505
506
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
509
511
library = ctypes.util.find_library("gnutls")
510
512
if library is None:
511
513
library = ctypes.util.find_library("gnutls-deb0")
512
514
_library = ctypes.cdll.LoadLibrary(library)
516
_need_version = b"3.3.0"
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
515
525
# Unless otherwise indicated, the constants and types below are
516
526
# all from the gnutls/gnutls.h C header file.
560
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
561
569
def __init__(self, message=None, code=None, args=()):
562
570
# Default usage is by a message string, but if a return
563
571
# code is passed, convert it to a string with
564
572
# gnutls.strerror()
566
574
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
571
579
class CertificateSecurityError(Error):
585
593
class ClientSession(object):
586
594
def __init__(self, socket, credentials=None):
587
595
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version("3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
595
597
gnutls.set_default_priority(self._c_object)
596
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
599
gnutls.handshake_set_private_extensions(self._c_object,
729
731
check_version.argtypes = [ctypes.c_char_p]
730
732
check_version.restype = ctypes.c_char_p
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
742
class pubkey_st(ctypes.Structure):
744
pubkey_t = ctypes.POINTER(pubkey_st)
746
x509_crt_fmt_t = ctypes.c_int
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
756
pubkey_import.restype = _error_code
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
768
# All the function declarations below are from gnutls/openpgp.h
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
778
openpgp_crt_import.restype = _error_code
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
795
openpgp_crt_get_fingerprint.restype = _error_code
797
if check_version("3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
802
763
# Remove non-public functions
803
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
806
769
def call_pipe(connection, # : multiprocessing.Connection
865
826
runtime_expansions = ("approval_delay", "approval_duration",
866
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
867
828
"fingerprint", "host", "interval",
868
829
"last_approval_request", "last_checked_ok",
869
830
"last_enabled", "name", "timeout")
2211
2162
class ProxyClient(object):
2212
def __init__(self, child_pipe, key_id, fpr, address):
2163
def __init__(self, child_pipe, fpr, address):
2213
2164
self._pipe = child_pipe
2214
self._pipe.send(('init', key_id, fpr, address))
2165
self._pipe.send(('init', fpr, address))
2215
2166
if not self._pipe.recv():
2216
raise KeyError(key_id or fpr)
2218
2169
def __getattribute__(self, name):
2219
2170
if name == '_pipe':
2287
2238
approval_required = False
2289
if gnutls.has_rawpk:
2292
key_id = self.key_id(
2293
self.peer_certificate(session))
2294
except (TypeError, gnutls.Error) as error:
2295
logger.warning("Bad certificate: %s", error)
2297
logger.debug("Key ID: %s", key_id)
2302
fpr = self.fingerprint(
2303
self.peer_certificate(session))
2304
except (TypeError, gnutls.Error) as error:
2305
logger.warning("Bad certificate: %s", error)
2307
logger.debug("Fingerprint: %s", fpr)
2310
client = ProxyClient(child_pipe, key_id, fpr,
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2246
logger.debug("Fingerprint: %s", fpr)
2249
client = ProxyClient(child_pipe, fpr,
2311
2250
self.client_address)
2312
2251
except KeyError:
2392
2331
def peer_certificate(session):
2393
"Return the peer's certificate as a bytestring"
2395
cert_type = gnutls.certificate_type_get2(session._c_object,
2397
except AttributeError:
2398
cert_type = gnutls.certificate_type_get(session._c_object)
2399
if gnutls.has_rawpk:
2400
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2402
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
# If not a valid certificate type...
2404
if cert_type not in valid_cert_types:
2405
logger.info("Cert type %r not in %r", cert_type,
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2407
2336
# ...return invalid data
2409
2338
list_size = ctypes.c_uint(1)
2417
2346
return ctypes.string_at(cert.data, cert.size)
2420
def key_id(certificate):
2421
"Convert a certificate bytestring to a hexdigit key ID"
2422
# New GnuTLS "datum" with the public key
2423
datum = gnutls.datum_t(
2424
ctypes.cast(ctypes.c_char_p(certificate),
2425
ctypes.POINTER(ctypes.c_ubyte)),
2426
ctypes.c_uint(len(certificate)))
2427
# XXX all these need to be created in the gnutls "module"
2428
# New empty GnuTLS certificate
2429
pubkey = gnutls.pubkey_t()
2430
gnutls.pubkey_init(ctypes.byref(pubkey))
2431
# Import the raw public key into the certificate
2432
gnutls.pubkey_import(pubkey,
2433
ctypes.byref(datum),
2434
gnutls.X509_FMT_DER)
2435
# New buffer for the key ID
2436
buf = ctypes.create_string_buffer(32)
2437
buf_len = ctypes.c_size_t(len(buf))
2438
# Get the key ID from the raw public key into the buffer
2439
gnutls.pubkey_get_key_id(pubkey,
2440
gnutls.KEYID_USE_SHA256,
2441
ctypes.cast(ctypes.byref(buf),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.byref(buf_len))
2444
# Deinit the certificate
2445
gnutls.pubkey_deinit(pubkey)
2447
# Convert the buffer to a Python bytestring
2448
key_id = ctypes.string_at(buf, buf_len.value)
2449
# Convert the bytestring to hexadecimal notation
2450
hex_key_id = binascii.hexlify(key_id).upper()
2454
2349
def fingerprint(openpgp):
2455
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2456
2351
# New GnuTLS "datum" with the OpenPGP public key
2686
2579
command = request[0]
2688
2581
if command == 'init':
2689
key_id = request[1].decode("ascii")
2690
fpr = request[2].decode("ascii")
2691
address = request[3]
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2693
2585
for c in self.clients.values():
2694
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2696
if key_id and c.key_id == key_id:
2699
if fpr and c.fingerprint == fpr:
2586
if c.fingerprint == fpr:
2703
logger.info("Client not found for key ID: %s, address"
2704
": %s", key_id or fpr, address)
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2705
2592
if self.use_dbus:
2706
2593
# Emit D-Bus signal
2707
mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
mandos_dbus_service.ClientNotFound(fpr,
2709
2596
parent_pipe.send(False)