248
196
.replace(b"\n", b"\\n")
249
197
.replace(b"\0", b"\\x00"))
252
200
def encrypt(self, data, password):
253
201
passphrase = self.password_encode(password)
254
202
with tempfile.NamedTemporaryFile(
255
203
dir=self.tempdir) as passfile:
256
204
passfile.write(passphrase)
258
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
259
207
'--passphrase-file',
261
209
+ self.gnupgargs,
262
stdin=subprocess.PIPE,
263
stdout=subprocess.PIPE,
264
stderr=subprocess.PIPE)
265
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
266
214
if proc.returncode != 0:
267
215
raise PGPError(err)
268
216
return ciphertext
270
218
def decrypt(self, data, password):
271
219
passphrase = self.password_encode(password)
272
220
with tempfile.NamedTemporaryFile(
273
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
274
222
passfile.write(passphrase)
276
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
277
225
'--passphrase-file',
279
227
+ self.gnupgargs,
280
stdin=subprocess.PIPE,
281
stdout=subprocess.PIPE,
282
stderr=subprocess.PIPE)
283
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
284
232
if proc.returncode != 0:
285
233
raise PGPError(err)
286
234
return decrypted_plaintext
289
# Pretend that we have an Avahi module
291
"""This isn't so much a class as it is a module-like namespace."""
292
IF_UNSPEC = -1 # avahi-common/address.h
293
PROTO_UNSPEC = -1 # avahi-common/address.h
294
PROTO_INET = 0 # avahi-common/address.h
295
PROTO_INET6 = 1 # avahi-common/address.h
296
DBUS_NAME = "org.freedesktop.Avahi"
297
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
298
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
299
DBUS_PATH_SERVER = "/"
302
def string_array_to_txt_array(t):
303
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
304
for s in t), signature="ay")
305
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
306
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
307
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
308
SERVER_INVALID = 0 # avahi-common/defs.h
309
SERVER_REGISTERING = 1 # avahi-common/defs.h
310
SERVER_RUNNING = 2 # avahi-common/defs.h
311
SERVER_COLLISION = 3 # avahi-common/defs.h
312
SERVER_FAILURE = 4 # avahi-common/defs.h
315
237
class AvahiError(Exception):
316
238
def __init__(self, value, *args, **kwargs):
317
239
self.value = value
507
429
class AvahiServiceToSyslog(AvahiService):
508
430
def rename(self, *args, **kwargs):
509
431
"""Add the new name to the syslog messages"""
510
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
511
433
syslogger.setFormatter(logging.Formatter(
512
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
513
435
.format(self.name)))
517
# Pretend that we have a GnuTLS module
519
"""This isn't so much a class as it is a module-like namespace."""
521
library = ctypes.util.find_library("gnutls")
523
library = ctypes.util.find_library("gnutls-deb0")
524
_library = ctypes.cdll.LoadLibrary(library)
527
# Unless otherwise indicated, the constants and types below are
528
# all from the gnutls/gnutls.h C header file.
539
E_NO_CERTIFICATE_FOUND = -49
544
KEYID_USE_SHA256 = 1 # gnutls/x509.h
545
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
548
class session_int(ctypes.Structure):
550
session_t = ctypes.POINTER(session_int)
552
class certificate_credentials_st(ctypes.Structure):
554
certificate_credentials_t = ctypes.POINTER(
555
certificate_credentials_st)
556
certificate_type_t = ctypes.c_int
558
class datum_t(ctypes.Structure):
559
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
560
('size', ctypes.c_uint)]
562
class openpgp_crt_int(ctypes.Structure):
564
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
565
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
566
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
567
credentials_type_t = ctypes.c_int
568
transport_ptr_t = ctypes.c_void_p
569
close_request_t = ctypes.c_int
572
class Error(Exception):
573
def __init__(self, message=None, code=None, args=()):
574
# Default usage is by a message string, but if a return
575
# code is passed, convert it to a string with
578
if message is None and code is not None:
579
message = gnutls.strerror(code)
580
return super(gnutls.Error, self).__init__(
583
class CertificateSecurityError(Error):
589
self._c_object = gnutls.certificate_credentials_t()
590
gnutls.certificate_allocate_credentials(
591
ctypes.byref(self._c_object))
592
self.type = gnutls.CRD_CERTIFICATE
595
gnutls.certificate_free_credentials(self._c_object)
598
def __init__(self, socket, credentials=None):
599
self._c_object = gnutls.session_t()
600
gnutls_flags = gnutls.CLIENT
601
if gnutls.check_version(b"3.5.6"):
602
gnutls_flags |= gnutls.NO_TICKETS
604
gnutls_flags |= gnutls.ENABLE_RAWPK
605
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
607
gnutls.set_default_priority(self._c_object)
608
gnutls.transport_set_ptr(self._c_object, socket.fileno())
609
gnutls.handshake_set_private_extensions(self._c_object,
612
if credentials is None:
613
credentials = gnutls.Credentials()
614
gnutls.credentials_set(self._c_object, credentials.type,
615
ctypes.cast(credentials._c_object,
617
self.credentials = credentials
620
gnutls.deinit(self._c_object)
623
return gnutls.handshake(self._c_object)
625
def send(self, data):
629
data_len -= gnutls.record_send(self._c_object,
634
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
636
# Error handling functions
637
def _error_code(result):
638
"""A function to raise exceptions on errors, suitable
639
for the 'restype' attribute on ctypes functions"""
642
if result == gnutls.E_NO_CERTIFICATE_FOUND:
643
raise gnutls.CertificateSecurityError(code=result)
644
raise gnutls.Error(code=result)
646
def _retry_on_error(result, func, arguments):
647
"""A function to retry on some errors, suitable
648
for the 'errcheck' attribute on ctypes functions"""
650
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
651
return _error_code(result)
652
result = func(*arguments)
655
# Unless otherwise indicated, the function declarations below are
656
# all from the gnutls/gnutls.h C header file.
659
priority_set_direct = _library.gnutls_priority_set_direct
660
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
661
ctypes.POINTER(ctypes.c_char_p)]
662
priority_set_direct.restype = _error_code
664
init = _library.gnutls_init
665
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
666
init.restype = _error_code
668
set_default_priority = _library.gnutls_set_default_priority
669
set_default_priority.argtypes = [session_t]
670
set_default_priority.restype = _error_code
672
record_send = _library.gnutls_record_send
673
record_send.argtypes = [session_t, ctypes.c_void_p,
675
record_send.restype = ctypes.c_ssize_t
676
record_send.errcheck = _retry_on_error
678
certificate_allocate_credentials = (
679
_library.gnutls_certificate_allocate_credentials)
680
certificate_allocate_credentials.argtypes = [
681
ctypes.POINTER(certificate_credentials_t)]
682
certificate_allocate_credentials.restype = _error_code
684
certificate_free_credentials = (
685
_library.gnutls_certificate_free_credentials)
686
certificate_free_credentials.argtypes = [
687
certificate_credentials_t]
688
certificate_free_credentials.restype = None
690
handshake_set_private_extensions = (
691
_library.gnutls_handshake_set_private_extensions)
692
handshake_set_private_extensions.argtypes = [session_t,
694
handshake_set_private_extensions.restype = None
696
credentials_set = _library.gnutls_credentials_set
697
credentials_set.argtypes = [session_t, credentials_type_t,
699
credentials_set.restype = _error_code
701
strerror = _library.gnutls_strerror
702
strerror.argtypes = [ctypes.c_int]
703
strerror.restype = ctypes.c_char_p
705
certificate_type_get = _library.gnutls_certificate_type_get
706
certificate_type_get.argtypes = [session_t]
707
certificate_type_get.restype = _error_code
709
certificate_get_peers = _library.gnutls_certificate_get_peers
710
certificate_get_peers.argtypes = [session_t,
711
ctypes.POINTER(ctypes.c_uint)]
712
certificate_get_peers.restype = ctypes.POINTER(datum_t)
714
global_set_log_level = _library.gnutls_global_set_log_level
715
global_set_log_level.argtypes = [ctypes.c_int]
716
global_set_log_level.restype = None
718
global_set_log_function = _library.gnutls_global_set_log_function
719
global_set_log_function.argtypes = [log_func]
720
global_set_log_function.restype = None
722
deinit = _library.gnutls_deinit
723
deinit.argtypes = [session_t]
724
deinit.restype = None
726
handshake = _library.gnutls_handshake
727
handshake.argtypes = [session_t]
728
handshake.restype = _error_code
729
handshake.errcheck = _retry_on_error
731
transport_set_ptr = _library.gnutls_transport_set_ptr
732
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
733
transport_set_ptr.restype = None
735
bye = _library.gnutls_bye
736
bye.argtypes = [session_t, close_request_t]
737
bye.restype = _error_code
738
bye.errcheck = _retry_on_error
740
check_version = _library.gnutls_check_version
741
check_version.argtypes = [ctypes.c_char_p]
742
check_version.restype = ctypes.c_char_p
744
_need_version = b"3.3.0"
745
if check_version(_need_version) is None:
746
raise self.Error("Needs GnuTLS {} or later"
747
.format(_need_version))
749
_tls_rawpk_version = b"3.6.6"
750
has_rawpk = bool(check_version(_tls_rawpk_version))
754
class pubkey_st(ctypes.Structure):
756
pubkey_t = ctypes.POINTER(pubkey_st)
758
x509_crt_fmt_t = ctypes.c_int
760
# All the function declarations below are from gnutls/abstract.h
761
pubkey_init = _library.gnutls_pubkey_init
762
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
763
pubkey_init.restype = _error_code
765
pubkey_import = _library.gnutls_pubkey_import
766
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
768
pubkey_import.restype = _error_code
770
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
771
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
772
ctypes.POINTER(ctypes.c_ubyte),
773
ctypes.POINTER(ctypes.c_size_t)]
774
pubkey_get_key_id.restype = _error_code
776
pubkey_deinit = _library.gnutls_pubkey_deinit
777
pubkey_deinit.argtypes = [pubkey_t]
778
pubkey_deinit.restype = None
780
# All the function declarations below are from gnutls/openpgp.h
782
openpgp_crt_init = _library.gnutls_openpgp_crt_init
783
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
784
openpgp_crt_init.restype = _error_code
786
openpgp_crt_import = _library.gnutls_openpgp_crt_import
787
openpgp_crt_import.argtypes = [openpgp_crt_t,
788
ctypes.POINTER(datum_t),
790
openpgp_crt_import.restype = _error_code
792
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
793
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
794
ctypes.POINTER(ctypes.c_uint)]
795
openpgp_crt_verify_self.restype = _error_code
797
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
798
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
799
openpgp_crt_deinit.restype = None
801
openpgp_crt_get_fingerprint = (
802
_library.gnutls_openpgp_crt_get_fingerprint)
803
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
807
openpgp_crt_get_fingerprint.restype = _error_code
809
if check_version(b"3.6.4"):
810
certificate_type_get2 = _library.gnutls_certificate_type_get2
811
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
812
certificate_type_get2.restype = _error_code
814
# Remove non-public functions
815
del _error_code, _retry_on_error
818
438
def call_pipe(connection, # : multiprocessing.Connection
819
439
func, *args, **kwargs):
820
440
"""This function is meant to be called by multiprocessing.Process
822
442
This function runs func(*args, **kwargs), and writes the resulting
823
443
return value on the provided multiprocessing.Connection.
825
445
connection.send(func(*args, **kwargs))
826
446
connection.close()
448
class Client(object):
830
449
"""A representation of a client host served by this server.
833
452
approved: bool(); 'None' if not yet approved/disapproved
834
453
approval_delay: datetime.timedelta(); Time to wait for approval
835
454
approval_duration: datetime.timedelta(); Duration of one approval
836
checker: multiprocessing.Process(); a running checker process used
837
to see if the client lives. 'None' if no process is
839
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
840
459
checker_command: string; External command which is run to check
841
460
if client lives. %() expansions are done at
842
461
runtime with vars(self) as dict, so that for
843
462
instance %(name)s can be used in the command.
844
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
845
464
created: datetime.datetime(); (UTC) object creation
846
465
client_structure: Object describing what attributes a client has
847
466
and is used for storing the client at exit
848
467
current_checker_command: string; current running checker_command
849
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
851
470
fingerprint: string (40 or 32 hexadecimal digits); used to
852
uniquely identify an OpenPGP client
853
key_id: string (64 hexadecimal digits); used to uniquely identify
854
a client using raw public keys
471
uniquely identify the client
855
472
host: string; available for use by the checker command
856
473
interval: datetime.timedelta(); How often to start a new checker
857
474
last_approval_request: datetime.datetime(); (UTC) or None
2380
1991
delay -= time2 - time
2383
session.send(client.secret)
2384
except gnutls.Error as error:
2385
logger.warning("gnutls send failed",
1994
while sent_size < len(client.secret):
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2389
2006
logger.info("Sending secret to %s", client.name)
2390
2007
# bump the timeout using extended_timeout
2391
2008
client.bump_timeout(client.extended_timeout)
2392
2009
if self.server.use_dbus:
2393
2010
# Emit D-Bus signal
2394
2011
client.GotSecret()
2397
2014
if approval_required:
2398
2015
client.approvals_pending -= 1
2401
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2402
2019
logger.warning("GnuTLS bye failed",
2403
2020
exc_info=error)
2406
2023
def peer_certificate(session):
2407
"Return the peer's certificate as a bytestring"
2409
cert_type = gnutls.certificate_type_get2(session._c_object,
2411
except AttributeError:
2412
cert_type = gnutls.certificate_type_get(session._c_object)
2413
if gnutls.has_rawpk:
2414
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2416
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2417
# If not a valid certificate type...
2418
if cert_type not in valid_cert_types:
2419
logger.info("Cert type %r not in %r", cert_type,
2421
# ...return invalid data
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2423
2031
list_size = ctypes.c_uint(1)
2424
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2425
2034
(session._c_object, ctypes.byref(list_size)))
2426
2035
if not bool(cert_list) and list_size.value != 0:
2427
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2428
2038
if list_size.value == 0:
2430
2040
cert = cert_list[0]
2431
2041
return ctypes.string_at(cert.data, cert.size)
2434
def key_id(certificate):
2435
"Convert a certificate bytestring to a hexdigit key ID"
2436
# New GnuTLS "datum" with the public key
2437
datum = gnutls.datum_t(
2438
ctypes.cast(ctypes.c_char_p(certificate),
2439
ctypes.POINTER(ctypes.c_ubyte)),
2440
ctypes.c_uint(len(certificate)))
2441
# XXX all these need to be created in the gnutls "module"
2442
# New empty GnuTLS certificate
2443
pubkey = gnutls.pubkey_t()
2444
gnutls.pubkey_init(ctypes.byref(pubkey))
2445
# Import the raw public key into the certificate
2446
gnutls.pubkey_import(pubkey,
2447
ctypes.byref(datum),
2448
gnutls.X509_FMT_DER)
2449
# New buffer for the key ID
2450
buf = ctypes.create_string_buffer(32)
2451
buf_len = ctypes.c_size_t(len(buf))
2452
# Get the key ID from the raw public key into the buffer
2453
gnutls.pubkey_get_key_id(pubkey,
2454
gnutls.KEYID_USE_SHA256,
2455
ctypes.cast(ctypes.byref(buf),
2456
ctypes.POINTER(ctypes.c_ubyte)),
2457
ctypes.byref(buf_len))
2458
# Deinit the certificate
2459
gnutls.pubkey_deinit(pubkey)
2461
# Convert the buffer to a Python bytestring
2462
key_id = ctypes.string_at(buf, buf_len.value)
2463
# Convert the bytestring to hexadecimal notation
2464
hex_key_id = binascii.hexlify(key_id).upper()
2468
2044
def fingerprint(openpgp):
2469
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2470
2046
# New GnuTLS "datum" with the OpenPGP public key
2471
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2472
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2473
2049
ctypes.POINTER(ctypes.c_ubyte)),
2474
2050
ctypes.c_uint(len(openpgp)))
2475
2051
# New empty GnuTLS certificate
2476
crt = gnutls.openpgp_crt_t()
2477
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2478
2055
# Import the OpenPGP public key into the certificate
2479
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2480
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2481
2059
# Verify the self signature in the key
2482
2060
crtverify = ctypes.c_uint()
2483
gnutls.openpgp_crt_verify_self(crt, 0,
2484
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2485
2063
if crtverify.value != 0:
2486
gnutls.openpgp_crt_deinit(crt)
2487
raise gnutls.CertificateSecurityError(code
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2489
2067
# New buffer for the fingerprint
2490
2068
buf = ctypes.create_string_buffer(20)
2491
2069
buf_len = ctypes.c_size_t()
2492
2070
# Get the fingerprint from the certificate into the buffer
2493
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2494
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2495
2073
# Deinit the certificate
2496
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2497
2075
# Convert the buffer to a Python bytestring
2498
2076
fpr = ctypes.string_at(buf, buf_len.value)
2499
2077
# Convert the bytestring to hexadecimal notation
2588
2165
# socket_wrapper(), if socketfd was set.
2589
2166
socketserver.TCPServer.__init__(self, server_address,
2590
2167
RequestHandlerClass)
2592
2169
def server_bind(self):
2593
2170
"""This overrides the normal server_bind() function
2594
2171
to bind to an interface if one was specified, and also NOT to
2595
2172
bind to an address or port if they were not specified."""
2596
global SO_BINDTODEVICE
2597
2173
if self.interface is not None:
2598
2174
if SO_BINDTODEVICE is None:
2599
# Fall back to a hard-coded value which seems to be
2601
logger.warning("SO_BINDTODEVICE not found, trying 25")
2602
SO_BINDTODEVICE = 25
2604
self.socket.setsockopt(
2605
socket.SOL_SOCKET, SO_BINDTODEVICE,
2606
(self.interface + "\0").encode("utf-8"))
2607
except socket.error as error:
2608
if error.errno == errno.EPERM:
2609
logger.error("No permission to bind to"
2610
" interface %s", self.interface)
2611
elif error.errno == errno.ENOPROTOOPT:
2612
logger.error("SO_BINDTODEVICE not available;"
2613
" cannot bind to interface %s",
2615
elif error.errno == errno.ENODEV:
2616
logger.error("Interface %s does not exist,"
2617
" cannot bind", self.interface)
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2620
2196
# Only bind(2) the socket if we really need to.
2621
2197
if self.server_address[0] or self.server_address[1]:
2622
if self.server_address[1]:
2623
self.allow_reuse_address = True
2624
2198
if not self.server_address[0]:
2625
2199
if self.address_family == socket.AF_INET6:
2626
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2628
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2629
2203
self.server_address = (any_address,
2630
2204
self.server_address[1])
2631
2205
elif not self.server_address[1]:
2665
2239
self.gnutls_priority = gnutls_priority
2666
2240
IPv6_TCPServer.__init__(self, server_address,
2667
2241
RequestHandlerClass,
2668
interface=interface,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2672
2246
def server_activate(self):
2673
2247
if self.enabled:
2674
2248
return socketserver.TCPServer.server_activate(self)
2676
2250
def enable(self):
2677
2251
self.enabled = True
2679
2253
def add_pipe(self, parent_pipe, proc):
2680
2254
# Call "handle_ipc" for both data and EOF events
2682
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2683
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2684
2258
functools.partial(self.handle_ipc,
2685
parent_pipe=parent_pipe,
2259
parent_pipe = parent_pipe,
2688
2262
def handle_ipc(self, source, condition,
2689
2263
parent_pipe=None,
2691
2265
client_object=None):
2692
2266
# error, or the other end of multiprocessing.Pipe has closed
2693
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2694
2268
# Wait for other process to exit
2698
2272
# Read a request from the child
2699
2273
request = parent_pipe.recv()
2700
2274
command = request[0]
2702
2276
if command == 'init':
2703
key_id = request[1].decode("ascii")
2704
fpr = request[2].decode("ascii")
2705
address = request[3]
2707
for c in self.clients.values():
2708
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2710
if key_id and c.key_id == key_id:
2713
if fpr and c.fingerprint == fpr:
2278
address = request[2]
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2717
logger.info("Client not found for key ID: %s, address"
2718
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2719
2287
if self.use_dbus:
2720
2288
# Emit D-Bus signal
2721
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2723
2291
parent_pipe.send(False)
2727
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2728
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2729
2297
functools.partial(self.handle_ipc,
2730
parent_pipe=parent_pipe,
2732
client_object=client))
2298
parent_pipe = parent_pipe,
2300
client_object = client))
2733
2301
parent_pipe.send(True)
2734
2302
# remove the old hook in favor of the new above hook on
3192
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3193
2751
service = AvahiServiceToSyslog(
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
3198
2756
if server_settings["interface"]:
3199
2757
service.interface = if_nametoindex(
3200
2758
server_settings["interface"].encode("utf-8"))
3202
2760
global multiprocessing_manager
3203
2761
multiprocessing_manager = multiprocessing.Manager()
3205
2763
client_class = Client
3207
client_class = functools.partial(ClientDBus, bus=bus)
2765
client_class = functools.partial(ClientDBus, bus = bus)
3209
2767
client_settings = Client.config_parser(client_config)
3210
2768
old_client_settings = {}
3211
2769
clients_data = {}
3213
2771
# This is used to redirect stdout and stderr for checker processes
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3216
2774
# Only used if server is running in foreground but not in debug
3218
2776
if debug or not foreground:
3221
2779
# Get client data and settings from last running state.
3222
2780
if server_settings["restore"]:
3224
2782
with open(stored_state_path, "rb") as stored_state:
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3244
clients_data[key].items()}
3245
clients_data[key] = value
3247
value["client_structure"] = [
3249
if isinstance(s, bytes)
3251
value["client_structure"]]
3252
# .name, .host, and .checker_command
3253
for k in ("name", "host", "checker_command"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if "key_id" not in value:
3257
value["key_id"] = ""
3258
elif "fingerprint" not in value:
3259
value["fingerprint"] = ""
3260
# old_client_settings
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host and .checker_command
3270
for value in old_client_settings.values():
3271
for attribute in ("host", "checker_command"):
3272
if isinstance(value[attribute], bytes):
3273
value[attribute] = (value[attribute]
2783
clients_data, old_client_settings = pickle.load(
3275
2785
os.remove(stored_state_path)
3276
2786
except IOError as e:
3277
2787
if e.errno == errno.ENOENT: