/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.c

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

plugin-runner.c

#define BUFFER_SIZE 256

#define PDIR "/lib/mandos/plugins.d"

#define PHDIR "/lib/mandos/plugin-helpers"

#define AFILE "/conf/conf.d/mandos/plugin-runner.conf"

const char *argp_program_version = "plugin-runner " VERSION;

347

348

349

int main(int argc, char *argv[]){

349

350

char *plugindir = NULL;

351

char *pluginhelperdir = NULL;

350

352

char *argfile = NULL;

351

353

FILE *conffp;

352

354

struct dirent **direntries = NULL;

414

416

.doc = "Group ID the plugins will run as", .group = 3 },

415

417

{ .name = "debug", .key = 132,

416

418

.doc = "Debug mode", .group = 4 },

419

{ .name = "plugin-helper-dir", .key = 133,

420

.arg = "DIRECTORY",

421

.doc = "Specify a different plugin helper directory",

422

.group = 2 },

417

423

418

424

* These reproduce what we would get without ARGP_NO_HELP

419

425

545

551

case 132: /* --debug */

546

552

debug = true;

547

553

break;

554

case 133: /* --plugin-helper-dir */

555

free(pluginhelperdir);

556

pluginhelperdir = strdup(arg);

557

if(pluginhelperdir != NULL){

558

errno = 0;

559

}

560

break;

548

561

549

562

* These reproduce what we would get without ARGP_NO_HELP

550

563

601

614

case 130: /* --userid */

602

615

case 131: /* --groupid */

603

616

case 132: /* --debug */

617

case 133: /* --plugin-helper-dir */

604

618

case '?': /* --help */

605

619

case -3: /* --usage */

606

620

case 'V': /* --version */

761

775

goto fallback;

762

776

}

763

777

778

{

779

char *pluginhelperenv;

780

bool bret = true;

781

ret = asprintf(&pluginhelperenv, "MANDOSPLUGINHELPERDIR=%s",

782

pluginhelperdir != NULL ? pluginhelperdir : PHDIR);

783

if(ret != -1){

784

bret = add_environment(getplugin(NULL), pluginhelperenv, true);

785

}

786

if(ret == -1 or not bret){

787

error(0, errno, "Failed to set MANDOSPLUGINHELPERDIR"

788

" environment variable to \"%s\" for all plugins\n",

789

pluginhelperdir != NULL ? pluginhelperdir : PHDIR);

790

}

791

if(ret != -1){

792

free(pluginhelperenv);

793

}

794

}

795

764

796

if(debug){

765

797

for(plugin *p = plugin_list; p != NULL; p=p->next){

766

798

fprintf(stderr, "Plugin: %s has %d arguments\n",

795

827

}

796

828

}

797

829

}

798

TEMP_FAILURE_RETRY(close(plugindir_fd));

830

close(plugindir_fd);

799

831

}

800

832

}

801

833

893

925

ret = (int)TEMP_FAILURE_RETRY(fstat(plugin_fd, &st));

894

926

if(ret == -1){

895

927

error(0, errno, "stat");

896

TEMP_FAILURE_RETRY(close(plugin_fd));

928

close(plugin_fd);

897

929

free(direntries[i]);

898

930

continue;

899

931

}

908

940

plugindir != NULL ? plugindir : PDIR,

909

941

direntries[i]->d_name);

910

942

}

911

TEMP_FAILURE_RETRY(close(plugin_fd));

943

close(plugin_fd);

912

944

free(direntries[i]);

913

945

continue;

914

946

}

916

948

plugin *p = getplugin(direntries[i]->d_name);

917

949

if(p == NULL){

918

950

error(0, errno, "getplugin");

919

TEMP_FAILURE_RETRY(close(plugin_fd));

951

close(plugin_fd);

920

952

free(direntries[i]);

921

953

continue;

922

954

}

925

957

fprintf(stderr, "Ignoring disabled plugin \"%s\"\n",

926

958

direntries[i]->d_name);

927

959

}

928

TEMP_FAILURE_RETRY(close(plugin_fd));

960

close(plugin_fd);

929

961

free(direntries[i]);

930

962

continue;

931

963

}

971

1003

if(pipefd[0] >= FD_SETSIZE){

972

1004

fprintf(stderr, "pipe()[0] (%d) >= FD_SETSIZE (%d)", pipefd[0],

973

1005

FD_SETSIZE);

974

TEMP_FAILURE_RETRY(close(pipefd[0]));

975

TEMP_FAILURE_RETRY(close(pipefd[1]));

1006

close(pipefd[0]);

1007

close(pipefd[1]);

976

1008

exitstatus = EX_OSERR;

977

1009

free(direntries[i]);

978

1010

goto fallback;

982

1014

ret = set_cloexec_flag(pipefd[0]);

983

1015

if(ret < 0){

984

1016

error(0, errno, "set_cloexec_flag");

985

TEMP_FAILURE_RETRY(close(pipefd[0]));

986

TEMP_FAILURE_RETRY(close(pipefd[1]));

1017

close(pipefd[0]);

1018

close(pipefd[1]);

987

1019

exitstatus = EX_OSERR;

988

1020

free(direntries[i]);

989

1021

goto fallback;

991

1023

ret = set_cloexec_flag(pipefd[1]);

992

1024

if(ret < 0){

993

1025

error(0, errno, "set_cloexec_flag");

994

TEMP_FAILURE_RETRY(close(pipefd[0]));

995

TEMP_FAILURE_RETRY(close(pipefd[1]));

1026

close(pipefd[0]);

1027

close(pipefd[1]);

996

1028

exitstatus = EX_OSERR;

997

1029

free(direntries[i]);

998

1030

goto fallback;

1017

1049

error(0, errno, "fork");

1018

1050

TEMP_FAILURE_RETRY(sigprocmask(SIG_UNBLOCK,

1019

1051

&sigchld_action.sa_mask, NULL));

1020

TEMP_FAILURE_RETRY(close(pipefd[0]));

1021

TEMP_FAILURE_RETRY(close(pipefd[1]));

1052

close(pipefd[0]);

1053

close(pipefd[1]);

1022

1054

exitstatus = EX_OSERR;

1023

1055

free(direntries[i]);

1024

1056

goto fallback;

1052

1084

/* no return */

1053

1085

}

1054

1086

/* Parent process */

1055

TEMP_FAILURE_RETRY(close(pipefd[1])); /* Close unused write end of

1056

pipe */

1057

TEMP_FAILURE_RETRY(close(plugin_fd));

1087

close(pipefd[1]); /* Close unused write end of pipe */

1088

close(plugin_fd);

1058

1089

plugin *new_plugin = getplugin(direntries[i]->d_name);

1059

1090

if(new_plugin == NULL){

1060

1091

error(0, errno, "getplugin");

1106

1137

1107

1138

free(direntries);

1108

1139

direntries = NULL;

1109

TEMP_FAILURE_RETRY(close(dir_fd));

1140

close(dir_fd);

1110

1141

dir_fd = -1;

1111

1142

free_plugin(getplugin(NULL));

1112

1143

1310

1341

free(direntries);

1311

1342

1312

1343

if(dir_fd != -1){

1313

TEMP_FAILURE_RETRY(close(dir_fd));

1344

close(dir_fd);

1314

1345

}

1315

1346

1316

1347

/* Kill the processes */

1336

1367

free_plugin_list();

1337

1368

1338

1369

free(plugindir);

1370

free(pluginhelperdir);

1339

1371

free(argfile);

1340

1372

1341

1373

return exitstatus;

Older »