/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2021-03-21 20:46:40 UTC
  • Revision ID: teddy@recompile.se-20210321204640-lpsyen8jr9lw1jma
Some cleanup of GnuTLS interface

Rename opaque internal GnuTLS structures named *_int to also start
with underscore (_), as is the custom in Python programs.

Decode byte strings from UTF-8 where needed.  (Fixing, among other
things, all "DEBUG: GnuTLS" lines having a "b'" prefix in Python 3.)

Simplify calling C functions by:
1. Using the "_as_parameter_" attribute to store the ctypes object.
2. Creating and using helper classes to automatically create pointers
   or cast typed pointers to pointers to void.
3. Providing the "from_param()" method on relevant classes.

Remove "restype" attribute on C functions where "errcheck" attribute
is already set.

* mandos (gnutls.session_int): Rename to start with "_".
  (gnutls.openpgp_crt_int): - '' -
  (gnutls.Error.__init__): Decode byte string from gnutls.strerror().
  (gnutls.PointerTo): New helper class.
  (gnutls.CastToVoidPointer): - '' -
  (gnutls.With_from_param): - '' -
  (gnutls.Credentials): Inherit from "With_from_param" and store the
  ctypes object in the "_as_parameter_" attribute instead of
  "_c_object".
  (gnutls._error_code): Use "gnutls.E_SUCCESS" instead of the unadorned
  numerical constant "0".
  (gnutls._retry_on_error): - '' -
  (gnutls.priority_set_direct.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (gnutls.init.argtypes): Use "PointerTo(ClientSession)" instead of
  "ctypes.POINTER(session_t)", and change all callers to match.
  (gnutls.set_default_priority.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (gnutls.record_send.argtypes): - '' -
  (gnutls.certificate_allocate_credentials.argtypes): Use
  "PointerTo(Credentials)" instead of
  "ctypes.POINTER(certificate_credentials_t)", and change all callers
  to match.
  (gnutls.certificate_free_credentials.argtypes): Use "Credentials"
  instead of "certificate_credentials_t", and change all callers to
  match.
  (gnutls.handshake_set_private_extensions.argtypes): Use
  "ClientSession" instead of "session_t", and change all callers to
  match.
  (gnutls.credentials_set.argtypes): Use
  "CastToVoidPointer(Credentials)" instead of "ctypes.c_void_p", and
  change all callers to match.
  (gnutls.certificate_type_get.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (gnutls.certificate_get_peers.argtypes): - '' -
  (gnutls.deinit.argtypes): - '' -
  (gnutls.handshake.argtypes): - '' -
  (gnutls.handshake.restype): Change from "_error_code" to
  "ctypes.c_int".
  (gnutls.transport_set_ptr.argtypes): Use "ClientSession" instead of
  "session_t", and change all callers to match.
  (gnutls.bye.argtypes): - '' -
  (gnutls.bye.restype): Change from "_error_code" to "ctypes.c_int".
  (gnutls.certificate_type_get2.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (ClientHandler.handle): Decode "key_id" bytes to string before
  logging it in the debug log.
  (main.debug_gnutls): Decode GnuTLS log message from bytes to string
  before logging it in the debug log.

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos
563
563
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
564
564
 
565
565
    # Types
566
 
    class session_int(ctypes.Structure):
 
566
    class _session_int(ctypes.Structure):
567
567
        _fields_ = []
568
 
    session_t = ctypes.POINTER(session_int)
 
568
    session_t = ctypes.POINTER(_session_int)
569
569
 
570
570
    class certificate_credentials_st(ctypes.Structure):
571
571
        _fields_ = []
577
577
        _fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
578
                    ('size', ctypes.c_uint)]
579
579
 
580
 
    class openpgp_crt_int(ctypes.Structure):
 
580
    class _openpgp_crt_int(ctypes.Structure):
581
581
        _fields_ = []
582
 
    openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
 
582
    openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
583
    openpgp_crt_fmt_t = ctypes.c_int  # gnutls/openpgp.h
584
584
    log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
585
    credentials_type_t = ctypes.c_int
594
594
            # gnutls.strerror()
595
595
            self.code = code
596
596
            if message is None and code is not None:
597
 
                message = gnutls.strerror(code)
 
597
                message = gnutls.strerror(code).decode(
 
598
                    "utf-8", errors="replace")
598
599
            return super(gnutls.Error, self).__init__(
599
600
                message, *args)
600
601
 
601
602
    class CertificateSecurityError(Error):
602
603
        pass
603
604
 
 
605
    class PointerTo:
 
606
        def __init__(self, cls):
 
607
            self.cls = cls
 
608
 
 
609
        def from_param(self, obj):
 
610
            if not isinstance(obj, self.cls):
 
611
                raise TypeError("Not of type {}: {!r}"
 
612
                                .format(self.cls.__name__, obj))
 
613
            return ctypes.byref(obj.from_param(obj))
 
614
 
 
615
    class CastToVoidPointer:
 
616
        def __init__(self, cls):
 
617
            self.cls = cls
 
618
 
 
619
        def from_param(self, obj):
 
620
            if not isinstance(obj, self.cls):
 
621
                raise TypeError("Not of type {}: {!r}"
 
622
                                .format(self.cls.__name__, obj))
 
623
            return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
 
624
 
 
625
    class With_from_param:
 
626
        @classmethod
 
627
        def from_param(cls, obj):
 
628
            return obj._as_parameter_
 
629
 
604
630
    # Classes
605
 
    class Credentials:
 
631
    class Credentials(With_from_param):
606
632
        def __init__(self):
607
 
            self._c_object = gnutls.certificate_credentials_t()
608
 
            gnutls.certificate_allocate_credentials(
609
 
                ctypes.byref(self._c_object))
 
633
            self._as_parameter_ = gnutls.certificate_credentials_t()
 
634
            gnutls.certificate_allocate_credentials(self)
610
635
            self.type = gnutls.CRD_CERTIFICATE
611
636
 
612
637
        def __del__(self):
613
 
            gnutls.certificate_free_credentials(self._c_object)
 
638
            gnutls.certificate_free_credentials(self)
614
639
 
615
 
    class ClientSession:
 
640
    class ClientSession(With_from_param):
616
641
        def __init__(self, socket, credentials=None):
617
 
            self._c_object = gnutls.session_t()
 
642
            self._as_parameter_ = gnutls.session_t()
618
643
            gnutls_flags = gnutls.CLIENT
619
644
            if gnutls.check_version(b"3.5.6"):
620
645
                gnutls_flags |= gnutls.NO_TICKETS
621
646
            if gnutls.has_rawpk:
622
647
                gnutls_flags |= gnutls.ENABLE_RAWPK
623
 
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
 
648
            gnutls.init(self, gnutls_flags)
624
649
            del gnutls_flags
625
 
            gnutls.set_default_priority(self._c_object)
626
 
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
 
            gnutls.handshake_set_private_extensions(self._c_object,
628
 
                                                    True)
 
650
            gnutls.set_default_priority(self)
 
651
            gnutls.transport_set_ptr(self, socket.fileno())
 
652
            gnutls.handshake_set_private_extensions(self, True)
629
653
            self.socket = socket
630
654
            if credentials is None:
631
655
                credentials = gnutls.Credentials()
632
 
            gnutls.credentials_set(self._c_object, credentials.type,
633
 
                                   ctypes.cast(credentials._c_object,
634
 
                                               ctypes.c_void_p))
 
656
            gnutls.credentials_set(self, credentials.type,
 
657
                                   credentials)
635
658
            self.credentials = credentials
636
659
 
637
660
        def __del__(self):
638
 
            gnutls.deinit(self._c_object)
 
661
            gnutls.deinit(self)
639
662
 
640
663
        def handshake(self):
641
 
            return gnutls.handshake(self._c_object)
 
664
            return gnutls.handshake(self)
642
665
 
643
666
        def send(self, data):
644
667
            data = bytes(data)
645
668
            data_len = len(data)
646
669
            while data_len > 0:
647
 
                data_len -= gnutls.record_send(self._c_object,
648
 
                                               data[-data_len:],
 
670
                data_len -= gnutls.record_send(self, data[-data_len:],
649
671
                                               data_len)
650
672
 
651
673
        def bye(self):
652
 
            return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
 
674
            return gnutls.bye(self, gnutls.SHUT_RDWR)
653
675
 
654
676
    # Error handling functions
655
677
    def _error_code(result):
656
678
        """A function to raise exceptions on errors, suitable
657
679
        for the 'restype' attribute on ctypes functions"""
658
 
        if result >= 0:
 
680
        if result >= gnutls.E_SUCCESS:
659
681
            return result
660
682
        if result == gnutls.E_NO_CERTIFICATE_FOUND:
661
683
            raise gnutls.CertificateSecurityError(code=result)
665
687
                        _error_code=_error_code):
666
688
        """A function to retry on some errors, suitable
667
689
        for the 'errcheck' attribute on ctypes functions"""
668
 
        while result < 0:
 
690
        while result < gnutls.E_SUCCESS:
669
691
            if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
670
692
                return _error_code(result)
671
693
            result = func(*arguments)
676
698
 
677
699
    # Functions
678
700
    priority_set_direct = _library.gnutls_priority_set_direct
679
 
    priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
 
701
    priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
680
702
                                    ctypes.POINTER(ctypes.c_char_p)]
681
703
    priority_set_direct.restype = _error_code
682
704
 
683
705
    init = _library.gnutls_init
684
 
    init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
 
706
    init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
685
707
    init.restype = _error_code
686
708
 
687
709
    set_default_priority = _library.gnutls_set_default_priority
688
 
    set_default_priority.argtypes = [session_t]
 
710
    set_default_priority.argtypes = [ClientSession]
689
711
    set_default_priority.restype = _error_code
690
712
 
691
713
    record_send = _library.gnutls_record_send
692
 
    record_send.argtypes = [session_t, ctypes.c_void_p,
 
714
    record_send.argtypes = [ClientSession, ctypes.c_void_p,
693
715
                            ctypes.c_size_t]
694
716
    record_send.restype = ctypes.c_ssize_t
695
717
    record_send.errcheck = _retry_on_error
697
719
    certificate_allocate_credentials = (
698
720
        _library.gnutls_certificate_allocate_credentials)
699
721
    certificate_allocate_credentials.argtypes = [
700
 
        ctypes.POINTER(certificate_credentials_t)]
 
722
        PointerTo(Credentials)]
701
723
    certificate_allocate_credentials.restype = _error_code
702
724
 
703
725
    certificate_free_credentials = (
704
726
        _library.gnutls_certificate_free_credentials)
705
 
    certificate_free_credentials.argtypes = [
706
 
        certificate_credentials_t]
 
727
    certificate_free_credentials.argtypes = [Credentials]
707
728
    certificate_free_credentials.restype = None
708
729
 
709
730
    handshake_set_private_extensions = (
710
731
        _library.gnutls_handshake_set_private_extensions)
711
 
    handshake_set_private_extensions.argtypes = [session_t,
 
732
    handshake_set_private_extensions.argtypes = [ClientSession,
712
733
                                                 ctypes.c_int]
713
734
    handshake_set_private_extensions.restype = None
714
735
 
715
736
    credentials_set = _library.gnutls_credentials_set
716
 
    credentials_set.argtypes = [session_t, credentials_type_t,
717
 
                                ctypes.c_void_p]
 
737
    credentials_set.argtypes = [ClientSession, credentials_type_t,
 
738
                                CastToVoidPointer(Credentials)]
718
739
    credentials_set.restype = _error_code
719
740
 
720
741
    strerror = _library.gnutls_strerror
722
743
    strerror.restype = ctypes.c_char_p
723
744
 
724
745
    certificate_type_get = _library.gnutls_certificate_type_get
725
 
    certificate_type_get.argtypes = [session_t]
 
746
    certificate_type_get.argtypes = [ClientSession]
726
747
    certificate_type_get.restype = _error_code
727
748
 
728
749
    certificate_get_peers = _library.gnutls_certificate_get_peers
729
 
    certificate_get_peers.argtypes = [session_t,
 
750
    certificate_get_peers.argtypes = [ClientSession,
730
751
                                      ctypes.POINTER(ctypes.c_uint)]
731
752
    certificate_get_peers.restype = ctypes.POINTER(datum_t)
732
753
 
739
760
    global_set_log_function.restype = None
740
761
 
741
762
    deinit = _library.gnutls_deinit
742
 
    deinit.argtypes = [session_t]
 
763
    deinit.argtypes = [ClientSession]
743
764
    deinit.restype = None
744
765
 
745
766
    handshake = _library.gnutls_handshake
746
 
    handshake.argtypes = [session_t]
747
 
    handshake.restype = _error_code
 
767
    handshake.argtypes = [ClientSession]
 
768
    handshake.restype = ctypes.c_int
748
769
    handshake.errcheck = _retry_on_error
749
770
 
750
771
    transport_set_ptr = _library.gnutls_transport_set_ptr
751
 
    transport_set_ptr.argtypes = [session_t, transport_ptr_t]
 
772
    transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
752
773
    transport_set_ptr.restype = None
753
774
 
754
775
    bye = _library.gnutls_bye
755
 
    bye.argtypes = [session_t, close_request_t]
756
 
    bye.restype = _error_code
 
776
    bye.argtypes = [ClientSession, close_request_t]
 
777
    bye.restype = ctypes.c_int
757
778
    bye.errcheck = _retry_on_error
758
779
 
759
780
    check_version = _library.gnutls_check_version
833
854
 
834
855
    if check_version(b"3.6.4"):
835
856
        certificate_type_get2 = _library.gnutls_certificate_type_get2
836
 
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
 
857
        certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
837
858
        certificate_type_get2.restype = _error_code
838
859
 
839
860
    # Remove non-public functions
2299
2320
            priority = self.server.gnutls_priority
2300
2321
            if priority is None:
2301
2322
                priority = "NORMAL"
2302
 
            gnutls.priority_set_direct(session._c_object,
2303
 
                                       priority.encode("utf-8"),
2304
 
                                       None)
 
2323
            gnutls.priority_set_direct(session,
 
2324
                                       priority.encode("utf-8"), None)
2305
2325
 
2306
2326
            # Start communication using the Mandos protocol
2307
2327
            # Get protocol number
2334
2354
                    except (TypeError, gnutls.Error) as error:
2335
2355
                        logger.warning("Bad certificate: %s", error)
2336
2356
                        return
2337
 
                    logger.debug("Key ID: %s", key_id)
 
2357
                    logger.debug("Key ID: %s",
 
2358
                                 key_id.decode("utf-8",
 
2359
                                               errors="replace"))
2338
2360
 
2339
2361
                else:
2340
2362
                    key_id = b""
2432
2454
    def peer_certificate(session):
2433
2455
        "Return the peer's certificate as a bytestring"
2434
2456
        try:
2435
 
            cert_type = gnutls.certificate_type_get2(session._c_object,
2436
 
                                                     gnutls.CTYPE_PEERS)
 
2457
            cert_type = gnutls.certificate_type_get2(
 
2458
                session, gnutls.CTYPE_PEERS)
2437
2459
        except AttributeError:
2438
 
            cert_type = gnutls.certificate_type_get(session._c_object)
 
2460
            cert_type = gnutls.certificate_type_get(session)
2439
2461
        if gnutls.has_rawpk:
2440
2462
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2441
2463
        else:
2448
2470
            return b""
2449
2471
        list_size = ctypes.c_uint(1)
2450
2472
        cert_list = (gnutls.certificate_get_peers
2451
 
                     (session._c_object, ctypes.byref(list_size)))
 
2473
                     (session, ctypes.byref(list_size)))
2452
2474
        if not bool(cert_list) and list_size.value != 0:
2453
2475
            raise gnutls.Error("error getting peer certificate")
2454
2476
        if list_size.value == 0:
3179
3201
 
3180
3202
        @gnutls.log_func
3181
3203
        def debug_gnutls(level, string):
3182
 
            logger.debug("GnuTLS: %s", string[:-1])
 
3204
            logger.debug("GnuTLS: %s",
 
3205
                         string[:-1].decode("utf-8",
 
3206
                                            errors="replace"))
3183
3207
 
3184
3208
        gnutls.global_set_log_function(debug_gnutls)
3185
3209