Mandos-client fails decode

Teddy Hogeborn teddy at recompile.se
Sat Mar 5 23:59:59 CET 2016


Dick Middleton <dick at lingbrae.com> writes:

> On 03/04/16 23:17, Teddy Hogeborn wrote:
> 
> > > > > I'm now using mandos-client 1.7.3 on a Stretch system.
> > > > > 
> > > > > If I test mandos-client fetching passcode it is successful.
> > > > > However at boot time it consistently fails to unlock the disk.
> > > > > It reports:
> > > > > 
> > > > > bad gpme_op_decode: GPME decryption failed
> > > > 
> > > Where is the default location for the file?  Installer puts it in
> > > /etc/keys/mandos/dhparams.pem ?
> > > 
> > > It's got 600 permissions and owned by root.
> 
> > Yes.  It's not actually used from there; it's copied into the
> > initramfs and used from there at boot, just like the key files.
> 
> I looked at an initramfs image and the dhparams file is included.  It
> suggests to me that mandos-client is not picking up the dhparams file
> correctly.

Hmm, is the plugin-runner passing the --dh-params option to
mandos-client?  You could add a "--debug" option to
/etc/mandos/plugin-runner.conf to find out.  (I mean the bare "--debug"
option, not "--options-for=mandos-client:--debug".)

> all the mandos content is in <initramfs>/conf/conf.d/mandos

All as it should be.

> > > But, on my desktop (amd64) it segfaults when dh-params option given:
> > >
> > > Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/S.gpg-agent"
> > > Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/private-keys-v1.d"
> > > Mandos plugin mandos-client: Unlinking "private-keys-v1.d/13DBD26E0DC10CE96543319E414937C7EEC55184.key"
> > > Mandos plugin mandos-client: Unlinking "private-keys-v1.d/CBCE568BDECE4A0147CA114196184F834909A49E.key"
> > > Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/pubring.kbx"
> > > Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/pubring.kbx~"
> > > Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/trustdb.gpg"
> > > Floating point exception
> > 
> > That is very strange.
> 
> Today it reports just "Segmentation fault" at the same point.  If I
> run it without debug it reports "illegal instruction".  I look forward
> to tomorrow's variation :)

Ack.  That sounds weird.  Maybe you could try to recompile without some
of the more exotic C compiler flags?  Maybe compile with debugging
information (uncomment the DEBUG setting in the Makefile), and run it
under a debugger?

> I've been playing about with initramfs trying to find anything not
> working.  This is a bit of a long shot but if I chroot into the
> initramfs file system and try to run plugin-runner I get the
> following:
> 
> Mandos plugin mandos-client: Initializing GnuTLS
> Mandos plugin mandos-client: Attempting to use OpenPGP public key /conf/conf.d/mandos/pubkey.txt and secret key /conf/conf.d/mandos/seckey.txt as GnuTLS credentials
> 
> I get the same if I run mandos-client directly:
> 
> Mandos plugin mandos-client: Error[-64] while reading the OpenPGP key pair
> ('./pubkey.txt', './seckey.txt')
> Mandos plugin mandos-client: The GnuTLS error is: Error while reading file.
> Mandos plugin mandos-client: init_gnutls_global failed

What options are you passing to mandos-client when running it manually
in a chrooted initramfs?  Any --pubkey or --seckey options should not be
necessary.

> N.B. /proc, /sys and /dev exist in the chroot and I've added debug and
> interface to plugin-runner.conf.
> 
> It can find plugin-runner and plugin-runner.conf but croaks on the
> keyfiles.  Both keyfiles exist and are accessible.
> 
> These all work if I'm not chrooted, which suggests there's something
> missing from initramfs.  What is gnu/pgp using to access these files?

GnuPG is not involved in reading the key files, it is read by the GnuTLS
library directly by giving it a pair of file names.  The file names
"./pubkey.txt" and "./seckey.txt" look wrong; it should be using the
default values of "/conf/conf.d/mandos/pubkey.txt" and
"/conf/conf.d/mandos/seckey.txt", respectively; this is also where you
said that the key files were located, so this should work.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos