/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Show diffs side-by-side

added added

removed removed

Lines of Context:
240
240
  ret = clock_gettime(CLOCK_MONOTONIC, &(new_server->last_seen));
241
241
  if(ret == -1){
242
242
    perror_plus("clock_gettime");
243
 
    free(new_server->ip);
 
243
#ifdef __GNUC__
 
244
#pragma GCC diagnostic push
 
245
#pragma GCC diagnostic ignored "-Wcast-qual"
 
246
#endif
 
247
    free((char *)(new_server->ip));
 
248
#ifdef __GNUC__
 
249
#pragma GCC diagnostic pop
 
250
#endif
244
251
    free(new_server);
245
252
    return false;
246
253
  }
1069
1076
     timed out */
1070
1077
  
1071
1078
  if(quit_now){
 
1079
    avahi_s_service_resolver_free(r);
1072
1080
    return;
1073
1081
  }
1074
1082
  
1642
1650
        _exit(EXIT_FAILURE);
1643
1651
      }
1644
1652
    } else {
 
1653
      if(hook_pid == -1){
 
1654
        perror_plus("fork");
 
1655
        free(direntry);
 
1656
        continue;
 
1657
      }
1645
1658
      int status;
1646
1659
      if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1647
1660
        perror_plus("waitpid");
 
1661
        free(direntry);
1648
1662
        continue;
1649
1663
      }
1650
1664
      if(WIFEXITED(status)){
1652
1666
          fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1653
1667
                       " with status %d\n", direntry->d_name,
1654
1668
                       WEXITSTATUS(status));
 
1669
          free(direntry);
1655
1670
          continue;
1656
1671
        }
1657
1672
      } else if(WIFSIGNALED(status)){
1658
1673
        fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1659
1674
                     " signal %d\n", direntry->d_name,
1660
1675
                     WTERMSIG(status));
 
1676
        free(direntry);
1661
1677
        continue;
1662
1678
      } else {
1663
1679
        fprintf_plus(stderr, "Warning: network hook \"%s\""
1664
1680
                     " crashed\n", direntry->d_name);
 
1681
        free(direntry);
1665
1682
        continue;
1666
1683
      }
1667
1684
    }
1669
1686
      fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1670
1687
                   direntry->d_name);
1671
1688
    }
 
1689
    free(direntry);
1672
1690
  }
1673
1691
  free(direntries);
1674
1692
  if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
1884
1902
int main(int argc, char *argv[]){
1885
1903
  mandos_context mc = { .server = NULL, .dh_bits = 1024,
1886
1904
                        .priority = "SECURE256:!CTYPE-X.509:"
1887
 
                        "+CTYPE-OPENPGP", .current_server = NULL,
 
1905
                        "+CTYPE-OPENPGP:!RSA", .current_server = NULL,
1888
1906
                        .interfaces = NULL, .interfaces_size = 0 };
1889
1907
  AvahiSServiceBrowser *sb = NULL;
1890
1908
  error_t ret_errno;
2268
2286
        if(ret_errno != 0){
2269
2287
          errno = ret_errno;
2270
2288
          perror_plus("argz_add");
 
2289
          free(direntries[i]);
2271
2290
          continue;
2272
2291
        }
2273
2292
        if(debug){
2274
2293
          fprintf_plus(stderr, "Will use interface \"%s\"\n",
2275
2294
                       direntries[i]->d_name);
2276
2295
        }
 
2296
        free(direntries[i]);
2277
2297
      }
2278
2298
      free(direntries);
2279
2299
    } else {
2549
2569
    mc.current_server->prev->next = NULL;
2550
2570
    while(mc.current_server != NULL){
2551
2571
      server *next = mc.current_server->next;
 
2572
#ifdef __GNUC__
 
2573
#pragma GCC diagnostic push
 
2574
#pragma GCC diagnostic ignored "-Wcast-qual"
 
2575
#endif
 
2576
      free((char *)(mc.current_server->ip));
 
2577
#ifdef __GNUC__
 
2578
#pragma GCC diagnostic pop
 
2579
#endif
2552
2580
      free(mc.current_server);
2553
2581
      mc.current_server = next;
2554
2582
    }
2623
2651
                         " \"%s\", 0): %s\n", tempdir,
2624
2652
                         direntries[i]->d_name, strerror(errno));
2625
2653
          }
 
2654
          free(direntries[i]);
2626
2655
        }
2627
2656
        
2628
2657
        /* need to clean even if 0 because man page doesn't specify */