11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
17
# This file is part of Mandos.
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
32
31
# Contact the authors at <mandos@recompile.se>.
600
592
class ClientSession(object):
601
593
def __init__(self, socket, credentials=None):
602
594
self._c_object = gnutls.session_t()
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
610
596
gnutls.set_default_priority(self._c_object)
611
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
598
gnutls.handshake_set_private_extensions(self._c_object,
744
730
check_version.argtypes = [ctypes.c_char_p]
745
731
check_version.restype = ctypes.c_char_p
747
has_rawpk = bool(check_version(_tls_rawpk_version))
751
class pubkey_st(ctypes.Structure):
753
pubkey_t = ctypes.POINTER(pubkey_st)
755
x509_crt_fmt_t = ctypes.c_int
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
765
pubkey_import.restype = _error_code
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
777
# All the function declarations below are from gnutls/openpgp.h
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
787
openpgp_crt_import.restype = _error_code
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
804
openpgp_crt_get_fingerprint.restype = _error_code
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
733
# All the function declarations below are from gnutls/openpgp.h
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
743
openpgp_crt_import.restype = _error_code
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
760
openpgp_crt_get_fingerprint.restype = _error_code
811
762
# Remove non-public functions
812
763
del _error_code, _retry_on_error
876
825
runtime_expansions = ("approval_delay", "approval_duration",
877
"created", "enabled", "expires", "key_id",
826
"created", "enabled", "expires",
878
827
"fingerprint", "host", "interval",
879
828
"last_approval_request", "last_checked_ok",
880
829
"last_enabled", "name", "timeout")
2222
2160
class ProxyClient(object):
2223
def __init__(self, child_pipe, key_id, fpr, address):
2161
def __init__(self, child_pipe, fpr, address):
2224
2162
self._pipe = child_pipe
2225
self._pipe.send(('init', key_id, fpr, address))
2163
self._pipe.send(('init', fpr, address))
2226
2164
if not self._pipe.recv():
2227
raise KeyError(key_id or fpr)
2229
2167
def __getattribute__(self, name):
2230
2168
if name == '_pipe':
2298
2236
approval_required = False
2300
if gnutls.has_rawpk:
2303
key_id = self.key_id(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2308
logger.debug("Key ID: %s", key_id)
2313
fpr = self.fingerprint(
2314
self.peer_certificate(session))
2315
except (TypeError, gnutls.Error) as error:
2316
logger.warning("Bad certificate: %s", error)
2318
logger.debug("Fingerprint: %s", fpr)
2321
client = ProxyClient(child_pipe, key_id, fpr,
2239
fpr = self.fingerprint(
2240
self.peer_certificate(session))
2241
except (TypeError, gnutls.Error) as error:
2242
logger.warning("Bad certificate: %s", error)
2244
logger.debug("Fingerprint: %s", fpr)
2247
client = ProxyClient(child_pipe, fpr,
2322
2248
self.client_address)
2323
2249
except KeyError:
2403
2329
def peer_certificate(session):
2404
"Return the peer's certificate as a bytestring"
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2330
"Return the peer's OpenPGP certificate as a bytestring"
2331
# If not an OpenPGP certificate...
2332
if (gnutls.certificate_type_get(session._c_object)
2333
!= gnutls.CRT_OPENPGP):
2418
2334
# ...return invalid data
2420
2336
list_size = ctypes.c_uint(1)
2428
2344
return ctypes.string_at(cert.data, cert.size)
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2465
2347
def fingerprint(openpgp):
2466
2348
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2467
2349
# New GnuTLS "datum" with the OpenPGP public key
2695
2576
command = request[0]
2697
2578
if command == 'init':
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2580
address = request[2]
2702
2582
for c in self.clients.values():
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2705
if key_id and c.key_id == key_id:
2708
if fpr and c.fingerprint == fpr:
2583
if c.fingerprint == fpr:
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2587
logger.info("Client not found for fingerprint: %s, ad"
2588
"dress: %s", fpr, address)
2714
2589
if self.use_dbus:
2715
2590
# Emit D-Bus signal
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2591
mandos_dbus_service.ClientNotFound(fpr,
2718
2593
parent_pipe.send(False)
3012
2882
# Convert the SafeConfigParser object to a dict
3013
2883
server_settings = server_config.defaults()
3014
2884
# Use the appropriate methods on the non-string config options
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2885
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3017
2886
server_settings[option] = server_config.getboolean("DEFAULT",
3019
2888
if server_settings["port"]: