To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.4.98
- compare with another revision
- download diff
- download tarball
- view history from revision 237.4.98
- Committer: Teddy Hogeborn
- Date: 2018-02-22 18:50:12 UTC
- mto: This revision was merged to the branch mainline in revision 943.
- Revision ID: teddy@recompile.se-20180222185012-etchk537ast7s1xg
Tags: version-1.7.19-1
* Makefile (version): Change to 1.7.19.
* NEWS (Version 1.7.19): Add new entry.
* debian/changelog (1.7.19-1): - '' -
* NEWS (Version 1.7.19): Add new entry.
* debian/changelog (1.7.19-1): - '' -
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import unittest
81
import random
82
80
83
81
import dbus
84
82
import dbus.service
85
import gi
86
83
from gi.repository import GLib
87
84
from dbus.mainloop.glib import DBusGMainLoop
88
85
import ctypes
90
87
import xml.dom.minidom
91
88
import inspect
92
89
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
97
# Add collections.abc.Callable if it does not exist
98
try:
99
collections.abc.Callable
100
except AttributeError:
101
class abc:
102
Callable = collections.Callable
103
collections.abc = abc
104
del abc
105
106
# Show warnings by default
107
if not sys.warnoptions:
108
import warnings
109
warnings.simplefilter("default")
110
111
90
# Try to find the value of SO_BINDTODEVICE:
112
91
try:
113
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
133
112
# No value found
134
113
SO_BINDTODEVICE = None
135
114
136
if sys.version_info < (3, 2):
137
configparser.Configparser = configparser.SafeConfigParser
115
if sys.version_info.major == 2:
116
str = unicode
138
117
139
version = "1.8.9"
118
version = "1.7.19"
140
119
stored_state_file = "clients.pickle"
141
120
142
121
logger = logging.getLogger()
143
logging.captureWarnings(True) # Show warnings via the logging system
144
122
syslogger = None
145
123
146
124
try:
201
179
pass
202
180
203
181
204
class PGPEngine:
182
class PGPEngine(object):
205
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
206
184
207
185
def __init__(self):
211
189
output = subprocess.check_output(["gpgconf"])
212
190
for line in output.splitlines():
213
191
name, text, path = line.split(b":")
214
if name == b"gpg":
192
if name == "gpg":
215
193
self.gpg = path
216
194
break
217
195
except OSError as e:
222
200
'--force-mdc',
223
201
'--quiet']
224
202
# Only GPG version 1 has the --no-use-agent option.
225
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
226
204
self.gnupgargs.append("--no-use-agent")
227
205
228
206
def __enter__(self):
297
275
298
276
299
277
# Pretend that we have an Avahi module
300
class avahi:
301
"""This isn't so much a class as it is a module-like namespace."""
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
302
281
IF_UNSPEC = -1 # avahi-common/address.h
303
282
PROTO_UNSPEC = -1 # avahi-common/address.h
304
283
PROTO_INET = 0 # avahi-common/address.h
308
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
309
288
DBUS_PATH_SERVER = "/"
310
289
311
@staticmethod
312
def string_array_to_txt_array(t):
290
def string_array_to_txt_array(self, t):
313
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
314
292
for s in t), signature="ay")
315
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
320
298
SERVER_RUNNING = 2 # avahi-common/defs.h
321
299
SERVER_COLLISION = 3 # avahi-common/defs.h
322
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
323
302
324
303
325
304
class AvahiError(Exception):
337
316
pass
338
317
339
318
340
class AvahiService:
319
class AvahiService(object):
341
320
"""An Avahi (Zeroconf) service.
342
321
343
322
Attributes:
525
504
526
505
527
506
# Pretend that we have a GnuTLS module
528
class gnutls:
529
"""This isn't so much a class as it is a module-like namespace."""
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
530
510
531
511
library = ctypes.util.find_library("gnutls")
532
512
if library is None:
533
513
library = ctypes.util.find_library("gnutls-deb0")
534
514
_library = ctypes.cdll.LoadLibrary(library)
535
515
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
536
524
537
525
# Unless otherwise indicated, the constants and types below are
538
526
# all from the gnutls/gnutls.h C header file.
542
530
E_INTERRUPTED = -52
543
531
E_AGAIN = -28
544
532
CRT_OPENPGP = 2
545
CRT_RAWPK = 3
546
533
CLIENT = 2
547
534
SHUT_RDWR = 0
548
535
CRD_CERTIFICATE = 1
549
536
E_NO_CERTIFICATE_FOUND = -49
550
X509_FMT_DER = 0
551
NO_TICKETS = 1<<10
552
ENABLE_RAWPK = 1<<18
553
CTYPE_PEERS = 3
554
KEYID_USE_SHA256 = 1 # gnutls/x509.h
555
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
556
538
557
539
# Types
580
562
581
563
# Exceptions
582
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
583
569
def __init__(self, message=None, code=None, args=()):
584
570
# Default usage is by a message string, but if a return
585
571
# code is passed, convert it to a string with
586
572
# gnutls.strerror()
587
573
self.code = code
588
574
if message is None and code is not None:
589
message = gnutls.strerror(code)
590
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
591
577
message, *args)
592
578
593
579
class CertificateSecurityError(Error):
594
580
pass
595
581
596
582
# Classes
597
class Credentials:
583
class Credentials(object):
598
584
def __init__(self):
599
585
self._c_object = gnutls.certificate_credentials_t()
600
586
gnutls.certificate_allocate_credentials(
604
590
def __del__(self):
605
591
gnutls.certificate_free_credentials(self._c_object)
606
592
607
class ClientSession:
593
class ClientSession(object):
608
594
def __init__(self, socket, credentials=None):
609
595
self._c_object = gnutls.session_t()
610
gnutls_flags = gnutls.CLIENT
611
if gnutls.check_version(b"3.5.6"):
612
gnutls_flags |= gnutls.NO_TICKETS
613
if gnutls.has_rawpk:
614
gnutls_flags |= gnutls.ENABLE_RAWPK
615
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
616
del gnutls_flags
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
617
597
gnutls.set_default_priority(self._c_object)
618
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
619
599
gnutls.handshake_set_private_extensions(self._c_object,
751
731
check_version.argtypes = [ctypes.c_char_p]
752
732
check_version.restype = ctypes.c_char_p
753
733
754
_need_version = b"3.3.0"
755
if check_version(_need_version) is None:
756
raise self.Error("Needs GnuTLS {} or later"
757
.format(_need_version))
758
759
_tls_rawpk_version = b"3.6.6"
760
has_rawpk = bool(check_version(_tls_rawpk_version))
761
762
if has_rawpk:
763
# Types
764
class pubkey_st(ctypes.Structure):
765
_fields = []
766
pubkey_t = ctypes.POINTER(pubkey_st)
767
768
x509_crt_fmt_t = ctypes.c_int
769
770
# All the function declarations below are from gnutls/abstract.h
771
pubkey_init = _library.gnutls_pubkey_init
772
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
773
pubkey_init.restype = _error_code
774
775
pubkey_import = _library.gnutls_pubkey_import
776
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
777
x509_crt_fmt_t]
778
pubkey_import.restype = _error_code
779
780
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
781
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
782
ctypes.POINTER(ctypes.c_ubyte),
783
ctypes.POINTER(ctypes.c_size_t)]
784
pubkey_get_key_id.restype = _error_code
785
786
pubkey_deinit = _library.gnutls_pubkey_deinit
787
pubkey_deinit.argtypes = [pubkey_t]
788
pubkey_deinit.restype = None
789
else:
790
# All the function declarations below are from gnutls/openpgp.h
791
792
openpgp_crt_init = _library.gnutls_openpgp_crt_init
793
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
794
openpgp_crt_init.restype = _error_code
795
796
openpgp_crt_import = _library.gnutls_openpgp_crt_import
797
openpgp_crt_import.argtypes = [openpgp_crt_t,
798
ctypes.POINTER(datum_t),
799
openpgp_crt_fmt_t]
800
openpgp_crt_import.restype = _error_code
801
802
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
803
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
804
ctypes.POINTER(ctypes.c_uint)]
805
openpgp_crt_verify_self.restype = _error_code
806
807
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
808
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
809
openpgp_crt_deinit.restype = None
810
811
openpgp_crt_get_fingerprint = (
812
_library.gnutls_openpgp_crt_get_fingerprint)
813
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
814
ctypes.c_void_p,
815
ctypes.POINTER(
816
ctypes.c_size_t)]
817
openpgp_crt_get_fingerprint.restype = _error_code
818
819
if check_version(b"3.6.4"):
820
certificate_type_get2 = _library.gnutls_certificate_type_get2
821
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
822
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
823
762
824
763
# Remove non-public functions
825
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
826
767
827
768
828
769
def call_pipe(connection, # : multiprocessing.Connection
836
777
connection.close()
837
778
838
779
839
class Client:
780
class Client(object):
840
781
"""A representation of a client host served by this server.
841
782
842
783
Attributes:
843
784
approved: bool(); 'None' if not yet approved/disapproved
844
785
approval_delay: datetime.timedelta(); Time to wait for approval
845
786
approval_duration: datetime.timedelta(); Duration of one approval
846
checker: multiprocessing.Process(); a running checker process used
847
to see if the client lives. 'None' if no process is
848
running.
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
849
790
checker_callback_tag: a GLib event source tag, or None
850
791
checker_command: string; External command which is run to check
851
792
if client lives. %() expansions are done at
859
800
disable_initiator_tag: a GLib event source tag, or None
860
801
enabled: bool()
861
802
fingerprint: string (40 or 32 hexadecimal digits); used to
862
uniquely identify an OpenPGP client
863
key_id: string (64 hexadecimal digits); used to uniquely identify
864
a client using raw public keys
803
uniquely identify the client
865
804
host: string; available for use by the checker command
866
805
interval: datetime.timedelta(); How often to start a new checker
867
806
last_approval_request: datetime.datetime(); (UTC) or None
885
824
"""
886
825
887
826
runtime_expansions = ("approval_delay", "approval_duration",
888
"created", "enabled", "expires", "key_id",
827
"created", "enabled", "expires",
889
828
"fingerprint", "host", "interval",
890
829
"last_approval_request", "last_checked_ok",
891
830
"last_enabled", "name", "timeout")
921
860
client["enabled"] = config.getboolean(client_name,
922
861
"enabled")
923
862
924
# Uppercase and remove spaces from key_id and fingerprint
925
# for later comparison purposes with return value from the
926
# key_id() and fingerprint() functions
927
client["key_id"] = (section.get("key_id", "").upper()
928
.replace(" ", ""))
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
929
866
client["fingerprint"] = (section["fingerprint"].upper()
930
867
.replace(" ", ""))
931
868
if "secret" in section:
975
912
self.expires = None
976
913
977
914
logger.debug("Creating client %r", self.name)
978
logger.debug(" Key ID: %s", self.key_id)
979
915
logger.debug(" Fingerprint: %s", self.fingerprint)
980
916
self.created = settings.get("created",
981
917
datetime.datetime.utcnow())
1045
981
if self.checker_initiator_tag is not None:
1046
982
GLib.source_remove(self.checker_initiator_tag)
1047
983
self.checker_initiator_tag = GLib.timeout_add(
1048
random.randrange(int(self.interval.total_seconds() * 1000
1049
+ 1)),
984
int(self.interval.total_seconds() * 1000),
1050
985
self.start_checker)
1051
986
# Schedule a disable() when 'timeout' has passed
1052
987
if self.disable_initiator_tag is not None:
1059
994
def checker_callback(self, source, condition, connection,
1060
995
command):
1061
996
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
1062
999
# Read return code from connection (see call_pipe)
1063
1000
returncode = connection.recv()
1064
1001
connection.close()
1065
if self.checker is not None:
1066
self.checker.join()
1067
self.checker_callback_tag = None
1068
self.checker = None
1069
1002
1070
1003
if returncode >= 0:
1071
1004
self.last_checker_status = returncode
1160
1093
kwargs=popen_args)
1161
1094
self.checker.start()
1162
1095
self.checker_callback_tag = GLib.io_add_watch(
1163
GLib.IOChannel.unix_new(pipe[0].fileno()),
1164
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1096
pipe[0].fileno(), GLib.IO_IN,
1165
1097
self.checker_callback, pipe[0], command)
1166
1098
# Re-run this periodically if run by GLib.timeout_add
1167
1099
return True
1422
1354
raise ValueError("Byte arrays not supported for non-"
1423
1355
"'ay' signature {!r}"
1424
1356
.format(prop._dbus_signature))
1425
value = dbus.ByteArray(bytes(value))
1357
value = dbus.ByteArray(b''.join(chr(byte)
1358
for byte in value))
1426
1359
prop(value)
1427
1360
1428
1361
@dbus.service.method(dbus.PROPERTIES_IFACE,
2066
1999
def Name_dbus_property(self):
2067
2000
return dbus.String(self.name)
2068
2001
2069
# KeyID - property
2070
@dbus_annotations(
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
@dbus_service_property(_interface, signature="s", access="read")
2073
def KeyID_dbus_property(self):
2074
return dbus.String(self.key_id)
2075
2076
2002
# Fingerprint - property
2077
2003
@dbus_annotations(
2078
2004
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2233
2159
del _interface
2234
2160
2235
2161
2236
class ProxyClient:
2237
def __init__(self, child_pipe, key_id, fpr, address):
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2238
2164
self._pipe = child_pipe
2239
self._pipe.send(('init', key_id, fpr, address))
2165
self._pipe.send(('init', fpr, address))
2240
2166
if not self._pipe.recv():
2241
raise KeyError(key_id or fpr)
2167
raise KeyError(fpr)
2242
2168
2243
2169
def __getattribute__(self, name):
2244
2170
if name == '_pipe':
2311
2237
2312
2238
approval_required = False
2313
2239
try:
2314
if gnutls.has_rawpk:
2315
fpr = b""
2316
try:
2317
key_id = self.key_id(
2318
self.peer_certificate(session))
2319
except (TypeError, gnutls.Error) as error:
2320
logger.warning("Bad certificate: %s", error)
2321
return
2322
logger.debug("Key ID: %s", key_id)
2323
2324
else:
2325
key_id = b""
2326
try:
2327
fpr = self.fingerprint(
2328
self.peer_certificate(session))
2329
except (TypeError, gnutls.Error) as error:
2330
logger.warning("Bad certificate: %s", error)
2331
return
2332
logger.debug("Fingerprint: %s", fpr)
2333
2334
try:
2335
client = ProxyClient(child_pipe, key_id, fpr,
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2336
2250
self.client_address)
2337
2251
except KeyError:
2338
2252
return
2415
2329
2416
2330
@staticmethod
2417
2331
def peer_certificate(session):
2418
"Return the peer's certificate as a bytestring"
2419
try:
2420
cert_type = gnutls.certificate_type_get2(session._c_object,
2421
gnutls.CTYPE_PEERS)
2422
except AttributeError:
2423
cert_type = gnutls.certificate_type_get(session._c_object)
2424
if gnutls.has_rawpk:
2425
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2426
else:
2427
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2428
# If not a valid certificate type...
2429
if cert_type not in valid_cert_types:
2430
logger.info("Cert type %r not in %r", cert_type,
2431
valid_cert_types)
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2432
2336
# ...return invalid data
2433
2337
return b""
2434
2338
list_size = ctypes.c_uint(1)
2442
2346
return ctypes.string_at(cert.data, cert.size)
2443
2347
2444
2348
@staticmethod
2445
def key_id(certificate):
2446
"Convert a certificate bytestring to a hexdigit key ID"
2447
# New GnuTLS "datum" with the public key
2448
datum = gnutls.datum_t(
2449
ctypes.cast(ctypes.c_char_p(certificate),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.c_uint(len(certificate)))
2452
# XXX all these need to be created in the gnutls "module"
2453
# New empty GnuTLS certificate
2454
pubkey = gnutls.pubkey_t()
2455
gnutls.pubkey_init(ctypes.byref(pubkey))
2456
# Import the raw public key into the certificate
2457
gnutls.pubkey_import(pubkey,
2458
ctypes.byref(datum),
2459
gnutls.X509_FMT_DER)
2460
# New buffer for the key ID
2461
buf = ctypes.create_string_buffer(32)
2462
buf_len = ctypes.c_size_t(len(buf))
2463
# Get the key ID from the raw public key into the buffer
2464
gnutls.pubkey_get_key_id(pubkey,
2465
gnutls.KEYID_USE_SHA256,
2466
ctypes.cast(ctypes.byref(buf),
2467
ctypes.POINTER(ctypes.c_ubyte)),
2468
ctypes.byref(buf_len))
2469
# Deinit the certificate
2470
gnutls.pubkey_deinit(pubkey)
2471
2472
# Convert the buffer to a Python bytestring
2473
key_id = ctypes.string_at(buf, buf_len.value)
2474
# Convert the bytestring to hexadecimal notation
2475
hex_key_id = binascii.hexlify(key_id).upper()
2476
return hex_key_id
2477
2478
@staticmethod
2479
2349
def fingerprint(openpgp):
2480
2350
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2481
2351
# New GnuTLS "datum" with the OpenPGP public key
2495
2365
ctypes.byref(crtverify))
2496
2366
if crtverify.value != 0:
2497
2367
gnutls.openpgp_crt_deinit(crt)
2498
raise gnutls.CertificateSecurityError(code
2499
=crtverify.value)
2368
raise gnutls.CertificateSecurityError("Verify failed")
2500
2369
# New buffer for the fingerprint
2501
2370
buf = ctypes.create_string_buffer(20)
2502
2371
buf_len = ctypes.c_size_t()
2512
2381
return hex_fpr
2513
2382
2514
2383
2515
class MultiprocessingMixIn:
2384
class MultiprocessingMixIn(object):
2516
2385
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2517
2386
2518
2387
def sub_process_main(self, request, address):
2530
2399
return proc
2531
2400
2532
2401
2533
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2402
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2534
2403
""" adds a pipe to the MixIn """
2535
2404
2536
2405
def process_request(self, request, client_address):
2551
2420
2552
2421
2553
2422
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2554
socketserver.TCPServer):
2423
socketserver.TCPServer, object):
2555
2424
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2556
2425
2557
2426
Attributes:
2630
2499
raise
2631
2500
# Only bind(2) the socket if we really need to.
2632
2501
if self.server_address[0] or self.server_address[1]:
2633
if self.server_address[1]:
2634
self.allow_reuse_address = True
2635
2502
if not self.server_address[0]:
2636
2503
if self.address_family == socket.AF_INET6:
2637
2504
any_address = "::" # in6addr_any
2690
2557
def add_pipe(self, parent_pipe, proc):
2691
2558
# Call "handle_ipc" for both data and EOF events
2692
2559
GLib.io_add_watch(
2693
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2694
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2560
parent_pipe.fileno(),
2561
GLib.IO_IN | GLib.IO_HUP,
2695
2562
functools.partial(self.handle_ipc,
2696
2563
parent_pipe=parent_pipe,
2697
2564
proc=proc))
2711
2578
command = request[0]
2712
2579
2713
2580
if command == 'init':
2714
key_id = request[1].decode("ascii")
2715
fpr = request[2].decode("ascii")
2716
address = request[3]
2581
fpr = request[1].decode("ascii")
2582
address = request[2]
2717
2583
2718
2584
for c in self.clients.values():
2719
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2720
continue
2721
if key_id and c.key_id == key_id:
2722
client = c
2723
break
2724
if fpr and c.fingerprint == fpr:
2585
if c.fingerprint == fpr:
2725
2586
client = c
2726
2587
break
2727
2588
else:
2728
logger.info("Client not found for key ID: %s, address"
2729
": %s", key_id or fpr, address)
2589
logger.info("Client not found for fingerprint: %s, ad"
2590
"dress: %s", fpr, address)
2730
2591
if self.use_dbus:
2731
2592
# Emit D-Bus signal
2732
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
mandos_dbus_service.ClientNotFound(fpr,
2733
2594
address[0])
2734
2595
parent_pipe.send(False)
2735
2596
return False
2736
2597
2737
2598
GLib.io_add_watch(
2738
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2739
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2599
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2740
2601
functools.partial(self.handle_ipc,
2741
2602
parent_pipe=parent_pipe,
2742
2603
proc=proc,
2757
2618
if command == 'getattr':
2758
2619
attrname = request[1]
2759
2620
if isinstance(client_object.__getattribute__(attrname),
2760
collections.abc.Callable):
2621
collections.Callable):
2761
2622
parent_pipe.send(('function', ))
2762
2623
else:
2763
2624
parent_pipe.send((
2774
2635
def rfc3339_duration_to_delta(duration):
2775
2636
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2776
2637
2777
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2780
True
2781
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2782
True
2783
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2784
True
2785
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2786
True
2787
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2788
True
2789
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2790
True
2638
>>> rfc3339_duration_to_delta("P7D")
2639
datetime.timedelta(7)
2640
>>> rfc3339_duration_to_delta("PT60S")
2641
datetime.timedelta(0, 60)
2642
>>> rfc3339_duration_to_delta("PT60M")
2643
datetime.timedelta(0, 3600)
2644
>>> rfc3339_duration_to_delta("PT24H")
2645
datetime.timedelta(1)
2646
>>> rfc3339_duration_to_delta("P1W")
2647
datetime.timedelta(7)
2648
>>> rfc3339_duration_to_delta("PT5M30S")
2649
datetime.timedelta(0, 330)
2650
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
datetime.timedelta(1, 200)
2791
2652
"""
2792
2653
2793
2654
# Parsing an RFC 3339 duration with regular expressions is not
2873
2734
def string_to_delta(interval):
2874
2735
"""Parse a string and return a datetime.timedelta
2875
2736
2876
>>> string_to_delta('7d') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2879
True
2880
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2881
True
2882
>>> string_to_delta('24h') == datetime.timedelta(1)
2883
True
2884
>>> string_to_delta('1w') == datetime.timedelta(7)
2885
True
2886
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2887
True
2737
>>> string_to_delta('7d')
2738
datetime.timedelta(7)
2739
>>> string_to_delta('60s')
2740
datetime.timedelta(0, 60)
2741
>>> string_to_delta('60m')
2742
datetime.timedelta(0, 3600)
2743
>>> string_to_delta('24h')
2744
datetime.timedelta(1)
2745
>>> string_to_delta('1w')
2746
datetime.timedelta(7)
2747
>>> string_to_delta('5m 30s')
2748
datetime.timedelta(0, 330)
2888
2749
"""
2889
2750
2890
2751
try:
2992
2853
2993
2854
options = parser.parse_args()
2994
2855
2856
if options.check:
2857
import doctest
2858
fail_count, test_count = doctest.testmod()
2859
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2995
2861
# Default values for config file for server-global settings
2996
if gnutls.has_rawpk:
2997
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2998
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2999
else:
3000
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3001
":+SIGN-DSA-SHA256")
3002
2862
server_defaults = {"interface": "",
3003
2863
"address": "",
3004
2864
"port": "",
3005
2865
"debug": "False",
3006
"priority": priority,
2866
"priority":
2867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
":+SIGN-DSA-SHA256",
3007
2869
"servicename": "Mandos",
3008
2870
"use_dbus": "True",
3009
2871
"use_ipv6": "True",
3014
2876
"foreground": "False",
3015
2877
"zeroconf": "True",
3016
2878
}
3017
del priority
3018
2879
3019
2880
# Parse config file for server-global settings
3020
server_config = configparser.ConfigParser(server_defaults)
2881
server_config = configparser.SafeConfigParser(server_defaults)
3021
2882
del server_defaults
3022
2883
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3023
# Convert the ConfigParser object to a dict
2884
# Convert the SafeConfigParser object to a dict
3024
2885
server_settings = server_config.defaults()
3025
2886
# Use the appropriate methods on the non-string config options
3026
2887
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3098
2959
server_settings["servicename"])))
3099
2960
3100
2961
# Parse config file with clients
3101
client_config = configparser.ConfigParser(Client.client_defaults)
2962
client_config = configparser.SafeConfigParser(Client
2963
.client_defaults)
3102
2964
client_config.read(os.path.join(server_settings["configdir"],
3103
2965
"clients.conf"))
3104
2966
3175
3037
# Close all input and output, do double fork, etc.
3176
3038
daemon()
3177
3039
3178
if gi.version_info < (3, 10, 2):
3179
# multiprocessing will use threads, so before we use GLib we
3180
# need to inform GLib that threads will be used.
3181
GLib.threads_init()
3040
# multiprocessing will use threads, so before we use GLib we need
3041
# to inform GLib that threads will be used.
3042
GLib.threads_init()
3182
3043
3183
3044
global main_loop
3184
3045
# From the Avahi example code
3260
3121
if isinstance(s, bytes)
3261
3122
else s) for s in
3262
3123
value["client_structure"]]
3263
# .name, .host, and .checker_command
3264
for k in ("name", "host", "checker_command"):
3124
# .name & .host
3125
for k in ("name", "host"):
3265
3126
if isinstance(value[k], bytes):
3266
3127
value[k] = value[k].decode("utf-8")
3267
if "key_id" not in value:
3268
value["key_id"] = ""
3269
elif "fingerprint" not in value:
3270
value["fingerprint"] = ""
3271
3128
# old_client_settings
3272
3129
# .keys()
3273
3130
old_client_settings = {
3277
3134
for key, value in
3278
3135
bytes_old_client_settings.items()}
3279
3136
del bytes_old_client_settings
3280
# .host and .checker_command
3137
# .host
3281
3138
for value in old_client_settings.values():
3282
for attribute in ("host", "checker_command"):
3283
if isinstance(value[attribute], bytes):
3284
value[attribute] = (value[attribute]
3285
.decode("utf-8"))
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3141
.decode("utf-8"))
3286
3142
os.remove(stored_state_path)
3287
3143
except IOError as e:
3288
3144
if e.errno == errno.ENOENT:
3411
3267
pass
3412
3268
3413
3269
@dbus.service.signal(_interface, signature="ss")
3414
def ClientNotFound(self, key_id, address):
3270
def ClientNotFound(self, fingerprint, address):
3415
3271
"D-Bus signal"
3416
3272
pass
3417
3273
3613
3469
sys.exit(1)
3614
3470
# End of Avahi example code
3615
3471
3616
GLib.io_add_watch(
3617
GLib.IOChannel.unix_new(tcp_server.fileno()),
3618
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3619
lambda *args, **kwargs: (tcp_server.handle_request
3620
(*args[2:], **kwargs) or True))
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3621
3476
3622
3477
logger.debug("Starting main loop")
3623
3478
main_loop.run()
3633
3488
# Must run before the D-Bus bus name gets deregistered
3634
3489
cleanup()
3635
3490
3636
3637
def should_only_run_tests():
3638
parser = argparse.ArgumentParser(add_help=False)
3639
parser.add_argument("--check", action='store_true')
3640
args, unknown_args = parser.parse_known_args()
3641
run_tests = args.check
3642
if run_tests:
3643
# Remove --check argument from sys.argv
3644
sys.argv[1:] = unknown_args
3645
return run_tests
3646
3647
# Add all tests from doctest strings
3648
def load_tests(loader, tests, none):
3649
import doctest
3650
tests.addTests(doctest.DocTestSuite())
3651
return tests
3652
3491
3653
3492
if __name__ == '__main__':
3654
try:
3655
if should_only_run_tests():
3656
# Call using ./mandos --check [--verbose]
3657
unittest.main()
3658
else:
3659
main()
3660
finally:
3661
logging.shutdown()
3493
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0