11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
17
# This file is part of Mandos.
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
32
31
# Contact the authors at <mandos@recompile.se>.
509
505
# Pretend that we have a GnuTLS module
510
class gnutls(object):
511
"""This isn't so much a class as it is a module-like namespace."""
513
library = ctypes.util.find_library("gnutls")
515
library = ctypes.util.find_library("gnutls-deb0")
516
_library = ctypes.cdll.LoadLibrary(library)
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
510
_library = ctypes.cdll.LoadLibrary(
511
ctypes.util.find_library("gnutls"))
512
_need_version = b"3.3.0"
515
# Need to use class name "GnuTLS" here, since this method is
516
# called before the assignment to the "gnutls" global variable
518
if GnuTLS.check_version(self._need_version) is None:
519
raise GnuTLS.Error("Needs GnuTLS {} or later"
520
.format(self._need_version))
519
522
# Unless otherwise indicated, the constants and types below are
520
523
# all from the gnutls/gnutls.h C header file.
564
561
class Error(Exception):
562
# We need to use the class name "GnuTLS" here, since this
563
# exception might be raised from within GnuTLS.__init__,
564
# which is called before the assignment to the "gnutls"
565
# global variable has happened.
565
566
def __init__(self, message=None, code=None, args=()):
566
567
# Default usage is by a message string, but if a return
567
568
# code is passed, convert it to a string with
568
569
# gnutls.strerror()
570
571
if message is None and code is not None:
571
message = gnutls.strerror(code)
572
return super(gnutls.Error, self).__init__(
572
message = GnuTLS.strerror(code)
573
return super(GnuTLS.Error, self).__init__(
575
576
class CertificateSecurityError(Error):
589
590
class ClientSession(object):
590
591
def __init__(self, socket, credentials=None):
591
592
self._c_object = gnutls.session_t()
592
gnutls_flags = gnutls.CLIENT
593
if gnutls.check_version(b"3.5.6"):
594
gnutls_flags |= gnutls.NO_TICKETS
596
gnutls_flags |= gnutls.ENABLE_RAWPK
597
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
593
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
599
594
gnutls.set_default_priority(self._c_object)
600
595
gnutls.transport_set_ptr(self._c_object, socket.fileno())
601
596
gnutls.handshake_set_private_extensions(self._c_object,
733
728
check_version.argtypes = [ctypes.c_char_p]
734
729
check_version.restype = ctypes.c_char_p
736
_need_version = b"3.3.0"
737
if check_version(_need_version) is None:
738
raise self.Error("Needs GnuTLS {} or later"
739
.format(_need_version))
741
_tls_rawpk_version = b"3.6.6"
742
has_rawpk = bool(check_version(_tls_rawpk_version))
746
class pubkey_st(ctypes.Structure):
748
pubkey_t = ctypes.POINTER(pubkey_st)
750
x509_crt_fmt_t = ctypes.c_int
752
# All the function declarations below are from gnutls/abstract.h
753
pubkey_init = _library.gnutls_pubkey_init
754
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
755
pubkey_init.restype = _error_code
757
pubkey_import = _library.gnutls_pubkey_import
758
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
760
pubkey_import.restype = _error_code
762
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
763
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
764
ctypes.POINTER(ctypes.c_ubyte),
765
ctypes.POINTER(ctypes.c_size_t)]
766
pubkey_get_key_id.restype = _error_code
768
pubkey_deinit = _library.gnutls_pubkey_deinit
769
pubkey_deinit.argtypes = [pubkey_t]
770
pubkey_deinit.restype = None
772
# All the function declarations below are from gnutls/openpgp.h
774
openpgp_crt_init = _library.gnutls_openpgp_crt_init
775
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
776
openpgp_crt_init.restype = _error_code
778
openpgp_crt_import = _library.gnutls_openpgp_crt_import
779
openpgp_crt_import.argtypes = [openpgp_crt_t,
780
ctypes.POINTER(datum_t),
782
openpgp_crt_import.restype = _error_code
784
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
785
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
786
ctypes.POINTER(ctypes.c_uint)]
787
openpgp_crt_verify_self.restype = _error_code
789
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
790
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
791
openpgp_crt_deinit.restype = None
793
openpgp_crt_get_fingerprint = (
794
_library.gnutls_openpgp_crt_get_fingerprint)
795
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
799
openpgp_crt_get_fingerprint.restype = _error_code
801
if check_version(b"3.6.4"):
802
certificate_type_get2 = _library.gnutls_certificate_type_get2
803
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
804
certificate_type_get2.restype = _error_code
731
# All the function declarations below are from gnutls/openpgp.h
733
openpgp_crt_init = _library.gnutls_openpgp_crt_init
734
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
735
openpgp_crt_init.restype = _error_code
737
openpgp_crt_import = _library.gnutls_openpgp_crt_import
738
openpgp_crt_import.argtypes = [openpgp_crt_t,
739
ctypes.POINTER(datum_t),
741
openpgp_crt_import.restype = _error_code
743
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
744
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
745
ctypes.POINTER(ctypes.c_uint)]
746
openpgp_crt_verify_self.restype = _error_code
748
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
749
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
750
openpgp_crt_deinit.restype = None
752
openpgp_crt_get_fingerprint = (
753
_library.gnutls_openpgp_crt_get_fingerprint)
754
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
openpgp_crt_get_fingerprint.restype = _error_code
806
760
# Remove non-public functions
807
761
del _error_code, _retry_on_error
762
# Create the global "gnutls" object, simulating a module
810
766
def call_pipe(connection, # : multiprocessing.Connection
825
781
approved: bool(); 'None' if not yet approved/disapproved
826
782
approval_delay: datetime.timedelta(); Time to wait for approval
827
783
approval_duration: datetime.timedelta(); Duration of one approval
828
checker: multiprocessing.Process(); a running checker process used
829
to see if the client lives. 'None' if no process is
784
checker: subprocess.Popen(); a running checker process used
785
to see if the client lives.
786
'None' if no process is running.
831
787
checker_callback_tag: a GLib event source tag, or None
832
788
checker_command: string; External command which is run to check
833
789
if client lives. %() expansions are done at
869
823
runtime_expansions = ("approval_delay", "approval_duration",
870
"created", "enabled", "expires", "key_id",
824
"created", "enabled", "expires",
871
825
"fingerprint", "host", "interval",
872
826
"last_approval_request", "last_checked_ok",
873
827
"last_enabled", "name", "timeout")
2216
2158
class ProxyClient(object):
2217
def __init__(self, child_pipe, key_id, fpr, address):
2159
def __init__(self, child_pipe, fpr, address):
2218
2160
self._pipe = child_pipe
2219
self._pipe.send(('init', key_id, fpr, address))
2161
self._pipe.send(('init', fpr, address))
2220
2162
if not self._pipe.recv():
2221
raise KeyError(key_id or fpr)
2223
2165
def __getattribute__(self, name):
2224
2166
if name == '_pipe':
2292
2234
approval_required = False
2294
if gnutls.has_rawpk:
2297
key_id = self.key_id(
2298
self.peer_certificate(session))
2299
except (TypeError, gnutls.Error) as error:
2300
logger.warning("Bad certificate: %s", error)
2302
logger.debug("Key ID: %s", key_id)
2307
fpr = self.fingerprint(
2308
self.peer_certificate(session))
2309
except (TypeError, gnutls.Error) as error:
2310
logger.warning("Bad certificate: %s", error)
2312
logger.debug("Fingerprint: %s", fpr)
2315
client = ProxyClient(child_pipe, key_id, fpr,
2237
fpr = self.fingerprint(
2238
self.peer_certificate(session))
2239
except (TypeError, gnutls.Error) as error:
2240
logger.warning("Bad certificate: %s", error)
2242
logger.debug("Fingerprint: %s", fpr)
2245
client = ProxyClient(child_pipe, fpr,
2316
2246
self.client_address)
2317
2247
except KeyError:
2397
2327
def peer_certificate(session):
2398
"Return the peer's certificate as a bytestring"
2400
cert_type = gnutls.certificate_type_get2(session._c_object,
2402
except AttributeError:
2403
cert_type = gnutls.certificate_type_get(session._c_object)
2404
if gnutls.has_rawpk:
2405
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2407
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2408
# If not a valid certificate type...
2409
if cert_type not in valid_cert_types:
2410
logger.info("Cert type %r not in %r", cert_type,
2328
"Return the peer's OpenPGP certificate as a bytestring"
2329
# If not an OpenPGP certificate...
2330
if (gnutls.certificate_type_get(session._c_object)
2331
!= gnutls.CRT_OPENPGP):
2412
2332
# ...return invalid data
2414
2334
list_size = ctypes.c_uint(1)
2422
2342
return ctypes.string_at(cert.data, cert.size)
2425
def key_id(certificate):
2426
"Convert a certificate bytestring to a hexdigit key ID"
2427
# New GnuTLS "datum" with the public key
2428
datum = gnutls.datum_t(
2429
ctypes.cast(ctypes.c_char_p(certificate),
2430
ctypes.POINTER(ctypes.c_ubyte)),
2431
ctypes.c_uint(len(certificate)))
2432
# XXX all these need to be created in the gnutls "module"
2433
# New empty GnuTLS certificate
2434
pubkey = gnutls.pubkey_t()
2435
gnutls.pubkey_init(ctypes.byref(pubkey))
2436
# Import the raw public key into the certificate
2437
gnutls.pubkey_import(pubkey,
2438
ctypes.byref(datum),
2439
gnutls.X509_FMT_DER)
2440
# New buffer for the key ID
2441
buf = ctypes.create_string_buffer(32)
2442
buf_len = ctypes.c_size_t(len(buf))
2443
# Get the key ID from the raw public key into the buffer
2444
gnutls.pubkey_get_key_id(pubkey,
2445
gnutls.KEYID_USE_SHA256,
2446
ctypes.cast(ctypes.byref(buf),
2447
ctypes.POINTER(ctypes.c_ubyte)),
2448
ctypes.byref(buf_len))
2449
# Deinit the certificate
2450
gnutls.pubkey_deinit(pubkey)
2452
# Convert the buffer to a Python bytestring
2453
key_id = ctypes.string_at(buf, buf_len.value)
2454
# Convert the bytestring to hexadecimal notation
2455
hex_key_id = binascii.hexlify(key_id).upper()
2459
2345
def fingerprint(openpgp):
2460
2346
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2461
2347
# New GnuTLS "datum" with the OpenPGP public key
2691
2574
command = request[0]
2693
2576
if command == 'init':
2694
key_id = request[1].decode("ascii")
2695
fpr = request[2].decode("ascii")
2696
address = request[3]
2578
address = request[2]
2698
2580
for c in self.clients.values():
2699
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2701
if key_id and c.key_id == key_id:
2704
if fpr and c.fingerprint == fpr:
2581
if c.fingerprint == fpr:
2708
logger.info("Client not found for key ID: %s, address"
2709
": %s", key_id or fpr, address)
2585
logger.info("Client not found for fingerprint: %s, ad"
2586
"dress: %s", fpr, address)
2710
2587
if self.use_dbus:
2711
2588
# Emit D-Bus signal
2712
mandos_dbus_service.ClientNotFound(key_id or fpr,
2589
mandos_dbus_service.ClientNotFound(fpr,
2714
2591
parent_pipe.send(False)
2999
2872
"foreground": "False",
3000
2873
"zeroconf": "True",
3004
2876
# Parse config file for server-global settings
3005
server_config = configparser.ConfigParser(server_defaults)
2877
server_config = configparser.SafeConfigParser(server_defaults)
3006
2878
del server_defaults
3007
2879
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3008
# Convert the ConfigParser object to a dict
2880
# Convert the SafeConfigParser object to a dict
3009
2881
server_settings = server_config.defaults()
3010
2882
# Use the appropriate methods on the non-string config options
3011
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3012
"foreground", "zeroconf"):
2883
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3013
2884
server_settings[option] = server_config.getboolean("DEFAULT",
3015
2886
if server_settings["port"]: