/mandos/release : revision 237.7.475

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

Committer: Teddy Hogeborn
Date: 2018-02-10 13:23:58 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 362.
Revision ID: teddy@recompile.se-20180210132358-8pfvo9vshq9l32y5

Remove unnecessary text left from old example init.d file

* init.d-mandos: Remove unnecessary text left from old example init.d
file.

files added:
initramfs-tools-hook-conf

files removed:
initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

initramfs-tools-hook

initramfs-tools-script

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos.lsm

mandos.xml

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

Show diffs side-by-side

added added

removed removed

mandos

115

if sys.version_info.major == 2:

116

str = unicode

117

118

version = "1.7.20"

118

version = "1.7.16"

119

stored_state_file = "clients.pickle"

120

121

logger = logging.getLogger()

514

_library = ctypes.cdll.LoadLibrary(library)

515

del library

516

_need_version = b"3.3.0"

517

_tls_rawpk_version = b"3.6.6"

518

517

519

518

def __init__(self):

520

519

# Need to use "self" here, since this method is called before

531

530

E_INTERRUPTED = -52

532

531

E_AGAIN = -28

533

532

CRT_OPENPGP = 2

534

CRT_RAWPK = 3

535

533

CLIENT = 2

536

534

SHUT_RDWR = 0

537

535

CRD_CERTIFICATE = 1

538

536

E_NO_CERTIFICATE_FOUND = -49

539

X509_FMT_DER = 0

540

NO_TICKETS = 1<<10

541

ENABLE_RAWPK = 1<<18

542

CTYPE_PEERS = 3

543

KEYID_USE_SHA256 = 1 # gnutls/x509.h

544

537

OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h

545

538

546

539

# Types

600

593

class ClientSession(object):

601

594

def __init__(self, socket, credentials=None):

602

595

self._c_object = gnutls.session_t()

603

gnutls_flags = gnutls.CLIENT

604

if gnutls.check_version("3.5.6"):

605

gnutls_flags |= gnutls.NO_TICKETS

606

if gnutls.has_rawpk:

607

gnutls_flags |= gnutls.ENABLE_RAWPK

608

gnutls.init(ctypes.byref(self._c_object), gnutls_flags)

609

del gnutls_flags

596

gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)

610

597

gnutls.set_default_priority(self._c_object)

611

598

gnutls.transport_set_ptr(self._c_object, socket.fileno())

612

599

gnutls.handshake_set_private_extensions(self._c_object,

744

731

check_version.argtypes = [ctypes.c_char_p]

745

732

check_version.restype = ctypes.c_char_p

746

733

747

has_rawpk = bool(check_version(_tls_rawpk_version))

748

749

if has_rawpk:

750

# Types

751

class pubkey_st(ctypes.Structure):

752

_fields = []

753

pubkey_t = ctypes.POINTER(pubkey_st)

754

755

x509_crt_fmt_t = ctypes.c_int

756

757

# All the function declarations below are from gnutls/abstract.h

758

pubkey_init = _library.gnutls_pubkey_init

759

pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]

760

pubkey_init.restype = _error_code

761

762

pubkey_import = _library.gnutls_pubkey_import

763

pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),

764

x509_crt_fmt_t]

765

pubkey_import.restype = _error_code

766

767

pubkey_get_key_id = _library.gnutls_pubkey_get_key_id

768

pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,

769

ctypes.POINTER(ctypes.c_ubyte),

770

ctypes.POINTER(ctypes.c_size_t)]

771

pubkey_get_key_id.restype = _error_code

772

773

pubkey_deinit = _library.gnutls_pubkey_deinit

774

pubkey_deinit.argtypes = [pubkey_t]

775

pubkey_deinit.restype = None

776

else:

777

# All the function declarations below are from gnutls/openpgp.h

778

779

openpgp_crt_init = _library.gnutls_openpgp_crt_init

780

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

781

openpgp_crt_init.restype = _error_code

782

783

openpgp_crt_import = _library.gnutls_openpgp_crt_import

784

openpgp_crt_import.argtypes = [openpgp_crt_t,

785

ctypes.POINTER(datum_t),

786

openpgp_crt_fmt_t]

787

openpgp_crt_import.restype = _error_code

788

789

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

790

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

791

ctypes.POINTER(ctypes.c_uint)]

792

openpgp_crt_verify_self.restype = _error_code

793

794

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

795

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

796

openpgp_crt_deinit.restype = None

797

798

openpgp_crt_get_fingerprint = (

799

_library.gnutls_openpgp_crt_get_fingerprint)

800

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

801

ctypes.c_void_p,

802

ctypes.POINTER(

803

ctypes.c_size_t)]

804

openpgp_crt_get_fingerprint.restype = _error_code

805

806

if check_version("3.6.4"):

807

certificate_type_get2 = _library.gnutls_certificate_type_get2

808

certificate_type_get2.argtypes = [session_t, ctypes.c_int]

809

certificate_type_get2.restype = _error_code

734

# All the function declarations below are from gnutls/openpgp.h

735

736

openpgp_crt_init = _library.gnutls_openpgp_crt_init

737

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

738

openpgp_crt_init.restype = _error_code

739

740

openpgp_crt_import = _library.gnutls_openpgp_crt_import

741

openpgp_crt_import.argtypes = [openpgp_crt_t,

742

ctypes.POINTER(datum_t),

743

openpgp_crt_fmt_t]

744

openpgp_crt_import.restype = _error_code

745

746

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

747

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

748

ctypes.POINTER(ctypes.c_uint)]

749

openpgp_crt_verify_self.restype = _error_code

750

751

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

752

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

753

openpgp_crt_deinit.restype = None

754

755

openpgp_crt_get_fingerprint = (

756

_library.gnutls_openpgp_crt_get_fingerprint)

757

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

758

ctypes.c_void_p,

759

ctypes.POINTER(

760

ctypes.c_size_t)]

761

openpgp_crt_get_fingerprint.restype = _error_code

810

762

811

763

# Remove non-public functions

812

764

del _error_code, _retry_on_error

848

800

disable_initiator_tag: a GLib event source tag, or None

849

801

enabled: bool()

850

802

fingerprint: string (40 or 32 hexadecimal digits); used to

851

uniquely identify an OpenPGP client

852

key_id: string (64 hexadecimal digits); used to uniquely identify

853

a client using raw public keys

803

uniquely identify the client

854

804

host: string; available for use by the checker command

855

805

interval: datetime.timedelta(); How often to start a new checker

856

806

last_approval_request: datetime.datetime(); (UTC) or None

874

824

"""

875

825

876

826

runtime_expansions = ("approval_delay", "approval_duration",

877

"created", "enabled", "expires", "key_id",

827

"created", "enabled", "expires",

878

828

"fingerprint", "host", "interval",

879

829

"last_approval_request", "last_checked_ok",

880

830

"last_enabled", "name", "timeout")

910

860

client["enabled"] = config.getboolean(client_name,

911

861

"enabled")

912

862

913

# Uppercase and remove spaces from key_id and fingerprint

914

# for later comparison purposes with return value from the

915

# key_id() and fingerprint() functions

916

client["key_id"] = (section.get("key_id", "").upper()

917

.replace(" ", ""))

863

# Uppercase and remove spaces from fingerprint for later

864

# comparison purposes with return value from the

865

# fingerprint() function

918

866

client["fingerprint"] = (section["fingerprint"].upper()

919

867

.replace(" ", ""))

920

868

if "secret" in section:

964

912

self.expires = None

965

913

966

914

logger.debug("Creating client %r", self.name)

967

logger.debug(" Key ID: %s", self.key_id)

968

915

logger.debug(" Fingerprint: %s", self.fingerprint)

969

916

self.created = settings.get("created",

970

917

datetime.datetime.utcnow())

2052

1999

def Name_dbus_property(self):

2053

2000

return dbus.String(self.name)

2054

2001

2055

# KeyID - property

2056

@dbus_annotations(

2057

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2058

@dbus_service_property(_interface, signature="s", access="read")

2059

def KeyID_dbus_property(self):

2060

return dbus.String(self.key_id)

2061

2062

2002

# Fingerprint - property

2063

2003

@dbus_annotations(

2064

2004

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2220

2160

2221

2161

2222

2162

class ProxyClient(object):

2223

def __init__(self, child_pipe, key_id, fpr, address):

2163

def __init__(self, child_pipe, fpr, address):

2224

2164

self._pipe = child_pipe

2225

self._pipe.send(('init', key_id, fpr, address))

2165

self._pipe.send(('init', fpr, address))

2226

2166

if not self._pipe.recv():

2227

raise KeyError(key_id or fpr)

2167

raise KeyError(fpr)

2228

2168

2229

2169

def __getattribute__(self, name):

2230

2170

if name == '_pipe':

2297

2237

2298

2238

approval_required = False

2299

2239

try:

2300

if gnutls.has_rawpk:

2301

fpr = ""

2302

try:

2303

key_id = self.key_id(

2304

self.peer_certificate(session))

2305

except (TypeError, gnutls.Error) as error:

2306

logger.warning("Bad certificate: %s", error)

2307

return

2308

logger.debug("Key ID: %s", key_id)

2309

2310

else:

2311

key_id = ""

2312

try:

2313

fpr = self.fingerprint(

2314

self.peer_certificate(session))

2315

except (TypeError, gnutls.Error) as error:

2316

logger.warning("Bad certificate: %s", error)

2317

return

2318

logger.debug("Fingerprint: %s", fpr)

2319

2320

try:

2321

client = ProxyClient(child_pipe, key_id, fpr,

2240

try:

2241

fpr = self.fingerprint(

2242

self.peer_certificate(session))

2243

except (TypeError, gnutls.Error) as error:

2244

logger.warning("Bad certificate: %s", error)

2245

return

2246

logger.debug("Fingerprint: %s", fpr)

2247

2248

try:

2249

client = ProxyClient(child_pipe, fpr,

2322

2250

self.client_address)

2323

2251

except KeyError:

2324

2252

return

2401

2329

2402

2330

@staticmethod

2403

2331

def peer_certificate(session):

2404

"Return the peer's certificate as a bytestring"

2405

try:

2406

cert_type = gnutls.certificate_type_get2(session._c_object,

2407

gnutls.CTYPE_PEERS)

2408

except AttributeError:

2409

cert_type = gnutls.certificate_type_get(session._c_object)

2410

if gnutls.has_rawpk:

2411

valid_cert_types = frozenset((gnutls.CRT_RAWPK,))

2412

else:

2413

valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))

2414

# If not a valid certificate type...

2415

if cert_type not in valid_cert_types:

2416

logger.info("Cert type %r not in %r", cert_type,

2417

valid_cert_types)

2332

"Return the peer's OpenPGP certificate as a bytestring"

2333

# If not an OpenPGP certificate...

2334

if (gnutls.certificate_type_get(session._c_object)

2335

!= gnutls.CRT_OPENPGP):

2418

2336

# ...return invalid data

2419

2337

return b""

2420

2338

list_size = ctypes.c_uint(1)

2428

2346

return ctypes.string_at(cert.data, cert.size)

2429

2347

2430

2348

@staticmethod

2431

def key_id(certificate):

2432

"Convert a certificate bytestring to a hexdigit key ID"

2433

# New GnuTLS "datum" with the public key

2434

datum = gnutls.datum_t(

2435

ctypes.cast(ctypes.c_char_p(certificate),

2436

ctypes.POINTER(ctypes.c_ubyte)),

2437

ctypes.c_uint(len(certificate)))

2438

# XXX all these need to be created in the gnutls "module"

2439

# New empty GnuTLS certificate

2440

pubkey = gnutls.pubkey_t()

2441

gnutls.pubkey_init(ctypes.byref(pubkey))

2442

# Import the raw public key into the certificate

2443

gnutls.pubkey_import(pubkey,

2444

ctypes.byref(datum),

2445

gnutls.X509_FMT_DER)

2446

# New buffer for the key ID

2447

buf = ctypes.create_string_buffer(32)

2448

buf_len = ctypes.c_size_t(len(buf))

2449

# Get the key ID from the raw public key into the buffer

2450

gnutls.pubkey_get_key_id(pubkey,

2451

gnutls.KEYID_USE_SHA256,

2452

ctypes.cast(ctypes.byref(buf),

2453

ctypes.POINTER(ctypes.c_ubyte)),

2454

ctypes.byref(buf_len))

2455

# Deinit the certificate

2456

gnutls.pubkey_deinit(pubkey)

2457

2458

# Convert the buffer to a Python bytestring

2459

key_id = ctypes.string_at(buf, buf_len.value)

2460

# Convert the bytestring to hexadecimal notation

2461

hex_key_id = binascii.hexlify(key_id).upper()

2462

return hex_key_id

2463

2464

@staticmethod

2465

2349

def fingerprint(openpgp):

2466

2350

"Convert an OpenPGP bytestring to a hexdigit fingerprint"

2467

2351

# New GnuTLS "datum" with the OpenPGP public key

2481

2365

ctypes.byref(crtverify))

2482

2366

if crtverify.value != 0:

2483

2367

gnutls.openpgp_crt_deinit(crt)

2484

raise gnutls.CertificateSecurityError(code

2485

=crtverify.value)

2368

raise gnutls.CertificateSecurityError("Verify failed")

2486

2369

# New buffer for the fingerprint

2487

2370

buf = ctypes.create_string_buffer(20)

2488

2371

buf_len = ctypes.c_size_t()

2695

2578

command = request[0]

2696

2579

2697

2580

if command == 'init':

2698

key_id = request[1].decode("ascii")

2699

fpr = request[2].decode("ascii")

2700

address = request[3]

2581

fpr = request[1].decode("ascii")

2582

address = request[2]

2701

2583

2702

2584

for c in self.clients.values():

2703

if key_id and c.key_id == key_id:

2704

client = c

2705

break

2706

if fpr and c.fingerprint == fpr:

2585

if c.fingerprint == fpr:

2707

2586

client = c

2708

2587

break

2709

2588

else:

2710

logger.info("Client not found for key ID: %s, address"

2711

": %s", key_id or fpr, address)

2589

logger.info("Client not found for fingerprint: %s, ad"

2590

"dress: %s", fpr, address)

2712

2591

if self.use_dbus:

2713

2592

# Emit D-Bus signal

2714

mandos_dbus_service.ClientNotFound(key_id or fpr,

2593

mandos_dbus_service.ClientNotFound(fpr,

2715

2594

address[0])

2716

2595

parent_pipe.send(False)

2717

2596

return False

2980

2859

sys.exit(os.EX_OK if fail_count == 0 else 1)

2981

2860

2982

2861

# Default values for config file for server-global settings

2983

if gnutls.has_rawpk:

2984

priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"

2985

":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")

2986

else:

2987

priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2988

":+SIGN-DSA-SHA256")

2989

2862

server_defaults = {"interface": "",

2990

2863

"address": "",

2991

2864

"port": "",

2992

2865

"debug": "False",

2993

"priority": priority,

2866

"priority":

2867

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2868

":+SIGN-DSA-SHA256",

2994

2869

"servicename": "Mandos",

2995

2870

"use_dbus": "True",

2996

2871

"use_ipv6": "True",

3001

2876

"foreground": "False",

3002

2877

"zeroconf": "True",

3003

2878

}

3004

del priority

3005

2879

3006

2880

# Parse config file for server-global settings

3007

2881

server_config = configparser.SafeConfigParser(server_defaults)

3251

3125

for k in ("name", "host"):

3252

3126

if isinstance(value[k], bytes):

3253

3127

value[k] = value[k].decode("utf-8")

3254

if not value.has_key("key_id"):

3255

value["key_id"] = ""

3256

elif not value.has_key("fingerprint"):

3257

value["fingerprint"] = ""

3258

3128

# old_client_settings

3259

3129

# .keys()

3260

3130

old_client_settings = {

3397

3267

pass

3398

3268

3399

3269

@dbus.service.signal(_interface, signature="ss")

3400

def ClientNotFound(self, key_id, address):

3270

def ClientNotFound(self, fingerprint, address):

3401

3271

"D-Bus signal"

3402

3272

pass

3403

3273

Older »