To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 777
- compare with another revision
- download diff
- download tarball
- view history from revision 777
- Committer: Teddy Hogeborn
- Date: 2015-07-20 03:03:33 UTC
- Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.
The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string. This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:
SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256
* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
(/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.
The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string. This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:
SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256
* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
(/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.
- files added:
- debian/upstream
- plugin-helpers
- files removed:
- debian/upstream-signing-key.pgp
- files modified:
- DBUS-API
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2013 Teddy Hogeborn
13
* Copyright © 2008-2013 Björn Påhlsson
12
* Copyright © 2008-2015 Teddy Hogeborn
13
* Copyright © 2008-2015 Björn Påhlsson
14
14
*
15
15
* This program is free software: you can redistribute it and/or
16
16
* modify it under the terms of the GNU General Public License as
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#ifndef _LARGEFILE_SOURCE
34
34
#define _LARGEFILE_SOURCE
35
#endif
35
#endif /* not _LARGEFILE_SOURCE */
36
36
#ifndef _FILE_OFFSET_BITS
37
37
#define _FILE_OFFSET_BITS 64
38
#endif
38
#endif /* not _FILE_OFFSET_BITS */
39
39
40
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
41
42
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
43
stdout, ferror() */
44
44
#include <stdint.h> /* uint16_t, uint32_t, intptr_t */
45
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
47
strtof(), abort() */
48
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
49
#include <string.h> /* strcmp(), strlen(), strerror(),
50
asprintf(), strcpy() */
51
51
#include <sys/ioctl.h> /* ioctl */
52
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
53
sockaddr_in6, PF_INET6,
55
55
opendir(), DIR */
56
56
#include <sys/stat.h> /* open(), S_ISREG */
57
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
58
inet_pton(), connect(),
59
getnameinfo() */
60
#include <fcntl.h> /* open(), unlinkat() */
60
61
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
62
*/
62
63
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
72
73
*/
73
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
75
getuid(), getgid(), seteuid(),
75
setgid(), pause(), _exit() */
76
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
76
setgid(), pause(), _exit(),
77
unlinkat() */
78
#include <arpa/inet.h> /* inet_pton(), htons() */
77
79
#include <iso646.h> /* not, or, and */
78
80
#include <argp.h> /* struct argp_option, error_t, struct
79
81
argp_state, struct argp,
91
93
argz_delete(), argz_append(),
92
94
argz_stringify(), argz_add(),
93
95
argz_count() */
96
#include <netdb.h> /* getnameinfo(), NI_NUMERICHOST,
97
EAI_SYSTEM, gai_strerror() */
94
98
95
99
#ifdef __linux__
96
100
#include <sys/klog.h> /* klogctl() */
138
142
static const char sys_class_net[] = "/sys/class/net";
139
143
char *connect_to = NULL;
140
144
const char *hookdir = HOOKDIR;
145
int hookdir_fd = -1;
141
146
uid_t uid = 65534;
142
147
gid_t gid = 65534;
143
148
180
185
perror(print_text);
181
186
}
182
187
183
__attribute__((format (gnu_printf, 2, 3)))
188
__attribute__((format (gnu_printf, 2, 3), nonnull))
184
189
int fprintf_plus(FILE *stream, const char *format, ...){
185
190
va_list ap;
186
191
va_start (ap, format);
195
200
* bytes. "buffer_capacity" is how much is currently allocated,
196
201
* "buffer_length" is how much is already used.
197
202
*/
203
__attribute__((nonnull, warn_unused_result))
198
204
size_t incbuffer(char **buffer, size_t buffer_length,
199
205
size_t buffer_capacity){
200
206
if(buffer_length + BUFFER_SIZE > buffer_capacity){
213
219
}
214
220
215
221
/* Add server to set of servers to retry periodically */
222
__attribute__((nonnull, warn_unused_result))
216
223
bool add_server(const char *ip, in_port_t port, AvahiIfIndex if_index,
217
224
int af, server **current_server){
218
225
int ret;
227
234
.af = af };
228
235
if(new_server->ip == NULL){
229
236
perror_plus("strdup");
237
free(new_server);
238
return false;
239
}
240
ret = clock_gettime(CLOCK_MONOTONIC, &(new_server->last_seen));
241
if(ret == -1){
242
perror_plus("clock_gettime");
243
#ifdef __GNUC__
244
#pragma GCC diagnostic push
245
#pragma GCC diagnostic ignored "-Wcast-qual"
246
#endif
247
free((char *)(new_server->ip));
248
#ifdef __GNUC__
249
#pragma GCC diagnostic pop
250
#endif
251
free(new_server);
230
252
return false;
231
253
}
232
254
/* Special case of first server */
234
256
new_server->next = new_server;
235
257
new_server->prev = new_server;
236
258
*current_server = new_server;
237
/* Place the new server last in the list */
238
259
} else {
260
/* Place the new server last in the list */
239
261
new_server->next = *current_server;
240
262
new_server->prev = (*current_server)->prev;
241
263
new_server->prev->next = new_server;
242
264
(*current_server)->prev = new_server;
243
265
}
244
ret = clock_gettime(CLOCK_MONOTONIC, &(*current_server)->last_seen);
245
if(ret == -1){
246
perror_plus("clock_gettime");
247
return false;
248
}
249
266
return true;
250
267
}
251
268
252
269
/*
253
270
* Initialize GPGME.
254
271
*/
255
static bool init_gpgme(const char *seckey, const char *pubkey,
256
const char *tempdir, mandos_context *mc){
272
__attribute__((nonnull, warn_unused_result))
273
static bool init_gpgme(const char * const seckey,
274
const char * const pubkey,
275
const char * const tempdir,
276
mandos_context *mc){
257
277
gpgme_error_t rc;
258
278
gpgme_engine_info_t engine_info;
259
279
260
280
/*
261
281
* Helper function to insert pub and seckey to the engine keyring.
262
282
*/
263
bool import_key(const char *filename){
283
bool import_key(const char * const filename){
264
284
int ret;
265
285
int fd;
266
286
gpgme_data_t pgp_data;
285
305
return false;
286
306
}
287
307
288
ret = (int)TEMP_FAILURE_RETRY(close(fd));
308
ret = close(fd);
289
309
if(ret == -1){
290
310
perror_plus("close");
291
311
}
347
367
* Decrypt OpenPGP data.
348
368
* Returns -1 on error
349
369
*/
370
__attribute__((nonnull, warn_unused_result))
350
371
static ssize_t pgp_packet_decrypt(const char *cryptotext,
351
372
size_t crypto_size,
352
373
char **plaintext,
472
493
return plaintext_length;
473
494
}
474
495
475
static const char * safer_gnutls_strerror(int value){
496
__attribute__((warn_unused_result, const))
497
static const char *safe_string(const char *str){
498
if(str == NULL)
499
return "(unknown)";
500
return str;
501
}
502
503
__attribute__((warn_unused_result))
504
static const char *safer_gnutls_strerror(int value){
476
505
const char *ret = gnutls_strerror(value);
477
if(ret == NULL)
478
ret = "(unknown)";
479
return ret;
506
return safe_string(ret);
480
507
}
481
508
482
509
/* GnuTLS log function callback */
510
__attribute__((nonnull))
483
511
static void debuggnutls(__attribute__((unused)) int level,
484
512
const char* string){
485
513
fprintf_plus(stderr, "GnuTLS: %s", string);
486
514
}
487
515
516
__attribute__((nonnull, warn_unused_result))
488
517
static int init_gnutls_global(const char *pubkeyfilename,
489
518
const char *seckeyfilename,
519
const char *dhparamsfilename,
490
520
mandos_context *mc){
491
521
int ret;
522
unsigned int uret;
492
523
493
524
if(debug){
494
525
fprintf_plus(stderr, "Initializing GnuTLS\n");
545
576
safer_gnutls_strerror(ret));
546
577
goto globalfail;
547
578
}
548
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
549
if(ret != GNUTLS_E_SUCCESS){
550
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
551
safer_gnutls_strerror(ret));
552
goto globalfail;
553
}
554
579
/* If a Diffie-Hellman parameters file was given, try to use it */
580
if(dhparamsfilename != NULL){
581
gnutls_datum_t params = { .data = NULL, .size = 0 };
582
do {
583
int dhpfile = open(dhparamsfilename, O_RDONLY);
584
if(dhpfile == -1){
585
perror_plus("open");
586
dhparamsfilename = NULL;
587
break;
588
}
589
size_t params_capacity = 0;
590
while(true){
591
params_capacity = incbuffer((char **)¶ms.data,
592
(size_t)params.size,
593
(size_t)params_capacity);
594
if(params_capacity == 0){
595
perror_plus("incbuffer");
596
free(params.data);
597
params.data = NULL;
598
dhparamsfilename = NULL;
599
break;
600
}
601
ssize_t bytes_read = read(dhpfile,
602
params.data + params.size,
603
BUFFER_SIZE);
604
/* EOF */
605
if(bytes_read == 0){
606
break;
607
}
608
/* check bytes_read for failure */
609
if(bytes_read < 0){
610
perror_plus("read");
611
free(params.data);
612
params.data = NULL;
613
dhparamsfilename = NULL;
614
break;
615
}
616
params.size += (unsigned int)bytes_read;
617
}
618
if(params.data == NULL){
619
dhparamsfilename = NULL;
620
}
621
if(dhparamsfilename == NULL){
622
break;
623
}
624
ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
625
GNUTLS_X509_FMT_PEM);
626
if(ret != GNUTLS_E_SUCCESS){
627
fprintf_plus(stderr, "Failed to parse DH parameters in file"
628
" \"%s\": %s\n", dhparamsfilename,
629
safer_gnutls_strerror(ret));
630
dhparamsfilename = NULL;
631
}
632
} while(false);
633
}
634
if(dhparamsfilename == NULL){
635
if(mc->dh_bits == 0){
636
/* Find out the optimal number of DH bits */
637
/* Try to read the private key file */
638
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
639
do {
640
int secfile = open(seckeyfilename, O_RDONLY);
641
if(secfile == -1){
642
perror_plus("open");
643
break;
644
}
645
size_t buffer_capacity = 0;
646
while(true){
647
buffer_capacity = incbuffer((char **)&buffer.data,
648
(size_t)buffer.size,
649
(size_t)buffer_capacity);
650
if(buffer_capacity == 0){
651
perror_plus("incbuffer");
652
free(buffer.data);
653
buffer.data = NULL;
654
break;
655
}
656
ssize_t bytes_read = read(secfile,
657
buffer.data + buffer.size,
658
BUFFER_SIZE);
659
/* EOF */
660
if(bytes_read == 0){
661
break;
662
}
663
/* check bytes_read for failure */
664
if(bytes_read < 0){
665
perror_plus("read");
666
free(buffer.data);
667
buffer.data = NULL;
668
break;
669
}
670
buffer.size += (unsigned int)bytes_read;
671
}
672
close(secfile);
673
} while(false);
674
/* If successful, use buffer to parse private key */
675
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
676
if(buffer.data != NULL){
677
{
678
gnutls_openpgp_privkey_t privkey = NULL;
679
ret = gnutls_openpgp_privkey_init(&privkey);
680
if(ret != GNUTLS_E_SUCCESS){
681
fprintf_plus(stderr, "Error initializing OpenPGP key"
682
" structure: %s",
683
safer_gnutls_strerror(ret));
684
free(buffer.data);
685
buffer.data = NULL;
686
} else {
687
ret = gnutls_openpgp_privkey_import
688
(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
689
if(ret != GNUTLS_E_SUCCESS){
690
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
691
safer_gnutls_strerror(ret));
692
privkey = NULL;
693
}
694
free(buffer.data);
695
buffer.data = NULL;
696
if(privkey != NULL){
697
/* Use private key to suggest an appropriate
698
sec_param */
699
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
700
gnutls_openpgp_privkey_deinit(privkey);
701
if(debug){
702
fprintf_plus(stderr, "This OpenPGP key implies using"
703
" a GnuTLS security parameter \"%s\".\n",
704
safe_string(gnutls_sec_param_get_name
705
(sec_param)));
706
}
707
}
708
}
709
}
710
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
711
/* Err on the side of caution */
712
sec_param = GNUTLS_SEC_PARAM_ULTRA;
713
if(debug){
714
fprintf_plus(stderr, "Falling back to security parameter"
715
" \"%s\"\n",
716
safe_string(gnutls_sec_param_get_name
717
(sec_param)));
718
}
719
}
720
}
721
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
722
if(uret != 0){
723
mc->dh_bits = uret;
724
if(debug){
725
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
726
" implies %u DH bits; using that.\n",
727
safe_string(gnutls_sec_param_get_name
728
(sec_param)),
729
mc->dh_bits);
730
}
731
} else {
732
fprintf_plus(stderr, "Failed to get implied number of DH"
733
" bits for security parameter \"%s\"): %s\n",
734
safe_string(gnutls_sec_param_get_name
735
(sec_param)),
736
safer_gnutls_strerror(ret));
737
goto globalfail;
738
}
739
} else if(debug){
740
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
741
mc->dh_bits);
742
}
743
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
744
if(ret != GNUTLS_E_SUCCESS){
745
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
746
" bits): %s\n", mc->dh_bits,
747
safer_gnutls_strerror(ret));
748
goto globalfail;
749
}
750
}
555
751
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
556
752
557
753
return 0;
564
760
return -1;
565
761
}
566
762
763
__attribute__((nonnull, warn_unused_result))
567
764
static int init_gnutls_session(gnutls_session_t *session,
568
765
mandos_context *mc){
569
766
int ret;
616
813
/* ignore client certificate if any. */
617
814
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
618
815
619
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
620
621
816
return 0;
622
817
}
623
818
625
820
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
626
821
__attribute__((unused)) const char *txt){}
627
822
823
/* Set effective uid to 0, return errno */
824
__attribute__((warn_unused_result))
825
error_t raise_privileges(void){
826
error_t old_errno = errno;
827
error_t ret_errno = 0;
828
if(seteuid(0) == -1){
829
ret_errno = errno;
830
}
831
errno = old_errno;
832
return ret_errno;
833
}
834
835
/* Set effective and real user ID to 0. Return errno. */
836
__attribute__((warn_unused_result))
837
error_t raise_privileges_permanently(void){
838
error_t old_errno = errno;
839
error_t ret_errno = raise_privileges();
840
if(ret_errno != 0){
841
errno = old_errno;
842
return ret_errno;
843
}
844
if(setuid(0) == -1){
845
ret_errno = errno;
846
}
847
errno = old_errno;
848
return ret_errno;
849
}
850
851
/* Set effective user ID to unprivileged saved user ID */
852
__attribute__((warn_unused_result))
853
error_t lower_privileges(void){
854
error_t old_errno = errno;
855
error_t ret_errno = 0;
856
if(seteuid(uid) == -1){
857
ret_errno = errno;
858
}
859
errno = old_errno;
860
return ret_errno;
861
}
862
863
/* Lower privileges permanently */
864
__attribute__((warn_unused_result))
865
error_t lower_privileges_permanently(void){
866
error_t old_errno = errno;
867
error_t ret_errno = 0;
868
if(setuid(uid) == -1){
869
ret_errno = errno;
870
}
871
errno = old_errno;
872
return ret_errno;
873
}
874
875
/* Helper function to add_local_route() and delete_local_route() */
876
__attribute__((nonnull, warn_unused_result))
877
static bool add_delete_local_route(const bool add,
878
const char *address,
879
AvahiIfIndex if_index){
880
int ret;
881
char helper[] = "mandos-client-iprouteadddel";
882
char add_arg[] = "add";
883
char delete_arg[] = "delete";
884
char debug_flag[] = "--debug";
885
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
886
if(pluginhelperdir == NULL){
887
if(debug){
888
fprintf_plus(stderr, "MANDOSPLUGINHELPERDIR environment"
889
" variable not set; cannot run helper\n");
890
}
891
return false;
892
}
893
894
char interface[IF_NAMESIZE];
895
if(if_indextoname((unsigned int)if_index, interface) == NULL){
896
perror_plus("if_indextoname");
897
return false;
898
}
899
900
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
901
if(devnull == -1){
902
perror_plus("open(\"/dev/null\", O_RDONLY)");
903
return false;
904
}
905
pid_t pid = fork();
906
if(pid == 0){
907
/* Child */
908
/* Raise privileges */
909
errno = raise_privileges_permanently();
910
if(errno != 0){
911
perror_plus("Failed to raise privileges");
912
/* _exit(EX_NOPERM); */
913
} else {
914
/* Set group */
915
errno = 0;
916
ret = setgid(0);
917
if(ret == -1){
918
perror_plus("setgid");
919
_exit(EX_NOPERM);
920
}
921
/* Reset supplementary groups */
922
errno = 0;
923
ret = setgroups(0, NULL);
924
if(ret == -1){
925
perror_plus("setgroups");
926
_exit(EX_NOPERM);
927
}
928
}
929
ret = dup2(devnull, STDIN_FILENO);
930
if(ret == -1){
931
perror_plus("dup2(devnull, STDIN_FILENO)");
932
_exit(EX_OSERR);
933
}
934
ret = close(devnull);
935
if(ret == -1){
936
perror_plus("close");
937
_exit(EX_OSERR);
938
}
939
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
940
if(ret == -1){
941
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
942
_exit(EX_OSERR);
943
}
944
int helperdir_fd = (int)TEMP_FAILURE_RETRY(open(pluginhelperdir,
945
O_RDONLY
946
| O_DIRECTORY
947
| O_PATH
948
| O_CLOEXEC));
949
if(helperdir_fd == -1){
950
perror_plus("open");
951
_exit(EX_UNAVAILABLE);
952
}
953
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
954
helper, O_RDONLY));
955
if(helper_fd == -1){
956
perror_plus("openat");
957
close(helperdir_fd);
958
_exit(EX_UNAVAILABLE);
959
}
960
close(helperdir_fd);
961
#ifdef __GNUC__
962
#pragma GCC diagnostic push
963
#pragma GCC diagnostic ignored "-Wcast-qual"
964
#endif
965
if(fexecve(helper_fd, (char *const [])
966
{ helper, add ? add_arg : delete_arg, (char *)address,
967
interface, debug ? debug_flag : NULL, NULL },
968
environ) == -1){
969
#ifdef __GNUC__
970
#pragma GCC diagnostic pop
971
#endif
972
perror_plus("fexecve");
973
_exit(EXIT_FAILURE);
974
}
975
}
976
if(pid == -1){
977
perror_plus("fork");
978
return false;
979
}
980
int status;
981
pid_t pret = -1;
982
errno = 0;
983
do {
984
pret = waitpid(pid, &status, 0);
985
if(pret == -1 and errno == EINTR and quit_now){
986
int errno_raising = 0;
987
if((errno = raise_privileges()) != 0){
988
errno_raising = errno;
989
perror_plus("Failed to raise privileges in order to"
990
" kill helper program");
991
}
992
if(kill(pid, SIGTERM) == -1){
993
perror_plus("kill");
994
}
995
if((errno_raising == 0) and (errno = lower_privileges()) != 0){
996
perror_plus("Failed to lower privileges after killing"
997
" helper program");
998
}
999
return false;
1000
}
1001
} while(pret == -1 and errno == EINTR);
1002
if(pret == -1){
1003
perror_plus("waitpid");
1004
return false;
1005
}
1006
if(WIFEXITED(status)){
1007
if(WEXITSTATUS(status) != 0){
1008
fprintf_plus(stderr, "Error: iprouteadddel exited"
1009
" with status %d\n", WEXITSTATUS(status));
1010
return false;
1011
}
1012
return true;
1013
}
1014
if(WIFSIGNALED(status)){
1015
fprintf_plus(stderr, "Error: iprouteadddel died by"
1016
" signal %d\n", WTERMSIG(status));
1017
return false;
1018
}
1019
fprintf_plus(stderr, "Error: iprouteadddel crashed\n");
1020
return false;
1021
}
1022
1023
__attribute__((nonnull, warn_unused_result))
1024
static bool add_local_route(const char *address,
1025
AvahiIfIndex if_index){
1026
if(debug){
1027
fprintf_plus(stderr, "Adding route to %s\n", address);
1028
}
1029
return add_delete_local_route(true, address, if_index);
1030
}
1031
1032
__attribute__((nonnull, warn_unused_result))
1033
static bool delete_local_route(const char *address,
1034
AvahiIfIndex if_index){
1035
if(debug){
1036
fprintf_plus(stderr, "Removing route to %s\n", address);
1037
}
1038
return add_delete_local_route(false, address, if_index);
1039
}
1040
628
1041
/* Called when a Mandos server is found */
1042
__attribute__((nonnull, warn_unused_result))
629
1043
static int start_mandos_communication(const char *ip, in_port_t port,
630
1044
AvahiIfIndex if_index,
631
1045
int af, mandos_context *mc){
632
1046
int ret, tcp_sd = -1;
633
1047
ssize_t sret;
634
union {
635
struct sockaddr_in in;
636
struct sockaddr_in6 in6;
637
} to;
1048
struct sockaddr_storage to;
638
1049
char *buffer = NULL;
639
1050
char *decrypted_buffer = NULL;
640
1051
size_t buffer_length = 0;
643
1054
int retval = -1;
644
1055
gnutls_session_t session;
645
1056
int pf; /* Protocol family */
1057
bool route_added = false;
646
1058
647
1059
errno = 0;
648
1060
706
1118
PRIuMAX "\n", ip, (uintmax_t)port);
707
1119
}
708
1120
709
tcp_sd = socket(pf, SOCK_STREAM, 0);
1121
tcp_sd = socket(pf, SOCK_STREAM | SOCK_CLOEXEC, 0);
710
1122
if(tcp_sd < 0){
711
1123
int e = errno;
712
1124
perror_plus("socket");
719
1131
goto mandos_end;
720
1132
}
721
1133
722
memset(&to, 0, sizeof(to));
723
1134
if(af == AF_INET6){
724
to.in6.sin6_family = (sa_family_t)af;
725
ret = inet_pton(af, ip, &to.in6.sin6_addr);
1135
struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;
1136
*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };
1137
ret = inet_pton(af, ip, &to6->sin6_addr);
726
1138
} else { /* IPv4 */
727
to.in.sin_family = (sa_family_t)af;
728
ret = inet_pton(af, ip, &to.in.sin_addr);
1139
struct sockaddr_in *to4 = (struct sockaddr_in *)&to;
1140
*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };
1141
ret = inet_pton(af, ip, &to4->sin_addr);
729
1142
}
730
1143
if(ret < 0 ){
731
1144
int e = errno;
740
1153
goto mandos_end;
741
1154
}
742
1155
if(af == AF_INET6){
743
to.in6.sin6_port = htons(port);
744
#ifdef __GNUC__
745
#pragma GCC diagnostic push
746
#pragma GCC diagnostic ignored "-Wstrict-aliasing"
747
#endif
748
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
749
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower */
750
#ifdef __GNUC__
751
#pragma GCC diagnostic pop
752
#endif
1156
((struct sockaddr_in6 *)&to)->sin6_port = htons(port);
1157
if(IN6_IS_ADDR_LINKLOCAL
1158
(&((struct sockaddr_in6 *)&to)->sin6_addr)){
753
1159
if(if_index == AVAHI_IF_UNSPEC){
754
1160
fprintf_plus(stderr, "An IPv6 link-local address is"
755
1161
" incomplete without a network interface\n");
757
1163
goto mandos_end;
758
1164
}
759
1165
/* Set the network interface number as scope */
760
to.in6.sin6_scope_id = (uint32_t)if_index;
1166
((struct sockaddr_in6 *)&to)->sin6_scope_id = (uint32_t)if_index;
761
1167
}
762
1168
} else {
763
to.in.sin_port = htons(port);
1169
((struct sockaddr_in *)&to)->sin_port = htons(port);
764
1170
}
765
1171
766
1172
if(quit_now){
783
1189
}
784
1190
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
785
1191
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
786
const char *pcret;
787
if(af == AF_INET6){
788
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
789
sizeof(addrstr));
790
} else {
791
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
792
sizeof(addrstr));
793
}
794
if(pcret == NULL){
795
perror_plus("inet_ntop");
796
} else {
797
if(strcmp(addrstr, ip) != 0){
798
fprintf_plus(stderr, "Canonical address form: %s\n", addrstr);
799
}
800
}
801
}
802
803
if(quit_now){
804
errno = EINTR;
805
goto mandos_end;
806
}
807
808
if(af == AF_INET6){
809
ret = connect(tcp_sd, &to.in6, sizeof(to));
810
} else {
811
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
812
}
813
if(ret < 0){
814
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
815
int e = errno;
816
perror_plus("connect");
817
errno = e;
818
}
819
goto mandos_end;
820
}
821
822
if(quit_now){
823
errno = EINTR;
824
goto mandos_end;
1192
if(af == AF_INET6){
1193
ret = getnameinfo((struct sockaddr *)&to,
1194
sizeof(struct sockaddr_in6),
1195
addrstr, sizeof(addrstr), NULL, 0,
1196
NI_NUMERICHOST);
1197
} else {
1198
ret = getnameinfo((struct sockaddr *)&to,
1199
sizeof(struct sockaddr_in),
1200
addrstr, sizeof(addrstr), NULL, 0,
1201
NI_NUMERICHOST);
1202
}
1203
if(ret == EAI_SYSTEM){
1204
perror_plus("getnameinfo");
1205
} else if(ret != 0) {
1206
fprintf_plus(stderr, "getnameinfo: %s", gai_strerror(ret));
1207
} else if(strcmp(addrstr, ip) != 0){
1208
fprintf_plus(stderr, "Canonical address form: %s\n", addrstr);
1209
}
1210
}
1211
1212
if(quit_now){
1213
errno = EINTR;
1214
goto mandos_end;
1215
}
1216
1217
while(true){
1218
if(af == AF_INET6){
1219
ret = connect(tcp_sd, (struct sockaddr *)&to,
1220
sizeof(struct sockaddr_in6));
1221
} else {
1222
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
1223
sizeof(struct sockaddr_in));
1224
}
1225
if(ret < 0){
1226
if(errno == ENETUNREACH
1227
and if_index != AVAHI_IF_UNSPEC
1228
and connect_to == NULL
1229
and not route_added and
1230
((af == AF_INET6 and not
1231
IN6_IS_ADDR_LINKLOCAL(&(((struct sockaddr_in6 *)
1232
&to)->sin6_addr)))
1233
or (af == AF_INET and
1234
/* Not a a IPv4LL address */
1235
(ntohl(((struct sockaddr_in *)&to)->sin_addr.s_addr)
1236
& 0xFFFF0000L) != 0xA9FE0000L))){
1237
/* Work around Avahi bug - Avahi does not announce link-local
1238
addresses if it has a global address, so local hosts with
1239
*only* a link-local address (e.g. Mandos clients) cannot
1240
connect to a Mandos server announced by Avahi on a server
1241
host with a global address. Work around this by retrying
1242
with an explicit route added with the server's address.
1243
1244
Avahi bug reference:
1245
http://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1246
https://bugs.debian.org/587961
1247
*/
1248
if(debug){
1249
fprintf_plus(stderr, "Mandos server unreachable, trying"
1250
" direct route\n");
1251
}
1252
int e = errno;
1253
route_added = add_local_route(ip, if_index);
1254
if(route_added){
1255
continue;
1256
}
1257
errno = e;
1258
}
1259
if(errno != ECONNREFUSED or debug){
1260
int e = errno;
1261
perror_plus("connect");
1262
errno = e;
1263
}
1264
goto mandos_end;
1265
}
1266
1267
if(quit_now){
1268
errno = EINTR;
1269
goto mandos_end;
1270
}
1271
break;
825
1272
}
826
1273
827
1274
const char *out = mandos_protocol_version;
1010
1457
1011
1458
mandos_end:
1012
1459
{
1460
if(route_added){
1461
if(not delete_local_route(ip, if_index)){
1462
fprintf_plus(stderr, "Failed to delete local route to %s on"
1463
" interface %d", ip, if_index);
1464
}
1465
}
1013
1466
int e = errno;
1014
1467
free(decrypted_buffer);
1015
1468
free(buffer);
1016
1469
if(tcp_sd >= 0){
1017
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
1470
ret = close(tcp_sd);
1018
1471
}
1019
1472
if(ret == -1){
1020
1473
if(e == 0){
1032
1485
return retval;
1033
1486
}
1034
1487
1488
__attribute__((nonnull))
1035
1489
static void resolve_callback(AvahiSServiceResolver *r,
1036
1490
AvahiIfIndex interface,
1037
1491
AvahiProtocol proto,
1045
1499
AVAHI_GCC_UNUSED AvahiStringList *txt,
1046
1500
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1047
1501
flags,
1048
void* mc){
1502
void *mc){
1049
1503
if(r == NULL){
1050
1504
return;
1051
1505
}
1054
1508
timed out */
1055
1509
1056
1510
if(quit_now){
1511
avahi_s_service_resolver_free(r);
1057
1512
return;
1058
1513
}
1059
1514
1104
1559
const char *domain,
1105
1560
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1106
1561
flags,
1107
void* mc){
1562
void *mc){
1108
1563
if(b == NULL){
1109
1564
return;
1110
1565
}
1170
1625
errno = old_errno;
1171
1626
}
1172
1627
1628
__attribute__((nonnull, warn_unused_result))
1173
1629
bool get_flags(const char *ifname, struct ifreq *ifr){
1174
1630
int ret;
1175
1631
error_t ret_errno;
1194
1650
return true;
1195
1651
}
1196
1652
1653
__attribute__((nonnull, warn_unused_result))
1197
1654
bool good_flags(const char *ifname, const struct ifreq *ifr){
1198
1655
1199
1656
/* Reject the loopback device */
1241
1698
* corresponds to an acceptable network device.
1242
1699
* (This function is passed to scandir(3) as a filter function.)
1243
1700
*/
1701
__attribute__((nonnull, warn_unused_result))
1244
1702
int good_interface(const struct dirent *if_entry){
1245
1703
if(if_entry->d_name[0] == '.'){
1246
1704
return 0;
1264
1722
/*
1265
1723
* This function determines if a network interface is up.
1266
1724
*/
1725
__attribute__((nonnull, warn_unused_result))
1267
1726
bool interface_is_up(const char *interface){
1268
1727
struct ifreq ifr;
1269
1728
if(not get_flags(interface, &ifr)){
1280
1739
/*
1281
1740
* This function determines if a network interface is running
1282
1741
*/
1742
__attribute__((nonnull, warn_unused_result))
1283
1743
bool interface_is_running(const char *interface){
1284
1744
struct ifreq ifr;
1285
1745
if(not get_flags(interface, &ifr)){
1293
1753
return (bool)(ifr.ifr_flags & IFF_RUNNING);
1294
1754
}
1295
1755
1756
__attribute__((nonnull, pure, warn_unused_result))
1296
1757
int notdotentries(const struct dirent *direntry){
1297
1758
/* Skip "." and ".." */
1298
1759
if(direntry->d_name[0] == '.'
1305
1766
}
1306
1767
1307
1768
/* Is this directory entry a runnable program? */
1769
__attribute__((nonnull, warn_unused_result))
1308
1770
int runnable_hook(const struct dirent *direntry){
1309
1771
int ret;
1310
1772
size_t sret;
1318
1780
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1319
1781
"abcdefghijklmnopqrstuvwxyz"
1320
1782
"0123456789"
1321
"_-");
1783
"_.-");
1322
1784
if((direntry->d_name)[sret] != '\0'){
1323
1785
/* Contains non-allowed characters */
1324
1786
if(debug){
1328
1790
return 0;
1329
1791
}
1330
1792
1331
char *fullname = NULL;
1332
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1333
if(ret < 0){
1334
perror_plus("asprintf");
1335
return 0;
1336
}
1337
1338
ret = stat(fullname, &st);
1793
ret = fstatat(hookdir_fd, direntry->d_name, &st, 0);
1339
1794
if(ret == -1){
1340
1795
if(debug){
1341
1796
perror_plus("Could not stat hook");
1365
1820
return 1;
1366
1821
}
1367
1822
1823
__attribute__((nonnull, warn_unused_result))
1368
1824
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval,
1369
1825
mandos_context *mc){
1370
1826
int ret;
1374
1830
1375
1831
while(true){
1376
1832
if(mc->current_server == NULL){
1377
if (debug){
1833
if(debug){
1378
1834
fprintf_plus(stderr, "Wait until first server is found."
1379
1835
" No timeout!\n");
1380
1836
}
1381
1837
ret = avahi_simple_poll_iterate(s, -1);
1382
1838
} else {
1383
if (debug){
1839
if(debug){
1384
1840
fprintf_plus(stderr, "Check current_server if we should run"
1385
1841
" it, or wait\n");
1386
1842
}
1403
1859
- ((intmax_t)waited_time.tv_sec * 1000))
1404
1860
- ((intmax_t)waited_time.tv_nsec / 1000000));
1405
1861
1406
if (debug){
1862
if(debug){
1407
1863
fprintf_plus(stderr, "Blocking for %" PRIdMAX " ms\n",
1408
1864
block_time);
1409
1865
}
1431
1887
ret = avahi_simple_poll_iterate(s, (int)block_time);
1432
1888
}
1433
1889
if(ret != 0){
1434
if (ret > 0 or errno != EINTR){
1890
if(ret > 0 or errno != EINTR){
1435
1891
return (ret != 1) ? ret : 0;
1436
1892
}
1437
1893
}
1438
1894
}
1439
1895
}
1440
1896
1441
/* Set effective uid to 0, return errno */
1442
error_t raise_privileges(void){
1443
error_t old_errno = errno;
1444
error_t ret_errno = 0;
1445
if(seteuid(0) == -1){
1446
ret_errno = errno;
1447
perror_plus("seteuid");
1448
}
1449
errno = old_errno;
1450
return ret_errno;
1451
}
1452
1453
/* Set effective and real user ID to 0. Return errno. */
1454
error_t raise_privileges_permanently(void){
1455
error_t old_errno = errno;
1456
error_t ret_errno = raise_privileges();
1457
if(ret_errno != 0){
1458
errno = old_errno;
1459
return ret_errno;
1460
}
1461
if(setuid(0) == -1){
1462
ret_errno = errno;
1463
perror_plus("seteuid");
1464
}
1465
errno = old_errno;
1466
return ret_errno;
1467
}
1468
1469
/* Set effective user ID to unprivileged saved user ID */
1470
error_t lower_privileges(void){
1471
error_t old_errno = errno;
1472
error_t ret_errno = 0;
1473
if(seteuid(uid) == -1){
1474
ret_errno = errno;
1475
perror_plus("seteuid");
1476
}
1477
errno = old_errno;
1478
return ret_errno;
1479
}
1480
1481
/* Lower privileges permanently */
1482
error_t lower_privileges_permanently(void){
1483
error_t old_errno = errno;
1484
error_t ret_errno = 0;
1485
if(setuid(uid) == -1){
1486
ret_errno = errno;
1487
perror_plus("setuid");
1488
}
1489
errno = old_errno;
1490
return ret_errno;
1491
}
1492
1493
bool run_network_hooks(const char *mode, const char *interface,
1897
__attribute__((nonnull))
1898
void run_network_hooks(const char *mode, const char *interface,
1494
1899
const float delay){
1495
struct dirent **direntries;
1496
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1497
alphasort);
1900
struct dirent **direntries = NULL;
1901
if(hookdir_fd == -1){
1902
hookdir_fd = open(hookdir, O_RDONLY | O_DIRECTORY | O_PATH
1903
| O_CLOEXEC);
1904
if(hookdir_fd == -1){
1905
if(errno == ENOENT){
1906
if(debug){
1907
fprintf_plus(stderr, "Network hook directory \"%s\" not"
1908
" found\n", hookdir);
1909
}
1910
} else {
1911
perror_plus("open");
1912
}
1913
return;
1914
}
1915
}
1916
#ifdef __GLIBC__
1917
#if __GLIBC_PREREQ(2, 15)
1918
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1919
runnable_hook, alphasort);
1920
#else /* not __GLIBC_PREREQ(2, 15) */
1921
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1922
alphasort);
1923
#endif /* not __GLIBC_PREREQ(2, 15) */
1924
#else /* not __GLIBC__ */
1925
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1926
alphasort);
1927
#endif /* not __GLIBC__ */
1498
1928
if(numhooks == -1){
1499
if(errno == ENOENT){
1500
if(debug){
1501
fprintf_plus(stderr, "Network hook directory \"%s\" not"
1502
" found\n", hookdir);
1503
}
1504
} else {
1505
perror_plus("scandir");
1929
perror_plus("scandir");
1930
return;
1931
}
1932
struct dirent *direntry;
1933
int ret;
1934
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
1935
if(devnull == -1){
1936
perror_plus("open(\"/dev/null\", O_RDONLY)");
1937
return;
1938
}
1939
for(int i = 0; i < numhooks; i++){
1940
direntry = direntries[i];
1941
if(debug){
1942
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1943
direntry->d_name);
1506
1944
}
1507
} else {
1508
struct dirent *direntry;
1509
int ret;
1510
int devnull = open("/dev/null", O_RDONLY);
1511
for(int i = 0; i < numhooks; i++){
1512
direntry = direntries[i];
1513
char *fullname = NULL;
1514
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1515
if(ret < 0){
1945
pid_t hook_pid = fork();
1946
if(hook_pid == 0){
1947
/* Child */
1948
/* Raise privileges */
1949
errno = raise_privileges_permanently();
1950
if(errno != 0){
1951
perror_plus("Failed to raise privileges");
1952
_exit(EX_NOPERM);
1953
}
1954
/* Set group */
1955
errno = 0;
1956
ret = setgid(0);
1957
if(ret == -1){
1958
perror_plus("setgid");
1959
_exit(EX_NOPERM);
1960
}
1961
/* Reset supplementary groups */
1962
errno = 0;
1963
ret = setgroups(0, NULL);
1964
if(ret == -1){
1965
perror_plus("setgroups");
1966
_exit(EX_NOPERM);
1967
}
1968
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1969
if(ret == -1){
1970
perror_plus("setenv");
1971
_exit(EX_OSERR);
1972
}
1973
ret = setenv("DEVICE", interface, 1);
1974
if(ret == -1){
1975
perror_plus("setenv");
1976
_exit(EX_OSERR);
1977
}
1978
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1979
if(ret == -1){
1980
perror_plus("setenv");
1981
_exit(EX_OSERR);
1982
}
1983
ret = setenv("MODE", mode, 1);
1984
if(ret == -1){
1985
perror_plus("setenv");
1986
_exit(EX_OSERR);
1987
}
1988
char *delaystring;
1989
ret = asprintf(&delaystring, "%f", (double)delay);
1990
if(ret == -1){
1516
1991
perror_plus("asprintf");
1517
continue;
1518
}
1519
if(debug){
1520
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1521
direntry->d_name);
1522
}
1523
pid_t hook_pid = fork();
1524
if(hook_pid == 0){
1525
/* Child */
1526
/* Raise privileges */
1527
raise_privileges_permanently();
1528
/* Set group */
1529
errno = 0;
1530
ret = setgid(0);
1531
if(ret == -1){
1532
perror_plus("setgid");
1533
}
1534
/* Reset supplementary groups */
1535
errno = 0;
1536
ret = setgroups(0, NULL);
1537
if(ret == -1){
1538
perror_plus("setgroups");
1539
}
1540
dup2(devnull, STDIN_FILENO);
1541
close(devnull);
1542
dup2(STDERR_FILENO, STDOUT_FILENO);
1543
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1544
if(ret == -1){
1545
perror_plus("setenv");
1546
_exit(EX_OSERR);
1547
}
1548
ret = setenv("DEVICE", interface, 1);
1549
if(ret == -1){
1550
perror_plus("setenv");
1551
_exit(EX_OSERR);
1552
}
1553
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1554
if(ret == -1){
1555
perror_plus("setenv");
1556
_exit(EX_OSERR);
1557
}
1558
ret = setenv("MODE", mode, 1);
1559
if(ret == -1){
1560
perror_plus("setenv");
1561
_exit(EX_OSERR);
1562
}
1563
char *delaystring;
1564
ret = asprintf(&delaystring, "%f", delay);
1565
if(ret == -1){
1566
perror_plus("asprintf");
1567
_exit(EX_OSERR);
1568
}
1569
ret = setenv("DELAY", delaystring, 1);
1570
if(ret == -1){
1571
free(delaystring);
1572
perror_plus("setenv");
1573
_exit(EX_OSERR);
1574
}
1992
_exit(EX_OSERR);
1993
}
1994
ret = setenv("DELAY", delaystring, 1);
1995
if(ret == -1){
1575
1996
free(delaystring);
1576
if(connect_to != NULL){
1577
ret = setenv("CONNECT", connect_to, 1);
1578
if(ret == -1){
1579
perror_plus("setenv");
1580
_exit(EX_OSERR);
1581
}
1582
}
1583
if(execl(fullname, direntry->d_name, mode, NULL) == -1){
1584
perror_plus("execl");
1585
_exit(EXIT_FAILURE);
1586
}
1997
perror_plus("setenv");
1998
_exit(EX_OSERR);
1999
}
2000
free(delaystring);
2001
if(connect_to != NULL){
2002
ret = setenv("CONNECT", connect_to, 1);
2003
if(ret == -1){
2004
perror_plus("setenv");
2005
_exit(EX_OSERR);
2006
}
2007
}
2008
int hook_fd = (int)TEMP_FAILURE_RETRY(openat(hookdir_fd,
2009
direntry->d_name,
2010
O_RDONLY));
2011
if(hook_fd == -1){
2012
perror_plus("openat");
2013
_exit(EXIT_FAILURE);
2014
}
2015
if(close(hookdir_fd) == -1){
2016
perror_plus("close");
2017
_exit(EXIT_FAILURE);
2018
}
2019
ret = dup2(devnull, STDIN_FILENO);
2020
if(ret == -1){
2021
perror_plus("dup2(devnull, STDIN_FILENO)");
2022
_exit(EX_OSERR);
2023
}
2024
ret = close(devnull);
2025
if(ret == -1){
2026
perror_plus("close");
2027
_exit(EX_OSERR);
2028
}
2029
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
2030
if(ret == -1){
2031
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
2032
_exit(EX_OSERR);
2033
}
2034
if(fexecve(hook_fd, (char *const []){ direntry->d_name, NULL },
2035
environ) == -1){
2036
perror_plus("fexecve");
2037
_exit(EXIT_FAILURE);
2038
}
2039
} else {
2040
if(hook_pid == -1){
2041
perror_plus("fork");
2042
free(direntry);
2043
continue;
2044
}
2045
int status;
2046
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
2047
perror_plus("waitpid");
2048
free(direntry);
2049
continue;
2050
}
2051
if(WIFEXITED(status)){
2052
if(WEXITSTATUS(status) != 0){
2053
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
2054
" with status %d\n", direntry->d_name,
2055
WEXITSTATUS(status));
2056
free(direntry);
2057
continue;
2058
}
2059
} else if(WIFSIGNALED(status)){
2060
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
2061
" signal %d\n", direntry->d_name,
2062
WTERMSIG(status));
2063
free(direntry);
2064
continue;
1587
2065
} else {
1588
int status;
1589
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1590
perror_plus("waitpid");
1591
free(fullname);
1592
continue;
1593
}
1594
if(WIFEXITED(status)){
1595
if(WEXITSTATUS(status) != 0){
1596
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1597
" with status %d\n", direntry->d_name,
1598
WEXITSTATUS(status));
1599
free(fullname);
1600
continue;
1601
}
1602
} else if(WIFSIGNALED(status)){
1603
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1604
" signal %d\n", direntry->d_name,
1605
WTERMSIG(status));
1606
free(fullname);
1607
continue;
1608
} else {
1609
fprintf_plus(stderr, "Warning: network hook \"%s\""
1610
" crashed\n", direntry->d_name);
1611
free(fullname);
1612
continue;
1613
}
1614
}
1615
free(fullname);
1616
if(debug){
1617
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1618
direntry->d_name);
1619
}
1620
}
1621
close(devnull);
1622
}
1623
return true;
2066
fprintf_plus(stderr, "Warning: network hook \"%s\""
2067
" crashed\n", direntry->d_name);
2068
free(direntry);
2069
continue;
2070
}
2071
}
2072
if(debug){
2073
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
2074
direntry->d_name);
2075
}
2076
free(direntry);
2077
}
2078
free(direntries);
2079
if(close(hookdir_fd) == -1){
2080
perror_plus("close");
2081
} else {
2082
hookdir_fd = -1;
2083
}
2084
close(devnull);
1624
2085
}
1625
2086
2087
__attribute__((nonnull, warn_unused_result))
1626
2088
error_t bring_up_interface(const char *const interface,
1627
2089
const float delay){
1628
int sd = -1;
1629
2090
error_t old_errno = errno;
1630
error_t ret_errno = 0;
1631
int ret, ret_setflags;
2091
int ret;
1632
2092
struct ifreq network;
1633
2093
unsigned int if_index = if_nametoindex(interface);
1634
2094
if(if_index == 0){
1643
2103
}
1644
2104
1645
2105
if(not interface_is_up(interface)){
1646
if(not get_flags(interface, &network) and debug){
2106
error_t ret_errno = 0, ioctl_errno = 0;
2107
if(not get_flags(interface, &network)){
1647
2108
ret_errno = errno;
1648
2109
fprintf_plus(stderr, "Failed to get flags for interface "
1649
2110
"\"%s\"\n", interface);
2111
errno = old_errno;
1650
2112
return ret_errno;
1651
2113
}
1652
network.ifr_flags |= IFF_UP;
2114
network.ifr_flags |= IFF_UP; /* set flag */
1653
2115
1654
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1655
if(sd < 0){
2116
int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
2117
if(sd == -1){
1656
2118
ret_errno = errno;
1657
2119
perror_plus("socket");
1658
2120
errno = old_errno;
1659
2121
return ret_errno;
1660
2122
}
1661
2123
1662
2124
if(quit_now){
1663
close(sd);
2125
ret = close(sd);
2126
if(ret == -1){
2127
perror_plus("close");
2128
}
1664
2129
errno = old_errno;
1665
2130
return EINTR;
1666
2131
}
1670
2135
interface);
1671
2136
}
1672
2137
1673
/* Raise priviliges */
1674
raise_privileges();
2138
/* Raise privileges */
2139
ret_errno = raise_privileges();
2140
if(ret_errno != 0){
2141
errno = ret_errno;
2142
perror_plus("Failed to raise privileges");
2143
}
1675
2144
1676
2145
#ifdef __linux__
1677
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1678
messages about the network interface to mess up the prompt */
1679
int ret_linux = klogctl(8, NULL, 5);
1680
bool restore_loglevel = true;
1681
if(ret_linux == -1){
1682
restore_loglevel = false;
1683
perror_plus("klogctl");
2146
int ret_linux;
2147
bool restore_loglevel = false;
2148
if(ret_errno == 0){
2149
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
2150
messages about the network interface to mess up the prompt */
2151
ret_linux = klogctl(8, NULL, 5);
2152
if(ret_linux == -1){
2153
perror_plus("klogctl");
2154
} else {
2155
restore_loglevel = true;
2156
}
1684
2157
}
1685
2158
#endif /* __linux__ */
1686
ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
1687
ret_errno = errno;
2159
int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
2160
ioctl_errno = errno;
1688
2161
#ifdef __linux__
1689
2162
if(restore_loglevel){
1690
2163
ret_linux = klogctl(7, NULL, 0);
1694
2167
}
1695
2168
#endif /* __linux__ */
1696
2169
1697
/* Lower privileges */
1698
lower_privileges();
2170
/* If raise_privileges() succeeded above */
2171
if(ret_errno == 0){
2172
/* Lower privileges */
2173
ret_errno = lower_privileges();
2174
if(ret_errno != 0){
2175
errno = ret_errno;
2176
perror_plus("Failed to lower privileges");
2177
}
2178
}
1699
2179
1700
2180
/* Close the socket */
1701
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2181
ret = close(sd);
1702
2182
if(ret == -1){
1703
2183
perror_plus("close");
1704
2184
}
1705
2185
1706
2186
if(ret_setflags == -1){
1707
errno = ret_errno;
2187
errno = ioctl_errno;
1708
2188
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1709
2189
errno = old_errno;
1710
return ret_errno;
2190
return ioctl_errno;
1711
2191
}
1712
2192
} else if(debug){
1713
2193
fprintf_plus(stderr, "Interface \"%s\" is already up; good\n",
1731
2211
return 0;
1732
2212
}
1733
2213
2214
__attribute__((nonnull, warn_unused_result))
1734
2215
error_t take_down_interface(const char *const interface){
1735
2216
error_t old_errno = errno;
1736
2217
struct ifreq network;
1741
2222
return ENXIO;
1742
2223
}
1743
2224
if(interface_is_up(interface)){
1744
error_t ret_errno = 0;
2225
error_t ret_errno = 0, ioctl_errno = 0;
1745
2226
if(not get_flags(interface, &network) and debug){
1746
2227
ret_errno = errno;
1747
2228
fprintf_plus(stderr, "Failed to get flags for interface "
1748
2229
"\"%s\"\n", interface);
2230
errno = old_errno;
1749
2231
return ret_errno;
1750
2232
}
1751
2233
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1752
2234
1753
2235
int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1754
if(sd < 0){
2236
if(sd == -1){
1755
2237
ret_errno = errno;
1756
2238
perror_plus("socket");
1757
2239
errno = old_errno;
1763
2245
interface);
1764
2246
}
1765
2247
1766
/* Raise priviliges */
1767
raise_privileges();
2248
/* Raise privileges */
2249
ret_errno = raise_privileges();
2250
if(ret_errno != 0){
2251
errno = ret_errno;
2252
perror_plus("Failed to raise privileges");
2253
}
1768
2254
1769
2255
int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
1770
ret_errno = errno;
2256
ioctl_errno = errno;
1771
2257
1772
/* Lower privileges */
1773
lower_privileges();
2258
/* If raise_privileges() succeeded above */
2259
if(ret_errno == 0){
2260
/* Lower privileges */
2261
ret_errno = lower_privileges();
2262
if(ret_errno != 0){
2263
errno = ret_errno;
2264
perror_plus("Failed to lower privileges");
2265
}
2266
}
1774
2267
1775
2268
/* Close the socket */
1776
int ret = (int)TEMP_FAILURE_RETRY(close(sd));
2269
int ret = close(sd);
1777
2270
if(ret == -1){
1778
2271
perror_plus("close");
1779
2272
}
1780
2273
1781
2274
if(ret_setflags == -1){
1782
errno = ret_errno;
2275
errno = ioctl_errno;
1783
2276
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
1784
2277
errno = old_errno;
1785
return ret_errno;
2278
return ioctl_errno;
1786
2279
}
1787
2280
} else if(debug){
1788
2281
fprintf_plus(stderr, "Interface \"%s\" is already down; odd\n",
1794
2287
}
1795
2288
1796
2289
int main(int argc, char *argv[]){
1797
mandos_context mc = { .server = NULL, .dh_bits = 1024,
1798
.priority = "SECURE256:!CTYPE-X.509:"
1799
"+CTYPE-OPENPGP", .current_server = NULL,
1800
.interfaces = NULL, .interfaces_size = 0 };
2290
mandos_context mc = { .server = NULL, .dh_bits = 0,
2291
.priority = "SECURE256:!CTYPE-X.509"
2292
":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
2293
.current_server = NULL, .interfaces = NULL,
2294
.interfaces_size = 0 };
1801
2295
AvahiSServiceBrowser *sb = NULL;
1802
2296
error_t ret_errno;
1803
2297
int ret;
1806
2300
int exitcode = EXIT_SUCCESS;
1807
2301
char *interfaces_to_take_down = NULL;
1808
2302
size_t interfaces_to_take_down_size = 0;
1809
char tempdir[] = "/tmp/mandosXXXXXX";
1810
bool tempdir_created = false;
2303
char run_tempdir[] = "/run/tmp/mandosXXXXXX";
2304
char old_tempdir[] = "/tmp/mandosXXXXXX";
2305
char *tempdir = NULL;
1811
2306
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1812
2307
const char *seckey = PATHDIR "/" SECKEY;
1813
2308
const char *pubkey = PATHDIR "/" PUBKEY;
2309
const char *dh_params_file = NULL;
1814
2310
char *interfaces_hooks = NULL;
1815
2311
1816
2312
bool gnutls_initialized = false;
1869
2365
.doc = "Bit length of the prime number used in the"
1870
2366
" Diffie-Hellman key exchange",
1871
2367
.group = 2 },
2368
{ .name = "dh-params", .key = 134,
2369
.arg = "FILE",
2370
.doc = "PEM-encoded PKCS#3 file with pre-generated parameters"
2371
" for the Diffie-Hellman key exchange",
2372
.group = 2 },
1872
2373
{ .name = "priority", .key = 130,
1873
2374
.arg = "STRING",
1874
2375
.doc = "GnuTLS priority string for the TLS handshake",
1929
2430
}
1930
2431
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1931
2432
break;
2433
case 134: /* --dh-params */
2434
dh_params_file = arg;
2435
break;
1932
2436
case 130: /* --priority */
1933
2437
mc.priority = arg;
1934
2438
break;
1990
2494
goto end;
1991
2495
}
1992
2496
}
1993
2497
1994
2498
{
1995
2499
/* Work around Debian bug #633582:
1996
2500
<http://bugs.debian.org/633582> */
1997
2501
1998
/* Re-raise priviliges */
1999
if(raise_privileges() == 0){
2502
/* Re-raise privileges */
2503
ret_errno = raise_privileges();
2504
if(ret_errno != 0){
2505
errno = ret_errno;
2506
perror_plus("Failed to raise privileges");
2507
} else {
2000
2508
struct stat st;
2001
2509
2002
2510
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
2016
2524
}
2017
2525
}
2018
2526
}
2019
TEMP_FAILURE_RETRY(close(seckey_fd));
2527
close(seckey_fd);
2020
2528
}
2021
2529
}
2022
2530
2023
2531
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
2024
2532
int pubkey_fd = open(pubkey, O_RDONLY);
2025
2533
if(pubkey_fd == -1){
2037
2545
}
2038
2546
}
2039
2547
}
2040
TEMP_FAILURE_RETRY(close(pubkey_fd));
2041
}
2042
}
2043
2548
close(pubkey_fd);
2549
}
2550
}
2551
2552
if(dh_params_file != NULL
2553
and strcmp(dh_params_file, PATHDIR "/dhparams.pem" ) == 0){
2554
int dhparams_fd = open(dh_params_file, O_RDONLY);
2555
if(dhparams_fd == -1){
2556
perror_plus("open");
2557
} else {
2558
ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));
2559
if(ret == -1){
2560
perror_plus("fstat");
2561
} else {
2562
if(S_ISREG(st.st_mode)
2563
and st.st_uid == 0 and st.st_gid == 0){
2564
ret = fchown(dhparams_fd, uid, gid);
2565
if(ret == -1){
2566
perror_plus("fchown");
2567
}
2568
}
2569
}
2570
close(dhparams_fd);
2571
}
2572
}
2573
2044
2574
/* Lower privileges */
2045
lower_privileges();
2575
ret_errno = lower_privileges();
2576
if(ret_errno != 0){
2577
errno = ret_errno;
2578
perror_plus("Failed to lower privileges");
2579
}
2046
2580
}
2047
2581
}
2048
2582
2074
2608
memcpy(interfaces_hooks, mc.interfaces, mc.interfaces_size);
2075
2609
argz_stringify(interfaces_hooks, mc.interfaces_size, (int)',');
2076
2610
}
2077
if(not run_network_hooks("start", interfaces_hooks != NULL ?
2078
interfaces_hooks : "", delay)){
2079
goto end;
2080
}
2611
run_network_hooks("start", interfaces_hooks != NULL ?
2612
interfaces_hooks : "", delay);
2081
2613
}
2082
2614
2083
2615
if(not debug){
2161
2693
2162
2694
/* If no interfaces were specified, make a list */
2163
2695
if(mc.interfaces == NULL){
2164
struct dirent **direntries;
2696
struct dirent **direntries = NULL;
2165
2697
/* Look for any good interfaces */
2166
2698
ret = scandir(sys_class_net, &direntries, good_interface,
2167
2699
alphasort);
2173
2705
if(ret_errno != 0){
2174
2706
errno = ret_errno;
2175
2707
perror_plus("argz_add");
2708
free(direntries[i]);
2176
2709
continue;
2177
2710
}
2178
2711
if(debug){
2179
2712
fprintf_plus(stderr, "Will use interface \"%s\"\n",
2180
2713
direntries[i]->d_name);
2181
2714
}
2715
free(direntries[i]);
2182
2716
}
2183
2717
free(direntries);
2184
2718
} else {
2185
free(direntries);
2719
if(ret == 0){
2720
free(direntries);
2721
}
2186
2722
fprintf_plus(stderr, "Could not find a network interface\n");
2187
2723
exitcode = EXIT_FAILURE;
2188
2724
goto end;
2211
2747
break;
2212
2748
}
2213
2749
bool interface_was_up = interface_is_up(interface);
2214
ret = bring_up_interface(interface, delay);
2750
errno = bring_up_interface(interface, delay);
2215
2751
if(not interface_was_up){
2216
if(ret != 0){
2217
errno = ret;
2218
perror_plus("Failed to bring up interface");
2752
if(errno != 0){
2753
fprintf_plus(stderr, "Failed to bring up interface \"%s\":"
2754
" %s\n", interface, strerror(errno));
2219
2755
} else {
2220
ret_errno = argz_add(&interfaces_to_take_down,
2221
&interfaces_to_take_down_size,
2222
interface);
2223
if(ret_errno != 0){
2224
errno = ret_errno;
2756
errno = argz_add(&interfaces_to_take_down,
2757
&interfaces_to_take_down_size,
2758
interface);
2759
if(errno != 0){
2225
2760
perror_plus("argz_add");
2226
2761
}
2227
2762
}
2245
2780
goto end;
2246
2781
}
2247
2782
2248
ret = init_gnutls_global(pubkey, seckey, &mc);
2783
ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
2249
2784
if(ret == -1){
2250
2785
fprintf_plus(stderr, "init_gnutls_global failed\n");
2251
2786
exitcode = EX_UNAVAILABLE;
2258
2793
goto end;
2259
2794
}
2260
2795
2261
if(mkdtemp(tempdir) == NULL){
2796
/* Try /run/tmp before /tmp */
2797
tempdir = mkdtemp(run_tempdir);
2798
if(tempdir == NULL and errno == ENOENT){
2799
if(debug){
2800
fprintf_plus(stderr, "Tempdir %s did not work, trying %s\n",
2801
run_tempdir, old_tempdir);
2802
}
2803
tempdir = mkdtemp(old_tempdir);
2804
}
2805
if(tempdir == NULL){
2262
2806
perror_plus("mkdtemp");
2263
2807
goto end;
2264
2808
}
2265
tempdir_created = true;
2266
2809
2267
2810
if(quit_now){
2268
2811
goto end;
2343
2886
sleep((unsigned int)retry_interval);
2344
2887
}
2345
2888
2346
if (not quit_now){
2889
if(not quit_now){
2347
2890
exitcode = EXIT_SUCCESS;
2348
2891
}
2349
2892
2404
2947
if(debug){
2405
2948
fprintf_plus(stderr, "Starting Avahi loop search\n");
2406
2949
}
2407
2950
2408
2951
ret = avahi_loop_with_timeout(simple_poll,
2409
2952
(int)(retry_interval * 1000), &mc);
2410
2953
if(debug){
2446
2989
mc.current_server->prev->next = NULL;
2447
2990
while(mc.current_server != NULL){
2448
2991
server *next = mc.current_server->next;
2992
#ifdef __GNUC__
2993
#pragma GCC diagnostic push
2994
#pragma GCC diagnostic ignored "-Wcast-qual"
2995
#endif
2996
free((char *)(mc.current_server->ip));
2997
#ifdef __GNUC__
2998
#pragma GCC diagnostic pop
2999
#endif
2449
3000
free(mc.current_server);
2450
3001
mc.current_server = next;
2451
3002
}
2452
3003
}
2453
3004
2454
/* Re-raise priviliges */
3005
/* Re-raise privileges */
2455
3006
{
2456
raise_privileges();
2457
2458
/* Run network hooks */
2459
run_network_hooks("stop", interfaces_hooks != NULL ?
2460
interfaces_hooks : "", delay);
2461
2462
/* Take down the network interfaces which were brought up */
2463
{
2464
char *interface = NULL;
2465
while((interface=argz_next(interfaces_to_take_down,
2466
interfaces_to_take_down_size,
2467
interface))){
2468
ret_errno = take_down_interface(interface);
2469
if(ret_errno != 0){
2470
errno = ret_errno;
2471
perror_plus("Failed to take down interface");
2472
}
2473
}
2474
if(debug and (interfaces_to_take_down == NULL)){
2475
fprintf_plus(stderr, "No interfaces needed to be taken"
2476
" down\n");
2477
}
2478
}
2479
2480
lower_privileges_permanently();
3007
ret_errno = raise_privileges();
3008
if(ret_errno != 0){
3009
errno = ret_errno;
3010
perror_plus("Failed to raise privileges");
3011
} else {
3012
3013
/* Run network hooks */
3014
run_network_hooks("stop", interfaces_hooks != NULL ?
3015
interfaces_hooks : "", delay);
3016
3017
/* Take down the network interfaces which were brought up */
3018
{
3019
char *interface = NULL;
3020
while((interface=argz_next(interfaces_to_take_down,
3021
interfaces_to_take_down_size,
3022
interface))){
3023
ret_errno = take_down_interface(interface);
3024
if(ret_errno != 0){
3025
errno = ret_errno;
3026
perror_plus("Failed to take down interface");
3027
}
3028
}
3029
if(debug and (interfaces_to_take_down == NULL)){
3030
fprintf_plus(stderr, "No interfaces needed to be taken"
3031
" down\n");
3032
}
3033
}
3034
}
3035
3036
ret_errno = lower_privileges_permanently();
3037
if(ret_errno != 0){
3038
errno = ret_errno;
3039
perror_plus("Failed to lower privileges permanently");
3040
}
2481
3041
}
2482
3042
2483
3043
free(interfaces_to_take_down);
2484
3044
free(interfaces_hooks);
2485
3045
2486
3046
/* Removes the GPGME temp directory and all files inside */
2487
if(tempdir_created){
3047
if(tempdir != NULL){
2488
3048
struct dirent **direntries = NULL;
2489
struct dirent *direntry = NULL;
2490
int numentries = scandir(tempdir, &direntries, notdotentries,
2491
alphasort);
2492
if (numentries > 0){
2493
for(int i = 0; i < numentries; i++){
2494
direntry = direntries[i];
2495
char *fullname = NULL;
2496
ret = asprintf(&fullname, "%s/%s", tempdir,
2497
direntry->d_name);
2498
if(ret < 0){
2499
perror_plus("asprintf");
2500
continue;
2501
}
2502
ret = remove(fullname);
2503
if(ret == -1){
2504
fprintf_plus(stderr, "remove(\"%s\"): %s\n", fullname,
2505
strerror(errno));
2506
}
2507
free(fullname);
3049
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY
3050
| O_NOFOLLOW
3051
| O_DIRECTORY
3052
| O_PATH));
3053
if(tempdir_fd == -1){
3054
perror_plus("open");
3055
} else {
3056
#ifdef __GLIBC__
3057
#if __GLIBC_PREREQ(2, 15)
3058
int numentries = scandirat(tempdir_fd, ".", &direntries,
3059
notdotentries, alphasort);
3060
#else /* not __GLIBC_PREREQ(2, 15) */
3061
int numentries = scandir(tempdir, &direntries, notdotentries,
3062
alphasort);
3063
#endif /* not __GLIBC_PREREQ(2, 15) */
3064
#else /* not __GLIBC__ */
3065
int numentries = scandir(tempdir, &direntries, notdotentries,
3066
alphasort);
3067
#endif /* not __GLIBC__ */
3068
if(numentries >= 0){
3069
for(int i = 0; i < numentries; i++){
3070
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
3071
if(ret == -1){
3072
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
3073
" \"%s\", 0): %s\n", tempdir,
3074
direntries[i]->d_name, strerror(errno));
3075
}
3076
free(direntries[i]);
3077
}
3078
3079
/* need to clean even if 0 because man page doesn't specify */
3080
free(direntries);
3081
if(numentries == -1){
3082
perror_plus("scandir");
3083
}
3084
ret = rmdir(tempdir);
3085
if(ret == -1 and errno != ENOENT){
3086
perror_plus("rmdir");
3087
}
2508
3088
}
2509
}
2510
2511
/* need to clean even if 0 because man page doesn't specify */
2512
free(direntries);
2513
if (numentries == -1){
2514
perror_plus("scandir");
2515
}
2516
ret = rmdir(tempdir);
2517
if(ret == -1 and errno != ENOENT){
2518
perror_plus("rmdir");
3089
close(tempdir_fd);
2519
3090
}
2520
3091
}
2521
3092
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0