/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2019-03-12 20:13:34 UTC
  • mto: This revision was merged to the branch mainline in revision 382.
  • Revision ID: teddy@recompile.se-20190312201334-my3htrprewjosuw5
mandos-ctl: Refactor

* mandos-ctl: Reorder everything into logical order; put main() first,
              and put every subsequent definition as soon as possible
              after its first use, except superclasses which need to
              be placed before the classes inheriting from them.
              Reorder all tests to match.

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2017 Teddy Hogeborn
15
 
# Copyright © 2008-2017 Björn Påhlsson
 
14
# Copyright © 2008-2019 Teddy Hogeborn
 
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
115
115
if sys.version_info.major == 2:
116
116
    str = unicode
117
117
 
118
 
version = "1.7.16"
 
118
version = "1.8.3"
119
119
stored_state_file = "clients.pickle"
120
120
 
121
121
logger = logging.getLogger()
496
496
class AvahiServiceToSyslog(AvahiService):
497
497
    def rename(self, *args, **kwargs):
498
498
        """Add the new name to the syslog messages"""
499
 
        ret = AvahiService.rename(self, *args, **kwargs)
 
499
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
500
500
        syslogger.setFormatter(logging.Formatter(
501
501
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
502
            .format(self.name)))
514
514
    _library = ctypes.cdll.LoadLibrary(library)
515
515
    del library
516
516
    _need_version = b"3.3.0"
 
517
    _tls_rawpk_version = b"3.6.6"
517
518
 
518
519
    def __init__(self):
519
520
        # Need to use "self" here, since this method is called before
530
531
    E_INTERRUPTED = -52
531
532
    E_AGAIN = -28
532
533
    CRT_OPENPGP = 2
 
534
    CRT_RAWPK = 3
533
535
    CLIENT = 2
534
536
    SHUT_RDWR = 0
535
537
    CRD_CERTIFICATE = 1
536
538
    E_NO_CERTIFICATE_FOUND = -49
 
539
    X509_FMT_DER = 0
 
540
    NO_TICKETS = 1<<10
 
541
    ENABLE_RAWPK = 1<<18
 
542
    CTYPE_PEERS = 3
 
543
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
537
544
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
538
545
 
539
546
    # Types
593
600
    class ClientSession(object):
594
601
        def __init__(self, socket, credentials=None):
595
602
            self._c_object = gnutls.session_t()
596
 
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
 
603
            gnutls_flags = gnutls.CLIENT
 
604
            if gnutls.check_version("3.5.6"):
 
605
                gnutls_flags |= gnutls.NO_TICKETS
 
606
            if gnutls.has_rawpk:
 
607
                gnutls_flags |= gnutls.ENABLE_RAWPK
 
608
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
 
609
            del gnutls_flags
597
610
            gnutls.set_default_priority(self._c_object)
598
611
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
612
            gnutls.handshake_set_private_extensions(self._c_object,
731
744
    check_version.argtypes = [ctypes.c_char_p]
732
745
    check_version.restype = ctypes.c_char_p
733
746
 
734
 
    # All the function declarations below are from gnutls/openpgp.h
735
 
 
736
 
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
 
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
 
    openpgp_crt_init.restype = _error_code
739
 
 
740
 
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
 
    openpgp_crt_import.argtypes = [openpgp_crt_t,
742
 
                                   ctypes.POINTER(datum_t),
743
 
                                   openpgp_crt_fmt_t]
744
 
    openpgp_crt_import.restype = _error_code
745
 
 
746
 
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
 
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
 
                                        ctypes.POINTER(ctypes.c_uint)]
749
 
    openpgp_crt_verify_self.restype = _error_code
750
 
 
751
 
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
 
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
 
    openpgp_crt_deinit.restype = None
754
 
 
755
 
    openpgp_crt_get_fingerprint = (
756
 
        _library.gnutls_openpgp_crt_get_fingerprint)
757
 
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
 
                                            ctypes.c_void_p,
759
 
                                            ctypes.POINTER(
760
 
                                                ctypes.c_size_t)]
761
 
    openpgp_crt_get_fingerprint.restype = _error_code
 
747
    has_rawpk = bool(check_version(_tls_rawpk_version))
 
748
 
 
749
    if has_rawpk:
 
750
        # Types
 
751
        class pubkey_st(ctypes.Structure):
 
752
            _fields = []
 
753
        pubkey_t = ctypes.POINTER(pubkey_st)
 
754
 
 
755
        x509_crt_fmt_t = ctypes.c_int
 
756
 
 
757
        # All the function declarations below are from gnutls/abstract.h
 
758
        pubkey_init = _library.gnutls_pubkey_init
 
759
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
 
760
        pubkey_init.restype = _error_code
 
761
 
 
762
        pubkey_import = _library.gnutls_pubkey_import
 
763
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
 
764
                                  x509_crt_fmt_t]
 
765
        pubkey_import.restype = _error_code
 
766
 
 
767
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
 
768
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
 
769
                                      ctypes.POINTER(ctypes.c_ubyte),
 
770
                                      ctypes.POINTER(ctypes.c_size_t)]
 
771
        pubkey_get_key_id.restype = _error_code
 
772
 
 
773
        pubkey_deinit = _library.gnutls_pubkey_deinit
 
774
        pubkey_deinit.argtypes = [pubkey_t]
 
775
        pubkey_deinit.restype = None
 
776
    else:
 
777
        # All the function declarations below are from gnutls/openpgp.h
 
778
 
 
779
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
780
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
781
        openpgp_crt_init.restype = _error_code
 
782
 
 
783
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
784
        openpgp_crt_import.argtypes = [openpgp_crt_t,
 
785
                                       ctypes.POINTER(datum_t),
 
786
                                       openpgp_crt_fmt_t]
 
787
        openpgp_crt_import.restype = _error_code
 
788
 
 
789
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
790
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
791
                                            ctypes.POINTER(ctypes.c_uint)]
 
792
        openpgp_crt_verify_self.restype = _error_code
 
793
 
 
794
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
795
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
796
        openpgp_crt_deinit.restype = None
 
797
 
 
798
        openpgp_crt_get_fingerprint = (
 
799
            _library.gnutls_openpgp_crt_get_fingerprint)
 
800
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
801
                                                ctypes.c_void_p,
 
802
                                                ctypes.POINTER(
 
803
                                                    ctypes.c_size_t)]
 
804
        openpgp_crt_get_fingerprint.restype = _error_code
 
805
 
 
806
    if check_version("3.6.4"):
 
807
        certificate_type_get2 = _library.gnutls_certificate_type_get2
 
808
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
 
809
        certificate_type_get2.restype = _error_code
762
810
 
763
811
    # Remove non-public functions
764
812
    del _error_code, _retry_on_error
800
848
    disable_initiator_tag: a GLib event source tag, or None
801
849
    enabled:    bool()
802
850
    fingerprint: string (40 or 32 hexadecimal digits); used to
803
 
                 uniquely identify the client
 
851
                 uniquely identify an OpenPGP client
 
852
    key_id: string (64 hexadecimal digits); used to uniquely identify
 
853
            a client using raw public keys
804
854
    host:       string; available for use by the checker command
805
855
    interval:   datetime.timedelta(); How often to start a new checker
806
856
    last_approval_request: datetime.datetime(); (UTC) or None
824
874
    """
825
875
 
826
876
    runtime_expansions = ("approval_delay", "approval_duration",
827
 
                          "created", "enabled", "expires",
 
877
                          "created", "enabled", "expires", "key_id",
828
878
                          "fingerprint", "host", "interval",
829
879
                          "last_approval_request", "last_checked_ok",
830
880
                          "last_enabled", "name", "timeout")
860
910
            client["enabled"] = config.getboolean(client_name,
861
911
                                                  "enabled")
862
912
 
863
 
            # Uppercase and remove spaces from fingerprint for later
864
 
            # comparison purposes with return value from the
865
 
            # fingerprint() function
 
913
            # Uppercase and remove spaces from key_id and fingerprint
 
914
            # for later comparison purposes with return value from the
 
915
            # key_id() and fingerprint() functions
 
916
            client["key_id"] = (section.get("key_id", "").upper()
 
917
                                .replace(" ", ""))
866
918
            client["fingerprint"] = (section["fingerprint"].upper()
867
919
                                     .replace(" ", ""))
868
920
            if "secret" in section:
912
964
            self.expires = None
913
965
 
914
966
        logger.debug("Creating client %r", self.name)
 
967
        logger.debug("  Key ID: %s", self.key_id)
915
968
        logger.debug("  Fingerprint: %s", self.fingerprint)
916
969
        self.created = settings.get("created",
917
970
                                    datetime.datetime.utcnow())
1999
2052
    def Name_dbus_property(self):
2000
2053
        return dbus.String(self.name)
2001
2054
 
 
2055
    # KeyID - property
 
2056
    @dbus_annotations(
 
2057
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
 
2058
    @dbus_service_property(_interface, signature="s", access="read")
 
2059
    def KeyID_dbus_property(self):
 
2060
        return dbus.String(self.key_id)
 
2061
 
2002
2062
    # Fingerprint - property
2003
2063
    @dbus_annotations(
2004
2064
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2160
2220
 
2161
2221
 
2162
2222
class ProxyClient(object):
2163
 
    def __init__(self, child_pipe, fpr, address):
 
2223
    def __init__(self, child_pipe, key_id, fpr, address):
2164
2224
        self._pipe = child_pipe
2165
 
        self._pipe.send(('init', fpr, address))
 
2225
        self._pipe.send(('init', key_id, fpr, address))
2166
2226
        if not self._pipe.recv():
2167
 
            raise KeyError(fpr)
 
2227
            raise KeyError(key_id or fpr)
2168
2228
 
2169
2229
    def __getattribute__(self, name):
2170
2230
        if name == '_pipe':
2237
2297
 
2238
2298
            approval_required = False
2239
2299
            try:
2240
 
                try:
2241
 
                    fpr = self.fingerprint(
2242
 
                        self.peer_certificate(session))
2243
 
                except (TypeError, gnutls.Error) as error:
2244
 
                    logger.warning("Bad certificate: %s", error)
2245
 
                    return
2246
 
                logger.debug("Fingerprint: %s", fpr)
2247
 
 
2248
 
                try:
2249
 
                    client = ProxyClient(child_pipe, fpr,
 
2300
                if gnutls.has_rawpk:
 
2301
                    fpr = ""
 
2302
                    try:
 
2303
                        key_id = self.key_id(
 
2304
                            self.peer_certificate(session))
 
2305
                    except (TypeError, gnutls.Error) as error:
 
2306
                        logger.warning("Bad certificate: %s", error)
 
2307
                        return
 
2308
                    logger.debug("Key ID: %s", key_id)
 
2309
 
 
2310
                else:
 
2311
                    key_id = ""
 
2312
                    try:
 
2313
                        fpr = self.fingerprint(
 
2314
                            self.peer_certificate(session))
 
2315
                    except (TypeError, gnutls.Error) as error:
 
2316
                        logger.warning("Bad certificate: %s", error)
 
2317
                        return
 
2318
                    logger.debug("Fingerprint: %s", fpr)
 
2319
 
 
2320
                try:
 
2321
                    client = ProxyClient(child_pipe, key_id, fpr,
2250
2322
                                         self.client_address)
2251
2323
                except KeyError:
2252
2324
                    return
2329
2401
 
2330
2402
    @staticmethod
2331
2403
    def peer_certificate(session):
2332
 
        "Return the peer's OpenPGP certificate as a bytestring"
2333
 
        # If not an OpenPGP certificate...
2334
 
        if (gnutls.certificate_type_get(session._c_object)
2335
 
            != gnutls.CRT_OPENPGP):
 
2404
        "Return the peer's certificate as a bytestring"
 
2405
        try:
 
2406
            cert_type = gnutls.certificate_type_get2(session._c_object,
 
2407
                                                     gnutls.CTYPE_PEERS)
 
2408
        except AttributeError:
 
2409
            cert_type = gnutls.certificate_type_get(session._c_object)
 
2410
        if gnutls.has_rawpk:
 
2411
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
 
2412
        else:
 
2413
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
 
2414
        # If not a valid certificate type...
 
2415
        if cert_type not in valid_cert_types:
 
2416
            logger.info("Cert type %r not in %r", cert_type,
 
2417
                        valid_cert_types)
2336
2418
            # ...return invalid data
2337
2419
            return b""
2338
2420
        list_size = ctypes.c_uint(1)
2346
2428
        return ctypes.string_at(cert.data, cert.size)
2347
2429
 
2348
2430
    @staticmethod
 
2431
    def key_id(certificate):
 
2432
        "Convert a certificate bytestring to a hexdigit key ID"
 
2433
        # New GnuTLS "datum" with the public key
 
2434
        datum = gnutls.datum_t(
 
2435
            ctypes.cast(ctypes.c_char_p(certificate),
 
2436
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2437
            ctypes.c_uint(len(certificate)))
 
2438
        # XXX all these need to be created in the gnutls "module"
 
2439
        # New empty GnuTLS certificate
 
2440
        pubkey = gnutls.pubkey_t()
 
2441
        gnutls.pubkey_init(ctypes.byref(pubkey))
 
2442
        # Import the raw public key into the certificate
 
2443
        gnutls.pubkey_import(pubkey,
 
2444
                             ctypes.byref(datum),
 
2445
                             gnutls.X509_FMT_DER)
 
2446
        # New buffer for the key ID
 
2447
        buf = ctypes.create_string_buffer(32)
 
2448
        buf_len = ctypes.c_size_t(len(buf))
 
2449
        # Get the key ID from the raw public key into the buffer
 
2450
        gnutls.pubkey_get_key_id(pubkey,
 
2451
                                 gnutls.KEYID_USE_SHA256,
 
2452
                                 ctypes.cast(ctypes.byref(buf),
 
2453
                                             ctypes.POINTER(ctypes.c_ubyte)),
 
2454
                                 ctypes.byref(buf_len))
 
2455
        # Deinit the certificate
 
2456
        gnutls.pubkey_deinit(pubkey)
 
2457
 
 
2458
        # Convert the buffer to a Python bytestring
 
2459
        key_id = ctypes.string_at(buf, buf_len.value)
 
2460
        # Convert the bytestring to hexadecimal notation
 
2461
        hex_key_id = binascii.hexlify(key_id).upper()
 
2462
        return hex_key_id
 
2463
 
 
2464
    @staticmethod
2349
2465
    def fingerprint(openpgp):
2350
2466
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2467
        # New GnuTLS "datum" with the OpenPGP public key
2365
2481
                                       ctypes.byref(crtverify))
2366
2482
        if crtverify.value != 0:
2367
2483
            gnutls.openpgp_crt_deinit(crt)
2368
 
            raise gnutls.CertificateSecurityError("Verify failed")
 
2484
            raise gnutls.CertificateSecurityError(code
 
2485
                                                  =crtverify.value)
2369
2486
        # New buffer for the fingerprint
2370
2487
        buf = ctypes.create_string_buffer(20)
2371
2488
        buf_len = ctypes.c_size_t()
2578
2695
        command = request[0]
2579
2696
 
2580
2697
        if command == 'init':
2581
 
            fpr = request[1]
2582
 
            address = request[2]
 
2698
            key_id = request[1].decode("ascii")
 
2699
            fpr = request[2].decode("ascii")
 
2700
            address = request[3]
2583
2701
 
2584
2702
            for c in self.clients.values():
2585
 
                if c.fingerprint == fpr:
 
2703
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
 
2704
                    continue
 
2705
                if key_id and c.key_id == key_id:
 
2706
                    client = c
 
2707
                    break
 
2708
                if fpr and c.fingerprint == fpr:
2586
2709
                    client = c
2587
2710
                    break
2588
2711
            else:
2589
 
                logger.info("Client not found for fingerprint: %s, ad"
2590
 
                            "dress: %s", fpr, address)
 
2712
                logger.info("Client not found for key ID: %s, address"
 
2713
                            ": %s", key_id or fpr, address)
2591
2714
                if self.use_dbus:
2592
2715
                    # Emit D-Bus signal
2593
 
                    mandos_dbus_service.ClientNotFound(fpr,
 
2716
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
2717
                                                       address[0])
2595
2718
                parent_pipe.send(False)
2596
2719
                return False
2859
2982
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2983
 
2861
2984
    # Default values for config file for server-global settings
 
2985
    if gnutls.has_rawpk:
 
2986
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
 
2987
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
 
2988
    else:
 
2989
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
2990
                    ":+SIGN-DSA-SHA256")
2862
2991
    server_defaults = {"interface": "",
2863
2992
                       "address": "",
2864
2993
                       "port": "",
2865
2994
                       "debug": "False",
2866
 
                       "priority":
2867
 
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
 
                       ":+SIGN-DSA-SHA256",
 
2995
                       "priority": priority,
2869
2996
                       "servicename": "Mandos",
2870
2997
                       "use_dbus": "True",
2871
2998
                       "use_ipv6": "True",
2876
3003
                       "foreground": "False",
2877
3004
                       "zeroconf": "True",
2878
3005
                       }
 
3006
    del priority
2879
3007
 
2880
3008
    # Parse config file for server-global settings
2881
3009
    server_config = configparser.SafeConfigParser(server_defaults)
3125
3253
                        for k in ("name", "host"):
3126
3254
                            if isinstance(value[k], bytes):
3127
3255
                                value[k] = value[k].decode("utf-8")
 
3256
                        if not value.has_key("key_id"):
 
3257
                            value["key_id"] = ""
 
3258
                        elif not value.has_key("fingerprint"):
 
3259
                            value["fingerprint"] = ""
3128
3260
                    #  old_client_settings
3129
3261
                    # .keys()
3130
3262
                    old_client_settings = {
3267
3399
                pass
3268
3400
 
3269
3401
            @dbus.service.signal(_interface, signature="ss")
3270
 
            def ClientNotFound(self, fingerprint, address):
 
3402
            def ClientNotFound(self, key_id, address):
3271
3403
                "D-Bus signal"
3272
3404
                pass
3273
3405