/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2019-02-11 06:14:29 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 376.
  • Revision ID: teddy@recompile.se-20190211061429-n6n5zk29iatshlb3
Fix Debian package dependencies

* debian/control (Build-Depends): Changed GnuTLS dependencies to
                                  "libgnutls30 (>= 3.3.0),
                                  libgnutls28-dev (>= 3.6.6) |
                                  libgnutls28-dev (<< 3.6.0)".  (We
                                  can't depend on the virtual package
                                  "gnutls-dev", since we need the
                                  version restrictions.)
  (Package: mandos/Depends): Remove dependency on libgnutls28-dev
                             package.
  (Package: mandos/Suggests): New; set to "libc6-dev,
                              c-compiler". (Used to find value of
                              "SO_BINDTODEVICE").
  (Package: mandos-client/Depends): Don't depend on openssl anymore;
                                    instead depend on either a
                                    gnutls-bin (>= 3.6.6) (in which
                                    case TLS key generation will
                                    work), or on libgnutls30 (<<
                                    3.6.0) (in which case TLS key
                                    generation will not be needed).

Show diffs side-by-side

added added

removed removed

Lines of Context:
9
9
 * "browse_callback", and parts of "main".
10
10
 * 
11
11
 * Everything else is
12
 
 * Copyright © 2008-2018 Teddy Hogeborn
13
 
 * Copyright © 2008-2018 Björn Påhlsson
 
12
 * Copyright © 2008-2019 Teddy Hogeborn
 
13
 * Copyright © 2008-2019 Björn Påhlsson
14
14
 * 
15
15
 * This file is part of Mandos.
16
16
 * 
123
123
                                   gnutls_*
124
124
                                   init_gnutls_session(),
125
125
                                   GNUTLS_* */
 
126
#if GNUTLS_VERSION_NUMBER < 0x030600
126
127
#include <gnutls/openpgp.h>
127
128
                         /* gnutls_certificate_set_openpgp_key_file(),
128
129
                            GNUTLS_OPENPGP_FMT_BASE64 */
 
130
#elif GNUTLS_VERSION_NUMBER >= 0x030606
 
131
#include <gnutls/x509.h>        /* gnutls_pkcs_encrypt_flags_t,
 
132
                                 GNUTLS_PKCS_PLAIN,
 
133
                                 GNUTLS_PKCS_NULL_PASSWORD */
 
134
#endif
129
135
 
130
136
/* GPGME */
131
137
#include <gpgme.h>              /* All GPGME types, constants and
139
145
#define PATHDIR "/conf/conf.d/mandos"
140
146
#define SECKEY "seckey.txt"
141
147
#define PUBKEY "pubkey.txt"
 
148
#define TLS_PRIVKEY "tls-privkey.pem"
 
149
#define TLS_PUBKEY "tls-pubkey.pem"
142
150
#define HOOKDIR "/lib/mandos/network-hooks.d"
143
151
 
144
152
bool debug = false;
699
707
                              const char *dhparamsfilename,
700
708
                              mandos_context *mc){
701
709
  int ret;
702
 
  unsigned int uret;
703
710
  
704
711
  if(debug){
705
712
    fprintf_plus(stderr, "Initializing GnuTLS\n");
722
729
  }
723
730
  
724
731
  if(debug){
725
 
    fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
726
 
                 " secret key %s as GnuTLS credentials\n",
 
732
    fprintf_plus(stderr, "Attempting to use public key %s and"
 
733
                 " private key %s as GnuTLS credentials\n",
727
734
                 pubkeyfilename,
728
735
                 seckeyfilename);
729
736
  }
730
737
  
 
738
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
739
  ret = gnutls_certificate_set_rawpk_key_file
 
740
    (mc->cred, pubkeyfilename, seckeyfilename,
 
741
     GNUTLS_X509_FMT_PEM,       /* format */
 
742
     NULL,                      /* pass */
 
743
     /* key_usage */
 
744
     GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 
745
     NULL,                      /* names */
 
746
     0,                         /* names_length */
 
747
     /* privkey_flags */
 
748
     GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,
 
749
     0);                        /* pkcs11_flags */
 
750
#elif GNUTLS_VERSION_NUMBER < 0x030600
731
751
  ret = gnutls_certificate_set_openpgp_key_file
732
752
    (mc->cred, pubkeyfilename, seckeyfilename,
733
753
     GNUTLS_OPENPGP_FMT_BASE64);
 
754
#else
 
755
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
 
756
#endif
734
757
  if(ret != GNUTLS_E_SUCCESS){
735
758
    fprintf_plus(stderr,
736
 
                 "Error[%d] while reading the OpenPGP key pair ('%s',"
 
759
                 "Error[%d] while reading the key pair ('%s',"
737
760
                 " '%s')\n", ret, pubkeyfilename, seckeyfilename);
738
761
    fprintf_plus(stderr, "The GnuTLS error is: %s\n",
739
762
                 safer_gnutls_strerror(ret));
810
833
  }
811
834
  if(dhparamsfilename == NULL){
812
835
    if(mc->dh_bits == 0){
 
836
#if GNUTLS_VERSION_NUMBER < 0x030600
813
837
      /* Find out the optimal number of DH bits */
814
838
      /* Try to read the private key file */
815
839
      gnutls_datum_t buffer = { .data = NULL, .size = 0 };
895
919
          }
896
920
        }
897
921
      }
898
 
      uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
 
922
      unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
899
923
      if(uret != 0){
900
924
        mc->dh_bits = uret;
901
925
        if(debug){
913
937
                     safer_gnutls_strerror(ret));
914
938
        goto globalfail;
915
939
      }
916
 
    } else if(debug){
917
 
      fprintf_plus(stderr, "DH bits explicitly set to %u\n",
918
 
                   mc->dh_bits);
919
 
    }
920
 
    ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
921
 
    if(ret != GNUTLS_E_SUCCESS){
922
 
      fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
923
 
                   " bits): %s\n", mc->dh_bits,
924
 
                   safer_gnutls_strerror(ret));
925
 
      goto globalfail;
 
940
#endif
 
941
    } else {                    /* dh_bits != 0 */
 
942
      if(debug){
 
943
        fprintf_plus(stderr, "DH bits explicitly set to %u\n",
 
944
                     mc->dh_bits);
 
945
      }
 
946
      ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
 
947
      if(ret != GNUTLS_E_SUCCESS){
 
948
        fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
 
949
                     " bits): %s\n", mc->dh_bits,
 
950
                     safer_gnutls_strerror(ret));
 
951
        goto globalfail;
 
952
      }
 
953
      gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
926
954
    }
927
955
  }
928
 
  gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
929
956
  
930
957
  return 0;
931
958
  
942
969
  int ret;
943
970
  /* GnuTLS session creation */
944
971
  do {
945
 
    ret = gnutls_init(session, GNUTLS_SERVER);
 
972
    ret = gnutls_init(session, (GNUTLS_SERVER
 
973
#if GNUTLS_VERSION_NUMBER >= 0x030506
 
974
                                | GNUTLS_NO_TICKETS
 
975
#endif
 
976
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
977
                                | GNUTLS_ENABLE_RAWPK
 
978
#endif
 
979
                                ));
946
980
    if(quit_now){
947
981
      return -1;
948
982
    }
2427
2461
 
2428
2462
int main(int argc, char *argv[]){
2429
2463
  mandos_context mc = { .server = NULL, .dh_bits = 0,
 
2464
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2465
                        .priority = "SECURE128:!CTYPE-X.509"
 
2466
                        ":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"
 
2467
                        ":%PROFILE_ULTRA",
 
2468
#elif GNUTLS_VERSION_NUMBER < 0x030600
2430
2469
                        .priority = "SECURE256:!CTYPE-X.509"
2431
2470
                        ":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
 
2471
#else
 
2472
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
 
2473
#endif
2432
2474
                        .current_server = NULL, .interfaces = NULL,
2433
2475
                        .interfaces_size = 0 };
2434
2476
  AvahiSServiceBrowser *sb = NULL;
2445
2487
  AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2446
2488
  const char *seckey = PATHDIR "/" SECKEY;
2447
2489
  const char *pubkey = PATHDIR "/" PUBKEY;
 
2490
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2491
  const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;
 
2492
  const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;
 
2493
#endif
2448
2494
  const char *dh_params_file = NULL;
2449
2495
  char *interfaces_hooks = NULL;
2450
2496
  
2498
2544
      { .name = "pubkey", .key = 'p',
2499
2545
        .arg = "FILE",
2500
2546
        .doc = "OpenPGP public key file base name",
2501
 
        .group = 2 },
 
2547
        .group = 1 },
 
2548
      { .name = "tls-privkey", .key = 't',
 
2549
        .arg = "FILE",
 
2550
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2551
        .doc = "TLS private key file base name",
 
2552
#else
 
2553
        .doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
 
2554
#endif
 
2555
        .group = 1 },
 
2556
      { .name = "tls-pubkey", .key = 'T',
 
2557
        .arg = "FILE",
 
2558
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2559
        .doc = "TLS public key file base name",
 
2560
#else
 
2561
        .doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
 
2562
#endif
 
2563
        .group = 1 },
2502
2564
      { .name = "dh-bits", .key = 129,
2503
2565
        .arg = "BITS",
2504
2566
        .doc = "Bit length of the prime number used in the"
2560
2622
      case 'p':                 /* --pubkey */
2561
2623
        pubkey = arg;
2562
2624
        break;
 
2625
      case 't':                 /* --tls-privkey */
 
2626
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2627
        tls_privkey = arg;
 
2628
#endif
 
2629
        break;
 
2630
      case 'T':                 /* --tls-pubkey */
 
2631
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2632
        tls_pubkey = arg;
 
2633
#endif
 
2634
        break;
2563
2635
      case 129:                 /* --dh-bits */
2564
2636
        errno = 0;
2565
2637
        tmpmax = strtoimax(arg, &tmp, 10);
2600
2672
        argp_state_help(state, state->out_stream,
2601
2673
                        (ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
2602
2674
                        & ~(unsigned int)ARGP_HELP_EXIT_OK);
 
2675
        __builtin_unreachable();
2603
2676
      case -3:                  /* --usage */
2604
2677
        argp_state_help(state, state->out_stream,
2605
2678
                        ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
 
2679
        __builtin_unreachable();
2606
2680
      case 'V':                 /* --version */
2607
2681
        fprintf_plus(state->out_stream, "%s\n", argp_program_version);
2608
2682
        exit(argp_err_exit_status);
2919
2993
    goto end;
2920
2994
  }
2921
2995
  
 
2996
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2997
  ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);
 
2998
#elif GNUTLS_VERSION_NUMBER < 0x030600
2922
2999
  ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
 
3000
#else
 
3001
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
 
3002
#endif
2923
3003
  if(ret == -1){
2924
3004
    fprintf_plus(stderr, "init_gnutls_global failed\n");
2925
3005
    exitcode = EX_UNAVAILABLE;