
Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • mto: (237.7.304 trunk)
  • mto: This revision was merged to the branch mainline in revision 325.
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges, which do not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

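--- a/plugins.d/mandos-client.c
+++ b/plugins.d/mandos-client.c
@@ -234,11 +234,21 @@
                           .af = af };
   if(new_server->ip == NULL){
     perror_plus("strdup");
+    free(new_server);
     return false;
   }
   ret = clock_gettime(CLOCK_MONOTONIC, &(new_server->last_seen));
   if(ret == -1){
     perror_plus("clock_gettime");
+#ifdef __GNUC__
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wcast-qual"
+#endif
+    free((char *)(new_server->ip));
+#ifdef __GNUC__
+#pragma GCC diagnostic pop
+#endif
+    free(new_server);
     return false;
   }
   /* Special case of first server */
@@ -1066,6 +1076,7 @@
      timed out */
   
   if(quit_now){
+    avahi_s_service_resolver_free(r);
     return;
   }
   
@@ -1639,9 +1650,15 @@
         _exit(EXIT_FAILURE);
       }
     } else {
+      if(hook_pid == -1){
+        perror_plus("fork");
+        free(direntry);
+        continue;
+      }
       int status;
       if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
         perror_plus("waitpid");
+        free(direntry);
         continue;
       }
       if(WIFEXITED(status)){
@@ -1649,16 +1666,19 @@
           fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
                        " with status %d\n", direntry->d_name,
                        WEXITSTATUS(status));
+          free(direntry);
           continue;
         }
       } else if(WIFSIGNALED(status)){
         fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
                      " signal %d\n", direntry->d_name,
                      WTERMSIG(status));
+        free(direntry);
         continue;
       } else {
         fprintf_plus(stderr, "Warning: network hook \"%s\""
                      " crashed\n", direntry->d_name);
+        free(direntry);
         continue;
       }
     }
@@ -1666,6 +1686,7 @@
       fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
                    direntry->d_name);
     }
+    free(direntry);
   }
   free(direntries);
   if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
@@ -1881,7 +1902,7 @@
 int main(int argc, char *argv[]){
   mandos_context mc = { .server = NULL, .dh_bits = 1024,
                         .priority = "SECURE256:!CTYPE-X.509:"
-                        "+CTYPE-OPENPGP", .current_server = NULL,
+                        "+CTYPE-OPENPGP:!RSA", .current_server = NULL,
                         .interfaces = NULL, .interfaces_size = 0 };
   AvahiSServiceBrowser *sb = NULL;
   error_t ret_errno;
@@ -2265,12 +2286,14 @@
         if(ret_errno != 0){
           errno = ret_errno;
           perror_plus("argz_add");
+          free(direntries[i]);
           continue;
         }
         if(debug){
           fprintf_plus(stderr, "Will use interface \"%s\"\n",
                        direntries[i]->d_name);
         }
+        free(direntries[i]);
       }
       free(direntries);
     } else {
@@ -2546,6 +2569,14 @@
     mc.current_server->prev->next = NULL;
     while(mc.current_server != NULL){
       server *next = mc.current_server->next;
+#ifdef __GNUC__
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wcast-qual"
+#endif
+      free((char *)(mc.current_server->ip));
+#ifdef __GNUC__
+#pragma GCC diagnostic pop
+#endif
       free(mc.current_server);
       mc.current_server = next;
     }
@@ -2620,6 +2651,7 @@
                          " \"%s\", 0): %s\n", tempdir,
                          direntries[i]->d_name, strerror(errno));
           }
+          free(direntries[i]);
         }
         
         /* need to clean even if 0 because man page doesn't specify */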
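Review bot: The new default priority string in main() (new line 1905) carries no comment explaining why `!RSA` is there, so the forward-secrecy rationale lives only in this commit message and a later tidy-up of the string could silently drop it; add a line above the initializer such as `/* "!RSA" removes the static RSA key exchange so only ephemeral (DHE) kx remains and recorded traffic cannot be decrypted later with the client key */`. Separately, the `#pragma GCC diagnostic` wrapper around `free((char *)(...->ip))` is now duplicated in the first hunk (new lines 243-250) and in the `while` loop at new lines 2572-2579; a single `static void free_server(server *s)` that frees the ip string and then the struct would keep the `-Wcast-qual` workaround in one place and serve both the clock_gettime failure path and the shutdown loop. The bodies of main() and of the function containing the first hunk continue outside these hunks.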