11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
17
# This file is part of Mandos.
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
32
# Contact the authors at <mandos@recompile.se>.
505
527
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
529
"""This isn't so much a class as it is a module-like namespace."""
510
531
library = ctypes.util.find_library("gnutls")
511
532
if library is None:
512
533
library = ctypes.util.find_library("gnutls-deb0")
513
534
_library = ctypes.cdll.LoadLibrary(library)
515
_need_version = b"3.3.0"
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
524
537
# Unless otherwise indicated, the constants and types below are
525
538
# all from the gnutls/gnutls.h C header file.
563
582
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
583
def __init__(self, message=None, code=None, args=()):
569
584
# Default usage is by a message string, but if a return
570
585
# code is passed, convert it to a string with
571
586
# gnutls.strerror()
573
588
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
589
message = gnutls.strerror(code)
590
return super(gnutls.Error, self).__init__(
578
593
class CertificateSecurityError(Error):
582
class Credentials(object):
583
598
def __init__(self):
584
599
self._c_object = gnutls.certificate_credentials_t()
585
600
gnutls.certificate_allocate_credentials(
589
604
def __del__(self):
590
605
gnutls.certificate_free_credentials(self._c_object)
592
class ClientSession(object):
593
608
def __init__(self, socket, credentials=None):
594
609
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
610
gnutls_flags = gnutls.CLIENT
611
if gnutls.check_version(b"3.5.6"):
612
gnutls_flags |= gnutls.NO_TICKETS
614
gnutls_flags |= gnutls.ENABLE_RAWPK
615
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
596
617
gnutls.set_default_priority(self._c_object)
597
618
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
619
gnutls.handshake_set_private_extensions(self._c_object,
730
751
check_version.argtypes = [ctypes.c_char_p]
731
752
check_version.restype = ctypes.c_char_p
733
# All the function declarations below are from gnutls/openpgp.h
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
743
openpgp_crt_import.restype = _error_code
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
760
openpgp_crt_get_fingerprint.restype = _error_code
754
_need_version = b"3.3.0"
755
if check_version(_need_version) is None:
756
raise self.Error("Needs GnuTLS {} or later"
757
.format(_need_version))
759
_tls_rawpk_version = b"3.6.6"
760
has_rawpk = bool(check_version(_tls_rawpk_version))
764
class pubkey_st(ctypes.Structure):
766
pubkey_t = ctypes.POINTER(pubkey_st)
768
x509_crt_fmt_t = ctypes.c_int
770
# All the function declarations below are from gnutls/abstract.h
771
pubkey_init = _library.gnutls_pubkey_init
772
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
773
pubkey_init.restype = _error_code
775
pubkey_import = _library.gnutls_pubkey_import
776
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
778
pubkey_import.restype = _error_code
780
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
781
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
782
ctypes.POINTER(ctypes.c_ubyte),
783
ctypes.POINTER(ctypes.c_size_t)]
784
pubkey_get_key_id.restype = _error_code
786
pubkey_deinit = _library.gnutls_pubkey_deinit
787
pubkey_deinit.argtypes = [pubkey_t]
788
pubkey_deinit.restype = None
790
# All the function declarations below are from gnutls/openpgp.h
792
openpgp_crt_init = _library.gnutls_openpgp_crt_init
793
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
794
openpgp_crt_init.restype = _error_code
796
openpgp_crt_import = _library.gnutls_openpgp_crt_import
797
openpgp_crt_import.argtypes = [openpgp_crt_t,
798
ctypes.POINTER(datum_t),
800
openpgp_crt_import.restype = _error_code
802
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
803
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
804
ctypes.POINTER(ctypes.c_uint)]
805
openpgp_crt_verify_self.restype = _error_code
807
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
808
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
809
openpgp_crt_deinit.restype = None
811
openpgp_crt_get_fingerprint = (
812
_library.gnutls_openpgp_crt_get_fingerprint)
813
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
817
openpgp_crt_get_fingerprint.restype = _error_code
819
if check_version(b"3.6.4"):
820
certificate_type_get2 = _library.gnutls_certificate_type_get2
821
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
822
certificate_type_get2.restype = _error_code
762
824
# Remove non-public functions
763
825
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
768
828
def call_pipe(connection, # : multiprocessing.Connection
776
836
connection.close()
779
class Client(object):
780
840
"""A representation of a client host served by this server.
783
843
approved: bool(); 'None' if not yet approved/disapproved
784
844
approval_delay: datetime.timedelta(); Time to wait for approval
785
845
approval_duration: datetime.timedelta(); Duration of one approval
786
checker: subprocess.Popen(); a running checker process used
787
to see if the client lives.
788
'None' if no process is running.
846
checker: multiprocessing.Process(); a running checker process used
847
to see if the client lives. 'None' if no process is
789
849
checker_callback_tag: a GLib event source tag, or None
790
850
checker_command: string; External command which is run to check
791
851
if client lives. %() expansions are done at
825
887
runtime_expansions = ("approval_delay", "approval_duration",
826
"created", "enabled", "expires",
888
"created", "enabled", "expires", "key_id",
827
889
"fingerprint", "host", "interval",
828
890
"last_approval_request", "last_checked_ok",
829
891
"last_enabled", "name", "timeout")
2160
class ProxyClient(object):
2161
def __init__(self, child_pipe, fpr, address):
2237
def __init__(self, child_pipe, key_id, fpr, address):
2162
2238
self._pipe = child_pipe
2163
self._pipe.send(('init', fpr, address))
2239
self._pipe.send(('init', key_id, fpr, address))
2164
2240
if not self._pipe.recv():
2241
raise KeyError(key_id or fpr)
2167
2243
def __getattribute__(self, name):
2168
2244
if name == '_pipe':
2236
2312
approval_required = False
2239
fpr = self.fingerprint(
2240
self.peer_certificate(session))
2241
except (TypeError, gnutls.Error) as error:
2242
logger.warning("Bad certificate: %s", error)
2244
logger.debug("Fingerprint: %s", fpr)
2247
client = ProxyClient(child_pipe, fpr,
2314
if gnutls.has_rawpk:
2317
key_id = self.key_id(
2318
self.peer_certificate(session))
2319
except (TypeError, gnutls.Error) as error:
2320
logger.warning("Bad certificate: %s", error)
2322
logger.debug("Key ID: %s", key_id)
2327
fpr = self.fingerprint(
2328
self.peer_certificate(session))
2329
except (TypeError, gnutls.Error) as error:
2330
logger.warning("Bad certificate: %s", error)
2332
logger.debug("Fingerprint: %s", fpr)
2335
client = ProxyClient(child_pipe, key_id, fpr,
2248
2336
self.client_address)
2249
2337
except KeyError:
2329
2417
def peer_certificate(session):
2330
"Return the peer's OpenPGP certificate as a bytestring"
2331
# If not an OpenPGP certificate...
2332
if (gnutls.certificate_type_get(session._c_object)
2333
!= gnutls.CRT_OPENPGP):
2418
"Return the peer's certificate as a bytestring"
2420
cert_type = gnutls.certificate_type_get2(session._c_object,
2422
except AttributeError:
2423
cert_type = gnutls.certificate_type_get(session._c_object)
2424
if gnutls.has_rawpk:
2425
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2427
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2428
# If not a valid certificate type...
2429
if cert_type not in valid_cert_types:
2430
logger.info("Cert type %r not in %r", cert_type,
2334
2432
# ...return invalid data
2336
2434
list_size = ctypes.c_uint(1)
2344
2442
return ctypes.string_at(cert.data, cert.size)
2445
def key_id(certificate):
2446
"Convert a certificate bytestring to a hexdigit key ID"
2447
# New GnuTLS "datum" with the public key
2448
datum = gnutls.datum_t(
2449
ctypes.cast(ctypes.c_char_p(certificate),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.c_uint(len(certificate)))
2452
# XXX all these need to be created in the gnutls "module"
2453
# New empty GnuTLS certificate
2454
pubkey = gnutls.pubkey_t()
2455
gnutls.pubkey_init(ctypes.byref(pubkey))
2456
# Import the raw public key into the certificate
2457
gnutls.pubkey_import(pubkey,
2458
ctypes.byref(datum),
2459
gnutls.X509_FMT_DER)
2460
# New buffer for the key ID
2461
buf = ctypes.create_string_buffer(32)
2462
buf_len = ctypes.c_size_t(len(buf))
2463
# Get the key ID from the raw public key into the buffer
2464
gnutls.pubkey_get_key_id(pubkey,
2465
gnutls.KEYID_USE_SHA256,
2466
ctypes.cast(ctypes.byref(buf),
2467
ctypes.POINTER(ctypes.c_ubyte)),
2468
ctypes.byref(buf_len))
2469
# Deinit the certificate
2470
gnutls.pubkey_deinit(pubkey)
2472
# Convert the buffer to a Python bytestring
2473
key_id = ctypes.string_at(buf, buf_len.value)
2474
# Convert the bytestring to hexadecimal notation
2475
hex_key_id = binascii.hexlify(key_id).upper()
2347
2479
def fingerprint(openpgp):
2348
2480
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2349
2481
# New GnuTLS "datum" with the OpenPGP public key
2576
2711
command = request[0]
2578
2713
if command == 'init':
2580
address = request[2]
2714
key_id = request[1].decode("ascii")
2715
fpr = request[2].decode("ascii")
2716
address = request[3]
2582
2718
for c in self.clients.values():
2583
if c.fingerprint == fpr:
2719
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2721
if key_id and c.key_id == key_id:
2724
if fpr and c.fingerprint == fpr:
2587
logger.info("Client not found for fingerprint: %s, ad"
2588
"dress: %s", fpr, address)
2728
logger.info("Client not found for key ID: %s, address"
2729
": %s", key_id or fpr, address)
2589
2730
if self.use_dbus:
2590
2731
# Emit D-Bus signal
2591
mandos_dbus_service.ClientNotFound(fpr,
2732
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2734
parent_pipe.send(False)
2596
2737
GLib.io_add_watch(
2597
parent_pipe.fileno(),
2598
GLib.IO_IN | GLib.IO_HUP,
2738
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2739
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2599
2740
functools.partial(self.handle_ipc,
2600
2741
parent_pipe=parent_pipe,
2633
2774
def rfc3339_duration_to_delta(duration):
2634
2775
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2636
>>> rfc3339_duration_to_delta("P7D")
2637
datetime.timedelta(7)
2638
>>> rfc3339_duration_to_delta("PT60S")
2639
datetime.timedelta(0, 60)
2640
>>> rfc3339_duration_to_delta("PT60M")
2641
datetime.timedelta(0, 3600)
2642
>>> rfc3339_duration_to_delta("PT24H")
2643
datetime.timedelta(1)
2644
>>> rfc3339_duration_to_delta("P1W")
2645
datetime.timedelta(7)
2646
>>> rfc3339_duration_to_delta("PT5M30S")
2647
datetime.timedelta(0, 330)
2648
>>> rfc3339_duration_to_delta("P1DT3M20S")
2649
datetime.timedelta(1, 200)
2777
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2779
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2781
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2783
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2785
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2787
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2789
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2652
2793
# Parsing an RFC 3339 duration with regular expressions is not
2732
2873
def string_to_delta(interval):
2733
2874
"""Parse a string and return a datetime.timedelta
2735
>>> string_to_delta('7d')
2736
datetime.timedelta(7)
2737
>>> string_to_delta('60s')
2738
datetime.timedelta(0, 60)
2739
>>> string_to_delta('60m')
2740
datetime.timedelta(0, 3600)
2741
>>> string_to_delta('24h')
2742
datetime.timedelta(1)
2743
>>> string_to_delta('1w')
2744
datetime.timedelta(7)
2745
>>> string_to_delta('5m 30s')
2746
datetime.timedelta(0, 330)
2876
>>> string_to_delta('7d') == datetime.timedelta(7)
2878
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2880
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2882
>>> string_to_delta('24h') == datetime.timedelta(1)
2884
>>> string_to_delta('1w') == datetime.timedelta(7)
2886
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2874
3014
"foreground": "False",
2875
3015
"zeroconf": "True",
2878
3019
# Parse config file for server-global settings
2879
server_config = configparser.SafeConfigParser(server_defaults)
3020
server_config = configparser.ConfigParser(server_defaults)
2880
3021
del server_defaults
2881
3022
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2882
# Convert the SafeConfigParser object to a dict
3023
# Convert the ConfigParser object to a dict
2883
3024
server_settings = server_config.defaults()
2884
3025
# Use the appropriate methods on the non-string config options
2885
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3026
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3027
"foreground", "zeroconf"):
2886
3028
server_settings[option] = server_config.getboolean("DEFAULT",
2888
3030
if server_settings["port"]:
3467
3614
# End of Avahi example code
3469
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3470
lambda *args, **kwargs:
3471
(tcp_server.handle_request
3472
(*args[2:], **kwargs) or True))
3617
GLib.IOChannel.unix_new(tcp_server.fileno()),
3618
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3619
lambda *args, **kwargs: (tcp_server.handle_request
3620
(*args[2:], **kwargs) or True))
3474
3622
logger.debug("Starting main loop")
3475
3623
main_loop.run()
3485
3633
# Must run before the D-Bus bus name gets deregistered
3637
def should_only_run_tests():
3638
parser = argparse.ArgumentParser(add_help=False)
3639
parser.add_argument("--check", action='store_true')
3640
args, unknown_args = parser.parse_known_args()
3641
run_tests = args.check
3643
# Remove --check argument from sys.argv
3644
sys.argv[1:] = unknown_args
3647
# Add all tests from doctest strings
3648
def load_tests(loader, tests, none):
3650
tests.addTests(doctest.DocTestSuite())
3489
3653
if __name__ == '__main__':
3655
if should_only_run_tests():
3656
# Call using ./mandos --check [--verbose]