/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: teddy at recompile
  • Date: 2020-12-03 20:30:45 UTC
  • Revision ID: teddy@recompile.se-20201203203045-iqd6nq9y5nwalh1x
Minor fix of a test function

In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket.  Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.

This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer.  The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)

* dracut-module/password-agent.c
  (test_send_password_to_socket_EMSGSIZE): Break out early when ssret
  < 0 and errno == EMSGSIZE; don't allow loop to increase message_size
  again.

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2019 Teddy Hogeborn
15
 
# Copyright © 2008-2019 Björn Påhlsson
 
14
# Copyright © 2008-2020 Teddy Hogeborn
 
15
# Copyright © 2008-2020 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
143
143
if sys.version_info < (3, 2):
144
144
    configparser.Configparser = configparser.SafeConfigParser
145
145
 
146
 
version = "1.8.9"
 
146
version = "1.8.13"
147
147
stored_state_file = "clients.pickle"
148
148
 
149
149
logger = logging.getLogger()
524
524
class AvahiServiceToSyslog(AvahiService):
525
525
    def rename(self, *args, **kwargs):
526
526
        """Add the new name to the syslog messages"""
527
 
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
 
527
        ret = super(AvahiServiceToSyslog, self).rename(*args,
 
528
                                                       **kwargs)
528
529
        syslogger.setFormatter(logging.Formatter(
529
530
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
531
            .format(self.name)))
774
775
 
775
776
        x509_crt_fmt_t = ctypes.c_int
776
777
 
777
 
        # All the function declarations below are from gnutls/abstract.h
 
778
        # All the function declarations below are from
 
779
        # gnutls/abstract.h
778
780
        pubkey_init = _library.gnutls_pubkey_init
779
781
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
782
        pubkey_init.restype = _error_code
794
796
        pubkey_deinit.argtypes = [pubkey_t]
795
797
        pubkey_deinit.restype = None
796
798
    else:
797
 
        # All the function declarations below are from gnutls/openpgp.h
 
799
        # All the function declarations below are from
 
800
        # gnutls/openpgp.h
798
801
 
799
802
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
803
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
806
809
                                       openpgp_crt_fmt_t]
807
810
        openpgp_crt_import.restype = _error_code
808
811
 
809
 
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
 
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
 
                                            ctypes.POINTER(ctypes.c_uint)]
 
812
        openpgp_crt_verify_self = \
 
813
            _library.gnutls_openpgp_crt_verify_self
 
814
        openpgp_crt_verify_self.argtypes = [
 
815
            openpgp_crt_t,
 
816
            ctypes.c_uint,
 
817
            ctypes.POINTER(ctypes.c_uint),
 
818
        ]
812
819
        openpgp_crt_verify_self.restype = _error_code
813
820
 
814
821
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
2468
2475
        buf = ctypes.create_string_buffer(32)
2469
2476
        buf_len = ctypes.c_size_t(len(buf))
2470
2477
        # Get the key ID from the raw public key into the buffer
2471
 
        gnutls.pubkey_get_key_id(pubkey,
2472
 
                                 gnutls.KEYID_USE_SHA256,
2473
 
                                 ctypes.cast(ctypes.byref(buf),
2474
 
                                             ctypes.POINTER(ctypes.c_ubyte)),
2475
 
                                 ctypes.byref(buf_len))
 
2478
        gnutls.pubkey_get_key_id(
 
2479
            pubkey,
 
2480
            gnutls.KEYID_USE_SHA256,
 
2481
            ctypes.cast(ctypes.byref(buf),
 
2482
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2483
            ctypes.byref(buf_len))
2476
2484
        # Deinit the certificate
2477
2485
        gnutls.pubkey_deinit(pubkey)
2478
2486
 
2723
2731
            address = request[3]
2724
2732
 
2725
2733
            for c in self.clients.values():
2726
 
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
 
2734
                if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
 
2735
                              "27AE41E4649B934CA495991B7852B855"):
2727
2736
                    continue
2728
2737
                if key_id and c.key_id == key_id:
2729
2738
                    client = c
2781
2790
def rfc3339_duration_to_delta(duration):
2782
2791
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
2783
2792
 
2784
 
    >>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
 
    True
2786
 
    >>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
 
    True
2788
 
    >>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
 
    True
2790
 
    >>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
 
    True
2792
 
    >>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
 
    True
2794
 
    >>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
 
    True
2796
 
    >>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
 
    True
 
2793
    >>> timedelta = datetime.timedelta
 
2794
    >>> rfc3339_duration_to_delta("P7D") == timedelta(7)
 
2795
    True
 
2796
    >>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
 
2797
    True
 
2798
    >>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
 
2799
    True
 
2800
    >>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
 
2801
    True
 
2802
    >>> rfc3339_duration_to_delta("P1W") == timedelta(7)
 
2803
    True
 
2804
    >>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
 
2805
    True
 
2806
    >>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
 
2807
    True
 
2808
    >>> del timedelta
2798
2809
    """
2799
2810
 
2800
2811
    # Parsing an RFC 3339 duration with regular expressions is not