/mandos/trunk : revision 962

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.c

Committer: Teddy Hogeborn
Date: 2019-02-09 23:23:26 UTC
Revision ID: teddy@recompile.se-20190209232326-z1z2kzpgfixz7iaj

Add support for using raw public keys in TLS (RFC 7250)

Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and
no other library supports it, we have to change the protocol to use
something else.  We choose to use "raw public keys" (RFC 7250).  Since
we still use OpenPGP keys to decrypt the secret password, this means
that each client will have two keys: One OpenPGP key and one TLS
public/private key, and the key ID of the latter key is used to
identify clients instead of the fingerprint of the OpenPGP key.

Note that this code is still compatible with GnuTLS before version
3.6.0 (when OpenPGP key support was removed).  This commit merely adds
support for using raw pulic keys instead with GnuTLS 3.6.6. or later.

* DBUS-API (Signals/ClientNotFound): Change name of first parameter
                                     from "Fingerprint" to "KeyID".
  (Mandos Client Interface/Properties/KeyID): New.
* INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP
           key support) up until 3.6.6, when support for raw public
           keys was added.  Also document new dependency of client on
           "gnutls-bin" package (for certtool).
* Makefile (run-client): Depend on TLS key files, and also pass them
                         as arguments to client.
  (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New.
  (confdir/clients.conf): Add dependency on TLS public key.
  (purge-client): Add removal of TLS key files.
* clients.conf ([foo]/key_id, [bar]/key_id): New.
* debian/control (Source: mandos/Build-Depends): Also allow
                                                 libgnutls30 (>= 3.6.6)
  (Package: mandos/Depends): - '' -
  (Package: mandos/Description): Alter description to match new
                                 design.
  (Package: mandos-client/Description): - '' -
  (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to
                                    here from "Recommends".
* debian/mandos-client.README.Debian: Add --tls-privkey and
                                      --tls-pubkey options to test
                                      command.
* debian/mandos-client.postinst (create_key): Renamed to "create_keys"
                                             (all callers changed),
                                             and also create TLS key.
* debian/mandos-client.postrm (purge): Also remove TLS key files.
* intro.xml (DESCRIPTION): Describe new dual-key design.
* mandos (GnuTLS): Define different functions depending on whether
                   support for raw public keys is detected.
  (Client.key_id): New attribute.
  (ClientDBus.KeyID_dbus_property): New method.
  (ProxyClient.__init__): Take new "key_id" parameter.
  (ClientHandler.handle): Use key IDs when using raw public keys and
                          use fingerprints when using OpenPGP keys.
  (ClientHandler.peer_certificate): Also handle raw public keys.
  (ClientHandler.key_id): New.
  (MandosServer.handle_ipc): Pass key ID over the pipe IPC.  Also
                             check for key ID matches when looking up
                             clients.
  (main): Default GnuTLS priority string depends on whether we are
          using raw public keys or not.  When unpickling clients, set
          key_id if not set in the pickle.
  (main/MandosDBusService.ClientNotFound): Change name of first
                                           parameter from
                                           "Fingerprint" to "KeyID".
* mandos-clients.conf.xml (OPTIONS): Document new "key_id" option.
  (OPTIONS/secret): Mention new key ID matchning.
  (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option.
  (EXAMPLE): - '' -
* mandos-ctl (tablewords, main/keywords): Add new "KeyID" property.
* mandos-keygen: Create TLS key files.  New "--tls-keytype" (-T)
                 option.  Alter help text to be more clear about key
                 types.  When in password mode, also output "key_id"
                 option.
* mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option.
  (DESCRIPTION): Alter to match new dual-key design.
  (OVERVIEW): - '' -
  (FILES): Add TLS key files.
* mandos-options.xml (priority): Document new default priority string
                                 when using raw public keys.
* mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID.
  (BUGS): Remove issue about checking expire times of OpenPGP keys,
          since TLS public keys do not have expiration times.
  (SECURITY/CLIENT): Alter description to match new design.
  (SEE ALSO/GnuTLS): - '' -
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.
* overview.xml: Alter text to match new design.
* plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey
                               options to mandos-client options.
* plugins.d/mandos-client.c: Use raw public keys when compiling with
                             supporting GnuTLS versions. Add new
                             "--tls-pubkey" and "--tls-privkey"
                             options (which do nothing if GnuTLS
                             library does not support raw public
                             keys).  Alter text throughout to reflect
                             new design.  Only generate new DH
                             parameters (based on size of OpenPGP key)
                             when using OpenPGP in TLS.  Default
                             GnuTLS priority string depends on whether
                             we are using raw public keys or not.
* plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t)
                                          and "--tls-pubkey" (-T)
                                          options.
  (DESCRIPTION): Describe new dual-key design.
  (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T)
             options.
  (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key
                       size.
  (FILES): Add default locations for TLS public and private key files.
  (EXAMPLE): Use new --tls-pubkey and --tls-privkey options.
  (SECURITY): Alter wording slightly to reflect new dual-key design.
  (SEE ALSO/GnuTLS): Alter description to match new design.
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.

files added:
bugs.xml

debian/mandos-client.examples

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.c

* Password-prompt - Read a password from the terminal and print it

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* This file is part of Mandos.

* Mandos is free software: you can redistribute it and/or modify it

* under the terms of the GNU General Public License as published by

* the Free Software Foundation, either version 3 of the License, or

* (at your option) any later version.

* Mandos is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* along with Mandos. If not, see <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <mandos@recompile.se>.

#define _GNU_SOURCE /* getline(), asprintf() */

#include <termios.h> /* struct termios, tcsetattr(),

TCSAFLUSH, tcgetattr(), ECHO */

#include <unistd.h> /* struct termios, tcsetattr(),

STDIN_FILENO, TCSAFLUSH,

getenv(), free() */

#include <dirent.h> /* scandir(), alphasort() */

#include <stdio.h> /* fprintf(), stderr, getline(),

stdin, feof(), fputc()

stdin, feof(), fputc(), vfprintf(),

vasprintf() */

#include <errno.h> /* errno, EBADF, ENOTTY, EINVAL,

EFAULT, EFBIG, EIO, ENOSPC, EINTR

#include <iso646.h> /* or, not */

#include <stdbool.h> /* bool, false, true */

#include <inttypes.h> /* strtoumax() */

#include <sys/stat.h> /* struct stat, lstat(), open() */

#include <string.h> /* strlen, rindex, memcmp */

#include <sys/stat.h> /* struct stat, lstat(), open() */

#include <string.h> /* strlen, rindex, memcmp, strerror()

#include <argp.h> /* struct argp_option, struct

argp_state, struct argp,

argp_parse(), error_t,

#include <sysexits.h> /* EX_SOFTWARE, EX_OSERR,

EX_UNAVAILABLE, EX_IOERR, EX_OK */

#include <fcntl.h> /* open() */

#include <stdarg.h> /* va_list, va_start(), ... */

volatile sig_atomic_t quit_now = 0;

int signal_received;

bool debug = false;

const char *argp_program_version = "password-prompt " VERSION;

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

/* Needed for conflic resolution */

const char plymouthd_name[] = "plymouthd";

const char *argp_program_bug_address = "<mandos@recompile.se>";

/* Needed for conflict resolution */

const char plymouth_name[] = "plymouthd";

/* Function to use when printing errors */

__attribute__((format (gnu_printf, 3, 4)))

void error_plus(int status, int errnum, const char *formatstring,

...){

va_list ap;

char *text;

int ret;

va_start(ap, formatstring);

ret = vasprintf(&text, formatstring, ap);

if(ret == -1){

fprintf(stderr, "Mandos plugin %s: ",

program_invocation_short_name);

vfprintf(stderr, formatstring, ap);

fprintf(stderr, ": %s\n", strerror(errnum));

error(status, errno, "vasprintf while printing error");

return;

}

fprintf(stderr, "Mandos plugin ");

error(status, errnum, "%s", text);

free(text);

}

static void termination_handler(int signum){

100

if(quit_now){

110

from the terminal. Password-prompt will exit if it detects

111

plymouth since plymouth performs the same functionality.

112

113

__attribute__((nonnull))

114

int is_plymouth(const struct dirent *proc_entry){

115

int ret;

116

int cl_fd;

117

{

uintmax_t maxvalue;

118

uintmax_t proc_id;

119

char *tmp;

120

errno = 0;

maxvalue = strtoumax(proc_entry->d_name, &tmp, 10);

121

proc_id = strtoumax(proc_entry->d_name, &tmp, 10);

122

123

if(errno != 0 or *tmp != '\0'

or maxvalue != (uintmax_t)((pid_t)maxvalue)){

124

or proc_id != (uintmax_t)((pid_t)proc_id)){

125

return 0;

100

126

}

101

127

}

102

128

103

129

char *cmdline_filename;

104

ret = asprintf(&cmdline_filename, "/proc/%s/cmdline", proc_entry->d_name);

130

ret = asprintf(&cmdline_filename, "/proc/%s/cmdline",

131

proc_entry->d_name);

105

132

if(ret == -1){

106

error(0, errno, "asprintf");

133

error_plus(0, errno, "asprintf");

107

134

return 0;

108

135

}

109

136

110

/* Open /proc/<pid>/cmdline */

137

/* Open /proc/<pid>/cmdline */

111

138

cl_fd = open(cmdline_filename, O_RDONLY);

112

139

free(cmdline_filename);

113

140

if(cl_fd == -1){

114

error(0, errno, "open");

141

if(errno != ENOENT){

142

error_plus(0, errno, "open");

143

}

115

144

return 0;

116

145

}

117

146

127

156

if(cmdline_len + blocksize + 1 > cmdline_allocated){

128

157

tmp = realloc(cmdline, cmdline_allocated + blocksize + 1);

129

158

if(tmp == NULL){

130

error(0, errno, "realloc");

159

error_plus(0, errno, "realloc");

131

160

free(cmdline);

132

161

close(cl_fd);

133

162

return 0;

140

169

sret = read(cl_fd, cmdline + cmdline_len,

141

170

cmdline_allocated - cmdline_len);

142

171

if(sret == -1){

143

error(0, errno, "read");

172

error_plus(0, errno, "read");

144

173

free(cmdline);

145

174

close(cl_fd);

146

175

return 0;

149

178

} while(sret != 0);

150

179

ret = close(cl_fd);

151

180

if(ret == -1){

152

error(0, errno, "close");

181

error_plus(0, errno, "close");

153

182

free(cmdline);

154

183

return 0;

155

184

}

165

194

cmdline_base = cmdline;

166

195

}

167

196

168

if(strcmp(cmdline_base, plymouthd_name) != 0){

197

if(strcmp(cmdline_base, plymouth_name) != 0){

198

if(debug){

199

fprintf(stderr, "\"%s\" is not \"%s\"\n", cmdline_base,

200

plymouth_name);

201

}

169

202

free(cmdline);

170

203

return 0;

171

204

}

205

if(debug){

206

fprintf(stderr, "\"%s\" equals \"%s\"\n", cmdline_base,

207

plymouth_name);

208

}

172

209

free(cmdline);

173

210

return 1;

174

211

}

175

176

struct dirent **direntries;

212

213

struct dirent **direntries = NULL;

177

214

int ret;

178

215

ret = scandir("/proc", &direntries, is_plymouth, alphasort);

179

if (ret == -1){

180

error(1, errno, "scandir");

181

}

216

if(ret == -1){

217

error_plus(1, errno, "scandir");

218

}

219

{

220

int i = ret;

221

while(i--){

222

free(direntries[i]);

223

}

224

}

225

free(direntries);

182

226

return ret > 0;

183

227

}

184

228

213

257

{ .name = NULL }

214

258

};

215

259

260

__attribute__((nonnull(3)))

216

261

error_t parse_opt (int key, char *arg, struct argp_state *state){

217

262

errno = 0;

218

263

switch (key){

254

299

case ENOMEM:

255

300

default:

256

301

errno = ret;

257

error(0, errno, "argp_parse");

302

error_plus(0, errno, "argp_parse");

258

303

return EX_OSERR;

259

304

case EINVAL:

260

305

return EX_USAGE;

265

310

fprintf(stderr, "Starting %s\n", argv[0]);

266

311

}

267

312

268

if (conflict_detection()){

313

if(conflict_detection()){

269

314

if(debug){

270

fprintf(stderr, "Stopping %s because of conflict", argv[0]);

315

fprintf(stderr, "Stopping %s because of conflict\n", argv[0]);

271

316

}

272

317

return EXIT_FAILURE;

273

318

}

278

323

279

324

if(tcgetattr(STDIN_FILENO, &t_old) != 0){

280

325

int e = errno;

281

error(0, errno, "tcgetattr");

326

error_plus(0, errno, "tcgetattr");

282

327

switch(e){

283

328

case EBADF:

284

329

case ENOTTY:

291

336

sigemptyset(&new_action.sa_mask);

292

337

ret = sigaddset(&new_action.sa_mask, SIGINT);

293

338

if(ret == -1){

294

error(0, errno, "sigaddset");

339

error_plus(0, errno, "sigaddset");

295

340

return EX_OSERR;

296

341

}

297

342

ret = sigaddset(&new_action.sa_mask, SIGHUP);

298

343

if(ret == -1){

299

error(0, errno, "sigaddset");

344

error_plus(0, errno, "sigaddset");

300

345

return EX_OSERR;

301

346

}

302

347

ret = sigaddset(&new_action.sa_mask, SIGTERM);

303

348

if(ret == -1){

304

error(0, errno, "sigaddset");

349

error_plus(0, errno, "sigaddset");

305

350

return EX_OSERR;

306

351

}

307

352

/* Need to check if the handler is SIG_IGN before handling:

310

355

311

356

ret = sigaction(SIGINT, NULL, &old_action);

312

357

if(ret == -1){

313

error(0, errno, "sigaction");

358

error_plus(0, errno, "sigaction");

314

359

return EX_OSERR;

315

360

}

316

361

if(old_action.sa_handler != SIG_IGN){

317

362

ret = sigaction(SIGINT, &new_action, NULL);

318

363

if(ret == -1){

319

error(0, errno, "sigaction");

364

error_plus(0, errno, "sigaction");

320

365

return EX_OSERR;

321

366

}

322

367

}

323

368

ret = sigaction(SIGHUP, NULL, &old_action);

324

369

if(ret == -1){

325

error(0, errno, "sigaction");

370

error_plus(0, errno, "sigaction");

326

371

return EX_OSERR;

327

372

}

328

373

if(old_action.sa_handler != SIG_IGN){

329

374

ret = sigaction(SIGHUP, &new_action, NULL);

330

375

if(ret == -1){

331

error(0, errno, "sigaction");

376

error_plus(0, errno, "sigaction");

332

377

return EX_OSERR;

333

378

}

334

379

}

335

380

ret = sigaction(SIGTERM, NULL, &old_action);

336

381

if(ret == -1){

337

error(0, errno, "sigaction");

382

error_plus(0, errno, "sigaction");

338

383

return EX_OSERR;

339

384

}

340

385

if(old_action.sa_handler != SIG_IGN){

341

386

ret = sigaction(SIGTERM, &new_action, NULL);

342

387

if(ret == -1){

343

error(0, errno, "sigaction");

388

error_plus(0, errno, "sigaction");

344

389

return EX_OSERR;

345

390

}

346

391

}

354

399

t_new.c_lflag &= ~(tcflag_t)ECHO;

355

400

if(tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_new) != 0){

356

401

int e = errno;

357

error(0, errno, "tcsetattr-echo");

402

error_plus(0, errno, "tcsetattr-echo");

358

403

switch(e){

359

404

case EBADF:

360

405

case ENOTTY:

424

469

sret = write(STDOUT_FILENO, buffer + written, n - written);

425

470

if(sret < 0){

426

471

int e = errno;

427

error(0, errno, "write");

472

error_plus(0, errno, "write");

428

473

switch(e){

429

474

case EBADF:

430

475

case EFAULT:

446

491

sret = close(STDOUT_FILENO);

447

492

if(sret == -1){

448

493

int e = errno;

449

error(0, errno, "close");

494

error_plus(0, errno, "close");

450

495

switch(e){

451

496

case EBADF:

452

497

status = EX_OSFILE;

462

507

if(sret < 0){

463

508

int e = errno;

464

509

if(errno != EINTR and not feof(stdin)){

465

error(0, errno, "getline");

510

error_plus(0, errno, "getline");

466

511

switch(e){

467

512

case EBADF:

468

513

status = EX_UNAVAILABLE;

514

break;

469

515

case EIO:

470

516

case EINVAL:

471

517

default:

475

521

break;

476

522

}

477

523

}

478

/* if(sret == 0), then the only sensible thing to do is to retry to

479

read from stdin */

524

/* if(sret == 0), then the only sensible thing to do is to retry

525

to read from stdin */

480

526

fputc('\n', stderr);

481

527

if(debug and not quit_now){

482

528

/* If quit_now is nonzero, we were interrupted by a signal, and

491

537

fprintf(stderr, "Restoring terminal attributes\n");

492

538

}

493

539

if(tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_old) != 0){

494

error(0, errno, "tcsetattr+echo");

540

error_plus(0, errno, "tcsetattr+echo");

495

541

}

496

542

497

543

if(quit_now){

499

545

old_action.sa_handler = SIG_DFL;

500

546

ret = sigaction(signal_received, &old_action, NULL);

501

547

if(ret == -1){

502

error(0, errno, "sigaction");

548

error_plus(0, errno, "sigaction");

503

549

}

504

550

raise(signal_received);

505

551

}

Older »