Add support for using raw public keys in TLS (RFC 7250)
Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and no other library supports it, we have to change the protocol to use something else. We choose to use "raw public keys" (RFC 7250). Since we still use OpenPGP keys to decrypt the secret password, this means that each client will have two keys: One OpenPGP key and one TLS public/private key, and the key ID of the latter key is used to identify clients instead of the fingerprint of the OpenPGP key.
Note that this code is still compatible with GnuTLS before version 3.6.0 (when OpenPGP key support was removed). This commit merely adds support for using raw pulic keys instead with GnuTLS 3.6.6. or later.
* DBUS-API (Signals/ClientNotFound): Change name of first parameter from "Fingerprint" to "KeyID". (Mandos Client Interface/Properties/KeyID): New. * INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP key support) up until 3.6.6, when support for raw public keys was added. Also document new dependency of client on "gnutls-bin" package (for certtool). * Makefile (run-client): Depend on TLS key files, and also pass them as arguments to client. (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New. (confdir/clients.conf): Add dependency on TLS public key. (purge-client): Add removal of TLS key files. * clients.conf ([foo]/key_id, [bar]/key_id): New. * debian/control (Source: mandos/Build-Depends): Also allow libgnutls30 (>= 3.6.6) (Package: mandos/Depends): - '' - (Package: mandos/Description): Alter description to match new design. (Package: mandos-client/Description): - '' - (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to here from "Recommends". * debian/mandos-client.README.Debian: Add --tls-privkey and --tls-pubkey options to test command. * debian/mandos-client.postinst (create_key): Renamed to "create_keys" (all callers changed), and also create TLS key. * debian/mandos-client.postrm (purge): Also remove TLS key files. * intro.xml (DESCRIPTION): Describe new dual-key design. * mandos (GnuTLS): Define different functions depending on whether support for raw public keys is detected. (Client.key_id): New attribute. (ClientDBus.KeyID_dbus_property): New method. (ProxyClient.__init__): Take new "key_id" parameter. (ClientHandler.handle): Use key IDs when using raw public keys and use fingerprints when using OpenPGP keys. (ClientHandler.peer_certificate): Also handle raw public keys. (ClientHandler.key_id): New. (MandosServer.handle_ipc): Pass key ID over the pipe IPC. Also check for key ID matches when looking up clients. (main): Default GnuTLS priority string depends on whether we are using raw public keys or not. When unpickling clients, set key_id if not set in the pickle. (main/MandosDBusService.ClientNotFound): Change name of first parameter from "Fingerprint" to "KeyID". * mandos-clients.conf.xml (OPTIONS): Document new "key_id" option. (OPTIONS/secret): Mention new key ID matchning. (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option. (EXAMPLE): - '' - * mandos-ctl (tablewords, main/keywords): Add new "KeyID" property. * mandos-keygen: Create TLS key files. New "--tls-keytype" (-T) option. Alter help text to be more clear about key types. When in password mode, also output "key_id" option. * mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option. (DESCRIPTION): Alter to match new dual-key design. (OVERVIEW): - '' - (FILES): Add TLS key files. * mandos-options.xml (priority): Document new default priority string when using raw public keys. * mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID. (BUGS): Remove issue about checking expire times of OpenPGP keys, since TLS public keys do not have expiration times. (SECURITY/CLIENT): Alter description to match new design. (SEE ALSO/GnuTLS): - '' - (SEE ALSO): Add reference to RFC 7250, and alter description of when RFC 6091 is used. * overview.xml: Alter text to match new design. * plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey options to mandos-client options. * plugins.d/mandos-client.c: Use raw public keys when compiling with supporting GnuTLS versions. Add new "--tls-pubkey" and "--tls-privkey" options (which do nothing if GnuTLS library does not support raw public keys). Alter text throughout to reflect new design. Only generate new DH parameters (based on size of OpenPGP key) when using OpenPGP in TLS. Default GnuTLS priority string depends on whether we are using raw public keys or not. * plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t) and "--tls-pubkey" (-T) options. (DESCRIPTION): Describe new dual-key design. (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T) options. (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key size. (FILES): Add default locations for TLS public and private key files. (EXAMPLE): Use new --tls-pubkey and --tls-privkey options. (SECURITY): Alter wording slightly to reflect new dual-key design. (SEE ALSO/GnuTLS): Alter description to match new design. (SEE ALSO): Add reference to RFC 7250, and alter description of when RFC 6091 is used.
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
71
if grep --quiet --regexp='^[[:space:]]*key_id[[:space:]]*=[[:space:]]*[Ee]3[Bb]0[Cc]44298[Ff][Cc]1[Cc]149[Aa][Ff][Bb][Ff]4[Cc]8996[Ff][Bb]92427[Aa][Ee]41[Ee]4649[Bb]934[Cc][Aa]495991[Bb]7852[Bb]855[[:space:]]*$' /etc/mandos/clients.conf; then