11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2014 Teddy Hogeborn
15
# Copyright © 2008-2014 Björn Påhlsson
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
114
117
def initlogger(debug, level=logging.WARNING):
115
118
"""init logger and add loglevel"""
118
syslogger = (logging.handlers.SysLogHandler
120
logging.handlers.SysLogHandler.LOG_DAEMON,
121
address = str("/dev/log")))
122
120
syslogger.setFormatter(logging.Formatter
123
121
('Mandos [%(process)d]: %(levelname)s:'
142
140
class PGPEngine(object):
143
141
"""A simple class for OpenPGP symmetric encryption & decryption"""
144
142
def __init__(self):
143
self.gnupg = GnuPGInterface.GnuPG()
145
144
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
146
self.gnupgargs = ['--batch',
147
'--home', self.tempdir,
145
self.gnupg = GnuPGInterface.GnuPG()
146
self.gnupg.options.meta_interactive = False
147
self.gnupg.options.homedir = self.tempdir
148
self.gnupg.options.extra_args.extend(['--force-mdc',
152
152
def __enter__(self):
175
175
def password_encode(self, password):
176
176
# Passphrase can not be empty and can not contain newlines or
177
177
# NUL bytes. So we prefix it and hex encode it.
178
encoded = b"mandos" + binascii.hexlify(password)
179
if len(encoded) > 2048:
180
# GnuPG can't handle long passwords, so encode differently
181
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
182
.replace(b"\n", b"\\n")
183
.replace(b"\0", b"\\x00"))
178
return b"mandos" + binascii.hexlify(password)
186
180
def encrypt(self, data, password):
187
passphrase = self.password_encode(password)
188
with tempfile.NamedTemporaryFile(dir=self.tempdir
190
passfile.write(passphrase)
192
proc = subprocess.Popen(['gpg', '--symmetric',
196
stdin = subprocess.PIPE,
197
stdout = subprocess.PIPE,
198
stderr = subprocess.PIPE)
199
ciphertext, err = proc.communicate(input = data)
200
if proc.returncode != 0:
181
self.gnupg.passphrase = self.password_encode(password)
182
with open(os.devnull, "w") as devnull:
184
proc = self.gnupg.run(['--symmetric'],
185
create_fhs=['stdin', 'stdout'],
186
attach_fhs={'stderr': devnull})
187
with contextlib.closing(proc.handles['stdin']) as f:
189
with contextlib.closing(proc.handles['stdout']) as f:
190
ciphertext = f.read()
194
self.gnupg.passphrase = None
202
195
return ciphertext
204
197
def decrypt(self, data, password):
205
passphrase = self.password_encode(password)
206
with tempfile.NamedTemporaryFile(dir = self.tempdir
208
passfile.write(passphrase)
210
proc = subprocess.Popen(['gpg', '--decrypt',
214
stdin = subprocess.PIPE,
215
stdout = subprocess.PIPE,
216
stderr = subprocess.PIPE)
217
decrypted_plaintext, err = proc.communicate(input
219
if proc.returncode != 0:
198
self.gnupg.passphrase = self.password_encode(password)
199
with open(os.devnull, "w") as devnull:
201
proc = self.gnupg.run(['--decrypt'],
202
create_fhs=['stdin', 'stdout'],
203
attach_fhs={'stderr': devnull})
204
with contextlib.closing(proc.handles['stdin']) as f:
206
with contextlib.closing(proc.handles['stdout']) as f:
207
decrypted_plaintext = f.read()
211
self.gnupg.passphrase = None
221
212
return decrypted_plaintext
243
234
Used to optionally bind to the specified interface.
244
235
name: string; Example: 'Mandos'
245
236
type: string; Example: '_mandos._tcp'.
246
See <https://www.iana.org/assignments/service-names-port-numbers>
237
See <http://www.dns-sd.org/ServiceTypes.html>
247
238
port: integer; what port to announce
248
239
TXT: list of strings; TXT record for the service
249
240
domain: string; Domain to publish on, default to .local if empty.
533
def __init__(self, settings, name = None, server_settings=None):
523
def __init__(self, settings, name = None):
535
if server_settings is None:
537
self.server_settings = server_settings
538
525
# adding all client settings
539
526
for setting, value in settings.iteritems():
540
527
setattr(self, setting, value)
693
680
# If a checker exists, make sure it is not a zombie
695
682
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
696
except AttributeError:
698
except OSError as error:
699
if error.errno != errno.ECHILD:
683
except (AttributeError, OSError) as error:
684
if (isinstance(error, OSError)
685
and error.errno != errno.ECHILD):
703
689
logger.warning("Checker was a zombie")
725
711
# in normal mode, that is already done by daemon(),
726
712
# and in debug mode we don't want to. (Stdin is
727
713
# always replaced by /dev/null.)
728
# The exception is when not debugging but nevertheless
729
# running in the foreground; use the previously
732
if (not self.server_settings["debug"]
733
and self.server_settings["foreground"]):
734
popen_args.update({"stdout": wnull,
736
714
self.checker = subprocess.Popen(command,
740
717
except OSError as error:
741
718
logger.error("Failed to start subprocess",
744
720
self.checker_callback_tag = (gobject.child_watch_add
745
721
(self.checker.pid,
746
722
self.checker_callback,
748
724
# The checker may have completed before the gobject
749
725
# watch was added. Check for this.
751
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
752
except OSError as error:
753
if error.errno == errno.ECHILD:
754
# This should never happen
755
logger.error("Child process vanished",
726
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
760
728
gobject.source_remove(self.checker_callback_tag)
761
729
self.checker_callback(pid, status, command)
1103
1069
interface_names.add(alt_interface)
1104
1070
# Is this a D-Bus signal?
1105
1071
if getattr(attribute, "_dbus_is_signal", False):
1106
# Extract the original non-method undecorated
1107
# function by black magic
1072
# Extract the original non-method function by
1108
1074
nonmethod_func = (dict(
1109
1075
zip(attribute.func_code.co_freevars,
1110
1076
attribute.__closure__))["func"]
1353
1319
*args, **kwargs)
1355
1321
def start_checker(self, *args, **kwargs):
1356
old_checker_pid = getattr(self.checker, "pid", None)
1322
old_checker = self.checker
1323
if self.checker is not None:
1324
old_checker_pid = self.checker.pid
1326
old_checker_pid = None
1357
1327
r = Client.start_checker(self, *args, **kwargs)
1358
1328
# Only if new checker process was started
1359
1329
if (self.checker is not None
2310
2280
help="Run self-test")
2311
2281
parser.add_argument("--debug", action="store_true",
2312
2282
help="Debug mode; run in foreground and log"
2313
" to terminal", default=None)
2314
2284
parser.add_argument("--debuglevel", metavar="LEVEL",
2315
2285
help="Debug level for stdout output")
2316
2286
parser.add_argument("--priority", help="GnuTLS"
2324
2294
parser.add_argument("--no-dbus", action="store_false",
2325
2295
dest="use_dbus", help="Do not provide D-Bus"
2326
" system bus interface", default=None)
2296
" system bus interface")
2327
2297
parser.add_argument("--no-ipv6", action="store_false",
2328
dest="use_ipv6", help="Do not use IPv6",
2298
dest="use_ipv6", help="Do not use IPv6")
2330
2299
parser.add_argument("--no-restore", action="store_false",
2331
2300
dest="restore", help="Do not restore stored"
2332
" state", default=None)
2333
2302
parser.add_argument("--socket", type=int,
2334
2303
help="Specify a file descriptor to a network"
2335
2304
" socket to use instead of creating one")
2336
2305
parser.add_argument("--statedir", metavar="DIR",
2337
2306
help="Directory to save/restore state in")
2338
2307
parser.add_argument("--foreground", action="store_true",
2339
help="Run in foreground", default=None)
2340
parser.add_argument("--no-zeroconf", action="store_false",
2341
dest="zeroconf", help="Do not use Zeroconf",
2308
help="Run in foreground")
2344
2310
options = parser.parse_args()
2346
2312
if options.check:
2348
fail_count, test_count = doctest.testmod()
2349
sys.exit(os.EX_OK if fail_count == 0 else 1)
2351
2317
# Default values for config file for server-global settings
2352
2318
server_defaults = { "interface": "",
2396
2361
for option in ("interface", "address", "port", "debug",
2397
2362
"priority", "servicename", "configdir",
2398
2363
"use_dbus", "use_ipv6", "debuglevel", "restore",
2399
"statedir", "socket", "foreground", "zeroconf"):
2364
"statedir", "socket", "foreground"):
2400
2365
value = getattr(options, option)
2401
2366
if value is not None:
2402
2367
server_settings[option] = value
2405
2370
for option in server_settings.keys():
2406
2371
if type(server_settings[option]) is str:
2407
2372
server_settings[option] = unicode(server_settings[option])
2408
# Force all boolean options to be boolean
2409
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2410
"foreground", "zeroconf"):
2411
server_settings[option] = bool(server_settings[option])
2412
2373
# Debug implies foreground
2413
2374
if server_settings["debug"]:
2414
2375
server_settings["foreground"] = True
2417
2378
##################################################################
2419
if (not server_settings["zeroconf"] and
2420
not (server_settings["port"]
2421
or server_settings["socket"] != "")):
2422
parser.error("Needs port or socket to work without"
2425
2380
# For convenience
2426
2381
debug = server_settings["debug"]
2427
2382
debuglevel = server_settings["debuglevel"]
2469
2420
gnutls_priority=
2470
2421
server_settings["priority"],
2471
2422
use_dbus=use_dbus,
2423
socketfd=(server_settings["socket"]
2473
2425
if not foreground:
2474
pidfilename = "/run/mandos.pid"
2475
if not os.path.isdir("/run/."):
2476
pidfilename = "/var/run/mandos.pid"
2426
pidfilename = "/var/run/mandos.pid"
2479
2429
pidfile = open(pidfilename, "w")
2545
2495
use_dbus = False
2546
2496
server_settings["use_dbus"] = False
2547
2497
tcp_server.use_dbus = False
2549
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2550
service = AvahiServiceToSyslog(name =
2551
server_settings["servicename"],
2552
servicetype = "_mandos._tcp",
2553
protocol = protocol, bus = bus)
2554
if server_settings["interface"]:
2555
service.interface = (if_nametoindex
2556
(str(server_settings["interface"])))
2498
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2499
service = AvahiServiceToSyslog(name =
2500
server_settings["servicename"],
2501
servicetype = "_mandos._tcp",
2502
protocol = protocol, bus = bus)
2503
if server_settings["interface"]:
2504
service.interface = (if_nametoindex
2505
(str(server_settings["interface"])))
2558
2507
global multiprocessing_manager
2559
2508
multiprocessing_manager = multiprocessing.Manager()
2666
2603
# Create all client objects
2667
2604
for client_name, client in clients_data.iteritems():
2668
2605
tcp_server.clients[client_name] = client_class(
2669
name = client_name, settings = client,
2670
server_settings = server_settings)
2606
name = client_name, settings = client)
2672
2608
if not tcp_server.clients:
2673
2609
logger.warning("No clients defined")
2839
2773
tcp_server.server_activate()
2841
2775
# Find out what port we got
2843
service.port = tcp_server.socket.getsockname()[1]
2776
service.port = tcp_server.socket.getsockname()[1]
2845
2778
logger.info("Now listening on address %r, port %d,"
2846
2779
" flowinfo %d, scope_id %d",
2852
2785
#service.interface = tcp_server.socket.getsockname()[3]
2856
# From the Avahi example code
2859
except dbus.exceptions.DBusException as error:
2860
logger.critical("D-Bus Exception", exc_info=error)
2863
# End of Avahi example code
2788
# From the Avahi example code
2791
except dbus.exceptions.DBusException as error:
2792
logger.critical("D-Bus Exception", exc_info=error)
2795
# End of Avahi example code
2865
2797
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2866
2798
lambda *args, **kwargs: