X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/3cbd2d89482ab48adea16aef781b191b793d9a26..add23883a6378567be6b7866bc2ff2c32400a346:/server/admin.c

diff --git a/server/admin.c b/server/admin.c
index 045727f7..25581f65 100644
--- a/server/admin.c
+++ b/server/admin.c
@@ -40,6 +40,7 @@ const trace_opt tr_opts[] = {
   { 'x', T_KEYEXCH, "key exchange" },
   { 'm', T_KEYMGMT, "key management" },
   { 'l', T_CHAL, "challenge management" },
+  { 'v', T_PRIVSEP, "privilege separation" },
   { 'p', T_PACKET, "packet contents" },
   { 'c', T_CRYPTO, "crypto details" },
   { 'A', T_ALL, "all of the above" },
@@ -50,7 +51,9 @@ unsigned tr_flags = 0;
 #endif
 
 static const trace_opt w_opts[] = {
+#ifndef NTRACE
   { 't', AF_TRACE, "trace messages" },
+#endif
   { 'n', AF_NOTE, "asynchronous notifications" },
   { 'w', AF_WARN, "warnings" },
   { 'A', AF_ALLMSGS, "all of the above" },
@@ -238,16 +241,34 @@ static void a_flush(int fd, unsigned mode, void *v)
  *
  * Returns:     ---
  *
- * Use:         Main message token formatting driver.
+ * Use:         Main message token formatting driver.  The arguments are
+ *              interleaved formatting tokens and their parameters, finally
+ *              terminated by an entry @A_END@.
+ *
+ *              Tokens recognized:
+ *
+ *                * "*..." ... -- pretokenized @dstr_putf@-like string
+ *
+ *                * "?ADDR" SOCKADDR -- a socket address, to be converted
+ *
+ *                * "?B64" BUFFER SIZE -- binary data to be base64-encoded
+ *
+ *                * "?TOKENS" VECTOR -- null-terminated vector of tokens
+ *
+ *                * "?PEER" PEER -- peer's name
+ *
+ *                * "?ERRNO" ERRNO -- system error code
+ *
+ *                * "[!]..." ... -- @dstr_putf@-like string as single token
  */
 
-static void a_vformat(dstr *d, const char *fmt, va_list ap)
+void a_vformat(dstr *d, const char *fmt, va_list ap)
 {
   dstr dd = DSTR_INIT;
 
   while (fmt) {
     if (*fmt == '*') {
-      dstr_putc(d, ' ');
+      if (d->len) dstr_putc(d, ' ');
       dstr_vputf(d, fmt + 1, &ap);
     } else if (*fmt == '?') {
       if (strcmp(fmt, "?ADDR") == 0) {
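Review bot: Now that a_vformat is exported rather than static, its header should state the trust assumption the body relies on: the `"*..."` token is handed to `dstr_vputf(d, fmt + 1, &ap)` as a format string, so every format token must be a compile-time literal supplied by the caller, never text received from a client or peer. A line such as ` *              Format tokens are used as @dstr_vputf@ format strings and must be trusted literals.` in the Use section would make that explicit for new external callers. a_vformat's body continues outside the hunk.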
@@ -294,6 +315,26 @@ static void a_vformat(dstr *d, const char *fmt, va_list ap)
   dstr_destroy(&dd);
 }
 
+/* --- @a_format@ --- *
+ *
+ * Arguments:   @dstr *d@ = where to leave the formatted message
+ *              @const char *fmt@ = pointer to format string
+ *
+ * Returns:     ---
+ *
+ * Use:         Writes a tokenized message into a string, for later
+ *              presentation.
+ */
+
+void a_format(dstr *d, const char *fmt, ...)
+{
+  va_list ap;
+
+  va_start(ap, fmt);
+  a_vformat(d, fmt, ap);
+  va_end(ap);
+}
+
 /* --- @a_write@, @a_vwrite@ --- *
  *
  * Arguments:   @admin *a@ = admin connection to write to
@@ -503,6 +544,7 @@ void a_quit(void)
   close(sock.fd);
   unlink(sockname);
   FOREACH_PEER(p, { p_destroy(p); });
+  ps_quit();
   exit(0);
 }
 
@@ -1185,6 +1227,7 @@ static void a_doadd(admin_resop *r, int rc)
     a_bgok(&add->r.bg);
   }
 
+  if (add->peer.tag) xfree(add->peer.tag);
   xfree(add->peer.name);
 }
 
@@ -1208,9 +1251,11 @@ static void acmd_add(admin *a, unsigned ac, char *av[])
 
   add = xmalloc(sizeof(*add));
   add->peer.name = 0;
+  add->peer.tag = 0;
+  add->peer.privtag = 0;
   add->peer.t_ka = 0;
   add->peer.tops = tun_default;
-  add->peer.kxf = 0;
+  add->peer.f = 0;
 
   /* --- Parse options --- */
 
@@ -1230,7 +1275,18 @@ static void acmd_add(admin *a, unsigned ac, char *av[])
       }
     })
     OPTTIME("-keepalive", t, { add->peer.t_ka = t; })
-    OPT("-cork", { add->peer.kxf |= KXF_CORK; })
+    OPT("-cork", { add->peer.f |= KXF_CORK; })
+    OPTARG("-key", arg, {
+      if (add->peer.tag)
+        xfree(add->peer.tag);
+      add->peer.tag = xstrdup(arg);
+    })
+    OPT("-mobile", { add->peer.f |= PSF_MOBILE; })
+    OPTARG("-priv", arg, {
+      if (add->peer.privtag)
+        xfree(add->peer.privtag);
+      add->peer.privtag = xstrdup(arg);
+    })
   });
 
   /* --- Make sure someone's not got there already --- */
@@ -1255,6 +1311,8 @@ bad_syntax:
   a_fail(a, "bad-syntax", "add", "[OPTIONS] PEER ADDR ...", A_END);
 fail:
   if (add->peer.name) xfree(add->peer.name);
+  if (add->peer.tag) xfree(add->peer.tag);
+  if (add->peer.privtag) xfree(add->peer.privtag);
   xfree(add);
   return;
 }
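Review bot: a_format's new header documents @d@ and @fmt@ but not the variadic tail, which is the part a caller actually has to get right; adding ` *              @...@ = formatting tokens and their parameters, terminated by @A_END@` to the Arguments block would complete it. The `va_start`/`va_end` pairing around the single a_vformat call is otherwise as it should be.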
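Review bot: a_doadd now releases `add->peer.tag` and `add->peer.name` but not `add->peer.privtag`, even though the fail path in acmd_add (the @@ -1255 hunk) frees all three together; unless p_create takes ownership of privtag, which cannot be seen from here, the string allocated by `-priv` leaks on every successful add. The fix is one line beside the tag release: `if (add->peer.privtag) xfree(add->peer.privtag);`. a_doadd's body begins outside the hunk.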
@@ -1648,29 +1706,58 @@ static void acmd_bgcancel(admin *a, unsigned ac, char *av[])
 
 static void acmd_algs(admin *a, unsigned ac, char *av[])
 {
+  peer *p;
+  const kdata *kd;
+  const group *g;
+  const algswitch *algs;
+
+  if (!ac)
+    kd = master;
+  else {
+    if ((p = a_findpeer(a, av[0])) == 0) return;
+    kd = p->kx.kpriv;
+  }
+  g = kd->g;
+  algs = &kd->algs;
+
   a_info(a,
-         "kx-group=%s", gg->ops->name,
-         "kx-group-order-bits=%lu", (unsigned long)mp_bits(gg->r),
-         "kx-group-elt-bits=%lu", (unsigned long)gg->nbits,
-         A_END);
-  a_info(a,
-         "hash=%s", algs.h->name,
-         "mgf=%s", algs.mgf->name,
-         "hash-sz=%lu", (unsigned long)algs.h->hashsz,
+         "kx-group=%s", g->ops->name,
+         "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->r),
+         "kx-group-elt-bits=%lu", (unsigned long)g->nbits,
          A_END);
   a_info(a,
-         "cipher=%s", algs.c->name,
-         "cipher-keysz=%lu", (unsigned long)algs.cksz,
-         "cipher-blksz=%lu", (unsigned long)algs.c->blksz,
+         "hash=%s", algs->h->name,
+         "mgf=%s", algs->mgf->name,
+         "hash-sz=%lu", (unsigned long)algs->h->hashsz,
          A_END);
   a_info(a,
-         "cipher-data-limit=%lu", (unsigned long)algs.expsz,
+         "bulk-transform=%s", algs->bulk->name,
+         "bulk-overhead=%lu", (unsigned long)algs->bulk->overhead(algs),
          A_END);
+  if (algs->c) {
+    a_info(a,
+           "cipher=%s", algs->c->name,
+           "cipher-keysz=%lu", (unsigned long)algs->cksz,
+           "cipher-blksz=%lu", (unsigned long)algs->c->blksz,
+           A_END);
+  }
   a_info(a,
-         "mac=%s", algs.m->name,
-         "mac-keysz=%lu", (unsigned long)algs.mksz,
-         "mac-tagsz=%lu", (unsigned long)algs.tagsz,
+         "cipher-data-limit=%lu", (unsigned long)algs->expsz,
          A_END);
+  if (algs->m) {
+    a_info(a,
+           "mac=%s", algs->m->name,
+           "mac-keysz=%lu", (unsigned long)algs->mksz,
+           "mac-tagsz=%lu", (unsigned long)algs->tagsz,
+           A_END);
+  }
+  if (algs->b) {
+    a_info(a,
+           "blkc=%.*s", strlen(algs->b->name) - 4, algs->b->name,
+           "blkc-keysz=%lu", (unsigned long)algs->bksz,
+           "blkc-blksz=%lu", (unsigned long)algs->b->blksz,
+           A_END);
+  }
   a_ok(a);
 }
 
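Review bot: In the new `blkc=%.*s` line the precision argument `strlen(algs->b->name) - 4` is a `size_t`, but the `*` precision is consumed as an `int`, so the variadic argument has the wrong type (undefined behaviour, and a different slot width on LP64); the subtraction also wraps to a huge value if the name is shorter than four characters. Write it as `"blkc=%.*s", (int)(strlen(algs->b->name) - 4), algs->b->name,` and guard or comment the assumption that block-cipher names carry a four-character suffix to strip, since nothing in the hunk establishes it. Whether `kd->g`, `algs->bulk` and `algs->bulk->overhead` are always non-null when `master` or `p->kx.kpriv` is used cannot be confirmed from here; the new `if (algs->c)`/`if (algs->m)`/`if (algs->b)` guards suggest optional members are expected elsewhere in the structure.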
@@ -1761,10 +1848,16 @@ static void acmd_peerinfo(admin *a, unsigned ac, char *av[])
 {
   peer *p;
   const peerspec *ps;
+  const char *ptag;
 
   if ((p = a_findpeer(a, av[0])) != 0) {
     ps = p_spec(p);
     a_info(a, "tunnel=%s", ps->tops->name, A_END);
+    a_info(a, "key=%s", p_tag(p),
+           "current-key=%s", p->kx.kpub->tag, A_END);
+    if ((ptag = p_privtag(p)) == 0) ptag = "(default)";
+    a_info(a, "private-key=%s", ptag,
+           "current-private-key=%s", p->kx.kpriv->tag, A_END);
     a_info(a, "keepalive=%lu", ps->t_ka, A_END);
     a_ok(a);
   }
@@ -1874,7 +1967,7 @@ static void acmd_help(admin */*a*/, unsigned /*ac*/, char */*av*/[]);
 static const acmd acmdtab[] = {
   { "add",      "[OPTIONS] PEER ADDR ...", 2, 0xffff, acmd_add },
   { "addr",     "PEER",         1,      1,      acmd_addr },
-  { "algs",     0,              0,      0,      acmd_algs },
+  { "algs",     "[PEER]",       0,      1,      acmd_algs },
   { "bgcancel", "TAG",          1,      1,      acmd_bgcancel },
   { "checkchal", "CHAL",        1,      1,      acmd_checkchal },
   { "daemon",   0,              0,      0,      acmd_daemon },
@@ -2182,19 +2275,23 @@ void a_daemon(void) { flags |= F_DAEMON; }
 /* --- @a_init@ --- *
  *
  * Arguments:   @const char *name@ = socket name to create
+ *              @uid_t u@ = user to own the socket
+ *              @gid_t g@ = group to own the socket
+ *              @mode_t m@ = permissions to set on the socket
  *
  * Returns:     ---
  *
  * Use:         Creates the admin listening socket.
  */
 
-void a_init(const char *name)
+void a_init(const char *name, uid_t u, gid_t g, mode_t m)
 {
   int fd;
   int n = 5;
   struct sockaddr_un sun;
   struct sigaction sa;
   size_t sz;
+  mode_t omask;
 
   /* --- Create services table --- */
 
@@ -2212,7 +2309,7 @@ void a_init(const char *name)
 
   /* --- Attempt to bind to the socket --- */
 
-  umask(0077);
+  omask = umask(0077);
 again:
   if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
     die(EXIT_FAILURE, "couldn't create socket: %s", strerror(errno));
@@ -2243,7 +2340,15 @@ again:
       close(fd);
       goto again;
     }
-  chmod(sun.sun_path, 0600);
+  if (chown(sun.sun_path, u, g)) {
+    die(EXIT_FAILURE, "failed to set socket owner: %s",
+        strerror(errno));
+  }
+  if (chmod(sun.sun_path, m)) {
+    die(EXIT_FAILURE, "failed to set socket permissions: %s",
+        strerror(errno));
+  }
+  umask(omask);
   fdflags(fd, O_NONBLOCK, O_NONBLOCK, FD_CLOEXEC, FD_CLOEXEC);
   if (listen(fd, 5))
     die(EXIT_FAILURE, "couldn't listen on socket: %s", strerror(errno));
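Review bot: `m` is applied by `chmod` to the already-bound node, so it takes effect exactly as given and is not reduced by the umask; since anyone who can connect to this socket controls the daemon, a_init's header (the @@ -2182 hunk) should say so, e.g. ` *              @mode_t m@ = permissions to set on the socket (applied unmasked; grants full administrative access)`. The ordering is sound: the node is created under `umask(0077)` and only widened after `chown` has succeeded, so there is no window in which it is both accessible to others and wrongly owned, and the `die` paths exit before `umask(omask)` so the saved mask is only restored on success. Both `chown` and `chmod` act on the path rather than the descriptor, so the protection ultimately rests on the socket's directory being writable only by the daemon's owner; a one-line comment recording that requirement above the `chown` would help whoever later changes the default location. a_init's body begins and ends outside the hunk.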