To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 1239
- compare with another revision
- download diff
- download tarball
- view history from revision 1239
- Committer: Teddy Hogeborn
- Date: 2021-02-04 17:59:45 UTC
- Revision ID: teddy@recompile.se-20210204175945-8druo6d88ipc1z58
Fix issue with french translation
Initial white space was missing in both msgid and msgstr of the french
translation, leading to checking tools reporing an incomplete
translation. The string is a raw key id, and therefore did not need
translation, so this was never a user-visible issue.
* debian/po/fr.po: Add missing whitespace to the id and translation
for msgid " ${key_id}".
Initial white space was missing in both msgid and msgstr of the french
translation, leading to checking tools reporing an incomplete
translation. The string is a raw key id, and therefore did not need
translation, so this was never a user-visible issue.
* debian/po/fr.po: Add missing whitespace to the id and translation
for msgid " ${key_id}".
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2017 Teddy Hogeborn
13
* Copyright © 2008-2017 Björn Påhlsson
12
* Copyright © 2008-2021 Teddy Hogeborn
13
* Copyright © 2008-2021 Björn Påhlsson
14
14
*
15
15
* This file is part of Mandos.
16
16
*
38
38
#define _FILE_OFFSET_BITS 64
39
39
#endif /* not _FILE_OFFSET_BITS */
40
40
41
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
42
43
#include <stdio.h> /* fprintf(), stderr, fwrite(),
44
stdout, ferror() */
45
#include <stdint.h> /* uint16_t, uint32_t, intptr_t */
46
#include <stddef.h> /* NULL, size_t, ssize_t */
47
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
48
strtof(), abort() */
41
#define _GNU_SOURCE /* program_invocation_short_name,
42
TEMP_FAILURE_RETRY(), O_CLOEXEC,
43
scandirat(), asprintf() */
49
44
#include <stdbool.h> /* bool, false, true */
50
#include <string.h> /* strcmp(), strlen(), strerror(),
51
asprintf(), strncpy(), strsignal()
52
*/
53
#include <sys/ioctl.h> /* ioctl */
54
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
55
sockaddr_in6, PF_INET6,
56
SOCK_STREAM, uid_t, gid_t, open(),
57
opendir(), DIR */
58
#include <sys/stat.h> /* open(), S_ISREG */
59
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
60
inet_pton(), connect(),
61
getnameinfo() */
62
#include <fcntl.h> /* open(), unlinkat(), AT_REMOVEDIR */
63
#include <dirent.h> /* opendir(), struct dirent, readdir()
64
*/
65
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
66
strtoimax() */
67
#include <errno.h> /* perror(), errno, EINTR, EINVAL,
68
EAI_SYSTEM, ENETUNREACH,
45
#include <argp.h> /* argp_program_version,
46
argp_program_bug_address,
47
struct argp_option,
48
struct argp_state, argp_error(),
49
argp_state_help,
50
ARGP_HELP_STD_HELP,
51
ARGP_HELP_EXIT_ERR,
52
ARGP_HELP_EXIT_OK, ARGP_HELP_USAGE,
53
argp_err_exit_status,
54
ARGP_ERR_UNKNOWN, struct argp,
55
argp_parse(), ARGP_IN_ORDER,
56
ARGP_NO_HELP */
57
#include <stddef.h> /* NULL, size_t */
58
#include <sys/types.h> /* uid_t, gid_t, sig_atomic_t,
59
seteuid(), setuid(), pid_t,
60
setgid(), getuid(), getgid() */
61
#include <unistd.h> /* uid_t, gid_t, TEMP_FAILURE_RETRY(),
62
seteuid(), setuid(), close(),
63
ssize_t, read(), fork(), setgid(),
64
_exit(), dup2(), STDIN_FILENO,
65
STDERR_FILENO, STDOUT_FILENO,
66
fexecve(), write(), getuid(),
67
getgid(), fchown(), symlink(),
68
sleep(), unlinkat(), pause() */
69
#include <netinet/in.h> /* in_port_t, struct sockaddr_in6,
70
sa_family_t, struct sockaddr_in,
71
htons(), IN6_IS_ADDR_LINKLOCAL,
72
INET_ADDRSTRLEN, INET6_ADDRSTRLEN,
73
ntohl(), IPPROTO_IP */
74
#include <time.h> /* struct timespec, clock_gettime(),
75
CLOCK_MONOTONIC, time_t, struct tm,
76
gmtime_r(), clock_settime(),
77
CLOCK_REALTIME, nanosleep() */
78
#include <errno.h> /* errno,
79
program_invocation_short_name,
80
EINTR, EINVAL, ENETUNREACH,
69
81
EHOSTUNREACH, ECONNREFUSED, EPROTO,
70
EIO, ENOENT, ENXIO, ENOMEM, EISDIR,
71
ENOTEMPTY,
72
program_invocation_short_name */
73
#include <time.h> /* nanosleep(), time(), sleep() */
74
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
75
SIOCSIFFLAGS, if_indextoname(),
76
if_nametoindex(), IF_NAMESIZE */
77
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
78
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
79
*/
80
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
81
getuid(), getgid(), seteuid(),
82
setgid(), pause(), _exit(),
83
unlinkat() */
84
#include <arpa/inet.h> /* inet_pton(), htons() */
85
#include <iso646.h> /* not, or, and */
86
#include <argp.h> /* struct argp_option, error_t, struct
87
argp_state, struct argp,
88
argp_parse(), ARGP_KEY_ARG,
89
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
90
#include <signal.h> /* sigemptyset(), sigaddset(),
91
sigaction(), SIGTERM, sig_atomic_t,
92
raise() */
93
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
94
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
82
EIO, ENOENT, ENXIO, error_t,
83
ENOMEM, EISDIR, ENOTEMPTY */
84
#include <stdio.h> /* fprintf(), stderr, perror(), FILE,
85
vfprintf(), off_t, SEEK_SET,
86
stdout, fwrite(), ferror(),
87
fflush(), asprintf() */
88
#include <stdarg.h> /* va_list, va_start(), vfprintf() */
89
#include <stdlib.h> /* realloc(), free(), malloc(),
90
getenv(), EXIT_FAILURE, setenv(),
91
EXIT_SUCCESS, strtof(), strtod(),
92
srand(), mkdtemp(), abort() */
93
#include <string.h> /* strdup(), strcmp(), strlen(),
94
strerror(), strncpy(), strspn(),
95
memcpy(), strrchr(), strchr(),
96
strsignal() */
97
#include <fcntl.h> /* open(), O_RDONLY, O_DIRECTORY,
98
O_PATH, O_CLOEXEC, openat(),
99
O_NOFOLLOW, AT_REMOVEDIR */
100
#include <iso646.h> /* or, and, not */
101
#include <sys/stat.h> /* struct stat, fstat(), fstatat(),
102
S_ISREG(), S_IXUSR, S_IXGRP,
103
S_IXOTH, lstat() */
104
#include <net/if.h> /* IF_NAMESIZE, if_indextoname(),
105
if_nametoindex(), SIOCGIFFLAGS,
106
IFF_LOOPBACK, IFF_POINTOPOINT,
107
IFF_BROADCAST, IFF_NOARP, IFF_UP,
108
IFF_RUNNING, SIOCSIFFLAGS */
109
#include <sysexits.h> /* EX_NOPERM, EX_OSERR,
110
EX_UNAVAILABLE, EX_USAGE */
111
#include <grp.h> /* setgroups() */
95
112
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
96
WEXITSTATUS(), WTERMSIG() */
97
#include <grp.h> /* setgroups() */
98
#include <argz.h> /* argz_add_sep(), argz_next(),
99
argz_delete(), argz_append(),
100
argz_stringify(), argz_add(),
101
argz_count() */
113
WEXITSTATUS(), WIFSIGNALED(),
114
WTERMSIG() */
115
#include <signal.h> /* kill(), SIGTERM, struct sigaction,
116
SIG_DFL, sigemptyset(),
117
sigaddset(), SIGINT, SIGHUP,
118
SIG_IGN, raise() */
119
#include <sys/socket.h> /* struct sockaddr_storage, AF_INET6,
120
PF_INET6, AF_INET, PF_INET,
121
socket(), SOCK_STREAM,
122
SOCK_CLOEXEC, struct sockaddr,
123
connect(), SOCK_DGRAM */
124
#include <argz.h> /* argz_next(), argz_add_sep(),
125
argz_delete(), argz_stringify(),
126
argz_add(), argz_count() */
127
#include <inttypes.h> /* PRIuMAX, uintmax_t, uint32_t,
128
PRIdMAX, PRIu16, intmax_t,
129
strtoimax() */
130
#include <arpa/inet.h> /* inet_pton() */
131
#include <stdint.h> /* uint32_t, intptr_t, uint16_t */
102
132
#include <netdb.h> /* getnameinfo(), NI_NUMERICHOST,
103
133
EAI_SYSTEM, gai_strerror() */
134
#include <sys/ioctl.h> /* ioctl() */
135
#include <dirent.h> /* struct dirent, scandirat(),
136
alphasort(), scandir() */
137
#include <limits.h> /* INT_MAX */
104
138
105
139
#ifdef __linux__
106
140
#include <sys/klog.h> /* klogctl() */
119
153
120
154
/* GnuTLS */
121
155
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
122
functions:
123
gnutls_*
124
init_gnutls_session(),
125
GNUTLS_* */
156
functions: gnutls_*, GNUTLS_* */
157
#if GNUTLS_VERSION_NUMBER < 0x030600
126
158
#include <gnutls/openpgp.h>
127
159
/* gnutls_certificate_set_openpgp_key_file(),
128
160
GNUTLS_OPENPGP_FMT_BASE64 */
161
#elif GNUTLS_VERSION_NUMBER >= 0x030606
162
#include <gnutls/x509.h> /* GNUTLS_PKCS_PLAIN,
163
GNUTLS_PKCS_NULL_PASSWORD */
164
#endif
129
165
130
166
/* GPGME */
131
167
#include <gpgme.h> /* All GPGME types, constants and
132
168
functions:
133
gpgme_*
134
GPGME_PROTOCOL_OpenPGP,
135
GPG_ERR_NO_* */
169
gpgme_*, GPG_ERR_NO_*,
170
GPGME_IMPORT_*
171
GPGME_PROTOCOL_OpenPGP */
136
172
137
173
#define BUFFER_SIZE 256
138
174
139
175
#define PATHDIR "/conf/conf.d/mandos"
140
176
#define SECKEY "seckey.txt"
141
177
#define PUBKEY "pubkey.txt"
178
#define TLS_PRIVKEY "tls-privkey.pem"
179
#define TLS_PUBKEY "tls-pubkey.pem"
142
180
#define HOOKDIR "/lib/mandos/network-hooks.d"
143
181
144
182
bool debug = false;
272
310
return true;
273
311
}
274
312
313
/* Set effective uid to 0, return errno */
314
__attribute__((warn_unused_result))
315
int raise_privileges(void){
316
int old_errno = errno;
317
int ret = 0;
318
if(seteuid(0) == -1){
319
ret = errno;
320
}
321
errno = old_errno;
322
return ret;
323
}
324
325
/* Set effective and real user ID to 0. Return errno. */
326
__attribute__((warn_unused_result))
327
int raise_privileges_permanently(void){
328
int old_errno = errno;
329
int ret = raise_privileges();
330
if(ret != 0){
331
errno = old_errno;
332
return ret;
333
}
334
if(setuid(0) == -1){
335
ret = errno;
336
}
337
errno = old_errno;
338
return ret;
339
}
340
341
/* Set effective user ID to unprivileged saved user ID */
342
__attribute__((warn_unused_result))
343
int lower_privileges(void){
344
int old_errno = errno;
345
int ret = 0;
346
if(seteuid(uid) == -1){
347
ret = errno;
348
}
349
errno = old_errno;
350
return ret;
351
}
352
353
/* Lower privileges permanently */
354
__attribute__((warn_unused_result))
355
int lower_privileges_permanently(void){
356
int old_errno = errno;
357
int ret = 0;
358
if(setuid(uid) == -1){
359
ret = errno;
360
}
361
errno = old_errno;
362
return ret;
363
}
364
275
365
/*
276
366
* Initialize GPGME.
277
367
*/
297
387
return false;
298
388
}
299
389
390
/* Workaround for systems without a real-time clock; see also
391
Debian bug #894495: <https://bugs.debian.org/894495> */
392
do {
393
{
394
time_t currtime = time(NULL);
395
if(currtime != (time_t)-1){
396
struct tm tm;
397
if(gmtime_r(&currtime, &tm) == NULL) {
398
perror_plus("gmtime_r");
399
break;
400
}
401
if(tm.tm_year != 70 or tm.tm_mon != 0){
402
break;
403
}
404
if(debug){
405
fprintf_plus(stderr, "System clock is January 1970");
406
}
407
} else {
408
if(debug){
409
fprintf_plus(stderr, "System clock is invalid");
410
}
411
}
412
}
413
struct stat keystat;
414
ret = fstat(fd, &keystat);
415
if(ret != 0){
416
perror_plus("fstat");
417
break;
418
}
419
ret = raise_privileges();
420
if(ret != 0){
421
errno = ret;
422
perror_plus("Failed to raise privileges");
423
break;
424
}
425
if(debug){
426
fprintf_plus(stderr,
427
"Setting system clock to key file mtime");
428
}
429
if(clock_settime(CLOCK_REALTIME, &keystat.st_mtim) != 0){
430
perror_plus("clock_settime");
431
}
432
ret = lower_privileges();
433
if(ret != 0){
434
errno = ret;
435
perror_plus("Failed to lower privileges");
436
}
437
} while(false);
438
300
439
rc = gpgme_data_new_from_fd(&pgp_data, fd);
301
440
if(rc != GPG_ERR_NO_ERROR){
302
441
fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
310
449
gpgme_strsource(rc), gpgme_strerror(rc));
311
450
return false;
312
451
}
452
{
453
gpgme_import_result_t import_result
454
= gpgme_op_import_result(mc->ctx);
455
if((import_result->imported < 1
456
or import_result->not_imported > 0)
457
and import_result->unchanged == 0){
458
fprintf_plus(stderr, "bad gpgme_op_import_results:\n");
459
fprintf_plus(stderr,
460
"The total number of considered keys: %d\n",
461
import_result->considered);
462
fprintf_plus(stderr,
463
"The number of keys without user ID: %d\n",
464
import_result->no_user_id);
465
fprintf_plus(stderr,
466
"The total number of imported keys: %d\n",
467
import_result->imported);
468
fprintf_plus(stderr, "The number of imported RSA keys: %d\n",
469
import_result->imported_rsa);
470
fprintf_plus(stderr, "The number of unchanged keys: %d\n",
471
import_result->unchanged);
472
fprintf_plus(stderr, "The number of new user IDs: %d\n",
473
import_result->new_user_ids);
474
fprintf_plus(stderr, "The number of new sub keys: %d\n",
475
import_result->new_sub_keys);
476
fprintf_plus(stderr, "The number of new signatures: %d\n",
477
import_result->new_signatures);
478
fprintf_plus(stderr, "The number of new revocations: %d\n",
479
import_result->new_revocations);
480
fprintf_plus(stderr,
481
"The total number of secret keys read: %d\n",
482
import_result->secret_read);
483
fprintf_plus(stderr,
484
"The number of imported secret keys: %d\n",
485
import_result->secret_imported);
486
fprintf_plus(stderr,
487
"The number of unchanged secret keys: %d\n",
488
import_result->secret_unchanged);
489
fprintf_plus(stderr, "The number of keys not imported: %d\n",
490
import_result->not_imported);
491
for(gpgme_import_status_t import_status
492
= import_result->imports;
493
import_status != NULL;
494
import_status = import_status->next){
495
fprintf_plus(stderr, "Import status for key: %s\n",
496
import_status->fpr);
497
if(import_status->result != GPG_ERR_NO_ERROR){
498
fprintf_plus(stderr, "Import result: %s: %s\n",
499
gpgme_strsource(import_status->result),
500
gpgme_strerror(import_status->result));
501
}
502
fprintf_plus(stderr, "Key status:\n");
503
fprintf_plus(stderr,
504
import_status->status & GPGME_IMPORT_NEW
505
? "The key was new.\n"
506
: "The key was not new.\n");
507
fprintf_plus(stderr,
508
import_status->status & GPGME_IMPORT_UID
509
? "The key contained new user IDs.\n"
510
: "The key did not contain new user IDs.\n");
511
fprintf_plus(stderr,
512
import_status->status & GPGME_IMPORT_SIG
513
? "The key contained new signatures.\n"
514
: "The key did not contain new signatures.\n");
515
fprintf_plus(stderr,
516
import_status->status & GPGME_IMPORT_SUBKEY
517
? "The key contained new sub keys.\n"
518
: "The key did not contain new sub keys.\n");
519
fprintf_plus(stderr,
520
import_status->status & GPGME_IMPORT_SECRET
521
? "The key contained a secret key.\n"
522
: "The key did not contain a secret key.\n");
523
}
524
return false;
525
}
526
}
313
527
314
528
ret = close(fd);
315
529
if(ret == -1){
356
570
/* Create new GPGME "context" */
357
571
rc = gpgme_new(&(mc->ctx));
358
572
if(rc != GPG_ERR_NO_ERROR){
359
fprintf_plus(stderr, "Mandos plugin mandos-client: "
360
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
361
gpgme_strerror(rc));
573
fprintf_plus(stderr, "bad gpgme_new: %s: %s\n",
574
gpgme_strsource(rc), gpgme_strerror(rc));
362
575
return false;
363
576
}
364
577
400
613
/* Create new empty GPGME data buffer for the plaintext */
401
614
rc = gpgme_data_new(&dh_plain);
402
615
if(rc != GPG_ERR_NO_ERROR){
403
fprintf_plus(stderr, "Mandos plugin mandos-client: "
404
"bad gpgme_data_new: %s: %s\n",
616
fprintf_plus(stderr, "bad gpgme_data_new: %s: %s\n",
405
617
gpgme_strsource(rc), gpgme_strerror(rc));
406
618
gpgme_data_release(dh_crypto);
407
619
return -1;
420
632
if(result == NULL){
421
633
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
422
634
} else {
423
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
424
result->unsupported_algorithm);
425
fprintf_plus(stderr, "Wrong key usage: %u\n",
426
result->wrong_key_usage);
635
if(result->unsupported_algorithm != NULL) {
636
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
637
result->unsupported_algorithm);
638
}
639
fprintf_plus(stderr, "Wrong key usage: %s\n",
640
result->wrong_key_usage ? "Yes" : "No");
427
641
if(result->file_name != NULL){
428
642
fprintf_plus(stderr, "File name: %s\n", result->file_name);
429
643
}
430
gpgme_recipient_t recipient;
431
recipient = result->recipients;
432
while(recipient != NULL){
644
645
for(gpgme_recipient_t r = result->recipients; r != NULL;
646
r = r->next){
433
647
fprintf_plus(stderr, "Public key algorithm: %s\n",
434
gpgme_pubkey_algo_name
435
(recipient->pubkey_algo));
436
fprintf_plus(stderr, "Key ID: %s\n", recipient->keyid);
648
gpgme_pubkey_algo_name(r->pubkey_algo));
649
fprintf_plus(stderr, "Key ID: %s\n", r->keyid);
437
650
fprintf_plus(stderr, "Secret key available: %s\n",
438
recipient->status == GPG_ERR_NO_SECKEY
439
? "No" : "Yes");
440
recipient = recipient->next;
651
r->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
441
652
}
442
653
}
443
654
}
525
736
const char *dhparamsfilename,
526
737
mandos_context *mc){
527
738
int ret;
528
unsigned int uret;
529
739
530
740
if(debug){
531
741
fprintf_plus(stderr, "Initializing GnuTLS\n");
548
758
}
549
759
550
760
if(debug){
551
fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
552
" secret key %s as GnuTLS credentials\n",
761
fprintf_plus(stderr, "Attempting to use public key %s and"
762
" private key %s as GnuTLS credentials\n",
553
763
pubkeyfilename,
554
764
seckeyfilename);
555
765
}
556
766
767
#if GNUTLS_VERSION_NUMBER >= 0x030606
768
ret = gnutls_certificate_set_rawpk_key_file
769
(mc->cred, pubkeyfilename, seckeyfilename,
770
GNUTLS_X509_FMT_PEM, /* format */
771
NULL, /* pass */
772
/* key_usage */
773
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
774
NULL, /* names */
775
0, /* names_length */
776
/* privkey_flags */
777
GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,
778
0); /* pkcs11_flags */
779
#elif GNUTLS_VERSION_NUMBER < 0x030600
557
780
ret = gnutls_certificate_set_openpgp_key_file
558
781
(mc->cred, pubkeyfilename, seckeyfilename,
559
782
GNUTLS_OPENPGP_FMT_BASE64);
783
#else
784
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
785
#endif
560
786
if(ret != GNUTLS_E_SUCCESS){
561
787
fprintf_plus(stderr,
562
"Error[%d] while reading the OpenPGP key pair ('%s',"
788
"Error[%d] while reading the key pair ('%s',"
563
789
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
564
790
fprintf_plus(stderr, "The GnuTLS error is: %s\n",
565
791
safer_gnutls_strerror(ret));
613
839
}
614
840
params.size += (unsigned int)bytes_read;
615
841
}
842
ret = close(dhpfile);
843
if(ret == -1){
844
perror_plus("close");
845
}
616
846
if(params.data == NULL){
617
847
dhparamsfilename = NULL;
618
848
}
632
862
}
633
863
if(dhparamsfilename == NULL){
634
864
if(mc->dh_bits == 0){
865
#if GNUTLS_VERSION_NUMBER < 0x030600
635
866
/* Find out the optimal number of DH bits */
636
867
/* Try to read the private key file */
637
868
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
717
948
}
718
949
}
719
950
}
720
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
951
unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
721
952
if(uret != 0){
722
953
mc->dh_bits = uret;
723
954
if(debug){
735
966
safer_gnutls_strerror(ret));
736
967
goto globalfail;
737
968
}
738
} else if(debug){
739
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
740
mc->dh_bits);
741
}
742
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
743
if(ret != GNUTLS_E_SUCCESS){
744
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
745
" bits): %s\n", mc->dh_bits,
746
safer_gnutls_strerror(ret));
747
goto globalfail;
969
#endif
970
} else { /* dh_bits != 0 */
971
if(debug){
972
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
973
mc->dh_bits);
974
}
975
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
976
if(ret != GNUTLS_E_SUCCESS){
977
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
978
" bits): %s\n", mc->dh_bits,
979
safer_gnutls_strerror(ret));
980
goto globalfail;
981
}
982
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
748
983
}
749
984
}
750
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
751
985
752
986
return 0;
753
987
764
998
int ret;
765
999
/* GnuTLS session creation */
766
1000
do {
767
ret = gnutls_init(session, GNUTLS_SERVER);
1001
ret = gnutls_init(session, (GNUTLS_SERVER
1002
#if GNUTLS_VERSION_NUMBER >= 0x030506
1003
| GNUTLS_NO_TICKETS
1004
#endif
1005
#if GNUTLS_VERSION_NUMBER >= 0x030606
1006
| GNUTLS_ENABLE_RAWPK
1007
#endif
1008
));
768
1009
if(quit_now){
769
1010
return -1;
770
1011
}
818
1059
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
819
1060
__attribute__((unused)) const char *txt){}
820
1061
821
/* Set effective uid to 0, return errno */
822
__attribute__((warn_unused_result))
823
int raise_privileges(void){
824
int old_errno = errno;
825
int ret = 0;
826
if(seteuid(0) == -1){
827
ret = errno;
828
}
829
errno = old_errno;
830
return ret;
831
}
832
833
/* Set effective and real user ID to 0. Return errno. */
834
__attribute__((warn_unused_result))
835
int raise_privileges_permanently(void){
836
int old_errno = errno;
837
int ret = raise_privileges();
838
if(ret != 0){
839
errno = old_errno;
840
return ret;
841
}
842
if(setuid(0) == -1){
843
ret = errno;
844
}
845
errno = old_errno;
846
return ret;
847
}
848
849
/* Set effective user ID to unprivileged saved user ID */
850
__attribute__((warn_unused_result))
851
int lower_privileges(void){
852
int old_errno = errno;
853
int ret = 0;
854
if(seteuid(uid) == -1){
855
ret = errno;
856
}
857
errno = old_errno;
858
return ret;
859
}
860
861
/* Lower privileges permanently */
862
__attribute__((warn_unused_result))
863
int lower_privileges_permanently(void){
864
int old_errno = errno;
865
int ret = 0;
866
if(setuid(uid) == -1){
867
ret = errno;
868
}
869
errno = old_errno;
870
return ret;
871
}
872
873
1062
/* Helper function to add_local_route() and delete_local_route() */
874
1063
__attribute__((nonnull, warn_unused_result))
875
1064
static bool add_delete_local_route(const bool add,
914
1103
ret = setgid(0);
915
1104
if(ret == -1){
916
1105
perror_plus("setgid");
1106
close(devnull);
917
1107
_exit(EX_NOPERM);
918
1108
}
919
1109
/* Reset supplementary groups */
921
1111
ret = setgroups(0, NULL);
922
1112
if(ret == -1){
923
1113
perror_plus("setgroups");
1114
close(devnull);
924
1115
_exit(EX_NOPERM);
925
1116
}
926
1117
}
927
1118
ret = dup2(devnull, STDIN_FILENO);
928
1119
if(ret == -1){
929
1120
perror_plus("dup2(devnull, STDIN_FILENO)");
1121
close(devnull);
930
1122
_exit(EX_OSERR);
931
1123
}
932
1124
ret = close(devnull);
933
1125
if(ret == -1){
934
1126
perror_plus("close");
935
_exit(EX_OSERR);
936
1127
}
937
1128
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
938
1129
if(ret == -1){
973
1164
}
974
1165
if(pid == -1){
975
1166
perror_plus("fork");
1167
close(devnull);
976
1168
return false;
977
1169
}
1170
ret = close(devnull);
1171
if(ret == -1){
1172
perror_plus("close");
1173
}
978
1174
int status;
979
1175
pid_t pret = -1;
980
1176
errno = 0;
1655
1851
perror_plus("ioctl SIOCGIFFLAGS");
1656
1852
errno = old_errno;
1657
1853
}
1854
if((close(s) == -1) and debug){
1855
old_errno = errno;
1856
perror_plus("close");
1857
errno = old_errno;
1858
}
1658
1859
return false;
1659
1860
}
1861
if((close(s) == -1) and debug){
1862
old_errno = errno;
1863
perror_plus("close");
1864
errno = old_errno;
1865
}
1660
1866
return true;
1661
1867
}
1662
1868
1923
2129
return;
1924
2130
}
1925
2131
}
2132
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
2133
if(devnull == -1){
2134
perror_plus("open(\"/dev/null\", O_RDONLY)");
2135
return;
2136
}
1926
2137
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1927
2138
runnable_hook, alphasort);
1928
2139
if(numhooks == -1){
1929
2140
perror_plus("scandir");
2141
close(devnull);
1930
2142
return;
1931
2143
}
1932
2144
struct dirent *direntry;
1933
2145
int ret;
1934
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
1935
if(devnull == -1){
1936
perror_plus("open(\"/dev/null\", O_RDONLY)");
1937
return;
1938
}
1939
2146
for(int i = 0; i < numhooks; i++){
1940
2147
direntry = direntries[i];
1941
2148
if(debug){
2290
2497
2291
2498
int main(int argc, char *argv[]){
2292
2499
mandos_context mc = { .server = NULL, .dh_bits = 0,
2500
#if GNUTLS_VERSION_NUMBER >= 0x030606
2501
.priority = "SECURE128:!CTYPE-X.509"
2502
":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"
2503
":%PROFILE_ULTRA",
2504
#elif GNUTLS_VERSION_NUMBER < 0x030600
2293
2505
.priority = "SECURE256:!CTYPE-X.509"
2294
2506
":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
2507
#else
2508
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
2509
#endif
2295
2510
.current_server = NULL, .interfaces = NULL,
2296
2511
.interfaces_size = 0 };
2297
2512
AvahiSServiceBrowser *sb = NULL;
2308
2523
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2309
2524
const char *seckey = PATHDIR "/" SECKEY;
2310
2525
const char *pubkey = PATHDIR "/" PUBKEY;
2526
#if GNUTLS_VERSION_NUMBER >= 0x030606
2527
const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;
2528
const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;
2529
#endif
2311
2530
const char *dh_params_file = NULL;
2312
2531
char *interfaces_hooks = NULL;
2313
2532
2361
2580
{ .name = "pubkey", .key = 'p',
2362
2581
.arg = "FILE",
2363
2582
.doc = "OpenPGP public key file base name",
2364
.group = 2 },
2583
.group = 1 },
2584
{ .name = "tls-privkey", .key = 't',
2585
.arg = "FILE",
2586
#if GNUTLS_VERSION_NUMBER >= 0x030606
2587
.doc = "TLS private key file base name",
2588
#else
2589
.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
2590
#endif
2591
.group = 1 },
2592
{ .name = "tls-pubkey", .key = 'T',
2593
.arg = "FILE",
2594
#if GNUTLS_VERSION_NUMBER >= 0x030606
2595
.doc = "TLS public key file base name",
2596
#else
2597
.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
2598
#endif
2599
.group = 1 },
2365
2600
{ .name = "dh-bits", .key = 129,
2366
2601
.arg = "BITS",
2367
2602
.doc = "Bit length of the prime number used in the"
2423
2658
case 'p': /* --pubkey */
2424
2659
pubkey = arg;
2425
2660
break;
2661
case 't': /* --tls-privkey */
2662
#if GNUTLS_VERSION_NUMBER >= 0x030606
2663
tls_privkey = arg;
2664
#endif
2665
break;
2666
case 'T': /* --tls-pubkey */
2667
#if GNUTLS_VERSION_NUMBER >= 0x030606
2668
tls_pubkey = arg;
2669
#endif
2670
break;
2426
2671
case 129: /* --dh-bits */
2427
2672
errno = 0;
2428
2673
tmpmax = strtoimax(arg, &tmp, 10);
2463
2708
argp_state_help(state, state->out_stream,
2464
2709
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
2465
2710
& ~(unsigned int)ARGP_HELP_EXIT_OK);
2711
__builtin_unreachable();
2466
2712
case -3: /* --usage */
2467
2713
argp_state_help(state, state->out_stream,
2468
2714
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
2715
__builtin_unreachable();
2469
2716
case 'V': /* --version */
2470
2717
fprintf_plus(state->out_stream, "%s\n", argp_program_version);
2471
2718
exit(argp_err_exit_status);
2498
2745
}
2499
2746
2500
2747
{
2501
/* Work around Debian bug #633582:
2502
<https://bugs.debian.org/633582> */
2503
2504
2748
/* Re-raise privileges */
2505
2749
ret = raise_privileges();
2506
2750
if(ret != 0){
2509
2753
} else {
2510
2754
struct stat st;
2511
2755
2756
/* Work around Debian bug #633582:
2757
<https://bugs.debian.org/633582> */
2758
2512
2759
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
2513
2760
int seckey_fd = open(seckey, O_RDONLY);
2514
2761
if(seckey_fd == -1){
2573
2820
}
2574
2821
}
2575
2822
2823
/* Work around Debian bug #981302
2824
<https://bugs.debian.org/981302> */
2825
if(lstat("/dev/fd", &st) != 0 and errno == ENOENT){
2826
ret = symlink("/proc/self/fd", "/dev/fd");
2827
if(ret == -1){
2828
perror_plus("Failed to create /dev/fd symlink");
2829
}
2830
}
2831
2576
2832
/* Lower privileges */
2577
2833
ret = lower_privileges();
2578
2834
if(ret != 0){
2782
3038
goto end;
2783
3039
}
2784
3040
3041
#if GNUTLS_VERSION_NUMBER >= 0x030606
3042
ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);
3043
#elif GNUTLS_VERSION_NUMBER < 0x030600
2785
3044
ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
3045
#else
3046
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
3047
#endif
2786
3048
if(ret == -1){
2787
3049
fprintf_plus(stderr, "init_gnutls_global failed\n");
2788
3050
exitcode = EX_UNAVAILABLE;
3061
3323
| O_PATH));
3062
3324
if(dir_fd == -1){
3063
3325
perror_plus("open");
3326
return;
3064
3327
}
3065
3328
int numentries = scandirat(dir_fd, ".", &direntries,
3066
3329
notdotentries, alphasort);
3083
3346
clean_dir_at(dir_fd, direntries[i]->d_name, level+1);
3084
3347
dret = 0;
3085
3348
}
3086
if(dret == -1){
3349
if((dret == -1) and (errno != ENOENT)){
3087
3350
fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,
3088
3351
direntries[i]->d_name, strerror(errno));
3089
3352
}
3093
3356
3094
3357
/* need to clean even if 0 because man page doesn't specify */
3095
3358
free(direntries);
3096
if(numentries == -1){
3097
perror_plus("scandirat");
3098
}
3099
3359
dret = unlinkat(base, dirname, AT_REMOVEDIR);
3100
3360
if(dret == -1 and errno != ENOENT){
3101
3361
perror_plus("rmdir");
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0