To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 370
- compare with another revision
- download diff
- download tarball
- view history from revision 370
- Committer: Teddy Hogeborn
- Date: 2009-09-17 01:21:27 UTC
- Revision ID: teddy@fukt.bsnet.se-20090917012127-4kwzquwuvudwucuv
* debian/control (Standards-Version): Updated to "2.8.3".
* mandos-client.conf.xml (OPTIONS/timeout): Add that a successful
client request will also
reset the timeout.
* mandos.xml (CHECKING): - '' -
* mandos-client.conf.xml (OPTIONS/timeout): Add that a successful
client request will also
reset the timeout.
* mandos.xml (CHECKING): - '' -
- files modified:
- TODO
added
removed
plugins.d/mandos-client.c
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
74
getuid(), getgid(), seteuid(),
75
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
164
164
*/
165
165
static bool init_gpgme(const char *seckey,
166
166
const char *pubkey, const char *tempdir){
167
int ret;
168
167
gpgme_error_t rc;
169
168
gpgme_engine_info_t engine_info;
170
169
173
172
* Helper function to insert pub and seckey to the engine keyring.
174
173
*/
175
174
bool import_key(const char *filename){
175
int ret;
176
176
int fd;
177
177
gpgme_data_t pgp_data;
178
178
474
474
static int init_gnutls_session(gnutls_session_t *session){
475
475
int ret;
476
476
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
477
do {
478
ret = gnutls_init(session, GNUTLS_SERVER);
479
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
478
480
if(ret != GNUTLS_E_SUCCESS){
479
481
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
482
safer_gnutls_strerror(ret));
482
484
483
485
{
484
486
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
487
do {
488
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
489
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
486
490
if(ret != GNUTLS_E_SUCCESS){
487
491
fprintf(stderr, "Syntax error at: %s\n", err);
488
492
fprintf(stderr, "GnuTLS error: %s\n",
492
496
}
493
497
}
494
498
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
499
do {
500
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
501
mc.cred);
502
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
497
503
if(ret != GNUTLS_E_SUCCESS){
498
504
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
499
505
safer_gnutls_strerror(ret));
502
508
}
503
509
504
510
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
511
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
507
512
508
513
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
509
514
531
536
char *decrypted_buffer;
532
537
size_t buffer_length = 0;
533
538
size_t buffer_capacity = 0;
534
ssize_t decrypted_buffer_size;
535
539
size_t written;
536
540
int retval = 0;
537
541
gnutls_session_t session;
712
716
goto mandos_end;
713
717
}
714
718
715
do{
719
do {
716
720
ret = gnutls_handshake(session);
717
721
if(quit_now){
718
722
goto mandos_end;
764
768
case GNUTLS_E_AGAIN:
765
769
break;
766
770
case GNUTLS_E_REHANDSHAKE:
767
do{
771
do {
768
772
ret = gnutls_handshake(session);
769
773
770
774
if(quit_now){
805
809
}
806
810
807
811
if(buffer_length > 0){
812
ssize_t decrypted_buffer_size;
808
813
decrypted_buffer_size = pgp_packet_decrypt(buffer,
809
814
buffer_length,
810
815
&decrypted_buffer);
811
816
if(decrypted_buffer_size >= 0){
817
812
818
written = 0;
813
819
while(written < (size_t) decrypted_buffer_size){
814
820
if(quit_now){
994
1000
bool gpgme_initialized = false;
995
1001
float delay = 2.5f;
996
1002
997
struct sigaction old_sigterm_action;
1003
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
998
1004
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
999
1005
1006
uid = getuid();
1007
gid = getgid();
1008
1009
/* Lower any group privileges we might have, just to be safe */
1010
errno = 0;
1011
ret = setgid(gid);
1012
if(ret == -1){
1013
perror("setgid");
1014
}
1015
1016
/* Lower user privileges (temporarily) */
1017
errno = 0;
1018
ret = seteuid(uid);
1019
if(ret == -1){
1020
perror("seteuid");
1021
}
1022
1023
if(quit_now){
1024
goto end;
1025
}
1026
1000
1027
{
1001
1028
struct argp_option options[] = {
1002
1029
{ .name = "debug", .key = 128,
1186
1213
goto end;
1187
1214
}
1188
1215
1216
/* Re-raise priviliges */
1217
errno = 0;
1218
ret = seteuid(0);
1219
if(ret == -1){
1220
perror("seteuid");
1221
}
1222
1189
1223
#ifdef __linux__
1190
1224
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1191
1225
messages to mess up the prompt */
1209
1243
}
1210
1244
}
1211
1245
#endif /* __linux__ */
1246
/* Lower privileges */
1247
errno = 0;
1248
ret = seteuid(uid);
1249
if(ret == -1){
1250
perror("seteuid");
1251
}
1212
1252
goto end;
1213
1253
}
1214
1254
strcpy(network.ifr_name, interface);
1224
1264
}
1225
1265
#endif /* __linux__ */
1226
1266
exitcode = EXIT_FAILURE;
1267
/* Lower privileges */
1268
errno = 0;
1269
ret = seteuid(uid);
1270
if(ret == -1){
1271
perror("seteuid");
1272
}
1227
1273
goto end;
1228
1274
}
1229
1275
if((network.ifr_flags & IFF_UP) == 0){
1242
1288
}
1243
1289
}
1244
1290
#endif /* __linux__ */
1291
/* Lower privileges */
1292
errno = 0;
1293
ret = seteuid(uid);
1294
if(ret == -1){
1295
perror("seteuid");
1296
}
1245
1297
goto end;
1246
1298
}
1247
1299
}
1275
1327
}
1276
1328
}
1277
1329
#endif /* __linux__ */
1278
}
1279
1280
if(quit_now){
1281
goto end;
1282
}
1283
1284
uid = getuid();
1285
gid = getgid();
1286
1287
errno = 0;
1288
setgid(gid);
1289
if(ret == -1){
1290
perror("setgid");
1291
}
1292
1293
ret = setuid(uid);
1294
if(ret == -1){
1295
perror("setuid");
1330
/* Lower privileges */
1331
errno = 0;
1332
if(take_down_interface){
1333
/* Lower privileges */
1334
ret = seteuid(uid);
1335
if(ret == -1){
1336
perror("seteuid");
1337
}
1338
} else {
1339
/* Lower privileges permanently */
1340
ret = setuid(uid);
1341
if(ret == -1){
1342
perror("setuid");
1343
}
1344
}
1296
1345
}
1297
1346
1298
1347
if(quit_now){
1472
1521
1473
1522
/* Take down the network interface */
1474
1523
if(take_down_interface){
1475
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1524
/* Re-raise priviliges */
1525
errno = 0;
1526
ret = seteuid(0);
1476
1527
if(ret == -1){
1477
perror("ioctl SIOCGIFFLAGS");
1478
} else if(network.ifr_flags & IFF_UP) {
1479
network.ifr_flags &= ~IFF_UP; /* clear flag */
1480
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1481
if(ret == -1){
1482
perror("ioctl SIOCSIFFLAGS");
1483
}
1528
perror("seteuid");
1484
1529
}
1485
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1486
if(ret == -1){
1487
perror("close");
1530
if(geteuid() == 0){
1531
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1532
if(ret == -1){
1533
perror("ioctl SIOCGIFFLAGS");
1534
} else if(network.ifr_flags & IFF_UP) {
1535
network.ifr_flags &= ~IFF_UP; /* clear flag */
1536
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1537
if(ret == -1){
1538
perror("ioctl SIOCSIFFLAGS");
1539
}
1540
}
1541
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1542
if(ret == -1){
1543
perror("close");
1544
}
1545
/* Lower privileges permanently */
1546
errno = 0;
1547
ret = setuid(uid);
1548
if(ret == -1){
1549
perror("setuid");
1550
}
1488
1551
}
1489
1552
}
1490
1553
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0