/mandos/trunk : revision 1213

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: teddy at recompile
Date: 2020-04-05 21:30:59 UTC
Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk

Fix file descriptor leak in mandos-client

When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.)  The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.

This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route.  If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.

Fix this by eliminating the file descriptor leak in the client.

* plugins.d/mandos-client.c (add_delete_local_route): Do
  close(devnull) also in parent process, also if fork() fails, and on
  any failure in child process.

files added:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

* "browse_callback", and parts of "main".

* Everything else is

* This file is part of Mandos.

123

gnutls_*

124

init_gnutls_session(),

125

GNUTLS_* */

126

#if GNUTLS_VERSION_NUMBER < 0x030600

126

127

#include <gnutls/openpgp.h>

127

128

/* gnutls_certificate_set_openpgp_key_file(),

128

129

GNUTLS_OPENPGP_FMT_BASE64 */

130

#elif GNUTLS_VERSION_NUMBER >= 0x030606

131

#include <gnutls/x509.h> /* gnutls_pkcs_encrypt_flags_t,

132

GNUTLS_PKCS_PLAIN,

133

GNUTLS_PKCS_NULL_PASSWORD */

134

#endif

129

135

130

136

/* GPGME */

131

137

#include <gpgme.h> /* All GPGME types, constants and

139

145

#define PATHDIR "/conf/conf.d/mandos"

140

146

#define SECKEY "seckey.txt"

141

147

#define PUBKEY "pubkey.txt"

148

#define TLS_PRIVKEY "tls-privkey.pem"

149

#define TLS_PUBKEY "tls-pubkey.pem"

142

150

#define HOOKDIR "/lib/mandos/network-hooks.d"

143

151

144

152

bool debug = false;

699

707

const char *dhparamsfilename,

700

708

mandos_context *mc){

701

709

int ret;

702

unsigned int uret;

703

710

704

711

if(debug){

705

712

fprintf_plus(stderr, "Initializing GnuTLS\n");

722

729

}

723

730

724

731

if(debug){

725

fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"

726

" secret key %s as GnuTLS credentials\n",

732

fprintf_plus(stderr, "Attempting to use public key %s and"

733

" private key %s as GnuTLS credentials\n",

727

734

pubkeyfilename,

728

735

seckeyfilename);

729

736

}

730

737

738

#if GNUTLS_VERSION_NUMBER >= 0x030606

739

ret = gnutls_certificate_set_rawpk_key_file

740

(mc->cred, pubkeyfilename, seckeyfilename,

741

GNUTLS_X509_FMT_PEM, /* format */

742

NULL, /* pass */

743

/* key_usage */

744

GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,

745

NULL, /* names */

746

0, /* names_length */

747

/* privkey_flags */

748

GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,

749

0); /* pkcs11_flags */

750

#elif GNUTLS_VERSION_NUMBER < 0x030600

731

751

ret = gnutls_certificate_set_openpgp_key_file

732

752

(mc->cred, pubkeyfilename, seckeyfilename,

733

753

GNUTLS_OPENPGP_FMT_BASE64);

754

#else

755

#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"

756

#endif

734

757

if(ret != GNUTLS_E_SUCCESS){

735

758

fprintf_plus(stderr,

736

"Error[%d] while reading the OpenPGP key pair ('%s',"

759

"Error[%d] while reading the key pair ('%s',"

737

760

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

738

761

fprintf_plus(stderr, "The GnuTLS error is: %s\n",

739

762

safer_gnutls_strerror(ret));

810

833

}

811

834

if(dhparamsfilename == NULL){

812

835

if(mc->dh_bits == 0){

836

#if GNUTLS_VERSION_NUMBER < 0x030600

813

837

/* Find out the optimal number of DH bits */

814

838

/* Try to read the private key file */

815

839

gnutls_datum_t buffer = { .data = NULL, .size = 0 };

895

919

}

896

920

}

897

921

}

898

uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

922

unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

899

923

if(uret != 0){

900

924

mc->dh_bits = uret;

901

925

if(debug){

913

937

safer_gnutls_strerror(ret));

914

938

goto globalfail;

915

939

}

916

} else if(debug){

917

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

918

mc->dh_bits);

919

}

920

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

921

if(ret != GNUTLS_E_SUCCESS){

922

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"

923

" bits): %s\n", mc->dh_bits,

924

safer_gnutls_strerror(ret));

925

goto globalfail;

940

#endif

941

} else { /* dh_bits != 0 */

942

if(debug){

943

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

944

mc->dh_bits);

945

}

946

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

947

if(ret != GNUTLS_E_SUCCESS){

948

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"

949

" bits): %s\n", mc->dh_bits,

950

safer_gnutls_strerror(ret));

951

goto globalfail;

952

}

953

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

926

954

}

927

955

}

928

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

929

956

930

957

return 0;

931

958

942

969

int ret;

943

970

/* GnuTLS session creation */

944

971

do {

945

ret = gnutls_init(session, GNUTLS_SERVER);

972

ret = gnutls_init(session, (GNUTLS_SERVER

973

#if GNUTLS_VERSION_NUMBER >= 0x030506

974

| GNUTLS_NO_TICKETS

975

#endif

976

#if GNUTLS_VERSION_NUMBER >= 0x030606

977

| GNUTLS_ENABLE_RAWPK

978

#endif

979

));

946

980

if(quit_now){

947

981

return -1;

948

982

}

1040

1074

ret = setgid(0);

1041

1075

if(ret == -1){

1042

1076

perror_plus("setgid");

1077

close(devnull);

1043

1078

_exit(EX_NOPERM);

1044

1079

}

1045

1080

/* Reset supplementary groups */

1047

1082

ret = setgroups(0, NULL);

1048

1083

if(ret == -1){

1049

1084

perror_plus("setgroups");

1085

close(devnull);

1050

1086

_exit(EX_NOPERM);

1051

1087

}

1052

1088

}

1053

1089

ret = dup2(devnull, STDIN_FILENO);

1054

1090

if(ret == -1){

1055

1091

perror_plus("dup2(devnull, STDIN_FILENO)");

1092

close(devnull);

1056

1093

_exit(EX_OSERR);

1057

1094

}

1058

1095

ret = close(devnull);

1059

1096

if(ret == -1){

1060

1097

perror_plus("close");

1061

_exit(EX_OSERR);

1062

1098

}

1063

1099

ret = dup2(STDERR_FILENO, STDOUT_FILENO);

1064

1100

if(ret == -1){

1099

1135

}

1100

1136

if(pid == -1){

1101

1137

perror_plus("fork");

1138

close(devnull);

1102

1139

return false;

1103

1140

}

1141

ret = close(devnull);

1142

if(ret == -1){

1143

perror_plus("close");

1144

}

1104

1145

int status;

1105

1146

pid_t pret = -1;

1106

1147

errno = 0;

2427

2468

2428

2469

int main(int argc, char *argv[]){

2429

2470

mandos_context mc = { .server = NULL, .dh_bits = 0,

2471

#if GNUTLS_VERSION_NUMBER >= 0x030606

2472

.priority = "SECURE128:!CTYPE-X.509"

2473

":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"

2474

":%PROFILE_ULTRA",

2475

#elif GNUTLS_VERSION_NUMBER < 0x030600

2430

2476

.priority = "SECURE256:!CTYPE-X.509"

2431

2477

":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",

2478

#else

2479

#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"

2480

#endif

2432

2481

.current_server = NULL, .interfaces = NULL,

2433

2482

.interfaces_size = 0 };

2434

2483

AvahiSServiceBrowser *sb = NULL;

2445

2494

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

2446

2495

const char *seckey = PATHDIR "/" SECKEY;

2447

2496

const char *pubkey = PATHDIR "/" PUBKEY;

2497

#if GNUTLS_VERSION_NUMBER >= 0x030606

2498

const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;

2499

const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;

2500

#endif

2448

2501

const char *dh_params_file = NULL;

2449

2502

char *interfaces_hooks = NULL;

2450

2503

2498

2551

{ .name = "pubkey", .key = 'p',

2499

2552

.arg = "FILE",

2500

2553

.doc = "OpenPGP public key file base name",

2501

.group = 2 },

2554

.group = 1 },

2555

{ .name = "tls-privkey", .key = 't',

2556

.arg = "FILE",

2557

#if GNUTLS_VERSION_NUMBER >= 0x030606

2558

.doc = "TLS private key file base name",

2559

#else

2560

.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",

2561

#endif

2562

.group = 1 },

2563

{ .name = "tls-pubkey", .key = 'T',

2564

.arg = "FILE",

2565

#if GNUTLS_VERSION_NUMBER >= 0x030606

2566

.doc = "TLS public key file base name",

2567

#else

2568

.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",

2569

#endif

2570

.group = 1 },

2502

2571

{ .name = "dh-bits", .key = 129,

2503

2572

.arg = "BITS",

2504

2573

.doc = "Bit length of the prime number used in the"

2560

2629

case 'p': /* --pubkey */

2561

2630

pubkey = arg;

2562

2631

break;

2632

case 't': /* --tls-privkey */

2633

#if GNUTLS_VERSION_NUMBER >= 0x030606

2634

tls_privkey = arg;

2635

#endif

2636

break;

2637

case 'T': /* --tls-pubkey */

2638

#if GNUTLS_VERSION_NUMBER >= 0x030606

2639

tls_pubkey = arg;

2640

#endif

2641

break;

2563

2642

case 129: /* --dh-bits */

2564

2643

errno = 0;

2565

2644

tmpmax = strtoimax(arg, &tmp, 10);

2600

2679

argp_state_help(state, state->out_stream,

2601

2680

(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)

2602

2681

& ~(unsigned int)ARGP_HELP_EXIT_OK);

2682

__builtin_unreachable();

2603

2683

case -3: /* --usage */

2604

2684

argp_state_help(state, state->out_stream,

2605

2685

ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);

2686

__builtin_unreachable();

2606

2687

case 'V': /* --version */

2607

2688

fprintf_plus(state->out_stream, "%s\n", argp_program_version);

2608

2689

exit(argp_err_exit_status);

2919

3000

goto end;

2920

3001

}

2921

3002

3003

#if GNUTLS_VERSION_NUMBER >= 0x030606

3004

ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);

3005

#elif GNUTLS_VERSION_NUMBER < 0x030600

2922

3006

ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);

3007

#else

3008

#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"

3009

#endif

2923

3010

if(ret == -1){

2924

3011

fprintf_plus(stderr, "init_gnutls_global failed\n");

2925

3012

exitcode = EX_UNAVAILABLE;

Older »