240
196
.replace(b"\n", b"\\n")
241
197
.replace(b"\0", b"\\x00"))
244
200
def encrypt(self, data, password):
245
201
passphrase = self.password_encode(password)
246
202
with tempfile.NamedTemporaryFile(
247
203
dir=self.tempdir) as passfile:
248
204
passfile.write(passphrase)
250
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
251
207
'--passphrase-file',
253
209
+ self.gnupgargs,
254
stdin=subprocess.PIPE,
255
stdout=subprocess.PIPE,
256
stderr=subprocess.PIPE)
257
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
258
214
if proc.returncode != 0:
259
215
raise PGPError(err)
260
216
return ciphertext
262
218
def decrypt(self, data, password):
263
219
passphrase = self.password_encode(password)
264
220
with tempfile.NamedTemporaryFile(
265
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
266
222
passfile.write(passphrase)
268
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
269
225
'--passphrase-file',
271
227
+ self.gnupgargs,
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
276
232
if proc.returncode != 0:
277
233
raise PGPError(err)
278
234
return decrypted_plaintext
281
# Pretend that we have an Avahi module
283
"""This isn't so much a class as it is a module-like namespace."""
284
IF_UNSPEC = -1 # avahi-common/address.h
285
PROTO_UNSPEC = -1 # avahi-common/address.h
286
PROTO_INET = 0 # avahi-common/address.h
287
PROTO_INET6 = 1 # avahi-common/address.h
288
DBUS_NAME = "org.freedesktop.Avahi"
289
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
290
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
291
DBUS_PATH_SERVER = "/"
294
def string_array_to_txt_array(t):
295
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
296
for s in t), signature="ay")
297
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
299
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
300
SERVER_INVALID = 0 # avahi-common/defs.h
301
SERVER_REGISTERING = 1 # avahi-common/defs.h
302
SERVER_RUNNING = 2 # avahi-common/defs.h
303
SERVER_COLLISION = 3 # avahi-common/defs.h
304
SERVER_FAILURE = 4 # avahi-common/defs.h
307
237
class AvahiError(Exception):
308
238
def __init__(self, value, *args, **kwargs):
309
239
self.value = value
499
429
class AvahiServiceToSyslog(AvahiService):
500
430
def rename(self, *args, **kwargs):
501
431
"""Add the new name to the syslog messages"""
502
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
503
433
syslogger.setFormatter(logging.Formatter(
504
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
505
435
.format(self.name)))
509
# Pretend that we have a GnuTLS module
510
class gnutls(object):
511
"""This isn't so much a class as it is a module-like namespace."""
513
library = ctypes.util.find_library("gnutls")
515
library = ctypes.util.find_library("gnutls-deb0")
516
_library = ctypes.cdll.LoadLibrary(library)
519
# Unless otherwise indicated, the constants and types below are
520
# all from the gnutls/gnutls.h C header file.
531
E_NO_CERTIFICATE_FOUND = -49
536
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
540
class session_int(ctypes.Structure):
542
session_t = ctypes.POINTER(session_int)
544
class certificate_credentials_st(ctypes.Structure):
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
554
class openpgp_crt_int(ctypes.Structure):
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
564
class Error(Exception):
565
def __init__(self, message=None, code=None, args=()):
566
# Default usage is by a message string, but if a return
567
# code is passed, convert it to a string with
570
if message is None and code is not None:
571
message = gnutls.strerror(code)
572
return super(gnutls.Error, self).__init__(
575
class CertificateSecurityError(Error):
579
class Credentials(object):
581
self._c_object = gnutls.certificate_credentials_t()
582
gnutls.certificate_allocate_credentials(
583
ctypes.byref(self._c_object))
584
self.type = gnutls.CRD_CERTIFICATE
587
gnutls.certificate_free_credentials(self._c_object)
589
class ClientSession(object):
590
def __init__(self, socket, credentials=None):
591
self._c_object = gnutls.session_t()
592
gnutls_flags = gnutls.CLIENT
593
if gnutls.check_version(b"3.5.6"):
594
gnutls_flags |= gnutls.NO_TICKETS
596
gnutls_flags |= gnutls.ENABLE_RAWPK
597
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
599
gnutls.set_default_priority(self._c_object)
600
gnutls.transport_set_ptr(self._c_object, socket.fileno())
601
gnutls.handshake_set_private_extensions(self._c_object,
604
if credentials is None:
605
credentials = gnutls.Credentials()
606
gnutls.credentials_set(self._c_object, credentials.type,
607
ctypes.cast(credentials._c_object,
609
self.credentials = credentials
612
gnutls.deinit(self._c_object)
615
return gnutls.handshake(self._c_object)
617
def send(self, data):
621
data_len -= gnutls.record_send(self._c_object,
626
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
628
# Error handling functions
629
def _error_code(result):
630
"""A function to raise exceptions on errors, suitable
631
for the 'restype' attribute on ctypes functions"""
634
if result == gnutls.E_NO_CERTIFICATE_FOUND:
635
raise gnutls.CertificateSecurityError(code=result)
636
raise gnutls.Error(code=result)
638
def _retry_on_error(result, func, arguments):
639
"""A function to retry on some errors, suitable
640
for the 'errcheck' attribute on ctypes functions"""
642
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
643
return _error_code(result)
644
result = func(*arguments)
647
# Unless otherwise indicated, the function declarations below are
648
# all from the gnutls/gnutls.h C header file.
651
priority_set_direct = _library.gnutls_priority_set_direct
652
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
653
ctypes.POINTER(ctypes.c_char_p)]
654
priority_set_direct.restype = _error_code
656
init = _library.gnutls_init
657
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
658
init.restype = _error_code
660
set_default_priority = _library.gnutls_set_default_priority
661
set_default_priority.argtypes = [session_t]
662
set_default_priority.restype = _error_code
664
record_send = _library.gnutls_record_send
665
record_send.argtypes = [session_t, ctypes.c_void_p,
667
record_send.restype = ctypes.c_ssize_t
668
record_send.errcheck = _retry_on_error
670
certificate_allocate_credentials = (
671
_library.gnutls_certificate_allocate_credentials)
672
certificate_allocate_credentials.argtypes = [
673
ctypes.POINTER(certificate_credentials_t)]
674
certificate_allocate_credentials.restype = _error_code
676
certificate_free_credentials = (
677
_library.gnutls_certificate_free_credentials)
678
certificate_free_credentials.argtypes = [
679
certificate_credentials_t]
680
certificate_free_credentials.restype = None
682
handshake_set_private_extensions = (
683
_library.gnutls_handshake_set_private_extensions)
684
handshake_set_private_extensions.argtypes = [session_t,
686
handshake_set_private_extensions.restype = None
688
credentials_set = _library.gnutls_credentials_set
689
credentials_set.argtypes = [session_t, credentials_type_t,
691
credentials_set.restype = _error_code
693
strerror = _library.gnutls_strerror
694
strerror.argtypes = [ctypes.c_int]
695
strerror.restype = ctypes.c_char_p
697
certificate_type_get = _library.gnutls_certificate_type_get
698
certificate_type_get.argtypes = [session_t]
699
certificate_type_get.restype = _error_code
701
certificate_get_peers = _library.gnutls_certificate_get_peers
702
certificate_get_peers.argtypes = [session_t,
703
ctypes.POINTER(ctypes.c_uint)]
704
certificate_get_peers.restype = ctypes.POINTER(datum_t)
706
global_set_log_level = _library.gnutls_global_set_log_level
707
global_set_log_level.argtypes = [ctypes.c_int]
708
global_set_log_level.restype = None
710
global_set_log_function = _library.gnutls_global_set_log_function
711
global_set_log_function.argtypes = [log_func]
712
global_set_log_function.restype = None
714
deinit = _library.gnutls_deinit
715
deinit.argtypes = [session_t]
716
deinit.restype = None
718
handshake = _library.gnutls_handshake
719
handshake.argtypes = [session_t]
720
handshake.restype = _error_code
721
handshake.errcheck = _retry_on_error
723
transport_set_ptr = _library.gnutls_transport_set_ptr
724
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
725
transport_set_ptr.restype = None
727
bye = _library.gnutls_bye
728
bye.argtypes = [session_t, close_request_t]
729
bye.restype = _error_code
730
bye.errcheck = _retry_on_error
732
check_version = _library.gnutls_check_version
733
check_version.argtypes = [ctypes.c_char_p]
734
check_version.restype = ctypes.c_char_p
736
_need_version = b"3.3.0"
737
if check_version(_need_version) is None:
738
raise self.Error("Needs GnuTLS {} or later"
739
.format(_need_version))
741
_tls_rawpk_version = b"3.6.6"
742
has_rawpk = bool(check_version(_tls_rawpk_version))
746
class pubkey_st(ctypes.Structure):
748
pubkey_t = ctypes.POINTER(pubkey_st)
750
x509_crt_fmt_t = ctypes.c_int
752
# All the function declarations below are from gnutls/abstract.h
753
pubkey_init = _library.gnutls_pubkey_init
754
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
755
pubkey_init.restype = _error_code
757
pubkey_import = _library.gnutls_pubkey_import
758
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
760
pubkey_import.restype = _error_code
762
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
763
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
764
ctypes.POINTER(ctypes.c_ubyte),
765
ctypes.POINTER(ctypes.c_size_t)]
766
pubkey_get_key_id.restype = _error_code
768
pubkey_deinit = _library.gnutls_pubkey_deinit
769
pubkey_deinit.argtypes = [pubkey_t]
770
pubkey_deinit.restype = None
772
# All the function declarations below are from gnutls/openpgp.h
774
openpgp_crt_init = _library.gnutls_openpgp_crt_init
775
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
776
openpgp_crt_init.restype = _error_code
778
openpgp_crt_import = _library.gnutls_openpgp_crt_import
779
openpgp_crt_import.argtypes = [openpgp_crt_t,
780
ctypes.POINTER(datum_t),
782
openpgp_crt_import.restype = _error_code
784
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
785
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
786
ctypes.POINTER(ctypes.c_uint)]
787
openpgp_crt_verify_self.restype = _error_code
789
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
790
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
791
openpgp_crt_deinit.restype = None
793
openpgp_crt_get_fingerprint = (
794
_library.gnutls_openpgp_crt_get_fingerprint)
795
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
799
openpgp_crt_get_fingerprint.restype = _error_code
801
if check_version(b"3.6.4"):
802
certificate_type_get2 = _library.gnutls_certificate_type_get2
803
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
804
certificate_type_get2.restype = _error_code
806
# Remove non-public functions
807
del _error_code, _retry_on_error
810
438
def call_pipe(connection, # : multiprocessing.Connection
811
439
func, *args, **kwargs):
812
440
"""This function is meant to be called by multiprocessing.Process
814
442
This function runs func(*args, **kwargs), and writes the resulting
815
443
return value on the provided multiprocessing.Connection.
817
445
connection.send(func(*args, **kwargs))
818
446
connection.close()
821
448
class Client(object):
822
449
"""A representation of a client host served by this server.
825
452
approved: bool(); 'None' if not yet approved/disapproved
826
453
approval_delay: datetime.timedelta(); Time to wait for approval
827
454
approval_duration: datetime.timedelta(); Duration of one approval
828
checker: multiprocessing.Process(); a running checker process used
829
to see if the client lives. 'None' if no process is
831
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
832
459
checker_command: string; External command which is run to check
833
460
if client lives. %() expansions are done at
834
461
runtime with vars(self) as dict, so that for
835
462
instance %(name)s can be used in the command.
836
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
837
464
created: datetime.datetime(); (UTC) object creation
838
465
client_structure: Object describing what attributes a client has
839
466
and is used for storing the client at exit
840
467
current_checker_command: string; current running checker_command
841
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
843
470
fingerprint: string (40 or 32 hexadecimal digits); used to
844
uniquely identify an OpenPGP client
845
key_id: string (64 hexadecimal digits); used to uniquely identify
846
a client using raw public keys
471
uniquely identify the client
847
472
host: string; available for use by the checker command
848
473
interval: datetime.timedelta(); How often to start a new checker
849
474
last_approval_request: datetime.datetime(); (UTC) or None
2371
1991
delay -= time2 - time
2374
session.send(client.secret)
2375
except gnutls.Error as error:
2376
logger.warning("gnutls send failed",
1994
while sent_size < len(client.secret):
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2380
2006
logger.info("Sending secret to %s", client.name)
2381
2007
# bump the timeout using extended_timeout
2382
2008
client.bump_timeout(client.extended_timeout)
2383
2009
if self.server.use_dbus:
2384
2010
# Emit D-Bus signal
2385
2011
client.GotSecret()
2388
2014
if approval_required:
2389
2015
client.approvals_pending -= 1
2392
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2393
2019
logger.warning("GnuTLS bye failed",
2394
2020
exc_info=error)
2397
2023
def peer_certificate(session):
2398
"Return the peer's certificate as a bytestring"
2400
cert_type = gnutls.certificate_type_get2(session._c_object,
2402
except AttributeError:
2403
cert_type = gnutls.certificate_type_get(session._c_object)
2404
if gnutls.has_rawpk:
2405
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2407
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2408
# If not a valid certificate type...
2409
if cert_type not in valid_cert_types:
2410
logger.info("Cert type %r not in %r", cert_type,
2412
# ...return invalid data
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2414
2031
list_size = ctypes.c_uint(1)
2415
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2416
2034
(session._c_object, ctypes.byref(list_size)))
2417
2035
if not bool(cert_list) and list_size.value != 0:
2418
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2419
2038
if list_size.value == 0:
2421
2040
cert = cert_list[0]
2422
2041
return ctypes.string_at(cert.data, cert.size)
2425
def key_id(certificate):
2426
"Convert a certificate bytestring to a hexdigit key ID"
2427
# New GnuTLS "datum" with the public key
2428
datum = gnutls.datum_t(
2429
ctypes.cast(ctypes.c_char_p(certificate),
2430
ctypes.POINTER(ctypes.c_ubyte)),
2431
ctypes.c_uint(len(certificate)))
2432
# XXX all these need to be created in the gnutls "module"
2433
# New empty GnuTLS certificate
2434
pubkey = gnutls.pubkey_t()
2435
gnutls.pubkey_init(ctypes.byref(pubkey))
2436
# Import the raw public key into the certificate
2437
gnutls.pubkey_import(pubkey,
2438
ctypes.byref(datum),
2439
gnutls.X509_FMT_DER)
2440
# New buffer for the key ID
2441
buf = ctypes.create_string_buffer(32)
2442
buf_len = ctypes.c_size_t(len(buf))
2443
# Get the key ID from the raw public key into the buffer
2444
gnutls.pubkey_get_key_id(pubkey,
2445
gnutls.KEYID_USE_SHA256,
2446
ctypes.cast(ctypes.byref(buf),
2447
ctypes.POINTER(ctypes.c_ubyte)),
2448
ctypes.byref(buf_len))
2449
# Deinit the certificate
2450
gnutls.pubkey_deinit(pubkey)
2452
# Convert the buffer to a Python bytestring
2453
key_id = ctypes.string_at(buf, buf_len.value)
2454
# Convert the bytestring to hexadecimal notation
2455
hex_key_id = binascii.hexlify(key_id).upper()
2459
2044
def fingerprint(openpgp):
2460
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2461
2046
# New GnuTLS "datum" with the OpenPGP public key
2462
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2463
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2464
2049
ctypes.POINTER(ctypes.c_ubyte)),
2465
2050
ctypes.c_uint(len(openpgp)))
2466
2051
# New empty GnuTLS certificate
2467
crt = gnutls.openpgp_crt_t()
2468
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2469
2055
# Import the OpenPGP public key into the certificate
2470
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2471
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2472
2059
# Verify the self signature in the key
2473
2060
crtverify = ctypes.c_uint()
2474
gnutls.openpgp_crt_verify_self(crt, 0,
2475
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2476
2063
if crtverify.value != 0:
2477
gnutls.openpgp_crt_deinit(crt)
2478
raise gnutls.CertificateSecurityError(code
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2480
2067
# New buffer for the fingerprint
2481
2068
buf = ctypes.create_string_buffer(20)
2482
2069
buf_len = ctypes.c_size_t()
2483
2070
# Get the fingerprint from the certificate into the buffer
2484
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2485
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2486
2073
# Deinit the certificate
2487
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2488
2075
# Convert the buffer to a Python bytestring
2489
2076
fpr = ctypes.string_at(buf, buf_len.value)
2490
2077
# Convert the bytestring to hexadecimal notation
2579
2165
# socket_wrapper(), if socketfd was set.
2580
2166
socketserver.TCPServer.__init__(self, server_address,
2581
2167
RequestHandlerClass)
2583
2169
def server_bind(self):
2584
2170
"""This overrides the normal server_bind() function
2585
2171
to bind to an interface if one was specified, and also NOT to
2586
2172
bind to an address or port if they were not specified."""
2587
global SO_BINDTODEVICE
2588
2173
if self.interface is not None:
2589
2174
if SO_BINDTODEVICE is None:
2590
# Fall back to a hard-coded value which seems to be
2592
logger.warning("SO_BINDTODEVICE not found, trying 25")
2593
SO_BINDTODEVICE = 25
2595
self.socket.setsockopt(
2596
socket.SOL_SOCKET, SO_BINDTODEVICE,
2597
(self.interface + "\0").encode("utf-8"))
2598
except socket.error as error:
2599
if error.errno == errno.EPERM:
2600
logger.error("No permission to bind to"
2601
" interface %s", self.interface)
2602
elif error.errno == errno.ENOPROTOOPT:
2603
logger.error("SO_BINDTODEVICE not available;"
2604
" cannot bind to interface %s",
2606
elif error.errno == errno.ENODEV:
2607
logger.error("Interface %s does not exist,"
2608
" cannot bind", self.interface)
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2611
2196
# Only bind(2) the socket if we really need to.
2612
2197
if self.server_address[0] or self.server_address[1]:
2613
if self.server_address[1]:
2614
self.allow_reuse_address = True
2615
2198
if not self.server_address[0]:
2616
2199
if self.address_family == socket.AF_INET6:
2617
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2619
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2620
2203
self.server_address = (any_address,
2621
2204
self.server_address[1])
2622
2205
elif not self.server_address[1]:
3188
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3189
2751
service = AvahiServiceToSyslog(
3190
name=server_settings["servicename"],
3191
servicetype="_mandos._tcp",
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
3194
2756
if server_settings["interface"]:
3195
2757
service.interface = if_nametoindex(
3196
2758
server_settings["interface"].encode("utf-8"))
3198
2760
global multiprocessing_manager
3199
2761
multiprocessing_manager = multiprocessing.Manager()
3201
2763
client_class = Client
3203
client_class = functools.partial(ClientDBus, bus=bus)
2765
client_class = functools.partial(ClientDBus, bus = bus)
3205
2767
client_settings = Client.config_parser(client_config)
3206
2768
old_client_settings = {}
3207
2769
clients_data = {}
3209
2771
# This is used to redirect stdout and stderr for checker processes
3211
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3212
2774
# Only used if server is running in foreground but not in debug
3214
2776
if debug or not foreground:
3217
2779
# Get client data and settings from last running state.
3218
2780
if server_settings["restore"]:
3220
2782
with open(stored_state_path, "rb") as stored_state:
3221
if sys.version_info.major == 2:
3222
clients_data, old_client_settings = pickle.load(
3225
bytes_clients_data, bytes_old_client_settings = (
3226
pickle.load(stored_state, encoding="bytes"))
3227
# Fix bytes to strings
3230
clients_data = {(key.decode("utf-8")
3231
if isinstance(key, bytes)
3234
bytes_clients_data.items()}
3235
del bytes_clients_data
3236
for key in clients_data:
3237
value = {(k.decode("utf-8")
3238
if isinstance(k, bytes) else k): v
3240
clients_data[key].items()}
3241
clients_data[key] = value
3243
value["client_structure"] = [
3245
if isinstance(s, bytes)
3247
value["client_structure"]]
3249
for k in ("name", "host"):
3250
if isinstance(value[k], bytes):
3251
value[k] = value[k].decode("utf-8")
3252
if "key_id" not in value:
3253
value["key_id"] = ""
3254
elif "fingerprint" not in value:
3255
value["fingerprint"] = ""
3256
# old_client_settings
3258
old_client_settings = {
3259
(key.decode("utf-8")
3260
if isinstance(key, bytes)
3263
bytes_old_client_settings.items()}
3264
del bytes_old_client_settings
3266
for value in old_client_settings.values():
3267
if isinstance(value["host"], bytes):
3268
value["host"] = (value["host"]
2783
clients_data, old_client_settings = pickle.load(
3270
2785
os.remove(stored_state_path)
3271
2786
except IOError as e:
3272
2787
if e.errno == errno.ENOENT: