/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2019-08-18 04:14:31 UTC
  • mto: This revision was merged to the branch mainline in revision 390.
  • Revision ID: teddy@recompile.se-20190818041431-jgt8pizlzjvxalj0
Debian package: Client: Install the systemd sysusers.d file

* debian/mandos-client.dirs (usr/lib/sysusers.d): New.

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2018 Teddy Hogeborn
15
 
# Copyright © 2008-2018 Björn Påhlsson
 
14
# Copyright © 2008-2019 Teddy Hogeborn
 
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
80
80
 
81
81
import dbus
82
82
import dbus.service
 
83
import gi
83
84
from gi.repository import GLib
84
85
from dbus.mainloop.glib import DBusGMainLoop
85
86
import ctypes
87
88
import xml.dom.minidom
88
89
import inspect
89
90
 
 
91
if sys.version_info.major == 2:
 
92
    __metaclass__ = type
 
93
 
90
94
# Try to find the value of SO_BINDTODEVICE:
91
95
try:
92
96
    # This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
115
119
if sys.version_info.major == 2:
116
120
    str = unicode
117
121
 
118
 
version = "1.7.16"
 
122
if sys.version_info < (3, 2):
 
123
    configparser.Configparser = configparser.SafeConfigParser
 
124
 
 
125
version = "1.8.7"
119
126
stored_state_file = "clients.pickle"
120
127
 
121
128
logger = logging.getLogger()
179
186
    pass
180
187
 
181
188
 
182
 
class PGPEngine(object):
 
189
class PGPEngine:
183
190
    """A simple class for OpenPGP symmetric encryption & decryption"""
184
191
 
185
192
    def __init__(self):
275
282
 
276
283
 
277
284
# Pretend that we have an Avahi module
278
 
class Avahi(object):
279
 
    """This isn't so much a class as it is a module-like namespace.
280
 
    It is instantiated once, and simulates having an Avahi module."""
 
285
class avahi:
 
286
    """This isn't so much a class as it is a module-like namespace."""
281
287
    IF_UNSPEC = -1               # avahi-common/address.h
282
288
    PROTO_UNSPEC = -1            # avahi-common/address.h
283
289
    PROTO_INET = 0               # avahi-common/address.h
287
293
    DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
294
    DBUS_PATH_SERVER = "/"
289
295
 
290
 
    def string_array_to_txt_array(self, t):
 
296
    @staticmethod
 
297
    def string_array_to_txt_array(t):
291
298
        return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
299
                           for s in t), signature="ay")
293
300
    ENTRY_GROUP_ESTABLISHED = 2  # avahi-common/defs.h
298
305
    SERVER_RUNNING = 2           # avahi-common/defs.h
299
306
    SERVER_COLLISION = 3         # avahi-common/defs.h
300
307
    SERVER_FAILURE = 4           # avahi-common/defs.h
301
 
avahi = Avahi()
302
308
 
303
309
 
304
310
class AvahiError(Exception):
316
322
    pass
317
323
 
318
324
 
319
 
class AvahiService(object):
 
325
class AvahiService:
320
326
    """An Avahi (Zeroconf) service.
321
327
 
322
328
    Attributes:
504
510
 
505
511
 
506
512
# Pretend that we have a GnuTLS module
507
 
class GnuTLS(object):
508
 
    """This isn't so much a class as it is a module-like namespace.
509
 
    It is instantiated once, and simulates having a GnuTLS module."""
 
513
class gnutls:
 
514
    """This isn't so much a class as it is a module-like namespace."""
510
515
 
511
516
    library = ctypes.util.find_library("gnutls")
512
517
    if library is None:
513
518
        library = ctypes.util.find_library("gnutls-deb0")
514
519
    _library = ctypes.cdll.LoadLibrary(library)
515
520
    del library
516
 
    _need_version = b"3.3.0"
517
 
 
518
 
    def __init__(self):
519
 
        # Need to use "self" here, since this method is called before
520
 
        # the assignment to the "gnutls" global variable happens.
521
 
        if self.check_version(self._need_version) is None:
522
 
            raise self.Error("Needs GnuTLS {} or later"
523
 
                             .format(self._need_version))
524
521
 
525
522
    # Unless otherwise indicated, the constants and types below are
526
523
    # all from the gnutls/gnutls.h C header file.
530
527
    E_INTERRUPTED = -52
531
528
    E_AGAIN = -28
532
529
    CRT_OPENPGP = 2
 
530
    CRT_RAWPK = 3
533
531
    CLIENT = 2
534
532
    SHUT_RDWR = 0
535
533
    CRD_CERTIFICATE = 1
536
534
    E_NO_CERTIFICATE_FOUND = -49
 
535
    X509_FMT_DER = 0
 
536
    NO_TICKETS = 1<<10
 
537
    ENABLE_RAWPK = 1<<18
 
538
    CTYPE_PEERS = 3
 
539
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
537
540
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
538
541
 
539
542
    # Types
562
565
 
563
566
    # Exceptions
564
567
    class Error(Exception):
565
 
        # We need to use the class name "GnuTLS" here, since this
566
 
        # exception might be raised from within GnuTLS.__init__,
567
 
        # which is called before the assignment to the "gnutls"
568
 
        # global variable has happened.
569
568
        def __init__(self, message=None, code=None, args=()):
570
569
            # Default usage is by a message string, but if a return
571
570
            # code is passed, convert it to a string with
572
571
            # gnutls.strerror()
573
572
            self.code = code
574
573
            if message is None and code is not None:
575
 
                message = GnuTLS.strerror(code)
576
 
            return super(GnuTLS.Error, self).__init__(
 
574
                message = gnutls.strerror(code)
 
575
            return super(gnutls.Error, self).__init__(
577
576
                message, *args)
578
577
 
579
578
    class CertificateSecurityError(Error):
580
579
        pass
581
580
 
582
581
    # Classes
583
 
    class Credentials(object):
 
582
    class Credentials:
584
583
        def __init__(self):
585
584
            self._c_object = gnutls.certificate_credentials_t()
586
585
            gnutls.certificate_allocate_credentials(
590
589
        def __del__(self):
591
590
            gnutls.certificate_free_credentials(self._c_object)
592
591
 
593
 
    class ClientSession(object):
 
592
    class ClientSession:
594
593
        def __init__(self, socket, credentials=None):
595
594
            self._c_object = gnutls.session_t()
596
 
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
 
595
            gnutls_flags = gnutls.CLIENT
 
596
            if gnutls.check_version(b"3.5.6"):
 
597
                gnutls_flags |= gnutls.NO_TICKETS
 
598
            if gnutls.has_rawpk:
 
599
                gnutls_flags |= gnutls.ENABLE_RAWPK
 
600
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
 
601
            del gnutls_flags
597
602
            gnutls.set_default_priority(self._c_object)
598
603
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
604
            gnutls.handshake_set_private_extensions(self._c_object,
731
736
    check_version.argtypes = [ctypes.c_char_p]
732
737
    check_version.restype = ctypes.c_char_p
733
738
 
734
 
    # All the function declarations below are from gnutls/openpgp.h
735
 
 
736
 
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
 
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
 
    openpgp_crt_init.restype = _error_code
739
 
 
740
 
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
 
    openpgp_crt_import.argtypes = [openpgp_crt_t,
742
 
                                   ctypes.POINTER(datum_t),
743
 
                                   openpgp_crt_fmt_t]
744
 
    openpgp_crt_import.restype = _error_code
745
 
 
746
 
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
 
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
 
                                        ctypes.POINTER(ctypes.c_uint)]
749
 
    openpgp_crt_verify_self.restype = _error_code
750
 
 
751
 
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
 
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
 
    openpgp_crt_deinit.restype = None
754
 
 
755
 
    openpgp_crt_get_fingerprint = (
756
 
        _library.gnutls_openpgp_crt_get_fingerprint)
757
 
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
 
                                            ctypes.c_void_p,
759
 
                                            ctypes.POINTER(
760
 
                                                ctypes.c_size_t)]
761
 
    openpgp_crt_get_fingerprint.restype = _error_code
 
739
    _need_version = b"3.3.0"
 
740
    if check_version(_need_version) is None:
 
741
        raise self.Error("Needs GnuTLS {} or later"
 
742
                         .format(_need_version))
 
743
 
 
744
    _tls_rawpk_version = b"3.6.6"
 
745
    has_rawpk = bool(check_version(_tls_rawpk_version))
 
746
 
 
747
    if has_rawpk:
 
748
        # Types
 
749
        class pubkey_st(ctypes.Structure):
 
750
            _fields = []
 
751
        pubkey_t = ctypes.POINTER(pubkey_st)
 
752
 
 
753
        x509_crt_fmt_t = ctypes.c_int
 
754
 
 
755
        # All the function declarations below are from gnutls/abstract.h
 
756
        pubkey_init = _library.gnutls_pubkey_init
 
757
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
 
758
        pubkey_init.restype = _error_code
 
759
 
 
760
        pubkey_import = _library.gnutls_pubkey_import
 
761
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
 
762
                                  x509_crt_fmt_t]
 
763
        pubkey_import.restype = _error_code
 
764
 
 
765
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
 
766
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
 
767
                                      ctypes.POINTER(ctypes.c_ubyte),
 
768
                                      ctypes.POINTER(ctypes.c_size_t)]
 
769
        pubkey_get_key_id.restype = _error_code
 
770
 
 
771
        pubkey_deinit = _library.gnutls_pubkey_deinit
 
772
        pubkey_deinit.argtypes = [pubkey_t]
 
773
        pubkey_deinit.restype = None
 
774
    else:
 
775
        # All the function declarations below are from gnutls/openpgp.h
 
776
 
 
777
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
778
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
779
        openpgp_crt_init.restype = _error_code
 
780
 
 
781
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
782
        openpgp_crt_import.argtypes = [openpgp_crt_t,
 
783
                                       ctypes.POINTER(datum_t),
 
784
                                       openpgp_crt_fmt_t]
 
785
        openpgp_crt_import.restype = _error_code
 
786
 
 
787
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
788
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
789
                                            ctypes.POINTER(ctypes.c_uint)]
 
790
        openpgp_crt_verify_self.restype = _error_code
 
791
 
 
792
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
793
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
794
        openpgp_crt_deinit.restype = None
 
795
 
 
796
        openpgp_crt_get_fingerprint = (
 
797
            _library.gnutls_openpgp_crt_get_fingerprint)
 
798
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
799
                                                ctypes.c_void_p,
 
800
                                                ctypes.POINTER(
 
801
                                                    ctypes.c_size_t)]
 
802
        openpgp_crt_get_fingerprint.restype = _error_code
 
803
 
 
804
    if check_version(b"3.6.4"):
 
805
        certificate_type_get2 = _library.gnutls_certificate_type_get2
 
806
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
 
807
        certificate_type_get2.restype = _error_code
762
808
 
763
809
    # Remove non-public functions
764
810
    del _error_code, _retry_on_error
765
 
# Create the global "gnutls" object, simulating a module
766
 
gnutls = GnuTLS()
767
811
 
768
812
 
769
813
def call_pipe(connection,       # : multiprocessing.Connection
777
821
    connection.close()
778
822
 
779
823
 
780
 
class Client(object):
 
824
class Client:
781
825
    """A representation of a client host served by this server.
782
826
 
783
827
    Attributes:
784
828
    approved:   bool(); 'None' if not yet approved/disapproved
785
829
    approval_delay: datetime.timedelta(); Time to wait for approval
786
830
    approval_duration: datetime.timedelta(); Duration of one approval
787
 
    checker:    subprocess.Popen(); a running checker process used
788
 
                                    to see if the client lives.
789
 
                                    'None' if no process is running.
 
831
    checker: multiprocessing.Process(); a running checker process used
 
832
             to see if the client lives. 'None' if no process is
 
833
             running.
790
834
    checker_callback_tag: a GLib event source tag, or None
791
835
    checker_command: string; External command which is run to check
792
836
                     if client lives.  %() expansions are done at
800
844
    disable_initiator_tag: a GLib event source tag, or None
801
845
    enabled:    bool()
802
846
    fingerprint: string (40 or 32 hexadecimal digits); used to
803
 
                 uniquely identify the client
 
847
                 uniquely identify an OpenPGP client
 
848
    key_id: string (64 hexadecimal digits); used to uniquely identify
 
849
            a client using raw public keys
804
850
    host:       string; available for use by the checker command
805
851
    interval:   datetime.timedelta(); How often to start a new checker
806
852
    last_approval_request: datetime.datetime(); (UTC) or None
824
870
    """
825
871
 
826
872
    runtime_expansions = ("approval_delay", "approval_duration",
827
 
                          "created", "enabled", "expires",
 
873
                          "created", "enabled", "expires", "key_id",
828
874
                          "fingerprint", "host", "interval",
829
875
                          "last_approval_request", "last_checked_ok",
830
876
                          "last_enabled", "name", "timeout")
860
906
            client["enabled"] = config.getboolean(client_name,
861
907
                                                  "enabled")
862
908
 
863
 
            # Uppercase and remove spaces from fingerprint for later
864
 
            # comparison purposes with return value from the
865
 
            # fingerprint() function
 
909
            # Uppercase and remove spaces from key_id and fingerprint
 
910
            # for later comparison purposes with return value from the
 
911
            # key_id() and fingerprint() functions
 
912
            client["key_id"] = (section.get("key_id", "").upper()
 
913
                                .replace(" ", ""))
866
914
            client["fingerprint"] = (section["fingerprint"].upper()
867
915
                                     .replace(" ", ""))
868
916
            if "secret" in section:
912
960
            self.expires = None
913
961
 
914
962
        logger.debug("Creating client %r", self.name)
 
963
        logger.debug("  Key ID: %s", self.key_id)
915
964
        logger.debug("  Fingerprint: %s", self.fingerprint)
916
965
        self.created = settings.get("created",
917
966
                                    datetime.datetime.utcnow())
994
1043
    def checker_callback(self, source, condition, connection,
995
1044
                         command):
996
1045
        """The checker has completed, so take appropriate actions."""
997
 
        self.checker_callback_tag = None
998
 
        self.checker = None
999
1046
        # Read return code from connection (see call_pipe)
1000
1047
        returncode = connection.recv()
1001
1048
        connection.close()
 
1049
        self.checker.join()
 
1050
        self.checker_callback_tag = None
 
1051
        self.checker = None
1002
1052
 
1003
1053
        if returncode >= 0:
1004
1054
            self.last_checker_status = returncode
1999
2049
    def Name_dbus_property(self):
2000
2050
        return dbus.String(self.name)
2001
2051
 
 
2052
    # KeyID - property
 
2053
    @dbus_annotations(
 
2054
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
 
2055
    @dbus_service_property(_interface, signature="s", access="read")
 
2056
    def KeyID_dbus_property(self):
 
2057
        return dbus.String(self.key_id)
 
2058
 
2002
2059
    # Fingerprint - property
2003
2060
    @dbus_annotations(
2004
2061
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2159
2216
    del _interface
2160
2217
 
2161
2218
 
2162
 
class ProxyClient(object):
2163
 
    def __init__(self, child_pipe, fpr, address):
 
2219
class ProxyClient:
 
2220
    def __init__(self, child_pipe, key_id, fpr, address):
2164
2221
        self._pipe = child_pipe
2165
 
        self._pipe.send(('init', fpr, address))
 
2222
        self._pipe.send(('init', key_id, fpr, address))
2166
2223
        if not self._pipe.recv():
2167
 
            raise KeyError(fpr)
 
2224
            raise KeyError(key_id or fpr)
2168
2225
 
2169
2226
    def __getattribute__(self, name):
2170
2227
        if name == '_pipe':
2237
2294
 
2238
2295
            approval_required = False
2239
2296
            try:
2240
 
                try:
2241
 
                    fpr = self.fingerprint(
2242
 
                        self.peer_certificate(session))
2243
 
                except (TypeError, gnutls.Error) as error:
2244
 
                    logger.warning("Bad certificate: %s", error)
2245
 
                    return
2246
 
                logger.debug("Fingerprint: %s", fpr)
2247
 
 
2248
 
                try:
2249
 
                    client = ProxyClient(child_pipe, fpr,
 
2297
                if gnutls.has_rawpk:
 
2298
                    fpr = b""
 
2299
                    try:
 
2300
                        key_id = self.key_id(
 
2301
                            self.peer_certificate(session))
 
2302
                    except (TypeError, gnutls.Error) as error:
 
2303
                        logger.warning("Bad certificate: %s", error)
 
2304
                        return
 
2305
                    logger.debug("Key ID: %s", key_id)
 
2306
 
 
2307
                else:
 
2308
                    key_id = b""
 
2309
                    try:
 
2310
                        fpr = self.fingerprint(
 
2311
                            self.peer_certificate(session))
 
2312
                    except (TypeError, gnutls.Error) as error:
 
2313
                        logger.warning("Bad certificate: %s", error)
 
2314
                        return
 
2315
                    logger.debug("Fingerprint: %s", fpr)
 
2316
 
 
2317
                try:
 
2318
                    client = ProxyClient(child_pipe, key_id, fpr,
2250
2319
                                         self.client_address)
2251
2320
                except KeyError:
2252
2321
                    return
2329
2398
 
2330
2399
    @staticmethod
2331
2400
    def peer_certificate(session):
2332
 
        "Return the peer's OpenPGP certificate as a bytestring"
2333
 
        # If not an OpenPGP certificate...
2334
 
        if (gnutls.certificate_type_get(session._c_object)
2335
 
            != gnutls.CRT_OPENPGP):
 
2401
        "Return the peer's certificate as a bytestring"
 
2402
        try:
 
2403
            cert_type = gnutls.certificate_type_get2(session._c_object,
 
2404
                                                     gnutls.CTYPE_PEERS)
 
2405
        except AttributeError:
 
2406
            cert_type = gnutls.certificate_type_get(session._c_object)
 
2407
        if gnutls.has_rawpk:
 
2408
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
 
2409
        else:
 
2410
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
 
2411
        # If not a valid certificate type...
 
2412
        if cert_type not in valid_cert_types:
 
2413
            logger.info("Cert type %r not in %r", cert_type,
 
2414
                        valid_cert_types)
2336
2415
            # ...return invalid data
2337
2416
            return b""
2338
2417
        list_size = ctypes.c_uint(1)
2346
2425
        return ctypes.string_at(cert.data, cert.size)
2347
2426
 
2348
2427
    @staticmethod
 
2428
    def key_id(certificate):
 
2429
        "Convert a certificate bytestring to a hexdigit key ID"
 
2430
        # New GnuTLS "datum" with the public key
 
2431
        datum = gnutls.datum_t(
 
2432
            ctypes.cast(ctypes.c_char_p(certificate),
 
2433
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2434
            ctypes.c_uint(len(certificate)))
 
2435
        # XXX all these need to be created in the gnutls "module"
 
2436
        # New empty GnuTLS certificate
 
2437
        pubkey = gnutls.pubkey_t()
 
2438
        gnutls.pubkey_init(ctypes.byref(pubkey))
 
2439
        # Import the raw public key into the certificate
 
2440
        gnutls.pubkey_import(pubkey,
 
2441
                             ctypes.byref(datum),
 
2442
                             gnutls.X509_FMT_DER)
 
2443
        # New buffer for the key ID
 
2444
        buf = ctypes.create_string_buffer(32)
 
2445
        buf_len = ctypes.c_size_t(len(buf))
 
2446
        # Get the key ID from the raw public key into the buffer
 
2447
        gnutls.pubkey_get_key_id(pubkey,
 
2448
                                 gnutls.KEYID_USE_SHA256,
 
2449
                                 ctypes.cast(ctypes.byref(buf),
 
2450
                                             ctypes.POINTER(ctypes.c_ubyte)),
 
2451
                                 ctypes.byref(buf_len))
 
2452
        # Deinit the certificate
 
2453
        gnutls.pubkey_deinit(pubkey)
 
2454
 
 
2455
        # Convert the buffer to a Python bytestring
 
2456
        key_id = ctypes.string_at(buf, buf_len.value)
 
2457
        # Convert the bytestring to hexadecimal notation
 
2458
        hex_key_id = binascii.hexlify(key_id).upper()
 
2459
        return hex_key_id
 
2460
 
 
2461
    @staticmethod
2349
2462
    def fingerprint(openpgp):
2350
2463
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2464
        # New GnuTLS "datum" with the OpenPGP public key
2365
2478
                                       ctypes.byref(crtverify))
2366
2479
        if crtverify.value != 0:
2367
2480
            gnutls.openpgp_crt_deinit(crt)
2368
 
            raise gnutls.CertificateSecurityError("Verify failed")
 
2481
            raise gnutls.CertificateSecurityError(code
 
2482
                                                  =crtverify.value)
2369
2483
        # New buffer for the fingerprint
2370
2484
        buf = ctypes.create_string_buffer(20)
2371
2485
        buf_len = ctypes.c_size_t()
2381
2495
        return hex_fpr
2382
2496
 
2383
2497
 
2384
 
class MultiprocessingMixIn(object):
 
2498
class MultiprocessingMixIn:
2385
2499
    """Like socketserver.ThreadingMixIn, but with multiprocessing"""
2386
2500
 
2387
2501
    def sub_process_main(self, request, address):
2399
2513
        return proc
2400
2514
 
2401
2515
 
2402
 
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
 
2516
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2403
2517
    """ adds a pipe to the MixIn """
2404
2518
 
2405
2519
    def process_request(self, request, client_address):
2420
2534
 
2421
2535
 
2422
2536
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2423
 
                     socketserver.TCPServer, object):
 
2537
                     socketserver.TCPServer):
2424
2538
    """IPv6-capable TCP server.  Accepts 'None' as address and/or port
2425
2539
 
2426
2540
    Attributes:
2499
2613
                    raise
2500
2614
        # Only bind(2) the socket if we really need to.
2501
2615
        if self.server_address[0] or self.server_address[1]:
 
2616
            if self.server_address[1]:
 
2617
                self.allow_reuse_address = True
2502
2618
            if not self.server_address[0]:
2503
2619
                if self.address_family == socket.AF_INET6:
2504
2620
                    any_address = "::"  # in6addr_any
2578
2694
        command = request[0]
2579
2695
 
2580
2696
        if command == 'init':
2581
 
            fpr = request[1].decode("ascii")
2582
 
            address = request[2]
 
2697
            key_id = request[1].decode("ascii")
 
2698
            fpr = request[2].decode("ascii")
 
2699
            address = request[3]
2583
2700
 
2584
2701
            for c in self.clients.values():
2585
 
                if c.fingerprint == fpr:
 
2702
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
 
2703
                    continue
 
2704
                if key_id and c.key_id == key_id:
 
2705
                    client = c
 
2706
                    break
 
2707
                if fpr and c.fingerprint == fpr:
2586
2708
                    client = c
2587
2709
                    break
2588
2710
            else:
2589
 
                logger.info("Client not found for fingerprint: %s, ad"
2590
 
                            "dress: %s", fpr, address)
 
2711
                logger.info("Client not found for key ID: %s, address"
 
2712
                            ": %s", key_id or fpr, address)
2591
2713
                if self.use_dbus:
2592
2714
                    # Emit D-Bus signal
2593
 
                    mandos_dbus_service.ClientNotFound(fpr,
 
2715
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
2716
                                                       address[0])
2595
2717
                parent_pipe.send(False)
2596
2718
                return False
2859
2981
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2982
 
2861
2983
    # Default values for config file for server-global settings
 
2984
    if gnutls.has_rawpk:
 
2985
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
 
2986
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
 
2987
    else:
 
2988
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
2989
                    ":+SIGN-DSA-SHA256")
2862
2990
    server_defaults = {"interface": "",
2863
2991
                       "address": "",
2864
2992
                       "port": "",
2865
2993
                       "debug": "False",
2866
 
                       "priority":
2867
 
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
 
                       ":+SIGN-DSA-SHA256",
 
2994
                       "priority": priority,
2869
2995
                       "servicename": "Mandos",
2870
2996
                       "use_dbus": "True",
2871
2997
                       "use_ipv6": "True",
2876
3002
                       "foreground": "False",
2877
3003
                       "zeroconf": "True",
2878
3004
                       }
 
3005
    del priority
2879
3006
 
2880
3007
    # Parse config file for server-global settings
2881
 
    server_config = configparser.SafeConfigParser(server_defaults)
 
3008
    server_config = configparser.ConfigParser(server_defaults)
2882
3009
    del server_defaults
2883
3010
    server_config.read(os.path.join(options.configdir, "mandos.conf"))
2884
 
    # Convert the SafeConfigParser object to a dict
 
3011
    # Convert the ConfigParser object to a dict
2885
3012
    server_settings = server_config.defaults()
2886
3013
    # Use the appropriate methods on the non-string config options
2887
3014
    for option in ("debug", "use_dbus", "use_ipv6", "restore",
2959
3086
                                  server_settings["servicename"])))
2960
3087
 
2961
3088
    # Parse config file with clients
2962
 
    client_config = configparser.SafeConfigParser(Client
2963
 
                                                  .client_defaults)
 
3089
    client_config = configparser.ConfigParser(Client.client_defaults)
2964
3090
    client_config.read(os.path.join(server_settings["configdir"],
2965
3091
                                    "clients.conf"))
2966
3092
 
3037
3163
        # Close all input and output, do double fork, etc.
3038
3164
        daemon()
3039
3165
 
3040
 
    # multiprocessing will use threads, so before we use GLib we need
3041
 
    # to inform GLib that threads will be used.
3042
 
    GLib.threads_init()
 
3166
    if gi.version_info < (3, 10, 2):
 
3167
        # multiprocessing will use threads, so before we use GLib we
 
3168
        # need to inform GLib that threads will be used.
 
3169
        GLib.threads_init()
3043
3170
 
3044
3171
    global main_loop
3045
3172
    # From the Avahi example code
3125
3252
                        for k in ("name", "host"):
3126
3253
                            if isinstance(value[k], bytes):
3127
3254
                                value[k] = value[k].decode("utf-8")
 
3255
                        if "key_id" not in value:
 
3256
                            value["key_id"] = ""
 
3257
                        elif "fingerprint" not in value:
 
3258
                            value["fingerprint"] = ""
3128
3259
                    #  old_client_settings
3129
3260
                    # .keys()
3130
3261
                    old_client_settings = {
3267
3398
                pass
3268
3399
 
3269
3400
            @dbus.service.signal(_interface, signature="ss")
3270
 
            def ClientNotFound(self, fingerprint, address):
 
3401
            def ClientNotFound(self, key_id, address):
3271
3402
                "D-Bus signal"
3272
3403
                pass
3273
3404