To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 24.1.141
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.141
- Committer: Björn Påhlsson
- Date: 2009-09-21 13:13:47 UTC
- mfrom: (364 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 415.
- Revision ID: belorn@braxen-20090921131347-mhuf1qnwavhyd6l1
fixed incorrect include comments
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
44
44
#include <stdint.h> /* uint16_t, uint32_t */
45
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof(), abort() */
47
srand(), strtof() */
48
48
#include <stdbool.h> /* bool, false, true */
49
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
50
strerror(), asprintf(), strcpy() */
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
74
getuid(), getgid(), setuid(),
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
78
78
#include <argp.h> /* struct argp_option, error_t, struct
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
148
145
/*
149
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
150
147
* bytes. "buffer_capacity" is how much is currently allocated,
477
474
static int init_gnutls_session(gnutls_session_t *session){
478
475
int ret;
479
476
/* GnuTLS session creation */
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
477
ret = gnutls_init(session, GNUTLS_SERVER);
486
478
if(ret != GNUTLS_E_SUCCESS){
487
479
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
488
480
safer_gnutls_strerror(ret));
490
482
491
483
{
492
484
const char *err;
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
500
486
if(ret != GNUTLS_E_SUCCESS){
501
487
fprintf(stderr, "Syntax error at: %s\n", err);
502
488
fprintf(stderr, "GnuTLS error: %s\n",
506
492
}
507
493
}
508
494
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
517
497
if(ret != GNUTLS_E_SUCCESS){
518
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
519
499
safer_gnutls_strerror(ret));
522
502
}
523
503
524
504
/* ignore client certificate if any. */
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
526
507
527
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
528
509
533
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
534
515
__attribute__((unused)) const char *txt){}
535
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
536
520
/* Called when a Mandos server is found */
537
521
static int start_mandos_communication(const char *ip, uint16_t port,
538
522
AvahiIfIndex if_index,
544
528
struct sockaddr_in6 in6;
545
529
} to;
546
530
char *buffer = NULL;
547
char *decrypted_buffer = NULL;
531
char *decrypted_buffer;
548
532
size_t buffer_length = 0;
549
533
size_t buffer_capacity = 0;
550
534
size_t written;
551
int retval = -1;
535
int retval = 0;
552
536
gnutls_session_t session;
553
537
int pf; /* Protocol family */
554
538
581
565
tcp_sd = socket(pf, SOCK_STREAM, 0);
582
566
if(tcp_sd < 0){
583
567
perror("socket");
568
retval = -1;
584
569
goto mandos_end;
585
570
}
586
571
598
583
}
599
584
if(ret < 0 ){
600
585
perror("inet_pton");
586
retval = -1;
601
587
goto mandos_end;
602
588
}
603
589
if(ret == 0){
604
590
fprintf(stderr, "Bad address: %s\n", ip);
591
retval = -1;
605
592
goto mandos_end;
606
593
}
607
594
if(af == AF_INET6){
615
602
if(if_index == AVAHI_IF_UNSPEC){
616
603
fprintf(stderr, "An IPv6 link-local address is incomplete"
617
604
" without a network interface\n");
605
retval = -1;
618
606
goto mandos_end;
619
607
}
620
608
/* Set the network interface number as scope */
673
661
}
674
662
if(ret < 0){
675
663
perror("connect");
664
retval = -1;
676
665
goto mandos_end;
677
666
}
678
667
688
677
out_size - written));
689
678
if(ret == -1){
690
679
perror("write");
680
retval = -1;
691
681
goto mandos_end;
692
682
}
693
683
written += (size_t)ret;
733
723
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
734
724
gnutls_perror(ret);
735
725
}
726
retval = -1;
736
727
goto mandos_end;
737
728
}
738
729
753
744
buffer_capacity);
754
745
if(buffer_capacity == 0){
755
746
perror("incbuffer");
747
retval = -1;
756
748
goto mandos_end;
757
749
}
758
750
781
773
if(ret < 0){
782
774
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
783
775
gnutls_perror(ret);
776
retval = -1;
784
777
goto mandos_end;
785
778
}
786
779
break;
787
780
default:
788
781
fprintf(stderr, "Unknown error while reading data from"
789
782
" encrypted session with Mandos server\n");
783
retval = -1;
790
784
gnutls_bye(session, GNUTLS_SHUT_RDWR);
791
785
goto mandos_end;
792
786
}
803
797
goto mandos_end;
804
798
}
805
799
806
do {
807
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
808
if(quit_now){
809
goto mandos_end;
810
}
811
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
800
gnutls_bye(session, GNUTLS_SHUT_RDWR);
801
802
if(quit_now){
803
goto mandos_end;
804
}
812
805
813
806
if(buffer_length > 0){
814
807
ssize_t decrypted_buffer_size;
831
824
fprintf(stderr, "Error writing encrypted data: %s\n",
832
825
strerror(errno));
833
826
}
834
goto mandos_end;
827
retval = -1;
828
break;
835
829
}
836
830
written += (size_t)ret;
837
831
}
838
retval = 0;
832
free(decrypted_buffer);
833
} else {
834
retval = -1;
839
835
}
836
} else {
837
retval = -1;
840
838
}
841
839
842
840
/* Shutdown procedure */
843
841
844
842
mandos_end:
845
free(decrypted_buffer);
846
843
free(buffer);
847
844
if(tcp_sd >= 0){
848
845
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
998
995
bool gpgme_initialized = false;
999
996
float delay = 2.5f;
1000
997
1001
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
998
struct sigaction old_sigterm_action;
1002
999
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1003
1000
1004
uid = getuid();
1005
gid = getgid();
1006
1007
/* Lower any group privileges we might have, just to be safe */
1008
errno = 0;
1009
ret = setgid(gid);
1010
if(ret == -1){
1011
perror("setgid");
1012
}
1013
1014
/* Lower user privileges (temporarily) */
1015
errno = 0;
1016
ret = seteuid(uid);
1017
if(ret == -1){
1018
perror("seteuid");
1019
}
1020
1021
if(quit_now){
1022
goto end;
1023
}
1024
1025
1001
{
1026
1002
struct argp_option options[] = {
1027
1003
{ .name = "debug", .key = 128,
1211
1187
goto end;
1212
1188
}
1213
1189
1214
/* Re-raise priviliges */
1215
errno = 0;
1216
ret = seteuid(0);
1217
if(ret == -1){
1218
perror("seteuid");
1219
}
1220
1221
1190
#ifdef __linux__
1222
1191
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1223
1192
messages to mess up the prompt */
1241
1210
}
1242
1211
}
1243
1212
#endif /* __linux__ */
1244
/* Lower privileges */
1245
errno = 0;
1246
ret = seteuid(uid);
1247
if(ret == -1){
1248
perror("seteuid");
1249
}
1250
1213
goto end;
1251
1214
}
1252
1215
strcpy(network.ifr_name, interface);
1262
1225
}
1263
1226
#endif /* __linux__ */
1264
1227
exitcode = EXIT_FAILURE;
1265
/* Lower privileges */
1266
errno = 0;
1267
ret = seteuid(uid);
1268
if(ret == -1){
1269
perror("seteuid");
1270
}
1271
1228
goto end;
1272
1229
}
1273
1230
if((network.ifr_flags & IFF_UP) == 0){
1286
1243
}
1287
1244
}
1288
1245
#endif /* __linux__ */
1289
/* Lower privileges */
1290
errno = 0;
1291
ret = seteuid(uid);
1292
if(ret == -1){
1293
perror("seteuid");
1294
}
1295
1246
goto end;
1296
1247
}
1297
1248
}
1325
1276
}
1326
1277
}
1327
1278
#endif /* __linux__ */
1328
/* Lower privileges */
1329
errno = 0;
1330
if(take_down_interface){
1331
/* Lower privileges */
1332
ret = seteuid(uid);
1333
if(ret == -1){
1334
perror("seteuid");
1335
}
1336
} else {
1337
/* Lower privileges permanently */
1338
ret = setuid(uid);
1339
if(ret == -1){
1340
perror("setuid");
1341
}
1342
}
1279
}
1280
1281
if(quit_now){
1282
goto end;
1283
}
1284
1285
uid = getuid();
1286
gid = getgid();
1287
1288
errno = 0;
1289
setgid(gid);
1290
if(ret == -1){
1291
perror("setgid");
1292
}
1293
1294
ret = setuid(uid);
1295
if(ret == -1){
1296
perror("setuid");
1343
1297
}
1344
1298
1345
1299
if(quit_now){
1519
1473
1520
1474
/* Take down the network interface */
1521
1475
if(take_down_interface){
1522
/* Re-raise priviliges */
1523
errno = 0;
1524
ret = seteuid(0);
1476
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1525
1477
if(ret == -1){
1526
perror("seteuid");
1478
perror("ioctl SIOCGIFFLAGS");
1479
} else if(network.ifr_flags & IFF_UP) {
1480
network.ifr_flags &= ~IFF_UP; /* clear flag */
1481
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1482
if(ret == -1){
1483
perror("ioctl SIOCSIFFLAGS");
1484
}
1527
1485
}
1528
if(geteuid() == 0){
1529
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1530
if(ret == -1){
1531
perror("ioctl SIOCGIFFLAGS");
1532
} else if(network.ifr_flags & IFF_UP) {
1533
network.ifr_flags &= ~IFF_UP; /* clear flag */
1534
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1535
if(ret == -1){
1536
perror("ioctl SIOCSIFFLAGS");
1537
}
1538
}
1539
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1540
if(ret == -1){
1541
perror("close");
1542
}
1543
/* Lower privileges permanently */
1544
errno = 0;
1545
ret = setuid(uid);
1546
if(ret == -1){
1547
perror("setuid");
1548
}
1486
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1487
if(ret == -1){
1488
perror("close");
1549
1489
}
1550
1490
}
1551
1491
1596
1536
if(quit_now){
1597
1537
sigemptyset(&old_sigterm_action.sa_mask);
1598
1538
old_sigterm_action.sa_handler = SIG_DFL;
1599
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1600
&old_sigterm_action,
1601
NULL));
1539
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1602
1540
if(ret == -1){
1603
1541
perror("sigaction");
1604
1542
}
1605
do {
1606
ret = raise(signal_received);
1607
} while(ret != 0 and errno == EINTR);
1608
if(ret != 0){
1609
perror("raise");
1610
abort();
1611
}
1612
TEMP_FAILURE_RETRY(pause());
1543
raise(signal_received);
1613
1544
}
1614
1545
1615
1546
return exitcode;
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0