/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2019-07-27 10:11:45 UTC
  • Revision ID: teddy@recompile.se-20190727101145-jnpbpf8220gldbcd
Add dracut(8) support

Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.

* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
                                                   alternative to
                                                   initramfs-tools,
                                                   and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
  (CPROGS): Add "dracut-module/password-agent".
  (DOCS): Add "dracut-module/password-agent.8mandos".
  (dracut-module/password-agent.8mandos): New.
  (dracut-module/password-agent.8mandos.xhtml): - '' -
  (dracut-module/password-agent): - '' -
  (check): Add command to run tests of password-agent(8mandos).
  (install-client-nokey): Also install the dracut module directory,
                          its files, and the password-agent(8mandos)
                          manual page.
  (install-client): To update the initramfs image file, run
                    update-initramfs or dracut depending on what is
                    installed.
  (uninstall-client): - '' - and also uninstall the the files in the
                      dracut module directory, that directory itself,
                      and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
  (Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
                                    alternative dependency to
                                    initramfs-tools.
  (Package: mandos-client/Conflicts): New; set to
                                      "dracut-config-generic".
  (debian/mandos-client.README.Debian): Document alternative commands
                                        to update the initramfs image
                                        for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
                                                    commands to update
                                                    the initramfs
                                                    image for when
                                                    dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
                                                              new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
                    Also be more flexible and try hard to detect where
                    compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
                                          mandos-client binary might
                                          not always be setuid, but
                                          that the program assumes
                                          that it has been started
                                          that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
  (conflict_detection): First try to detect the new PID file of
                        plymouth.
  (main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
  (DESCRIPTION): Describe new behavior of looking for plymouth PID
                 file.
  (OPTIONS): Document new "--prompt" option.
  (ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the CRYPTTAB_SOURCE and
                 CRYPTTAB_NAME comes from, since this can now be
                 either initramfs-tools or dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
              to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
  (debug): New global flag.
  (fprintf_plus): New function, used for debug output.
  (exec_and_wait): Add extra "const" to "argv" argument.
  (main): Define and use new "prompt" variable.  Add debug output.
  (main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
  (OPTIONS): Document new options.
  (ENVIRONMENT): Clarify that the cryptsource and crypttarget
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the cryptsource and crypttarget
                 comes from, since this can now be either
                 initramfs-tools or dracut.
  (EXAMPLE): Add an example using an option.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2016 Teddy Hogeborn
15
 
# Copyright © 2008-2016 Björn Påhlsson
16
 
#
17
 
# This program is free software: you can redistribute it and/or modify
18
 
# it under the terms of the GNU General Public License as published by
 
14
# Copyright © 2008-2019 Teddy Hogeborn
 
15
# Copyright © 2008-2019 Björn Påhlsson
 
16
#
 
17
# This file is part of Mandos.
 
18
#
 
19
# Mandos is free software: you can redistribute it and/or modify it
 
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
 
#     This program is distributed in the hope that it will be useful,
23
 
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
 
24
#     Mandos is distributed in the hope that it will be useful, but
 
25
#     WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
25
27
#     GNU General Public License for more details.
26
28
#
27
29
# You should have received a copy of the GNU General Public License
28
 
# along with this program.  If not, see
29
 
# <http://www.gnu.org/licenses/>.
 
30
# along with Mandos.  If not, see <http://www.gnu.org/licenses/>.
30
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
33
#
114
115
if sys.version_info.major == 2:
115
116
    str = unicode
116
117
 
117
 
version = "1.7.10"
 
118
version = "1.8.4"
118
119
stored_state_file = "clients.pickle"
119
120
 
120
121
logger = logging.getLogger()
274
275
 
275
276
 
276
277
# Pretend that we have an Avahi module
277
 
class Avahi(object):
278
 
    """This isn't so much a class as it is a module-like namespace.
279
 
    It is instantiated once, and simulates having an Avahi module."""
 
278
class avahi(object):
 
279
    """This isn't so much a class as it is a module-like namespace."""
280
280
    IF_UNSPEC = -1               # avahi-common/address.h
281
281
    PROTO_UNSPEC = -1            # avahi-common/address.h
282
282
    PROTO_INET = 0               # avahi-common/address.h
286
286
    DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
287
    DBUS_PATH_SERVER = "/"
288
288
 
289
 
    def string_array_to_txt_array(self, t):
 
289
    @staticmethod
 
290
    def string_array_to_txt_array(t):
290
291
        return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
292
                           for s in t), signature="ay")
292
293
    ENTRY_GROUP_ESTABLISHED = 2  # avahi-common/defs.h
297
298
    SERVER_RUNNING = 2           # avahi-common/defs.h
298
299
    SERVER_COLLISION = 3         # avahi-common/defs.h
299
300
    SERVER_FAILURE = 4           # avahi-common/defs.h
300
 
avahi = Avahi()
301
301
 
302
302
 
303
303
class AvahiError(Exception):
495
495
class AvahiServiceToSyslog(AvahiService):
496
496
    def rename(self, *args, **kwargs):
497
497
        """Add the new name to the syslog messages"""
498
 
        ret = AvahiService.rename(self, *args, **kwargs)
 
498
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
499
499
        syslogger.setFormatter(logging.Formatter(
500
500
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
501
            .format(self.name)))
503
503
 
504
504
 
505
505
# Pretend that we have a GnuTLS module
506
 
class GnuTLS(object):
507
 
    """This isn't so much a class as it is a module-like namespace.
508
 
    It is instantiated once, and simulates having a GnuTLS module."""
 
506
class gnutls(object):
 
507
    """This isn't so much a class as it is a module-like namespace."""
509
508
 
510
509
    library = ctypes.util.find_library("gnutls")
511
510
    if library is None:
512
511
        library = ctypes.util.find_library("gnutls-deb0")
513
512
    _library = ctypes.cdll.LoadLibrary(library)
514
513
    del library
515
 
    _need_version = b"3.3.0"
516
 
 
517
 
    def __init__(self):
518
 
        # Need to use class name "GnuTLS" here, since this method is
519
 
        # called before the assignment to the "gnutls" global variable
520
 
        # happens.
521
 
        if GnuTLS.check_version(self._need_version) is None:
522
 
            raise GnuTLS.Error("Needs GnuTLS {} or later"
523
 
                               .format(self._need_version))
524
514
 
525
515
    # Unless otherwise indicated, the constants and types below are
526
516
    # all from the gnutls/gnutls.h C header file.
530
520
    E_INTERRUPTED = -52
531
521
    E_AGAIN = -28
532
522
    CRT_OPENPGP = 2
 
523
    CRT_RAWPK = 3
533
524
    CLIENT = 2
534
525
    SHUT_RDWR = 0
535
526
    CRD_CERTIFICATE = 1
536
527
    E_NO_CERTIFICATE_FOUND = -49
 
528
    X509_FMT_DER = 0
 
529
    NO_TICKETS = 1<<10
 
530
    ENABLE_RAWPK = 1<<18
 
531
    CTYPE_PEERS = 3
 
532
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
537
533
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
538
534
 
539
535
    # Types
562
558
 
563
559
    # Exceptions
564
560
    class Error(Exception):
565
 
        # We need to use the class name "GnuTLS" here, since this
566
 
        # exception might be raised from within GnuTLS.__init__,
567
 
        # which is called before the assignment to the "gnutls"
568
 
        # global variable has happened.
569
561
        def __init__(self, message=None, code=None, args=()):
570
562
            # Default usage is by a message string, but if a return
571
563
            # code is passed, convert it to a string with
572
564
            # gnutls.strerror()
573
565
            self.code = code
574
566
            if message is None and code is not None:
575
 
                message = GnuTLS.strerror(code)
576
 
            return super(GnuTLS.Error, self).__init__(
 
567
                message = gnutls.strerror(code)
 
568
            return super(gnutls.Error, self).__init__(
577
569
                message, *args)
578
570
 
579
571
    class CertificateSecurityError(Error):
593
585
    class ClientSession(object):
594
586
        def __init__(self, socket, credentials=None):
595
587
            self._c_object = gnutls.session_t()
596
 
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
 
588
            gnutls_flags = gnutls.CLIENT
 
589
            if gnutls.check_version("3.5.6"):
 
590
                gnutls_flags |= gnutls.NO_TICKETS
 
591
            if gnutls.has_rawpk:
 
592
                gnutls_flags |= gnutls.ENABLE_RAWPK
 
593
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
 
594
            del gnutls_flags
597
595
            gnutls.set_default_priority(self._c_object)
598
596
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
597
            gnutls.handshake_set_private_extensions(self._c_object,
731
729
    check_version.argtypes = [ctypes.c_char_p]
732
730
    check_version.restype = ctypes.c_char_p
733
731
 
734
 
    # All the function declarations below are from gnutls/openpgp.h
735
 
 
736
 
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
 
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
 
    openpgp_crt_init.restype = _error_code
739
 
 
740
 
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
 
    openpgp_crt_import.argtypes = [openpgp_crt_t,
742
 
                                   ctypes.POINTER(datum_t),
743
 
                                   openpgp_crt_fmt_t]
744
 
    openpgp_crt_import.restype = _error_code
745
 
 
746
 
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
 
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
 
                                        ctypes.POINTER(ctypes.c_uint)]
749
 
    openpgp_crt_verify_self.restype = _error_code
750
 
 
751
 
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
 
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
 
    openpgp_crt_deinit.restype = None
754
 
 
755
 
    openpgp_crt_get_fingerprint = (
756
 
        _library.gnutls_openpgp_crt_get_fingerprint)
757
 
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
 
                                            ctypes.c_void_p,
759
 
                                            ctypes.POINTER(
760
 
                                                ctypes.c_size_t)]
761
 
    openpgp_crt_get_fingerprint.restype = _error_code
 
732
    _need_version = b"3.3.0"
 
733
    if check_version(_need_version) is None:
 
734
        raise self.Error("Needs GnuTLS {} or later"
 
735
                         .format(_need_version))
 
736
 
 
737
    _tls_rawpk_version = b"3.6.6"
 
738
    has_rawpk = bool(check_version(_tls_rawpk_version))
 
739
 
 
740
    if has_rawpk:
 
741
        # Types
 
742
        class pubkey_st(ctypes.Structure):
 
743
            _fields = []
 
744
        pubkey_t = ctypes.POINTER(pubkey_st)
 
745
 
 
746
        x509_crt_fmt_t = ctypes.c_int
 
747
 
 
748
        # All the function declarations below are from gnutls/abstract.h
 
749
        pubkey_init = _library.gnutls_pubkey_init
 
750
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
 
751
        pubkey_init.restype = _error_code
 
752
 
 
753
        pubkey_import = _library.gnutls_pubkey_import
 
754
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
 
755
                                  x509_crt_fmt_t]
 
756
        pubkey_import.restype = _error_code
 
757
 
 
758
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
 
759
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
 
760
                                      ctypes.POINTER(ctypes.c_ubyte),
 
761
                                      ctypes.POINTER(ctypes.c_size_t)]
 
762
        pubkey_get_key_id.restype = _error_code
 
763
 
 
764
        pubkey_deinit = _library.gnutls_pubkey_deinit
 
765
        pubkey_deinit.argtypes = [pubkey_t]
 
766
        pubkey_deinit.restype = None
 
767
    else:
 
768
        # All the function declarations below are from gnutls/openpgp.h
 
769
 
 
770
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
771
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
772
        openpgp_crt_init.restype = _error_code
 
773
 
 
774
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
775
        openpgp_crt_import.argtypes = [openpgp_crt_t,
 
776
                                       ctypes.POINTER(datum_t),
 
777
                                       openpgp_crt_fmt_t]
 
778
        openpgp_crt_import.restype = _error_code
 
779
 
 
780
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
781
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
782
                                            ctypes.POINTER(ctypes.c_uint)]
 
783
        openpgp_crt_verify_self.restype = _error_code
 
784
 
 
785
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
786
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
787
        openpgp_crt_deinit.restype = None
 
788
 
 
789
        openpgp_crt_get_fingerprint = (
 
790
            _library.gnutls_openpgp_crt_get_fingerprint)
 
791
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
792
                                                ctypes.c_void_p,
 
793
                                                ctypes.POINTER(
 
794
                                                    ctypes.c_size_t)]
 
795
        openpgp_crt_get_fingerprint.restype = _error_code
 
796
 
 
797
    if check_version("3.6.4"):
 
798
        certificate_type_get2 = _library.gnutls_certificate_type_get2
 
799
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
 
800
        certificate_type_get2.restype = _error_code
762
801
 
763
802
    # Remove non-public functions
764
803
    del _error_code, _retry_on_error
765
 
# Create the global "gnutls" object, simulating a module
766
 
gnutls = GnuTLS()
767
804
 
768
805
 
769
806
def call_pipe(connection,       # : multiprocessing.Connection
800
837
    disable_initiator_tag: a GLib event source tag, or None
801
838
    enabled:    bool()
802
839
    fingerprint: string (40 or 32 hexadecimal digits); used to
803
 
                 uniquely identify the client
 
840
                 uniquely identify an OpenPGP client
 
841
    key_id: string (64 hexadecimal digits); used to uniquely identify
 
842
            a client using raw public keys
804
843
    host:       string; available for use by the checker command
805
844
    interval:   datetime.timedelta(); How often to start a new checker
806
845
    last_approval_request: datetime.datetime(); (UTC) or None
824
863
    """
825
864
 
826
865
    runtime_expansions = ("approval_delay", "approval_duration",
827
 
                          "created", "enabled", "expires",
 
866
                          "created", "enabled", "expires", "key_id",
828
867
                          "fingerprint", "host", "interval",
829
868
                          "last_approval_request", "last_checked_ok",
830
869
                          "last_enabled", "name", "timeout")
860
899
            client["enabled"] = config.getboolean(client_name,
861
900
                                                  "enabled")
862
901
 
863
 
            # Uppercase and remove spaces from fingerprint for later
864
 
            # comparison purposes with return value from the
865
 
            # fingerprint() function
 
902
            # Uppercase and remove spaces from key_id and fingerprint
 
903
            # for later comparison purposes with return value from the
 
904
            # key_id() and fingerprint() functions
 
905
            client["key_id"] = (section.get("key_id", "").upper()
 
906
                                .replace(" ", ""))
866
907
            client["fingerprint"] = (section["fingerprint"].upper()
867
908
                                     .replace(" ", ""))
868
909
            if "secret" in section:
912
953
            self.expires = None
913
954
 
914
955
        logger.debug("Creating client %r", self.name)
 
956
        logger.debug("  Key ID: %s", self.key_id)
915
957
        logger.debug("  Fingerprint: %s", self.fingerprint)
916
958
        self.created = settings.get("created",
917
959
                                    datetime.datetime.utcnow())
1461
1503
                         exc_info=error)
1462
1504
        return xmlstring
1463
1505
 
 
1506
 
1464
1507
try:
1465
1508
    dbus.OBJECT_MANAGER_IFACE
1466
1509
except AttributeError:
1998
2041
    def Name_dbus_property(self):
1999
2042
        return dbus.String(self.name)
2000
2043
 
 
2044
    # KeyID - property
 
2045
    @dbus_annotations(
 
2046
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
 
2047
    @dbus_service_property(_interface, signature="s", access="read")
 
2048
    def KeyID_dbus_property(self):
 
2049
        return dbus.String(self.key_id)
 
2050
 
2001
2051
    # Fingerprint - property
2002
2052
    @dbus_annotations(
2003
2053
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2159
2209
 
2160
2210
 
2161
2211
class ProxyClient(object):
2162
 
    def __init__(self, child_pipe, fpr, address):
 
2212
    def __init__(self, child_pipe, key_id, fpr, address):
2163
2213
        self._pipe = child_pipe
2164
 
        self._pipe.send(('init', fpr, address))
 
2214
        self._pipe.send(('init', key_id, fpr, address))
2165
2215
        if not self._pipe.recv():
2166
 
            raise KeyError(fpr)
 
2216
            raise KeyError(key_id or fpr)
2167
2217
 
2168
2218
    def __getattribute__(self, name):
2169
2219
        if name == '_pipe':
2236
2286
 
2237
2287
            approval_required = False
2238
2288
            try:
2239
 
                try:
2240
 
                    fpr = self.fingerprint(
2241
 
                        self.peer_certificate(session))
2242
 
                except (TypeError, gnutls.Error) as error:
2243
 
                    logger.warning("Bad certificate: %s", error)
2244
 
                    return
2245
 
                logger.debug("Fingerprint: %s", fpr)
2246
 
 
2247
 
                try:
2248
 
                    client = ProxyClient(child_pipe, fpr,
 
2289
                if gnutls.has_rawpk:
 
2290
                    fpr = ""
 
2291
                    try:
 
2292
                        key_id = self.key_id(
 
2293
                            self.peer_certificate(session))
 
2294
                    except (TypeError, gnutls.Error) as error:
 
2295
                        logger.warning("Bad certificate: %s", error)
 
2296
                        return
 
2297
                    logger.debug("Key ID: %s", key_id)
 
2298
 
 
2299
                else:
 
2300
                    key_id = ""
 
2301
                    try:
 
2302
                        fpr = self.fingerprint(
 
2303
                            self.peer_certificate(session))
 
2304
                    except (TypeError, gnutls.Error) as error:
 
2305
                        logger.warning("Bad certificate: %s", error)
 
2306
                        return
 
2307
                    logger.debug("Fingerprint: %s", fpr)
 
2308
 
 
2309
                try:
 
2310
                    client = ProxyClient(child_pipe, key_id, fpr,
2249
2311
                                         self.client_address)
2250
2312
                except KeyError:
2251
2313
                    return
2328
2390
 
2329
2391
    @staticmethod
2330
2392
    def peer_certificate(session):
2331
 
        "Return the peer's OpenPGP certificate as a bytestring"
2332
 
        # If not an OpenPGP certificate...
2333
 
        if (gnutls.certificate_type_get(session._c_object)
2334
 
            != gnutls.CRT_OPENPGP):
 
2393
        "Return the peer's certificate as a bytestring"
 
2394
        try:
 
2395
            cert_type = gnutls.certificate_type_get2(session._c_object,
 
2396
                                                     gnutls.CTYPE_PEERS)
 
2397
        except AttributeError:
 
2398
            cert_type = gnutls.certificate_type_get(session._c_object)
 
2399
        if gnutls.has_rawpk:
 
2400
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
 
2401
        else:
 
2402
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
 
2403
        # If not a valid certificate type...
 
2404
        if cert_type not in valid_cert_types:
 
2405
            logger.info("Cert type %r not in %r", cert_type,
 
2406
                        valid_cert_types)
2335
2407
            # ...return invalid data
2336
2408
            return b""
2337
2409
        list_size = ctypes.c_uint(1)
2345
2417
        return ctypes.string_at(cert.data, cert.size)
2346
2418
 
2347
2419
    @staticmethod
 
2420
    def key_id(certificate):
 
2421
        "Convert a certificate bytestring to a hexdigit key ID"
 
2422
        # New GnuTLS "datum" with the public key
 
2423
        datum = gnutls.datum_t(
 
2424
            ctypes.cast(ctypes.c_char_p(certificate),
 
2425
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2426
            ctypes.c_uint(len(certificate)))
 
2427
        # XXX all these need to be created in the gnutls "module"
 
2428
        # New empty GnuTLS certificate
 
2429
        pubkey = gnutls.pubkey_t()
 
2430
        gnutls.pubkey_init(ctypes.byref(pubkey))
 
2431
        # Import the raw public key into the certificate
 
2432
        gnutls.pubkey_import(pubkey,
 
2433
                             ctypes.byref(datum),
 
2434
                             gnutls.X509_FMT_DER)
 
2435
        # New buffer for the key ID
 
2436
        buf = ctypes.create_string_buffer(32)
 
2437
        buf_len = ctypes.c_size_t(len(buf))
 
2438
        # Get the key ID from the raw public key into the buffer
 
2439
        gnutls.pubkey_get_key_id(pubkey,
 
2440
                                 gnutls.KEYID_USE_SHA256,
 
2441
                                 ctypes.cast(ctypes.byref(buf),
 
2442
                                             ctypes.POINTER(ctypes.c_ubyte)),
 
2443
                                 ctypes.byref(buf_len))
 
2444
        # Deinit the certificate
 
2445
        gnutls.pubkey_deinit(pubkey)
 
2446
 
 
2447
        # Convert the buffer to a Python bytestring
 
2448
        key_id = ctypes.string_at(buf, buf_len.value)
 
2449
        # Convert the bytestring to hexadecimal notation
 
2450
        hex_key_id = binascii.hexlify(key_id).upper()
 
2451
        return hex_key_id
 
2452
 
 
2453
    @staticmethod
2348
2454
    def fingerprint(openpgp):
2349
2455
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2350
2456
        # New GnuTLS "datum" with the OpenPGP public key
2364
2470
                                       ctypes.byref(crtverify))
2365
2471
        if crtverify.value != 0:
2366
2472
            gnutls.openpgp_crt_deinit(crt)
2367
 
            raise gnutls.CertificateSecurityError("Verify failed")
 
2473
            raise gnutls.CertificateSecurityError(code
 
2474
                                                  =crtverify.value)
2368
2475
        # New buffer for the fingerprint
2369
2476
        buf = ctypes.create_string_buffer(20)
2370
2477
        buf_len = ctypes.c_size_t()
2498
2605
                    raise
2499
2606
        # Only bind(2) the socket if we really need to.
2500
2607
        if self.server_address[0] or self.server_address[1]:
 
2608
            if self.server_address[1]:
 
2609
                self.allow_reuse_address = True
2501
2610
            if not self.server_address[0]:
2502
2611
                if self.address_family == socket.AF_INET6:
2503
2612
                    any_address = "::"  # in6addr_any
2577
2686
        command = request[0]
2578
2687
 
2579
2688
        if command == 'init':
2580
 
            fpr = request[1]
2581
 
            address = request[2]
 
2689
            key_id = request[1].decode("ascii")
 
2690
            fpr = request[2].decode("ascii")
 
2691
            address = request[3]
2582
2692
 
2583
2693
            for c in self.clients.values():
2584
 
                if c.fingerprint == fpr:
 
2694
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
 
2695
                    continue
 
2696
                if key_id and c.key_id == key_id:
 
2697
                    client = c
 
2698
                    break
 
2699
                if fpr and c.fingerprint == fpr:
2585
2700
                    client = c
2586
2701
                    break
2587
2702
            else:
2588
 
                logger.info("Client not found for fingerprint: %s, ad"
2589
 
                            "dress: %s", fpr, address)
 
2703
                logger.info("Client not found for key ID: %s, address"
 
2704
                            ": %s", key_id or fpr, address)
2590
2705
                if self.use_dbus:
2591
2706
                    # Emit D-Bus signal
2592
 
                    mandos_dbus_service.ClientNotFound(fpr,
 
2707
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2708
                                                       address[0])
2594
2709
                parent_pipe.send(False)
2595
2710
                return False
2858
2973
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2974
 
2860
2975
    # Default values for config file for server-global settings
 
2976
    if gnutls.has_rawpk:
 
2977
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
 
2978
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
 
2979
    else:
 
2980
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
2981
                    ":+SIGN-DSA-SHA256")
2861
2982
    server_defaults = {"interface": "",
2862
2983
                       "address": "",
2863
2984
                       "port": "",
2864
2985
                       "debug": "False",
2865
 
                       "priority":
2866
 
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
 
                       ":+SIGN-DSA-SHA256",
 
2986
                       "priority": priority,
2868
2987
                       "servicename": "Mandos",
2869
2988
                       "use_dbus": "True",
2870
2989
                       "use_ipv6": "True",
2875
2994
                       "foreground": "False",
2876
2995
                       "zeroconf": "True",
2877
2996
                       }
 
2997
    del priority
2878
2998
 
2879
2999
    # Parse config file for server-global settings
2880
3000
    server_config = configparser.SafeConfigParser(server_defaults)
2883
3003
    # Convert the SafeConfigParser object to a dict
2884
3004
    server_settings = server_config.defaults()
2885
3005
    # Use the appropriate methods on the non-string config options
2886
 
    for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
 
3006
    for option in ("debug", "use_dbus", "use_ipv6", "restore",
 
3007
                   "foreground", "zeroconf"):
2887
3008
        server_settings[option] = server_config.getboolean("DEFAULT",
2888
3009
                                                           option)
2889
3010
    if server_settings["port"]:
3123
3244
                        for k in ("name", "host"):
3124
3245
                            if isinstance(value[k], bytes):
3125
3246
                                value[k] = value[k].decode("utf-8")
 
3247
                        if not value.has_key("key_id"):
 
3248
                            value["key_id"] = ""
 
3249
                        elif not value.has_key("fingerprint"):
 
3250
                            value["fingerprint"] = ""
3126
3251
                    #  old_client_settings
3127
3252
                    # .keys()
3128
3253
                    old_client_settings = {
3265
3390
                pass
3266
3391
 
3267
3392
            @dbus.service.signal(_interface, signature="ss")
3268
 
            def ClientNotFound(self, fingerprint, address):
 
3393
            def ClientNotFound(self, key_id, address):
3269
3394
                "D-Bus signal"
3270
3395
                pass
3271
3396