40
9
import gnutls.crypto
41
10
import gnutls.connection
42
11
import gnutls.errors
43
import gnutls.library.functions
44
import gnutls.library.constants
45
import gnutls.library.types
46
12
import ConfigParser
56
import logging.handlers
61
from dbus.mainloop.glib import DBusGMainLoop
66
logger = logging.Logger('mandos')
67
syslogger = logging.handlers.SysLogHandler\
68
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
70
syslogger.setFormatter(logging.Formatter\
71
('Mandos: %(levelname)s: %(message)s'))
72
logger.addHandler(syslogger)
75
class AvahiError(Exception):
76
def __init__(self, value):
79
return repr(self.value)
81
class AvahiServiceError(AvahiError):
84
class AvahiGroupError(AvahiError):
88
class AvahiService(object):
89
"""An Avahi (Zeroconf) service.
91
interface: integer; avahi.IF_UNSPEC or an interface index.
92
Used to optionally bind to the specified interface.
93
name: string; Example: 'Mandos'
94
type: string; Example: '_mandos._tcp'.
95
See <http://www.dns-sd.org/ServiceTypes.html>
96
port: integer; what port to announce
97
TXT: list of strings; TXT record for the service
98
domain: string; Domain to publish on, default to .local if empty.
99
host: string; Host to publish records for, default is localhost
100
max_renames: integer; maximum number of renames
101
rename_count: integer; counter so we only rename after collisions
102
a sensible number of times
104
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
105
type = None, port = None, TXT = None, domain = "",
106
host = "", max_renames = 32768):
107
self.interface = interface
117
self.rename_count = 0
119
"""Derived from the Avahi example code"""
120
if self.rename_count >= self.max_renames:
121
logger.critical(u"No suitable service name found after %i"
122
u" retries, exiting.", rename_count)
123
raise AvahiServiceError("Too many renames")
124
name = server.GetAlternativeServiceName(name)
125
logger.error(u"Changing name to %r ...", name)
126
syslogger.setFormatter(logging.Formatter\
127
('Mandos (%s): %%(levelname)s:'
128
' %%(message)s' % name))
131
self.rename_count += 1
133
"""Derived from the Avahi example code"""
134
if group is not None:
137
"""Derived from the Avahi example code"""
140
group = dbus.Interface\
141
(bus.get_object(avahi.DBUS_NAME,
142
server.EntryGroupNew()),
143
avahi.DBUS_INTERFACE_ENTRY_GROUP)
144
group.connect_to_signal('StateChanged',
145
entry_group_state_changed)
146
logger.debug(u"Adding service '%s' of type '%s' ...",
147
service.name, service.type)
149
self.interface, # interface
150
avahi.PROTO_INET6, # protocol
151
dbus.UInt32(0), # flags
152
self.name, self.type,
153
self.domain, self.host,
154
dbus.UInt16(self.port),
155
avahi.string_array_to_txt_array(self.TXT))
158
# From the Avahi example code:
159
group = None # our entry group
160
# End of Avahi example code
163
16
class Client(object):
164
"""A representation of a client host served by this server.
166
name: string; from the config file, used in log messages
167
fingerprint: string (40 or 32 hexadecimal digits); used to
168
uniquely identify the client
169
secret: bytestring; sent verbatim (over TLS) to client
170
host: string; available for use by the checker command
171
created: datetime.datetime(); object creation, not client host
172
last_checked_ok: datetime.datetime() or None if not yet checked OK
173
timeout: datetime.timedelta(); How long from last_checked_ok
174
until this client is invalid
175
interval: datetime.timedelta(); How often to start a new checker
176
stop_hook: If set, called by stop() as stop_hook(self)
177
checker: subprocess.Popen(); a running checker process used
178
to see if the client lives.
179
'None' if no process is running.
180
checker_initiator_tag: a gobject event source tag, or None
181
stop_initiator_tag: - '' -
182
checker_callback_tag: - '' -
183
checker_command: string; External command which is run to check if
184
client lives. %() expansions are done at
185
runtime with vars(self) as dict, so that for
186
instance %(name)s can be used in the command.
188
_timeout: Real variable for 'timeout'
189
_interval: Real variable for 'interval'
190
_timeout_milliseconds: Used when calling gobject.timeout_add()
191
_interval_milliseconds: - '' -
193
def _set_timeout(self, timeout):
194
"Setter function for 'timeout' attribute"
195
self._timeout = timeout
196
self._timeout_milliseconds = ((self.timeout.days
197
* 24 * 60 * 60 * 1000)
198
+ (self.timeout.seconds * 1000)
199
+ (self.timeout.microseconds
201
timeout = property(lambda self: self._timeout,
204
def _set_interval(self, interval):
205
"Setter function for 'interval' attribute"
206
self._interval = interval
207
self._interval_milliseconds = ((self.interval.days
208
* 24 * 60 * 60 * 1000)
209
+ (self.interval.seconds
211
+ (self.interval.microseconds
213
interval = property(lambda self: self._interval,
216
def __init__(self, name = None, stop_hook=None, config={}):
217
"""Note: the 'checker' key in 'config' sets the
218
'checker_command' attribute and *not* the 'checker'
17
def __init__(self, name=None, options=None, dn=None,
18
password=None, passfile=None, fqdn=None,
19
timeout=None, interval=-1):
221
logger.debug(u"Creating client %r", self.name)
222
# Uppercase and remove spaces from fingerprint for later
223
# comparison purposes with return value from the fingerprint()
225
self.fingerprint = config["fingerprint"].upper()\
227
logger.debug(u" Fingerprint: %s", self.fingerprint)
228
if "secret" in config:
229
self.secret = config["secret"].decode(u"base64")
230
elif "secfile" in config:
231
sf = open(config["secfile"])
232
self.secret = sf.read()
23
self.password = password
25
self.password = open(passfile).readall()
235
raise TypeError(u"No secret or secfile for client %s"
237
self.host = config.get("host", "")
27
print "No Password or Passfile in client config file"
28
# raise RuntimeError XXX
29
self.password = "gazonk"
238
31
self.created = datetime.datetime.now()
239
self.last_checked_ok = None
240
self.timeout = string_to_delta(config["timeout"])
241
self.interval = string_to_delta(config["interval"])
242
self.stop_hook = stop_hook
244
self.checker_initiator_tag = None
245
self.stop_initiator_tag = None
246
self.checker_callback_tag = None
247
self.check_command = config["checker"]
249
"""Start this client's checker and timeout hooks"""
250
# Schedule a new checker to be started an 'interval' from now,
251
# and every interval from then on.
252
self.checker_initiator_tag = gobject.timeout_add\
253
(self._interval_milliseconds,
255
# Also start a new checker *right now*.
257
# Schedule a stop() when 'timeout' has passed
258
self.stop_initiator_tag = gobject.timeout_add\
259
(self._timeout_milliseconds,
263
The possibility that a client might be restarted is left open,
264
but not currently used."""
265
# If this client doesn't have a secret, it is already stopped.
266
if hasattr(self, "secret") and self.secret:
267
logger.info(u"Stopping client %s", self.name)
271
if getattr(self, "stop_initiator_tag", False):
272
gobject.source_remove(self.stop_initiator_tag)
273
self.stop_initiator_tag = None
274
if getattr(self, "checker_initiator_tag", False):
275
gobject.source_remove(self.checker_initiator_tag)
276
self.checker_initiator_tag = None
280
# Do not run this again if called by a gobject.timeout_add
283
self.stop_hook = None
285
def checker_callback(self, pid, condition):
286
"""The checker has completed, so take appropriate actions."""
287
now = datetime.datetime.now()
288
self.checker_callback_tag = None
290
if os.WIFEXITED(condition) \
291
and (os.WEXITSTATUS(condition) == 0):
292
logger.info(u"Checker for %(name)s succeeded",
294
self.last_checked_ok = now
295
gobject.source_remove(self.stop_initiator_tag)
296
self.stop_initiator_tag = gobject.timeout_add\
297
(self._timeout_milliseconds,
299
elif not os.WIFEXITED(condition):
300
logger.warning(u"Checker for %(name)s crashed?",
303
logger.info(u"Checker for %(name)s failed",
305
def start_checker(self):
306
"""Start a new checker subprocess if one is not running.
307
If a checker already exists, leave it running and do
309
# The reason for not killing a running checker is that if we
310
# did that, then if a checker (for some reason) started
311
# running slowly and taking more than 'interval' time, the
312
# client would inevitably timeout, since no checker would get
313
# a chance to run to completion. If we instead leave running
314
# checkers alone, the checker would have to take more time
315
# than 'timeout' for the client to be declared invalid, which
316
# is as it should be.
317
if self.checker is None:
319
# In case check_command has exactly one % operator
320
command = self.check_command % self.host
322
# Escape attributes for the shell
323
escaped_attrs = dict((key, re.escape(str(val)))
325
vars(self).iteritems())
34
timeout = options.timeout
35
self.timeout = timeout
37
interval = options.interval
38
self.interval = interval
39
self.next_check = datetime.datetime.now()
42
class server_metaclass(type):
43
"Common behavior for the UDP and TCP server classes"
44
def __new__(cls, name, bases, attrs):
45
attrs["address_family"] = socket.AF_INET6
46
attrs["allow_reuse_address"] = True
47
def server_bind(self):
48
if self.options.interface:
49
if not hasattr(socket, "SO_BINDTODEVICE"):
50
# From /usr/include/asm-i486/socket.h
51
socket.SO_BINDTODEVICE = 25
327
command = self.check_command % escaped_attrs
328
except TypeError, error:
329
logger.error(u'Could not format string "%s":'
330
u' %s', self.check_command, error)
331
return True # Try again later
333
logger.info(u"Starting checker %r for %s",
335
self.checker = subprocess.Popen(command,
338
self.checker_callback_tag = gobject.child_watch_add\
340
self.checker_callback)
341
except subprocess.OSError, error:
342
logger.error(u"Failed to start subprocess: %s",
344
# Re-run this periodically if run by gobject.timeout_add
346
def stop_checker(self):
347
"""Force the checker process, if any, to stop."""
348
if self.checker_callback_tag:
349
gobject.source_remove(self.checker_callback_tag)
350
self.checker_callback_tag = None
351
if getattr(self, "checker", None) is None:
353
logger.debug(u"Stopping checker for %(name)s", vars(self))
355
os.kill(self.checker.pid, signal.SIGTERM)
357
#if self.checker.poll() is None:
358
# os.kill(self.checker.pid, signal.SIGKILL)
359
except OSError, error:
360
if error.errno != errno.ESRCH: # No such process
363
def still_valid(self):
364
"""Has the timeout not yet passed for this client?"""
365
now = datetime.datetime.now()
366
if self.last_checked_ok is None:
367
return now < (self.created + self.timeout)
369
return now < (self.last_checked_ok + self.timeout)
372
def peer_certificate(session):
373
"Return the peer's OpenPGP certificate as a bytestring"
374
# If not an OpenPGP certificate...
375
if gnutls.library.functions.gnutls_certificate_type_get\
376
(session._c_object) \
377
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP:
378
# ...do the normal thing
379
return session.peer_certificate
380
list_size = ctypes.c_uint()
381
cert_list = gnutls.library.functions.gnutls_certificate_get_peers\
382
(session._c_object, ctypes.byref(list_size))
383
if list_size.value == 0:
386
return ctypes.string_at(cert.data, cert.size)
389
def fingerprint(openpgp):
390
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
391
# New GnuTLS "datum" with the OpenPGP public key
392
datum = gnutls.library.types.gnutls_datum_t\
393
(ctypes.cast(ctypes.c_char_p(openpgp),
394
ctypes.POINTER(ctypes.c_ubyte)),
395
ctypes.c_uint(len(openpgp)))
396
# New empty GnuTLS certificate
397
crt = gnutls.library.types.gnutls_openpgp_crt_t()
398
gnutls.library.functions.gnutls_openpgp_crt_init\
400
# Import the OpenPGP public key into the certificate
401
gnutls.library.functions.gnutls_openpgp_crt_import\
402
(crt, ctypes.byref(datum),
403
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
404
# New buffer for the fingerprint
405
buffer = ctypes.create_string_buffer(20)
406
buffer_length = ctypes.c_size_t()
407
# Get the fingerprint from the certificate into the buffer
408
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
409
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
410
# Deinit the certificate
411
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
412
# Convert the buffer to a Python bytestring
413
fpr = ctypes.string_at(buffer, buffer_length.value)
414
# Convert the bytestring to hexadecimal notation
415
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
53
self.socket.setsockopt(socket.SOL_SOCKET,
54
socket.SO_BINDTODEVICE,
55
self.options.interface)
56
except socket.error, error:
57
if error[0] == errno.EPERM:
58
print "Warning: No permission to bind to interface", \
59
self.options.interface
62
return super(type(self), self).server_bind()
63
attrs["server_bind"] = server_bind
64
def init(self, *args, **kwargs):
65
if "options" in kwargs:
66
self.options = kwargs["options"]
68
if "clients" in kwargs:
69
self.clients = kwargs["clients"]
71
if "credentials" in kwargs:
72
self.credentials = kwargs["credentials"]
73
del kwargs["credentials"]
74
return super(type(self), self).__init__(*args, **kwargs)
75
attrs["__init__"] = init
76
return type.__new__(cls, name, bases, attrs)
79
class udp_handler(SocketServer.DatagramRequestHandler, object):
81
self.wfile.write("Polo")
82
print "UDP request answered"
85
class IPv6_UDPServer(SocketServer.UDPServer, object):
86
__metaclass__ = server_metaclass
87
def verify_request(self, request, client_address):
88
print "UDP request came"
89
return request[0] == "Marco"
419
92
class tcp_handler(SocketServer.BaseRequestHandler, object):
420
"""A TCP request handler class.
421
Instantiated by IPv6_TCPServer for each request to handle it.
422
Note: This will run in its own forked process."""
425
logger.info(u"TCP connection from: %s",
426
unicode(self.client_address))
427
session = gnutls.connection.ClientSession\
428
(self.request, gnutls.connection.X509Credentials())
430
line = self.request.makefile().readline()
431
logger.debug(u"Protocol version: %r", line)
433
if int(line.strip().split()[0]) > 1:
435
except (ValueError, IndexError, RuntimeError), error:
436
logger.error(u"Unknown protocol version: %s", error)
439
# Note: gnutls.connection.X509Credentials is really a generic
440
# GnuTLS certificate credentials object so long as no X.509
441
# keys are added to it. Therefore, we can use it here despite
442
# using OpenPGP certificates.
444
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
445
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
447
priority = "NORMAL" # Fallback default, since this
449
if self.server.settings["priority"]:
450
priority = self.server.settings["priority"]
451
gnutls.library.functions.gnutls_priority_set_direct\
452
(session._c_object, priority, None);
456
except gnutls.errors.GNUTLSError, error:
457
logger.warning(u"Handshake failed: %s", error)
458
# Do not run session.bye() here: the session is not
459
# established. Just abandon the request.
462
fpr = fingerprint(peer_certificate(session))
463
except (TypeError, gnutls.errors.GNUTLSError), error:
464
logger.warning(u"Bad certificate: %s", error)
467
logger.debug(u"Fingerprint: %s", fpr)
469
for c in self.server.clients:
470
if c.fingerprint == fpr:
474
logger.warning(u"Client not found for fingerprint: %s",
478
# Have to check if client.still_valid(), since it is possible
479
# that the client timed out while establishing the GnuTLS
481
if not client.still_valid():
482
logger.warning(u"Client %(name)s is invalid",
487
while sent_size < len(client.secret):
488
sent = session.send(client.secret[sent_size:])
489
logger.debug(u"Sent: %d, remaining: %d",
490
sent, len(client.secret)
491
- (sent_size + sent))
94
print "TCP request came"
95
print "Request:", self.request
96
print "Client Address:", self.client_address
97
print "Server:", self.server
98
session = gnutls.connection.ServerSession(self.request,
99
self.server.credentials)
101
if session.peer_certificate:
102
print "DN:", session.peer_certificate.subject
104
session.verify_peer()
105
except gnutls.errors.CertificateError, error:
106
print "Verify failed", error
110
session.send(dict((client.dn, client.password)
111
for client in self.server.clients)
112
[session.peer_certificate.subject])
114
session.send("gazonk")
496
119
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
497
"""IPv6 TCP server. Accepts 'None' as address and/or port.
499
settings: Server settings
500
clients: Set() of Client objects
502
address_family = socket.AF_INET6
503
def __init__(self, *args, **kwargs):
504
if "settings" in kwargs:
505
self.settings = kwargs["settings"]
506
del kwargs["settings"]
507
if "clients" in kwargs:
508
self.clients = kwargs["clients"]
509
del kwargs["clients"]
510
return super(type(self), self).__init__(*args, **kwargs)
511
def server_bind(self):
512
"""This overrides the normal server_bind() function
513
to bind to an interface if one was specified, and also NOT to
514
bind to an address or port if they were not specified."""
515
if self.settings["interface"]:
516
# 25 is from /usr/include/asm-i486/socket.h
517
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
519
self.socket.setsockopt(socket.SOL_SOCKET,
521
self.settings["interface"])
522
except socket.error, error:
523
if error[0] == errno.EPERM:
524
logger.error(u"No permission to"
525
u" bind to interface %s",
526
self.settings["interface"])
529
# Only bind(2) the socket if we really need to.
530
if self.server_address[0] or self.server_address[1]:
531
if not self.server_address[0]:
533
self.server_address = (in6addr_any,
534
self.server_address[1])
535
elif not self.server_address[1]:
536
self.server_address = (self.server_address[0],
538
# if self.settings["interface"]:
539
# self.server_address = (self.server_address[0],
545
return super(type(self), self).server_bind()
120
__metaclass__ = server_metaclass
121
request_queue_size = 1024
548
128
def string_to_delta(interval):
549
129
"""Parse a string and return a datetime.timedelta
582
def server_state_changed(state):
583
"""Derived from the Avahi example code"""
584
if state == avahi.SERVER_COLLISION:
585
logger.error(u"Server name collision")
587
elif state == avahi.SERVER_RUNNING:
591
def entry_group_state_changed(state, error):
592
"""Derived from the Avahi example code"""
593
logger.debug(u"state change: %i", state)
595
if state == avahi.ENTRY_GROUP_ESTABLISHED:
596
logger.debug(u"Service established.")
597
elif state == avahi.ENTRY_GROUP_COLLISION:
598
logger.warning(u"Service name collision.")
600
elif state == avahi.ENTRY_GROUP_FAILURE:
601
logger.critical(u"Error in group state changed %s",
603
raise AvahiGroupError("State changed: %s", str(error))
605
def if_nametoindex(interface):
606
"""Call the C function if_nametoindex(), or equivalent"""
607
global if_nametoindex
609
if "ctypes.util" not in sys.modules:
611
if_nametoindex = ctypes.cdll.LoadLibrary\
612
(ctypes.util.find_library("c")).if_nametoindex
613
except (OSError, AttributeError):
614
if "struct" not in sys.modules:
616
if "fcntl" not in sys.modules:
618
def if_nametoindex(interface):
619
"Get an interface index the hard way, i.e. using fcntl()"
620
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
622
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
623
struct.pack("16s16x", interface))
625
interface_index = struct.unpack("I", ifreq[16:20])[0]
626
return interface_index
627
return if_nametoindex(interface)
630
def daemon(nochdir = False, noclose = False):
631
"""See daemon(3). Standard BSD Unix function.
632
This should really exist as os.daemon, but it doesn't (yet)."""
641
# Close all standard open file descriptors
642
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
643
if not stat.S_ISCHR(os.fstat(null).st_mode):
644
raise OSError(errno.ENODEV,
645
"/dev/null not a character device")
646
os.dup2(null, sys.stdin.fileno())
647
os.dup2(null, sys.stdout.fileno())
648
os.dup2(null, sys.stderr.fileno())
654
global main_loop_started
655
main_loop_started = False
657
parser = OptionParser(version = "Mandos server %s" % version)
162
parser = OptionParser()
658
163
parser.add_option("-i", "--interface", type="string",
659
metavar="IF", help="Bind to interface IF")
660
parser.add_option("-a", "--address", type="string",
661
help="Address to listen for requests on")
662
parser.add_option("-p", "--port", type="int",
164
default="eth0", metavar="IF",
165
help="Interface to bind to")
166
parser.add_option("--cert", type="string", default="cert.pem",
168
help="Public key certificate to use")
169
parser.add_option("--key", type="string", default="key.pem",
171
help="Private key to use")
172
parser.add_option("--ca", type="string", default="ca.pem",
174
help="Certificate Authority certificate to use")
175
parser.add_option("--crl", type="string", default="crl.pem",
177
help="Certificate Revokation List to use")
178
parser.add_option("-p", "--port", type="int", default=49001,
663
179
help="Port number to receive requests on")
180
parser.add_option("--dh", type="int", metavar="BITS",
181
help="DH group to use")
182
parser.add_option("-t", "--timeout", type="string", # Parsed later
184
help="Amount of downtime allowed for clients")
185
parser.add_option("--interval", type="string", # Parsed later
187
help="How often to check that a client is up")
664
188
parser.add_option("--check", action="store_true", default=False,
665
189
help="Run self-test")
666
parser.add_option("--debug", action="store_true",
667
help="Debug mode; run in foreground and log to"
669
parser.add_option("--priority", type="string", help="GnuTLS"
670
" priority string (see GnuTLS documentation)")
671
parser.add_option("--servicename", type="string", metavar="NAME",
672
help="Zeroconf service name")
673
parser.add_option("--configdir", type="string",
674
default="/etc/mandos", metavar="DIR",
675
help="Directory to search for configuration"
677
190
(options, args) = parser.parse_args()
679
192
if options.check:
681
194
doctest.testmod()
684
# Default values for config file for server-global settings
685
server_defaults = { "interface": "",
690
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
691
"servicename": "Mandos",
694
# Parse config file for server-global settings
695
server_config = ConfigParser.SafeConfigParser(server_defaults)
697
server_config.read(os.path.join(options.configdir, "mandos.conf"))
698
server_section = "server"
699
# Convert the SafeConfigParser object to a dict
700
server_settings = dict(server_config.items(server_section))
701
# Use getboolean on the boolean config option
702
server_settings["debug"] = server_config.getboolean\
703
(server_section, "debug")
706
# Override the settings from the config file with command line
708
for option in ("interface", "address", "port", "debug",
709
"priority", "servicename", "configdir"):
710
value = getattr(options, option)
711
if value is not None:
712
server_settings[option] = value
714
# Now we have our good server settings in "server_settings"
716
debug = server_settings["debug"]
719
syslogger.setLevel(logging.WARNING)
721
if server_settings["servicename"] != "Mandos":
722
syslogger.setFormatter(logging.Formatter\
723
('Mandos (%s): %%(levelname)s:'
725
% server_settings["servicename"]))
727
# Parse config file with clients
728
client_defaults = { "timeout": "1h",
730
"checker": "fping -q -- %%(host)s",
732
client_config = ConfigParser.SafeConfigParser(client_defaults)
733
client_config.read(os.path.join(server_settings["configdir"],
737
service = AvahiService(name = server_settings["servicename"],
738
type = "_mandos._tcp", );
739
if server_settings["interface"]:
740
service.interface = if_nametoindex(server_settings["interface"])
745
# From the Avahi example code
746
DBusGMainLoop(set_as_default=True )
747
main_loop = gobject.MainLoop()
748
bus = dbus.SystemBus()
749
server = dbus.Interface(
750
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
751
avahi.DBUS_INTERFACE_SERVER )
752
# End of Avahi example code
755
console = logging.StreamHandler()
756
# console.setLevel(logging.DEBUG)
757
console.setFormatter(logging.Formatter\
758
('%(levelname)s: %(message)s'))
759
logger.addHandler(console)
763
def remove_from_clients(client):
764
clients.remove(client)
766
logger.critical(u"No clients left, exiting")
769
clients.update(Set(Client(name = section,
770
stop_hook = remove_from_clients,
772
= dict(client_config.items(section)))
773
for section in client_config.sections()))
775
logger.critical(u"No clients defined")
781
pidfilename = "/var/run/mandos/mandos.pid"
784
pidfile = open(pidfilename, "w")
785
pidfile.write(str(pid) + "\n")
789
logger.error(u"Could not write %s file with PID %d",
790
pidfilename, os.getpid())
793
"Cleanup function; run on exit"
795
# From the Avahi example code
796
if not group is None:
799
# End of Avahi example code
802
client = clients.pop()
803
client.stop_hook = None
806
atexit.register(cleanup)
809
signal.signal(signal.SIGINT, signal.SIG_IGN)
810
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
811
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
813
for client in clients:
816
tcp_server = IPv6_TCPServer((server_settings["address"],
817
server_settings["port"]),
197
# Parse the time arguments
199
options.timeout = string_to_delta(options.timeout)
201
parser.error("option --timeout: Unparseable time")
204
options.interval = string_to_delta(options.interval)
206
parser.error("option --interval: Unparseable time")
208
cert = gnutls.crypto.X509Certificate(open(options.cert).read())
209
key = gnutls.crypto.X509PrivateKey(open(options.key).read())
210
ca = gnutls.crypto.X509Certificate(open(options.ca).read())
211
crl = gnutls.crypto.X509CRL(open(options.crl).read())
212
cred = gnutls.connection.X509Credentials(cert, key, [ca], [crl])
216
client_config_object = ConfigParser.SafeConfigParser(defaults)
217
client_config_object.read("mandos-clients.conf")
218
clients = [Client(name=section, options=options,
219
**(dict(client_config_object.items(section))))
220
for section in client_config_object.sections()]
222
udp_server = IPv6_UDPServer((in6addr_any, options.port),
226
tcp_server = IPv6_TCPServer((in6addr_any, options.port),
819
settings=server_settings,
821
# Find out what port we got
822
service.port = tcp_server.socket.getsockname()[1]
823
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
824
u" scope_id %d" % tcp_server.socket.getsockname())
826
#service.interface = tcp_server.socket.getsockname()[3]
829
# From the Avahi example code
830
server.connect_to_signal("StateChanged", server_state_changed)
832
server_state_changed(server.GetState())
833
except dbus.exceptions.DBusException, error:
834
logger.critical(u"DBusException: %s", error)
836
# End of Avahi example code
838
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
839
lambda *args, **kwargs:
840
tcp_server.handle_request\
841
(*args[2:], **kwargs) or True)
843
logger.debug(u"Starting main loop")
844
main_loop_started = True
846
except AvahiError, error:
847
logger.critical(u"AvahiError: %s" + unicode(error))
849
except KeyboardInterrupt:
853
if __name__ == '__main__':
233
in_, out, err = select.select((udp_server,
236
server.handle_request()
239
if __name__ == "__main__":