
Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2019-07-29 16:35:53 UTC
  • mto: This revision was merged to the branch mainline in revision 384.
  • Revision ID: teddy@recompile.se-20190729163553-1i442i2cbx64c537
Make tests and man page examples match

Make the tests test_manual_page_example[1-5] match exactly what is
written in the manual page, and add comments to manual page as
reminders to keep tests and manual page examples in sync.

* mandos-ctl (Test_commands_from_options.test_manual_page_example_1):
  Remove "--verbose" option, since the manual does not have it as the
  first example, and change assertion to match.
* mandos-ctl.xml (EXAMPLE): Add comments to all examples documenting
  which test function they correspond to.  Also remove unnecessary
  quotes from option arguments in fourth example, and clarify language
  slightly in fifth example.

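--- a/plugins.d/mandos-client.c
+++ b/plugins.d/mandos-client.c
@@ -9,8 +9,8 @@
  * "browse_callback", and parts of "main".
  * 
  * Everything else is
- * Copyright © 2008-2018 Teddy Hogeborn
- * Copyright © 2008-2018 Björn Påhlsson
+ * Copyright © 2008-2019 Teddy Hogeborn
+ * Copyright © 2008-2019 Björn Påhlsson
  * 
  * This file is part of Mandos.
  * 
@@ -123,9 +123,15 @@
                                    gnutls_*
                                    init_gnutls_session(),
                                    GNUTLS_* */
+#if GNUTLS_VERSION_NUMBER < 0x030600
 #include <gnutls/openpgp.h>
                          /* gnutls_certificate_set_openpgp_key_file(),
                             GNUTLS_OPENPGP_FMT_BASE64 */
+#elif GNUTLS_VERSION_NUMBER >= 0x030606
+#include <gnutls/x509.h>        /* gnutls_pkcs_encrypt_flags_t,
+                                 GNUTLS_PKCS_PLAIN,
+                                 GNUTLS_PKCS_NULL_PASSWORD */
+#endif
 
 /* GPGME */
 #include <gpgme.h>              /* All GPGME types, constants and
@@ -139,6 +145,8 @@
 #define PATHDIR "/conf/conf.d/mandos"
 #define SECKEY "seckey.txt"
 #define PUBKEY "pubkey.txt"
+#define TLS_PRIVKEY "tls-privkey.pem"
+#define TLS_PUBKEY "tls-pubkey.pem"
 #define HOOKDIR "/lib/mandos/network-hooks.d"
 
 bool debug = false;
@@ -699,7 +707,6 @@
                               const char *dhparamsfilename,
                               mandos_context *mc){
   int ret;
-  unsigned int uret;
   
   if(debug){
     fprintf_plus(stderr, "Initializing GnuTLS\n");
@@ -722,18 +729,34 @@
   }
   
   if(debug){
-    fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
-                 " secret key %s as GnuTLS credentials\n",
+    fprintf_plus(stderr, "Attempting to use public key %s and"
+                 " private key %s as GnuTLS credentials\n",
                  pubkeyfilename,
                  seckeyfilename);
   }
   
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+  ret = gnutls_certificate_set_rawpk_key_file
+    (mc->cred, pubkeyfilename, seckeyfilename,
+     GNUTLS_X509_FMT_PEM,       /* format */
+     NULL,                      /* pass */
+     /* key_usage */
+     GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+     NULL,                      /* names */
+     0,                         /* names_length */
+     /* privkey_flags */
+     GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,
+     0);                        /* pkcs11_flags */
+#elif GNUTLS_VERSION_NUMBER < 0x030600
   ret = gnutls_certificate_set_openpgp_key_file
     (mc->cred, pubkeyfilename, seckeyfilename,
      GNUTLS_OPENPGP_FMT_BASE64);
+#else
+#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
+#endif
   if(ret != GNUTLS_E_SUCCESS){
     fprintf_plus(stderr,
-                 "Error[%d] while reading the OpenPGP key pair ('%s',"
+                 "Error[%d] while reading the key pair ('%s',"
                  " '%s')\n", ret, pubkeyfilename, seckeyfilename);
     fprintf_plus(stderr, "The GnuTLS error is: %s\n",
                  safer_gnutls_strerror(ret));
@@ -810,6 +833,7 @@
   }
   if(dhparamsfilename == NULL){
     if(mc->dh_bits == 0){
+#if GNUTLS_VERSION_NUMBER < 0x030600
       /* Find out the optimal number of DH bits */
       /* Try to read the private key file */
       gnutls_datum_t buffer = { .data = NULL, .size = 0 };
@@ -895,7 +919,7 @@
           }
         }
       }
-      uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
+      unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
       if(uret != 0){
         mc->dh_bits = uret;
         if(debug){
@@ -913,19 +937,22 @@
                      safer_gnutls_strerror(ret));
         goto globalfail;
       }
-    } else if(debug){
-      fprintf_plus(stderr, "DH bits explicitly set to %u\n",
-                   mc->dh_bits);
-    }
-    ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
-    if(ret != GNUTLS_E_SUCCESS){
-      fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
-                   " bits): %s\n", mc->dh_bits,
-                   safer_gnutls_strerror(ret));
-      goto globalfail;
+#endif
+    } else {                    /* dh_bits != 0 */
+      if(debug){
+        fprintf_plus(stderr, "DH bits explicitly set to %u\n",
+                     mc->dh_bits);
+      }
+      ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
+      if(ret != GNUTLS_E_SUCCESS){
+        fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
+                     " bits): %s\n", mc->dh_bits,
+                     safer_gnutls_strerror(ret));
+        goto globalfail;
+      }
+      gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
     }
   }
-  gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
   
   return 0;
   
@@ -942,7 +969,14 @@
   int ret;
   /* GnuTLS session creation */
   do {
-    ret = gnutls_init(session, GNUTLS_SERVER);
+    ret = gnutls_init(session, (GNUTLS_SERVER
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+                                | GNUTLS_NO_TICKETS
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+                                | GNUTLS_ENABLE_RAWPK
+#endif
+                                ));
     if(quit_now){
       return -1;
     }
@@ -2427,8 +2461,16 @@
 
 int main(int argc, char *argv[]){
   mandos_context mc = { .server = NULL, .dh_bits = 0,
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+                        .priority = "SECURE128:!CTYPE-X.509"
+                        ":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"
+                        ":%PROFILE_ULTRA",
+#elif GNUTLS_VERSION_NUMBER < 0x030600
                         .priority = "SECURE256:!CTYPE-X.509"
                         ":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
+#else
+#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
+#endif
                         .current_server = NULL, .interfaces = NULL,
                         .interfaces_size = 0 };
   AvahiSServiceBrowser *sb = NULL;
@@ -2445,6 +2487,10 @@
   AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
   const char *seckey = PATHDIR "/" SECKEY;
   const char *pubkey = PATHDIR "/" PUBKEY;
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+  const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;
+  const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;
+#endif
   const char *dh_params_file = NULL;
   char *interfaces_hooks = NULL;
   
@@ -2498,7 +2544,23 @@
       { .name = "pubkey", .key = 'p',
         .arg = "FILE",
         .doc = "OpenPGP public key file base name",
-        .group = 2 },
+        .group = 1 },
+      { .name = "tls-privkey", .key = 't',
+        .arg = "FILE",
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+        .doc = "TLS private key file base name",
+#else
+        .doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
+#endif
+        .group = 1 },
+      { .name = "tls-pubkey", .key = 'T',
+        .arg = "FILE",
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+        .doc = "TLS public key file base name",
+#else
+        .doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
+#endif
+        .group = 1 },
       { .name = "dh-bits", .key = 129,
         .arg = "BITS",
         .doc = "Bit length of the prime number used in the"
@@ -2560,6 +2622,16 @@
       case 'p':                 /* --pubkey */
         pubkey = arg;
         break;
+      case 't':                 /* --tls-privkey */
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+        tls_privkey = arg;
+#endif
+        break;
+      case 'T':                 /* --tls-pubkey */
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+        tls_pubkey = arg;
+#endif
+        break;
       case 129:                 /* --dh-bits */
         errno = 0;
         tmpmax = strtoimax(arg, &tmp, 10);
@@ -2600,9 +2672,11 @@
         argp_state_help(state, state->out_stream,
                         (ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
                         & ~(unsigned int)ARGP_HELP_EXIT_OK);
+        __builtin_unreachable();
       case -3:                  /* --usage */
         argp_state_help(state, state->out_stream,
                         ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
+        __builtin_unreachable();
       case 'V':                 /* --version */
         fprintf_plus(state->out_stream, "%s\n", argp_program_version);
         exit(argp_err_exit_status);
@@ -2919,7 +2993,13 @@
     goto end;
   }
   
+#if GNUTLS_VERSION_NUMBER >= 0x030606
+  ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);
+#elif GNUTLS_VERSION_NUMBER < 0x030600
   ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
+#else
+#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
+#endif
   if(ret == -1){
     fprintf_plus(stderr, "init_gnutls_global failed\n");
     exitcode = EX_UNAVAILABLE;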
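Review bot: The `__builtin_unreachable();` added after each of the two `argp_state_help()` calls (new lines 2675 and 2679, in the option-parsing function that starts and ends outside this hunk) is undefined behaviour if that call returns, and glibc's argp_state_help does return rather than exit when `state->flags` contains ARGP_NO_EXIT or ARGP_NO_ERRS, or when the stream is NULL; whether main's argp_parse() call passes such flags is not visible here. The old fall-through reached the `--version` case and ended in `exit(argp_err_exit_status)`, so the worst case was one extra line of output, whereas with `__builtin_unreachable()` the compiler is free to drop the following cases or emit anything. A plain `break;` silences the same implicit-fallthrough warning without the UB, so I would put `break;` in place of each `__builtin_unreachable();`. Separately, in the init_gnutls_global hunk `gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);` now runs only in the `dh_bits != 0` branch (new line 953) where the removed line 928 ran unconditionally after the whole `if(dhparamsfilename == NULL)` block; if the `dhparamsfilename != NULL` path (outside this hunk) relied on that call, parameters loaded from a `--dh-params` file are silently no longer applied on GnuTLS < 3.6.0, which is worth confirming.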