196
265
.replace(b"\n", b"\\n")
197
266
.replace(b"\0", b"\\x00"))
200
269
def encrypt(self, data, password):
201
270
passphrase = self.password_encode(password)
202
271
with tempfile.NamedTemporaryFile(
203
272
dir=self.tempdir) as passfile:
204
273
passfile.write(passphrase)
206
proc = subprocess.Popen(['gpg', '--symmetric',
275
proc = subprocess.Popen([self.gpg, '--symmetric',
207
276
'--passphrase-file',
209
278
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
214
283
if proc.returncode != 0:
215
284
raise PGPError(err)
216
285
return ciphertext
218
287
def decrypt(self, data, password):
219
288
passphrase = self.password_encode(password)
220
289
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
222
291
passfile.write(passphrase)
224
proc = subprocess.Popen(['gpg', '--decrypt',
293
proc = subprocess.Popen([self.gpg, '--decrypt',
225
294
'--passphrase-file',
227
296
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
232
301
if proc.returncode != 0:
233
302
raise PGPError(err)
234
303
return decrypted_plaintext
306
# Pretend that we have an Avahi module
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
237
332
class AvahiError(Exception):
238
333
def __init__(self, value, *args, **kwargs):
239
334
self.value = value
429
524
class AvahiServiceToSyslog(AvahiService):
430
525
def rename(self, *args, **kwargs):
431
526
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
528
syslogger.setFormatter(logging.Formatter(
434
529
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
530
.format(self.name)))
534
# Pretend that we have a GnuTLS module
536
"""This isn't so much a class as it is a module-like namespace."""
538
library = ctypes.util.find_library("gnutls")
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
556
E_NO_CERTIFICATE_FOUND = -49
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
565
class session_int(ctypes.Structure):
567
session_t = ctypes.POINTER(session_int)
569
class certificate_credentials_st(ctypes.Structure):
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
579
class openpgp_crt_int(ctypes.Structure):
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
600
class CertificateSecurityError(Error):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
612
gnutls.certificate_free_credentials(self._c_object)
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
634
self.credentials = credentials
637
gnutls.deinit(self._c_object)
640
return gnutls.handshake(self._c_object)
642
def send(self, data):
646
data_len -= gnutls.record_send(self._c_object,
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
711
handshake_set_private_extensions.restype = None
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
716
credentials_set.restype = _error_code
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
771
class pubkey_st(ctypes.Structure):
773
pubkey_t = ctypes.POINTER(pubkey_st)
775
x509_crt_fmt_t = ctypes.c_int
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
785
pubkey_import.restype = _error_code
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
797
# All the function declarations below are from gnutls/openpgp.h
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
807
openpgp_crt_import.restype = _error_code
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
824
openpgp_crt_get_fingerprint.restype = _error_code
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
831
# Remove non-public functions
832
del _error_code, _retry_on_error
438
835
def call_pipe(connection, # : multiprocessing.Connection
439
836
func, *args, **kwargs):
440
837
"""This function is meant to be called by multiprocessing.Process
442
839
This function runs func(*args, **kwargs), and writes the resulting
443
840
return value on the provided multiprocessing.Connection.
445
842
connection.send(func(*args, **kwargs))
446
843
connection.close()
448
class Client(object):
449
847
"""A representation of a client host served by this server.
452
850
approved: bool(); 'None' if not yet approved/disapproved
453
851
approval_delay: datetime.timedelta(); Time to wait for approval
454
852
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
856
checker_callback_tag: a GLib event source tag, or None
459
857
checker_command: string; External command which is run to check
460
858
if client lives. %() expansions are done at
461
859
runtime with vars(self) as dict, so that for
462
860
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
861
checker_initiator_tag: a GLib event source tag, or None
464
862
created: datetime.datetime(); (UTC) object creation
465
863
client_structure: Object describing what attributes a client has
466
864
and is used for storing the client at exit
467
865
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
866
disable_initiator_tag: a GLib event source tag, or None
470
868
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
472
872
host: string; available for use by the checker command
473
873
interval: datetime.timedelta(); How often to start a new checker
474
874
last_approval_request: datetime.datetime(); (UTC) or None
1986
2398
delay -= time2 - time
1989
while sent_size < len(client.secret):
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
2001
2407
logger.info("Sending secret to %s", client.name)
2002
2408
# bump the timeout using extended_timeout
2003
2409
client.bump_timeout(client.extended_timeout)
2004
2410
if self.server.use_dbus:
2005
2411
# Emit D-Bus signal
2006
2412
client.GotSecret()
2009
2415
if approval_required:
2010
2416
client.approvals_pending -= 1
2013
except gnutls.errors.GNUTLSError as error:
2419
except gnutls.Error as error:
2014
2420
logger.warning("GnuTLS bye failed",
2015
2421
exc_info=error)
2018
2424
def peer_certificate(session):
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2425
"Return the peer's certificate as a bytestring"
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2439
# ...return invalid data
2026
2441
list_size = ctypes.c_uint(1)
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2442
cert_list = (gnutls.certificate_get_peers
2029
2443
(session._c_object, ctypes.byref(list_size)))
2030
2444
if not bool(cert_list) and list_size.value != 0:
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2445
raise gnutls.Error("error getting peer certificate")
2033
2446
if list_size.value == 0:
2035
2448
cert = cert_list[0]
2036
2449
return ctypes.string_at(cert.data, cert.size)
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2039
2486
def fingerprint(openpgp):
2040
2487
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2041
2488
# New GnuTLS "datum" with the OpenPGP public key
2042
datum = gnutls.library.types.gnutls_datum_t(
2489
datum = gnutls.datum_t(
2043
2490
ctypes.cast(ctypes.c_char_p(openpgp),
2044
2491
ctypes.POINTER(ctypes.c_ubyte)),
2045
2492
ctypes.c_uint(len(openpgp)))
2046
2493
# New empty GnuTLS certificate
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2050
2496
# Import the OpenPGP public key into the certificate
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2054
2499
# Verify the self signature in the key
2055
2500
crtverify = ctypes.c_uint()
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2058
2503
if crtverify.value != 0:
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2062
2507
# New buffer for the fingerprint
2063
2508
buf = ctypes.create_string_buffer(20)
2064
2509
buf_len = ctypes.c_size_t()
2065
2510
# Get the fingerprint from the certificate into the buffer
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2068
2513
# Deinit the certificate
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2514
gnutls.openpgp_crt_deinit(crt)
2070
2515
# Convert the buffer to a Python bytestring
2071
2516
fpr = ctypes.string_at(buf, buf_len.value)
2072
2517
# Convert the bytestring to hexadecimal notation
2160
2606
# socket_wrapper(), if socketfd was set.
2161
2607
socketserver.TCPServer.__init__(self, server_address,
2162
2608
RequestHandlerClass)
2164
2610
def server_bind(self):
2165
2611
"""This overrides the normal server_bind() function
2166
2612
to bind to an interface if one was specified, and also NOT to
2167
2613
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2168
2615
if self.interface is not None:
2169
2616
if SO_BINDTODEVICE is None:
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2617
# Fall back to a hard-coded value which seems to be
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2191
2638
# Only bind(2) the socket if we really need to.
2192
2639
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2193
2642
if not self.server_address[0]:
2194
2643
if self.address_family == socket.AF_INET6:
2195
any_address = "::" # in6addr_any
2644
any_address = "::" # in6addr_any
2197
any_address = "0.0.0.0" # INADDR_ANY
2646
any_address = "0.0.0.0" # INADDR_ANY
2198
2647
self.server_address = (any_address,
2199
2648
self.server_address[1])
2200
2649
elif not self.server_address[1]:
2234
2683
self.gnutls_priority = gnutls_priority
2235
2684
IPv6_TCPServer.__init__(self, server_address,
2236
2685
RequestHandlerClass,
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2686
interface=interface,
2241
2690
def server_activate(self):
2242
2691
if self.enabled:
2243
2692
return socketserver.TCPServer.server_activate(self)
2245
2694
def enable(self):
2246
2695
self.enabled = True
2248
2697
def add_pipe(self, parent_pipe, proc):
2249
2698
# Call "handle_ipc" for both data and EOF events
2250
gobject.io_add_watch(
2251
parent_pipe.fileno(),
2252
gobject.IO_IN | gobject.IO_HUP,
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2253
2702
functools.partial(self.handle_ipc,
2254
parent_pipe = parent_pipe,
2703
parent_pipe=parent_pipe,
2257
2706
def handle_ipc(self, source, condition,
2258
2707
parent_pipe=None,
2260
2709
client_object=None):
2261
2710
# error, or the other end of multiprocessing.Pipe has closed
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2263
2712
# Wait for other process to exit
2267
2716
# Read a request from the child
2268
2717
request = parent_pipe.recv()
2269
2718
command = request[0]
2271
2720
if command == 'init':
2273
address = request[2]
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2728
if key_id and c.key_id == key_id:
2731
if fpr and c.fingerprint == fpr:
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2282
2737
if self.use_dbus:
2283
2738
# Emit D-Bus signal
2284
mandos_dbus_service.ClientNotFound(fpr,
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2286
2741
parent_pipe.send(False)
2289
gobject.io_add_watch(
2290
parent_pipe.fileno(),
2291
gobject.IO_IN | gobject.IO_HUP,
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2292
2747
functools.partial(self.handle_ipc,
2293
parent_pipe = parent_pipe,
2295
client_object = client))
2748
parent_pipe=parent_pipe,
2750
client_object=client))
2296
2751
parent_pipe.send(True)
2297
2752
# remove the old hook in favor of the new above hook on
2745
3210
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2746
3211
service = AvahiServiceToSyslog(
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
2751
3216
if server_settings["interface"]:
2752
3217
service.interface = if_nametoindex(
2753
3218
server_settings["interface"].encode("utf-8"))
2755
3220
global multiprocessing_manager
2756
3221
multiprocessing_manager = multiprocessing.Manager()
2758
3223
client_class = Client
2760
client_class = functools.partial(ClientDBus, bus = bus)
3225
client_class = functools.partial(ClientDBus, bus=bus)
2762
3227
client_settings = Client.config_parser(client_config)
2763
3228
old_client_settings = {}
2764
3229
clients_data = {}
2766
3231
# This is used to redirect stdout and stderr for checker processes
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2769
3234
# Only used if server is running in foreground but not in debug
2771
3236
if debug or not foreground:
2774
3239
# Get client data and settings from last running state.
2775
3240
if server_settings["restore"]:
2777
3242
with open(stored_state_path, "rb") as stored_state:
2778
clients_data, old_client_settings = pickle.load(
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3262
clients_data[key].items()}
3263
clients_data[key] = value
3265
value["client_structure"] = [
3267
if isinstance(s, bytes)
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
2780
3293
os.remove(stored_state_path)
2781
3294
except IOError as e:
2782
3295
if e.errno == errno.ENOENT: