/mandos/trunk : revision 962

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2019-02-09 23:23:26 UTC
Revision ID: teddy@recompile.se-20190209232326-z1z2kzpgfixz7iaj

Add support for using raw public keys in TLS (RFC 7250)

Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and
no other library supports it, we have to change the protocol to use
something else.  We choose to use "raw public keys" (RFC 7250).  Since
we still use OpenPGP keys to decrypt the secret password, this means
that each client will have two keys: One OpenPGP key and one TLS
public/private key, and the key ID of the latter key is used to
identify clients instead of the fingerprint of the OpenPGP key.

Note that this code is still compatible with GnuTLS before version
3.6.0 (when OpenPGP key support was removed).  This commit merely adds
support for using raw pulic keys instead with GnuTLS 3.6.6. or later.

* DBUS-API (Signals/ClientNotFound): Change name of first parameter
                                     from "Fingerprint" to "KeyID".
  (Mandos Client Interface/Properties/KeyID): New.
* INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP
           key support) up until 3.6.6, when support for raw public
           keys was added.  Also document new dependency of client on
           "gnutls-bin" package (for certtool).
* Makefile (run-client): Depend on TLS key files, and also pass them
                         as arguments to client.
  (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New.
  (confdir/clients.conf): Add dependency on TLS public key.
  (purge-client): Add removal of TLS key files.
* clients.conf ([foo]/key_id, [bar]/key_id): New.
* debian/control (Source: mandos/Build-Depends): Also allow
                                                 libgnutls30 (>= 3.6.6)
  (Package: mandos/Depends): - '' -
  (Package: mandos/Description): Alter description to match new
                                 design.
  (Package: mandos-client/Description): - '' -
  (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to
                                    here from "Recommends".
* debian/mandos-client.README.Debian: Add --tls-privkey and
                                      --tls-pubkey options to test
                                      command.
* debian/mandos-client.postinst (create_key): Renamed to "create_keys"
                                             (all callers changed),
                                             and also create TLS key.
* debian/mandos-client.postrm (purge): Also remove TLS key files.
* intro.xml (DESCRIPTION): Describe new dual-key design.
* mandos (GnuTLS): Define different functions depending on whether
                   support for raw public keys is detected.
  (Client.key_id): New attribute.
  (ClientDBus.KeyID_dbus_property): New method.
  (ProxyClient.__init__): Take new "key_id" parameter.
  (ClientHandler.handle): Use key IDs when using raw public keys and
                          use fingerprints when using OpenPGP keys.
  (ClientHandler.peer_certificate): Also handle raw public keys.
  (ClientHandler.key_id): New.
  (MandosServer.handle_ipc): Pass key ID over the pipe IPC.  Also
                             check for key ID matches when looking up
                             clients.
  (main): Default GnuTLS priority string depends on whether we are
          using raw public keys or not.  When unpickling clients, set
          key_id if not set in the pickle.
  (main/MandosDBusService.ClientNotFound): Change name of first
                                           parameter from
                                           "Fingerprint" to "KeyID".
* mandos-clients.conf.xml (OPTIONS): Document new "key_id" option.
  (OPTIONS/secret): Mention new key ID matchning.
  (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option.
  (EXAMPLE): - '' -
* mandos-ctl (tablewords, main/keywords): Add new "KeyID" property.
* mandos-keygen: Create TLS key files.  New "--tls-keytype" (-T)
                 option.  Alter help text to be more clear about key
                 types.  When in password mode, also output "key_id"
                 option.
* mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option.
  (DESCRIPTION): Alter to match new dual-key design.
  (OVERVIEW): - '' -
  (FILES): Add TLS key files.
* mandos-options.xml (priority): Document new default priority string
                                 when using raw public keys.
* mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID.
  (BUGS): Remove issue about checking expire times of OpenPGP keys,
          since TLS public keys do not have expiration times.
  (SECURITY/CLIENT): Alter description to match new design.
  (SEE ALSO/GnuTLS): - '' -
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.
* overview.xml: Alter text to match new design.
* plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey
                               options to mandos-client options.
* plugins.d/mandos-client.c: Use raw public keys when compiling with
                             supporting GnuTLS versions. Add new
                             "--tls-pubkey" and "--tls-privkey"
                             options (which do nothing if GnuTLS
                             library does not support raw public
                             keys).  Alter text throughout to reflect
                             new design.  Only generate new DH
                             parameters (based on size of OpenPGP key)
                             when using OpenPGP in TLS.  Default
                             GnuTLS priority string depends on whether
                             we are using raw public keys or not.
* plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t)
                                          and "--tls-pubkey" (-T)
                                          options.
  (DESCRIPTION): Describe new dual-key design.
  (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T)
             options.
  (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key
                       size.
  (FILES): Add default locations for TLS public and private key files.
  (EXAMPLE): Use new --tls-pubkey and --tls-privkey options.
  (SECURITY): Alter wording slightly to reflect new dual-key design.
  (SEE ALSO/GnuTLS): Alter description to match new design.
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.

files added:
initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files removed:
initramfs-tools-hook-conf

files modified:
DBUS-API

INSTALL

Makefile

NEWS

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

* "browse_callback", and parts of "main".

* Everything else is

* This file is part of Mandos.

123

gnutls_*

124

init_gnutls_session(),

125

GNUTLS_* */

126

#if GNUTLS_VERSION_NUMBER < 0x030600

126

127

#include <gnutls/openpgp.h>

127

128

/* gnutls_certificate_set_openpgp_key_file(),

128

129

GNUTLS_OPENPGP_FMT_BASE64 */

130

#elif GNUTLS_VERSION_NUMBER >= 0x030606

131

#include <gnutls/x509.h> /* gnutls_pkcs_encrypt_flags_t,

132

GNUTLS_PKCS_PLAIN,

133

GNUTLS_PKCS_NULL_PASSWORD */

134

#endif

129

135

130

136

/* GPGME */

131

137

#include <gpgme.h> /* All GPGME types, constants and

139

145

#define PATHDIR "/conf/conf.d/mandos"

140

146

#define SECKEY "seckey.txt"

141

147

#define PUBKEY "pubkey.txt"

148

#define TLS_PRIVKEY "tls-privkey.pem"

149

#define TLS_PUBKEY "tls-pubkey.pem"

142

150

#define HOOKDIR "/lib/mandos/network-hooks.d"

143

151

144

152

bool debug = false;

272

280

return true;

273

281

}

274

282

283

/* Set effective uid to 0, return errno */

284

__attribute__((warn_unused_result))

285

int raise_privileges(void){

286

int old_errno = errno;

287

int ret = 0;

288

if(seteuid(0) == -1){

289

ret = errno;

290

}

291

errno = old_errno;

292

return ret;

293

}

294

295

/* Set effective and real user ID to 0. Return errno. */

296

__attribute__((warn_unused_result))

297

int raise_privileges_permanently(void){

298

int old_errno = errno;

299

int ret = raise_privileges();

300

if(ret != 0){

301

errno = old_errno;

302

return ret;

303

}

304

if(setuid(0) == -1){

305

ret = errno;

306

}

307

errno = old_errno;

308

return ret;

309

}

310

311

/* Set effective user ID to unprivileged saved user ID */

312

__attribute__((warn_unused_result))

313

int lower_privileges(void){

314

int old_errno = errno;

315

int ret = 0;

316

if(seteuid(uid) == -1){

317

ret = errno;

318

}

319

errno = old_errno;

320

return ret;

321

}

322

323

/* Lower privileges permanently */

324

__attribute__((warn_unused_result))

325

int lower_privileges_permanently(void){

326

int old_errno = errno;

327

int ret = 0;

328

if(setuid(uid) == -1){

329

ret = errno;

330

}

331

errno = old_errno;

332

return ret;

333

}

334

275

335

276

336

* Initialize GPGME.

277

337

297

357

return false;

298

358

}

299

359

360

/* Workaround for systems without a real-time clock; see also

361

Debian bug #894495: <https://bugs.debian.org/894495> */

362

do {

363

{

364

time_t currtime = time(NULL);

365

if(currtime != (time_t)-1){

366

struct tm tm;

367

if(gmtime_r(&currtime, &tm) == NULL) {

368

perror_plus("gmtime_r");

369

break;

370

}

371

if(tm.tm_year != 70 or tm.tm_mon != 0){

372

break;

373

}

374

if(debug){

375

fprintf_plus(stderr, "System clock is January 1970");

376

}

377

} else {

378

if(debug){

379

fprintf_plus(stderr, "System clock is invalid");

380

}

381

}

382

}

383

struct stat keystat;

384

ret = fstat(fd, &keystat);

385

if(ret != 0){

386

perror_plus("fstat");

387

break;

388

}

389

ret = raise_privileges();

390

if(ret != 0){

391

errno = ret;

392

perror_plus("Failed to raise privileges");

393

break;

394

}

395

if(debug){

396

fprintf_plus(stderr,

397

"Setting system clock to key file mtime");

398

}

399

time_t keytime = keystat.st_mtim.tv_sec;

400

if(stime(&keytime) != 0){

401

perror_plus("stime");

402

}

403

ret = lower_privileges();

404

if(ret != 0){

405

errno = ret;

406

perror_plus("Failed to lower privileges");

407

}

408

} while(false);

409

300

410

rc = gpgme_data_new_from_fd(&pgp_data, fd);

301

411

if(rc != GPG_ERR_NO_ERROR){

302

412

fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

310

420

gpgme_strsource(rc), gpgme_strerror(rc));

311

421

return false;

312

422

}

423

{

424

gpgme_import_result_t import_result

425

= gpgme_op_import_result(mc->ctx);

426

if((import_result->imported < 1

427

or import_result->not_imported > 0)

428

and import_result->unchanged == 0){

429

fprintf_plus(stderr, "bad gpgme_op_import_results:\n");

430

fprintf_plus(stderr,

431

"The total number of considered keys: %d\n",

432

import_result->considered);

433

fprintf_plus(stderr,

434

"The number of keys without user ID: %d\n",

435

import_result->no_user_id);

436

fprintf_plus(stderr,

437

"The total number of imported keys: %d\n",

438

import_result->imported);

439

fprintf_plus(stderr, "The number of imported RSA keys: %d\n",

440

import_result->imported_rsa);

441

fprintf_plus(stderr, "The number of unchanged keys: %d\n",

442

import_result->unchanged);

443

fprintf_plus(stderr, "The number of new user IDs: %d\n",

444

import_result->new_user_ids);

445

fprintf_plus(stderr, "The number of new sub keys: %d\n",

446

import_result->new_sub_keys);

447

fprintf_plus(stderr, "The number of new signatures: %d\n",

448

import_result->new_signatures);

449

fprintf_plus(stderr, "The number of new revocations: %d\n",

450

import_result->new_revocations);

451

fprintf_plus(stderr,

452

"The total number of secret keys read: %d\n",

453

import_result->secret_read);

454

fprintf_plus(stderr,

455

"The number of imported secret keys: %d\n",

456

import_result->secret_imported);

457

fprintf_plus(stderr,

458

"The number of unchanged secret keys: %d\n",

459

import_result->secret_unchanged);

460

fprintf_plus(stderr, "The number of keys not imported: %d\n",

461

import_result->not_imported);

462

for(gpgme_import_status_t import_status

463

= import_result->imports;

464

import_status != NULL;

465

import_status = import_status->next){

466

fprintf_plus(stderr, "Import status for key: %s\n",

467

import_status->fpr);

468

if(import_status->result != GPG_ERR_NO_ERROR){

469

fprintf_plus(stderr, "Import result: %s: %s\n",

470

gpgme_strsource(import_status->result),

471

gpgme_strerror(import_status->result));

472

}

473

fprintf_plus(stderr, "Key status:\n");

474

fprintf_plus(stderr,

475

import_status->status & GPGME_IMPORT_NEW

476

? "The key was new.\n"

477

: "The key was not new.\n");

478

fprintf_plus(stderr,

479

import_status->status & GPGME_IMPORT_UID

480

? "The key contained new user IDs.\n"

481

: "The key did not contain new user IDs.\n");

482

fprintf_plus(stderr,

483

import_status->status & GPGME_IMPORT_SIG

484

? "The key contained new signatures.\n"

485

: "The key did not contain new signatures.\n");

486

fprintf_plus(stderr,

487

import_status->status & GPGME_IMPORT_SUBKEY

488

? "The key contained new sub keys.\n"

489

: "The key did not contain new sub keys.\n");

490

fprintf_plus(stderr,

491

import_status->status & GPGME_IMPORT_SECRET

492

? "The key contained a secret key.\n"

493

: "The key did not contain a secret key.\n");

494

}

495

return false;

496

}

497

}

313

498

314

499

ret = close(fd);

315

500

if(ret == -1){

356

541

/* Create new GPGME "context" */

357

542

rc = gpgme_new(&(mc->ctx));

358

543

if(rc != GPG_ERR_NO_ERROR){

359

fprintf_plus(stderr, "Mandos plugin mandos-client: "

360

"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),

361

gpgme_strerror(rc));

544

fprintf_plus(stderr, "bad gpgme_new: %s: %s\n",

545

gpgme_strsource(rc), gpgme_strerror(rc));

362

546

return false;

363

547

}

364

548

400

584

/* Create new empty GPGME data buffer for the plaintext */

401

585

rc = gpgme_data_new(&dh_plain);

402

586

if(rc != GPG_ERR_NO_ERROR){

403

fprintf_plus(stderr, "Mandos plugin mandos-client: "

404

"bad gpgme_data_new: %s: %s\n",

587

fprintf_plus(stderr, "bad gpgme_data_new: %s: %s\n",

405

588

gpgme_strsource(rc), gpgme_strerror(rc));

406

589

gpgme_data_release(dh_crypto);

407

590

return -1;

420

603

if(result == NULL){

421

604

fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");

422

605

} else {

423

fprintf_plus(stderr, "Unsupported algorithm: %s\n",

424

result->unsupported_algorithm);

425

fprintf_plus(stderr, "Wrong key usage: %u\n",

426

result->wrong_key_usage);

606

if(result->unsupported_algorithm != NULL) {

607

fprintf_plus(stderr, "Unsupported algorithm: %s\n",

608

result->unsupported_algorithm);

609

}

610

fprintf_plus(stderr, "Wrong key usage: %s\n",

611

result->wrong_key_usage ? "Yes" : "No");

427

612

if(result->file_name != NULL){

428

613

fprintf_plus(stderr, "File name: %s\n", result->file_name);

429

614

}

430

gpgme_recipient_t recipient;

431

recipient = result->recipients;

432

while(recipient != NULL){

615

616

for(gpgme_recipient_t r = result->recipients; r != NULL;

617

r = r->next){

433

618

fprintf_plus(stderr, "Public key algorithm: %s\n",

434

gpgme_pubkey_algo_name

435

(recipient->pubkey_algo));

436

fprintf_plus(stderr, "Key ID: %s\n", recipient->keyid);

619

gpgme_pubkey_algo_name(r->pubkey_algo));

620

fprintf_plus(stderr, "Key ID: %s\n", r->keyid);

437

621

fprintf_plus(stderr, "Secret key available: %s\n",

438

recipient->status == GPG_ERR_NO_SECKEY

439

? "No" : "Yes");

440

recipient = recipient->next;

622

r->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");

441

623

}

442

624

}

443

625

}

525

707

const char *dhparamsfilename,

526

708

mandos_context *mc){

527

709

int ret;

528

unsigned int uret;

529

710

530

711

if(debug){

531

712

fprintf_plus(stderr, "Initializing GnuTLS\n");

548

729

}

549

730

550

731

if(debug){

551

fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"

552

" secret key %s as GnuTLS credentials\n",

732

fprintf_plus(stderr, "Attempting to use public key %s and"

733

" private key %s as GnuTLS credentials\n",

553

734

pubkeyfilename,

554

735

seckeyfilename);

555

736

}

556

737

738

#if GNUTLS_VERSION_NUMBER >= 0x030606

739

ret = gnutls_certificate_set_rawpk_key_file

740

(mc->cred, pubkeyfilename, seckeyfilename,

741

GNUTLS_X509_FMT_PEM, /* format */

742

NULL, /* pass */

743

/* key_usage */

744

GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,

745

NULL, /* names */

746

0, /* names_length */

747

/* privkey_flags */

748

GNUTLS_PKCS_PLAIN | GNUTLS_PKCS_NULL_PASSWORD,

749

0); /* pkcs11_flags */

750

#elif GNUTLS_VERSION_NUMBER < 0x030600

557

751

ret = gnutls_certificate_set_openpgp_key_file

558

752

(mc->cred, pubkeyfilename, seckeyfilename,

559

753

GNUTLS_OPENPGP_FMT_BASE64);

754

#else

755

#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"

756

#endif

560

757

if(ret != GNUTLS_E_SUCCESS){

561

758

fprintf_plus(stderr,

562

"Error[%d] while reading the OpenPGP key pair ('%s',"

759

"Error[%d] while reading the key pair ('%s',"

563

760

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

564

761

fprintf_plus(stderr, "The GnuTLS error is: %s\n",

565

762

safer_gnutls_strerror(ret));

613

810

}

614

811

params.size += (unsigned int)bytes_read;

615

812

}

813

ret = close(dhpfile);

814

if(ret == -1){

815

perror_plus("close");

816

}

616

817

if(params.data == NULL){

617

818

dhparamsfilename = NULL;

618

819

}

632

833

}

633

834

if(dhparamsfilename == NULL){

634

835

if(mc->dh_bits == 0){

836

#if GNUTLS_VERSION_NUMBER < 0x030600

635

837

/* Find out the optimal number of DH bits */

636

838

/* Try to read the private key file */

637

839

gnutls_datum_t buffer = { .data = NULL, .size = 0 };

717

919

}

718

920

}

719

921

}

720

uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

922

unsigned int uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);

721

923

if(uret != 0){

722

924

mc->dh_bits = uret;

723

925

if(debug){

735

937

safer_gnutls_strerror(ret));

736

938

goto globalfail;

737

939

}

738

} else if(debug){

739

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

740

mc->dh_bits);

741

}

742

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

743

if(ret != GNUTLS_E_SUCCESS){

744

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"

745

" bits): %s\n", mc->dh_bits,

746

safer_gnutls_strerror(ret));

747

goto globalfail;

940

#endif

941

} else { /* dh_bits != 0 */

942

if(debug){

943

fprintf_plus(stderr, "DH bits explicitly set to %u\n",

944

mc->dh_bits);

945

}

946

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

947

if(ret != GNUTLS_E_SUCCESS){

948

fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"

949

" bits): %s\n", mc->dh_bits,

950

safer_gnutls_strerror(ret));

951

goto globalfail;

952

}

953

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

748

954

}

749

955

}

750

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

751

956

752

957

return 0;

753

958

764

969

int ret;

765

970

/* GnuTLS session creation */

766

971

do {

767

ret = gnutls_init(session, GNUTLS_SERVER);

972

ret = gnutls_init(session, (GNUTLS_SERVER

973

#if GNUTLS_VERSION_NUMBER >= 0x030506

974

| GNUTLS_NO_TICKETS

975

#endif

976

#if GNUTLS_VERSION_NUMBER >= 0x030606

977

| GNUTLS_ENABLE_RAWPK

978

#endif

979

));

768

980

if(quit_now){

769

981

return -1;

770

982

}

818

1030

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

819

1031

__attribute__((unused)) const char *txt){}

820

1032

821

/* Set effective uid to 0, return errno */

822

__attribute__((warn_unused_result))

823

int raise_privileges(void){

824

int old_errno = errno;

825

int ret = 0;

826

if(seteuid(0) == -1){

827

ret = errno;

828

}

829

errno = old_errno;

830

return ret;

831

}

832

833

/* Set effective and real user ID to 0. Return errno. */

834

__attribute__((warn_unused_result))

835

int raise_privileges_permanently(void){

836

int old_errno = errno;

837

int ret = raise_privileges();

838

if(ret != 0){

839

errno = old_errno;

840

return ret;

841

}

842

if(setuid(0) == -1){

843

ret = errno;

844

}

845

errno = old_errno;

846

return ret;

847

}

848

849

/* Set effective user ID to unprivileged saved user ID */

850

__attribute__((warn_unused_result))

851

int lower_privileges(void){

852

int old_errno = errno;

853

int ret = 0;

854

if(seteuid(uid) == -1){

855

ret = errno;

856

}

857

errno = old_errno;

858

return ret;

859

}

860

861

/* Lower privileges permanently */

862

__attribute__((warn_unused_result))

863

int lower_privileges_permanently(void){

864

int old_errno = errno;

865

int ret = 0;

866

if(setuid(uid) == -1){

867

ret = errno;

868

}

869

errno = old_errno;

870

return ret;

871

}

872

873

1033

/* Helper function to add_local_route() and delete_local_route() */

874

1034

__attribute__((nonnull, warn_unused_result))

875

1035

static bool add_delete_local_route(const bool add,

1655

1815

perror_plus("ioctl SIOCGIFFLAGS");

1656

1816

errno = old_errno;

1657

1817

}

1818

if((close(s) == -1) and debug){

1819

old_errno = errno;

1820

perror_plus("close");

1821

errno = old_errno;

1822

}

1658

1823

return false;

1659

1824

}

1825

if((close(s) == -1) and debug){

1826

old_errno = errno;

1827

perror_plus("close");

1828

errno = old_errno;

1829

}

1660

1830

return true;

1661

1831

}

1662

1832

1923

2093

return;

1924

2094

}

1925

2095

}

2096

int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));

2097

if(devnull == -1){

2098

perror_plus("open(\"/dev/null\", O_RDONLY)");

2099

return;

2100

}

1926

2101

int numhooks = scandirat(hookdir_fd, ".", &direntries,

1927

2102

runnable_hook, alphasort);

1928

2103

if(numhooks == -1){

1929

2104

perror_plus("scandir");

2105

close(devnull);

1930

2106

return;

1931

2107

}

1932

2108

struct dirent *direntry;

1933

2109

int ret;

1934

int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));

1935

if(devnull == -1){

1936

perror_plus("open(\"/dev/null\", O_RDONLY)");

1937

return;

1938

}

1939

2110

for(int i = 0; i < numhooks; i++){

1940

2111

direntry = direntries[i];

1941

2112

if(debug){

2290

2461

2291

2462

int main(int argc, char *argv[]){

2292

2463

mandos_context mc = { .server = NULL, .dh_bits = 0,

2464

#if GNUTLS_VERSION_NUMBER >= 0x030606

2465

.priority = "SECURE128:!CTYPE-X.509"

2466

":+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3"

2467

":%PROFILE_ULTRA",

2468

#elif GNUTLS_VERSION_NUMBER < 0x030600

2293

2469

.priority = "SECURE256:!CTYPE-X.509"

2294

2470

":+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",

2471

#else

2472

#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"

2473

#endif

2295

2474

.current_server = NULL, .interfaces = NULL,

2296

2475

.interfaces_size = 0 };

2297

2476

AvahiSServiceBrowser *sb = NULL;

2308

2487

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

2309

2488

const char *seckey = PATHDIR "/" SECKEY;

2310

2489

const char *pubkey = PATHDIR "/" PUBKEY;

2490

#if GNUTLS_VERSION_NUMBER >= 0x030606

2491

const char *tls_privkey = PATHDIR "/" TLS_PRIVKEY;

2492

const char *tls_pubkey = PATHDIR "/" TLS_PUBKEY;

2493

#endif

2311

2494

const char *dh_params_file = NULL;

2312

2495

char *interfaces_hooks = NULL;

2313

2496

2361

2544

{ .name = "pubkey", .key = 'p',

2362

2545

.arg = "FILE",

2363

2546

.doc = "OpenPGP public key file base name",

2364

.group = 2 },

2547

.group = 1 },

2548

{ .name = "tls-privkey", .key = 't',

2549

.arg = "FILE",

2550

#if GNUTLS_VERSION_NUMBER >= 0x030606

2551

.doc = "TLS private key file base name",

2552

#else

2553

.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",

2554

#endif

2555

.group = 1 },

2556

{ .name = "tls-pubkey", .key = 'T',

2557

.arg = "FILE",

2558

#if GNUTLS_VERSION_NUMBER >= 0x030606

2559

.doc = "TLS public key file base name",

2560

#else

2561

.doc = "Dummy; ignored (requires GnuTLS 3.6.6)",

2562

#endif

2563

.group = 1 },

2365

2564

{ .name = "dh-bits", .key = 129,

2366

2565

.arg = "BITS",

2367

2566

.doc = "Bit length of the prime number used in the"

2423

2622

case 'p': /* --pubkey */

2424

2623

pubkey = arg;

2425

2624

break;

2625

case 't': /* --tls-privkey */

2626

#if GNUTLS_VERSION_NUMBER >= 0x030606

2627

tls_privkey = arg;

2628

#endif

2629

break;

2630

case 'T': /* --tls-pubkey */

2631

#if GNUTLS_VERSION_NUMBER >= 0x030606

2632

tls_pubkey = arg;

2633

#endif

2634

break;

2426

2635

case 129: /* --dh-bits */

2427

2636

errno = 0;

2428

2637

tmpmax = strtoimax(arg, &tmp, 10);

2782

2991

goto end;

2783

2992

}

2784

2993

2994

#if GNUTLS_VERSION_NUMBER >= 0x030606

2995

ret = init_gnutls_global(tls_pubkey, tls_privkey, dh_params_file, &mc);

2996

#elif GNUTLS_VERSION_NUMBER < 0x030600

2785

2997

ret = init_gnutls_global(pubkey, seckey, dh_params_file, &mc);

2998

#else

2999

#error "Needs GnuTLS 3.6.6 or later, or before 3.6.0"

3000

#endif

2786

3001

if(ret == -1){

2787

3002

fprintf_plus(stderr, "init_gnutls_global failed\n");

2788

3003

exitcode = EX_UNAVAILABLE;

3061

3276

| O_PATH));

3062

3277

if(dir_fd == -1){

3063

3278

perror_plus("open");

3279

return;

3064

3280

}

3065

3281

int numentries = scandirat(dir_fd, ".", &direntries,

3066

3282

notdotentries, alphasort);

3083

3299

clean_dir_at(dir_fd, direntries[i]->d_name, level+1);

3084

3300

dret = 0;

3085

3301

}

3086

if(dret == -1){

3302

if((dret == -1) and (errno != ENOENT)){

3087

3303

fprintf_plus(stderr, "unlink(\"%s/%s\"): %s\n", dirname,

3088

3304

direntries[i]->d_name, strerror(errno));

3089

3305

}

3093

3309

3094

3310

/* need to clean even if 0 because man page doesn't specify */

3095

3311

free(direntries);

3096

if(numentries == -1){

3097

perror_plus("scandirat");

3098

}

3099

3312

dret = unlinkat(base, dirname, AT_REMOVEDIR);

3100

3313

if(dret == -1 and errno != ENOENT){

3101

3314

perror_plus("rmdir");

Older »