
Viewing changes to plugin-runner.c

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

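--- a/plugin-runner.c
+++ b/plugin-runner.c
@@ -827,7 +827,7 @@
           }
         }
       }
-      TEMP_FAILURE_RETRY(close(plugindir_fd));
+      close(plugindir_fd);
     }
   }
   
@@ -925,7 +925,7 @@
     ret = (int)TEMP_FAILURE_RETRY(fstat(plugin_fd, &st));
     if(ret == -1){
       error(0, errno, "stat");
-      TEMP_FAILURE_RETRY(close(plugin_fd));
+      close(plugin_fd);
       free(direntries[i]);
       continue;
     }
@@ -940,7 +940,7 @@
                 plugindir != NULL ? plugindir : PDIR,
                 direntries[i]->d_name);
       }
-      TEMP_FAILURE_RETRY(close(plugin_fd));
+      close(plugin_fd);
       free(direntries[i]);
       continue;
     }
@@ -948,7 +948,7 @@
     plugin *p = getplugin(direntries[i]->d_name);
     if(p == NULL){
       error(0, errno, "getplugin");
-      TEMP_FAILURE_RETRY(close(plugin_fd));
+      close(plugin_fd);
       free(direntries[i]);
       continue;
     }
@@ -957,7 +957,7 @@
         fprintf(stderr, "Ignoring disabled plugin \"%s\"\n",
                 direntries[i]->d_name);
       }
-      TEMP_FAILURE_RETRY(close(plugin_fd));
+      close(plugin_fd);
       free(direntries[i]);
       continue;
     }
@@ -1003,8 +1003,8 @@
     if(pipefd[0] >= FD_SETSIZE){
       fprintf(stderr, "pipe()[0] (%d) >= FD_SETSIZE (%d)", pipefd[0],
               FD_SETSIZE);
-      TEMP_FAILURE_RETRY(close(pipefd[0]));
-      TEMP_FAILURE_RETRY(close(pipefd[1]));
+      close(pipefd[0]);
+      close(pipefd[1]);
       exitstatus = EX_OSERR;
       free(direntries[i]);
       goto fallback;
@@ -1014,8 +1014,8 @@
     ret = set_cloexec_flag(pipefd[0]);
     if(ret < 0){
       error(0, errno, "set_cloexec_flag");
-      TEMP_FAILURE_RETRY(close(pipefd[0]));
-      TEMP_FAILURE_RETRY(close(pipefd[1]));
+      close(pipefd[0]);
+      close(pipefd[1]);
       exitstatus = EX_OSERR;
       free(direntries[i]);
       goto fallback;
@@ -1023,8 +1023,8 @@
     ret = set_cloexec_flag(pipefd[1]);
     if(ret < 0){
       error(0, errno, "set_cloexec_flag");
-      TEMP_FAILURE_RETRY(close(pipefd[0]));
-      TEMP_FAILURE_RETRY(close(pipefd[1]));
+      close(pipefd[0]);
+      close(pipefd[1]);
       exitstatus = EX_OSERR;
       free(direntries[i]);
       goto fallback;
@@ -1049,8 +1049,8 @@
       error(0, errno, "fork");
       TEMP_FAILURE_RETRY(sigprocmask(SIG_UNBLOCK,
                                      &sigchld_action.sa_mask, NULL));
-      TEMP_FAILURE_RETRY(close(pipefd[0]));
-      TEMP_FAILURE_RETRY(close(pipefd[1]));
+      close(pipefd[0]);
+      close(pipefd[1]);
       exitstatus = EX_OSERR;
       free(direntries[i]);
       goto fallback;
@@ -1084,9 +1084,8 @@
       /* no return */
     }
     /* Parent process */
-    TEMP_FAILURE_RETRY(close(pipefd[1])); /* Close unused write end of
-                                             pipe */
-    TEMP_FAILURE_RETRY(close(plugin_fd));
+    close(pipefd[1]);           /* Close unused write end of pipe */
+    close(plugin_fd);
     plugin *new_plugin = getplugin(direntries[i]->d_name);
     if(new_plugin == NULL){
       error(0, errno, "getplugin");
@@ -1138,7 +1137,7 @@
   
   free(direntries);
   direntries = NULL;
-  TEMP_FAILURE_RETRY(close(dir_fd));
+  close(dir_fd);
   dir_fd = -1;
   free_plugin(getplugin(NULL));
   
@@ -1342,7 +1341,7 @@
   free(direntries);
   
   if(dir_fd != -1){
-    TEMP_FAILURE_RETRY(close(dir_fd));
+    close(dir_fd);
   }
   
   /* Kill the processes */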
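Review bot: The reason for dropping TEMP_FAILURE_RETRY around every close() in this file is not recorded anywhere: the commit message covers only the GnuTLS priority-string change and does not list plugin-runner.c, and none of the replaced call sites (lines 830, 928, 943, 951, 960, 1006–1007, 1017–1018, 1026–1027, 1052–1053, 1087–1088, 1141 and 1345 on the new side) carries a comment. The change itself looks right for Linux, where the descriptor is released even when close() fails with EINTR, so a retry would at best return EBADF and at worst close a descriptor that another thread has meanwhile been handed; but a reader seeing bare close() next to the retained `TEMP_FAILURE_RETRY(fstat(...))` on line 925 and `TEMP_FAILURE_RETRY(sigprocmask(...))` on line 1050 will assume an oversight. I would add a one-line comment at the first site, `/* close() is never retried on EINTR: the fd is released anyway, and a retry could close a reused descriptor */`, and mention the file in the commit message. Note that the return value of close() was ignored before and still is, so a failure on these error paths stays invisible; that is pre-existing and not something this commit needs to fix.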