/mandos/release : revision 237.7.455

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

Committer: Teddy Hogeborn
Date: 2017-08-20 16:20:54 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 360.
Revision ID: teddy@recompile.se-20170820162054-jwig602syxx2k4l0

Alter copyright notices slightly.  Actual license is unchanged!

This alters all copyright notices to use the Free Software
Foundation's recommendations for license notices; from
<https://www.gnu.org/licenses/gpl-howto.html>:

  For programs that are more than one file, it is better to replace
  “this program” with the name of the program, and begin the statement
  with a line saying “This file is part of NAME”.

* DBUS-API: Use program name "Mandos" explicitly in license notice.
* debian/copyright: - '' -
* initramfs-unpack: - '' -
* legalnotice.xml: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* mandos-keygen: - '' -
* mandos-monitor: - '' -
* plugin-helpers/mandos-client-iprouteadddel.c: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/plymouth.c: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/usplash.c: - '' -

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/en_US.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos

# "AvahiService" class, and some lines in "main".

# Everything else is

# This file is part of Mandos.

import dbus

import dbus.service

import gi

from gi.repository import GLib

from dbus.mainloop.glib import DBusGMainLoop

import ctypes

116

115

if sys.version_info.major == 2:

117

116

str = unicode

118

117

119

if sys.version_info < (3, 2):

120

configparser.Configparser = configparser.SafeConfigParser

121

122

version = "1.8.7"

118

version = "1.7.15"

123

119

stored_state_file = "clients.pickle"

124

120

125

121

logger = logging.getLogger()

279

275

280

276

281

277

# Pretend that we have an Avahi module

282

class avahi(object):

283

"""This isn't so much a class as it is a module-like namespace."""

278

class Avahi(object):

279

"""This isn't so much a class as it is a module-like namespace.

280

It is instantiated once, and simulates having an Avahi module."""

284

281

IF_UNSPEC = -1 # avahi-common/address.h

285

282

PROTO_UNSPEC = -1 # avahi-common/address.h

286

283

PROTO_INET = 0 # avahi-common/address.h

290

287

DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"

291

288

DBUS_PATH_SERVER = "/"

292

289

293

@staticmethod

294

def string_array_to_txt_array(t):

290

def string_array_to_txt_array(self, t):

295

291

return dbus.Array((dbus.ByteArray(s.encode("utf-8"))

296

292

for s in t), signature="ay")

297

293

ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h

302

298

SERVER_RUNNING = 2 # avahi-common/defs.h

303

299

SERVER_COLLISION = 3 # avahi-common/defs.h

304

300

SERVER_FAILURE = 4 # avahi-common/defs.h

301

avahi = Avahi()

305

302

306

303

307

304

class AvahiError(Exception):

499

496

class AvahiServiceToSyslog(AvahiService):

500

497

def rename(self, *args, **kwargs):

501

498

"""Add the new name to the syslog messages"""

502

ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)

499

ret = AvahiService.rename(self, *args, **kwargs)

503

500

syslogger.setFormatter(logging.Formatter(

504

501

'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'

505

502

.format(self.name)))

507

504

508

505

509

506

# Pretend that we have a GnuTLS module

510

class gnutls(object):

511

"""This isn't so much a class as it is a module-like namespace."""

507

class GnuTLS(object):

508

"""This isn't so much a class as it is a module-like namespace.

509

It is instantiated once, and simulates having a GnuTLS module."""

512

510

513

511

library = ctypes.util.find_library("gnutls")

514

512

if library is None:

515

513

library = ctypes.util.find_library("gnutls-deb0")

516

514

_library = ctypes.cdll.LoadLibrary(library)

517

515

del library

516

_need_version = b"3.3.0"

517

518

def __init__(self):

519

# Need to use "self" here, since this method is called before

520

# the assignment to the "gnutls" global variable happens.

521

if self.check_version(self._need_version) is None:

522

raise self.Error("Needs GnuTLS {} or later"

523

.format(self._need_version))

518

524

519

525

# Unless otherwise indicated, the constants and types below are

520

526

# all from the gnutls/gnutls.h C header file.

524

530

E_INTERRUPTED = -52

525

531

E_AGAIN = -28

526

532

CRT_OPENPGP = 2

527

CRT_RAWPK = 3

528

533

CLIENT = 2

529

534

SHUT_RDWR = 0

530

535

CRD_CERTIFICATE = 1

531

536

E_NO_CERTIFICATE_FOUND = -49

532

X509_FMT_DER = 0

533

NO_TICKETS = 1<<10

534

ENABLE_RAWPK = 1<<18

535

CTYPE_PEERS = 3

536

KEYID_USE_SHA256 = 1 # gnutls/x509.h

537

OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h

538

539

# Types

562

563

# Exceptions

564

class Error(Exception):

565

# We need to use the class name "GnuTLS" here, since this

566

# exception might be raised from within GnuTLS.__init__,

567

# which is called before the assignment to the "gnutls"

568

# global variable has happened.

565

569

def __init__(self, message=None, code=None, args=()):

566

570

# Default usage is by a message string, but if a return

567

571

# code is passed, convert it to a string with

568

572

# gnutls.strerror()

569

573

self.code = code

570

574

if message is None and code is not None:

571

message = gnutls.strerror(code)

572

return super(gnutls.Error, self).__init__(

575

message = GnuTLS.strerror(code)

576

return super(GnuTLS.Error, self).__init__(

573

577

message, *args)

574

578

575

579

class CertificateSecurityError(Error):

589

593

class ClientSession(object):

590

594

def __init__(self, socket, credentials=None):

591

595

self._c_object = gnutls.session_t()

592

gnutls_flags = gnutls.CLIENT

593

if gnutls.check_version(b"3.5.6"):

594

gnutls_flags |= gnutls.NO_TICKETS

595

if gnutls.has_rawpk:

596

gnutls_flags |= gnutls.ENABLE_RAWPK

597

gnutls.init(ctypes.byref(self._c_object), gnutls_flags)

598

del gnutls_flags

596

gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)

599

597

gnutls.set_default_priority(self._c_object)

600

598

gnutls.transport_set_ptr(self._c_object, socket.fileno())

601

599

gnutls.handshake_set_private_extensions(self._c_object,

733

731

check_version.argtypes = [ctypes.c_char_p]

734

732

check_version.restype = ctypes.c_char_p

735

733

736

_need_version = b"3.3.0"

737

if check_version(_need_version) is None:

738

raise self.Error("Needs GnuTLS {} or later"

739

.format(_need_version))

740

741

_tls_rawpk_version = b"3.6.6"

742

has_rawpk = bool(check_version(_tls_rawpk_version))

743

744

if has_rawpk:

745

# Types

746

class pubkey_st(ctypes.Structure):

747

_fields = []

748

pubkey_t = ctypes.POINTER(pubkey_st)

749

750

x509_crt_fmt_t = ctypes.c_int

751

752

# All the function declarations below are from gnutls/abstract.h

753

pubkey_init = _library.gnutls_pubkey_init

754

pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]

755

pubkey_init.restype = _error_code

756

757

pubkey_import = _library.gnutls_pubkey_import

758

pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),

759

x509_crt_fmt_t]

760

pubkey_import.restype = _error_code

761

762

pubkey_get_key_id = _library.gnutls_pubkey_get_key_id

763

pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,

764

ctypes.POINTER(ctypes.c_ubyte),

765

ctypes.POINTER(ctypes.c_size_t)]

766

pubkey_get_key_id.restype = _error_code

767

768

pubkey_deinit = _library.gnutls_pubkey_deinit

769

pubkey_deinit.argtypes = [pubkey_t]

770

pubkey_deinit.restype = None

771

else:

772

# All the function declarations below are from gnutls/openpgp.h

773

774

openpgp_crt_init = _library.gnutls_openpgp_crt_init

775

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

776

openpgp_crt_init.restype = _error_code

777

778

openpgp_crt_import = _library.gnutls_openpgp_crt_import

779

openpgp_crt_import.argtypes = [openpgp_crt_t,

780

ctypes.POINTER(datum_t),

781

openpgp_crt_fmt_t]

782

openpgp_crt_import.restype = _error_code

783

784

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

785

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

786

ctypes.POINTER(ctypes.c_uint)]

787

openpgp_crt_verify_self.restype = _error_code

788

789

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

790

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

791

openpgp_crt_deinit.restype = None

792

793

openpgp_crt_get_fingerprint = (

794

_library.gnutls_openpgp_crt_get_fingerprint)

795

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

796

ctypes.c_void_p,

797

ctypes.POINTER(

798

ctypes.c_size_t)]

799

openpgp_crt_get_fingerprint.restype = _error_code

800

801

if check_version(b"3.6.4"):

802

certificate_type_get2 = _library.gnutls_certificate_type_get2

803

certificate_type_get2.argtypes = [session_t, ctypes.c_int]

804

certificate_type_get2.restype = _error_code

734

# All the function declarations below are from gnutls/openpgp.h

735

736

openpgp_crt_init = _library.gnutls_openpgp_crt_init

737

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

738

openpgp_crt_init.restype = _error_code

739

740

openpgp_crt_import = _library.gnutls_openpgp_crt_import

741

openpgp_crt_import.argtypes = [openpgp_crt_t,

742

ctypes.POINTER(datum_t),

743

openpgp_crt_fmt_t]

744

openpgp_crt_import.restype = _error_code

745

746

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

747

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

748

ctypes.POINTER(ctypes.c_uint)]

749

openpgp_crt_verify_self.restype = _error_code

750

751

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

752

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

753

openpgp_crt_deinit.restype = None

754

755

openpgp_crt_get_fingerprint = (

756

_library.gnutls_openpgp_crt_get_fingerprint)

757

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

758

ctypes.c_void_p,

759

ctypes.POINTER(

760

ctypes.c_size_t)]

761

openpgp_crt_get_fingerprint.restype = _error_code

805

762

806

763

# Remove non-public functions

807

764

del _error_code, _retry_on_error

765

# Create the global "gnutls" object, simulating a module

766

gnutls = GnuTLS()

808

767

809

768

810

769

def call_pipe(connection, # : multiprocessing.Connection

825

784

approved: bool(); 'None' if not yet approved/disapproved

826

785

approval_delay: datetime.timedelta(); Time to wait for approval

827

786

approval_duration: datetime.timedelta(); Duration of one approval

828

checker: multiprocessing.Process(); a running checker process used

829

to see if the client lives. 'None' if no process is

830

running.

787

checker: subprocess.Popen(); a running checker process used

788

to see if the client lives.

789

'None' if no process is running.

831

790

checker_callback_tag: a GLib event source tag, or None

832

791

checker_command: string; External command which is run to check

833

792

if client lives. %() expansions are done at

841

800

disable_initiator_tag: a GLib event source tag, or None

842

801

enabled: bool()

843

802

fingerprint: string (40 or 32 hexadecimal digits); used to

844

uniquely identify an OpenPGP client

845

key_id: string (64 hexadecimal digits); used to uniquely identify

846

a client using raw public keys

803

uniquely identify the client

847

804

host: string; available for use by the checker command

848

805

interval: datetime.timedelta(); How often to start a new checker

849

806

last_approval_request: datetime.datetime(); (UTC) or None

867

824

"""

868

825

869

826

runtime_expansions = ("approval_delay", "approval_duration",

870

"created", "enabled", "expires", "key_id",

827

"created", "enabled", "expires",

871

828

"fingerprint", "host", "interval",

872

829

"last_approval_request", "last_checked_ok",

873

830

"last_enabled", "name", "timeout")

903

860

client["enabled"] = config.getboolean(client_name,

904

861

"enabled")

905

862

906

# Uppercase and remove spaces from key_id and fingerprint

907

# for later comparison purposes with return value from the

908

# key_id() and fingerprint() functions

909

client["key_id"] = (section.get("key_id", "").upper()

910

.replace(" ", ""))

863

# Uppercase and remove spaces from fingerprint for later

864

# comparison purposes with return value from the

865

# fingerprint() function

911

866

client["fingerprint"] = (section["fingerprint"].upper()

912

867

.replace(" ", ""))

913

868

if "secret" in section:

957

912

self.expires = None

958

913

959

914

logger.debug("Creating client %r", self.name)

960

logger.debug(" Key ID: %s", self.key_id)

961

915

logger.debug(" Fingerprint: %s", self.fingerprint)

962

916

self.created = settings.get("created",

963

917

datetime.datetime.utcnow())

1040

994

def checker_callback(self, source, condition, connection,

1041

995

command):

1042

996

"""The checker has completed, so take appropriate actions."""

997

self.checker_callback_tag = None

998

self.checker = None

1043

999

# Read return code from connection (see call_pipe)

1044

1000

returncode = connection.recv()

1045

1001

connection.close()

1046

self.checker.join()

1047

self.checker_callback_tag = None

1048

self.checker = None

1049

1002

1050

1003

if returncode >= 0:

1051

1004

self.last_checker_status = returncode

2046

1999

def Name_dbus_property(self):

2047

2000

return dbus.String(self.name)

2048

2001

2049

# KeyID - property

2050

@dbus_annotations(

2051

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2052

@dbus_service_property(_interface, signature="s", access="read")

2053

def KeyID_dbus_property(self):

2054

return dbus.String(self.key_id)

2055

2056

2002

# Fingerprint - property

2057

2003

@dbus_annotations(

2058

2004

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2214

2160

2215

2161

2216

2162

class ProxyClient(object):

2217

def __init__(self, child_pipe, key_id, fpr, address):

2163

def __init__(self, child_pipe, fpr, address):

2218

2164

self._pipe = child_pipe

2219

self._pipe.send(('init', key_id, fpr, address))

2165

self._pipe.send(('init', fpr, address))

2220

2166

if not self._pipe.recv():

2221

raise KeyError(key_id or fpr)

2167

raise KeyError(fpr)

2222

2168

2223

2169

def __getattribute__(self, name):

2224

2170

if name == '_pipe':

2291

2237

2292

2238

approval_required = False

2293

2239

try:

2294

if gnutls.has_rawpk:

2295

fpr = b""

2296

try:

2297

key_id = self.key_id(

2298

self.peer_certificate(session))

2299

except (TypeError, gnutls.Error) as error:

2300

logger.warning("Bad certificate: %s", error)

2301

return

2302

logger.debug("Key ID: %s", key_id)

2303

2304

else:

2305

key_id = b""

2306

try:

2307

fpr = self.fingerprint(

2308

self.peer_certificate(session))

2309

except (TypeError, gnutls.Error) as error:

2310

logger.warning("Bad certificate: %s", error)

2311

return

2312

logger.debug("Fingerprint: %s", fpr)

2313

2314

try:

2315

client = ProxyClient(child_pipe, key_id, fpr,

2240

try:

2241

fpr = self.fingerprint(

2242

self.peer_certificate(session))

2243

except (TypeError, gnutls.Error) as error:

2244

logger.warning("Bad certificate: %s", error)

2245

return

2246

logger.debug("Fingerprint: %s", fpr)

2247

2248

try:

2249

client = ProxyClient(child_pipe, fpr,

2316

2250

self.client_address)

2317

2251

except KeyError:

2318

2252

return

2395

2329

2396

2330

@staticmethod

2397

2331

def peer_certificate(session):

2398

"Return the peer's certificate as a bytestring"

2399

try:

2400

cert_type = gnutls.certificate_type_get2(session._c_object,

2401

gnutls.CTYPE_PEERS)

2402

except AttributeError:

2403

cert_type = gnutls.certificate_type_get(session._c_object)

2404

if gnutls.has_rawpk:

2405

valid_cert_types = frozenset((gnutls.CRT_RAWPK,))

2406

else:

2407

valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))

2408

# If not a valid certificate type...

2409

if cert_type not in valid_cert_types:

2410

logger.info("Cert type %r not in %r", cert_type,

2411

valid_cert_types)

2332

"Return the peer's OpenPGP certificate as a bytestring"

2333

# If not an OpenPGP certificate...

2334

if (gnutls.certificate_type_get(session._c_object)

2335

!= gnutls.CRT_OPENPGP):

2412

2336

# ...return invalid data

2413

2337

return b""

2414

2338

list_size = ctypes.c_uint(1)

2422

2346

return ctypes.string_at(cert.data, cert.size)

2423

2347

2424

2348

@staticmethod

2425

def key_id(certificate):

2426

"Convert a certificate bytestring to a hexdigit key ID"

2427

# New GnuTLS "datum" with the public key

2428

datum = gnutls.datum_t(

2429

ctypes.cast(ctypes.c_char_p(certificate),

2430

ctypes.POINTER(ctypes.c_ubyte)),

2431

ctypes.c_uint(len(certificate)))

2432

# XXX all these need to be created in the gnutls "module"

2433

# New empty GnuTLS certificate

2434

pubkey = gnutls.pubkey_t()

2435

gnutls.pubkey_init(ctypes.byref(pubkey))

2436

# Import the raw public key into the certificate

2437

gnutls.pubkey_import(pubkey,

2438

ctypes.byref(datum),

2439

gnutls.X509_FMT_DER)

2440

# New buffer for the key ID

2441

buf = ctypes.create_string_buffer(32)

2442

buf_len = ctypes.c_size_t(len(buf))

2443

# Get the key ID from the raw public key into the buffer

2444

gnutls.pubkey_get_key_id(pubkey,

2445

gnutls.KEYID_USE_SHA256,

2446

ctypes.cast(ctypes.byref(buf),

2447

ctypes.POINTER(ctypes.c_ubyte)),

2448

ctypes.byref(buf_len))

2449

# Deinit the certificate

2450

gnutls.pubkey_deinit(pubkey)

2451

2452

# Convert the buffer to a Python bytestring

2453

key_id = ctypes.string_at(buf, buf_len.value)

2454

# Convert the bytestring to hexadecimal notation

2455

hex_key_id = binascii.hexlify(key_id).upper()

2456

return hex_key_id

2457

2458

@staticmethod

2459

2349

def fingerprint(openpgp):

2460

2350

"Convert an OpenPGP bytestring to a hexdigit fingerprint"

2461

2351

# New GnuTLS "datum" with the OpenPGP public key

2475

2365

ctypes.byref(crtverify))

2476

2366

if crtverify.value != 0:

2477

2367

gnutls.openpgp_crt_deinit(crt)

2478

raise gnutls.CertificateSecurityError(code

2479

=crtverify.value)

2368

raise gnutls.CertificateSecurityError("Verify failed")

2480

2369

# New buffer for the fingerprint

2481

2370

buf = ctypes.create_string_buffer(20)

2482

2371

buf_len = ctypes.c_size_t()

2610

2499

raise

2611

2500

# Only bind(2) the socket if we really need to.

2612

2501

if self.server_address[0] or self.server_address[1]:

2613

if self.server_address[1]:

2614

self.allow_reuse_address = True

2615

2502

if not self.server_address[0]:

2616

2503

if self.address_family == socket.AF_INET6:

2617

2504

any_address = "::" # in6addr_any

2691

2578

command = request[0]

2692

2579

2693

2580

if command == 'init':

2694

key_id = request[1].decode("ascii")

2695

fpr = request[2].decode("ascii")

2696

address = request[3]

2581

fpr = request[1]

2582

address = request[2]

2697

2583

2698

2584

for c in self.clients.values():

2699

if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":

2700

continue

2701

if key_id and c.key_id == key_id:

2702

client = c

2703

break

2704

if fpr and c.fingerprint == fpr:

2585

if c.fingerprint == fpr:

2705

2586

client = c

2706

2587

break

2707

2588

else:

2708

logger.info("Client not found for key ID: %s, address"

2709

": %s", key_id or fpr, address)

2589

logger.info("Client not found for fingerprint: %s, ad"

2590

"dress: %s", fpr, address)

2710

2591

if self.use_dbus:

2711

2592

# Emit D-Bus signal

2712

mandos_dbus_service.ClientNotFound(key_id or fpr,

2593

mandos_dbus_service.ClientNotFound(fpr,

2713

2594

address[0])

2714

2595

parent_pipe.send(False)

2715

2596

return False

2978

2859

sys.exit(os.EX_OK if fail_count == 0 else 1)

2979

2860

2980

2861

# Default values for config file for server-global settings

2981

if gnutls.has_rawpk:

2982

priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"

2983

":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")

2984

else:

2985

priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2986

":+SIGN-DSA-SHA256")

2987

2862

server_defaults = {"interface": "",

2988

2863

"address": "",

2989

2864

"port": "",

2990

2865

"debug": "False",

2991

"priority": priority,

2866

"priority":

2867

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2868

":+SIGN-DSA-SHA256",

2992

2869

"servicename": "Mandos",

2993

2870

"use_dbus": "True",

2994

2871

"use_ipv6": "True",

2999

2876

"foreground": "False",

3000

2877

"zeroconf": "True",

3001

2878

}

3002

del priority

3003

2879

3004

2880

# Parse config file for server-global settings

3005

server_config = configparser.ConfigParser(server_defaults)

2881

server_config = configparser.SafeConfigParser(server_defaults)

3006

2882

del server_defaults

3007

2883

server_config.read(os.path.join(options.configdir, "mandos.conf"))

3008

# Convert the ConfigParser object to a dict

2884

# Convert the SafeConfigParser object to a dict

3009

2885

server_settings = server_config.defaults()

3010

2886

# Use the appropriate methods on the non-string config options

3011

2887

for option in ("debug", "use_dbus", "use_ipv6", "restore",

3083

2959

server_settings["servicename"])))

3084

2960

3085

2961

# Parse config file with clients

3086

client_config = configparser.ConfigParser(Client.client_defaults)

2962

client_config = configparser.SafeConfigParser(Client

2963

.client_defaults)

3087

2964

client_config.read(os.path.join(server_settings["configdir"],

3088

2965

"clients.conf"))

3089

2966

3160

3037

# Close all input and output, do double fork, etc.

3161

3038

daemon()

3162

3039

3163

if gi.version_info < (3, 10, 2):

3164

# multiprocessing will use threads, so before we use GLib we

3165

# need to inform GLib that threads will be used.

3166

GLib.threads_init()

3040

# multiprocessing will use threads, so before we use GLib we need

3041

# to inform GLib that threads will be used.

3042

GLib.threads_init()

3167

3043

3168

3044

global main_loop

3169

3045

# From the Avahi example code

3249

3125

for k in ("name", "host"):

3250

3126

if isinstance(value[k], bytes):

3251

3127

value[k] = value[k].decode("utf-8")

3252

if "key_id" not in value:

3253

value["key_id"] = ""

3254

elif "fingerprint" not in value:

3255

value["fingerprint"] = ""

3256

3128

# old_client_settings

3257

3129

# .keys()

3258

3130

old_client_settings = {

3395

3267

pass

3396

3268

3397

3269

@dbus.service.signal(_interface, signature="ss")

3398

def ClientNotFound(self, key_id, address):

3270

def ClientNotFound(self, fingerprint, address):

3399

3271

"D-Bus signal"

3400

3272

pass

3401

3273

Older »