185
167
# End of Avahi example code
188
def _datetime_to_dbus(dt, variant_level=0):
189
"""Convert a UTC datetime.datetime() to a D-Bus type."""
190
return dbus.String(dt.isoformat(), variant_level=variant_level)
193
170
class Client(object):
194
171
"""A representation of a client host served by this server.
197
name: string; from the config file, used in log messages and
173
name: string; from the config file, used in log messages
199
174
fingerprint: string (40 or 32 hexadecimal digits); used to
200
175
uniquely identify the client
201
secret: bytestring; sent verbatim (over TLS) to client
202
host: string; available for use by the checker command
203
created: datetime.datetime(); (UTC) object creation
204
last_enabled: datetime.datetime(); (UTC)
206
last_checked_ok: datetime.datetime(); (UTC) or None
207
timeout: datetime.timedelta(); How long from last_checked_ok
208
until this client is invalid
209
interval: datetime.timedelta(); How often to start a new checker
210
disable_hook: If set, called by disable() as disable_hook(self)
211
checker: subprocess.Popen(); a running checker process used
212
to see if the client lives.
213
'None' if no process is running.
176
secret: bytestring; sent verbatim (over TLS) to client
177
fqdn: string (FQDN); available for use by the checker command
178
created: datetime.datetime(); object creation, not client host
179
last_checked_ok: datetime.datetime() or None if not yet checked OK
180
timeout: datetime.timedelta(); How long from last_checked_ok
181
until this client is invalid
182
interval: datetime.timedelta(); How often to start a new checker
183
stop_hook: If set, called by stop() as stop_hook(self)
184
checker: subprocess.Popen(); a running checker process used
185
to see if the client lives.
186
'None' if no process is running.
214
187
checker_initiator_tag: a gobject event source tag, or None
215
disable_initiator_tag: - '' -
188
stop_initiator_tag: - '' -
216
189
checker_callback_tag: - '' -
217
190
checker_command: string; External command which is run to check if
218
191
client lives. %() expansions are done at
219
192
runtime with vars(self) as dict, so that for
220
193
instance %(name)s can be used in the command.
221
current_checker_command: string; current running checker_command
195
_timeout: Real variable for 'timeout'
196
_interval: Real variable for 'interval'
197
_timeout_milliseconds: Used when calling gobject.timeout_add()
198
_interval_milliseconds: - '' -
223
def timeout_milliseconds(self):
224
"Return the 'timeout' attribute in milliseconds"
225
return ((self.timeout.days * 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds // 1000))
229
def interval_milliseconds(self):
230
"Return the 'interval' attribute in milliseconds"
231
return ((self.interval.days * 24 * 60 * 60 * 1000)
232
+ (self.interval.seconds * 1000)
233
+ (self.interval.microseconds // 1000))
235
def __init__(self, name = None, disable_hook=None, config=None):
200
def _set_timeout(self, timeout):
201
"Setter function for 'timeout' attribute"
202
self._timeout = timeout
203
self._timeout_milliseconds = ((self.timeout.days
204
* 24 * 60 * 60 * 1000)
205
+ (self.timeout.seconds * 1000)
206
+ (self.timeout.microseconds
208
timeout = property(lambda self: self._timeout,
211
def _set_interval(self, interval):
212
"Setter function for 'interval' attribute"
213
self._interval = interval
214
self._interval_milliseconds = ((self.interval.days
215
* 24 * 60 * 60 * 1000)
216
+ (self.interval.seconds
218
+ (self.interval.microseconds
220
interval = property(lambda self: self._interval,
223
def __init__(self, name = None, stop_hook=None, config={}):
236
224
"""Note: the 'checker' key in 'config' sets the
237
225
'checker_command' attribute and *not* the 'checker'
242
228
logger.debug(u"Creating client %r", self.name)
243
229
# Uppercase and remove spaces from fingerprint for later
244
230
# comparison purposes with return value from the fingerprint()
246
self.fingerprint = (config["fingerprint"].upper()
232
self.fingerprint = config["fingerprint"].upper()\
248
234
logger.debug(u" Fingerprint: %s", self.fingerprint)
249
235
if "secret" in config:
250
236
self.secret = config["secret"].decode(u"base64")
251
237
elif "secfile" in config:
252
with closing(open(os.path.expanduser
254
(config["secfile"])))) as secfile:
255
self.secret = secfile.read()
238
sf = open(config["secfile"])
239
self.secret = sf.read()
257
242
raise TypeError(u"No secret or secfile for client %s"
259
self.host = config.get("host", "")
260
self.created = datetime.datetime.utcnow()
262
self.last_enabled = None
244
self.fqdn = config.get("fqdn", "")
245
self.created = datetime.datetime.now()
263
246
self.last_checked_ok = None
264
247
self.timeout = string_to_delta(config["timeout"])
265
248
self.interval = string_to_delta(config["interval"])
266
self.disable_hook = disable_hook
249
self.stop_hook = stop_hook
267
250
self.checker = None
268
251
self.checker_initiator_tag = None
269
self.disable_initiator_tag = None
252
self.stop_initiator_tag = None
270
253
self.checker_callback_tag = None
271
self.checker_command = config["checker"]
272
self.current_checker_command = None
273
self.last_connect = None
254
self.check_command = config["checker"]
276
256
"""Start this client's checker and timeout hooks"""
277
self.last_enabled = datetime.datetime.utcnow()
278
257
# Schedule a new checker to be started an 'interval' from now,
279
258
# and every interval from then on.
280
self.checker_initiator_tag = (gobject.timeout_add
281
(self.interval_milliseconds(),
259
self.checker_initiator_tag = gobject.timeout_add\
260
(self._interval_milliseconds,
283
262
# Also start a new checker *right now*.
284
263
self.start_checker()
285
# Schedule a disable() when 'timeout' has passed
286
self.disable_initiator_tag = (gobject.timeout_add
287
(self.timeout_milliseconds(),
292
"""Disable this client."""
293
if not getattr(self, "enabled", False):
264
# Schedule a stop() when 'timeout' has passed
265
self.stop_initiator_tag = gobject.timeout_add\
266
(self._timeout_milliseconds,
270
The possibility that a client might be restarted is left open,
271
but not currently used."""
272
# If this client doesn't have a secret, it is already stopped.
274
logger.info(u"Stopping client %s", self.name)
295
logger.info(u"Disabling client %s", self.name)
296
if getattr(self, "disable_initiator_tag", False):
297
gobject.source_remove(self.disable_initiator_tag)
298
self.disable_initiator_tag = None
278
if getattr(self, "stop_initiator_tag", False):
279
gobject.source_remove(self.stop_initiator_tag)
280
self.stop_initiator_tag = None
299
281
if getattr(self, "checker_initiator_tag", False):
300
282
gobject.source_remove(self.checker_initiator_tag)
301
283
self.checker_initiator_tag = None
302
284
self.stop_checker()
303
if self.disable_hook:
304
self.disable_hook(self)
306
287
# Do not run this again if called by a gobject.timeout_add
309
289
def __del__(self):
310
self.disable_hook = None
313
def checker_callback(self, pid, condition, command):
290
self.stop_hook = None
292
def checker_callback(self, pid, condition):
314
293
"""The checker has completed, so take appropriate actions."""
294
now = datetime.datetime.now()
315
295
self.checker_callback_tag = None
316
296
self.checker = None
317
if os.WIFEXITED(condition):
318
exitstatus = os.WEXITSTATUS(condition)
320
logger.info(u"Checker for %(name)s succeeded",
324
logger.info(u"Checker for %(name)s failed",
297
if os.WIFEXITED(condition) \
298
and (os.WEXITSTATUS(condition) == 0):
299
logger.info(u"Checker for %(name)s succeeded",
301
self.last_checked_ok = now
302
gobject.source_remove(self.stop_initiator_tag)
303
self.stop_initiator_tag = gobject.timeout_add\
304
(self._timeout_milliseconds,
306
elif not os.WIFEXITED(condition):
327
307
logger.warning(u"Checker for %(name)s crashed?",
330
def checked_ok(self):
331
"""Bump up the timeout for this client.
333
This should only be called when the client has been seen,
336
self.last_checked_ok = datetime.datetime.utcnow()
337
gobject.source_remove(self.disable_initiator_tag)
338
self.disable_initiator_tag = (gobject.timeout_add
339
(self.timeout_milliseconds(),
310
logger.info(u"Checker for %(name)s failed",
342
312
def start_checker(self):
343
313
"""Start a new checker subprocess if one is not running.
345
314
If a checker already exists, leave it running and do
347
316
# The reason for not killing a running checker is that if we
421
367
if error.errno != errno.ESRCH: # No such process
423
369
self.checker = None
425
370
def still_valid(self):
426
371
"""Has the timeout not yet passed for this client?"""
427
if not getattr(self, "enabled", False):
429
now = datetime.datetime.utcnow()
372
now = datetime.datetime.now()
430
373
if self.last_checked_ok is None:
431
374
return now < (self.created + self.timeout)
433
376
return now < (self.last_checked_ok + self.timeout)
436
class ClientDBus(Client, dbus.service.Object):
437
"""A Client class using D-Bus
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
442
# dbus.service.Object doesn't use super(), so we can't either.
444
def __init__(self, *args, **kwargs):
445
Client.__init__(self, *args, **kwargs)
446
# Only now, when this client is initialized, can it show up on
448
self.dbus_object_path = (dbus.ObjectPath
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
454
oldstate = getattr(self, "enabled", False)
455
r = Client.enable(self)
456
if oldstate != self.enabled:
458
self.PropertyChanged(dbus.String(u"enabled"),
459
dbus.Boolean(True, variant_level=1))
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
465
def disable(self, signal = True):
466
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
470
self.PropertyChanged(dbus.String(u"enabled"),
471
dbus.Boolean(False, variant_level=1))
474
def __del__(self, *args, **kwargs):
476
self.remove_from_connection()
479
if hasattr(dbus.service.Object, "__del__"):
480
dbus.service.Object.__del__(self, *args, **kwargs)
481
Client.__del__(self, *args, **kwargs)
483
def checker_callback(self, pid, condition, command,
485
self.checker_callback_tag = None
488
self.PropertyChanged(dbus.String(u"checker_running"),
489
dbus.Boolean(False, variant_level=1))
490
if os.WIFEXITED(condition):
491
exitstatus = os.WEXITSTATUS(condition)
493
self.CheckerCompleted(dbus.Int16(exitstatus),
494
dbus.Int64(condition),
495
dbus.String(command))
498
self.CheckerCompleted(dbus.Int16(-1),
499
dbus.Int64(condition),
500
dbus.String(command))
502
return Client.checker_callback(self, pid, condition, command,
505
def checked_ok(self, *args, **kwargs):
506
r = Client.checked_ok(self, *args, **kwargs)
508
self.PropertyChanged(
509
dbus.String(u"last_checked_ok"),
510
(_datetime_to_dbus(self.last_checked_ok,
514
def start_checker(self, *args, **kwargs):
515
old_checker = self.checker
516
if self.checker is not None:
517
old_checker_pid = self.checker.pid
519
old_checker_pid = None
520
r = Client.start_checker(self, *args, **kwargs)
521
# Only if new checker process was started
522
if (self.checker is not None
523
and old_checker_pid != self.checker.pid):
525
self.CheckerStarted(self.current_checker_command)
526
self.PropertyChanged(
527
dbus.String("checker_running"),
528
dbus.Boolean(True, variant_level=1))
531
def stop_checker(self, *args, **kwargs):
532
old_checker = getattr(self, "checker", None)
533
r = Client.stop_checker(self, *args, **kwargs)
534
if (old_checker is not None
535
and getattr(self, "checker", None) is None):
536
self.PropertyChanged(dbus.String(u"checker_running"),
537
dbus.Boolean(False, variant_level=1))
540
## D-Bus methods & signals
541
_interface = u"se.bsnet.fukt.Mandos.Client"
544
CheckedOK = dbus.service.method(_interface)(checked_ok)
545
CheckedOK.__name__ = "CheckedOK"
547
# CheckerCompleted - signal
548
@dbus.service.signal(_interface, signature="nxs")
549
def CheckerCompleted(self, exitcode, waitstatus, command):
553
# CheckerStarted - signal
554
@dbus.service.signal(_interface, signature="s")
555
def CheckerStarted(self, command):
559
# GetAllProperties - method
560
@dbus.service.method(_interface, out_signature="a{sv}")
561
def GetAllProperties(self):
563
return dbus.Dictionary({
565
dbus.String(self.name, variant_level=1),
566
dbus.String("fingerprint"):
567
dbus.String(self.fingerprint, variant_level=1),
569
dbus.String(self.host, variant_level=1),
570
dbus.String("created"):
571
_datetime_to_dbus(self.created, variant_level=1),
572
dbus.String("last_enabled"):
573
(_datetime_to_dbus(self.last_enabled,
575
if self.last_enabled is not None
576
else dbus.Boolean(False, variant_level=1)),
577
dbus.String("enabled"):
578
dbus.Boolean(self.enabled, variant_level=1),
579
dbus.String("last_checked_ok"):
580
(_datetime_to_dbus(self.last_checked_ok,
582
if self.last_checked_ok is not None
583
else dbus.Boolean (False, variant_level=1)),
584
dbus.String("timeout"):
585
dbus.UInt64(self.timeout_milliseconds(),
587
dbus.String("interval"):
588
dbus.UInt64(self.interval_milliseconds(),
590
dbus.String("checker"):
591
dbus.String(self.checker_command,
593
dbus.String("checker_running"):
594
dbus.Boolean(self.checker is not None,
596
dbus.String("object_path"):
597
dbus.ObjectPath(self.dbus_object_path,
601
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
606
# PropertyChanged - signal
607
@dbus.service.signal(_interface, signature="sv")
608
def PropertyChanged(self, property, value):
612
# ReceivedSecret - signal
613
@dbus.service.signal(_interface)
614
def ReceivedSecret(self):
619
@dbus.service.signal(_interface)
624
# SetChecker - method
625
@dbus.service.method(_interface, in_signature="s")
626
def SetChecker(self, checker):
627
"D-Bus setter method"
628
self.checker_command = checker
630
self.PropertyChanged(dbus.String(u"checker"),
631
dbus.String(self.checker_command,
635
@dbus.service.method(_interface, in_signature="s")
636
def SetHost(self, host):
637
"D-Bus setter method"
640
self.PropertyChanged(dbus.String(u"host"),
641
dbus.String(self.host, variant_level=1))
643
# SetInterval - method
644
@dbus.service.method(_interface, in_signature="t")
645
def SetInterval(self, milliseconds):
646
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
648
self.PropertyChanged(dbus.String(u"interval"),
649
(dbus.UInt64(self.interval_milliseconds(),
653
@dbus.service.method(_interface, in_signature="ay",
655
def SetSecret(self, secret):
656
"D-Bus setter method"
657
self.secret = str(secret)
659
# SetTimeout - method
660
@dbus.service.method(_interface, in_signature="t")
661
def SetTimeout(self, milliseconds):
662
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
664
self.PropertyChanged(dbus.String(u"timeout"),
665
(dbus.UInt64(self.timeout_milliseconds(),
669
Enable = dbus.service.method(_interface)(enable)
670
Enable.__name__ = "Enable"
672
# StartChecker - method
673
@dbus.service.method(_interface)
674
def StartChecker(self):
679
@dbus.service.method(_interface)
684
# StopChecker - method
685
StopChecker = dbus.service.method(_interface)(stop_checker)
686
StopChecker.__name__ = "StopChecker"
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
692
"""A class to handle client connections.
694
Instantiated once for each connection to handle it.
379
def peer_certificate(session):
380
"Return the peer's OpenPGP certificate as a bytestring"
381
# If not an OpenPGP certificate...
382
if gnutls.library.functions.gnutls_certificate_type_get\
383
(session._c_object) \
384
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
385
# ...do the normal thing
386
return session.peer_certificate
387
list_size = ctypes.c_uint()
388
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
389
(session._c_object, ctypes.byref(list_size))
390
if list_size.value == 0:
393
return ctypes.string_at(cert.data, cert.size)
396
def fingerprint(openpgp):
397
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
398
# New GnuTLS "datum" with the OpenPGP public key
399
datum = gnutls.library.types.gnutls_datum_t\
400
(ctypes.cast(ctypes.c_char_p(openpgp),
401
ctypes.POINTER(ctypes.c_ubyte)),
402
ctypes.c_uint(len(openpgp)))
403
# New empty GnuTLS certificate
404
crt = gnutls.library.types.gnutls_openpgp_crt_t()
405
gnutls.library.functions.gnutls_openpgp_crt_init\
407
# Import the OpenPGP public key into the certificate
408
gnutls.library.functions.gnutls_openpgp_crt_import\
409
(crt, ctypes.byref(datum),
410
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
411
# New buffer for the fingerprint
412
buffer = ctypes.create_string_buffer(20)
413
buffer_length = ctypes.c_size_t()
414
# Get the fingerprint from the certificate into the buffer
415
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
416
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
417
# Deinit the certificate
418
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
419
# Convert the buffer to a Python bytestring
420
fpr = ctypes.string_at(buffer, buffer_length.value)
421
# Convert the bytestring to hexadecimal notation
422
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
426
class tcp_handler(SocketServer.BaseRequestHandler, object):
427
"""A TCP request handler class.
428
Instantiated by IPv6_TCPServer for each request to handle it.
695
429
Note: This will run in its own forked process."""
697
431
def handle(self):
698
432
logger.info(u"TCP connection from: %s",
699
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
703
session = (gnutls.connection
704
.ClientSession(self.request,
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
711
if int(line.strip().split()[0]) > 1:
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
717
# Note: gnutls.connection.X509Credentials is really a
718
# generic GnuTLS certificate credentials object so long as
719
# no X.509 keys are added to it. Therefore, we can use it
720
# here despite using OpenPGP certificates.
722
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
726
# Use a fallback default, since this MUST be set.
727
priority = self.server.gnutls_priority
730
(gnutls.library.functions
731
.gnutls_priority_set_direct(session._c_object,
736
except gnutls.errors.GNUTLSError, error:
737
logger.warning(u"Handshake failed: %s", error)
738
# Do not run session.bye() here: the session is not
739
# established. Just abandon the request.
741
logger.debug(u"Handshake succeeded")
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
748
logger.debug(u"Fingerprint: %s", fpr)
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
755
ipc.write("NOTFOUND %s\n" % fpr)
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
765
ipc.write("SENDING %s\n" % client.name)
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
776
def peer_certificate(session):
777
"Return the peer's OpenPGP certificate as a bytestring"
778
# If not an OpenPGP certificate...
779
if (gnutls.library.functions
780
.gnutls_certificate_type_get(session._c_object)
781
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
782
# ...do the normal thing
783
return session.peer_certificate
784
list_size = ctypes.c_uint(1)
785
cert_list = (gnutls.library.functions
786
.gnutls_certificate_get_peers
787
(session._c_object, ctypes.byref(list_size)))
788
if not bool(cert_list) and list_size.value != 0:
789
raise gnutls.errors.GNUTLSError("error getting peer"
791
if list_size.value == 0:
794
return ctypes.string_at(cert.data, cert.size)
797
def fingerprint(openpgp):
798
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
799
# New GnuTLS "datum" with the OpenPGP public key
800
datum = (gnutls.library.types
801
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
804
ctypes.c_uint(len(openpgp))))
805
# New empty GnuTLS certificate
806
crt = gnutls.library.types.gnutls_openpgp_crt_t()
807
(gnutls.library.functions
808
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
809
# Import the OpenPGP public key into the certificate
810
(gnutls.library.functions
811
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
812
gnutls.library.constants
813
.GNUTLS_OPENPGP_FMT_RAW))
814
# Verify the self signature in the key
815
crtverify = ctypes.c_uint()
816
(gnutls.library.functions
817
.gnutls_openpgp_crt_verify_self(crt, 0,
818
ctypes.byref(crtverify)))
819
if crtverify.value != 0:
820
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
821
raise (gnutls.errors.CertificateSecurityError
823
# New buffer for the fingerprint
824
buf = ctypes.create_string_buffer(20)
825
buf_len = ctypes.c_size_t()
826
# Get the fingerprint from the certificate into the buffer
827
(gnutls.library.functions
828
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
829
ctypes.byref(buf_len)))
830
# Deinit the certificate
831
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
832
# Convert the buffer to a Python bytestring
833
fpr = ctypes.string_at(buf, buf_len.value)
834
# Convert the bytestring to hexadecimal notation
835
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
842
Assumes a gobject.MainLoop event loop.
844
def process_request(self, request, client_address):
845
"""Overrides and wraps the original process_request().
847
This function creates a new pipe in self.pipe
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
851
self).process_request(request, client_address)
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
857
def handle_ipc(source, condition):
858
"""Dummy function; override as necessary"""
863
class IPv6_TCPServer(ForkingMixInWithPipe,
864
SocketServer.TCPServer, object):
865
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
433
unicode(self.client_address))
434
session = gnutls.connection.ClientSession\
435
(self.request, gnutls.connection.X509Credentials())
437
line = self.request.makefile().readline()
438
logger.debug(u"Protocol version: %r", line)
440
if int(line.strip().split()[0]) > 1:
442
except (ValueError, IndexError, RuntimeError), error:
443
logger.error(u"Unknown protocol version: %s", error)
446
# Note: gnutls.connection.X509Credentials is really a generic
447
# GnuTLS certificate credentials object so long as no X.509
448
# keys are added to it. Therefore, we can use it here despite
449
# using OpenPGP certificates.
451
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
452
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
454
priority = "NORMAL" # Fallback default, since this
456
if self.server.settings["priority"]:
457
priority = self.server.settings["priority"]
458
gnutls.library.functions.gnutls_priority_set_direct\
459
(session._c_object, priority, None);
463
except gnutls.errors.GNUTLSError, error:
464
logger.warning(u"Handshake failed: %s", error)
465
# Do not run session.bye() here: the session is not
466
# established. Just abandon the request.
469
fpr = fingerprint(peer_certificate(session))
470
except (TypeError, gnutls.errors.GNUTLSError), error:
471
logger.warning(u"Bad certificate: %s", error)
474
logger.debug(u"Fingerprint: %s", fpr)
476
for c in self.server.clients:
477
if c.fingerprint == fpr:
481
logger.warning(u"Client not found for fingerprint: %s",
485
# Have to check if client.still_valid(), since it is possible
486
# that the client timed out while establishing the GnuTLS
488
if not client.still_valid():
489
logger.warning(u"Client %(name)s is invalid",
494
while sent_size < len(client.secret):
495
sent = session.send(client.secret[sent_size:])
496
logger.debug(u"Sent: %d, remaining: %d",
497
sent, len(client.secret)
498
- (sent_size + sent))
503
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
504
"""IPv6 TCP server. Accepts 'None' as address and/or port.
868
enabled: Boolean; whether this server is activated yet
869
interface: None or a network interface name (string)
870
use_ipv6: Boolean; to use IPv6 or not
506
settings: Server settings
872
507
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
876
def __init__(self, server_address, RequestHandlerClass,
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
880
self.interface = interface
882
self.address_family = socket.AF_INET6
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
509
address_family = socket.AF_INET6
510
def __init__(self, *args, **kwargs):
511
if "settings" in kwargs:
512
self.settings = kwargs["settings"]
513
del kwargs["settings"]
514
if "clients" in kwargs:
515
self.clients = kwargs["clients"]
516
del kwargs["clients"]
517
return super(type(self), self).__init__(*args, **kwargs)
888
518
def server_bind(self):
889
519
"""This overrides the normal server_bind() function
890
520
to bind to an interface if one was specified, and also NOT to
891
521
bind to an address or port if they were not specified."""
892
if self.interface is not None:
522
if self.settings["interface"]:
523
# 25 is from /usr/include/asm-i486/socket.h
524
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
894
526
self.socket.setsockopt(socket.SOL_SOCKET,
896
self.interface + '\0')
528
self.settings["interface"])
897
529
except socket.error, error:
898
530
if error[0] == errno.EPERM:
899
531
logger.error(u"No permission to"
900
532
u" bind to interface %s",
533
self.settings["interface"])
904
536
# Only bind(2) the socket if we really need to.
905
537
if self.server_address[0] or self.server_address[1]:
906
538
if not self.server_address[0]:
907
if self.address_family == socket.AF_INET6:
908
any_address = "::" # in6addr_any
910
any_address = socket.INADDR_ANY
911
self.server_address = (any_address,
540
self.server_address = (in6addr_any,
912
541
self.server_address[1])
913
elif not self.server_address[1]:
542
elif self.server_address[1] is None:
914
543
self.server_address = (self.server_address[0],
917
# self.server_address = (self.server_address[0],
922
return SocketServer.TCPServer.server_bind(self)
923
def server_activate(self):
925
return SocketServer.TCPServer.server_activate(self)
928
def handle_ipc(self, source, condition, file_objects={}):
930
gobject.IO_IN: "IN", # There is data to read.
931
gobject.IO_OUT: "OUT", # Data can be written (without
933
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
gobject.IO_ERR: "ERR", # Error condition.
935
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
939
conditions_string = ' | '.join(name
941
condition_names.iteritems()
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
954
file_objects[source].close()
955
del file_objects[source]
957
# Stop calling this function
960
logger.debug("IPC command: %r", cmdline)
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
988
client.ReceivedSecret()
991
logger.error(u"Sending secret to unknown client %s",
994
logger.error("Unknown IPC command: %r", cmdline)
996
# Keep calling this function
545
return super(type(self), self).server_bind()
1000
548
def string_to_delta(interval):
1001
549
"""Parse a string and return a datetime.timedelta
1003
551
>>> string_to_delta('7d')
1004
552
datetime.timedelta(7)
1005
553
>>> string_to_delta('60s')