To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1218
- compare with another revision
- download diff
- download tarball
- view history from revision 1218
- Committer: teddy at recompile
- Date: 2020-07-04 11:58:52 UTC
- Revision ID: teddy@recompile.se-20200704115852-oquhnmng3zom4ldl
Update copyright year
* DBUS-API: Update copyright year to 2020
* debian/copyright: - '' -
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/password-agent.c: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/plymouth.c: - '' -
* mandos-to-cryptroot-unlock: Update copyright year to 2019.
* DBUS-API: Update copyright year to 2020
* debian/copyright: - '' -
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/password-agent.c: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/plymouth.c: - '' -
* mandos-to-cryptroot-unlock: Update copyright year to 2019.
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import unittest
81
import random
82
import shlex
80
83
81
84
import dbus
82
85
import dbus.service
86
import gi
83
87
from gi.repository import GLib
84
88
from dbus.mainloop.glib import DBusGMainLoop
85
89
import ctypes
87
91
import xml.dom.minidom
88
92
import inspect
89
93
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
90
118
# Try to find the value of SO_BINDTODEVICE:
91
119
try:
92
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
112
140
# No value found
113
141
SO_BINDTODEVICE = None
114
142
115
if sys.version_info.major == 2:
116
str = unicode
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
117
145
118
version = "1.7.18"
146
version = "1.8.11"
119
147
stored_state_file = "clients.pickle"
120
148
121
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
122
151
syslogger = None
123
152
124
153
try:
179
208
pass
180
209
181
210
182
class PGPEngine(object):
211
class PGPEngine:
183
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
213
185
214
def __init__(self):
189
218
output = subprocess.check_output(["gpgconf"])
190
219
for line in output.splitlines():
191
220
name, text, path = line.split(b":")
192
if name == "gpg":
221
if name == b"gpg":
193
222
self.gpg = path
194
223
break
195
224
except OSError as e:
200
229
'--force-mdc',
201
230
'--quiet']
202
231
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
204
233
self.gnupgargs.append("--no-use-agent")
205
234
206
235
def __enter__(self):
275
304
276
305
277
306
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
281
309
IF_UNSPEC = -1 # avahi-common/address.h
282
310
PROTO_UNSPEC = -1 # avahi-common/address.h
283
311
PROTO_INET = 0 # avahi-common/address.h
287
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
316
DBUS_PATH_SERVER = "/"
289
317
290
def string_array_to_txt_array(self, t):
318
@staticmethod
319
def string_array_to_txt_array(t):
291
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
321
for s in t), signature="ay")
293
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
327
SERVER_RUNNING = 2 # avahi-common/defs.h
299
328
SERVER_COLLISION = 3 # avahi-common/defs.h
300
329
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
330
303
331
304
332
class AvahiError(Exception):
316
344
pass
317
345
318
346
319
class AvahiService(object):
347
class AvahiService:
320
348
"""An Avahi (Zeroconf) service.
321
349
322
350
Attributes:
504
532
505
533
506
534
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
510
537
511
538
library = ctypes.util.find_library("gnutls")
512
539
if library is None:
513
540
library = ctypes.util.find_library("gnutls-deb0")
514
541
_library = ctypes.cdll.LoadLibrary(library)
515
542
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
543
525
544
# Unless otherwise indicated, the constants and types below are
526
545
# all from the gnutls/gnutls.h C header file.
530
549
E_INTERRUPTED = -52
531
550
E_AGAIN = -28
532
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
533
553
CLIENT = 2
534
554
SHUT_RDWR = 0
535
555
CRD_CERTIFICATE = 1
536
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
563
539
564
# Types
562
587
563
588
# Exceptions
564
589
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
590
def __init__(self, message=None, code=None, args=()):
570
591
# Default usage is by a message string, but if a return
571
592
# code is passed, convert it to a string with
572
593
# gnutls.strerror()
573
594
self.code = code
574
595
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
577
598
message, *args)
578
599
579
600
class CertificateSecurityError(Error):
580
601
pass
581
602
582
603
# Classes
583
class Credentials(object):
604
class Credentials:
584
605
def __init__(self):
585
606
self._c_object = gnutls.certificate_credentials_t()
586
607
gnutls.certificate_allocate_credentials(
590
611
def __del__(self):
591
612
gnutls.certificate_free_credentials(self._c_object)
592
613
593
class ClientSession(object):
614
class ClientSession:
594
615
def __init__(self, socket, credentials=None):
595
616
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
597
624
gnutls.set_default_priority(self._c_object)
598
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
626
gnutls.handshake_set_private_extensions(self._c_object,
731
758
check_version.argtypes = [ctypes.c_char_p]
732
759
check_version.restype = ctypes.c_char_p
733
760
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
762
830
763
831
# Remove non-public functions
764
832
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
767
833
768
834
769
835
def call_pipe(connection, # : multiprocessing.Connection
777
843
connection.close()
778
844
779
845
780
class Client(object):
846
class Client:
781
847
"""A representation of a client host served by this server.
782
848
783
849
Attributes:
784
850
approved: bool(); 'None' if not yet approved/disapproved
785
851
approval_delay: datetime.timedelta(); Time to wait for approval
786
852
approval_duration: datetime.timedelta(); Duration of one approval
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
790
856
checker_callback_tag: a GLib event source tag, or None
791
857
checker_command: string; External command which is run to check
792
858
if client lives. %() expansions are done at
800
866
disable_initiator_tag: a GLib event source tag, or None
801
867
enabled: bool()
802
868
fingerprint: string (40 or 32 hexadecimal digits); used to
803
uniquely identify the client
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
804
872
host: string; available for use by the checker command
805
873
interval: datetime.timedelta(); How often to start a new checker
806
874
last_approval_request: datetime.datetime(); (UTC) or None
824
892
"""
825
893
826
894
runtime_expansions = ("approval_delay", "approval_duration",
827
"created", "enabled", "expires",
895
"created", "enabled", "expires", "key_id",
828
896
"fingerprint", "host", "interval",
829
897
"last_approval_request", "last_checked_ok",
830
898
"last_enabled", "name", "timeout")
860
928
client["enabled"] = config.getboolean(client_name,
861
929
"enabled")
862
930
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
866
936
client["fingerprint"] = (section["fingerprint"].upper()
867
937
.replace(" ", ""))
868
938
if "secret" in section:
912
982
self.expires = None
913
983
914
984
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
915
986
logger.debug(" Fingerprint: %s", self.fingerprint)
916
987
self.created = settings.get("created",
917
988
datetime.datetime.utcnow())
981
1052
if self.checker_initiator_tag is not None:
982
1053
GLib.source_remove(self.checker_initiator_tag)
983
1054
self.checker_initiator_tag = GLib.timeout_add(
984
int(self.interval.total_seconds() * 1000),
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
985
1057
self.start_checker)
986
1058
# Schedule a disable() when 'timeout' has passed
987
1059
if self.disable_initiator_tag is not None:
994
1066
def checker_callback(self, source, condition, connection,
995
1067
command):
996
1068
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
999
1069
# Read return code from connection (see call_pipe)
1000
1070
returncode = connection.recv()
1001
1071
connection.close()
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1002
1076
1003
1077
if returncode >= 0:
1004
1078
self.last_checker_status = returncode
1060
1134
if self.checker is None:
1061
1135
# Escape attributes for the shell
1062
1136
escaped_attrs = {
1063
attr: re.escape(str(getattr(self, attr)))
1137
attr: shlex.quote(str(getattr(self, attr)))
1064
1138
for attr in self.runtime_expansions}
1065
1139
try:
1066
1140
command = self.checker_command % escaped_attrs
1093
1167
kwargs=popen_args)
1094
1168
self.checker.start()
1095
1169
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1097
1172
self.checker_callback, pipe[0], command)
1098
1173
# Re-run this periodically if run by GLib.timeout_add
1099
1174
return True
1354
1429
raise ValueError("Byte arrays not supported for non-"
1355
1430
"'ay' signature {!r}"
1356
1431
.format(prop._dbus_signature))
1357
value = dbus.ByteArray(b''.join(chr(byte)
1358
for byte in value))
1432
value = dbus.ByteArray(bytes(value))
1359
1433
prop(value)
1360
1434
1361
1435
@dbus.service.method(dbus.PROPERTIES_IFACE,
1999
2073
def Name_dbus_property(self):
2000
2074
return dbus.String(self.name)
2001
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
2002
2083
# Fingerprint - property
2003
2084
@dbus_annotations(
2004
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2159
2240
del _interface
2160
2241
2161
2242
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
2164
2245
self._pipe = child_pipe
2165
self._pipe.send(('init', fpr, address))
2246
self._pipe.send(('init', key_id, fpr, address))
2166
2247
if not self._pipe.recv():
2167
raise KeyError(fpr)
2248
raise KeyError(key_id or fpr)
2168
2249
2169
2250
def __getattribute__(self, name):
2170
2251
if name == '_pipe':
2237
2318
2238
2319
approval_required = False
2239
2320
try:
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
2250
2343
self.client_address)
2251
2344
except KeyError:
2252
2345
return
2329
2422
2330
2423
@staticmethod
2331
2424
def peer_certificate(session):
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2336
2439
# ...return invalid data
2337
2440
return b""
2338
2441
list_size = ctypes.c_uint(1)
2346
2449
return ctypes.string_at(cert.data, cert.size)
2347
2450
2348
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2485
@staticmethod
2349
2486
def fingerprint(openpgp):
2350
2487
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2488
# New GnuTLS "datum" with the OpenPGP public key
2365
2502
ctypes.byref(crtverify))
2366
2503
if crtverify.value != 0:
2367
2504
gnutls.openpgp_crt_deinit(crt)
2368
raise gnutls.CertificateSecurityError("Verify failed")
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2369
2507
# New buffer for the fingerprint
2370
2508
buf = ctypes.create_string_buffer(20)
2371
2509
buf_len = ctypes.c_size_t()
2381
2519
return hex_fpr
2382
2520
2383
2521
2384
class MultiprocessingMixIn(object):
2522
class MultiprocessingMixIn:
2385
2523
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2386
2524
2387
2525
def sub_process_main(self, request, address):
2399
2537
return proc
2400
2538
2401
2539
2402
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2403
2541
""" adds a pipe to the MixIn """
2404
2542
2405
2543
def process_request(self, request, client_address):
2420
2558
2421
2559
2422
2560
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2423
socketserver.TCPServer, object):
2561
socketserver.TCPServer):
2424
2562
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2425
2563
2426
2564
Attributes:
2499
2637
raise
2500
2638
# Only bind(2) the socket if we really need to.
2501
2639
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2502
2642
if not self.server_address[0]:
2503
2643
if self.address_family == socket.AF_INET6:
2504
2644
any_address = "::" # in6addr_any
2557
2697
def add_pipe(self, parent_pipe, proc):
2558
2698
# Call "handle_ipc" for both data and EOF events
2559
2699
GLib.io_add_watch(
2560
parent_pipe.fileno(),
2561
GLib.IO_IN | GLib.IO_HUP,
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2562
2702
functools.partial(self.handle_ipc,
2563
2703
parent_pipe=parent_pipe,
2564
2704
proc=proc))
2578
2718
command = request[0]
2579
2719
2580
2720
if command == 'init':
2581
fpr = request[1].decode("ascii")
2582
address = request[2]
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2583
2724
2584
2725
for c in self.clients.values():
2585
if c.fingerprint == fpr:
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2586
2732
client = c
2587
2733
break
2588
2734
else:
2589
logger.info("Client not found for fingerprint: %s, ad"
2590
"dress: %s", fpr, address)
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2591
2737
if self.use_dbus:
2592
2738
# Emit D-Bus signal
2593
mandos_dbus_service.ClientNotFound(fpr,
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
2740
address[0])
2595
2741
parent_pipe.send(False)
2596
2742
return False
2597
2743
2598
2744
GLib.io_add_watch(
2599
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2601
2747
functools.partial(self.handle_ipc,
2602
2748
parent_pipe=parent_pipe,
2603
2749
proc=proc,
2618
2764
if command == 'getattr':
2619
2765
attrname = request[1]
2620
2766
if isinstance(client_object.__getattribute__(attrname),
2621
collections.Callable):
2767
collections.abc.Callable):
2622
2768
parent_pipe.send(('function', ))
2623
2769
else:
2624
2770
parent_pipe.send((
2635
2781
def rfc3339_duration_to_delta(duration):
2636
2782
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2637
2783
2638
>>> rfc3339_duration_to_delta("P7D")
2639
datetime.timedelta(7)
2640
>>> rfc3339_duration_to_delta("PT60S")
2641
datetime.timedelta(0, 60)
2642
>>> rfc3339_duration_to_delta("PT60M")
2643
datetime.timedelta(0, 3600)
2644
>>> rfc3339_duration_to_delta("PT24H")
2645
datetime.timedelta(1)
2646
>>> rfc3339_duration_to_delta("P1W")
2647
datetime.timedelta(7)
2648
>>> rfc3339_duration_to_delta("PT5M30S")
2649
datetime.timedelta(0, 330)
2650
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
datetime.timedelta(1, 200)
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2652
2798
"""
2653
2799
2654
2800
# Parsing an RFC 3339 duration with regular expressions is not
2734
2880
def string_to_delta(interval):
2735
2881
"""Parse a string and return a datetime.timedelta
2736
2882
2737
>>> string_to_delta('7d')
2738
datetime.timedelta(7)
2739
>>> string_to_delta('60s')
2740
datetime.timedelta(0, 60)
2741
>>> string_to_delta('60m')
2742
datetime.timedelta(0, 3600)
2743
>>> string_to_delta('24h')
2744
datetime.timedelta(1)
2745
>>> string_to_delta('1w')
2746
datetime.timedelta(7)
2747
>>> string_to_delta('5m 30s')
2748
datetime.timedelta(0, 330)
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2749
2895
"""
2750
2896
2751
2897
try:
2853
2999
2854
3000
options = parser.parse_args()
2855
3001
2856
if options.check:
2857
import doctest
2858
fail_count, test_count = doctest.testmod()
2859
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2861
3002
# Default values for config file for server-global settings
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
2862
3009
server_defaults = {"interface": "",
2863
3010
"address": "",
2864
3011
"port": "",
2865
3012
"debug": "False",
2866
"priority":
2867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
":+SIGN-DSA-SHA256",
3013
"priority": priority,
2869
3014
"servicename": "Mandos",
2870
3015
"use_dbus": "True",
2871
3016
"use_ipv6": "True",
2876
3021
"foreground": "False",
2877
3022
"zeroconf": "True",
2878
3023
}
3024
del priority
2879
3025
2880
3026
# Parse config file for server-global settings
2881
server_config = configparser.SafeConfigParser(server_defaults)
3027
server_config = configparser.ConfigParser(server_defaults)
2882
3028
del server_defaults
2883
3029
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2884
# Convert the SafeConfigParser object to a dict
3030
# Convert the ConfigParser object to a dict
2885
3031
server_settings = server_config.defaults()
2886
3032
# Use the appropriate methods on the non-string config options
2887
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2959
3105
server_settings["servicename"])))
2960
3106
2961
3107
# Parse config file with clients
2962
client_config = configparser.SafeConfigParser(Client
2963
.client_defaults)
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2964
3109
client_config.read(os.path.join(server_settings["configdir"],
2965
3110
"clients.conf"))
2966
3111
3037
3182
# Close all input and output, do double fork, etc.
3038
3183
daemon()
3039
3184
3040
# multiprocessing will use threads, so before we use GLib we need
3041
# to inform GLib that threads will be used.
3042
GLib.threads_init()
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3043
3189
3044
3190
global main_loop
3045
3191
# From the Avahi example code
3121
3267
if isinstance(s, bytes)
3122
3268
else s) for s in
3123
3269
value["client_structure"]]
3124
# .name & .host
3125
for k in ("name", "host"):
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3126
3272
if isinstance(value[k], bytes):
3127
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3128
3278
# old_client_settings
3129
3279
# .keys()
3130
3280
old_client_settings = {
3134
3284
for key, value in
3135
3285
bytes_old_client_settings.items()}
3136
3286
del bytes_old_client_settings
3137
# .host
3287
# .host and .checker_command
3138
3288
for value in old_client_settings.values():
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3141
.decode("utf-8"))
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
3142
3293
os.remove(stored_state_path)
3143
3294
except IOError as e:
3144
3295
if e.errno == errno.ENOENT:
3267
3418
pass
3268
3419
3269
3420
@dbus.service.signal(_interface, signature="ss")
3270
def ClientNotFound(self, fingerprint, address):
3421
def ClientNotFound(self, key_id, address):
3271
3422
"D-Bus signal"
3272
3423
pass
3273
3424
3469
3620
sys.exit(1)
3470
3621
# End of Avahi example code
3471
3622
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3476
3628
3477
3629
logger.debug("Starting main loop")
3478
3630
main_loop.run()
3488
3640
# Must run before the D-Bus bus name gets deregistered
3489
3641
cleanup()
3490
3642
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3491
3659
3492
3660
if __name__ == '__main__':
3493
main()
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0