To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 977
- compare with another revision
- download diff
- download tarball
- view history from revision 977
- Committer: Teddy Hogeborn
- Date: 2019-02-11 06:14:29 UTC
- Revision ID: teddy@recompile.se-20190211061429-n6n5zk29iatshlb3
Fix Debian package dependencies
* debian/control (Build-Depends): Changed GnuTLS dependencies to
"libgnutls30 (>= 3.3.0),
libgnutls28-dev (>= 3.6.6) |
libgnutls28-dev (<< 3.6.0)". (We
can't depend on the virtual package
"gnutls-dev", since we need the
version restrictions.)
(Package: mandos/Depends): Remove dependency on libgnutls28-dev
package.
(Package: mandos/Suggests): New; set to "libc6-dev,
c-compiler". (Used to find value of
"SO_BINDTODEVICE").
(Package: mandos-client/Depends): Don't depend on openssl anymore;
instead depend on either a
gnutls-bin (>= 3.6.6) (in which
case TLS key generation will
work), or on libgnutls30 (<<
3.6.0) (in which case TLS key
generation will not be needed).
* debian/control (Build-Depends): Changed GnuTLS dependencies to
"libgnutls30 (>= 3.3.0),
libgnutls28-dev (>= 3.6.6) |
libgnutls28-dev (<< 3.6.0)". (We
can't depend on the virtual package
"gnutls-dev", since we need the
version restrictions.)
(Package: mandos/Depends): Remove dependency on libgnutls28-dev
package.
(Package: mandos/Suggests): New; set to "libc6-dev,
c-compiler". (Used to find value of
"SO_BINDTODEVICE").
(Package: mandos-client/Depends): Don't depend on openssl anymore;
instead depend on either a
gnutls-bin (>= 3.6.6) (in which
case TLS key generation will
work), or on libgnutls30 (<<
3.6.0) (in which case TLS key
generation will not be needed).
- files added:
- debian/mandos-client.templates
- files removed:
- initramfs-tools-hook-conf
- files modified:
- DBUS-API
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
115
115
if sys.version_info.major == 2:
116
116
str = unicode
117
117
118
version = "1.7.19"
118
version = "1.8.2"
119
119
stored_state_file = "clients.pickle"
120
120
121
121
logger = logging.getLogger()
514
514
_library = ctypes.cdll.LoadLibrary(library)
515
515
del library
516
516
_need_version = b"3.3.0"
517
_tls_rawpk_version = b"3.6.6"
517
518
518
519
def __init__(self):
519
520
# Need to use "self" here, since this method is called before
530
531
E_INTERRUPTED = -52
531
532
E_AGAIN = -28
532
533
CRT_OPENPGP = 2
534
CRT_RAWPK = 3
533
535
CLIENT = 2
534
536
SHUT_RDWR = 0
535
537
CRD_CERTIFICATE = 1
536
538
E_NO_CERTIFICATE_FOUND = -49
539
X509_FMT_DER = 0
540
NO_TICKETS = 1<<10
541
ENABLE_RAWPK = 1<<18
542
CTYPE_PEERS = 3
543
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
544
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
545
539
546
# Types
593
600
class ClientSession(object):
594
601
def __init__(self, socket, credentials=None):
595
602
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
606
if gnutls.has_rawpk:
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
609
del gnutls_flags
597
610
gnutls.set_default_priority(self._c_object)
598
611
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
612
gnutls.handshake_set_private_extensions(self._c_object,
731
744
check_version.argtypes = [ctypes.c_char_p]
732
745
check_version.restype = ctypes.c_char_p
733
746
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
747
has_rawpk = bool(check_version(_tls_rawpk_version))
748
749
if has_rawpk:
750
# Types
751
class pubkey_st(ctypes.Structure):
752
_fields = []
753
pubkey_t = ctypes.POINTER(pubkey_st)
754
755
x509_crt_fmt_t = ctypes.c_int
756
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
761
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
764
x509_crt_fmt_t]
765
pubkey_import.restype = _error_code
766
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
772
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
776
else:
777
# All the function declarations below are from gnutls/openpgp.h
778
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
782
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
786
openpgp_crt_fmt_t]
787
openpgp_crt_import.restype = _error_code
788
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
793
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
797
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
801
ctypes.c_void_p,
802
ctypes.POINTER(
803
ctypes.c_size_t)]
804
openpgp_crt_get_fingerprint.restype = _error_code
805
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
762
810
763
811
# Remove non-public functions
764
812
del _error_code, _retry_on_error
800
848
disable_initiator_tag: a GLib event source tag, or None
801
849
enabled: bool()
802
850
fingerprint: string (40 or 32 hexadecimal digits); used to
803
uniquely identify the client
851
uniquely identify an OpenPGP client
852
key_id: string (64 hexadecimal digits); used to uniquely identify
853
a client using raw public keys
804
854
host: string; available for use by the checker command
805
855
interval: datetime.timedelta(); How often to start a new checker
806
856
last_approval_request: datetime.datetime(); (UTC) or None
824
874
"""
825
875
826
876
runtime_expansions = ("approval_delay", "approval_duration",
827
"created", "enabled", "expires",
877
"created", "enabled", "expires", "key_id",
828
878
"fingerprint", "host", "interval",
829
879
"last_approval_request", "last_checked_ok",
830
880
"last_enabled", "name", "timeout")
860
910
client["enabled"] = config.getboolean(client_name,
861
911
"enabled")
862
912
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
913
# Uppercase and remove spaces from key_id and fingerprint
914
# for later comparison purposes with return value from the
915
# key_id() and fingerprint() functions
916
client["key_id"] = (section.get("key_id", "").upper()
917
.replace(" ", ""))
866
918
client["fingerprint"] = (section["fingerprint"].upper()
867
919
.replace(" ", ""))
868
920
if "secret" in section:
912
964
self.expires = None
913
965
914
966
logger.debug("Creating client %r", self.name)
967
logger.debug(" Key ID: %s", self.key_id)
915
968
logger.debug(" Fingerprint: %s", self.fingerprint)
916
969
self.created = settings.get("created",
917
970
datetime.datetime.utcnow())
1999
2052
def Name_dbus_property(self):
2000
2053
return dbus.String(self.name)
2001
2054
2055
# KeyID - property
2056
@dbus_annotations(
2057
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2058
@dbus_service_property(_interface, signature="s", access="read")
2059
def KeyID_dbus_property(self):
2060
return dbus.String(self.key_id)
2061
2002
2062
# Fingerprint - property
2003
2063
@dbus_annotations(
2004
2064
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2160
2220
2161
2221
2162
2222
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2223
def __init__(self, child_pipe, key_id, fpr, address):
2164
2224
self._pipe = child_pipe
2165
self._pipe.send(('init', fpr, address))
2225
self._pipe.send(('init', key_id, fpr, address))
2166
2226
if not self._pipe.recv():
2167
raise KeyError(fpr)
2227
raise KeyError(key_id or fpr)
2168
2228
2169
2229
def __getattribute__(self, name):
2170
2230
if name == '_pipe':
2237
2297
2238
2298
approval_required = False
2239
2299
try:
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2300
if gnutls.has_rawpk:
2301
fpr = ""
2302
try:
2303
key_id = self.key_id(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Key ID: %s", key_id)
2309
2310
else:
2311
key_id = ""
2312
try:
2313
fpr = self.fingerprint(
2314
self.peer_certificate(session))
2315
except (TypeError, gnutls.Error) as error:
2316
logger.warning("Bad certificate: %s", error)
2317
return
2318
logger.debug("Fingerprint: %s", fpr)
2319
2320
try:
2321
client = ProxyClient(child_pipe, key_id, fpr,
2250
2322
self.client_address)
2251
2323
except KeyError:
2252
2324
return
2329
2401
2330
2402
@staticmethod
2331
2403
def peer_certificate(session):
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2404
"Return the peer's certificate as a bytestring"
2405
try:
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2407
gnutls.CTYPE_PEERS)
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2412
else:
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2417
valid_cert_types)
2336
2418
# ...return invalid data
2337
2419
return b""
2338
2420
list_size = ctypes.c_uint(1)
2346
2428
return ctypes.string_at(cert.data, cert.size)
2347
2429
2348
2430
@staticmethod
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2457
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2462
return hex_key_id
2463
2464
@staticmethod
2349
2465
def fingerprint(openpgp):
2350
2466
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2467
# New GnuTLS "datum" with the OpenPGP public key
2579
2695
command = request[0]
2580
2696
2581
2697
if command == 'init':
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2584
2701
2585
2702
for c in self.clients.values():
2586
if c.fingerprint == fpr:
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2704
continue
2705
if key_id and c.key_id == key_id:
2706
client = c
2707
break
2708
if fpr and c.fingerprint == fpr:
2587
2709
client = c
2588
2710
break
2589
2711
else:
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2592
2714
if self.use_dbus:
2593
2715
# Emit D-Bus signal
2594
mandos_dbus_service.ClientNotFound(fpr,
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2595
2717
address[0])
2596
2718
parent_pipe.send(False)
2597
2719
return False
2860
2982
sys.exit(os.EX_OK if fail_count == 0 else 1)
2861
2983
2862
2984
# Default values for config file for server-global settings
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2863
2991
server_defaults = {"interface": "",
2864
2992
"address": "",
2865
2993
"port": "",
2866
2994
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2995
"priority": priority,
2870
2996
"servicename": "Mandos",
2871
2997
"use_dbus": "True",
2872
2998
"use_ipv6": "True",
2877
3003
"foreground": "False",
2878
3004
"zeroconf": "True",
2879
3005
}
3006
del priority
2880
3007
2881
3008
# Parse config file for server-global settings
2882
3009
server_config = configparser.SafeConfigParser(server_defaults)
3126
3253
for k in ("name", "host"):
3127
3254
if isinstance(value[k], bytes):
3128
3255
value[k] = value[k].decode("utf-8")
3256
if not value.has_key("key_id"):
3257
value["key_id"] = ""
3258
elif not value.has_key("fingerprint"):
3259
value["fingerprint"] = ""
3129
3260
# old_client_settings
3130
3261
# .keys()
3131
3262
old_client_settings = {
3268
3399
pass
3269
3400
3270
3401
@dbus.service.signal(_interface, signature="ss")
3271
def ClientNotFound(self, fingerprint, address):
3402
def ClientNotFound(self, key_id, address):
3272
3403
"D-Bus signal"
3273
3404
pass
3274
3405
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0