/mandos/release : revision 237.7.510

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to initramfs-tools-hook

Committer: Teddy Hogeborn
Date: 2019-02-09 23:23:26 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 370.
Revision ID: teddy@recompile.se-20190209232326-z1z2kzpgfixz7iaj

Add support for using raw public keys in TLS (RFC 7250)

Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and
no other library supports it, we have to change the protocol to use
something else.  We choose to use "raw public keys" (RFC 7250).  Since
we still use OpenPGP keys to decrypt the secret password, this means
that each client will have two keys: One OpenPGP key and one TLS
public/private key, and the key ID of the latter key is used to
identify clients instead of the fingerprint of the OpenPGP key.

Note that this code is still compatible with GnuTLS before version
3.6.0 (when OpenPGP key support was removed).  This commit merely adds
support for using raw pulic keys instead with GnuTLS 3.6.6. or later.

* DBUS-API (Signals/ClientNotFound): Change name of first parameter
                                     from "Fingerprint" to "KeyID".
  (Mandos Client Interface/Properties/KeyID): New.
* INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP
           key support) up until 3.6.6, when support for raw public
           keys was added.  Also document new dependency of client on
           "gnutls-bin" package (for certtool).
* Makefile (run-client): Depend on TLS key files, and also pass them
                         as arguments to client.
  (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New.
  (confdir/clients.conf): Add dependency on TLS public key.
  (purge-client): Add removal of TLS key files.
* clients.conf ([foo]/key_id, [bar]/key_id): New.
* debian/control (Source: mandos/Build-Depends): Also allow
                                                 libgnutls30 (>= 3.6.6)
  (Package: mandos/Depends): - '' -
  (Package: mandos/Description): Alter description to match new
                                 design.
  (Package: mandos-client/Description): - '' -
  (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to
                                    here from "Recommends".
* debian/mandos-client.README.Debian: Add --tls-privkey and
                                      --tls-pubkey options to test
                                      command.
* debian/mandos-client.postinst (create_key): Renamed to "create_keys"
                                             (all callers changed),
                                             and also create TLS key.
* debian/mandos-client.postrm (purge): Also remove TLS key files.
* intro.xml (DESCRIPTION): Describe new dual-key design.
* mandos (GnuTLS): Define different functions depending on whether
                   support for raw public keys is detected.
  (Client.key_id): New attribute.
  (ClientDBus.KeyID_dbus_property): New method.
  (ProxyClient.__init__): Take new "key_id" parameter.
  (ClientHandler.handle): Use key IDs when using raw public keys and
                          use fingerprints when using OpenPGP keys.
  (ClientHandler.peer_certificate): Also handle raw public keys.
  (ClientHandler.key_id): New.
  (MandosServer.handle_ipc): Pass key ID over the pipe IPC.  Also
                             check for key ID matches when looking up
                             clients.
  (main): Default GnuTLS priority string depends on whether we are
          using raw public keys or not.  When unpickling clients, set
          key_id if not set in the pickle.
  (main/MandosDBusService.ClientNotFound): Change name of first
                                           parameter from
                                           "Fingerprint" to "KeyID".
* mandos-clients.conf.xml (OPTIONS): Document new "key_id" option.
  (OPTIONS/secret): Mention new key ID matchning.
  (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option.
  (EXAMPLE): - '' -
* mandos-ctl (tablewords, main/keywords): Add new "KeyID" property.
* mandos-keygen: Create TLS key files.  New "--tls-keytype" (-T)
                 option.  Alter help text to be more clear about key
                 types.  When in password mode, also output "key_id"
                 option.
* mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option.
  (DESCRIPTION): Alter to match new dual-key design.
  (OVERVIEW): - '' -
  (FILES): Add TLS key files.
* mandos-options.xml (priority): Document new default priority string
                                 when using raw public keys.
* mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID.
  (BUGS): Remove issue about checking expire times of OpenPGP keys,
          since TLS public keys do not have expiration times.
  (SECURITY/CLIENT): Alter description to match new design.
  (SEE ALSO/GnuTLS): - '' -
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.
* overview.xml: Alter text to match new design.
* plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey
                               options to mandos-client options.
* plugins.d/mandos-client.c: Use raw public keys when compiling with
                             supporting GnuTLS versions. Add new
                             "--tls-pubkey" and "--tls-privkey"
                             options (which do nothing if GnuTLS
                             library does not support raw public
                             keys).  Alter text throughout to reflect
                             new design.  Only generate new DH
                             parameters (based on size of OpenPGP key)
                             when using OpenPGP in TLS.  Default
                             GnuTLS priority string depends on whether
                             we are using raw public keys or not.
* plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t)
                                          and "--tls-pubkey" (-T)
                                          options.
  (DESCRIPTION): Describe new dual-key design.
  (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T)
             options.
  (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key
                       size.
  (FILES): Add default locations for TLS public and private key files.
  (EXAMPLE): Use new --tls-pubkey and --tls-privkey options.
  (SECURITY): Alter wording slightly to reflect new dual-key design.
  (SEE ALSO/GnuTLS): Alter description to match new design.
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

initramfs-tools-hook

#!/bin/sh

# This is an example hook script. It will be run by 'mkinitramfs'

# when it creates the image. It's job is to decide which files to

# install, then install them into the staging area, where the

# initramfs is being created. This happens when a new 'linux-image'

# package is installed, or when the administrator runs 'mkinitramfs'

# by hand to update an initramfs image.

# TODO: What about the case where you install something that should be

# added to the initramfs, but the linux-image it relates to has

# already been installed previously? Does this happen often

# enough that it needs to be handled? How can it be handled?

# * Think about the 'usplash'. The initramfs will need to be

# updated if a theme change or update is desired. Maybe it

# should not be totally automatic, but offered on upgrade

# predicated on a user response to a debconf question? That

# issue needs to be explored and a solution specified.

# * Do not assume that any needed subdirectories have been created

# yet, but don't bail out if they are already there.

# * All of the standard system tools are available, of course, since

# this hook is running in the real system, not the initramfs.

# * TODO: ... ? Anything else to tell them in this bullet-list?

# This script will be run by 'mkinitramfs' when it creates the image.

# Its job is to decide which files to install, then install them into

# the staging area, where the initramfs is being created. This

# happens when a new 'linux-image' package is installed, or when an

# administrator runs 'update-initramfs' by hand to update an initramfs

# image.

# The environment contains at least:

# CONFDIR -- usually /etc/mkinitramfs, can be set on mkinitramfs

# command line.

# DESTDIR -- The staging directory where we are building the image.

# TODO: Decide what environment variables are meaningful and defined

# in this context, then document them as part of the interface.

# TODO: May need a version_compare function for comparison of VERSION?

# List the soft prerequisites here. This is a space separated list of

# names, of scripts that are in the same directory as this one, that

# must be run before this one can be.

# DESTDIR -- The staging directory where the image is being built.

# No initramfs pre-requirements

PREREQ="cryptroot"

prereqs()

;;

esac

# You can do anything you need to from here on.

# Source the optional 'hook-functions' scriptlet, if you need the

# functions defined within it. Read it to see what is available to

# you. It contains functions for copying dynamically linked program

# binaries, and kernel modules into the DESTDIR.

. /usr/share/initramfs-tools/hook-functions

for d in /usr/lib \

"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \

"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/local/lib; do

if [ -d "$d"/mandos ]; then

libdir="$d"

break

done

if [ -z "$libdir" ]; then

# Mandos not found

exit 1

for d in /etc/keys/mandos /etc/mandos/keys; do

if [ -d "$d" ]; then

keydir="$d"

break

done

if [ -z "$keydir" ]; then

# Mandos key directory not found

exit 1

set `{ getent passwd _mandos \

|| getent passwd nobody \

|| echo ::65534:65534:::; } \

| cut --delimiter=: --fields=3,4 --only-delimited \

--output-delimiter=" "`

mandos_user="$1"

mandos_group="$2"

# The Mandos network client uses the network

auto_add_modules net

# force_load tg3

# The Mandos network client uses IPv6

force_load ipv6

# These are directories inside the initrd

CONFDIR="/conf/conf.d/mandos"

DESTCONFDIR="${DESTDIR}${CONFDIR}"

mkdir --parents "${DESTCONFDIR}"

PLUGINDIR="${CONFDIR}/plugins.d"

mkdir --parents "${DESTDIR}${PLUGINDIR}"

# We don't need to copy_exec mandos-client, hooks/cryptroot will do

# that. That will not copy the plugins, however, so we do that here.

# The standard plugins

for file in /usr/lib/mandos/plugins.d/*; do

MANDOSDIR="/lib/mandos"

PLUGINDIR="${MANDOSDIR}/plugins.d"

PLUGINHELPERDIR="${MANDOSDIR}/plugin-helpers"

HOOKDIR="${MANDOSDIR}/network-hooks.d"

# Make directories

install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \

"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}"

install --owner=${mandos_user} --group=${mandos_group} --directory \

--mode=u=rwx "${DESTDIR}${PLUGINDIR}" \

"${DESTDIR}${PLUGINHELPERDIR}"

copy_exec "$libdir"/mandos/mandos-to-cryptroot-unlock "${MANDOSDIR}"

# Copy the Mandos plugin runner

copy_exec "$libdir"/mandos/plugin-runner "${MANDOSDIR}"

# Copy the plugins

# Copy the packaged plugins

for file in "$libdir"/mandos/plugins.d/*; do

base="`basename \"$file\"`"

# Is this plugin overridden?

if [ -e "/etc/mandos/plugins.d/$base" ]; then

continue

case "$base" in

*~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;;

*) copy_exec "$file" "${PLUGINDIR}";;

esac

100

done

101

102

# Any user-supplied plugins

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

: ;;

100

"*") echo "W: Mandos client plugin directory is empty." >&2 ;;

101

*) copy_exec "$file" "${PLUGINDIR}" ;;

102

esac

103

done

104

105

# Copy the packaged plugin helpers

106

for file in "$libdir"/mandos/plugin-helpers/*; do

107

base="`basename \"$file\"`"

108

# Is this plugin overridden?

109

if [ -e "/etc/mandos/plugin-helpers/$base" ]; then

110

continue

111

112

case "$base" in

113

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

114

: ;;

115

"*") : ;;

116

*) copy_exec "$file" "${PLUGINHELPERDIR}" ;;

117

esac

118

done

119

120

# Copy any user-supplied plugins

103

121

for file in /etc/mandos/plugins.d/*; do

104

122

base="`basename \"$file\"`"

105

123

case "$base" in

106

*~|.*|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;;

107

*) copy_exec "$file" "${PLUGINDIR}";;

108

esac

109

done

110

111

# GPGME needs /usr/bin/gpg

112

if [ -n "`ls \"${DESTDIR}\"/usr/lib/libgpgme.so* 2>/dev/null`" ]; then

113

copy_exec /usr/bin/gpg

124

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

125

: ;;

126

"*") : ;;

127

*) copy_exec "$file" "${PLUGINDIR}" ;;

128

esac

129

done

130

131

# Copy any user-supplied plugin helpers

132

for file in /etc/mandos/plugin-helpers/*; do

133

base="`basename \"$file\"`"

134

case "$base" in

135

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

136

: ;;

137

"*") : ;;

138

*) copy_exec "$file" "${PLUGINHELPERDIR}" ;;

139

esac

140

done

141

142

# Get DEVICE from initramfs.conf and other files

143

. /etc/initramfs-tools/initramfs.conf

144

for conf in /etc/initramfs-tools/conf.d/*; do

145

if [ -n `basename \"$conf\" | grep '^[[:alnum:]][[:alnum:]\._-]*$' \

146

| grep -v '\.dpkg-.*$'` ]; then

147

[ -f "${conf}" ] && . "${conf}"

148

149

done

150

export DEVICE

151

152

# Copy network hooks

153

for hook in /etc/mandos/network-hooks.d/*; do

154

case "`basename \"$hook\"`" in

155

"*") continue ;;

156

*[!A-Za-z0-9_.-]*) continue ;;

157

*) test -d "$hook" || copy_exec "$hook" "${HOOKDIR}" ;;

158

esac

159

if [ -x "$hook" ]; then

160

# Copy any files needed by the network hook

161

MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \

162

VERBOSITY=0 "$hook" files | while read -r file target; do

163

if [ ! -e "${file}" ]; then

164

echo "WARNING: file ${file} not found, requested by Mandos network hook '${hook##*/}'" >&2

165

166

if [ -z "${target}" ]; then

167

copy_exec "$file"

168

else

169

copy_exec "$file" "$target"

170

171

done

172

# Copy and load any modules needed by the network hook

173

MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=modules \

174

VERBOSITY=0 "$hook" modules | while read -r module; do

175

force_load "$module"

176

done

177

178

done

179

180

# GPGME needs GnuPG

181

gpg=/usr/bin/gpg

182

libgpgme11_version="`dpkg-query --showformat='${Version}' --show libgpgme11`"

183

if dpkg --compare-versions "$libgpgme11_version" ge 1.5.0-0.1; then

184

if [ -e /usr/bin/gpgconf ]; then

185

if [ ! -e "${DESTDIR}/usr/bin/gpgconf" ]; then

186

copy_exec /usr/bin/gpgconf

187

188

gpg="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg:[^:]*://p'`"

189

gpgagent="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg-agent:[^:]*://p'`"

190

# Newer versions of GnuPG 2 requires the gpg-agent binary

191

if [ -e "$gpgagent" ] && [ ! -e "${DESTDIR}$gpgagent" ]; then

192

copy_exec "$gpgagent"

193

194

195

elif dpkg --compare-versions "$libgpgme11_version" ge 1.4.1-0.1; then

196

gpg=/usr/bin/gpg2

197

198

if [ ! -e "${DESTDIR}$gpg" ]; then

199

copy_exec "$gpg"

200

201

unset gpg

202

unset libgpgme11_version

203

204

# Config files

205

for file in /etc/mandos/plugin-runner.conf; do

206

if [ -d "$file" ]; then

207

continue

208

209

cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"

210

done

211

212

if [ ${mandos_user} != 65534 ]; then

213

sed --in-place --expression="1i--userid=${mandos_user}" \

214

"${DESTDIR}${CONFDIR}/plugin-runner.conf"

215

216

217

if [ ${mandos_group} != 65534 ]; then

218

sed --in-place --expression="1i--groupid=${mandos_group}" \

219

"${DESTDIR}${CONFDIR}/plugin-runner.conf"

114

220

115

221

116

222

# Key files

117

for file in /etc/mandos/*; do

223

for file in "$keydir"/*; do

118

224

if [ -d "$file" ]; then

119

225

continue

120

226

121

cp --archive --sparse=always "$file" "${DESTCONFDIR}"

227

case "$file" in

228

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

229

: ;;

230

"*") : ;;

231

232

cp --archive --sparse=always "$file" \

233

"${DESTDIR}${CONFDIR}"

234

chown ${mandos_user}:${mandos_group} \

235

"${DESTDIR}${CONFDIR}/`basename \"$file\"`"

236

;;

237

esac

122

238

done

123

# Create key ring files

124

gpg --no-random-seed-file --quiet --batch --no-tty \

125

--no-default-keyring --no-options --homedir "${DESTCONFDIR}" \

126

--no-permission-warning --import-options import-minimal \

127

--import "${DESTCONFDIR}/seckey.txt"

128

chown nobody "${DESTCONFDIR}/secring.gpg"

239

# Use Diffie-Hellman parameters file if available

240

if [ -e "${DESTDIR}${CONFDIR}"/dhparams.pem ]; then

241

sed --in-place \

242

--expression="1i--options-for=mandos-client:--dh-params=${CONFDIR}/dhparams.pem" \

243

"${DESTDIR}/${CONFDIR}/plugin-runner.conf"

244

129

245

130

# /keyscripts/mandos-client will drop priviliges, but needs access to

131

# its plugin directory. However, since almost all files in initrd

132

# have been created with umask 027, this opening of permissions is needed.

246

# /lib/mandos/plugin-runner will drop priviliges, but needs access to

247

# its plugin directory and its config file. However, since almost all

248

# files in initrd have been created with umask 027, this opening of

249

# permissions is needed.

133

250

134

251

# (The umask is not really intended to affect the files inside the

135

# initrd, but the initrd.img file itself, since it now contains secret

136

# key files. There is, however, no other way to set the permission of

137

# the initrd.img file without a race condition. This umask is set by

138

# "/usr/share/initramfs-tools/conf-hooks.d/mandos".)

252

# initrd; it is intended to affect the initrd.img file itself, since

253

# it now contains secret key files. There is, however, no other way

254

# to set the permission of the initrd.img file without a race

255

# condition. This umask is set by "initramfs-tools-conf", installed

256

# as "/usr/share/initramfs-tools/conf.d/mandos-conf".)

139

257

140

full="${PLUGINDIR}"

141

while [ "$full" != "/" ]; do

142

chmod a+rX "${DESTDIR}$full"

143

full="`dirname \"$full\"`"

258

for full in "${MANDOSDIR}" "${CONFDIR}"; do

259

while [ "$full" != "/" ]; do

260

chmod a+rX "${DESTDIR}$full"

261

full="`dirname \"$full\"`"

262

done

144

263

done

264

265

# Reset some other things to sane permissions which we have

266

# inadvertently affected with our umask setting.

145

267

for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do

146

chmod a+rX "${DESTDIR}$dir"

268

if [ -d "${DESTDIR}$dir" ]; then

269

chmod a+rX "${DESTDIR}$dir"

270

147

271

done

148

for dir in /lib /usr/lib; do

149

chmod --recursive a+rX "${DESTDIR}$dir"

272

for dir in "${DESTDIR}"/lib* "${DESTDIR}"/usr/lib*; do

273

if [ -d "$dir" ]; then

274

find "$dir" \! -perm -u+rw,g+r -prune -or \! -type l -print0 \

275

| xargs --null --no-run-if-empty chmod a+rX --

276

150

277

done

Older »