To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.475
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.475
- Committer: Teddy Hogeborn
- Date: 2018-02-10 13:23:58 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 362.
- Revision ID: teddy@recompile.se-20180210132358-8pfvo9vshq9l32y5
Remove unnecessary text left from old example init.d file
* init.d-mandos: Remove unnecessary text left from old example init.d
file.
* init.d-mandos: Remove unnecessary text left from old example init.d
file.
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import unittest
81
import random
82
import shlex
83
80
84
81
import dbus
85
82
import dbus.service
86
import gi
87
83
from gi.repository import GLib
88
84
from dbus.mainloop.glib import DBusGMainLoop
89
85
import ctypes
91
87
import xml.dom.minidom
92
88
import inspect
93
89
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
90
# Try to find the value of SO_BINDTODEVICE:
119
91
try:
120
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
140
112
# No value found
141
113
SO_BINDTODEVICE = None
142
114
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
115
if sys.version_info.major == 2:
116
str = unicode
145
117
146
version = "1.8.13"
118
version = "1.7.16"
147
119
stored_state_file = "clients.pickle"
148
120
149
121
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
122
syslogger = None
152
123
153
124
try:
208
179
pass
209
180
210
181
211
class PGPEngine:
182
class PGPEngine(object):
212
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
184
214
185
def __init__(self):
218
189
output = subprocess.check_output(["gpgconf"])
219
190
for line in output.splitlines():
220
191
name, text, path = line.split(b":")
221
if name == b"gpg":
192
if name == "gpg":
222
193
self.gpg = path
223
194
break
224
195
except OSError as e:
229
200
'--force-mdc',
230
201
'--quiet']
231
202
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
233
204
self.gnupgargs.append("--no-use-agent")
234
205
235
206
def __enter__(self):
304
275
305
276
306
277
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
309
281
IF_UNSPEC = -1 # avahi-common/address.h
310
282
PROTO_UNSPEC = -1 # avahi-common/address.h
311
283
PROTO_INET = 0 # avahi-common/address.h
315
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
288
DBUS_PATH_SERVER = "/"
317
289
318
@staticmethod
319
def string_array_to_txt_array(t):
290
def string_array_to_txt_array(self, t):
320
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
292
for s in t), signature="ay")
322
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
327
298
SERVER_RUNNING = 2 # avahi-common/defs.h
328
299
SERVER_COLLISION = 3 # avahi-common/defs.h
329
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
330
302
331
303
332
304
class AvahiError(Exception):
344
316
pass
345
317
346
318
347
class AvahiService:
319
class AvahiService(object):
348
320
"""An Avahi (Zeroconf) service.
349
321
350
322
Attributes:
524
496
class AvahiServiceToSyslog(AvahiService):
525
497
def rename(self, *args, **kwargs):
526
498
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
529
500
syslogger.setFormatter(logging.Formatter(
530
501
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
502
.format(self.name)))
533
504
534
505
535
506
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
538
510
539
511
library = ctypes.util.find_library("gnutls")
540
512
if library is None:
541
513
library = ctypes.util.find_library("gnutls-deb0")
542
514
_library = ctypes.cdll.LoadLibrary(library)
543
515
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
544
524
545
525
# Unless otherwise indicated, the constants and types below are
546
526
# all from the gnutls/gnutls.h C header file.
550
530
E_INTERRUPTED = -52
551
531
E_AGAIN = -28
552
532
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
533
CLIENT = 2
555
534
SHUT_RDWR = 0
556
535
CRD_CERTIFICATE = 1
557
536
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
538
565
539
# Types
588
562
589
563
# Exceptions
590
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
591
569
def __init__(self, message=None, code=None, args=()):
592
570
# Default usage is by a message string, but if a return
593
571
# code is passed, convert it to a string with
594
572
# gnutls.strerror()
595
573
self.code = code
596
574
if message is None and code is not None:
597
message = gnutls.strerror(code)
598
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
599
577
message, *args)
600
578
601
579
class CertificateSecurityError(Error):
602
580
pass
603
581
604
582
# Classes
605
class Credentials:
583
class Credentials(object):
606
584
def __init__(self):
607
585
self._c_object = gnutls.certificate_credentials_t()
608
586
gnutls.certificate_allocate_credentials(
612
590
def __del__(self):
613
591
gnutls.certificate_free_credentials(self._c_object)
614
592
615
class ClientSession:
593
class ClientSession(object):
616
594
def __init__(self, socket, credentials=None):
617
595
self._c_object = gnutls.session_t()
618
gnutls_flags = gnutls.CLIENT
619
if gnutls.check_version(b"3.5.6"):
620
gnutls_flags |= gnutls.NO_TICKETS
621
if gnutls.has_rawpk:
622
gnutls_flags |= gnutls.ENABLE_RAWPK
623
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
del gnutls_flags
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
625
597
gnutls.set_default_priority(self._c_object)
626
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
599
gnutls.handshake_set_private_extensions(self._c_object,
759
731
check_version.argtypes = [ctypes.c_char_p]
760
732
check_version.restype = ctypes.c_char_p
761
733
762
_need_version = b"3.3.0"
763
if check_version(_need_version) is None:
764
raise self.Error("Needs GnuTLS {} or later"
765
.format(_need_version))
766
767
_tls_rawpk_version = b"3.6.6"
768
has_rawpk = bool(check_version(_tls_rawpk_version))
769
770
if has_rawpk:
771
# Types
772
class pubkey_st(ctypes.Structure):
773
_fields = []
774
pubkey_t = ctypes.POINTER(pubkey_st)
775
776
x509_crt_fmt_t = ctypes.c_int
777
778
# All the function declarations below are from
779
# gnutls/abstract.h
780
pubkey_init = _library.gnutls_pubkey_init
781
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
782
pubkey_init.restype = _error_code
783
784
pubkey_import = _library.gnutls_pubkey_import
785
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
786
x509_crt_fmt_t]
787
pubkey_import.restype = _error_code
788
789
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
790
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
791
ctypes.POINTER(ctypes.c_ubyte),
792
ctypes.POINTER(ctypes.c_size_t)]
793
pubkey_get_key_id.restype = _error_code
794
795
pubkey_deinit = _library.gnutls_pubkey_deinit
796
pubkey_deinit.argtypes = [pubkey_t]
797
pubkey_deinit.restype = None
798
else:
799
# All the function declarations below are from
800
# gnutls/openpgp.h
801
802
openpgp_crt_init = _library.gnutls_openpgp_crt_init
803
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
804
openpgp_crt_init.restype = _error_code
805
806
openpgp_crt_import = _library.gnutls_openpgp_crt_import
807
openpgp_crt_import.argtypes = [openpgp_crt_t,
808
ctypes.POINTER(datum_t),
809
openpgp_crt_fmt_t]
810
openpgp_crt_import.restype = _error_code
811
812
openpgp_crt_verify_self = \
813
_library.gnutls_openpgp_crt_verify_self
814
openpgp_crt_verify_self.argtypes = [
815
openpgp_crt_t,
816
ctypes.c_uint,
817
ctypes.POINTER(ctypes.c_uint),
818
]
819
openpgp_crt_verify_self.restype = _error_code
820
821
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
822
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
823
openpgp_crt_deinit.restype = None
824
825
openpgp_crt_get_fingerprint = (
826
_library.gnutls_openpgp_crt_get_fingerprint)
827
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
828
ctypes.c_void_p,
829
ctypes.POINTER(
830
ctypes.c_size_t)]
831
openpgp_crt_get_fingerprint.restype = _error_code
832
833
if check_version(b"3.6.4"):
834
certificate_type_get2 = _library.gnutls_certificate_type_get2
835
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
836
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
837
762
838
763
# Remove non-public functions
839
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
840
767
841
768
842
769
def call_pipe(connection, # : multiprocessing.Connection
850
777
connection.close()
851
778
852
779
853
class Client:
780
class Client(object):
854
781
"""A representation of a client host served by this server.
855
782
856
783
Attributes:
857
784
approved: bool(); 'None' if not yet approved/disapproved
858
785
approval_delay: datetime.timedelta(); Time to wait for approval
859
786
approval_duration: datetime.timedelta(); Duration of one approval
860
checker: multiprocessing.Process(); a running checker process used
861
to see if the client lives. 'None' if no process is
862
running.
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
863
790
checker_callback_tag: a GLib event source tag, or None
864
791
checker_command: string; External command which is run to check
865
792
if client lives. %() expansions are done at
873
800
disable_initiator_tag: a GLib event source tag, or None
874
801
enabled: bool()
875
802
fingerprint: string (40 or 32 hexadecimal digits); used to
876
uniquely identify an OpenPGP client
877
key_id: string (64 hexadecimal digits); used to uniquely identify
878
a client using raw public keys
803
uniquely identify the client
879
804
host: string; available for use by the checker command
880
805
interval: datetime.timedelta(); How often to start a new checker
881
806
last_approval_request: datetime.datetime(); (UTC) or None
899
824
"""
900
825
901
826
runtime_expansions = ("approval_delay", "approval_duration",
902
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
903
828
"fingerprint", "host", "interval",
904
829
"last_approval_request", "last_checked_ok",
905
830
"last_enabled", "name", "timeout")
935
860
client["enabled"] = config.getboolean(client_name,
936
861
"enabled")
937
862
938
# Uppercase and remove spaces from key_id and fingerprint
939
# for later comparison purposes with return value from the
940
# key_id() and fingerprint() functions
941
client["key_id"] = (section.get("key_id", "").upper()
942
.replace(" ", ""))
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
943
866
client["fingerprint"] = (section["fingerprint"].upper()
944
867
.replace(" ", ""))
945
868
if "secret" in section:
989
912
self.expires = None
990
913
991
914
logger.debug("Creating client %r", self.name)
992
logger.debug(" Key ID: %s", self.key_id)
993
915
logger.debug(" Fingerprint: %s", self.fingerprint)
994
916
self.created = settings.get("created",
995
917
datetime.datetime.utcnow())
1059
981
if self.checker_initiator_tag is not None:
1060
982
GLib.source_remove(self.checker_initiator_tag)
1061
983
self.checker_initiator_tag = GLib.timeout_add(
1062
random.randrange(int(self.interval.total_seconds() * 1000
1063
+ 1)),
984
int(self.interval.total_seconds() * 1000),
1064
985
self.start_checker)
1065
986
# Schedule a disable() when 'timeout' has passed
1066
987
if self.disable_initiator_tag is not None:
1073
994
def checker_callback(self, source, condition, connection,
1074
995
command):
1075
996
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
1076
999
# Read return code from connection (see call_pipe)
1077
1000
returncode = connection.recv()
1078
1001
connection.close()
1079
if self.checker is not None:
1080
self.checker.join()
1081
self.checker_callback_tag = None
1082
self.checker = None
1083
1002
1084
1003
if returncode >= 0:
1085
1004
self.last_checker_status = returncode
1141
1060
if self.checker is None:
1142
1061
# Escape attributes for the shell
1143
1062
escaped_attrs = {
1144
attr: shlex.quote(str(getattr(self, attr)))
1063
attr: re.escape(str(getattr(self, attr)))
1145
1064
for attr in self.runtime_expansions}
1146
1065
try:
1147
1066
command = self.checker_command % escaped_attrs
1174
1093
kwargs=popen_args)
1175
1094
self.checker.start()
1176
1095
self.checker_callback_tag = GLib.io_add_watch(
1177
GLib.IOChannel.unix_new(pipe[0].fileno()),
1178
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1096
pipe[0].fileno(), GLib.IO_IN,
1179
1097
self.checker_callback, pipe[0], command)
1180
1098
# Re-run this periodically if run by GLib.timeout_add
1181
1099
return True
1436
1354
raise ValueError("Byte arrays not supported for non-"
1437
1355
"'ay' signature {!r}"
1438
1356
.format(prop._dbus_signature))
1439
value = dbus.ByteArray(bytes(value))
1357
value = dbus.ByteArray(b''.join(chr(byte)
1358
for byte in value))
1440
1359
prop(value)
1441
1360
1442
1361
@dbus.service.method(dbus.PROPERTIES_IFACE,
2080
1999
def Name_dbus_property(self):
2081
2000
return dbus.String(self.name)
2082
2001
2083
# KeyID - property
2084
@dbus_annotations(
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
@dbus_service_property(_interface, signature="s", access="read")
2087
def KeyID_dbus_property(self):
2088
return dbus.String(self.key_id)
2089
2090
2002
# Fingerprint - property
2091
2003
@dbus_annotations(
2092
2004
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2247
2159
del _interface
2248
2160
2249
2161
2250
class ProxyClient:
2251
def __init__(self, child_pipe, key_id, fpr, address):
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2252
2164
self._pipe = child_pipe
2253
self._pipe.send(('init', key_id, fpr, address))
2165
self._pipe.send(('init', fpr, address))
2254
2166
if not self._pipe.recv():
2255
raise KeyError(key_id or fpr)
2167
raise KeyError(fpr)
2256
2168
2257
2169
def __getattribute__(self, name):
2258
2170
if name == '_pipe':
2325
2237
2326
2238
approval_required = False
2327
2239
try:
2328
if gnutls.has_rawpk:
2329
fpr = b""
2330
try:
2331
key_id = self.key_id(
2332
self.peer_certificate(session))
2333
except (TypeError, gnutls.Error) as error:
2334
logger.warning("Bad certificate: %s", error)
2335
return
2336
logger.debug("Key ID: %s", key_id)
2337
2338
else:
2339
key_id = b""
2340
try:
2341
fpr = self.fingerprint(
2342
self.peer_certificate(session))
2343
except (TypeError, gnutls.Error) as error:
2344
logger.warning("Bad certificate: %s", error)
2345
return
2346
logger.debug("Fingerprint: %s", fpr)
2347
2348
try:
2349
client = ProxyClient(child_pipe, key_id, fpr,
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2350
2250
self.client_address)
2351
2251
except KeyError:
2352
2252
return
2429
2329
2430
2330
@staticmethod
2431
2331
def peer_certificate(session):
2432
"Return the peer's certificate as a bytestring"
2433
try:
2434
cert_type = gnutls.certificate_type_get2(session._c_object,
2435
gnutls.CTYPE_PEERS)
2436
except AttributeError:
2437
cert_type = gnutls.certificate_type_get(session._c_object)
2438
if gnutls.has_rawpk:
2439
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2440
else:
2441
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2442
# If not a valid certificate type...
2443
if cert_type not in valid_cert_types:
2444
logger.info("Cert type %r not in %r", cert_type,
2445
valid_cert_types)
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2446
2336
# ...return invalid data
2447
2337
return b""
2448
2338
list_size = ctypes.c_uint(1)
2456
2346
return ctypes.string_at(cert.data, cert.size)
2457
2347
2458
2348
@staticmethod
2459
def key_id(certificate):
2460
"Convert a certificate bytestring to a hexdigit key ID"
2461
# New GnuTLS "datum" with the public key
2462
datum = gnutls.datum_t(
2463
ctypes.cast(ctypes.c_char_p(certificate),
2464
ctypes.POINTER(ctypes.c_ubyte)),
2465
ctypes.c_uint(len(certificate)))
2466
# XXX all these need to be created in the gnutls "module"
2467
# New empty GnuTLS certificate
2468
pubkey = gnutls.pubkey_t()
2469
gnutls.pubkey_init(ctypes.byref(pubkey))
2470
# Import the raw public key into the certificate
2471
gnutls.pubkey_import(pubkey,
2472
ctypes.byref(datum),
2473
gnutls.X509_FMT_DER)
2474
# New buffer for the key ID
2475
buf = ctypes.create_string_buffer(32)
2476
buf_len = ctypes.c_size_t(len(buf))
2477
# Get the key ID from the raw public key into the buffer
2478
gnutls.pubkey_get_key_id(
2479
pubkey,
2480
gnutls.KEYID_USE_SHA256,
2481
ctypes.cast(ctypes.byref(buf),
2482
ctypes.POINTER(ctypes.c_ubyte)),
2483
ctypes.byref(buf_len))
2484
# Deinit the certificate
2485
gnutls.pubkey_deinit(pubkey)
2486
2487
# Convert the buffer to a Python bytestring
2488
key_id = ctypes.string_at(buf, buf_len.value)
2489
# Convert the bytestring to hexadecimal notation
2490
hex_key_id = binascii.hexlify(key_id).upper()
2491
return hex_key_id
2492
2493
@staticmethod
2494
2349
def fingerprint(openpgp):
2495
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2496
2351
# New GnuTLS "datum" with the OpenPGP public key
2510
2365
ctypes.byref(crtverify))
2511
2366
if crtverify.value != 0:
2512
2367
gnutls.openpgp_crt_deinit(crt)
2513
raise gnutls.CertificateSecurityError(code
2514
=crtverify.value)
2368
raise gnutls.CertificateSecurityError("Verify failed")
2515
2369
# New buffer for the fingerprint
2516
2370
buf = ctypes.create_string_buffer(20)
2517
2371
buf_len = ctypes.c_size_t()
2527
2381
return hex_fpr
2528
2382
2529
2383
2530
class MultiprocessingMixIn:
2384
class MultiprocessingMixIn(object):
2531
2385
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2532
2386
2533
2387
def sub_process_main(self, request, address):
2545
2399
return proc
2546
2400
2547
2401
2548
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2402
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2549
2403
""" adds a pipe to the MixIn """
2550
2404
2551
2405
def process_request(self, request, client_address):
2566
2420
2567
2421
2568
2422
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2569
socketserver.TCPServer):
2423
socketserver.TCPServer, object):
2570
2424
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2571
2425
2572
2426
Attributes:
2645
2499
raise
2646
2500
# Only bind(2) the socket if we really need to.
2647
2501
if self.server_address[0] or self.server_address[1]:
2648
if self.server_address[1]:
2649
self.allow_reuse_address = True
2650
2502
if not self.server_address[0]:
2651
2503
if self.address_family == socket.AF_INET6:
2652
2504
any_address = "::" # in6addr_any
2705
2557
def add_pipe(self, parent_pipe, proc):
2706
2558
# Call "handle_ipc" for both data and EOF events
2707
2559
GLib.io_add_watch(
2708
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2709
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2560
parent_pipe.fileno(),
2561
GLib.IO_IN | GLib.IO_HUP,
2710
2562
functools.partial(self.handle_ipc,
2711
2563
parent_pipe=parent_pipe,
2712
2564
proc=proc))
2726
2578
command = request[0]
2727
2579
2728
2580
if command == 'init':
2729
key_id = request[1].decode("ascii")
2730
fpr = request[2].decode("ascii")
2731
address = request[3]
2581
fpr = request[1].decode("ascii")
2582
address = request[2]
2732
2583
2733
2584
for c in self.clients.values():
2734
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2735
"27AE41E4649B934CA495991B7852B855"):
2736
continue
2737
if key_id and c.key_id == key_id:
2738
client = c
2739
break
2740
if fpr and c.fingerprint == fpr:
2585
if c.fingerprint == fpr:
2741
2586
client = c
2742
2587
break
2743
2588
else:
2744
logger.info("Client not found for key ID: %s, address"
2745
": %s", key_id or fpr, address)
2589
logger.info("Client not found for fingerprint: %s, ad"
2590
"dress: %s", fpr, address)
2746
2591
if self.use_dbus:
2747
2592
# Emit D-Bus signal
2748
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
mandos_dbus_service.ClientNotFound(fpr,
2749
2594
address[0])
2750
2595
parent_pipe.send(False)
2751
2596
return False
2752
2597
2753
2598
GLib.io_add_watch(
2754
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2755
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2599
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2756
2601
functools.partial(self.handle_ipc,
2757
2602
parent_pipe=parent_pipe,
2758
2603
proc=proc,
2773
2618
if command == 'getattr':
2774
2619
attrname = request[1]
2775
2620
if isinstance(client_object.__getattribute__(attrname),
2776
collections.abc.Callable):
2621
collections.Callable):
2777
2622
parent_pipe.send(('function', ))
2778
2623
else:
2779
2624
parent_pipe.send((
2790
2635
def rfc3339_duration_to_delta(duration):
2791
2636
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2792
2637
2793
>>> timedelta = datetime.timedelta
2794
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2795
True
2796
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2797
True
2798
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2799
True
2800
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2801
True
2802
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2803
True
2804
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2805
True
2806
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2807
True
2808
>>> del timedelta
2638
>>> rfc3339_duration_to_delta("P7D")
2639
datetime.timedelta(7)
2640
>>> rfc3339_duration_to_delta("PT60S")
2641
datetime.timedelta(0, 60)
2642
>>> rfc3339_duration_to_delta("PT60M")
2643
datetime.timedelta(0, 3600)
2644
>>> rfc3339_duration_to_delta("PT24H")
2645
datetime.timedelta(1)
2646
>>> rfc3339_duration_to_delta("P1W")
2647
datetime.timedelta(7)
2648
>>> rfc3339_duration_to_delta("PT5M30S")
2649
datetime.timedelta(0, 330)
2650
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
datetime.timedelta(1, 200)
2809
2652
"""
2810
2653
2811
2654
# Parsing an RFC 3339 duration with regular expressions is not
2891
2734
def string_to_delta(interval):
2892
2735
"""Parse a string and return a datetime.timedelta
2893
2736
2894
>>> string_to_delta('7d') == datetime.timedelta(7)
2895
True
2896
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2897
True
2898
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2899
True
2900
>>> string_to_delta('24h') == datetime.timedelta(1)
2901
True
2902
>>> string_to_delta('1w') == datetime.timedelta(7)
2903
True
2904
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2905
True
2737
>>> string_to_delta('7d')
2738
datetime.timedelta(7)
2739
>>> string_to_delta('60s')
2740
datetime.timedelta(0, 60)
2741
>>> string_to_delta('60m')
2742
datetime.timedelta(0, 3600)
2743
>>> string_to_delta('24h')
2744
datetime.timedelta(1)
2745
>>> string_to_delta('1w')
2746
datetime.timedelta(7)
2747
>>> string_to_delta('5m 30s')
2748
datetime.timedelta(0, 330)
2906
2749
"""
2907
2750
2908
2751
try:
3010
2853
3011
2854
options = parser.parse_args()
3012
2855
2856
if options.check:
2857
import doctest
2858
fail_count, test_count = doctest.testmod()
2859
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
3013
2861
# Default values for config file for server-global settings
3014
if gnutls.has_rawpk:
3015
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3016
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3017
else:
3018
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3019
":+SIGN-DSA-SHA256")
3020
2862
server_defaults = {"interface": "",
3021
2863
"address": "",
3022
2864
"port": "",
3023
2865
"debug": "False",
3024
"priority": priority,
2866
"priority":
2867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
":+SIGN-DSA-SHA256",
3025
2869
"servicename": "Mandos",
3026
2870
"use_dbus": "True",
3027
2871
"use_ipv6": "True",
3032
2876
"foreground": "False",
3033
2877
"zeroconf": "True",
3034
2878
}
3035
del priority
3036
2879
3037
2880
# Parse config file for server-global settings
3038
server_config = configparser.ConfigParser(server_defaults)
2881
server_config = configparser.SafeConfigParser(server_defaults)
3039
2882
del server_defaults
3040
2883
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3041
# Convert the ConfigParser object to a dict
2884
# Convert the SafeConfigParser object to a dict
3042
2885
server_settings = server_config.defaults()
3043
2886
# Use the appropriate methods on the non-string config options
3044
2887
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3116
2959
server_settings["servicename"])))
3117
2960
3118
2961
# Parse config file with clients
3119
client_config = configparser.ConfigParser(Client.client_defaults)
2962
client_config = configparser.SafeConfigParser(Client
2963
.client_defaults)
3120
2964
client_config.read(os.path.join(server_settings["configdir"],
3121
2965
"clients.conf"))
3122
2966
3193
3037
# Close all input and output, do double fork, etc.
3194
3038
daemon()
3195
3039
3196
if gi.version_info < (3, 10, 2):
3197
# multiprocessing will use threads, so before we use GLib we
3198
# need to inform GLib that threads will be used.
3199
GLib.threads_init()
3040
# multiprocessing will use threads, so before we use GLib we need
3041
# to inform GLib that threads will be used.
3042
GLib.threads_init()
3200
3043
3201
3044
global main_loop
3202
3045
# From the Avahi example code
3278
3121
if isinstance(s, bytes)
3279
3122
else s) for s in
3280
3123
value["client_structure"]]
3281
# .name, .host, and .checker_command
3282
for k in ("name", "host", "checker_command"):
3124
# .name & .host
3125
for k in ("name", "host"):
3283
3126
if isinstance(value[k], bytes):
3284
3127
value[k] = value[k].decode("utf-8")
3285
if "key_id" not in value:
3286
value["key_id"] = ""
3287
elif "fingerprint" not in value:
3288
value["fingerprint"] = ""
3289
3128
# old_client_settings
3290
3129
# .keys()
3291
3130
old_client_settings = {
3295
3134
for key, value in
3296
3135
bytes_old_client_settings.items()}
3297
3136
del bytes_old_client_settings
3298
# .host and .checker_command
3137
# .host
3299
3138
for value in old_client_settings.values():
3300
for attribute in ("host", "checker_command"):
3301
if isinstance(value[attribute], bytes):
3302
value[attribute] = (value[attribute]
3303
.decode("utf-8"))
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3141
.decode("utf-8"))
3304
3142
os.remove(stored_state_path)
3305
3143
except IOError as e:
3306
3144
if e.errno == errno.ENOENT:
3429
3267
pass
3430
3268
3431
3269
@dbus.service.signal(_interface, signature="ss")
3432
def ClientNotFound(self, key_id, address):
3270
def ClientNotFound(self, fingerprint, address):
3433
3271
"D-Bus signal"
3434
3272
pass
3435
3273
3631
3469
sys.exit(1)
3632
3470
# End of Avahi example code
3633
3471
3634
GLib.io_add_watch(
3635
GLib.IOChannel.unix_new(tcp_server.fileno()),
3636
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3637
lambda *args, **kwargs: (tcp_server.handle_request
3638
(*args[2:], **kwargs) or True))
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3639
3476
3640
3477
logger.debug("Starting main loop")
3641
3478
main_loop.run()
3651
3488
# Must run before the D-Bus bus name gets deregistered
3652
3489
cleanup()
3653
3490
3654
3655
def should_only_run_tests():
3656
parser = argparse.ArgumentParser(add_help=False)
3657
parser.add_argument("--check", action='store_true')
3658
args, unknown_args = parser.parse_known_args()
3659
run_tests = args.check
3660
if run_tests:
3661
# Remove --check argument from sys.argv
3662
sys.argv[1:] = unknown_args
3663
return run_tests
3664
3665
# Add all tests from doctest strings
3666
def load_tests(loader, tests, none):
3667
import doctest
3668
tests.addTests(doctest.DocTestSuite())
3669
return tests
3670
3491
3671
3492
if __name__ == '__main__':
3672
try:
3673
if should_only_run_tests():
3674
# Call using ./mandos --check [--verbose]
3675
unittest.main()
3676
else:
3677
main()
3678
finally:
3679
logging.shutdown()
3493
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0