/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos

  • Committer: teddy at recompile
  • Date: 2020-02-07 20:53:34 UTC
  • mto: This revision was merged to the branch mainline in revision 396.
  • Revision ID: teddy@recompile.se-20200207205334-dp41p8c8vw0ytik5
Allow users to more easily alter mandos.service

The sysvinit script uses /etc/default/mandos as an environment file,
and supports adding additional server options to a DAEMON_ARGS
environment variable.  This should be supported by the systemd
service, too.

* mandos.service ([Service]/EnvironmentFile): New; set to
  "/etc/default/mandos ".
  ([Service]/ExecStart): Append "$DAEMON_ARGS".

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
#!/usr/bin/python
2
 
# -*- mode: python; coding: utf-8 -*-
 
1
#!/usr/bin/python3 -bI
 
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2017 Teddy Hogeborn
15
 
# Copyright © 2008-2017 Björn Påhlsson
 
14
# Copyright © 2008-2019 Teddy Hogeborn
 
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
 
80
import unittest
 
81
import random
80
82
 
81
83
import dbus
82
84
import dbus.service
 
85
import gi
83
86
from gi.repository import GLib
84
87
from dbus.mainloop.glib import DBusGMainLoop
85
88
import ctypes
87
90
import xml.dom.minidom
88
91
import inspect
89
92
 
 
93
if sys.version_info.major == 2:
 
94
    __metaclass__ = type
 
95
    str = unicode
 
96
 
 
97
# Add collections.abc.Callable if it does not exist
 
98
try:
 
99
    collections.abc.Callable
 
100
except AttributeError:
 
101
    class abc:
 
102
        Callable = collections.Callable
 
103
    collections.abc = abc
 
104
    del abc
 
105
 
 
106
# Show warnings by default
 
107
if not sys.warnoptions:
 
108
    import warnings
 
109
    warnings.simplefilter("default")
 
110
 
90
111
# Try to find the value of SO_BINDTODEVICE:
91
112
try:
92
113
    # This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
112
133
            # No value found
113
134
            SO_BINDTODEVICE = None
114
135
 
115
 
if sys.version_info.major == 2:
116
 
    str = unicode
 
136
if sys.version_info < (3, 2):
 
137
    configparser.Configparser = configparser.SafeConfigParser
117
138
 
118
 
version = "1.7.16"
 
139
version = "1.8.9"
119
140
stored_state_file = "clients.pickle"
120
141
 
121
142
logger = logging.getLogger()
 
143
logging.captureWarnings(True)   # Show warnings via the logging system
122
144
syslogger = None
123
145
 
124
146
try:
179
201
    pass
180
202
 
181
203
 
182
 
class PGPEngine(object):
 
204
class PGPEngine:
183
205
    """A simple class for OpenPGP symmetric encryption & decryption"""
184
206
 
185
207
    def __init__(self):
189
211
            output = subprocess.check_output(["gpgconf"])
190
212
            for line in output.splitlines():
191
213
                name, text, path = line.split(b":")
192
 
                if name == "gpg":
 
214
                if name == b"gpg":
193
215
                    self.gpg = path
194
216
                    break
195
217
        except OSError as e:
200
222
                          '--force-mdc',
201
223
                          '--quiet']
202
224
        # Only GPG version 1 has the --no-use-agent option.
203
 
        if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
 
225
        if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
204
226
            self.gnupgargs.append("--no-use-agent")
205
227
 
206
228
    def __enter__(self):
275
297
 
276
298
 
277
299
# Pretend that we have an Avahi module
278
 
class Avahi(object):
279
 
    """This isn't so much a class as it is a module-like namespace.
280
 
    It is instantiated once, and simulates having an Avahi module."""
 
300
class avahi:
 
301
    """This isn't so much a class as it is a module-like namespace."""
281
302
    IF_UNSPEC = -1               # avahi-common/address.h
282
303
    PROTO_UNSPEC = -1            # avahi-common/address.h
283
304
    PROTO_INET = 0               # avahi-common/address.h
287
308
    DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
309
    DBUS_PATH_SERVER = "/"
289
310
 
290
 
    def string_array_to_txt_array(self, t):
 
311
    @staticmethod
 
312
    def string_array_to_txt_array(t):
291
313
        return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
314
                           for s in t), signature="ay")
293
315
    ENTRY_GROUP_ESTABLISHED = 2  # avahi-common/defs.h
298
320
    SERVER_RUNNING = 2           # avahi-common/defs.h
299
321
    SERVER_COLLISION = 3         # avahi-common/defs.h
300
322
    SERVER_FAILURE = 4           # avahi-common/defs.h
301
 
avahi = Avahi()
302
323
 
303
324
 
304
325
class AvahiError(Exception):
316
337
    pass
317
338
 
318
339
 
319
 
class AvahiService(object):
 
340
class AvahiService:
320
341
    """An Avahi (Zeroconf) service.
321
342
 
322
343
    Attributes:
496
517
class AvahiServiceToSyslog(AvahiService):
497
518
    def rename(self, *args, **kwargs):
498
519
        """Add the new name to the syslog messages"""
499
 
        ret = super(AvahiServiceToSyslog, self).rename(self, *args,
500
 
                                                       **kwargs)
 
520
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
501
521
        syslogger.setFormatter(logging.Formatter(
502
522
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
503
523
            .format(self.name)))
505
525
 
506
526
 
507
527
# Pretend that we have a GnuTLS module
508
 
class GnuTLS(object):
509
 
    """This isn't so much a class as it is a module-like namespace.
510
 
    It is instantiated once, and simulates having a GnuTLS module."""
 
528
class gnutls:
 
529
    """This isn't so much a class as it is a module-like namespace."""
511
530
 
512
531
    library = ctypes.util.find_library("gnutls")
513
532
    if library is None:
514
533
        library = ctypes.util.find_library("gnutls-deb0")
515
534
    _library = ctypes.cdll.LoadLibrary(library)
516
535
    del library
517
 
    _need_version = b"3.3.0"
518
 
 
519
 
    def __init__(self):
520
 
        # Need to use "self" here, since this method is called before
521
 
        # the assignment to the "gnutls" global variable happens.
522
 
        if self.check_version(self._need_version) is None:
523
 
            raise self.Error("Needs GnuTLS {} or later"
524
 
                             .format(self._need_version))
525
536
 
526
537
    # Unless otherwise indicated, the constants and types below are
527
538
    # all from the gnutls/gnutls.h C header file.
531
542
    E_INTERRUPTED = -52
532
543
    E_AGAIN = -28
533
544
    CRT_OPENPGP = 2
 
545
    CRT_RAWPK = 3
534
546
    CLIENT = 2
535
547
    SHUT_RDWR = 0
536
548
    CRD_CERTIFICATE = 1
537
549
    E_NO_CERTIFICATE_FOUND = -49
 
550
    X509_FMT_DER = 0
 
551
    NO_TICKETS = 1<<10
 
552
    ENABLE_RAWPK = 1<<18
 
553
    CTYPE_PEERS = 3
 
554
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
538
555
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
539
556
 
540
557
    # Types
563
580
 
564
581
    # Exceptions
565
582
    class Error(Exception):
566
 
        # We need to use the class name "GnuTLS" here, since this
567
 
        # exception might be raised from within GnuTLS.__init__,
568
 
        # which is called before the assignment to the "gnutls"
569
 
        # global variable has happened.
570
583
        def __init__(self, message=None, code=None, args=()):
571
584
            # Default usage is by a message string, but if a return
572
585
            # code is passed, convert it to a string with
573
586
            # gnutls.strerror()
574
587
            self.code = code
575
588
            if message is None and code is not None:
576
 
                message = GnuTLS.strerror(code)
577
 
            return super(GnuTLS.Error, self).__init__(
 
589
                message = gnutls.strerror(code)
 
590
            return super(gnutls.Error, self).__init__(
578
591
                message, *args)
579
592
 
580
593
    class CertificateSecurityError(Error):
581
594
        pass
582
595
 
583
596
    # Classes
584
 
    class Credentials(object):
 
597
    class Credentials:
585
598
        def __init__(self):
586
599
            self._c_object = gnutls.certificate_credentials_t()
587
600
            gnutls.certificate_allocate_credentials(
591
604
        def __del__(self):
592
605
            gnutls.certificate_free_credentials(self._c_object)
593
606
 
594
 
    class ClientSession(object):
 
607
    class ClientSession:
595
608
        def __init__(self, socket, credentials=None):
596
609
            self._c_object = gnutls.session_t()
597
 
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
 
610
            gnutls_flags = gnutls.CLIENT
 
611
            if gnutls.check_version(b"3.5.6"):
 
612
                gnutls_flags |= gnutls.NO_TICKETS
 
613
            if gnutls.has_rawpk:
 
614
                gnutls_flags |= gnutls.ENABLE_RAWPK
 
615
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
 
616
            del gnutls_flags
598
617
            gnutls.set_default_priority(self._c_object)
599
618
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
600
619
            gnutls.handshake_set_private_extensions(self._c_object,
732
751
    check_version.argtypes = [ctypes.c_char_p]
733
752
    check_version.restype = ctypes.c_char_p
734
753
 
735
 
    # All the function declarations below are from gnutls/openpgp.h
736
 
 
737
 
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
738
 
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
739
 
    openpgp_crt_init.restype = _error_code
740
 
 
741
 
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
742
 
    openpgp_crt_import.argtypes = [openpgp_crt_t,
743
 
                                   ctypes.POINTER(datum_t),
744
 
                                   openpgp_crt_fmt_t]
745
 
    openpgp_crt_import.restype = _error_code
746
 
 
747
 
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
748
 
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
749
 
                                        ctypes.POINTER(ctypes.c_uint)]
750
 
    openpgp_crt_verify_self.restype = _error_code
751
 
 
752
 
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
753
 
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
754
 
    openpgp_crt_deinit.restype = None
755
 
 
756
 
    openpgp_crt_get_fingerprint = (
757
 
        _library.gnutls_openpgp_crt_get_fingerprint)
758
 
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
 
                                            ctypes.c_void_p,
760
 
                                            ctypes.POINTER(
761
 
                                                ctypes.c_size_t)]
762
 
    openpgp_crt_get_fingerprint.restype = _error_code
 
754
    _need_version = b"3.3.0"
 
755
    if check_version(_need_version) is None:
 
756
        raise self.Error("Needs GnuTLS {} or later"
 
757
                         .format(_need_version))
 
758
 
 
759
    _tls_rawpk_version = b"3.6.6"
 
760
    has_rawpk = bool(check_version(_tls_rawpk_version))
 
761
 
 
762
    if has_rawpk:
 
763
        # Types
 
764
        class pubkey_st(ctypes.Structure):
 
765
            _fields = []
 
766
        pubkey_t = ctypes.POINTER(pubkey_st)
 
767
 
 
768
        x509_crt_fmt_t = ctypes.c_int
 
769
 
 
770
        # All the function declarations below are from gnutls/abstract.h
 
771
        pubkey_init = _library.gnutls_pubkey_init
 
772
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
 
773
        pubkey_init.restype = _error_code
 
774
 
 
775
        pubkey_import = _library.gnutls_pubkey_import
 
776
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
 
777
                                  x509_crt_fmt_t]
 
778
        pubkey_import.restype = _error_code
 
779
 
 
780
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
 
781
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
 
782
                                      ctypes.POINTER(ctypes.c_ubyte),
 
783
                                      ctypes.POINTER(ctypes.c_size_t)]
 
784
        pubkey_get_key_id.restype = _error_code
 
785
 
 
786
        pubkey_deinit = _library.gnutls_pubkey_deinit
 
787
        pubkey_deinit.argtypes = [pubkey_t]
 
788
        pubkey_deinit.restype = None
 
789
    else:
 
790
        # All the function declarations below are from gnutls/openpgp.h
 
791
 
 
792
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
793
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
794
        openpgp_crt_init.restype = _error_code
 
795
 
 
796
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
797
        openpgp_crt_import.argtypes = [openpgp_crt_t,
 
798
                                       ctypes.POINTER(datum_t),
 
799
                                       openpgp_crt_fmt_t]
 
800
        openpgp_crt_import.restype = _error_code
 
801
 
 
802
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
803
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
804
                                            ctypes.POINTER(ctypes.c_uint)]
 
805
        openpgp_crt_verify_self.restype = _error_code
 
806
 
 
807
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
808
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
809
        openpgp_crt_deinit.restype = None
 
810
 
 
811
        openpgp_crt_get_fingerprint = (
 
812
            _library.gnutls_openpgp_crt_get_fingerprint)
 
813
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
814
                                                ctypes.c_void_p,
 
815
                                                ctypes.POINTER(
 
816
                                                    ctypes.c_size_t)]
 
817
        openpgp_crt_get_fingerprint.restype = _error_code
 
818
 
 
819
    if check_version(b"3.6.4"):
 
820
        certificate_type_get2 = _library.gnutls_certificate_type_get2
 
821
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
 
822
        certificate_type_get2.restype = _error_code
763
823
 
764
824
    # Remove non-public functions
765
825
    del _error_code, _retry_on_error
766
 
# Create the global "gnutls" object, simulating a module
767
 
gnutls = GnuTLS()
768
826
 
769
827
 
770
828
def call_pipe(connection,       # : multiprocessing.Connection
778
836
    connection.close()
779
837
 
780
838
 
781
 
class Client(object):
 
839
class Client:
782
840
    """A representation of a client host served by this server.
783
841
 
784
842
    Attributes:
785
843
    approved:   bool(); 'None' if not yet approved/disapproved
786
844
    approval_delay: datetime.timedelta(); Time to wait for approval
787
845
    approval_duration: datetime.timedelta(); Duration of one approval
788
 
    checker:    subprocess.Popen(); a running checker process used
789
 
                                    to see if the client lives.
790
 
                                    'None' if no process is running.
 
846
    checker: multiprocessing.Process(); a running checker process used
 
847
             to see if the client lives. 'None' if no process is
 
848
             running.
791
849
    checker_callback_tag: a GLib event source tag, or None
792
850
    checker_command: string; External command which is run to check
793
851
                     if client lives.  %() expansions are done at
801
859
    disable_initiator_tag: a GLib event source tag, or None
802
860
    enabled:    bool()
803
861
    fingerprint: string (40 or 32 hexadecimal digits); used to
804
 
                 uniquely identify the client
 
862
                 uniquely identify an OpenPGP client
 
863
    key_id: string (64 hexadecimal digits); used to uniquely identify
 
864
            a client using raw public keys
805
865
    host:       string; available for use by the checker command
806
866
    interval:   datetime.timedelta(); How often to start a new checker
807
867
    last_approval_request: datetime.datetime(); (UTC) or None
825
885
    """
826
886
 
827
887
    runtime_expansions = ("approval_delay", "approval_duration",
828
 
                          "created", "enabled", "expires",
 
888
                          "created", "enabled", "expires", "key_id",
829
889
                          "fingerprint", "host", "interval",
830
890
                          "last_approval_request", "last_checked_ok",
831
891
                          "last_enabled", "name", "timeout")
861
921
            client["enabled"] = config.getboolean(client_name,
862
922
                                                  "enabled")
863
923
 
864
 
            # Uppercase and remove spaces from fingerprint for later
865
 
            # comparison purposes with return value from the
866
 
            # fingerprint() function
 
924
            # Uppercase and remove spaces from key_id and fingerprint
 
925
            # for later comparison purposes with return value from the
 
926
            # key_id() and fingerprint() functions
 
927
            client["key_id"] = (section.get("key_id", "").upper()
 
928
                                .replace(" ", ""))
867
929
            client["fingerprint"] = (section["fingerprint"].upper()
868
930
                                     .replace(" ", ""))
869
931
            if "secret" in section:
913
975
            self.expires = None
914
976
 
915
977
        logger.debug("Creating client %r", self.name)
 
978
        logger.debug("  Key ID: %s", self.key_id)
916
979
        logger.debug("  Fingerprint: %s", self.fingerprint)
917
980
        self.created = settings.get("created",
918
981
                                    datetime.datetime.utcnow())
982
1045
        if self.checker_initiator_tag is not None:
983
1046
            GLib.source_remove(self.checker_initiator_tag)
984
1047
        self.checker_initiator_tag = GLib.timeout_add(
985
 
            int(self.interval.total_seconds() * 1000),
 
1048
            random.randrange(int(self.interval.total_seconds() * 1000
 
1049
                                 + 1)),
986
1050
            self.start_checker)
987
1051
        # Schedule a disable() when 'timeout' has passed
988
1052
        if self.disable_initiator_tag is not None:
995
1059
    def checker_callback(self, source, condition, connection,
996
1060
                         command):
997
1061
        """The checker has completed, so take appropriate actions."""
998
 
        self.checker_callback_tag = None
999
 
        self.checker = None
1000
1062
        # Read return code from connection (see call_pipe)
1001
1063
        returncode = connection.recv()
1002
1064
        connection.close()
 
1065
        if self.checker is not None:
 
1066
            self.checker.join()
 
1067
        self.checker_callback_tag = None
 
1068
        self.checker = None
1003
1069
 
1004
1070
        if returncode >= 0:
1005
1071
            self.last_checker_status = returncode
1094
1160
                kwargs=popen_args)
1095
1161
            self.checker.start()
1096
1162
            self.checker_callback_tag = GLib.io_add_watch(
1097
 
                pipe[0].fileno(), GLib.IO_IN,
 
1163
                GLib.IOChannel.unix_new(pipe[0].fileno()),
 
1164
                GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1098
1165
                self.checker_callback, pipe[0], command)
1099
1166
        # Re-run this periodically if run by GLib.timeout_add
1100
1167
        return True
1355
1422
                raise ValueError("Byte arrays not supported for non-"
1356
1423
                                 "'ay' signature {!r}"
1357
1424
                                 .format(prop._dbus_signature))
1358
 
            value = dbus.ByteArray(b''.join(chr(byte)
1359
 
                                            for byte in value))
 
1425
            value = dbus.ByteArray(bytes(value))
1360
1426
        prop(value)
1361
1427
 
1362
1428
    @dbus.service.method(dbus.PROPERTIES_IFACE,
2000
2066
    def Name_dbus_property(self):
2001
2067
        return dbus.String(self.name)
2002
2068
 
 
2069
    # KeyID - property
 
2070
    @dbus_annotations(
 
2071
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
 
2072
    @dbus_service_property(_interface, signature="s", access="read")
 
2073
    def KeyID_dbus_property(self):
 
2074
        return dbus.String(self.key_id)
 
2075
 
2003
2076
    # Fingerprint - property
2004
2077
    @dbus_annotations(
2005
2078
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2160
2233
    del _interface
2161
2234
 
2162
2235
 
2163
 
class ProxyClient(object):
2164
 
    def __init__(self, child_pipe, fpr, address):
 
2236
class ProxyClient:
 
2237
    def __init__(self, child_pipe, key_id, fpr, address):
2165
2238
        self._pipe = child_pipe
2166
 
        self._pipe.send(('init', fpr, address))
 
2239
        self._pipe.send(('init', key_id, fpr, address))
2167
2240
        if not self._pipe.recv():
2168
 
            raise KeyError(fpr)
 
2241
            raise KeyError(key_id or fpr)
2169
2242
 
2170
2243
    def __getattribute__(self, name):
2171
2244
        if name == '_pipe':
2238
2311
 
2239
2312
            approval_required = False
2240
2313
            try:
2241
 
                try:
2242
 
                    fpr = self.fingerprint(
2243
 
                        self.peer_certificate(session))
2244
 
                except (TypeError, gnutls.Error) as error:
2245
 
                    logger.warning("Bad certificate: %s", error)
2246
 
                    return
2247
 
                logger.debug("Fingerprint: %s", fpr)
2248
 
 
2249
 
                try:
2250
 
                    client = ProxyClient(child_pipe, fpr,
 
2314
                if gnutls.has_rawpk:
 
2315
                    fpr = b""
 
2316
                    try:
 
2317
                        key_id = self.key_id(
 
2318
                            self.peer_certificate(session))
 
2319
                    except (TypeError, gnutls.Error) as error:
 
2320
                        logger.warning("Bad certificate: %s", error)
 
2321
                        return
 
2322
                    logger.debug("Key ID: %s", key_id)
 
2323
 
 
2324
                else:
 
2325
                    key_id = b""
 
2326
                    try:
 
2327
                        fpr = self.fingerprint(
 
2328
                            self.peer_certificate(session))
 
2329
                    except (TypeError, gnutls.Error) as error:
 
2330
                        logger.warning("Bad certificate: %s", error)
 
2331
                        return
 
2332
                    logger.debug("Fingerprint: %s", fpr)
 
2333
 
 
2334
                try:
 
2335
                    client = ProxyClient(child_pipe, key_id, fpr,
2251
2336
                                         self.client_address)
2252
2337
                except KeyError:
2253
2338
                    return
2330
2415
 
2331
2416
    @staticmethod
2332
2417
    def peer_certificate(session):
2333
 
        "Return the peer's OpenPGP certificate as a bytestring"
2334
 
        # If not an OpenPGP certificate...
2335
 
        if (gnutls.certificate_type_get(session._c_object)
2336
 
            != gnutls.CRT_OPENPGP):
 
2418
        "Return the peer's certificate as a bytestring"
 
2419
        try:
 
2420
            cert_type = gnutls.certificate_type_get2(session._c_object,
 
2421
                                                     gnutls.CTYPE_PEERS)
 
2422
        except AttributeError:
 
2423
            cert_type = gnutls.certificate_type_get(session._c_object)
 
2424
        if gnutls.has_rawpk:
 
2425
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
 
2426
        else:
 
2427
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
 
2428
        # If not a valid certificate type...
 
2429
        if cert_type not in valid_cert_types:
 
2430
            logger.info("Cert type %r not in %r", cert_type,
 
2431
                        valid_cert_types)
2337
2432
            # ...return invalid data
2338
2433
            return b""
2339
2434
        list_size = ctypes.c_uint(1)
2347
2442
        return ctypes.string_at(cert.data, cert.size)
2348
2443
 
2349
2444
    @staticmethod
 
2445
    def key_id(certificate):
 
2446
        "Convert a certificate bytestring to a hexdigit key ID"
 
2447
        # New GnuTLS "datum" with the public key
 
2448
        datum = gnutls.datum_t(
 
2449
            ctypes.cast(ctypes.c_char_p(certificate),
 
2450
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2451
            ctypes.c_uint(len(certificate)))
 
2452
        # XXX all these need to be created in the gnutls "module"
 
2453
        # New empty GnuTLS certificate
 
2454
        pubkey = gnutls.pubkey_t()
 
2455
        gnutls.pubkey_init(ctypes.byref(pubkey))
 
2456
        # Import the raw public key into the certificate
 
2457
        gnutls.pubkey_import(pubkey,
 
2458
                             ctypes.byref(datum),
 
2459
                             gnutls.X509_FMT_DER)
 
2460
        # New buffer for the key ID
 
2461
        buf = ctypes.create_string_buffer(32)
 
2462
        buf_len = ctypes.c_size_t(len(buf))
 
2463
        # Get the key ID from the raw public key into the buffer
 
2464
        gnutls.pubkey_get_key_id(pubkey,
 
2465
                                 gnutls.KEYID_USE_SHA256,
 
2466
                                 ctypes.cast(ctypes.byref(buf),
 
2467
                                             ctypes.POINTER(ctypes.c_ubyte)),
 
2468
                                 ctypes.byref(buf_len))
 
2469
        # Deinit the certificate
 
2470
        gnutls.pubkey_deinit(pubkey)
 
2471
 
 
2472
        # Convert the buffer to a Python bytestring
 
2473
        key_id = ctypes.string_at(buf, buf_len.value)
 
2474
        # Convert the bytestring to hexadecimal notation
 
2475
        hex_key_id = binascii.hexlify(key_id).upper()
 
2476
        return hex_key_id
 
2477
 
 
2478
    @staticmethod
2350
2479
    def fingerprint(openpgp):
2351
2480
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2352
2481
        # New GnuTLS "datum" with the OpenPGP public key
2366
2495
                                       ctypes.byref(crtverify))
2367
2496
        if crtverify.value != 0:
2368
2497
            gnutls.openpgp_crt_deinit(crt)
2369
 
            raise gnutls.CertificateSecurityError("Verify failed")
 
2498
            raise gnutls.CertificateSecurityError(code
 
2499
                                                  =crtverify.value)
2370
2500
        # New buffer for the fingerprint
2371
2501
        buf = ctypes.create_string_buffer(20)
2372
2502
        buf_len = ctypes.c_size_t()
2382
2512
        return hex_fpr
2383
2513
 
2384
2514
 
2385
 
class MultiprocessingMixIn(object):
 
2515
class MultiprocessingMixIn:
2386
2516
    """Like socketserver.ThreadingMixIn, but with multiprocessing"""
2387
2517
 
2388
2518
    def sub_process_main(self, request, address):
2400
2530
        return proc
2401
2531
 
2402
2532
 
2403
 
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
 
2533
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2404
2534
    """ adds a pipe to the MixIn """
2405
2535
 
2406
2536
    def process_request(self, request, client_address):
2421
2551
 
2422
2552
 
2423
2553
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2424
 
                     socketserver.TCPServer, object):
 
2554
                     socketserver.TCPServer):
2425
2555
    """IPv6-capable TCP server.  Accepts 'None' as address and/or port
2426
2556
 
2427
2557
    Attributes:
2500
2630
                    raise
2501
2631
        # Only bind(2) the socket if we really need to.
2502
2632
        if self.server_address[0] or self.server_address[1]:
 
2633
            if self.server_address[1]:
 
2634
                self.allow_reuse_address = True
2503
2635
            if not self.server_address[0]:
2504
2636
                if self.address_family == socket.AF_INET6:
2505
2637
                    any_address = "::"  # in6addr_any
2558
2690
    def add_pipe(self, parent_pipe, proc):
2559
2691
        # Call "handle_ipc" for both data and EOF events
2560
2692
        GLib.io_add_watch(
2561
 
            parent_pipe.fileno(),
2562
 
            GLib.IO_IN | GLib.IO_HUP,
 
2693
            GLib.IOChannel.unix_new(parent_pipe.fileno()),
 
2694
            GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2563
2695
            functools.partial(self.handle_ipc,
2564
2696
                              parent_pipe=parent_pipe,
2565
2697
                              proc=proc))
2579
2711
        command = request[0]
2580
2712
 
2581
2713
        if command == 'init':
2582
 
            fpr = request[1].decode("ascii")
2583
 
            address = request[2]
 
2714
            key_id = request[1].decode("ascii")
 
2715
            fpr = request[2].decode("ascii")
 
2716
            address = request[3]
2584
2717
 
2585
2718
            for c in self.clients.values():
2586
 
                if c.fingerprint == fpr:
 
2719
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
 
2720
                    continue
 
2721
                if key_id and c.key_id == key_id:
 
2722
                    client = c
 
2723
                    break
 
2724
                if fpr and c.fingerprint == fpr:
2587
2725
                    client = c
2588
2726
                    break
2589
2727
            else:
2590
 
                logger.info("Client not found for fingerprint: %s, ad"
2591
 
                            "dress: %s", fpr, address)
 
2728
                logger.info("Client not found for key ID: %s, address"
 
2729
                            ": %s", key_id or fpr, address)
2592
2730
                if self.use_dbus:
2593
2731
                    # Emit D-Bus signal
2594
 
                    mandos_dbus_service.ClientNotFound(fpr,
 
2732
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
2595
2733
                                                       address[0])
2596
2734
                parent_pipe.send(False)
2597
2735
                return False
2598
2736
 
2599
2737
            GLib.io_add_watch(
2600
 
                parent_pipe.fileno(),
2601
 
                GLib.IO_IN | GLib.IO_HUP,
 
2738
                GLib.IOChannel.unix_new(parent_pipe.fileno()),
 
2739
                GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2602
2740
                functools.partial(self.handle_ipc,
2603
2741
                                  parent_pipe=parent_pipe,
2604
2742
                                  proc=proc,
2619
2757
        if command == 'getattr':
2620
2758
            attrname = request[1]
2621
2759
            if isinstance(client_object.__getattribute__(attrname),
2622
 
                          collections.Callable):
 
2760
                          collections.abc.Callable):
2623
2761
                parent_pipe.send(('function', ))
2624
2762
            else:
2625
2763
                parent_pipe.send((
2636
2774
def rfc3339_duration_to_delta(duration):
2637
2775
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
2638
2776
 
2639
 
    >>> rfc3339_duration_to_delta("P7D")
2640
 
    datetime.timedelta(7)
2641
 
    >>> rfc3339_duration_to_delta("PT60S")
2642
 
    datetime.timedelta(0, 60)
2643
 
    >>> rfc3339_duration_to_delta("PT60M")
2644
 
    datetime.timedelta(0, 3600)
2645
 
    >>> rfc3339_duration_to_delta("PT24H")
2646
 
    datetime.timedelta(1)
2647
 
    >>> rfc3339_duration_to_delta("P1W")
2648
 
    datetime.timedelta(7)
2649
 
    >>> rfc3339_duration_to_delta("PT5M30S")
2650
 
    datetime.timedelta(0, 330)
2651
 
    >>> rfc3339_duration_to_delta("P1DT3M20S")
2652
 
    datetime.timedelta(1, 200)
 
2777
    >>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
 
2778
    True
 
2779
    >>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
 
2780
    True
 
2781
    >>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
 
2782
    True
 
2783
    >>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
 
2784
    True
 
2785
    >>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
 
2786
    True
 
2787
    >>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
 
2788
    True
 
2789
    >>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
 
2790
    True
2653
2791
    """
2654
2792
 
2655
2793
    # Parsing an RFC 3339 duration with regular expressions is not
2735
2873
def string_to_delta(interval):
2736
2874
    """Parse a string and return a datetime.timedelta
2737
2875
 
2738
 
    >>> string_to_delta('7d')
2739
 
    datetime.timedelta(7)
2740
 
    >>> string_to_delta('60s')
2741
 
    datetime.timedelta(0, 60)
2742
 
    >>> string_to_delta('60m')
2743
 
    datetime.timedelta(0, 3600)
2744
 
    >>> string_to_delta('24h')
2745
 
    datetime.timedelta(1)
2746
 
    >>> string_to_delta('1w')
2747
 
    datetime.timedelta(7)
2748
 
    >>> string_to_delta('5m 30s')
2749
 
    datetime.timedelta(0, 330)
 
2876
    >>> string_to_delta('7d') == datetime.timedelta(7)
 
2877
    True
 
2878
    >>> string_to_delta('60s') == datetime.timedelta(0, 60)
 
2879
    True
 
2880
    >>> string_to_delta('60m') == datetime.timedelta(0, 3600)
 
2881
    True
 
2882
    >>> string_to_delta('24h') == datetime.timedelta(1)
 
2883
    True
 
2884
    >>> string_to_delta('1w') == datetime.timedelta(7)
 
2885
    True
 
2886
    >>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
 
2887
    True
2750
2888
    """
2751
2889
 
2752
2890
    try:
2854
2992
 
2855
2993
    options = parser.parse_args()
2856
2994
 
2857
 
    if options.check:
2858
 
        import doctest
2859
 
        fail_count, test_count = doctest.testmod()
2860
 
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2861
 
 
2862
2995
    # Default values for config file for server-global settings
 
2996
    if gnutls.has_rawpk:
 
2997
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
 
2998
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
 
2999
    else:
 
3000
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
3001
                    ":+SIGN-DSA-SHA256")
2863
3002
    server_defaults = {"interface": "",
2864
3003
                       "address": "",
2865
3004
                       "port": "",
2866
3005
                       "debug": "False",
2867
 
                       "priority":
2868
 
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
 
                       ":+SIGN-DSA-SHA256",
 
3006
                       "priority": priority,
2870
3007
                       "servicename": "Mandos",
2871
3008
                       "use_dbus": "True",
2872
3009
                       "use_ipv6": "True",
2877
3014
                       "foreground": "False",
2878
3015
                       "zeroconf": "True",
2879
3016
                       }
 
3017
    del priority
2880
3018
 
2881
3019
    # Parse config file for server-global settings
2882
 
    server_config = configparser.SafeConfigParser(server_defaults)
 
3020
    server_config = configparser.ConfigParser(server_defaults)
2883
3021
    del server_defaults
2884
3022
    server_config.read(os.path.join(options.configdir, "mandos.conf"))
2885
 
    # Convert the SafeConfigParser object to a dict
 
3023
    # Convert the ConfigParser object to a dict
2886
3024
    server_settings = server_config.defaults()
2887
3025
    # Use the appropriate methods on the non-string config options
2888
3026
    for option in ("debug", "use_dbus", "use_ipv6", "restore",
2960
3098
                                  server_settings["servicename"])))
2961
3099
 
2962
3100
    # Parse config file with clients
2963
 
    client_config = configparser.SafeConfigParser(Client
2964
 
                                                  .client_defaults)
 
3101
    client_config = configparser.ConfigParser(Client.client_defaults)
2965
3102
    client_config.read(os.path.join(server_settings["configdir"],
2966
3103
                                    "clients.conf"))
2967
3104
 
3038
3175
        # Close all input and output, do double fork, etc.
3039
3176
        daemon()
3040
3177
 
3041
 
    # multiprocessing will use threads, so before we use GLib we need
3042
 
    # to inform GLib that threads will be used.
3043
 
    GLib.threads_init()
 
3178
    if gi.version_info < (3, 10, 2):
 
3179
        # multiprocessing will use threads, so before we use GLib we
 
3180
        # need to inform GLib that threads will be used.
 
3181
        GLib.threads_init()
3044
3182
 
3045
3183
    global main_loop
3046
3184
    # From the Avahi example code
3122
3260
                             if isinstance(s, bytes)
3123
3261
                             else s) for s in
3124
3262
                            value["client_structure"]]
3125
 
                        # .name & .host
3126
 
                        for k in ("name", "host"):
 
3263
                        # .name, .host, and .checker_command
 
3264
                        for k in ("name", "host", "checker_command"):
3127
3265
                            if isinstance(value[k], bytes):
3128
3266
                                value[k] = value[k].decode("utf-8")
 
3267
                        if "key_id" not in value:
 
3268
                            value["key_id"] = ""
 
3269
                        elif "fingerprint" not in value:
 
3270
                            value["fingerprint"] = ""
3129
3271
                    #  old_client_settings
3130
3272
                    # .keys()
3131
3273
                    old_client_settings = {
3135
3277
                        for key, value in
3136
3278
                        bytes_old_client_settings.items()}
3137
3279
                    del bytes_old_client_settings
3138
 
                    # .host
 
3280
                    # .host and .checker_command
3139
3281
                    for value in old_client_settings.values():
3140
 
                        if isinstance(value["host"], bytes):
3141
 
                            value["host"] = (value["host"]
3142
 
                                             .decode("utf-8"))
 
3282
                        for attribute in ("host", "checker_command"):
 
3283
                            if isinstance(value[attribute], bytes):
 
3284
                                value[attribute] = (value[attribute]
 
3285
                                                    .decode("utf-8"))
3143
3286
            os.remove(stored_state_path)
3144
3287
        except IOError as e:
3145
3288
            if e.errno == errno.ENOENT:
3268
3411
                pass
3269
3412
 
3270
3413
            @dbus.service.signal(_interface, signature="ss")
3271
 
            def ClientNotFound(self, fingerprint, address):
 
3414
            def ClientNotFound(self, key_id, address):
3272
3415
                "D-Bus signal"
3273
3416
                pass
3274
3417
 
3470
3613
                sys.exit(1)
3471
3614
            # End of Avahi example code
3472
3615
 
3473
 
        GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
 
                          lambda *args, **kwargs:
3475
 
                          (tcp_server.handle_request
3476
 
                           (*args[2:], **kwargs) or True))
 
3616
        GLib.io_add_watch(
 
3617
            GLib.IOChannel.unix_new(tcp_server.fileno()),
 
3618
            GLib.PRIORITY_DEFAULT, GLib.IO_IN,
 
3619
            lambda *args, **kwargs: (tcp_server.handle_request
 
3620
                                     (*args[2:], **kwargs) or True))
3477
3621
 
3478
3622
        logger.debug("Starting main loop")
3479
3623
        main_loop.run()
3489
3633
    # Must run before the D-Bus bus name gets deregistered
3490
3634
    cleanup()
3491
3635
 
 
3636
 
 
3637
def should_only_run_tests():
 
3638
    parser = argparse.ArgumentParser(add_help=False)
 
3639
    parser.add_argument("--check", action='store_true')
 
3640
    args, unknown_args = parser.parse_known_args()
 
3641
    run_tests = args.check
 
3642
    if run_tests:
 
3643
        # Remove --check argument from sys.argv
 
3644
        sys.argv[1:] = unknown_args
 
3645
    return run_tests
 
3646
 
 
3647
# Add all tests from doctest strings
 
3648
def load_tests(loader, tests, none):
 
3649
    import doctest
 
3650
    tests.addTests(doctest.DocTestSuite())
 
3651
    return tests
3492
3652
 
3493
3653
if __name__ == '__main__':
3494
 
    main()
 
3654
    try:
 
3655
        if should_only_run_tests():
 
3656
            # Call using ./mandos --check [--verbose]
 
3657
            unittest.main()
 
3658
        else:
 
3659
            main()
 
3660
    finally:
 
3661
        logging.shutdown()