/mandos/trunk : revision 1213

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: teddy at recompile
Date: 2020-04-05 21:30:59 UTC
Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk

Fix file descriptor leak in mandos-client

When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.)  The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.

This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route.  If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.

Fix this by eliminating the file descriptor leak in the client.

* plugins.d/mandos-client.c (add_delete_local_route): Do
  close(devnull) also in parent process, also if fork() fails, and on
  any failure in child process.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.6.9"

VERSION="1.8.10"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

104

109

-e|--email) KEYEMAIL="$2"; shift 2;;

105

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

106

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

107

113

-f|--force) FORCE=yes; shift;;

108

114

-S|--no-ssh) SSH=no; shift;;

109

115

-v|--version) echo "$0 $VERSION"; exit;;

119

125

120

126

SECKEYFILE="$KEYDIR/seckey.txt"

121

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

122

130

123

131

# Check for some invalid values

124

132

if [ ! -d "$KEYDIR" ]; then

161

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

162

170

esac

163

171

164

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

165

-a "$FORCE" -eq 0 ]; then

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

166

176

echo "Refusing to overwrite old key files; use --force" >&2

167

177

exit 1

168

178

177

187

178

188

# Create temporary gpg batch file

179

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

180

191

181

192

182

193

if [ "$mode" = password ]; then

191

202

trap "

192

203

set +e; \

193

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

194

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

195

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

196

208

rm --recursive --force \"$RINGDIR\";

218

230

#Handle: <no-spaces>

219

231

#%pubring pubring.gpg

220

232

#%secring secring.gpg

233

%no-protection

221

234

%commit

222

235

EOF

223

236

230

243

echo -n "Started: "

231

244

date

232

245

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

233

279

234

280

# Make sure trustdb.gpg exists;

235

281

# this is a workaround for Debian bug #737128

250

296

# Backup any old key files

251

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

252

298

2>/dev/null; then

253

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

254

300

255

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

256

302

2>/dev/null; then

285

331

esac

286

332

287

333

if [ $SSH -eq 1 ]; then

288

for ssh_keytype in ed25519 rsa; do

334

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

289

335

set +e

290

336

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

337

err=$?

291

338

set -e

292

if [ $? -ne 0 ]; then

339

if [ $err -ne 0 ]; then

293

340

ssh_fingerprint=""

294

341

continue

295

342

317

364

318

365

test -n "$FINGERPRINT"

319

366

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

320

380

FILECOMMENT="Encrypted password for a Mandos client"

321

381

322

382

while [ ! -s "$SECFILE" ]; do

323

383

if [ -n "$PASSFILE" ]; then

324

cat "$PASSFILE"

384

cat -- "$PASSFILE"

325

385

else

326

386

tty --quiet && stty -echo

327

echo -n "Enter passphrase: " >&2

328

read first

387

echo -n "Enter passphrase: " >/dev/tty

388

read -r first

329

389

tty --quiet && echo >&2

330

echo -n "Repeat passphrase: " >&2

331

read second

390

echo -n "Repeat passphrase: " >/dev/tty

391

read -r second

332

392

if tty --quiet; then

333

393

echo >&2

334

394

stty echo

356

416

cat <<-EOF

357

417

[$KEYNAME]

358

418

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

359

424

fingerprint = $FINGERPRINT

360

425

secret =

361

426

EOF

379

444

set +e

380

445

# Remove the password file, if any

381

446

if [ -n "$SECFILE" ]; then

382

shred --remove "$SECFILE"

447

shred --remove "$SECFILE" 2>/dev/null

383

448

384

449

# Remove the key rings

385

450

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »