265
196
.replace(b"\n", b"\\n")
266
197
.replace(b"\0", b"\\x00"))
269
200
def encrypt(self, data, password):
270
201
passphrase = self.password_encode(password)
271
202
with tempfile.NamedTemporaryFile(
272
203
dir=self.tempdir) as passfile:
273
204
passfile.write(passphrase)
275
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
276
207
'--passphrase-file',
278
209
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
283
214
if proc.returncode != 0:
284
215
raise PGPError(err)
285
216
return ciphertext
287
218
def decrypt(self, data, password):
288
219
passphrase = self.password_encode(password)
289
220
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
291
222
passfile.write(passphrase)
293
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
294
225
'--passphrase-file',
296
227
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
301
232
if proc.returncode != 0:
302
233
raise PGPError(err)
303
234
return decrypted_plaintext
306
# Pretend that we have an Avahi module
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
332
237
class AvahiError(Exception):
333
238
def __init__(self, value, *args, **kwargs):
334
239
self.value = value
524
429
class AvahiServiceToSyslog(AvahiService):
525
430
def rename(self, *args, **kwargs):
526
431
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
432
ret = AvahiService.rename(self, *args, **kwargs)
529
433
syslogger.setFormatter(logging.Formatter(
530
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
435
.format(self.name)))
535
# Pretend that we have a GnuTLS module
537
"""This isn't so much a class as it is a module-like namespace."""
539
library = ctypes.util.find_library("gnutls")
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
557
E_NO_CERTIFICATE_FOUND = -49
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
566
class _session_int(ctypes.Structure):
568
session_t = ctypes.POINTER(_session_int)
570
class certificate_credentials_st(ctypes.Structure):
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
576
class datum_t(ctypes.Structure):
577
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
('size', ctypes.c_uint)]
580
class _openpgp_crt_int(ctypes.Structure):
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
596
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
602
class CertificateSecurityError(Error):
606
def __init__(self, cls):
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
615
class CastToVoidPointer:
616
def __init__(self, cls):
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
625
class With_from_param:
627
def from_param(cls, obj):
628
return obj._as_parameter_
631
class Credentials(With_from_param):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
635
self.type = gnutls.CRD_CERTIFICATE
638
gnutls.certificate_free_credentials(self)
640
class ClientSession(With_from_param):
641
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
654
if credentials is None:
655
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
658
self.credentials = credentials
664
return gnutls.handshake(self)
666
def send(self, data):
670
data_len -= gnutls.record_send(self, data[-data_len:],
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
676
# Error handling functions
677
def _error_code(result):
678
"""A function to raise exceptions on errors, suitable
679
for the 'restype' attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
raise gnutls.CertificateSecurityError(code=result)
684
raise gnutls.Error(code=result)
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
688
"""A function to retry on some errors, suitable
689
for the 'errcheck' attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
return _error_code(result)
693
result = func(*arguments)
696
# Unless otherwise indicated, the function declarations below are
697
# all from the gnutls/gnutls.h C header file.
700
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
702
ctypes.POINTER(ctypes.c_char_p)]
703
priority_set_direct.restype = _error_code
705
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
707
init.restype = _error_code
709
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
711
set_default_priority.restype = _error_code
713
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
716
record_send.restype = ctypes.c_ssize_t
717
record_send.errcheck = _retry_on_error
719
certificate_allocate_credentials = (
720
_library.gnutls_certificate_allocate_credentials)
721
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
723
certificate_allocate_credentials.restype = _error_code
725
certificate_free_credentials = (
726
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
728
certificate_free_credentials.restype = None
730
handshake_set_private_extensions = (
731
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
734
handshake_set_private_extensions.restype = None
736
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
739
credentials_set.restype = _error_code
741
strerror = _library.gnutls_strerror
742
strerror.argtypes = [ctypes.c_int]
743
strerror.restype = ctypes.c_char_p
745
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
747
certificate_type_get.restype = _error_code
749
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
751
ctypes.POINTER(ctypes.c_uint)]
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
754
global_set_log_level = _library.gnutls_global_set_log_level
755
global_set_log_level.argtypes = [ctypes.c_int]
756
global_set_log_level.restype = None
758
global_set_log_function = _library.gnutls_global_set_log_function
759
global_set_log_function.argtypes = [log_func]
760
global_set_log_function.restype = None
762
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
764
deinit.restype = None
766
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
769
handshake.errcheck = _retry_on_error
771
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
773
transport_set_ptr.restype = None
775
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
778
bye.errcheck = _retry_on_error
780
check_version = _library.gnutls_check_version
781
check_version.argtypes = [ctypes.c_char_p]
782
check_version.restype = ctypes.c_char_p
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
794
class pubkey_st(ctypes.Structure):
796
pubkey_t = ctypes.POINTER(pubkey_st)
798
x509_crt_fmt_t = ctypes.c_int
800
# All the function declarations below are from
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
809
pubkey_import.restype = _error_code
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
821
# All the function declarations below are from
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
832
openpgp_crt_import.restype = _error_code
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
839
ctypes.POINTER(ctypes.c_uint),
841
openpgp_crt_verify_self.restype = _error_code
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
853
openpgp_crt_get_fingerprint.restype = _error_code
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
860
# Remove non-public functions
861
del _error_code, _retry_on_error
864
438
def call_pipe(connection, # : multiprocessing.Connection
865
439
func, *args, **kwargs):
866
440
"""This function is meant to be called by multiprocessing.Process
868
442
This function runs func(*args, **kwargs), and writes the resulting
869
443
return value on the provided multiprocessing.Connection.
871
445
connection.send(func(*args, **kwargs))
872
446
connection.close()
448
class Client(object):
876
449
"""A representation of a client host served by this server.
879
452
approved: bool(); 'None' if not yet approved/disapproved
880
453
approval_delay: datetime.timedelta(); Time to wait for approval
881
454
approval_duration: datetime.timedelta(); Duration of one approval
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. 'None' if no process is
885
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
886
459
checker_command: string; External command which is run to check
887
460
if client lives. %() expansions are done at
888
461
runtime with vars(self) as dict, so that for
889
462
instance %(name)s can be used in the command.
890
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
891
464
created: datetime.datetime(); (UTC) object creation
892
465
client_structure: Object describing what attributes a client has
893
466
and is used for storing the client at exit
894
467
current_checker_command: string; current running checker_command
895
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
897
470
fingerprint: string (40 or 32 hexadecimal digits); used to
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
471
uniquely identify the client
901
472
host: string; available for use by the checker command
902
473
interval: datetime.timedelta(); How often to start a new checker
903
474
last_approval_request: datetime.datetime(); (UTC) or None
2428
1991
delay -= time2 - time
2431
session.send(client.secret)
2432
except gnutls.Error as error:
2433
logger.warning("gnutls send failed",
1994
while sent_size < len(client.secret):
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2437
2006
logger.info("Sending secret to %s", client.name)
2438
2007
# bump the timeout using extended_timeout
2439
2008
client.bump_timeout(client.extended_timeout)
2440
2009
if self.server.use_dbus:
2441
2010
# Emit D-Bus signal
2442
2011
client.GotSecret()
2445
2014
if approval_required:
2446
2015
client.approvals_pending -= 1
2449
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2450
2019
logger.warning("GnuTLS bye failed",
2451
2020
exc_info=error)
2454
2023
def peer_certificate(session):
2455
"Return the peer's certificate as a bytestring"
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2469
# ...return invalid data
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2471
2031
list_size = ctypes.c_uint(1)
2472
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2034
(session._c_object, ctypes.byref(list_size)))
2474
2035
if not bool(cert_list) and list_size.value != 0:
2475
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2476
2038
if list_size.value == 0:
2478
2040
cert = cert_list[0]
2479
2041
return ctypes.string_at(cert.data, cert.size)
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2517
2044
def fingerprint(openpgp):
2518
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2519
2046
# New GnuTLS "datum" with the OpenPGP public key
2520
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2521
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2522
2049
ctypes.POINTER(ctypes.c_ubyte)),
2523
2050
ctypes.c_uint(len(openpgp)))
2524
2051
# New empty GnuTLS certificate
2525
crt = gnutls.openpgp_crt_t()
2526
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2527
2055
# Import the OpenPGP public key into the certificate
2528
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2529
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2530
2059
# Verify the self signature in the key
2531
2060
crtverify = ctypes.c_uint()
2532
gnutls.openpgp_crt_verify_self(crt, 0,
2533
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2534
2063
if crtverify.value != 0:
2535
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2538
2067
# New buffer for the fingerprint
2539
2068
buf = ctypes.create_string_buffer(20)
2540
2069
buf_len = ctypes.c_size_t()
2541
2070
# Get the fingerprint from the certificate into the buffer
2542
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2543
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2544
2073
# Deinit the certificate
2545
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2546
2075
# Convert the buffer to a Python bytestring
2547
2076
fpr = ctypes.string_at(buf, buf_len.value)
2548
2077
# Convert the bytestring to hexadecimal notation
2637
2165
# socket_wrapper(), if socketfd was set.
2638
2166
socketserver.TCPServer.__init__(self, server_address,
2639
2167
RequestHandlerClass)
2641
2169
def server_bind(self):
2642
2170
"""This overrides the normal server_bind() function
2643
2171
to bind to an interface if one was specified, and also NOT to
2644
2172
bind to an address or port if they were not specified."""
2645
global SO_BINDTODEVICE
2646
2173
if self.interface is not None:
2647
2174
if SO_BINDTODEVICE is None:
2648
# Fall back to a hard-coded value which seems to be
2650
logger.warning("SO_BINDTODEVICE not found, trying 25")
2651
SO_BINDTODEVICE = 25
2653
self.socket.setsockopt(
2654
socket.SOL_SOCKET, SO_BINDTODEVICE,
2655
(self.interface + "\0").encode("utf-8"))
2656
except socket.error as error:
2657
if error.errno == errno.EPERM:
2658
logger.error("No permission to bind to"
2659
" interface %s", self.interface)
2660
elif error.errno == errno.ENOPROTOOPT:
2661
logger.error("SO_BINDTODEVICE not available;"
2662
" cannot bind to interface %s",
2664
elif error.errno == errno.ENODEV:
2665
logger.error("Interface %s does not exist,"
2666
" cannot bind", self.interface)
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2669
2196
# Only bind(2) the socket if we really need to.
2670
2197
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2673
2198
if not self.server_address[0]:
2674
2199
if self.address_family == socket.AF_INET6:
2675
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2677
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2678
2203
self.server_address = (any_address,
2679
2204
self.server_address[1])
2680
2205
elif not self.server_address[1]:
3246
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3247
2751
service = AvahiServiceToSyslog(
3248
name=server_settings["servicename"],
3249
servicetype="_mandos._tcp",
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
3252
2756
if server_settings["interface"]:
3253
2757
service.interface = if_nametoindex(
3254
2758
server_settings["interface"].encode("utf-8"))
3256
2760
global multiprocessing_manager
3257
2761
multiprocessing_manager = multiprocessing.Manager()
3259
2763
client_class = Client
3261
client_class = functools.partial(ClientDBus, bus=bus)
2765
client_class = functools.partial(ClientDBus, bus = bus)
3263
2767
client_settings = Client.config_parser(client_config)
3264
2768
old_client_settings = {}
3265
2769
clients_data = {}
3267
2771
# This is used to redirect stdout and stderr for checker processes
3269
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3270
2774
# Only used if server is running in foreground but not in debug
3272
2776
if debug or not foreground:
3275
2779
# Get client data and settings from last running state.
3276
2780
if server_settings["restore"]:
3278
2782
with open(stored_state_path, "rb") as stored_state:
3279
if sys.version_info.major == 2:
3280
clients_data, old_client_settings = pickle.load(
3283
bytes_clients_data, bytes_old_client_settings = (
3284
pickle.load(stored_state, encoding="bytes"))
3285
# Fix bytes to strings
3288
clients_data = {(key.decode("utf-8")
3289
if isinstance(key, bytes)
3292
bytes_clients_data.items()}
3293
del bytes_clients_data
3294
for key in clients_data:
3295
value = {(k.decode("utf-8")
3296
if isinstance(k, bytes) else k): v
3298
clients_data[key].items()}
3299
clients_data[key] = value
3301
value["client_structure"] = [
3303
if isinstance(s, bytes)
3305
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3308
if isinstance(value[k], bytes):
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
# old_client_settings
3316
old_client_settings = {
3317
(key.decode("utf-8")
3318
if isinstance(key, bytes)
3321
bytes_old_client_settings.items()}
3322
del bytes_old_client_settings
3323
# .host and .checker_command
3324
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
2783
clients_data, old_client_settings = pickle.load(
3329
2785
os.remove(stored_state_path)
3330
2786
except IOError as e:
3331
2787
if e.errno == errno.ENOENT: