To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1250
- compare with another revision
- download diff
- download tarball
- view history from revision 1250
- Committer: Teddy Hogeborn
- Date: 2022-04-23 23:58:39 UTC
- Revision ID: teddy@recompile.se-20220423235839-cnt9aq1kjveqaydc
Bug fix in mandos-ctl: handle backslashes in password
* mandos-ctl (mode=password): When sending the password to gpg, use
"printf" instead of "echo -n". This avoids the behavior of the
"echo" builtin in "dash", which always interprets backslash escape
codes.
Reported-By: Jesse Norell <jesse@kci.net>
* mandos-ctl (mode=password): When sending the password to gpg, use
"printf" instead of "echo -n". This avoids the behavior of the
"echo" builtin in "dash", which always interprets backslash escape
codes.
Reported-By: Jesse Norell <jesse@kci.net>
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
30
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
33
#
76
77
import itertools
77
78
import collections
78
79
import codecs
80
import unittest
81
import random
82
import shlex
79
83
80
84
import dbus
81
85
import dbus.service
86
import gi
82
87
from gi.repository import GLib
83
88
from dbus.mainloop.glib import DBusGMainLoop
84
89
import ctypes
86
91
import xml.dom.minidom
87
92
import inspect
88
93
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
89
118
# Try to find the value of SO_BINDTODEVICE:
90
119
try:
91
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
111
140
# No value found
112
141
SO_BINDTODEVICE = None
113
142
114
if sys.version_info.major == 2:
115
str = unicode
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
116
145
117
version = "1.7.13"
146
version = "1.8.14"
118
147
stored_state_file = "clients.pickle"
119
148
120
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
121
151
syslogger = None
122
152
123
153
try:
159
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
190
address="/dev/log"))
161
191
syslogger.setFormatter(logging.Formatter
162
('Mandos [%(process)d]: %(levelname)s:'
163
' %(message)s'))
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
164
194
logger.addHandler(syslogger)
165
195
166
196
if debug:
167
197
console = logging.StreamHandler()
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
169
' [%(process)d]:'
170
' %(levelname)s:'
171
' %(message)s'))
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
172
202
logger.addHandler(console)
173
203
logger.setLevel(level)
174
204
178
208
pass
179
209
180
210
181
class PGPEngine(object):
211
class PGPEngine:
182
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
213
184
214
def __init__(self):
188
218
output = subprocess.check_output(["gpgconf"])
189
219
for line in output.splitlines():
190
220
name, text, path = line.split(b":")
191
if name == "gpg":
221
if name == b"gpg":
192
222
self.gpg = path
193
223
break
194
224
except OSError as e:
195
225
if e.errno != errno.ENOENT:
196
226
raise
197
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
199
'--force-mdc',
200
'--quiet']
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
201
231
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
203
233
self.gnupgargs.append("--no-use-agent")
204
234
205
235
def __enter__(self):
242
272
dir=self.tempdir) as passfile:
243
273
passfile.write(passphrase)
244
274
passfile.flush()
245
proc = subprocess.Popen([self.gpg, '--symmetric',
246
'--passphrase-file',
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
247
277
passfile.name]
248
278
+ self.gnupgargs,
249
279
stdin=subprocess.PIPE,
260
290
dir=self.tempdir) as passfile:
261
291
passfile.write(passphrase)
262
292
passfile.flush()
263
proc = subprocess.Popen([self.gpg, '--decrypt',
264
'--passphrase-file',
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
265
295
passfile.name]
266
296
+ self.gnupgargs,
267
297
stdin=subprocess.PIPE,
274
304
275
305
276
306
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
280
309
IF_UNSPEC = -1 # avahi-common/address.h
281
310
PROTO_UNSPEC = -1 # avahi-common/address.h
282
311
PROTO_INET = 0 # avahi-common/address.h
286
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
316
DBUS_PATH_SERVER = "/"
288
317
289
def string_array_to_txt_array(self, t):
318
@staticmethod
319
def string_array_to_txt_array(t):
290
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
321
for s in t), signature="ay")
292
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
297
327
SERVER_RUNNING = 2 # avahi-common/defs.h
298
328
SERVER_COLLISION = 3 # avahi-common/defs.h
299
329
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
330
302
331
303
332
class AvahiError(Exception):
315
344
pass
316
345
317
346
318
class AvahiService(object):
347
class AvahiService:
319
348
"""An Avahi (Zeroconf) service.
320
349
321
350
Attributes:
322
351
interface: integer; avahi.IF_UNSPEC or an interface index.
323
352
Used to optionally bind to the specified interface.
324
name: string; Example: 'Mandos'
325
type: string; Example: '_mandos._tcp'.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
326
355
See <https://www.iana.org/assignments/service-names-port-numbers>
327
356
port: integer; what port to announce
328
357
TXT: list of strings; TXT record for the service
406
435
avahi.DBUS_INTERFACE_ENTRY_GROUP)
407
436
self.entry_group_state_changed_match = (
408
437
self.group.connect_to_signal(
409
'StateChanged', self.entry_group_state_changed))
438
"StateChanged", self.entry_group_state_changed))
410
439
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
411
440
self.name, self.type)
412
441
self.group.AddService(
495
524
class AvahiServiceToSyslog(AvahiService):
496
525
def rename(self, *args, **kwargs):
497
526
"""Add the new name to the syslog messages"""
498
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
499
529
syslogger.setFormatter(logging.Formatter(
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
501
531
.format(self.name)))
502
532
return ret
503
533
504
534
505
535
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
509
538
510
539
library = ctypes.util.find_library("gnutls")
511
540
if library is None:
512
541
library = ctypes.util.find_library("gnutls-deb0")
513
542
_library = ctypes.cdll.LoadLibrary(library)
514
543
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use class name "GnuTLS" here, since this method is
519
# called before the assignment to the "gnutls" global variable
520
# happens.
521
if GnuTLS.check_version(self._need_version) is None:
522
raise GnuTLS.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
544
525
545
# Unless otherwise indicated, the constants and types below are
526
546
# all from the gnutls/gnutls.h C header file.
530
550
E_INTERRUPTED = -52
531
551
E_AGAIN = -28
532
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
533
554
CLIENT = 2
534
555
SHUT_RDWR = 0
535
556
CRD_CERTIFICATE = 1
536
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
564
539
565
# Types
540
class session_int(ctypes.Structure):
566
class _session_int(ctypes.Structure):
541
567
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
568
session_t = ctypes.POINTER(_session_int)
543
569
544
570
class certificate_credentials_st(ctypes.Structure):
545
571
_fields_ = []
548
574
certificate_type_t = ctypes.c_int
549
575
550
576
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
577
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
578
("size", ctypes.c_uint)]
553
579
554
class openpgp_crt_int(ctypes.Structure):
580
class _openpgp_crt_int(ctypes.Structure):
555
581
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
557
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
585
credentials_type_t = ctypes.c_int
562
588
563
589
# Exceptions
564
590
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
591
def __init__(self, message=None, code=None, args=()):
570
592
# Default usage is by a message string, but if a return
571
593
# code is passed, convert it to a string with
572
594
# gnutls.strerror()
573
595
self.code = code
574
596
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
577
600
message, *args)
578
601
579
602
class CertificateSecurityError(Error):
580
603
pass
581
604
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
582
630
# Classes
583
class Credentials(object):
631
class Credentials(With_from_param):
584
632
def __init__(self):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
588
635
self.type = gnutls.CRD_CERTIFICATE
589
636
590
637
def __del__(self):
591
gnutls.certificate_free_credentials(self._c_object)
638
gnutls.certificate_free_credentials(self)
592
639
593
class ClientSession(object):
640
class ClientSession(With_from_param):
594
641
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
600
True)
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
601
653
self.socket = socket
602
654
if credentials is None:
603
655
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
606
ctypes.c_void_p))
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
607
658
self.credentials = credentials
608
659
609
660
def __del__(self):
610
gnutls.deinit(self._c_object)
661
gnutls.deinit(self)
611
662
612
663
def handshake(self):
613
return gnutls.handshake(self._c_object)
664
return gnutls.handshake(self)
614
665
615
666
def send(self, data):
616
667
data = bytes(data)
617
668
data_len = len(data)
618
669
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
620
data[-data_len:],
670
data_len -= gnutls.record_send(self, data[-data_len:],
621
671
data_len)
622
672
623
673
def bye(self):
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
625
675
626
676
# Error handling functions
627
677
def _error_code(result):
628
678
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
630
if result >= 0:
679
for the "restype" attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
631
681
return result
632
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
683
raise gnutls.CertificateSecurityError(code=result)
634
684
raise gnutls.Error(code=result)
635
685
636
def _retry_on_error(result, func, arguments):
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
637
688
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
639
while result < 0:
689
for the "errcheck" attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
640
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
692
return _error_code(result)
642
693
result = func(*arguments)
647
698
648
699
# Functions
649
700
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
651
702
ctypes.POINTER(ctypes.c_char_p)]
652
703
priority_set_direct.restype = _error_code
653
704
654
705
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
656
707
init.restype = _error_code
657
708
658
709
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
710
set_default_priority.argtypes = [ClientSession]
660
711
set_default_priority.restype = _error_code
661
712
662
713
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
664
715
ctypes.c_size_t]
665
716
record_send.restype = ctypes.c_ssize_t
666
717
record_send.errcheck = _retry_on_error
668
719
certificate_allocate_credentials = (
669
720
_library.gnutls_certificate_allocate_credentials)
670
721
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
722
PointerTo(Credentials)]
672
723
certificate_allocate_credentials.restype = _error_code
673
724
674
725
certificate_free_credentials = (
675
726
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
727
certificate_free_credentials.argtypes = [Credentials]
678
728
certificate_free_credentials.restype = None
679
729
680
730
handshake_set_private_extensions = (
681
731
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
732
handshake_set_private_extensions.argtypes = [ClientSession,
683
733
ctypes.c_int]
684
734
handshake_set_private_extensions.restype = None
685
735
686
736
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
688
ctypes.c_void_p]
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
689
739
credentials_set.restype = _error_code
690
740
691
741
strerror = _library.gnutls_strerror
693
743
strerror.restype = ctypes.c_char_p
694
744
695
745
certificate_type_get = _library.gnutls_certificate_type_get
696
certificate_type_get.argtypes = [session_t]
746
certificate_type_get.argtypes = [ClientSession]
697
747
certificate_type_get.restype = _error_code
698
748
699
749
certificate_get_peers = _library.gnutls_certificate_get_peers
700
certificate_get_peers.argtypes = [session_t,
750
certificate_get_peers.argtypes = [ClientSession,
701
751
ctypes.POINTER(ctypes.c_uint)]
702
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
753
710
760
global_set_log_function.restype = None
711
761
712
762
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
763
deinit.argtypes = [ClientSession]
714
764
deinit.restype = None
715
765
716
766
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
719
769
handshake.errcheck = _retry_on_error
720
770
721
771
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
723
773
transport_set_ptr.restype = None
724
774
725
775
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
728
778
bye.errcheck = _retry_on_error
729
779
730
780
check_version = _library.gnutls_check_version
731
781
check_version.argtypes = [ctypes.c_char_p]
732
782
check_version.restype = ctypes.c_char_p
733
783
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
762
859
763
860
# Remove non-public functions
764
861
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
767
862
768
863
769
864
def call_pipe(connection, # : multiprocessing.Connection
777
872
connection.close()
778
873
779
874
780
class Client(object):
875
class Client:
781
876
"""A representation of a client host served by this server.
782
877
783
878
Attributes:
784
approved: bool(); 'None' if not yet approved/disapproved
879
approved: bool(); None if not yet approved/disapproved
785
880
approval_delay: datetime.timedelta(); Time to wait for approval
786
881
approval_duration: datetime.timedelta(); Duration of one approval
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. None if no process is
884
running.
790
885
checker_callback_tag: a GLib event source tag, or None
791
886
checker_command: string; External command which is run to check
792
887
if client lives. %() expansions are done at
800
895
disable_initiator_tag: a GLib event source tag, or None
801
896
enabled: bool()
802
897
fingerprint: string (40 or 32 hexadecimal digits); used to
803
uniquely identify the client
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
804
901
host: string; available for use by the checker command
805
902
interval: datetime.timedelta(); How often to start a new checker
806
903
last_approval_request: datetime.datetime(); (UTC) or None
824
921
"""
825
922
826
923
runtime_expansions = ("approval_delay", "approval_duration",
827
"created", "enabled", "expires",
924
"created", "enabled", "expires", "key_id",
828
925
"fingerprint", "host", "interval",
829
926
"last_approval_request", "last_checked_ok",
830
927
"last_enabled", "name", "timeout")
860
957
client["enabled"] = config.getboolean(client_name,
861
958
"enabled")
862
959
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
866
965
client["fingerprint"] = (section["fingerprint"].upper()
867
966
.replace(" ", ""))
868
967
if "secret" in section:
912
1011
self.expires = None
913
1012
914
1013
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
915
1015
logger.debug(" Fingerprint: %s", self.fingerprint)
916
1016
self.created = settings.get("created",
917
1017
datetime.datetime.utcnow())
981
1081
if self.checker_initiator_tag is not None:
982
1082
GLib.source_remove(self.checker_initiator_tag)
983
1083
self.checker_initiator_tag = GLib.timeout_add(
984
int(self.interval.total_seconds() * 1000),
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
985
1086
self.start_checker)
986
1087
# Schedule a disable() when 'timeout' has passed
987
1088
if self.disable_initiator_tag is not None:
994
1095
def checker_callback(self, source, condition, connection,
995
1096
command):
996
1097
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
999
1098
# Read return code from connection (see call_pipe)
1000
1099
returncode = connection.recv()
1001
1100
connection.close()
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1002
1105
1003
1106
if returncode >= 0:
1004
1107
self.last_checker_status = returncode
1060
1163
if self.checker is None:
1061
1164
# Escape attributes for the shell
1062
1165
escaped_attrs = {
1063
attr: re.escape(str(getattr(self, attr)))
1166
attr: shlex.quote(str(getattr(self, attr)))
1064
1167
for attr in self.runtime_expansions}
1065
1168
try:
1066
1169
command = self.checker_command % escaped_attrs
1093
1196
kwargs=popen_args)
1094
1197
self.checker.start()
1095
1198
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1097
1201
self.checker_callback, pipe[0], command)
1098
1202
# Re-run this periodically if run by GLib.timeout_add
1099
1203
return True
1138
1242
func._dbus_name = func.__name__
1139
1243
if func._dbus_name.endswith("_dbus_property"):
1140
1244
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1245
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1142
1246
return func
1143
1247
1144
1248
return decorator
1233
1337
1234
1338
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1235
1339
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
1340
path_keyword="object_path",
1341
connection_keyword="connection")
1238
1342
def Introspect(self, object_path, connection):
1239
1343
"""Overloading of standard D-Bus method.
1240
1344
1354
1458
raise ValueError("Byte arrays not supported for non-"
1355
1459
"'ay' signature {!r}"
1356
1460
.format(prop._dbus_signature))
1357
value = dbus.ByteArray(b''.join(chr(byte)
1358
for byte in value))
1461
value = dbus.ByteArray(bytes(value))
1359
1462
prop(value)
1360
1463
1361
1464
@dbus.service.method(dbus.PROPERTIES_IFACE,
1394
1497
1395
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1396
1499
out_signature="s",
1397
path_keyword='object_path',
1398
connection_keyword='connection')
1500
path_keyword="object_path",
1501
connection_keyword="connection")
1399
1502
def Introspect(self, object_path, connection):
1400
1503
"""Overloading of standard D-Bus method.
1401
1504
1461
1564
exc_info=error)
1462
1565
return xmlstring
1463
1566
1567
1464
1568
try:
1465
1569
dbus.OBJECT_MANAGER_IFACE
1466
1570
except AttributeError:
1495
1599
1496
1600
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1497
1601
out_signature="s",
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1602
path_keyword="object_path",
1603
connection_keyword="connection")
1500
1604
def Introspect(self, object_path, connection):
1501
1605
"""Overloading of standard D-Bus method.
1502
1606
1998
2102
def Name_dbus_property(self):
1999
2103
return dbus.String(self.name)
2000
2104
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
2001
2112
# Fingerprint - property
2002
2113
@dbus_annotations(
2003
2114
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2158
2269
del _interface
2159
2270
2160
2271
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
2163
2274
self._pipe = child_pipe
2164
self._pipe.send(('init', fpr, address))
2275
self._pipe.send(("init", key_id, fpr, address))
2165
2276
if not self._pipe.recv():
2166
raise KeyError(fpr)
2277
raise KeyError(key_id or fpr)
2167
2278
2168
2279
def __getattribute__(self, name):
2169
if name == '_pipe':
2280
if name == "_pipe":
2170
2281
return super(ProxyClient, self).__getattribute__(name)
2171
self._pipe.send(('getattr', name))
2282
self._pipe.send(("getattr", name))
2172
2283
data = self._pipe.recv()
2173
if data[0] == 'data':
2284
if data[0] == "data":
2174
2285
return data[1]
2175
if data[0] == 'function':
2286
if data[0] == "function":
2176
2287
2177
2288
def func(*args, **kwargs):
2178
self._pipe.send(('funcall', name, args, kwargs))
2289
self._pipe.send(("funcall", name, args, kwargs))
2179
2290
return self._pipe.recv()[1]
2180
2291
2181
2292
return func
2182
2293
2183
2294
def __setattr__(self, name, value):
2184
if name == '_pipe':
2295
if name == "_pipe":
2185
2296
return super(ProxyClient, self).__setattr__(name, value)
2186
self._pipe.send(('setattr', name, value))
2297
self._pipe.send(("setattr", name, value))
2187
2298
2188
2299
2189
2300
class ClientHandler(socketserver.BaseRequestHandler, object):
2201
2312
2202
2313
session = gnutls.ClientSession(self.request)
2203
2314
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2315
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2205
2316
# "+AES-256-CBC", "+SHA1",
2206
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
2207
2318
# "+DHE-DSS"))
2209
2320
priority = self.server.gnutls_priority
2210
2321
if priority is None:
2211
2322
priority = "NORMAL"
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2214
None)
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2215
2325
2216
2326
# Start communication using the Mandos protocol
2217
2327
# Get protocol number
2236
2346
2237
2347
approval_required = False
2238
2348
try:
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
2249
2373
self.client_address)
2250
2374
except KeyError:
2251
2375
return
2328
2452
2329
2453
@staticmethod
2330
2454
def peer_certificate(session):
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2335
2469
# ...return invalid data
2336
2470
return b""
2337
2471
list_size = ctypes.c_uint(1)
2338
2472
cert_list = (gnutls.certificate_get_peers
2339
(session._c_object, ctypes.byref(list_size)))
2473
(session, ctypes.byref(list_size)))
2340
2474
if not bool(cert_list) and list_size.value != 0:
2341
2475
raise gnutls.Error("error getting peer certificate")
2342
2476
if list_size.value == 0:
2345
2479
return ctypes.string_at(cert.data, cert.size)
2346
2480
2347
2481
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2516
@staticmethod
2348
2517
def fingerprint(openpgp):
2349
2518
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2350
2519
# New GnuTLS "datum" with the OpenPGP public key
2364
2533
ctypes.byref(crtverify))
2365
2534
if crtverify.value != 0:
2366
2535
gnutls.openpgp_crt_deinit(crt)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2368
2538
# New buffer for the fingerprint
2369
2539
buf = ctypes.create_string_buffer(20)
2370
2540
buf_len = ctypes.c_size_t()
2380
2550
return hex_fpr
2381
2551
2382
2552
2383
class MultiprocessingMixIn(object):
2553
class MultiprocessingMixIn:
2384
2554
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2385
2555
2386
2556
def sub_process_main(self, request, address):
2398
2568
return proc
2399
2569
2400
2570
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2402
2572
""" adds a pipe to the MixIn """
2403
2573
2404
2574
def process_request(self, request, client_address):
2419
2589
2420
2590
2421
2591
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2422
socketserver.TCPServer, object):
2423
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2592
socketserver.TCPServer):
2593
"""IPv6-capable TCP server. Accepts None as address and/or port
2424
2594
2425
2595
Attributes:
2426
2596
enabled: Boolean; whether this server is activated yet
2498
2668
raise
2499
2669
# Only bind(2) the socket if we really need to.
2500
2670
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2501
2673
if not self.server_address[0]:
2502
2674
if self.address_family == socket.AF_INET6:
2503
2675
any_address = "::" # in6addr_any
2556
2728
def add_pipe(self, parent_pipe, proc):
2557
2729
# Call "handle_ipc" for both data and EOF events
2558
2730
GLib.io_add_watch(
2559
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2561
2733
functools.partial(self.handle_ipc,
2562
2734
parent_pipe=parent_pipe,
2563
2735
proc=proc))
2576
2748
request = parent_pipe.recv()
2577
2749
command = request[0]
2578
2750
2579
if command == 'init':
2580
fpr = request[1]
2581
address = request[2]
2751
if command == "init":
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2582
2755
2583
2756
for c in self.clients.values():
2584
if c.fingerprint == fpr:
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2585
2764
client = c
2586
2765
break
2587
2766
else:
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2590
2769
if self.use_dbus:
2591
2770
# Emit D-Bus signal
2592
mandos_dbus_service.ClientNotFound(fpr,
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2772
address[0])
2594
2773
parent_pipe.send(False)
2595
2774
return False
2596
2775
2597
2776
GLib.io_add_watch(
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2600
2779
functools.partial(self.handle_ipc,
2601
2780
parent_pipe=parent_pipe,
2602
2781
proc=proc,
2605
2784
# remove the old hook in favor of the new above hook on
2606
2785
# same fileno
2607
2786
return False
2608
if command == 'funcall':
2787
if command == "funcall":
2609
2788
funcname = request[1]
2610
2789
args = request[2]
2611
2790
kwargs = request[3]
2612
2791
2613
parent_pipe.send(('data', getattr(client_object,
2792
parent_pipe.send(("data", getattr(client_object,
2614
2793
funcname)(*args,
2615
2794
**kwargs)))
2616
2795
2617
if command == 'getattr':
2796
if command == "getattr":
2618
2797
attrname = request[1]
2619
2798
if isinstance(client_object.__getattribute__(attrname),
2620
collections.Callable):
2621
parent_pipe.send(('function', ))
2799
collections.abc.Callable):
2800
parent_pipe.send(("function", ))
2622
2801
else:
2623
2802
parent_pipe.send((
2624
'data', client_object.__getattribute__(attrname)))
2803
"data", client_object.__getattribute__(attrname)))
2625
2804
2626
if command == 'setattr':
2805
if command == "setattr":
2627
2806
attrname = request[1]
2628
2807
value = request[2]
2629
2808
setattr(client_object, attrname, value)
2634
2813
def rfc3339_duration_to_delta(duration):
2635
2814
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2636
2815
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2651
2832
"""
2652
2833
2653
2834
# Parsing an RFC 3339 duration with regular expressions is not
2733
2914
def string_to_delta(interval):
2734
2915
"""Parse a string and return a datetime.timedelta
2735
2916
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
2917
>>> string_to_delta("7d") == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta("24h") == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta("1w") == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2928
True
2748
2929
"""
2749
2930
2750
2931
try:
2852
3033
2853
3034
options = parser.parse_args()
2854
3035
2855
if options.check:
2856
import doctest
2857
fail_count, test_count = doctest.testmod()
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2860
3036
# Default values for config file for server-global settings
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
2861
3043
server_defaults = {"interface": "",
2862
3044
"address": "",
2863
3045
"port": "",
2864
3046
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
3047
"priority": priority,
2868
3048
"servicename": "Mandos",
2869
3049
"use_dbus": "True",
2870
3050
"use_ipv6": "True",
2875
3055
"foreground": "False",
2876
3056
"zeroconf": "True",
2877
3057
}
3058
del priority
2878
3059
2879
3060
# Parse config file for server-global settings
2880
server_config = configparser.SafeConfigParser(server_defaults)
3061
server_config = configparser.ConfigParser(server_defaults)
2881
3062
del server_defaults
2882
3063
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2883
# Convert the SafeConfigParser object to a dict
3064
# Convert the ConfigParser object to a dict
2884
3065
server_settings = server_config.defaults()
2885
3066
# Use the appropriate methods on the non-string config options
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2887
3069
server_settings[option] = server_config.getboolean("DEFAULT",
2888
3070
option)
2889
3071
if server_settings["port"]:
2952
3134
2953
3135
if server_settings["servicename"] != "Mandos":
2954
3136
syslogger.setFormatter(
2955
logging.Formatter('Mandos ({}) [%(process)d]:'
2956
' %(levelname)s: %(message)s'.format(
3137
logging.Formatter("Mandos ({}) [%(process)d]:"
3138
" %(levelname)s: %(message)s".format(
2957
3139
server_settings["servicename"])))
2958
3140
2959
3141
# Parse config file with clients
2960
client_config = configparser.SafeConfigParser(Client
2961
.client_defaults)
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2962
3143
client_config.read(os.path.join(server_settings["configdir"],
2963
3144
"clients.conf"))
2964
3145
3020
3201
3021
3202
@gnutls.log_func
3022
3203
def debug_gnutls(level, string):
3023
logger.debug("GnuTLS: %s", string[:-1])
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3024
3207
3025
3208
gnutls.global_set_log_function(debug_gnutls)
3026
3209
3035
3218
# Close all input and output, do double fork, etc.
3036
3219
daemon()
3037
3220
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3041
3225
3042
3226
global main_loop
3043
3227
# From the Avahi example code
3119
3303
if isinstance(s, bytes)
3120
3304
else s) for s in
3121
3305
value["client_structure"]]
3122
# .name & .host
3123
for k in ("name", "host"):
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3124
3308
if isinstance(value[k], bytes):
3125
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3126
3314
# old_client_settings
3127
3315
# .keys()
3128
3316
old_client_settings = {
3132
3320
for key, value in
3133
3321
bytes_old_client_settings.items()}
3134
3322
del bytes_old_client_settings
3135
# .host
3323
# .host and .checker_command
3136
3324
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
3140
3329
os.remove(stored_state_path)
3141
3330
except IOError as e:
3142
3331
if e.errno == errno.ENOENT:
3265
3454
pass
3266
3455
3267
3456
@dbus.service.signal(_interface, signature="ss")
3268
def ClientNotFound(self, fingerprint, address):
3457
def ClientNotFound(self, key_id, address):
3269
3458
"D-Bus signal"
3270
3459
pass
3271
3460
3395
3584
3396
3585
try:
3397
3586
with tempfile.NamedTemporaryFile(
3398
mode='wb',
3587
mode="wb",
3399
3588
suffix=".pickle",
3400
prefix='clients-',
3589
prefix="clients-",
3401
3590
dir=os.path.dirname(stored_state_path),
3402
3591
delete=False) as stored_state:
3403
3592
pickle.dump((clients, client_settings), stored_state,
3467
3656
sys.exit(1)
3468
3657
# End of Avahi example code
3469
3658
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3474
3664
3475
3665
logger.debug("Starting main loop")
3476
3666
main_loop.run()
3486
3676
# Must run before the D-Bus bus name gets deregistered
3487
3677
cleanup()
3488
3678
3489
3490
if __name__ == '__main__':
3491
main()
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action="store_true")
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3695
3696
if __name__ == "__main__":
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0