To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 24.1.142
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.142
- Committer: Björn Påhlsson
- Date: 2009-09-21 13:51:11 UTC
- mfrom: (379 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 415.
- Revision ID: belorn@braxen-20090921135111-zvsg8bjfglffgp51
merge
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
44
44
#include <stdint.h> /* uint16_t, uint32_t */
45
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
47
srand(), strtof(), abort() */
48
48
#include <stdbool.h> /* bool, false, true */
49
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
50
strerror(), asprintf(), strcpy() */
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
78
78
#include <argp.h> /* struct argp_option, error_t, struct
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
145
148
/*
146
149
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
150
* bytes. "buffer_capacity" is how much is currently allocated,
474
477
static int init_gnutls_session(gnutls_session_t *session){
475
478
int ret;
476
479
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
478
486
if(ret != GNUTLS_E_SUCCESS){
479
487
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
488
safer_gnutls_strerror(ret));
482
490
483
491
{
484
492
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
486
500
if(ret != GNUTLS_E_SUCCESS){
487
501
fprintf(stderr, "Syntax error at: %s\n", err);
488
502
fprintf(stderr, "GnuTLS error: %s\n",
492
506
}
493
507
}
494
508
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
497
517
if(ret != GNUTLS_E_SUCCESS){
498
518
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
499
519
safer_gnutls_strerror(ret));
502
522
}
503
523
504
524
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
507
526
508
527
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
509
528
514
533
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
534
__attribute__((unused)) const char *txt){}
516
535
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
520
536
/* Called when a Mandos server is found */
521
537
static int start_mandos_communication(const char *ip, uint16_t port,
522
538
AvahiIfIndex if_index,
528
544
struct sockaddr_in6 in6;
529
545
} to;
530
546
char *buffer = NULL;
531
char *decrypted_buffer;
547
char *decrypted_buffer = NULL;
532
548
size_t buffer_length = 0;
533
549
size_t buffer_capacity = 0;
534
550
size_t written;
535
int retval = 0;
551
int retval = -1;
536
552
gnutls_session_t session;
537
553
int pf; /* Protocol family */
538
554
565
581
tcp_sd = socket(pf, SOCK_STREAM, 0);
566
582
if(tcp_sd < 0){
567
583
perror("socket");
568
retval = -1;
569
584
goto mandos_end;
570
585
}
571
586
583
598
}
584
599
if(ret < 0 ){
585
600
perror("inet_pton");
586
retval = -1;
587
601
goto mandos_end;
588
602
}
589
603
if(ret == 0){
590
604
fprintf(stderr, "Bad address: %s\n", ip);
591
retval = -1;
592
605
goto mandos_end;
593
606
}
594
607
if(af == AF_INET6){
602
615
if(if_index == AVAHI_IF_UNSPEC){
603
616
fprintf(stderr, "An IPv6 link-local address is incomplete"
604
617
" without a network interface\n");
605
retval = -1;
606
618
goto mandos_end;
607
619
}
608
620
/* Set the network interface number as scope */
661
673
}
662
674
if(ret < 0){
663
675
perror("connect");
664
retval = -1;
665
676
goto mandos_end;
666
677
}
667
678
677
688
out_size - written));
678
689
if(ret == -1){
679
690
perror("write");
680
retval = -1;
681
691
goto mandos_end;
682
692
}
683
693
written += (size_t)ret;
723
733
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
724
734
gnutls_perror(ret);
725
735
}
726
retval = -1;
727
736
goto mandos_end;
728
737
}
729
738
744
753
buffer_capacity);
745
754
if(buffer_capacity == 0){
746
755
perror("incbuffer");
747
retval = -1;
748
756
goto mandos_end;
749
757
}
750
758
773
781
if(ret < 0){
774
782
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
775
783
gnutls_perror(ret);
776
retval = -1;
777
784
goto mandos_end;
778
785
}
779
786
break;
780
787
default:
781
788
fprintf(stderr, "Unknown error while reading data from"
782
789
" encrypted session with Mandos server\n");
783
retval = -1;
784
790
gnutls_bye(session, GNUTLS_SHUT_RDWR);
785
791
goto mandos_end;
786
792
}
797
803
goto mandos_end;
798
804
}
799
805
800
gnutls_bye(session, GNUTLS_SHUT_RDWR);
801
802
if(quit_now){
803
goto mandos_end;
804
}
806
do {
807
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
808
if(quit_now){
809
goto mandos_end;
810
}
811
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
805
812
806
813
if(buffer_length > 0){
807
814
ssize_t decrypted_buffer_size;
824
831
fprintf(stderr, "Error writing encrypted data: %s\n",
825
832
strerror(errno));
826
833
}
827
retval = -1;
828
break;
834
goto mandos_end;
829
835
}
830
836
written += (size_t)ret;
831
837
}
832
free(decrypted_buffer);
833
} else {
834
retval = -1;
838
retval = 0;
835
839
}
836
} else {
837
retval = -1;
838
840
}
839
841
840
842
/* Shutdown procedure */
841
843
842
844
mandos_end:
845
free(decrypted_buffer);
843
846
free(buffer);
844
847
if(tcp_sd >= 0){
845
848
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
995
998
bool gpgme_initialized = false;
996
999
float delay = 2.5f;
997
1000
998
struct sigaction old_sigterm_action;
1001
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
999
1002
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1000
1003
1004
uid = getuid();
1005
gid = getgid();
1006
1007
/* Lower any group privileges we might have, just to be safe */
1008
errno = 0;
1009
ret = setgid(gid);
1010
if(ret == -1){
1011
perror("setgid");
1012
}
1013
1014
/* Lower user privileges (temporarily) */
1015
errno = 0;
1016
ret = seteuid(uid);
1017
if(ret == -1){
1018
perror("seteuid");
1019
}
1020
1021
if(quit_now){
1022
goto end;
1023
}
1024
1001
1025
{
1002
1026
struct argp_option options[] = {
1003
1027
{ .name = "debug", .key = 128,
1187
1211
goto end;
1188
1212
}
1189
1213
1214
/* Re-raise priviliges */
1215
errno = 0;
1216
ret = seteuid(0);
1217
if(ret == -1){
1218
perror("seteuid");
1219
}
1220
1190
1221
#ifdef __linux__
1191
1222
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1192
1223
messages to mess up the prompt */
1210
1241
}
1211
1242
}
1212
1243
#endif /* __linux__ */
1244
/* Lower privileges */
1245
errno = 0;
1246
ret = seteuid(uid);
1247
if(ret == -1){
1248
perror("seteuid");
1249
}
1213
1250
goto end;
1214
1251
}
1215
1252
strcpy(network.ifr_name, interface);
1225
1262
}
1226
1263
#endif /* __linux__ */
1227
1264
exitcode = EXIT_FAILURE;
1265
/* Lower privileges */
1266
errno = 0;
1267
ret = seteuid(uid);
1268
if(ret == -1){
1269
perror("seteuid");
1270
}
1228
1271
goto end;
1229
1272
}
1230
1273
if((network.ifr_flags & IFF_UP) == 0){
1243
1286
}
1244
1287
}
1245
1288
#endif /* __linux__ */
1289
/* Lower privileges */
1290
errno = 0;
1291
ret = seteuid(uid);
1292
if(ret == -1){
1293
perror("seteuid");
1294
}
1246
1295
goto end;
1247
1296
}
1248
1297
}
1276
1325
}
1277
1326
}
1278
1327
#endif /* __linux__ */
1279
}
1280
1281
if(quit_now){
1282
goto end;
1283
}
1284
1285
uid = getuid();
1286
gid = getgid();
1287
1288
errno = 0;
1289
setgid(gid);
1290
if(ret == -1){
1291
perror("setgid");
1292
}
1293
1294
ret = setuid(uid);
1295
if(ret == -1){
1296
perror("setuid");
1328
/* Lower privileges */
1329
errno = 0;
1330
if(take_down_interface){
1331
/* Lower privileges */
1332
ret = seteuid(uid);
1333
if(ret == -1){
1334
perror("seteuid");
1335
}
1336
} else {
1337
/* Lower privileges permanently */
1338
ret = setuid(uid);
1339
if(ret == -1){
1340
perror("setuid");
1341
}
1342
}
1297
1343
}
1298
1344
1299
1345
if(quit_now){
1473
1519
1474
1520
/* Take down the network interface */
1475
1521
if(take_down_interface){
1476
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1522
/* Re-raise priviliges */
1523
errno = 0;
1524
ret = seteuid(0);
1477
1525
if(ret == -1){
1478
perror("ioctl SIOCGIFFLAGS");
1479
} else if(network.ifr_flags & IFF_UP) {
1480
network.ifr_flags &= ~IFF_UP; /* clear flag */
1481
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1482
if(ret == -1){
1483
perror("ioctl SIOCSIFFLAGS");
1484
}
1526
perror("seteuid");
1485
1527
}
1486
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1487
if(ret == -1){
1488
perror("close");
1528
if(geteuid() == 0){
1529
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1530
if(ret == -1){
1531
perror("ioctl SIOCGIFFLAGS");
1532
} else if(network.ifr_flags & IFF_UP) {
1533
network.ifr_flags &= ~IFF_UP; /* clear flag */
1534
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1535
if(ret == -1){
1536
perror("ioctl SIOCSIFFLAGS");
1537
}
1538
}
1539
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1540
if(ret == -1){
1541
perror("close");
1542
}
1543
/* Lower privileges permanently */
1544
errno = 0;
1545
ret = setuid(uid);
1546
if(ret == -1){
1547
perror("setuid");
1548
}
1489
1549
}
1490
1550
}
1491
1551
1536
1596
if(quit_now){
1537
1597
sigemptyset(&old_sigterm_action.sa_mask);
1538
1598
old_sigterm_action.sa_handler = SIG_DFL;
1539
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1599
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1600
&old_sigterm_action,
1601
NULL));
1540
1602
if(ret == -1){
1541
1603
perror("sigaction");
1542
1604
}
1543
raise(signal_received);
1605
do {
1606
ret = raise(signal_received);
1607
} while(ret != 0 and errno == EINTR);
1608
if(ret != 0){
1609
perror("raise");
1610
abort();
1611
}
1612
TEMP_FAILURE_RETRY(pause());
1544
1613
}
1545
1614
1546
1615
return exitcode;
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0