To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1250
- compare with another revision
- download diff
- download tarball
- view history from revision 1250
- Committer: Teddy Hogeborn
- Date: 2022-04-23 23:58:39 UTC
- Revision ID: teddy@recompile.se-20220423235839-cnt9aq1kjveqaydc
Bug fix in mandos-ctl: handle backslashes in password
* mandos-ctl (mode=password): When sending the password to gpg, use
"printf" instead of "echo -n". This avoids the behavior of the
"echo" builtin in "dash", which always interprets backslash escape
codes.
Reported-By: Jesse Norell <jesse@kci.net>
* mandos-ctl (mode=password): When sending the password to gpg, use
"printf" instead of "echo -n". This avoids the behavior of the
"echo" builtin in "dash", which always interprets backslash escape
codes.
Reported-By: Jesse Norell <jesse@kci.net>
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
30
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
33
#
76
77
import itertools
77
78
import collections
78
79
import codecs
80
import unittest
81
import random
82
import shlex
79
83
80
84
import dbus
81
85
import dbus.service
86
import gi
82
87
from gi.repository import GLib
83
88
from dbus.mainloop.glib import DBusGMainLoop
84
89
import ctypes
86
91
import xml.dom.minidom
87
92
import inspect
88
93
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
89
118
# Try to find the value of SO_BINDTODEVICE:
90
119
try:
91
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
111
140
# No value found
112
141
SO_BINDTODEVICE = None
113
142
114
if sys.version_info.major == 2:
115
str = unicode
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
116
145
117
version = "1.7.14"
146
version = "1.8.14"
118
147
stored_state_file = "clients.pickle"
119
148
120
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
121
151
syslogger = None
122
152
123
153
try:
159
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
190
address="/dev/log"))
161
191
syslogger.setFormatter(logging.Formatter
162
('Mandos [%(process)d]: %(levelname)s:'
163
' %(message)s'))
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
164
194
logger.addHandler(syslogger)
165
195
166
196
if debug:
167
197
console = logging.StreamHandler()
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
169
' [%(process)d]:'
170
' %(levelname)s:'
171
' %(message)s'))
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
172
202
logger.addHandler(console)
173
203
logger.setLevel(level)
174
204
178
208
pass
179
209
180
210
181
class PGPEngine(object):
211
class PGPEngine:
182
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
213
184
214
def __init__(self):
188
218
output = subprocess.check_output(["gpgconf"])
189
219
for line in output.splitlines():
190
220
name, text, path = line.split(b":")
191
if name == "gpg":
221
if name == b"gpg":
192
222
self.gpg = path
193
223
break
194
224
except OSError as e:
195
225
if e.errno != errno.ENOENT:
196
226
raise
197
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
199
'--force-mdc',
200
'--quiet']
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
201
231
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
203
233
self.gnupgargs.append("--no-use-agent")
204
234
205
235
def __enter__(self):
242
272
dir=self.tempdir) as passfile:
243
273
passfile.write(passphrase)
244
274
passfile.flush()
245
proc = subprocess.Popen([self.gpg, '--symmetric',
246
'--passphrase-file',
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
247
277
passfile.name]
248
278
+ self.gnupgargs,
249
279
stdin=subprocess.PIPE,
260
290
dir=self.tempdir) as passfile:
261
291
passfile.write(passphrase)
262
292
passfile.flush()
263
proc = subprocess.Popen([self.gpg, '--decrypt',
264
'--passphrase-file',
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
265
295
passfile.name]
266
296
+ self.gnupgargs,
267
297
stdin=subprocess.PIPE,
274
304
275
305
276
306
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
280
309
IF_UNSPEC = -1 # avahi-common/address.h
281
310
PROTO_UNSPEC = -1 # avahi-common/address.h
282
311
PROTO_INET = 0 # avahi-common/address.h
286
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
316
DBUS_PATH_SERVER = "/"
288
317
289
def string_array_to_txt_array(self, t):
318
@staticmethod
319
def string_array_to_txt_array(t):
290
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
321
for s in t), signature="ay")
292
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
297
327
SERVER_RUNNING = 2 # avahi-common/defs.h
298
328
SERVER_COLLISION = 3 # avahi-common/defs.h
299
329
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
330
302
331
303
332
class AvahiError(Exception):
315
344
pass
316
345
317
346
318
class AvahiService(object):
347
class AvahiService:
319
348
"""An Avahi (Zeroconf) service.
320
349
321
350
Attributes:
322
351
interface: integer; avahi.IF_UNSPEC or an interface index.
323
352
Used to optionally bind to the specified interface.
324
name: string; Example: 'Mandos'
325
type: string; Example: '_mandos._tcp'.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
326
355
See <https://www.iana.org/assignments/service-names-port-numbers>
327
356
port: integer; what port to announce
328
357
TXT: list of strings; TXT record for the service
406
435
avahi.DBUS_INTERFACE_ENTRY_GROUP)
407
436
self.entry_group_state_changed_match = (
408
437
self.group.connect_to_signal(
409
'StateChanged', self.entry_group_state_changed))
438
"StateChanged", self.entry_group_state_changed))
410
439
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
411
440
self.name, self.type)
412
441
self.group.AddService(
495
524
class AvahiServiceToSyslog(AvahiService):
496
525
def rename(self, *args, **kwargs):
497
526
"""Add the new name to the syslog messages"""
498
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
499
529
syslogger.setFormatter(logging.Formatter(
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
501
531
.format(self.name)))
502
532
return ret
503
533
504
534
505
535
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
509
538
510
539
library = ctypes.util.find_library("gnutls")
511
540
if library is None:
512
541
library = ctypes.util.find_library("gnutls-deb0")
513
542
_library = ctypes.cdll.LoadLibrary(library)
514
543
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
544
524
545
# Unless otherwise indicated, the constants and types below are
525
546
# all from the gnutls/gnutls.h C header file.
529
550
E_INTERRUPTED = -52
530
551
E_AGAIN = -28
531
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
532
554
CLIENT = 2
533
555
SHUT_RDWR = 0
534
556
CRD_CERTIFICATE = 1
535
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
536
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
564
538
565
# Types
539
class session_int(ctypes.Structure):
566
class _session_int(ctypes.Structure):
540
567
_fields_ = []
541
session_t = ctypes.POINTER(session_int)
568
session_t = ctypes.POINTER(_session_int)
542
569
543
570
class certificate_credentials_st(ctypes.Structure):
544
571
_fields_ = []
547
574
certificate_type_t = ctypes.c_int
548
575
549
576
class datum_t(ctypes.Structure):
550
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
551
('size', ctypes.c_uint)]
577
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
578
("size", ctypes.c_uint)]
552
579
553
class openpgp_crt_int(ctypes.Structure):
580
class _openpgp_crt_int(ctypes.Structure):
554
581
_fields_ = []
555
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
556
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
557
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
558
585
credentials_type_t = ctypes.c_int
561
588
562
589
# Exceptions
563
590
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
591
def __init__(self, message=None, code=None, args=()):
569
592
# Default usage is by a message string, but if a return
570
593
# code is passed, convert it to a string with
571
594
# gnutls.strerror()
572
595
self.code = code
573
596
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
576
600
message, *args)
577
601
578
602
class CertificateSecurityError(Error):
579
603
pass
580
604
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
581
630
# Classes
582
class Credentials(object):
631
class Credentials(With_from_param):
583
632
def __init__(self):
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
587
635
self.type = gnutls.CRD_CERTIFICATE
588
636
589
637
def __del__(self):
590
gnutls.certificate_free_credentials(self._c_object)
638
gnutls.certificate_free_credentials(self)
591
639
592
class ClientSession(object):
640
class ClientSession(With_from_param):
593
641
def __init__(self, socket, credentials=None):
594
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
596
gnutls.set_default_priority(self._c_object)
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
gnutls.handshake_set_private_extensions(self._c_object,
599
True)
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
600
653
self.socket = socket
601
654
if credentials is None:
602
655
credentials = gnutls.Credentials()
603
gnutls.credentials_set(self._c_object, credentials.type,
604
ctypes.cast(credentials._c_object,
605
ctypes.c_void_p))
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
606
658
self.credentials = credentials
607
659
608
660
def __del__(self):
609
gnutls.deinit(self._c_object)
661
gnutls.deinit(self)
610
662
611
663
def handshake(self):
612
return gnutls.handshake(self._c_object)
664
return gnutls.handshake(self)
613
665
614
666
def send(self, data):
615
667
data = bytes(data)
616
668
data_len = len(data)
617
669
while data_len > 0:
618
data_len -= gnutls.record_send(self._c_object,
619
data[-data_len:],
670
data_len -= gnutls.record_send(self, data[-data_len:],
620
671
data_len)
621
672
622
673
def bye(self):
623
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
624
675
625
676
# Error handling functions
626
677
def _error_code(result):
627
678
"""A function to raise exceptions on errors, suitable
628
for the 'restype' attribute on ctypes functions"""
629
if result >= 0:
679
for the "restype" attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
630
681
return result
631
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
632
683
raise gnutls.CertificateSecurityError(code=result)
633
684
raise gnutls.Error(code=result)
634
685
635
def _retry_on_error(result, func, arguments):
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
636
688
"""A function to retry on some errors, suitable
637
for the 'errcheck' attribute on ctypes functions"""
638
while result < 0:
689
for the "errcheck" attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
639
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
640
692
return _error_code(result)
641
693
result = func(*arguments)
646
698
647
699
# Functions
648
700
priority_set_direct = _library.gnutls_priority_set_direct
649
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
650
702
ctypes.POINTER(ctypes.c_char_p)]
651
703
priority_set_direct.restype = _error_code
652
704
653
705
init = _library.gnutls_init
654
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
655
707
init.restype = _error_code
656
708
657
709
set_default_priority = _library.gnutls_set_default_priority
658
set_default_priority.argtypes = [session_t]
710
set_default_priority.argtypes = [ClientSession]
659
711
set_default_priority.restype = _error_code
660
712
661
713
record_send = _library.gnutls_record_send
662
record_send.argtypes = [session_t, ctypes.c_void_p,
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
663
715
ctypes.c_size_t]
664
716
record_send.restype = ctypes.c_ssize_t
665
717
record_send.errcheck = _retry_on_error
667
719
certificate_allocate_credentials = (
668
720
_library.gnutls_certificate_allocate_credentials)
669
721
certificate_allocate_credentials.argtypes = [
670
ctypes.POINTER(certificate_credentials_t)]
722
PointerTo(Credentials)]
671
723
certificate_allocate_credentials.restype = _error_code
672
724
673
725
certificate_free_credentials = (
674
726
_library.gnutls_certificate_free_credentials)
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
727
certificate_free_credentials.argtypes = [Credentials]
677
728
certificate_free_credentials.restype = None
678
729
679
730
handshake_set_private_extensions = (
680
731
_library.gnutls_handshake_set_private_extensions)
681
handshake_set_private_extensions.argtypes = [session_t,
732
handshake_set_private_extensions.argtypes = [ClientSession,
682
733
ctypes.c_int]
683
734
handshake_set_private_extensions.restype = None
684
735
685
736
credentials_set = _library.gnutls_credentials_set
686
credentials_set.argtypes = [session_t, credentials_type_t,
687
ctypes.c_void_p]
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
688
739
credentials_set.restype = _error_code
689
740
690
741
strerror = _library.gnutls_strerror
692
743
strerror.restype = ctypes.c_char_p
693
744
694
745
certificate_type_get = _library.gnutls_certificate_type_get
695
certificate_type_get.argtypes = [session_t]
746
certificate_type_get.argtypes = [ClientSession]
696
747
certificate_type_get.restype = _error_code
697
748
698
749
certificate_get_peers = _library.gnutls_certificate_get_peers
699
certificate_get_peers.argtypes = [session_t,
750
certificate_get_peers.argtypes = [ClientSession,
700
751
ctypes.POINTER(ctypes.c_uint)]
701
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
702
753
709
760
global_set_log_function.restype = None
710
761
711
762
deinit = _library.gnutls_deinit
712
deinit.argtypes = [session_t]
763
deinit.argtypes = [ClientSession]
713
764
deinit.restype = None
714
765
715
766
handshake = _library.gnutls_handshake
716
handshake.argtypes = [session_t]
717
handshake.restype = _error_code
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
718
769
handshake.errcheck = _retry_on_error
719
770
720
771
transport_set_ptr = _library.gnutls_transport_set_ptr
721
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
722
773
transport_set_ptr.restype = None
723
774
724
775
bye = _library.gnutls_bye
725
bye.argtypes = [session_t, close_request_t]
726
bye.restype = _error_code
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
727
778
bye.errcheck = _retry_on_error
728
779
729
780
check_version = _library.gnutls_check_version
730
781
check_version.argtypes = [ctypes.c_char_p]
731
782
check_version.restype = ctypes.c_char_p
732
783
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
761
859
762
860
# Remove non-public functions
763
861
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
766
862
767
863
768
864
def call_pipe(connection, # : multiprocessing.Connection
776
872
connection.close()
777
873
778
874
779
class Client(object):
875
class Client:
780
876
"""A representation of a client host served by this server.
781
877
782
878
Attributes:
783
approved: bool(); 'None' if not yet approved/disapproved
879
approved: bool(); None if not yet approved/disapproved
784
880
approval_delay: datetime.timedelta(); Time to wait for approval
785
881
approval_duration: datetime.timedelta(); Duration of one approval
786
checker: subprocess.Popen(); a running checker process used
787
to see if the client lives.
788
'None' if no process is running.
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. None if no process is
884
running.
789
885
checker_callback_tag: a GLib event source tag, or None
790
886
checker_command: string; External command which is run to check
791
887
if client lives. %() expansions are done at
799
895
disable_initiator_tag: a GLib event source tag, or None
800
896
enabled: bool()
801
897
fingerprint: string (40 or 32 hexadecimal digits); used to
802
uniquely identify the client
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
803
901
host: string; available for use by the checker command
804
902
interval: datetime.timedelta(); How often to start a new checker
805
903
last_approval_request: datetime.datetime(); (UTC) or None
823
921
"""
824
922
825
923
runtime_expansions = ("approval_delay", "approval_duration",
826
"created", "enabled", "expires",
924
"created", "enabled", "expires", "key_id",
827
925
"fingerprint", "host", "interval",
828
926
"last_approval_request", "last_checked_ok",
829
927
"last_enabled", "name", "timeout")
859
957
client["enabled"] = config.getboolean(client_name,
860
958
"enabled")
861
959
862
# Uppercase and remove spaces from fingerprint for later
863
# comparison purposes with return value from the
864
# fingerprint() function
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
865
965
client["fingerprint"] = (section["fingerprint"].upper()
866
966
.replace(" ", ""))
867
967
if "secret" in section:
911
1011
self.expires = None
912
1012
913
1013
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
914
1015
logger.debug(" Fingerprint: %s", self.fingerprint)
915
1016
self.created = settings.get("created",
916
1017
datetime.datetime.utcnow())
980
1081
if self.checker_initiator_tag is not None:
981
1082
GLib.source_remove(self.checker_initiator_tag)
982
1083
self.checker_initiator_tag = GLib.timeout_add(
983
int(self.interval.total_seconds() * 1000),
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
984
1086
self.start_checker)
985
1087
# Schedule a disable() when 'timeout' has passed
986
1088
if self.disable_initiator_tag is not None:
993
1095
def checker_callback(self, source, condition, connection,
994
1096
command):
995
1097
"""The checker has completed, so take appropriate actions."""
996
self.checker_callback_tag = None
997
self.checker = None
998
1098
# Read return code from connection (see call_pipe)
999
1099
returncode = connection.recv()
1000
1100
connection.close()
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1001
1105
1002
1106
if returncode >= 0:
1003
1107
self.last_checker_status = returncode
1059
1163
if self.checker is None:
1060
1164
# Escape attributes for the shell
1061
1165
escaped_attrs = {
1062
attr: re.escape(str(getattr(self, attr)))
1166
attr: shlex.quote(str(getattr(self, attr)))
1063
1167
for attr in self.runtime_expansions}
1064
1168
try:
1065
1169
command = self.checker_command % escaped_attrs
1092
1196
kwargs=popen_args)
1093
1197
self.checker.start()
1094
1198
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1096
1201
self.checker_callback, pipe[0], command)
1097
1202
# Re-run this periodically if run by GLib.timeout_add
1098
1203
return True
1137
1242
func._dbus_name = func.__name__
1138
1243
if func._dbus_name.endswith("_dbus_property"):
1139
1244
func._dbus_name = func._dbus_name[:-14]
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1245
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1141
1246
return func
1142
1247
1143
1248
return decorator
1232
1337
1233
1338
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1234
1339
out_signature="s",
1235
path_keyword='object_path',
1236
connection_keyword='connection')
1340
path_keyword="object_path",
1341
connection_keyword="connection")
1237
1342
def Introspect(self, object_path, connection):
1238
1343
"""Overloading of standard D-Bus method.
1239
1344
1353
1458
raise ValueError("Byte arrays not supported for non-"
1354
1459
"'ay' signature {!r}"
1355
1460
.format(prop._dbus_signature))
1356
value = dbus.ByteArray(b''.join(chr(byte)
1357
for byte in value))
1461
value = dbus.ByteArray(bytes(value))
1358
1462
prop(value)
1359
1463
1360
1464
@dbus.service.method(dbus.PROPERTIES_IFACE,
1393
1497
1394
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1395
1499
out_signature="s",
1396
path_keyword='object_path',
1397
connection_keyword='connection')
1500
path_keyword="object_path",
1501
connection_keyword="connection")
1398
1502
def Introspect(self, object_path, connection):
1399
1503
"""Overloading of standard D-Bus method.
1400
1504
1495
1599
1496
1600
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1497
1601
out_signature="s",
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1602
path_keyword="object_path",
1603
connection_keyword="connection")
1500
1604
def Introspect(self, object_path, connection):
1501
1605
"""Overloading of standard D-Bus method.
1502
1606
1998
2102
def Name_dbus_property(self):
1999
2103
return dbus.String(self.name)
2000
2104
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
2001
2112
# Fingerprint - property
2002
2113
@dbus_annotations(
2003
2114
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2158
2269
del _interface
2159
2270
2160
2271
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
2163
2274
self._pipe = child_pipe
2164
self._pipe.send(('init', fpr, address))
2275
self._pipe.send(("init", key_id, fpr, address))
2165
2276
if not self._pipe.recv():
2166
raise KeyError(fpr)
2277
raise KeyError(key_id or fpr)
2167
2278
2168
2279
def __getattribute__(self, name):
2169
if name == '_pipe':
2280
if name == "_pipe":
2170
2281
return super(ProxyClient, self).__getattribute__(name)
2171
self._pipe.send(('getattr', name))
2282
self._pipe.send(("getattr", name))
2172
2283
data = self._pipe.recv()
2173
if data[0] == 'data':
2284
if data[0] == "data":
2174
2285
return data[1]
2175
if data[0] == 'function':
2286
if data[0] == "function":
2176
2287
2177
2288
def func(*args, **kwargs):
2178
self._pipe.send(('funcall', name, args, kwargs))
2289
self._pipe.send(("funcall", name, args, kwargs))
2179
2290
return self._pipe.recv()[1]
2180
2291
2181
2292
return func
2182
2293
2183
2294
def __setattr__(self, name, value):
2184
if name == '_pipe':
2295
if name == "_pipe":
2185
2296
return super(ProxyClient, self).__setattr__(name, value)
2186
self._pipe.send(('setattr', name, value))
2297
self._pipe.send(("setattr", name, value))
2187
2298
2188
2299
2189
2300
class ClientHandler(socketserver.BaseRequestHandler, object):
2201
2312
2202
2313
session = gnutls.ClientSession(self.request)
2203
2314
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2315
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2205
2316
# "+AES-256-CBC", "+SHA1",
2206
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
2207
2318
# "+DHE-DSS"))
2209
2320
priority = self.server.gnutls_priority
2210
2321
if priority is None:
2211
2322
priority = "NORMAL"
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2214
None)
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2215
2325
2216
2326
# Start communication using the Mandos protocol
2217
2327
# Get protocol number
2236
2346
2237
2347
approval_required = False
2238
2348
try:
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
2249
2373
self.client_address)
2250
2374
except KeyError:
2251
2375
return
2328
2452
2329
2453
@staticmethod
2330
2454
def peer_certificate(session):
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2335
2469
# ...return invalid data
2336
2470
return b""
2337
2471
list_size = ctypes.c_uint(1)
2338
2472
cert_list = (gnutls.certificate_get_peers
2339
(session._c_object, ctypes.byref(list_size)))
2473
(session, ctypes.byref(list_size)))
2340
2474
if not bool(cert_list) and list_size.value != 0:
2341
2475
raise gnutls.Error("error getting peer certificate")
2342
2476
if list_size.value == 0:
2345
2479
return ctypes.string_at(cert.data, cert.size)
2346
2480
2347
2481
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2516
@staticmethod
2348
2517
def fingerprint(openpgp):
2349
2518
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2350
2519
# New GnuTLS "datum" with the OpenPGP public key
2364
2533
ctypes.byref(crtverify))
2365
2534
if crtverify.value != 0:
2366
2535
gnutls.openpgp_crt_deinit(crt)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2368
2538
# New buffer for the fingerprint
2369
2539
buf = ctypes.create_string_buffer(20)
2370
2540
buf_len = ctypes.c_size_t()
2380
2550
return hex_fpr
2381
2551
2382
2552
2383
class MultiprocessingMixIn(object):
2553
class MultiprocessingMixIn:
2384
2554
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2385
2555
2386
2556
def sub_process_main(self, request, address):
2398
2568
return proc
2399
2569
2400
2570
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2402
2572
""" adds a pipe to the MixIn """
2403
2573
2404
2574
def process_request(self, request, client_address):
2419
2589
2420
2590
2421
2591
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2422
socketserver.TCPServer, object):
2423
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2592
socketserver.TCPServer):
2593
"""IPv6-capable TCP server. Accepts None as address and/or port
2424
2594
2425
2595
Attributes:
2426
2596
enabled: Boolean; whether this server is activated yet
2498
2668
raise
2499
2669
# Only bind(2) the socket if we really need to.
2500
2670
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2501
2673
if not self.server_address[0]:
2502
2674
if self.address_family == socket.AF_INET6:
2503
2675
any_address = "::" # in6addr_any
2556
2728
def add_pipe(self, parent_pipe, proc):
2557
2729
# Call "handle_ipc" for both data and EOF events
2558
2730
GLib.io_add_watch(
2559
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2561
2733
functools.partial(self.handle_ipc,
2562
2734
parent_pipe=parent_pipe,
2563
2735
proc=proc))
2576
2748
request = parent_pipe.recv()
2577
2749
command = request[0]
2578
2750
2579
if command == 'init':
2580
fpr = request[1]
2581
address = request[2]
2751
if command == "init":
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2582
2755
2583
2756
for c in self.clients.values():
2584
if c.fingerprint == fpr:
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2585
2764
client = c
2586
2765
break
2587
2766
else:
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2590
2769
if self.use_dbus:
2591
2770
# Emit D-Bus signal
2592
mandos_dbus_service.ClientNotFound(fpr,
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2772
address[0])
2594
2773
parent_pipe.send(False)
2595
2774
return False
2596
2775
2597
2776
GLib.io_add_watch(
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2600
2779
functools.partial(self.handle_ipc,
2601
2780
parent_pipe=parent_pipe,
2602
2781
proc=proc,
2605
2784
# remove the old hook in favor of the new above hook on
2606
2785
# same fileno
2607
2786
return False
2608
if command == 'funcall':
2787
if command == "funcall":
2609
2788
funcname = request[1]
2610
2789
args = request[2]
2611
2790
kwargs = request[3]
2612
2791
2613
parent_pipe.send(('data', getattr(client_object,
2792
parent_pipe.send(("data", getattr(client_object,
2614
2793
funcname)(*args,
2615
2794
**kwargs)))
2616
2795
2617
if command == 'getattr':
2796
if command == "getattr":
2618
2797
attrname = request[1]
2619
2798
if isinstance(client_object.__getattribute__(attrname),
2620
collections.Callable):
2621
parent_pipe.send(('function', ))
2799
collections.abc.Callable):
2800
parent_pipe.send(("function", ))
2622
2801
else:
2623
2802
parent_pipe.send((
2624
'data', client_object.__getattribute__(attrname)))
2803
"data", client_object.__getattribute__(attrname)))
2625
2804
2626
if command == 'setattr':
2805
if command == "setattr":
2627
2806
attrname = request[1]
2628
2807
value = request[2]
2629
2808
setattr(client_object, attrname, value)
2634
2813
def rfc3339_duration_to_delta(duration):
2635
2814
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2636
2815
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2651
2832
"""
2652
2833
2653
2834
# Parsing an RFC 3339 duration with regular expressions is not
2733
2914
def string_to_delta(interval):
2734
2915
"""Parse a string and return a datetime.timedelta
2735
2916
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
2917
>>> string_to_delta("7d") == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta("24h") == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta("1w") == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2928
True
2748
2929
"""
2749
2930
2750
2931
try:
2852
3033
2853
3034
options = parser.parse_args()
2854
3035
2855
if options.check:
2856
import doctest
2857
fail_count, test_count = doctest.testmod()
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2860
3036
# Default values for config file for server-global settings
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
2861
3043
server_defaults = {"interface": "",
2862
3044
"address": "",
2863
3045
"port": "",
2864
3046
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
3047
"priority": priority,
2868
3048
"servicename": "Mandos",
2869
3049
"use_dbus": "True",
2870
3050
"use_ipv6": "True",
2875
3055
"foreground": "False",
2876
3056
"zeroconf": "True",
2877
3057
}
3058
del priority
2878
3059
2879
3060
# Parse config file for server-global settings
2880
server_config = configparser.SafeConfigParser(server_defaults)
3061
server_config = configparser.ConfigParser(server_defaults)
2881
3062
del server_defaults
2882
3063
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2883
# Convert the SafeConfigParser object to a dict
3064
# Convert the ConfigParser object to a dict
2884
3065
server_settings = server_config.defaults()
2885
3066
# Use the appropriate methods on the non-string config options
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2887
3069
server_settings[option] = server_config.getboolean("DEFAULT",
2888
3070
option)
2889
3071
if server_settings["port"]:
2952
3134
2953
3135
if server_settings["servicename"] != "Mandos":
2954
3136
syslogger.setFormatter(
2955
logging.Formatter('Mandos ({}) [%(process)d]:'
2956
' %(levelname)s: %(message)s'.format(
3137
logging.Formatter("Mandos ({}) [%(process)d]:"
3138
" %(levelname)s: %(message)s".format(
2957
3139
server_settings["servicename"])))
2958
3140
2959
3141
# Parse config file with clients
2960
client_config = configparser.SafeConfigParser(Client
2961
.client_defaults)
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2962
3143
client_config.read(os.path.join(server_settings["configdir"],
2963
3144
"clients.conf"))
2964
3145
3020
3201
3021
3202
@gnutls.log_func
3022
3203
def debug_gnutls(level, string):
3023
logger.debug("GnuTLS: %s", string[:-1])
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3024
3207
3025
3208
gnutls.global_set_log_function(debug_gnutls)
3026
3209
3035
3218
# Close all input and output, do double fork, etc.
3036
3219
daemon()
3037
3220
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3041
3225
3042
3226
global main_loop
3043
3227
# From the Avahi example code
3119
3303
if isinstance(s, bytes)
3120
3304
else s) for s in
3121
3305
value["client_structure"]]
3122
# .name & .host
3123
for k in ("name", "host"):
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3124
3308
if isinstance(value[k], bytes):
3125
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3126
3314
# old_client_settings
3127
3315
# .keys()
3128
3316
old_client_settings = {
3132
3320
for key, value in
3133
3321
bytes_old_client_settings.items()}
3134
3322
del bytes_old_client_settings
3135
# .host
3323
# .host and .checker_command
3136
3324
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
3140
3329
os.remove(stored_state_path)
3141
3330
except IOError as e:
3142
3331
if e.errno == errno.ENOENT:
3265
3454
pass
3266
3455
3267
3456
@dbus.service.signal(_interface, signature="ss")
3268
def ClientNotFound(self, fingerprint, address):
3457
def ClientNotFound(self, key_id, address):
3269
3458
"D-Bus signal"
3270
3459
pass
3271
3460
3395
3584
3396
3585
try:
3397
3586
with tempfile.NamedTemporaryFile(
3398
mode='wb',
3587
mode="wb",
3399
3588
suffix=".pickle",
3400
prefix='clients-',
3589
prefix="clients-",
3401
3590
dir=os.path.dirname(stored_state_path),
3402
3591
delete=False) as stored_state:
3403
3592
pickle.dump((clients, client_settings), stored_state,
3467
3656
sys.exit(1)
3468
3657
# End of Avahi example code
3469
3658
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3474
3664
3475
3665
logger.debug("Starting main loop")
3476
3666
main_loop.run()
3486
3676
# Must run before the D-Bus bus name gets deregistered
3487
3677
cleanup()
3488
3678
3489
3490
if __name__ == '__main__':
3491
main()
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action="store_true")
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3695
3696
if __name__ == "__main__":
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0