423
451
def entry_group_state_changed(self, state, error):
424
452
"""Derived from the Avahi example code"""
425
logger.debug("Avahi entry group state change: %i", state)
453
log.debug("Avahi entry group state change: %i", state)
427
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
logger.debug("Zeroconf service established.")
456
log.debug("Zeroconf service established.")
429
457
elif state == avahi.ENTRY_GROUP_COLLISION:
430
logger.info("Zeroconf service name collision.")
458
log.info("Zeroconf service name collision.")
432
460
elif state == avahi.ENTRY_GROUP_FAILURE:
433
logger.critical("Avahi: Error in group state changed %s",
461
log.critical("Avahi: Error in group state changed %s",
435
463
raise AvahiGroupError("State changed: {!s}".format(error))
437
465
def cleanup(self):
496
523
class AvahiServiceToSyslog(AvahiService):
497
524
def rename(self, *args, **kwargs):
498
525
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
500
528
syslogger.setFormatter(logging.Formatter(
501
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
502
530
.format(self.name)))
506
534
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
536
"""This isn't so much a class as it is a module-like namespace."""
511
538
library = ctypes.util.find_library("gnutls")
512
539
if library is None:
513
540
library = ctypes.util.find_library("gnutls-deb0")
514
541
_library = ctypes.cdll.LoadLibrary(library)
516
_need_version = b"3.3.0"
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
525
544
# Unless otherwise indicated, the constants and types below are
526
545
# all from the gnutls/gnutls.h C header file.
564
589
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
590
def __init__(self, message=None, code=None, args=()):
570
591
# Default usage is by a message string, but if a return
571
592
# code is passed, convert it to a string with
572
593
# gnutls.strerror()
574
595
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
579
601
class CertificateSecurityError(Error):
605
def __init__(self, cls):
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
614
class CastToVoidPointer:
615
def __init__(self, cls):
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
class With_from_param:
626
def from_param(cls, obj):
627
return obj._as_parameter_
583
class Credentials(object):
630
class Credentials(With_from_param):
584
631
def __init__(self):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
588
634
self.type = gnutls.CRD_CERTIFICATE
590
636
def __del__(self):
591
gnutls.certificate_free_credentials(self._c_object)
637
gnutls.certificate_free_credentials(self)
593
class ClientSession(object):
639
class ClientSession(With_from_param):
594
640
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
601
652
self.socket = socket
602
653
if credentials is None:
603
654
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
655
gnutls.credentials_set(self, credentials.type,
607
657
self.credentials = credentials
609
659
def __del__(self):
610
gnutls.deinit(self._c_object)
612
662
def handshake(self):
613
return gnutls.handshake(self._c_object)
663
return gnutls.handshake(self)
615
665
def send(self, data):
616
666
data = bytes(data)
617
667
data_len = len(data)
618
668
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
669
data_len -= gnutls.record_send(self, data[-data_len:],
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
626
675
# Error handling functions
627
676
def _error_code(result):
628
677
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
632
681
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
682
raise gnutls.CertificateSecurityError(code=result)
634
683
raise gnutls.Error(code=result)
636
def _retry_on_error(result, func, arguments):
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
637
687
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
640
690
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
691
return _error_code(result)
642
692
result = func(*arguments)
649
699
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
651
701
ctypes.POINTER(ctypes.c_char_p)]
652
702
priority_set_direct.restype = _error_code
654
704
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
656
706
init.restype = _error_code
658
708
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
709
set_default_priority.argtypes = [ClientSession]
660
710
set_default_priority.restype = _error_code
662
712
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
665
715
record_send.restype = ctypes.c_ssize_t
666
716
record_send.errcheck = _retry_on_error
668
718
certificate_allocate_credentials = (
669
719
_library.gnutls_certificate_allocate_credentials)
670
720
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
721
PointerTo(Credentials)]
672
722
certificate_allocate_credentials.restype = _error_code
674
724
certificate_free_credentials = (
675
725
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
726
certificate_free_credentials.argtypes = [Credentials]
678
727
certificate_free_credentials.restype = None
680
729
handshake_set_private_extensions = (
681
730
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
731
handshake_set_private_extensions.argtypes = [ClientSession,
684
733
handshake_set_private_extensions.restype = None
686
735
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
689
738
credentials_set.restype = _error_code
691
740
strerror = _library.gnutls_strerror
710
759
global_set_log_function.restype = None
712
761
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
762
deinit.argtypes = [ClientSession]
714
763
deinit.restype = None
716
765
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
719
768
handshake.errcheck = _retry_on_error
721
770
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
723
772
transport_set_ptr.restype = None
725
774
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
728
777
bye.errcheck = _retry_on_error
730
779
check_version = _library.gnutls_check_version
731
780
check_version.argtypes = [ctypes.c_char_p]
732
781
check_version.restype = ctypes.c_char_p
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
793
class pubkey_st(ctypes.Structure):
795
pubkey_t = ctypes.POINTER(pubkey_st)
797
x509_crt_fmt_t = ctypes.c_int
799
# All the function declarations below are from
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
pubkey_import.restype = _error_code
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
820
# All the function declarations below are from
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
831
openpgp_crt_import.restype = _error_code
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
838
ctypes.POINTER(ctypes.c_uint),
840
openpgp_crt_verify_self.restype = _error_code
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
852
openpgp_crt_get_fingerprint.restype = _error_code
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
763
859
# Remove non-public functions
764
860
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
769
863
def call_pipe(connection, # : multiprocessing.Connection
975
1079
def __del__(self):
978
def init_checker(self):
979
# Schedule a new checker to be started an 'interval' from now,
980
# and every interval from then on.
1082
def init_checker(self, randomize_start=False):
1083
# Schedule a new checker to be started a randomly selected
1084
# time (a fraction of 'interval') from now. This spreads out
1085
# the startup of checkers over time when the server is
981
1087
if self.checker_initiator_tag is not None:
982
1088
GLib.source_remove(self.checker_initiator_tag)
1089
interval_milliseconds = int(self.interval.total_seconds()
1092
delay_milliseconds = random.randrange(
1093
interval_milliseconds + 1)
1095
delay_milliseconds = interval_milliseconds
983
1096
self.checker_initiator_tag = GLib.timeout_add(
984
int(self.interval.total_seconds() * 1000),
986
# Schedule a disable() when 'timeout' has passed
1097
delay_milliseconds, self.start_checker, randomize_start)
1098
delay = datetime.timedelta(0, 0, 0, delay_milliseconds)
1099
# A checker might take up to an 'interval' of time, so we can
1100
# expire at the soonest one interval after a checker was
1101
# started. Since the initial checker is delayed, the expire
1102
# time might have to be extended.
1103
now = datetime.datetime.utcnow()
1104
self.expires = now + delay + self.interval
1105
# Schedule a disable() at expire time
987
1106
if self.disable_initiator_tag is not None:
988
1107
GLib.source_remove(self.disable_initiator_tag)
989
1108
self.disable_initiator_tag = GLib.timeout_add(
990
int(self.timeout.total_seconds() * 1000), self.disable)
991
# Also start a new checker *right now*.
1109
int((self.expires - now).total_seconds() * 1000),
994
1112
def checker_callback(self, source, condition, connection,
996
1114
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
999
1115
# Read return code from connection (see call_pipe)
1000
1116
returncode = connection.recv()
1001
1117
connection.close()
1118
if self.checker is not None:
1120
self.checker_callback_tag = None
1003
1123
if returncode >= 0:
1004
1124
self.last_checker_status = returncode
1005
1125
self.last_checker_signal = None
1006
1126
if self.last_checker_status == 0:
1007
logger.info("Checker for %(name)s succeeded",
1127
log.info("Checker for %(name)s succeeded", vars(self))
1009
1128
self.checked_ok()
1011
logger.info("Checker for %(name)s failed", vars(self))
1130
log.info("Checker for %(name)s failed", vars(self))
1013
1132
self.last_checker_status = -1
1014
1133
self.last_checker_signal = -returncode
1015
logger.warning("Checker for %(name)s crashed?",
1134
log.warning("Checker for %(name)s crashed?", vars(self))
1019
1137
def checked_ok(self):
1055
1173
if self.checker is not None and not self.checker.is_alive():
1056
logger.warning("Checker was not alive; joining")
1174
log.warning("Checker was not alive; joining")
1057
1175
self.checker.join()
1058
1176
self.checker = None
1059
1177
# Start a new checker if needed
1060
1178
if self.checker is None:
1061
1179
# Escape attributes for the shell
1062
1180
escaped_attrs = {
1063
attr: re.escape(str(getattr(self, attr)))
1181
attr: shlex.quote(str(getattr(self, attr)))
1064
1182
for attr in self.runtime_expansions}
1066
1184
command = self.checker_command % escaped_attrs
1067
1185
except TypeError as error:
1068
logger.error('Could not format string "%s"',
1069
self.checker_command,
1186
log.error('Could not format string "%s"',
1187
self.checker_command, exc_info=error)
1071
1188
return True # Try again later
1072
1189
self.current_checker_command = command
1073
logger.info("Starting checker %r for %s", command,
1190
log.info("Starting checker %r for %s", command, self.name)
1075
1191
# We don't need to redirect stdout and stderr, since
1076
1192
# in normal mode, that is already done by daemon(),
1077
1193
# and in debug mode we don't want to. (Stdin is
1093
1209
kwargs=popen_args)
1094
1210
self.checker.start()
1095
1211
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1212
GLib.IOChannel.unix_new(pipe[0].fileno()),
1213
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1097
1214
self.checker_callback, pipe[0], command)
1215
if start_was_randomized:
1216
# We were started after a random delay; Schedule a new
1217
# checker to be started an 'interval' from now, and every
1218
# interval from then on.
1219
now = datetime.datetime.utcnow()
1220
self.checker_initiator_tag = GLib.timeout_add(
1221
int(self.interval.total_seconds() * 1000),
1223
self.expires = max(self.expires, now + self.interval)
1224
# Don't start a new checker again after same random delay
1098
1226
# Re-run this periodically if run by GLib.timeout_add
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2297
def __init__(self, child_pipe, key_id, fpr, address):
2164
2298
self._pipe = child_pipe
2165
self._pipe.send(('init', fpr, address))
2299
self._pipe.send(("init", key_id, fpr, address))
2166
2300
if not self._pipe.recv():
2301
raise KeyError(key_id or fpr)
2169
2303
def __getattribute__(self, name):
2171
2305
return super(ProxyClient, self).__getattribute__(name)
2172
self._pipe.send(('getattr', name))
2306
self._pipe.send(("getattr", name))
2173
2307
data = self._pipe.recv()
2174
if data[0] == 'data':
2308
if data[0] == "data":
2176
if data[0] == 'function':
2310
if data[0] == "function":
2178
2312
def func(*args, **kwargs):
2179
self._pipe.send(('funcall', name, args, kwargs))
2313
self._pipe.send(("funcall", name, args, kwargs))
2180
2314
return self._pipe.recv()[1]
2184
2318
def __setattr__(self, name, value):
2186
2320
return super(ProxyClient, self).__setattr__(name, value)
2187
self._pipe.send(('setattr', name, value))
2321
self._pipe.send(("setattr", name, value))
2190
2324
class ClientHandler(socketserver.BaseRequestHandler, object):
2196
2330
def handle(self):
2197
2331
with contextlib.closing(self.server.child_pipe) as child_pipe:
2198
logger.info("TCP connection from: %s",
2199
str(self.client_address))
2200
logger.debug("Pipe FD: %d",
2201
self.server.child_pipe.fileno())
2332
log.info("TCP connection from: %s",
2333
str(self.client_address))
2334
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2203
2336
session = gnutls.ClientSession(self.request)
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2338
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2206
2339
# "+AES-256-CBC", "+SHA1",
2207
2340
# "+COMP-NULL", "+CTYPE-OPENPGP",
2210
2343
priority = self.server.gnutls_priority
2211
2344
if priority is None:
2212
2345
priority = "NORMAL"
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
2346
gnutls.priority_set_direct(session,
2347
priority.encode("utf-8"), None)
2217
2349
# Start communication using the Mandos protocol
2218
2350
# Get protocol number
2219
2351
line = self.request.makefile().readline()
2220
logger.debug("Protocol version: %r", line)
2352
log.debug("Protocol version: %r", line)
2222
2354
if int(line.strip().split()[0]) > 1:
2223
2355
raise RuntimeError(line)
2224
2356
except (ValueError, IndexError, RuntimeError) as error:
2225
logger.error("Unknown protocol version: %s", error)
2357
log.error("Unknown protocol version: %s", error)
2228
2360
# Start GnuTLS connection
2230
2362
session.handshake()
2231
2363
except gnutls.Error as error:
2232
logger.warning("Handshake failed: %s", error)
2364
log.warning("Handshake failed: %s", error)
2233
2365
# Do not run session.bye() here: the session is not
2234
2366
# established. Just abandon the request.
2236
logger.debug("Handshake succeeded")
2368
log.debug("Handshake succeeded")
2238
2370
approval_required = False
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2246
logger.debug("Fingerprint: %s", fpr)
2249
client = ProxyClient(child_pipe, fpr,
2372
if gnutls.has_rawpk:
2375
key_id = self.key_id(
2376
self.peer_certificate(session))
2377
except (TypeError, gnutls.Error) as error:
2378
log.warning("Bad certificate: %s", error)
2380
log.debug("Key ID: %s",
2381
key_id.decode("utf-8",
2387
fpr = self.fingerprint(
2388
self.peer_certificate(session))
2389
except (TypeError, gnutls.Error) as error:
2390
log.warning("Bad certificate: %s", error)
2392
log.debug("Fingerprint: %s", fpr)
2395
client = ProxyClient(child_pipe, key_id, fpr,
2250
2396
self.client_address)
2251
2397
except KeyError:
2326
2470
except gnutls.Error as error:
2327
logger.warning("GnuTLS bye failed",
2471
log.warning("GnuTLS bye failed", exc_info=error)
2331
2474
def peer_certificate(session):
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2475
"Return the peer's certificate as a bytestring"
2477
cert_type = gnutls.certificate_type_get2(
2478
session, gnutls.CTYPE_PEERS)
2479
except AttributeError:
2480
cert_type = gnutls.certificate_type_get(session)
2481
if gnutls.has_rawpk:
2482
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2484
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2485
# If not a valid certificate type...
2486
if cert_type not in valid_cert_types:
2487
log.info("Cert type %r not in %r", cert_type,
2336
2489
# ...return invalid data
2338
2491
list_size = ctypes.c_uint(1)
2339
2492
cert_list = (gnutls.certificate_get_peers
2340
(session._c_object, ctypes.byref(list_size)))
2493
(session, ctypes.byref(list_size)))
2341
2494
if not bool(cert_list) and list_size.value != 0:
2342
2495
raise gnutls.Error("error getting peer certificate")
2343
2496
if list_size.value == 0:
2346
2499
return ctypes.string_at(cert.data, cert.size)
2502
def key_id(certificate):
2503
"Convert a certificate bytestring to a hexdigit key ID"
2504
# New GnuTLS "datum" with the public key
2505
datum = gnutls.datum_t(
2506
ctypes.cast(ctypes.c_char_p(certificate),
2507
ctypes.POINTER(ctypes.c_ubyte)),
2508
ctypes.c_uint(len(certificate)))
2509
# XXX all these need to be created in the gnutls "module"
2510
# New empty GnuTLS certificate
2511
pubkey = gnutls.pubkey_t()
2512
gnutls.pubkey_init(ctypes.byref(pubkey))
2513
# Import the raw public key into the certificate
2514
gnutls.pubkey_import(pubkey,
2515
ctypes.byref(datum),
2516
gnutls.X509_FMT_DER)
2517
# New buffer for the key ID
2518
buf = ctypes.create_string_buffer(32)
2519
buf_len = ctypes.c_size_t(len(buf))
2520
# Get the key ID from the raw public key into the buffer
2521
gnutls.pubkey_get_key_id(
2523
gnutls.KEYID_USE_SHA256,
2524
ctypes.cast(ctypes.byref(buf),
2525
ctypes.POINTER(ctypes.c_ubyte)),
2526
ctypes.byref(buf_len))
2527
# Deinit the certificate
2528
gnutls.pubkey_deinit(pubkey)
2530
# Convert the buffer to a Python bytestring
2531
key_id = ctypes.string_at(buf, buf_len.value)
2532
# Convert the bytestring to hexadecimal notation
2533
hex_key_id = binascii.hexlify(key_id).upper()
2349
2537
def fingerprint(openpgp):
2350
2538
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2539
# New GnuTLS "datum" with the OpenPGP public key
2487
2675
(self.interface + "\0").encode("utf-8"))
2488
2676
except socket.error as error:
2489
2677
if error.errno == errno.EPERM:
2490
logger.error("No permission to bind to"
2491
" interface %s", self.interface)
2678
log.error("No permission to bind to interface %s",
2492
2680
elif error.errno == errno.ENOPROTOOPT:
2493
logger.error("SO_BINDTODEVICE not available;"
2494
" cannot bind to interface %s",
2681
log.error("SO_BINDTODEVICE not available; cannot"
2682
" bind to interface %s", self.interface)
2496
2683
elif error.errno == errno.ENODEV:
2497
logger.error("Interface %s does not exist,"
2498
" cannot bind", self.interface)
2684
log.error("Interface %s does not exist, cannot"
2685
" bind", self.interface)
2501
2688
# Only bind(2) the socket if we really need to.
2502
2689
if self.server_address[0] or self.server_address[1]:
2690
if self.server_address[1]:
2691
self.allow_reuse_address = True
2503
2692
if not self.server_address[0]:
2504
2693
if self.address_family == socket.AF_INET6:
2505
2694
any_address = "::" # in6addr_any
2578
2767
request = parent_pipe.recv()
2579
2768
command = request[0]
2581
if command == 'init':
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2770
if command == "init":
2771
key_id = request[1].decode("ascii")
2772
fpr = request[2].decode("ascii")
2773
address = request[3]
2585
2775
for c in self.clients.values():
2586
if c.fingerprint == fpr:
2776
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2777
"27AE41E4649B934CA495991B7852B855"):
2779
if key_id and c.key_id == key_id:
2782
if fpr and c.fingerprint == fpr:
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2786
log.info("Client not found for key ID: %s, address:"
2787
" %s", key_id or fpr, address)
2592
2788
if self.use_dbus:
2593
2789
# Emit D-Bus signal
2594
mandos_dbus_service.ClientNotFound(fpr,
2790
mandos_dbus_service.ClientNotFound(key_id or fpr,
2596
2792
parent_pipe.send(False)
2599
2795
GLib.io_add_watch(
2600
parent_pipe.fileno(),
2601
GLib.IO_IN | GLib.IO_HUP,
2796
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2797
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2602
2798
functools.partial(self.handle_ipc,
2603
2799
parent_pipe=parent_pipe,
2636
2832
def rfc3339_duration_to_delta(duration):
2637
2833
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2639
>>> rfc3339_duration_to_delta("P7D")
2640
datetime.timedelta(7)
2641
>>> rfc3339_duration_to_delta("PT60S")
2642
datetime.timedelta(0, 60)
2643
>>> rfc3339_duration_to_delta("PT60M")
2644
datetime.timedelta(0, 3600)
2645
>>> rfc3339_duration_to_delta("PT24H")
2646
datetime.timedelta(1)
2647
>>> rfc3339_duration_to_delta("P1W")
2648
datetime.timedelta(7)
2649
>>> rfc3339_duration_to_delta("PT5M30S")
2650
datetime.timedelta(0, 330)
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2652
datetime.timedelta(1, 200)
2835
>>> timedelta = datetime.timedelta
2836
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2838
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2840
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2842
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2844
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2846
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2848
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2655
2853
# Parsing an RFC 3339 duration with regular expressions is not
2735
2933
def string_to_delta(interval):
2736
2934
"""Parse a string and return a datetime.timedelta
2738
>>> string_to_delta('7d')
2739
datetime.timedelta(7)
2740
>>> string_to_delta('60s')
2741
datetime.timedelta(0, 60)
2742
>>> string_to_delta('60m')
2743
datetime.timedelta(0, 3600)
2744
>>> string_to_delta('24h')
2745
datetime.timedelta(1)
2746
>>> string_to_delta('1w')
2747
datetime.timedelta(7)
2748
>>> string_to_delta('5m 30s')
2749
datetime.timedelta(0, 330)
2936
>>> string_to_delta("7d") == datetime.timedelta(7)
2938
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2940
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2942
>>> string_to_delta("24h") == datetime.timedelta(1)
2944
>>> string_to_delta("1w") == datetime.timedelta(7)
2946
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
3135
3336
for key, value in
3136
3337
bytes_old_client_settings.items()}
3137
3338
del bytes_old_client_settings
3339
# .host and .checker_command
3139
3340
for value in old_client_settings.values():
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
3341
for attribute in ("host", "checker_command"):
3342
if isinstance(value[attribute], bytes):
3343
value[attribute] = (value[attribute]
3143
3345
os.remove(stored_state_path)
3144
3346
except IOError as e:
3145
3347
if e.errno == errno.ENOENT:
3146
logger.warning("Could not load persistent state:"
3147
" {}".format(os.strerror(e.errno)))
3348
log.warning("Could not load persistent state:"
3349
" %s", os.strerror(e.errno))
3149
logger.critical("Could not load persistent state:",
3351
log.critical("Could not load persistent state:",
3152
3354
except EOFError as e:
3153
logger.warning("Could not load persistent state: "
3355
log.warning("Could not load persistent state: EOFError:",
3157
3358
with PGPEngine() as pgp:
3158
3359
for client_name, client in clients_data.items():
3185
3386
if client["enabled"]:
3186
3387
if datetime.datetime.utcnow() >= client["expires"]:
3187
3388
if not client["last_checked_ok"]:
3189
"disabling client {} - Client never "
3190
"performed a successful checker".format(
3389
log.warning("disabling client %s - Client"
3390
" never performed a successful"
3391
" checker", client_name)
3192
3392
client["enabled"] = False
3193
3393
elif client["last_checker_status"] != 0:
3195
"disabling client {} - Client last"
3196
" checker failed with error code"
3199
client["last_checker_status"]))
3394
log.warning("disabling client %s - Client"
3395
" last checker failed with error"
3396
" code %s", client_name,
3397
client["last_checker_status"])
3200
3398
client["enabled"] = False
3202
3400
client["expires"] = (
3203
3401
datetime.datetime.utcnow()
3204
3402
+ client["timeout"])
3205
logger.debug("Last checker succeeded,"
3206
" keeping {} enabled".format(
3403
log.debug("Last checker succeeded, keeping %s"
3404
" enabled", client_name)
3209
3406
client["secret"] = pgp.decrypt(
3210
3407
client["encrypted_secret"],
3211
3408
client_settings[client_name]["secret"])
3212
3409
except PGPError:
3213
3410
# If decryption fails, we use secret from new settings
3214
logger.debug("Failed to decrypt {} old secret".format(
3411
log.debug("Failed to decrypt %s old secret",
3216
3413
client["secret"] = (client_settings[client_name]
3466
3662
service.activate()
3467
3663
except dbus.exceptions.DBusException as error:
3468
logger.critical("D-Bus Exception", exc_info=error)
3664
log.critical("D-Bus Exception", exc_info=error)
3471
3667
# End of Avahi example code
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3670
GLib.IOChannel.unix_new(tcp_server.fileno()),
3671
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3672
lambda *args, **kwargs: (tcp_server.handle_request
3673
(*args[2:], **kwargs) or True))
3478
logger.debug("Starting main loop")
3675
log.debug("Starting main loop")
3479
3676
main_loop.run()
3480
3677
except AvahiError as error:
3481
logger.critical("Avahi Error", exc_info=error)
3678
log.critical("Avahi Error", exc_info=error)
3484
3681
except KeyboardInterrupt:
3486
3683
print("", file=sys.stderr)
3487
logger.debug("Server received KeyboardInterrupt")
3488
logger.debug("Server exiting")
3684
log.debug("Server received KeyboardInterrupt")
3685
log.debug("Server exiting")
3489
3686
# Must run before the D-Bus bus name gets deregistered
3493
if __name__ == '__main__':
3690
def parse_test_args():
3691
# type: () -> argparse.Namespace
3692
parser = argparse.ArgumentParser(add_help=False)
3693
parser.add_argument("--check", action="store_true")
3694
parser.add_argument("--prefix", )
3695
args, unknown_args = parser.parse_known_args()
3697
# Remove test options from sys.argv
3698
sys.argv[1:] = unknown_args
3701
# Add all tests from doctest strings
3702
def load_tests(loader, tests, none):
3704
tests.addTests(doctest.DocTestSuite())
3707
if __name__ == "__main__":
3708
options = parse_test_args()
3711
extra_test_prefix = options.prefix
3712
if extra_test_prefix is not None:
3713
if not (unittest.main(argv=[""], exit=False)
3714
.result.wasSuccessful()):
3716
class ExtraTestLoader(unittest.TestLoader):
3717
testMethodPrefix = extra_test_prefix
3718
# Call using ./scriptname --test [--verbose]
3719
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3721
unittest.main(argv=[""])
3729
# (lambda (&optional extra)
3730
# (if (not (funcall run-tests-in-test-buffer default-directory
3732
# (funcall show-test-buffer-in-test-window)
3733
# (funcall remove-test-window)
3734
# (if extra (message "Extra tests run successfully!"))))
3735
# run-tests-in-test-buffer:
3736
# (lambda (dir &optional extra)
3737
# (with-current-buffer (get-buffer-create "*Test*")
3738
# (setq buffer-read-only nil
3739
# default-directory dir)
3741
# (compilation-mode))
3742
# (let ((process-result
3743
# (let ((inhibit-read-only t))
3744
# (process-file-shell-command
3745
# (funcall get-command-line extra) nil "*Test*"))))
3746
# (and (numberp process-result)
3747
# (= process-result 0))))
3749
# (lambda (&optional extra)
3750
# (let ((quoted-script
3751
# (shell-quote-argument (funcall get-script-name))))
3753
# (concat "%s --check" (if extra " --prefix=atest" ""))
3757
# (if (fboundp 'file-local-name)
3758
# (file-local-name (buffer-file-name))
3759
# (or (file-remote-p (buffer-file-name) 'localname)
3760
# (buffer-file-name))))
3761
# remove-test-window:
3763
# (let ((test-window (get-buffer-window "*Test*")))
3764
# (if test-window (delete-window test-window))))
3765
# show-test-buffer-in-test-window:
3767
# (when (not (get-buffer-window-list "*Test*"))
3768
# (setq next-error-last-buffer (get-buffer "*Test*"))
3769
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3770
# (display-buffer-overriding-action
3771
# `((display-buffer-in-side-window) (side . ,side)
3772
# (window-height . fit-window-to-buffer)
3773
# (window-width . fit-window-to-buffer))))
3774
# (display-buffer "*Test*"))))
3777
# (let* ((run-extra-tests (lambda () (interactive)
3778
# (funcall run-tests t)))
3779
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3780
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3781
# (setq minor-mode-overriding-map-alist
3782
# (cons `(run-tests . ,outer-keymap)
3783
# minor-mode-overriding-map-alist)))
3784
# (add-hook 'after-save-hook run-tests 90 t))