/mandos/trunk : revision 801

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2016-02-28 03:01:43 UTC
Revision ID: teddy@recompile.se-20160228030143-i6w90r7wzkvlx9kq

Stop using python-gnutls.  Use GnuTLS 3.3 or later directly.

* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
          Python-GnuTLS.

* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
                                                 "libgnutls28-dev" and
                                                 "gnutls-dev".
  (Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
  (Package: mandos/Depends): Remove "python-gnutls" and
                             "python2.7-gnutls", add "libgnutls28-dev
                             (>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
  (GnuTLS, gnutls): New; simulate a "gnutls" module.  Change all
                    callers to match new shorter names.

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.prerm

debian/rules

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),

strtof(), abort() */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <string.h> /* strcmp(), strlen(), strerror(),

asprintf(), strncpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

305

return false;

306

}

307

308

ret = (int)TEMP_FAILURE_RETRY(close(fd));

308

ret = close(fd);

309

if(ret == -1){

310

perror_plus("close");

311

}

493

return plaintext_length;

494

}

495

496

__attribute__((warn_unused_result, const))

497

static const char *safe_string(const char *str){

498

if(str == NULL)

499

return "(unknown)";

500

return str;

501

}

502

496

503

__attribute__((warn_unused_result))

497

504

static const char *safer_gnutls_strerror(int value){

498

505

const char *ret = gnutls_strerror(value);

499

if(ret == NULL)

500

ret = "(unknown)";

501

return ret;

506

return safe_string(ret);

502

507

}

503

508

504

509

/* GnuTLS log function callback */

511

516

__attribute__((nonnull, warn_unused_result))

512

517

static int init_gnutls_global(const char *pubkeyfilename,

513

518

const char *seckeyfilename,

519

const char *dhparamsfilename,

514

520

mandos_context *mc){

515

521

int ret;

522

unsigned int uret;

516

523

517

524

if(debug){

518

525

fprintf_plus(stderr, "Initializing GnuTLS\n");

569

576

safer_gnutls_strerror(ret));

570

577

goto globalfail;

571

578

}

572

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

573

if(ret != GNUTLS_E_SUCCESS){

574

fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",

575

safer_gnutls_strerror(ret));

576

goto globalfail;

577

}

578

579

/* If a Diffie-Hellman parameters file was given, try to use it */

580

if(dhparamsfilename != NULL){

581

gnutls_datum_t params = { .data = NULL, .size = 0 };

582

do {

583

int dhpfile = open(dhparamsfilename, O_RDONLY);

584

if(dhpfile == -1){

585

perror_plus("open");

586

dhparamsfilename = NULL;

587

break;

588

}

589

size_t params_capacity = 0;

590

while(true){

591

params_capacity = incbuffer((char **)&params.data,

592

(size_t)params.size,

593

(size_t)params_capacity);

594

if(params_capacity == 0){

595

perror_plus("incbuffer");

596

free(params.data);

597

params.data = NULL;

598

dhparamsfilename = NULL;

599

break;

600

}

601

ssize_t bytes_read = read(dhpfile,

602

params.data + params.size,

603

BUFFER_SIZE);

604

/* EOF */

605

if(bytes_read == 0){

606

break;

607

}

608

/* check bytes_read for failure */

609

if(bytes_read < 0){

610

perror_plus("read");

611

free(params.data);

612

params.data = NULL;

613

dhparamsfilename = NULL;

614

break;

615

}

616

params.size += (unsigned int)bytes_read;

617

}

618

if(params.data == NULL){

619

dhparamsfilename = NULL;

620

}

621

if(dhparamsfilename == NULL){

622

break;

623

}

624

ret = gnutls_dh_params_import_pkcs3(mc->dh_params, &params,

625

GNUTLS_X509_FMT_PEM);

626

if(ret != GNUTLS_E_SUCCESS){

627

fprintf_plus(stderr, "Failed to parse DH parameters in file"

628

" \"%s\": %s\n", dhparamsfilename,

629

safer_gnutls_strerror(ret));

630

dhparamsfilename = NULL;

631

}

632

} while(false);

633

}

634

if(dhparamsfilename == NULL){

635

if(mc->dh_bits == 0){

636

/* Find out the optimal number of DH bits */

637

/* Try to read the private key file */

638

gnutls_datum_t buffer = { .data = NULL, .size = 0 };

639

do {

640

int secfile = open(seckeyfilename, O_RDONLY);

641

if(secfile == -1){

642

perror_plus("open");

643

break;

644

}

645

size_t buffer_capacity = 0;

646

while(true){

647

buffer_capacity = incbuffer((char **)&buffer.data,

648

(size_t)buffer.size,

649

(size_t)buffer_capacity);

650

if(buffer_capacity == 0){

651

perror_plus("incbuffer");

652

free(buffer.data);

653

buffer.data = NULL;

654

break;

655

}

656

ssize_t bytes_read = read(secfile,

657

buffer.data + buffer.size,

658

BUFFER_SIZE);

659

/* EOF */

660

if(bytes_read == 0){

661

break;

662

}

663

/* check bytes_read for failure */

664

if(bytes_read < 0){

665

perror_plus("read");

666

free(buffer.data);

667

buffer.data = NULL;

668

break;

669

}

670

buffer.size += (unsigned int)bytes_read;

671

}

672

close(secfile);

673

} while(false);

674

/* If successful, use buffer to parse private key */

675

gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;

676

if(buffer.data != NULL){

677

{

678

gnutls_openpgp_privkey_t privkey = NULL;

679

ret = gnutls_openpgp_privkey_init(&privkey);

680

if(ret != GNUTLS_E_SUCCESS){

681

fprintf_plus(stderr, "Error initializing OpenPGP key"

682

" structure: %s",

683

safer_gnutls_strerror(ret));

684

free(buffer.data);

685

buffer.data = NULL;

686

} else {

687

ret = gnutls_openpgp_privkey_import

688

(privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);

689

if(ret != GNUTLS_E_SUCCESS){

690

fprintf_plus(stderr, "Error importing OpenPGP key : %s",

691

safer_gnutls_strerror(ret));

692

privkey = NULL;

693

}

694

free(buffer.data);

695

buffer.data = NULL;

696

if(privkey != NULL){

697

/* Use private key to suggest an appropriate

698

sec_param */

699

sec_param = gnutls_openpgp_privkey_sec_param(privkey);

700

gnutls_openpgp_privkey_deinit(privkey);

701

if(debug){

702

fprintf_plus(stderr, "This OpenPGP key implies using"

703

" a GnuTLS security parameter \"%s\".\n",

704

safe_string(gnutls_sec_param_get_name

705

(sec_param)));

706

}

707

}

708

}

709

}

710

if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){

711

/* Err on the side of caution */

712

sec_param = GNUTLS_SEC_PARAM_ULTRA;

713

if(debug){

714

fprintf_plus(stderr, "Falling back to security parameter"

715

" \"%s\"\n",

716

safe_string(gnutls_sec_param_get_name

717

(sec_param)));

718

}

719

}

720

}

721

uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

722

if(uret != 0){

723

mc->dh_bits = uret;

724

if(debug){

725

fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"

726

" implies %u DH bits; using that.\n",

727

safe_string(gnutls_sec_param_get_name

728

(sec_param)),

729

mc->dh_bits);

730

}

731

} else {

732

fprintf_plus(stderr, "Failed to get implied number of DH"

733

" bits for security parameter \"%s\"): %s\n",

734

safe_string(gnutls_sec_param_get_name

735

(sec_param)),

736

safer_gnutls_strerror(ret));

737

goto globalfail;

738

}

739

} else if(debug){

740

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

741

mc->dh_bits);

742

}

743

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

744

if(ret != GNUTLS_E_SUCCESS){

745

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"

746

" bits): %s\n", mc->dh_bits,

747

safer_gnutls_strerror(ret));

748

goto globalfail;

749

}

750

}

579

751

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

580

752

581

753

return 0;

641

813

/* ignore client certificate if any. */

642

814

gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);

643

815

644

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

645

646

816

return 0;

647

817

}

648

818

702

872

return ret_errno;

703

873

}

704

874

705

/* Helper function to add_local_route() and remove_local_route() */

875

/* Helper function to add_local_route() and delete_local_route() */

706

876

__attribute__((nonnull, warn_unused_result))

707

static bool add_remove_local_route(const bool add,

877

static bool add_delete_local_route(const bool add,

708

878

const char *address,

709

879

AvahiIfIndex if_index){

710

880

int ret;

711

881

char helper[] = "mandos-client-iprouteadddel";

712

882

char add_arg[] = "add";

713

883

char delete_arg[] = "delete";

884

char debug_flag[] = "--debug";

714

885

char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");

715

886

if(pluginhelperdir == NULL){

716

887

if(debug){

760

931

perror_plus("dup2(devnull, STDIN_FILENO)");

761

932

_exit(EX_OSERR);

762

933

}

763

ret = (int)TEMP_FAILURE_RETRY(close(devnull));

934

ret = close(devnull);

764

935

if(ret == -1){

765

936

perror_plus("close");

766

937

_exit(EX_OSERR);

783

954

helper, O_RDONLY));

784

955

if(helper_fd == -1){

785

956

perror_plus("openat");

957

close(helperdir_fd);

786

958

_exit(EX_UNAVAILABLE);

787

959

}

788

TEMP_FAILURE_RETRY(close(helperdir_fd));

960

close(helperdir_fd);

789

961

#ifdef __GNUC__

790

962

#pragma GCC diagnostic push

791

963

#pragma GCC diagnostic ignored "-Wcast-qual"

792

964

#endif

793

965

if(fexecve(helper_fd, (char *const [])

794

966

{ helper, add ? add_arg : delete_arg, (char *)address,

795

interface, NULL }, environ) == -1){

967

interface, debug ? debug_flag : NULL, NULL },

968

environ) == -1){

796

969

#ifdef __GNUC__

797

970

#pragma GCC diagnostic pop

798

971

#endif

850

1023

__attribute__((nonnull, warn_unused_result))

851

1024

static bool add_local_route(const char *address,

852

1025

AvahiIfIndex if_index){

853

return add_remove_local_route(true, address, if_index);

1026

if(debug){

1027

fprintf_plus(stderr, "Adding route to %s\n", address);

1028

}

1029

return add_delete_local_route(true, address, if_index);

854

1030

}

855

1031

856

1032

__attribute__((nonnull, warn_unused_result))

857

static bool remove_local_route(const char *address,

1033

static bool delete_local_route(const char *address,

858

1034

AvahiIfIndex if_index){

859

return add_remove_local_route(false, address, if_index);

1035

if(debug){

1036

fprintf_plus(stderr, "Removing route to %s\n", address);

1037

}

1038

return add_delete_local_route(false, address, if_index);

860

1039

}

861

1040

862

1041

/* Called when a Mandos server is found */

952

1131

goto mandos_end;

953

1132

}

954

1133

955

memset(&to, 0, sizeof(to));

956

1134

if(af == AF_INET6){

957

((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;

958

ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);

1135

struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&to;

1136

*to6 = (struct sockaddr_in6){ .sin6_family = (sa_family_t)af };

1137

ret = inet_pton(af, ip, &to6->sin6_addr);

959

1138

} else { /* IPv4 */

960

((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;

961

ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);

1139

struct sockaddr_in *to4 = (struct sockaddr_in *)&to;

1140

*to4 = (struct sockaddr_in){ .sin_family = (sa_family_t)af };

1141

ret = inet_pton(af, ip, &to4->sin_addr);

962

1142

}

963

1143

if(ret < 0 ){

964

1144

int e = errno;

1043

1223

sizeof(struct sockaddr_in));

1044

1224

}

1045

1225

if(ret < 0){

1046

if(errno == ENETUNREACH

1226

if(((errno == ENETUNREACH) or (errno == EHOSTUNREACH))

1047

1227

and if_index != AVAHI_IF_UNSPEC

1048

1228

and connect_to == NULL

1049

1229

and not route_added and

1065

1245

http://lists.freedesktop.org/archives/avahi/2010-February/001833.html

1066

1246

https://bugs.debian.org/587961

1067

1247

1248

if(debug){

1249

fprintf_plus(stderr, "Mandos server unreachable, trying"

1250

" direct route\n");

1251

}

1068

1252

int e = errno;

1069

1253

route_added = add_local_route(ip, if_index);

1070

1254

if(route_added){

1274

1458

mandos_end:

1275

1459

{

1276

1460

if(route_added){

1277

if(not remove_local_route(ip, if_index)){

1278

fprintf_plus(stderr, "Failed to remove local route to %s on"

1461

if(not delete_local_route(ip, if_index)){

1462

fprintf_plus(stderr, "Failed to delete local route to %s on"

1279

1463

" interface %d", ip, if_index);

1280

1464

}

1281

1465

}

1283

1467

free(decrypted_buffer);

1284

1468

free(buffer);

1285

1469

if(tcp_sd >= 0){

1286

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

1470

ret = close(tcp_sd);

1287

1471

}

1288

1472

if(ret == -1){

1289

1473

if(e == 0){

1453

1637

errno = ret_errno;

1454

1638

return false;

1455

1639

}

1456

strcpy(ifr->ifr_name, ifname);

1640

strncpy(ifr->ifr_name, ifname, IF_NAMESIZE);

1641

ifr->ifr_name[IF_NAMESIZE-1] = '\0'; /* NUL terminate */

1457

1642

ret = ioctl(s, SIOCGIFFLAGS, ifr);

1458

1643

if(ret == -1){

1459

1644

if(debug){

1828

2013

perror_plus("openat");

1829

2014

_exit(EXIT_FAILURE);

1830

2015

}

1831

if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){

2016

if(close(hookdir_fd) == -1){

1832

2017

perror_plus("close");

1833

2018

_exit(EXIT_FAILURE);

1834

2019

}

1837

2022

perror_plus("dup2(devnull, STDIN_FILENO)");

1838

2023

_exit(EX_OSERR);

1839

2024

}

1840

ret = (int)TEMP_FAILURE_RETRY(close(devnull));

2025

ret = close(devnull);

1841

2026

if(ret == -1){

1842

2027

perror_plus("close");

1843

2028

_exit(EX_OSERR);

1892

2077

free(direntry);

1893

2078

}

1894

2079

free(direntries);

1895

if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){

2080

if(close(hookdir_fd) == -1){

1896

2081

perror_plus("close");

1897

2082

} else {

1898

2083

hookdir_fd = -1;

1938

2123

}

1939

2124

1940

2125

if(quit_now){

1941

ret = (int)TEMP_FAILURE_RETRY(close(sd));

2126

ret = close(sd);

1942

2127

if(ret == -1){

1943

2128

perror_plus("close");

1944

2129

}

1994

2179

}

1995

2180

1996

2181

/* Close the socket */

1997

ret = (int)TEMP_FAILURE_RETRY(close(sd));

2182

ret = close(sd);

1998

2183

if(ret == -1){

1999

2184

perror_plus("close");

2000

2185

}

2082

2267

}

2083

2268

2084

2269

/* Close the socket */

2085

int ret = (int)TEMP_FAILURE_RETRY(close(sd));

2270

int ret = close(sd);

2086

2271

if(ret == -1){

2087

2272

perror_plus("close");

2088

2273

}

2103

2288

}

2104

2289

2105

2290

int main(int argc, char *argv[]){

2106

mandos_context mc = { .server = NULL, .dh_bits = 1024,

2107

.priority = "SECURE256:!CTYPE-X.509:"

2108

"+CTYPE-OPENPGP", .current_server = NULL,

2109

.interfaces = NULL, .interfaces_size = 0 };

2291

mandos_context mc = { .server = NULL, .dh_bits = 0,

2292

.priority = "SECURE256:!CTYPE-X.509"

2293

":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",

2294

.current_server = NULL, .interfaces = NULL,

2295

.interfaces_size = 0 };

2110

2296

AvahiSServiceBrowser *sb = NULL;

2111

2297

error_t ret_errno;

2112

2298

int ret;

2121

2307

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

2122

2308

const char *seckey = PATHDIR "/" SECKEY;

2123

2309

const char *pubkey = PATHDIR "/" PUBKEY;

2310

const char *dh_params_file = NULL;

2124

2311

char *interfaces_hooks = NULL;

2125

2312

2126

2313

bool gnutls_initialized = false;

2179

2366

.doc = "Bit length of the prime number used in the"

2180

2367

" Diffie-Hellman key exchange",

2181

2368

.group = 2 },

2369

{ .name = "dh-params", .key = 134,

2370

.arg = "FILE",

2371

.doc = "PEM-encoded PKCS#3 file with pre-generated parameters"

2372

" for the Diffie-Hellman key exchange",

2373

.group = 2 },

2182

2374

{ .name = "priority", .key = 130,

2183

2375

.arg = "STRING",

2184

2376

.doc = "GnuTLS priority string for the TLS handshake",

2239

2431

}

2240

2432

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

2241

2433

break;

2434

case 134: /* --dh-params */

2435

dh_params_file = arg;

2436

break;

2242

2437

case 130: /* --priority */

2243

2438

mc.priority = arg;

2244

2439

break;

2330

2525

}

2331

2526

}

2332

2527

}

2333

TEMP_FAILURE_RETRY(close(seckey_fd));

2528

close(seckey_fd);

2334

2529

}

2335

2530

}

2336

2531

2351

2546

}

2352

2547

}

2353

2548

}

2354

TEMP_FAILURE_RETRY(close(pubkey_fd));

2549

close(pubkey_fd);

2550

}

2551

}

2552

2553

if(dh_params_file != NULL

2554

and strcmp(dh_params_file, PATHDIR "/dhparams.pem" ) == 0){

2555

int dhparams_fd = open(dh_params_file, O_RDONLY);

2556

if(dhparams_fd == -1){

2557

perror_plus("open");

2558

} else {

2559

ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));

2560

if(ret == -1){

2561

perror_plus("fstat");

2562

} else {

2563

if(S_ISREG(st.st_mode)

2564

and st.st_uid == 0 and st.st_gid == 0){

2565

ret = fchown(dhparams_fd, uid, gid);

2566

if(ret == -1){

2567

perror_plus("fchown");

2568

}

2569

}

2570

}

2571

close(dhparams_fd);

2355

2572

}

2356

2573

}

2357

2574

2534

2751

errno = bring_up_interface(interface, delay);

2535

2752

if(not interface_was_up){

2536

2753

if(errno != 0){

2537

perror_plus("Failed to bring up interface");

2754

fprintf_plus(stderr, "Failed to bring up interface \"%s\":"

2755

" %s\n", interface, strerror(errno));

2538

2756

} else {

2539

2757

errno = argz_add(&interfaces_to_take_down,

2540

2758

&interfaces_to_take_down_size,

2563

2781

goto end;

2564

2782

}

2565

2783

2566

ret = init_gnutls_global(pubkey, seckey, &mc);

2784

ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);

2567

2785

if(ret == -1){

2568

2786

fprintf_plus(stderr, "init_gnutls_global failed\n");

2569

2787

exitcode = EX_UNAVAILABLE;

2869

3087

perror_plus("rmdir");

2870

3088

}

2871

3089

}

2872

TEMP_FAILURE_RETRY(close(tempdir_fd));

3090

close(tempdir_fd);

2873

3091

}

2874

3092

}

2875

3093

Older »