11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
17
# This file is part of Mandos.
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
32
31
# Contact the authors at <mandos@recompile.se>.
535
505
# Pretend that we have a GnuTLS module
537
"""This isn't so much a class as it is a module-like namespace."""
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
539
510
library = ctypes.util.find_library("gnutls")
540
511
if library is None:
541
512
library = ctypes.util.find_library("gnutls-deb0")
542
513
_library = ctypes.cdll.LoadLibrary(library)
515
_need_version = b"3.3.0"
518
# Need to use class name "GnuTLS" here, since this method is
519
# called before the assignment to the "gnutls" global variable
521
if GnuTLS.check_version(self._need_version) is None:
522
raise GnuTLS.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
545
525
# Unless otherwise indicated, the constants and types below are
546
526
# all from the gnutls/gnutls.h C header file.
590
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
591
569
def __init__(self, message=None, code=None, args=()):
592
570
# Default usage is by a message string, but if a return
593
571
# code is passed, convert it to a string with
594
572
# gnutls.strerror()
596
574
if message is None and code is not None:
597
message = gnutls.strerror(code)
598
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
601
579
class CertificateSecurityError(Error):
583
class Credentials(object):
606
584
def __init__(self):
607
585
self._c_object = gnutls.certificate_credentials_t()
608
586
gnutls.certificate_allocate_credentials(
612
590
def __del__(self):
613
591
gnutls.certificate_free_credentials(self._c_object)
593
class ClientSession(object):
616
594
def __init__(self, socket, credentials=None):
617
595
self._c_object = gnutls.session_t()
618
gnutls_flags = gnutls.CLIENT
619
if gnutls.check_version(b"3.5.6"):
620
gnutls_flags |= gnutls.NO_TICKETS
622
gnutls_flags |= gnutls.ENABLE_RAWPK
623
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
625
597
gnutls.set_default_priority(self._c_object)
626
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
599
gnutls.handshake_set_private_extensions(self._c_object,
759
731
check_version.argtypes = [ctypes.c_char_p]
760
732
check_version.restype = ctypes.c_char_p
762
_need_version = b"3.3.0"
763
if check_version(_need_version) is None:
764
raise self.Error("Needs GnuTLS {} or later"
765
.format(_need_version))
767
_tls_rawpk_version = b"3.6.6"
768
has_rawpk = bool(check_version(_tls_rawpk_version))
772
class pubkey_st(ctypes.Structure):
774
pubkey_t = ctypes.POINTER(pubkey_st)
776
x509_crt_fmt_t = ctypes.c_int
778
# All the function declarations below are from
780
pubkey_init = _library.gnutls_pubkey_init
781
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
782
pubkey_init.restype = _error_code
784
pubkey_import = _library.gnutls_pubkey_import
785
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
787
pubkey_import.restype = _error_code
789
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
790
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
791
ctypes.POINTER(ctypes.c_ubyte),
792
ctypes.POINTER(ctypes.c_size_t)]
793
pubkey_get_key_id.restype = _error_code
795
pubkey_deinit = _library.gnutls_pubkey_deinit
796
pubkey_deinit.argtypes = [pubkey_t]
797
pubkey_deinit.restype = None
799
# All the function declarations below are from
802
openpgp_crt_init = _library.gnutls_openpgp_crt_init
803
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
804
openpgp_crt_init.restype = _error_code
806
openpgp_crt_import = _library.gnutls_openpgp_crt_import
807
openpgp_crt_import.argtypes = [openpgp_crt_t,
808
ctypes.POINTER(datum_t),
810
openpgp_crt_import.restype = _error_code
812
openpgp_crt_verify_self = \
813
_library.gnutls_openpgp_crt_verify_self
814
openpgp_crt_verify_self.argtypes = [
817
ctypes.POINTER(ctypes.c_uint),
819
openpgp_crt_verify_self.restype = _error_code
821
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
822
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
823
openpgp_crt_deinit.restype = None
825
openpgp_crt_get_fingerprint = (
826
_library.gnutls_openpgp_crt_get_fingerprint)
827
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
831
openpgp_crt_get_fingerprint.restype = _error_code
833
if check_version(b"3.6.4"):
834
certificate_type_get2 = _library.gnutls_certificate_type_get2
835
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
836
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
838
763
# Remove non-public functions
839
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
842
769
def call_pipe(connection, # : multiprocessing.Connection
850
777
connection.close()
780
class Client(object):
854
781
"""A representation of a client host served by this server.
857
784
approved: bool(); 'None' if not yet approved/disapproved
858
785
approval_delay: datetime.timedelta(); Time to wait for approval
859
786
approval_duration: datetime.timedelta(); Duration of one approval
860
checker: multiprocessing.Process(); a running checker process used
861
to see if the client lives. 'None' if no process is
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
863
790
checker_callback_tag: a GLib event source tag, or None
864
791
checker_command: string; External command which is run to check
865
792
if client lives. %() expansions are done at
901
826
runtime_expansions = ("approval_delay", "approval_duration",
902
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
903
828
"fingerprint", "host", "interval",
904
829
"last_approval_request", "last_checked_ok",
905
830
"last_enabled", "name", "timeout")
2251
def __init__(self, child_pipe, key_id, fpr, address):
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2252
2163
self._pipe = child_pipe
2253
self._pipe.send(('init', key_id, fpr, address))
2164
self._pipe.send(('init', fpr, address))
2254
2165
if not self._pipe.recv():
2255
raise KeyError(key_id or fpr)
2257
2168
def __getattribute__(self, name):
2258
2169
if name == '_pipe':
2326
2237
approval_required = False
2328
if gnutls.has_rawpk:
2331
key_id = self.key_id(
2332
self.peer_certificate(session))
2333
except (TypeError, gnutls.Error) as error:
2334
logger.warning("Bad certificate: %s", error)
2336
logger.debug("Key ID: %s", key_id)
2341
fpr = self.fingerprint(
2342
self.peer_certificate(session))
2343
except (TypeError, gnutls.Error) as error:
2344
logger.warning("Bad certificate: %s", error)
2346
logger.debug("Fingerprint: %s", fpr)
2349
client = ProxyClient(child_pipe, key_id, fpr,
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2245
logger.debug("Fingerprint: %s", fpr)
2248
client = ProxyClient(child_pipe, fpr,
2350
2249
self.client_address)
2351
2250
except KeyError:
2431
2330
def peer_certificate(session):
2432
"Return the peer's certificate as a bytestring"
2434
cert_type = gnutls.certificate_type_get2(session._c_object,
2436
except AttributeError:
2437
cert_type = gnutls.certificate_type_get(session._c_object)
2438
if gnutls.has_rawpk:
2439
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2441
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2442
# If not a valid certificate type...
2443
if cert_type not in valid_cert_types:
2444
logger.info("Cert type %r not in %r", cert_type,
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2446
2335
# ...return invalid data
2448
2337
list_size = ctypes.c_uint(1)
2456
2345
return ctypes.string_at(cert.data, cert.size)
2459
def key_id(certificate):
2460
"Convert a certificate bytestring to a hexdigit key ID"
2461
# New GnuTLS "datum" with the public key
2462
datum = gnutls.datum_t(
2463
ctypes.cast(ctypes.c_char_p(certificate),
2464
ctypes.POINTER(ctypes.c_ubyte)),
2465
ctypes.c_uint(len(certificate)))
2466
# XXX all these need to be created in the gnutls "module"
2467
# New empty GnuTLS certificate
2468
pubkey = gnutls.pubkey_t()
2469
gnutls.pubkey_init(ctypes.byref(pubkey))
2470
# Import the raw public key into the certificate
2471
gnutls.pubkey_import(pubkey,
2472
ctypes.byref(datum),
2473
gnutls.X509_FMT_DER)
2474
# New buffer for the key ID
2475
buf = ctypes.create_string_buffer(32)
2476
buf_len = ctypes.c_size_t(len(buf))
2477
# Get the key ID from the raw public key into the buffer
2478
gnutls.pubkey_get_key_id(
2480
gnutls.KEYID_USE_SHA256,
2481
ctypes.cast(ctypes.byref(buf),
2482
ctypes.POINTER(ctypes.c_ubyte)),
2483
ctypes.byref(buf_len))
2484
# Deinit the certificate
2485
gnutls.pubkey_deinit(pubkey)
2487
# Convert the buffer to a Python bytestring
2488
key_id = ctypes.string_at(buf, buf_len.value)
2489
# Convert the bytestring to hexadecimal notation
2490
hex_key_id = binascii.hexlify(key_id).upper()
2494
2348
def fingerprint(openpgp):
2495
2349
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2496
2350
# New GnuTLS "datum" with the OpenPGP public key
2726
2577
command = request[0]
2728
2579
if command == 'init':
2729
key_id = request[1].decode("ascii")
2730
fpr = request[2].decode("ascii")
2731
address = request[3]
2581
address = request[2]
2733
2583
for c in self.clients.values():
2734
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2735
"27AE41E4649B934CA495991B7852B855"):
2737
if key_id and c.key_id == key_id:
2740
if fpr and c.fingerprint == fpr:
2584
if c.fingerprint == fpr:
2744
logger.info("Client not found for key ID: %s, address"
2745
": %s", key_id or fpr, address)
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2746
2590
if self.use_dbus:
2747
2591
# Emit D-Bus signal
2748
mandos_dbus_service.ClientNotFound(key_id or fpr,
2592
mandos_dbus_service.ClientNotFound(fpr,
2750
2594
parent_pipe.send(False)
2753
2597
GLib.io_add_watch(
2754
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2755
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2756
2600
functools.partial(self.handle_ipc,
2757
2601
parent_pipe=parent_pipe,
2790
2634
def rfc3339_duration_to_delta(duration):
2791
2635
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2793
>>> timedelta = datetime.timedelta
2794
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2796
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2798
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2800
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2802
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2804
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2806
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2811
2653
# Parsing an RFC 3339 duration with regular expressions is not
2891
2733
def string_to_delta(interval):
2892
2734
"""Parse a string and return a datetime.timedelta
2894
>>> string_to_delta('7d') == datetime.timedelta(7)
2896
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2898
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2900
>>> string_to_delta('24h') == datetime.timedelta(1)
2902
>>> string_to_delta('1w') == datetime.timedelta(7)
2904
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
3032
2875
"foreground": "False",
3033
2876
"zeroconf": "True",
3037
2879
# Parse config file for server-global settings
3038
server_config = configparser.ConfigParser(server_defaults)
2880
server_config = configparser.SafeConfigParser(server_defaults)
3039
2881
del server_defaults
3040
2882
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3041
# Convert the ConfigParser object to a dict
2883
# Convert the SafeConfigParser object to a dict
3042
2884
server_settings = server_config.defaults()
3043
2885
# Use the appropriate methods on the non-string config options
3044
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3045
"foreground", "zeroconf"):
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3046
2887
server_settings[option] = server_config.getboolean("DEFAULT",
3048
2889
if server_settings["port"]:
3632
3468
# End of Avahi example code
3635
GLib.IOChannel.unix_new(tcp_server.fileno()),
3636
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3637
lambda *args, **kwargs: (tcp_server.handle_request
3638
(*args[2:], **kwargs) or True))
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3640
3475
logger.debug("Starting main loop")
3641
3476
main_loop.run()
3651
3486
# Must run before the D-Bus bus name gets deregistered
3655
def should_only_run_tests():
3656
parser = argparse.ArgumentParser(add_help=False)
3657
parser.add_argument("--check", action='store_true')
3658
args, unknown_args = parser.parse_known_args()
3659
run_tests = args.check
3661
# Remove --check argument from sys.argv
3662
sys.argv[1:] = unknown_args
3665
# Add all tests from doctest strings
3666
def load_tests(loader, tests, none):
3668
tests.addTests(doctest.DocTestSuite())
3671
3490
if __name__ == '__main__':
3673
if should_only_run_tests():
3674
# Call using ./mandos --check [--verbose]