To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1201
- compare with another revision
- download diff
- download tarball
- view history from revision 1201
- Committer: teddy at recompile
- Date: 2020-02-05 21:39:28 UTC
- Revision ID: teddy@recompile.se-20200205213928-vpvt0fwfg47ikv6f
Allow users to alter ask-password-mandos.service
If a user uses dracut with systemd and wishes to modify the options
passed to password-agent(8mandos) or mandos-client(8mandos), they
should be able to do so by simply creating a file
/etc/systemd/system/ask-password-mandos.service.d/override.conf,
containing, for instance:
[Service]
Environment=MANDOS_CLIENT_OPTIONS=--debug
Adding PASSWORD_AGENT_OPTIONS should also be possible (but should not
normally be needed).
* dracut-module/ask-password-mandos.service ([Service]/ExecStart): Add
$PASSWORD_AGENT_OPTIONS before "--" and "$MANDOS_CLIENT_OPTIONS" to
end of line.
* dracut-module/module-setup.sh (install): Install all files named
/etc/systemd/system/ask-password-mandos.service.d/*.conf if any
exists. Also add --dh-params before $MANDOS_CLIENT_OPTIONS instead
of at end of line.
If a user uses dracut with systemd and wishes to modify the options
passed to password-agent(8mandos) or mandos-client(8mandos), they
should be able to do so by simply creating a file
/etc/systemd/system/ask-password-mandos.service.d/override.conf,
containing, for instance:
[Service]
Environment=MANDOS_CLIENT_OPTIONS=--debug
Adding PASSWORD_AGENT_OPTIONS should also be possible (but should not
normally be needed).
* dracut-module/ask-password-mandos.service ([Service]/ExecStart): Add
$PASSWORD_AGENT_OPTIONS before "--" and "$MANDOS_CLIENT_OPTIONS" to
end of line.
* dracut-module/module-setup.sh (install): Install all files named
/etc/systemd/system/ask-password-mandos.service.d/*.conf if any
exists. Also add --dh-params before $MANDOS_CLIENT_OPTIONS instead
of at end of line.
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import unittest
81
import random
80
82
81
83
import dbus
82
84
import dbus.service
85
import gi
83
86
from gi.repository import GLib
84
87
from dbus.mainloop.glib import DBusGMainLoop
85
88
import ctypes
87
90
import xml.dom.minidom
88
91
import inspect
89
92
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
97
# Show warnings by default
98
if not sys.warnoptions:
99
import warnings
100
warnings.simplefilter("default")
101
90
102
# Try to find the value of SO_BINDTODEVICE:
91
103
try:
92
104
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
112
124
# No value found
113
125
SO_BINDTODEVICE = None
114
126
115
if sys.version_info.major == 2:
116
str = unicode
127
if sys.version_info < (3, 2):
128
configparser.Configparser = configparser.SafeConfigParser
117
129
118
version = "1.7.20"
130
version = "1.8.9"
119
131
stored_state_file = "clients.pickle"
120
132
121
133
logger = logging.getLogger()
134
logging.captureWarnings(True) # Show warnings via the logging system
122
135
syslogger = None
123
136
124
137
try:
179
192
pass
180
193
181
194
182
class PGPEngine(object):
195
class PGPEngine:
183
196
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
197
185
198
def __init__(self):
189
202
output = subprocess.check_output(["gpgconf"])
190
203
for line in output.splitlines():
191
204
name, text, path = line.split(b":")
192
if name == "gpg":
205
if name == b"gpg":
193
206
self.gpg = path
194
207
break
195
208
except OSError as e:
200
213
'--force-mdc',
201
214
'--quiet']
202
215
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
216
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
204
217
self.gnupgargs.append("--no-use-agent")
205
218
206
219
def __enter__(self):
275
288
276
289
277
290
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
291
class avahi:
292
"""This isn't so much a class as it is a module-like namespace."""
281
293
IF_UNSPEC = -1 # avahi-common/address.h
282
294
PROTO_UNSPEC = -1 # avahi-common/address.h
283
295
PROTO_INET = 0 # avahi-common/address.h
287
299
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
300
DBUS_PATH_SERVER = "/"
289
301
290
def string_array_to_txt_array(self, t):
302
@staticmethod
303
def string_array_to_txt_array(t):
291
304
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
305
for s in t), signature="ay")
293
306
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
311
SERVER_RUNNING = 2 # avahi-common/defs.h
299
312
SERVER_COLLISION = 3 # avahi-common/defs.h
300
313
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
314
303
315
304
316
class AvahiError(Exception):
316
328
pass
317
329
318
330
319
class AvahiService(object):
331
class AvahiService:
320
332
"""An Avahi (Zeroconf) service.
321
333
322
334
Attributes:
504
516
505
517
506
518
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
519
class gnutls:
520
"""This isn't so much a class as it is a module-like namespace."""
510
521
511
522
library = ctypes.util.find_library("gnutls")
512
523
if library is None:
513
524
library = ctypes.util.find_library("gnutls-deb0")
514
525
_library = ctypes.cdll.LoadLibrary(library)
515
526
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
527
525
528
# Unless otherwise indicated, the constants and types below are
526
529
# all from the gnutls/gnutls.h C header file.
530
533
E_INTERRUPTED = -52
531
534
E_AGAIN = -28
532
535
CRT_OPENPGP = 2
536
CRT_RAWPK = 3
533
537
CLIENT = 2
534
538
SHUT_RDWR = 0
535
539
CRD_CERTIFICATE = 1
536
540
E_NO_CERTIFICATE_FOUND = -49
541
X509_FMT_DER = 0
542
NO_TICKETS = 1<<10
543
ENABLE_RAWPK = 1<<18
544
CTYPE_PEERS = 3
545
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
546
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
547
539
548
# Types
562
571
563
572
# Exceptions
564
573
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
574
def __init__(self, message=None, code=None, args=()):
570
575
# Default usage is by a message string, but if a return
571
576
# code is passed, convert it to a string with
572
577
# gnutls.strerror()
573
578
self.code = code
574
579
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
580
message = gnutls.strerror(code)
581
return super(gnutls.Error, self).__init__(
577
582
message, *args)
578
583
579
584
class CertificateSecurityError(Error):
580
585
pass
581
586
582
587
# Classes
583
class Credentials(object):
588
class Credentials:
584
589
def __init__(self):
585
590
self._c_object = gnutls.certificate_credentials_t()
586
591
gnutls.certificate_allocate_credentials(
590
595
def __del__(self):
591
596
gnutls.certificate_free_credentials(self._c_object)
592
597
593
class ClientSession(object):
598
class ClientSession:
594
599
def __init__(self, socket, credentials=None):
595
600
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
601
gnutls_flags = gnutls.CLIENT
602
if gnutls.check_version(b"3.5.6"):
603
gnutls_flags |= gnutls.NO_TICKETS
604
if gnutls.has_rawpk:
605
gnutls_flags |= gnutls.ENABLE_RAWPK
606
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
607
del gnutls_flags
597
608
gnutls.set_default_priority(self._c_object)
598
609
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
610
gnutls.handshake_set_private_extensions(self._c_object,
731
742
check_version.argtypes = [ctypes.c_char_p]
732
743
check_version.restype = ctypes.c_char_p
733
744
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
745
_need_version = b"3.3.0"
746
if check_version(_need_version) is None:
747
raise self.Error("Needs GnuTLS {} or later"
748
.format(_need_version))
749
750
_tls_rawpk_version = b"3.6.6"
751
has_rawpk = bool(check_version(_tls_rawpk_version))
752
753
if has_rawpk:
754
# Types
755
class pubkey_st(ctypes.Structure):
756
_fields = []
757
pubkey_t = ctypes.POINTER(pubkey_st)
758
759
x509_crt_fmt_t = ctypes.c_int
760
761
# All the function declarations below are from gnutls/abstract.h
762
pubkey_init = _library.gnutls_pubkey_init
763
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
764
pubkey_init.restype = _error_code
765
766
pubkey_import = _library.gnutls_pubkey_import
767
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
768
x509_crt_fmt_t]
769
pubkey_import.restype = _error_code
770
771
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
772
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
773
ctypes.POINTER(ctypes.c_ubyte),
774
ctypes.POINTER(ctypes.c_size_t)]
775
pubkey_get_key_id.restype = _error_code
776
777
pubkey_deinit = _library.gnutls_pubkey_deinit
778
pubkey_deinit.argtypes = [pubkey_t]
779
pubkey_deinit.restype = None
780
else:
781
# All the function declarations below are from gnutls/openpgp.h
782
783
openpgp_crt_init = _library.gnutls_openpgp_crt_init
784
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
785
openpgp_crt_init.restype = _error_code
786
787
openpgp_crt_import = _library.gnutls_openpgp_crt_import
788
openpgp_crt_import.argtypes = [openpgp_crt_t,
789
ctypes.POINTER(datum_t),
790
openpgp_crt_fmt_t]
791
openpgp_crt_import.restype = _error_code
792
793
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
794
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
795
ctypes.POINTER(ctypes.c_uint)]
796
openpgp_crt_verify_self.restype = _error_code
797
798
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
799
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
800
openpgp_crt_deinit.restype = None
801
802
openpgp_crt_get_fingerprint = (
803
_library.gnutls_openpgp_crt_get_fingerprint)
804
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
805
ctypes.c_void_p,
806
ctypes.POINTER(
807
ctypes.c_size_t)]
808
openpgp_crt_get_fingerprint.restype = _error_code
809
810
if check_version(b"3.6.4"):
811
certificate_type_get2 = _library.gnutls_certificate_type_get2
812
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
813
certificate_type_get2.restype = _error_code
762
814
763
815
# Remove non-public functions
764
816
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
767
817
768
818
769
819
def call_pipe(connection, # : multiprocessing.Connection
777
827
connection.close()
778
828
779
829
780
class Client(object):
830
class Client:
781
831
"""A representation of a client host served by this server.
782
832
783
833
Attributes:
784
834
approved: bool(); 'None' if not yet approved/disapproved
785
835
approval_delay: datetime.timedelta(); Time to wait for approval
786
836
approval_duration: datetime.timedelta(); Duration of one approval
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
837
checker: multiprocessing.Process(); a running checker process used
838
to see if the client lives. 'None' if no process is
839
running.
790
840
checker_callback_tag: a GLib event source tag, or None
791
841
checker_command: string; External command which is run to check
792
842
if client lives. %() expansions are done at
800
850
disable_initiator_tag: a GLib event source tag, or None
801
851
enabled: bool()
802
852
fingerprint: string (40 or 32 hexadecimal digits); used to
803
uniquely identify the client
853
uniquely identify an OpenPGP client
854
key_id: string (64 hexadecimal digits); used to uniquely identify
855
a client using raw public keys
804
856
host: string; available for use by the checker command
805
857
interval: datetime.timedelta(); How often to start a new checker
806
858
last_approval_request: datetime.datetime(); (UTC) or None
824
876
"""
825
877
826
878
runtime_expansions = ("approval_delay", "approval_duration",
827
"created", "enabled", "expires",
879
"created", "enabled", "expires", "key_id",
828
880
"fingerprint", "host", "interval",
829
881
"last_approval_request", "last_checked_ok",
830
882
"last_enabled", "name", "timeout")
860
912
client["enabled"] = config.getboolean(client_name,
861
913
"enabled")
862
914
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
915
# Uppercase and remove spaces from key_id and fingerprint
916
# for later comparison purposes with return value from the
917
# key_id() and fingerprint() functions
918
client["key_id"] = (section.get("key_id", "").upper()
919
.replace(" ", ""))
866
920
client["fingerprint"] = (section["fingerprint"].upper()
867
921
.replace(" ", ""))
868
922
if "secret" in section:
912
966
self.expires = None
913
967
914
968
logger.debug("Creating client %r", self.name)
969
logger.debug(" Key ID: %s", self.key_id)
915
970
logger.debug(" Fingerprint: %s", self.fingerprint)
916
971
self.created = settings.get("created",
917
972
datetime.datetime.utcnow())
981
1036
if self.checker_initiator_tag is not None:
982
1037
GLib.source_remove(self.checker_initiator_tag)
983
1038
self.checker_initiator_tag = GLib.timeout_add(
984
int(self.interval.total_seconds() * 1000),
1039
random.randrange(int(self.interval.total_seconds() * 1000
1040
+ 1)),
985
1041
self.start_checker)
986
1042
# Schedule a disable() when 'timeout' has passed
987
1043
if self.disable_initiator_tag is not None:
994
1050
def checker_callback(self, source, condition, connection,
995
1051
command):
996
1052
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
999
1053
# Read return code from connection (see call_pipe)
1000
1054
returncode = connection.recv()
1001
1055
connection.close()
1056
if self.checker is not None:
1057
self.checker.join()
1058
self.checker_callback_tag = None
1059
self.checker = None
1002
1060
1003
1061
if returncode >= 0:
1004
1062
self.last_checker_status = returncode
1093
1151
kwargs=popen_args)
1094
1152
self.checker.start()
1095
1153
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1154
GLib.IOChannel.unix_new(pipe[0].fileno()),
1155
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1097
1156
self.checker_callback, pipe[0], command)
1098
1157
# Re-run this periodically if run by GLib.timeout_add
1099
1158
return True
1354
1413
raise ValueError("Byte arrays not supported for non-"
1355
1414
"'ay' signature {!r}"
1356
1415
.format(prop._dbus_signature))
1357
value = dbus.ByteArray(b''.join(chr(byte)
1358
for byte in value))
1416
value = dbus.ByteArray(bytes(value))
1359
1417
prop(value)
1360
1418
1361
1419
@dbus.service.method(dbus.PROPERTIES_IFACE,
1999
2057
def Name_dbus_property(self):
2000
2058
return dbus.String(self.name)
2001
2059
2060
# KeyID - property
2061
@dbus_annotations(
2062
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2063
@dbus_service_property(_interface, signature="s", access="read")
2064
def KeyID_dbus_property(self):
2065
return dbus.String(self.key_id)
2066
2002
2067
# Fingerprint - property
2003
2068
@dbus_annotations(
2004
2069
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2159
2224
del _interface
2160
2225
2161
2226
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2227
class ProxyClient:
2228
def __init__(self, child_pipe, key_id, fpr, address):
2164
2229
self._pipe = child_pipe
2165
self._pipe.send(('init', fpr, address))
2230
self._pipe.send(('init', key_id, fpr, address))
2166
2231
if not self._pipe.recv():
2167
raise KeyError(fpr)
2232
raise KeyError(key_id or fpr)
2168
2233
2169
2234
def __getattribute__(self, name):
2170
2235
if name == '_pipe':
2237
2302
2238
2303
approval_required = False
2239
2304
try:
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2305
if gnutls.has_rawpk:
2306
fpr = b""
2307
try:
2308
key_id = self.key_id(
2309
self.peer_certificate(session))
2310
except (TypeError, gnutls.Error) as error:
2311
logger.warning("Bad certificate: %s", error)
2312
return
2313
logger.debug("Key ID: %s", key_id)
2314
2315
else:
2316
key_id = b""
2317
try:
2318
fpr = self.fingerprint(
2319
self.peer_certificate(session))
2320
except (TypeError, gnutls.Error) as error:
2321
logger.warning("Bad certificate: %s", error)
2322
return
2323
logger.debug("Fingerprint: %s", fpr)
2324
2325
try:
2326
client = ProxyClient(child_pipe, key_id, fpr,
2250
2327
self.client_address)
2251
2328
except KeyError:
2252
2329
return
2329
2406
2330
2407
@staticmethod
2331
2408
def peer_certificate(session):
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2409
"Return the peer's certificate as a bytestring"
2410
try:
2411
cert_type = gnutls.certificate_type_get2(session._c_object,
2412
gnutls.CTYPE_PEERS)
2413
except AttributeError:
2414
cert_type = gnutls.certificate_type_get(session._c_object)
2415
if gnutls.has_rawpk:
2416
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2417
else:
2418
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2419
# If not a valid certificate type...
2420
if cert_type not in valid_cert_types:
2421
logger.info("Cert type %r not in %r", cert_type,
2422
valid_cert_types)
2336
2423
# ...return invalid data
2337
2424
return b""
2338
2425
list_size = ctypes.c_uint(1)
2346
2433
return ctypes.string_at(cert.data, cert.size)
2347
2434
2348
2435
@staticmethod
2436
def key_id(certificate):
2437
"Convert a certificate bytestring to a hexdigit key ID"
2438
# New GnuTLS "datum" with the public key
2439
datum = gnutls.datum_t(
2440
ctypes.cast(ctypes.c_char_p(certificate),
2441
ctypes.POINTER(ctypes.c_ubyte)),
2442
ctypes.c_uint(len(certificate)))
2443
# XXX all these need to be created in the gnutls "module"
2444
# New empty GnuTLS certificate
2445
pubkey = gnutls.pubkey_t()
2446
gnutls.pubkey_init(ctypes.byref(pubkey))
2447
# Import the raw public key into the certificate
2448
gnutls.pubkey_import(pubkey,
2449
ctypes.byref(datum),
2450
gnutls.X509_FMT_DER)
2451
# New buffer for the key ID
2452
buf = ctypes.create_string_buffer(32)
2453
buf_len = ctypes.c_size_t(len(buf))
2454
# Get the key ID from the raw public key into the buffer
2455
gnutls.pubkey_get_key_id(pubkey,
2456
gnutls.KEYID_USE_SHA256,
2457
ctypes.cast(ctypes.byref(buf),
2458
ctypes.POINTER(ctypes.c_ubyte)),
2459
ctypes.byref(buf_len))
2460
# Deinit the certificate
2461
gnutls.pubkey_deinit(pubkey)
2462
2463
# Convert the buffer to a Python bytestring
2464
key_id = ctypes.string_at(buf, buf_len.value)
2465
# Convert the bytestring to hexadecimal notation
2466
hex_key_id = binascii.hexlify(key_id).upper()
2467
return hex_key_id
2468
2469
@staticmethod
2349
2470
def fingerprint(openpgp):
2350
2471
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2472
# New GnuTLS "datum" with the OpenPGP public key
2382
2503
return hex_fpr
2383
2504
2384
2505
2385
class MultiprocessingMixIn(object):
2506
class MultiprocessingMixIn:
2386
2507
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2387
2508
2388
2509
def sub_process_main(self, request, address):
2400
2521
return proc
2401
2522
2402
2523
2403
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2524
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2404
2525
""" adds a pipe to the MixIn """
2405
2526
2406
2527
def process_request(self, request, client_address):
2421
2542
2422
2543
2423
2544
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2424
socketserver.TCPServer, object):
2545
socketserver.TCPServer):
2425
2546
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2426
2547
2427
2548
Attributes:
2500
2621
raise
2501
2622
# Only bind(2) the socket if we really need to.
2502
2623
if self.server_address[0] or self.server_address[1]:
2624
if self.server_address[1]:
2625
self.allow_reuse_address = True
2503
2626
if not self.server_address[0]:
2504
2627
if self.address_family == socket.AF_INET6:
2505
2628
any_address = "::" # in6addr_any
2558
2681
def add_pipe(self, parent_pipe, proc):
2559
2682
# Call "handle_ipc" for both data and EOF events
2560
2683
GLib.io_add_watch(
2561
parent_pipe.fileno(),
2562
GLib.IO_IN | GLib.IO_HUP,
2684
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2685
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2563
2686
functools.partial(self.handle_ipc,
2564
2687
parent_pipe=parent_pipe,
2565
2688
proc=proc))
2579
2702
command = request[0]
2580
2703
2581
2704
if command == 'init':
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2705
key_id = request[1].decode("ascii")
2706
fpr = request[2].decode("ascii")
2707
address = request[3]
2584
2708
2585
2709
for c in self.clients.values():
2586
if c.fingerprint == fpr:
2710
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2711
continue
2712
if key_id and c.key_id == key_id:
2713
client = c
2714
break
2715
if fpr and c.fingerprint == fpr:
2587
2716
client = c
2588
2717
break
2589
2718
else:
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2719
logger.info("Client not found for key ID: %s, address"
2720
": %s", key_id or fpr, address)
2592
2721
if self.use_dbus:
2593
2722
# Emit D-Bus signal
2594
mandos_dbus_service.ClientNotFound(fpr,
2723
mandos_dbus_service.ClientNotFound(key_id or fpr,
2595
2724
address[0])
2596
2725
parent_pipe.send(False)
2597
2726
return False
2598
2727
2599
2728
GLib.io_add_watch(
2600
parent_pipe.fileno(),
2601
GLib.IO_IN | GLib.IO_HUP,
2729
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2730
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2602
2731
functools.partial(self.handle_ipc,
2603
2732
parent_pipe=parent_pipe,
2604
2733
proc=proc,
2636
2765
def rfc3339_duration_to_delta(duration):
2637
2766
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2638
2767
2639
>>> rfc3339_duration_to_delta("P7D")
2640
datetime.timedelta(7)
2641
>>> rfc3339_duration_to_delta("PT60S")
2642
datetime.timedelta(0, 60)
2643
>>> rfc3339_duration_to_delta("PT60M")
2644
datetime.timedelta(0, 3600)
2645
>>> rfc3339_duration_to_delta("PT24H")
2646
datetime.timedelta(1)
2647
>>> rfc3339_duration_to_delta("P1W")
2648
datetime.timedelta(7)
2649
>>> rfc3339_duration_to_delta("PT5M30S")
2650
datetime.timedelta(0, 330)
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2652
datetime.timedelta(1, 200)
2768
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2769
True
2770
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2771
True
2772
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2773
True
2774
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2775
True
2776
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2777
True
2778
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2779
True
2780
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2781
True
2653
2782
"""
2654
2783
2655
2784
# Parsing an RFC 3339 duration with regular expressions is not
2735
2864
def string_to_delta(interval):
2736
2865
"""Parse a string and return a datetime.timedelta
2737
2866
2738
>>> string_to_delta('7d')
2739
datetime.timedelta(7)
2740
>>> string_to_delta('60s')
2741
datetime.timedelta(0, 60)
2742
>>> string_to_delta('60m')
2743
datetime.timedelta(0, 3600)
2744
>>> string_to_delta('24h')
2745
datetime.timedelta(1)
2746
>>> string_to_delta('1w')
2747
datetime.timedelta(7)
2748
>>> string_to_delta('5m 30s')
2749
datetime.timedelta(0, 330)
2867
>>> string_to_delta('7d') == datetime.timedelta(7)
2868
True
2869
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2870
True
2871
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2872
True
2873
>>> string_to_delta('24h') == datetime.timedelta(1)
2874
True
2875
>>> string_to_delta('1w') == datetime.timedelta(7)
2876
True
2877
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2878
True
2750
2879
"""
2751
2880
2752
2881
try:
2854
2983
2855
2984
options = parser.parse_args()
2856
2985
2857
if options.check:
2858
import doctest
2859
fail_count, test_count = doctest.testmod()
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2861
2862
2986
# Default values for config file for server-global settings
2987
if gnutls.has_rawpk:
2988
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2989
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2990
else:
2991
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2992
":+SIGN-DSA-SHA256")
2863
2993
server_defaults = {"interface": "",
2864
2994
"address": "",
2865
2995
"port": "",
2866
2996
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2997
"priority": priority,
2870
2998
"servicename": "Mandos",
2871
2999
"use_dbus": "True",
2872
3000
"use_ipv6": "True",
2877
3005
"foreground": "False",
2878
3006
"zeroconf": "True",
2879
3007
}
3008
del priority
2880
3009
2881
3010
# Parse config file for server-global settings
2882
server_config = configparser.SafeConfigParser(server_defaults)
3011
server_config = configparser.ConfigParser(server_defaults)
2883
3012
del server_defaults
2884
3013
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2885
# Convert the SafeConfigParser object to a dict
3014
# Convert the ConfigParser object to a dict
2886
3015
server_settings = server_config.defaults()
2887
3016
# Use the appropriate methods on the non-string config options
2888
3017
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2960
3089
server_settings["servicename"])))
2961
3090
2962
3091
# Parse config file with clients
2963
client_config = configparser.SafeConfigParser(Client
2964
.client_defaults)
3092
client_config = configparser.ConfigParser(Client.client_defaults)
2965
3093
client_config.read(os.path.join(server_settings["configdir"],
2966
3094
"clients.conf"))
2967
3095
3038
3166
# Close all input and output, do double fork, etc.
3039
3167
daemon()
3040
3168
3041
# multiprocessing will use threads, so before we use GLib we need
3042
# to inform GLib that threads will be used.
3043
GLib.threads_init()
3169
if gi.version_info < (3, 10, 2):
3170
# multiprocessing will use threads, so before we use GLib we
3171
# need to inform GLib that threads will be used.
3172
GLib.threads_init()
3044
3173
3045
3174
global main_loop
3046
3175
# From the Avahi example code
3122
3251
if isinstance(s, bytes)
3123
3252
else s) for s in
3124
3253
value["client_structure"]]
3125
# .name & .host
3126
for k in ("name", "host"):
3254
# .name, .host, and .checker_command
3255
for k in ("name", "host", "checker_command"):
3127
3256
if isinstance(value[k], bytes):
3128
3257
value[k] = value[k].decode("utf-8")
3258
if "key_id" not in value:
3259
value["key_id"] = ""
3260
elif "fingerprint" not in value:
3261
value["fingerprint"] = ""
3129
3262
# old_client_settings
3130
3263
# .keys()
3131
3264
old_client_settings = {
3135
3268
for key, value in
3136
3269
bytes_old_client_settings.items()}
3137
3270
del bytes_old_client_settings
3138
# .host
3271
# .host and .checker_command
3139
3272
for value in old_client_settings.values():
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
3142
.decode("utf-8"))
3273
for attribute in ("host", "checker_command"):
3274
if isinstance(value[attribute], bytes):
3275
value[attribute] = (value[attribute]
3276
.decode("utf-8"))
3143
3277
os.remove(stored_state_path)
3144
3278
except IOError as e:
3145
3279
if e.errno == errno.ENOENT:
3268
3402
pass
3269
3403
3270
3404
@dbus.service.signal(_interface, signature="ss")
3271
def ClientNotFound(self, fingerprint, address):
3405
def ClientNotFound(self, key_id, address):
3272
3406
"D-Bus signal"
3273
3407
pass
3274
3408
3470
3604
sys.exit(1)
3471
3605
# End of Avahi example code
3472
3606
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3607
GLib.io_add_watch(
3608
GLib.IOChannel.unix_new(tcp_server.fileno()),
3609
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3610
lambda *args, **kwargs: (tcp_server.handle_request
3611
(*args[2:], **kwargs) or True))
3477
3612
3478
3613
logger.debug("Starting main loop")
3479
3614
main_loop.run()
3489
3624
# Must run before the D-Bus bus name gets deregistered
3490
3625
cleanup()
3491
3626
3627
3628
def should_only_run_tests():
3629
parser = argparse.ArgumentParser(add_help=False)
3630
parser.add_argument("--check", action='store_true')
3631
args, unknown_args = parser.parse_known_args()
3632
run_tests = args.check
3633
if run_tests:
3634
# Remove --check argument from sys.argv
3635
sys.argv[1:] = unknown_args
3636
return run_tests
3637
3638
# Add all tests from doctest strings
3639
def load_tests(loader, tests, none):
3640
import doctest
3641
tests.addTests(doctest.DocTestSuite())
3642
return tests
3492
3643
3493
3644
if __name__ == '__main__':
3494
main()
3645
try:
3646
if should_only_run_tests():
3647
# Call using ./mandos --check [--verbose]
3648
unittest.main()
3649
else:
3650
main()
3651
finally:
3652
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0