/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-helpers/mandos-client-iprouteadddel.c

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
DBUS-API

dbus-mandos.conf

debian/mandos-client.examples

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugin-helpers/mandos-client-iprouteadddel.c

/* -*- coding: utf-8 -*- */

* iprouteadddel - Add or delete direct route to a local IP address

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@recompile.se>.

#define _GNU_SOURCE /* asprintf(),

program_invocation_short_name */

#include <stdbool.h> /* bool, false, true */

#include <stdio.h> /* fprintf(), stderr, FILE, vfprintf */

#include <errno.h> /* program_invocation_short_name,

errno, perror(), EINVAL, ENOMEM */

#include <stdarg.h> /* va_list, va_start */

#include <stdlib.h> /* EXIT_SUCCESS */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, ARGP_KEY_ARG,

argp_usage(), ARGP_KEY_END,

ARGP_ERR_UNKNOWN, struct argp,

argp_parse() */

#include <sysexits.h> /* EX_USAGE, EX_OSERR */

#include <netinet/ip.h> /* sa_family_t, AF_INET6, AF_INET */

#include <inttypes.h> /* PRIdMAX, intmax_t */

#include <netlink/netlink.h> /* struct nl_addr, nl_addr_parse(),

nl_geterror(),

nl_addr_get_family(),

nl_addr_put() */

#include <netlink/route/route.h> /* struct rtnl_route,

struct rtnl_nexthop,

rtnl_route_alloc(),

rtnl_route_set_family(),

rtnl_route_set_protocol(),

RTPROT_BOOT,

rtnl_route_set_scope(),

RT_SCOPE_LINK,

rtnl_route_set_type(),

RTN_UNICAST,

rtnl_route_set_dst(),

rtnl_route_set_table(),

RT_TABLE_MAIN,

rtnl_route_nh_alloc(),

rtnl_route_nh_set_ifindex(),

rtnl_route_add_nexthop(),

rtnl_route_add(),

rtnl_route_delete(),

rtnl_route_put(),

rtnl_route_nh_free() */

#include <netlink/socket.h> /* struct nl_sock, nl_socket_alloc(),

nl_connect(), nl_socket_free() */

#include <netlink/route/link.h> /* rtnl_link_get_kernel(),

rtnl_link_get_ifindex(),

rtnl_link_put() */

bool debug = false;

const char *argp_program_version = "mandos-client-iprouteadddel " VERSION;

const char *argp_program_bug_address = "<mandos@recompile.se>";

/* Function to use when printing errors */

void perror_plus(const char *print_text){

int e = errno;

fprintf(stderr, "Mandos plugin helper %s: ",

program_invocation_short_name);

errno = e;

perror(print_text);

}

__attribute__((format (gnu_printf, 2, 3), nonnull))

int fprintf_plus(FILE *stream, const char *format, ...){

va_list ap;

va_start (ap, format);

fprintf(stream, "Mandos plugin helper %s: ",

program_invocation_short_name);

return vfprintf(stream, format, ap);

}

int main(int argc, char *argv[]){

int ret;

int exitcode = EXIT_SUCCESS;

struct arguments {

bool add; /* true: add, false: delete */

100

char *address; /* IP address as string */

101

struct nl_addr *nl_addr; /* Netlink IP address */

102

char *interface; /* interface name */

103

} arguments = { .add = true, .address = NULL, .interface = NULL };

104

struct argp_option options[] = {

105

{ .name = "debug", .key = 128,

106

.doc = "Debug mode" },

107

{ .name = NULL }

108

};

109

struct rtnl_route *route = NULL;

110

struct rtnl_nexthop *nexthop = NULL;

111

struct nl_sock *sk = NULL;

112

113

error_t parse_opt(int key, char *arg, struct argp_state *state){

114

int lret;

115

errno = 0;

116

switch(key){

117

case 128: /* --debug */

118

debug = true;

119

break;

120

case ARGP_KEY_ARG:

121

switch(state->arg_num){

122

case 0:

123

if(strcasecmp(arg, "add") == 0){

124

((struct arguments *)(state->input))->add = true;

125

} else if(strcasecmp(arg, "delete") == 0){

126

((struct arguments *)(state->input))->add = false;

127

} else {

128

fprintf_plus(stderr, "Unrecognized command: %s\n", arg);

129

argp_usage(state);

130

}

131

break;

132

case 1:

133

((struct arguments *)(state->input))->address = arg;

134

lret = nl_addr_parse(arg, AF_UNSPEC, &(((struct arguments *)

135

(state->input))

136

->nl_addr));

137

if(lret != 0){

138

fprintf_plus(stderr, "Failed to parse address %s: %s\n",

139

arg, nl_geterror(lret));

140

argp_usage(state);

141

}

142

break;

143

case 2:

144

((struct arguments *)(state->input))->interface = arg;

145

break;

146

default:

147

argp_usage(state);

148

}

149

break;

150

case ARGP_KEY_END:

151

if(state->arg_num < 3){

152

argp_usage(state);

153

}

154

break;

155

default:

156

return ARGP_ERR_UNKNOWN;

157

}

158

return errno;

159

}

160

161

struct argp argp = { .options = options, .parser = parse_opt,

162

.args_doc = "[ add | delete ] ADDRESS INTERFACE",

163

.doc = "Mandos client helper -- Add or delete"

164

" local route to IP address on interface" };

165

166

ret = argp_parse(&argp, argc, argv, ARGP_IN_ORDER, 0, &arguments);

167

switch(ret){

168

case 0:

169

break;

170

case EINVAL:

171

exit(EX_USAGE);

172

case ENOMEM:

173

default:

174

errno = ret;

175

perror_plus("argp_parse");

176

exitcode = EX_OSERR;

177

goto end;

178

}

179

/* Get netlink socket */

180

sk = nl_socket_alloc();

181

if(sk == NULL){

182

fprintf_plus(stderr, "Failed to allocate netlink socket: %s\n",

183

nl_geterror(ret));

184

exitcode = EX_OSERR;

185

goto end;

186

}

187

/* Connect socket to netlink */

188

ret = nl_connect(sk, NETLINK_ROUTE);

189

if(ret < 0){

190

fprintf_plus(stderr, "Failed to connect socket to netlink: %s\n",

191

nl_geterror(ret));

192

exitcode = EX_OSERR;

193

goto end;

194

}

195

/* Get link object of specified interface */

196

struct rtnl_link *link = NULL;

197

ret = rtnl_link_get_kernel(sk, 0, arguments.interface, &link);

198

if(ret < 0){

199

fprintf_plus(stderr, "Failed to use interface %s: %s\n",

200

arguments.interface, nl_geterror(ret));

201

exitcode = EX_OSERR;

202

goto end;

203

}

204

/* Get netlink route object */

205

route = rtnl_route_alloc();

206

if(route == NULL){

207

fprintf_plus(stderr, "Failed to get netlink route:\n");

208

exitcode = EX_OSERR;

209

goto end;

210

}

211

/* Get address family of specified address */

212

sa_family_t af = (sa_family_t)nl_addr_get_family(arguments.nl_addr);

213

if(debug){

214

fprintf_plus(stderr, "Address family of %s is %s (%" PRIdMAX

215

")\n", arguments.address,

216

af == AF_INET6 ? "AF_INET6" :

217

( af == AF_INET ? "AF_INET" : "UNKNOWN"),

218

(intmax_t)af);

219

}

220

/* Set route parameters: */

221

rtnl_route_set_family(route, (uint8_t)af); /* Address family */

222

rtnl_route_set_protocol(route, RTPROT_BOOT); /* protocol - see

223

ip-route(8) */

224

rtnl_route_set_scope(route, RT_SCOPE_LINK); /* link scope */

225

rtnl_route_set_type(route, RTN_UNICAST); /* normal unicast

226

address route */

227

rtnl_route_set_dst(route, arguments.nl_addr); /* Destination

228

address */

229

rtnl_route_set_table(route, RT_TABLE_MAIN); /* "main" routing

230

table */

231

/* Create nexthop */

232

nexthop = rtnl_route_nh_alloc();

233

if(nexthop == NULL){

234

fprintf_plus(stderr, "Failed to get netlink route nexthop\n");

235

exitcode = EX_OSERR;

236

goto end;

237

}

238

/* Get index number of specified interface */

239

int ifindex = rtnl_link_get_ifindex(link);

240

if(debug){

241

fprintf_plus(stderr, "ifindex of %s is %d\n", arguments.interface,

242

ifindex);

243

}

244

/* Set interface index number on nexthop object */

245

rtnl_route_nh_set_ifindex(nexthop, ifindex);

246

/* Set route tu use nexthop object */

247

rtnl_route_add_nexthop(route, nexthop);

248

/* Add or delete route? */

249

if(arguments.add){

250

ret = rtnl_route_add(sk, route, NLM_F_EXCL);

251

} else {

252

ret = rtnl_route_delete(sk, route, 0);

253

}

254

if(ret < 0){

255

fprintf_plus(stderr, "Failed to %s route: %s\n",

256

arguments.add ? "add" : "delete",

257

nl_geterror(ret));

258

exitcode = EX_OSERR;

259

goto end;

260

}

261

end:

262

/* Deallocate route */

263

if(route){

264

rtnl_route_put(route);

265

} else if(nexthop) {

266

/* Deallocate route nexthop */

267

rtnl_route_nh_free(nexthop);

268

}

269

/* Deallocate parsed address */

270

if(arguments.nl_addr){

271

nl_addr_put(arguments.nl_addr);

272

}

273

/* Deallocate link struct */

274

if(link){

275

rtnl_link_put(link);

276

}

277

/* Deallocate netlink socket struct */

278

if(sk){

279

nl_socket_free(sk);

280

}

281

return exitcode;

282

}

Older »