To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 364
- compare with another revision
- download diff
- download tarball
- view history from revision 364
- Committer: Teddy Hogeborn
- Date: 2009-09-07 23:48:17 UTC
- Revision ID: teddy@fukt.bsnet.se-20090907234817-op1lgg9gpruejsiv
* initramfs-tools-hook: Bug fix: Really install user-supplied plugins.
Bug fix: Warn about empty plugin directory.
Bug fix: Warn about empty plugin directory.
added
removed
plugins.d/mandos-client.c
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
74
getuid(), getgid(), setuid(),
75
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
148
145
/*
149
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
150
147
* bytes. "buffer_capacity" is how much is currently allocated,
477
474
static int init_gnutls_session(gnutls_session_t *session){
478
475
int ret;
479
476
/* GnuTLS session creation */
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
477
ret = gnutls_init(session, GNUTLS_SERVER);
486
478
if(ret != GNUTLS_E_SUCCESS){
487
479
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
488
480
safer_gnutls_strerror(ret));
490
482
491
483
{
492
484
const char *err;
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
500
486
if(ret != GNUTLS_E_SUCCESS){
501
487
fprintf(stderr, "Syntax error at: %s\n", err);
502
488
fprintf(stderr, "GnuTLS error: %s\n",
506
492
}
507
493
}
508
494
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
517
497
if(ret != GNUTLS_E_SUCCESS){
518
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
519
499
safer_gnutls_strerror(ret));
522
502
}
523
503
524
504
/* ignore client certificate if any. */
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
526
507
527
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
528
509
533
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
534
515
__attribute__((unused)) const char *txt){}
535
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
536
520
/* Called when a Mandos server is found */
537
521
static int start_mandos_communication(const char *ip, uint16_t port,
538
522
AvahiIfIndex if_index,
586
570
}
587
571
588
572
if(quit_now){
589
retval = -1;
590
573
goto mandos_end;
591
574
}
592
575
632
615
}
633
616
634
617
if(quit_now){
635
retval = -1;
636
618
goto mandos_end;
637
619
}
638
620
669
651
}
670
652
671
653
if(quit_now){
672
retval = -1;
673
654
goto mandos_end;
674
655
}
675
656
685
666
}
686
667
687
668
if(quit_now){
688
retval = -1;
689
669
goto mandos_end;
690
670
}
691
671
713
693
}
714
694
715
695
if(quit_now){
716
retval = -1;
717
696
goto mandos_end;
718
697
}
719
698
}
723
702
}
724
703
725
704
if(quit_now){
726
retval = -1;
727
705
goto mandos_end;
728
706
}
729
707
730
708
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
731
709
732
710
if(quit_now){
733
retval = -1;
734
711
goto mandos_end;
735
712
}
736
713
737
714
do {
738
715
ret = gnutls_handshake(session);
739
716
if(quit_now){
740
retval = -1;
741
717
goto mandos_end;
742
718
}
743
719
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
761
737
while(true){
762
738
763
739
if(quit_now){
764
retval = -1;
765
740
goto mandos_end;
766
741
}
767
742
774
749
}
775
750
776
751
if(quit_now){
777
retval = -1;
778
752
goto mandos_end;
779
753
}
780
754
793
767
ret = gnutls_handshake(session);
794
768
795
769
if(quit_now){
796
retval = -1;
797
770
goto mandos_end;
798
771
}
799
772
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
821
794
}
822
795
823
796
if(quit_now){
824
retval = -1;
825
goto mandos_end;
826
}
827
828
do {
829
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
830
if(quit_now){
831
retval = -1;
832
goto mandos_end;
833
}
834
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
797
goto mandos_end;
798
}
799
800
gnutls_bye(session, GNUTLS_SHUT_RDWR);
801
802
if(quit_now){
803
goto mandos_end;
804
}
835
805
836
806
if(buffer_length > 0){
837
807
ssize_t decrypted_buffer_size;
843
813
written = 0;
844
814
while(written < (size_t) decrypted_buffer_size){
845
815
if(quit_now){
846
retval = -1;
847
816
goto mandos_end;
848
817
}
849
818
1026
995
bool gpgme_initialized = false;
1027
996
float delay = 2.5f;
1028
997
1029
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
998
struct sigaction old_sigterm_action;
1030
999
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1031
1000
1032
uid = getuid();
1033
gid = getgid();
1034
1035
/* Lower any group privileges we might have, just to be safe */
1036
errno = 0;
1037
ret = setgid(gid);
1038
if(ret == -1){
1039
perror("setgid");
1040
}
1041
1042
/* Lower user privileges (temporarily) */
1043
errno = 0;
1044
ret = seteuid(uid);
1045
if(ret == -1){
1046
perror("seteuid");
1047
}
1048
1049
if(quit_now){
1050
goto end;
1051
}
1052
1053
1001
{
1054
1002
struct argp_option options[] = {
1055
1003
{ .name = "debug", .key = 128,
1239
1187
goto end;
1240
1188
}
1241
1189
1242
/* Re-raise priviliges */
1243
errno = 0;
1244
ret = seteuid(0);
1245
if(ret == -1){
1246
perror("seteuid");
1247
}
1248
1249
1190
#ifdef __linux__
1250
1191
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1251
1192
messages to mess up the prompt */
1269
1210
}
1270
1211
}
1271
1212
#endif /* __linux__ */
1272
/* Lower privileges */
1273
errno = 0;
1274
ret = seteuid(uid);
1275
if(ret == -1){
1276
perror("seteuid");
1277
}
1278
1213
goto end;
1279
1214
}
1280
1215
strcpy(network.ifr_name, interface);
1290
1225
}
1291
1226
#endif /* __linux__ */
1292
1227
exitcode = EXIT_FAILURE;
1293
/* Lower privileges */
1294
errno = 0;
1295
ret = seteuid(uid);
1296
if(ret == -1){
1297
perror("seteuid");
1298
}
1299
1228
goto end;
1300
1229
}
1301
1230
if((network.ifr_flags & IFF_UP) == 0){
1314
1243
}
1315
1244
}
1316
1245
#endif /* __linux__ */
1317
/* Lower privileges */
1318
errno = 0;
1319
ret = seteuid(uid);
1320
if(ret == -1){
1321
perror("seteuid");
1322
}
1323
1246
goto end;
1324
1247
}
1325
1248
}
1353
1276
}
1354
1277
}
1355
1278
#endif /* __linux__ */
1356
/* Lower privileges */
1357
errno = 0;
1358
if(take_down_interface){
1359
/* Lower privileges */
1360
ret = seteuid(uid);
1361
if(ret == -1){
1362
perror("seteuid");
1363
}
1364
} else {
1365
/* Lower privileges permanently */
1366
ret = setuid(uid);
1367
if(ret == -1){
1368
perror("setuid");
1369
}
1370
}
1279
}
1280
1281
if(quit_now){
1282
goto end;
1283
}
1284
1285
uid = getuid();
1286
gid = getgid();
1287
1288
errno = 0;
1289
setgid(gid);
1290
if(ret == -1){
1291
perror("setgid");
1292
}
1293
1294
ret = setuid(uid);
1295
if(ret == -1){
1296
perror("setuid");
1371
1297
}
1372
1298
1373
1299
if(quit_now){
1547
1473
1548
1474
/* Take down the network interface */
1549
1475
if(take_down_interface){
1550
/* Re-raise priviliges */
1551
errno = 0;
1552
ret = seteuid(0);
1476
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1553
1477
if(ret == -1){
1554
perror("seteuid");
1478
perror("ioctl SIOCGIFFLAGS");
1479
} else if(network.ifr_flags & IFF_UP) {
1480
network.ifr_flags &= ~IFF_UP; /* clear flag */
1481
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1482
if(ret == -1){
1483
perror("ioctl SIOCSIFFLAGS");
1484
}
1555
1485
}
1556
if(geteuid() == 0){
1557
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1558
if(ret == -1){
1559
perror("ioctl SIOCGIFFLAGS");
1560
} else if(network.ifr_flags & IFF_UP) {
1561
network.ifr_flags &= ~IFF_UP; /* clear flag */
1562
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1563
if(ret == -1){
1564
perror("ioctl SIOCSIFFLAGS");
1565
}
1566
}
1567
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1568
if(ret == -1){
1569
perror("close");
1570
}
1571
/* Lower privileges permanently */
1572
errno = 0;
1573
ret = setuid(uid);
1574
if(ret == -1){
1575
perror("setuid");
1576
}
1486
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1487
if(ret == -1){
1488
perror("close");
1577
1489
}
1578
1490
}
1579
1491
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0