To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 299
- compare with another revision
- download diff
- download tarball
- view history from revision 299
- Committer: Teddy Hogeborn
- Date: 2009-02-05 03:37:06 UTC
- Revision ID: teddy@fukt.bsnet.se-20090205033706-unwxpqdwzgv84lux
* plugin-runner.c (main): Bug fix: Do setgid before setuid.
- files modified:
- INSTALL
added
removed
mandos
66
66
import ctypes
67
67
import ctypes.util
68
68
69
try:
70
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
71
except AttributeError:
72
try:
73
from IN import SO_BINDTODEVICE
74
except ImportError:
75
# From /usr/include/asm/socket.h
76
SO_BINDTODEVICE = 25
77
78
79
version = "1.0.8"
69
version = "1.0.5"
80
70
81
71
logger = logging.Logger('mandos')
82
72
syslogger = (logging.handlers.SysLogHandler
108
98
109
99
class AvahiService(object):
110
100
"""An Avahi (Zeroconf) service.
111
112
101
Attributes:
113
102
interface: integer; avahi.IF_UNSPEC or an interface index.
114
103
Used to optionally bind to the specified interface.
125
114
"""
126
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
127
116
servicetype = None, port = None, TXT = None,
128
domain = "", host = "", max_renames = 32768,
129
protocol = avahi.PROTO_UNSPEC):
117
domain = "", host = "", max_renames = 32768):
130
118
self.interface = interface
131
119
self.name = name
132
120
self.type = servicetype
136
124
self.host = host
137
125
self.rename_count = 0
138
126
self.max_renames = max_renames
139
self.protocol = protocol
140
127
def rename(self):
141
128
"""Derived from the Avahi example code"""
142
129
if self.rename_count >= self.max_renames:
148
135
logger.info(u"Changing Zeroconf service name to %r ...",
149
136
str(self.name))
150
137
syslogger.setFormatter(logging.Formatter
151
('Mandos (%s) [%%(process)d]:'
152
' %%(levelname)s: %%(message)s'
153
% self.name))
138
('Mandos (%s): %%(levelname)s:'
139
' %%(message)s' % self.name))
154
140
self.remove()
155
141
self.add()
156
142
self.rename_count += 1
172
158
service.name, service.type)
173
159
group.AddService(
174
160
self.interface, # interface
175
self.protocol, # protocol
161
avahi.PROTO_INET6, # protocol
176
162
dbus.UInt32(0), # flags
177
163
self.name, self.type,
178
164
self.domain, self.host,
190
176
return dbus.String(dt.isoformat(), variant_level=variant_level)
191
177
192
178
193
class Client(object):
179
class Client(dbus.service.Object):
194
180
"""A representation of a client host served by this server.
195
196
181
Attributes:
197
182
name: string; from the config file, used in log messages and
198
183
D-Bus identifiers
218
203
client lives. %() expansions are done at
219
204
runtime with vars(self) as dict, so that for
220
205
instance %(name)s can be used in the command.
221
current_checker_command: string; current running checker_command
206
use_dbus: bool(); Whether to provide D-Bus interface and signals
207
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
222
208
"""
223
209
def timeout_milliseconds(self):
224
210
"Return the 'timeout' attribute in milliseconds"
232
218
+ (self.interval.seconds * 1000)
233
219
+ (self.interval.microseconds // 1000))
234
220
235
def __init__(self, name = None, disable_hook=None, config=None):
221
def __init__(self, name = None, disable_hook=None, config=None,
222
use_dbus=True):
236
223
"""Note: the 'checker' key in 'config' sets the
237
224
'checker_command' attribute and *not* the 'checker'
238
225
attribute."""
240
227
if config is None:
241
228
config = {}
242
229
logger.debug(u"Creating client %r", self.name)
230
self.use_dbus = False # During __init__
243
231
# Uppercase and remove spaces from fingerprint for later
244
232
# comparison purposes with return value from the fingerprint()
245
233
# function
269
257
self.disable_initiator_tag = None
270
258
self.checker_callback_tag = None
271
259
self.checker_command = config["checker"]
272
self.current_checker_command = None
273
260
self.last_connect = None
261
# Only now, when this client is initialized, can it show up on
262
# the D-Bus
263
self.use_dbus = use_dbus
264
if self.use_dbus:
265
self.dbus_object_path = (dbus.ObjectPath
266
("/clients/"
267
+ self.name.replace(".", "_")))
268
dbus.service.Object.__init__(self, bus,
269
self.dbus_object_path)
274
270
275
271
def enable(self):
276
272
"""Start this client's checker and timeout hooks"""
287
283
(self.timeout_milliseconds(),
288
284
self.disable))
289
285
self.enabled = True
286
if self.use_dbus:
287
# Emit D-Bus signals
288
self.PropertyChanged(dbus.String(u"enabled"),
289
dbus.Boolean(True, variant_level=1))
290
self.PropertyChanged(dbus.String(u"last_enabled"),
291
(_datetime_to_dbus(self.last_enabled,
292
variant_level=1)))
290
293
291
294
def disable(self):
292
295
"""Disable this client."""
303
306
if self.disable_hook:
304
307
self.disable_hook(self)
305
308
self.enabled = False
309
if self.use_dbus:
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"enabled"),
312
dbus.Boolean(False, variant_level=1))
306
313
# Do not run this again if called by a gobject.timeout_add
307
314
return False
308
315
314
321
"""The checker has completed, so take appropriate actions."""
315
322
self.checker_callback_tag = None
316
323
self.checker = None
324
if self.use_dbus:
325
# Emit D-Bus signal
326
self.PropertyChanged(dbus.String(u"checker_running"),
327
dbus.Boolean(False, variant_level=1))
317
328
if os.WIFEXITED(condition):
318
329
exitstatus = os.WEXITSTATUS(condition)
319
330
if exitstatus == 0:
323
334
else:
324
335
logger.info(u"Checker for %(name)s failed",
325
336
vars(self))
337
if self.use_dbus:
338
# Emit D-Bus signal
339
self.CheckerCompleted(dbus.Int16(exitstatus),
340
dbus.Int64(condition),
341
dbus.String(command))
326
342
else:
327
343
logger.warning(u"Checker for %(name)s crashed?",
328
344
vars(self))
345
if self.use_dbus:
346
# Emit D-Bus signal
347
self.CheckerCompleted(dbus.Int16(-1),
348
dbus.Int64(condition),
349
dbus.String(command))
329
350
330
351
def checked_ok(self):
331
352
"""Bump up the timeout for this client.
332
333
353
This should only be called when the client has been seen,
334
354
alive and well.
335
355
"""
338
358
self.disable_initiator_tag = (gobject.timeout_add
339
359
(self.timeout_milliseconds(),
340
360
self.disable))
361
if self.use_dbus:
362
# Emit D-Bus signal
363
self.PropertyChanged(
364
dbus.String(u"last_checked_ok"),
365
(_datetime_to_dbus(self.last_checked_ok,
366
variant_level=1)))
341
367
342
368
def start_checker(self):
343
369
"""Start a new checker subprocess if one is not running.
344
345
370
If a checker already exists, leave it running and do
346
371
nothing."""
347
372
# The reason for not killing a running checker is that if we
352
377
# checkers alone, the checker would have to take more time
353
378
# than 'timeout' for the client to be declared invalid, which
354
379
# is as it should be.
355
356
# If a checker exists, make sure it is not a zombie
357
if self.checker is not None:
358
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
359
if pid:
360
logger.warning("Checker was a zombie")
361
gobject.source_remove(self.checker_callback_tag)
362
self.checker_callback(pid, status,
363
self.current_checker_command)
364
# Start a new checker if needed
365
380
if self.checker is None:
366
381
try:
367
382
# In case checker_command has exactly one % operator
377
392
logger.error(u'Could not format string "%s":'
378
393
u' %s', self.checker_command, error)
379
394
return True # Try again later
380
self.current_checker_command = command
381
395
try:
382
396
logger.info(u"Starting checker %r for %s",
383
397
command, self.name)
388
402
self.checker = subprocess.Popen(command,
389
403
close_fds=True,
390
404
shell=True, cwd="/")
405
if self.use_dbus:
406
# Emit D-Bus signal
407
self.CheckerStarted(command)
408
self.PropertyChanged(
409
dbus.String("checker_running"),
410
dbus.Boolean(True, variant_level=1))
391
411
self.checker_callback_tag = (gobject.child_watch_add
392
412
(self.checker.pid,
393
413
self.checker_callback,
394
414
data=command))
395
# The checker may have completed before the gobject
396
# watch was added. Check for this.
397
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
398
if pid:
399
gobject.source_remove(self.checker_callback_tag)
400
self.checker_callback(pid, status, command)
401
415
except OSError, error:
402
416
logger.error(u"Failed to start subprocess: %s",
403
417
error)
421
435
if error.errno != errno.ESRCH: # No such process
422
436
raise
423
437
self.checker = None
438
if self.use_dbus:
439
self.PropertyChanged(dbus.String(u"checker_running"),
440
dbus.Boolean(False, variant_level=1))
424
441
425
442
def still_valid(self):
426
443
"""Has the timeout not yet passed for this client?"""
431
448
return now < (self.created + self.timeout)
432
449
else:
433
450
return now < (self.last_checked_ok + self.timeout)
434
435
436
class ClientDBus(Client, dbus.service.Object):
437
"""A Client class using D-Bus
438
439
Attributes:
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
441
"""
442
# dbus.service.Object doesn't use super(), so we can't either.
443
444
def __init__(self, *args, **kwargs):
445
Client.__init__(self, *args, **kwargs)
446
# Only now, when this client is initialized, can it show up on
447
# the D-Bus
448
self.dbus_object_path = (dbus.ObjectPath
449
("/clients/"
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
453
def enable(self):
454
oldstate = getattr(self, "enabled", False)
455
r = Client.enable(self)
456
if oldstate != self.enabled:
457
# Emit D-Bus signals
458
self.PropertyChanged(dbus.String(u"enabled"),
459
dbus.Boolean(True, variant_level=1))
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
462
variant_level=1)))
463
return r
464
465
def disable(self, signal = True):
466
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
469
# Emit D-Bus signal
470
self.PropertyChanged(dbus.String(u"enabled"),
471
dbus.Boolean(False, variant_level=1))
472
return r
473
474
def __del__(self, *args, **kwargs):
475
try:
476
self.remove_from_connection()
477
except LookupError:
478
pass
479
if hasattr(dbus.service.Object, "__del__"):
480
dbus.service.Object.__del__(self, *args, **kwargs)
481
Client.__del__(self, *args, **kwargs)
482
483
def checker_callback(self, pid, condition, command,
484
*args, **kwargs):
485
self.checker_callback_tag = None
486
self.checker = None
487
# Emit D-Bus signal
488
self.PropertyChanged(dbus.String(u"checker_running"),
489
dbus.Boolean(False, variant_level=1))
490
if os.WIFEXITED(condition):
491
exitstatus = os.WEXITSTATUS(condition)
492
# Emit D-Bus signal
493
self.CheckerCompleted(dbus.Int16(exitstatus),
494
dbus.Int64(condition),
495
dbus.String(command))
496
else:
497
# Emit D-Bus signal
498
self.CheckerCompleted(dbus.Int16(-1),
499
dbus.Int64(condition),
500
dbus.String(command))
501
502
return Client.checker_callback(self, pid, condition, command,
503
*args, **kwargs)
504
505
def checked_ok(self, *args, **kwargs):
506
r = Client.checked_ok(self, *args, **kwargs)
507
# Emit D-Bus signal
508
self.PropertyChanged(
509
dbus.String(u"last_checked_ok"),
510
(_datetime_to_dbus(self.last_checked_ok,
511
variant_level=1)))
512
return r
513
514
def start_checker(self, *args, **kwargs):
515
old_checker = self.checker
516
if self.checker is not None:
517
old_checker_pid = self.checker.pid
518
else:
519
old_checker_pid = None
520
r = Client.start_checker(self, *args, **kwargs)
521
# Only if new checker process was started
522
if (self.checker is not None
523
and old_checker_pid != self.checker.pid):
524
# Emit D-Bus signal
525
self.CheckerStarted(self.current_checker_command)
526
self.PropertyChanged(
527
dbus.String("checker_running"),
528
dbus.Boolean(True, variant_level=1))
529
return r
530
531
def stop_checker(self, *args, **kwargs):
532
old_checker = getattr(self, "checker", None)
533
r = Client.stop_checker(self, *args, **kwargs)
534
if (old_checker is not None
535
and getattr(self, "checker", None) is None):
536
self.PropertyChanged(dbus.String(u"checker_running"),
537
dbus.Boolean(False, variant_level=1))
538
return r
539
451
540
452
## D-Bus methods & signals
541
453
_interface = u"se.bsnet.fukt.Mandos.Client"
599
511
}, signature="sv")
600
512
601
513
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
514
IsStillValid = (dbus.service.method(_interface, out_signature="b")
515
(still_valid))
516
IsStillValid.__name__ = "IsStillValid"
605
517
606
518
# PropertyChanged - signal
607
519
@dbus.service.signal(_interface, signature="sv")
609
521
"D-Bus signal"
610
522
pass
611
523
612
# ReceivedSecret - signal
613
@dbus.service.signal(_interface)
614
def ReceivedSecret(self):
615
"D-Bus signal"
616
pass
617
618
# Rejected - signal
619
@dbus.service.signal(_interface)
620
def Rejected(self):
621
"D-Bus signal"
622
pass
623
624
524
# SetChecker - method
625
525
@dbus.service.method(_interface, in_signature="s")
626
526
def SetChecker(self, checker):
688
588
del _interface
689
589
690
590
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
692
"""A class to handle client connections.
693
694
Instantiated once for each connection to handle it.
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint(1)
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if not bool(cert_list) and list_size.value != 0:
604
raise gnutls.errors.GNUTLSError("error getting peer"
605
" certificate")
606
if list_size.value == 0:
607
return None
608
cert = cert_list[0]
609
return ctypes.string_at(cert.data, cert.size)
610
611
612
def fingerprint(openpgp):
613
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
614
# New GnuTLS "datum" with the OpenPGP public key
615
datum = (gnutls.library.types
616
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
617
ctypes.POINTER
618
(ctypes.c_ubyte)),
619
ctypes.c_uint(len(openpgp))))
620
# New empty GnuTLS certificate
621
crt = gnutls.library.types.gnutls_openpgp_crt_t()
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
624
# Import the OpenPGP public key into the certificate
625
(gnutls.library.functions
626
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
627
gnutls.library.constants
628
.GNUTLS_OPENPGP_FMT_RAW))
629
# Verify the self signature in the key
630
crtverify = ctypes.c_uint()
631
(gnutls.library.functions
632
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
633
if crtverify.value != 0:
634
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
635
raise gnutls.errors.CertificateSecurityError("Verify failed")
636
# New buffer for the fingerprint
637
buf = ctypes.create_string_buffer(20)
638
buf_len = ctypes.c_size_t()
639
# Get the fingerprint from the certificate into the buffer
640
(gnutls.library.functions
641
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
642
ctypes.byref(buf_len)))
643
# Deinit the certificate
644
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
645
# Convert the buffer to a Python bytestring
646
fpr = ctypes.string_at(buf, buf_len.value)
647
# Convert the bytestring to hexadecimal notation
648
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
649
return hex_fpr
650
651
652
class TCP_handler(SocketServer.BaseRequestHandler, object):
653
"""A TCP request handler class.
654
Instantiated by IPv6_TCPServer for each request to handle it.
695
655
Note: This will run in its own forked process."""
696
656
697
657
def handle(self):
698
658
logger.info(u"TCP connection from: %s",
699
659
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
703
session = (gnutls.connection
704
.ClientSession(self.request,
705
gnutls.connection
706
.X509Credentials()))
707
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
710
try:
711
if int(line.strip().split()[0]) > 1:
712
raise RuntimeError
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
715
return
716
717
# Note: gnutls.connection.X509Credentials is really a
718
# generic GnuTLS certificate credentials object so long as
719
# no X.509 keys are added to it. Therefore, we can use it
720
# here despite using OpenPGP certificates.
721
722
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
725
# "+DHE-DSS"))
726
# Use a fallback default, since this MUST be set.
727
priority = self.server.gnutls_priority
728
if priority is None:
729
priority = "NORMAL"
730
(gnutls.library.functions
731
.gnutls_priority_set_direct(session._c_object,
732
priority, None))
733
734
try:
735
session.handshake()
736
except gnutls.errors.GNUTLSError, error:
737
logger.warning(u"Handshake failed: %s", error)
738
# Do not run session.bye() here: the session is not
739
# established. Just abandon the request.
740
return
741
logger.debug(u"Handshake succeeded")
742
try:
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
746
session.bye()
747
return
748
logger.debug(u"Fingerprint: %s", fpr)
749
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
752
client = c
753
break
754
else:
755
ipc.write("NOTFOUND %s\n" % fpr)
756
session.bye()
757
return
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
763
session.bye()
764
return
765
ipc.write("SENDING %s\n" % client.name)
766
sent_size = 0
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
772
sent_size += sent
773
session.bye()
774
775
@staticmethod
776
def peer_certificate(session):
777
"Return the peer's OpenPGP certificate as a bytestring"
778
# If not an OpenPGP certificate...
779
if (gnutls.library.functions
780
.gnutls_certificate_type_get(session._c_object)
781
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
782
# ...do the normal thing
783
return session.peer_certificate
784
list_size = ctypes.c_uint(1)
785
cert_list = (gnutls.library.functions
786
.gnutls_certificate_get_peers
787
(session._c_object, ctypes.byref(list_size)))
788
if not bool(cert_list) and list_size.value != 0:
789
raise gnutls.errors.GNUTLSError("error getting peer"
790
" certificate")
791
if list_size.value == 0:
792
return None
793
cert = cert_list[0]
794
return ctypes.string_at(cert.data, cert.size)
795
796
@staticmethod
797
def fingerprint(openpgp):
798
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
799
# New GnuTLS "datum" with the OpenPGP public key
800
datum = (gnutls.library.types
801
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
802
ctypes.POINTER
803
(ctypes.c_ubyte)),
804
ctypes.c_uint(len(openpgp))))
805
# New empty GnuTLS certificate
806
crt = gnutls.library.types.gnutls_openpgp_crt_t()
807
(gnutls.library.functions
808
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
809
# Import the OpenPGP public key into the certificate
810
(gnutls.library.functions
811
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
812
gnutls.library.constants
813
.GNUTLS_OPENPGP_FMT_RAW))
814
# Verify the self signature in the key
815
crtverify = ctypes.c_uint()
816
(gnutls.library.functions
817
.gnutls_openpgp_crt_verify_self(crt, 0,
818
ctypes.byref(crtverify)))
819
if crtverify.value != 0:
820
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
821
raise (gnutls.errors.CertificateSecurityError
822
("Verify failed"))
823
# New buffer for the fingerprint
824
buf = ctypes.create_string_buffer(20)
825
buf_len = ctypes.c_size_t()
826
# Get the fingerprint from the certificate into the buffer
827
(gnutls.library.functions
828
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
829
ctypes.byref(buf_len)))
830
# Deinit the certificate
831
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
832
# Convert the buffer to a Python bytestring
833
fpr = ctypes.string_at(buf, buf_len.value)
834
# Convert the bytestring to hexadecimal notation
835
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
836
return hex_fpr
837
838
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
841
842
Assumes a gobject.MainLoop event loop.
843
"""
844
def process_request(self, request, client_address):
845
"""Overrides and wraps the original process_request().
846
847
This function creates a new pipe in self.pipe
848
"""
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
851
self).process_request(request, client_address)
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
856
self.handle_ipc)
857
def handle_ipc(source, condition):
858
"""Dummy function; override as necessary"""
859
os.close(source)
860
return False
861
862
863
class IPv6_TCPServer(ForkingMixInWithPipe,
660
session = (gnutls.connection
661
.ClientSession(self.request,
662
gnutls.connection
663
.X509Credentials()))
664
665
line = self.request.makefile().readline()
666
logger.debug(u"Protocol version: %r", line)
667
try:
668
if int(line.strip().split()[0]) > 1:
669
raise RuntimeError
670
except (ValueError, IndexError, RuntimeError), error:
671
logger.error(u"Unknown protocol version: %s", error)
672
return
673
674
# Note: gnutls.connection.X509Credentials is really a generic
675
# GnuTLS certificate credentials object so long as no X.509
676
# keys are added to it. Therefore, we can use it here despite
677
# using OpenPGP certificates.
678
679
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
680
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
681
# "+DHE-DSS"))
682
# Use a fallback default, since this MUST be set.
683
priority = self.server.settings.get("priority", "NORMAL")
684
(gnutls.library.functions
685
.gnutls_priority_set_direct(session._c_object,
686
priority, None))
687
688
try:
689
session.handshake()
690
except gnutls.errors.GNUTLSError, error:
691
logger.warning(u"Handshake failed: %s", error)
692
# Do not run session.bye() here: the session is not
693
# established. Just abandon the request.
694
return
695
logger.debug(u"Handshake succeeded")
696
try:
697
fpr = fingerprint(peer_certificate(session))
698
except (TypeError, gnutls.errors.GNUTLSError), error:
699
logger.warning(u"Bad certificate: %s", error)
700
session.bye()
701
return
702
logger.debug(u"Fingerprint: %s", fpr)
703
704
for c in self.server.clients:
705
if c.fingerprint == fpr:
706
client = c
707
break
708
else:
709
logger.warning(u"Client not found for fingerprint: %s",
710
fpr)
711
session.bye()
712
return
713
# Have to check if client.still_valid(), since it is possible
714
# that the client timed out while establishing the GnuTLS
715
# session.
716
if not client.still_valid():
717
logger.warning(u"Client %(name)s is invalid",
718
vars(client))
719
session.bye()
720
return
721
## This won't work here, since we're in a fork.
722
# client.checked_ok()
723
sent_size = 0
724
while sent_size < len(client.secret):
725
sent = session.send(client.secret[sent_size:])
726
logger.debug(u"Sent: %d, remaining: %d",
727
sent, len(client.secret)
728
- (sent_size + sent))
729
sent_size += sent
730
session.bye()
731
732
733
class IPv6_TCPServer(SocketServer.ForkingMixIn,
864
734
SocketServer.TCPServer, object):
865
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
866
735
"""IPv6 TCP server. Accepts 'None' as address and/or port.
867
736
Attributes:
737
settings: Server settings
738
clients: Set() of Client objects
868
739
enabled: Boolean; whether this server is activated yet
869
interface: None or a network interface name (string)
870
use_ipv6: Boolean; to use IPv6 or not
871
----
872
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
875
740
"""
876
def __init__(self, server_address, RequestHandlerClass,
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
741
address_family = socket.AF_INET6
742
def __init__(self, *args, **kwargs):
743
if "settings" in kwargs:
744
self.settings = kwargs["settings"]
745
del kwargs["settings"]
746
if "clients" in kwargs:
747
self.clients = kwargs["clients"]
748
del kwargs["clients"]
879
749
self.enabled = False
880
self.interface = interface
881
if use_ipv6:
882
self.address_family = socket.AF_INET6
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
887
RequestHandlerClass)
750
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
888
751
def server_bind(self):
889
752
"""This overrides the normal server_bind() function
890
753
to bind to an interface if one was specified, and also NOT to
891
754
bind to an address or port if they were not specified."""
892
if self.interface is not None:
755
if self.settings["interface"]:
756
# 25 is from /usr/include/asm-i486/socket.h
757
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
893
758
try:
894
759
self.socket.setsockopt(socket.SOL_SOCKET,
895
760
SO_BINDTODEVICE,
896
self.interface + '\0')
761
self.settings["interface"])
897
762
except socket.error, error:
898
763
if error[0] == errno.EPERM:
899
764
logger.error(u"No permission to"
900
765
u" bind to interface %s",
901
self.interface)
766
self.settings["interface"])
902
767
else:
903
768
raise
904
769
# Only bind(2) the socket if we really need to.
905
770
if self.server_address[0] or self.server_address[1]:
906
771
if not self.server_address[0]:
907
if self.address_family == socket.AF_INET6:
908
any_address = "::" # in6addr_any
909
else:
910
any_address = socket.INADDR_ANY
911
self.server_address = (any_address,
772
in6addr_any = "::"
773
self.server_address = (in6addr_any,
912
774
self.server_address[1])
913
775
elif not self.server_address[1]:
914
776
self.server_address = (self.server_address[0],
915
777
0)
916
# if self.interface:
778
# if self.settings["interface"]:
917
779
# self.server_address = (self.server_address[0],
918
780
# 0, # port
919
781
# 0, # flowinfo
920
782
# if_nametoindex
921
# (self.interface))
922
return SocketServer.TCPServer.server_bind(self)
783
# (self.settings
784
# ["interface"]))
785
return super(IPv6_TCPServer, self).server_bind()
923
786
def server_activate(self):
924
787
if self.enabled:
925
return SocketServer.TCPServer.server_activate(self)
788
return super(IPv6_TCPServer, self).server_activate()
926
789
def enable(self):
927
790
self.enabled = True
928
def handle_ipc(self, source, condition, file_objects={}):
929
condition_names = {
930
gobject.IO_IN: "IN", # There is data to read.
931
gobject.IO_OUT: "OUT", # Data can be written (without
932
# blocking).
933
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
gobject.IO_ERR: "ERR", # Error condition.
935
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
937
# sockets).
938
}
939
conditions_string = ' | '.join(name
940
for cond, name in
941
condition_names.iteritems()
942
if cond & condition)
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
944
conditions_string)
945
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
949
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
953
# close the IPC pipe
954
file_objects[source].close()
955
del file_objects[source]
956
957
# Stop calling this function
958
return False
959
960
logger.debug("IPC command: %r", cmdline)
961
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
964
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
967
args)
968
if self.use_dbus:
969
# Emit D-Bus signal
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
975
if self.use_dbus:
976
# Emit D-Bus signal
977
client.Rejected()
978
break
979
else:
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
985
client.checked_ok()
986
if self.use_dbus:
987
# Emit D-Bus signal
988
client.ReceivedSecret()
989
break
990
else:
991
logger.error(u"Sending secret to unknown client %s",
992
args)
993
else:
994
logger.error("Unknown IPC command: %r", cmdline)
995
996
# Keep calling this function
997
return True
998
791
999
792
1000
793
def string_to_delta(interval):
1084
877
1085
878
def daemon(nochdir = False, noclose = False):
1086
879
"""See daemon(3). Standard BSD Unix function.
1087
1088
880
This should really exist as os.daemon, but it doesn't (yet)."""
1089
881
if os.fork():
1090
882
sys.exit()
1107
899
1108
900
1109
901
def main():
1110
1111
######################################################################
1112
# Parsing of options, both command line and config file
1113
1114
902
parser = optparse.OptionParser(version = "%%prog %s" % version)
1115
903
parser.add_option("-i", "--interface", type="string",
1116
904
metavar="IF", help="Bind to interface IF")
1135
923
dest="use_dbus",
1136
924
help="Do not provide D-Bus system bus"
1137
925
" interface")
1138
parser.add_option("--no-ipv6", action="store_false",
1139
dest="use_ipv6", help="Do not use IPv6")
1140
926
options = parser.parse_args()[0]
1141
927
1142
928
if options.check:
1153
939
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1154
940
"servicename": "Mandos",
1155
941
"use_dbus": "True",
1156
"use_ipv6": "True",
1157
942
}
1158
943
1159
944
# Parse config file for server-global settings
1167
952
"debug")
1168
953
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1169
954
"use_dbus")
1170
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1171
"use_ipv6")
1172
955
if server_settings["port"]:
1173
956
server_settings["port"] = server_config.getint("DEFAULT",
1174
957
"port")
1178
961
# options, if set.
1179
962
for option in ("interface", "address", "port", "debug",
1180
963
"priority", "servicename", "configdir",
1181
"use_dbus", "use_ipv6"):
964
"use_dbus"):
1182
965
value = getattr(options, option)
1183
966
if value is not None:
1184
967
server_settings[option] = value
1185
968
del options
1186
969
# Now we have our good server settings in "server_settings"
1187
970
1188
##################################################################
1189
1190
971
# For convenience
1191
972
debug = server_settings["debug"]
1192
973
use_dbus = server_settings["use_dbus"]
1193
use_ipv6 = server_settings["use_ipv6"]
1194
974
1195
975
if not debug:
1196
976
syslogger.setLevel(logging.WARNING)
1198
978
1199
979
if server_settings["servicename"] != "Mandos":
1200
980
syslogger.setFormatter(logging.Formatter
1201
('Mandos (%s) [%%(process)d]:'
1202
' %%(levelname)s: %%(message)s'
981
('Mandos (%s): %%(levelname)s:'
982
' %%(message)s'
1203
983
% server_settings["servicename"]))
1204
984
1205
985
# Parse config file with clients
1211
991
client_config = ConfigParser.SafeConfigParser(client_defaults)
1212
992
client_config.read(os.path.join(server_settings["configdir"],
1213
993
"clients.conf"))
1214
1215
global mandos_dbus_service
1216
mandos_dbus_service = None
1217
994
1218
995
clients = Set()
1219
996
tcp_server = IPv6_TCPServer((server_settings["address"],
1220
997
server_settings["port"]),
1221
ClientHandler,
1222
interface=
1223
server_settings["interface"],
1224
use_ipv6=use_ipv6,
1225
clients=clients,
1226
gnutls_priority=
1227
server_settings["priority"],
1228
use_dbus=use_dbus)
998
TCP_handler,
999
settings=server_settings,
1000
clients=clients)
1229
1001
pidfilename = "/var/run/mandos.pid"
1230
1002
try:
1231
1003
pidfile = open(pidfilename, "w")
1267
1039
.gnutls_global_set_log_function(debug_gnutls))
1268
1040
1269
1041
global service
1270
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1271
1042
service = AvahiService(name = server_settings["servicename"],
1272
servicetype = "_mandos._tcp",
1273
protocol = protocol)
1043
servicetype = "_mandos._tcp", )
1274
1044
if server_settings["interface"]:
1275
1045
service.interface = (if_nametoindex
1276
1046
(server_settings["interface"]))
1289
1059
if use_dbus:
1290
1060
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1291
1061
1292
client_class = Client
1293
if use_dbus:
1294
client_class = ClientDBus
1295
clients.update(Set(
1296
client_class(name = section,
1297
config= dict(client_config.items(section)))
1298
for section in client_config.sections()))
1062
clients.update(Set(Client(name = section,
1063
config
1064
= dict(client_config.items(section)),
1065
use_dbus = use_dbus)
1066
for section in client_config.sections()))
1299
1067
if not clients:
1300
1068
logger.warning(u"No clients defined")
1301
1069
1312
1080
daemon()
1313
1081
1314
1082
try:
1315
with closing(pidfile):
1316
pid = os.getpid()
1317
pidfile.write(str(pid) + "\n")
1083
pid = os.getpid()
1084
pidfile.write(str(pid) + "\n")
1085
pidfile.close()
1318
1086
del pidfile
1319
1087
except IOError:
1320
1088
logger.error(u"Could not write to file %r with PID %d",
1346
1114
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1347
1115
1348
1116
if use_dbus:
1349
class MandosDBusService(dbus.service.Object):
1117
class MandosServer(dbus.service.Object):
1350
1118
"""A D-Bus proxy object"""
1351
1119
def __init__(self):
1352
1120
dbus.service.Object.__init__(self, bus, "/")
1357
1125
"D-Bus signal"
1358
1126
pass
1359
1127
1360
@dbus.service.signal(_interface, signature="s")
1361
def ClientNotFound(self, fingerprint):
1362
"D-Bus signal"
1363
pass
1364
1365
1128
@dbus.service.signal(_interface, signature="os")
1366
1129
def ClientRemoved(self, objpath, name):
1367
1130
"D-Bus signal"
1386
1149
for c in clients:
1387
1150
if c.dbus_object_path == object_path:
1388
1151
clients.remove(c)
1389
c.remove_from_connection()
1390
1152
# Don't signal anything except ClientRemoved
1391
c.disable(signal=False)
1153
c.use_dbus = False
1154
c.disable()
1392
1155
# Emit D-Bus signal
1393
1156
self.ClientRemoved(object_path, c.name)
1394
1157
return
1396
1159
1397
1160
del _interface
1398
1161
1399
mandos_dbus_service = MandosDBusService()
1162
mandos_server = MandosServer()
1400
1163
1401
1164
for client in clients:
1402
1165
if use_dbus:
1403
1166
# Emit D-Bus signal
1404
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1405
client.GetAllProperties())
1167
mandos_server.ClientAdded(client.dbus_object_path,
1168
client.GetAllProperties())
1406
1169
client.enable()
1407
1170
1408
1171
tcp_server.enable()
1410
1173
1411
1174
# Find out what port we got
1412
1175
service.port = tcp_server.socket.getsockname()[1]
1413
if use_ipv6:
1414
logger.info(u"Now listening on address %r, port %d,"
1415
" flowinfo %d, scope_id %d"
1416
% tcp_server.socket.getsockname())
1417
else: # IPv4
1418
logger.info(u"Now listening on address %r, port %d"
1419
% tcp_server.socket.getsockname())
1176
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1177
u" scope_id %d" % tcp_server.socket.getsockname())
1420
1178
1421
1179
#service.interface = tcp_server.socket.getsockname()[3]
1422
1180
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0