519
506
# Pretend that we have a GnuTLS module
521
"""This isn't so much a class as it is a module-like namespace."""
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
523
511
library = ctypes.util.find_library("gnutls")
524
512
if library is None:
525
513
library = ctypes.util.find_library("gnutls-deb0")
526
514
_library = ctypes.cdll.LoadLibrary(library)
516
_need_version = b"3.3.0"
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
529
525
# Unless otherwise indicated, the constants and types below are
530
526
# all from the gnutls/gnutls.h C header file.
574
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
575
569
def __init__(self, message=None, code=None, args=()):
576
570
# Default usage is by a message string, but if a return
577
571
# code is passed, convert it to a string with
578
572
# gnutls.strerror()
580
574
if message is None and code is not None:
581
message = gnutls.strerror(code)
582
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
585
579
class CertificateSecurityError(Error):
583
class Credentials(object):
590
584
def __init__(self):
591
585
self._c_object = gnutls.certificate_credentials_t()
592
586
gnutls.certificate_allocate_credentials(
596
590
def __del__(self):
597
591
gnutls.certificate_free_credentials(self._c_object)
593
class ClientSession(object):
600
594
def __init__(self, socket, credentials=None):
601
595
self._c_object = gnutls.session_t()
602
gnutls_flags = gnutls.CLIENT
603
if gnutls.check_version(b"3.5.6"):
604
gnutls_flags |= gnutls.NO_TICKETS
606
gnutls_flags |= gnutls.ENABLE_RAWPK
607
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
609
597
gnutls.set_default_priority(self._c_object)
610
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
611
599
gnutls.handshake_set_private_extensions(self._c_object,
743
731
check_version.argtypes = [ctypes.c_char_p]
744
732
check_version.restype = ctypes.c_char_p
746
_need_version = b"3.3.0"
747
if check_version(_need_version) is None:
748
raise self.Error("Needs GnuTLS {} or later"
749
.format(_need_version))
751
_tls_rawpk_version = b"3.6.6"
752
has_rawpk = bool(check_version(_tls_rawpk_version))
756
class pubkey_st(ctypes.Structure):
758
pubkey_t = ctypes.POINTER(pubkey_st)
760
x509_crt_fmt_t = ctypes.c_int
762
# All the function declarations below are from gnutls/abstract.h
763
pubkey_init = _library.gnutls_pubkey_init
764
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
765
pubkey_init.restype = _error_code
767
pubkey_import = _library.gnutls_pubkey_import
768
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
770
pubkey_import.restype = _error_code
772
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
773
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
774
ctypes.POINTER(ctypes.c_ubyte),
775
ctypes.POINTER(ctypes.c_size_t)]
776
pubkey_get_key_id.restype = _error_code
778
pubkey_deinit = _library.gnutls_pubkey_deinit
779
pubkey_deinit.argtypes = [pubkey_t]
780
pubkey_deinit.restype = None
782
# All the function declarations below are from gnutls/openpgp.h
784
openpgp_crt_init = _library.gnutls_openpgp_crt_init
785
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
786
openpgp_crt_init.restype = _error_code
788
openpgp_crt_import = _library.gnutls_openpgp_crt_import
789
openpgp_crt_import.argtypes = [openpgp_crt_t,
790
ctypes.POINTER(datum_t),
792
openpgp_crt_import.restype = _error_code
794
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
795
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
796
ctypes.POINTER(ctypes.c_uint)]
797
openpgp_crt_verify_self.restype = _error_code
799
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
800
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
801
openpgp_crt_deinit.restype = None
803
openpgp_crt_get_fingerprint = (
804
_library.gnutls_openpgp_crt_get_fingerprint)
805
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
809
openpgp_crt_get_fingerprint.restype = _error_code
811
if check_version(b"3.6.4"):
812
certificate_type_get2 = _library.gnutls_certificate_type_get2
813
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
814
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
816
763
# Remove non-public functions
817
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
820
769
def call_pipe(connection, # : multiprocessing.Connection
828
777
connection.close()
780
class Client(object):
832
781
"""A representation of a client host served by this server.
835
784
approved: bool(); 'None' if not yet approved/disapproved
836
785
approval_delay: datetime.timedelta(); Time to wait for approval
837
786
approval_duration: datetime.timedelta(); Duration of one approval
838
checker: multiprocessing.Process(); a running checker process used
839
to see if the client lives. 'None' if no process is
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
841
790
checker_callback_tag: a GLib event source tag, or None
842
791
checker_command: string; External command which is run to check
843
792
if client lives. %() expansions are done at
879
826
runtime_expansions = ("approval_delay", "approval_duration",
880
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
881
828
"fingerprint", "host", "interval",
882
829
"last_approval_request", "last_checked_ok",
883
830
"last_enabled", "name", "timeout")
2229
def __init__(self, child_pipe, key_id, fpr, address):
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2230
2164
self._pipe = child_pipe
2231
self._pipe.send(('init', key_id, fpr, address))
2165
self._pipe.send(('init', fpr, address))
2232
2166
if not self._pipe.recv():
2233
raise KeyError(key_id or fpr)
2235
2169
def __getattribute__(self, name):
2236
2170
if name == '_pipe':
2304
2238
approval_required = False
2306
if gnutls.has_rawpk:
2309
key_id = self.key_id(
2310
self.peer_certificate(session))
2311
except (TypeError, gnutls.Error) as error:
2312
logger.warning("Bad certificate: %s", error)
2314
logger.debug("Key ID: %s", key_id)
2319
fpr = self.fingerprint(
2320
self.peer_certificate(session))
2321
except (TypeError, gnutls.Error) as error:
2322
logger.warning("Bad certificate: %s", error)
2324
logger.debug("Fingerprint: %s", fpr)
2327
client = ProxyClient(child_pipe, key_id, fpr,
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2246
logger.debug("Fingerprint: %s", fpr)
2249
client = ProxyClient(child_pipe, fpr,
2328
2250
self.client_address)
2329
2251
except KeyError:
2409
2331
def peer_certificate(session):
2410
"Return the peer's certificate as a bytestring"
2412
cert_type = gnutls.certificate_type_get2(session._c_object,
2414
except AttributeError:
2415
cert_type = gnutls.certificate_type_get(session._c_object)
2416
if gnutls.has_rawpk:
2417
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2419
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2420
# If not a valid certificate type...
2421
if cert_type not in valid_cert_types:
2422
logger.info("Cert type %r not in %r", cert_type,
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2424
2336
# ...return invalid data
2426
2338
list_size = ctypes.c_uint(1)
2434
2346
return ctypes.string_at(cert.data, cert.size)
2437
def key_id(certificate):
2438
"Convert a certificate bytestring to a hexdigit key ID"
2439
# New GnuTLS "datum" with the public key
2440
datum = gnutls.datum_t(
2441
ctypes.cast(ctypes.c_char_p(certificate),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.c_uint(len(certificate)))
2444
# XXX all these need to be created in the gnutls "module"
2445
# New empty GnuTLS certificate
2446
pubkey = gnutls.pubkey_t()
2447
gnutls.pubkey_init(ctypes.byref(pubkey))
2448
# Import the raw public key into the certificate
2449
gnutls.pubkey_import(pubkey,
2450
ctypes.byref(datum),
2451
gnutls.X509_FMT_DER)
2452
# New buffer for the key ID
2453
buf = ctypes.create_string_buffer(32)
2454
buf_len = ctypes.c_size_t(len(buf))
2455
# Get the key ID from the raw public key into the buffer
2456
gnutls.pubkey_get_key_id(pubkey,
2457
gnutls.KEYID_USE_SHA256,
2458
ctypes.cast(ctypes.byref(buf),
2459
ctypes.POINTER(ctypes.c_ubyte)),
2460
ctypes.byref(buf_len))
2461
# Deinit the certificate
2462
gnutls.pubkey_deinit(pubkey)
2464
# Convert the buffer to a Python bytestring
2465
key_id = ctypes.string_at(buf, buf_len.value)
2466
# Convert the bytestring to hexadecimal notation
2467
hex_key_id = binascii.hexlify(key_id).upper()
2471
2349
def fingerprint(openpgp):
2472
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2473
2351
# New GnuTLS "datum" with the OpenPGP public key
2703
2578
command = request[0]
2705
2580
if command == 'init':
2706
key_id = request[1].decode("ascii")
2707
fpr = request[2].decode("ascii")
2708
address = request[3]
2581
fpr = request[1].decode("ascii")
2582
address = request[2]
2710
2584
for c in self.clients.values():
2711
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2713
if key_id and c.key_id == key_id:
2716
if fpr and c.fingerprint == fpr:
2585
if c.fingerprint == fpr:
2720
logger.info("Client not found for key ID: %s, address"
2721
": %s", key_id or fpr, address)
2589
logger.info("Client not found for fingerprint: %s, ad"
2590
"dress: %s", fpr, address)
2722
2591
if self.use_dbus:
2723
2592
# Emit D-Bus signal
2724
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
mandos_dbus_service.ClientNotFound(fpr,
2726
2595
parent_pipe.send(False)
2729
2598
GLib.io_add_watch(
2730
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2731
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2599
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2732
2601
functools.partial(self.handle_ipc,
2733
2602
parent_pipe=parent_pipe,
2766
2635
def rfc3339_duration_to_delta(duration):
2767
2636
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2769
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2771
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2773
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2775
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2777
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2779
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2781
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2638
>>> rfc3339_duration_to_delta("P7D")
2639
datetime.timedelta(7)
2640
>>> rfc3339_duration_to_delta("PT60S")
2641
datetime.timedelta(0, 60)
2642
>>> rfc3339_duration_to_delta("PT60M")
2643
datetime.timedelta(0, 3600)
2644
>>> rfc3339_duration_to_delta("PT24H")
2645
datetime.timedelta(1)
2646
>>> rfc3339_duration_to_delta("P1W")
2647
datetime.timedelta(7)
2648
>>> rfc3339_duration_to_delta("PT5M30S")
2649
datetime.timedelta(0, 330)
2650
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
datetime.timedelta(1, 200)
2785
2654
# Parsing an RFC 3339 duration with regular expressions is not
2865
2734
def string_to_delta(interval):
2866
2735
"""Parse a string and return a datetime.timedelta
2868
>>> string_to_delta('7d') == datetime.timedelta(7)
2870
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2872
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2874
>>> string_to_delta('24h') == datetime.timedelta(1)
2876
>>> string_to_delta('1w') == datetime.timedelta(7)
2878
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2737
>>> string_to_delta('7d')
2738
datetime.timedelta(7)
2739
>>> string_to_delta('60s')
2740
datetime.timedelta(0, 60)
2741
>>> string_to_delta('60m')
2742
datetime.timedelta(0, 3600)
2743
>>> string_to_delta('24h')
2744
datetime.timedelta(1)
2745
>>> string_to_delta('1w')
2746
datetime.timedelta(7)
2747
>>> string_to_delta('5m 30s')
2748
datetime.timedelta(0, 330)
3606
3470
# End of Avahi example code
3609
GLib.IOChannel.unix_new(tcp_server.fileno()),
3610
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3611
lambda *args, **kwargs: (tcp_server.handle_request
3612
(*args[2:], **kwargs) or True))
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3614
3477
logger.debug("Starting main loop")
3615
3478
main_loop.run()
3625
3488
# Must run before the D-Bus bus name gets deregistered
3629
def should_only_run_tests():
3630
parser = argparse.ArgumentParser(add_help=False)
3631
parser.add_argument("--check", action='store_true')
3632
args, unknown_args = parser.parse_known_args()
3633
run_tests = args.check
3635
# Remove --check argument from sys.argv
3636
sys.argv[1:] = unknown_args
3639
# Add all tests from doctest strings
3640
def load_tests(loader, tests, none):
3642
tests.addTests(doctest.DocTestSuite())
3645
3492
if __name__ == '__main__':
3647
if should_only_run_tests():
3648
# Call using ./mandos --check [--verbose]