=== modified file 'DBUS-API' --- DBUS-API 2015-08-10 09:00:23 +0000 +++ DBUS-API 2016-02-28 14:22:10 +0000 @@ -130,8 +130,8 @@ * Copyright - Copyright © 2010-2015 Teddy Hogeborn - Copyright © 2010-2015 Björn Påhlsson + Copyright © 2010-2016 Teddy Hogeborn + Copyright © 2010-2016 Björn Påhlsson ** License: === modified file 'INSTALL' --- INSTALL 2014-07-25 22:44:20 +0000 +++ INSTALL 2016-02-28 03:01:43 +0000 @@ -4,7 +4,7 @@ ** Operating System - Debian 6.0 "squeeze" or Ubuntu 10.10 "Maverick Meerkat" (or later). + Debian 8.0 "jessie" or Ubuntu 15.10 "Wily Werewolf" (or later). This is mostly for the support scripts which make sure that the client is installed and started in the initial RAM disk environment @@ -38,11 +38,9 @@ "man -l mandos.8". *** Mandos Server - + GnuTLS 2.4 http://www.gnutls.org/ - Note: GnuTLS 3 will only work with Python-GnuTLS 2 + + GnuTLS 3.3 http://www.gnutls.org/ + Avahi 0.6.16 http://www.avahi.org/ + Python 2.7 https://www.python.org/ - + Python-GnuTLS 1.1.5 https://pypi.python.org/pypi/python-gnutls/ + dbus-python 0.82.4 http://dbus.freedesktop.org/doc/dbus-python/ + PyGObject 2.14.2 https://developer.gnome.org/pygobject/ + pkg-config http://www.freedesktop.org/wiki/Software/pkg-config/ @@ -54,13 +52,13 @@ + ssh-keyscan from OpenSSH http://www.openssh.com/ Package names: - python-gnutls avahi-daemon python python-avahi python-dbus - python-gobject python-urwid pkg-config fping ssh-client + avahi-daemon python python-avahi python-dbus python-gobject + python-urwid pkg-config fping ssh-client *** Mandos Client + initramfs-tools 0.85i https://tracker.debian.org/pkg/initramfs-tools - + GnuTLS 2.4 http://www.gnutls.org/ + + GnuTLS 3.3 http://www.gnutls.org/ + Avahi 0.6.16 http://www.avahi.org/ + GnuPG 1.4.9 https://www.gnupg.org/ + GPGME 1.1.6 https://www.gnupg.org/related_software/gpgme/ === modified file 'Makefile' --- Makefile 2015-10-24 17:48:13 +0000 +++ Makefile 2016-02-21 14:24:01 +0000 @@ -14,6 +14,24 @@ # For info about _FORTIFY_SOURCE, see feature_test_macros(7) # and . FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC +# +# The sanitizing options are available in GCC 4.9 and above. +ifeq ($(shell test $(shell $(CC) -dumpversion) \> 4.9-; echo $$?),0) +SANITIZE:=-fsanitize=address -fsanitize=undefined -fsanitize=shift \ + -fsanitize=integer-divide-by-zero -fsanitize=unreachable \ + -fsanitize=vla-bound -fsanitize=null -fsanitize=return \ + -fsanitize=signed-integer-overflow +# GCC 5.3 has some more sanitizing options +ifeq ($(shell test $(shell $(CC) -dumpversion) \> 5.3-; echo $$?),0) +SANITIZE+=-fsanitize=bounds -fsanitize=alignment \ + -fsanitize=object-size -fsanitize=float-divide-by-zero \ + -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \ + -fsanitize=returns-nonnull-attribute -fsanitize=bool \ + -fsanitize=enum +endif +else +SANITIZE:= +endif LINK_FORTIFY_LD=-z relro -z now LINK_FORTIFY= @@ -73,9 +91,9 @@ LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0) # Do not change these two -CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \ - $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \ - -DVERSION='"$(version)"' +CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \ + $(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \ + $(GPGME_CFLAGS) -DVERSION='"$(version)"' LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag)) # Commands to format a DocBook document into a manual page === modified file 'debian/control' --- debian/control 2015-12-03 21:04:24 +0000 +++ debian/control 2016-02-28 14:33:54 +0000 @@ -5,22 +5,23 @@ Uploaders: Teddy Hogeborn , Björn Påhlsson Build-Depends: debhelper (>= 9), docbook-xml, docbook-xsl, - libavahi-core-dev, libgpgme11-dev, libgnutls28-dev - | gnutls-dev, xsltproc, pkg-config, libnl-route-3-dev -Build-Depends-Indep: systemd, python2.7, python2.7-gnutls, - python2.7-dbus, python2.7-avahi, python2.7-gobject -Standards-Version: 3.9.6 + libavahi-core-dev, libgpgme11-dev, libgnutls28-dev (>= 3.3.0) + | gnutls-dev (>= 3.3.0), xsltproc, pkg-config, + libnl-route-3-dev +Build-Depends-Indep: systemd, python (>= 2.7), python (<< 3), + python-dbus, python-avahi, python-gobject | python-gi +Standards-Version: 3.9.7 Vcs-Bzr: http://ftp.recompile.se/pub/mandos/trunk Vcs-Browser: http://bzr.recompile.se/loggerhead/mandos/trunk/files Homepage: http://www.recompile.se/mandos Package: mandos Architecture: all -Depends: ${misc:Depends}, python (>= 2.7), python2.7, python-gnutls, - python2.7-gnutls, python-dbus, python2.7-dbus, python-avahi, - python2.7-avahi, python-gobject, python2.7-gobject, - avahi-daemon, adduser, python-urwid, python2.7-urwid, - gnupg (<< 2) +Depends: ${misc:Depends}, python (>= 2.7), python (<< 3), + libgnutls28-dev (>= 3.3.0) | libgnutls30 (>= 3.3.0), + python-dbus, python-dbus, python-avahi, + python-gobject | python-gi, avahi-daemon, adduser, + python-urwid, gnupg Recommends: ssh-client | fping Description: server giving encrypted passwords to Mandos clients This is the server part of the Mandos system, which allows @@ -40,7 +41,7 @@ Package: mandos-client Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, cryptsetup, - gnupg (<< 2), initramfs-tools, dpkg-dev (>=1.16.0) + initramfs-tools, dpkg-dev (>=1.16.0) Recommends: ssh, gnutls-bin | openssl Breaks: dropbear (<= 0.53.1-1) Enhances: cryptsetup === modified file 'debian/copyright' --- debian/copyright 2015-07-20 04:03:32 +0000 +++ debian/copyright 2016-02-28 14:22:10 +0000 @@ -4,8 +4,8 @@ Source: Files: * -Copyright: Copyright © 2008-2015 Teddy Hogeborn - Copyright © 2008-2015 Björn Påhlsson +Copyright: Copyright © 2008-2016 Teddy Hogeborn + Copyright © 2008-2016 Björn Påhlsson License: GPL-3+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as === modified file 'intro.xml' --- intro.xml 2015-07-20 04:03:32 +0000 +++ intro.xml 2016-02-28 14:22:10 +0000 @@ -1,7 +1,7 @@ + %common; ]> @@ -35,6 +35,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'mandos' --- mandos 2015-10-24 17:48:13 +0000 +++ mandos 2016-02-28 14:22:10 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python2.7 +#!/usr/bin/python # -*- mode: python; coding: utf-8 -*- # # Mandos server - give out binary blobs to connecting clients. @@ -11,8 +11,8 @@ # "AvahiService" class, and some lines in "main". # # Everything else is -# Copyright © 2008-2015 Teddy Hogeborn -# Copyright © 2008-2015 Björn Påhlsson +# Copyright © 2008-2016 Teddy Hogeborn +# Copyright © 2008-2016 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -44,12 +44,6 @@ import argparse import datetime import errno -import gnutls.crypto -import gnutls.connection -import gnutls.errors -import gnutls.library.functions -import gnutls.library.constants -import gnutls.library.types try: import ConfigParser as configparser except ImportError: @@ -157,8 +151,19 @@ def __init__(self): self.tempdir = tempfile.mkdtemp(prefix="mandos-") + self.gpg = "gpg" + try: + output = subprocess.check_output(["gpgconf"]) + for line in output.splitlines(): + name, text, path = line.split(":") + if name == "gpg": + self.gpg = path + break + except OSError as e: + if e.errno != errno.ENOENT: + raise self.gnupgargs = ['--batch', - '--home', self.tempdir, + '--homedir', self.tempdir, '--force-mdc', '--quiet', '--no-use-agent'] @@ -203,7 +208,7 @@ dir=self.tempdir) as passfile: passfile.write(passphrase) passfile.flush() - proc = subprocess.Popen(['gpg', '--symmetric', + proc = subprocess.Popen([self.gpg, '--symmetric', '--passphrase-file', passfile.name] + self.gnupgargs, @@ -221,7 +226,7 @@ dir = self.tempdir) as passfile: passfile.write(passphrase) passfile.flush() - proc = subprocess.Popen(['gpg', '--decrypt', + proc = subprocess.Popen([self.gpg, '--decrypt', '--passphrase-file', passfile.name] + self.gnupgargs, @@ -435,6 +440,261 @@ .format(self.name))) return ret +# Pretend that we have a GnuTLS module +class GnuTLS(object): + """This isn't so much a class as it is a module-like namespace. + It is instantiated once, and simulates having a GnuTLS module.""" + + _library = ctypes.cdll.LoadLibrary( + ctypes.util.find_library("gnutls")) + _need_version = "3.3.0" + def __init__(self): + # Need to use class name "GnuTLS" here, since this method is + # called before the assignment to the "gnutls" global variable + # happens. + if GnuTLS.check_version(self._need_version) is None: + raise GnuTLS.Error("Needs GnuTLS {} or later" + .format(self._need_version)) + + # Unless otherwise indicated, the constants and types below are + # all from the gnutls/gnutls.h C header file. + + # Constants + E_SUCCESS = 0 + E_INTERRUPTED = -52 + E_AGAIN = -28 + CRT_OPENPGP = 2 + CLIENT = 2 + SHUT_RDWR = 0 + CRD_CERTIFICATE = 1 + E_NO_CERTIFICATE_FOUND = -49 + OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h + + # Types + class session_int(ctypes.Structure): + _fields_ = [] + session_t = ctypes.POINTER(session_int) + class certificate_credentials_st(ctypes.Structure): + _fields_ = [] + certificate_credentials_t = ctypes.POINTER( + certificate_credentials_st) + certificate_type_t = ctypes.c_int + class datum_t(ctypes.Structure): + _fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)), + ('size', ctypes.c_uint)] + class openpgp_crt_int(ctypes.Structure): + _fields_ = [] + openpgp_crt_t = ctypes.POINTER(openpgp_crt_int) + openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h + log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p) + credentials_type_t = ctypes.c_int # + transport_ptr_t = ctypes.c_void_p + close_request_t = ctypes.c_int + + # Exceptions + class Error(Exception): + # We need to use the class name "GnuTLS" here, since this + # exception might be raised from within GnuTLS.__init__, + # which is called before the assignment to the "gnutls" + # global variable has happened. + def __init__(self, message = None, code = None, args=()): + # Default usage is by a message string, but if a return + # code is passed, convert it to a string with + # gnutls.strerror() + self.code = code + if message is None and code is not None: + message = GnuTLS.strerror(code) + return super(GnuTLS.Error, self).__init__( + message, *args) + + class CertificateSecurityError(Error): + pass + + # Classes + class Credentials(object): + def __init__(self): + self._c_object = gnutls.certificate_credentials_t() + gnutls.certificate_allocate_credentials( + ctypes.byref(self._c_object)) + self.type = gnutls.CRD_CERTIFICATE + + def __del__(self): + gnutls.certificate_free_credentials(self._c_object) + + class ClientSession(object): + def __init__(self, socket, credentials = None): + self._c_object = gnutls.session_t() + gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT) + gnutls.set_default_priority(self._c_object) + gnutls.transport_set_ptr(self._c_object, socket.fileno()) + gnutls.handshake_set_private_extensions(self._c_object, + True) + self.socket = socket + if credentials is None: + credentials = gnutls.Credentials() + gnutls.credentials_set(self._c_object, credentials.type, + ctypes.cast(credentials._c_object, + ctypes.c_void_p)) + self.credentials = credentials + + def __del__(self): + gnutls.deinit(self._c_object) + + def handshake(self): + return gnutls.handshake(self._c_object) + + def send(self, data): + data = bytes(data) + data_len = len(data) + while data_len > 0: + data_len -= gnutls.record_send(self._c_object, + data[-data_len:], + data_len) + + def bye(self): + return gnutls.bye(self._c_object, gnutls.SHUT_RDWR) + + # Error handling functions + def _error_code(result): + """A function to raise exceptions on errors, suitable + for the 'restype' attribute on ctypes functions""" + if result >= 0: + return result + if result == gnutls.E_NO_CERTIFICATE_FOUND: + raise gnutls.CertificateSecurityError(code = result) + raise gnutls.Error(code = result) + + def _retry_on_error(result, func, arguments): + """A function to retry on some errors, suitable + for the 'errcheck' attribute on ctypes functions""" + while result < 0: + if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN): + return _error_code(result) + result = func(*arguments) + return result + + # Unless otherwise indicated, the function declarations below are + # all from the gnutls/gnutls.h C header file. + + # Functions + priority_set_direct = _library.gnutls_priority_set_direct + priority_set_direct.argtypes = [session_t, ctypes.c_char_p, + ctypes.POINTER(ctypes.c_char_p)] + priority_set_direct.restype = _error_code + + init = _library.gnutls_init + init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int] + init.restype = _error_code + + set_default_priority = _library.gnutls_set_default_priority + set_default_priority.argtypes = [session_t] + set_default_priority.restype = _error_code + + record_send = _library.gnutls_record_send + record_send.argtypes = [session_t, ctypes.c_void_p, + ctypes.c_size_t] + record_send.restype = ctypes.c_ssize_t + record_send.errcheck = _retry_on_error + + certificate_allocate_credentials = ( + _library.gnutls_certificate_allocate_credentials) + certificate_allocate_credentials.argtypes = [ + ctypes.POINTER(certificate_credentials_t)] + certificate_allocate_credentials.restype = _error_code + + certificate_free_credentials = ( + _library.gnutls_certificate_free_credentials) + certificate_free_credentials.argtypes = [certificate_credentials_t] + certificate_free_credentials.restype = None + + handshake_set_private_extensions = ( + _library.gnutls_handshake_set_private_extensions) + handshake_set_private_extensions.argtypes = [session_t, + ctypes.c_int] + handshake_set_private_extensions.restype = None + + credentials_set = _library.gnutls_credentials_set + credentials_set.argtypes = [session_t, credentials_type_t, + ctypes.c_void_p] + credentials_set.restype = _error_code + + strerror = _library.gnutls_strerror + strerror.argtypes = [ctypes.c_int] + strerror.restype = ctypes.c_char_p + + certificate_type_get = _library.gnutls_certificate_type_get + certificate_type_get.argtypes = [session_t] + certificate_type_get.restype = _error_code + + certificate_get_peers = _library.gnutls_certificate_get_peers + certificate_get_peers.argtypes = [session_t, + ctypes.POINTER(ctypes.c_uint)] + certificate_get_peers.restype = ctypes.POINTER(datum_t) + + global_set_log_level = _library.gnutls_global_set_log_level + global_set_log_level.argtypes = [ctypes.c_int] + global_set_log_level.restype = None + + global_set_log_function = _library.gnutls_global_set_log_function + global_set_log_function.argtypes = [log_func] + global_set_log_function.restype = None + + deinit = _library.gnutls_deinit + deinit.argtypes = [session_t] + deinit.restype = None + + handshake = _library.gnutls_handshake + handshake.argtypes = [session_t] + handshake.restype = _error_code + handshake.errcheck = _retry_on_error + + transport_set_ptr = _library.gnutls_transport_set_ptr + transport_set_ptr.argtypes = [session_t, transport_ptr_t] + transport_set_ptr.restype = None + + bye = _library.gnutls_bye + bye.argtypes = [session_t, close_request_t] + bye.restype = _error_code + bye.errcheck = _retry_on_error + + check_version = _library.gnutls_check_version + check_version.argtypes = [ctypes.c_char_p] + check_version.restype = ctypes.c_char_p + + # All the function declarations below are from gnutls/openpgp.h + + openpgp_crt_init = _library.gnutls_openpgp_crt_init + openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)] + openpgp_crt_init.restype = _error_code + + openpgp_crt_import = _library.gnutls_openpgp_crt_import + openpgp_crt_import.argtypes = [openpgp_crt_t, + ctypes.POINTER(datum_t), + openpgp_crt_fmt_t] + openpgp_crt_import.restype = _error_code + + openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self + openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint, + ctypes.POINTER(ctypes.c_uint)] + openpgp_crt_verify_self.restype = _error_code + + openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit + openpgp_crt_deinit.argtypes = [openpgp_crt_t] + openpgp_crt_deinit.restype = None + + openpgp_crt_get_fingerprint = ( + _library.gnutls_openpgp_crt_get_fingerprint) + openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t, + ctypes.c_void_p, + ctypes.POINTER( + ctypes.c_size_t)] + openpgp_crt_get_fingerprint.restype = _error_code + + # Remove non-public functions + del _error_code, _retry_on_error +# Create the global "gnutls" object, simulating a module +gnutls = GnuTLS() + def call_pipe(connection, # : multiprocessing.Connection func, *args, **kwargs): """This function is meant to be called by multiprocessing.Process @@ -1880,13 +2140,7 @@ logger.debug("Pipe FD: %d", self.server.child_pipe.fileno()) - session = gnutls.connection.ClientSession( - self.request, gnutls.connection .X509Credentials()) - - # Note: gnutls.connection.X509Credentials is really a - # generic GnuTLS certificate credentials object so long as - # no X.509 keys are added to it. Therefore, we can use it - # here despite using OpenPGP certificates. + session = gnutls.ClientSession(self.request) #priority = ':'.join(("NONE", "+VERS-TLS1.1", # "+AES-256-CBC", "+SHA1", @@ -1896,8 +2150,8 @@ priority = self.server.gnutls_priority if priority is None: priority = "NORMAL" - gnutls.library.functions.gnutls_priority_set_direct( - session._c_object, priority, None) + gnutls.priority_set_direct(session._c_object, priority, + None) # Start communication using the Mandos protocol # Get protocol number @@ -1913,7 +2167,7 @@ # Start GnuTLS connection try: session.handshake() - except gnutls.errors.GNUTLSError as error: + except gnutls.Error as error: logger.warning("Handshake failed: %s", error) # Do not run session.bye() here: the session is not # established. Just abandon the request. @@ -1925,8 +2179,7 @@ try: fpr = self.fingerprint( self.peer_certificate(session)) - except (TypeError, - gnutls.errors.GNUTLSError) as error: + except (TypeError, gnutls.Error) as error: logger.warning("Bad certificate: %s", error) return logger.debug("Fingerprint: %s", fpr) @@ -1990,18 +2243,12 @@ else: delay -= time2 - time - sent_size = 0 - while sent_size < len(client.secret): - try: - sent = session.send(client.secret[sent_size:]) - except gnutls.errors.GNUTLSError as error: - logger.warning("gnutls send failed", - exc_info=error) - return - logger.debug("Sent: %d, remaining: %d", sent, - len(client.secret) - (sent_size - + sent)) - sent_size += sent + try: + session.send(client.secret) + except gnutls.Error as error: + logger.warning("gnutls send failed", + exc_info = error) + return logger.info("Sending secret to %s", client.name) # bump the timeout using extended_timeout @@ -2015,7 +2262,7 @@ client.approvals_pending -= 1 try: session.bye() - except gnutls.errors.GNUTLSError as error: + except gnutls.Error as error: logger.warning("GnuTLS bye failed", exc_info=error) @@ -2023,18 +2270,15 @@ def peer_certificate(session): "Return the peer's OpenPGP certificate as a bytestring" # If not an OpenPGP certificate... - if (gnutls.library.functions.gnutls_certificate_type_get( - session._c_object) - != gnutls.library.constants.GNUTLS_CRT_OPENPGP): - # ...do the normal thing - return session.peer_certificate + if (gnutls.certificate_type_get(session._c_object) + != gnutls.CRT_OPENPGP): + # ...return invalid data + return b"" list_size = ctypes.c_uint(1) - cert_list = (gnutls.library.functions - .gnutls_certificate_get_peers + cert_list = (gnutls.certificate_get_peers (session._c_object, ctypes.byref(list_size))) if not bool(cert_list) and list_size.value != 0: - raise gnutls.errors.GNUTLSError("error getting peer" - " certificate") + raise gnutls.Error("error getting peer certificate") if list_size.value == 0: return None cert = cert_list[0] @@ -2044,34 +2288,31 @@ def fingerprint(openpgp): "Convert an OpenPGP bytestring to a hexdigit fingerprint" # New GnuTLS "datum" with the OpenPGP public key - datum = gnutls.library.types.gnutls_datum_t( + datum = gnutls.datum_t( ctypes.cast(ctypes.c_char_p(openpgp), ctypes.POINTER(ctypes.c_ubyte)), ctypes.c_uint(len(openpgp))) # New empty GnuTLS certificate - crt = gnutls.library.types.gnutls_openpgp_crt_t() - gnutls.library.functions.gnutls_openpgp_crt_init( - ctypes.byref(crt)) + crt = gnutls.openpgp_crt_t() + gnutls.openpgp_crt_init(ctypes.byref(crt)) # Import the OpenPGP public key into the certificate - gnutls.library.functions.gnutls_openpgp_crt_import( - crt, ctypes.byref(datum), - gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW) + gnutls.openpgp_crt_import(crt, ctypes.byref(datum), + gnutls.OPENPGP_FMT_RAW) # Verify the self signature in the key crtverify = ctypes.c_uint() - gnutls.library.functions.gnutls_openpgp_crt_verify_self( - crt, 0, ctypes.byref(crtverify)) + gnutls.openpgp_crt_verify_self(crt, 0, + ctypes.byref(crtverify)) if crtverify.value != 0: - gnutls.library.functions.gnutls_openpgp_crt_deinit(crt) - raise gnutls.errors.CertificateSecurityError( - "Verify failed") + gnutls.openpgp_crt_deinit(crt) + raise gnutls.CertificateSecurityError("Verify failed") # New buffer for the fingerprint buf = ctypes.create_string_buffer(20) buf_len = ctypes.c_size_t() # Get the fingerprint from the certificate into the buffer - gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint( - crt, ctypes.byref(buf), ctypes.byref(buf_len)) + gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf), + ctypes.byref(buf_len)) # Deinit the certificate - gnutls.library.functions.gnutls_openpgp_crt_deinit(crt) + gnutls.openpgp_crt_deinit(crt) # Convert the buffer to a Python bytestring fpr = ctypes.string_at(buf, buf_len.value) # Convert the bytestring to hexadecimal notation @@ -2703,14 +2944,13 @@ # "Use a log level over 10 to enable all debugging options." # - GnuTLS manual - gnutls.library.functions.gnutls_global_set_log_level(11) + gnutls.global_set_log_level(11) - @gnutls.library.types.gnutls_log_func + @gnutls.log_func def debug_gnutls(level, string): logger.debug("GnuTLS: %s", string[:-1]) - gnutls.library.functions.gnutls_global_set_log_function( - debug_gnutls) + gnutls.global_set_log_function(debug_gnutls) # Redirect stdin so all checkers get /dev/null null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR) @@ -3064,7 +3304,8 @@ # Don't signal the disabling client.disable(quiet=True) # Emit D-Bus signal for removal - mandos_dbus_service.client_removed_signal(client) + if use_dbus: + mandos_dbus_service.client_removed_signal(client) client_settings.clear() atexit.register(cleanup) === modified file 'mandos-clients.conf.xml' --- mandos-clients.conf.xml 2015-07-20 04:03:32 +0000 +++ mandos-clients.conf.xml 2016-02-28 14:22:10 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ /etc/mandos/clients.conf"> - + %common; ]> @@ -40,6 +40,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'mandos-ctl' --- mandos-ctl 2015-10-24 17:48:13 +0000 +++ mandos-ctl 2016-02-28 14:22:10 +0000 @@ -3,8 +3,8 @@ # # Mandos Monitor - Control and monitor the Mandos server # -# Copyright © 2008-2015 Teddy Hogeborn -# Copyright © 2008-2015 Björn Påhlsson +# Copyright © 2008-2016 Teddy Hogeborn +# Copyright © 2008-2016 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by === modified file 'mandos-ctl.xml' --- mandos-ctl.xml 2015-07-20 04:03:32 +0000 +++ mandos-ctl.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -37,6 +37,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'mandos-keygen' --- mandos-keygen 2015-10-24 17:48:13 +0000 +++ mandos-keygen 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ # # Mandos key generator - create a new OpenPGP key for a Mandos client # -# Copyright © 2008-2015 Teddy Hogeborn -# Copyright © 2008-2015 Björn Påhlsson +# Copyright © 2008-2016 Teddy Hogeborn +# Copyright © 2008-2016 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by === modified file 'mandos-keygen.xml' --- mandos-keygen.xml 2015-07-20 04:03:32 +0000 +++ mandos-keygen.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'mandos-monitor' --- mandos-monitor 2015-10-24 17:48:13 +0000 +++ mandos-monitor 2016-02-28 14:22:10 +0000 @@ -3,8 +3,8 @@ # # Mandos Monitor - Control and monitor the Mandos server # -# Copyright © 2009-2015 Teddy Hogeborn -# Copyright © 2009-2015 Björn Påhlsson +# Copyright © 2009-2016 Teddy Hogeborn +# Copyright © 2009-2016 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by === modified file 'mandos-monitor.xml' --- mandos-monitor.xml 2015-07-20 04:03:32 +0000 +++ mandos-monitor.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -37,6 +37,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'mandos.conf.xml' --- mandos.conf.xml 2015-07-20 04:03:32 +0000 +++ mandos.conf.xml 2016-02-28 14:22:10 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ /etc/mandos/mandos.conf"> - + %common; ]> @@ -40,6 +40,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'mandos.xml' --- mandos.xml 2015-07-20 04:03:32 +0000 +++ mandos.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson @@ -541,9 +542,6 @@ - /dev/log - - /var/lib/mandos @@ -555,7 +553,7 @@ - /dev/log + /dev/log The Unix domain socket to where local syslog messages are === modified file 'plugin-helpers/mandos-client-iprouteadddel.c' --- plugin-helpers/mandos-client-iprouteadddel.c 2015-07-05 21:38:01 +0000 +++ plugin-helpers/mandos-client-iprouteadddel.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * iprouteadddel - Add or delete direct route to a local IP address * - * Copyright © 2015 Teddy Hogeborn - * Copyright © 2015 Björn Påhlsson + * Copyright © 2015-2016 Teddy Hogeborn + * Copyright © 2015-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugin-runner.c' --- plugin-runner.c 2015-07-20 04:03:32 +0000 +++ plugin-runner.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * Mandos plugin runner - Run Mandos plugins * - * Copyright © 2008-2015 Teddy Hogeborn - * Copyright © 2008-2015 Björn Påhlsson + * Copyright © 2008-2016 Teddy Hogeborn + * Copyright © 2008-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -701,8 +701,7 @@ custom_argc += 1; { char **new_argv = realloc(custom_argv, sizeof(char *) - * ((unsigned int) - custom_argc + 1)); + * ((size_t)custom_argc + 1)); if(new_argv == NULL){ error(0, errno, "realloc"); exitstatus = EX_OSERR; === modified file 'plugin-runner.xml' --- plugin-runner.xml 2015-07-20 04:03:32 +0000 +++ plugin-runner.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/askpass-fifo.c' --- plugins.d/askpass-fifo.c 2015-07-20 04:03:32 +0000 +++ plugins.d/askpass-fifo.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * Askpass-FIFO - Read a password from a FIFO and output it * - * Copyright © 2008-2015 Teddy Hogeborn - * Copyright © 2008-2015 Björn Påhlsson + * Copyright © 2008-2016 Teddy Hogeborn + * Copyright © 2008-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/askpass-fifo.xml' --- plugins.d/askpass-fifo.xml 2015-07-20 04:03:32 +0000 +++ plugins.d/askpass-fifo.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/mandos-client.c' --- plugins.d/mandos-client.c 2015-10-04 13:44:40 +0000 +++ plugins.d/mandos-client.c 2016-02-28 14:22:10 +0000 @@ -9,8 +9,8 @@ * "browse_callback", and parts of "main". * * Everything else is - * Copyright © 2008-2015 Teddy Hogeborn - * Copyright © 2008-2015 Björn Påhlsson + * Copyright © 2008-2016 Teddy Hogeborn + * Copyright © 2008-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -47,7 +47,7 @@ strtof(), abort() */ #include /* bool, false, true */ #include /* strcmp(), strlen(), strerror(), - asprintf(), strcpy() */ + asprintf(), strncpy() */ #include /* ioctl */ #include /* socket(), inet_pton(), sockaddr, sockaddr_in6, PF_INET6, @@ -1637,7 +1637,8 @@ errno = ret_errno; return false; } - strcpy(ifr->ifr_name, ifname); + strncpy(ifr->ifr_name, ifname, IF_NAMESIZE); + ifr->ifr_name[IF_NAMESIZE-1] = '\0'; /* NUL terminate */ ret = ioctl(s, SIOCGIFFLAGS, ifr); if(ret == -1){ if(debug){ === modified file 'plugins.d/mandos-client.xml' --- plugins.d/mandos-client.xml 2015-07-20 04:03:32 +0000 +++ plugins.d/mandos-client.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/password-prompt.c' --- plugins.d/password-prompt.c 2015-07-20 04:03:32 +0000 +++ plugins.d/password-prompt.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * Password-prompt - Read a password from the terminal and print it * - * Copyright © 2008-2015 Teddy Hogeborn - * Copyright © 2008-2015 Björn Påhlsson + * Copyright © 2008-2016 Teddy Hogeborn + * Copyright © 2008-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/password-prompt.xml' --- plugins.d/password-prompt.xml 2015-07-20 04:03:32 +0000 +++ plugins.d/password-prompt.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/plymouth.c' --- plugins.d/plymouth.c 2015-07-20 04:03:32 +0000 +++ plugins.d/plymouth.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * Plymouth - Read a password from Plymouth and output it * - * Copyright © 2010-2015 Teddy Hogeborn - * Copyright © 2010-2015 Björn Påhlsson + * Copyright © 2010-2016 Teddy Hogeborn + * Copyright © 2010-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/plymouth.xml' --- plugins.d/plymouth.xml 2015-07-20 04:03:32 +0000 +++ plugins.d/plymouth.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -37,6 +37,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/splashy.c' --- plugins.d/splashy.c 2015-07-20 04:03:32 +0000 +++ plugins.d/splashy.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * Splashy - Read a password from splashy and output it * - * Copyright © 2008-2015 Teddy Hogeborn - * Copyright © 2008-2015 Björn Påhlsson + * Copyright © 2008-2016 Teddy Hogeborn + * Copyright © 2008-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/splashy.xml' --- plugins.d/splashy.xml 2015-07-20 04:03:32 +0000 +++ plugins.d/splashy.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/usplash.c' --- plugins.d/usplash.c 2015-07-20 04:03:32 +0000 +++ plugins.d/usplash.c 2016-02-28 14:22:10 +0000 @@ -2,8 +2,8 @@ /* * Usplash - Read a password from usplash and output it * - * Copyright © 2008-2015 Teddy Hogeborn - * Copyright © 2008-2015 Björn Påhlsson + * Copyright © 2008-2016 Teddy Hogeborn + * Copyright © 2008-2016 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/usplash.xml' --- plugins.d/usplash.xml 2015-07-20 04:03:32 +0000 +++ plugins.d/usplash.xml 2016-02-28 14:22:10 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -39,6 +39,7 @@ 2013 2014 2015 + 2016 Teddy Hogeborn Björn Påhlsson