To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 355
- compare with another revision
- download diff
- download tarball
- view history from revision 355
- Committer: Teddy Hogeborn
- Date: 2009-08-30 03:10:29 UTC
- Revision ID: teddy@fukt.bsnet.se-20090830031029-cj8po3rc4g1cux1d
* mandos: White-space fixes only.
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
- files modified:
- TODO
added
removed
plugins.d/mandos-client.c
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
74
getuid(), getgid(), setuid(),
75
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
148
145
/*
149
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
150
147
* bytes. "buffer_capacity" is how much is currently allocated,
167
164
*/
168
165
static bool init_gpgme(const char *seckey,
169
166
const char *pubkey, const char *tempdir){
167
int ret;
170
168
gpgme_error_t rc;
171
169
gpgme_engine_info_t engine_info;
172
170
175
173
* Helper function to insert pub and seckey to the engine keyring.
176
174
*/
177
175
bool import_key(const char *filename){
178
int ret;
179
176
int fd;
180
177
gpgme_data_t pgp_data;
181
178
477
474
static int init_gnutls_session(gnutls_session_t *session){
478
475
int ret;
479
476
/* GnuTLS session creation */
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
477
ret = gnutls_init(session, GNUTLS_SERVER);
486
478
if(ret != GNUTLS_E_SUCCESS){
487
479
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
488
480
safer_gnutls_strerror(ret));
490
482
491
483
{
492
484
const char *err;
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
500
486
if(ret != GNUTLS_E_SUCCESS){
501
487
fprintf(stderr, "Syntax error at: %s\n", err);
502
488
fprintf(stderr, "GnuTLS error: %s\n",
506
492
}
507
493
}
508
494
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
517
497
if(ret != GNUTLS_E_SUCCESS){
518
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
519
499
safer_gnutls_strerror(ret));
522
502
}
523
503
524
504
/* ignore client certificate if any. */
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
526
507
527
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
528
509
533
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
534
515
__attribute__((unused)) const char *txt){}
535
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
536
520
/* Called when a Mandos server is found */
537
521
static int start_mandos_communication(const char *ip, uint16_t port,
538
522
AvahiIfIndex if_index,
539
523
int af){
540
int ret, tcp_sd = -1;
524
int ret, tcp_sd;
541
525
ssize_t sret;
542
526
union {
543
527
struct sockaddr_in in;
547
531
char *decrypted_buffer;
548
532
size_t buffer_length = 0;
549
533
size_t buffer_capacity = 0;
534
ssize_t decrypted_buffer_size;
550
535
size_t written;
551
536
int retval = 0;
552
537
gnutls_session_t session;
553
538
int pf; /* Protocol family */
554
539
555
if(quit_now){
556
return -1;
557
}
558
559
540
switch(af){
560
541
case AF_INET6:
561
542
pf = PF_INET6;
581
562
tcp_sd = socket(pf, SOCK_STREAM, 0);
582
563
if(tcp_sd < 0){
583
564
perror("socket");
584
retval = -1;
585
goto mandos_end;
586
}
587
588
if(quit_now){
589
retval = -1;
590
goto mandos_end;
565
return -1;
591
566
}
592
567
593
568
memset(&to, 0, sizeof(to));
600
575
}
601
576
if(ret < 0 ){
602
577
perror("inet_pton");
603
retval = -1;
604
goto mandos_end;
578
return -1;
605
579
}
606
580
if(ret == 0){
607
581
fprintf(stderr, "Bad address: %s\n", ip);
608
retval = -1;
609
goto mandos_end;
582
return -1;
610
583
}
611
584
if(af == AF_INET6){
612
585
to.in6.sin6_port = htons(port); /* Spurious warnings from
619
592
if(if_index == AVAHI_IF_UNSPEC){
620
593
fprintf(stderr, "An IPv6 link-local address is incomplete"
621
594
" without a network interface\n");
622
retval = -1;
623
goto mandos_end;
595
return -1;
624
596
}
625
597
/* Set the network interface number as scope */
626
598
to.in6.sin6_scope_id = (uint32_t)if_index;
631
603
-Wunreachable-code */
632
604
}
633
605
634
if(quit_now){
635
retval = -1;
636
goto mandos_end;
637
}
638
639
606
if(debug){
640
607
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
641
608
char interface[IF_NAMESIZE];
668
635
}
669
636
}
670
637
671
if(quit_now){
672
retval = -1;
673
goto mandos_end;
674
}
675
676
638
if(af == AF_INET6){
677
639
ret = connect(tcp_sd, &to.in6, sizeof(to));
678
640
} else {
680
642
}
681
643
if(ret < 0){
682
644
perror("connect");
683
retval = -1;
684
goto mandos_end;
685
}
686
687
if(quit_now){
688
retval = -1;
689
goto mandos_end;
645
return -1;
690
646
}
691
647
692
648
const char *out = mandos_protocol_version;
711
667
break;
712
668
}
713
669
}
714
715
if(quit_now){
716
retval = -1;
717
goto mandos_end;
718
}
719
670
}
720
671
721
672
if(debug){
722
673
fprintf(stderr, "Establishing TLS session with %s\n", ip);
723
674
}
724
675
725
if(quit_now){
726
retval = -1;
727
goto mandos_end;
728
}
729
730
676
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
731
677
732
if(quit_now){
733
retval = -1;
734
goto mandos_end;
735
}
736
737
do {
678
do{
738
679
ret = gnutls_handshake(session);
739
if(quit_now){
740
retval = -1;
741
goto mandos_end;
742
}
743
680
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
744
681
745
682
if(ret != GNUTLS_E_SUCCESS){
759
696
}
760
697
761
698
while(true){
762
763
if(quit_now){
764
retval = -1;
765
goto mandos_end;
766
}
767
768
699
buffer_capacity = incbuffer(&buffer, buffer_length,
769
700
buffer_capacity);
770
701
if(buffer_capacity == 0){
773
704
goto mandos_end;
774
705
}
775
706
776
if(quit_now){
777
retval = -1;
778
goto mandos_end;
779
}
780
781
707
sret = gnutls_record_recv(session, buffer+buffer_length,
782
708
BUFFER_SIZE);
783
709
if(sret == 0){
789
715
case GNUTLS_E_AGAIN:
790
716
break;
791
717
case GNUTLS_E_REHANDSHAKE:
792
do {
718
do{
793
719
ret = gnutls_handshake(session);
794
795
if(quit_now){
796
retval = -1;
797
goto mandos_end;
798
}
799
720
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
800
721
if(ret < 0){
801
722
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
820
741
fprintf(stderr, "Closing TLS session\n");
821
742
}
822
743
823
if(quit_now){
824
retval = -1;
825
goto mandos_end;
826
}
827
828
do {
829
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
830
if(quit_now){
831
retval = -1;
832
goto mandos_end;
833
}
834
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
744
gnutls_bye(session, GNUTLS_SHUT_RDWR);
835
745
836
746
if(buffer_length > 0){
837
ssize_t decrypted_buffer_size;
838
747
decrypted_buffer_size = pgp_packet_decrypt(buffer,
839
748
buffer_length,
840
749
&decrypted_buffer);
841
750
if(decrypted_buffer_size >= 0){
842
843
751
written = 0;
844
752
while(written < (size_t) decrypted_buffer_size){
845
if(quit_now){
846
retval = -1;
847
goto mandos_end;
848
}
849
850
753
ret = (int)fwrite(decrypted_buffer + written, 1,
851
754
(size_t)decrypted_buffer_size - written,
852
755
stdout);
872
775
873
776
mandos_end:
874
777
free(buffer);
875
if(tcp_sd >= 0){
876
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
877
}
778
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
878
779
if(ret == -1){
879
780
perror("close");
880
781
}
881
782
gnutls_deinit(session);
882
if(quit_now){
883
retval = -1;
884
}
885
783
return retval;
886
784
}
887
785
950
848
/* Called whenever a new services becomes available on the LAN or
951
849
is removed from the LAN */
952
850
953
if(quit_now){
954
return;
955
}
956
957
851
switch(event){
958
852
default:
959
853
case AVAHI_BROWSER_FAILURE:
1026
920
bool gpgme_initialized = false;
1027
921
float delay = 2.5f;
1028
922
1029
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
923
struct sigaction old_sigterm_action;
1030
924
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1031
925
1032
uid = getuid();
1033
gid = getgid();
1034
1035
/* Lower any group privileges we might have, just to be safe */
1036
errno = 0;
1037
ret = setgid(gid);
1038
if(ret == -1){
1039
perror("setgid");
1040
}
1041
1042
/* Lower user privileges (temporarily) */
1043
errno = 0;
1044
ret = seteuid(uid);
1045
if(ret == -1){
1046
perror("seteuid");
1047
}
1048
1049
if(quit_now){
1050
goto end;
1051
}
1052
1053
926
{
1054
927
struct argp_option options[] = {
1055
928
{ .name = "debug", .key = 128,
1182
1055
exitcode = EXIT_FAILURE;
1183
1056
goto end;
1184
1057
}
1185
/* Need to check if the handler is SIG_IGN before handling:
1186
| [[info:libc:Initial Signal Actions]] |
1187
| [[info:libc:Basic Signal Handling]] |
1188
*/
1189
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1190
if(ret == -1){
1191
perror("sigaction");
1192
return EXIT_FAILURE;
1193
}
1194
if(old_sigterm_action.sa_handler != SIG_IGN){
1195
ret = sigaction(SIGINT, &sigterm_action, NULL);
1196
if(ret == -1){
1197
perror("sigaction");
1198
exitcode = EXIT_FAILURE;
1199
goto end;
1200
}
1201
}
1202
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1203
if(ret == -1){
1204
perror("sigaction");
1205
return EXIT_FAILURE;
1206
}
1207
if(old_sigterm_action.sa_handler != SIG_IGN){
1208
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1209
if(ret == -1){
1210
perror("sigaction");
1211
exitcode = EXIT_FAILURE;
1212
goto end;
1213
}
1214
}
1215
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1216
if(ret == -1){
1217
perror("sigaction");
1218
return EXIT_FAILURE;
1219
}
1220
if(old_sigterm_action.sa_handler != SIG_IGN){
1221
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1222
if(ret == -1){
1223
perror("sigaction");
1224
exitcode = EXIT_FAILURE;
1225
goto end;
1226
}
1058
ret = sigaction(SIGINT, &sigterm_action, &old_sigterm_action);
1059
if(ret == -1){
1060
perror("sigaction");
1061
exitcode = EXIT_FAILURE;
1062
goto end;
1063
}
1064
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1065
if(ret == -1){
1066
perror("sigaction");
1067
exitcode = EXIT_FAILURE;
1068
goto end;
1069
}
1070
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1071
if(ret == -1){
1072
perror("sigaction");
1073
exitcode = EXIT_FAILURE;
1074
goto end;
1227
1075
}
1228
1076
1229
1077
/* If the interface is down, bring it up */
1239
1087
goto end;
1240
1088
}
1241
1089
1242
/* Re-raise priviliges */
1243
errno = 0;
1244
ret = seteuid(0);
1245
if(ret == -1){
1246
perror("seteuid");
1247
}
1248
1249
1090
#ifdef __linux__
1250
1091
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1251
1092
messages to mess up the prompt */
1269
1110
}
1270
1111
}
1271
1112
#endif /* __linux__ */
1272
/* Lower privileges */
1273
errno = 0;
1274
ret = seteuid(uid);
1275
if(ret == -1){
1276
perror("seteuid");
1277
}
1278
1113
goto end;
1279
1114
}
1280
1115
strcpy(network.ifr_name, interface);
1290
1125
}
1291
1126
#endif /* __linux__ */
1292
1127
exitcode = EXIT_FAILURE;
1293
/* Lower privileges */
1294
errno = 0;
1295
ret = seteuid(uid);
1296
if(ret == -1){
1297
perror("seteuid");
1298
}
1299
1128
goto end;
1300
1129
}
1301
1130
if((network.ifr_flags & IFF_UP) == 0){
1314
1143
}
1315
1144
}
1316
1145
#endif /* __linux__ */
1317
/* Lower privileges */
1318
errno = 0;
1319
ret = seteuid(uid);
1320
if(ret == -1){
1321
perror("seteuid");
1322
}
1323
1146
goto end;
1324
1147
}
1325
1148
}
1353
1176
}
1354
1177
}
1355
1178
#endif /* __linux__ */
1356
/* Lower privileges */
1357
errno = 0;
1358
if(take_down_interface){
1359
/* Lower privileges */
1360
ret = seteuid(uid);
1361
if(ret == -1){
1362
perror("seteuid");
1363
}
1364
} else {
1365
/* Lower privileges permanently */
1366
ret = setuid(uid);
1367
if(ret == -1){
1368
perror("setuid");
1369
}
1370
}
1179
}
1180
1181
if(quit_now){
1182
goto end;
1183
}
1184
1185
uid = getuid();
1186
gid = getgid();
1187
1188
errno = 0;
1189
setgid(gid);
1190
if(ret == -1){
1191
perror("setgid");
1192
}
1193
1194
ret = setuid(uid);
1195
if(ret == -1){
1196
perror("setuid");
1371
1197
}
1372
1198
1373
1199
if(quit_now){
1547
1373
1548
1374
/* Take down the network interface */
1549
1375
if(take_down_interface){
1550
/* Re-raise priviliges */
1551
errno = 0;
1552
ret = seteuid(0);
1376
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1553
1377
if(ret == -1){
1554
perror("seteuid");
1378
perror("ioctl SIOCGIFFLAGS");
1379
} else if(network.ifr_flags & IFF_UP) {
1380
network.ifr_flags &= ~IFF_UP; /* clear flag */
1381
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1382
if(ret == -1){
1383
perror("ioctl SIOCSIFFLAGS");
1384
}
1555
1385
}
1556
if(geteuid() == 0){
1557
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1558
if(ret == -1){
1559
perror("ioctl SIOCGIFFLAGS");
1560
} else if(network.ifr_flags & IFF_UP) {
1561
network.ifr_flags &= ~IFF_UP; /* clear flag */
1562
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1563
if(ret == -1){
1564
perror("ioctl SIOCSIFFLAGS");
1565
}
1566
}
1567
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1568
if(ret == -1){
1569
perror("close");
1570
}
1571
/* Lower privileges permanently */
1572
errno = 0;
1573
ret = setuid(uid);
1574
if(ret == -1){
1575
perror("setuid");
1576
}
1386
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1387
if(ret == -1){
1388
perror("close");
1577
1389
}
1578
1390
}
1579
1391
1622
1434
}
1623
1435
1624
1436
if(quit_now){
1625
sigemptyset(&old_sigterm_action.sa_mask);
1626
old_sigterm_action.sa_handler = SIG_DFL;
1627
1437
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1628
1438
if(ret == -1){
1629
1439
perror("sigaction");
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0