To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 310
- compare with another revision
- download diff
- download tarball
- view history from revision 310
- Committer: Teddy Hogeborn
- Date: 2009-02-12 06:09:24 UTC
- Revision ID: teddy@fukt.bsnet.se-20090212060924-vwxgitxnwr14w9e4
* mandos (Client.start_checker): Bug fix: Add extra check in case the
checker process completed quickly.
checker process completed quickly.
- files modified:
- TODO
added
removed
plugins.d/mandos-client.c
75
75
argp_state, struct argp,
76
76
argp_parse(), ARGP_KEY_ARG,
77
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
78
82
#ifdef __linux__
79
83
#include <sys/klog.h> /* klogctl() */
80
#endif
84
#endif /* __linux__ */
81
85
82
86
/* Avahi */
83
87
/* All Avahi types, constants and functions
129
133
gpgme_ctx_t ctx;
130
134
} mandos_context;
131
135
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
140
132
141
/*
133
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
134
* "buffer_capacity" is how much is currently allocated,
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
135
144
* "buffer_length" is how much is already used.
136
145
*/
137
size_t adjustbuffer(char **buffer, size_t buffer_length,
146
size_t incbuffer(char **buffer, size_t buffer_length,
138
147
size_t buffer_capacity){
139
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
140
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
149
158
/*
150
159
* Initialize GPGME.
151
160
*/
152
static bool init_gpgme(mandos_context *mc, const char *seckey,
161
static bool init_gpgme(const char *seckey,
153
162
const char *pubkey, const char *tempdir){
154
163
int ret;
155
164
gpgme_error_t rc;
176
185
return false;
177
186
}
178
187
179
rc = gpgme_op_import(mc->ctx, pgp_data);
188
rc = gpgme_op_import(mc.ctx, pgp_data);
180
189
if(rc != GPG_ERR_NO_ERROR){
181
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
182
191
gpgme_strsource(rc), gpgme_strerror(rc));
192
201
}
193
202
194
203
if(debug){
195
fprintf(stderr, "Initialize gpgme\n");
204
fprintf(stderr, "Initializing GPGME\n");
196
205
}
197
206
198
207
/* Init GPGME */
225
234
}
226
235
227
236
/* Create new GPGME "context" */
228
rc = gpgme_new(&(mc->ctx));
237
rc = gpgme_new(&(mc.ctx));
229
238
if(rc != GPG_ERR_NO_ERROR){
230
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
231
240
gpgme_strsource(rc), gpgme_strerror(rc));
243
252
* Decrypt OpenPGP data.
244
253
* Returns -1 on error
245
254
*/
246
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
247
const char *cryptotext,
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
248
256
size_t crypto_size,
249
257
char **plaintext){
250
258
gpgme_data_t dh_crypto, dh_plain;
277
285
278
286
/* Decrypt data from the cryptotext data buffer to the plaintext
279
287
data buffer */
280
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
281
289
if(rc != GPG_ERR_NO_ERROR){
282
290
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
283
291
gpgme_strsource(rc), gpgme_strerror(rc));
284
292
plaintext_length = -1;
285
293
if(debug){
286
294
gpgme_decrypt_result_t result;
287
result = gpgme_op_decrypt_result(mc->ctx);
295
result = gpgme_op_decrypt_result(mc.ctx);
288
296
if(result == NULL){
289
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
290
298
} else {
326
334
327
335
*plaintext = NULL;
328
336
while(true){
329
plaintext_capacity = adjustbuffer(plaintext,
337
plaintext_capacity = incbuffer(plaintext,
330
338
(size_t)plaintext_length,
331
339
plaintext_capacity);
332
340
if(plaintext_capacity == 0){
333
perror("adjustbuffer");
341
perror("incbuffer");
334
342
plaintext_length = -1;
335
343
goto decrypt_end;
336
344
}
382
390
fprintf(stderr, "GnuTLS: %s", string);
383
391
}
384
392
385
static int init_gnutls_global(mandos_context *mc,
386
const char *pubkeyfilename,
393
static int init_gnutls_global(const char *pubkeyfilename,
387
394
const char *seckeyfilename){
388
395
int ret;
389
396
407
414
}
408
415
409
416
/* OpenPGP credentials */
410
gnutls_certificate_allocate_credentials(&mc->cred);
417
gnutls_certificate_allocate_credentials(&mc.cred);
411
418
if(ret != GNUTLS_E_SUCCESS){
412
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
413
420
from
425
432
}
426
433
427
434
ret = gnutls_certificate_set_openpgp_key_file
428
(mc->cred, pubkeyfilename, seckeyfilename,
435
(mc.cred, pubkeyfilename, seckeyfilename,
429
436
GNUTLS_OPENPGP_FMT_BASE64);
430
437
if(ret != GNUTLS_E_SUCCESS){
431
438
fprintf(stderr,
437
444
}
438
445
439
446
/* GnuTLS server initialization */
440
ret = gnutls_dh_params_init(&mc->dh_params);
447
ret = gnutls_dh_params_init(&mc.dh_params);
441
448
if(ret != GNUTLS_E_SUCCESS){
442
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
443
450
" %s\n", safer_gnutls_strerror(ret));
444
451
goto globalfail;
445
452
}
446
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
447
454
if(ret != GNUTLS_E_SUCCESS){
448
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
449
456
safer_gnutls_strerror(ret));
450
457
goto globalfail;
451
458
}
452
459
453
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
454
461
455
462
return 0;
456
463
457
464
globalfail:
458
465
459
gnutls_certificate_free_credentials(mc->cred);
466
gnutls_certificate_free_credentials(mc.cred);
460
467
gnutls_global_deinit();
461
gnutls_dh_params_deinit(mc->dh_params);
468
gnutls_dh_params_deinit(mc.dh_params);
462
469
return -1;
463
470
}
464
471
465
static int init_gnutls_session(mandos_context *mc,
466
gnutls_session_t *session){
472
static int init_gnutls_session(gnutls_session_t *session){
467
473
int ret;
468
474
/* GnuTLS session creation */
469
475
ret = gnutls_init(session, GNUTLS_SERVER);
474
480
475
481
{
476
482
const char *err;
477
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
478
484
if(ret != GNUTLS_E_SUCCESS){
479
485
fprintf(stderr, "Syntax error at: %s\n", err);
480
486
fprintf(stderr, "GnuTLS error: %s\n",
485
491
}
486
492
487
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
488
mc->cred);
494
mc.cred);
489
495
if(ret != GNUTLS_E_SUCCESS){
490
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
491
497
safer_gnutls_strerror(ret));
497
503
gnutls_certificate_server_set_request(*session,
498
504
GNUTLS_CERT_IGNORE);
499
505
500
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
501
507
502
508
return 0;
503
509
}
509
515
/* Called when a Mandos server is found */
510
516
static int start_mandos_communication(const char *ip, uint16_t port,
511
517
AvahiIfIndex if_index,
512
mandos_context *mc, int af){
518
int af){
513
519
int ret, tcp_sd;
514
520
ssize_t sret;
515
521
union {
538
544
return -1;
539
545
}
540
546
541
ret = init_gnutls_session(mc, &session);
547
ret = init_gnutls_session(&session);
542
548
if(ret != 0){
543
549
return -1;
544
550
}
685
691
}
686
692
687
693
while(true){
688
buffer_capacity = adjustbuffer(&buffer, buffer_length,
694
buffer_capacity = incbuffer(&buffer, buffer_length,
689
695
buffer_capacity);
690
696
if(buffer_capacity == 0){
691
perror("adjustbuffer");
697
perror("incbuffer");
692
698
retval = -1;
693
699
goto mandos_end;
694
700
}
733
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
734
740
735
741
if(buffer_length > 0){
736
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
742
decrypted_buffer_size = pgp_packet_decrypt(buffer,
737
743
buffer_length,
738
744
&decrypted_buffer);
739
745
if(decrypted_buffer_size >= 0){
785
791
AVAHI_GCC_UNUSED AvahiStringList *txt,
786
792
AVAHI_GCC_UNUSED AvahiLookupResultFlags
787
793
flags,
788
void* userdata){
789
mandos_context *mc = userdata;
794
AVAHI_GCC_UNUSED void* userdata){
790
795
assert(r);
791
796
792
797
/* Called whenever a service has been resolved successfully or
797
802
case AVAHI_RESOLVER_FAILURE:
798
803
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
799
804
" of type '%s' in domain '%s': %s\n", name, type, domain,
800
avahi_strerror(avahi_server_errno(mc->server)));
805
avahi_strerror(avahi_server_errno(mc.server)));
801
806
break;
802
807
803
808
case AVAHI_RESOLVER_FOUND:
809
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
810
815
ip, (intmax_t)interface, port);
811
816
}
812
int ret = start_mandos_communication(ip, port, interface, mc,
817
int ret = start_mandos_communication(ip, port, interface,
813
818
avahi_proto_to_af(proto));
814
819
if(ret == 0){
815
avahi_simple_poll_quit(mc->simple_poll);
820
avahi_simple_poll_quit(mc.simple_poll);
816
821
}
817
822
}
818
823
}
828
833
const char *domain,
829
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
830
835
flags,
831
void* userdata){
832
mandos_context *mc = userdata;
836
AVAHI_GCC_UNUSED void* userdata){
833
837
assert(b);
834
838
835
839
/* Called whenever a new services becomes available on the LAN or
840
844
case AVAHI_BROWSER_FAILURE:
841
845
842
846
fprintf(stderr, "(Avahi browser) %s\n",
843
avahi_strerror(avahi_server_errno(mc->server)));
844
avahi_simple_poll_quit(mc->simple_poll);
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
845
849
return;
846
850
847
851
case AVAHI_BROWSER_NEW:
850
854
the callback function is called the Avahi server will free the
851
855
resolver for us. */
852
856
853
if(!(avahi_s_service_resolver_new(mc->server, interface,
857
if(!(avahi_s_service_resolver_new(mc.server, interface,
854
858
protocol, name, type, domain,
855
859
AVAHI_PROTO_INET6, 0,
856
resolve_callback, mc)))
860
resolve_callback, NULL)))
857
861
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
858
name, avahi_strerror(avahi_server_errno(mc->server)));
862
name, avahi_strerror(avahi_server_errno(mc.server)));
859
863
break;
860
864
861
865
case AVAHI_BROWSER_REMOVE:
870
874
}
871
875
}
872
876
877
sig_atomic_t quit_now = 0;
878
879
/* stop main loop after sigterm has been called */
880
static void handle_sigterm(__attribute__((unused)) int sig){
881
if(quit_now){
882
return;
883
}
884
quit_now = 1;
885
int old_errno = errno;
886
if(mc.simple_poll != NULL){
887
avahi_simple_poll_quit(mc.simple_poll);
888
}
889
errno = old_errno;
890
}
891
873
892
int main(int argc, char *argv[]){
874
893
AvahiSServiceBrowser *sb = NULL;
875
894
int error;
889
908
const char *seckey = PATHDIR "/" SECKEY;
890
909
const char *pubkey = PATHDIR "/" PUBKEY;
891
910
892
mandos_context mc = { .simple_poll = NULL, .server = NULL,
893
.dh_bits = 1024, .priority = "SECURE256"
894
":!CTYPE-X.509:+CTYPE-OPENPGP" };
911
/* Initialize Mandos context */
912
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
913
.dh_bits = 1024, .priority = "SECURE256"
914
":!CTYPE-X.509:+CTYPE-OPENPGP" };
895
915
bool gnutls_initialized = false;
896
916
bool gpgme_initialized = false;
897
917
double delay = 2.5;
918
919
struct sigaction old_sigterm_action;
920
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
898
921
899
922
{
900
923
struct argp_option options[] = {
992
1015
}
993
1016
}
994
1017
1018
if(not debug){
1019
avahi_set_log_function(empty_log);
1020
}
1021
1022
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1023
from the signal handler */
1024
/* Initialize the pseudo-RNG for Avahi */
1025
srand((unsigned int) time(NULL));
1026
mc.simple_poll = avahi_simple_poll_new();
1027
if(mc.simple_poll == NULL){
1028
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1029
exitcode = EXIT_FAILURE;
1030
goto end;
1031
}
1032
1033
sigemptyset(&sigterm_action.sa_mask);
1034
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1035
if(ret == -1){
1036
perror("sigaddset");
1037
exitcode = EXIT_FAILURE;
1038
goto end;
1039
}
1040
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1041
if(ret == -1){
1042
perror("sigaddset");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1047
if(ret == -1){
1048
perror("sigaddset");
1049
exitcode = EXIT_FAILURE;
1050
goto end;
1051
}
1052
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1053
if(ret == -1){
1054
perror("sigaction");
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
995
1059
/* If the interface is down, bring it up */
996
1060
if(interface[0] != '\0'){
997
1061
#ifdef __linux__
1003
1067
restore_loglevel = false;
1004
1068
perror("klogctl");
1005
1069
}
1006
#endif
1070
#endif /* __linux__ */
1007
1071
1008
1072
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1009
1073
if(sd < 0){
1016
1080
perror("klogctl");
1017
1081
}
1018
1082
}
1019
#endif
1083
#endif /* __linux__ */
1020
1084
goto end;
1021
1085
}
1022
1086
strcpy(network.ifr_name, interface);
1030
1094
perror("klogctl");
1031
1095
}
1032
1096
}
1033
#endif
1097
#endif /* __linux__ */
1034
1098
exitcode = EXIT_FAILURE;
1035
1099
goto end;
1036
1100
}
1047
1111
perror("klogctl");
1048
1112
}
1049
1113
}
1050
#endif
1114
#endif /* __linux__ */
1051
1115
goto end;
1052
1116
}
1053
1117
}
1077
1141
perror("klogctl");
1078
1142
}
1079
1143
}
1080
#endif
1144
#endif /* __linux__ */
1081
1145
}
1082
1146
1083
1147
uid = getuid();
1094
1158
perror("setuid");
1095
1159
}
1096
1160
1097
ret = init_gnutls_global(&mc, pubkey, seckey);
1161
ret = init_gnutls_global(pubkey, seckey);
1098
1162
if(ret == -1){
1099
1163
fprintf(stderr, "init_gnutls_global failed\n");
1100
1164
exitcode = EXIT_FAILURE;
1109
1173
}
1110
1174
tempdir_created = true;
1111
1175
1112
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1176
if(not init_gpgme(pubkey, seckey, tempdir)){
1113
1177
fprintf(stderr, "init_gpgme failed\n");
1114
1178
exitcode = EXIT_FAILURE;
1115
1179
goto end;
1153
1217
} else {
1154
1218
af = AF_INET;
1155
1219
}
1156
ret = start_mandos_communication(address, port, if_index, &mc,
1157
af);
1220
ret = start_mandos_communication(address, port, if_index, af);
1158
1221
if(ret < 0){
1159
1222
exitcode = EXIT_FAILURE;
1160
1223
} else {
1162
1225
}
1163
1226
goto end;
1164
1227
}
1165
1166
if(not debug){
1167
avahi_set_log_function(empty_log);
1168
}
1169
1170
/* Initialize the pseudo-RNG for Avahi */
1171
srand((unsigned int) time(NULL));
1172
1173
/* Allocate main Avahi loop object */
1174
mc.simple_poll = avahi_simple_poll_new();
1175
if(mc.simple_poll == NULL){
1176
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1177
exitcode = EXIT_FAILURE;
1178
goto end;
1179
}
1180
1228
1181
1229
{
1182
1230
AvahiServerConfig config;
1183
1231
/* Do not publish any local Zeroconf records */
1207
1255
/* Create the Avahi service browser */
1208
1256
sb = avahi_s_service_browser_new(mc.server, if_index,
1209
1257
AVAHI_PROTO_INET6, "_mandos._tcp",
1210
NULL, 0, browse_callback, &mc);
1258
NULL, 0, browse_callback, NULL);
1211
1259
if(sb == NULL){
1212
1260
fprintf(stderr, "Failed to create service browser: %s\n",
1213
1261
avahi_strerror(avahi_server_errno(mc.server)));
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0