bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
3
by Björn Påhlsson
Python based server |
1 |
#!/usr/bin/python
|
2 |
||
3 |
import SocketServer |
|
4 |
import socket |
|
5 |
import select |
|
6 |
from optparse import OptionParser |
|
7 |
import datetime |
|
8 |
import errno |
|
9 |
import gnutls.crypto |
|
10 |
import gnutls.connection |
|
11 |
import gnutls.errors |
|
12 |
import ConfigParser |
|
13 |
||
14 |
class Client(object): |
|
15 |
def __init__(self, name=None, dn=None, password=None, |
|
16 |
passfile=None, fqdn=None, timeout=None, |
|
17 |
interval=-1): |
|
18 |
self.name = name |
|
19 |
self.dn = dn |
|
20 |
if password: |
|
21 |
self.password = password |
|
22 |
elif passfile: |
|
23 |
self.password = open(passfile).readall() |
|
24 |
else: |
|
25 |
print "No Password or Passfile in client config file" |
|
26 |
# raise RuntimeError XXX
|
|
27 |
self.password = "gazonk" |
|
28 |
self.fqdn = fqdn |
|
29 |
# self.created = ...
|
|
30 |
self.last_seen = None |
|
31 |
if timeout is None: |
|
32 |
timeout = self.server.options.timeout |
|
33 |
self.timeout = timeout |
|
34 |
if interval == -1: |
|
35 |
interval = self.server.options.interval |
|
36 |
self.interval = interval |
|
37 |
||
38 |
def server_bind(self): |
|
39 |
if self.options.interface: |
|
40 |
if not hasattr(socket, "SO_BINDTODEVICE"): |
|
41 |
# From /usr/include/asm-i486/socket.h
|
|
42 |
socket.SO_BINDTODEVICE = 25 |
|
43 |
try: |
|
44 |
self.socket.setsockopt(socket.SOL_SOCKET, |
|
45 |
socket.SO_BINDTODEVICE, |
|
46 |
self.options.interface) |
|
47 |
except socket.error, error: |
|
48 |
if error[0] == errno.EPERM: |
|
49 |
print "Warning: Denied permission to bind to interface", \ |
|
50 |
self.options.interface |
|
51 |
else: |
|
52 |
raise error |
|
53 |
return super(type(self), self).server_bind() |
|
54 |
||
55 |
||
56 |
def init_with_options(self, *args, **kwargs): |
|
57 |
if "options" in kwargs: |
|
58 |
self.options = kwargs["options"] |
|
59 |
del kwargs["options"] |
|
60 |
if "clients" in kwargs: |
|
61 |
self.clients = kwargs["clients"] |
|
62 |
del kwargs["clients"] |
|
63 |
if "credentials" in kwargs: |
|
64 |
self.credentials = kwargs["credentials"] |
|
65 |
del kwargs["credentials"] |
|
66 |
return super(type(self), self).__init__(*args, **kwargs) |
|
67 |
||
68 |
||
69 |
class udp_handler(SocketServer.DatagramRequestHandler, object): |
|
70 |
def handle(self): |
|
71 |
self.wfile.write("Polo") |
|
72 |
print "UDP request answered" |
|
73 |
||
74 |
||
75 |
class IPv6_UDPServer(SocketServer.UDPServer, object): |
|
76 |
__init__ = init_with_options |
|
77 |
address_family = socket.AF_INET6 |
|
78 |
allow_reuse_address = True |
|
79 |
server_bind = server_bind |
|
80 |
def verify_request(self, request, client_address): |
|
81 |
print "UDP request came" |
|
82 |
return request[0] == "Marco" |
|
83 |
||
84 |
||
85 |
class tcp_handler(SocketServer.BaseRequestHandler, object): |
|
86 |
def handle(self): |
|
87 |
print "TCP request came" |
|
88 |
print "Request:", self.request |
|
89 |
print "Client Address:", self.client_address |
|
90 |
print "Server:", self.server |
|
91 |
session = gnutls.connection.ServerSession(self.request, |
|
92 |
self.server.credentials) |
|
93 |
session.handshake() |
|
94 |
if session.peer_certificate: |
|
95 |
print "DN:", session.peer_certificate.subject |
|
96 |
try: |
|
97 |
session.verify_peer() |
|
98 |
except gnutls.errors.CertificateError, error: |
|
99 |
print "Verify failed", error |
|
100 |
session.bye() |
|
101 |
return
|
|
102 |
try: |
|
103 |
session.send(dict((client.dn, client.password) |
|
104 |
for client in self.server.clients) |
|
105 |
[session.peer_certificate.subject]) |
|
106 |
except KeyError: |
|
107 |
session.send("gazonk") |
|
108 |
# Log maybe? XXX
|
|
109 |
session.bye() |
|
110 |
||
111 |
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object): |
|
112 |
__init__ = init_with_options |
|
113 |
address_family = socket.AF_INET6 |
|
114 |
allow_reuse_address = True |
|
115 |
request_queue_size = 1024 |
|
116 |
server_bind = server_bind |
|
117 |
||
118 |
||
119 |
in6addr_any = "::" |
|
120 |
||
121 |
cred = None |
|
122 |
||
123 |
def main(): |
|
124 |
parser = OptionParser() |
|
125 |
parser.add_option("-i", "--interface", type="string", |
|
126 |
default="eth0", metavar="IF", |
|
127 |
help="Interface to bind to") |
|
128 |
parser.add_option("--cert", type="string", default="cert.pem", |
|
129 |
metavar="FILE", |
|
130 |
help="Public key certificate to use") |
|
131 |
parser.add_option("--key", type="string", default="key.pem", |
|
132 |
metavar="FILE", |
|
133 |
help="Private key to use") |
|
134 |
parser.add_option("--ca", type="string", default="ca.pem", |
|
135 |
metavar="FILE", |
|
136 |
help="Certificate Authority certificate to use") |
|
137 |
parser.add_option("--crl", type="string", default="crl.pem", |
|
138 |
metavar="FILE", |
|
139 |
help="Certificate Revokation List to use") |
|
140 |
parser.add_option("-p", "--port", type="int", default=49001, |
|
141 |
help="Port number to receive requests on") |
|
142 |
parser.add_option("--dh", type="int", metavar="BITS", |
|
143 |
help="DH group to use") |
|
144 |
parser.add_option("-t", "--timeout", type="string", # Parsed later |
|
145 |
default="15m", |
|
146 |
help="Amount of downtime allowed for clients") |
|
147 |
(options, args) = parser.parse_args() |
|
148 |
||
149 |
# Parse the time argument
|
|
150 |
try: |
|
151 |
suffix=options.timeout[-1] |
|
152 |
value=int(options.timeout[:-1]) |
|
153 |
if suffix == "d": |
|
154 |
options.timeout = datetime.timedelta(value) |
|
155 |
elif suffix == "s": |
|
156 |
options.timeout = datetime.timedelta(0, value) |
|
157 |
elif suffix == "m": |
|
158 |
options.timeout = datetime.timedelta(0, 0, 0, 0, value) |
|
159 |
elif suffix == "h": |
|
160 |
options.timeout = datetime.timedelta(0, 0, 0, 0, 0, value) |
|
161 |
elif suffix == "w": |
|
162 |
options.timeout = datetime.timedelta(0, 0, 0, 0, 0, 0, |
|
163 |
value) |
|
164 |
else: |
|
165 |
raise ValueError |
|
166 |
except (ValueError, IndexError): |
|
167 |
parser.error("option --timeout: Unparseable time") |
|
168 |
||
169 |
cert = gnutls.crypto.X509Certificate(open(options.cert).read()) |
|
170 |
key = gnutls.crypto.X509PrivateKey(open(options.key).read()) |
|
171 |
ca = gnutls.crypto.X509Certificate(open(options.ca).read()) |
|
172 |
crl = gnutls.crypto.X509CRL(open(options.crl).read()) |
|
173 |
cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl]) |
|
174 |
||
175 |
# Parse config file
|
|
176 |
defaults = {} |
|
177 |
client_config_object = ConfigParser.SafeConfigParser(defaults) |
|
178 |
client_config_object.read("mandos-clients.conf") |
|
179 |
clients = [Client(name=section, |
|
180 |
**(dict(client_config_object.items(section)))) |
|
181 |
for section in client_config_object.sections()] |
|
182 |
||
183 |
udp_server = IPv6_UDPServer((in6addr_any, options.port), |
|
184 |
udp_handler, |
|
185 |
options=options) |
|
186 |
||
187 |
tcp_server = IPv6_TCPServer((in6addr_any, options.port), |
|
188 |
tcp_handler, |
|
189 |
options=options, |
|
190 |
clients=clients, |
|
191 |
credentials=cred) |
|
192 |
||
193 |
while True: |
|
194 |
in_, out, err = select.select((udp_server, |
|
195 |
tcp_server), (), ()) |
|
196 |
for server in in_: |
|
197 |
server.handle_request() |
|
198 |
||
199 |
||
200 |
if __name__ == "__main__": |
|
201 |
main() |
|
202 |