To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.502
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.502
- Committer: Teddy Hogeborn
- Date: 2018-08-19 14:06:55 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 368.
- Revision ID: teddy@recompile.se-20180819140655-ghsl0d4jsx8xwg44
Move UMASK setting to more proper place
* Makefile (install-client-nokey): Also install new conf files
"initramfs-tools-conf".
* debian/mandos-client.dirs: Add "usr/share/initramfs-tools/conf.d".
* initramfs-tools-conf: New file which sets UMASK.
* initramfs-tools-hook: Change comment to correctly state new location
of UMASK setting.
* initramfs-tools-hook-conf: Remove UMASK setting.
* Makefile (install-client-nokey): Also install new conf files
"initramfs-tools-conf".
* debian/mandos-client.dirs: Add "usr/share/initramfs-tools/conf.d".
* initramfs-tools-conf: New file which sets UMASK.
* initramfs-tools-hook: Change comment to correctly state new location
of UMASK setting.
* initramfs-tools-hook-conf: Remove UMASK setting.
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
- initramfs-tools-script-stop *
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
115
115
if sys.version_info.major == 2:
116
116
str = unicode
117
117
118
version = "1.8.5"
118
version = "1.7.19"
119
119
stored_state_file = "clients.pickle"
120
120
121
121
logger = logging.getLogger()
275
275
276
276
277
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
280
281
IF_UNSPEC = -1 # avahi-common/address.h
281
282
PROTO_UNSPEC = -1 # avahi-common/address.h
282
283
PROTO_INET = 0 # avahi-common/address.h
286
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
288
DBUS_PATH_SERVER = "/"
288
289
289
@staticmethod
290
def string_array_to_txt_array(t):
290
def string_array_to_txt_array(self, t):
291
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
292
for s in t), signature="ay")
293
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
301
302
302
303
303
304
class AvahiError(Exception):
503
504
504
505
505
506
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
508
510
509
511
library = ctypes.util.find_library("gnutls")
510
512
if library is None:
511
513
library = ctypes.util.find_library("gnutls-deb0")
512
514
_library = ctypes.cdll.LoadLibrary(library)
513
515
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
514
524
515
525
# Unless otherwise indicated, the constants and types below are
516
526
# all from the gnutls/gnutls.h C header file.
520
530
E_INTERRUPTED = -52
521
531
E_AGAIN = -28
522
532
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
524
533
CLIENT = 2
525
534
SHUT_RDWR = 0
526
535
CRD_CERTIFICATE = 1
527
536
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
533
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
534
538
535
539
# Types
558
562
559
563
# Exceptions
560
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
561
569
def __init__(self, message=None, code=None, args=()):
562
570
# Default usage is by a message string, but if a return
563
571
# code is passed, convert it to a string with
564
572
# gnutls.strerror()
565
573
self.code = code
566
574
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
569
577
message, *args)
570
578
571
579
class CertificateSecurityError(Error):
585
593
class ClientSession(object):
586
594
def __init__(self, socket, credentials=None):
587
595
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version(b"3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
595
597
gnutls.set_default_priority(self._c_object)
596
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
599
gnutls.handshake_set_private_extensions(self._c_object,
729
731
check_version.argtypes = [ctypes.c_char_p]
730
732
check_version.restype = ctypes.c_char_p
731
733
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version(b"3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
801
762
802
763
# Remove non-public functions
803
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
804
767
805
768
806
769
def call_pipe(connection, # : multiprocessing.Connection
821
784
approved: bool(); 'None' if not yet approved/disapproved
822
785
approval_delay: datetime.timedelta(); Time to wait for approval
823
786
approval_duration: datetime.timedelta(); Duration of one approval
824
checker: multiprocessing.Process(); a running checker process used
825
to see if the client lives. 'None' if no process is
826
running.
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
827
790
checker_callback_tag: a GLib event source tag, or None
828
791
checker_command: string; External command which is run to check
829
792
if client lives. %() expansions are done at
837
800
disable_initiator_tag: a GLib event source tag, or None
838
801
enabled: bool()
839
802
fingerprint: string (40 or 32 hexadecimal digits); used to
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
803
uniquely identify the client
843
804
host: string; available for use by the checker command
844
805
interval: datetime.timedelta(); How often to start a new checker
845
806
last_approval_request: datetime.datetime(); (UTC) or None
863
824
"""
864
825
865
826
runtime_expansions = ("approval_delay", "approval_duration",
866
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
867
828
"fingerprint", "host", "interval",
868
829
"last_approval_request", "last_checked_ok",
869
830
"last_enabled", "name", "timeout")
899
860
client["enabled"] = config.getboolean(client_name,
900
861
"enabled")
901
862
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
907
866
client["fingerprint"] = (section["fingerprint"].upper()
908
867
.replace(" ", ""))
909
868
if "secret" in section:
953
912
self.expires = None
954
913
955
914
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
957
915
logger.debug(" Fingerprint: %s", self.fingerprint)
958
916
self.created = settings.get("created",
959
917
datetime.datetime.utcnow())
1036
994
def checker_callback(self, source, condition, connection,
1037
995
command):
1038
996
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
1039
999
# Read return code from connection (see call_pipe)
1040
1000
returncode = connection.recv()
1041
1001
connection.close()
1042
self.checker.join()
1043
self.checker_callback_tag = None
1044
self.checker = None
1045
1002
1046
1003
if returncode >= 0:
1047
1004
self.last_checker_status = returncode
2042
1999
def Name_dbus_property(self):
2043
2000
return dbus.String(self.name)
2044
2001
2045
# KeyID - property
2046
@dbus_annotations(
2047
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2048
@dbus_service_property(_interface, signature="s", access="read")
2049
def KeyID_dbus_property(self):
2050
return dbus.String(self.key_id)
2051
2052
2002
# Fingerprint - property
2053
2003
@dbus_annotations(
2054
2004
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2210
2160
2211
2161
2212
2162
class ProxyClient(object):
2213
def __init__(self, child_pipe, key_id, fpr, address):
2163
def __init__(self, child_pipe, fpr, address):
2214
2164
self._pipe = child_pipe
2215
self._pipe.send(('init', key_id, fpr, address))
2165
self._pipe.send(('init', fpr, address))
2216
2166
if not self._pipe.recv():
2217
raise KeyError(key_id or fpr)
2167
raise KeyError(fpr)
2218
2168
2219
2169
def __getattribute__(self, name):
2220
2170
if name == '_pipe':
2287
2237
2288
2238
approval_required = False
2289
2239
try:
2290
if gnutls.has_rawpk:
2291
fpr = b""
2292
try:
2293
key_id = self.key_id(
2294
self.peer_certificate(session))
2295
except (TypeError, gnutls.Error) as error:
2296
logger.warning("Bad certificate: %s", error)
2297
return
2298
logger.debug("Key ID: %s", key_id)
2299
2300
else:
2301
key_id = b""
2302
try:
2303
fpr = self.fingerprint(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Fingerprint: %s", fpr)
2309
2310
try:
2311
client = ProxyClient(child_pipe, key_id, fpr,
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2312
2250
self.client_address)
2313
2251
except KeyError:
2314
2252
return
2391
2329
2392
2330
@staticmethod
2393
2331
def peer_certificate(session):
2394
"Return the peer's certificate as a bytestring"
2395
try:
2396
cert_type = gnutls.certificate_type_get2(session._c_object,
2397
gnutls.CTYPE_PEERS)
2398
except AttributeError:
2399
cert_type = gnutls.certificate_type_get(session._c_object)
2400
if gnutls.has_rawpk:
2401
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2402
else:
2403
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2404
# If not a valid certificate type...
2405
if cert_type not in valid_cert_types:
2406
logger.info("Cert type %r not in %r", cert_type,
2407
valid_cert_types)
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2408
2336
# ...return invalid data
2409
2337
return b""
2410
2338
list_size = ctypes.c_uint(1)
2418
2346
return ctypes.string_at(cert.data, cert.size)
2419
2347
2420
2348
@staticmethod
2421
def key_id(certificate):
2422
"Convert a certificate bytestring to a hexdigit key ID"
2423
# New GnuTLS "datum" with the public key
2424
datum = gnutls.datum_t(
2425
ctypes.cast(ctypes.c_char_p(certificate),
2426
ctypes.POINTER(ctypes.c_ubyte)),
2427
ctypes.c_uint(len(certificate)))
2428
# XXX all these need to be created in the gnutls "module"
2429
# New empty GnuTLS certificate
2430
pubkey = gnutls.pubkey_t()
2431
gnutls.pubkey_init(ctypes.byref(pubkey))
2432
# Import the raw public key into the certificate
2433
gnutls.pubkey_import(pubkey,
2434
ctypes.byref(datum),
2435
gnutls.X509_FMT_DER)
2436
# New buffer for the key ID
2437
buf = ctypes.create_string_buffer(32)
2438
buf_len = ctypes.c_size_t(len(buf))
2439
# Get the key ID from the raw public key into the buffer
2440
gnutls.pubkey_get_key_id(pubkey,
2441
gnutls.KEYID_USE_SHA256,
2442
ctypes.cast(ctypes.byref(buf),
2443
ctypes.POINTER(ctypes.c_ubyte)),
2444
ctypes.byref(buf_len))
2445
# Deinit the certificate
2446
gnutls.pubkey_deinit(pubkey)
2447
2448
# Convert the buffer to a Python bytestring
2449
key_id = ctypes.string_at(buf, buf_len.value)
2450
# Convert the bytestring to hexadecimal notation
2451
hex_key_id = binascii.hexlify(key_id).upper()
2452
return hex_key_id
2453
2454
@staticmethod
2455
2349
def fingerprint(openpgp):
2456
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2457
2351
# New GnuTLS "datum" with the OpenPGP public key
2606
2500
raise
2607
2501
# Only bind(2) the socket if we really need to.
2608
2502
if self.server_address[0] or self.server_address[1]:
2609
if self.server_address[1]:
2610
self.allow_reuse_address = True
2611
2503
if not self.server_address[0]:
2612
2504
if self.address_family == socket.AF_INET6:
2613
2505
any_address = "::" # in6addr_any
2687
2579
command = request[0]
2688
2580
2689
2581
if command == 'init':
2690
key_id = request[1].decode("ascii")
2691
fpr = request[2].decode("ascii")
2692
address = request[3]
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2693
2584
2694
2585
for c in self.clients.values():
2695
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2696
continue
2697
if key_id and c.key_id == key_id:
2698
client = c
2699
break
2700
if fpr and c.fingerprint == fpr:
2586
if c.fingerprint == fpr:
2701
2587
client = c
2702
2588
break
2703
2589
else:
2704
logger.info("Client not found for key ID: %s, address"
2705
": %s", key_id or fpr, address)
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2706
2592
if self.use_dbus:
2707
2593
# Emit D-Bus signal
2708
mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
mandos_dbus_service.ClientNotFound(fpr,
2709
2595
address[0])
2710
2596
parent_pipe.send(False)
2711
2597
return False
2974
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2975
2861
2976
2862
# Default values for config file for server-global settings
2977
if gnutls.has_rawpk:
2978
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2979
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2980
else:
2981
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2982
":+SIGN-DSA-SHA256")
2983
2863
server_defaults = {"interface": "",
2984
2864
"address": "",
2985
2865
"port": "",
2986
2866
"debug": "False",
2987
"priority": priority,
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2988
2870
"servicename": "Mandos",
2989
2871
"use_dbus": "True",
2990
2872
"use_ipv6": "True",
2995
2877
"foreground": "False",
2996
2878
"zeroconf": "True",
2997
2879
}
2998
del priority
2999
2880
3000
2881
# Parse config file for server-global settings
3001
2882
server_config = configparser.SafeConfigParser(server_defaults)
3245
3126
for k in ("name", "host"):
3246
3127
if isinstance(value[k], bytes):
3247
3128
value[k] = value[k].decode("utf-8")
3248
if "key_id" not in value:
3249
value["key_id"] = ""
3250
elif "fingerprint" not in value:
3251
value["fingerprint"] = ""
3252
3129
# old_client_settings
3253
3130
# .keys()
3254
3131
old_client_settings = {
3391
3268
pass
3392
3269
3393
3270
@dbus.service.signal(_interface, signature="ss")
3394
def ClientNotFound(self, key_id, address):
3271
def ClientNotFound(self, fingerprint, address):
3395
3272
"D-Bus signal"
3396
3273
pass
3397
3274
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0