To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.651
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.651
- Committer: Teddy Hogeborn
- Date: 2019-04-10 20:33:13 UTC
- mto: This revision was merged to the branch mainline in revision 384.
- Revision ID: teddy@recompile.se-20190410203313-d3ufer20hfws7i3h
Improve language in intro(8mandos) manual page
* intro.xml (INTRODUCTION): Replace "it" with "the data" to fix bad
reference, and clarify that it is the
client which continues booting.
* intro.xml (INTRODUCTION): Replace "it" with "the data" to fix bad
reference, and clarify that it is the
client which continues booting.
- files added:
- debian/mandos-client.templates
- files removed:
- initramfs-tools-hook-conf
- files modified:
- DBUS-API
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
30
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
33
#
114
115
if sys.version_info.major == 2:
115
116
str = unicode
116
117
117
version = "1.7.14"
118
version = "1.8.4"
118
119
stored_state_file = "clients.pickle"
119
120
120
121
logger = logging.getLogger()
274
275
275
276
276
277
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
280
IF_UNSPEC = -1 # avahi-common/address.h
281
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
282
PROTO_INET = 0 # avahi-common/address.h
286
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
287
DBUS_PATH_SERVER = "/"
288
288
289
def string_array_to_txt_array(self, t):
289
@staticmethod
290
def string_array_to_txt_array(t):
290
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
292
for s in t), signature="ay")
292
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
297
298
SERVER_RUNNING = 2 # avahi-common/defs.h
298
299
SERVER_COLLISION = 3 # avahi-common/defs.h
299
300
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
301
302
302
303
303
class AvahiError(Exception):
495
495
class AvahiServiceToSyslog(AvahiService):
496
496
def rename(self, *args, **kwargs):
497
497
"""Add the new name to the syslog messages"""
498
ret = AvahiService.rename(self, *args, **kwargs)
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
499
499
syslogger.setFormatter(logging.Formatter(
500
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
501
.format(self.name)))
503
503
504
504
505
505
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
509
508
510
509
library = ctypes.util.find_library("gnutls")
511
510
if library is None:
512
511
library = ctypes.util.find_library("gnutls-deb0")
513
512
_library = ctypes.cdll.LoadLibrary(library)
514
513
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
514
524
515
# Unless otherwise indicated, the constants and types below are
525
516
# all from the gnutls/gnutls.h C header file.
529
520
E_INTERRUPTED = -52
530
521
E_AGAIN = -28
531
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
532
524
CLIENT = 2
533
525
SHUT_RDWR = 0
534
526
CRD_CERTIFICATE = 1
535
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
536
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
534
538
535
# Types
561
558
562
559
# Exceptions
563
560
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
561
def __init__(self, message=None, code=None, args=()):
569
562
# Default usage is by a message string, but if a return
570
563
# code is passed, convert it to a string with
571
564
# gnutls.strerror()
572
565
self.code = code
573
566
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
576
569
message, *args)
577
570
578
571
class CertificateSecurityError(Error):
592
585
class ClientSession(object):
593
586
def __init__(self, socket, credentials=None):
594
587
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version("3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
596
595
gnutls.set_default_priority(self._c_object)
597
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
597
gnutls.handshake_set_private_extensions(self._c_object,
730
729
check_version.argtypes = [ctypes.c_char_p]
731
730
check_version.restype = ctypes.c_char_p
732
731
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version("3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
761
801
762
802
# Remove non-public functions
763
803
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
766
804
767
805
768
806
def call_pipe(connection, # : multiprocessing.Connection
799
837
disable_initiator_tag: a GLib event source tag, or None
800
838
enabled: bool()
801
839
fingerprint: string (40 or 32 hexadecimal digits); used to
802
uniquely identify the client
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
803
843
host: string; available for use by the checker command
804
844
interval: datetime.timedelta(); How often to start a new checker
805
845
last_approval_request: datetime.datetime(); (UTC) or None
823
863
"""
824
864
825
865
runtime_expansions = ("approval_delay", "approval_duration",
826
"created", "enabled", "expires",
866
"created", "enabled", "expires", "key_id",
827
867
"fingerprint", "host", "interval",
828
868
"last_approval_request", "last_checked_ok",
829
869
"last_enabled", "name", "timeout")
859
899
client["enabled"] = config.getboolean(client_name,
860
900
"enabled")
861
901
862
# Uppercase and remove spaces from fingerprint for later
863
# comparison purposes with return value from the
864
# fingerprint() function
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
865
907
client["fingerprint"] = (section["fingerprint"].upper()
866
908
.replace(" ", ""))
867
909
if "secret" in section:
911
953
self.expires = None
912
954
913
955
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
914
957
logger.debug(" Fingerprint: %s", self.fingerprint)
915
958
self.created = settings.get("created",
916
959
datetime.datetime.utcnow())
1998
2041
def Name_dbus_property(self):
1999
2042
return dbus.String(self.name)
2000
2043
2044
# KeyID - property
2045
@dbus_annotations(
2046
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2047
@dbus_service_property(_interface, signature="s", access="read")
2048
def KeyID_dbus_property(self):
2049
return dbus.String(self.key_id)
2050
2001
2051
# Fingerprint - property
2002
2052
@dbus_annotations(
2003
2053
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2159
2209
2160
2210
2161
2211
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2212
def __init__(self, child_pipe, key_id, fpr, address):
2163
2213
self._pipe = child_pipe
2164
self._pipe.send(('init', fpr, address))
2214
self._pipe.send(('init', key_id, fpr, address))
2165
2215
if not self._pipe.recv():
2166
raise KeyError(fpr)
2216
raise KeyError(key_id or fpr)
2167
2217
2168
2218
def __getattribute__(self, name):
2169
2219
if name == '_pipe':
2236
2286
2237
2287
approval_required = False
2238
2288
try:
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2289
if gnutls.has_rawpk:
2290
fpr = ""
2291
try:
2292
key_id = self.key_id(
2293
self.peer_certificate(session))
2294
except (TypeError, gnutls.Error) as error:
2295
logger.warning("Bad certificate: %s", error)
2296
return
2297
logger.debug("Key ID: %s", key_id)
2298
2299
else:
2300
key_id = ""
2301
try:
2302
fpr = self.fingerprint(
2303
self.peer_certificate(session))
2304
except (TypeError, gnutls.Error) as error:
2305
logger.warning("Bad certificate: %s", error)
2306
return
2307
logger.debug("Fingerprint: %s", fpr)
2308
2309
try:
2310
client = ProxyClient(child_pipe, key_id, fpr,
2249
2311
self.client_address)
2250
2312
except KeyError:
2251
2313
return
2328
2390
2329
2391
@staticmethod
2330
2392
def peer_certificate(session):
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2393
"Return the peer's certificate as a bytestring"
2394
try:
2395
cert_type = gnutls.certificate_type_get2(session._c_object,
2396
gnutls.CTYPE_PEERS)
2397
except AttributeError:
2398
cert_type = gnutls.certificate_type_get(session._c_object)
2399
if gnutls.has_rawpk:
2400
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2401
else:
2402
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
# If not a valid certificate type...
2404
if cert_type not in valid_cert_types:
2405
logger.info("Cert type %r not in %r", cert_type,
2406
valid_cert_types)
2335
2407
# ...return invalid data
2336
2408
return b""
2337
2409
list_size = ctypes.c_uint(1)
2345
2417
return ctypes.string_at(cert.data, cert.size)
2346
2418
2347
2419
@staticmethod
2420
def key_id(certificate):
2421
"Convert a certificate bytestring to a hexdigit key ID"
2422
# New GnuTLS "datum" with the public key
2423
datum = gnutls.datum_t(
2424
ctypes.cast(ctypes.c_char_p(certificate),
2425
ctypes.POINTER(ctypes.c_ubyte)),
2426
ctypes.c_uint(len(certificate)))
2427
# XXX all these need to be created in the gnutls "module"
2428
# New empty GnuTLS certificate
2429
pubkey = gnutls.pubkey_t()
2430
gnutls.pubkey_init(ctypes.byref(pubkey))
2431
# Import the raw public key into the certificate
2432
gnutls.pubkey_import(pubkey,
2433
ctypes.byref(datum),
2434
gnutls.X509_FMT_DER)
2435
# New buffer for the key ID
2436
buf = ctypes.create_string_buffer(32)
2437
buf_len = ctypes.c_size_t(len(buf))
2438
# Get the key ID from the raw public key into the buffer
2439
gnutls.pubkey_get_key_id(pubkey,
2440
gnutls.KEYID_USE_SHA256,
2441
ctypes.cast(ctypes.byref(buf),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.byref(buf_len))
2444
# Deinit the certificate
2445
gnutls.pubkey_deinit(pubkey)
2446
2447
# Convert the buffer to a Python bytestring
2448
key_id = ctypes.string_at(buf, buf_len.value)
2449
# Convert the bytestring to hexadecimal notation
2450
hex_key_id = binascii.hexlify(key_id).upper()
2451
return hex_key_id
2452
2453
@staticmethod
2348
2454
def fingerprint(openpgp):
2349
2455
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2350
2456
# New GnuTLS "datum" with the OpenPGP public key
2364
2470
ctypes.byref(crtverify))
2365
2471
if crtverify.value != 0:
2366
2472
gnutls.openpgp_crt_deinit(crt)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2473
raise gnutls.CertificateSecurityError(code
2474
=crtverify.value)
2368
2475
# New buffer for the fingerprint
2369
2476
buf = ctypes.create_string_buffer(20)
2370
2477
buf_len = ctypes.c_size_t()
2577
2684
command = request[0]
2578
2685
2579
2686
if command == 'init':
2580
fpr = request[1]
2581
address = request[2]
2687
key_id = request[1].decode("ascii")
2688
fpr = request[2].decode("ascii")
2689
address = request[3]
2582
2690
2583
2691
for c in self.clients.values():
2584
if c.fingerprint == fpr:
2692
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2693
continue
2694
if key_id and c.key_id == key_id:
2695
client = c
2696
break
2697
if fpr and c.fingerprint == fpr:
2585
2698
client = c
2586
2699
break
2587
2700
else:
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2701
logger.info("Client not found for key ID: %s, address"
2702
": %s", key_id or fpr, address)
2590
2703
if self.use_dbus:
2591
2704
# Emit D-Bus signal
2592
mandos_dbus_service.ClientNotFound(fpr,
2705
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2706
address[0])
2594
2707
parent_pipe.send(False)
2595
2708
return False
2858
2971
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2972
2860
2973
# Default values for config file for server-global settings
2974
if gnutls.has_rawpk:
2975
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2976
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2977
else:
2978
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2979
":+SIGN-DSA-SHA256")
2861
2980
server_defaults = {"interface": "",
2862
2981
"address": "",
2863
2982
"port": "",
2864
2983
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
2984
"priority": priority,
2868
2985
"servicename": "Mandos",
2869
2986
"use_dbus": "True",
2870
2987
"use_ipv6": "True",
2875
2992
"foreground": "False",
2876
2993
"zeroconf": "True",
2877
2994
}
2995
del priority
2878
2996
2879
2997
# Parse config file for server-global settings
2880
2998
server_config = configparser.SafeConfigParser(server_defaults)
2883
3001
# Convert the SafeConfigParser object to a dict
2884
3002
server_settings = server_config.defaults()
2885
3003
# Use the appropriate methods on the non-string config options
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3004
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3005
"foreground", "zeroconf"):
2887
3006
server_settings[option] = server_config.getboolean("DEFAULT",
2888
3007
option)
2889
3008
if server_settings["port"]:
3123
3242
for k in ("name", "host"):
3124
3243
if isinstance(value[k], bytes):
3125
3244
value[k] = value[k].decode("utf-8")
3245
if not value.has_key("key_id"):
3246
value["key_id"] = ""
3247
elif not value.has_key("fingerprint"):
3248
value["fingerprint"] = ""
3126
3249
# old_client_settings
3127
3250
# .keys()
3128
3251
old_client_settings = {
3265
3388
pass
3266
3389
3267
3390
@dbus.service.signal(_interface, signature="ss")
3268
def ClientNotFound(self, fingerprint, address):
3391
def ClientNotFound(self, key_id, address):
3269
3392
"D-Bus signal"
3270
3393
pass
3271
3394
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0