To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.28
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.28
- Committer: Teddy Hogeborn
- Date: 2009-09-17 13:18:08 UTC
- mto: (24.1.170 mandos) (237.4.29 release)
- mto: This revision was merged to the branch mainline in revision 419.
- Revision ID: teddy@fukt.bsnet.se-20090917131808-wdn07kozk4wgnt4m
Tags: version-1.0.12-1
* Makefile (version): Changed to "1.0.12".
* NEWS (Version 1.0.12): New entry.
* debian/changelog (1.0.12-1): - '' -
* NEWS (Version 1.0.12): New entry.
* debian/changelog (1.0.12-1): - '' -
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
44
44
#include <stdint.h> /* uint16_t, uint32_t */
45
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
47
srand(), strtof(), abort() */
48
48
#include <stdbool.h> /* bool, false, true */
49
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
50
strerror(), asprintf(), strcpy() */
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
78
78
#include <argp.h> /* struct argp_option, error_t, struct
80
80
argp_parse(), ARGP_KEY_ARG,
81
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sigaction,
84
sig_atomic_t */
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
85
86
86
#ifdef __linux__
87
87
#include <sys/klog.h> /* klogctl() */
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
145
148
/*
146
149
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
150
* bytes. "buffer_capacity" is how much is currently allocated,
164
167
*/
165
168
static bool init_gpgme(const char *seckey,
166
169
const char *pubkey, const char *tempdir){
167
int ret;
168
170
gpgme_error_t rc;
169
171
gpgme_engine_info_t engine_info;
170
172
173
175
* Helper function to insert pub and seckey to the engine keyring.
174
176
*/
175
177
bool import_key(const char *filename){
178
int ret;
176
179
int fd;
177
180
gpgme_data_t pgp_data;
178
181
249
252
return false;
250
253
}
251
254
252
return true;
255
return true;
253
256
}
254
257
255
258
/*
474
477
static int init_gnutls_session(gnutls_session_t *session){
475
478
int ret;
476
479
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
478
486
if(ret != GNUTLS_E_SUCCESS){
479
487
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
488
safer_gnutls_strerror(ret));
482
490
483
491
{
484
492
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
486
500
if(ret != GNUTLS_E_SUCCESS){
487
501
fprintf(stderr, "Syntax error at: %s\n", err);
488
502
fprintf(stderr, "GnuTLS error: %s\n",
492
506
}
493
507
}
494
508
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
497
517
if(ret != GNUTLS_E_SUCCESS){
498
518
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
499
519
safer_gnutls_strerror(ret));
502
522
}
503
523
504
524
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
507
526
508
527
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
509
528
518
537
static int start_mandos_communication(const char *ip, uint16_t port,
519
538
AvahiIfIndex if_index,
520
539
int af){
521
int ret, tcp_sd;
540
int ret, tcp_sd = -1;
522
541
ssize_t sret;
523
542
union {
524
543
struct sockaddr_in in;
525
544
struct sockaddr_in6 in6;
526
545
} to;
527
546
char *buffer = NULL;
528
char *decrypted_buffer;
547
char *decrypted_buffer = NULL;
529
548
size_t buffer_length = 0;
530
549
size_t buffer_capacity = 0;
531
ssize_t decrypted_buffer_size;
532
550
size_t written;
533
int retval = 0;
551
int retval = -1;
534
552
gnutls_session_t session;
535
553
int pf; /* Protocol family */
536
554
555
if(quit_now){
556
return -1;
557
}
558
537
559
switch(af){
538
560
case AF_INET6:
539
561
pf = PF_INET6;
559
581
tcp_sd = socket(pf, SOCK_STREAM, 0);
560
582
if(tcp_sd < 0){
561
583
perror("socket");
562
return -1;
584
goto mandos_end;
585
}
586
587
if(quit_now){
588
goto mandos_end;
563
589
}
564
590
565
591
memset(&to, 0, sizeof(to));
572
598
}
573
599
if(ret < 0 ){
574
600
perror("inet_pton");
575
return -1;
601
goto mandos_end;
576
602
}
577
603
if(ret == 0){
578
604
fprintf(stderr, "Bad address: %s\n", ip);
579
return -1;
605
goto mandos_end;
580
606
}
581
607
if(af == AF_INET6){
582
608
to.in6.sin6_port = htons(port); /* Spurious warnings from
589
615
if(if_index == AVAHI_IF_UNSPEC){
590
616
fprintf(stderr, "An IPv6 link-local address is incomplete"
591
617
" without a network interface\n");
592
return -1;
618
goto mandos_end;
593
619
}
594
620
/* Set the network interface number as scope */
595
621
to.in6.sin6_scope_id = (uint32_t)if_index;
600
626
-Wunreachable-code */
601
627
}
602
628
629
if(quit_now){
630
goto mandos_end;
631
}
632
603
633
if(debug){
604
634
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
605
635
char interface[IF_NAMESIZE];
632
662
}
633
663
}
634
664
665
if(quit_now){
666
goto mandos_end;
667
}
668
635
669
if(af == AF_INET6){
636
670
ret = connect(tcp_sd, &to.in6, sizeof(to));
637
671
} else {
639
673
}
640
674
if(ret < 0){
641
675
perror("connect");
642
return -1;
676
goto mandos_end;
677
}
678
679
if(quit_now){
680
goto mandos_end;
643
681
}
644
682
645
683
const char *out = mandos_protocol_version;
650
688
out_size - written));
651
689
if(ret == -1){
652
690
perror("write");
653
retval = -1;
654
691
goto mandos_end;
655
692
}
656
693
written += (size_t)ret;
664
701
break;
665
702
}
666
703
}
704
705
if(quit_now){
706
goto mandos_end;
707
}
667
708
}
668
709
669
710
if(debug){
670
711
fprintf(stderr, "Establishing TLS session with %s\n", ip);
671
712
}
672
713
714
if(quit_now){
715
goto mandos_end;
716
}
717
673
718
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
674
719
675
do{
720
if(quit_now){
721
goto mandos_end;
722
}
723
724
do {
676
725
ret = gnutls_handshake(session);
726
if(quit_now){
727
goto mandos_end;
728
}
677
729
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
678
730
679
731
if(ret != GNUTLS_E_SUCCESS){
681
733
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
682
734
gnutls_perror(ret);
683
735
}
684
retval = -1;
685
736
goto mandos_end;
686
737
}
687
738
693
744
}
694
745
695
746
while(true){
747
748
if(quit_now){
749
goto mandos_end;
750
}
751
696
752
buffer_capacity = incbuffer(&buffer, buffer_length,
697
753
buffer_capacity);
698
754
if(buffer_capacity == 0){
699
755
perror("incbuffer");
700
retval = -1;
756
goto mandos_end;
757
}
758
759
if(quit_now){
701
760
goto mandos_end;
702
761
}
703
762
712
771
case GNUTLS_E_AGAIN:
713
772
break;
714
773
case GNUTLS_E_REHANDSHAKE:
715
do{
774
do {
716
775
ret = gnutls_handshake(session);
776
777
if(quit_now){
778
goto mandos_end;
779
}
717
780
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
718
781
if(ret < 0){
719
782
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
720
783
gnutls_perror(ret);
721
retval = -1;
722
784
goto mandos_end;
723
785
}
724
786
break;
725
787
default:
726
788
fprintf(stderr, "Unknown error while reading data from"
727
789
" encrypted session with Mandos server\n");
728
retval = -1;
729
790
gnutls_bye(session, GNUTLS_SHUT_RDWR);
730
791
goto mandos_end;
731
792
}
738
799
fprintf(stderr, "Closing TLS session\n");
739
800
}
740
801
741
gnutls_bye(session, GNUTLS_SHUT_RDWR);
802
if(quit_now){
803
goto mandos_end;
804
}
805
806
do {
807
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
808
if(quit_now){
809
goto mandos_end;
810
}
811
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
742
812
743
813
if(buffer_length > 0){
814
ssize_t decrypted_buffer_size;
744
815
decrypted_buffer_size = pgp_packet_decrypt(buffer,
745
816
buffer_length,
746
817
&decrypted_buffer);
747
818
if(decrypted_buffer_size >= 0){
819
748
820
written = 0;
749
821
while(written < (size_t) decrypted_buffer_size){
822
if(quit_now){
823
goto mandos_end;
824
}
825
750
826
ret = (int)fwrite(decrypted_buffer + written, 1,
751
827
(size_t)decrypted_buffer_size - written,
752
828
stdout);
755
831
fprintf(stderr, "Error writing encrypted data: %s\n",
756
832
strerror(errno));
757
833
}
758
retval = -1;
759
break;
834
goto mandos_end;
760
835
}
761
836
written += (size_t)ret;
762
837
}
763
free(decrypted_buffer);
764
} else {
765
retval = -1;
838
retval = 0;
766
839
}
767
} else {
768
retval = -1;
769
840
}
770
841
771
842
/* Shutdown procedure */
772
843
773
844
mandos_end:
845
free(decrypted_buffer);
774
846
free(buffer);
775
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
847
if(tcp_sd >= 0){
848
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
849
}
776
850
if(ret == -1){
777
851
perror("close");
778
852
}
779
853
gnutls_deinit(session);
854
if(quit_now){
855
retval = -1;
856
}
780
857
return retval;
781
858
}
782
859
783
sig_atomic_t quit_now = 0;
784
785
860
static void resolve_callback(AvahiSServiceResolver *r,
786
861
AvahiIfIndex interface,
787
862
AvahiProtocol proto,
847
922
/* Called whenever a new services becomes available on the LAN or
848
923
is removed from the LAN */
849
924
925
if(quit_now){
926
return;
927
}
928
850
929
switch(event){
851
930
default:
852
931
case AVAHI_BROWSER_FAILURE:
882
961
}
883
962
884
963
/* stop main loop after sigterm has been called */
885
static void handle_sigterm(__attribute__((unused)) int sig){
964
static void handle_sigterm(int sig){
886
965
if(quit_now){
887
966
return;
888
967
}
889
968
quit_now = 1;
969
signal_received = sig;
890
970
int old_errno = errno;
891
971
if(mc.simple_poll != NULL){
892
972
avahi_simple_poll_quit(mc.simple_poll);
918
998
bool gpgme_initialized = false;
919
999
float delay = 2.5f;
920
1000
921
struct sigaction old_sigterm_action;
1001
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
922
1002
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
923
1003
1004
uid = getuid();
1005
gid = getgid();
1006
1007
/* Lower any group privileges we might have, just to be safe */
1008
errno = 0;
1009
ret = setgid(gid);
1010
if(ret == -1){
1011
perror("setgid");
1012
}
1013
1014
/* Lower user privileges (temporarily) */
1015
errno = 0;
1016
ret = seteuid(uid);
1017
if(ret == -1){
1018
perror("seteuid");
1019
}
1020
1021
if(quit_now){
1022
goto end;
1023
}
1024
924
1025
{
925
1026
struct argp_option options[] = {
926
1027
{ .name = "debug", .key = 128,
1053
1154
exitcode = EXIT_FAILURE;
1054
1155
goto end;
1055
1156
}
1056
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1057
if(ret == -1){
1058
perror("sigaction");
1059
exitcode = EXIT_FAILURE;
1060
goto end;
1061
}
1157
/* Need to check if the handler is SIG_IGN before handling:
1158
| [[info:libc:Initial Signal Actions]] |
1159
| [[info:libc:Basic Signal Handling]] |
1160
*/
1161
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1162
if(ret == -1){
1163
perror("sigaction");
1164
return EXIT_FAILURE;
1165
}
1166
if(old_sigterm_action.sa_handler != SIG_IGN){
1167
ret = sigaction(SIGINT, &sigterm_action, NULL);
1168
if(ret == -1){
1169
perror("sigaction");
1170
exitcode = EXIT_FAILURE;
1171
goto end;
1172
}
1173
}
1174
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1175
if(ret == -1){
1176
perror("sigaction");
1177
return EXIT_FAILURE;
1178
}
1179
if(old_sigterm_action.sa_handler != SIG_IGN){
1180
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1181
if(ret == -1){
1182
perror("sigaction");
1183
exitcode = EXIT_FAILURE;
1184
goto end;
1185
}
1186
}
1187
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1188
if(ret == -1){
1189
perror("sigaction");
1190
return EXIT_FAILURE;
1191
}
1192
if(old_sigterm_action.sa_handler != SIG_IGN){
1193
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1194
if(ret == -1){
1195
perror("sigaction");
1196
exitcode = EXIT_FAILURE;
1197
goto end;
1198
}
1199
}
1062
1200
1063
1201
/* If the interface is down, bring it up */
1064
1202
if(interface[0] != '\0'){
1073
1211
goto end;
1074
1212
}
1075
1213
1214
/* Re-raise priviliges */
1215
errno = 0;
1216
ret = seteuid(0);
1217
if(ret == -1){
1218
perror("seteuid");
1219
}
1220
1076
1221
#ifdef __linux__
1077
1222
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1078
1223
messages to mess up the prompt */
1096
1241
}
1097
1242
}
1098
1243
#endif /* __linux__ */
1244
/* Lower privileges */
1245
errno = 0;
1246
ret = seteuid(uid);
1247
if(ret == -1){
1248
perror("seteuid");
1249
}
1099
1250
goto end;
1100
1251
}
1101
1252
strcpy(network.ifr_name, interface);
1111
1262
}
1112
1263
#endif /* __linux__ */
1113
1264
exitcode = EXIT_FAILURE;
1265
/* Lower privileges */
1266
errno = 0;
1267
ret = seteuid(uid);
1268
if(ret == -1){
1269
perror("seteuid");
1270
}
1114
1271
goto end;
1115
1272
}
1116
1273
if((network.ifr_flags & IFF_UP) == 0){
1129
1286
}
1130
1287
}
1131
1288
#endif /* __linux__ */
1289
/* Lower privileges */
1290
errno = 0;
1291
ret = seteuid(uid);
1292
if(ret == -1){
1293
perror("seteuid");
1294
}
1132
1295
goto end;
1133
1296
}
1134
1297
}
1162
1325
}
1163
1326
}
1164
1327
#endif /* __linux__ */
1165
}
1166
1167
if(quit_now){
1168
goto end;
1169
}
1170
1171
uid = getuid();
1172
gid = getgid();
1173
1174
errno = 0;
1175
setgid(gid);
1176
if(ret == -1){
1177
perror("setgid");
1178
}
1179
1180
ret = setuid(uid);
1181
if(ret == -1){
1182
perror("setuid");
1328
/* Lower privileges */
1329
errno = 0;
1330
if(take_down_interface){
1331
/* Lower privileges */
1332
ret = seteuid(uid);
1333
if(ret == -1){
1334
perror("seteuid");
1335
}
1336
} else {
1337
/* Lower privileges permanently */
1338
ret = setuid(uid);
1339
if(ret == -1){
1340
perror("setuid");
1341
}
1342
}
1183
1343
}
1184
1344
1185
1345
if(quit_now){
1359
1519
1360
1520
/* Take down the network interface */
1361
1521
if(take_down_interface){
1362
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1522
/* Re-raise priviliges */
1523
errno = 0;
1524
ret = seteuid(0);
1363
1525
if(ret == -1){
1364
perror("ioctl SIOCGIFFLAGS");
1365
} else if(network.ifr_flags & IFF_UP) {
1366
network.ifr_flags &= ~IFF_UP; /* clear flag */
1367
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1368
if(ret == -1){
1369
perror("ioctl SIOCSIFFLAGS");
1370
}
1526
perror("seteuid");
1371
1527
}
1372
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1373
if(ret == -1){
1374
perror("close");
1528
if(geteuid() == 0){
1529
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1530
if(ret == -1){
1531
perror("ioctl SIOCGIFFLAGS");
1532
} else if(network.ifr_flags & IFF_UP) {
1533
network.ifr_flags &= ~IFF_UP; /* clear flag */
1534
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1535
if(ret == -1){
1536
perror("ioctl SIOCSIFFLAGS");
1537
}
1538
}
1539
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1540
if(ret == -1){
1541
perror("close");
1542
}
1543
/* Lower privileges permanently */
1544
errno = 0;
1545
ret = setuid(uid);
1546
if(ret == -1){
1547
perror("setuid");
1548
}
1375
1549
}
1376
1550
}
1377
1551
1419
1593
}
1420
1594
}
1421
1595
1596
if(quit_now){
1597
sigemptyset(&old_sigterm_action.sa_mask);
1598
old_sigterm_action.sa_handler = SIG_DFL;
1599
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1600
&old_sigterm_action,
1601
NULL));
1602
if(ret == -1){
1603
perror("sigaction");
1604
}
1605
do {
1606
ret = raise(signal_received);
1607
} while(ret != 0 and errno == EINTR);
1608
if(ret != 0){
1609
perror("raise");
1610
abort();
1611
}
1612
TEMP_FAILURE_RETRY(pause());
1613
}
1614
1422
1615
return exitcode;
1423
1616
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0