/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),

strtof(), abort() */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <string.h> /* strcmp(), strlen(), strerror(),

asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

305

return false;

306

}

307

308

ret = (int)TEMP_FAILURE_RETRY(close(fd));

308

ret = close(fd);

309

if(ret == -1){

310

perror_plus("close");

311

}

493

return plaintext_length;

494

}

495

496

__attribute__((warn_unused_result, const))

497

static const char *safe_string(const char *str){

498

if(str == NULL)

499

return "(unknown)";

500

return str;

501

}

502

496

503

__attribute__((warn_unused_result))

497

504

static const char *safer_gnutls_strerror(int value){

498

505

const char *ret = gnutls_strerror(value);

499

if(ret == NULL)

500

ret = "(unknown)";

501

return ret;

506

return safe_string(ret);

502

507

}

503

508

504

509

/* GnuTLS log function callback */

511

516

__attribute__((nonnull, warn_unused_result))

512

517

static int init_gnutls_global(const char *pubkeyfilename,

513

518

const char *seckeyfilename,

519

const char *dhparamsfilename,

514

520

mandos_context *mc){

515

521

int ret;

522

unsigned int uret;

516

523

517

524

if(debug){

518

525

fprintf_plus(stderr, "Initializing GnuTLS\n");

569

576

safer_gnutls_strerror(ret));

570

577

goto globalfail;

571

578

}

572

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

573

if(ret != GNUTLS_E_SUCCESS){

574

fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",

575

safer_gnutls_strerror(ret));

576

goto globalfail;

577

}

578

579

/* If a Diffie-Hellman parameters file was given, try to use it */

580

if(dhparamsfilename != NULL){

581

gnutls_datum_t params = { .data = NULL, .size = 0 };

582

do {

583

int dhpfile = open(dhparamsfilename, O_RDONLY);

584

if(dhpfile == -1){

585

perror_plus("open");

586

dhparamsfilename = NULL;

587

break;

588

}

589

size_t params_capacity = 0;

590

while(true){

591

params_capacity = incbuffer((char **)&params.data,

592

(size_t)params.size,

593

(size_t)params_capacity);

594

if(params_capacity == 0){

595

perror_plus("incbuffer");

596

free(params.data);

597

params.data = NULL;

598

dhparamsfilename = NULL;

599

break;

600

}

601

ssize_t bytes_read = read(dhpfile,

602

params.data + params.size,

603

BUFFER_SIZE);

604

/* EOF */

605

if(bytes_read == 0){

606

break;

607

}

608

/* check bytes_read for failure */

609

if(bytes_read < 0){

610

perror_plus("read");

611

free(params.data);

612

params.data = NULL;

613

dhparamsfilename = NULL;

614

break;

615

}

616

params.size += (unsigned int)bytes_read;

617

}

618

if(params.data == NULL){

619

dhparamsfilename = NULL;

620

}

621

if(dhparamsfilename == NULL){

622

break;

623

}

624

ret = gnutls_dh_params_import_pkcs3(mc->dh_params, &params,

625

GNUTLS_X509_FMT_PEM);

626

if(ret != GNUTLS_E_SUCCESS){

627

fprintf_plus(stderr, "Failed to parse DH parameters in file"

628

" \"%s\": %s\n", dhparamsfilename,

629

safer_gnutls_strerror(ret));

630

dhparamsfilename = NULL;

631

}

632

} while(false);

633

}

634

if(dhparamsfilename == NULL){

635

if(mc->dh_bits == 0){

636

/* Find out the optimal number of DH bits */

637

/* Try to read the private key file */

638

gnutls_datum_t buffer = { .data = NULL, .size = 0 };

639

do {

640

int secfile = open(seckeyfilename, O_RDONLY);

641

if(secfile == -1){

642

perror_plus("open");

643

break;

644

}

645

size_t buffer_capacity = 0;

646

while(true){

647

buffer_capacity = incbuffer((char **)&buffer.data,

648

(size_t)buffer.size,

649

(size_t)buffer_capacity);

650

if(buffer_capacity == 0){

651

perror_plus("incbuffer");

652

free(buffer.data);

653

buffer.data = NULL;

654

break;

655

}

656

ssize_t bytes_read = read(secfile,

657

buffer.data + buffer.size,

658

BUFFER_SIZE);

659

/* EOF */

660

if(bytes_read == 0){

661

break;

662

}

663

/* check bytes_read for failure */

664

if(bytes_read < 0){

665

perror_plus("read");

666

free(buffer.data);

667

buffer.data = NULL;

668

break;

669

}

670

buffer.size += (unsigned int)bytes_read;

671

}

672

close(secfile);

673

} while(false);

674

/* If successful, use buffer to parse private key */

675

gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;

676

if(buffer.data != NULL){

677

{

678

gnutls_openpgp_privkey_t privkey = NULL;

679

ret = gnutls_openpgp_privkey_init(&privkey);

680

if(ret != GNUTLS_E_SUCCESS){

681

fprintf_plus(stderr, "Error initializing OpenPGP key"

682

" structure: %s",

683

safer_gnutls_strerror(ret));

684

free(buffer.data);

685

buffer.data = NULL;

686

} else {

687

ret = gnutls_openpgp_privkey_import

688

(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);

689

if(ret != GNUTLS_E_SUCCESS){

690

fprintf_plus(stderr, "Error importing OpenPGP key : %s",

691

safer_gnutls_strerror(ret));

692

privkey = NULL;

693

}

694

free(buffer.data);

695

buffer.data = NULL;

696

if(privkey != NULL){

697

/* Use private key to suggest an appropriate

698

sec_param */

699

sec_param = gnutls_openpgp_privkey_sec_param(privkey);

700

gnutls_openpgp_privkey_deinit(privkey);

701

if(debug){

702

fprintf_plus(stderr, "This OpenPGP key implies using"

703

" a GnuTLS security parameter \"%s\".\n",

704

safe_string(gnutls_sec_param_get_name

705

(sec_param)));

706

}

707

}

708

}

709

}

710

if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){

711

/* Err on the side of caution */

712

sec_param = GNUTLS_SEC_PARAM_ULTRA;

713

if(debug){

714

fprintf_plus(stderr, "Falling back to security parameter"

715

" \"%s\"\n",

716

safe_string(gnutls_sec_param_get_name

717

(sec_param)));

718

}

719

}

720

}

721

uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

722

if(uret != 0){

723

mc->dh_bits = uret;

724

if(debug){

725

fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"

726

" implies %u DH bits; using that.\n",

727

safe_string(gnutls_sec_param_get_name

728

(sec_param)),

729

mc->dh_bits);

730

}

731

} else {

732

fprintf_plus(stderr, "Failed to get implied number of DH"

733

" bits for security parameter \"%s\"): %s\n",

734

safe_string(gnutls_sec_param_get_name

735

(sec_param)),

736

safer_gnutls_strerror(ret));

737

goto globalfail;

738

}

739

} else if(debug){

740

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

741

mc->dh_bits);

742

}

743

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

744

if(ret != GNUTLS_E_SUCCESS){

745

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"

746

" bits): %s\n", mc->dh_bits,

747

safer_gnutls_strerror(ret));

748

goto globalfail;

749

}

750

}

579

751

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

580

752

581

753

return 0;

641

813

/* ignore client certificate if any. */

642

814

gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);

643

815

644

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

645

646

816

return 0;

647

817

}

648

818

702

872

return ret_errno;

703

873

}

704

874

705

/* Helper function to add_local_route() and remove_local_route() */

875

/* Helper function to add_local_route() and delete_local_route() */

706

876

__attribute__((nonnull, warn_unused_result))

707

static bool add_remove_local_route(const bool add,

877

static bool add_delete_local_route(const bool add,

708

878

const char *address,

709

879

AvahiIfIndex if_index){

710

880

int ret;

711

881

char helper[] = "mandos-client-iprouteadddel";

712

882

char add_arg[] = "add";

713

char remove_arg[] = "remove";

883

char delete_arg[] = "delete";

884

char debug_flag[] = "--debug";

714

885

char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");

715

886

if(pluginhelperdir == NULL){

716

887

if(debug){

775

946

| O_DIRECTORY

776

947

| O_PATH

777

948

| O_CLOEXEC));

949

if(helperdir_fd == -1){

950

perror_plus("open");

951

_exit(EX_UNAVAILABLE);

952

}

778

953

int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,

779

954

helper, O_RDONLY));

780

TEMP_FAILURE_RETRY(close(helperdir_fd));

955

if(helper_fd == -1){

956

perror_plus("openat");

957

close(helperdir_fd);

958

_exit(EX_UNAVAILABLE);

959

}

960

close(helperdir_fd);

781

961

#ifdef __GNUC__

782

962

#pragma GCC diagnostic push

783

963

#pragma GCC diagnostic ignored "-Wcast-qual"

784

964

#endif

785

965

if(fexecve(helper_fd, (char *const [])

786

{ helper, add ? add_arg : remove_arg, (char *)address,

787

interface, NULL }, environ) == -1){

966

{ helper, add ? add_arg : delete_arg, (char *)address,

967

interface, debug ? debug_flag : NULL, NULL },

968

environ) == -1){

788

969

#ifdef __GNUC__

789

970

#pragma GCC diagnostic pop

790

971

#endif

842

1023

__attribute__((nonnull, warn_unused_result))

843

1024

static bool add_local_route(const char *address,

844

1025

AvahiIfIndex if_index){

845

return add_remove_local_route(true, address, if_index);

1026

if(debug){

1027

fprintf_plus(stderr, "Adding route to %s\n", address);

1028

}

1029

return add_delete_local_route(true, address, if_index);

846

1030

}

847

1031

848

1032

__attribute__((nonnull, warn_unused_result))

849

static bool remove_local_route(const char *address,

1033

static bool delete_local_route(const char *address,

850

1034

AvahiIfIndex if_index){

851

return add_remove_local_route(false, address, if_index);

1035

if(debug){

1036

fprintf_plus(stderr, "Removing route to %s\n", address);

1037

}

1038

return add_delete_local_route(false, address, if_index);

852

1039

}

853

1040

854

1041

/* Called when a Mandos server is found */

944

1131

goto mandos_end;

945

1132

}

946

1133

947

memset(&to, 0, sizeof(to));

948

1134

if(af == AF_INET6){

949

((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;

950

ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);

1135

struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;

1136

*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };

1137

ret = inet_pton(af, ip, &to6->sin6_addr);

951

1138

} else { /* IPv4 */

952

((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;

953

ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);

1139

struct sockaddr_in *to4 = (struct sockaddr_in *)&to;

1140

*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };

1141

ret = inet_pton(af, ip, &to4->sin_addr);

954

1142

}

955

1143

if(ret < 0 ){

956

1144

int e = errno;

1057

1245

http://lists.freedesktop.org/archives/avahi/2010-February/001833.html

1058

1246

https://bugs.debian.org/587961

1059

1247

1248

if(debug){

1249

fprintf_plus(stderr, "Mandos server unreachable, trying"

1250

" direct route\n");

1251

}

1060

1252

int e = errno;

1061

1253

route_added = add_local_route(ip, if_index);

1062

1254

if(route_added){

1266

1458

mandos_end:

1267

1459

{

1268

1460

if(route_added){

1269

if(not remove_local_route(ip, if_index)){

1270

fprintf_plus(stderr, "Failed to remove local route to %s on"

1461

if(not delete_local_route(ip, if_index)){

1462

fprintf_plus(stderr, "Failed to delete local route to %s on"

1271

1463

" interface %d", ip, if_index);

1272

1464

}

1273

1465

}

1275

1467

free(decrypted_buffer);

1276

1468

free(buffer);

1277

1469

if(tcp_sd >= 0){

1278

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

1470

ret = close(tcp_sd);

1279

1471

}

1280

1472

if(ret == -1){

1281

1473

if(e == 0){

1813

2005

_exit(EX_OSERR);

1814

2006

}

1815

2007

}

1816

int hook_fd = TEMP_FAILURE_RETRY(openat(hookdir_fd,

1817

direntry->d_name,

1818

O_RDONLY));

2008

int hook_fd = (int)TEMP_FAILURE_RETRY(openat(hookdir_fd,

2009

direntry->d_name,

2010

O_RDONLY));

1819

2011

if(hook_fd == -1){

1820

2012

perror_plus("openat");

1821

2013

_exit(EXIT_FAILURE);

1822

2014

}

1823

if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){

2015

if(close(hookdir_fd) == -1){

1824

2016

perror_plus("close");

1825

2017

_exit(EXIT_FAILURE);

1826

2018

}

1884

2076

free(direntry);

1885

2077

}

1886

2078

free(direntries);

1887

if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){

2079

if(close(hookdir_fd) == -1){

1888

2080

perror_plus("close");

1889

2081

} else {

1890

2082

hookdir_fd = -1;

1930

2122

}

1931

2123

1932

2124

if(quit_now){

1933

ret = (int)TEMP_FAILURE_RETRY(close(sd));

2125

ret = close(sd);

1934

2126

if(ret == -1){

1935

2127

perror_plus("close");

1936

2128

}

1986

2178

}

1987

2179

1988

2180

/* Close the socket */

1989

ret = (int)TEMP_FAILURE_RETRY(close(sd));

2181

ret = close(sd);

1990

2182

if(ret == -1){

1991

2183

perror_plus("close");

1992

2184

}

2074

2266

}

2075

2267

2076

2268

/* Close the socket */

2077

int ret = (int)TEMP_FAILURE_RETRY(close(sd));

2269

int ret = close(sd);

2078

2270

if(ret == -1){

2079

2271

perror_plus("close");

2080

2272

}

2095

2287

}

2096

2288

2097

2289

int main(int argc, char *argv[]){

2098

mandos_context mc = { .server = NULL, .dh_bits = 1024,

2099

.priority = "SECURE256:!CTYPE-X.509:"

2100

"+CTYPE-OPENPGP", .current_server = NULL,

2101

.interfaces = NULL, .interfaces_size = 0 };

2290

mandos_context mc = { .server = NULL, .dh_bits = 0,

2291

.priority = "SECURE256:!CTYPE-X.509"

2292

":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",

2293

.current_server = NULL, .interfaces = NULL,

2294

.interfaces_size = 0 };

2102

2295

AvahiSServiceBrowser *sb = NULL;

2103

2296

error_t ret_errno;

2104

2297

int ret;

2113

2306

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

2114

2307

const char *seckey = PATHDIR "/" SECKEY;

2115

2308

const char *pubkey = PATHDIR "/" PUBKEY;

2309

const char *dh_params_file = NULL;

2116

2310

char *interfaces_hooks = NULL;

2117

2311

2118

2312

bool gnutls_initialized = false;

2171

2365

.doc = "Bit length of the prime number used in the"

2172

2366

" Diffie-Hellman key exchange",

2173

2367

.group = 2 },

2368

{ .name = "dh-params", .key = 134,

2369

.arg = "FILE",

2370

.doc = "PEM-encoded PKCS#3 file with pre-generated parameters"

2371

" for the Diffie-Hellman key exchange",

2372

.group = 2 },

2174

2373

{ .name = "priority", .key = 130,

2175

2374

.arg = "STRING",

2176

2375

.doc = "GnuTLS priority string for the TLS handshake",

2231

2430

}

2232

2431

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

2233

2432

break;

2433

case 134: /* --dh-params */

2434

dh_params_file = arg;

2435

break;

2234

2436

case 130: /* --priority */

2235

2437

mc.priority = arg;

2236

2438

break;

2322

2524

}

2323

2525

}

2324

2526

}

2325

TEMP_FAILURE_RETRY(close(seckey_fd));

2527

close(seckey_fd);

2326

2528

}

2327

2529

}

2328

2530

2343

2545

}

2344

2546

}

2345

2547

}

2346

TEMP_FAILURE_RETRY(close(pubkey_fd));

2548

close(pubkey_fd);

2549

}

2550

}

2551

2552

if(dh_params_file != NULL

2553

and strcmp(dh_params_file, PATHDIR "/dhparams.pem" ) == 0){

2554

int dhparams_fd = open(dh_params_file, O_RDONLY);

2555

if(dhparams_fd == -1){

2556

perror_plus("open");

2557

} else {

2558

ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));

2559

if(ret == -1){

2560

perror_plus("fstat");

2561

} else {

2562

if(S_ISREG(st.st_mode)

2563

and st.st_uid == 0 and st.st_gid == 0){

2564

ret = fchown(dhparams_fd, uid, gid);

2565

if(ret == -1){

2566

perror_plus("fchown");

2567

}

2568

}

2569

}

2570

close(dhparams_fd);

2347

2571

}

2348

2572

}

2349

2573

2526

2750

errno = bring_up_interface(interface, delay);

2527

2751

if(not interface_was_up){

2528

2752

if(errno != 0){

2529

perror_plus("Failed to bring up interface");

2753

fprintf_plus(stderr, "Failed to bring up interface \"%s\":"

2754

" %s\n", interface, strerror(errno));

2530

2755

} else {

2531

2756

errno = argz_add(&interfaces_to_take_down,

2532

2757

&interfaces_to_take_down_size,

2555

2780

goto end;

2556

2781

}

2557

2782

2558

ret = init_gnutls_global(pubkey, seckey, &mc);

2783

ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);

2559

2784

if(ret == -1){

2560

2785

fprintf_plus(stderr, "init_gnutls_global failed\n");

2561

2786

exitcode = EX_UNAVAILABLE;

2861

3086

perror_plus("rmdir");

2862

3087

}

2863

3088

}

2864

TEMP_FAILURE_RETRY(close(tempdir_fd));

3089

close(tempdir_fd);

2865

3090

}

2866

3091

}

2867

3092

Older »