9
9
* "browse_callback", and parts of "main".
11
11
* Everything else is
12
* Copyright © 2008-2018 Teddy Hogeborn
13
* Copyright © 2008-2018 Björn Påhlsson
15
* This file is part of Mandos.
17
* Mandos is free software: you can redistribute it and/or modify it
18
* under the terms of the GNU General Public License as published by
19
* the Free Software Foundation, either version 3 of the License, or
20
* (at your option) any later version.
22
* Mandos is distributed in the hope that it will be useful, but
12
* Copyright © 2008-2014 Teddy Hogeborn
13
* Copyright © 2008-2014 Björn Påhlsson
15
* This program is free software: you can redistribute it and/or
16
* modify it under the terms of the GNU General Public License as
17
* published by the Free Software Foundation, either version 3 of the
18
* License, or (at your option) any later version.
20
* This program is distributed in the hope that it will be useful, but
23
21
* WITHOUT ANY WARRANTY; without even the implied warranty of
24
22
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
25
23
* General Public License for more details.
27
25
* You should have received a copy of the GNU General Public License
28
* along with Mandos. If not, see <http://www.gnu.org/licenses/>.
26
* along with this program. If not, see
27
* <http://www.gnu.org/licenses/>.
30
29
* Contact the authors at <mandos@recompile.se>.
47
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
48
47
strtof(), abort() */
49
48
#include <stdbool.h> /* bool, false, true */
50
#include <string.h> /* strcmp(), strlen(), strerror(),
51
asprintf(), strncpy(), strsignal()
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
53
51
#include <sys/ioctl.h> /* ioctl */
54
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
55
53
sockaddr_in6, PF_INET6,
59
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
60
58
inet_pton(), connect(),
62
#include <fcntl.h> /* open(), unlinkat(), AT_REMOVEDIR */
60
#include <fcntl.h> /* open(), unlinkat() */
63
61
#include <dirent.h> /* opendir(), struct dirent, readdir()
65
63
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
67
#include <errno.h> /* perror(), errno, EINTR, EINVAL,
68
EAI_SYSTEM, ENETUNREACH,
69
EHOSTUNREACH, ECONNREFUSED, EPROTO,
70
EIO, ENOENT, ENXIO, ENOMEM, EISDIR,
65
#include <errno.h> /* perror(), errno,
72
66
program_invocation_short_name */
73
67
#include <time.h> /* nanosleep(), time(), sleep() */
74
68
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
420
407
if(result == NULL){
421
408
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
423
if(result->unsupported_algorithm != NULL) {
424
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
425
result->unsupported_algorithm);
427
fprintf_plus(stderr, "Wrong key usage: %s\n",
428
result->wrong_key_usage ? "Yes" : "No");
410
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
411
result->unsupported_algorithm);
412
fprintf_plus(stderr, "Wrong key usage: %u\n",
413
result->wrong_key_usage);
429
414
if(result->file_name != NULL){
430
415
fprintf_plus(stderr, "File name: %s\n", result->file_name);
521
501
fprintf_plus(stderr, "GnuTLS: %s", string);
524
__attribute__((nonnull(1, 2, 4), warn_unused_result))
504
__attribute__((nonnull, warn_unused_result))
525
505
static int init_gnutls_global(const char *pubkeyfilename,
526
506
const char *seckeyfilename,
527
const char *dhparamsfilename,
528
507
mandos_context *mc){
533
511
fprintf_plus(stderr, "Initializing GnuTLS\n");
514
ret = gnutls_global_init();
515
if(ret != GNUTLS_E_SUCCESS){
516
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
517
safer_gnutls_strerror(ret));
537
522
/* "Use a log level over 10 to enable all debugging options."
538
523
* - GnuTLS manual
576
562
safer_gnutls_strerror(ret));
579
/* If a Diffie-Hellman parameters file was given, try to use it */
580
if(dhparamsfilename != NULL){
581
gnutls_datum_t params = { .data = NULL, .size = 0 };
583
int dhpfile = open(dhparamsfilename, O_RDONLY);
586
dhparamsfilename = NULL;
589
size_t params_capacity = 0;
591
params_capacity = incbuffer((char **)¶ms.data,
593
(size_t)params_capacity);
594
if(params_capacity == 0){
595
perror_plus("incbuffer");
598
dhparamsfilename = NULL;
601
ssize_t bytes_read = read(dhpfile,
602
params.data + params.size,
608
/* check bytes_read for failure */
613
dhparamsfilename = NULL;
616
params.size += (unsigned int)bytes_read;
618
ret = close(dhpfile);
620
perror_plus("close");
622
if(params.data == NULL){
623
dhparamsfilename = NULL;
625
if(dhparamsfilename == NULL){
628
ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
629
GNUTLS_X509_FMT_PEM);
630
if(ret != GNUTLS_E_SUCCESS){
631
fprintf_plus(stderr, "Failed to parse DH parameters in file"
632
" \"%s\": %s\n", dhparamsfilename,
633
safer_gnutls_strerror(ret));
634
dhparamsfilename = NULL;
639
if(dhparamsfilename == NULL){
640
if(mc->dh_bits == 0){
641
/* Find out the optimal number of DH bits */
642
/* Try to read the private key file */
643
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
645
int secfile = open(seckeyfilename, O_RDONLY);
650
size_t buffer_capacity = 0;
652
buffer_capacity = incbuffer((char **)&buffer.data,
654
(size_t)buffer_capacity);
655
if(buffer_capacity == 0){
656
perror_plus("incbuffer");
661
ssize_t bytes_read = read(secfile,
662
buffer.data + buffer.size,
668
/* check bytes_read for failure */
675
buffer.size += (unsigned int)bytes_read;
679
/* If successful, use buffer to parse private key */
680
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
681
if(buffer.data != NULL){
683
gnutls_openpgp_privkey_t privkey = NULL;
684
ret = gnutls_openpgp_privkey_init(&privkey);
685
if(ret != GNUTLS_E_SUCCESS){
686
fprintf_plus(stderr, "Error initializing OpenPGP key"
688
safer_gnutls_strerror(ret));
692
ret = gnutls_openpgp_privkey_import
693
(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
694
if(ret != GNUTLS_E_SUCCESS){
695
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
696
safer_gnutls_strerror(ret));
702
/* Use private key to suggest an appropriate
704
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
705
gnutls_openpgp_privkey_deinit(privkey);
707
fprintf_plus(stderr, "This OpenPGP key implies using"
708
" a GnuTLS security parameter \"%s\".\n",
709
safe_string(gnutls_sec_param_get_name
715
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
716
/* Err on the side of caution */
717
sec_param = GNUTLS_SEC_PARAM_ULTRA;
719
fprintf_plus(stderr, "Falling back to security parameter"
721
safe_string(gnutls_sec_param_get_name
726
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
730
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
731
" implies %u DH bits; using that.\n",
732
safe_string(gnutls_sec_param_get_name
737
fprintf_plus(stderr, "Failed to get implied number of DH"
738
" bits for security parameter \"%s\"): %s\n",
739
safe_string(gnutls_sec_param_get_name
741
safer_gnutls_strerror(ret));
745
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
748
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
749
if(ret != GNUTLS_E_SUCCESS){
750
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
751
" bits): %s\n", mc->dh_bits,
752
safer_gnutls_strerror(ret));
565
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
566
if(ret != GNUTLS_E_SUCCESS){
567
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
568
safer_gnutls_strerror(ret));
756
572
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
824
643
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
825
644
__attribute__((unused)) const char *txt){}
827
/* Set effective uid to 0, return errno */
828
__attribute__((warn_unused_result))
829
int raise_privileges(void){
830
int old_errno = errno;
832
if(seteuid(0) == -1){
839
/* Set effective and real user ID to 0. Return errno. */
840
__attribute__((warn_unused_result))
841
int raise_privileges_permanently(void){
842
int old_errno = errno;
843
int ret = raise_privileges();
855
/* Set effective user ID to unprivileged saved user ID */
856
__attribute__((warn_unused_result))
857
int lower_privileges(void){
858
int old_errno = errno;
860
if(seteuid(uid) == -1){
867
/* Lower privileges permanently */
868
__attribute__((warn_unused_result))
869
int lower_privileges_permanently(void){
870
int old_errno = errno;
872
if(setuid(uid) == -1){
879
/* Helper function to add_local_route() and delete_local_route() */
880
__attribute__((nonnull, warn_unused_result))
881
static bool add_delete_local_route(const bool add,
883
AvahiIfIndex if_index){
885
char helper[] = "mandos-client-iprouteadddel";
886
char add_arg[] = "add";
887
char delete_arg[] = "delete";
888
char debug_flag[] = "--debug";
889
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
890
if(pluginhelperdir == NULL){
892
fprintf_plus(stderr, "MANDOSPLUGINHELPERDIR environment"
893
" variable not set; cannot run helper\n");
898
char interface[IF_NAMESIZE];
899
if(if_indextoname((unsigned int)if_index, interface) == NULL){
900
perror_plus("if_indextoname");
904
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
906
perror_plus("open(\"/dev/null\", O_RDONLY)");
912
/* Raise privileges */
913
errno = raise_privileges_permanently();
915
perror_plus("Failed to raise privileges");
916
/* _exit(EX_NOPERM); */
922
perror_plus("setgid");
925
/* Reset supplementary groups */
927
ret = setgroups(0, NULL);
929
perror_plus("setgroups");
933
ret = dup2(devnull, STDIN_FILENO);
935
perror_plus("dup2(devnull, STDIN_FILENO)");
938
ret = close(devnull);
940
perror_plus("close");
943
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
945
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
948
int helperdir_fd = (int)TEMP_FAILURE_RETRY(open(pluginhelperdir,
953
if(helperdir_fd == -1){
955
_exit(EX_UNAVAILABLE);
957
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
960
perror_plus("openat");
962
_exit(EX_UNAVAILABLE);
966
#pragma GCC diagnostic push
967
#pragma GCC diagnostic ignored "-Wcast-qual"
969
if(fexecve(helper_fd, (char *const [])
970
{ helper, add ? add_arg : delete_arg, (char *)address,
971
interface, debug ? debug_flag : NULL, NULL },
974
#pragma GCC diagnostic pop
976
perror_plus("fexecve");
988
pret = waitpid(pid, &status, 0);
989
if(pret == -1 and errno == EINTR and quit_now){
990
int errno_raising = 0;
991
if((errno = raise_privileges()) != 0){
992
errno_raising = errno;
993
perror_plus("Failed to raise privileges in order to"
994
" kill helper program");
996
if(kill(pid, SIGTERM) == -1){
999
if((errno_raising == 0) and (errno = lower_privileges()) != 0){
1000
perror_plus("Failed to lower privileges after killing"
1005
} while(pret == -1 and errno == EINTR);
1007
perror_plus("waitpid");
1010
if(WIFEXITED(status)){
1011
if(WEXITSTATUS(status) != 0){
1012
fprintf_plus(stderr, "Error: iprouteadddel exited"
1013
" with status %d\n", WEXITSTATUS(status));
1018
if(WIFSIGNALED(status)){
1019
fprintf_plus(stderr, "Error: iprouteadddel died by"
1020
" signal %d\n", WTERMSIG(status));
1023
fprintf_plus(stderr, "Error: iprouteadddel crashed\n");
1027
__attribute__((nonnull, warn_unused_result))
1028
static bool add_local_route(const char *address,
1029
AvahiIfIndex if_index){
1031
fprintf_plus(stderr, "Adding route to %s\n", address);
1033
return add_delete_local_route(true, address, if_index);
1036
__attribute__((nonnull, warn_unused_result))
1037
static bool delete_local_route(const char *address,
1038
AvahiIfIndex if_index){
1040
fprintf_plus(stderr, "Removing route to %s\n", address);
1042
return add_delete_local_route(false, address, if_index);
1045
646
/* Called when a Mandos server is found */
1046
647
__attribute__((nonnull, warn_unused_result))
1047
648
static int start_mandos_communication(const char *ip, in_port_t port,
1136
735
goto mandos_end;
738
memset(&to, 0, sizeof(to));
1139
739
if(af == AF_INET6){
1140
struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;
1141
*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };
1142
ret = inet_pton(af, ip, &to6->sin6_addr);
740
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
741
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
1143
742
} else { /* IPv4 */
1144
struct sockaddr_in *to4 = (struct sockaddr_in *)&to;
1145
*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };
1146
ret = inet_pton(af, ip, &to4->sin_addr);
743
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
744
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
1219
817
goto mandos_end;
1224
ret = connect(tcp_sd, (struct sockaddr *)&to,
1225
sizeof(struct sockaddr_in6));
1227
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
1228
sizeof(struct sockaddr_in));
1231
if(((errno == ENETUNREACH) or (errno == EHOSTUNREACH))
1232
and if_index != AVAHI_IF_UNSPEC
1233
and connect_to == NULL
1234
and not route_added and
1235
((af == AF_INET6 and not
1236
IN6_IS_ADDR_LINKLOCAL(&(((struct sockaddr_in6 *)
1238
or (af == AF_INET and
1239
/* Not a a IPv4LL address */
1240
(ntohl(((struct sockaddr_in *)&to)->sin_addr.s_addr)
1241
& 0xFFFF0000L) != 0xA9FE0000L))){
1242
/* Work around Avahi bug - Avahi does not announce link-local
1243
addresses if it has a global address, so local hosts with
1244
*only* a link-local address (e.g. Mandos clients) cannot
1245
connect to a Mandos server announced by Avahi on a server
1246
host with a global address. Work around this by retrying
1247
with an explicit route added with the server's address.
1249
Avahi bug reference:
1250
https://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1251
https://bugs.debian.org/587961
1254
fprintf_plus(stderr, "Mandos server unreachable, trying"
1258
route_added = add_local_route(ip, if_index);
1264
if(errno != ECONNREFUSED or debug){
1266
perror_plus("connect");
821
ret = connect(tcp_sd, (struct sockaddr *)&to,
822
sizeof(struct sockaddr_in6));
824
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
825
sizeof(struct sockaddr_in));
828
if((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
830
perror_plus("connect");
1279
841
const char *out = mandos_protocol_version;
1457
/* Set effective uid to 0, return errno */
1458
__attribute__((warn_unused_result))
1459
error_t raise_privileges(void){
1460
error_t old_errno = errno;
1461
error_t ret_errno = 0;
1462
if(seteuid(0) == -1){
1469
/* Set effective and real user ID to 0. Return errno. */
1470
__attribute__((warn_unused_result))
1471
error_t raise_privileges_permanently(void){
1472
error_t old_errno = errno;
1473
error_t ret_errno = raise_privileges();
1478
if(setuid(0) == -1){
1485
/* Set effective user ID to unprivileged saved user ID */
1486
__attribute__((warn_unused_result))
1487
error_t lower_privileges(void){
1488
error_t old_errno = errno;
1489
error_t ret_errno = 0;
1490
if(seteuid(uid) == -1){
1497
/* Lower privileges permanently */
1498
__attribute__((warn_unused_result))
1499
error_t lower_privileges_permanently(void){
1500
error_t old_errno = errno;
1501
error_t ret_errno = 0;
1502
if(setuid(uid) == -1){
1923
1509
__attribute__((nonnull))
1924
1510
void run_network_hooks(const char *mode, const char *interface,
1925
1511
const float delay){
1926
1512
struct dirent **direntries = NULL;
1927
1513
if(hookdir_fd == -1){
1928
hookdir_fd = open(hookdir, O_RDONLY | O_DIRECTORY | O_PATH
1514
hookdir_fd = open(hookdir, O_RDONLY);
1930
1515
if(hookdir_fd == -1){
1931
1516
if(errno == ENOENT){
1942
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
1944
perror_plus("open(\"/dev/null\", O_RDONLY)");
1528
#if __GLIBC_PREREQ(2, 15)
1947
1529
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1948
1530
runnable_hook, alphasort);
1531
#else /* not __GLIBC_PREREQ(2, 15) */
1532
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1534
#endif /* not __GLIBC_PREREQ(2, 15) */
1535
#else /* not __GLIBC__ */
1536
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1538
#endif /* not __GLIBC__ */
1949
1539
if(numhooks == -1){
1950
1540
perror_plus("scandir");
1954
1543
struct dirent *direntry;
1545
int devnull = open("/dev/null", O_RDONLY);
1956
1546
for(int i = 0; i < numhooks; i++){
1957
1547
direntry = direntries[i];
3067
2595
free(interfaces_to_take_down);
3068
2596
free(interfaces_hooks);
3070
void clean_dir_at(int base, const char * const dirname,
3072
struct dirent **direntries = NULL;
3074
int dir_fd = (int)TEMP_FAILURE_RETRY(openat(base, dirname,
3080
perror_plus("open");
3083
int numentries = scandirat(dir_fd, ".", &direntries,
3084
notdotentries, alphasort);
3085
if(numentries >= 0){
3086
for(int i = 0; i < numentries; i++){
3088
fprintf_plus(stderr, "Unlinking \"%s/%s\"\n",
3089
dirname, direntries[i]->d_name);
3091
dret = unlinkat(dir_fd, direntries[i]->d_name, 0);
3093
if(errno == EISDIR){
3094
dret = unlinkat(dir_fd, direntries[i]->d_name,
3097
if((dret == -1) and (errno == ENOTEMPTY)
3098
and (strcmp(direntries[i]->d_name, "private-keys-v1.d")
3099
== 0) and (level == 0)){
3100
/* Recurse only in this special case */
3101
clean_dir_at(dir_fd, direntries[i]->d_name, level+1);
3104
if((dret == -1) and (errno != ENOENT)){
3105
fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,
3106
direntries[i]->d_name, strerror(errno));
3109
free(direntries[i]);
3112
/* need to clean even if 0 because man page doesn't specify */
3114
dret = unlinkat(base, dirname, AT_REMOVEDIR);
3115
if(dret == -1 and errno != ENOENT){
3116
perror_plus("rmdir");
3119
perror_plus("scandirat");
3124
2598
/* Removes the GPGME temp directory and all files inside */
3125
2599
if(tempdir != NULL){
3126
clean_dir_at(-1, tempdir, 0);
2600
struct dirent **direntries = NULL;
2601
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY |
2603
if(tempdir_fd == -1){
2604
perror_plus("open");
2607
#if __GLIBC_PREREQ(2, 15)
2608
int numentries = scandirat(tempdir_fd, ".", &direntries,
2609
notdotentries, alphasort);
2610
#else /* not __GLIBC_PREREQ(2, 15) */
2611
int numentries = scandir(tempdir, &direntries, notdotentries,
2613
#endif /* not __GLIBC_PREREQ(2, 15) */
2614
#else /* not __GLIBC__ */
2615
int numentries = scandir(tempdir, &direntries, notdotentries,
2617
#endif /* not __GLIBC__ */
2618
if(numentries >= 0){
2619
for(int i = 0; i < numentries; i++){
2620
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
2622
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
2623
" \"%s\", 0): %s\n", tempdir,
2624
direntries[i]->d_name, strerror(errno));
2628
/* need to clean even if 0 because man page doesn't specify */
2630
if(numentries == -1){
2631
perror_plus("scandir");
2633
ret = rmdir(tempdir);
2634
if(ret == -1 and errno != ENOENT){
2635
perror_plus("rmdir");
2638
TEMP_FAILURE_RETRY(close(tempdir_fd));