To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 967
- compare with another revision
- download diff
- download tarball
- view history from revision 967
- Committer: Teddy Hogeborn
- Date: 2019-02-10 03:50:20 UTC
- Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu
Show debconf note about new TLS key IDs
If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.
* debian/control (Package: mandos, Package: mandos-client): Depend on
debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
detected, show an important
notice (once) about the new
key_id option required in
clients.conf.
* debian/mandos.templates: New.
If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.
* debian/control (Package: mandos, Package: mandos-client): Depend on
debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
detected, show an important
notice (once) about the new
key_id option required in
clients.conf.
* debian/mandos.templates: New.
- files added:
- debian/mandos-client.templates
- files removed:
- initramfs-tools-hook-conf
- files modified:
- DBUS-API
added
removed
plugins.d/mandos-client.c
123
123
gnutls_*
124
124
init_gnutls_session(),
125
125
GNUTLS_* */
126
#if GNUTLS_VERSION_NUMBER < 0x030600
126
127
#include <gnutls/openpgp.h>
127
128
/* gnutls_certificate_set_openpgp_key_file(),
128
129
GNUTLS_OPENPGP_FMT_BASE64 */
130
#elif GNUTLS_VERSION_NUMBER >= 0x030606
131
#include <gnutls/x509.h> /* gnutls_pkcs_encrypt_flags_t,
132
GNUTLS_PKCS_PLAIN,
133
GNUTLS_PKCS_NULL_PASSWORD */
134
#endif
129
135
130
136
/* GPGME */
131
137
#include <gpgme.h> /* All GPGME types, constants and
139
145
#define PATHDIR "/conf/conf.d/mandos"
140
146
#define SECKEY "seckey.txt"
141
147
#define PUBKEY "pubkey.txt"
148
#define TLS_PRIVKEY "tls-privkey.pem"
149
#define TLS_PUBKEY "tls-pubkey.pem"
142
150
#define HOOKDIR "/lib/mandos/network-hooks.d"
143
151
144
152
bool debug = false;
272
280
return true;
273
281
}
274
282
283
/* Set effective uid to 0, return errno */
284
__attribute__((warn_unused_result))
285
int raise_privileges(void){
286
int old_errno = errno;
287
int ret = 0;
288
if(seteuid(0) == -1){
289
ret = errno;
290
}
291
errno = old_errno;
292
return ret;
293
}
294
295
/* Set effective and real user ID to 0. Return errno. */
296
__attribute__((warn_unused_result))
297
int raise_privileges_permanently(void){
298
int old_errno = errno;
299
int ret = raise_privileges();
300
if(ret != 0){
301
errno = old_errno;
302
return ret;
303
}
304
if(setuid(0) == -1){
305
ret = errno;
306
}
307
errno = old_errno;
308
return ret;
309
}
310
311
/* Set effective user ID to unprivileged saved user ID */
312
__attribute__((warn_unused_result))
313
int lower_privileges(void){
314
int old_errno = errno;
315
int ret = 0;
316
if(seteuid(uid) == -1){
317
ret = errno;
318
}
319
errno = old_errno;
320
return ret;
321
}
322
323
/* Lower privileges permanently */
324
__attribute__((warn_unused_result))
325
int lower_privileges_permanently(void){
326
int old_errno = errno;
327
int ret = 0;
328
if(setuid(uid) == -1){
329
ret = errno;
330
}
331
errno = old_errno;
332
return ret;
333
}
334
275
335
/*
276
336
* Initialize GPGME.
277
337
*/
297
357
return false;
298
358
}
299
359
360
/* Workaround for systems without a real-time clock; see also
361
Debian bug #894495: <https://bugs.debian.org/894495> */
362
do {
363
{
364
time_t currtime = time(NULL);
365
if(currtime != (time_t)-1){
366
struct tm tm;
367
if(gmtime_r(&currtime, &tm) == NULL) {
368
perror_plus("gmtime_r");
369
break;
370
}
371
if(tm.tm_year != 70 or tm.tm_mon != 0){
372
break;
373
}
374
if(debug){
375
fprintf_plus(stderr, "System clock is January 1970");
376
}
377
} else {
378
if(debug){
379
fprintf_plus(stderr, "System clock is invalid");
380
}
381
}
382
}
383
struct stat keystat;
384
ret = fstat(fd, &keystat);
385
if(ret != 0){
386
perror_plus("fstat");
387
break;
388
}
389
ret = raise_privileges();
390
if(ret != 0){
391
errno = ret;
392
perror_plus("Failed to raise privileges");
393
break;
394
}
395
if(debug){
396
fprintf_plus(stderr,
397
"Setting system clock to key file mtime");
398
}
399
time_t keytime = keystat.st_mtim.tv_sec;
400
if(stime(&keytime) != 0){
401
perror_plus("stime");
402
}
403
ret = lower_privileges();
404
if(ret != 0){
405
errno = ret;
406
perror_plus("Failed to lower privileges");
407
}
408
} while(false);
409
300
410
rc = gpgme_data_new_from_fd(&pgp_data, fd);
301
411
if(rc != GPG_ERR_NO_ERROR){
302
412
fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
597
707
const char *dhparamsfilename,
598
708
mandos_context *mc){
599
709
int ret;
600
unsigned int uret;
601
710
602
711
if(debug){
603
712
fprintf_plus(stderr, "Initializing GnuTLS\n");
620
729
}
621
730
622
731
if(debug){
623
fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
624
" secret key %s as GnuTLS credentials\n",
732
fprintf_plus(stderr, "Attempting to use public key %s and"
733
" private key %s as GnuTLS credentials\n",
625
734
pubkeyfilename,
626
735
seckeyfilename);
627
736
}
628
737
738
#if GNUTLS_VERSION_NUMBER >= 0x030606
739
ret = gnutls_certificate_set_rawpk_key_file
740
(mc->cred, pubkeyfilename, seckeyfilename,
741
GNUTLS_X509_FMT_PEM, /* format */
742
NULL, /* pass */
743
/* key_usage */
744
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
745
NULL, /* names */
746
0, /* names_length */
747
/* privkey_flags */
748
GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,
749
0); /* pkcs11_flags */
750
#elif GNUTLS_VERSION_NUMBER < 0x030600
629
751
ret = gnutls_certificate_set_openpgp_key_file
630
752
(mc->cred, pubkeyfilename, seckeyfilename,
631
753
GNUTLS_OPENPGP_FMT_BASE64);
754
#else
755
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
756
#endif
632
757
if(ret != GNUTLS_E_SUCCESS){
633
758
fprintf_plus(stderr,
634
"Error[%d] while reading the OpenPGP key pair ('%s',"
759
"Error[%d] while reading the key pair ('%s',"
635
760
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
636
761
fprintf_plus(stderr, "The GnuTLS error is: %s\n",
637
762
safer_gnutls_strerror(ret));
708
833
}
709
834
if(dhparamsfilename == NULL){
710
835
if(mc->dh_bits == 0){
836
#if GNUTLS_VERSION_NUMBER < 0x030600
711
837
/* Find out the optimal number of DH bits */
712
838
/* Try to read the private key file */
713
839
gnutls_datum_t buffer = { .data = NULL, .size = 0 };
793
919
}
794
920
}
795
921
}
796
uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
922
unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
797
923
if(uret != 0){
798
924
mc->dh_bits = uret;
799
925
if(debug){
811
937
safer_gnutls_strerror(ret));
812
938
goto globalfail;
813
939
}
814
} else if(debug){
815
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
816
mc->dh_bits);
817
}
818
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
819
if(ret != GNUTLS_E_SUCCESS){
820
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
821
" bits): %s\n", mc->dh_bits,
822
safer_gnutls_strerror(ret));
823
goto globalfail;
940
#endif
941
} else { /* dh_bits != 0 */
942
if(debug){
943
fprintf_plus(stderr, "DH bits explicitly set to %u\n",
944
mc->dh_bits);
945
}
946
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
947
if(ret != GNUTLS_E_SUCCESS){
948
fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
949
" bits): %s\n", mc->dh_bits,
950
safer_gnutls_strerror(ret));
951
goto globalfail;
952
}
953
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
824
954
}
825
955
}
826
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
827
956
828
957
return 0;
829
958
840
969
int ret;
841
970
/* GnuTLS session creation */
842
971
do {
843
ret = gnutls_init(session, GNUTLS_SERVER);
972
ret = gnutls_init(session, (GNUTLS_SERVER
973
#if GNUTLS_VERSION_NUMBER >= 0x030506
974
| GNUTLS_NO_TICKETS
975
#endif
976
#if GNUTLS_VERSION_NUMBER >= 0x030606
977
| GNUTLS_ENABLE_RAWPK
978
#endif
979
));
844
980
if(quit_now){
845
981
return -1;
846
982
}
894
1030
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
895
1031
__attribute__((unused)) const char *txt){}
896
1032
897
/* Set effective uid to 0, return errno */
898
__attribute__((warn_unused_result))
899
int raise_privileges(void){
900
int old_errno = errno;
901
int ret = 0;
902
if(seteuid(0) == -1){
903
ret = errno;
904
}
905
errno = old_errno;
906
return ret;
907
}
908
909
/* Set effective and real user ID to 0. Return errno. */
910
__attribute__((warn_unused_result))
911
int raise_privileges_permanently(void){
912
int old_errno = errno;
913
int ret = raise_privileges();
914
if(ret != 0){
915
errno = old_errno;
916
return ret;
917
}
918
if(setuid(0) == -1){
919
ret = errno;
920
}
921
errno = old_errno;
922
return ret;
923
}
924
925
/* Set effective user ID to unprivileged saved user ID */
926
__attribute__((warn_unused_result))
927
int lower_privileges(void){
928
int old_errno = errno;
929
int ret = 0;
930
if(seteuid(uid) == -1){
931
ret = errno;
932
}
933
errno = old_errno;
934
return ret;
935
}
936
937
/* Lower privileges permanently */
938
__attribute__((warn_unused_result))
939
int lower_privileges_permanently(void){
940
int old_errno = errno;
941
int ret = 0;
942
if(setuid(uid) == -1){
943
ret = errno;
944
}
945
errno = old_errno;
946
return ret;
947
}
948
949
1033
/* Helper function to add_local_route() and delete_local_route() */
950
1034
__attribute__((nonnull, warn_unused_result))
951
1035
static bool add_delete_local_route(const bool add,
2377
2461
2378
2462
int main(int argc, char *argv[]){
2379
2463
mandos_context mc = { .server = NULL, .dh_bits = 0,
2464
#if GNUTLS_VERSION_NUMBER >= 0x030606
2465
.priority = "SECURE128:!CTYPE-X.509"
2466
":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"
2467
":%PROFILE_ULTRA",
2468
#elif GNUTLS_VERSION_NUMBER < 0x030600
2380
2469
.priority = "SECURE256:!CTYPE-X.509"
2381
2470
":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
2471
#else
2472
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
2473
#endif
2382
2474
.current_server = NULL, .interfaces = NULL,
2383
2475
.interfaces_size = 0 };
2384
2476
AvahiSServiceBrowser *sb = NULL;
2395
2487
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2396
2488
const char *seckey = PATHDIR "/" SECKEY;
2397
2489
const char *pubkey = PATHDIR "/" PUBKEY;
2490
#if GNUTLS_VERSION_NUMBER >= 0x030606
2491
const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;
2492
const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;
2493
#endif
2398
2494
const char *dh_params_file = NULL;
2399
2495
char *interfaces_hooks = NULL;
2400
2496
2448
2544
{ .name = "pubkey", .key = 'p',
2449
2545
.arg = "FILE",
2450
2546
.doc = "OpenPGP public key file base name",
2451
.group = 2 },
2547
.group = 1 },
2548
{ .name = "tls-privkey", .key = 't',
2549
.arg = "FILE",
2550
#if GNUTLS_VERSION_NUMBER >= 0x030606
2551
.doc = "TLS private key file base name",
2552
#else
2553
.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
2554
#endif
2555
.group = 1 },
2556
{ .name = "tls-pubkey", .key = 'T',
2557
.arg = "FILE",
2558
#if GNUTLS_VERSION_NUMBER >= 0x030606
2559
.doc = "TLS public key file base name",
2560
#else
2561
.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
2562
#endif
2563
.group = 1 },
2452
2564
{ .name = "dh-bits", .key = 129,
2453
2565
.arg = "BITS",
2454
2566
.doc = "Bit length of the prime number used in the"
2510
2622
case 'p': /* --pubkey */
2511
2623
pubkey = arg;
2512
2624
break;
2625
case 't': /* --tls-privkey */
2626
#if GNUTLS_VERSION_NUMBER >= 0x030606
2627
tls_privkey = arg;
2628
#endif
2629
break;
2630
case 'T': /* --tls-pubkey */
2631
#if GNUTLS_VERSION_NUMBER >= 0x030606
2632
tls_pubkey = arg;
2633
#endif
2634
break;
2513
2635
case 129: /* --dh-bits */
2514
2636
errno = 0;
2515
2637
tmpmax = strtoimax(arg, &tmp, 10);
2869
2991
goto end;
2870
2992
}
2871
2993
2994
#if GNUTLS_VERSION_NUMBER >= 0x030606
2995
ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);
2996
#elif GNUTLS_VERSION_NUMBER < 0x030600
2872
2997
ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
2998
#else
2999
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
3000
#endif
2873
3001
if(ret == -1){
2874
3002
fprintf_plus(stderr, "init_gnutls_global failed\n");
2875
3003
exitcode = EX_UNAVAILABLE;
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0