def handshakeSuccessful(self, respHeader,c):
c=list(map(lambda s: s.lstrip(),c.split(b",")))
self._socketType = None
if b"proxy" not in c:
Log.error("An incoming connection has no proxy field",False)
self.doDisconnect()
return
self.uri=base64.b64decode(self.uri)
if(b"TCP" in c):
if self._policyControl.tcpAllowed():
self._socket=SocketModeFactory.TCP.generateSocket()
self._socketType="TCP"
else:
Log.policycontrol("An incoming tcp connection was rejected: TCP socket types disabled")
self.doDisconnect()
return
if(b"UNIX" in c):
if self._policyControl.unixAllowed():
self._socket=SocketModeFactory.UNIX.generateSocket()
self._socketType="UNIX"
else:
Log.policycontrol("An incoming unix connection was rejected: UNIX socket types disabled")
self.doDisconnect()
return
if(b"UDP" in c):
if self._policyControl.udpAllowed():
self._socketType="UDP"
self._socket=SocketModeFactory.UDP.generateSocket()
else:
Log.policycontrol("An incoming udp connection was rejected: UDP socket types disabled")
self.doDisconnect()
return
if self._socketType is None:
Log.warning("Incoming request has no socket specified")
self.doDisconnect()
return
if self._socketType=="UNIX":
uri=self.uri
destination=uri
else:
port=self.uri[self.uri.rfind(b":")+1:]
uri=self.uri[:self.uri.rfind(b":")]
destination=(uri,int(port))
#policy control
authStrings = list( filter(lambda elem: len(elem)>10 and ( chr(elem[0])=="H" or chr(elem[0])=="S") ,c))
if self._policyControl.hasAccess(self._socketType,self.requestHeader[b'Origin'],destination, authStrings):
self.connectRemote(destination,respHeader,c)
else:
Log.policycontrol("Access denied for: %s connection to %s"%(self._socketType,destination))
self.doDisconnect(False)
def init():
if not os.path.exists(Authentication.keyPath):
Log.warning("security token does not exist, generating new random value")
Authentication.key=Authentication.generateRandomBytes(2048)
with open(Authentication.keyPath,"wb") as f:
f.write(Authentication.key)
else:
with open(Authentication.keyPath,"rb") as f:
Authentication.key=f.read()
pass
def hasAccess(self,type_,src_,destination,auth):
'''
checks if the script has access
@param type_: TCP,UDP,UNIX
@param src: the source url of the script [is null if local]
@param destination: the destination url/ip to connect to
@param auth:
'''
#Log.debug("checking policy: \n type: %s \n src: %s \n dest: %s \n auth: %s"%(type_,src_, destination,auth))
d_uri, d_port = Policies.splitURI(destination)
src = src_.decode()
if src == "null":
src = "localhost"
incomingRequestPolicy = Policy("", d_uri, d_port,src, type_)
#print(str(self.policies))
matchcount=0
matchaction = None
for k,rule in self.policies.specificRules.items():
if self.matches(rule,incomingRequestPolicy):
if matchcount != 0 and matchaction != rule.action:
Log.warning("multiple rules with conflicting actions detected: %s"%k)
matchcount += 1
matchaction = rule.action
if matchaction != None:
return self.__proceed(matchaction,incomingRequestPolicy)
Log.debug("passed specific")
#no specific rule found:
#testing for:
# trustedSource
# trustedDest
# localSource
# general rule
SALTLEN = 8
for authElem in auth:
# trustedSource
if chr(authElem[0]) == "S":
authString1 = Authentication.hash(b"", authElem[1:SALTLEN+1])[1].encode()
if authString1 == authElem[SALTLEN+1:]:
#trusted source detected
Log.policycontrol("Sourcekey detected")
return self.__proceed(self.policies.trustedSource,incomingRequestPolicy,"sourcekey")
Log.debug("passed srckey")
# trustedDest
if chr(authElem[0]) == "H":
deststr = d_uri+":"+str(d_port)
authString1 = Authentication.hash(deststr.encode(), authElem[1:SALTLEN+1])[1].encode()
authString2 = Authentication.hash(d_uri.encode(), authElem[1:SALTLEN+1])[1].encode()
if authString1 == authElem[SALTLEN+1:] or authString2 == authElem[SALTLEN+1:]:
Log.policycontrol("Hostkey detected")
return self.__proceed(self.policies.trustedDest,incomingRequestPolicy,"hostkey")
Log.debug("passed hostkey")
# localSource
if src == b"localhost":
return self.__proceed(self.policies.localSource,incomingRequestPolicy)
Log.debug("passed local")
# general rule
return self.__proceed(self.policies.unknownPolicyRule,incomingRequestPolicy)
Log.debug("passed general")
return False
