517
507
# Pretend that we have a GnuTLS module
519
"""This isn't so much a class as it is a module-like namespace."""
508
class GnuTLS(object):
509
"""This isn't so much a class as it is a module-like namespace.
510
It is instantiated once, and simulates having a GnuTLS module."""
521
512
library = ctypes.util.find_library("gnutls")
522
513
if library is None:
523
514
library = ctypes.util.find_library("gnutls-deb0")
524
515
_library = ctypes.cdll.LoadLibrary(library)
517
_need_version = b"3.3.0"
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
527
526
# Unless otherwise indicated, the constants and types below are
528
527
# all from the gnutls/gnutls.h C header file.
572
565
class Error(Exception):
566
# We need to use the class name "GnuTLS" here, since this
567
# exception might be raised from within GnuTLS.__init__,
568
# which is called before the assignment to the "gnutls"
569
# global variable has happened.
573
570
def __init__(self, message=None, code=None, args=()):
574
571
# Default usage is by a message string, but if a return
575
572
# code is passed, convert it to a string with
576
573
# gnutls.strerror()
578
575
if message is None and code is not None:
579
message = gnutls.strerror(code)
580
return super(gnutls.Error, self).__init__(
576
message = GnuTLS.strerror(code)
577
return super(GnuTLS.Error, self).__init__(
583
580
class CertificateSecurityError(Error):
584
class Credentials(object):
588
585
def __init__(self):
589
586
self._c_object = gnutls.certificate_credentials_t()
590
587
gnutls.certificate_allocate_credentials(
594
591
def __del__(self):
595
592
gnutls.certificate_free_credentials(self._c_object)
594
class ClientSession(object):
598
595
def __init__(self, socket, credentials=None):
599
596
self._c_object = gnutls.session_t()
600
gnutls_flags = gnutls.CLIENT
601
if gnutls.check_version(b"3.5.6"):
602
gnutls_flags |= gnutls.NO_TICKETS
604
gnutls_flags |= gnutls.ENABLE_RAWPK
605
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
597
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
607
598
gnutls.set_default_priority(self._c_object)
608
599
gnutls.transport_set_ptr(self._c_object, socket.fileno())
609
600
gnutls.handshake_set_private_extensions(self._c_object,
741
732
check_version.argtypes = [ctypes.c_char_p]
742
733
check_version.restype = ctypes.c_char_p
744
_need_version = b"3.3.0"
745
if check_version(_need_version) is None:
746
raise self.Error("Needs GnuTLS {} or later"
747
.format(_need_version))
749
_tls_rawpk_version = b"3.6.6"
750
has_rawpk = bool(check_version(_tls_rawpk_version))
754
class pubkey_st(ctypes.Structure):
756
pubkey_t = ctypes.POINTER(pubkey_st)
758
x509_crt_fmt_t = ctypes.c_int
760
# All the function declarations below are from gnutls/abstract.h
761
pubkey_init = _library.gnutls_pubkey_init
762
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
763
pubkey_init.restype = _error_code
765
pubkey_import = _library.gnutls_pubkey_import
766
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
768
pubkey_import.restype = _error_code
770
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
771
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
772
ctypes.POINTER(ctypes.c_ubyte),
773
ctypes.POINTER(ctypes.c_size_t)]
774
pubkey_get_key_id.restype = _error_code
776
pubkey_deinit = _library.gnutls_pubkey_deinit
777
pubkey_deinit.argtypes = [pubkey_t]
778
pubkey_deinit.restype = None
780
# All the function declarations below are from gnutls/openpgp.h
782
openpgp_crt_init = _library.gnutls_openpgp_crt_init
783
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
784
openpgp_crt_init.restype = _error_code
786
openpgp_crt_import = _library.gnutls_openpgp_crt_import
787
openpgp_crt_import.argtypes = [openpgp_crt_t,
788
ctypes.POINTER(datum_t),
790
openpgp_crt_import.restype = _error_code
792
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
793
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
794
ctypes.POINTER(ctypes.c_uint)]
795
openpgp_crt_verify_self.restype = _error_code
797
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
798
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
799
openpgp_crt_deinit.restype = None
801
openpgp_crt_get_fingerprint = (
802
_library.gnutls_openpgp_crt_get_fingerprint)
803
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
807
openpgp_crt_get_fingerprint.restype = _error_code
809
if check_version(b"3.6.4"):
810
certificate_type_get2 = _library.gnutls_certificate_type_get2
811
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
812
certificate_type_get2.restype = _error_code
735
# All the function declarations below are from gnutls/openpgp.h
737
openpgp_crt_init = _library.gnutls_openpgp_crt_init
738
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
739
openpgp_crt_init.restype = _error_code
741
openpgp_crt_import = _library.gnutls_openpgp_crt_import
742
openpgp_crt_import.argtypes = [openpgp_crt_t,
743
ctypes.POINTER(datum_t),
745
openpgp_crt_import.restype = _error_code
747
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
748
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
749
ctypes.POINTER(ctypes.c_uint)]
750
openpgp_crt_verify_self.restype = _error_code
752
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
753
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
754
openpgp_crt_deinit.restype = None
756
openpgp_crt_get_fingerprint = (
757
_library.gnutls_openpgp_crt_get_fingerprint)
758
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
762
openpgp_crt_get_fingerprint.restype = _error_code
814
764
# Remove non-public functions
815
765
del _error_code, _retry_on_error
766
# Create the global "gnutls" object, simulating a module
818
770
def call_pipe(connection, # : multiprocessing.Connection
826
778
connection.close()
781
class Client(object):
830
782
"""A representation of a client host served by this server.
833
785
approved: bool(); 'None' if not yet approved/disapproved
834
786
approval_delay: datetime.timedelta(); Time to wait for approval
835
787
approval_duration: datetime.timedelta(); Duration of one approval
836
checker: multiprocessing.Process(); a running checker process used
837
to see if the client lives. 'None' if no process is
788
checker: subprocess.Popen(); a running checker process used
789
to see if the client lives.
790
'None' if no process is running.
839
791
checker_callback_tag: a GLib event source tag, or None
840
792
checker_command: string; External command which is run to check
841
793
if client lives. %() expansions are done at
877
827
runtime_expansions = ("approval_delay", "approval_duration",
878
"created", "enabled", "expires", "key_id",
828
"created", "enabled", "expires",
879
829
"fingerprint", "host", "interval",
880
830
"last_approval_request", "last_checked_ok",
881
831
"last_enabled", "name", "timeout")
2226
def __init__(self, child_pipe, key_id, fpr, address):
2163
class ProxyClient(object):
2164
def __init__(self, child_pipe, fpr, address):
2227
2165
self._pipe = child_pipe
2228
self._pipe.send(('init', key_id, fpr, address))
2166
self._pipe.send(('init', fpr, address))
2229
2167
if not self._pipe.recv():
2230
raise KeyError(key_id or fpr)
2232
2170
def __getattribute__(self, name):
2233
2171
if name == '_pipe':
2301
2239
approval_required = False
2303
if gnutls.has_rawpk:
2306
key_id = self.key_id(
2307
self.peer_certificate(session))
2308
except (TypeError, gnutls.Error) as error:
2309
logger.warning("Bad certificate: %s", error)
2311
logger.debug("Key ID: %s", key_id)
2316
fpr = self.fingerprint(
2317
self.peer_certificate(session))
2318
except (TypeError, gnutls.Error) as error:
2319
logger.warning("Bad certificate: %s", error)
2321
logger.debug("Fingerprint: %s", fpr)
2324
client = ProxyClient(child_pipe, key_id, fpr,
2242
fpr = self.fingerprint(
2243
self.peer_certificate(session))
2244
except (TypeError, gnutls.Error) as error:
2245
logger.warning("Bad certificate: %s", error)
2247
logger.debug("Fingerprint: %s", fpr)
2250
client = ProxyClient(child_pipe, fpr,
2325
2251
self.client_address)
2326
2252
except KeyError:
2406
2332
def peer_certificate(session):
2407
"Return the peer's certificate as a bytestring"
2409
cert_type = gnutls.certificate_type_get2(session._c_object,
2411
except AttributeError:
2412
cert_type = gnutls.certificate_type_get(session._c_object)
2413
if gnutls.has_rawpk:
2414
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2416
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2417
# If not a valid certificate type...
2418
if cert_type not in valid_cert_types:
2419
logger.info("Cert type %r not in %r", cert_type,
2333
"Return the peer's OpenPGP certificate as a bytestring"
2334
# If not an OpenPGP certificate...
2335
if (gnutls.certificate_type_get(session._c_object)
2336
!= gnutls.CRT_OPENPGP):
2421
2337
# ...return invalid data
2423
2339
list_size = ctypes.c_uint(1)
2431
2347
return ctypes.string_at(cert.data, cert.size)
2434
def key_id(certificate):
2435
"Convert a certificate bytestring to a hexdigit key ID"
2436
# New GnuTLS "datum" with the public key
2437
datum = gnutls.datum_t(
2438
ctypes.cast(ctypes.c_char_p(certificate),
2439
ctypes.POINTER(ctypes.c_ubyte)),
2440
ctypes.c_uint(len(certificate)))
2441
# XXX all these need to be created in the gnutls "module"
2442
# New empty GnuTLS certificate
2443
pubkey = gnutls.pubkey_t()
2444
gnutls.pubkey_init(ctypes.byref(pubkey))
2445
# Import the raw public key into the certificate
2446
gnutls.pubkey_import(pubkey,
2447
ctypes.byref(datum),
2448
gnutls.X509_FMT_DER)
2449
# New buffer for the key ID
2450
buf = ctypes.create_string_buffer(32)
2451
buf_len = ctypes.c_size_t(len(buf))
2452
# Get the key ID from the raw public key into the buffer
2453
gnutls.pubkey_get_key_id(pubkey,
2454
gnutls.KEYID_USE_SHA256,
2455
ctypes.cast(ctypes.byref(buf),
2456
ctypes.POINTER(ctypes.c_ubyte)),
2457
ctypes.byref(buf_len))
2458
# Deinit the certificate
2459
gnutls.pubkey_deinit(pubkey)
2461
# Convert the buffer to a Python bytestring
2462
key_id = ctypes.string_at(buf, buf_len.value)
2463
# Convert the bytestring to hexadecimal notation
2464
hex_key_id = binascii.hexlify(key_id).upper()
2468
2350
def fingerprint(openpgp):
2469
2351
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2470
2352
# New GnuTLS "datum" with the OpenPGP public key
2700
2579
command = request[0]
2702
2581
if command == 'init':
2703
key_id = request[1].decode("ascii")
2704
fpr = request[2].decode("ascii")
2705
address = request[3]
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2707
2585
for c in self.clients.values():
2708
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2710
if key_id and c.key_id == key_id:
2713
if fpr and c.fingerprint == fpr:
2586
if c.fingerprint == fpr:
2717
logger.info("Client not found for key ID: %s, address"
2718
": %s", key_id or fpr, address)
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2719
2592
if self.use_dbus:
2720
2593
# Emit D-Bus signal
2721
mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
mandos_dbus_service.ClientNotFound(fpr,
2723
2596
parent_pipe.send(False)
2726
2599
GLib.io_add_watch(
2727
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2728
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2600
parent_pipe.fileno(),
2601
GLib.IO_IN | GLib.IO_HUP,
2729
2602
functools.partial(self.handle_ipc,
2730
2603
parent_pipe=parent_pipe,
2763
2636
def rfc3339_duration_to_delta(duration):
2764
2637
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2766
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2768
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2770
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2772
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2774
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2776
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2778
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2639
>>> rfc3339_duration_to_delta("P7D")
2640
datetime.timedelta(7)
2641
>>> rfc3339_duration_to_delta("PT60S")
2642
datetime.timedelta(0, 60)
2643
>>> rfc3339_duration_to_delta("PT60M")
2644
datetime.timedelta(0, 3600)
2645
>>> rfc3339_duration_to_delta("PT24H")
2646
datetime.timedelta(1)
2647
>>> rfc3339_duration_to_delta("P1W")
2648
datetime.timedelta(7)
2649
>>> rfc3339_duration_to_delta("PT5M30S")
2650
datetime.timedelta(0, 330)
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2652
datetime.timedelta(1, 200)
2782
2655
# Parsing an RFC 3339 duration with regular expressions is not
2862
2735
def string_to_delta(interval):
2863
2736
"""Parse a string and return a datetime.timedelta
2865
>>> string_to_delta('7d') == datetime.timedelta(7)
2867
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2869
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2871
>>> string_to_delta('24h') == datetime.timedelta(1)
2873
>>> string_to_delta('1w') == datetime.timedelta(7)
2875
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2738
>>> string_to_delta('7d')
2739
datetime.timedelta(7)
2740
>>> string_to_delta('60s')
2741
datetime.timedelta(0, 60)
2742
>>> string_to_delta('60m')
2743
datetime.timedelta(0, 3600)
2744
>>> string_to_delta('24h')
2745
datetime.timedelta(1)
2746
>>> string_to_delta('1w')
2747
datetime.timedelta(7)
2748
>>> string_to_delta('5m 30s')
2749
datetime.timedelta(0, 330)
3603
3471
# End of Avahi example code
3606
GLib.IOChannel.unix_new(tcp_server.fileno()),
3607
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3608
lambda *args, **kwargs: (tcp_server.handle_request
3609
(*args[2:], **kwargs) or True))
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3611
3478
logger.debug("Starting main loop")
3612
3479
main_loop.run()
3622
3489
# Must run before the D-Bus bus name gets deregistered
3626
def should_only_run_tests():
3627
parser = argparse.ArgumentParser(add_help=False)
3628
parser.add_argument("--check", action='store_true')
3629
args, unknown_args = parser.parse_known_args()
3630
run_tests = args.check
3632
# Remove --check argument from sys.argv
3633
sys.argv[1:] = unknown_args
3636
# Add all tests from doctest strings
3637
def load_tests(loader, tests, none):
3639
tests.addTests(doctest.DocTestSuite())
3642
3493
if __name__ == '__main__':
3644
if should_only_run_tests():
3645
# Call using ./mandos --check [--verbose]