_NUMBER < 0x030600
545
751
ret = gnutls_certificate_set_openpgp_key_file
546
752
(mc->cred, pubkeyfilename, seckeyfilename,
547
753
GNUTLS_OPENPGP_FMT_BASE64);
754
#else
755
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
756
#endif
548
757
if(ret != GNUTLS_E_SUCCESS){
549
758
fprintf_plus(stderr,
550
"Error[%d] while reading the OpenPGP key pair ('%s',"
759
"Error[%d] while reading the key pair ('%s',"
551
760
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
552
761
fprintf_plus(stderr, "The GnuTLS error is: %s\n",
553
762
safer_gnutls_strerror(ret));
562
771
safer_gnutls_strerror(ret));
563
772
goto globalfail;
564
773
}
565
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
566
if(ret != GNUTLS_E_SUCCESS){
567
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
568
safer_gnutls_strerror(ret));
569
goto globalfail;
570
}
571
572
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
774
/* If a Diffie-Hellman parameters file was given, try to use it */
775
if(dhparamsfilename != NULL){
776
gnutls_datum_t params = { .data = NULL, .size = 0 };
777
do {
778
int dhpfile = open(dhparamsfilename, O_RDONLY);
779
if(dhpfile == -1){
780
perror_plus("open");
781
dhparamsfilename = NULL;
782
break;
783
}
784
size_t params_capacity = 0;
785
while(true){
786
params_capacity = incbuffer((char **)¶ms.data,
787
(size_t)params.size,
788
(size_t)params_capacity);
789
if(params_capacity == 0){
790
perror_plus("incbuffer");
791
free(params.data);
792
params.data = NULL;
793
dhparamsfilename = NULL;
794
break;
795
}
796
ssize_t bytes_read = read(dhpfile,
797
params.data + params.size,
798
BUFFER_SIZE);
799
/* EOF */
800
if(bytes_read == 0){
801
break;
802
}
803
/* check bytes_read for failure */
804
if(bytes_read < 0){
805
perror_plus("read");
806
free(params.data);
807
params.data = NULL;
808
dhparamsfilename = NULL;
809
break;
810
}
811
params.size += (unsigned int)bytes_read;
812
}
813
ret = close(dhpfile);
814
if(ret == -1){
815
perror_plus("close");
816
}
817
if(params.data == NULL){
818
dhparamsfilename = NULL;
819
}
820
if(dhparamsfilename == NULL){
821
break;
822
}
823
ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
824
GNUTLS_X509_FMT_PEM);
825
if(ret != GNUTLS_E_SUCCESS){
826
fprintf_plus(stderr, "Failed to parse DH parameters in file"
827
" \"%s\": %s\n", dhparamsfilename,
828
safer_gnutls_strerror(ret));
829
dhparamsfilename = NULL;
830
}
831
free(params.data);
832
} while(false);
833
}
834
if(dhparamsfilename == NULL){
835
if(mc->dh_bits == 0){
836
#if GNUTLS_VERSION_NUMBER < 0x030600
837
/* Find out the optimal number of DH bits */
838
/* Try to read the private key file */
839
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
840
do {
841
int secfile = open(seckeyfilename, O_RDONLY);
842
if(secfile == -1){
843
perror_plus("open");
844
break;
845
}
846
size_t buffer_capacity = 0;
847
while(true){
848
buffer_capacity = incbuffer((char **)&buffer.data,
849
(size_t)buffer.size,
850
(size_t)buffer_capacity);
851
if(buffer_capacity == 0){
852
perror_plus("incbuffer");
853
free(buffer.data);
854
buffer.data = NULL;
855
break;
856
}
857
ssize_t bytes_read = read(secfile,
858
buffer.data + buffer.size,
859
BUFFER_SIZE);
860
/* EOF */
861
if(bytes_read == 0){
862
break;
863
}
864
/* check bytes_read for failure */
865
if(bytes_read < 0){
866
perror_plus("read");
867
free(buffer.data);
868
buffer.data = NULL;
869
break;
870
}
871
buffer.size += (unsigned int)bytes_read;
872
}
873
close(secfile);
874
} while(false);
875
/* If successful, use buffer to parse private key */
876
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
877
if(buffer.data != NULL){
878
{
879
gnutls_openpgp_privkey_t privkey = NULL;
880
ret = gnutls_openpgp_privkey_init(&privkey);
881
if(ret != GNUTLS_E_SUCCESS){
882
fprintf_plus(stderr, "Error initializing OpenPGP key"
883
" structure: %s",
884
safer_gnutls_strerror(ret));
885
free(buffer.data);
886
buffer.data = NULL;
887
} else {
888
ret = gnutls_openpgp_privkey_import
889
(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
890
if(ret != GNUTLS_E_SUCCESS){
891
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
892
safer_gnutls_strerror(ret));
893
privkey = NULL;
894
}
895
free(buffer.data);
896
buffer.data = NULL;
897
if(privkey != NULL){
898
/* Use private key to suggest an appropriate
899
sec_param */
900
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
901
gnutls_openpgp_privkey_deinit(privkey);
902
if(debug){
903
fprintf_plus(stderr, "This OpenPGP key implies using"
904
" a GnuTLS security parameter \"%s\".\n",
905
safe_string(gnutls_sec_param_get_name
906
(sec_param)));
907
}
908
}
909
}
910
}
911
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
912
/* Err on the side of caution */
913
sec_param = GNUTLS_SEC_PARAM_ULTRA;
914
if(debug){
915
fprintf_plus(stderr, "Falling back to security parameter"
916
" \"%s\"\n",
917
safe_string(gnutls_sec_param_get_name
918
(sec_param)));
919
}
920
}
921
}
922
unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
923
if(uret != 0){
924
mc->dh_bits = uret;
925
if(debug){
926
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
927
" implies %u DH bits; using that.\n",
928
safe_string(gnutls_sec_param_get_name
929
(sec_param)),
930
mc->dh_bits);
931
}
932
} else {
933
fprintf_plus(stderr, "Failed to get implied number of DH"
934
" bits for security parameter \"%s\"): %s\n",
935
safe_string(gnutls_sec_param_get_name
936
(sec_param)),
937
safer_gnutls_strerror(ret));
938
goto globalfail;
939
}
940
#endif
941
} else { /* dh_bits != 0 */
942
if(debug){
943
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
944
mc->dh_bits);
945
}
946
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
947
if(ret != GNUTLS_E_SUCCESS){
948
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
949
" bits): %s\n", mc->dh_bits,
950
safer_gnutls_strerror(ret));
951
goto globalfail;
952
}
953
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
954
}
955
}
573
956
574
957
return 0;
575
958
576
959
globalfail:
577
960
578
961
gnutls_certificate_free_credentials(mc->cred);
579
gnutls_global_deinit();
580
962
gnutls_dh_params_deinit(mc->dh_params);
581
963
return -1;
582
964
}
587
969
int ret;
588
970
/* GnuTLS session creation */
589
971
do {
590
ret = gnutls_init(session, GNUTLS_SERVER);
972
ret = gnutls_init(session, (GNUTLS_SERVER
973
#if GNUTLS_VERSION_NUMBER >= 0x030506
974
| GNUTLS_NO_TICKETS
975
#endif
976
#if GNUTLS_VERSION_NUMBER >= 0x030606
977
| GNUTLS_ENABLE_RAWPK
978
#endif
979
));
591
980
if(quit_now){
592
981
return -1;
593
982
}
634
1023
/* ignore client certificate if any. */
635
1024
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
636
1025
637
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
638
639
1026
return 0;
640
1027
}
641
1028
643
1030
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
644
1031
__attribute__((unused)) const char *txt){}
645
1032
1033
/* Helper function to add_local_route() and delete_local_route() */
1034
__attribute__((nonnull, warn_unused_result))
1035
static bool add_delete_local_route(const bool add,
1036
const char *address,
1037
AvahiIfIndex if_index){
1038
int ret;
1039
char helper[] = "mandos-client-iprouteadddel";
1040
char add_arg[] = "add";
1041
char delete_arg[] = "delete";
1042
char debug_flag[] = "--debug";
1043
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
1044
if(pluginhelperdir == NULL){
1045
if(debug){
1046
fprintf_plus(stderr, "MANDOSPLUGINHELPERDIR environment"
1047
" variable not set; cannot run helper\n");
1048
}
1049
return false;
1050
}
1051
1052
char interface[IF_NAMESIZE];
1053
if(if_indextoname((unsigned int)if_index, interface) == NULL){
1054
perror_plus("if_indextoname");
1055
return false;
1056
}
1057
1058
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
1059
if(devnull == -1){
1060
perror_plus("open(\"/dev/null\", O_RDONLY)");
1061
return false;
1062
}
1063
pid_t pid = fork();
1064
if(pid == 0){
1065
/* Child */
1066
/* Raise privileges */
1067
errno = raise_privileges_permanently();
1068
if(errno != 0){
1069
perror_plus("Failed to raise privileges");
1070
/* _exit(EX_NOPERM); */
1071
} else {
1072
/* Set group */
1073
errno = 0;
1074
ret = setgid(0);
1075
if(ret == -1){
1076
perror_plus("setgid");
1077
close(devnull);
1078
_exit(EX_NOPERM);
1079
}
1080
/* Reset supplementary groups */
1081
errno = 0;
1082
ret = setgroups(0, NULL);
1083
if(ret == -1){
1084
perror_plus("setgroups");
1085
close(devnull);
1086
_exit(EX_NOPERM);
1087
}
1088
}
1089
ret = dup2(devnull, STDIN_FILENO);
1090
if(ret == -1){
1091
perror_plus("dup2(devnull, STDIN_FILENO)");
1092
close(devnull);
1093
_exit(EX_OSERR);
1094
}
1095
ret = close(devnull);
1096
if(ret == -1){
1097
perror_plus("close");
1098
}
1099
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
1100
if(ret == -1){
1101
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
1102
_exit(EX_OSERR);
1103
}
1104
int helperdir_fd = (int)TEMP_FAILURE_RETRY(open(pluginhelperdir,
1105
O_RDONLY
1106
| O_DIRECTORY
1107
| O_PATH
1108
| O_CLOEXEC));
1109
if(helperdir_fd == -1){
1110
perror_plus("open");
1111
_exit(EX_UNAVAILABLE);
1112
}
1113
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
1114
helper, O_RDONLY));
1115
if(helper_fd == -1){
1116
perror_plus("openat");
1117
close(helperdir_fd);
1118
_exit(EX_UNAVAILABLE);
1119
}
1120
close(helperdir_fd);
1121
#ifdef __GNUC__
1122
#pragma GCC diagnostic push
1123
#pragma GCC diagnostic ignored "-Wcast-qual"
1124
#endif
1125
if(fexecve(helper_fd, (char *const [])
1126
{ helper, add ? add_arg : delete_arg, (char *)address,
1127
interface, debug ? debug_flag : NULL, NULL },
1128
environ) == -1){
1129
#ifdef __GNUC__
1130
#pragma GCC diagnostic pop
1131
#endif
1132
perror_plus("fexecve");
1133
_exit(EXIT_FAILURE);
1134
}
1135
}
1136
if(pid == -1){
1137
perror_plus("fork");
1138
close(devnull);
1139
return false;
1140
}
1141
ret = close(devnull);
1142
if(ret == -1){
1143
perror_plus("close");
1144
}
1145
int status;
1146
pid_t pret = -1;
1147
errno = 0;
1148
do {
1149
pret = waitpid(pid, &status, 0);
1150
if(pret == -1 and errno == EINTR and quit_now){
1151
int errno_raising = 0;
1152
if((errno = raise_privileges()) != 0){
1153
errno_raising = errno;
1154
perror_plus("Failed to raise privileges in order to"
1155
" kill helper program");
1156
}
1157
if(kill(pid, SIGTERM) == -1){
1158
perror_plus("kill");
1159
}
1160
if((errno_raising == 0) and (errno = lower_privileges()) != 0){
1161
perror_plus("Failed to lower privileges after killing"
1162
" helper program");
1163
}
1164
return false;
1165
}
1166
} while(pret == -1 and errno == EINTR);
1167
if(pret == -1){
1168
perror_plus("waitpid");
1169
return false;
1170
}
1171
if(WIFEXITED(status)){
1172
if(WEXITSTATUS(status) != 0){
1173
fprintf_plus(stderr, "Error: iprouteadddel exited"
1174
" with status %d\n", WEXITSTATUS(status));
1175
return false;
1176
}
1177
return true;
1178
}
1179
if(WIFSIGNALED(status)){
1180
fprintf_plus(stderr, "Error: iprouteadddel died by"
1181
" signal %d\n", WTERMSIG(status));
1182
return false;
1183
}
1184
fprintf_plus(stderr, "Error: iprouteadddel crashed\n");
1185
return false;
1186
}
1187
1188
__attribute__((nonnull, warn_unused_result))
1189
static bool add_local_route(const char *address,
1190
AvahiIfIndex if_index){
1191
if(debug){
1192
fprintf_plus(stderr, "Adding route to %s\n", address);
1193
}
1194
return add_delete_local_route(true, address, if_index);
1195
}
1196
1197
__attribute__((nonnull, warn_unused_result))
1198
static bool delete_local_route(const char *address,
1199
AvahiIfIndex if_index){
1200
if(debug){
1201
fprintf_plus(stderr, "Removing route to %s\n", address);
1202
}
1203
return add_delete_local_route(false, address, if_index);
1204
}
1205
646
1206
/* Called when a Mandos server is found */
647
1207
__attribute__((nonnull, warn_unused_result))
648
1208
static int start_mandos_communication(const char *ip, in_port_t port,
659
1219
int retval = -1;
660
1220
gnutls_session_t session;
661
1221
int pf; /* Protocol family */
1222
bool route_added = false;
662
1223
663
1224
errno = 0;
664
1225
686
1247
bool match = false;
687
1248
{
688
1249
char *interface = NULL;
689
while((interface=argz_next(mc->interfaces, mc->interfaces_size,
690
interface))){
1250
while((interface = argz_next(mc->interfaces,
1251
mc->interfaces_size,
1252
interface))){
691
1253
if(if_nametoindex(interface) == (unsigned int)if_index){
692
1254
match = true;
693
1255
break;
722
1284
PRIuMAX "\n", ip, (uintmax_t)port);
723
1285
}
724
1286
725
tcp_sd = socket(pf, SOCK_STREAM, 0);
1287
tcp_sd = socket(pf, SOCK_STREAM | SOCK_CLOEXEC, 0);
726
1288
if(tcp_sd < 0){
727
1289
int e = errno;
728
1290
perror_plus("socket");
735
1297
goto mandos_end;
736
1298
}
737
1299
738
memset(&to, 0, sizeof(to));
739
1300
if(af == AF_INET6){
740
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
741
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
1301
struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;
1302
*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };
1303
ret = inet_pton(af, ip, &to6->sin6_addr);
742
1304
} else { /* IPv4 */
743
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
744
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
1305
struct sockaddr_in *to4 = (struct sockaddr_in *)&to;
1306
*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };
1307
ret = inet_pton(af, ip, &to4->sin_addr);
745
1308
}
746
1309
if(ret < 0 ){
747
1310
int e = errno;
817
1380
goto mandos_end;
818
1381
}
819
1382
820
if(af == AF_INET6){
821
ret = connect(tcp_sd, (struct sockaddr *)&to,
822
sizeof(struct sockaddr_in6));
823
} else {
824
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
825
sizeof(struct sockaddr_in));
826
}
827
if(ret < 0){
828
if((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
829
int e = errno;
830
perror_plus("connect");
831
errno = e;
832
}
833
goto mandos_end;
834
}
835
836
if(quit_now){
837
errno = EINTR;
838
goto mandos_end;
1383
while(true){
1384
if(af == AF_INET6){
1385
ret = connect(tcp_sd, (struct sockaddr *)&to,
1386
sizeof(struct sockaddr_in6));
1387
} else {
1388
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
1389
sizeof(struct sockaddr_in));
1390
}
1391
if(ret < 0){
1392
if(((errno == ENETUNREACH) or (errno == EHOSTUNREACH))
1393
and if_index != AVAHI_IF_UNSPEC
1394
and connect_to == NULL
1395
and not route_added and
1396
((af == AF_INET6 and not
1397
IN6_IS_ADDR_LINKLOCAL(&(((struct sockaddr_in6 *)
1398
&to)->sin6_addr)))
1399
or (af == AF_INET and
1400
/* Not a a IPv4LL address */
1401
(ntohl(((struct sockaddr_in *)&to)->sin_addr.s_addr)
1402
& 0xFFFF0000L) != 0xA9FE0000L))){
1403
/* Work around Avahi bug - Avahi does not announce link-local
1404
addresses if it has a global address, so local hosts with
1405
*only* a link-local address (e.g. Mandos clients) cannot
1406
connect to a Mandos server announced by Avahi on a server
1407
host with a global address. Work around this by retrying
1408
with an explicit route added with the server's address.
1409
1410
Avahi bug reference:
1411
https://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1412
https://bugs.debian.org/587961
1413
*/
1414
if(debug){
1415
fprintf_plus(stderr, "Mandos server unreachable, trying"
1416
" direct route\n");
1417
}
1418
int e = errno;
1419
route_added = add_local_route(ip, if_index);
1420
if(route_added){
1421
continue;
1422
}
1423
errno = e;
1424
}
1425
if(errno != ECONNREFUSED or debug){
1426
int e = errno;
1427
perror_plus("connect");
1428
errno = e;
1429
}
1430
goto mandos_end;
1431
}
1432
1433
if(quit_now){
1434
errno = EINTR;
1435
goto mandos_end;
1436
}
1437
break;
839
1438
}
840
1439
841
1440
const char *out = mandos_protocol_version;
995
1594
&decrypted_buffer, mc);
996
1595
if(decrypted_buffer_size >= 0){
997
1596
1597
clearerr(stdout);
998
1598
written = 0;
999
1599
while(written < (size_t) decrypted_buffer_size){
1000
1600
if(quit_now){
1016
1616
}
1017
1617
written += (size_t)ret;
1018
1618
}
1619
ret = fflush(stdout);
1620
if(ret != 0){
1621
int e = errno;
1622
if(debug){
1623
fprintf_plus(stderr, "Error writing encrypted data: %s\n",
1624
strerror(errno));
1625
}
1626
errno = e;
1627
goto mandos_end;
1628
}
1019
1629
retval = 0;
1020
1630
}
1021
1631
}
1024
1634
1025
1635
mandos_end:
1026
1636
{
1637
if(route_added){
1638
if(not delete_local_route(ip, if_index)){
1639
fprintf_plus(stderr, "Failed to delete local route to %s on"
1640
" interface %d", ip, if_index);
1641
}
1642
}
1027
1643
int e = errno;
1028
1644
free(decrypted_buffer);
1029
1645
free(buffer);
1030
1646
if(tcp_sd >= 0){
1031
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
1647
ret = close(tcp_sd);
1032
1648
}
1033
1649
if(ret == -1){
1034
1650
if(e == 0){
1046
1662
return retval;
1047
1663
}
1048
1664
1049
__attribute__((nonnull))
1050
1665
static void resolve_callback(AvahiSServiceResolver *r,
1051
1666
AvahiIfIndex interface,
1052
1667
AvahiProtocol proto,
1069
1684
timed out */
1070
1685
1071
1686
if(quit_now){
1687
avahi_s_service_resolver_free(r);
1072
1688
return;
1073
1689
}
1074
1690
1188
1804
__attribute__((nonnull, warn_unused_result))
1189
1805
bool get_flags(const char *ifname, struct ifreq *ifr){
1190
1806
int ret;
1191
error_t ret_errno;
1807
int old_errno;
1192
1808
1193
1809
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1194
1810
if(s < 0){
1195
ret_errno = errno;
1811
old_errno = errno;
1196
1812
perror_plus("socket");
1197
errno = ret_errno;
1813
errno = old_errno;
1198
1814
return false;
1199
1815
}
1200
strcpy(ifr->ifr_name, ifname);
1816
strncpy(ifr->ifr_name, ifname, IF_NAMESIZE);
1817
ifr->ifr_name[IF_NAMESIZE-1] = '\0'; /* NUL terminate */
1201
1818
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1202
1819
if(ret == -1){
1203
1820
if(debug){
1204
ret_errno = errno;
1821
old_errno = errno;
1205
1822
perror_plus("ioctl SIOCGIFFLAGS");
1206
errno = ret_errno;
1823
errno = old_errno;
1824
}
1825
if((close(s) == -1) and debug){
1826
old_errno = errno;
1827
perror_plus("close");
1828
errno = old_errno;
1207
1829
}
1208
1830
return false;
1209
1831
}
1832
if((close(s) == -1) and debug){
1833
old_errno = errno;
1834
perror_plus("close");
1835
errno = old_errno;
1836
}
1210
1837
return true;
1211
1838
}
1212
1839
1454
2081
}
1455
2082
}
1456
2083
1457
/* Set effective uid to 0, return errno */
1458
__attribute__((warn_unused_result))
1459
error_t raise_privileges(void){
1460
error_t old_errno = errno;
1461
error_t ret_errno = 0;
1462
if(seteuid(0) == -1){
1463
ret_errno = errno;
1464
}
1465
errno = old_errno;
1466
return ret_errno;
1467
}
1468
1469
/* Set effective and real user ID to 0. Return errno. */
1470
__attribute__((warn_unused_result))
1471
error_t raise_privileges_permanently(void){
1472
error_t old_errno = errno;
1473
error_t ret_errno = raise_privileges();
1474
if(ret_errno != 0){
1475
errno = old_errno;
1476
return ret_errno;
1477
}
1478
if(setuid(0) == -1){
1479
ret_errno = errno;
1480
}
1481
errno = old_errno;
1482
return ret_errno;
1483
}
1484
1485
/* Set effective user ID to unprivileged saved user ID */
1486
__attribute__((warn_unused_result))
1487
error_t lower_privileges(void){
1488
error_t old_errno = errno;
1489
error_t ret_errno = 0;
1490
if(seteuid(uid) == -1){
1491
ret_errno = errno;
1492
}
1493
errno = old_errno;
1494
return ret_errno;
1495
}
1496
1497
/* Lower privileges permanently */
1498
__attribute__((warn_unused_result))
1499
error_t lower_privileges_permanently(void){
1500
error_t old_errno = errno;
1501
error_t ret_errno = 0;
1502
if(setuid(uid) == -1){
1503
ret_errno = errno;
1504
}
1505
errno = old_errno;
1506
return ret_errno;
1507
}
1508
1509
2084
__attribute__((nonnull))
1510
2085
void run_network_hooks(const char *mode, const char *interface,
1511
2086
const float delay){
1512
2087
struct dirent **direntries = NULL;
1513
2088
if(hookdir_fd == -1){
1514
hookdir_fd = open(hookdir, O_RDONLY);
2089
hookdir_fd = open(hookdir, O_RDONLY | O_DIRECTORY | O_PATH
2090
| O_CLOEXEC);
1515
2091
if(hookdir_fd == -1){
1516
2092
if(errno == ENOENT){
1517
2093
if(debug){
1524
2100
return;
1525
2101
}
1526
2102
}
1527
#ifdef __GLIBC__
1528
#if __GLIBC_PREREQ(2, 15)
2103
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
2104
if(devnull == -1){
2105
perror_plus("open(\"/dev/null\", O_RDONLY)");
2106
return;
2107
}
1529
2108
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1530
2109
runnable_hook, alphasort);
1531
#else /* not __GLIBC_PREREQ(2, 15) */
1532
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1533
alphasort);
1534
#endif /* not __GLIBC_PREREQ(2, 15) */
1535
#else /* not __GLIBC__ */
1536
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1537
alphasort);
1538
#endif /* not __GLIBC__ */
1539
2110
if(numhooks == -1){
1540
2111
perror_plus("scandir");
2112
close(devnull);
1541
2113
return;
1542
2114
}
1543
2115
struct dirent *direntry;
1544
2116
int ret;
1545
int devnull = open("/dev/null", O_RDONLY);
1546
2117
for(int i = 0; i < numhooks; i++){
1547
2118
direntry = direntries[i];
1548
2119
if(debug){
1572
2143
perror_plus("setgroups");
1573
2144
_exit(EX_NOPERM);
1574
2145
}
1575
ret = dup2(devnull, STDIN_FILENO);
1576
if(ret == -1){
1577
perror_plus("dup2(devnull, STDIN_FILENO)");
1578
_exit(EX_OSERR);
1579
}
1580
ret = close(devnull);
1581
if(ret == -1){
1582
perror_plus("close");
1583
_exit(EX_OSERR);
1584
}
1585
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
1586
if(ret == -1){
1587
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
1588
_exit(EX_OSERR);
1589
}
1590
2146
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1591
2147
if(ret == -1){
1592
2148
perror_plus("setenv");
1627
2183
_exit(EX_OSERR);
1628
2184
}
1629
2185
}
1630
int hook_fd = openat(hookdir_fd, direntry->d_name, O_RDONLY);
2186
int hook_fd = (int)TEMP_FAILURE_RETRY(openat(hookdir_fd,
2187
direntry->d_name,
2188
O_RDONLY));
1631
2189
if(hook_fd == -1){
1632
2190
perror_plus("openat");
1633
2191
_exit(EXIT_FAILURE);
1634
2192
}
1635
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
2193
if(close(hookdir_fd) == -1){
1636
2194
perror_plus("close");
1637
2195
_exit(EXIT_FAILURE);
1638
2196
}
2197
ret = dup2(devnull, STDIN_FILENO);
2198
if(ret == -1){
2199
perror_plus("dup2(devnull, STDIN_FILENO)");
2200
_exit(EX_OSERR);
2201
}
2202
ret = close(devnull);
2203
if(ret == -1){
2204
perror_plus("close");
2205
_exit(EX_OSERR);
2206
}
2207
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
2208
if(ret == -1){
2209
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
2210
_exit(EX_OSERR);
2211
}
1639
2212
if(fexecve(hook_fd, (char *const []){ direntry->d_name, NULL },
1640
2213
environ) == -1){
1641
2214
perror_plus("fexecve");
1642
2215
_exit(EXIT_FAILURE);
1643
2216
}
1644
2217
} else {
2218
if(hook_pid == -1){
2219
perror_plus("fork");
2220
free(direntry);
2221
continue;
2222
}
1645
2223
int status;
1646
2224
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1647
2225
perror_plus("waitpid");
2226
free(direntry);
1648
2227
continue;
1649
2228
}
1650
2229
if(WIFEXITED(status)){
1652
2231
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1653
2232
" with status %d\n", direntry->d_name,
1654
2233
WEXITSTATUS(status));
2234
free(direntry);
1655
2235
continue;
1656
2236
}
1657
2237
} else if(WIFSIGNALED(status)){
1658
2238
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1659
2239
" signal %d\n", direntry->d_name,
1660
2240
WTERMSIG(status));
2241
free(direntry);
1661
2242
continue;
1662
2243
} else {
1663
2244
fprintf_plus(stderr, "Warning: network hook \"%s\""
1664
2245
" crashed\n", direntry->d_name);
2246
free(direntry);
1665
2247
continue;
1666
2248
}
1667
2249
}
1669
2251
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1670
2252
direntry->d_name);
1671
2253
}
2254
free(direntry);
1672
2255
}
1673
2256
free(direntries);
1674
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
2257
if(close(hookdir_fd) == -1){
1675
2258
perror_plus("close");
1676
2259
} else {
1677
2260
hookdir_fd = -1;
1680
2263
}
1681
2264
1682
2265
__attribute__((nonnull, warn_unused_result))
1683
error_t bring_up_interface(const char *const interface,
1684
const float delay){
1685
error_t old_errno = errno;
2266
int bring_up_interface(const char *const interface,
2267
const float delay){
2268
int old_errno = errno;
1686
2269
int ret;
1687
2270
struct ifreq network;
1688
2271
unsigned int if_index = if_nametoindex(interface);
1698
2281
}
1699
2282
1700
2283
if(not interface_is_up(interface)){
1701
error_t ret_errno = 0, ioctl_errno = 0;
2284
int ret_errno = 0;
2285
int ioctl_errno = 0;
1702
2286
if(not get_flags(interface, &network)){
1703
2287
ret_errno = errno;
1704
2288
fprintf_plus(stderr, "Failed to get flags for interface "
1717
2301
}
1718
2302
1719
2303
if(quit_now){
1720
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2304
ret = close(sd);
1721
2305
if(ret == -1){
1722
2306
perror_plus("close");
1723
2307
}
1773
2357
}
1774
2358
1775
2359
/* Close the socket */
1776
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2360
ret = close(sd);
1777
2361
if(ret == -1){
1778
2362
perror_plus("close");
1779
2363
}
1791
2375
1792
2376
/* Sleep checking until interface is running.
1793
2377
Check every 0.25s, up to total time of delay */
1794
for(int i=0; i < delay * 4; i++){
2378
for(int i = 0; i < delay * 4; i++){
1795
2379
if(interface_is_running(interface)){
1796
2380
break;
1797
2381
}
1807
2391
}
1808
2392
1809
2393
__attribute__((nonnull, warn_unused_result))
1810
error_t take_down_interface(const char *const interface){
1811
error_t old_errno = errno;
2394
int take_down_interface(const char *const interface){
2395
int old_errno = errno;
1812
2396
struct ifreq network;
1813
2397
unsigned int if_index = if_nametoindex(interface);
1814
2398
if(if_index == 0){
1817
2401
return ENXIO;
1818
2402
}
1819
2403
if(interface_is_up(interface)){
1820
error_t ret_errno = 0, ioctl_errno = 0;
2404
int ret_errno = 0;
2405
int ioctl_errno = 0;
1821
2406
if(not get_flags(interface, &network) and debug){
1822
2407
ret_errno = errno;
1823
2408
fprintf_plus(stderr, "Failed to get flags for interface "
1861
2446
}
1862
2447
1863
2448
/* Close the socket */
1864
int ret = (int)TEMP_FAILURE_RETRY(close(sd));
2449
int ret = close(sd);
1865
2450
if(ret == -1){
1866
2451
perror_plus("close");
1867
2452
}
1882
2467
}
1883
2468
1884
2469
int main(int argc, char *argv[]){
1885
mandos_context mc = { .server = NULL, .dh_bits = 1024,
1886
.priority = "SECURE256:!CTYPE-X.509:"
1887
"+CTYPE-OPENPGP", .current_server = NULL,
1888
.interfaces = NULL, .interfaces_size = 0 };
2470
mandos_context mc = { .server = NULL, .dh_bits = 0,
2471
#if GNUTLS_VERSION_NUMBER >= 0x030606
2472
.priority = "SECURE128:!CTYPE-X.509"
2473
":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"
2474
":%PROFILE_ULTRA",
2475
#elif GNUTLS_VERSION_NUMBER < 0x030600
2476
.priority = "SECURE256:!CTYPE-X.509"
2477
":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
2478
#else
2479
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
2480
#endif
2481
.current_server = NULL, .interfaces = NULL,
2482
.interfaces_size = 0 };
1889
2483
AvahiSServiceBrowser *sb = NULL;
1890
2484
error_t ret_errno;
1891
2485
int ret;
1900
2494
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1901
2495
const char *seckey = PATHDIR "/" SECKEY;
1902
2496
const char *pubkey = PATHDIR "/" PUBKEY;
2497
#if GNUTLS_VERSION_NUMBER >= 0x030606
2498
const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;
2499
const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;
2500
#endif
2501
const char *dh_params_file = NULL;
1903
2502
char *interfaces_hooks = NULL;
1904
2503
1905
2504
bool gnutls_initialized = false;
1952
2551
{ .name = "pubkey", .key = 'p',
1953
2552
.arg = "FILE",
1954
2553
.doc = "OpenPGP public key file base name",
1955
.group = 2 },
2554
.group = 1 },
2555
{ .name = "tls-privkey", .key = 't',
2556
.arg = "FILE",
2557
#if GNUTLS_VERSION_NUMBER >= 0x030606
2558
.doc = "TLS private key file base name",
2559
#else
2560
.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
2561
#endif
2562
.group = 1 },
2563
{ .name = "tls-pubkey", .key = 'T',
2564
.arg = "FILE",
2565
#if GNUTLS_VERSION_NUMBER >= 0x030606
2566
.doc = "TLS public key file base name",
2567
#else
2568
.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
2569
#endif
2570
.group = 1 },
1956
2571
{ .name = "dh-bits", .key = 129,
1957
2572
.arg = "BITS",
1958
2573
.doc = "Bit length of the prime number used in the"
1959
2574
" Diffie-Hellman key exchange",
1960
2575
.group = 2 },
2576
{ .name = "dh-params", .key = 134,
2577
.arg = "FILE",
2578
.doc = "PEM-encoded PKCS#3 file with pre-generated parameters"
2579
" for the Diffie-Hellman key exchange",
2580
.group = 2 },
1961
2581
{ .name = "priority", .key = 130,
1962
2582
.arg = "STRING",
1963
2583
.doc = "GnuTLS priority string for the TLS handshake",
2009
2629
case 'p': /* --pubkey */
2010
2630
pubkey = arg;
2011
2631
break;
2632
case 't': /* --tls-privkey */
2633
#if GNUTLS_VERSION_NUMBER >= 0x030606
2634
tls_privkey = arg;
2635
#endif
2636
break;
2637
case 'T': /* --tls-pubkey */
2638
#if GNUTLS_VERSION_NUMBER >= 0x030606
2639
tls_pubkey = arg;
2640
#endif
2641
break;
2012
2642
case 129: /* --dh-bits */
2013
2643
errno = 0;
2014
2644
tmpmax = strtoimax(arg, &tmp, 10);
2018
2648
}
2019
2649
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
2020
2650
break;
2651
case 134: /* --dh-params */
2652
dh_params_file = arg;
2653
break;
2021
2654
case 130: /* --priority */
2022
2655
mc.priority = arg;
2023
2656
break;
2046
2679
argp_state_help(state, state->out_stream,
2047
2680
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
2048
2681
& ~(unsigned int)ARGP_HELP_EXIT_OK);
2682
__builtin_unreachable();
2049
2683
case -3: /* --usage */
2050
2684
argp_state_help(state, state->out_stream,
2051
2685
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
2686
__builtin_unreachable();
2052
2687
case 'V': /* --version */
2053
2688
fprintf_plus(state->out_stream, "%s\n", argp_program_version);
2054
2689
exit(argp_err_exit_status);
2063
2698
.args_doc = "",
2064
2699
.doc = "Mandos client -- Get and decrypt"
2065
2700
" passwords from a Mandos server" };
2066
ret = argp_parse(&argp, argc, argv,
2067
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2068
switch(ret){
2701
ret_errno = argp_parse(&argp, argc, argv,
2702
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2703
switch(ret_errno){
2069
2704
case 0:
2070
2705
break;
2071
2706
case ENOMEM:
2072
2707
default:
2073
errno = ret;
2708
errno = ret_errno;
2074
2709
perror_plus("argp_parse");
2075
2710
exitcode = EX_OSERR;
2076
2711
goto end;
2079
2714
goto end;
2080
2715
}
2081
2716
}
2082
2717
2083
2718
{
2084
2719
/* Work around Debian bug #633582:
2085
<http://bugs.debian.org/633582> */
2720
<https://bugs.debian.org/633582> */
2086
2721
2087
2722
/* Re-raise privileges */
2088
ret_errno = raise_privileges();
2089
if(ret_errno != 0){
2090
errno = ret_errno;
2723
ret = raise_privileges();
2724
if(ret != 0){
2725
errno = ret;
2091
2726
perror_plus("Failed to raise privileges");
2092
2727
} else {
2093
2728
struct stat st;
2109
2744
}
2110
2745
}
2111
2746
}
2112
TEMP_FAILURE_RETRY(close(seckey_fd));
2747
close(seckey_fd);
2113
2748
}
2114
2749
}
2115
2750
2116
2751
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
2117
2752
int pubkey_fd = open(pubkey, O_RDONLY);
2118
2753
if(pubkey_fd == -1){
2130
2765
}
2131
2766
}
2132
2767
}
2133
TEMP_FAILURE_RETRY(close(pubkey_fd));
2134
}
2135
}
2136
2768
close(pubkey_fd);
2769
}
2770
}
2771
2772
if(dh_params_file != NULL
2773
and strcmp(dh_params_file, PATHDIR "/dhparams.pem" ) == 0){
2774
int dhparams_fd = open(dh_params_file, O_RDONLY);
2775
if(dhparams_fd == -1){
2776
perror_plus("open");
2777
} else {
2778
ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));
2779
if(ret == -1){
2780
perror_plus("fstat");
2781
} else {
2782
if(S_ISREG(st.st_mode)
2783
and st.st_uid == 0 and st.st_gid == 0){
2784
ret = fchown(dhparams_fd, uid, gid);
2785
if(ret == -1){
2786
perror_plus("fchown");
2787
}
2788
}
2789
}
2790
close(dhparams_fd);
2791
}
2792
}
2793
2137
2794
/* Lower privileges */
2138
ret_errno = lower_privileges();
2139
if(ret_errno != 0){
2140
errno = ret_errno;
2795
ret = lower_privileges();
2796
if(ret != 0){
2797
errno = ret;
2141
2798
perror_plus("Failed to lower privileges");
2142
2799
}
2143
2800
}
2268
2925
if(ret_errno != 0){
2269
2926
errno = ret_errno;
2270
2927
perror_plus("argz_add");
2928
free(direntries[i]);
2271
2929
continue;
2272
2930
}
2273
2931
if(debug){
2274
2932
fprintf_plus(stderr, "Will use interface \"%s\"\n",
2275
2933
direntries[i]->d_name);
2276
2934
}
2935
free(direntries[i]);
2277
2936
}
2278
2937
free(direntries);
2279
2938
} else {
2311
2970
errno = bring_up_interface(interface, delay);
2312
2971
if(not interface_was_up){
2313
2972
if(errno != 0){
2314
perror_plus("Failed to bring up interface");
2973
fprintf_plus(stderr, "Failed to bring up interface \"%s\":"
2974
" %s\n", interface, strerror(errno));
2315
2975
} else {
2316
2976
errno = argz_add(&interfaces_to_take_down,
2317
2977
&interfaces_to_take_down_size,
2340
3000
goto end;
2341
3001
}
2342
3002
2343
ret = init_gnutls_global(pubkey, seckey, &mc);
3003
#if GNUTLS_VERSION_NUMBER >= 0x030606
3004
ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);
3005
#elif GNUTLS_VERSION_NUMBER < 0x030600
3006
ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
3007
#else
3008
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
3009
#endif
2344
3010
if(ret == -1){
2345
3011
fprintf_plus(stderr, "init_gnutls_global failed\n");
2346
3012
exitcode = EX_UNAVAILABLE;
2468
3134
2469
3135
/* Allocate a new server */
2470
3136
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
2471
&config, NULL, NULL, &ret_errno);
3137
&config, NULL, NULL, &ret);
2472
3138
2473
3139
/* Free the Avahi configuration data */
2474
3140
avahi_server_config_free(&config);
2477
3143
/* Check if creating the Avahi server object succeeded */
2478
3144
if(mc.server == NULL){
2479
3145
fprintf_plus(stderr, "Failed to create Avahi server: %s\n",
2480
avahi_strerror(ret_errno));
3146
avahi_strerror(ret));
2481
3147
exitcode = EX_UNAVAILABLE;
2482
3148
goto end;
2483
3149
}
2518
3184
end:
2519
3185
2520
3186
if(debug){
2521
fprintf_plus(stderr, "%s exiting\n", argv[0]);
3187
if(signal_received){
3188
fprintf_plus(stderr, "%s exiting due to signal %d: %s\n",
3189
argv[0], signal_received,
3190
strsignal(signal_received));
3191
} else {
3192
fprintf_plus(stderr, "%s exiting\n", argv[0]);
3193
}
2522
3194
}
2523
3195
2524
3196
/* Cleanup things */
2535
3207
2536
3208
if(gnutls_initialized){
2537
3209
gnutls_certificate_free_credentials(mc.cred);
2538
gnutls_global_deinit();
2539
3210
gnutls_dh_params_deinit(mc.dh_params);
2540
3211
}
2541
3212
2549
3220
mc.current_server->prev->next = NULL;
2550
3221
while(mc.current_server != NULL){
2551
3222
server *next = mc.current_server->next;
3223
#ifdef __GNUC__
3224
#pragma GCC diagnostic push
3225
#pragma GCC diagnostic ignored "-Wcast-qual"
3226
#endif
3227
free((char *)(mc.current_server->ip));
3228
#ifdef __GNUC__
3229
#pragma GCC diagnostic pop
3230
#endif
2552
3231
free(mc.current_server);
2553
3232
mc.current_server = next;
2554
3233
}
2556
3235
2557
3236
/* Re-raise privileges */
2558
3237
{
2559
ret_errno = raise_privileges();
2560
if(ret_errno != 0){
2561
errno = ret_errno;
3238
ret = raise_privileges();
3239
if(ret != 0){
3240
errno = ret;
2562
3241
perror_plus("Failed to raise privileges");
2563
3242
} else {
2564
3243
2569
3248
/* Take down the network interfaces which were brought up */
2570
3249
{
2571
3250
char *interface = NULL;
2572
while((interface=argz_next(interfaces_to_take_down,
2573
interfaces_to_take_down_size,
2574
interface))){
2575
ret_errno = take_down_interface(interface);
2576
if(ret_errno != 0){
2577
errno = ret_errno;
3251
while((interface = argz_next(interfaces_to_take_down,
3252
interfaces_to_take_down_size,
3253
interface))){
3254
ret = take_down_interface(interface);
3255
if(ret != 0){
3256
errno = ret;
2578
3257
perror_plus("Failed to take down interface");
2579
3258
}
2580
3259
}
2585
3264
}
2586
3265
}
2587
3266
2588
ret_errno = lower_privileges_permanently();
2589
if(ret_errno != 0){
2590
errno = ret_errno;
3267
ret = lower_privileges_permanently();
3268
if(ret != 0){
3269
errno = ret;
2591
3270
perror_plus("Failed to lower privileges permanently");
2592
3271
}
2593
3272
}
2595
3274
free(interfaces_to_take_down);
2596
3275
free(interfaces_hooks);
2597
3276
3277
void clean_dir_at(int base, const char * const dirname,
3278
uintmax_t level){
3279
struct dirent **direntries = NULL;
3280
int dret;
3281
int dir_fd = (int)TEMP_FAILURE_RETRY(openat(base, dirname,
3282
O_RDONLY
3283
| O_NOFOLLOW
3284
| O_DIRECTORY
3285
| O_PATH));
3286
if(dir_fd == -1){
3287
perror_plus("open");
3288
return;
3289
}
3290
int numentries = scandirat(dir_fd, ".", &direntries,
3291
notdotentries, alphasort);
3292
if(numentries >= 0){
3293
for(int i = 0; i < numentries; i++){
3294
if(debug){
3295
fprintf_plus(stderr, "Unlinking \"%s/%s\"\n",
3296
dirname, direntries[i]->d_name);
3297
}
3298
dret = unlinkat(dir_fd, direntries[i]->d_name, 0);
3299
if(dret == -1){
3300
if(errno == EISDIR){
3301
dret = unlinkat(dir_fd, direntries[i]->d_name,
3302
AT_REMOVEDIR);
3303
}
3304
if((dret == -1) and (errno == ENOTEMPTY)
3305
and (strcmp(direntries[i]->d_name, "private-keys-v1.d")
3306
== 0) and (level == 0)){
3307
/* Recurse only in this special case */
3308
clean_dir_at(dir_fd, direntries[i]->d_name, level+1);
3309
dret = 0;
3310
}
3311
if((dret == -1) and (errno != ENOENT)){
3312
fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,
3313
direntries[i]->d_name, strerror(errno));
3314
}
3315
}
3316
free(direntries[i]);
3317
}
3318
3319
/* need to clean even if 0 because man page doesn't specify */
3320
free(direntries);
3321
dret = unlinkat(base, dirname, AT_REMOVEDIR);
3322
if(dret == -1 and errno != ENOENT){
3323
perror_plus("rmdir");
3324
}
3325
} else {
3326
perror_plus("scandirat");
3327
}
3328
close(dir_fd);
3329
}
3330
2598
3331
/* Removes the GPGME temp directory and all files inside */
2599
3332
if(tempdir != NULL){
2600
struct dirent **direntries = NULL;
2601
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY |
2602
O_NOFOLLOW));
2603
if(tempdir_fd == -1){
2604
perror_plus("open");
2605
} else {
2606
#ifdef __GLIBC__
2607
#if __GLIBC_PREREQ(2, 15)
2608
int numentries = scandirat(tempdir_fd, ".", &direntries,
2609
notdotentries, alphasort);
2610
#else /* not __GLIBC_PREREQ(2, 15) */
2611
int numentries = scandir(tempdir, &direntries, notdotentries,
2612
alphasort);
2613
#endif /* not __GLIBC_PREREQ(2, 15) */
2614
#else /* not __GLIBC__ */
2615
int numentries = scandir(tempdir, &direntries, notdotentries,
2616
alphasort);
2617
#endif /* not __GLIBC__ */
2618
if(numentries >= 0){
2619
for(int i = 0; i < numentries; i++){
2620
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
2621
if(ret == -1){
2622
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
2623
" \"%s\", 0): %s\n", tempdir,
2624
direntries[i]->d_name, strerror(errno));
2625
}
2626
}
2627
2628
/* need to clean even if 0 because man page doesn't specify */
2629
free(direntries);
2630
if(numentries == -1){
2631
perror_plus("scandir");
2632
}
2633
ret = rmdir(tempdir);
2634
if(ret == -1 and errno != ENOENT){
2635
perror_plus("rmdir");
2636
}
2637
}
2638
TEMP_FAILURE_RETRY(close(tempdir_fd));
2639
}
3333
clean_dir_at(-1, tempdir, 0);
2640
3334
}
2641
3335
2642
3336
if(quit_now){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0