/mandos/trunk : revision 723.1.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2014-07-25 22:44:20 UTC
mto: This revision was merged to the branch mainline in revision 724.
Revision ID: teddy@recompile.se-20140725224420-4a5ct2ptt0hsc92z

Require Python 2.7.

This is in preparation for the eventual move to Python 3, which will
happen as soon as all Python modules required by Mandos are available.
The mandos-ctl and mandos-monitor programs are already portable
between Python 2.6 and Python 3 without changes; this change will
bring the requirement up to Python 2.7.

* INSTALL (Prerequisites/Libraries/Mandos Server): Document
                                                   requirement of
                                                   Python 2.7; remove
                                                   Python-argparse
                                                   which is in the
                                                   Python 2.7 standard
                                                   library.
* debian/control (Source: mandos/Build-Depends-Indep): Depend on
                                                       exactly the
                                                       python2.7
                                                       package and all
                                                       the Python 2.7
                                                       versions of the
                                                       python modules.
  (Package: mandos/Depends): - '' - but still depend on python (<=2.7)
                            and the generic versions of the Python
                            modules; this is for mandos-ctl and
                            mandos-monitor, both of which are
                            compatible with Python 3, and use
                            #!/usr/bin/python.
* mandos: Use #!/usr/bin/python2.7 instead of #!/usr/bin/python.

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

493

return plaintext_length;

494

}

495

496

__attribute__((warn_unused_result, const))

497

static const char *safe_string(const char *str){

498

if(str == NULL)

499

return "(unknown)";

500

return str;

501

}

502

503

496

__attribute__((warn_unused_result))

504

497

static const char *safer_gnutls_strerror(int value){

505

498

const char *ret = gnutls_strerror(value);

506

return safe_string(ret);

499

if(ret == NULL)

500

ret = "(unknown)";

501

return ret;

507

502

}

508

503

509

504

/* GnuTLS log function callback */

518

513

const char *seckeyfilename,

519

514

mandos_context *mc){

520

515

int ret;

521

unsigned int uret;

522

516

523

517

if(debug){

524

518

fprintf_plus(stderr, "Initializing GnuTLS\n");

575

569

safer_gnutls_strerror(ret));

576

570

goto globalfail;

577

571

}

578

if(mc->dh_bits == 0){

579

/* Find out the optimal number of DH bits */

580

/* Try to read the private key file */

581

gnutls_datum_t buffer = { .data = NULL, .size = 0 };

582

{

583

int secfile = open(seckeyfilename, O_RDONLY);

584

size_t buffer_capacity = 0;

585

while(true){

586

buffer_capacity = incbuffer((char **)&buffer.data,

587

(size_t)buffer.size,

588

(size_t)buffer_capacity);

589

if(buffer_capacity == 0){

590

perror_plus("incbuffer");

591

free(buffer.data);

592

buffer.data = NULL;

593

break;

594

}

595

ssize_t bytes_read = read(secfile, buffer.data + buffer.size,

596

BUFFER_SIZE);

597

/* EOF */

598

if(bytes_read == 0){

599

break;

600

}

601

/* check bytes_read for failure */

602

if(bytes_read < 0){

603

perror_plus("read");

604

free(buffer.data);

605

buffer.data = NULL;

606

break;

607

}

608

buffer.size += (unsigned int)bytes_read;

609

}

610

close(secfile);

611

}

612

/* If successful, use buffer to parse private key */

613

gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;

614

if(buffer.data != NULL){

615

{

616

gnutls_openpgp_privkey_t privkey = NULL;

617

ret = gnutls_openpgp_privkey_init(&privkey);

618

if(ret != GNUTLS_E_SUCCESS){

619

fprintf_plus(stderr, "Error initializing OpenPGP key"

620

" structure: %s", safer_gnutls_strerror(ret));

621

free(buffer.data);

622

buffer.data = NULL;

623

} else {

624

ret = gnutls_openpgp_privkey_import(privkey, &buffer,

625

GNUTLS_OPENPGP_FMT_BASE64,

626

"", 0);

627

if(ret != GNUTLS_E_SUCCESS){

628

fprintf_plus(stderr, "Error importing OpenPGP key : %s",

629

safer_gnutls_strerror(ret));

630

privkey = NULL;

631

}

632

free(buffer.data);

633

buffer.data = NULL;

634

if(privkey != NULL){

635

/* Use private key to suggest an appropriate sec_param */

636

sec_param = gnutls_openpgp_privkey_sec_param(privkey);

637

gnutls_openpgp_privkey_deinit(privkey);

638

if(debug){

639

fprintf_plus(stderr, "This OpenPGP key implies using a"

640

" GnuTLS security parameter \"%s\".\n",

641

safe_string(gnutls_sec_param_get_name

642

(sec_param)));

643

}

644

}

645

}

646

}

647

if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){

648

/* Err on the side of caution */

649

sec_param = GNUTLS_SEC_PARAM_ULTRA;

650

if(debug){

651

fprintf_plus(stderr, "Falling back to security parameter"

652

" \"%s\"\n",

653

safe_string(gnutls_sec_param_get_name

654

(sec_param)));

655

}

656

}

657

}

658

uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

659

if(uret != 0){

660

mc->dh_bits = uret;

661

if(debug){

662

fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"

663

" implies %u DH bits; using that.\n",

664

safe_string(gnutls_sec_param_get_name

665

(sec_param)),

666

mc->dh_bits);

667

}

668

} else {

669

fprintf_plus(stderr, "Failed to get implied number of DH"

670

" bits for security parameter \"%s\"): %s\n",

671

safe_string(gnutls_sec_param_get_name(sec_param)),

672

safer_gnutls_strerror(ret));

673

goto globalfail;

674

}

675

} else if(debug){

676

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

677

mc->dh_bits);

678

}

679

572

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

680

573

if(ret != GNUTLS_E_SUCCESS){

681

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u bits):"

682

" %s\n", mc->dh_bits, safer_gnutls_strerror(ret));

574

fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",

575

safer_gnutls_strerror(ret));

683

576

goto globalfail;

684

577

}

685

578

1757

1650

_exit(EXIT_FAILURE);

1758

1651

}

1759

1652

} else {

1760

if(hook_pid == -1){

1761

perror_plus("fork");

1762

free(direntry);

1763

continue;

1764

}

1765

1653

int status;

1766

1654

if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){

1767

1655

perror_plus("waitpid");

2007

1895

}

2008

1896

2009

1897

int main(int argc, char *argv[]){

2010

mandos_context mc = { .server = NULL, .dh_bits = 0,

1898

mandos_context mc = { .server = NULL, .dh_bits = 1024,

2011

1899

.priority = "SECURE256:!CTYPE-X.509:"

2012

"+CTYPE-OPENPGP:!RSA", .current_server = NULL,

1900

"+CTYPE-OPENPGP", .current_server = NULL,

2013

1901

.interfaces = NULL, .interfaces_size = 0 };

2014

1902

AvahiSServiceBrowser *sb = NULL;

2015

1903

error_t ret_errno;

Older »