/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2018-02-06 20:03:50 UTC
  • Revision ID: teddy@recompile.se-20180206200350-jzvorueb731xkph3
Update Debian Debhelper compatibility version.

* (debian/compat): Change to "10".

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2019 Teddy Hogeborn
15
 
# Copyright © 2008-2019 Björn Påhlsson
 
14
# Copyright © 2008-2017 Teddy Hogeborn
 
15
# Copyright © 2008-2017 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
115
115
if sys.version_info.major == 2:
116
116
    str = unicode
117
117
 
118
 
version = "1.7.20"
 
118
version = "1.7.16"
119
119
stored_state_file = "clients.pickle"
120
120
 
121
121
logger = logging.getLogger()
496
496
class AvahiServiceToSyslog(AvahiService):
497
497
    def rename(self, *args, **kwargs):
498
498
        """Add the new name to the syslog messages"""
499
 
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
 
499
        ret = super(AvahiServiceToSyslog, self).rename(self, *args,
 
500
                                                       **kwargs)
500
501
        syslogger.setFormatter(logging.Formatter(
501
502
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
503
            .format(self.name)))
514
515
    _library = ctypes.cdll.LoadLibrary(library)
515
516
    del library
516
517
    _need_version = b"3.3.0"
517
 
    _tls_rawpk_version = b"3.6.6"
518
518
 
519
519
    def __init__(self):
520
520
        # Need to use "self" here, since this method is called before
531
531
    E_INTERRUPTED = -52
532
532
    E_AGAIN = -28
533
533
    CRT_OPENPGP = 2
534
 
    CRT_RAWPK = 3
535
534
    CLIENT = 2
536
535
    SHUT_RDWR = 0
537
536
    CRD_CERTIFICATE = 1
538
537
    E_NO_CERTIFICATE_FOUND = -49
539
 
    X509_FMT_DER = 0
540
 
    NO_TICKETS = 1<<10
541
 
    ENABLE_RAWPK = 1<<18
542
 
    CTYPE_PEERS = 3
543
 
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
544
538
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
545
539
 
546
540
    # Types
600
594
    class ClientSession(object):
601
595
        def __init__(self, socket, credentials=None):
602
596
            self._c_object = gnutls.session_t()
603
 
            gnutls_flags = gnutls.CLIENT
604
 
            if gnutls.check_version("3.5.6"):
605
 
                gnutls_flags |= gnutls.NO_TICKETS
606
 
            if gnutls.has_rawpk:
607
 
                gnutls_flags |= gnutls.ENABLE_RAWPK
608
 
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
609
 
            del gnutls_flags
 
597
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
610
598
            gnutls.set_default_priority(self._c_object)
611
599
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
600
            gnutls.handshake_set_private_extensions(self._c_object,
744
732
    check_version.argtypes = [ctypes.c_char_p]
745
733
    check_version.restype = ctypes.c_char_p
746
734
 
747
 
    has_rawpk = bool(check_version(_tls_rawpk_version))
748
 
 
749
 
    if has_rawpk:
750
 
        # Types
751
 
        class pubkey_st(ctypes.Structure):
752
 
            _fields = []
753
 
        pubkey_t = ctypes.POINTER(pubkey_st)
754
 
 
755
 
        x509_crt_fmt_t = ctypes.c_int
756
 
 
757
 
        # All the function declarations below are from gnutls/abstract.h
758
 
        pubkey_init = _library.gnutls_pubkey_init
759
 
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
 
        pubkey_init.restype = _error_code
761
 
 
762
 
        pubkey_import = _library.gnutls_pubkey_import
763
 
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
764
 
                                  x509_crt_fmt_t]
765
 
        pubkey_import.restype = _error_code
766
 
 
767
 
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
 
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
 
                                      ctypes.POINTER(ctypes.c_ubyte),
770
 
                                      ctypes.POINTER(ctypes.c_size_t)]
771
 
        pubkey_get_key_id.restype = _error_code
772
 
 
773
 
        pubkey_deinit = _library.gnutls_pubkey_deinit
774
 
        pubkey_deinit.argtypes = [pubkey_t]
775
 
        pubkey_deinit.restype = None
776
 
    else:
777
 
        # All the function declarations below are from gnutls/openpgp.h
778
 
 
779
 
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
 
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
 
        openpgp_crt_init.restype = _error_code
782
 
 
783
 
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
 
        openpgp_crt_import.argtypes = [openpgp_crt_t,
785
 
                                       ctypes.POINTER(datum_t),
786
 
                                       openpgp_crt_fmt_t]
787
 
        openpgp_crt_import.restype = _error_code
788
 
 
789
 
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
 
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
 
                                            ctypes.POINTER(ctypes.c_uint)]
792
 
        openpgp_crt_verify_self.restype = _error_code
793
 
 
794
 
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
 
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
 
        openpgp_crt_deinit.restype = None
797
 
 
798
 
        openpgp_crt_get_fingerprint = (
799
 
            _library.gnutls_openpgp_crt_get_fingerprint)
800
 
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
801
 
                                                ctypes.c_void_p,
802
 
                                                ctypes.POINTER(
803
 
                                                    ctypes.c_size_t)]
804
 
        openpgp_crt_get_fingerprint.restype = _error_code
805
 
 
806
 
    if check_version("3.6.4"):
807
 
        certificate_type_get2 = _library.gnutls_certificate_type_get2
808
 
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
 
        certificate_type_get2.restype = _error_code
 
735
    # All the function declarations below are from gnutls/openpgp.h
 
736
 
 
737
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
738
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
739
    openpgp_crt_init.restype = _error_code
 
740
 
 
741
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
742
    openpgp_crt_import.argtypes = [openpgp_crt_t,
 
743
                                   ctypes.POINTER(datum_t),
 
744
                                   openpgp_crt_fmt_t]
 
745
    openpgp_crt_import.restype = _error_code
 
746
 
 
747
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
748
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
749
                                        ctypes.POINTER(ctypes.c_uint)]
 
750
    openpgp_crt_verify_self.restype = _error_code
 
751
 
 
752
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
753
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
754
    openpgp_crt_deinit.restype = None
 
755
 
 
756
    openpgp_crt_get_fingerprint = (
 
757
        _library.gnutls_openpgp_crt_get_fingerprint)
 
758
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
759
                                            ctypes.c_void_p,
 
760
                                            ctypes.POINTER(
 
761
                                                ctypes.c_size_t)]
 
762
    openpgp_crt_get_fingerprint.restype = _error_code
810
763
 
811
764
    # Remove non-public functions
812
765
    del _error_code, _retry_on_error
848
801
    disable_initiator_tag: a GLib event source tag, or None
849
802
    enabled:    bool()
850
803
    fingerprint: string (40 or 32 hexadecimal digits); used to
851
 
                 uniquely identify an OpenPGP client
852
 
    key_id: string (64 hexadecimal digits); used to uniquely identify
853
 
            a client using raw public keys
 
804
                 uniquely identify the client
854
805
    host:       string; available for use by the checker command
855
806
    interval:   datetime.timedelta(); How often to start a new checker
856
807
    last_approval_request: datetime.datetime(); (UTC) or None
874
825
    """
875
826
 
876
827
    runtime_expansions = ("approval_delay", "approval_duration",
877
 
                          "created", "enabled", "expires", "key_id",
 
828
                          "created", "enabled", "expires",
878
829
                          "fingerprint", "host", "interval",
879
830
                          "last_approval_request", "last_checked_ok",
880
831
                          "last_enabled", "name", "timeout")
910
861
            client["enabled"] = config.getboolean(client_name,
911
862
                                                  "enabled")
912
863
 
913
 
            # Uppercase and remove spaces from key_id and fingerprint
914
 
            # for later comparison purposes with return value from the
915
 
            # key_id() and fingerprint() functions
916
 
            client["key_id"] = (section.get("key_id", "").upper()
917
 
                                .replace(" ", ""))
 
864
            # Uppercase and remove spaces from fingerprint for later
 
865
            # comparison purposes with return value from the
 
866
            # fingerprint() function
918
867
            client["fingerprint"] = (section["fingerprint"].upper()
919
868
                                     .replace(" ", ""))
920
869
            if "secret" in section:
964
913
            self.expires = None
965
914
 
966
915
        logger.debug("Creating client %r", self.name)
967
 
        logger.debug("  Key ID: %s", self.key_id)
968
916
        logger.debug("  Fingerprint: %s", self.fingerprint)
969
917
        self.created = settings.get("created",
970
918
                                    datetime.datetime.utcnow())
2052
2000
    def Name_dbus_property(self):
2053
2001
        return dbus.String(self.name)
2054
2002
 
2055
 
    # KeyID - property
2056
 
    @dbus_annotations(
2057
 
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2058
 
    @dbus_service_property(_interface, signature="s", access="read")
2059
 
    def KeyID_dbus_property(self):
2060
 
        return dbus.String(self.key_id)
2061
 
 
2062
2003
    # Fingerprint - property
2063
2004
    @dbus_annotations(
2064
2005
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2220
2161
 
2221
2162
 
2222
2163
class ProxyClient(object):
2223
 
    def __init__(self, child_pipe, key_id, fpr, address):
 
2164
    def __init__(self, child_pipe, fpr, address):
2224
2165
        self._pipe = child_pipe
2225
 
        self._pipe.send(('init', key_id, fpr, address))
 
2166
        self._pipe.send(('init', fpr, address))
2226
2167
        if not self._pipe.recv():
2227
 
            raise KeyError(key_id or fpr)
 
2168
            raise KeyError(fpr)
2228
2169
 
2229
2170
    def __getattribute__(self, name):
2230
2171
        if name == '_pipe':
2297
2238
 
2298
2239
            approval_required = False
2299
2240
            try:
2300
 
                if gnutls.has_rawpk:
2301
 
                    fpr = ""
2302
 
                    try:
2303
 
                        key_id = self.key_id(
2304
 
                            self.peer_certificate(session))
2305
 
                    except (TypeError, gnutls.Error) as error:
2306
 
                        logger.warning("Bad certificate: %s", error)
2307
 
                        return
2308
 
                    logger.debug("Key ID: %s", key_id)
2309
 
 
2310
 
                else:
2311
 
                    key_id = ""
2312
 
                    try:
2313
 
                        fpr = self.fingerprint(
2314
 
                            self.peer_certificate(session))
2315
 
                    except (TypeError, gnutls.Error) as error:
2316
 
                        logger.warning("Bad certificate: %s", error)
2317
 
                        return
2318
 
                    logger.debug("Fingerprint: %s", fpr)
2319
 
 
2320
 
                try:
2321
 
                    client = ProxyClient(child_pipe, key_id, fpr,
 
2241
                try:
 
2242
                    fpr = self.fingerprint(
 
2243
                        self.peer_certificate(session))
 
2244
                except (TypeError, gnutls.Error) as error:
 
2245
                    logger.warning("Bad certificate: %s", error)
 
2246
                    return
 
2247
                logger.debug("Fingerprint: %s", fpr)
 
2248
 
 
2249
                try:
 
2250
                    client = ProxyClient(child_pipe, fpr,
2322
2251
                                         self.client_address)
2323
2252
                except KeyError:
2324
2253
                    return
2401
2330
 
2402
2331
    @staticmethod
2403
2332
    def peer_certificate(session):
2404
 
        "Return the peer's certificate as a bytestring"
2405
 
        try:
2406
 
            cert_type = gnutls.certificate_type_get2(session._c_object,
2407
 
                                                     gnutls.CTYPE_PEERS)
2408
 
        except AttributeError:
2409
 
            cert_type = gnutls.certificate_type_get(session._c_object)
2410
 
        if gnutls.has_rawpk:
2411
 
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2412
 
        else:
2413
 
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
 
        # If not a valid certificate type...
2415
 
        if cert_type not in valid_cert_types:
2416
 
            logger.info("Cert type %r not in %r", cert_type,
2417
 
                        valid_cert_types)
 
2333
        "Return the peer's OpenPGP certificate as a bytestring"
 
2334
        # If not an OpenPGP certificate...
 
2335
        if (gnutls.certificate_type_get(session._c_object)
 
2336
            != gnutls.CRT_OPENPGP):
2418
2337
            # ...return invalid data
2419
2338
            return b""
2420
2339
        list_size = ctypes.c_uint(1)
2428
2347
        return ctypes.string_at(cert.data, cert.size)
2429
2348
 
2430
2349
    @staticmethod
2431
 
    def key_id(certificate):
2432
 
        "Convert a certificate bytestring to a hexdigit key ID"
2433
 
        # New GnuTLS "datum" with the public key
2434
 
        datum = gnutls.datum_t(
2435
 
            ctypes.cast(ctypes.c_char_p(certificate),
2436
 
                        ctypes.POINTER(ctypes.c_ubyte)),
2437
 
            ctypes.c_uint(len(certificate)))
2438
 
        # XXX all these need to be created in the gnutls "module"
2439
 
        # New empty GnuTLS certificate
2440
 
        pubkey = gnutls.pubkey_t()
2441
 
        gnutls.pubkey_init(ctypes.byref(pubkey))
2442
 
        # Import the raw public key into the certificate
2443
 
        gnutls.pubkey_import(pubkey,
2444
 
                             ctypes.byref(datum),
2445
 
                             gnutls.X509_FMT_DER)
2446
 
        # New buffer for the key ID
2447
 
        buf = ctypes.create_string_buffer(32)
2448
 
        buf_len = ctypes.c_size_t(len(buf))
2449
 
        # Get the key ID from the raw public key into the buffer
2450
 
        gnutls.pubkey_get_key_id(pubkey,
2451
 
                                 gnutls.KEYID_USE_SHA256,
2452
 
                                 ctypes.cast(ctypes.byref(buf),
2453
 
                                             ctypes.POINTER(ctypes.c_ubyte)),
2454
 
                                 ctypes.byref(buf_len))
2455
 
        # Deinit the certificate
2456
 
        gnutls.pubkey_deinit(pubkey)
2457
 
 
2458
 
        # Convert the buffer to a Python bytestring
2459
 
        key_id = ctypes.string_at(buf, buf_len.value)
2460
 
        # Convert the bytestring to hexadecimal notation
2461
 
        hex_key_id = binascii.hexlify(key_id).upper()
2462
 
        return hex_key_id
2463
 
 
2464
 
    @staticmethod
2465
2350
    def fingerprint(openpgp):
2466
2351
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2467
2352
        # New GnuTLS "datum" with the OpenPGP public key
2481
2366
                                       ctypes.byref(crtverify))
2482
2367
        if crtverify.value != 0:
2483
2368
            gnutls.openpgp_crt_deinit(crt)
2484
 
            raise gnutls.CertificateSecurityError(code
2485
 
                                                  =crtverify.value)
 
2369
            raise gnutls.CertificateSecurityError("Verify failed")
2486
2370
        # New buffer for the fingerprint
2487
2371
        buf = ctypes.create_string_buffer(20)
2488
2372
        buf_len = ctypes.c_size_t()
2695
2579
        command = request[0]
2696
2580
 
2697
2581
        if command == 'init':
2698
 
            key_id = request[1].decode("ascii")
2699
 
            fpr = request[2].decode("ascii")
2700
 
            address = request[3]
 
2582
            fpr = request[1].decode("ascii")
 
2583
            address = request[2]
2701
2584
 
2702
2585
            for c in self.clients.values():
2703
 
                if key_id and c.key_id == key_id:
2704
 
                    client = c
2705
 
                    break
2706
 
                if fpr and c.fingerprint == fpr:
 
2586
                if c.fingerprint == fpr:
2707
2587
                    client = c
2708
2588
                    break
2709
2589
            else:
2710
 
                logger.info("Client not found for key ID: %s, address"
2711
 
                            ": %s", key_id or fpr, address)
 
2590
                logger.info("Client not found for fingerprint: %s, ad"
 
2591
                            "dress: %s", fpr, address)
2712
2592
                if self.use_dbus:
2713
2593
                    # Emit D-Bus signal
2714
 
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
 
2594
                    mandos_dbus_service.ClientNotFound(fpr,
2715
2595
                                                       address[0])
2716
2596
                parent_pipe.send(False)
2717
2597
                return False
2980
2860
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2981
2861
 
2982
2862
    # Default values for config file for server-global settings
2983
 
    if gnutls.has_rawpk:
2984
 
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2985
 
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2986
 
    else:
2987
 
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2988
 
                    ":+SIGN-DSA-SHA256")
2989
2863
    server_defaults = {"interface": "",
2990
2864
                       "address": "",
2991
2865
                       "port": "",
2992
2866
                       "debug": "False",
2993
 
                       "priority": priority,
 
2867
                       "priority":
 
2868
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
2869
                       ":+SIGN-DSA-SHA256",
2994
2870
                       "servicename": "Mandos",
2995
2871
                       "use_dbus": "True",
2996
2872
                       "use_ipv6": "True",
3001
2877
                       "foreground": "False",
3002
2878
                       "zeroconf": "True",
3003
2879
                       }
3004
 
    del priority
3005
2880
 
3006
2881
    # Parse config file for server-global settings
3007
2882
    server_config = configparser.SafeConfigParser(server_defaults)
3251
3126
                        for k in ("name", "host"):
3252
3127
                            if isinstance(value[k], bytes):
3253
3128
                                value[k] = value[k].decode("utf-8")
3254
 
                        if not value.has_key("key_id"):
3255
 
                            value["key_id"] = ""
3256
 
                        elif not value.has_key("fingerprint"):
3257
 
                            value["fingerprint"] = ""
3258
3129
                    #  old_client_settings
3259
3130
                    # .keys()
3260
3131
                    old_client_settings = {
3397
3268
                pass
3398
3269
 
3399
3270
            @dbus.service.signal(_interface, signature="ss")
3400
 
            def ClientNotFound(self, key_id, address):
 
3271
            def ClientNotFound(self, fingerprint, address):
3401
3272
                "D-Bus signal"
3402
3273
                pass
3403
3274