423
451
def entry_group_state_changed(self, state, error):
424
452
"""Derived from the Avahi example code"""
425
logger.debug("Avahi entry group state change: %i", state)
453
log.debug("Avahi entry group state change: %i", state)
427
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
logger.debug("Zeroconf service established.")
456
log.debug("Zeroconf service established.")
429
457
elif state == avahi.ENTRY_GROUP_COLLISION:
430
logger.info("Zeroconf service name collision.")
458
log.info("Zeroconf service name collision.")
432
460
elif state == avahi.ENTRY_GROUP_FAILURE:
433
logger.critical("Avahi: Error in group state changed %s",
461
log.critical("Avahi: Error in group state changed %s",
435
463
raise AvahiGroupError("State changed: {!s}".format(error))
437
465
def cleanup(self):
496
523
class AvahiServiceToSyslog(AvahiService):
497
524
def rename(self, *args, **kwargs):
498
525
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
500
528
syslogger.setFormatter(logging.Formatter(
501
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
502
530
.format(self.name)))
506
534
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
536
"""This isn't so much a class as it is a module-like namespace."""
511
538
library = ctypes.util.find_library("gnutls")
512
539
if library is None:
513
540
library = ctypes.util.find_library("gnutls-deb0")
514
541
_library = ctypes.cdll.LoadLibrary(library)
516
_need_version = b"3.3.0"
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
525
544
# Unless otherwise indicated, the constants and types below are
526
545
# all from the gnutls/gnutls.h C header file.
564
589
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
590
def __init__(self, message=None, code=None, args=()):
570
591
# Default usage is by a message string, but if a return
571
592
# code is passed, convert it to a string with
572
593
# gnutls.strerror()
574
595
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
579
601
class CertificateSecurityError(Error):
605
def __init__(self, cls):
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
614
class CastToVoidPointer:
615
def __init__(self, cls):
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
class With_from_param:
626
def from_param(cls, obj):
627
return obj._as_parameter_
583
class Credentials(object):
630
class Credentials(With_from_param):
584
631
def __init__(self):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
588
634
self.type = gnutls.CRD_CERTIFICATE
590
636
def __del__(self):
591
gnutls.certificate_free_credentials(self._c_object)
637
gnutls.certificate_free_credentials(self)
593
class ClientSession(object):
639
class ClientSession(With_from_param):
594
640
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
601
652
self.socket = socket
602
653
if credentials is None:
603
654
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
655
gnutls.credentials_set(self, credentials.type,
607
657
self.credentials = credentials
609
659
def __del__(self):
610
gnutls.deinit(self._c_object)
612
662
def handshake(self):
613
return gnutls.handshake(self._c_object)
663
return gnutls.handshake(self)
615
665
def send(self, data):
616
666
data = bytes(data)
617
667
data_len = len(data)
618
668
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
669
data_len -= gnutls.record_send(self, data[-data_len:],
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
626
675
# Error handling functions
627
676
def _error_code(result):
628
677
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
632
681
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
682
raise gnutls.CertificateSecurityError(code=result)
634
683
raise gnutls.Error(code=result)
636
def _retry_on_error(result, func, arguments):
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
637
687
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
640
690
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
691
return _error_code(result)
642
692
result = func(*arguments)
649
699
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
651
701
ctypes.POINTER(ctypes.c_char_p)]
652
702
priority_set_direct.restype = _error_code
654
704
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
656
706
init.restype = _error_code
658
708
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
709
set_default_priority.argtypes = [ClientSession]
660
710
set_default_priority.restype = _error_code
662
712
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
665
715
record_send.restype = ctypes.c_ssize_t
666
716
record_send.errcheck = _retry_on_error
668
718
certificate_allocate_credentials = (
669
719
_library.gnutls_certificate_allocate_credentials)
670
720
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
721
PointerTo(Credentials)]
672
722
certificate_allocate_credentials.restype = _error_code
674
724
certificate_free_credentials = (
675
725
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
726
certificate_free_credentials.argtypes = [Credentials]
678
727
certificate_free_credentials.restype = None
680
729
handshake_set_private_extensions = (
681
730
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
731
handshake_set_private_extensions.argtypes = [ClientSession,
684
733
handshake_set_private_extensions.restype = None
686
735
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
689
738
credentials_set.restype = _error_code
691
740
strerror = _library.gnutls_strerror
710
759
global_set_log_function.restype = None
712
761
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
762
deinit.argtypes = [ClientSession]
714
763
deinit.restype = None
716
765
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
719
768
handshake.errcheck = _retry_on_error
721
770
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
723
772
transport_set_ptr.restype = None
725
774
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
728
777
bye.errcheck = _retry_on_error
730
779
check_version = _library.gnutls_check_version
731
780
check_version.argtypes = [ctypes.c_char_p]
732
781
check_version.restype = ctypes.c_char_p
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
793
class pubkey_st(ctypes.Structure):
795
pubkey_t = ctypes.POINTER(pubkey_st)
797
x509_crt_fmt_t = ctypes.c_int
799
# All the function declarations below are from
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
pubkey_import.restype = _error_code
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
820
# All the function declarations below are from
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
831
openpgp_crt_import.restype = _error_code
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
838
ctypes.POINTER(ctypes.c_uint),
840
openpgp_crt_verify_self.restype = _error_code
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
852
openpgp_crt_get_fingerprint.restype = _error_code
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
763
859
# Remove non-public functions
764
860
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
769
863
def call_pipe(connection, # : multiprocessing.Connection
975
1073
def __del__(self):
978
def init_checker(self):
979
# Schedule a new checker to be started an 'interval' from now,
980
# and every interval from then on.
1076
def init_checker(self, randomize_start=False):
1077
# Schedule a new checker to be started a randomly selected
1078
# time (a fraction of 'interval') from now. This spreads out
1079
# the startup of checkers over time when the server is
981
1081
if self.checker_initiator_tag is not None:
982
1082
GLib.source_remove(self.checker_initiator_tag)
1083
interval_milliseconds = int(self.interval.total_seconds()
1086
delay_milliseconds = random.randrange(
1087
interval_milliseconds + 1)
1089
delay_milliseconds = interval_milliseconds
983
1090
self.checker_initiator_tag = GLib.timeout_add(
984
int(self.interval.total_seconds() * 1000),
986
# Schedule a disable() when 'timeout' has passed
1091
delay_milliseconds, self.start_checker, randomize_start)
1092
delay = datetime.timedelta(0, 0, 0, delay_milliseconds)
1093
# A checker might take up to an 'interval' of time, so we can
1094
# expire at the soonest one interval after a checker was
1095
# started. Since the initial checker is delayed, the expire
1096
# time might have to be extended.
1097
now = datetime.datetime.utcnow()
1098
self.expires = now + delay + self.interval
1099
# Schedule a disable() at expire time
987
1100
if self.disable_initiator_tag is not None:
988
1101
GLib.source_remove(self.disable_initiator_tag)
989
1102
self.disable_initiator_tag = GLib.timeout_add(
990
int(self.timeout.total_seconds() * 1000), self.disable)
991
# Also start a new checker *right now*.
1103
int((self.expires - now).total_seconds() * 1000),
994
1106
def checker_callback(self, source, condition, connection,
996
1108
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
999
1109
# Read return code from connection (see call_pipe)
1000
1110
returncode = connection.recv()
1001
1111
connection.close()
1112
if self.checker is not None:
1114
self.checker_callback_tag = None
1003
1117
if returncode >= 0:
1004
1118
self.last_checker_status = returncode
1005
1119
self.last_checker_signal = None
1006
1120
if self.last_checker_status == 0:
1007
logger.info("Checker for %(name)s succeeded",
1121
log.info("Checker for %(name)s succeeded", vars(self))
1009
1122
self.checked_ok()
1011
logger.info("Checker for %(name)s failed", vars(self))
1124
log.info("Checker for %(name)s failed", vars(self))
1013
1126
self.last_checker_status = -1
1014
1127
self.last_checker_signal = -returncode
1015
logger.warning("Checker for %(name)s crashed?",
1128
log.warning("Checker for %(name)s crashed?", vars(self))
1019
1131
def checked_ok(self):
1055
1167
if self.checker is not None and not self.checker.is_alive():
1056
logger.warning("Checker was not alive; joining")
1168
log.warning("Checker was not alive; joining")
1057
1169
self.checker.join()
1058
1170
self.checker = None
1059
1171
# Start a new checker if needed
1060
1172
if self.checker is None:
1061
1173
# Escape attributes for the shell
1062
1174
escaped_attrs = {
1063
attr: re.escape(str(getattr(self, attr)))
1175
attr: shlex.quote(str(getattr(self, attr)))
1064
1176
for attr in self.runtime_expansions}
1066
1178
command = self.checker_command % escaped_attrs
1067
1179
except TypeError as error:
1068
logger.error('Could not format string "%s"',
1069
self.checker_command,
1180
log.error('Could not format string "%s"',
1181
self.checker_command, exc_info=error)
1071
1182
return True # Try again later
1072
1183
self.current_checker_command = command
1073
logger.info("Starting checker %r for %s", command,
1184
log.info("Starting checker %r for %s", command, self.name)
1075
1185
# We don't need to redirect stdout and stderr, since
1076
1186
# in normal mode, that is already done by daemon(),
1077
1187
# and in debug mode we don't want to. (Stdin is
1093
1203
kwargs=popen_args)
1094
1204
self.checker.start()
1095
1205
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1206
GLib.IOChannel.unix_new(pipe[0].fileno()),
1207
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1097
1208
self.checker_callback, pipe[0], command)
1209
if start_was_randomized:
1210
# We were started after a random delay; Schedule a new
1211
# checker to be started an 'interval' from now, and every
1212
# interval from then on.
1213
now = datetime.datetime.utcnow()
1214
self.checker_initiator_tag = GLib.timeout_add(
1215
int(self.interval.total_seconds() * 1000),
1217
self.expires = max(self.expires, now + self.interval)
1218
# Don't start a new checker again after same random delay
1098
1220
# Re-run this periodically if run by GLib.timeout_add
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2291
def __init__(self, child_pipe, key_id, fpr, address):
2164
2292
self._pipe = child_pipe
2165
self._pipe.send(('init', fpr, address))
2293
self._pipe.send(("init", key_id, fpr, address))
2166
2294
if not self._pipe.recv():
2295
raise KeyError(key_id or fpr)
2169
2297
def __getattribute__(self, name):
2171
2299
return super(ProxyClient, self).__getattribute__(name)
2172
self._pipe.send(('getattr', name))
2300
self._pipe.send(("getattr", name))
2173
2301
data = self._pipe.recv()
2174
if data[0] == 'data':
2302
if data[0] == "data":
2176
if data[0] == 'function':
2304
if data[0] == "function":
2178
2306
def func(*args, **kwargs):
2179
self._pipe.send(('funcall', name, args, kwargs))
2307
self._pipe.send(("funcall", name, args, kwargs))
2180
2308
return self._pipe.recv()[1]
2184
2312
def __setattr__(self, name, value):
2186
2314
return super(ProxyClient, self).__setattr__(name, value)
2187
self._pipe.send(('setattr', name, value))
2315
self._pipe.send(("setattr", name, value))
2190
2318
class ClientHandler(socketserver.BaseRequestHandler, object):
2196
2324
def handle(self):
2197
2325
with contextlib.closing(self.server.child_pipe) as child_pipe:
2198
logger.info("TCP connection from: %s",
2199
str(self.client_address))
2200
logger.debug("Pipe FD: %d",
2201
self.server.child_pipe.fileno())
2326
log.info("TCP connection from: %s",
2327
str(self.client_address))
2328
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2203
2330
session = gnutls.ClientSession(self.request)
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2332
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2206
2333
# "+AES-256-CBC", "+SHA1",
2207
2334
# "+COMP-NULL", "+CTYPE-OPENPGP",
2210
2337
priority = self.server.gnutls_priority
2211
2338
if priority is None:
2212
2339
priority = "NORMAL"
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
2340
gnutls.priority_set_direct(session,
2341
priority.encode("utf-8"), None)
2217
2343
# Start communication using the Mandos protocol
2218
2344
# Get protocol number
2219
2345
line = self.request.makefile().readline()
2220
logger.debug("Protocol version: %r", line)
2346
log.debug("Protocol version: %r", line)
2222
2348
if int(line.strip().split()[0]) > 1:
2223
2349
raise RuntimeError(line)
2224
2350
except (ValueError, IndexError, RuntimeError) as error:
2225
logger.error("Unknown protocol version: %s", error)
2351
log.error("Unknown protocol version: %s", error)
2228
2354
# Start GnuTLS connection
2230
2356
session.handshake()
2231
2357
except gnutls.Error as error:
2232
logger.warning("Handshake failed: %s", error)
2358
log.warning("Handshake failed: %s", error)
2233
2359
# Do not run session.bye() here: the session is not
2234
2360
# established. Just abandon the request.
2236
logger.debug("Handshake succeeded")
2362
log.debug("Handshake succeeded")
2238
2364
approval_required = False
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2246
logger.debug("Fingerprint: %s", fpr)
2249
client = ProxyClient(child_pipe, fpr,
2366
if gnutls.has_rawpk:
2369
key_id = self.key_id(
2370
self.peer_certificate(session))
2371
except (TypeError, gnutls.Error) as error:
2372
log.warning("Bad certificate: %s", error)
2374
log.debug("Key ID: %s",
2375
key_id.decode("utf-8",
2381
fpr = self.fingerprint(
2382
self.peer_certificate(session))
2383
except (TypeError, gnutls.Error) as error:
2384
log.warning("Bad certificate: %s", error)
2386
log.debug("Fingerprint: %s", fpr)
2389
client = ProxyClient(child_pipe, key_id, fpr,
2250
2390
self.client_address)
2251
2391
except KeyError:
2326
2464
except gnutls.Error as error:
2327
logger.warning("GnuTLS bye failed",
2465
log.warning("GnuTLS bye failed", exc_info=error)
2331
2468
def peer_certificate(session):
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2469
"Return the peer's certificate as a bytestring"
2471
cert_type = gnutls.certificate_type_get2(
2472
session, gnutls.CTYPE_PEERS)
2473
except AttributeError:
2474
cert_type = gnutls.certificate_type_get(session)
2475
if gnutls.has_rawpk:
2476
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2478
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2479
# If not a valid certificate type...
2480
if cert_type not in valid_cert_types:
2481
log.info("Cert type %r not in %r", cert_type,
2336
2483
# ...return invalid data
2338
2485
list_size = ctypes.c_uint(1)
2339
2486
cert_list = (gnutls.certificate_get_peers
2340
(session._c_object, ctypes.byref(list_size)))
2487
(session, ctypes.byref(list_size)))
2341
2488
if not bool(cert_list) and list_size.value != 0:
2342
2489
raise gnutls.Error("error getting peer certificate")
2343
2490
if list_size.value == 0:
2346
2493
return ctypes.string_at(cert.data, cert.size)
2496
def key_id(certificate):
2497
"Convert a certificate bytestring to a hexdigit key ID"
2498
# New GnuTLS "datum" with the public key
2499
datum = gnutls.datum_t(
2500
ctypes.cast(ctypes.c_char_p(certificate),
2501
ctypes.POINTER(ctypes.c_ubyte)),
2502
ctypes.c_uint(len(certificate)))
2503
# XXX all these need to be created in the gnutls "module"
2504
# New empty GnuTLS certificate
2505
pubkey = gnutls.pubkey_t()
2506
gnutls.pubkey_init(ctypes.byref(pubkey))
2507
# Import the raw public key into the certificate
2508
gnutls.pubkey_import(pubkey,
2509
ctypes.byref(datum),
2510
gnutls.X509_FMT_DER)
2511
# New buffer for the key ID
2512
buf = ctypes.create_string_buffer(32)
2513
buf_len = ctypes.c_size_t(len(buf))
2514
# Get the key ID from the raw public key into the buffer
2515
gnutls.pubkey_get_key_id(
2517
gnutls.KEYID_USE_SHA256,
2518
ctypes.cast(ctypes.byref(buf),
2519
ctypes.POINTER(ctypes.c_ubyte)),
2520
ctypes.byref(buf_len))
2521
# Deinit the certificate
2522
gnutls.pubkey_deinit(pubkey)
2524
# Convert the buffer to a Python bytestring
2525
key_id = ctypes.string_at(buf, buf_len.value)
2526
# Convert the bytestring to hexadecimal notation
2527
hex_key_id = binascii.hexlify(key_id).upper()
2349
2531
def fingerprint(openpgp):
2350
2532
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2533
# New GnuTLS "datum" with the OpenPGP public key
2486
2669
(self.interface + "\0").encode("utf-8"))
2487
2670
except socket.error as error:
2488
2671
if error.errno == errno.EPERM:
2489
logger.error("No permission to bind to"
2490
" interface %s", self.interface)
2672
log.error("No permission to bind to interface %s",
2491
2674
elif error.errno == errno.ENOPROTOOPT:
2492
logger.error("SO_BINDTODEVICE not available;"
2493
" cannot bind to interface %s",
2675
log.error("SO_BINDTODEVICE not available; cannot"
2676
" bind to interface %s", self.interface)
2495
2677
elif error.errno == errno.ENODEV:
2496
logger.error("Interface %s does not exist,"
2497
" cannot bind", self.interface)
2678
log.error("Interface %s does not exist, cannot"
2679
" bind", self.interface)
2500
2682
# Only bind(2) the socket if we really need to.
2501
2683
if self.server_address[0] or self.server_address[1]:
2684
if self.server_address[1]:
2685
self.allow_reuse_address = True
2502
2686
if not self.server_address[0]:
2503
2687
if self.address_family == socket.AF_INET6:
2504
2688
any_address = "::" # in6addr_any
2577
2761
request = parent_pipe.recv()
2578
2762
command = request[0]
2580
if command == 'init':
2581
fpr = request[1].decode("ascii")
2582
address = request[2]
2764
if command == "init":
2765
key_id = request[1].decode("ascii")
2766
fpr = request[2].decode("ascii")
2767
address = request[3]
2584
2769
for c in self.clients.values():
2585
if c.fingerprint == fpr:
2770
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2771
"27AE41E4649B934CA495991B7852B855"):
2773
if key_id and c.key_id == key_id:
2776
if fpr and c.fingerprint == fpr:
2589
logger.info("Client not found for fingerprint: %s, ad"
2590
"dress: %s", fpr, address)
2780
log.info("Client not found for key ID: %s, address:"
2781
" %s", key_id or fpr, address)
2591
2782
if self.use_dbus:
2592
2783
# Emit D-Bus signal
2593
mandos_dbus_service.ClientNotFound(fpr,
2784
mandos_dbus_service.ClientNotFound(key_id or fpr,
2595
2786
parent_pipe.send(False)
2598
2789
GLib.io_add_watch(
2599
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2790
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2791
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2601
2792
functools.partial(self.handle_ipc,
2602
2793
parent_pipe=parent_pipe,
2635
2826
def rfc3339_duration_to_delta(duration):
2636
2827
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2638
>>> rfc3339_duration_to_delta("P7D")
2639
datetime.timedelta(7)
2640
>>> rfc3339_duration_to_delta("PT60S")
2641
datetime.timedelta(0, 60)
2642
>>> rfc3339_duration_to_delta("PT60M")
2643
datetime.timedelta(0, 3600)
2644
>>> rfc3339_duration_to_delta("PT24H")
2645
datetime.timedelta(1)
2646
>>> rfc3339_duration_to_delta("P1W")
2647
datetime.timedelta(7)
2648
>>> rfc3339_duration_to_delta("PT5M30S")
2649
datetime.timedelta(0, 330)
2650
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
datetime.timedelta(1, 200)
2829
>>> timedelta = datetime.timedelta
2830
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2832
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2834
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2836
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2838
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2840
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2842
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2654
2847
# Parsing an RFC 3339 duration with regular expressions is not
2734
2927
def string_to_delta(interval):
2735
2928
"""Parse a string and return a datetime.timedelta
2737
>>> string_to_delta('7d')
2738
datetime.timedelta(7)
2739
>>> string_to_delta('60s')
2740
datetime.timedelta(0, 60)
2741
>>> string_to_delta('60m')
2742
datetime.timedelta(0, 3600)
2743
>>> string_to_delta('24h')
2744
datetime.timedelta(1)
2745
>>> string_to_delta('1w')
2746
datetime.timedelta(7)
2747
>>> string_to_delta('5m 30s')
2748
datetime.timedelta(0, 330)
2930
>>> string_to_delta("7d") == datetime.timedelta(7)
2932
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2934
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2936
>>> string_to_delta("24h") == datetime.timedelta(1)
2938
>>> string_to_delta("1w") == datetime.timedelta(7)
2940
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
3134
3330
for key, value in
3135
3331
bytes_old_client_settings.items()}
3136
3332
del bytes_old_client_settings
3333
# .host and .checker_command
3138
3334
for value in old_client_settings.values():
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3335
for attribute in ("host", "checker_command"):
3336
if isinstance(value[attribute], bytes):
3337
value[attribute] = (value[attribute]
3142
3339
os.remove(stored_state_path)
3143
3340
except IOError as e:
3144
3341
if e.errno == errno.ENOENT:
3145
logger.warning("Could not load persistent state:"
3146
" {}".format(os.strerror(e.errno)))
3342
log.warning("Could not load persistent state:"
3343
" %s", os.strerror(e.errno))
3148
logger.critical("Could not load persistent state:",
3345
log.critical("Could not load persistent state:",
3151
3348
except EOFError as e:
3152
logger.warning("Could not load persistent state: "
3349
log.warning("Could not load persistent state: EOFError:",
3156
3352
with PGPEngine() as pgp:
3157
3353
for client_name, client in clients_data.items():
3184
3380
if client["enabled"]:
3185
3381
if datetime.datetime.utcnow() >= client["expires"]:
3186
3382
if not client["last_checked_ok"]:
3188
"disabling client {} - Client never "
3189
"performed a successful checker".format(
3383
log.warning("disabling client %s - Client"
3384
" never performed a successful"
3385
" checker", client_name)
3191
3386
client["enabled"] = False
3192
3387
elif client["last_checker_status"] != 0:
3194
"disabling client {} - Client last"
3195
" checker failed with error code"
3198
client["last_checker_status"]))
3388
log.warning("disabling client %s - Client"
3389
" last checker failed with error"
3390
" code %s", client_name,
3391
client["last_checker_status"])
3199
3392
client["enabled"] = False
3201
3394
client["expires"] = (
3202
3395
datetime.datetime.utcnow()
3203
3396
+ client["timeout"])
3204
logger.debug("Last checker succeeded,"
3205
" keeping {} enabled".format(
3397
log.debug("Last checker succeeded, keeping %s"
3398
" enabled", client_name)
3208
3400
client["secret"] = pgp.decrypt(
3209
3401
client["encrypted_secret"],
3210
3402
client_settings[client_name]["secret"])
3211
3403
except PGPError:
3212
3404
# If decryption fails, we use secret from new settings
3213
logger.debug("Failed to decrypt {} old secret".format(
3405
log.debug("Failed to decrypt %s old secret",
3215
3407
client["secret"] = (client_settings[client_name]
3465
3656
service.activate()
3466
3657
except dbus.exceptions.DBusException as error:
3467
logger.critical("D-Bus Exception", exc_info=error)
3658
log.critical("D-Bus Exception", exc_info=error)
3470
3661
# End of Avahi example code
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3664
GLib.IOChannel.unix_new(tcp_server.fileno()),
3665
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3666
lambda *args, **kwargs: (tcp_server.handle_request
3667
(*args[2:], **kwargs) or True))
3477
logger.debug("Starting main loop")
3669
log.debug("Starting main loop")
3478
3670
main_loop.run()
3479
3671
except AvahiError as error:
3480
logger.critical("Avahi Error", exc_info=error)
3672
log.critical("Avahi Error", exc_info=error)
3483
3675
except KeyboardInterrupt:
3485
3677
print("", file=sys.stderr)
3486
logger.debug("Server received KeyboardInterrupt")
3487
logger.debug("Server exiting")
3678
log.debug("Server received KeyboardInterrupt")
3679
log.debug("Server exiting")
3488
3680
# Must run before the D-Bus bus name gets deregistered
3492
if __name__ == '__main__':
3684
def parse_test_args():
3685
# type: () -> argparse.Namespace
3686
parser = argparse.ArgumentParser(add_help=False)
3687
parser.add_argument("--check", action="store_true")
3688
parser.add_argument("--prefix", )
3689
args, unknown_args = parser.parse_known_args()
3691
# Remove test options from sys.argv
3692
sys.argv[1:] = unknown_args
3695
# Add all tests from doctest strings
3696
def load_tests(loader, tests, none):
3698
tests.addTests(doctest.DocTestSuite())
3701
if __name__ == "__main__":
3702
options = parse_test_args()
3705
extra_test_prefix = options.prefix
3706
if extra_test_prefix is not None:
3707
if not (unittest.main(argv=[""], exit=False)
3708
.result.wasSuccessful()):
3710
class ExtraTestLoader(unittest.TestLoader):
3711
testMethodPrefix = extra_test_prefix
3712
# Call using ./scriptname --test [--verbose]
3713
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3715
unittest.main(argv=[""])
3723
# (lambda (&optional extra)
3724
# (if (not (funcall run-tests-in-test-buffer default-directory
3726
# (funcall show-test-buffer-in-test-window)
3727
# (funcall remove-test-window)
3728
# (if extra (message "Extra tests run successfully!"))))
3729
# run-tests-in-test-buffer:
3730
# (lambda (dir &optional extra)
3731
# (with-current-buffer (get-buffer-create "*Test*")
3732
# (setq buffer-read-only nil
3733
# default-directory dir)
3735
# (compilation-mode))
3736
# (let ((process-result
3737
# (let ((inhibit-read-only t))
3738
# (process-file-shell-command
3739
# (funcall get-command-line extra) nil "*Test*"))))
3740
# (and (numberp process-result)
3741
# (= process-result 0))))
3743
# (lambda (&optional extra)
3744
# (let ((quoted-script
3745
# (shell-quote-argument (funcall get-script-name))))
3747
# (concat "%s --check" (if extra " --prefix=atest" ""))
3751
# (if (fboundp 'file-local-name)
3752
# (file-local-name (buffer-file-name))
3753
# (or (file-remote-p (buffer-file-name) 'localname)
3754
# (buffer-file-name))))
3755
# remove-test-window:
3757
# (let ((test-window (get-buffer-window "*Test*")))
3758
# (if test-window (delete-window test-window))))
3759
# show-test-buffer-in-test-window:
3761
# (when (not (get-buffer-window-list "*Test*"))
3762
# (setq next-error-last-buffer (get-buffer "*Test*"))
3763
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3764
# (display-buffer-overriding-action
3765
# `((display-buffer-in-side-window) (side . ,side)
3766
# (window-height . fit-window-to-buffer)
3767
# (window-width . fit-window-to-buffer))))
3768
# (display-buffer "*Test*"))))
3771
# (let* ((run-extra-tests (lambda () (interactive)
3772
# (funcall run-tests t)))
3773
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3774
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3775
# (setq minor-mode-overriding-map-alist
3776
# (cons `(run-tests . ,outer-keymap)
3777
# minor-mode-overriding-map-alist)))
3778
# (add-hook 'after-save-hook run-tests 90 t))