/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 03:50:20 UTC
  • Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu
http://bugs.debian.org/879538
http://bugs.debian.org/916673
Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

Show diffs side-by-side

added added

removed removed

Lines of Context:
plugins.d/mandos-client.c
123
123
                                   gnutls_*
124
124
                                   init_gnutls_session(),
125
125
                                   GNUTLS_* */
 
126
#if GNUTLS_VERSION_NUMBER < 0x030600
126
127
#include <gnutls/openpgp.h>
127
128
                         /* gnutls_certificate_set_openpgp_key_file(),
128
129
                            GNUTLS_OPENPGP_FMT_BASE64 */
 
130
#elif GNUTLS_VERSION_NUMBER >= 0x030606
 
131
#include <gnutls/x509.h>        /* gnutls_pkcs_encrypt_flags_t,
 
132
                                 GNUTLS_PKCS_PLAIN,
 
133
                                 GNUTLS_PKCS_NULL_PASSWORD */
 
134
#endif
129
135
 
130
136
/* GPGME */
131
137
#include <gpgme.h>              /* All GPGME types, constants and
139
145
#define PATHDIR "/conf/conf.d/mandos"
140
146
#define SECKEY "seckey.txt"
141
147
#define PUBKEY "pubkey.txt"
 
148
#define TLS_PRIVKEY "tls-privkey.pem"
 
149
#define TLS_PUBKEY "tls-pubkey.pem"
142
150
#define HOOKDIR "/lib/mandos/network-hooks.d"
143
151
 
144
152
bool debug = false;
699
707
                              const char *dhparamsfilename,
700
708
                              mandos_context *mc){
701
709
  int ret;
702
 
  unsigned int uret;
703
710
  
704
711
  if(debug){
705
712
    fprintf_plus(stderr, "Initializing GnuTLS\n");
722
729
  }
723
730
  
724
731
  if(debug){
725
 
    fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
726
 
                 " secret key %s as GnuTLS credentials\n",
 
732
    fprintf_plus(stderr, "Attempting to use public key %s and"
 
733
                 " private key %s as GnuTLS credentials\n",
727
734
                 pubkeyfilename,
728
735
                 seckeyfilename);
729
736
  }
730
737
  
 
738
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
739
  ret = gnutls_certificate_set_rawpk_key_file
 
740
    (mc->cred, pubkeyfilename, seckeyfilename,
 
741
     GNUTLS_X509_FMT_PEM,       /* format */
 
742
     NULL,                      /* pass */
 
743
     /* key_usage */
 
744
     GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 
745
     NULL,                      /* names */
 
746
     0,                         /* names_length */
 
747
     /* privkey_flags */
 
748
     GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,
 
749
     0);                        /* pkcs11_flags */
 
750
#elif GNUTLS_VERSION_NUMBER < 0x030600
731
751
  ret = gnutls_certificate_set_openpgp_key_file
732
752
    (mc->cred, pubkeyfilename, seckeyfilename,
733
753
     GNUTLS_OPENPGP_FMT_BASE64);
 
754
#else
 
755
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
 
756
#endif
734
757
  if(ret != GNUTLS_E_SUCCESS){
735
758
    fprintf_plus(stderr,
736
 
                 "Error[%d] while reading the OpenPGP key pair ('%s',"
 
759
                 "Error[%d] while reading the key pair ('%s',"
737
760
                 " '%s')\n", ret, pubkeyfilename, seckeyfilename);
738
761
    fprintf_plus(stderr, "The GnuTLS error is: %s\n",
739
762
                 safer_gnutls_strerror(ret));
810
833
  }
811
834
  if(dhparamsfilename == NULL){
812
835
    if(mc->dh_bits == 0){
 
836
#if GNUTLS_VERSION_NUMBER < 0x030600
813
837
      /* Find out the optimal number of DH bits */
814
838
      /* Try to read the private key file */
815
839
      gnutls_datum_t buffer = { .data = NULL, .size = 0 };
895
919
          }
896
920
        }
897
921
      }
898
 
      uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
 
922
      unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
899
923
      if(uret != 0){
900
924
        mc->dh_bits = uret;
901
925
        if(debug){
913
937
                     safer_gnutls_strerror(ret));
914
938
        goto globalfail;
915
939
      }
916
 
    } else if(debug){
917
 
      fprintf_plus(stderr, "DH bits explicitly set to %u\n",
918
 
                   mc->dh_bits);
919
 
    }
920
 
    ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
921
 
    if(ret != GNUTLS_E_SUCCESS){
922
 
      fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
923
 
                   " bits): %s\n", mc->dh_bits,
924
 
                   safer_gnutls_strerror(ret));
925
 
      goto globalfail;
 
940
#endif
 
941
    } else {                    /* dh_bits != 0 */
 
942
      if(debug){
 
943
        fprintf_plus(stderr, "DH bits explicitly set to %u\n",
 
944
                     mc->dh_bits);
 
945
      }
 
946
      ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
 
947
      if(ret != GNUTLS_E_SUCCESS){
 
948
        fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
 
949
                     " bits): %s\n", mc->dh_bits,
 
950
                     safer_gnutls_strerror(ret));
 
951
        goto globalfail;
 
952
      }
 
953
      gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
926
954
    }
927
955
  }
928
 
  gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
929
956
  
930
957
  return 0;
931
958
  
942
969
  int ret;
943
970
  /* GnuTLS session creation */
944
971
  do {
945
 
    ret = gnutls_init(session, GNUTLS_SERVER);
 
972
    ret = gnutls_init(session, (GNUTLS_SERVER
 
973
#if GNUTLS_VERSION_NUMBER >= 0x030506
 
974
                                | GNUTLS_NO_TICKETS
 
975
#endif
 
976
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
977
                                | GNUTLS_ENABLE_RAWPK
 
978
#endif
 
979
                                ));
946
980
    if(quit_now){
947
981
      return -1;
948
982
    }
2427
2461
 
2428
2462
int main(int argc, char *argv[]){
2429
2463
  mandos_context mc = { .server = NULL, .dh_bits = 0,
 
2464
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2465
                        .priority = "SECURE128:!CTYPE-X.509"
 
2466
                        ":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"
 
2467
                        ":%PROFILE_ULTRA",
 
2468
#elif GNUTLS_VERSION_NUMBER < 0x030600
2430
2469
                        .priority = "SECURE256:!CTYPE-X.509"
2431
2470
                        ":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
 
2471
#else
 
2472
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
 
2473
#endif
2432
2474
                        .current_server = NULL, .interfaces = NULL,
2433
2475
                        .interfaces_size = 0 };
2434
2476
  AvahiSServiceBrowser *sb = NULL;
2445
2487
  AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2446
2488
  const char *seckey = PATHDIR "/" SECKEY;
2447
2489
  const char *pubkey = PATHDIR "/" PUBKEY;
 
2490
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2491
  const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;
 
2492
  const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;
 
2493
#endif
2448
2494
  const char *dh_params_file = NULL;
2449
2495
  char *interfaces_hooks = NULL;
2450
2496
  
2498
2544
      { .name = "pubkey", .key = 'p',
2499
2545
        .arg = "FILE",
2500
2546
        .doc = "OpenPGP public key file base name",
2501
 
        .group = 2 },
 
2547
        .group = 1 },
 
2548
      { .name = "tls-privkey", .key = 't',
 
2549
        .arg = "FILE",
 
2550
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2551
        .doc = "TLS private key file base name",
 
2552
#else
 
2553
        .doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
 
2554
#endif
 
2555
        .group = 1 },
 
2556
      { .name = "tls-pubkey", .key = 'T',
 
2557
        .arg = "FILE",
 
2558
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2559
        .doc = "TLS public key file base name",
 
2560
#else
 
2561
        .doc = "Dummy; ignored (requires GnuTLS 3.6.6)",
 
2562
#endif
 
2563
        .group = 1 },
2502
2564
      { .name = "dh-bits", .key = 129,
2503
2565
        .arg = "BITS",
2504
2566
        .doc = "Bit length of the prime number used in the"
2560
2622
      case 'p':                 /* --pubkey */
2561
2623
        pubkey = arg;
2562
2624
        break;
 
2625
      case 't':                 /* --tls-privkey */
 
2626
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2627
        tls_privkey = arg;
 
2628
#endif
 
2629
        break;
 
2630
      case 'T':                 /* --tls-pubkey */
 
2631
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2632
        tls_pubkey = arg;
 
2633
#endif
 
2634
        break;
2563
2635
      case 129:                 /* --dh-bits */
2564
2636
        errno = 0;
2565
2637
        tmpmax = strtoimax(arg, &tmp, 10);
2919
2991
    goto end;
2920
2992
  }
2921
2993
  
 
2994
#if GNUTLS_VERSION_NUMBER >= 0x030606
 
2995
  ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);
 
2996
#elif GNUTLS_VERSION_NUMBER < 0x030600
2922
2997
  ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);
 
2998
#else
 
2999
#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"
 
3000
#endif
2923
3001
  if(ret == -1){
2924
3002
    fprintf_plus(stderr, "init_gnutls_global failed\n");
2925
3003
    exitcode = EX_UNAVAILABLE;