2
2
# -*- mode: python; coding: utf-8 -*-
4
4
# Mandos server - give out binary blobs to connecting clients.
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
17
# This file is part of Mandos.
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
32
# Contact the authors at <mandos@recompile.se>.
34
35
from __future__ import (division, absolute_import, print_function,
37
from future_builtins import *
39
from future_builtins import *
40
44
import SocketServer as socketserver
196
236
.replace(b"\n", b"\\n")
197
237
.replace(b"\0", b"\\x00"))
200
240
def encrypt(self, data, password):
201
241
passphrase = self.password_encode(password)
202
242
with tempfile.NamedTemporaryFile(
203
243
dir=self.tempdir) as passfile:
204
244
passfile.write(passphrase)
206
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
207
247
'--passphrase-file',
209
249
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
214
254
if proc.returncode != 0:
215
255
raise PGPError(err)
216
256
return ciphertext
218
258
def decrypt(self, data, password):
219
259
passphrase = self.password_encode(password)
220
260
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
222
262
passfile.write(passphrase)
224
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
225
265
'--passphrase-file',
227
267
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
232
272
if proc.returncode != 0:
233
273
raise PGPError(err)
234
274
return decrypted_plaintext
277
# Pretend that we have an Avahi module
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
237
304
class AvahiError(Exception):
238
305
def __init__(self, value, *args, **kwargs):
239
306
self.value = value
429
496
class AvahiServiceToSyslog(AvahiService):
430
497
def rename(self, *args, **kwargs):
431
498
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
500
syslogger.setFormatter(logging.Formatter(
434
501
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
502
.format(self.name)))
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
511
library = ctypes.util.find_library("gnutls")
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
516
_need_version = b"3.3.0"
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
525
# Unless otherwise indicated, the constants and types below are
526
# all from the gnutls/gnutls.h C header file.
536
E_NO_CERTIFICATE_FOUND = -49
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
540
class session_int(ctypes.Structure):
542
session_t = ctypes.POINTER(session_int)
544
class certificate_credentials_st(ctypes.Structure):
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
554
class openpgp_crt_int(ctypes.Structure):
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
570
# Default usage is by a message string, but if a return
571
# code is passed, convert it to a string with
574
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
579
class CertificateSecurityError(Error):
583
class Credentials(object):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
588
self.type = gnutls.CRD_CERTIFICATE
591
gnutls.certificate_free_credentials(self._c_object)
593
class ClientSession(object):
594
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
602
if credentials is None:
603
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
607
self.credentials = credentials
610
gnutls.deinit(self._c_object)
613
return gnutls.handshake(self._c_object)
615
def send(self, data):
619
data_len -= gnutls.record_send(self._c_object,
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
626
# Error handling functions
627
def _error_code(result):
628
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
632
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
raise gnutls.CertificateSecurityError(code=result)
634
raise gnutls.Error(code=result)
636
def _retry_on_error(result, func, arguments):
637
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
640
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
return _error_code(result)
642
result = func(*arguments)
645
# Unless otherwise indicated, the function declarations below are
646
# all from the gnutls/gnutls.h C header file.
649
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
ctypes.POINTER(ctypes.c_char_p)]
652
priority_set_direct.restype = _error_code
654
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
init.restype = _error_code
658
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
660
set_default_priority.restype = _error_code
662
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
665
record_send.restype = ctypes.c_ssize_t
666
record_send.errcheck = _retry_on_error
668
certificate_allocate_credentials = (
669
_library.gnutls_certificate_allocate_credentials)
670
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
672
certificate_allocate_credentials.restype = _error_code
674
certificate_free_credentials = (
675
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
678
certificate_free_credentials.restype = None
680
handshake_set_private_extensions = (
681
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
684
handshake_set_private_extensions.restype = None
686
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
689
credentials_set.restype = _error_code
691
strerror = _library.gnutls_strerror
692
strerror.argtypes = [ctypes.c_int]
693
strerror.restype = ctypes.c_char_p
695
certificate_type_get = _library.gnutls_certificate_type_get
696
certificate_type_get.argtypes = [session_t]
697
certificate_type_get.restype = _error_code
699
certificate_get_peers = _library.gnutls_certificate_get_peers
700
certificate_get_peers.argtypes = [session_t,
701
ctypes.POINTER(ctypes.c_uint)]
702
certificate_get_peers.restype = ctypes.POINTER(datum_t)
704
global_set_log_level = _library.gnutls_global_set_log_level
705
global_set_log_level.argtypes = [ctypes.c_int]
706
global_set_log_level.restype = None
708
global_set_log_function = _library.gnutls_global_set_log_function
709
global_set_log_function.argtypes = [log_func]
710
global_set_log_function.restype = None
712
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
714
deinit.restype = None
716
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
719
handshake.errcheck = _retry_on_error
721
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
transport_set_ptr.restype = None
725
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
728
bye.errcheck = _retry_on_error
730
check_version = _library.gnutls_check_version
731
check_version.argtypes = [ctypes.c_char_p]
732
check_version.restype = ctypes.c_char_p
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
763
# Remove non-public functions
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
438
769
def call_pipe(connection, # : multiprocessing.Connection
439
770
func, *args, **kwargs):
440
771
"""This function is meant to be called by multiprocessing.Process
442
773
This function runs func(*args, **kwargs), and writes the resulting
443
774
return value on the provided multiprocessing.Connection.
445
776
connection.send(func(*args, **kwargs))
446
777
connection.close()
448
780
class Client(object):
449
781
"""A representation of a client host served by this server.
452
784
approved: bool(); 'None' if not yet approved/disapproved
453
785
approval_delay: datetime.timedelta(); Time to wait for approval
1870
2190
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2191
"""A class to handle client connections.
1873
2193
Instantiated once for each connection to handle it.
1874
2194
Note: This will run in its own forked process."""
1876
2196
def handle(self):
1877
2197
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2198
logger.info("TCP connection from: %s",
1879
2199
str(self.client_address))
1880
2200
logger.debug("Pipe FD: %d",
1881
2201
self.server.child_pipe.fileno())
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
2203
session = gnutls.ClientSession(self.request)
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2206
# "+AES-256-CBC", "+SHA1",
2207
# "+COMP-NULL", "+CTYPE-OPENPGP",
1895
2209
# Use a fallback default, since this MUST be set.
1896
2210
priority = self.server.gnutls_priority
1897
2211
if priority is None:
1898
2212
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
1902
2217
# Start communication using the Mandos protocol
1903
2218
# Get protocol number
1904
2219
line = self.request.makefile().readline()
1991
2305
delay -= time2 - time
1994
while sent_size < len(client.secret):
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2308
session.send(client.secret)
2309
except gnutls.Error as error:
2310
logger.warning("gnutls send failed",
2006
2314
logger.info("Sending secret to %s", client.name)
2007
2315
# bump the timeout using extended_timeout
2008
2316
client.bump_timeout(client.extended_timeout)
2009
2317
if self.server.use_dbus:
2010
2318
# Emit D-Bus signal
2011
2319
client.GotSecret()
2014
2322
if approval_required:
2015
2323
client.approvals_pending -= 1
2018
except gnutls.errors.GNUTLSError as error:
2326
except gnutls.Error as error:
2019
2327
logger.warning("GnuTLS bye failed",
2020
2328
exc_info=error)
2023
2331
def peer_certificate(session):
2024
2332
"Return the peer's OpenPGP certificate as a bytestring"
2025
2333
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2336
# ...return invalid data
2031
2338
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2339
cert_list = (gnutls.certificate_get_peers
2034
2340
(session._c_object, ctypes.byref(list_size)))
2035
2341
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2342
raise gnutls.Error("error getting peer certificate")
2038
2343
if list_size.value == 0:
2040
2345
cert = cert_list[0]
2041
2346
return ctypes.string_at(cert.data, cert.size)
2044
2349
def fingerprint(openpgp):
2045
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2351
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2352
datum = gnutls.datum_t(
2048
2353
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2354
ctypes.POINTER(ctypes.c_ubyte)),
2050
2355
ctypes.c_uint(len(openpgp)))
2051
2356
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2357
crt = gnutls.openpgp_crt_t()
2358
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2359
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2360
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2361
gnutls.OPENPGP_FMT_RAW)
2059
2362
# Verify the self signature in the key
2060
2363
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2364
gnutls.openpgp_crt_verify_self(crt, 0,
2365
ctypes.byref(crtverify))
2063
2366
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2367
gnutls.openpgp_crt_deinit(crt)
2368
raise gnutls.CertificateSecurityError(code
2067
2370
# New buffer for the fingerprint
2068
2371
buf = ctypes.create_string_buffer(20)
2069
2372
buf_len = ctypes.c_size_t()
2070
2373
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2374
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2375
ctypes.byref(buf_len))
2073
2376
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2377
gnutls.openpgp_crt_deinit(crt)
2075
2378
# Convert the buffer to a Python bytestring
2076
2379
fpr = ctypes.string_at(buf, buf_len.value)
2077
2380
# Convert the bytestring to hexadecimal notation
2165
2469
# socket_wrapper(), if socketfd was set.
2166
2470
socketserver.TCPServer.__init__(self, server_address,
2167
2471
RequestHandlerClass)
2169
2473
def server_bind(self):
2170
2474
"""This overrides the normal server_bind() function
2171
2475
to bind to an interface if one was specified, and also NOT to
2172
2476
bind to an address or port if they were not specified."""
2477
global SO_BINDTODEVICE
2173
2478
if self.interface is not None:
2174
2479
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2480
# Fall back to a hard-coded value which seems to be
2482
logger.warning("SO_BINDTODEVICE not found, trying 25")
2483
SO_BINDTODEVICE = 25
2485
self.socket.setsockopt(
2486
socket.SOL_SOCKET, SO_BINDTODEVICE,
2487
(self.interface + "\0").encode("utf-8"))
2488
except socket.error as error:
2489
if error.errno == errno.EPERM:
2490
logger.error("No permission to bind to"
2491
" interface %s", self.interface)
2492
elif error.errno == errno.ENOPROTOOPT:
2493
logger.error("SO_BINDTODEVICE not available;"
2494
" cannot bind to interface %s",
2496
elif error.errno == errno.ENODEV:
2497
logger.error("Interface %s does not exist,"
2498
" cannot bind", self.interface)
2196
2501
# Only bind(2) the socket if we really need to.
2197
2502
if self.server_address[0] or self.server_address[1]:
2198
2503
if not self.server_address[0]:
2199
2504
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2505
any_address = "::" # in6addr_any
2202
any_address = "0.0.0.0" # INADDR_ANY
2507
any_address = "0.0.0.0" # INADDR_ANY
2203
2508
self.server_address = (any_address,
2204
2509
self.server_address[1])
2205
2510
elif not self.server_address[1]:
2750
3065
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3066
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
3067
name=server_settings["servicename"],
3068
servicetype="_mandos._tcp",
2756
3071
if server_settings["interface"]:
2757
3072
service.interface = if_nametoindex(
2758
3073
server_settings["interface"].encode("utf-8"))
2760
3075
global multiprocessing_manager
2761
3076
multiprocessing_manager = multiprocessing.Manager()
2763
3078
client_class = Client
2765
client_class = functools.partial(ClientDBus, bus = bus)
3080
client_class = functools.partial(ClientDBus, bus=bus)
2767
3082
client_settings = Client.config_parser(client_config)
2768
3083
old_client_settings = {}
2769
3084
clients_data = {}
2771
3086
# This is used to redirect stdout and stderr for checker processes
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3088
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3089
# Only used if server is running in foreground but not in debug
2776
3091
if debug or not foreground:
2779
3094
# Get client data and settings from last running state.
2780
3095
if server_settings["restore"]:
2782
3097
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
3098
if sys.version_info.major == 2:
3099
clients_data, old_client_settings = pickle.load(
3102
bytes_clients_data, bytes_old_client_settings = (
3103
pickle.load(stored_state, encoding="bytes"))
3104
# Fix bytes to strings
3107
clients_data = {(key.decode("utf-8")
3108
if isinstance(key, bytes)
3111
bytes_clients_data.items()}
3112
del bytes_clients_data
3113
for key in clients_data:
3114
value = {(k.decode("utf-8")
3115
if isinstance(k, bytes) else k): v
3117
clients_data[key].items()}
3118
clients_data[key] = value
3120
value["client_structure"] = [
3122
if isinstance(s, bytes)
3124
value["client_structure"]]
3126
for k in ("name", "host"):
3127
if isinstance(value[k], bytes):
3128
value[k] = value[k].decode("utf-8")
3129
# old_client_settings
3131
old_client_settings = {
3132
(key.decode("utf-8")
3133
if isinstance(key, bytes)
3136
bytes_old_client_settings.items()}
3137
del bytes_old_client_settings
3139
for value in old_client_settings.values():
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
2785
3143
os.remove(stored_state_path)
2786
3144
except IOError as e:
2787
3145
if e.errno == errno.ENOENT: