/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2019-02-13 08:45:09 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 382.
  • Revision ID: teddy@recompile.se-20190213084509-bb2uu006vip11v7l
Remove modification of debian/control file

* debian/rules (override_dh_shlibdeps-arch): Commented out.

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2017 Teddy Hogeborn
15
 
# Copyright © 2008-2017 Björn Påhlsson
 
14
# Copyright © 2008-2019 Teddy Hogeborn
 
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
115
115
if sys.version_info.major == 2:
116
116
    str = unicode
117
117
 
118
 
version = "1.7.16"
 
118
version = "1.8.3"
119
119
stored_state_file = "clients.pickle"
120
120
 
121
121
logger = logging.getLogger()
496
496
class AvahiServiceToSyslog(AvahiService):
497
497
    def rename(self, *args, **kwargs):
498
498
        """Add the new name to the syslog messages"""
499
 
        ret = AvahiService.rename(self, *args, **kwargs)
 
499
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
500
500
        syslogger.setFormatter(logging.Formatter(
501
501
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
502
            .format(self.name)))
514
514
    _library = ctypes.cdll.LoadLibrary(library)
515
515
    del library
516
516
    _need_version = b"3.3.0"
 
517
    _tls_rawpk_version = b"3.6.6"
517
518
 
518
519
    def __init__(self):
519
520
        # Need to use "self" here, since this method is called before
530
531
    E_INTERRUPTED = -52
531
532
    E_AGAIN = -28
532
533
    CRT_OPENPGP = 2
 
534
    CRT_RAWPK = 3
533
535
    CLIENT = 2
534
536
    SHUT_RDWR = 0
535
537
    CRD_CERTIFICATE = 1
536
538
    E_NO_CERTIFICATE_FOUND = -49
 
539
    X509_FMT_DER = 0
 
540
    NO_TICKETS = 1<<10
 
541
    ENABLE_RAWPK = 1<<18
 
542
    CTYPE_PEERS = 3
 
543
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
537
544
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
538
545
 
539
546
    # Types
593
600
    class ClientSession(object):
594
601
        def __init__(self, socket, credentials=None):
595
602
            self._c_object = gnutls.session_t()
596
 
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
 
603
            gnutls_flags = gnutls.CLIENT
 
604
            if gnutls.check_version("3.5.6"):
 
605
                gnutls_flags |= gnutls.NO_TICKETS
 
606
            if gnutls.has_rawpk:
 
607
                gnutls_flags |= gnutls.ENABLE_RAWPK
 
608
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
 
609
            del gnutls_flags
597
610
            gnutls.set_default_priority(self._c_object)
598
611
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
612
            gnutls.handshake_set_private_extensions(self._c_object,
731
744
    check_version.argtypes = [ctypes.c_char_p]
732
745
    check_version.restype = ctypes.c_char_p
733
746
 
734
 
    # All the function declarations below are from gnutls/openpgp.h
735
 
 
736
 
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
 
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
 
    openpgp_crt_init.restype = _error_code
739
 
 
740
 
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
 
    openpgp_crt_import.argtypes = [openpgp_crt_t,
742
 
                                   ctypes.POINTER(datum_t),
743
 
                                   openpgp_crt_fmt_t]
744
 
    openpgp_crt_import.restype = _error_code
745
 
 
746
 
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
 
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
 
                                        ctypes.POINTER(ctypes.c_uint)]
749
 
    openpgp_crt_verify_self.restype = _error_code
750
 
 
751
 
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
 
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
 
    openpgp_crt_deinit.restype = None
754
 
 
755
 
    openpgp_crt_get_fingerprint = (
756
 
        _library.gnutls_openpgp_crt_get_fingerprint)
757
 
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
 
                                            ctypes.c_void_p,
759
 
                                            ctypes.POINTER(
760
 
                                                ctypes.c_size_t)]
761
 
    openpgp_crt_get_fingerprint.restype = _error_code
 
747
    has_rawpk = bool(check_version(_tls_rawpk_version))
 
748
 
 
749
    if has_rawpk:
 
750
        # Types
 
751
        class pubkey_st(ctypes.Structure):
 
752
            _fields = []
 
753
        pubkey_t = ctypes.POINTER(pubkey_st)
 
754
 
 
755
        x509_crt_fmt_t = ctypes.c_int
 
756
 
 
757
        # All the function declarations below are from gnutls/abstract.h
 
758
        pubkey_init = _library.gnutls_pubkey_init
 
759
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
 
760
        pubkey_init.restype = _error_code
 
761
 
 
762
        pubkey_import = _library.gnutls_pubkey_import
 
763
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
 
764
                                  x509_crt_fmt_t]
 
765
        pubkey_import.restype = _error_code
 
766
 
 
767
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
 
768
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
 
769
                                      ctypes.POINTER(ctypes.c_ubyte),
 
770
                                      ctypes.POINTER(ctypes.c_size_t)]
 
771
        pubkey_get_key_id.restype = _error_code
 
772
 
 
773
        pubkey_deinit = _library.gnutls_pubkey_deinit
 
774
        pubkey_deinit.argtypes = [pubkey_t]
 
775
        pubkey_deinit.restype = None
 
776
    else:
 
777
        # All the function declarations below are from gnutls/openpgp.h
 
778
 
 
779
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
780
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
781
        openpgp_crt_init.restype = _error_code
 
782
 
 
783
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
784
        openpgp_crt_import.argtypes = [openpgp_crt_t,
 
785
                                       ctypes.POINTER(datum_t),
 
786
                                       openpgp_crt_fmt_t]
 
787
        openpgp_crt_import.restype = _error_code
 
788
 
 
789
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
790
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
791
                                            ctypes.POINTER(ctypes.c_uint)]
 
792
        openpgp_crt_verify_self.restype = _error_code
 
793
 
 
794
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
795
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
796
        openpgp_crt_deinit.restype = None
 
797
 
 
798
        openpgp_crt_get_fingerprint = (
 
799
            _library.gnutls_openpgp_crt_get_fingerprint)
 
800
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
801
                                                ctypes.c_void_p,
 
802
                                                ctypes.POINTER(
 
803
                                                    ctypes.c_size_t)]
 
804
        openpgp_crt_get_fingerprint.restype = _error_code
 
805
 
 
806
    if check_version("3.6.4"):
 
807
        certificate_type_get2 = _library.gnutls_certificate_type_get2
 
808
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
 
809
        certificate_type_get2.restype = _error_code
762
810
 
763
811
    # Remove non-public functions
764
812
    del _error_code, _retry_on_error
800
848
    disable_initiator_tag: a GLib event source tag, or None
801
849
    enabled:    bool()
802
850
    fingerprint: string (40 or 32 hexadecimal digits); used to
803
 
                 uniquely identify the client
 
851
                 uniquely identify an OpenPGP client
 
852
    key_id: string (64 hexadecimal digits); used to uniquely identify
 
853
            a client using raw public keys
804
854
    host:       string; available for use by the checker command
805
855
    interval:   datetime.timedelta(); How often to start a new checker
806
856
    last_approval_request: datetime.datetime(); (UTC) or None
824
874
    """
825
875
 
826
876
    runtime_expansions = ("approval_delay", "approval_duration",
827
 
                          "created", "enabled", "expires",
 
877
                          "created", "enabled", "expires", "key_id",
828
878
                          "fingerprint", "host", "interval",
829
879
                          "last_approval_request", "last_checked_ok",
830
880
                          "last_enabled", "name", "timeout")
860
910
            client["enabled"] = config.getboolean(client_name,
861
911
                                                  "enabled")
862
912
 
863
 
            # Uppercase and remove spaces from fingerprint for later
864
 
            # comparison purposes with return value from the
865
 
            # fingerprint() function
 
913
            # Uppercase and remove spaces from key_id and fingerprint
 
914
            # for later comparison purposes with return value from the
 
915
            # key_id() and fingerprint() functions
 
916
            client["key_id"] = (section.get("key_id", "").upper()
 
917
                                .replace(" ", ""))
866
918
            client["fingerprint"] = (section["fingerprint"].upper()
867
919
                                     .replace(" ", ""))
868
920
            if "secret" in section:
912
964
            self.expires = None
913
965
 
914
966
        logger.debug("Creating client %r", self.name)
 
967
        logger.debug("  Key ID: %s", self.key_id)
915
968
        logger.debug("  Fingerprint: %s", self.fingerprint)
916
969
        self.created = settings.get("created",
917
970
                                    datetime.datetime.utcnow())
1999
2052
    def Name_dbus_property(self):
2000
2053
        return dbus.String(self.name)
2001
2054
 
 
2055
    # KeyID - property
 
2056
    @dbus_annotations(
 
2057
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
 
2058
    @dbus_service_property(_interface, signature="s", access="read")
 
2059
    def KeyID_dbus_property(self):
 
2060
        return dbus.String(self.key_id)
 
2061
 
2002
2062
    # Fingerprint - property
2003
2063
    @dbus_annotations(
2004
2064
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2160
2220
 
2161
2221
 
2162
2222
class ProxyClient(object):
2163
 
    def __init__(self, child_pipe, fpr, address):
 
2223
    def __init__(self, child_pipe, key_id, fpr, address):
2164
2224
        self._pipe = child_pipe
2165
 
        self._pipe.send(('init', fpr, address))
 
2225
        self._pipe.send(('init', key_id, fpr, address))
2166
2226
        if not self._pipe.recv():
2167
 
            raise KeyError(fpr)
 
2227
            raise KeyError(key_id or fpr)
2168
2228
 
2169
2229
    def __getattribute__(self, name):
2170
2230
        if name == '_pipe':
2237
2297
 
2238
2298
            approval_required = False
2239
2299
            try:
2240
 
                try:
2241
 
                    fpr = self.fingerprint(
2242
 
                        self.peer_certificate(session))
2243
 
                except (TypeError, gnutls.Error) as error:
2244
 
                    logger.warning("Bad certificate: %s", error)
2245
 
                    return
2246
 
                logger.debug("Fingerprint: %s", fpr)
2247
 
 
2248
 
                try:
2249
 
                    client = ProxyClient(child_pipe, fpr,
 
2300
                if gnutls.has_rawpk:
 
2301
                    fpr = ""
 
2302
                    try:
 
2303
                        key_id = self.key_id(
 
2304
                            self.peer_certificate(session))
 
2305
                    except (TypeError, gnutls.Error) as error:
 
2306
                        logger.warning("Bad certificate: %s", error)
 
2307
                        return
 
2308
                    logger.debug("Key ID: %s", key_id)
 
2309
 
 
2310
                else:
 
2311
                    key_id = ""
 
2312
                    try:
 
2313
                        fpr = self.fingerprint(
 
2314
                            self.peer_certificate(session))
 
2315
                    except (TypeError, gnutls.Error) as error:
 
2316
                        logger.warning("Bad certificate: %s", error)
 
2317
                        return
 
2318
                    logger.debug("Fingerprint: %s", fpr)
 
2319
 
 
2320
                try:
 
2321
                    client = ProxyClient(child_pipe, key_id, fpr,
2250
2322
                                         self.client_address)
2251
2323
                except KeyError:
2252
2324
                    return
2329
2401
 
2330
2402
    @staticmethod
2331
2403
    def peer_certificate(session):
2332
 
        "Return the peer's OpenPGP certificate as a bytestring"
2333
 
        # If not an OpenPGP certificate...
2334
 
        if (gnutls.certificate_type_get(session._c_object)
2335
 
            != gnutls.CRT_OPENPGP):
 
2404
        "Return the peer's certificate as a bytestring"
 
2405
        try:
 
2406
            cert_type = gnutls.certificate_type_get2(session._c_object,
 
2407
                                                     gnutls.CTYPE_PEERS)
 
2408
        except AttributeError:
 
2409
            cert_type = gnutls.certificate_type_get(session._c_object)
 
2410
        if gnutls.has_rawpk:
 
2411
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
 
2412
        else:
 
2413
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
 
2414
        # If not a valid certificate type...
 
2415
        if cert_type not in valid_cert_types:
 
2416
            logger.info("Cert type %r not in %r", cert_type,
 
2417
                        valid_cert_types)
2336
2418
            # ...return invalid data
2337
2419
            return b""
2338
2420
        list_size = ctypes.c_uint(1)
2346
2428
        return ctypes.string_at(cert.data, cert.size)
2347
2429
 
2348
2430
    @staticmethod
 
2431
    def key_id(certificate):
 
2432
        "Convert a certificate bytestring to a hexdigit key ID"
 
2433
        # New GnuTLS "datum" with the public key
 
2434
        datum = gnutls.datum_t(
 
2435
            ctypes.cast(ctypes.c_char_p(certificate),
 
2436
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2437
            ctypes.c_uint(len(certificate)))
 
2438
        # XXX all these need to be created in the gnutls "module"
 
2439
        # New empty GnuTLS certificate
 
2440
        pubkey = gnutls.pubkey_t()
 
2441
        gnutls.pubkey_init(ctypes.byref(pubkey))
 
2442
        # Import the raw public key into the certificate
 
2443
        gnutls.pubkey_import(pubkey,
 
2444
                             ctypes.byref(datum),
 
2445
                             gnutls.X509_FMT_DER)
 
2446
        # New buffer for the key ID
 
2447
        buf = ctypes.create_string_buffer(32)
 
2448
        buf_len = ctypes.c_size_t(len(buf))
 
2449
        # Get the key ID from the raw public key into the buffer
 
2450
        gnutls.pubkey_get_key_id(pubkey,
 
2451
                                 gnutls.KEYID_USE_SHA256,
 
2452
                                 ctypes.cast(ctypes.byref(buf),
 
2453
                                             ctypes.POINTER(ctypes.c_ubyte)),
 
2454
                                 ctypes.byref(buf_len))
 
2455
        # Deinit the certificate
 
2456
        gnutls.pubkey_deinit(pubkey)
 
2457
 
 
2458
        # Convert the buffer to a Python bytestring
 
2459
        key_id = ctypes.string_at(buf, buf_len.value)
 
2460
        # Convert the bytestring to hexadecimal notation
 
2461
        hex_key_id = binascii.hexlify(key_id).upper()
 
2462
        return hex_key_id
 
2463
 
 
2464
    @staticmethod
2349
2465
    def fingerprint(openpgp):
2350
2466
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2467
        # New GnuTLS "datum" with the OpenPGP public key
2365
2481
                                       ctypes.byref(crtverify))
2366
2482
        if crtverify.value != 0:
2367
2483
            gnutls.openpgp_crt_deinit(crt)
2368
 
            raise gnutls.CertificateSecurityError("Verify failed")
 
2484
            raise gnutls.CertificateSecurityError(code
 
2485
                                                  =crtverify.value)
2369
2486
        # New buffer for the fingerprint
2370
2487
        buf = ctypes.create_string_buffer(20)
2371
2488
        buf_len = ctypes.c_size_t()
2578
2695
        command = request[0]
2579
2696
 
2580
2697
        if command == 'init':
2581
 
            fpr = request[1]
2582
 
            address = request[2]
 
2698
            key_id = request[1].decode("ascii")
 
2699
            fpr = request[2].decode("ascii")
 
2700
            address = request[3]
2583
2701
 
2584
2702
            for c in self.clients.values():
2585
 
                if c.fingerprint == fpr:
 
2703
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
 
2704
                    continue
 
2705
                if key_id and c.key_id == key_id:
 
2706
                    client = c
 
2707
                    break
 
2708
                if fpr and c.fingerprint == fpr:
2586
2709
                    client = c
2587
2710
                    break
2588
2711
            else:
2589
 
                logger.info("Client not found for fingerprint: %s, ad"
2590
 
                            "dress: %s", fpr, address)
 
2712
                logger.info("Client not found for key ID: %s, address"
 
2713
                            ": %s", key_id or fpr, address)
2591
2714
                if self.use_dbus:
2592
2715
                    # Emit D-Bus signal
2593
 
                    mandos_dbus_service.ClientNotFound(fpr,
 
2716
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
2717
                                                       address[0])
2595
2718
                parent_pipe.send(False)
2596
2719
                return False
2859
2982
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2983
 
2861
2984
    # Default values for config file for server-global settings
 
2985
    if gnutls.has_rawpk:
 
2986
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
 
2987
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
 
2988
    else:
 
2989
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
2990
                    ":+SIGN-DSA-SHA256")
2862
2991
    server_defaults = {"interface": "",
2863
2992
                       "address": "",
2864
2993
                       "port": "",
2865
2994
                       "debug": "False",
2866
 
                       "priority":
2867
 
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
 
                       ":+SIGN-DSA-SHA256",
 
2995
                       "priority": priority,
2869
2996
                       "servicename": "Mandos",
2870
2997
                       "use_dbus": "True",
2871
2998
                       "use_ipv6": "True",
2876
3003
                       "foreground": "False",
2877
3004
                       "zeroconf": "True",
2878
3005
                       }
 
3006
    del priority
2879
3007
 
2880
3008
    # Parse config file for server-global settings
2881
3009
    server_config = configparser.SafeConfigParser(server_defaults)
3125
3253
                        for k in ("name", "host"):
3126
3254
                            if isinstance(value[k], bytes):
3127
3255
                                value[k] = value[k].decode("utf-8")
 
3256
                        if not value.has_key("key_id"):
 
3257
                            value["key_id"] = ""
 
3258
                        elif not value.has_key("fingerprint"):
 
3259
                            value["fingerprint"] = ""
3128
3260
                    #  old_client_settings
3129
3261
                    # .keys()
3130
3262
                    old_client_settings = {
3267
3399
                pass
3268
3400
 
3269
3401
            @dbus.service.signal(_interface, signature="ss")
3270
 
            def ClientNotFound(self, fingerprint, address):
 
3402
            def ClientNotFound(self, key_id, address):
3271
3403
                "D-Bus signal"
3272
3404
                pass
3273
3405