575
559
safer_gnutls_strerror(ret));
578
if(mc->dh_bits == 0){
579
/* Find out the optimal number of DH bits */
580
/* Try to read the private key file */
581
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
583
int secfile = open(seckeyfilename, O_RDONLY);
584
size_t buffer_capacity = 0;
586
buffer_capacity = incbuffer((char **)&buffer.data,
588
(size_t)buffer_capacity);
589
if(buffer_capacity == 0){
590
perror_plus("incbuffer");
595
ssize_t bytes_read = read(secfile, buffer.data + buffer.size,
601
/* check bytes_read for failure */
608
buffer.size += (unsigned int)bytes_read;
612
/* If successful, use buffer to parse private key */
613
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
614
if(buffer.data != NULL){
616
gnutls_openpgp_privkey_t privkey = NULL;
617
ret = gnutls_openpgp_privkey_init(&privkey);
618
if(ret != GNUTLS_E_SUCCESS){
619
fprintf_plus(stderr, "Error initializing OpenPGP key"
620
" structure: %s", safer_gnutls_strerror(ret));
624
ret = gnutls_openpgp_privkey_import(privkey, &buffer,
625
GNUTLS_OPENPGP_FMT_BASE64,
627
if(ret != GNUTLS_E_SUCCESS){
628
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
629
safer_gnutls_strerror(ret));
635
/* Use private key to suggest an appropriate sec_param */
636
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
637
gnutls_openpgp_privkey_deinit(privkey);
639
fprintf_plus(stderr, "This OpenPGP key implies using a"
640
" GnuTLS security parameter \"%s\".\n",
641
safe_string(gnutls_sec_param_get_name
647
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
648
/* Err on the side of caution */
649
sec_param = GNUTLS_SEC_PARAM_ULTRA;
651
fprintf_plus(stderr, "Falling back to security parameter"
653
safe_string(gnutls_sec_param_get_name
658
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
662
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
663
" implies %u DH bits; using that.\n",
664
safe_string(gnutls_sec_param_get_name
669
fprintf_plus(stderr, "Failed to get implied number of DH"
670
" bits for security parameter \"%s\"): %s\n",
671
safe_string(gnutls_sec_param_get_name(sec_param)),
672
safer_gnutls_strerror(ret));
676
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
679
562
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
680
563
if(ret != GNUTLS_E_SUCCESS){
681
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u bits):"
682
" %s\n", mc->dh_bits, safer_gnutls_strerror(ret));
564
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
565
safer_gnutls_strerror(ret));
757
640
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
758
641
__attribute__((unused)) const char *txt){}
760
/* Set effective uid to 0, return errno */
761
__attribute__((warn_unused_result))
762
error_t raise_privileges(void){
763
error_t old_errno = errno;
764
error_t ret_errno = 0;
765
if(seteuid(0) == -1){
772
/* Set effective and real user ID to 0. Return errno. */
773
__attribute__((warn_unused_result))
774
error_t raise_privileges_permanently(void){
775
error_t old_errno = errno;
776
error_t ret_errno = raise_privileges();
788
/* Set effective user ID to unprivileged saved user ID */
789
__attribute__((warn_unused_result))
790
error_t lower_privileges(void){
791
error_t old_errno = errno;
792
error_t ret_errno = 0;
793
if(seteuid(uid) == -1){
800
/* Lower privileges permanently */
801
__attribute__((warn_unused_result))
802
error_t lower_privileges_permanently(void){
803
error_t old_errno = errno;
804
error_t ret_errno = 0;
805
if(setuid(uid) == -1){
812
/* Helper function to add_local_route() and delete_local_route() */
813
__attribute__((nonnull, warn_unused_result))
814
static bool add_delete_local_route(const bool add,
816
AvahiIfIndex if_index){
818
char helper[] = "mandos-client-iprouteadddel";
819
char add_arg[] = "add";
820
char delete_arg[] = "delete";
821
char debug_flag[] = "--debug";
822
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
823
if(pluginhelperdir == NULL){
825
fprintf_plus(stderr, "MANDOSPLUGINHELPERDIR environment"
826
" variable not set; cannot run helper\n");
831
char interface[IF_NAMESIZE];
832
if(if_indextoname((unsigned int)if_index, interface) == NULL){
833
perror_plus("if_indextoname");
837
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
839
perror_plus("open(\"/dev/null\", O_RDONLY)");
845
/* Raise privileges */
846
errno = raise_privileges_permanently();
848
perror_plus("Failed to raise privileges");
849
/* _exit(EX_NOPERM); */
855
perror_plus("setgid");
858
/* Reset supplementary groups */
860
ret = setgroups(0, NULL);
862
perror_plus("setgroups");
866
ret = dup2(devnull, STDIN_FILENO);
868
perror_plus("dup2(devnull, STDIN_FILENO)");
871
ret = (int)TEMP_FAILURE_RETRY(close(devnull));
873
perror_plus("close");
876
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
878
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
881
int helperdir_fd = (int)TEMP_FAILURE_RETRY(open(pluginhelperdir,
886
if(helperdir_fd == -1){
888
_exit(EX_UNAVAILABLE);
890
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
893
perror_plus("openat");
894
_exit(EX_UNAVAILABLE);
896
TEMP_FAILURE_RETRY(close(helperdir_fd));
898
#pragma GCC diagnostic push
899
#pragma GCC diagnostic ignored "-Wcast-qual"
901
if(fexecve(helper_fd, (char *const [])
902
{ helper, add ? add_arg : delete_arg, (char *)address,
903
interface, debug ? debug_flag : NULL, NULL },
906
#pragma GCC diagnostic pop
908
perror_plus("fexecve");
920
pret = waitpid(pid, &status, 0);
921
if(pret == -1 and errno == EINTR and quit_now){
922
int errno_raising = 0;
923
if((errno = raise_privileges()) != 0){
924
errno_raising = errno;
925
perror_plus("Failed to raise privileges in order to"
926
" kill helper program");
928
if(kill(pid, SIGTERM) == -1){
931
if((errno_raising == 0) and (errno = lower_privileges()) != 0){
932
perror_plus("Failed to lower privileges after killing"
937
} while(pret == -1 and errno == EINTR);
939
perror_plus("waitpid");
942
if(WIFEXITED(status)){
943
if(WEXITSTATUS(status) != 0){
944
fprintf_plus(stderr, "Error: iprouteadddel exited"
945
" with status %d\n", WEXITSTATUS(status));
950
if(WIFSIGNALED(status)){
951
fprintf_plus(stderr, "Error: iprouteadddel died by"
952
" signal %d\n", WTERMSIG(status));
955
fprintf_plus(stderr, "Error: iprouteadddel crashed\n");
959
__attribute__((nonnull, warn_unused_result))
960
static bool add_local_route(const char *address,
961
AvahiIfIndex if_index){
963
fprintf_plus(stderr, "Adding route to %s\n", address);
965
return add_delete_local_route(true, address, if_index);
968
__attribute__((nonnull, warn_unused_result))
969
static bool delete_local_route(const char *address,
970
AvahiIfIndex if_index){
972
fprintf_plus(stderr, "Removing route to %s\n", address);
974
return add_delete_local_route(false, address, if_index);
977
643
/* Called when a Mandos server is found */
978
644
__attribute__((nonnull, warn_unused_result))
979
645
static int start_mandos_communication(const char *ip, in_port_t port,
1149
814
goto mandos_end;
1154
ret = connect(tcp_sd, (struct sockaddr *)&to,
1155
sizeof(struct sockaddr_in6));
1157
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
1158
sizeof(struct sockaddr_in));
1161
if(errno == ENETUNREACH
1162
and if_index != AVAHI_IF_UNSPEC
1163
and connect_to == NULL
1164
and not route_added and
1165
((af == AF_INET6 and not
1166
IN6_IS_ADDR_LINKLOCAL(&(((struct sockaddr_in6 *)
1168
or (af == AF_INET and
1169
/* Not a a IPv4LL address */
1170
(ntohl(((struct sockaddr_in *)&to)->sin_addr.s_addr)
1171
& 0xFFFF0000L) != 0xA9FE0000L))){
1172
/* Work around Avahi bug - Avahi does not announce link-local
1173
addresses if it has a global address, so local hosts with
1174
*only* a link-local address (e.g. Mandos clients) cannot
1175
connect to a Mandos server announced by Avahi on a server
1176
host with a global address. Work around this by retrying
1177
with an explicit route added with the server's address.
1179
Avahi bug reference:
1180
http://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1181
https://bugs.debian.org/587961
1184
fprintf_plus(stderr, "Mandos server unreachable, trying"
1188
route_added = add_local_route(ip, if_index);
1194
if(errno != ECONNREFUSED or debug){
1196
perror_plus("connect");
818
ret = connect(tcp_sd, (struct sockaddr *)&to,
819
sizeof(struct sockaddr_in6));
821
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
822
sizeof(struct sockaddr_in));
825
if((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
827
perror_plus("connect");
1209
838
const char *out = mandos_protocol_version;
1454
/* Set effective uid to 0, return errno */
1455
__attribute__((warn_unused_result))
1456
error_t raise_privileges(void){
1457
error_t old_errno = errno;
1458
error_t ret_errno = 0;
1459
if(seteuid(0) == -1){
1466
/* Set effective and real user ID to 0. Return errno. */
1467
__attribute__((warn_unused_result))
1468
error_t raise_privileges_permanently(void){
1469
error_t old_errno = errno;
1470
error_t ret_errno = raise_privileges();
1475
if(setuid(0) == -1){
1482
/* Set effective user ID to unprivileged saved user ID */
1483
__attribute__((warn_unused_result))
1484
error_t lower_privileges(void){
1485
error_t old_errno = errno;
1486
error_t ret_errno = 0;
1487
if(seteuid(uid) == -1){
1494
/* Lower privileges permanently */
1495
__attribute__((warn_unused_result))
1496
error_t lower_privileges_permanently(void){
1497
error_t old_errno = errno;
1498
error_t ret_errno = 0;
1499
if(setuid(uid) == -1){
1832
1506
__attribute__((nonnull))
1833
1507
void run_network_hooks(const char *mode, const char *interface,
1834
1508
const float delay){
1835
1509
struct dirent **direntries = NULL;
1836
1510
if(hookdir_fd == -1){
1837
hookdir_fd = open(hookdir, O_RDONLY | O_DIRECTORY | O_PATH
1511
hookdir_fd = open(hookdir, O_RDONLY);
1839
1512
if(hookdir_fd == -1){
1840
1513
if(errno == ENOENT){