To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 317
- compare with another revision
- download diff
- download tarball
- view history from revision 317
- Committer: Teddy Hogeborn
- Date: 2009-02-14 18:07:05 UTC
- Revision ID: teddy@fukt.bsnet.se-20090214180705-vu6b7j4i2v2hibgg
Use "getconf" to get correct LFS compile and link flags.
* Makefile (GPGME_CFLAGS): Added output of "getconf LFS_CFLAGS".
(GPGME_LIBS): Added output of "getconf LFS_LIBS" and
"getconf LFS_LDFLAGS".
* plugins.d/mandos-client.c: Only define "_LARGEFILE_SOURCE" and
"_FILE_OFFSET_BITS" if they are not
already defined.
* Makefile (GPGME_CFLAGS): Added output of "getconf LFS_CFLAGS".
(GPGME_LIBS): Added output of "getconf LFS_LIBS" and
"getconf LFS_LDFLAGS".
* plugins.d/mandos-client.c: Only define "_LARGEFILE_SOURCE" and
"_FILE_OFFSET_BITS" if they are not
already defined.
added
removed
mandos
66
66
import ctypes
67
67
import ctypes.util
68
68
69
try:
70
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
71
except AttributeError:
72
try:
73
from IN import SO_BINDTODEVICE
74
except ImportError:
75
# From /usr/include/asm/socket.h
76
SO_BINDTODEVICE = 25
77
78
79
version = "1.0.8"
69
version = "1.0.6"
80
70
81
71
logger = logging.Logger('mandos')
82
72
syslogger = (logging.handlers.SysLogHandler
108
98
109
99
class AvahiService(object):
110
100
"""An Avahi (Zeroconf) service.
111
112
101
Attributes:
113
102
interface: integer; avahi.IF_UNSPEC or an interface index.
114
103
Used to optionally bind to the specified interface.
148
137
logger.info(u"Changing Zeroconf service name to %r ...",
149
138
str(self.name))
150
139
syslogger.setFormatter(logging.Formatter
151
('Mandos (%s) [%%(process)d]:'
152
' %%(levelname)s: %%(message)s'
153
% self.name))
140
('Mandos (%s): %%(levelname)s:'
141
' %%(message)s' % self.name))
154
142
self.remove()
155
143
self.add()
156
144
self.rename_count += 1
190
178
return dbus.String(dt.isoformat(), variant_level=variant_level)
191
179
192
180
193
class Client(object):
181
class Client(dbus.service.Object):
194
182
"""A representation of a client host served by this server.
195
196
183
Attributes:
197
184
name: string; from the config file, used in log messages and
198
185
D-Bus identifiers
219
206
runtime with vars(self) as dict, so that for
220
207
instance %(name)s can be used in the command.
221
208
current_checker_command: string; current running checker_command
209
use_dbus: bool(); Whether to provide D-Bus interface and signals
210
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
222
211
"""
223
212
def timeout_milliseconds(self):
224
213
"Return the 'timeout' attribute in milliseconds"
232
221
+ (self.interval.seconds * 1000)
233
222
+ (self.interval.microseconds // 1000))
234
223
235
def __init__(self, name = None, disable_hook=None, config=None):
224
def __init__(self, name = None, disable_hook=None, config=None,
225
use_dbus=True):
236
226
"""Note: the 'checker' key in 'config' sets the
237
227
'checker_command' attribute and *not* the 'checker'
238
228
attribute."""
240
230
if config is None:
241
231
config = {}
242
232
logger.debug(u"Creating client %r", self.name)
233
self.use_dbus = False # During __init__
243
234
# Uppercase and remove spaces from fingerprint for later
244
235
# comparison purposes with return value from the fingerprint()
245
236
# function
271
262
self.checker_command = config["checker"]
272
263
self.current_checker_command = None
273
264
self.last_connect = None
265
# Only now, when this client is initialized, can it show up on
266
# the D-Bus
267
self.use_dbus = use_dbus
268
if self.use_dbus:
269
self.dbus_object_path = (dbus.ObjectPath
270
("/clients/"
271
+ self.name.replace(".", "_")))
272
dbus.service.Object.__init__(self, bus,
273
self.dbus_object_path)
274
274
275
275
def enable(self):
276
276
"""Start this client's checker and timeout hooks"""
287
287
(self.timeout_milliseconds(),
288
288
self.disable))
289
289
self.enabled = True
290
if self.use_dbus:
291
# Emit D-Bus signals
292
self.PropertyChanged(dbus.String(u"enabled"),
293
dbus.Boolean(True, variant_level=1))
294
self.PropertyChanged(dbus.String(u"last_enabled"),
295
(_datetime_to_dbus(self.last_enabled,
296
variant_level=1)))
290
297
291
298
def disable(self):
292
299
"""Disable this client."""
303
310
if self.disable_hook:
304
311
self.disable_hook(self)
305
312
self.enabled = False
313
if self.use_dbus:
314
# Emit D-Bus signal
315
self.PropertyChanged(dbus.String(u"enabled"),
316
dbus.Boolean(False, variant_level=1))
306
317
# Do not run this again if called by a gobject.timeout_add
307
318
return False
308
319
314
325
"""The checker has completed, so take appropriate actions."""
315
326
self.checker_callback_tag = None
316
327
self.checker = None
328
if self.use_dbus:
329
# Emit D-Bus signal
330
self.PropertyChanged(dbus.String(u"checker_running"),
331
dbus.Boolean(False, variant_level=1))
317
332
if os.WIFEXITED(condition):
318
333
exitstatus = os.WEXITSTATUS(condition)
319
334
if exitstatus == 0:
323
338
else:
324
339
logger.info(u"Checker for %(name)s failed",
325
340
vars(self))
341
if self.use_dbus:
342
# Emit D-Bus signal
343
self.CheckerCompleted(dbus.Int16(exitstatus),
344
dbus.Int64(condition),
345
dbus.String(command))
326
346
else:
327
347
logger.warning(u"Checker for %(name)s crashed?",
328
348
vars(self))
349
if self.use_dbus:
350
# Emit D-Bus signal
351
self.CheckerCompleted(dbus.Int16(-1),
352
dbus.Int64(condition),
353
dbus.String(command))
329
354
330
355
def checked_ok(self):
331
356
"""Bump up the timeout for this client.
332
333
357
This should only be called when the client has been seen,
334
358
alive and well.
335
359
"""
338
362
self.disable_initiator_tag = (gobject.timeout_add
339
363
(self.timeout_milliseconds(),
340
364
self.disable))
365
if self.use_dbus:
366
# Emit D-Bus signal
367
self.PropertyChanged(
368
dbus.String(u"last_checked_ok"),
369
(_datetime_to_dbus(self.last_checked_ok,
370
variant_level=1)))
341
371
342
372
def start_checker(self):
343
373
"""Start a new checker subprocess if one is not running.
344
345
374
If a checker already exists, leave it running and do
346
375
nothing."""
347
376
# The reason for not killing a running checker is that if we
377
406
logger.error(u'Could not format string "%s":'
378
407
u' %s', self.checker_command, error)
379
408
return True # Try again later
380
self.current_checker_command = command
409
self.current_checker_command = command
381
410
try:
382
411
logger.info(u"Starting checker %r for %s",
383
412
command, self.name)
388
417
self.checker = subprocess.Popen(command,
389
418
close_fds=True,
390
419
shell=True, cwd="/")
420
if self.use_dbus:
421
# Emit D-Bus signal
422
self.CheckerStarted(command)
423
self.PropertyChanged(
424
dbus.String("checker_running"),
425
dbus.Boolean(True, variant_level=1))
391
426
self.checker_callback_tag = (gobject.child_watch_add
392
427
(self.checker.pid,
393
428
self.checker_callback,
421
456
if error.errno != errno.ESRCH: # No such process
422
457
raise
423
458
self.checker = None
459
if self.use_dbus:
460
self.PropertyChanged(dbus.String(u"checker_running"),
461
dbus.Boolean(False, variant_level=1))
424
462
425
463
def still_valid(self):
426
464
"""Has the timeout not yet passed for this client?"""
431
469
return now < (self.created + self.timeout)
432
470
else:
433
471
return now < (self.last_checked_ok + self.timeout)
434
435
436
class ClientDBus(Client, dbus.service.Object):
437
"""A Client class using D-Bus
438
439
Attributes:
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
441
"""
442
# dbus.service.Object doesn't use super(), so we can't either.
443
444
def __init__(self, *args, **kwargs):
445
Client.__init__(self, *args, **kwargs)
446
# Only now, when this client is initialized, can it show up on
447
# the D-Bus
448
self.dbus_object_path = (dbus.ObjectPath
449
("/clients/"
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
453
def enable(self):
454
oldstate = getattr(self, "enabled", False)
455
r = Client.enable(self)
456
if oldstate != self.enabled:
457
# Emit D-Bus signals
458
self.PropertyChanged(dbus.String(u"enabled"),
459
dbus.Boolean(True, variant_level=1))
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
462
variant_level=1)))
463
return r
464
465
def disable(self, signal = True):
466
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
469
# Emit D-Bus signal
470
self.PropertyChanged(dbus.String(u"enabled"),
471
dbus.Boolean(False, variant_level=1))
472
return r
473
474
def __del__(self, *args, **kwargs):
475
try:
476
self.remove_from_connection()
477
except LookupError:
478
pass
479
if hasattr(dbus.service.Object, "__del__"):
480
dbus.service.Object.__del__(self, *args, **kwargs)
481
Client.__del__(self, *args, **kwargs)
482
483
def checker_callback(self, pid, condition, command,
484
*args, **kwargs):
485
self.checker_callback_tag = None
486
self.checker = None
487
# Emit D-Bus signal
488
self.PropertyChanged(dbus.String(u"checker_running"),
489
dbus.Boolean(False, variant_level=1))
490
if os.WIFEXITED(condition):
491
exitstatus = os.WEXITSTATUS(condition)
492
# Emit D-Bus signal
493
self.CheckerCompleted(dbus.Int16(exitstatus),
494
dbus.Int64(condition),
495
dbus.String(command))
496
else:
497
# Emit D-Bus signal
498
self.CheckerCompleted(dbus.Int16(-1),
499
dbus.Int64(condition),
500
dbus.String(command))
501
502
return Client.checker_callback(self, pid, condition, command,
503
*args, **kwargs)
504
505
def checked_ok(self, *args, **kwargs):
506
r = Client.checked_ok(self, *args, **kwargs)
507
# Emit D-Bus signal
508
self.PropertyChanged(
509
dbus.String(u"last_checked_ok"),
510
(_datetime_to_dbus(self.last_checked_ok,
511
variant_level=1)))
512
return r
513
514
def start_checker(self, *args, **kwargs):
515
old_checker = self.checker
516
if self.checker is not None:
517
old_checker_pid = self.checker.pid
518
else:
519
old_checker_pid = None
520
r = Client.start_checker(self, *args, **kwargs)
521
# Only if new checker process was started
522
if (self.checker is not None
523
and old_checker_pid != self.checker.pid):
524
# Emit D-Bus signal
525
self.CheckerStarted(self.current_checker_command)
526
self.PropertyChanged(
527
dbus.String("checker_running"),
528
dbus.Boolean(True, variant_level=1))
529
return r
530
531
def stop_checker(self, *args, **kwargs):
532
old_checker = getattr(self, "checker", None)
533
r = Client.stop_checker(self, *args, **kwargs)
534
if (old_checker is not None
535
and getattr(self, "checker", None) is None):
536
self.PropertyChanged(dbus.String(u"checker_running"),
537
dbus.Boolean(False, variant_level=1))
538
return r
539
472
540
473
## D-Bus methods & signals
541
474
_interface = u"se.bsnet.fukt.Mandos.Client"
599
532
}, signature="sv")
600
533
601
534
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
535
IsStillValid = (dbus.service.method(_interface, out_signature="b")
536
(still_valid))
537
IsStillValid.__name__ = "IsStillValid"
605
538
606
539
# PropertyChanged - signal
607
540
@dbus.service.signal(_interface, signature="sv")
609
542
"D-Bus signal"
610
543
pass
611
544
612
# ReceivedSecret - signal
613
@dbus.service.signal(_interface)
614
def ReceivedSecret(self):
615
"D-Bus signal"
616
pass
617
618
# Rejected - signal
619
@dbus.service.signal(_interface)
620
def Rejected(self):
621
"D-Bus signal"
622
pass
623
624
545
# SetChecker - method
625
546
@dbus.service.method(_interface, in_signature="s")
626
547
def SetChecker(self, checker):
688
609
del _interface
689
610
690
611
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
692
"""A class to handle client connections.
693
694
Instantiated once for each connection to handle it.
612
def peer_certificate(session):
613
"Return the peer's OpenPGP certificate as a bytestring"
614
# If not an OpenPGP certificate...
615
if (gnutls.library.functions
616
.gnutls_certificate_type_get(session._c_object)
617
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
618
# ...do the normal thing
619
return session.peer_certificate
620
list_size = ctypes.c_uint(1)
621
cert_list = (gnutls.library.functions
622
.gnutls_certificate_get_peers
623
(session._c_object, ctypes.byref(list_size)))
624
if not bool(cert_list) and list_size.value != 0:
625
raise gnutls.errors.GNUTLSError("error getting peer"
626
" certificate")
627
if list_size.value == 0:
628
return None
629
cert = cert_list[0]
630
return ctypes.string_at(cert.data, cert.size)
631
632
633
def fingerprint(openpgp):
634
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
635
# New GnuTLS "datum" with the OpenPGP public key
636
datum = (gnutls.library.types
637
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
638
ctypes.POINTER
639
(ctypes.c_ubyte)),
640
ctypes.c_uint(len(openpgp))))
641
# New empty GnuTLS certificate
642
crt = gnutls.library.types.gnutls_openpgp_crt_t()
643
(gnutls.library.functions
644
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
645
# Import the OpenPGP public key into the certificate
646
(gnutls.library.functions
647
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
648
gnutls.library.constants
649
.GNUTLS_OPENPGP_FMT_RAW))
650
# Verify the self signature in the key
651
crtverify = ctypes.c_uint()
652
(gnutls.library.functions
653
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
654
if crtverify.value != 0:
655
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
656
raise gnutls.errors.CertificateSecurityError("Verify failed")
657
# New buffer for the fingerprint
658
buf = ctypes.create_string_buffer(20)
659
buf_len = ctypes.c_size_t()
660
# Get the fingerprint from the certificate into the buffer
661
(gnutls.library.functions
662
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
663
ctypes.byref(buf_len)))
664
# Deinit the certificate
665
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
666
# Convert the buffer to a Python bytestring
667
fpr = ctypes.string_at(buf, buf_len.value)
668
# Convert the bytestring to hexadecimal notation
669
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
670
return hex_fpr
671
672
673
class TCP_handler(SocketServer.BaseRequestHandler, object):
674
"""A TCP request handler class.
675
Instantiated by IPv6_TCPServer for each request to handle it.
695
676
Note: This will run in its own forked process."""
696
677
697
678
def handle(self):
698
679
logger.info(u"TCP connection from: %s",
699
680
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
703
session = (gnutls.connection
704
.ClientSession(self.request,
705
gnutls.connection
706
.X509Credentials()))
707
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
710
try:
711
if int(line.strip().split()[0]) > 1:
712
raise RuntimeError
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
715
return
716
717
# Note: gnutls.connection.X509Credentials is really a
718
# generic GnuTLS certificate credentials object so long as
719
# no X.509 keys are added to it. Therefore, we can use it
720
# here despite using OpenPGP certificates.
721
722
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
725
# "+DHE-DSS"))
726
# Use a fallback default, since this MUST be set.
727
priority = self.server.gnutls_priority
728
if priority is None:
729
priority = "NORMAL"
730
(gnutls.library.functions
731
.gnutls_priority_set_direct(session._c_object,
732
priority, None))
733
734
try:
735
session.handshake()
736
except gnutls.errors.GNUTLSError, error:
737
logger.warning(u"Handshake failed: %s", error)
738
# Do not run session.bye() here: the session is not
739
# established. Just abandon the request.
740
return
741
logger.debug(u"Handshake succeeded")
742
try:
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
746
session.bye()
747
return
748
logger.debug(u"Fingerprint: %s", fpr)
749
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
752
client = c
753
break
754
else:
755
ipc.write("NOTFOUND %s\n" % fpr)
756
session.bye()
757
return
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
763
session.bye()
764
return
765
ipc.write("SENDING %s\n" % client.name)
766
sent_size = 0
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
772
sent_size += sent
773
session.bye()
774
775
@staticmethod
776
def peer_certificate(session):
777
"Return the peer's OpenPGP certificate as a bytestring"
778
# If not an OpenPGP certificate...
779
if (gnutls.library.functions
780
.gnutls_certificate_type_get(session._c_object)
781
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
782
# ...do the normal thing
783
return session.peer_certificate
784
list_size = ctypes.c_uint(1)
785
cert_list = (gnutls.library.functions
786
.gnutls_certificate_get_peers
787
(session._c_object, ctypes.byref(list_size)))
788
if not bool(cert_list) and list_size.value != 0:
789
raise gnutls.errors.GNUTLSError("error getting peer"
790
" certificate")
791
if list_size.value == 0:
792
return None
793
cert = cert_list[0]
794
return ctypes.string_at(cert.data, cert.size)
795
796
@staticmethod
797
def fingerprint(openpgp):
798
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
799
# New GnuTLS "datum" with the OpenPGP public key
800
datum = (gnutls.library.types
801
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
802
ctypes.POINTER
803
(ctypes.c_ubyte)),
804
ctypes.c_uint(len(openpgp))))
805
# New empty GnuTLS certificate
806
crt = gnutls.library.types.gnutls_openpgp_crt_t()
807
(gnutls.library.functions
808
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
809
# Import the OpenPGP public key into the certificate
810
(gnutls.library.functions
811
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
812
gnutls.library.constants
813
.GNUTLS_OPENPGP_FMT_RAW))
814
# Verify the self signature in the key
815
crtverify = ctypes.c_uint()
816
(gnutls.library.functions
817
.gnutls_openpgp_crt_verify_self(crt, 0,
818
ctypes.byref(crtverify)))
819
if crtverify.value != 0:
820
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
821
raise (gnutls.errors.CertificateSecurityError
822
("Verify failed"))
823
# New buffer for the fingerprint
824
buf = ctypes.create_string_buffer(20)
825
buf_len = ctypes.c_size_t()
826
# Get the fingerprint from the certificate into the buffer
827
(gnutls.library.functions
828
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
829
ctypes.byref(buf_len)))
830
# Deinit the certificate
831
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
832
# Convert the buffer to a Python bytestring
833
fpr = ctypes.string_at(buf, buf_len.value)
834
# Convert the bytestring to hexadecimal notation
835
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
836
return hex_fpr
837
838
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
841
842
Assumes a gobject.MainLoop event loop.
843
"""
844
def process_request(self, request, client_address):
845
"""Overrides and wraps the original process_request().
846
847
This function creates a new pipe in self.pipe
848
"""
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
851
self).process_request(request, client_address)
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
856
self.handle_ipc)
857
def handle_ipc(source, condition):
858
"""Dummy function; override as necessary"""
859
os.close(source)
860
return False
861
862
863
class IPv6_TCPServer(ForkingMixInWithPipe,
681
session = (gnutls.connection
682
.ClientSession(self.request,
683
gnutls.connection
684
.X509Credentials()))
685
686
line = self.request.makefile().readline()
687
logger.debug(u"Protocol version: %r", line)
688
try:
689
if int(line.strip().split()[0]) > 1:
690
raise RuntimeError
691
except (ValueError, IndexError, RuntimeError), error:
692
logger.error(u"Unknown protocol version: %s", error)
693
return
694
695
# Note: gnutls.connection.X509Credentials is really a generic
696
# GnuTLS certificate credentials object so long as no X.509
697
# keys are added to it. Therefore, we can use it here despite
698
# using OpenPGP certificates.
699
700
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
701
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
702
# "+DHE-DSS"))
703
# Use a fallback default, since this MUST be set.
704
priority = self.server.settings.get("priority", "NORMAL")
705
(gnutls.library.functions
706
.gnutls_priority_set_direct(session._c_object,
707
priority, None))
708
709
try:
710
session.handshake()
711
except gnutls.errors.GNUTLSError, error:
712
logger.warning(u"Handshake failed: %s", error)
713
# Do not run session.bye() here: the session is not
714
# established. Just abandon the request.
715
return
716
logger.debug(u"Handshake succeeded")
717
try:
718
fpr = fingerprint(peer_certificate(session))
719
except (TypeError, gnutls.errors.GNUTLSError), error:
720
logger.warning(u"Bad certificate: %s", error)
721
session.bye()
722
return
723
logger.debug(u"Fingerprint: %s", fpr)
724
725
for c in self.server.clients:
726
if c.fingerprint == fpr:
727
client = c
728
break
729
else:
730
logger.warning(u"Client not found for fingerprint: %s",
731
fpr)
732
session.bye()
733
return
734
# Have to check if client.still_valid(), since it is possible
735
# that the client timed out while establishing the GnuTLS
736
# session.
737
if not client.still_valid():
738
logger.warning(u"Client %(name)s is invalid",
739
vars(client))
740
session.bye()
741
return
742
## This won't work here, since we're in a fork.
743
# client.checked_ok()
744
sent_size = 0
745
while sent_size < len(client.secret):
746
sent = session.send(client.secret[sent_size:])
747
logger.debug(u"Sent: %d, remaining: %d",
748
sent, len(client.secret)
749
- (sent_size + sent))
750
sent_size += sent
751
session.bye()
752
753
754
class IPv6_TCPServer(SocketServer.ForkingMixIn,
864
755
SocketServer.TCPServer, object):
865
756
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
866
867
757
Attributes:
758
settings: Server settings
759
clients: Set() of Client objects
868
760
enabled: Boolean; whether this server is activated yet
869
interface: None or a network interface name (string)
870
use_ipv6: Boolean; to use IPv6 or not
871
----
872
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
875
761
"""
876
def __init__(self, server_address, RequestHandlerClass,
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
762
address_family = socket.AF_INET6
763
def __init__(self, *args, **kwargs):
764
if "settings" in kwargs:
765
self.settings = kwargs["settings"]
766
del kwargs["settings"]
767
if "clients" in kwargs:
768
self.clients = kwargs["clients"]
769
del kwargs["clients"]
770
if "use_ipv6" in kwargs:
771
if not kwargs["use_ipv6"]:
772
self.address_family = socket.AF_INET
773
del kwargs["use_ipv6"]
879
774
self.enabled = False
880
self.interface = interface
881
if use_ipv6:
882
self.address_family = socket.AF_INET6
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
887
RequestHandlerClass)
775
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
888
776
def server_bind(self):
889
777
"""This overrides the normal server_bind() function
890
778
to bind to an interface if one was specified, and also NOT to
891
779
bind to an address or port if they were not specified."""
892
if self.interface is not None:
780
if self.settings["interface"]:
781
# 25 is from /usr/include/asm-i486/socket.h
782
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
893
783
try:
894
784
self.socket.setsockopt(socket.SOL_SOCKET,
895
785
SO_BINDTODEVICE,
896
self.interface + '\0')
786
self.settings["interface"])
897
787
except socket.error, error:
898
788
if error[0] == errno.EPERM:
899
789
logger.error(u"No permission to"
900
790
u" bind to interface %s",
901
self.interface)
791
self.settings["interface"])
902
792
else:
903
793
raise
904
794
# Only bind(2) the socket if we really need to.
913
803
elif not self.server_address[1]:
914
804
self.server_address = (self.server_address[0],
915
805
0)
916
# if self.interface:
806
# if self.settings["interface"]:
917
807
# self.server_address = (self.server_address[0],
918
808
# 0, # port
919
809
# 0, # flowinfo
920
810
# if_nametoindex
921
# (self.interface))
922
return SocketServer.TCPServer.server_bind(self)
811
# (self.settings
812
# ["interface"]))
813
return super(IPv6_TCPServer, self).server_bind()
923
814
def server_activate(self):
924
815
if self.enabled:
925
return SocketServer.TCPServer.server_activate(self)
816
return super(IPv6_TCPServer, self).server_activate()
926
817
def enable(self):
927
818
self.enabled = True
928
def handle_ipc(self, source, condition, file_objects={}):
929
condition_names = {
930
gobject.IO_IN: "IN", # There is data to read.
931
gobject.IO_OUT: "OUT", # Data can be written (without
932
# blocking).
933
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
gobject.IO_ERR: "ERR", # Error condition.
935
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
937
# sockets).
938
}
939
conditions_string = ' | '.join(name
940
for cond, name in
941
condition_names.iteritems()
942
if cond & condition)
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
944
conditions_string)
945
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
949
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
953
# close the IPC pipe
954
file_objects[source].close()
955
del file_objects[source]
956
957
# Stop calling this function
958
return False
959
960
logger.debug("IPC command: %r", cmdline)
961
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
964
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
967
args)
968
if self.use_dbus:
969
# Emit D-Bus signal
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
975
if self.use_dbus:
976
# Emit D-Bus signal
977
client.Rejected()
978
break
979
else:
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
985
client.checked_ok()
986
if self.use_dbus:
987
# Emit D-Bus signal
988
client.ReceivedSecret()
989
break
990
else:
991
logger.error(u"Sending secret to unknown client %s",
992
args)
993
else:
994
logger.error("Unknown IPC command: %r", cmdline)
995
996
# Keep calling this function
997
return True
998
819
999
820
1000
821
def string_to_delta(interval):
1084
905
1085
906
def daemon(nochdir = False, noclose = False):
1086
907
"""See daemon(3). Standard BSD Unix function.
1087
1088
908
This should really exist as os.daemon, but it doesn't (yet)."""
1089
909
if os.fork():
1090
910
sys.exit()
1107
927
1108
928
1109
929
def main():
1110
1111
######################################################################
1112
# Parsing of options, both command line and config file
1113
1114
930
parser = optparse.OptionParser(version = "%%prog %s" % version)
1115
931
parser.add_option("-i", "--interface", type="string",
1116
932
metavar="IF", help="Bind to interface IF")
1185
1001
del options
1186
1002
# Now we have our good server settings in "server_settings"
1187
1003
1188
##################################################################
1189
1190
1004
# For convenience
1191
1005
debug = server_settings["debug"]
1192
1006
use_dbus = server_settings["use_dbus"]
1198
1012
1199
1013
if server_settings["servicename"] != "Mandos":
1200
1014
syslogger.setFormatter(logging.Formatter
1201
('Mandos (%s) [%%(process)d]:'
1202
' %%(levelname)s: %%(message)s'
1015
('Mandos (%s): %%(levelname)s:'
1016
' %%(message)s'
1203
1017
% server_settings["servicename"]))
1204
1018
1205
1019
# Parse config file with clients
1211
1025
client_config = ConfigParser.SafeConfigParser(client_defaults)
1212
1026
client_config.read(os.path.join(server_settings["configdir"],
1213
1027
"clients.conf"))
1214
1215
global mandos_dbus_service
1216
mandos_dbus_service = None
1217
1028
1218
1029
clients = Set()
1219
1030
tcp_server = IPv6_TCPServer((server_settings["address"],
1220
1031
server_settings["port"]),
1221
ClientHandler,
1222
interface=
1223
server_settings["interface"],
1224
use_ipv6=use_ipv6,
1225
clients=clients,
1226
gnutls_priority=
1227
server_settings["priority"],
1228
use_dbus=use_dbus)
1032
TCP_handler,
1033
settings=server_settings,
1034
clients=clients, use_ipv6=use_ipv6)
1229
1035
pidfilename = "/var/run/mandos.pid"
1230
1036
try:
1231
1037
pidfile = open(pidfilename, "w")
1289
1095
if use_dbus:
1290
1096
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1291
1097
1292
client_class = Client
1293
if use_dbus:
1294
client_class = ClientDBus
1295
clients.update(Set(
1296
client_class(name = section,
1297
config= dict(client_config.items(section)))
1298
for section in client_config.sections()))
1098
clients.update(Set(Client(name = section,
1099
config
1100
= dict(client_config.items(section)),
1101
use_dbus = use_dbus)
1102
for section in client_config.sections()))
1299
1103
if not clients:
1300
1104
logger.warning(u"No clients defined")
1301
1105
1312
1116
daemon()
1313
1117
1314
1118
try:
1315
with closing(pidfile):
1316
pid = os.getpid()
1317
pidfile.write(str(pid) + "\n")
1119
pid = os.getpid()
1120
pidfile.write(str(pid) + "\n")
1121
pidfile.close()
1318
1122
del pidfile
1319
1123
except IOError:
1320
1124
logger.error(u"Could not write to file %r with PID %d",
1346
1150
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1347
1151
1348
1152
if use_dbus:
1349
class MandosDBusService(dbus.service.Object):
1153
class MandosServer(dbus.service.Object):
1350
1154
"""A D-Bus proxy object"""
1351
1155
def __init__(self):
1352
1156
dbus.service.Object.__init__(self, bus, "/")
1357
1161
"D-Bus signal"
1358
1162
pass
1359
1163
1360
@dbus.service.signal(_interface, signature="s")
1361
def ClientNotFound(self, fingerprint):
1362
"D-Bus signal"
1363
pass
1364
1365
1164
@dbus.service.signal(_interface, signature="os")
1366
1165
def ClientRemoved(self, objpath, name):
1367
1166
"D-Bus signal"
1386
1185
for c in clients:
1387
1186
if c.dbus_object_path == object_path:
1388
1187
clients.remove(c)
1389
c.remove_from_connection()
1390
1188
# Don't signal anything except ClientRemoved
1391
c.disable(signal=False)
1189
c.use_dbus = False
1190
c.disable()
1392
1191
# Emit D-Bus signal
1393
1192
self.ClientRemoved(object_path, c.name)
1394
1193
return
1396
1195
1397
1196
del _interface
1398
1197
1399
mandos_dbus_service = MandosDBusService()
1198
mandos_server = MandosServer()
1400
1199
1401
1200
for client in clients:
1402
1201
if use_dbus:
1403
1202
# Emit D-Bus signal
1404
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1405
client.GetAllProperties())
1203
mandos_server.ClientAdded(client.dbus_object_path,
1204
client.GetAllProperties())
1406
1205
client.enable()
1407
1206
1408
1207
tcp_server.enable()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0