/mandos/release : revision 237.7.349

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

Committer: Teddy Hogeborn
Date: 2016-02-28 03:01:43 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 331.
Revision ID: teddy@recompile.se-20160228030143-i6w90r7wzkvlx9kq

Stop using python-gnutls.  Use GnuTLS 3.3 or later directly.

* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
          Python-GnuTLS.

* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
                                                 "libgnutls28-dev" and
                                                 "gnutls-dev".
  (Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
  (Package: mandos/Depends): Remove "python-gnutls" and
                             "python2.7-gnutls", add "libgnutls28-dev
                             (>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
  (GnuTLS, gnutls): New; simulate a "gnutls" module.  Change all
                    callers to match new shorter names.

files modified:
INSTALL

debian/control

mandos

Show diffs side-by-side

added added

removed removed

mandos

import argparse

import datetime

import errno

import gnutls.connection

import gnutls.errors

import gnutls.library.functions

import gnutls.library.constants

import gnutls.library.types

try:

import ConfigParser as configparser

except ImportError:

434

429

.format(self.name)))

435

430

return ret

436

431

432

# Pretend that we have a GnuTLS module

433

class GnuTLS(object):

434

"""This isn't so much a class as it is a module-like namespace.

435

It is instantiated once, and simulates having a GnuTLS module."""

436

437

_library = ctypes.cdll.LoadLibrary(

438

ctypes.util.find_library("gnutls"))

439

_need_version = "3.3.0"

440

def __init__(self):

441

# Need to use class name "GnuTLS" here, since this method is

442

# called before the assignment to the "gnutls" global variable

443

# happens.

444

if GnuTLS.check_version(self._need_version) is None:

445

raise GnuTLS.Error("Needs GnuTLS {} or later"

446

.format(self._need_version))

447

448

# Unless otherwise indicated, the constants and types below are

449

# all from the gnutls/gnutls.h C header file.

450

451

# Constants

452

E_SUCCESS = 0

453

CRT_OPENPGP = 2

454

CLIENT = 2

455

SHUT_RDWR = 0

456

CRD_CERTIFICATE = 1

457

E_NO_CERTIFICATE_FOUND = -49

458

OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h

459

460

# Types

461

class session_int(ctypes.Structure):

462

_fields_ = []

463

session_t = ctypes.POINTER(session_int)

464

class certificate_credentials_st(ctypes.Structure):

465

_fields_ = []

466

certificate_credentials_t = ctypes.POINTER(

467

certificate_credentials_st)

468

certificate_type_t = ctypes.c_int

469

class datum_t(ctypes.Structure):

470

_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),

471

('size', ctypes.c_uint)]

472

class openpgp_crt_int(ctypes.Structure):

473

_fields_ = []

474

openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)

475

openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h

476

log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)

477

credentials_type_t = ctypes.c_int #

478

transport_ptr_t = ctypes.c_void_p

479

close_request_t = ctypes.c_int

480

481

# Exceptions

482

class Error(Exception):

483

# We need to use the class name "GnuTLS" here, since this

484

# exception might be raised from within GnuTLS.__init__,

485

# which is called before the assignment to the "gnutls"

486

# global variable happens.

487

def __init__(self, message = None, code = None, args=()):

488

# Default usage is by a message string, but if a return

489

# code is passed, convert it to a string with

490

# gnutls.strerror()

491

if message is None and code is not None:

492

message = GnuTLS.strerror(code)

493

return super(GnuTLS.Error, self).__init__(

494

message, *args)

495

496

class CertificateSecurityError(Error):

497

pass

498

499

# Classes

500

class Credentials(object):

501

def __init__(self):

502

self._c_object = gnutls.certificate_credentials_t()

503

gnutls.certificate_allocate_credentials(

504

ctypes.byref(self._c_object))

505

self.type = gnutls.CRD_CERTIFICATE

506

507

def __del__(self):

508

gnutls.certificate_free_credentials(self._c_object)

509

510

class ClientSession(object):

511

def __init__(self, socket, credentials = None):

512

self._c_object = gnutls.session_t()

513

gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)

514

gnutls.set_default_priority(self._c_object)

515

gnutls.transport_set_ptr(self._c_object, socket.fileno())

516

gnutls.handshake_set_private_extensions(self._c_object,

517

True)

518

self.socket = socket

519

if credentials is None:

520

credentials = gnutls.Credentials()

521

gnutls.credentials_set(self._c_object, credentials.type,

522

ctypes.cast(credentials._c_object,

523

ctypes.c_void_p))

524

self.credentials = credentials

525

526

def __del__(self):

527

gnutls.deinit(self._c_object)

528

529

def handshake(self):

530

return gnutls.handshake(self._c_object)

531

532

def send(self, data):

533

data = bytes(data)

534

if not data:

535

return 0

536

return gnutls.record_send(self._c_object, data, len(data))

537

538

def bye(self):

539

return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)

540

541

# Error handling function

542

def _error_code(result):

543

"""A function to raise exceptions on errors, suitable

544

for the 'restype' attribute on ctypes functions"""

545

if result >= 0:

546

return result

547

if result == gnutls.E_NO_CERTIFICATE_FOUND:

548

raise gnutls.CertificateSecurityError(code = result)

549

raise gnutls.Error(code = result)

550

551

# Unless otherwise indicated, the function declarations below are

552

# all from the gnutls/gnutls.h C header file.

553

554

# Functions

555

priority_set_direct = _library.gnutls_priority_set_direct

556

priority_set_direct.argtypes = [session_t, ctypes.c_char_p,

557

ctypes.POINTER(ctypes.c_char_p)]

558

priority_set_direct.restype = _error_code

559

560

init = _library.gnutls_init

561

init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]

562

init.restype = _error_code

563

564

set_default_priority = _library.gnutls_set_default_priority

565

set_default_priority.argtypes = [session_t]

566

set_default_priority.restype = _error_code

567

568

record_send = _library.gnutls_record_send

569

record_send.argtypes = [session_t, ctypes.c_void_p,

570

ctypes.c_size_t]

571

record_send.restype = ctypes.c_ssize_t

572

573

certificate_allocate_credentials = (

574

_library.gnutls_certificate_allocate_credentials)

575

certificate_allocate_credentials.argtypes = [

576

ctypes.POINTER(certificate_credentials_t)]

577

certificate_allocate_credentials.restype = _error_code

578

579

certificate_free_credentials = (

580

_library.gnutls_certificate_free_credentials)

581

certificate_free_credentials.argtypes = [certificate_credentials_t]

582

certificate_free_credentials.restype = None

583

584

handshake_set_private_extensions = (

585

_library.gnutls_handshake_set_private_extensions)

586

handshake_set_private_extensions.argtypes = [session_t,

587

ctypes.c_int]

588

handshake_set_private_extensions.restype = None

589

590

credentials_set = _library.gnutls_credentials_set

591

credentials_set.argtypes = [session_t, credentials_type_t,

592

ctypes.c_void_p]

593

credentials_set.restype = _error_code

594

595

strerror = _library.gnutls_strerror

596

strerror.argtypes = [ctypes.c_int]

597

strerror.restype = ctypes.c_char_p

598

599

certificate_type_get = _library.gnutls_certificate_type_get

600

certificate_type_get.argtypes = [session_t]

601

certificate_type_get.restype = _error_code

602

603

certificate_get_peers = _library.gnutls_certificate_get_peers

604

certificate_get_peers.argtypes = [session_t,

605

ctypes.POINTER(ctypes.c_uint)]

606

certificate_get_peers.restype = ctypes.POINTER(datum_t)

607

608

global_set_log_level = _library.gnutls_global_set_log_level

609

global_set_log_level.argtypes = [ctypes.c_int]

610

global_set_log_level.restype = None

611

612

global_set_log_function = _library.gnutls_global_set_log_function

613

global_set_log_function.argtypes = [log_func]

614

global_set_log_function.restype = None

615

616

deinit = _library.gnutls_deinit

617

deinit.argtypes = [session_t]

618

deinit.restype = None

619

620

handshake = _library.gnutls_handshake

621

handshake.argtypes = [session_t]

622

handshake.restype = _error_code

623

624

transport_set_ptr = _library.gnutls_transport_set_ptr

625

transport_set_ptr.argtypes = [session_t, transport_ptr_t]

626

transport_set_ptr.restype = None

627

628

bye = _library.gnutls_bye

629

bye.argtypes = [session_t, close_request_t]

630

bye.restype = _error_code

631

632

check_version = _library.gnutls_check_version

633

check_version.argtypes = [ctypes.c_char_p]

634

check_version.restype = ctypes.c_char_p

635

636

# All the function declarations below are from gnutls/openpgp.h

637

638

openpgp_crt_init = _library.gnutls_openpgp_crt_init

639

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

640

openpgp_crt_init.restype = _error_code

641

642

openpgp_crt_import = _library.gnutls_openpgp_crt_import

643

openpgp_crt_import.argtypes = [openpgp_crt_t,

644

ctypes.POINTER(datum_t),

645

openpgp_crt_fmt_t]

646

openpgp_crt_import.restype = _error_code

647

648

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

649

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

650

ctypes.POINTER(ctypes.c_uint)]

651

openpgp_crt_verify_self.restype = _error_code

652

653

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

654

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

655

openpgp_crt_deinit.restype = None

656

657

openpgp_crt_get_fingerprint = (

658

_library.gnutls_openpgp_crt_get_fingerprint)

659

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

660

ctypes.c_void_p,

661

ctypes.POINTER(

662

ctypes.c_size_t)]

663

openpgp_crt_get_fingerprint.restype = _error_code

664

665

# Remove non-public function

666

del _error_code

667

# Create the global "gnutls" object, simulating a module

668

gnutls = GnuTLS()

669

437

670

def call_pipe(connection, # : multiprocessing.Connection

438

671

func, *args, **kwargs):

439

672

"""This function is meant to be called by multiprocessing.Process

1879

2112

logger.debug("Pipe FD: %d",

1880

2113

self.server.child_pipe.fileno())

1881

2114

1882

session = gnutls.connection.ClientSession(

1883

self.request, gnutls.connection.X509Credentials())

1884

1885

# Note: gnutls.connection.X509Credentials is really a

1886

# generic GnuTLS certificate credentials object so long as

1887

# no X.509 keys are added to it. Therefore, we can use it

1888

# here despite using OpenPGP certificates.

2115

session = gnutls.ClientSession(self.request)

1889

2116

1890

2117

#priority = ':'.join(("NONE", "+VERS-TLS1.1",

1891

2118

# "+AES-256-CBC", "+SHA1",

1895

2122

priority = self.server.gnutls_priority

1896

2123

if priority is None:

1897

2124

priority = "NORMAL"

1898

gnutls.library.functions.gnutls_priority_set_direct(

1899

session._c_object, priority, None)

2125

gnutls.priority_set_direct(session._c_object, priority,

2126

None)

1900

2127

1901

2128

# Start communication using the Mandos protocol

1902

2129

# Get protocol number

1912

2139

# Start GnuTLS connection

1913

2140

try:

1914

2141

session.handshake()

1915

except gnutls.errors.GNUTLSError as error:

2142

except gnutls.Error as error:

1916

2143

logger.warning("Handshake failed: %s", error)

1917

2144

# Do not run session.bye() here: the session is not

1918

2145

# established. Just abandon the request.

1924

2151

try:

1925

2152

fpr = self.fingerprint(

1926

2153

self.peer_certificate(session))

1927

except (TypeError,

1928

gnutls.errors.GNUTLSError) as error:

2154

except (TypeError, gnutls.Error) as error:

1929

2155

logger.warning("Bad certificate: %s", error)

1930

2156

return

1931

2157

logger.debug("Fingerprint: %s", fpr)

1993

2219

while sent_size < len(client.secret):

1994

2220

try:

1995

2221

sent = session.send(client.secret[sent_size:])

1996

except gnutls.errors.GNUTLSError as error:

2222

except gnutls.Error as error:

1997

2223

logger.warning("gnutls send failed",

1998

2224

exc_info=error)

1999

2225

return

2014

2240

client.approvals_pending -= 1

2015

2241

try:

2016

2242

session.bye()

2017

except gnutls.errors.GNUTLSError as error:

2243

except gnutls.Error as error:

2018

2244

logger.warning("GnuTLS bye failed",

2019

2245

exc_info=error)

2020

2246

2022

2248

def peer_certificate(session):

2023

2249

"Return the peer's OpenPGP certificate as a bytestring"

2024

2250

# If not an OpenPGP certificate...

2025

if (gnutls.library.functions.gnutls_certificate_type_get(

2026

session._c_object)

2027

!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):

2028

# ...do the normal thing

2029

return session.peer_certificate

2251

if (gnutls.certificate_type_get(session._c_object)

2252

!= gnutls.CRT_OPENPGP):

2253

# ...return invalid data

2254

return b""

2030

2255

list_size = ctypes.c_uint(1)

2031

cert_list = (gnutls.library.functions

2032

.gnutls_certificate_get_peers

2256

cert_list = (gnutls.certificate_get_peers

2033

2257

(session._c_object, ctypes.byref(list_size)))

2034

2258

if not bool(cert_list) and list_size.value != 0:

2035

raise gnutls.errors.GNUTLSError("error getting peer"

2036

" certificate")

2259

raise gnutls.Error("error getting peer certificate")

2037

2260

if list_size.value == 0:

2038

2261

return None

2039

2262

cert = cert_list[0]

2043

2266

def fingerprint(openpgp):

2044

2267

"Convert an OpenPGP bytestring to a hexdigit fingerprint"

2045

2268

# New GnuTLS "datum" with the OpenPGP public key

2046

datum = gnutls.library.types.gnutls_datum_t(

2269

datum = gnutls.datum_t(

2047

2270

ctypes.cast(ctypes.c_char_p(openpgp),

2048

2271

ctypes.POINTER(ctypes.c_ubyte)),

2049

2272

ctypes.c_uint(len(openpgp)))

2050

2273

# New empty GnuTLS certificate

2051

crt = gnutls.library.types.gnutls_openpgp_crt_t()

2052

gnutls.library.functions.gnutls_openpgp_crt_init(

2053

ctypes.byref(crt))

2274

crt = gnutls.openpgp_crt_t()

2275

gnutls.openpgp_crt_init(ctypes.byref(crt))

2054

2276

# Import the OpenPGP public key into the certificate

2055

gnutls.library.functions.gnutls_openpgp_crt_import(

2056

crt, ctypes.byref(datum),

2057

gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)

2277

gnutls.openpgp_crt_import(crt, ctypes.byref(datum),

2278

gnutls.OPENPGP_FMT_RAW)

2058

2279

# Verify the self signature in the key

2059

2280

crtverify = ctypes.c_uint()

2060

gnutls.library.functions.gnutls_openpgp_crt_verify_self(

2061

crt, 0, ctypes.byref(crtverify))

2281

gnutls.openpgp_crt_verify_self(crt, 0,

2282

ctypes.byref(crtverify))

2062

2283

if crtverify.value != 0:

2063

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

2064

raise gnutls.errors.CertificateSecurityError(

2065

"Verify failed")

2284

gnutls.openpgp_crt_deinit(crt)

2285

raise gnutls.CertificateSecurityError("Verify failed")

2066

2286

# New buffer for the fingerprint

2067

2287

buf = ctypes.create_string_buffer(20)

2068

2288

buf_len = ctypes.c_size_t()

2069

2289

# Get the fingerprint from the certificate into the buffer

2070

gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(

2071

crt, ctypes.byref(buf), ctypes.byref(buf_len))

2290

gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),

2291

ctypes.byref(buf_len))

2072

2292

# Deinit the certificate

2073

gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)

2293

gnutls.openpgp_crt_deinit(crt)

2074

2294

# Convert the buffer to a Python bytestring

2075

2295

fpr = ctypes.string_at(buf, buf_len.value)

2076

2296

# Convert the bytestring to hexadecimal notation

2702

2922

2703

2923

# "Use a log level over 10 to enable all debugging options."

2704

2924

# - GnuTLS manual

2705

gnutls.library.functions.gnutls_global_set_log_level(11)

2925

gnutls.global_set_log_level(11)

2706

2926

2707

@gnutls.library.types.gnutls_log_func

2927

@gnutls.log_func

2708

2928

def debug_gnutls(level, string):

2709

2929

logger.debug("GnuTLS: %s", string[:-1])

2710

2930

2711

gnutls.library.functions.gnutls_global_set_log_function(

2712

debug_gnutls)

2931

gnutls.global_set_log_function(debug_gnutls)

2713

2932

2714

2933

# Redirect stdin so all checkers get /dev/null

2715

2934

null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)

Older »