Implemented TLS encrypted connections

Implemented TLS encrypted connections. Added command line argument and configuration file option to accept invalid (self-signed) certificates. Fixed a couple of unrelated issues.
author: Sam Chudnick <sam@chudnick.com> 2022-07-04 12:24:59 -0400
committer: Sam Chudnick <sam@chudnick.com> 2022-07-04 12:24:59 -0400
commit: 755d7f5f94b720b028d085cf971c5935c130dec1 (patch)
tree: f015e8929563e5302d2ba8e2ee7215d1231debdd /server
parent: 11a4a5edb9f0e22fe8355291942ed03c9765ced5 (diff)
1 files changed, 26 insertions, 12 deletions
diff --git a/server/mfad.py b/server/mfad.py
index 17d2585..18a048a 100755
--- a/server/mfad.py
+++ b/server/mfad.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 import socket
+import ssl
 import os
 import sys
 import time
@@ -211,8 +212,9 @@ def parse_pam_data(data):
 def handle_pam(db, conn, addr):
    # Get request and data from PAM module
    header = conn.recv(HEADER_LENGTH).decode(FORMAT)
-    if header == "":
+    if len(header) != HEADER_LENGTH:
-        die("error: lost connection to pam module")
+        conn.close()
+        die("error: invalid data from PAM module")
    data_length = int(header)
    pam_data = conn.recv(data_length).decode(FORMAT)
    print("Got pam_data: " + pam_data)
@@ -238,19 +240,31 @@ def handle_pam(db, conn, addr):
 def listen_client(db, addr, port):
-    with socket.create_server((addr, port)) as server:
+    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-        while True:
+    context.load_cert_chain(certfile="server/cert.pem", keyfile="server/key.pem")
-            conn, addr = server.accept()
+    with socket.create_server((addr, port)) as sock:
-            thread = threading.Thread(target=handle_client,args=(db, conn,addr))
+        with context.wrap_socket(sock, server_side=True) as tls_socket:
-            thread.start()
+            while True:
+                try:
+                    conn, addr = tls_socket.accept()
+                    thread = threading.Thread(target=handle_client,args=(db,conn,addr))
+                    thread.start()
+                except ssl.SSLError:
+                    print("client: ssl handshake error")
 def listen_pam(db, addr, port):
-    with socket.create_server((addr,port)) as pam_server:
+    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-        while True:
+    context.load_cert_chain(certfile="server/cert.pem", keyfile="server/key.pem")
-            conn, addr = pam_server.accept()
+    with socket.create_server((addr,port)) as sock:
-            thread = threading.Thread(target=handle_pam,args=(db, conn,addr))
+        with context.wrap_socket(sock, server_side=True) as tls_socket:
-            thread.start()
+            while True:
+                try:
+                    conn, addr = tls_socket.accept()
+                    thread = threading.Thread(target=handle_pam,args=(db, conn,addr))
+                    thread.start()
+                except ssl.SSLError:
+                    print("pam: ssl handshake error")
 ################################################################################
author	Sam Chudnick <sam@chudnick.com>	2022-07-04 12:24:59 -0400
committer	Sam Chudnick <sam@chudnick.com>	2022-07-04 12:24:59 -0400
commit	755d7f5f94b720b028d085cf971c5935c130dec1 (patch)
tree	f015e8929563e5302d2ba8e2ee7215d1231debdd /server
parent	11a4a5edb9f0e22fe8355291942ed03c9765ced5 (diff)