To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.502
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.502
- Committer: Teddy Hogeborn
- Date: 2018-08-19 14:06:55 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 368.
- Revision ID: teddy@recompile.se-20180819140655-ghsl0d4jsx8xwg44
Move UMASK setting to more proper place
* Makefile (install-client-nokey): Also install new conf files
"initramfs-tools-conf".
* debian/mandos-client.dirs: Add "usr/share/initramfs-tools/conf.d".
* initramfs-tools-conf: New file which sets UMASK.
* initramfs-tools-hook: Change comment to correctly state new location
of UMASK setting.
* initramfs-tools-hook-conf: Remove UMASK setting.
* Makefile (install-client-nokey): Also install new conf files
"initramfs-tools-conf".
* debian/mandos-client.dirs: Add "usr/share/initramfs-tools/conf.d".
* initramfs-tools-conf: New file which sets UMASK.
* initramfs-tools-hook: Change comment to correctly state new location
of UMASK setting.
* initramfs-tools-hook-conf: Remove UMASK setting.
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
- initramfs-tools-script-stop *
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import unittest
81
80
82
81
import dbus
83
82
import dbus.service
84
import gi
85
83
from gi.repository import GLib
86
84
from dbus.mainloop.glib import DBusGMainLoop
87
85
import ctypes
89
87
import xml.dom.minidom
90
88
import inspect
91
89
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
95
# Show warnings by default
96
if not sys.warnoptions:
97
import warnings
98
warnings.simplefilter("default")
99
100
90
# Try to find the value of SO_BINDTODEVICE:
101
91
try:
102
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
125
115
if sys.version_info.major == 2:
126
116
str = unicode
127
117
128
if sys.version_info < (3, 2):
129
configparser.Configparser = configparser.SafeConfigParser
130
131
version = "1.8.9"
118
version = "1.7.19"
132
119
stored_state_file = "clients.pickle"
133
120
134
121
logger = logging.getLogger()
135
logging.captureWarnings(True) # Show warnings via the logging system
136
122
syslogger = None
137
123
138
124
try:
193
179
pass
194
180
195
181
196
class PGPEngine:
182
class PGPEngine(object):
197
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
198
184
199
185
def __init__(self):
203
189
output = subprocess.check_output(["gpgconf"])
204
190
for line in output.splitlines():
205
191
name, text, path = line.split(b":")
206
if name == b"gpg":
192
if name == "gpg":
207
193
self.gpg = path
208
194
break
209
195
except OSError as e:
214
200
'--force-mdc',
215
201
'--quiet']
216
202
# Only GPG version 1 has the --no-use-agent option.
217
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
218
204
self.gnupgargs.append("--no-use-agent")
219
205
220
206
def __enter__(self):
289
275
290
276
291
277
# Pretend that we have an Avahi module
292
class avahi:
293
"""This isn't so much a class as it is a module-like namespace."""
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
294
281
IF_UNSPEC = -1 # avahi-common/address.h
295
282
PROTO_UNSPEC = -1 # avahi-common/address.h
296
283
PROTO_INET = 0 # avahi-common/address.h
300
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
301
288
DBUS_PATH_SERVER = "/"
302
289
303
@staticmethod
304
def string_array_to_txt_array(t):
290
def string_array_to_txt_array(self, t):
305
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
306
292
for s in t), signature="ay")
307
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
312
298
SERVER_RUNNING = 2 # avahi-common/defs.h
313
299
SERVER_COLLISION = 3 # avahi-common/defs.h
314
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
315
302
316
303
317
304
class AvahiError(Exception):
329
316
pass
330
317
331
318
332
class AvahiService:
319
class AvahiService(object):
333
320
"""An Avahi (Zeroconf) service.
334
321
335
322
Attributes:
517
504
518
505
519
506
# Pretend that we have a GnuTLS module
520
class gnutls:
521
"""This isn't so much a class as it is a module-like namespace."""
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
522
510
523
511
library = ctypes.util.find_library("gnutls")
524
512
if library is None:
525
513
library = ctypes.util.find_library("gnutls-deb0")
526
514
_library = ctypes.cdll.LoadLibrary(library)
527
515
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
528
524
529
525
# Unless otherwise indicated, the constants and types below are
530
526
# all from the gnutls/gnutls.h C header file.
534
530
E_INTERRUPTED = -52
535
531
E_AGAIN = -28
536
532
CRT_OPENPGP = 2
537
CRT_RAWPK = 3
538
533
CLIENT = 2
539
534
SHUT_RDWR = 0
540
535
CRD_CERTIFICATE = 1
541
536
E_NO_CERTIFICATE_FOUND = -49
542
X509_FMT_DER = 0
543
NO_TICKETS = 1<<10
544
ENABLE_RAWPK = 1<<18
545
CTYPE_PEERS = 3
546
KEYID_USE_SHA256 = 1 # gnutls/x509.h
547
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
548
538
549
539
# Types
572
562
573
563
# Exceptions
574
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
575
569
def __init__(self, message=None, code=None, args=()):
576
570
# Default usage is by a message string, but if a return
577
571
# code is passed, convert it to a string with
578
572
# gnutls.strerror()
579
573
self.code = code
580
574
if message is None and code is not None:
581
message = gnutls.strerror(code)
582
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
583
577
message, *args)
584
578
585
579
class CertificateSecurityError(Error):
586
580
pass
587
581
588
582
# Classes
589
class Credentials:
583
class Credentials(object):
590
584
def __init__(self):
591
585
self._c_object = gnutls.certificate_credentials_t()
592
586
gnutls.certificate_allocate_credentials(
596
590
def __del__(self):
597
591
gnutls.certificate_free_credentials(self._c_object)
598
592
599
class ClientSession:
593
class ClientSession(object):
600
594
def __init__(self, socket, credentials=None):
601
595
self._c_object = gnutls.session_t()
602
gnutls_flags = gnutls.CLIENT
603
if gnutls.check_version(b"3.5.6"):
604
gnutls_flags |= gnutls.NO_TICKETS
605
if gnutls.has_rawpk:
606
gnutls_flags |= gnutls.ENABLE_RAWPK
607
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
608
del gnutls_flags
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
609
597
gnutls.set_default_priority(self._c_object)
610
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
611
599
gnutls.handshake_set_private_extensions(self._c_object,
743
731
check_version.argtypes = [ctypes.c_char_p]
744
732
check_version.restype = ctypes.c_char_p
745
733
746
_need_version = b"3.3.0"
747
if check_version(_need_version) is None:
748
raise self.Error("Needs GnuTLS {} or later"
749
.format(_need_version))
750
751
_tls_rawpk_version = b"3.6.6"
752
has_rawpk = bool(check_version(_tls_rawpk_version))
753
754
if has_rawpk:
755
# Types
756
class pubkey_st(ctypes.Structure):
757
_fields = []
758
pubkey_t = ctypes.POINTER(pubkey_st)
759
760
x509_crt_fmt_t = ctypes.c_int
761
762
# All the function declarations below are from gnutls/abstract.h
763
pubkey_init = _library.gnutls_pubkey_init
764
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
765
pubkey_init.restype = _error_code
766
767
pubkey_import = _library.gnutls_pubkey_import
768
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
769
x509_crt_fmt_t]
770
pubkey_import.restype = _error_code
771
772
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
773
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
774
ctypes.POINTER(ctypes.c_ubyte),
775
ctypes.POINTER(ctypes.c_size_t)]
776
pubkey_get_key_id.restype = _error_code
777
778
pubkey_deinit = _library.gnutls_pubkey_deinit
779
pubkey_deinit.argtypes = [pubkey_t]
780
pubkey_deinit.restype = None
781
else:
782
# All the function declarations below are from gnutls/openpgp.h
783
784
openpgp_crt_init = _library.gnutls_openpgp_crt_init
785
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
786
openpgp_crt_init.restype = _error_code
787
788
openpgp_crt_import = _library.gnutls_openpgp_crt_import
789
openpgp_crt_import.argtypes = [openpgp_crt_t,
790
ctypes.POINTER(datum_t),
791
openpgp_crt_fmt_t]
792
openpgp_crt_import.restype = _error_code
793
794
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
795
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
796
ctypes.POINTER(ctypes.c_uint)]
797
openpgp_crt_verify_self.restype = _error_code
798
799
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
800
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
801
openpgp_crt_deinit.restype = None
802
803
openpgp_crt_get_fingerprint = (
804
_library.gnutls_openpgp_crt_get_fingerprint)
805
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
806
ctypes.c_void_p,
807
ctypes.POINTER(
808
ctypes.c_size_t)]
809
openpgp_crt_get_fingerprint.restype = _error_code
810
811
if check_version(b"3.6.4"):
812
certificate_type_get2 = _library.gnutls_certificate_type_get2
813
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
814
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
815
762
816
763
# Remove non-public functions
817
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
818
767
819
768
820
769
def call_pipe(connection, # : multiprocessing.Connection
828
777
connection.close()
829
778
830
779
831
class Client:
780
class Client(object):
832
781
"""A representation of a client host served by this server.
833
782
834
783
Attributes:
835
784
approved: bool(); 'None' if not yet approved/disapproved
836
785
approval_delay: datetime.timedelta(); Time to wait for approval
837
786
approval_duration: datetime.timedelta(); Duration of one approval
838
checker: multiprocessing.Process(); a running checker process used
839
to see if the client lives. 'None' if no process is
840
running.
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
841
790
checker_callback_tag: a GLib event source tag, or None
842
791
checker_command: string; External command which is run to check
843
792
if client lives. %() expansions are done at
851
800
disable_initiator_tag: a GLib event source tag, or None
852
801
enabled: bool()
853
802
fingerprint: string (40 or 32 hexadecimal digits); used to
854
uniquely identify an OpenPGP client
855
key_id: string (64 hexadecimal digits); used to uniquely identify
856
a client using raw public keys
803
uniquely identify the client
857
804
host: string; available for use by the checker command
858
805
interval: datetime.timedelta(); How often to start a new checker
859
806
last_approval_request: datetime.datetime(); (UTC) or None
877
824
"""
878
825
879
826
runtime_expansions = ("approval_delay", "approval_duration",
880
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
881
828
"fingerprint", "host", "interval",
882
829
"last_approval_request", "last_checked_ok",
883
830
"last_enabled", "name", "timeout")
913
860
client["enabled"] = config.getboolean(client_name,
914
861
"enabled")
915
862
916
# Uppercase and remove spaces from key_id and fingerprint
917
# for later comparison purposes with return value from the
918
# key_id() and fingerprint() functions
919
client["key_id"] = (section.get("key_id", "").upper()
920
.replace(" ", ""))
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
921
866
client["fingerprint"] = (section["fingerprint"].upper()
922
867
.replace(" ", ""))
923
868
if "secret" in section:
967
912
self.expires = None
968
913
969
914
logger.debug("Creating client %r", self.name)
970
logger.debug(" Key ID: %s", self.key_id)
971
915
logger.debug(" Fingerprint: %s", self.fingerprint)
972
916
self.created = settings.get("created",
973
917
datetime.datetime.utcnow())
1050
994
def checker_callback(self, source, condition, connection,
1051
995
command):
1052
996
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
1053
999
# Read return code from connection (see call_pipe)
1054
1000
returncode = connection.recv()
1055
1001
connection.close()
1056
if self.checker is not None:
1057
self.checker.join()
1058
self.checker_callback_tag = None
1059
self.checker = None
1060
1002
1061
1003
if returncode >= 0:
1062
1004
self.last_checker_status = returncode
1151
1093
kwargs=popen_args)
1152
1094
self.checker.start()
1153
1095
self.checker_callback_tag = GLib.io_add_watch(
1154
GLib.IOChannel.unix_new(pipe[0].fileno()),
1155
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1096
pipe[0].fileno(), GLib.IO_IN,
1156
1097
self.checker_callback, pipe[0], command)
1157
1098
# Re-run this periodically if run by GLib.timeout_add
1158
1099
return True
2058
1999
def Name_dbus_property(self):
2059
2000
return dbus.String(self.name)
2060
2001
2061
# KeyID - property
2062
@dbus_annotations(
2063
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2064
@dbus_service_property(_interface, signature="s", access="read")
2065
def KeyID_dbus_property(self):
2066
return dbus.String(self.key_id)
2067
2068
2002
# Fingerprint - property
2069
2003
@dbus_annotations(
2070
2004
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2225
2159
del _interface
2226
2160
2227
2161
2228
class ProxyClient:
2229
def __init__(self, child_pipe, key_id, fpr, address):
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2230
2164
self._pipe = child_pipe
2231
self._pipe.send(('init', key_id, fpr, address))
2165
self._pipe.send(('init', fpr, address))
2232
2166
if not self._pipe.recv():
2233
raise KeyError(key_id or fpr)
2167
raise KeyError(fpr)
2234
2168
2235
2169
def __getattribute__(self, name):
2236
2170
if name == '_pipe':
2303
2237
2304
2238
approval_required = False
2305
2239
try:
2306
if gnutls.has_rawpk:
2307
fpr = b""
2308
try:
2309
key_id = self.key_id(
2310
self.peer_certificate(session))
2311
except (TypeError, gnutls.Error) as error:
2312
logger.warning("Bad certificate: %s", error)
2313
return
2314
logger.debug("Key ID: %s", key_id)
2315
2316
else:
2317
key_id = b""
2318
try:
2319
fpr = self.fingerprint(
2320
self.peer_certificate(session))
2321
except (TypeError, gnutls.Error) as error:
2322
logger.warning("Bad certificate: %s", error)
2323
return
2324
logger.debug("Fingerprint: %s", fpr)
2325
2326
try:
2327
client = ProxyClient(child_pipe, key_id, fpr,
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2328
2250
self.client_address)
2329
2251
except KeyError:
2330
2252
return
2407
2329
2408
2330
@staticmethod
2409
2331
def peer_certificate(session):
2410
"Return the peer's certificate as a bytestring"
2411
try:
2412
cert_type = gnutls.certificate_type_get2(session._c_object,
2413
gnutls.CTYPE_PEERS)
2414
except AttributeError:
2415
cert_type = gnutls.certificate_type_get(session._c_object)
2416
if gnutls.has_rawpk:
2417
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2418
else:
2419
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2420
# If not a valid certificate type...
2421
if cert_type not in valid_cert_types:
2422
logger.info("Cert type %r not in %r", cert_type,
2423
valid_cert_types)
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2424
2336
# ...return invalid data
2425
2337
return b""
2426
2338
list_size = ctypes.c_uint(1)
2434
2346
return ctypes.string_at(cert.data, cert.size)
2435
2347
2436
2348
@staticmethod
2437
def key_id(certificate):
2438
"Convert a certificate bytestring to a hexdigit key ID"
2439
# New GnuTLS "datum" with the public key
2440
datum = gnutls.datum_t(
2441
ctypes.cast(ctypes.c_char_p(certificate),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.c_uint(len(certificate)))
2444
# XXX all these need to be created in the gnutls "module"
2445
# New empty GnuTLS certificate
2446
pubkey = gnutls.pubkey_t()
2447
gnutls.pubkey_init(ctypes.byref(pubkey))
2448
# Import the raw public key into the certificate
2449
gnutls.pubkey_import(pubkey,
2450
ctypes.byref(datum),
2451
gnutls.X509_FMT_DER)
2452
# New buffer for the key ID
2453
buf = ctypes.create_string_buffer(32)
2454
buf_len = ctypes.c_size_t(len(buf))
2455
# Get the key ID from the raw public key into the buffer
2456
gnutls.pubkey_get_key_id(pubkey,
2457
gnutls.KEYID_USE_SHA256,
2458
ctypes.cast(ctypes.byref(buf),
2459
ctypes.POINTER(ctypes.c_ubyte)),
2460
ctypes.byref(buf_len))
2461
# Deinit the certificate
2462
gnutls.pubkey_deinit(pubkey)
2463
2464
# Convert the buffer to a Python bytestring
2465
key_id = ctypes.string_at(buf, buf_len.value)
2466
# Convert the bytestring to hexadecimal notation
2467
hex_key_id = binascii.hexlify(key_id).upper()
2468
return hex_key_id
2469
2470
@staticmethod
2471
2349
def fingerprint(openpgp):
2472
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2473
2351
# New GnuTLS "datum" with the OpenPGP public key
2504
2382
return hex_fpr
2505
2383
2506
2384
2507
class MultiprocessingMixIn:
2385
class MultiprocessingMixIn(object):
2508
2386
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2509
2387
2510
2388
def sub_process_main(self, request, address):
2522
2400
return proc
2523
2401
2524
2402
2525
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2403
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2526
2404
""" adds a pipe to the MixIn """
2527
2405
2528
2406
def process_request(self, request, client_address):
2543
2421
2544
2422
2545
2423
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2546
socketserver.TCPServer):
2424
socketserver.TCPServer, object):
2547
2425
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2548
2426
2549
2427
Attributes:
2622
2500
raise
2623
2501
# Only bind(2) the socket if we really need to.
2624
2502
if self.server_address[0] or self.server_address[1]:
2625
if self.server_address[1]:
2626
self.allow_reuse_address = True
2627
2503
if not self.server_address[0]:
2628
2504
if self.address_family == socket.AF_INET6:
2629
2505
any_address = "::" # in6addr_any
2682
2558
def add_pipe(self, parent_pipe, proc):
2683
2559
# Call "handle_ipc" for both data and EOF events
2684
2560
GLib.io_add_watch(
2685
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2686
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2561
parent_pipe.fileno(),
2562
GLib.IO_IN | GLib.IO_HUP,
2687
2563
functools.partial(self.handle_ipc,
2688
2564
parent_pipe=parent_pipe,
2689
2565
proc=proc))
2703
2579
command = request[0]
2704
2580
2705
2581
if command == 'init':
2706
key_id = request[1].decode("ascii")
2707
fpr = request[2].decode("ascii")
2708
address = request[3]
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2709
2584
2710
2585
for c in self.clients.values():
2711
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2712
continue
2713
if key_id and c.key_id == key_id:
2714
client = c
2715
break
2716
if fpr and c.fingerprint == fpr:
2586
if c.fingerprint == fpr:
2717
2587
client = c
2718
2588
break
2719
2589
else:
2720
logger.info("Client not found for key ID: %s, address"
2721
": %s", key_id or fpr, address)
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2722
2592
if self.use_dbus:
2723
2593
# Emit D-Bus signal
2724
mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
mandos_dbus_service.ClientNotFound(fpr,
2725
2595
address[0])
2726
2596
parent_pipe.send(False)
2727
2597
return False
2728
2598
2729
2599
GLib.io_add_watch(
2730
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2731
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2600
parent_pipe.fileno(),
2601
GLib.IO_IN | GLib.IO_HUP,
2732
2602
functools.partial(self.handle_ipc,
2733
2603
parent_pipe=parent_pipe,
2734
2604
proc=proc,
2766
2636
def rfc3339_duration_to_delta(duration):
2767
2637
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2768
2638
2769
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2770
True
2771
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2772
True
2773
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2774
True
2775
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2776
True
2777
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2780
True
2781
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2782
True
2639
>>> rfc3339_duration_to_delta("P7D")
2640
datetime.timedelta(7)
2641
>>> rfc3339_duration_to_delta("PT60S")
2642
datetime.timedelta(0, 60)
2643
>>> rfc3339_duration_to_delta("PT60M")
2644
datetime.timedelta(0, 3600)
2645
>>> rfc3339_duration_to_delta("PT24H")
2646
datetime.timedelta(1)
2647
>>> rfc3339_duration_to_delta("P1W")
2648
datetime.timedelta(7)
2649
>>> rfc3339_duration_to_delta("PT5M30S")
2650
datetime.timedelta(0, 330)
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2652
datetime.timedelta(1, 200)
2783
2653
"""
2784
2654
2785
2655
# Parsing an RFC 3339 duration with regular expressions is not
2865
2735
def string_to_delta(interval):
2866
2736
"""Parse a string and return a datetime.timedelta
2867
2737
2868
>>> string_to_delta('7d') == datetime.timedelta(7)
2869
True
2870
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2871
True
2872
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2873
True
2874
>>> string_to_delta('24h') == datetime.timedelta(1)
2875
True
2876
>>> string_to_delta('1w') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2879
True
2738
>>> string_to_delta('7d')
2739
datetime.timedelta(7)
2740
>>> string_to_delta('60s')
2741
datetime.timedelta(0, 60)
2742
>>> string_to_delta('60m')
2743
datetime.timedelta(0, 3600)
2744
>>> string_to_delta('24h')
2745
datetime.timedelta(1)
2746
>>> string_to_delta('1w')
2747
datetime.timedelta(7)
2748
>>> string_to_delta('5m 30s')
2749
datetime.timedelta(0, 330)
2880
2750
"""
2881
2751
2882
2752
try:
2984
2854
2985
2855
options = parser.parse_args()
2986
2856
2857
if options.check:
2858
import doctest
2859
fail_count, test_count = doctest.testmod()
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2861
2987
2862
# Default values for config file for server-global settings
2988
if gnutls.has_rawpk:
2989
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2990
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2991
else:
2992
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2993
":+SIGN-DSA-SHA256")
2994
2863
server_defaults = {"interface": "",
2995
2864
"address": "",
2996
2865
"port": "",
2997
2866
"debug": "False",
2998
"priority": priority,
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2999
2870
"servicename": "Mandos",
3000
2871
"use_dbus": "True",
3001
2872
"use_ipv6": "True",
3006
2877
"foreground": "False",
3007
2878
"zeroconf": "True",
3008
2879
}
3009
del priority
3010
2880
3011
2881
# Parse config file for server-global settings
3012
server_config = configparser.ConfigParser(server_defaults)
2882
server_config = configparser.SafeConfigParser(server_defaults)
3013
2883
del server_defaults
3014
2884
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3015
# Convert the ConfigParser object to a dict
2885
# Convert the SafeConfigParser object to a dict
3016
2886
server_settings = server_config.defaults()
3017
2887
# Use the appropriate methods on the non-string config options
3018
2888
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3090
2960
server_settings["servicename"])))
3091
2961
3092
2962
# Parse config file with clients
3093
client_config = configparser.ConfigParser(Client.client_defaults)
2963
client_config = configparser.SafeConfigParser(Client
2964
.client_defaults)
3094
2965
client_config.read(os.path.join(server_settings["configdir"],
3095
2966
"clients.conf"))
3096
2967
3167
3038
# Close all input and output, do double fork, etc.
3168
3039
daemon()
3169
3040
3170
if gi.version_info < (3, 10, 2):
3171
# multiprocessing will use threads, so before we use GLib we
3172
# need to inform GLib that threads will be used.
3173
GLib.threads_init()
3041
# multiprocessing will use threads, so before we use GLib we need
3042
# to inform GLib that threads will be used.
3043
GLib.threads_init()
3174
3044
3175
3045
global main_loop
3176
3046
# From the Avahi example code
3252
3122
if isinstance(s, bytes)
3253
3123
else s) for s in
3254
3124
value["client_structure"]]
3255
# .name, .host, and .checker_command
3256
for k in ("name", "host", "checker_command"):
3125
# .name & .host
3126
for k in ("name", "host"):
3257
3127
if isinstance(value[k], bytes):
3258
3128
value[k] = value[k].decode("utf-8")
3259
if "key_id" not in value:
3260
value["key_id"] = ""
3261
elif "fingerprint" not in value:
3262
value["fingerprint"] = ""
3263
3129
# old_client_settings
3264
3130
# .keys()
3265
3131
old_client_settings = {
3269
3135
for key, value in
3270
3136
bytes_old_client_settings.items()}
3271
3137
del bytes_old_client_settings
3272
# .host and .checker_command
3138
# .host
3273
3139
for value in old_client_settings.values():
3274
for attribute in ("host", "checker_command"):
3275
if isinstance(value[attribute], bytes):
3276
value[attribute] = (value[attribute]
3277
.decode("utf-8"))
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
3142
.decode("utf-8"))
3278
3143
os.remove(stored_state_path)
3279
3144
except IOError as e:
3280
3145
if e.errno == errno.ENOENT:
3403
3268
pass
3404
3269
3405
3270
@dbus.service.signal(_interface, signature="ss")
3406
def ClientNotFound(self, key_id, address):
3271
def ClientNotFound(self, fingerprint, address):
3407
3272
"D-Bus signal"
3408
3273
pass
3409
3274
3605
3470
sys.exit(1)
3606
3471
# End of Avahi example code
3607
3472
3608
GLib.io_add_watch(
3609
GLib.IOChannel.unix_new(tcp_server.fileno()),
3610
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3611
lambda *args, **kwargs: (tcp_server.handle_request
3612
(*args[2:], **kwargs) or True))
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3613
3477
3614
3478
logger.debug("Starting main loop")
3615
3479
main_loop.run()
3625
3489
# Must run before the D-Bus bus name gets deregistered
3626
3490
cleanup()
3627
3491
3628
3629
def should_only_run_tests():
3630
parser = argparse.ArgumentParser(add_help=False)
3631
parser.add_argument("--check", action='store_true')
3632
args, unknown_args = parser.parse_known_args()
3633
run_tests = args.check
3634
if run_tests:
3635
# Remove --check argument from sys.argv
3636
sys.argv[1:] = unknown_args
3637
return run_tests
3638
3639
# Add all tests from doctest strings
3640
def load_tests(loader, tests, none):
3641
import doctest
3642
tests.addTests(doctest.DocTestSuite())
3643
return tests
3644
3492
3645
3493
if __name__ == '__main__':
3646
try:
3647
if should_only_run_tests():
3648
# Call using ./mandos --check [--verbose]
3649
unittest.main()
3650
else:
3651
main()
3652
finally:
3653
logging.shutdown()
3494
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0