2 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015,
4 Ben Kibbey <bjk@luxsci.net>
6 This file is part of pwmd.
8 Pwmd is free software: you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation, either version 2 of the License, or
11 (at your option) any later version.
13 Pwmd is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with Pwmd. If not, see <http://www.gnu.org/licenses/>.
31 #include <sys/socket.h>
45 #include <netinet/in.h>
46 #include <arpa/inet.h>
49 #include <sys/resource.h>
64 #ifdef HAVE_GETOPT_LONG
69 #include "getopt_long.h"
72 #ifdef HAVE_PR_SET_NAME
73 #include <sys/prctl.h>
76 #include "pwmd-error.h"
79 #include "util-misc.h"
85 #include "util-string.h"
90 /* In tenths of a second. */
93 /* For (tcp_)accept_thread (usec). */
94 #define ACCEPT_TIMEOUT 50000
100 static pthread_cond_t quit_cond
;
101 static pthread_mutex_t quit_mutex
;
103 static unsigned assuan_level
;
105 #ifndef HAVE_PTHREAD_CANCEL
106 static pthread_key_t signal_thread_key
;
109 pthread_t accept_tid
;
113 static int start_stop_tls (int term
);
116 static gpg_error_t
do_cache_push (struct crypto_s
*crypto
);
117 static int signal_loop (sigset_t sigset
);
119 #ifndef HAVE_PTHREAD_CANCEL
120 #define INIT_SIGNAL(s, cb) do { \
121 struct sigaction act; \
123 sigemptyset (&sigset); \
124 sigaddset (&sigset, s); \
125 pthread_sigmask (SIG_UNBLOCK, &sigset, NULL); \
126 memset (&act, 0, sizeof(act)); \
127 act.sa_flags = SA_SIGINFO; \
128 act.sa_mask = sigset; \
129 act.sa_sigaction = cb; \
130 sigaction (s, &act, NULL); \
134 #ifndef HAVE_PTHREAD_CANCEL
136 catch_thread_signal (int sig
, siginfo_t
*info
, void *ctx
)
138 int *n
= (int *) pthread_getspecific (signal_thread_key
);
141 pthread_setspecific (signal_thread_key
, n
);
148 int n
= config_get_boolean ("global", "enable_logging");
152 char *p
= config_get_string ("global", "log_path");
154 if (!p
|| (logfile
&& p
&& log_fd
!= -1 && strcmp(p
, logfile
)))
165 logfile
= expand_homedir (p
);
179 log_syslog
= config_get_boolean ("global", "syslog");
181 openlog ("pwmd", LOG_NDELAY
| LOG_PID
, LOG_DAEMON
);
185 reload_rcfile_thread (void *arg
)
187 #ifndef HAVE_PTHREAD_CANCEL
188 int *n
= xmalloc (sizeof (int));
191 pthread_setspecific (signal_thread_key
, n
);
192 INIT_SIGNAL (SIGUSR2
, catch_thread_signal
);
195 #ifdef HAVE_PR_SET_NAME
196 prctl (PR_SET_NAME
, "reload rcfile");
198 pthread_setspecific (thread_name_key
, str_asprintf ("!%s", __FUNCTION__
));
199 MUTEX_LOCK (&rcfile_mutex
);
203 struct slist_s
*keep
= NULL
;
204 struct slist_s
*config
;
205 int b
= disable_list_and_dump
;
207 char *prio
= config_get_string ("global", "tls_cipher_suite");
211 pthread_cleanup_push (cleanup_mutex_cb
, &rcfile_mutex
);
212 pthread_cond_wait (&rcfile_cond
, &rcfile_mutex
);
213 #ifndef HAVE_PTHREAD_CANCEL
214 int *cancel
= (int *) pthread_getspecific (signal_thread_key
);
219 keep
= config_keep_save ();
220 log_write (_("reloading configuration file '%s'"), rcfile
);
222 config
= config_parse (rcfile
, 1);
225 config_free (global_config
);
226 global_config
= config
;
230 config_keep_restore (keep
);
231 disable_list_and_dump
= !disable_list_and_dump
? b
: 1;
234 /* Restart listening sockets since they may have changed. */
238 prio2
= config_get_string ("global", "tls_cipher_suite");
239 if ((prio2
&& (!prio
|| strcmp (prio
, prio2
))) || (prio
&& !prio2
))
245 crypto_set_keepalive ();
246 pthread_cleanup_pop (0);
249 MUTEX_UNLOCK (&rcfile_mutex
);
254 send_error (assuan_context_t ctx
, gpg_error_t e
)
256 struct client_s
*client
= assuan_get_pointer (ctx
);
258 if (gpg_err_source (e
) == GPG_ERR_SOURCE_UNKNOWN
)
265 return assuan_process_done (ctx
, 0);
269 log_write ("ERR %i: %s", e
, pwmd_strerror (e
));
273 if (client
&& client
->xml_error
)
275 log_write ("%s", client
->xml_error
->message
);
276 xfree (client
->last_error
);
277 client
->last_error
= NULL
;
278 if (client
->xml_error
->message
)
279 client
->last_error
= str_dup (client
->xml_error
->message
);
281 e
= assuan_process_done (ctx
,
282 assuan_set_error (ctx
, e
,
283 client
->xml_error
->message
? client
->xml_error
->message
: NULL
));
284 xmlResetLastError ();
285 xmlResetError (client
->xml_error
);
286 xfree (client
->xml_error
);
287 client
->xml_error
= NULL
;
291 return assuan_process_done (ctx
,
292 assuan_set_error (ctx
, e
, pwmd_strerror (e
)));
296 log_write (const char *fmt
, ...)
302 pthread_t tid
= pthread_self ();
303 static pthread_mutex_t m
= PTHREAD_MUTEX_INITIALIZER
;
305 if ((!logfile
&& !isatty (STDERR_FILENO
) && !log_syslog
) || !fmt
)
308 pthread_mutex_lock (&m
);
309 pthread_cleanup_push ((void (*)(void *)) pthread_mutex_unlock
, &m
);
311 if (!cmdline
&& logfile
&& log_fd
== -1)
313 log_fd
= open (logfile
, O_WRONLY
| O_CREAT
| O_APPEND
, 0600);
315 warn ("%s", logfile
);
320 if (str_vasprintf (&args
, fmt
, ap
) != -1)
324 pthread_cleanup_push (xfree
, args
);
325 fprintf (stderr
, "pwmd: %s\n", args
);
327 pthread_cleanup_pop (1);
331 char *name
= pthread_getspecific (thread_name_key
);
334 pthread_cleanup_push (xfree
, args
);
335 snprintf (buf
, sizeof (buf
),
336 name
&& *name
== '!' ? "%s: " : name
? "%s(%p): " : "%s",
337 name
? *name
== '!' ? name
+1 : name
: "",
338 name
&& *name
== '!' ? 0 : name
? (pthread_t
*) tid
: 0);
341 if (!cmdline
&& log_syslog
&& !nofork
)
342 syslog (LOG_INFO
, "%s%s", name
, args
);
345 struct tm
*tm
= localtime (&now
);
347 strftime (tbuf
, sizeof (tbuf
), "%b %d %Y %H:%M:%S ", tm
);
348 tbuf
[sizeof (tbuf
) - 1] = 0;
350 if (args
[strlen (args
) - 1] == '\n')
351 args
[strlen (args
) - 1] = 0;
353 line
= str_asprintf ("%s %i %s%s\n", tbuf
, getpid (), name
,
355 pthread_cleanup_pop (1);
358 pthread_cleanup_push (xfree
, line
);
359 if (logfile
&& log_fd
!= -1)
361 ssize_t ret
= write (log_fd
, line
, strlen (line
));
368 fprintf (stdout
, "%s", line
);
372 pthread_cleanup_pop (1);
378 pthread_cleanup_pop (0);
380 if (log_fd
!= -1 && log_keepopen
<= 0)
386 pthread_mutex_unlock (&m
);
394 if (!gpgrt_check_version (REQUIRE_LIBGPGERROR_VERSION
))
396 fprintf (stderr
, _("gpgrt_check_version(): Incompatible libgpg-error. "
397 "Wanted %s, got %s.\n"), REQUIRE_LIBGPGERROR_VERSION
,
398 gpgrt_check_version (NULL
));
399 return GPG_ERR_UNKNOWN_VERSION
;
403 gpgrt_set_alloc_func (xrealloc_gpgrt
);
405 if (!assuan_check_version (REQUIRE_LIBASSUAN_VERSION
))
407 fprintf (stderr
, _("assuan_check_version(): Incompatible libassuan. "
408 "Wanted %s, got %s.\n"), REQUIRE_LIBASSUAN_VERSION
,
409 assuan_check_version (NULL
));
410 return GPG_ERR_UNKNOWN_VERSION
;
413 if (!gcry_check_version (REQUIRE_LIBGCRYPT_VERSION
))
415 fprintf (stderr
, _("gcry_check_version(): Incompatible libgcrypt. "
416 "Wanted %s, got %s.\n"), REQUIRE_LIBGCRYPT_VERSION
,
417 gcry_check_version (NULL
));
418 return GPG_ERR_UNKNOWN_VERSION
;
421 gcry_set_allocation_handler (xmalloc
, xmalloc
, NULL
, xrealloc
, xfree
);
423 if (!gpgme_check_version (REQUIRE_LIBGPGME_VERSION
))
425 fprintf (stderr
, _("gpgme_check_version(): Incompatible libgpgme. "
426 "Wanted %s, got %s.\n"), REQUIRE_LIBGPGME_VERSION
,
427 gpgme_check_version (NULL
));
428 return GPG_ERR_UNKNOWN_VERSION
;
431 rc
= gpgme_engine_check_version (GPGME_PROTOCOL_OPENPGP
);
434 fprintf (stderr
, _("gpgme_engine_check_version(GPGME_PROTOCOL_OPENPGP): %s"), gpgme_strerror (rc
));
435 return GPG_ERR_UNKNOWN_VERSION
;
438 //gpgme_set_global_flag ("require-gnupg", REQUIRE_GNUPG_VERSION);
440 gpgme_set_locale (NULL
, LC_CTYPE
, setlocale (LC_CTYPE
, NULL
));
441 gpgme_set_locale (NULL
, LC_MESSAGES
, setlocale (LC_MESSAGES
, NULL
));
445 if (gnutls_global_init ())
447 fprintf(stderr
, _("gnutls_global_init() failed.\n"));
448 return GPG_ERR_UNKNOWN_VERSION
;
451 if (!gnutls_check_version (REQUIRE_LIBGNUTLS_VERSION
))
453 fprintf (stderr
, _("gnutls_check_version(): Incompatible libgnutls. "
454 "Wanted %s, got %s.\n"), REQUIRE_LIBGNUTLS_VERSION
,
455 gnutls_check_version (NULL
));
456 return GPG_ERR_UNKNOWN_VERSION
;
459 gnutls_global_set_log_function (tls_log
);
460 gnutls_global_set_audit_log_function (tls_audit_log
);
466 do_validate_peer (assuan_context_t ctx
, const char *section
,
467 assuan_peercred_t
* peer
)
472 struct client_s
*client
= assuan_get_pointer (ctx
);
475 return GPG_ERR_FORBIDDEN
;
478 if (client
->thd
->remote
)
479 return tls_validate_access (client
, section
);
482 rc
= assuan_get_peercred (ctx
, peer
);
486 users
= config_get_list (section
, "allowed");
489 for (char **p
= users
; !rc
&& *p
; p
++)
491 rc
= acl_check_common(client
, *p
, (*peer
)->uid
, (*peer
)->gid
,
497 else if (client
->no_access_param
)
500 return allowed
&& !rc
? 0 : rc
? rc
: GPG_ERR_FORBIDDEN
;
503 /* Test if uid is a member of group 'name'. Invert when 'not' is true. */
504 #ifdef HAVE_GETGRNAM_R
506 acl_check_group (const char *name
, uid_t uid
, gid_t gid
, int not, int *allowed
)
509 struct group gr
, *gresult
;
510 size_t len
= sysconf (_SC_GETGR_R_SIZE_MAX
);
519 return GPG_ERR_ENOMEM
;
521 err
= getgrnam_r (name
, &gr
, buf
, len
, &gresult
);
524 if (gresult
->gr_gid
== gid
)
531 for (char **t
= gresult
->gr_mem
; !rc
&& *t
; t
++)
535 struct passwd
*result
= get_pwd_struct (*t
, 0, &pw
, &tbuf
, &rc
);
537 if (!rc
&& result
&& result
->pw_uid
== uid
)
551 rc
= gpg_error_from_errno (err
);
554 return rc
? rc
: !gresult
? 0 : GPG_ERR_EACCES
;
558 acl_check_group (const char *name
, uid_t uid
, gid_t gid
, int not, int *allowed
)
560 struct group
*gresult
;
564 gresult
= getgrnam (name
);
565 if (!errno
&& gresult
&& gresult
->gr_gid
== gid
)
571 rc
= gpg_error_from_syserror ();
575 for (char **t
= gresult
->gr_mem
; !rc
&& *t
; t
++)
579 struct passwd
*result
= get_pwd_struct (*t
, 0, &pw
, &buf
, &rc
);
581 if (!rc
&& result
&& result
->pw_uid
== uid
)
596 peer_is_invoker(struct client_s
*client
)
598 struct invoking_user_s
*user
;
601 if (client
->thd
->state
== CLIENT_STATE_UNKNOWN
)
602 return GPG_ERR_EACCES
;
604 for (user
= invoking_users
; user
; user
= user
->next
)
607 if (client
->thd
->remote
)
609 if (user
->type
== INVOKING_TLS
610 && !strcmp(client
->thd
->tls
->fp
, user
->id
))
611 allowed
= user
->not ? 0 : 1;
617 if (user
->type
== INVOKING_GID
)
619 gpg_error_t rc
= acl_check_group (user
->id
,
620 client
->thd
->peer
->uid
,
621 client
->thd
->peer
->gid
,
622 user
->not, &allowed
);
626 else if (user
->type
== INVOKING_UID
&& client
->thd
->peer
->uid
== user
->uid
)
627 allowed
= user
->not ? 0 : 1;
630 return allowed
? 0 : GPG_ERR_EACCES
;
633 #ifdef HAVE_GETGRNAM_R
635 acl_check_common (struct client_s
*client
, const char *user
, uid_t uid
,
636 gid_t gid
, int *allowed
)
646 if (*user
== '-' || *user
== '!')
649 if (*user
== '+') // not implemented yet
652 if (*user
== '#') // TLS fingerprint hash
655 if (not || rw
|| tls
)
661 if (client
->thd
->remote
)
663 if (!strcasecmp (client
->thd
->tls
->fp
, user
))
673 else if (client
->thd
->remote
) // Remote client with no FP in the ACL
677 if (*user
== '@') // all users in group
678 return acl_check_group (user
+1, uid
, gid
, not, allowed
);
683 struct passwd
*pwd
= get_pwd_struct (user
, 0, &pw
, &buf
, &rc
);
685 if (!rc
&& pwd
&& pwd
->pw_uid
== uid
)
695 acl_check_common (struct client_s
*client
, const char *user
, uid_t uid
,
696 gid_t gid
, int *allowed
)
706 if (*user
== '-' || *user
== '!')
709 if (*user
== '+') // not implemented yet
712 if (*user
== '#') // TLS fingerprint hash
715 if (not || rw
|| tls
)
721 if (client
->thd
->remote
)
723 if (!strcasecmp (client
->thd
->tls
->fp
, user
))
733 if (*user
== '@') // all users in group
734 return acl_check_group (user
+1, uid
, gid
, not, allowed
);
739 struct passwd
*result
= get_pwd_struct (user
, 0, &pw
, &buf
, &rc
);
741 if (!rc
&& result
&& result
->pw_uid
== uid
)
752 validate_peer (struct client_s
*cl
)
758 return tls_validate_access (cl
, NULL
);
761 MUTEX_LOCK (&cn_mutex
);
762 rc
= do_validate_peer (cl
->ctx
, "global", &cl
->thd
->peer
);
763 MUTEX_UNLOCK (&cn_mutex
);
764 log_write ("peer %s: uid=%i, gid=%i, pid=%i, rc=%u",
765 !rc
? _("accepted") : _("rejected"), cl
->thd
->peer
->uid
,
766 cl
->thd
->peer
->gid
, cl
->thd
->peer
->pid
, rc
);
771 xml_error_cb (void *data
, xmlErrorPtr e
)
773 struct client_s
*client
= data
;
776 * Keep the first reported error as the one to show in the error
777 * description. Reset in send_error().
779 if (client
->xml_error
)
782 client
->xml_error
= xcalloc (1, sizeof(xmlError
));
783 xmlCopyError (e
, client
->xml_error
);
787 hook_waitpid (assuan_context_t ctx
, pid_t pid
, int action
,
788 int *status
, int options
)
790 return waitpid (pid
, status
, options
);
794 hook_read (assuan_context_t ctx
, assuan_fd_t fd
, void *data
, size_t len
)
797 struct client_s
*client
= assuan_get_pointer (ctx
);
799 if (client
->thd
->remote
)
800 return tls_read_hook (ctx
, (int) fd
, data
, len
);
803 return read ((int) fd
, data
, len
);
807 hook_write (assuan_context_t ctx
, assuan_fd_t fd
,
808 const void *data
, size_t len
)
811 struct client_s
*client
= assuan_get_pointer (ctx
);
813 if (client
->thd
->remote
)
814 return tls_write_hook (ctx
, (int) fd
, data
, len
);
817 return write ((int) fd
, data
, len
);
821 assuan_log_cb (assuan_context_t ctx
, void *data
, unsigned cat
,
824 struct client_s
*client
= data
;
829 if (!(assuan_level
& cat
))
837 case ASSUAN_LOG_INIT
:
838 str
= "ASSUAN[INIT]";
843 case ASSUAN_LOG_ENGINE
:
844 str
= "ASSUAN[ENGINE]";
846 case ASSUAN_LOG_DATA
:
847 str
= "ASSUAN[DATA]";
849 case ASSUAN_LOG_SYSIO
:
850 str
= "ASSUAN[SYSIO]";
852 case ASSUAN_LOG_CONTROL
:
853 str
= "ASSUAN[CONTROL]";
856 str
= "ASSUAN[UNKNOWN]";
860 log_write ("%s: %s", str
, msg
);
865 new_connection (struct client_s
*cl
)
868 static struct assuan_malloc_hooks mhooks
= { xmalloc
, xrealloc
, xfree
};
869 static struct assuan_system_hooks shooks
= {
870 ASSUAN_SYSTEM_HOOKS_VERSION
,
878 NULL
, //sendmsg both are used for FD passing
889 char *prio
= config_get_string ("global", "tls_cipher_suite");
891 cl
->thd
->timeout
= config_get_integer ("global", "tls_timeout");
892 if (fcntl (cl
->thd
->fd
, F_SETFL
, O_NONBLOCK
) == -1)
895 cl
->thd
->tls
= tls_init_client (cl
->thd
->fd
, cl
->thd
->timeout
, prio
);
902 rc
= assuan_new_ext (&cl
->ctx
, GPG_ERR_SOURCE_DEFAULT
, &mhooks
,
907 assuan_ctx_set_system_hooks (cl
->ctx
, &shooks
);
908 rc
= assuan_init_socket_server (cl
->ctx
, cl
->thd
->fd
, 2);
912 assuan_set_pointer (cl
->ctx
, cl
);
913 assuan_set_hello_line (cl
->ctx
, PACKAGE_STRING
);
914 rc
= register_commands (cl
->ctx
);
918 rc
= assuan_accept (cl
->ctx
);
922 rc
= validate_peer (cl
);
923 /* May not be implemented on all platforms. */
924 if (rc
&& gpg_err_code (rc
) != GPG_ERR_ASS_GENERAL
)
927 MUTEX_LOCK (&cn_mutex
);
928 cl
->thd
->state
= CLIENT_STATE_INIT
;
929 MUTEX_UNLOCK (&cn_mutex
);
930 cl
->lock_timeout
= config_get_integer ("global", "lock_timeout");
931 xmlSetStructuredErrorFunc (cl
, xml_error_cb
);
935 log_write ("%s", pwmd_strerror (rc
));
940 * This is called after a client_thread() terminates. Set with
941 * pthread_cleanup_push().
944 cleanup_cb (void *arg
)
946 struct client_thread_s
*cn
= arg
;
947 struct client_s
*cl
= cn
->cl
;
949 MUTEX_LOCK (&cn_mutex
);
950 cn_thread_list
= slist_remove (cn_thread_list
, cn
);
951 MUTEX_UNLOCK (&cn_mutex
);
955 unlock_flock (&cl
->flock_fd
);
958 xmlResetError (cl
->xml_error
);
960 xfree (cl
->xml_error
);
965 gnutls_deinit (cn
->tls
->ses
);
971 if (!cn
->atfork
&& cl
->ctx
)
972 assuan_release (cl
->ctx
);
973 else if (!cn
->atfork
&& cl
->thd
&& cl
->thd
->fd
!= -1)
977 crypto_free (cl
->crypto
);
988 while (cn
->msg_queue
)
990 struct status_msg_s
*msg
= cn
->msg_queue
;
992 cn
->msg_queue
= msg
->next
;
997 if (!cn
->atfork
&& cn
->status_msg_pipe
[0] != -1)
998 close (cn
->status_msg_pipe
[0]);
1000 if (!cn
->atfork
&& cn
->status_msg_pipe
[1] != -1)
1001 close (cn
->status_msg_pipe
[1]);
1003 pthread_mutex_destroy (&cn
->status_mutex
);
1007 log_write (_("exiting, fd=%i"), cn
->fd
);
1008 send_status_all (STATUS_CLIENTS
, NULL
);
1013 xfree (cn
->peeraddr
);
1016 pthread_cond_signal (&quit_cond
);
1020 cleanup_all_clients (int atfork
)
1022 /* This function may be called from pthread_atfork() which requires
1023 reinitialization. */
1026 pthread_mutexattr_t attr
;
1028 pthread_mutexattr_init (&attr
);
1029 pthread_mutexattr_settype (&attr
, PTHREAD_MUTEX_RECURSIVE
);
1030 pthread_mutex_init (&cn_mutex
, &attr
);
1031 pthread_mutexattr_destroy (&attr
);
1032 cache_mutex_init ();
1035 MUTEX_LOCK (&cn_mutex
);
1037 while (slist_length (cn_thread_list
))
1039 struct client_thread_s
*thd
= slist_nth_data (cn_thread_list
, 0);
1041 thd
->atfork
= atfork
;
1046 MUTEX_UNLOCK (&cn_mutex
);
1047 cache_deinit (atfork
);
1051 send_msg_queue (struct client_thread_s
*thd
)
1053 MUTEX_LOCK (&thd
->status_mutex
);
1058 ret
= read (thd
->status_msg_pipe
[0], &c
, 1);
1059 rc
= gpg_error_from_syserror ();
1060 if (ret
== -1 && gpg_err_code (rc
) != GPG_ERR_EAGAIN
)
1061 log_write ("%s (%i): %s", __FUNCTION__
, __LINE__
, pwmd_strerror (rc
));
1065 thd
->wrote_status
= 0;
1067 while (thd
->msg_queue
)
1069 struct status_msg_s
*msg
= thd
->msg_queue
;
1071 #ifndef HAVE_PTHREAD_CANCEL
1076 thd
->msg_queue
= thd
->msg_queue
->next
;
1077 MUTEX_UNLOCK (&thd
->status_mutex
);
1078 rc
= send_status (thd
->cl
->ctx
, msg
->s
, msg
->line
);
1079 MUTEX_LOCK (&thd
->status_mutex
);
1087 MUTEX_UNLOCK (&thd
->status_mutex
);
1088 if (rc
&& gpg_err_code (rc
) != GPG_ERR_EPIPE
)
1089 log_write ("%s (%i): %s", __FUNCTION__
, __LINE__
, pwmd_strerror (rc
));
1095 client_thread (void *data
)
1097 struct client_thread_s
*thd
= data
;
1098 struct client_s
*cl
= xcalloc (1, sizeof (struct client_s
));
1100 #ifdef HAVE_PR_SET_NAME
1101 prctl (PR_SET_NAME
, "client");
1103 pthread_setspecific (thread_name_key
, str_dup (__FUNCTION__
));
1107 log_write ("%s(%i): %s", __FILE__
, __LINE__
,
1108 pwmd_strerror (GPG_ERR_ENOMEM
));
1112 MUTEX_LOCK (&cn_mutex
);
1113 pthread_cleanup_push (cleanup_cb
, thd
);
1117 MUTEX_UNLOCK (&cn_mutex
);
1119 if (new_connection (cl
))
1123 struct pollfd fds
[2];
1125 fds
[0].fd
= thd
->fd
;
1126 fds
[0].events
= POLLIN
;
1127 fds
[1].fd
= thd
->status_msg_pipe
[0];
1128 fds
[1].events
= POLLIN
;
1130 send_status_all (STATUS_CLIENTS
, NULL
);
1131 rc
= send_status (cl
->ctx
, STATUS_CACHE
, NULL
);
1134 log_write ("%s(%i): %s", __FILE__
, __LINE__
, pwmd_strerror (rc
));
1143 n
= poll (fds
, 2, 100);
1146 log_write ("%s", strerror (errno
));
1151 if (thd
->remote
&& thd
->tls
&& thd
->tls
->rehandshake
)
1157 if (thd
->tls
->rehandshake
== 1)
1159 prio
= config_get_string ("global", "tls_cipher_suite");
1162 thd
->tls
->rehandshake
= 0;
1166 ret
= gnutls_priority_set_direct (thd
->tls
->ses
, prio
, &e
);
1167 if (ret
== GNUTLS_E_SUCCESS
)
1169 rc
= send_status (cl
->ctx
, STATUS_REHANDSHAKE
, NULL
);
1172 rc
= assuan_send_data (cl
->ctx
, NULL
, 0);
1175 ret
= gnutls_rehandshake (thd
->tls
->ses
);
1178 log_write ("%s", gnutls_strerror (ret
));
1179 thd
->tls
->rehandshake
= 0;
1182 thd
->tls
->rehandshake
= 2;
1187 log_write ("%s", pwmd_strerror (rc
));
1190 log_write ("%s: %s", gnutls_strerror (ret
), e
);
1201 if (fds
[1].revents
& POLLIN
)
1204 if (!thd
->remote
|| (thd
->tls
&& !thd
->tls
->rehandshake
))
1207 rc
= send_msg_queue (thd
);
1208 if (rc
&& gpg_err_code (rc
) != GPG_ERR_EPIPE
)
1213 #ifdef HAVE_PTHREAD_CANCEL
1214 if (!(fds
[0].revents
& POLLIN
))
1216 if (thd
->fd
!= -1 && !(fds
[0].revents
& POLLIN
))
1220 rc
= assuan_process_next (cl
->ctx
, &eof
);
1223 if (gpg_err_code (rc
) == GPG_ERR_EOF
|| eof
)
1226 log_write ("assuan_process_next(): rc=%u %s", rc
,
1227 pwmd_strerror (rc
));
1228 if (rc
== gpg_error (GPG_ERR_ETIMEDOUT
))
1231 rc
= send_error (cl
->ctx
, rc
);
1234 log_write ("assuan_process_done(): rc=%u %s", rc
,
1235 pwmd_strerror (rc
));
1240 /* Since the msg queue pipe fd's are non-blocking, check for
1241 * pending status msgs here. GPG_ERR_EPIPE can be seen when the
1242 * client has already disconnected and will be converted to
1243 * GPG_ERR_EOF during assuan_process_next().
1246 if (!thd
->remote
|| (thd
->tls
&& !thd
->tls
->rehandshake
))
1249 rc
= send_msg_queue (thd
);
1250 if (rc
&& gpg_err_code (rc
) != GPG_ERR_EPIPE
)
1256 /* Don't do pthread_exit() here because any set pthread_cleanup_push
1257 * functions would be called after a command failed but then the client
1258 * exited normally which may lead to a double free. */
1259 pthread_cleanup_pop (1);
1264 xml_import (const char *filename
, const char *outfile
, char **keyid
,
1265 char **sign_keyid
, char *keyfile
, const char *keyparam
,
1274 struct crypto_s
*crypto
= NULL
;
1276 if (stat (filename
, &st
) == -1)
1278 rc
= gpg_error_from_errno (errno
);
1282 fd
= open (filename
, O_RDONLY
);
1284 return gpg_error_from_errno (errno
);
1286 xmlbuf
= xmalloc (st
.st_size
+ 1);
1290 return GPG_ERR_ENOMEM
;
1293 if (read (fd
, xmlbuf
, st
.st_size
) == -1)
1295 rc
= gpg_error_from_errno (errno
);
1302 xmlbuf
[st
.st_size
] = 0;
1303 // Be sure the document validates.
1304 doc
= xmlReadDoc (xmlbuf
, NULL
, "UTF-8", XML_PARSE_NOBLANKS
);
1307 return GPG_ERR_BAD_DATA
;
1309 xmlNodePtr n
= xmlDocGetRootElement (doc
);
1310 if (n
&& !xmlStrEqual (n
->name
, (xmlChar
*) "pwmd"))
1311 rc
= GPG_ERR_BAD_DATA
;
1315 rc
= xml_validate_import (NULL
, n
? n
->children
: n
);
1318 rc
= crypto_init (&crypto
, NULL
, filename
, keyfile
!= NULL
, keyfile
);
1323 crypto
->flags
|= CRYPTO_FLAG_KEYFILE
;
1324 crypto
->keyfile
= str_dup (keyfile
);
1327 xmlDocDumpMemory (doc
, &crypto
->plaintext
, &len
);
1329 crypto
->plaintext_size
= len
;
1331 rc
= GPG_ERR_ENOMEM
;
1338 if (!symmetric
&& (keyparam
|| !keyid
))
1344 fd
= open (keyparam
, O_RDONLY
);
1346 rc
= gpg_error_from_errno (errno
);
1350 if (stat (keyparam
, &st
) == -1)
1351 rc
= gpg_error_from_errno (errno
);
1355 buf
= xmalloc (st
.st_size
+1);
1357 rc
= GPG_ERR_ENOMEM
;
1361 len
= read (fd
, buf
, st
.st_size
);
1362 if (len
!= st
.st_size
)
1363 rc
= gpg_error_from_errno (errno
);
1376 buf
= crypto_default_key_params ();
1378 rc
= GPG_ERR_ENOMEM
;
1382 rc
= crypto_genkey (NULL
, crypto
, (unsigned char *)buf
);
1388 crypto
->save
.pubkey
= strv_dup (keyid
);
1389 crypto
->save
.sigkey
= strv_dup (sign_keyid
);
1394 crypto
->flags
|= symmetric
? CRYPTO_FLAG_SYMMETRIC
: 0;
1395 rc
= crypto_encrypt (NULL
, crypto
);
1401 if (!strcmp (outfile
, "-"))
1404 xfree (crypto
->plaintext
);
1405 crypto
->plaintext
= NULL
;
1406 xfree (crypto
->filename
);
1407 crypto
->filename
= outfile
? str_dup (outfile
) : NULL
;
1408 rc
= crypto_write_file (crypto
);
1412 crypto_free (crypto
);
1417 do_cache_push (struct crypto_s
*crypto
)
1421 struct cache_data_s
*cdata
;
1426 log_write (_("Trying to add datafile '%s' to the file cache ..."),
1429 if (valid_filename (crypto
->filename
) == 0)
1431 log_write (_("%s: Invalid characters in filename"), crypto
->filename
);
1432 return GPG_ERR_INV_VALUE
;
1435 rc
= lock_flock (NULL
, crypto
->filename
, LOCK_SH
, &fd
);
1437 rc
= crypto_decrypt (NULL
, crypto
);
1444 rc
= xml_parse_doc ((char *) crypto
->plaintext
, crypto
->plaintext_size
, &doc
);
1448 log_write ("%s", pwmd_strerror (rc
));
1452 cdata
= xcalloc (1, sizeof (struct cache_data_s
));
1457 return GPG_ERR_ENOMEM
;
1460 rc
= get_checksum (crypto
->filename
, &crc
, &len
);
1465 free_cache_data_once (cdata
);
1470 rc
= cache_encrypt (crypto
);
1473 cdata
->doc
= crypto
->plaintext
;
1474 cdata
->size
= crypto
->plaintext_size
;
1475 crypto
->plaintext
= NULL
;
1476 cdata
->pubkey
= crypto
->pubkey
;
1477 cdata
->sigkey
= crypto
->sigkey
;
1478 crypto
->pubkey
= NULL
;
1479 crypto
->sigkey
= NULL
;
1484 free_cache_data_once (cdata
);
1488 int timeout
= config_get_integer (crypto
->filename
, "cache_timeout");
1489 rc
= cache_add_file (crypto
->filename
, cdata
, timeout
);
1494 init_client (int fd
, const char *addr
)
1497 struct client_thread_s
*new = xcalloc (1, sizeof (struct client_thread_s
));
1502 log_write ("%s: %s", __FUNCTION__
, pwmd_strerror (ENOMEM
));
1503 return GPG_ERR_ENOMEM
;
1506 MUTEX_LOCK (&cn_mutex
);
1507 new->conntime
= time (NULL
);
1508 pthread_cleanup_push (cleanup_mutex_cb
, &cn_mutex
);
1510 if (pipe (new->status_msg_pipe
) == -1)
1511 rc
= gpg_error_from_errno (errno
);
1515 if (fcntl (new->status_msg_pipe
[0], F_SETFL
, O_NONBLOCK
) == -1)
1516 rc
= gpg_error_from_errno (errno
);
1519 if (fcntl (new->status_msg_pipe
[1], F_SETFL
, O_NONBLOCK
) == -1)
1520 rc
= gpg_error_from_errno (errno
);
1522 pthread_mutex_init (&new->status_mutex
, NULL
);
1528 new->remote
= addr
? 1 : 0;
1531 rc
= create_thread (client_thread
, new, &new->tid
, 1);
1534 close (new->status_msg_pipe
[0]);
1535 close (new->status_msg_pipe
[1]);
1536 pthread_mutex_destroy (&new->status_mutex
);
1542 struct slist_s
*list
= slist_append (cn_thread_list
, new);
1546 cn_thread_list
= list
;
1549 log_write (_("new connection: tid=%p, fd=%i, addr=%s"),
1550 (pthread_t
*) new->tid
, fd
, addr
);
1552 new->peeraddr
= str_dup (addr
);
1556 log_write (_("new connection: tid=%p, fd=%i"),
1557 (pthread_t
*) new->tid
, fd
);
1560 rc
= GPG_ERR_ENOMEM
;
1563 pthread_cleanup_pop (1);
1569 log_write ("%s(%i): pthread_create(): %s", __FILE__
, __LINE__
,
1570 pwmd_strerror (rc
));
1576 /* From Beej's Guide to Network Programming. It's a good tutorial. */
1578 get_in_addr (struct sockaddr
*sa
)
1580 if (sa
->sa_family
== AF_INET
)
1581 return &(((struct sockaddr_in
*) sa
)->sin_addr
);
1583 return &(((struct sockaddr_in6
*) sa
)->sin6_addr
);
1587 start_stop_tls_with_protocol (int ipv6
, int term
)
1589 struct addrinfo hints
, *servinfo
, *p
;
1590 int port
= config_get_integer ("global", "tcp_port");
1593 int *fd
= ipv6
? &tls6_fd
: &tls_fd
;
1595 if (term
|| config_get_boolean ("global", "enable_tcp") == 0)
1599 shutdown (tls6_fd
, SHUT_RDWR
);
1606 shutdown (tls_fd
, SHUT_RDWR
);
1614 memset (&hints
, 0, sizeof (hints
));
1615 hints
.ai_family
= ipv6
? AF_INET6
: AF_INET
;
1616 hints
.ai_socktype
= SOCK_STREAM
;
1617 hints
.ai_flags
= AI_PASSIVE
;
1618 snprintf (buf
, sizeof (buf
), "%i", port
);
1620 if ((n
= getaddrinfo (NULL
, buf
, &hints
, &servinfo
)) == -1)
1622 log_write ("getaddrinfo(): %s", gai_strerror (n
));
1626 for (n
= 0, p
= servinfo
; p
!= NULL
; p
= p
->ai_next
)
1630 if ((ipv6
&& p
->ai_family
!= AF_INET6
)
1631 || (!ipv6
&& p
->ai_family
!= AF_INET
))
1634 if ((*fd
= socket (p
->ai_family
, p
->ai_socktype
, p
->ai_protocol
)) == -1)
1636 log_write ("socket(): %s", strerror (errno
));
1640 if (setsockopt (*fd
, SOL_SOCKET
, SO_REUSEADDR
, &r
, sizeof (int)) == -1)
1642 log_write ("setsockopt(): %s",
1643 pwmd_strerror (gpg_error_from_errno (errno
)));
1644 freeaddrinfo (servinfo
);
1648 if (bind (*fd
, p
->ai_addr
, p
->ai_addrlen
) == -1)
1651 log_write ("bind(): %s",
1652 pwmd_strerror (gpg_error_from_errno (errno
)));
1660 freeaddrinfo (servinfo
);
1665 #if HAVE_DECL_SO_BINDTODEVICE != 0
1666 char *tmp
= config_get_string ("global", "tcp_interface");
1667 if (tmp
&& setsockopt (*fd
, SOL_SOCKET
, SO_BINDTODEVICE
, tmp
,
1668 strlen (tmp
)) == -1)
1670 log_write ("setsockopt(): %s",
1671 pwmd_strerror (gpg_error_from_errno (errno
)));
1679 if (listen (*fd
, 128) == -1)
1681 log_write ("listen(): %s", strerror (errno
));
1688 start_stop_tls_with_protocol (0, 1);
1701 start_stop_tls (int term
)
1703 char *s
= config_get_string ("global", "tcp_bind");
1709 if (!strcmp (s
, "any"))
1711 b
= start_stop_tls_with_protocol (0, term
);
1713 b
= start_stop_tls_with_protocol (1, term
);
1715 else if (!strcmp (s
, "ipv4"))
1716 b
= start_stop_tls_with_protocol (0, term
);
1717 else if (!strcmp (s
, "ipv6"))
1718 b
= start_stop_tls_with_protocol (1, term
);
1725 gpg_error_t rc
= tls_init_params ();
1728 start_stop_tls_with_protocol (0, 1);
1739 do_tls_accept (struct pollfd
*fds
)
1741 struct sockaddr_storage raddr
;
1742 socklen_t slen
= sizeof (raddr
);
1744 char s
[INET6_ADDRSTRLEN
];
1746 if (!(fds
->revents
& POLLIN
))
1749 fd
= accept (fds
->fd
, (struct sockaddr
*) &raddr
, &slen
);
1754 if (errno
!= EAGAIN
&& !quit
)
1755 log_write ("%s: %s", __FUNCTION__
,
1756 pwmd_strerror (gpg_error_from_syserror()));
1758 return gpg_error_from_errno (e
);
1761 inet_ntop (raddr
.ss_family
, get_in_addr ((struct sockaddr
*) &raddr
), s
,
1763 (void) init_client (fd
, s
);
1769 accept_thread (void *arg
)
1771 int sockfd
= *(int *) arg
;
1772 #ifndef HAVE_PTHREAD_CANCEL
1773 int *n
= xmalloc (sizeof (int));
1776 pthread_setspecific (signal_thread_key
, n
);
1777 INIT_SIGNAL (SIGUSR2
, catch_thread_signal
);
1778 fcntl (sockfd
, F_SETFL
, O_NONBLOCK
);
1781 #ifdef HAVE_PR_SET_NAME
1782 prctl (PR_SET_NAME
, "accept");
1784 pthread_setspecific (thread_name_key
, str_asprintf ("!%s", __FUNCTION__
));
1788 socklen_t slen
= sizeof (struct sockaddr_un
);
1789 struct sockaddr_un raddr
;
1791 struct pollfd fds
[3];
1792 #ifndef HAVE_PTHREAD_CANCEL
1793 int *sigusr2
= (int *) pthread_getspecific (signal_thread_key
);
1799 memset (fds
, 0, sizeof (fds
));
1801 fds
[s
++].events
= POLLIN
;
1807 fds
[s
++].events
= POLLIN
;
1814 fds
[s
].fd
= tls6_fd
;
1815 fds
[s
++].events
= POLLIN
;
1818 fds
[s
].fd
= tls6_fd
;
1821 s
= poll (fds
, s
, 500);
1825 log_write ("%s", strerror (errno
));
1831 if (fds
[0].revents
& POLLIN
)
1833 fd
= accept (sockfd
, (struct sockaddr
*) &raddr
, &slen
);
1836 if (errno
== EMFILE
|| errno
== ENFILE
)
1837 log_write ("%s: %s", __FUNCTION__
,
1838 pwmd_strerror (gpg_error_from_errno (errno
)));
1839 else if (errno
!= EAGAIN
&& errno
!= EINTR
)
1841 if (!quit
) // probably EBADF
1842 log_write ("%s: %s", __FUNCTION__
,
1843 pwmd_strerror (gpg_error_from_errno (errno
)));
1851 (void) init_client (fd
, NULL
);
1855 if (tls_fd
!= -1 && fds
[1].fd
== tls_fd
)
1856 (void)do_tls_accept (&fds
[1]);
1858 if (tls6_fd
!= -1 && fds
[1].fd
== tls6_fd
)
1859 (void)do_tls_accept (&fds
[1]);
1861 if (tls6_fd
!= -1 && fds
[2].fd
== tls6_fd
)
1862 (void)do_tls_accept (&fds
[2]);
1866 /* Just in case accept() failed for some reason other than EBADF */
1872 cache_timer_thread (void *arg
)
1875 #ifndef HAVE_PTHREAD_CANCEL
1876 int *n
= xmalloc (sizeof (int));
1879 pthread_setspecific (signal_thread_key
, n
);
1880 INIT_SIGNAL (SIGUSR2
, catch_thread_signal
);
1883 #ifdef HAVE_PR_SET_NAME
1884 prctl (PR_SET_NAME
, "timer");
1886 pthread_setspecific (thread_name_key
, str_asprintf ("!%s", __FUNCTION__
));
1890 struct timeval tv
= { 1, 0 };
1891 unsigned keepalive
= config_get_integer ("global", "keepalive_interval");
1892 #ifndef HAVE_PTHREAD_CANCEL
1895 n
= (int *) pthread_getspecific (signal_thread_key
);
1900 select (0, NULL
, NULL
, NULL
, &tv
);
1901 cache_adjust_timeout ();
1903 if (++k
>= keepalive
)
1905 send_status_all (STATUS_KEEPALIVE
, NULL
);
1914 signal_loop (sigset_t sigset
)
1923 sigwait (&sigset
, &sig
);
1926 log_write (_("caught signal %i (%s)"), sig
, strsignal (sig
));
1931 pthread_cond_signal (&rcfile_cond
);
1934 log_write (_("clearing file cache"));
1935 cache_clear (NULL
, NULL
, 1);
1936 send_status_all (STATUS_CACHE
, NULL
);
1955 log_write (_ ("Caught signal %i (%s). Exiting."), sig
, strsignal (sig
));
1956 #ifdef HAVE_BACKTRACE
1957 BACKTRACE (__FUNCTION__
);
1963 waiting_for_exit (void *arg
)
1966 #ifndef HAVE_PTHREAD_CANCEL
1967 int *n
= xmalloc (sizeof (int));
1970 pthread_setspecific (signal_thread_key
, n
);
1971 INIT_SIGNAL (SIGUSR2
, catch_thread_signal
);
1974 #ifdef HAVE_PR_SET_NAME
1975 prctl (PR_SET_NAME
, "exiting");
1977 pthread_setspecific (thread_name_key
, str_asprintf ("!%s", __FUNCTION__
));
1978 log_write (_("waiting for all clients to disconnect"));
1979 MUTEX_LOCK (&quit_mutex
);
1980 pthread_cleanup_push (cleanup_mutex_cb
, &quit_mutex
);
1987 MUTEX_LOCK (&cn_mutex
);
1988 n
= slist_length (cn_thread_list
);
1989 MUTEX_UNLOCK (&cn_mutex
);
1993 #ifndef HAVE_PTHREAD_CANCEL
1994 int *s
= (int *) pthread_getspecific (signal_thread_key
);
2001 log_write (_("%i clients remain"), n
);
2005 INIT_TIMESPEC (SIG_TIMEOUT
, ts
);
2006 pthread_cond_timedwait (&quit_cond
, &quit_mutex
, &ts
);
2009 kill (getpid (), SIGQUIT
);
2010 pthread_cleanup_pop (1);
2015 server_loop (int sockfd
, char **socketpath
)
2017 pthread_t cache_timeout_tid
;
2018 int cancel_timeout_thread
= 0, cancel_accept_thread
= 0;
2025 sigemptyset (&sigset
);
2028 sigaddset (&sigset
, SIGTERM
);
2029 sigaddset (&sigset
, SIGINT
);
2031 /* Clears the file cache. */
2032 sigaddset (&sigset
, SIGUSR1
);
2034 /* Configuration file reloading. */
2035 sigaddset (&sigset
, SIGHUP
);
2037 /* For exiting cleanly. */
2038 sigaddset (&sigset
, SIGQUIT
);
2040 #ifndef HAVE_PTHREAD_CANCEL
2042 The socket, cache and rcfile threads use this signal when
2043 pthread_cancel() is unavailable. Prevent the main thread from
2044 catching this signal from another process.
2046 sigaddset (&sigset
, SIGUSR2
);
2049 /* An assertion failure. */
2050 signal (SIGABRT
, catchsig
);
2051 sigaddset (&sigset
, SIGABRT
);
2052 sigprocmask (SIG_BLOCK
, &sigset
, NULL
);
2054 #ifndef HAVE_PTHREAD_CANCEL
2055 /* Remove this signal from the watched signals in signal_loop(). */
2056 sigdelset (&sigset
, SIGUSR2
);
2059 /* Can show a backtrace of the stack in the log. */
2060 signal (SIGSEGV
, catchsig
);
2062 pthread_mutex_init (&quit_mutex
, NULL
);
2063 pthread_cond_init (&quit_cond
, NULL
);
2064 char *p
= get_username (getuid());
2065 log_write (_("%s started for user %s"), PACKAGE_STRING
, p
);
2069 if (config_get_boolean ("global", "enable_tcp"))
2070 log_write (_("Listening on %s and TCP port %i"), *socketpath
,
2071 config_get_integer ("global", "tcp_port"));
2073 log_write (_("Listening on %s"), *socketpath
);
2075 log_write (_("Listening on %s"), *socketpath
);
2078 rc
= create_thread (reload_rcfile_thread
, NULL
, &rcfile_tid
, 0);
2081 log_write ("%s(%i): pthread_create(): %s", __FILE__
, __LINE__
,
2082 pwmd_strerror (rc
));
2086 rc
= create_thread (cache_timer_thread
, NULL
, &cache_timeout_tid
, 0);
2089 log_write ("%s(%i): pthread_create(): %s", __FILE__
, __LINE__
,
2090 pwmd_strerror (rc
));
2094 cancel_timeout_thread
= 1;
2095 rc
= create_thread (accept_thread
, &sockfd
, &accept_tid
, 0);
2098 log_write ("%s(%i): pthread_create(): %s", __FILE__
, __LINE__
,
2099 pwmd_strerror (rc
));
2103 cancel_accept_thread
= 1;
2105 signal_loop (sigset
);
2111 * We're out of the main server loop. This happens when a signal was sent
2112 * to terminate the daemon. We'll wait for all clients to disconnect
2113 * before exiting but exit immediately if another termination signal is
2116 if (cancel_accept_thread
)
2118 #ifdef HAVE_PTHREAD_CANCEL
2119 int n
= pthread_cancel (accept_tid
);
2121 int n
= pthread_kill (accept_tid
, SIGUSR2
);
2124 pthread_join (accept_tid
, NULL
);
2127 if (cancel_timeout_thread
)
2129 #ifdef HAVE_PTHREAD_CANCEL
2130 n
= pthread_cancel (cache_timeout_tid
);
2132 n
= pthread_kill (cache_timeout_tid
, SIGUSR2
);
2135 pthread_join (cache_timeout_tid
, NULL
);
2141 shutdown (sockfd
, SHUT_RDWR
);
2143 unlink (*socketpath
);
2144 xfree (*socketpath
);
2146 MUTEX_LOCK (&cn_mutex
);
2147 n
= slist_length (cn_thread_list
);
2148 MUTEX_UNLOCK (&cn_mutex
);
2154 rc
= create_thread (waiting_for_exit
, NULL
, &tid
, 0);
2157 if (signal_loop (sigset
))
2159 log_write (_("Received second termination request. Exiting."));
2160 #ifdef HAVE_PTHREAD_CANCEL
2161 pthread_cancel (tid
);
2163 pthread_kill (tid
, SIGUSR2
);
2165 pthread_join (tid
, NULL
);
2169 log_write ("%s(%i): pthread_create(): %s", __FILE__
, __LINE__
,
2170 pwmd_strerror (rc
));
2173 cleanup_all_clients (0);
2175 pthread_cond_destroy (&quit_cond
);
2176 pthread_mutex_destroy (&quit_mutex
);
2177 return segv
? EXIT_FAILURE
: EXIT_SUCCESS
;;
2184 ("Failed to add a file to the cache. Use --force to force startup. Exiting."));
2185 cache_clear (NULL
, NULL
, 1);
2189 usage (const char *pn
, int status
)
2191 FILE *fp
= status
== EXIT_FAILURE
? stderr
: stdout
;
2193 fprintf (fp
, _("Usage: %s [OPTIONS] [file1] [...]\n"
2194 " --debug=[a:..][,g:N][,t:N] enable debugging (a:[ixedsc],g:[1-9],t:[0-N])\n"
2195 " -f, --rcfile=filename load the specfied configuration file\n"
2196 " (~/.pwmd/config)\n"
2197 " --homedir alternate pwmd home directory (~/.pwmd)\n"
2198 " --kill terminate an existing instance of pwmd\n"
2199 " -n, --no-fork run as a foreground process\n"
2200 " -D, --disable-dump disable the LIST, XPATH and DUMP commands\n"
2201 " --ignore, --force ignore file errors during startup\n"
2202 " -o, --outfile=filename output file when importing or converting\n"
2203 " -C, --convert=filename convert a version 2 data file to version 3\n"
2204 " -I, --import=filename import a pwmd DTD formatted XML file)\n"
2205 " -k, --passphrase-file=file for use when importing or converting\n"
2206 " --no-passphrase-file prompt instead of using --passphrase-file when\n"
2208 " --no-passphrase when importing or converting\n"
2209 " --keyid=keyID[,..] public key to use when encrypting\n"
2210 " --sign-keyid=fpr[,..] fingerprint of the signing key to use\n"
2211 " --symmetric use conventional encryption with optional signer\n"
2212 " --keyparam=filename custom key parameters to use (gpg default)\n"
2213 " --help this help text\n"
2214 " --version show version and compile time features\n"),
2220 unlink_stale_socket (const char *sock
, const char *pidfile
)
2222 log_write (_ ("removing stale socket %s"), sock
);
2228 test_pidfile (const char *path
, const char *sock
, char *buf
, size_t buflen
,
2229 char **pidfile
, int create
, mode_t mode
, int terminate
)
2237 snprintf (buf
, buflen
, "%s/%s.pid", homedir
, sock
);
2238 *pidfile
= str_dup (buf
);
2239 fd
= open (buf
, O_RDONLY
);
2242 fd
= open (*pidfile
, O_CREAT
|O_WRONLY
|O_TRUNC
, mode
);
2246 if (!create
&& errno
!= ENOENT
)
2248 log_write ("%s: %s", buf
, pwmd_strerror (errno
));
2253 else if (!create
&& !terminate
)
2256 log_write ("%s: %s", *pidfile
, strerror (errno
));
2262 snprintf (buf
, buflen
, "%i", getpid ());
2263 ssize_t ret
= write (fd
, buf
, strlen (buf
));
2265 log_write ("%s (%i): %s", __FUNCTION__
, __LINE__
,
2266 pwmd_strerror (gpg_error_from_syserror ()));
2271 len
= read (fd
, buf
, buflen
);
2275 unlink_stale_socket (path
, *pidfile
);
2279 if (sscanf (buf
, "%5i", &pid
) != 1 || pid
== 0)
2283 unlink_stale_socket (path
, *pidfile
);
2288 if (kill (pid
, 0) == -1)
2290 unlink_stale_socket (path
, *pidfile
);
2296 if (kill (pid
, SIGTERM
) == -1)
2297 log_write ("%s: %s", path
, pwmd_strerror (errno
));
2300 log_write (_ ("an instance for socket %s is already running"), path
);
2308 parse_debug_level (const char *str
, unsigned *debug
, int *gpgme
, int *tls
)
2314 for (p
= str
; p
&& *p
; p
++)
2316 if (*p
== 'a') // assuan debug flags
2326 level
|= ASSUAN_LOG_INIT
;
2329 level
|= ASSUAN_LOG_CTX
;
2332 level
|= ASSUAN_LOG_ENGINE
;
2335 level
|= ASSUAN_LOG_DATA
;
2338 level
|= ASSUAN_LOG_SYSIO
;
2341 level
|= ASSUAN_LOG_CONTROL
;
2356 else if (*p
== 'g' || *p
== 't') // gpgme and TLS debug level
2364 if (!isdigit (*++p
))
2373 if (tl
< 0 || gl
< 0 || gl
> 9)
2376 while (isdigit (*p
))
2380 if (*(p
+1) && *(p
+1) != ',')
2400 main (int argc
, char *argv
[])
2403 struct sockaddr_un addr
;
2405 char *socketpath
= NULL
, *socketdir
, *socketname
= NULL
;
2406 char *socketarg
= NULL
;
2407 char *datadir
= NULL
;
2408 char *pidfile
= NULL
;
2412 char **cache_push
= NULL
;
2413 char *import
= NULL
, *keyid
= NULL
, *sign_keyid
= NULL
;
2414 char *keyparam
= NULL
;
2415 int estatus
= EXIT_FAILURE
;
2417 char *outfile
= NULL
;
2420 int show_version
= 0;
2423 char *keyfile
= NULL
;
2428 int gpgme_level
= -1;
2430 /* Must maintain the same order as longopts[] */
2433 OPT_VERSION
, OPT_HELP
, OPT_HOMEDIR
, OPT_NO_FORK
, OPT_DISABLE_DUMP
,
2434 OPT_FORCE
, OPT_RCFILE
, OPT_PASSPHRASE_FILE
, OPT_IMPORT
, OPT_OUTFILE
,
2435 OPT_KEYID
, OPT_SIGN_KEYID
, OPT_SYMMETRIC
, OPT_KEYPARAM
, OPT_KILL
,
2438 const char *optstring
= "nf:C:k:I:o:s";
2439 const struct option longopts
[] = {
2440 {"version", no_argument
, 0, 0},
2441 {"help", no_argument
, 0, 0},
2442 {"homedir", required_argument
, 0, 0},
2443 {"no-fork", no_argument
, 0, 'n'},
2444 {"disable_dump", no_argument
, 0, 0},
2445 {"force", no_argument
, 0, 0},
2446 {"rcfile", required_argument
, 0, 'f'},
2447 {"passphrase-file", required_argument
, 0, 'k'},
2448 {"import", required_argument
, 0, 'I'},
2449 {"outfile", required_argument
, 0, 'o'},
2450 {"keyid", required_argument
, 0, 0},
2451 {"sign-keyid", required_argument
, 0, 0},
2452 {"symmetric", no_argument
, 0, 's'},
2453 {"keyparam", required_argument
, 0, 0},
2454 {"kill", no_argument
, 0, 0},
2455 {"debug", required_argument
, 0, 0},
2463 #ifdef HAVE_SETRLIMIT
2466 rl
.rlim_cur
= rl
.rlim_max
= 0;
2468 if (setrlimit (RLIMIT_CORE
, &rl
) != 0)
2469 err (EXIT_FAILURE
, "setrlimit()");
2472 #ifdef HAVE_PR_SET_DUMPABLE
2473 prctl (PR_SET_DUMPABLE
, 0);
2478 setlocale (LC_ALL
, "");
2479 bindtextdomain ("pwmd", LOCALEDIR
);
2480 textdomain ("pwmd");
2483 if (setup_crypto ())
2484 exit (EXIT_FAILURE
);
2487 tls_level
= tls_level
== -1 ? 1 : tls_level
;
2488 gnutls_global_set_log_level (tls_level
);
2492 xmlMemSetup (xfree
, xmalloc
, xrealloc
, str_dup
);
2498 while ((opt
= getopt_long (argc
, argv
, optstring
, longopts
, &optindex
))
2519 rcfile
= str_dup (optarg
);
2525 usage (argv
[0], EXIT_FAILURE
);
2531 if (parse_debug_level (optarg
, &assuan_level
, &gpgme_level
,
2533 usage (argv
[0], EXIT_FAILURE
);
2542 usage (argv
[0], EXIT_SUCCESS
);
2545 homedir
= str_dup (optarg
);
2550 case OPT_DISABLE_DUMP
:
2557 rcfile
= str_dup (optarg
);
2559 case OPT_PASSPHRASE_FILE
:
2571 case OPT_SIGN_KEYID
:
2572 sign_keyid
= optarg
;
2581 usage (argv
[0], EXIT_FAILURE
);
2589 "Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016\n"
2591 "Released under the terms of the GPL v2. Use at your own risk.\n\n"
2592 "Compile time features:\n%s"), PACKAGE_STRING
,
2595 "+PWMD_HOMEDIR=" PWMD_HOMEDIR
"\n"
2623 exit (EXIT_SUCCESS
);
2628 homedir
= str_dup(PWMD_HOMEDIR
);
2630 homedir
= str_asprintf ("%s/.pwmd", get_home_dir());
2633 if (mkdir (homedir
, 0700) == -1 && errno
!= EEXIST
)
2634 err (EXIT_FAILURE
, "%s", homedir
);
2637 rcfile
= str_asprintf ("%s/config", homedir
);
2639 pthread_key_create (&last_error_key
, free_key
);
2640 #ifndef HAVE_PTHREAD_CANCEL
2641 pthread_key_create (&signal_thread_key
, free_key
);
2644 pthread_mutexattr_t attr
;
2645 pthread_mutexattr_init (&attr
);
2646 pthread_mutexattr_settype (&attr
, PTHREAD_MUTEX_RECURSIVE
);
2647 pthread_mutex_init (&rcfile_mutex
, &attr
);
2648 global_config
= config_parse (rcfile
, 0);
2651 pthread_mutexattr_destroy (&attr
);
2652 pthread_mutex_destroy (&rcfile_mutex
);
2653 exit (EXIT_FAILURE
);
2656 p
= config_get_string ("global", "gpg_homedir");
2658 datadir
= str_asprintf ("%s/.gnupg", homedir
);
2660 datadir
= expand_homedir (p
);
2663 if (mkdir (datadir
, 0700) == -1 && errno
!= EEXIST
)
2664 err (EXIT_FAILURE
, "%s", datadir
);
2666 if (gpgme_level
!= -1)
2668 char s
[2] = { gpgme_level
+ '0', 0 };
2670 if (getenv ("GPGME_DEBUG"))
2671 log_write (_ ("Overriding GPGME_DEBUG environment with level %u!"),
2674 gpgme_set_global_flag ("debug", s
);
2677 rc
= gpgme_set_engine_info (GPGME_PROTOCOL_OpenPGP
, NULL
, datadir
);
2680 snprintf (buf
, sizeof (buf
), "%s/data", homedir
);
2681 if (mkdir (buf
, 0700) == -1 && errno
!= EEXIST
)
2682 err (EXIT_FAILURE
, "%s", buf
);
2684 datadir
= str_dup (buf
);
2685 pthread_cond_init (&rcfile_cond
, NULL
);
2686 pthread_mutex_init (&cn_mutex
, &attr
);
2687 pthread_mutexattr_destroy (&attr
);
2691 x
= config_get_int_param (global_config
, "global", "priority", &exists
);
2692 if (exists
&& x
!= atoi(INVALID_PRIORITY
))
2695 if (setpriority (PRIO_PROCESS
, 0, x
) == -1)
2697 log_write ("setpriority(): %s",
2698 pwmd_strerror (gpg_error_from_errno (errno
)));
2702 #ifdef HAVE_MLOCKALL
2703 if (disable_mlock
== 0 && mlockall (MCL_CURRENT
| MCL_FUTURE
) == -1)
2705 log_write ("mlockall(): %s",
2706 pwmd_strerror (gpg_error_from_errno (errno
)));
2714 log_write ("pwmd: ERR %i: %s", rc
, pwmd_strerror (rc
));
2715 exit (EXIT_FAILURE
);
2720 char **keyids
= NULL
, **sign_keyids
= NULL
;
2722 if (!outfile
|| !*outfile
|| argc
!= optind
)
2723 usage (argv
[0], EXIT_FAILURE
);
2726 keyids
= str_split (keyid
, ",", 0);
2728 sign_keyids
= str_split (sign_keyid
, ",", 0);
2729 rc
= xml_import (import
, outfile
, keyids
, sign_keyids
, keyfile
, keyparam
, sym
);
2731 strv_free (sign_keyids
);
2734 if (gpg_err_source (rc
) == GPG_ERR_SOURCE_UNKNOWN
)
2735 rc
= gpg_error (rc
);
2737 log_write ("%s: %u: %s", import
, rc
, pwmd_strerror (rc
));
2740 config_free (global_config
);
2742 exit (rc
? EXIT_FAILURE
: EXIT_SUCCESS
);
2745 p
= config_get_string ("global", "socket_path");
2747 p
= str_asprintf ("%s/socket", homedir
);
2749 socketarg
= expand_homedir (p
);
2753 disable_list_and_dump
= config_get_boolean ("global",
2754 "disable_list_and_dump");
2756 disable_list_and_dump
= secure
;
2758 cache_push
= config_get_list ("global", "cache_push");
2760 while (optind
< argc
)
2762 if (strv_printf (&cache_push
, "%s", argv
[optind
++]) == 0)
2763 errx (EXIT_FAILURE
, "%s", pwmd_strerror (GPG_ERR_ENOMEM
));
2766 if (strchr (socketarg
, '/') == NULL
)
2768 socketdir
= getcwd (buf
, sizeof (buf
));
2769 socketname
= str_dup (socketarg
);
2770 socketpath
= str_asprintf ("%s/%s", socketdir
, socketname
);
2774 socketname
= str_dup (strrchr (socketarg
, '/'));
2776 socketarg
[strlen (socketarg
) - strlen (socketname
) - 1] = 0;
2777 socketdir
= str_dup (socketarg
);
2778 socketpath
= str_asprintf ("%s/%s", socketdir
, socketname
);
2781 if (chdir (datadir
))
2783 log_write ("%s: %s", datadir
,
2784 pwmd_strerror (gpg_error_from_errno (errno
)));
2785 unlink (socketpath
);
2789 x
= test_pidfile (socketpath
, socketname
, buf
, sizeof(buf
), &pidfile
, 0,
2791 if (!terminate
&& x
)
2795 estatus
= x
!= 1 ? EXIT_FAILURE
: EXIT_SUCCESS
;
2800 * bind() doesn't like the full pathname of the socket or any non alphanum
2801 * characters so change to the directory where the socket is wanted then
2802 * create it then change to datadir.
2804 if (chdir (socketdir
))
2806 log_write ("%s: %s", socketdir
,
2807 pwmd_strerror (gpg_error_from_errno (errno
)));
2813 if ((sockfd
= socket (PF_UNIX
, SOCK_STREAM
, 0)) == -1)
2815 log_write ("socket(): %s", pwmd_strerror (gpg_error_from_errno (errno
)));
2819 addr
.sun_family
= AF_UNIX
;
2820 snprintf (addr
.sun_path
, sizeof (addr
.sun_path
), "%s", socketname
);
2822 if (bind (sockfd
, (struct sockaddr
*) &addr
, sizeof (struct sockaddr
)) ==
2825 log_write ("bind(): %s", pwmd_strerror (gpg_error_from_errno (errno
)));
2827 if (errno
== EADDRINUSE
)
2830 log_write (_("Either there is another pwmd running or '%s' is a \n"
2831 "stale socket. Please remove it manually."), socketpath
);
2838 char *t
= config_get_string ("global", "socket_perms");
2843 mode
= strtol (t
, NULL
, 8);
2847 if (chmod (socketname
, mode
) == -1)
2849 log_write ("%s: %s", socketname
,
2850 pwmd_strerror (gpg_error_from_errno (errno
)));
2860 xfree (--socketname
);
2862 if (chdir (datadir
))
2864 log_write ("%s: %s", datadir
,
2865 pwmd_strerror (gpg_error_from_errno (errno
)));
2872 if (config_get_boolean ("global", "enable_tcp"))
2874 if (!start_stop_tls (0))
2883 * Set the cache entry for a file. Prompts for the password.
2887 for (opt
= 0; cache_push
[opt
]; opt
++)
2889 struct crypto_s
*crypto
= NULL
;
2890 char *pw_file
= config_get_string (cache_push
[opt
],
2892 gpg_error_t rc
= crypto_init (&crypto
, NULL
, cache_push
[opt
],
2893 pw_file
!= NULL
, pw_file
);
2897 crypto
->flags
|= pw_file
? CRYPTO_FLAG_KEYFILE
: 0;
2898 crypto
->keyfile
= pw_file
;
2905 estatus
= EXIT_FAILURE
;
2909 rc
= do_cache_push (crypto
);
2912 log_write ("ERR %u: %s", rc
, pwmd_strerror(rc
));
2913 strv_free (cache_push
);
2915 estatus
= EXIT_FAILURE
;
2916 crypto_free (crypto
);
2920 log_write ("%s: %s", crypto
->filename
, pwmd_strerror(rc
));
2922 log_write (_("Successfully added '%s' to the cache."),
2925 crypto_free (crypto
);
2928 strv_free (cache_push
);
2929 log_write (!nofork
? _("Done. Daemonizing...") :
2930 _("Done. Waiting for connections..."));
2933 if (listen (sockfd
, 128) == -1)
2935 log_write ("listen(): %s", pwmd_strerror (gpg_error_from_errno (errno
)));
2944 log_write ("fork(): %s",
2945 pwmd_strerror (gpg_error_from_errno (errno
)));
2954 _exit (EXIT_SUCCESS
);
2958 (void)test_pidfile (socketpath
, socketname
, buf
, sizeof(buf
), &pidfile
, 1,
2961 pthread_key_create (&thread_name_key
, free_key
);
2962 estatus
= server_loop (sockfd
, &socketpath
);
2965 if (socketpath
&& do_unlink
)
2967 unlink (socketpath
);
2973 gnutls_global_deinit ();
2974 tls_deinit_params ();
2978 #ifdef HAVE_PTHREAD_CANCEL
2979 pthread_cancel (rcfile_tid
);
2981 pthread_kill (rcfile_tid
, SIGUSR2
);
2982 pthread_cond_signal (&rcfile_cond
);
2984 pthread_join (rcfile_tid
, NULL
);
2987 pthread_cond_destroy (&rcfile_cond
);
2988 pthread_mutex_destroy (&rcfile_mutex
);
2989 pthread_key_delete (last_error_key
);
2990 #ifndef HAVE_PTHREAD_CANCEL
2991 pthread_key_delete (signal_thread_key
);
2995 config_free (global_config
);
2997 free_invoking_users (invoking_users
);
2999 xfree (home_directory
);
3001 xmlCleanupParser ();
3002 xmlCleanupGlobals ();
3008 if (estatus
== EXIT_SUCCESS
&& !terminate
)
3009 log_write (_("pwmd exiting normally"));
3011 pthread_key_delete (thread_name_key
);
3020 gpg_error_t
lock_flock (assuan_context_t ctx
, const char *filename
,
3026 *fd
= open (filename
, O_RDONLY
);
3028 return gpg_error_from_syserror ();
3030 TRY_FLOCK (ctx
, *fd
, type
, rc
);
3041 void unlock_flock (int *fd
)