/mandos/release : revision 237.2.67

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-02-09 02:01:13 UTC
mto: (24.1.133 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 250.
Revision ID: teddy@fukt.bsnet.se-20090209020113-726hq380zvp8zt97

Four new interrelated features:

1. Support using a different network interface via both initramfs.conf
   (the DEVICE setting) and the kernel command line (sixth field of
   the "ip=" option as in Linux' Documentation/nfsroot.txt).

2. Support connecting to a specified Mandos server directly using a
   kernel command line option ("mandos=connect:<ADDRESS>:<PORT>").

3. Support connecting directly to an IPv4 address (and port) using the
   "--connect" option of mandos-client.

4. Support an empty string to the --interface option to mandos-client.

* Makefile (WARN): Increase strictness by changing to
                   "-Wstrict-aliasing=1".

* debian/mandos-client.README.Debian (Use the Correct Network
  Interface): Changed to refer to initramfs.conf and nfsroot.txt.
  (Test the Server): Improve wording.
  (Non-local Connection): New section.
* initramfs-tools-script: Obey DEVICE environment variable and setting
                          from "/conf/initramfs.conf".  Also let any
                          "ip=" kernel command line option override
                          it.  Support new "mandos=connect" option.
                          Call "configure_networking" to set up IP
                          address on interface if necessary.
* plugin-runner.conf: Change example.
* plugins.d/mandos-client.c: Some whitespace and comment changes.
  (start_mandos_communication): Take an additional argument for
                                address family, all callers changed.
                                Connect to an IPv4 address if address
                                family is AF_INET.  Only set IPv6
                                scope_id for link-local addresses.
  (main): Accept empty interface name; this will not bring up any
         interface and leave the interface as unspecified.  Also do
         not restore kernel log level if lowering it failed.
* plugins.d/mandos-client.xml (OPTIONS): Document that the
                                         "--interface" option accepts
                                         an empty string.
  (EXAMPLE): Change example IPv6 address to a link-local address.

files modified:
initramfs-tools-hook

mandos-ctl

plugin-runner.c

plugins.d/mandos-client.c

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <signal.h> /* sigemptyset(), sigaddset(),

sigaction(), SIGTERM, sigaction */

#ifdef __linux__

#include <sys/klog.h> /* klogctl() */

#endif

132

129

gpgme_ctx_t ctx;

133

130

} mandos_context;

134

131

135

/* global context so signal handler can reach it*/

136

mandos_context mc;

137

138

132

139

* Make additional room in "buffer" for at least BUFFER_SIZE

140

* additional bytes. "buffer_capacity" is how much is currently

141

* allocated, "buffer_length" is how much is already used.

133

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

134

* "buffer_capacity" is how much is currently allocated,

135

* "buffer_length" is how much is already used.

142

136

143

size_t incbuffer(char **buffer, size_t buffer_length,

137

size_t adjustbuffer(char **buffer, size_t buffer_length,

144

138

size_t buffer_capacity){

145

139

if(buffer_length + BUFFER_SIZE > buffer_capacity){

146

140

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

155

149

156

150

* Initialize GPGME.

157

151

158

static bool init_gpgme(const char *seckey,

152

static bool init_gpgme(mandos_context *mc, const char *seckey,

159

153

const char *pubkey, const char *tempdir){

160

154

int ret;

161

155

gpgme_error_t rc;

182

176

return false;

183

177

}

184

178

185

rc = gpgme_op_import(mc.ctx, pgp_data);

179

rc = gpgme_op_import(mc->ctx, pgp_data);

186

180

if(rc != GPG_ERR_NO_ERROR){

187

181

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

188

182

gpgme_strsource(rc), gpgme_strerror(rc));

198

192

}

199

193

200

194

if(debug){

201

fprintf(stderr, "Initializing GPGME\n");

195

fprintf(stderr, "Initialize gpgme\n");

202

196

}

203

197

204

198

/* Init GPGME */

231

225

}

232

226

233

227

/* Create new GPGME "context" */

234

rc = gpgme_new(&(mc.ctx));

228

rc = gpgme_new(&(mc->ctx));

235

229

if(rc != GPG_ERR_NO_ERROR){

236

230

fprintf(stderr, "bad gpgme_new: %s: %s\n",

237

231

gpgme_strsource(rc), gpgme_strerror(rc));

249

243

* Decrypt OpenPGP data.

250

244

* Returns -1 on error

251

245

252

static ssize_t pgp_packet_decrypt(const char *cryptotext,

246

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

247

const char *cryptotext,

253

248

size_t crypto_size,

254

249

char **plaintext){

255

250

gpgme_data_t dh_crypto, dh_plain;

282

277

283

278

/* Decrypt data from the cryptotext data buffer to the plaintext

284

279

data buffer */

285

rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);

280

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

286

281

if(rc != GPG_ERR_NO_ERROR){

287

282

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

288

283

gpgme_strsource(rc), gpgme_strerror(rc));

289

284

plaintext_length = -1;

290

285

if(debug){

291

286

gpgme_decrypt_result_t result;

292

result = gpgme_op_decrypt_result(mc.ctx);

287

result = gpgme_op_decrypt_result(mc->ctx);

293

288

if(result == NULL){

294

289

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

295

290

} else {

331

326

332

327

*plaintext = NULL;

333

328

while(true){

334

plaintext_capacity = incbuffer(plaintext,

329

plaintext_capacity = adjustbuffer(plaintext,

335

330

(size_t)plaintext_length,

336

331

plaintext_capacity);

337

332

if(plaintext_capacity == 0){

338

perror("incbuffer");

333

perror("adjustbuffer");

339

334

plaintext_length = -1;

340

335

goto decrypt_end;

341

336

}

387

382

fprintf(stderr, "GnuTLS: %s", string);

388

383

}

389

384

390

static int init_gnutls_global(const char *pubkeyfilename,

385

static int init_gnutls_global(mandos_context *mc,

386

const char *pubkeyfilename,

391

387

const char *seckeyfilename){

392

388

int ret;

393

389

411

407

}

412

408

413

409

/* OpenPGP credentials */

414

gnutls_certificate_allocate_credentials(&mc.cred);

410

gnutls_certificate_allocate_credentials(&mc->cred);

415

411

if(ret != GNUTLS_E_SUCCESS){

416

412

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

417

413

from

429

425

}

430

426

431

427

ret = gnutls_certificate_set_openpgp_key_file

432

(mc.cred, pubkeyfilename, seckeyfilename,

428

(mc->cred, pubkeyfilename, seckeyfilename,

433

429

GNUTLS_OPENPGP_FMT_BASE64);

434

430

if(ret != GNUTLS_E_SUCCESS){

435

431

fprintf(stderr,

441

437

}

442

438

443

439

/* GnuTLS server initialization */

444

ret = gnutls_dh_params_init(&mc.dh_params);

440

ret = gnutls_dh_params_init(&mc->dh_params);

445

441

if(ret != GNUTLS_E_SUCCESS){

446

442

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

447

443

" %s\n", safer_gnutls_strerror(ret));

448

444

goto globalfail;

449

445

}

450

ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);

446

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

451

447

if(ret != GNUTLS_E_SUCCESS){

452

448

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

453

449

safer_gnutls_strerror(ret));

454

450

goto globalfail;

455

451

}

456

452

457

gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);

453

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

458

454

459

455

return 0;

460

456

461

457

globalfail:

462

458

463

gnutls_certificate_free_credentials(mc.cred);

459

gnutls_certificate_free_credentials(mc->cred);

464

460

gnutls_global_deinit();

465

gnutls_dh_params_deinit(mc.dh_params);

461

gnutls_dh_params_deinit(mc->dh_params);

466

462

return -1;

467

463

}

468

464

469

static int init_gnutls_session(gnutls_session_t *session){

465

static int init_gnutls_session(mandos_context *mc,

466

gnutls_session_t *session){

470

467

int ret;

471

468

/* GnuTLS session creation */

472

469

ret = gnutls_init(session, GNUTLS_SERVER);

477

474

478

475

{

479

476

const char *err;

480

ret = gnutls_priority_set_direct(*session, mc.priority, &err);

477

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

481

478

if(ret != GNUTLS_E_SUCCESS){

482

479

fprintf(stderr, "Syntax error at: %s\n", err);

483

480

fprintf(stderr, "GnuTLS error: %s\n",

488

485

}

489

486

490

487

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

491

mc.cred);

488

mc->cred);

492

489

if(ret != GNUTLS_E_SUCCESS){

493

490

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

494

491

safer_gnutls_strerror(ret));

500

497

gnutls_certificate_server_set_request(*session,

501

498

GNUTLS_CERT_IGNORE);

502

499

503

gnutls_dh_set_prime_bits(*session, mc.dh_bits);

500

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

504

501

505

502

return 0;

506

503

}

512

509

/* Called when a Mandos server is found */

513

510

static int start_mandos_communication(const char *ip, uint16_t port,

514

511

AvahiIfIndex if_index,

515

int af){

512

mandos_context *mc, int af){

516

513

int ret, tcp_sd;

517

514

ssize_t sret;

518

515

union {

541

538

return -1;

542

539

}

543

540

544

ret = init_gnutls_session(&session);

541

ret = init_gnutls_session(mc, &session);

545

542

if(ret != 0){

546

543

return -1;

547

544

}

688

685

}

689

686

690

687

while(true){

691

buffer_capacity = incbuffer(&buffer, buffer_length,

688

buffer_capacity = adjustbuffer(&buffer, buffer_length,

692

689

buffer_capacity);

693

690

if(buffer_capacity == 0){

694

perror("incbuffer");

691

perror("adjustbuffer");

695

692

retval = -1;

696

693

goto mandos_end;

697

694

}

736

733

gnutls_bye(session, GNUTLS_SHUT_RDWR);

737

734

738

735

if(buffer_length > 0){

739

decrypted_buffer_size = pgp_packet_decrypt(buffer,

736

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

740

737

buffer_length,

741

738

&decrypted_buffer);

742

739

if(decrypted_buffer_size >= 0){

788

785

AVAHI_GCC_UNUSED AvahiStringList *txt,

789

786

AVAHI_GCC_UNUSED AvahiLookupResultFlags

790

787

flags,

791

AVAHI_GCC_UNUSED void* userdata){

788

void* userdata){

789

mandos_context *mc = userdata;

792

790

assert(r);

793

791

794

792

/* Called whenever a service has been resolved successfully or

799

797

case AVAHI_RESOLVER_FAILURE:

800

798

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

801

799

" of type '%s' in domain '%s': %s\n", name, type, domain,

802

avahi_strerror(avahi_server_errno(mc.server)));

800

avahi_strerror(avahi_server_errno(mc->server)));

803

801

break;

804

802

805

803

case AVAHI_RESOLVER_FOUND:

811

809

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

812

810

ip, (intmax_t)interface, port);

813

811

}

814

int ret = start_mandos_communication(ip, port, interface,

812

int ret = start_mandos_communication(ip, port, interface, mc,

815

813

avahi_proto_to_af(proto));

816

814

if(ret == 0){

817

avahi_simple_poll_quit(mc.simple_poll);

815

avahi_simple_poll_quit(mc->simple_poll);

818

816

}

819

817

}

820

818

}

830

828

const char *domain,

831

829

AVAHI_GCC_UNUSED AvahiLookupResultFlags

832

830

flags,

833

AVAHI_GCC_UNUSED void* userdata){

831

void* userdata){

832

mandos_context *mc = userdata;

834

833

assert(b);

835

834

836

835

/* Called whenever a new services becomes available on the LAN or

841

840

case AVAHI_BROWSER_FAILURE:

842

841

843

842

fprintf(stderr, "(Avahi browser) %s\n",

844

avahi_strerror(avahi_server_errno(mc.server)));

845

avahi_simple_poll_quit(mc.simple_poll);

843

avahi_strerror(avahi_server_errno(mc->server)));

844

avahi_simple_poll_quit(mc->simple_poll);

846

845

return;

847

846

848

847

case AVAHI_BROWSER_NEW:

851

850

the callback function is called the Avahi server will free the

852

851

resolver for us. */

853

852

854

if(!(avahi_s_service_resolver_new(mc.server, interface,

853

if(!(avahi_s_service_resolver_new(mc->server, interface,

855

854

protocol, name, type, domain,

856

855

AVAHI_PROTO_INET6, 0,

857

resolve_callback, NULL)))

856

resolve_callback, mc)))

858

857

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

859

name, avahi_strerror(avahi_server_errno(mc.server)));

858

name, avahi_strerror(avahi_server_errno(mc->server)));

860

859

break;

861

860

862

861

case AVAHI_BROWSER_REMOVE:

871

870

}

872

871

}

873

872

874

static void handle_sigterm(__attribute__((unused)) int sig){

875

int old_errno = errno;

876

avahi_simple_poll_quit(mc.simple_poll);

877

errno = old_errno;

878

}

879

880

873

int main(int argc, char *argv[]){

881

874

AvahiSServiceBrowser *sb = NULL;

882

875

int error;

896

889

const char *seckey = PATHDIR "/" SECKEY;

897

890

const char *pubkey = PATHDIR "/" PUBKEY;

898

891

899

/* Initialize Mandos context */

900

mc = (mandos_context){ .simple_poll = NULL, .server = NULL,

901

.dh_bits = 1024, .priority = "SECURE256"

902

":!CTYPE-X.509:+CTYPE-OPENPGP" };

892

mandos_context mc = { .simple_poll = NULL, .server = NULL,

893

.dh_bits = 1024, .priority = "SECURE256"

894

":!CTYPE-X.509:+CTYPE-OPENPGP" };

903

895

bool gnutls_initialized = false;

904

896

bool gpgme_initialized = false;

905

897

double delay = 2.5;

906

907

struct sigaction old_sigterm_action;

908

struct sigaction sigterm_action = { .sa_handler = handle_sigterm };

909

898

910

899

{

911

900

struct argp_option options[] = {

1105

1094

perror("setuid");

1106

1095

}

1107

1096

1108

ret = init_gnutls_global(pubkey, seckey);

1097

ret = init_gnutls_global(&mc, pubkey, seckey);

1109

1098

if(ret == -1){

1110

1099

fprintf(stderr, "init_gnutls_global failed\n");

1111

1100

exitcode = EXIT_FAILURE;

1120

1109

}

1121

1110

tempdir_created = true;

1122

1111

1123

if(not init_gpgme(pubkey, seckey, tempdir)){

1112

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

1124

1113

fprintf(stderr, "init_gpgme failed\n");

1125

1114

exitcode = EXIT_FAILURE;

1126

1115

goto end;

1164

1153

} else {

1165

1154

af = AF_INET;

1166

1155

}

1167

ret = start_mandos_communication(address, port, if_index, af);

1156

ret = start_mandos_communication(address, port, if_index, &mc,

1157

af);

1168

1158

if(ret < 0){

1169

1159

exitcode = EXIT_FAILURE;

1170

1160

} else {

1217

1207

/* Create the Avahi service browser */

1218

1208

sb = avahi_s_service_browser_new(mc.server, if_index,

1219

1209

AVAHI_PROTO_INET6, "_mandos._tcp",

1220

NULL, 0, browse_callback, NULL);

1210

NULL, 0, browse_callback, &mc);

1221

1211

if(sb == NULL){

1222

1212

fprintf(stderr, "Failed to create service browser: %s\n",

1223

1213

avahi_strerror(avahi_server_errno(mc.server)));

1225

1215

goto end;

1226

1216

}

1227

1217

1228

sigemptyset(&sigterm_action.sa_mask);

1229

ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);

1230

if(ret == -1){

1231

perror("sigaddset");

1232

exitcode = EXIT_FAILURE;

1233

goto end;

1234

}

1235

ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);

1236

if(ret == -1){

1237

perror("sigaction");

1238

exitcode = EXIT_FAILURE;

1239

goto end;

1240

}

1241

1242

1218

/* Run the main loop */

1243

1219

1244

1220

if(debug){

Older »