/mandos/trunk : revision 1127

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

Committer: Teddy Hogeborn
Date: 2019-07-27 10:11:45 UTC
Revision ID: teddy@recompile.se-20190727101145-jnpbpf8220gldbcd

Add dracut(8) support

Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.

* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
                                                   alternative to
                                                   initramfs-tools,
                                                   and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
  (CPROGS): Add "dracut-module/password-agent".
  (DOCS): Add "dracut-module/password-agent.8mandos".
  (dracut-module/password-agent.8mandos): New.
  (dracut-module/password-agent.8mandos.xhtml): - '' -
  (dracut-module/password-agent): - '' -
  (check): Add command to run tests of password-agent(8mandos).
  (install-client-nokey): Also install the dracut module directory,
                          its files, and the password-agent(8mandos)
                          manual page.
  (install-client): To update the initramfs image file, run
                    update-initramfs or dracut depending on what is
                    installed.
  (uninstall-client): - '' - and also uninstall the the files in the
                      dracut module directory, that directory itself,
                      and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
  (Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
                                    alternative dependency to
                                    initramfs-tools.
  (Package: mandos-client/Conflicts): New; set to
                                      "dracut-config-generic".
  (debian/mandos-client.README.Debian): Document alternative commands
                                        to update the initramfs image
                                        for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
                                                    commands to update
                                                    the initramfs
                                                    image for when
                                                    dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
                                                              new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
                    Also be more flexible and try hard to detect where
                    compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
                                          mandos-client binary might
                                          not always be setuid, but
                                          that the program assumes
                                          that it has been started
                                          that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
  (conflict_detection): First try to detect the new PID file of
                        plymouth.
  (main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
  (DESCRIPTION): Describe new behavior of looking for plymouth PID
                 file.
  (OPTIONS): Document new "--prompt" option.
  (ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the CRYPTTAB_SOURCE and
                 CRYPTTAB_NAME comes from, since this can now be
                 either initramfs-tools or dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
              to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
  (debug): New global flag.
  (fprintf_plus): New function, used for debug output.
  (exec_and_wait): Add extra "const" to "argv" argument.
  (main): Define and use new "prompt" variable.  Add debug output.
  (main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
  (OPTIONS): Document new options.
  (ENVIRONMENT): Clarify that the cryptsource and crypttarget
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the cryptsource and crypttarget
                 comes from, since this can now be either
                 initramfs-tools or dracut.
  (EXAMPLE): Add an example using an option.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.

files added:
debian/mandos-client.templates

debian/mandos.templates

debian/tests

debian/tests/control

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos

# "AvahiService" class, and some lines in "main".

# Everything else is

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see

# <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

114

115

if sys.version_info.major == 2:

115

116

str = unicode

116

117

version = "1.7.15"

118

version = "1.8.4"

118

119

stored_state_file = "clients.pickle"

119

120

121

logger = logging.getLogger()

274

275

276

277

# Pretend that we have an Avahi module

277

class Avahi(object):

278

"""This isn't so much a class as it is a module-like namespace.

279

It is instantiated once, and simulates having an Avahi module."""

278

class avahi(object):

279

"""This isn't so much a class as it is a module-like namespace."""

280

IF_UNSPEC = -1 # avahi-common/address.h

281

PROTO_UNSPEC = -1 # avahi-common/address.h

282

PROTO_INET = 0 # avahi-common/address.h

286

DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"

287

DBUS_PATH_SERVER = "/"

288

289

def string_array_to_txt_array(self, t):

289

@staticmethod

290

def string_array_to_txt_array(t):

290

291

return dbus.Array((dbus.ByteArray(s.encode("utf-8"))

291

292

for s in t), signature="ay")

292

293

ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h

297

298

SERVER_RUNNING = 2 # avahi-common/defs.h

298

299

SERVER_COLLISION = 3 # avahi-common/defs.h

299

300

SERVER_FAILURE = 4 # avahi-common/defs.h

300

avahi = Avahi()

301

302

303

class AvahiError(Exception):

495

class AvahiServiceToSyslog(AvahiService):

496

def rename(self, *args, **kwargs):

497

"""Add the new name to the syslog messages"""

498

ret = AvahiService.rename(self, *args, **kwargs)

498

ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)

499

syslogger.setFormatter(logging.Formatter(

500

'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'

501

.format(self.name)))

503

504

505

# Pretend that we have a GnuTLS module

506

class GnuTLS(object):

507

"""This isn't so much a class as it is a module-like namespace.

508

It is instantiated once, and simulates having a GnuTLS module."""

506

class gnutls(object):

507

"""This isn't so much a class as it is a module-like namespace."""

509

508

510

509

library = ctypes.util.find_library("gnutls")

511

510

if library is None:

512

511

library = ctypes.util.find_library("gnutls-deb0")

513

512

_library = ctypes.cdll.LoadLibrary(library)

514

513

del library

515

_need_version = b"3.3.0"

516

517

def __init__(self):

518

# Need to use "self" here, since this method is called before

519

# the assignment to the "gnutls" global variable happens.

520

if self.check_version(self._need_version) is None:

521

raise self.Error("Needs GnuTLS {} or later"

522

.format(self._need_version))

523

514

524

515

# Unless otherwise indicated, the constants and types below are

525

516

# all from the gnutls/gnutls.h C header file.

529

520

E_INTERRUPTED = -52

530

521

E_AGAIN = -28

531

522

CRT_OPENPGP = 2

523

CRT_RAWPK = 3

532

524

CLIENT = 2

533

525

SHUT_RDWR = 0

534

526

CRD_CERTIFICATE = 1

535

527

E_NO_CERTIFICATE_FOUND = -49

528

X509_FMT_DER = 0

529

NO_TICKETS = 1<<10

530

ENABLE_RAWPK = 1<<18

531

CTYPE_PEERS = 3

532

KEYID_USE_SHA256 = 1 # gnutls/x509.h

536

533

OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h

537

534

538

535

# Types

561

558

562

559

# Exceptions

563

560

class Error(Exception):

564

# We need to use the class name "GnuTLS" here, since this

565

# exception might be raised from within GnuTLS.__init__,

566

# which is called before the assignment to the "gnutls"

567

# global variable has happened.

568

561

def __init__(self, message=None, code=None, args=()):

569

562

# Default usage is by a message string, but if a return

570

563

# code is passed, convert it to a string with

571

564

# gnutls.strerror()

572

565

self.code = code

573

566

if message is None and code is not None:

574

message = GnuTLS.strerror(code)

575

return super(GnuTLS.Error, self).__init__(

567

message = gnutls.strerror(code)

568

return super(gnutls.Error, self).__init__(

576

569

message, *args)

577

570

578

571

class CertificateSecurityError(Error):

592

585

class ClientSession(object):

593

586

def __init__(self, socket, credentials=None):

594

587

self._c_object = gnutls.session_t()

595

gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)

588

gnutls_flags = gnutls.CLIENT

589

if gnutls.check_version("3.5.6"):

590

gnutls_flags |= gnutls.NO_TICKETS

591

if gnutls.has_rawpk:

592

gnutls_flags |= gnutls.ENABLE_RAWPK

593

gnutls.init(ctypes.byref(self._c_object), gnutls_flags)

594

del gnutls_flags

596

595

gnutls.set_default_priority(self._c_object)

597

596

gnutls.transport_set_ptr(self._c_object, socket.fileno())

598

597

gnutls.handshake_set_private_extensions(self._c_object,

730

729

check_version.argtypes = [ctypes.c_char_p]

731

730

check_version.restype = ctypes.c_char_p

732

731

733

# All the function declarations below are from gnutls/openpgp.h

734

735

openpgp_crt_init = _library.gnutls_openpgp_crt_init

736

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

737

openpgp_crt_init.restype = _error_code

738

739

openpgp_crt_import = _library.gnutls_openpgp_crt_import

740

openpgp_crt_import.argtypes = [openpgp_crt_t,

741

ctypes.POINTER(datum_t),

742

openpgp_crt_fmt_t]

743

openpgp_crt_import.restype = _error_code

744

745

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

746

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

747

ctypes.POINTER(ctypes.c_uint)]

748

openpgp_crt_verify_self.restype = _error_code

749

750

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

751

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

752

openpgp_crt_deinit.restype = None

753

754

openpgp_crt_get_fingerprint = (

755

_library.gnutls_openpgp_crt_get_fingerprint)

756

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

757

ctypes.c_void_p,

758

ctypes.POINTER(

759

ctypes.c_size_t)]

760

openpgp_crt_get_fingerprint.restype = _error_code

732

_need_version = b"3.3.0"

733

if check_version(_need_version) is None:

734

raise self.Error("Needs GnuTLS {} or later"

735

.format(_need_version))

736

737

_tls_rawpk_version = b"3.6.6"

738

has_rawpk = bool(check_version(_tls_rawpk_version))

739

740

if has_rawpk:

741

# Types

742

class pubkey_st(ctypes.Structure):

743

_fields = []

744

pubkey_t = ctypes.POINTER(pubkey_st)

745

746

x509_crt_fmt_t = ctypes.c_int

747

748

# All the function declarations below are from gnutls/abstract.h

749

pubkey_init = _library.gnutls_pubkey_init

750

pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]

751

pubkey_init.restype = _error_code

752

753

pubkey_import = _library.gnutls_pubkey_import

754

pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),

755

x509_crt_fmt_t]

756

pubkey_import.restype = _error_code

757

758

pubkey_get_key_id = _library.gnutls_pubkey_get_key_id

759

pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,

760

ctypes.POINTER(ctypes.c_ubyte),

761

ctypes.POINTER(ctypes.c_size_t)]

762

pubkey_get_key_id.restype = _error_code

763

764

pubkey_deinit = _library.gnutls_pubkey_deinit

765

pubkey_deinit.argtypes = [pubkey_t]

766

pubkey_deinit.restype = None

767

else:

768

# All the function declarations below are from gnutls/openpgp.h

769

770

openpgp_crt_init = _library.gnutls_openpgp_crt_init

771

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

772

openpgp_crt_init.restype = _error_code

773

774

openpgp_crt_import = _library.gnutls_openpgp_crt_import

775

openpgp_crt_import.argtypes = [openpgp_crt_t,

776

ctypes.POINTER(datum_t),

777

openpgp_crt_fmt_t]

778

openpgp_crt_import.restype = _error_code

779

780

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

781

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

782

ctypes.POINTER(ctypes.c_uint)]

783

openpgp_crt_verify_self.restype = _error_code

784

785

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

786

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

787

openpgp_crt_deinit.restype = None

788

789

openpgp_crt_get_fingerprint = (

790

_library.gnutls_openpgp_crt_get_fingerprint)

791

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

792

ctypes.c_void_p,

793

ctypes.POINTER(

794

ctypes.c_size_t)]

795

openpgp_crt_get_fingerprint.restype = _error_code

796

797

if check_version("3.6.4"):

798

certificate_type_get2 = _library.gnutls_certificate_type_get2

799

certificate_type_get2.argtypes = [session_t, ctypes.c_int]

800

certificate_type_get2.restype = _error_code

761

801

762

802

# Remove non-public functions

763

803

del _error_code, _retry_on_error

764

# Create the global "gnutls" object, simulating a module

765

gnutls = GnuTLS()

766

804

767

805

768

806

def call_pipe(connection, # : multiprocessing.Connection

799

837

disable_initiator_tag: a GLib event source tag, or None

800

838

enabled: bool()

801

839

fingerprint: string (40 or 32 hexadecimal digits); used to

802

uniquely identify the client

840

uniquely identify an OpenPGP client

841

key_id: string (64 hexadecimal digits); used to uniquely identify

842

a client using raw public keys

803

843

host: string; available for use by the checker command

804

844

interval: datetime.timedelta(); How often to start a new checker

805

845

last_approval_request: datetime.datetime(); (UTC) or None

823

863

"""

824

864

825

865

runtime_expansions = ("approval_delay", "approval_duration",

826

"created", "enabled", "expires",

866

"created", "enabled", "expires", "key_id",

827

867

"fingerprint", "host", "interval",

828

868

"last_approval_request", "last_checked_ok",

829

869

"last_enabled", "name", "timeout")

859

899

client["enabled"] = config.getboolean(client_name,

860

900

"enabled")

861

901

862

# Uppercase and remove spaces from fingerprint for later

863

# comparison purposes with return value from the

864

# fingerprint() function

902

# Uppercase and remove spaces from key_id and fingerprint

903

# for later comparison purposes with return value from the

904

# key_id() and fingerprint() functions

905

client["key_id"] = (section.get("key_id", "").upper()

906

.replace(" ", ""))

865

907

client["fingerprint"] = (section["fingerprint"].upper()

866

908

.replace(" ", ""))

867

909

if "secret" in section:

911

953

self.expires = None

912

954

913

955

logger.debug("Creating client %r", self.name)

956

logger.debug(" Key ID: %s", self.key_id)

914

957

logger.debug(" Fingerprint: %s", self.fingerprint)

915

958

self.created = settings.get("created",

916

959

datetime.datetime.utcnow())

1998

2041

def Name_dbus_property(self):

1999

2042

return dbus.String(self.name)

2000

2043

2044

# KeyID - property

2045

@dbus_annotations(

2046

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2047

@dbus_service_property(_interface, signature="s", access="read")

2048

def KeyID_dbus_property(self):

2049

return dbus.String(self.key_id)

2050

2001

2051

# Fingerprint - property

2002

2052

@dbus_annotations(

2003

2053

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2159

2209

2160

2210

2161

2211

class ProxyClient(object):

2162

def __init__(self, child_pipe, fpr, address):

2212

def __init__(self, child_pipe, key_id, fpr, address):

2163

2213

self._pipe = child_pipe

2164

self._pipe.send(('init', fpr, address))

2214

self._pipe.send(('init', key_id, fpr, address))

2165

2215

if not self._pipe.recv():

2166

raise KeyError(fpr)

2216

raise KeyError(key_id or fpr)

2167

2217

2168

2218

def __getattribute__(self, name):

2169

2219

if name == '_pipe':

2236

2286

2237

2287

approval_required = False

2238

2288

try:

2239

try:

2240

fpr = self.fingerprint(

2241

self.peer_certificate(session))

2242

except (TypeError, gnutls.Error) as error:

2243

logger.warning("Bad certificate: %s", error)

2244

return

2245

logger.debug("Fingerprint: %s", fpr)

2246

2247

try:

2248

client = ProxyClient(child_pipe, fpr,

2289

if gnutls.has_rawpk:

2290

fpr = ""

2291

try:

2292

key_id = self.key_id(

2293

self.peer_certificate(session))

2294

except (TypeError, gnutls.Error) as error:

2295

logger.warning("Bad certificate: %s", error)

2296

return

2297

logger.debug("Key ID: %s", key_id)

2298

2299

else:

2300

key_id = ""

2301

try:

2302

fpr = self.fingerprint(

2303

self.peer_certificate(session))

2304

except (TypeError, gnutls.Error) as error:

2305

logger.warning("Bad certificate: %s", error)

2306

return

2307

logger.debug("Fingerprint: %s", fpr)

2308

2309

try:

2310

client = ProxyClient(child_pipe, key_id, fpr,

2249

2311

self.client_address)

2250

2312

except KeyError:

2251

2313

return

2328

2390

2329

2391

@staticmethod

2330

2392

def peer_certificate(session):

2331

"Return the peer's OpenPGP certificate as a bytestring"

2332

# If not an OpenPGP certificate...

2333

if (gnutls.certificate_type_get(session._c_object)

2334

!= gnutls.CRT_OPENPGP):

2393

"Return the peer's certificate as a bytestring"

2394

try:

2395

cert_type = gnutls.certificate_type_get2(session._c_object,

2396

gnutls.CTYPE_PEERS)

2397

except AttributeError:

2398

cert_type = gnutls.certificate_type_get(session._c_object)

2399

if gnutls.has_rawpk:

2400

valid_cert_types = frozenset((gnutls.CRT_RAWPK,))

2401

else:

2402

valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))

2403

# If not a valid certificate type...

2404

if cert_type not in valid_cert_types:

2405

logger.info("Cert type %r not in %r", cert_type,

2406

valid_cert_types)

2335

2407

# ...return invalid data

2336

2408

return b""

2337

2409

list_size = ctypes.c_uint(1)

2345

2417

return ctypes.string_at(cert.data, cert.size)

2346

2418

2347

2419

@staticmethod

2420

def key_id(certificate):

2421

"Convert a certificate bytestring to a hexdigit key ID"

2422

# New GnuTLS "datum" with the public key

2423

datum = gnutls.datum_t(

2424

ctypes.cast(ctypes.c_char_p(certificate),

2425

ctypes.POINTER(ctypes.c_ubyte)),

2426

ctypes.c_uint(len(certificate)))

2427

# XXX all these need to be created in the gnutls "module"

2428

# New empty GnuTLS certificate

2429

pubkey = gnutls.pubkey_t()

2430

gnutls.pubkey_init(ctypes.byref(pubkey))

2431

# Import the raw public key into the certificate

2432

gnutls.pubkey_import(pubkey,

2433

ctypes.byref(datum),

2434

gnutls.X509_FMT_DER)

2435

# New buffer for the key ID

2436

buf = ctypes.create_string_buffer(32)

2437

buf_len = ctypes.c_size_t(len(buf))

2438

# Get the key ID from the raw public key into the buffer

2439

gnutls.pubkey_get_key_id(pubkey,

2440

gnutls.KEYID_USE_SHA256,

2441

ctypes.cast(ctypes.byref(buf),

2442

ctypes.POINTER(ctypes.c_ubyte)),

2443

ctypes.byref(buf_len))

2444

# Deinit the certificate

2445

gnutls.pubkey_deinit(pubkey)

2446

2447

# Convert the buffer to a Python bytestring

2448

key_id = ctypes.string_at(buf, buf_len.value)

2449

# Convert the bytestring to hexadecimal notation

2450

hex_key_id = binascii.hexlify(key_id).upper()

2451

return hex_key_id

2452

2453

@staticmethod

2348

2454

def fingerprint(openpgp):

2349

2455

"Convert an OpenPGP bytestring to a hexdigit fingerprint"

2350

2456

# New GnuTLS "datum" with the OpenPGP public key

2364

2470

ctypes.byref(crtverify))

2365

2471

if crtverify.value != 0:

2366

2472

gnutls.openpgp_crt_deinit(crt)

2367

raise gnutls.CertificateSecurityError("Verify failed")

2473

raise gnutls.CertificateSecurityError(code

2474

=crtverify.value)

2368

2475

# New buffer for the fingerprint

2369

2476

buf = ctypes.create_string_buffer(20)

2370

2477

buf_len = ctypes.c_size_t()

2498

2605

raise

2499

2606

# Only bind(2) the socket if we really need to.

2500

2607

if self.server_address[0] or self.server_address[1]:

2608

if self.server_address[1]:

2609

self.allow_reuse_address = True

2501

2610

if not self.server_address[0]:

2502

2611

if self.address_family == socket.AF_INET6:

2503

2612

any_address = "::" # in6addr_any

2577

2686

command = request[0]

2578

2687

2579

2688

if command == 'init':

2580

fpr = request[1]

2581

address = request[2]

2689

key_id = request[1].decode("ascii")

2690

fpr = request[2].decode("ascii")

2691

address = request[3]

2582

2692

2583

2693

for c in self.clients.values():

2584

if c.fingerprint == fpr:

2694

if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":

2695

continue

2696

if key_id and c.key_id == key_id:

2697

client = c

2698

break

2699

if fpr and c.fingerprint == fpr:

2585

2700

client = c

2586

2701

break

2587

2702

else:

2588

logger.info("Client not found for fingerprint: %s, ad"

2589

"dress: %s", fpr, address)

2703

logger.info("Client not found for key ID: %s, address"

2704

": %s", key_id or fpr, address)

2590

2705

if self.use_dbus:

2591

2706

# Emit D-Bus signal

2592

mandos_dbus_service.ClientNotFound(fpr,

2707

mandos_dbus_service.ClientNotFound(key_id or fpr,

2593

2708

address[0])

2594

2709

parent_pipe.send(False)

2595

2710

return False

2858

2973

sys.exit(os.EX_OK if fail_count == 0 else 1)

2859

2974

2860

2975

# Default values for config file for server-global settings

2976

if gnutls.has_rawpk:

2977

priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"

2978

":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")

2979

else:

2980

priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2981

":+SIGN-DSA-SHA256")

2861

2982

server_defaults = {"interface": "",

2862

2983

"address": "",

2863

2984

"port": "",

2864

2985

"debug": "False",

2865

"priority":

2866

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2867

":+SIGN-DSA-SHA256",

2986

"priority": priority,

2868

2987

"servicename": "Mandos",

2869

2988

"use_dbus": "True",

2870

2989

"use_ipv6": "True",

2875

2994

"foreground": "False",

2876

2995

"zeroconf": "True",

2877

2996

}

2997

del priority

2878

2998

2879

2999

# Parse config file for server-global settings

2880

3000

server_config = configparser.SafeConfigParser(server_defaults)

3124

3244

for k in ("name", "host"):

3125

3245

if isinstance(value[k], bytes):

3126

3246

value[k] = value[k].decode("utf-8")

3247

if not value.has_key("key_id"):

3248

value["key_id"] = ""

3249

elif not value.has_key("fingerprint"):

3250

value["fingerprint"] = ""

3127

3251

# old_client_settings

3128

3252

# .keys()

3129

3253

old_client_settings = {

3266

3390

pass

3267

3391

3268

3392

@dbus.service.signal(_interface, signature="ss")

3269

def ClientNotFound(self, fingerprint, address):

3393

def ClientNotFound(self, key_id, address):

3270

3394

"D-Bus signal"

3271

3395

pass

3272

3396

Older »