To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 356
- compare with another revision
- download diff
- download tarball
- view history from revision 356
- Committer: Teddy Hogeborn
- Date: 2017-01-25 19:24:00 UTC
- mfrom: (237.7.439 trunk)
- Revision ID: teddy@recompile.se-20170125192400-qska3g89wkwg0ccu
Merge from trunk
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
31
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
32
#
77
76
import itertools
78
77
import collections
79
78
import codecs
80
import unittest
81
import random
82
import shlex
83
79
84
80
import dbus
85
81
import dbus.service
86
import gi
87
82
from gi.repository import GLib
88
83
from dbus.mainloop.glib import DBusGMainLoop
89
84
import ctypes
91
86
import xml.dom.minidom
92
87
import inspect
93
88
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
89
# Try to find the value of SO_BINDTODEVICE:
119
90
try:
120
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
140
111
# No value found
141
112
SO_BINDTODEVICE = None
142
113
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
114
if sys.version_info.major == 2:
115
str = unicode
145
116
146
version = "1.8.14"
117
version = "1.7.13"
147
118
stored_state_file = "clients.pickle"
148
119
149
120
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
121
syslogger = None
152
122
153
123
try:
189
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
160
address="/dev/log"))
191
161
syslogger.setFormatter(logging.Formatter
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
162
('Mandos [%(process)d]: %(levelname)s:'
163
' %(message)s'))
194
164
logger.addHandler(syslogger)
195
165
196
166
if debug:
197
167
console = logging.StreamHandler()
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
169
' [%(process)d]:'
170
' %(levelname)s:'
171
' %(message)s'))
202
172
logger.addHandler(console)
203
173
logger.setLevel(level)
204
174
208
178
pass
209
179
210
180
211
class PGPEngine:
181
class PGPEngine(object):
212
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
183
214
184
def __init__(self):
218
188
output = subprocess.check_output(["gpgconf"])
219
189
for line in output.splitlines():
220
190
name, text, path = line.split(b":")
221
if name == b"gpg":
191
if name == "gpg":
222
192
self.gpg = path
223
193
break
224
194
except OSError as e:
225
195
if e.errno != errno.ENOENT:
226
196
raise
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
197
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
199
'--force-mdc',
200
'--quiet']
231
201
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
233
203
self.gnupgargs.append("--no-use-agent")
234
204
235
205
def __enter__(self):
272
242
dir=self.tempdir) as passfile:
273
243
passfile.write(passphrase)
274
244
passfile.flush()
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
245
proc = subprocess.Popen([self.gpg, '--symmetric',
246
'--passphrase-file',
277
247
passfile.name]
278
248
+ self.gnupgargs,
279
249
stdin=subprocess.PIPE,
290
260
dir=self.tempdir) as passfile:
291
261
passfile.write(passphrase)
292
262
passfile.flush()
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
263
proc = subprocess.Popen([self.gpg, '--decrypt',
264
'--passphrase-file',
295
265
passfile.name]
296
266
+ self.gnupgargs,
297
267
stdin=subprocess.PIPE,
304
274
305
275
306
276
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
309
280
IF_UNSPEC = -1 # avahi-common/address.h
310
281
PROTO_UNSPEC = -1 # avahi-common/address.h
311
282
PROTO_INET = 0 # avahi-common/address.h
315
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
287
DBUS_PATH_SERVER = "/"
317
288
318
@staticmethod
319
def string_array_to_txt_array(t):
289
def string_array_to_txt_array(self, t):
320
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
291
for s in t), signature="ay")
322
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
327
297
SERVER_RUNNING = 2 # avahi-common/defs.h
328
298
SERVER_COLLISION = 3 # avahi-common/defs.h
329
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
330
301
331
302
332
303
class AvahiError(Exception):
344
315
pass
345
316
346
317
347
class AvahiService:
318
class AvahiService(object):
348
319
"""An Avahi (Zeroconf) service.
349
320
350
321
Attributes:
351
322
interface: integer; avahi.IF_UNSPEC or an interface index.
352
323
Used to optionally bind to the specified interface.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
324
name: string; Example: 'Mandos'
325
type: string; Example: '_mandos._tcp'.
355
326
See <https://www.iana.org/assignments/service-names-port-numbers>
356
327
port: integer; what port to announce
357
328
TXT: list of strings; TXT record for the service
435
406
avahi.DBUS_INTERFACE_ENTRY_GROUP)
436
407
self.entry_group_state_changed_match = (
437
408
self.group.connect_to_signal(
438
"StateChanged", self.entry_group_state_changed))
409
'StateChanged', self.entry_group_state_changed))
439
410
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
440
411
self.name, self.type)
441
412
self.group.AddService(
524
495
class AvahiServiceToSyslog(AvahiService):
525
496
def rename(self, *args, **kwargs):
526
497
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
498
ret = AvahiService.rename(self, *args, **kwargs)
529
499
syslogger.setFormatter(logging.Formatter(
530
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
501
.format(self.name)))
532
502
return ret
533
503
534
504
535
505
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
538
509
539
510
library = ctypes.util.find_library("gnutls")
540
511
if library is None:
541
512
library = ctypes.util.find_library("gnutls-deb0")
542
513
_library = ctypes.cdll.LoadLibrary(library)
543
514
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
544
523
545
524
# Unless otherwise indicated, the constants and types below are
546
525
# all from the gnutls/gnutls.h C header file.
550
529
E_INTERRUPTED = -52
551
530
E_AGAIN = -28
552
531
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
532
CLIENT = 2
555
533
SHUT_RDWR = 0
556
534
CRD_CERTIFICATE = 1
557
535
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
536
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
537
565
538
# Types
566
class _session_int(ctypes.Structure):
539
class session_int(ctypes.Structure):
567
540
_fields_ = []
568
session_t = ctypes.POINTER(_session_int)
541
session_t = ctypes.POINTER(session_int)
569
542
570
543
class certificate_credentials_st(ctypes.Structure):
571
544
_fields_ = []
574
547
certificate_type_t = ctypes.c_int
575
548
576
549
class datum_t(ctypes.Structure):
577
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
578
("size", ctypes.c_uint)]
550
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
551
('size', ctypes.c_uint)]
579
552
580
class _openpgp_crt_int(ctypes.Structure):
553
class openpgp_crt_int(ctypes.Structure):
581
554
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
555
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
583
556
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
557
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
558
credentials_type_t = ctypes.c_int
588
561
589
562
# Exceptions
590
563
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
591
568
def __init__(self, message=None, code=None, args=()):
592
569
# Default usage is by a message string, but if a return
593
570
# code is passed, convert it to a string with
594
571
# gnutls.strerror()
595
572
self.code = code
596
573
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
600
576
message, *args)
601
577
602
578
class CertificateSecurityError(Error):
603
579
pass
604
580
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
630
581
# Classes
631
class Credentials(With_from_param):
582
class Credentials(object):
632
583
def __init__(self):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
635
587
self.type = gnutls.CRD_CERTIFICATE
636
588
637
589
def __del__(self):
638
gnutls.certificate_free_credentials(self)
590
gnutls.certificate_free_credentials(self._c_object)
639
591
640
class ClientSession(With_from_param):
592
class ClientSession(object):
641
593
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
594
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
596
gnutls.set_default_priority(self._c_object)
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
gnutls.handshake_set_private_extensions(self._c_object,
599
True)
653
600
self.socket = socket
654
601
if credentials is None:
655
602
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
603
gnutls.credentials_set(self._c_object, credentials.type,
604
ctypes.cast(credentials._c_object,
605
ctypes.c_void_p))
658
606
self.credentials = credentials
659
607
660
608
def __del__(self):
661
gnutls.deinit(self)
609
gnutls.deinit(self._c_object)
662
610
663
611
def handshake(self):
664
return gnutls.handshake(self)
612
return gnutls.handshake(self._c_object)
665
613
666
614
def send(self, data):
667
615
data = bytes(data)
668
616
data_len = len(data)
669
617
while data_len > 0:
670
data_len -= gnutls.record_send(self, data[-data_len:],
618
data_len -= gnutls.record_send(self._c_object,
619
data[-data_len:],
671
620
data_len)
672
621
673
622
def bye(self):
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
623
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
675
624
676
625
# Error handling functions
677
626
def _error_code(result):
678
627
"""A function to raise exceptions on errors, suitable
679
for the "restype" attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
628
for the 'restype' attribute on ctypes functions"""
629
if result >= 0:
681
630
return result
682
631
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
632
raise gnutls.CertificateSecurityError(code=result)
684
633
raise gnutls.Error(code=result)
685
634
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
635
def _retry_on_error(result, func, arguments):
688
636
"""A function to retry on some errors, suitable
689
for the "errcheck" attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
637
for the 'errcheck' attribute on ctypes functions"""
638
while result < 0:
691
639
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
640
return _error_code(result)
693
641
result = func(*arguments)
698
646
699
647
# Functions
700
648
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
649
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
702
650
ctypes.POINTER(ctypes.c_char_p)]
703
651
priority_set_direct.restype = _error_code
704
652
705
653
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
654
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
707
655
init.restype = _error_code
708
656
709
657
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
658
set_default_priority.argtypes = [session_t]
711
659
set_default_priority.restype = _error_code
712
660
713
661
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
662
record_send.argtypes = [session_t, ctypes.c_void_p,
715
663
ctypes.c_size_t]
716
664
record_send.restype = ctypes.c_ssize_t
717
665
record_send.errcheck = _retry_on_error
719
667
certificate_allocate_credentials = (
720
668
_library.gnutls_certificate_allocate_credentials)
721
669
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
670
ctypes.POINTER(certificate_credentials_t)]
723
671
certificate_allocate_credentials.restype = _error_code
724
672
725
673
certificate_free_credentials = (
726
674
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
728
677
certificate_free_credentials.restype = None
729
678
730
679
handshake_set_private_extensions = (
731
680
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
681
handshake_set_private_extensions.argtypes = [session_t,
733
682
ctypes.c_int]
734
683
handshake_set_private_extensions.restype = None
735
684
736
685
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
686
credentials_set.argtypes = [session_t, credentials_type_t,
687
ctypes.c_void_p]
739
688
credentials_set.restype = _error_code
740
689
741
690
strerror = _library.gnutls_strerror
743
692
strerror.restype = ctypes.c_char_p
744
693
745
694
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
695
certificate_type_get.argtypes = [session_t]
747
696
certificate_type_get.restype = _error_code
748
697
749
698
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
699
certificate_get_peers.argtypes = [session_t,
751
700
ctypes.POINTER(ctypes.c_uint)]
752
701
certificate_get_peers.restype = ctypes.POINTER(datum_t)
753
702
760
709
global_set_log_function.restype = None
761
710
762
711
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
712
deinit.argtypes = [session_t]
764
713
deinit.restype = None
765
714
766
715
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
716
handshake.argtypes = [session_t]
717
handshake.restype = _error_code
769
718
handshake.errcheck = _retry_on_error
770
719
771
720
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
721
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
773
722
transport_set_ptr.restype = None
774
723
775
724
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
725
bye.argtypes = [session_t, close_request_t]
726
bye.restype = _error_code
778
727
bye.errcheck = _retry_on_error
779
728
780
729
check_version = _library.gnutls_check_version
781
730
check_version.argtypes = [ctypes.c_char_p]
782
731
check_version.restype = ctypes.c_char_p
783
732
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
859
761
860
762
# Remove non-public functions
861
763
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
862
766
863
767
864
768
def call_pipe(connection, # : multiprocessing.Connection
872
776
connection.close()
873
777
874
778
875
class Client:
779
class Client(object):
876
780
"""A representation of a client host served by this server.
877
781
878
782
Attributes:
879
approved: bool(); None if not yet approved/disapproved
783
approved: bool(); 'None' if not yet approved/disapproved
880
784
approval_delay: datetime.timedelta(); Time to wait for approval
881
785
approval_duration: datetime.timedelta(); Duration of one approval
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. None if no process is
884
running.
786
checker: subprocess.Popen(); a running checker process used
787
to see if the client lives.
788
'None' if no process is running.
885
789
checker_callback_tag: a GLib event source tag, or None
886
790
checker_command: string; External command which is run to check
887
791
if client lives. %() expansions are done at
895
799
disable_initiator_tag: a GLib event source tag, or None
896
800
enabled: bool()
897
801
fingerprint: string (40 or 32 hexadecimal digits); used to
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
802
uniquely identify the client
901
803
host: string; available for use by the checker command
902
804
interval: datetime.timedelta(); How often to start a new checker
903
805
last_approval_request: datetime.datetime(); (UTC) or None
921
823
"""
922
824
923
825
runtime_expansions = ("approval_delay", "approval_duration",
924
"created", "enabled", "expires", "key_id",
826
"created", "enabled", "expires",
925
827
"fingerprint", "host", "interval",
926
828
"last_approval_request", "last_checked_ok",
927
829
"last_enabled", "name", "timeout")
957
859
client["enabled"] = config.getboolean(client_name,
958
860
"enabled")
959
861
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
862
# Uppercase and remove spaces from fingerprint for later
863
# comparison purposes with return value from the
864
# fingerprint() function
965
865
client["fingerprint"] = (section["fingerprint"].upper()
966
866
.replace(" ", ""))
967
867
if "secret" in section:
1011
911
self.expires = None
1012
912
1013
913
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
1015
914
logger.debug(" Fingerprint: %s", self.fingerprint)
1016
915
self.created = settings.get("created",
1017
916
datetime.datetime.utcnow())
1081
980
if self.checker_initiator_tag is not None:
1082
981
GLib.source_remove(self.checker_initiator_tag)
1083
982
self.checker_initiator_tag = GLib.timeout_add(
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
983
int(self.interval.total_seconds() * 1000),
1086
984
self.start_checker)
1087
985
# Schedule a disable() when 'timeout' has passed
1088
986
if self.disable_initiator_tag is not None:
1095
993
def checker_callback(self, source, condition, connection,
1096
994
command):
1097
995
"""The checker has completed, so take appropriate actions."""
996
self.checker_callback_tag = None
997
self.checker = None
1098
998
# Read return code from connection (see call_pipe)
1099
999
returncode = connection.recv()
1100
1000
connection.close()
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1105
1001
1106
1002
if returncode >= 0:
1107
1003
self.last_checker_status = returncode
1163
1059
if self.checker is None:
1164
1060
# Escape attributes for the shell
1165
1061
escaped_attrs = {
1166
attr: shlex.quote(str(getattr(self, attr)))
1062
attr: re.escape(str(getattr(self, attr)))
1167
1063
for attr in self.runtime_expansions}
1168
1064
try:
1169
1065
command = self.checker_command % escaped_attrs
1196
1092
kwargs=popen_args)
1197
1093
self.checker.start()
1198
1094
self.checker_callback_tag = GLib.io_add_watch(
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1095
pipe[0].fileno(), GLib.IO_IN,
1201
1096
self.checker_callback, pipe[0], command)
1202
1097
# Re-run this periodically if run by GLib.timeout_add
1203
1098
return True
1242
1137
func._dbus_name = func.__name__
1243
1138
if func._dbus_name.endswith("_dbus_property"):
1244
1139
func._dbus_name = func._dbus_name[:-14]
1245
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1246
1141
return func
1247
1142
1248
1143
return decorator
1337
1232
1338
1233
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1339
1234
out_signature="s",
1340
path_keyword="object_path",
1341
connection_keyword="connection")
1235
path_keyword='object_path',
1236
connection_keyword='connection')
1342
1237
def Introspect(self, object_path, connection):
1343
1238
"""Overloading of standard D-Bus method.
1344
1239
1458
1353
raise ValueError("Byte arrays not supported for non-"
1459
1354
"'ay' signature {!r}"
1460
1355
.format(prop._dbus_signature))
1461
value = dbus.ByteArray(bytes(value))
1356
value = dbus.ByteArray(b''.join(chr(byte)
1357
for byte in value))
1462
1358
prop(value)
1463
1359
1464
1360
@dbus.service.method(dbus.PROPERTIES_IFACE,
1497
1393
1498
1394
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1499
1395
out_signature="s",
1500
path_keyword="object_path",
1501
connection_keyword="connection")
1396
path_keyword='object_path',
1397
connection_keyword='connection')
1502
1398
def Introspect(self, object_path, connection):
1503
1399
"""Overloading of standard D-Bus method.
1504
1400
1599
1495
1600
1496
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1601
1497
out_signature="s",
1602
path_keyword="object_path",
1603
connection_keyword="connection")
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1604
1500
def Introspect(self, object_path, connection):
1605
1501
"""Overloading of standard D-Bus method.
1606
1502
2102
1998
def Name_dbus_property(self):
2103
1999
return dbus.String(self.name)
2104
2000
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
2112
2001
# Fingerprint - property
2113
2002
@dbus_annotations(
2114
2003
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2269
2158
del _interface
2270
2159
2271
2160
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2274
2163
self._pipe = child_pipe
2275
self._pipe.send(("init", key_id, fpr, address))
2164
self._pipe.send(('init', fpr, address))
2276
2165
if not self._pipe.recv():
2277
raise KeyError(key_id or fpr)
2166
raise KeyError(fpr)
2278
2167
2279
2168
def __getattribute__(self, name):
2280
if name == "_pipe":
2169
if name == '_pipe':
2281
2170
return super(ProxyClient, self).__getattribute__(name)
2282
self._pipe.send(("getattr", name))
2171
self._pipe.send(('getattr', name))
2283
2172
data = self._pipe.recv()
2284
if data[0] == "data":
2173
if data[0] == 'data':
2285
2174
return data[1]
2286
if data[0] == "function":
2175
if data[0] == 'function':
2287
2176
2288
2177
def func(*args, **kwargs):
2289
self._pipe.send(("funcall", name, args, kwargs))
2178
self._pipe.send(('funcall', name, args, kwargs))
2290
2179
return self._pipe.recv()[1]
2291
2180
2292
2181
return func
2293
2182
2294
2183
def __setattr__(self, name, value):
2295
if name == "_pipe":
2184
if name == '_pipe':
2296
2185
return super(ProxyClient, self).__setattr__(name, value)
2297
self._pipe.send(("setattr", name, value))
2186
self._pipe.send(('setattr', name, value))
2298
2187
2299
2188
2300
2189
class ClientHandler(socketserver.BaseRequestHandler, object):
2312
2201
2313
2202
session = gnutls.ClientSession(self.request)
2314
2203
2315
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2316
2205
# "+AES-256-CBC", "+SHA1",
2317
2206
# "+COMP-NULL", "+CTYPE-OPENPGP",
2318
2207
# "+DHE-DSS"))
2320
2209
priority = self.server.gnutls_priority
2321
2210
if priority is None:
2322
2211
priority = "NORMAL"
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2214
None)
2325
2215
2326
2216
# Start communication using the Mandos protocol
2327
2217
# Get protocol number
2346
2236
2347
2237
approval_required = False
2348
2238
try:
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2373
2249
self.client_address)
2374
2250
except KeyError:
2375
2251
return
2452
2328
2453
2329
@staticmethod
2454
2330
def peer_certificate(session):
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2469
2335
# ...return invalid data
2470
2336
return b""
2471
2337
list_size = ctypes.c_uint(1)
2472
2338
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2339
(session._c_object, ctypes.byref(list_size)))
2474
2340
if not bool(cert_list) and list_size.value != 0:
2475
2341
raise gnutls.Error("error getting peer certificate")
2476
2342
if list_size.value == 0:
2479
2345
return ctypes.string_at(cert.data, cert.size)
2480
2346
2481
2347
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2516
@staticmethod
2517
2348
def fingerprint(openpgp):
2518
2349
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2519
2350
# New GnuTLS "datum" with the OpenPGP public key
2533
2364
ctypes.byref(crtverify))
2534
2365
if crtverify.value != 0:
2535
2366
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2538
2368
# New buffer for the fingerprint
2539
2369
buf = ctypes.create_string_buffer(20)
2540
2370
buf_len = ctypes.c_size_t()
2550
2380
return hex_fpr
2551
2381
2552
2382
2553
class MultiprocessingMixIn:
2383
class MultiprocessingMixIn(object):
2554
2384
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2555
2385
2556
2386
def sub_process_main(self, request, address):
2568
2398
return proc
2569
2399
2570
2400
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2572
2402
""" adds a pipe to the MixIn """
2573
2403
2574
2404
def process_request(self, request, client_address):
2589
2419
2590
2420
2591
2421
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2592
socketserver.TCPServer):
2593
"""IPv6-capable TCP server. Accepts None as address and/or port
2422
socketserver.TCPServer, object):
2423
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2594
2424
2595
2425
Attributes:
2596
2426
enabled: Boolean; whether this server is activated yet
2668
2498
raise
2669
2499
# Only bind(2) the socket if we really need to.
2670
2500
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2673
2501
if not self.server_address[0]:
2674
2502
if self.address_family == socket.AF_INET6:
2675
2503
any_address = "::" # in6addr_any
2728
2556
def add_pipe(self, parent_pipe, proc):
2729
2557
# Call "handle_ipc" for both data and EOF events
2730
2558
GLib.io_add_watch(
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2559
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2733
2561
functools.partial(self.handle_ipc,
2734
2562
parent_pipe=parent_pipe,
2735
2563
proc=proc))
2748
2576
request = parent_pipe.recv()
2749
2577
command = request[0]
2750
2578
2751
if command == "init":
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2579
if command == 'init':
2580
fpr = request[1]
2581
address = request[2]
2755
2582
2756
2583
for c in self.clients.values():
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2584
if c.fingerprint == fpr:
2764
2585
client = c
2765
2586
break
2766
2587
else:
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2769
2590
if self.use_dbus:
2770
2591
# Emit D-Bus signal
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2592
mandos_dbus_service.ClientNotFound(fpr,
2772
2593
address[0])
2773
2594
parent_pipe.send(False)
2774
2595
return False
2775
2596
2776
2597
GLib.io_add_watch(
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2779
2600
functools.partial(self.handle_ipc,
2780
2601
parent_pipe=parent_pipe,
2781
2602
proc=proc,
2784
2605
# remove the old hook in favor of the new above hook on
2785
2606
# same fileno
2786
2607
return False
2787
if command == "funcall":
2608
if command == 'funcall':
2788
2609
funcname = request[1]
2789
2610
args = request[2]
2790
2611
kwargs = request[3]
2791
2612
2792
parent_pipe.send(("data", getattr(client_object,
2613
parent_pipe.send(('data', getattr(client_object,
2793
2614
funcname)(*args,
2794
2615
**kwargs)))
2795
2616
2796
if command == "getattr":
2617
if command == 'getattr':
2797
2618
attrname = request[1]
2798
2619
if isinstance(client_object.__getattribute__(attrname),
2799
collections.abc.Callable):
2800
parent_pipe.send(("function", ))
2620
collections.Callable):
2621
parent_pipe.send(('function', ))
2801
2622
else:
2802
2623
parent_pipe.send((
2803
"data", client_object.__getattribute__(attrname)))
2624
'data', client_object.__getattribute__(attrname)))
2804
2625
2805
if command == "setattr":
2626
if command == 'setattr':
2806
2627
attrname = request[1]
2807
2628
value = request[2]
2808
2629
setattr(client_object, attrname, value)
2813
2634
def rfc3339_duration_to_delta(duration):
2814
2635
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2815
2636
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2832
2651
"""
2833
2652
2834
2653
# Parsing an RFC 3339 duration with regular expressions is not
2914
2733
def string_to_delta(interval):
2915
2734
"""Parse a string and return a datetime.timedelta
2916
2735
2917
>>> string_to_delta("7d") == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta("24h") == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta("1w") == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2928
True
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
2929
2748
"""
2930
2749
2931
2750
try:
3033
2852
3034
2853
options = parser.parse_args()
3035
2854
2855
if options.check:
2856
import doctest
2857
fail_count, test_count = doctest.testmod()
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
3036
2860
# Default values for config file for server-global settings
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
3043
2861
server_defaults = {"interface": "",
3044
2862
"address": "",
3045
2863
"port": "",
3046
2864
"debug": "False",
3047
"priority": priority,
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
3048
2868
"servicename": "Mandos",
3049
2869
"use_dbus": "True",
3050
2870
"use_ipv6": "True",
3055
2875
"foreground": "False",
3056
2876
"zeroconf": "True",
3057
2877
}
3058
del priority
3059
2878
3060
2879
# Parse config file for server-global settings
3061
server_config = configparser.ConfigParser(server_defaults)
2880
server_config = configparser.SafeConfigParser(server_defaults)
3062
2881
del server_defaults
3063
2882
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3064
# Convert the ConfigParser object to a dict
2883
# Convert the SafeConfigParser object to a dict
3065
2884
server_settings = server_config.defaults()
3066
2885
# Use the appropriate methods on the non-string config options
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3069
2887
server_settings[option] = server_config.getboolean("DEFAULT",
3070
2888
option)
3071
2889
if server_settings["port"]:
3134
2952
3135
2953
if server_settings["servicename"] != "Mandos":
3136
2954
syslogger.setFormatter(
3137
logging.Formatter("Mandos ({}) [%(process)d]:"
3138
" %(levelname)s: %(message)s".format(
2955
logging.Formatter('Mandos ({}) [%(process)d]:'
2956
' %(levelname)s: %(message)s'.format(
3139
2957
server_settings["servicename"])))
3140
2958
3141
2959
# Parse config file with clients
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2960
client_config = configparser.SafeConfigParser(Client
2961
.client_defaults)
3143
2962
client_config.read(os.path.join(server_settings["configdir"],
3144
2963
"clients.conf"))
3145
2964
3201
3020
3202
3021
@gnutls.log_func
3203
3022
def debug_gnutls(level, string):
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3023
logger.debug("GnuTLS: %s", string[:-1])
3207
3024
3208
3025
gnutls.global_set_log_function(debug_gnutls)
3209
3026
3218
3035
# Close all input and output, do double fork, etc.
3219
3036
daemon()
3220
3037
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3225
3041
3226
3042
global main_loop
3227
3043
# From the Avahi example code
3303
3119
if isinstance(s, bytes)
3304
3120
else s) for s in
3305
3121
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3122
# .name & .host
3123
for k in ("name", "host"):
3308
3124
if isinstance(value[k], bytes):
3309
3125
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
3126
# old_client_settings
3315
3127
# .keys()
3316
3128
old_client_settings = {
3320
3132
for key, value in
3321
3133
bytes_old_client_settings.items()}
3322
3134
del bytes_old_client_settings
3323
# .host and .checker_command
3135
# .host
3324
3136
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3329
3140
os.remove(stored_state_path)
3330
3141
except IOError as e:
3331
3142
if e.errno == errno.ENOENT:
3454
3265
pass
3455
3266
3456
3267
@dbus.service.signal(_interface, signature="ss")
3457
def ClientNotFound(self, key_id, address):
3268
def ClientNotFound(self, fingerprint, address):
3458
3269
"D-Bus signal"
3459
3270
pass
3460
3271
3584
3395
3585
3396
try:
3586
3397
with tempfile.NamedTemporaryFile(
3587
mode="wb",
3398
mode='wb',
3588
3399
suffix=".pickle",
3589
prefix="clients-",
3400
prefix='clients-',
3590
3401
dir=os.path.dirname(stored_state_path),
3591
3402
delete=False) as stored_state:
3592
3403
pickle.dump((clients, client_settings), stored_state,
3656
3467
sys.exit(1)
3657
3468
# End of Avahi example code
3658
3469
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3664
3474
3665
3475
logger.debug("Starting main loop")
3666
3476
main_loop.run()
3676
3486
# Must run before the D-Bus bus name gets deregistered
3677
3487
cleanup()
3678
3488
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action="store_true")
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3695
3696
if __name__ == "__main__":
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
3489
3490
if __name__ == '__main__':
3491
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0