To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 850
- compare with another revision
- download diff
- download tarball
- view history from revision 850
- Committer: Teddy Hogeborn
- Date: 2016-06-03 17:27:03 UTC
- Revision ID: teddy@recompile.se-20160603172703-mc6tjor6rhq4xy74
mandos: Bug fix: Do multiprocessing cleanup correctly on exit
* mandos (main): Save module "multiprocessing" and open file "wnull"
as scope variables accessible by function cleanup(),
since the module and global variable may not be
accessible when the cleanup() function is run as
scheduled by atexit().
* mandos (main): Save module "multiprocessing" and open file "wnull"
as scope variables accessible by function cleanup(),
since the module and global variable may not be
accessible when the cleanup() function is run as
scheduled by atexit().
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2015 Teddy Hogeborn
13
* Copyright © 2008-2015 Björn Påhlsson
12
* Copyright © 2008-2016 Teddy Hogeborn
13
* Copyright © 2008-2016 Björn Påhlsson
14
14
*
15
15
* This program is free software: you can redistribute it and/or
16
16
* modify it under the terms of the GNU General Public License as
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
47
strtof(), abort() */
48
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
49
#include <string.h> /* strcmp(), strlen(), strerror(),
50
asprintf(), strncpy() */
51
51
#include <sys/ioctl.h> /* ioctl */
52
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
53
sockaddr_in6, PF_INET6,
57
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
58
inet_pton(), connect(),
59
59
getnameinfo() */
60
#include <fcntl.h> /* open(), unlinkat() */
60
#include <fcntl.h> /* open(), unlinkat(), AT_REMOVEDIR */
61
61
#include <dirent.h> /* opendir(), struct dirent, readdir()
62
62
*/
63
63
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
64
64
strtoimax() */
65
#include <errno.h> /* perror(), errno,
65
#include <errno.h> /* perror(), errno, EINTR, EINVAL,
66
EAI_SYSTEM, ENETUNREACH,
67
EHOSTUNREACH, ECONNREFUSED, EPROTO,
68
EIO, ENOENT, ENXIO, ENOMEM, EISDIR,
69
ENOTEMPTY,
66
70
program_invocation_short_name */
67
71
#include <time.h> /* nanosleep(), time(), sleep() */
68
72
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
305
309
return false;
306
310
}
307
311
308
ret = (int)TEMP_FAILURE_RETRY(close(fd));
312
ret = close(fd);
309
313
if(ret == -1){
310
314
perror_plus("close");
311
315
}
493
497
return plaintext_length;
494
498
}
495
499
500
__attribute__((warn_unused_result, const))
501
static const char *safe_string(const char *str){
502
if(str == NULL)
503
return "(unknown)";
504
return str;
505
}
506
496
507
__attribute__((warn_unused_result))
497
508
static const char *safer_gnutls_strerror(int value){
498
509
const char *ret = gnutls_strerror(value);
499
if(ret == NULL)
500
ret = "(unknown)";
501
return ret;
510
return safe_string(ret);
502
511
}
503
512
504
513
/* GnuTLS log function callback */
508
517
fprintf_plus(stderr, "GnuTLS: %s", string);
509
518
}
510
519
511
__attribute__((nonnull, warn_unused_result))
520
__attribute__((nonnull(1, 2, 4), warn_unused_result))
512
521
static int init_gnutls_global(const char *pubkeyfilename,
513
522
const char *seckeyfilename,
523
const char *dhparamsfilename,
514
524
mandos_context *mc){
515
525
int ret;
526
unsigned int uret;
516
527
517
528
if(debug){
518
529
fprintf_plus(stderr, "Initializing GnuTLS\n");
519
530
}
520
531
521
ret = gnutls_global_init();
522
if(ret != GNUTLS_E_SUCCESS){
523
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
524
safer_gnutls_strerror(ret));
525
return -1;
526
}
527
528
532
if(debug){
529
533
/* "Use a log level over 10 to enable all debugging options."
530
534
* - GnuTLS manual
538
542
if(ret != GNUTLS_E_SUCCESS){
539
543
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
540
544
safer_gnutls_strerror(ret));
541
gnutls_global_deinit();
542
545
return -1;
543
546
}
544
547
569
572
safer_gnutls_strerror(ret));
570
573
goto globalfail;
571
574
}
572
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
573
if(ret != GNUTLS_E_SUCCESS){
574
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
575
safer_gnutls_strerror(ret));
576
goto globalfail;
577
}
578
575
/* If a Diffie-Hellman parameters file was given, try to use it */
576
if(dhparamsfilename != NULL){
577
gnutls_datum_t params = { .data = NULL, .size = 0 };
578
do {
579
int dhpfile = open(dhparamsfilename, O_RDONLY);
580
if(dhpfile == -1){
581
perror_plus("open");
582
dhparamsfilename = NULL;
583
break;
584
}
585
size_t params_capacity = 0;
586
while(true){
587
params_capacity = incbuffer((char **)¶ms.data,
588
(size_t)params.size,
589
(size_t)params_capacity);
590
if(params_capacity == 0){
591
perror_plus("incbuffer");
592
free(params.data);
593
params.data = NULL;
594
dhparamsfilename = NULL;
595
break;
596
}
597
ssize_t bytes_read = read(dhpfile,
598
params.data + params.size,
599
BUFFER_SIZE);
600
/* EOF */
601
if(bytes_read == 0){
602
break;
603
}
604
/* check bytes_read for failure */
605
if(bytes_read < 0){
606
perror_plus("read");
607
free(params.data);
608
params.data = NULL;
609
dhparamsfilename = NULL;
610
break;
611
}
612
params.size += (unsigned int)bytes_read;
613
}
614
if(params.data == NULL){
615
dhparamsfilename = NULL;
616
}
617
if(dhparamsfilename == NULL){
618
break;
619
}
620
ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
621
GNUTLS_X509_FMT_PEM);
622
if(ret != GNUTLS_E_SUCCESS){
623
fprintf_plus(stderr, "Failed to parse DH parameters in file"
624
" \"%s\": %s\n", dhparamsfilename,
625
safer_gnutls_strerror(ret));
626
dhparamsfilename = NULL;
627
}
628
} while(false);
629
}
630
if(dhparamsfilename == NULL){
631
if(mc->dh_bits == 0){
632
/* Find out the optimal number of DH bits */
633
/* Try to read the private key file */
634
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
635
do {
636
int secfile = open(seckeyfilename, O_RDONLY);
637
if(secfile == -1){
638
perror_plus("open");
639
break;
640
}
641
size_t buffer_capacity = 0;
642
while(true){
643
buffer_capacity = incbuffer((char **)&buffer.data,
644
(size_t)buffer.size,
645
(size_t)buffer_capacity);
646
if(buffer_capacity == 0){
647
perror_plus("incbuffer");
648
free(buffer.data);
649
buffer.data = NULL;
650
break;
651
}
652
ssize_t bytes_read = read(secfile,
653
buffer.data + buffer.size,
654
BUFFER_SIZE);
655
/* EOF */
656
if(bytes_read == 0){
657
break;
658
}
659
/* check bytes_read for failure */
660
if(bytes_read < 0){
661
perror_plus("read");
662
free(buffer.data);
663
buffer.data = NULL;
664
break;
665
}
666
buffer.size += (unsigned int)bytes_read;
667
}
668
close(secfile);
669
} while(false);
670
/* If successful, use buffer to parse private key */
671
gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
672
if(buffer.data != NULL){
673
{
674
gnutls_openpgp_privkey_t privkey = NULL;
675
ret = gnutls_openpgp_privkey_init(&privkey);
676
if(ret != GNUTLS_E_SUCCESS){
677
fprintf_plus(stderr, "Error initializing OpenPGP key"
678
" structure: %s",
679
safer_gnutls_strerror(ret));
680
free(buffer.data);
681
buffer.data = NULL;
682
} else {
683
ret = gnutls_openpgp_privkey_import
684
(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
685
if(ret != GNUTLS_E_SUCCESS){
686
fprintf_plus(stderr, "Error importing OpenPGP key : %s",
687
safer_gnutls_strerror(ret));
688
privkey = NULL;
689
}
690
free(buffer.data);
691
buffer.data = NULL;
692
if(privkey != NULL){
693
/* Use private key to suggest an appropriate
694
sec_param */
695
sec_param = gnutls_openpgp_privkey_sec_param(privkey);
696
gnutls_openpgp_privkey_deinit(privkey);
697
if(debug){
698
fprintf_plus(stderr, "This OpenPGP key implies using"
699
" a GnuTLS security parameter \"%s\".\n",
700
safe_string(gnutls_sec_param_get_name
701
(sec_param)));
702
}
703
}
704
}
705
}
706
if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
707
/* Err on the side of caution */
708
sec_param = GNUTLS_SEC_PARAM_ULTRA;
709
if(debug){
710
fprintf_plus(stderr, "Falling back to security parameter"
711
" \"%s\"\n",
712
safe_string(gnutls_sec_param_get_name
713
(sec_param)));
714
}
715
}
716
}
717
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
718
if(uret != 0){
719
mc->dh_bits = uret;
720
if(debug){
721
fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
722
" implies %u DH bits; using that.\n",
723
safe_string(gnutls_sec_param_get_name
724
(sec_param)),
725
mc->dh_bits);
726
}
727
} else {
728
fprintf_plus(stderr, "Failed to get implied number of DH"
729
" bits for security parameter \"%s\"): %s\n",
730
safe_string(gnutls_sec_param_get_name
731
(sec_param)),
732
safer_gnutls_strerror(ret));
733
goto globalfail;
734
}
735
} else if(debug){
736
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
737
mc->dh_bits);
738
}
739
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
740
if(ret != GNUTLS_E_SUCCESS){
741
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
742
" bits): %s\n", mc->dh_bits,
743
safer_gnutls_strerror(ret));
744
goto globalfail;
745
}
746
}
579
747
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
580
748
581
749
return 0;
583
751
globalfail:
584
752
585
753
gnutls_certificate_free_credentials(mc->cred);
586
gnutls_global_deinit();
587
754
gnutls_dh_params_deinit(mc->dh_params);
588
755
return -1;
589
756
}
641
808
/* ignore client certificate if any. */
642
809
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
643
810
644
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
645
646
811
return 0;
647
812
}
648
813
652
817
653
818
/* Set effective uid to 0, return errno */
654
819
__attribute__((warn_unused_result))
655
error_t raise_privileges(void){
656
error_t old_errno = errno;
657
error_t ret_errno = 0;
820
int raise_privileges(void){
821
int old_errno = errno;
822
int ret = 0;
658
823
if(seteuid(0) == -1){
659
ret_errno = errno;
824
ret = errno;
660
825
}
661
826
errno = old_errno;
662
return ret_errno;
827
return ret;
663
828
}
664
829
665
830
/* Set effective and real user ID to 0. Return errno. */
666
831
__attribute__((warn_unused_result))
667
error_t raise_privileges_permanently(void){
668
error_t old_errno = errno;
669
error_t ret_errno = raise_privileges();
670
if(ret_errno != 0){
832
int raise_privileges_permanently(void){
833
int old_errno = errno;
834
int ret = raise_privileges();
835
if(ret != 0){
671
836
errno = old_errno;
672
return ret_errno;
837
return ret;
673
838
}
674
839
if(setuid(0) == -1){
675
ret_errno = errno;
840
ret = errno;
676
841
}
677
842
errno = old_errno;
678
return ret_errno;
843
return ret;
679
844
}
680
845
681
846
/* Set effective user ID to unprivileged saved user ID */
682
847
__attribute__((warn_unused_result))
683
error_t lower_privileges(void){
684
error_t old_errno = errno;
685
error_t ret_errno = 0;
848
int lower_privileges(void){
849
int old_errno = errno;
850
int ret = 0;
686
851
if(seteuid(uid) == -1){
687
ret_errno = errno;
852
ret = errno;
688
853
}
689
854
errno = old_errno;
690
return ret_errno;
855
return ret;
691
856
}
692
857
693
858
/* Lower privileges permanently */
694
859
__attribute__((warn_unused_result))
695
error_t lower_privileges_permanently(void){
696
error_t old_errno = errno;
697
error_t ret_errno = 0;
860
int lower_privileges_permanently(void){
861
int old_errno = errno;
862
int ret = 0;
698
863
if(setuid(uid) == -1){
699
ret_errno = errno;
864
ret = errno;
700
865
}
701
866
errno = old_errno;
702
return ret_errno;
867
return ret;
703
868
}
704
869
705
870
/* Helper function to add_local_route() and delete_local_route() */
761
926
perror_plus("dup2(devnull, STDIN_FILENO)");
762
927
_exit(EX_OSERR);
763
928
}
764
ret = (int)TEMP_FAILURE_RETRY(close(devnull));
929
ret = close(devnull);
765
930
if(ret == -1){
766
931
perror_plus("close");
767
932
_exit(EX_OSERR);
784
949
helper, O_RDONLY));
785
950
if(helper_fd == -1){
786
951
perror_plus("openat");
952
close(helperdir_fd);
787
953
_exit(EX_UNAVAILABLE);
788
954
}
789
TEMP_FAILURE_RETRY(close(helperdir_fd));
955
close(helperdir_fd);
790
956
#ifdef __GNUC__
791
957
#pragma GCC diagnostic push
792
958
#pragma GCC diagnostic ignored "-Wcast-qual"
960
1126
goto mandos_end;
961
1127
}
962
1128
963
memset(&to, 0, sizeof(to));
964
1129
if(af == AF_INET6){
965
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
966
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
1130
struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;
1131
*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };
1132
ret = inet_pton(af, ip, &to6->sin6_addr);
967
1133
} else { /* IPv4 */
968
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
969
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
1134
struct sockaddr_in *to4 = (struct sockaddr_in *)&to;
1135
*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };
1136
ret = inet_pton(af, ip, &to4->sin_addr);
970
1137
}
971
1138
if(ret < 0 ){
972
1139
int e = errno;
1051
1218
sizeof(struct sockaddr_in));
1052
1219
}
1053
1220
if(ret < 0){
1054
if(errno == ENETUNREACH
1221
if(((errno == ENETUNREACH) or (errno == EHOSTUNREACH))
1055
1222
and if_index != AVAHI_IF_UNSPEC
1056
1223
and connect_to == NULL
1057
1224
and not route_added and
1295
1462
free(decrypted_buffer);
1296
1463
free(buffer);
1297
1464
if(tcp_sd >= 0){
1298
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
1465
ret = close(tcp_sd);
1299
1466
}
1300
1467
if(ret == -1){
1301
1468
if(e == 0){
1456
1623
__attribute__((nonnull, warn_unused_result))
1457
1624
bool get_flags(const char *ifname, struct ifreq *ifr){
1458
1625
int ret;
1459
error_t ret_errno;
1626
int old_errno;
1460
1627
1461
1628
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1462
1629
if(s < 0){
1463
ret_errno = errno;
1630
old_errno = errno;
1464
1631
perror_plus("socket");
1465
errno = ret_errno;
1632
errno = old_errno;
1466
1633
return false;
1467
1634
}
1468
strcpy(ifr->ifr_name, ifname);
1635
strncpy(ifr->ifr_name, ifname, IF_NAMESIZE);
1636
ifr->ifr_name[IF_NAMESIZE-1] = '\0'; /* NUL terminate */
1469
1637
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1470
1638
if(ret == -1){
1471
1639
if(debug){
1472
ret_errno = errno;
1640
old_errno = errno;
1473
1641
perror_plus("ioctl SIOCGIFFLAGS");
1474
errno = ret_errno;
1642
errno = old_errno;
1475
1643
}
1476
1644
return false;
1477
1645
}
1741
1909
return;
1742
1910
}
1743
1911
}
1744
#ifdef __GLIBC__
1745
#if __GLIBC_PREREQ(2, 15)
1746
1912
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1747
1913
runnable_hook, alphasort);
1748
#else /* not __GLIBC_PREREQ(2, 15) */
1749
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1750
alphasort);
1751
#endif /* not __GLIBC_PREREQ(2, 15) */
1752
#else /* not __GLIBC__ */
1753
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1754
alphasort);
1755
#endif /* not __GLIBC__ */
1756
1914
if(numhooks == -1){
1757
1915
perror_plus("scandir");
1758
1916
return;
1840
1998
perror_plus("openat");
1841
1999
_exit(EXIT_FAILURE);
1842
2000
}
1843
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
2001
if(close(hookdir_fd) == -1){
1844
2002
perror_plus("close");
1845
2003
_exit(EXIT_FAILURE);
1846
2004
}
1849
2007
perror_plus("dup2(devnull, STDIN_FILENO)");
1850
2008
_exit(EX_OSERR);
1851
2009
}
1852
ret = (int)TEMP_FAILURE_RETRY(close(devnull));
2010
ret = close(devnull);
1853
2011
if(ret == -1){
1854
2012
perror_plus("close");
1855
2013
_exit(EX_OSERR);
1904
2062
free(direntry);
1905
2063
}
1906
2064
free(direntries);
1907
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
2065
if(close(hookdir_fd) == -1){
1908
2066
perror_plus("close");
1909
2067
} else {
1910
2068
hookdir_fd = -1;
1913
2071
}
1914
2072
1915
2073
__attribute__((nonnull, warn_unused_result))
1916
error_t bring_up_interface(const char *const interface,
1917
const float delay){
1918
error_t old_errno = errno;
2074
int bring_up_interface(const char *const interface,
2075
const float delay){
2076
int old_errno = errno;
1919
2077
int ret;
1920
2078
struct ifreq network;
1921
2079
unsigned int if_index = if_nametoindex(interface);
1931
2089
}
1932
2090
1933
2091
if(not interface_is_up(interface)){
1934
error_t ret_errno = 0, ioctl_errno = 0;
2092
int ret_errno = 0;
2093
int ioctl_errno = 0;
1935
2094
if(not get_flags(interface, &network)){
1936
2095
ret_errno = errno;
1937
2096
fprintf_plus(stderr, "Failed to get flags for interface "
1950
2109
}
1951
2110
1952
2111
if(quit_now){
1953
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2112
ret = close(sd);
1954
2113
if(ret == -1){
1955
2114
perror_plus("close");
1956
2115
}
2006
2165
}
2007
2166
2008
2167
/* Close the socket */
2009
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2168
ret = close(sd);
2010
2169
if(ret == -1){
2011
2170
perror_plus("close");
2012
2171
}
2040
2199
}
2041
2200
2042
2201
__attribute__((nonnull, warn_unused_result))
2043
error_t take_down_interface(const char *const interface){
2044
error_t old_errno = errno;
2202
int take_down_interface(const char *const interface){
2203
int old_errno = errno;
2045
2204
struct ifreq network;
2046
2205
unsigned int if_index = if_nametoindex(interface);
2047
2206
if(if_index == 0){
2050
2209
return ENXIO;
2051
2210
}
2052
2211
if(interface_is_up(interface)){
2053
error_t ret_errno = 0, ioctl_errno = 0;
2212
int ret_errno = 0;
2213
int ioctl_errno = 0;
2054
2214
if(not get_flags(interface, &network) and debug){
2055
2215
ret_errno = errno;
2056
2216
fprintf_plus(stderr, "Failed to get flags for interface "
2094
2254
}
2095
2255
2096
2256
/* Close the socket */
2097
int ret = (int)TEMP_FAILURE_RETRY(close(sd));
2257
int ret = close(sd);
2098
2258
if(ret == -1){
2099
2259
perror_plus("close");
2100
2260
}
2115
2275
}
2116
2276
2117
2277
int main(int argc, char *argv[]){
2118
mandos_context mc = { .server = NULL, .dh_bits = 1024,
2119
.priority = "SECURE256:!CTYPE-X.509:"
2120
"+CTYPE-OPENPGP", .current_server = NULL,
2121
.interfaces = NULL, .interfaces_size = 0 };
2278
mandos_context mc = { .server = NULL, .dh_bits = 0,
2279
.priority = "SECURE256:!CTYPE-X.509"
2280
":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
2281
.current_server = NULL, .interfaces = NULL,
2282
.interfaces_size = 0 };
2122
2283
AvahiSServiceBrowser *sb = NULL;
2123
2284
error_t ret_errno;
2124
2285
int ret;
2133
2294
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2134
2295
const char *seckey = PATHDIR "/" SECKEY;
2135
2296
const char *pubkey = PATHDIR "/" PUBKEY;
2297
const char *dh_params_file = NULL;
2136
2298
char *interfaces_hooks = NULL;
2137
2299
2138
2300
bool gnutls_initialized = false;
2191
2353
.doc = "Bit length of the prime number used in the"
2192
2354
" Diffie-Hellman key exchange",
2193
2355
.group = 2 },
2356
{ .name = "dh-params", .key = 134,
2357
.arg = "FILE",
2358
.doc = "PEM-encoded PKCS#3 file with pre-generated parameters"
2359
" for the Diffie-Hellman key exchange",
2360
.group = 2 },
2194
2361
{ .name = "priority", .key = 130,
2195
2362
.arg = "STRING",
2196
2363
.doc = "GnuTLS priority string for the TLS handshake",
2251
2418
}
2252
2419
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
2253
2420
break;
2421
case 134: /* --dh-params */
2422
dh_params_file = arg;
2423
break;
2254
2424
case 130: /* --priority */
2255
2425
mc.priority = arg;
2256
2426
break;
2296
2466
.args_doc = "",
2297
2467
.doc = "Mandos client -- Get and decrypt"
2298
2468
" passwords from a Mandos server" };
2299
ret = argp_parse(&argp, argc, argv,
2300
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2301
switch(ret){
2469
ret_errno = argp_parse(&argp, argc, argv,
2470
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2471
switch(ret_errno){
2302
2472
case 0:
2303
2473
break;
2304
2474
case ENOMEM:
2305
2475
default:
2306
errno = ret;
2476
errno = ret_errno;
2307
2477
perror_plus("argp_parse");
2308
2478
exitcode = EX_OSERR;
2309
2479
goto end;
2318
2488
<http://bugs.debian.org/633582> */
2319
2489
2320
2490
/* Re-raise privileges */
2321
ret_errno = raise_privileges();
2322
if(ret_errno != 0){
2323
errno = ret_errno;
2491
ret = raise_privileges();
2492
if(ret != 0){
2493
errno = ret;
2324
2494
perror_plus("Failed to raise privileges");
2325
2495
} else {
2326
2496
struct stat st;
2342
2512
}
2343
2513
}
2344
2514
}
2345
TEMP_FAILURE_RETRY(close(seckey_fd));
2515
close(seckey_fd);
2346
2516
}
2347
2517
}
2348
2518
2363
2533
}
2364
2534
}
2365
2535
}
2366
TEMP_FAILURE_RETRY(close(pubkey_fd));
2536
close(pubkey_fd);
2537
}
2538
}
2539
2540
if(dh_params_file != NULL
2541
and strcmp(dh_params_file, PATHDIR "/dhparams.pem" ) == 0){
2542
int dhparams_fd = open(dh_params_file, O_RDONLY);
2543
if(dhparams_fd == -1){
2544
perror_plus("open");
2545
} else {
2546
ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));
2547
if(ret == -1){
2548
perror_plus("fstat");
2549
} else {
2550
if(S_ISREG(st.st_mode)
2551
and st.st_uid == 0 and st.st_gid == 0){
2552
ret = fchown(dhparams_fd, uid, gid);
2553
if(ret == -1){
2554
perror_plus("fchown");
2555
}
2556
}
2557
}
2558
close(dhparams_fd);
2367
2559
}
2368
2560
}
2369
2561
2370
2562
/* Lower privileges */
2371
ret_errno = lower_privileges();
2372
if(ret_errno != 0){
2373
errno = ret_errno;
2563
ret = lower_privileges();
2564
if(ret != 0){
2565
errno = ret;
2374
2566
perror_plus("Failed to lower privileges");
2375
2567
}
2376
2568
}
2546
2738
errno = bring_up_interface(interface, delay);
2547
2739
if(not interface_was_up){
2548
2740
if(errno != 0){
2549
perror_plus("Failed to bring up interface");
2741
fprintf_plus(stderr, "Failed to bring up interface \"%s\":"
2742
" %s\n", interface, strerror(errno));
2550
2743
} else {
2551
2744
errno = argz_add(&interfaces_to_take_down,
2552
2745
&interfaces_to_take_down_size,
2575
2768
goto end;
2576
2769
}
2577
2770
2578
ret = init_gnutls_global(pubkey, seckey, &mc);
2771
ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
2579
2772
if(ret == -1){
2580
2773
fprintf_plus(stderr, "init_gnutls_global failed\n");
2581
2774
exitcode = EX_UNAVAILABLE;
2703
2896
2704
2897
/* Allocate a new server */
2705
2898
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
2706
&config, NULL, NULL, &ret_errno);
2899
&config, NULL, NULL, &ret);
2707
2900
2708
2901
/* Free the Avahi configuration data */
2709
2902
avahi_server_config_free(&config);
2712
2905
/* Check if creating the Avahi server object succeeded */
2713
2906
if(mc.server == NULL){
2714
2907
fprintf_plus(stderr, "Failed to create Avahi server: %s\n",
2715
avahi_strerror(ret_errno));
2908
avahi_strerror(ret));
2716
2909
exitcode = EX_UNAVAILABLE;
2717
2910
goto end;
2718
2911
}
2770
2963
2771
2964
if(gnutls_initialized){
2772
2965
gnutls_certificate_free_credentials(mc.cred);
2773
gnutls_global_deinit();
2774
2966
gnutls_dh_params_deinit(mc.dh_params);
2775
2967
}
2776
2968
2799
2991
2800
2992
/* Re-raise privileges */
2801
2993
{
2802
ret_errno = raise_privileges();
2803
if(ret_errno != 0){
2804
errno = ret_errno;
2994
ret = raise_privileges();
2995
if(ret != 0){
2996
errno = ret;
2805
2997
perror_plus("Failed to raise privileges");
2806
2998
} else {
2807
2999
2815
3007
while((interface=argz_next(interfaces_to_take_down,
2816
3008
interfaces_to_take_down_size,
2817
3009
interface))){
2818
ret_errno = take_down_interface(interface);
2819
if(ret_errno != 0){
2820
errno = ret_errno;
3010
ret = take_down_interface(interface);
3011
if(ret != 0){
3012
errno = ret;
2821
3013
perror_plus("Failed to take down interface");
2822
3014
}
2823
3015
}
2828
3020
}
2829
3021
}
2830
3022
2831
ret_errno = lower_privileges_permanently();
2832
if(ret_errno != 0){
2833
errno = ret_errno;
3023
ret = lower_privileges_permanently();
3024
if(ret != 0){
3025
errno = ret;
2834
3026
perror_plus("Failed to lower privileges permanently");
2835
3027
}
2836
3028
}
2838
3030
free(interfaces_to_take_down);
2839
3031
free(interfaces_hooks);
2840
3032
3033
void clean_dir_at(int base, const char * const dirname,
3034
uintmax_t level){
3035
struct dirent **direntries = NULL;
3036
int dret;
3037
int dir_fd = (int)TEMP_FAILURE_RETRY(openat(base, dirname,
3038
O_RDONLY
3039
| O_NOFOLLOW
3040
| O_DIRECTORY
3041
| O_PATH));
3042
if(dir_fd == -1){
3043
perror_plus("open");
3044
}
3045
int numentries = scandirat(dir_fd, ".", &direntries,
3046
notdotentries, alphasort);
3047
if(numentries >= 0){
3048
for(int i = 0; i < numentries; i++){
3049
if(debug){
3050
fprintf_plus(stderr, "Unlinking \"%s/%s\"\n",
3051
dirname, direntries[i]->d_name);
3052
}
3053
dret = unlinkat(dir_fd, direntries[i]->d_name, 0);
3054
if(dret == -1){
3055
if(errno == EISDIR){
3056
dret = unlinkat(dir_fd, direntries[i]->d_name,
3057
AT_REMOVEDIR);
3058
}
3059
if((dret == -1) and (errno == ENOTEMPTY)
3060
and (strcmp(direntries[i]->d_name, "private-keys-v1.d")
3061
== 0) and (level == 0)){
3062
/* Recurse only in this special case */
3063
clean_dir_at(dir_fd, direntries[i]->d_name, level+1);
3064
dret = 0;
3065
}
3066
if(dret == -1){
3067
fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,
3068
direntries[i]->d_name, strerror(errno));
3069
}
3070
}
3071
free(direntries[i]);
3072
}
3073
3074
/* need to clean even if 0 because man page doesn't specify */
3075
free(direntries);
3076
if(numentries == -1){
3077
perror_plus("scandirat");
3078
}
3079
dret = unlinkat(base, dirname, AT_REMOVEDIR);
3080
if(dret == -1 and errno != ENOENT){
3081
perror_plus("rmdir");
3082
}
3083
} else {
3084
perror_plus("scandirat");
3085
}
3086
close(dir_fd);
3087
}
3088
2841
3089
/* Removes the GPGME temp directory and all files inside */
2842
3090
if(tempdir != NULL){
2843
struct dirent **direntries = NULL;
2844
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY
2845
| O_NOFOLLOW
2846
| O_DIRECTORY
2847
| O_PATH));
2848
if(tempdir_fd == -1){
2849
perror_plus("open");
2850
} else {
2851
#ifdef __GLIBC__
2852
#if __GLIBC_PREREQ(2, 15)
2853
int numentries = scandirat(tempdir_fd, ".", &direntries,
2854
notdotentries, alphasort);
2855
#else /* not __GLIBC_PREREQ(2, 15) */
2856
int numentries = scandir(tempdir, &direntries, notdotentries,
2857
alphasort);
2858
#endif /* not __GLIBC_PREREQ(2, 15) */
2859
#else /* not __GLIBC__ */
2860
int numentries = scandir(tempdir, &direntries, notdotentries,
2861
alphasort);
2862
#endif /* not __GLIBC__ */
2863
if(numentries >= 0){
2864
for(int i = 0; i < numentries; i++){
2865
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
2866
if(ret == -1){
2867
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
2868
" \"%s\", 0): %s\n", tempdir,
2869
direntries[i]->d_name, strerror(errno));
2870
}
2871
free(direntries[i]);
2872
}
2873
2874
/* need to clean even if 0 because man page doesn't specify */
2875
free(direntries);
2876
if(numentries == -1){
2877
perror_plus("scandir");
2878
}
2879
ret = rmdir(tempdir);
2880
if(ret == -1 and errno != ENOENT){
2881
perror_plus("rmdir");
2882
}
2883
}
2884
TEMP_FAILURE_RETRY(close(tempdir_fd));
2885
}
3091
clean_dir_at(-1, tempdir, 0);
2886
3092
}
2887
3093
2888
3094
if(quit_now){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0