265
196
.replace(b"\n", b"\\n")
266
197
.replace(b"\0", b"\\x00"))
269
200
def encrypt(self, data, password):
270
201
passphrase = self.password_encode(password)
271
202
with tempfile.NamedTemporaryFile(
272
203
dir=self.tempdir) as passfile:
273
204
passfile.write(passphrase)
275
proc = subprocess.Popen([self.gpg, "--symmetric",
206
proc = subprocess.Popen(['gpg', '--symmetric',
278
209
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
283
214
if proc.returncode != 0:
284
215
raise PGPError(err)
285
216
return ciphertext
287
218
def decrypt(self, data, password):
288
219
passphrase = self.password_encode(password)
289
220
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
291
222
passfile.write(passphrase)
293
proc = subprocess.Popen([self.gpg, "--decrypt",
224
proc = subprocess.Popen(['gpg', '--decrypt',
296
227
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
301
232
if proc.returncode != 0:
302
233
raise PGPError(err)
303
234
return decrypted_plaintext
306
# Pretend that we have an Avahi module
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
332
237
class AvahiError(Exception):
333
238
def __init__(self, value, *args, **kwargs):
334
239
self.value = value
524
429
class AvahiServiceToSyslog(AvahiService):
525
430
def rename(self, *args, **kwargs):
526
431
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
432
ret = AvahiService.rename(self, *args, **kwargs)
529
433
syslogger.setFormatter(logging.Formatter(
530
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
435
.format(self.name)))
535
# Pretend that we have a GnuTLS module
537
"""This isn't so much a class as it is a module-like namespace."""
539
library = ctypes.util.find_library("gnutls")
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
557
E_NO_CERTIFICATE_FOUND = -49
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
566
class _session_int(ctypes.Structure):
568
session_t = ctypes.POINTER(_session_int)
570
class certificate_credentials_st(ctypes.Structure):
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
576
class datum_t(ctypes.Structure):
577
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
578
("size", ctypes.c_uint)]
580
class _openpgp_crt_int(ctypes.Structure):
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
596
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
602
class CertificateSecurityError(Error):
606
def __init__(self, cls):
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
615
class CastToVoidPointer:
616
def __init__(self, cls):
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
625
class With_from_param:
627
def from_param(cls, obj):
628
return obj._as_parameter_
631
class Credentials(With_from_param):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
635
self.type = gnutls.CRD_CERTIFICATE
638
gnutls.certificate_free_credentials(self)
640
class ClientSession(With_from_param):
641
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
654
if credentials is None:
655
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
658
self.credentials = credentials
664
return gnutls.handshake(self)
666
def send(self, data):
670
data_len -= gnutls.record_send(self, data[-data_len:],
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
676
# Error handling functions
677
def _error_code(result):
678
"""A function to raise exceptions on errors, suitable
679
for the "restype" attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
raise gnutls.CertificateSecurityError(code=result)
684
raise gnutls.Error(code=result)
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
688
"""A function to retry on some errors, suitable
689
for the "errcheck" attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
return _error_code(result)
693
result = func(*arguments)
696
# Unless otherwise indicated, the function declarations below are
697
# all from the gnutls/gnutls.h C header file.
700
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
702
ctypes.POINTER(ctypes.c_char_p)]
703
priority_set_direct.restype = _error_code
705
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
707
init.restype = _error_code
709
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
711
set_default_priority.restype = _error_code
713
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
716
record_send.restype = ctypes.c_ssize_t
717
record_send.errcheck = _retry_on_error
719
certificate_allocate_credentials = (
720
_library.gnutls_certificate_allocate_credentials)
721
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
723
certificate_allocate_credentials.restype = _error_code
725
certificate_free_credentials = (
726
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
728
certificate_free_credentials.restype = None
730
handshake_set_private_extensions = (
731
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
734
handshake_set_private_extensions.restype = None
736
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
739
credentials_set.restype = _error_code
741
strerror = _library.gnutls_strerror
742
strerror.argtypes = [ctypes.c_int]
743
strerror.restype = ctypes.c_char_p
745
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
747
certificate_type_get.restype = _error_code
749
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
751
ctypes.POINTER(ctypes.c_uint)]
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
754
global_set_log_level = _library.gnutls_global_set_log_level
755
global_set_log_level.argtypes = [ctypes.c_int]
756
global_set_log_level.restype = None
758
global_set_log_function = _library.gnutls_global_set_log_function
759
global_set_log_function.argtypes = [log_func]
760
global_set_log_function.restype = None
762
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
764
deinit.restype = None
766
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
769
handshake.errcheck = _retry_on_error
771
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
773
transport_set_ptr.restype = None
775
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
778
bye.errcheck = _retry_on_error
780
check_version = _library.gnutls_check_version
781
check_version.argtypes = [ctypes.c_char_p]
782
check_version.restype = ctypes.c_char_p
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
794
class pubkey_st(ctypes.Structure):
796
pubkey_t = ctypes.POINTER(pubkey_st)
798
x509_crt_fmt_t = ctypes.c_int
800
# All the function declarations below are from
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
809
pubkey_import.restype = _error_code
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
821
# All the function declarations below are from
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
832
openpgp_crt_import.restype = _error_code
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
839
ctypes.POINTER(ctypes.c_uint),
841
openpgp_crt_verify_self.restype = _error_code
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
853
openpgp_crt_get_fingerprint.restype = _error_code
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
860
# Remove non-public functions
861
del _error_code, _retry_on_error
864
438
def call_pipe(connection, # : multiprocessing.Connection
865
439
func, *args, **kwargs):
866
440
"""This function is meant to be called by multiprocessing.Process
868
442
This function runs func(*args, **kwargs), and writes the resulting
869
443
return value on the provided multiprocessing.Connection.
871
445
connection.send(func(*args, **kwargs))
872
446
connection.close()
448
class Client(object):
876
449
"""A representation of a client host served by this server.
879
approved: bool(); None if not yet approved/disapproved
452
approved: bool(); 'None' if not yet approved/disapproved
880
453
approval_delay: datetime.timedelta(); Time to wait for approval
881
454
approval_duration: datetime.timedelta(); Duration of one approval
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. None if no process is
885
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
886
459
checker_command: string; External command which is run to check
887
460
if client lives. %() expansions are done at
888
461
runtime with vars(self) as dict, so that for
889
462
instance %(name)s can be used in the command.
890
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
891
464
created: datetime.datetime(); (UTC) object creation
892
465
client_structure: Object describing what attributes a client has
893
466
and is used for storing the client at exit
894
467
current_checker_command: string; current running checker_command
895
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
897
470
fingerprint: string (40 or 32 hexadecimal digits); used to
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
471
uniquely identify the client
901
472
host: string; available for use by the checker command
902
473
interval: datetime.timedelta(); How often to start a new checker
903
474
last_approval_request: datetime.datetime(); (UTC) or None
2265
1835
byte_arrays=True)
2266
1836
def Secret_dbus_property(self, value):
2267
1837
self.secret = bytes(value)
2273
def __init__(self, child_pipe, key_id, fpr, address):
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2274
1844
self._pipe = child_pipe
2275
self._pipe.send(("init", key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2276
1846
if not self._pipe.recv():
2277
raise KeyError(key_id or fpr)
2279
1849
def __getattribute__(self, name):
2281
1851
return super(ProxyClient, self).__getattribute__(name)
2282
self._pipe.send(("getattr", name))
1852
self._pipe.send(('getattr', name))
2283
1853
data = self._pipe.recv()
2284
if data[0] == "data":
1854
if data[0] == 'data':
2286
if data[0] == "function":
1856
if data[0] == 'function':
2288
1858
def func(*args, **kwargs):
2289
self._pipe.send(("funcall", name, args, kwargs))
1859
self._pipe.send(('funcall', name, args, kwargs))
2290
1860
return self._pipe.recv()[1]
2294
1864
def __setattr__(self, name, value):
2296
1866
return super(ProxyClient, self).__setattr__(name, value)
2297
self._pipe.send(("setattr", name, value))
1867
self._pipe.send(('setattr', name, value))
2300
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2301
1871
"""A class to handle client connections.
2303
1873
Instantiated once for each connection to handle it.
2304
1874
Note: This will run in its own forked process."""
2306
1876
def handle(self):
2307
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2308
1878
logger.info("TCP connection from: %s",
2309
1879
str(self.client_address))
2310
1880
logger.debug("Pipe FD: %d",
2311
1881
self.server.child_pipe.fileno())
2313
session = gnutls.ClientSession(self.request)
2315
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2316
# "+AES-256-CBC", "+SHA1",
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
2319
1895
# Use a fallback default, since this MUST be set.
2320
1896
priority = self.server.gnutls_priority
2321
1897
if priority is None:
2322
1898
priority = "NORMAL"
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
2326
1902
# Start communication using the Mandos protocol
2327
1903
# Get protocol number
2328
1904
line = self.request.makefile().readline()
2428
1991
delay -= time2 - time
2431
session.send(client.secret)
2432
except gnutls.Error as error:
2433
logger.warning("gnutls send failed",
1994
while sent_size < len(client.secret):
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2437
2006
logger.info("Sending secret to %s", client.name)
2438
2007
# bump the timeout using extended_timeout
2439
2008
client.bump_timeout(client.extended_timeout)
2440
2009
if self.server.use_dbus:
2441
2010
# Emit D-Bus signal
2442
2011
client.GotSecret()
2445
2014
if approval_required:
2446
2015
client.approvals_pending -= 1
2449
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2450
2019
logger.warning("GnuTLS bye failed",
2451
2020
exc_info=error)
2454
2023
def peer_certificate(session):
2455
"Return the peer's certificate as a bytestring"
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2469
# ...return invalid data
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2471
2031
list_size = ctypes.c_uint(1)
2472
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2034
(session._c_object, ctypes.byref(list_size)))
2474
2035
if not bool(cert_list) and list_size.value != 0:
2475
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2476
2038
if list_size.value == 0:
2478
2040
cert = cert_list[0]
2479
2041
return ctypes.string_at(cert.data, cert.size)
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2517
2044
def fingerprint(openpgp):
2518
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2519
2046
# New GnuTLS "datum" with the OpenPGP public key
2520
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2521
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2522
2049
ctypes.POINTER(ctypes.c_ubyte)),
2523
2050
ctypes.c_uint(len(openpgp)))
2524
2051
# New empty GnuTLS certificate
2525
crt = gnutls.openpgp_crt_t()
2526
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2527
2055
# Import the OpenPGP public key into the certificate
2528
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2529
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2530
2059
# Verify the self signature in the key
2531
2060
crtverify = ctypes.c_uint()
2532
gnutls.openpgp_crt_verify_self(crt, 0,
2533
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2534
2063
if crtverify.value != 0:
2535
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2538
2067
# New buffer for the fingerprint
2539
2068
buf = ctypes.create_string_buffer(20)
2540
2069
buf_len = ctypes.c_size_t()
2541
2070
# Get the fingerprint from the certificate into the buffer
2542
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2543
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2544
2073
# Deinit the certificate
2545
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2546
2075
# Convert the buffer to a Python bytestring
2547
2076
fpr = ctypes.string_at(buf, buf_len.value)
2548
2077
# Convert the bytestring to hexadecimal notation
2637
2165
# socket_wrapper(), if socketfd was set.
2638
2166
socketserver.TCPServer.__init__(self, server_address,
2639
2167
RequestHandlerClass)
2641
2169
def server_bind(self):
2642
2170
"""This overrides the normal server_bind() function
2643
2171
to bind to an interface if one was specified, and also NOT to
2644
2172
bind to an address or port if they were not specified."""
2645
global SO_BINDTODEVICE
2646
2173
if self.interface is not None:
2647
2174
if SO_BINDTODEVICE is None:
2648
# Fall back to a hard-coded value which seems to be
2650
logger.warning("SO_BINDTODEVICE not found, trying 25")
2651
SO_BINDTODEVICE = 25
2653
self.socket.setsockopt(
2654
socket.SOL_SOCKET, SO_BINDTODEVICE,
2655
(self.interface + "\0").encode("utf-8"))
2656
except socket.error as error:
2657
if error.errno == errno.EPERM:
2658
logger.error("No permission to bind to"
2659
" interface %s", self.interface)
2660
elif error.errno == errno.ENOPROTOOPT:
2661
logger.error("SO_BINDTODEVICE not available;"
2662
" cannot bind to interface %s",
2664
elif error.errno == errno.ENODEV:
2665
logger.error("Interface %s does not exist,"
2666
" cannot bind", self.interface)
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2669
2196
# Only bind(2) the socket if we really need to.
2670
2197
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2673
2198
if not self.server_address[0]:
2674
2199
if self.address_family == socket.AF_INET6:
2675
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2677
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2678
2203
self.server_address = (any_address,
2679
2204
self.server_address[1])
2680
2205
elif not self.server_address[1]:
2714
2239
self.gnutls_priority = gnutls_priority
2715
2240
IPv6_TCPServer.__init__(self, server_address,
2716
2241
RequestHandlerClass,
2717
interface=interface,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2721
2246
def server_activate(self):
2722
2247
if self.enabled:
2723
2248
return socketserver.TCPServer.server_activate(self)
2725
2250
def enable(self):
2726
2251
self.enabled = True
2728
2253
def add_pipe(self, parent_pipe, proc):
2729
2254
# Call "handle_ipc" for both data and EOF events
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2733
2258
functools.partial(self.handle_ipc,
2734
parent_pipe=parent_pipe,
2259
parent_pipe = parent_pipe,
2737
2262
def handle_ipc(self, source, condition,
2738
2263
parent_pipe=None,
2740
2265
client_object=None):
2741
2266
# error, or the other end of multiprocessing.Pipe has closed
2742
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2743
2268
# Wait for other process to exit
2747
2272
# Read a request from the child
2748
2273
request = parent_pipe.recv()
2749
2274
command = request[0]
2751
if command == "init":
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2756
for c in self.clients.values():
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2760
if key_id and c.key_id == key_id:
2763
if fpr and c.fingerprint == fpr:
2276
if command == 'init':
2278
address = request[2]
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2769
2287
if self.use_dbus:
2770
2288
# Emit D-Bus signal
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2773
2291
parent_pipe.send(False)
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2779
2297
functools.partial(self.handle_ipc,
2780
parent_pipe=parent_pipe,
2782
client_object=client))
2298
parent_pipe = parent_pipe,
2300
client_object = client))
2783
2301
parent_pipe.send(True)
2784
2302
# remove the old hook in favor of the new above hook on
2787
if command == "funcall":
2305
if command == 'funcall':
2788
2306
funcname = request[1]
2789
2307
args = request[2]
2790
2308
kwargs = request[3]
2792
parent_pipe.send(("data", getattr(client_object,
2310
parent_pipe.send(('data', getattr(client_object,
2793
2311
funcname)(*args,
2796
if command == "getattr":
2314
if command == 'getattr':
2797
2315
attrname = request[1]
2798
2316
if isinstance(client_object.__getattribute__(attrname),
2799
collections.abc.Callable):
2800
parent_pipe.send(("function", ))
2317
collections.Callable):
2318
parent_pipe.send(('function', ))
2802
2320
parent_pipe.send((
2803
"data", client_object.__getattribute__(attrname)))
2805
if command == "setattr":
2321
'data', client_object.__getattribute__(attrname)))
2323
if command == 'setattr':
2806
2324
attrname = request[1]
2807
2325
value = request[2]
2808
2326
setattr(client_object, attrname, value)
2813
2331
def rfc3339_duration_to_delta(duration):
2814
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2834
2350
# Parsing an RFC 3339 duration with regular expressions is not
2835
2351
# possible - there would have to be multiple places for the same
2836
2352
# values, like seconds. The current code, while more esoteric, is
2837
2353
# cleaner without depending on a parsing library. If Python had a
2838
2354
# built-in library for parsing we would use it, but we'd like to
2839
2355
# avoid excessive use of external libraries.
2841
2357
# New type for defining tokens, syntax, and semantics all-in-one
2842
2358
Token = collections.namedtuple("Token", (
2843
2359
"regexp", # To match token; if "value" is not None, must have
3246
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3247
2751
service = AvahiServiceToSyslog(
3248
name=server_settings["servicename"],
3249
servicetype="_mandos._tcp",
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
3252
2756
if server_settings["interface"]:
3253
2757
service.interface = if_nametoindex(
3254
2758
server_settings["interface"].encode("utf-8"))
3256
2760
global multiprocessing_manager
3257
2761
multiprocessing_manager = multiprocessing.Manager()
3259
2763
client_class = Client
3261
client_class = functools.partial(ClientDBus, bus=bus)
2765
client_class = functools.partial(ClientDBus, bus = bus)
3263
2767
client_settings = Client.config_parser(client_config)
3264
2768
old_client_settings = {}
3265
2769
clients_data = {}
3267
2771
# This is used to redirect stdout and stderr for checker processes
3269
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3270
2774
# Only used if server is running in foreground but not in debug
3272
2776
if debug or not foreground:
3275
2779
# Get client data and settings from last running state.
3276
2780
if server_settings["restore"]:
3278
2782
with open(stored_state_path, "rb") as stored_state:
3279
if sys.version_info.major == 2:
3280
clients_data, old_client_settings = pickle.load(
3283
bytes_clients_data, bytes_old_client_settings = (
3284
pickle.load(stored_state, encoding="bytes"))
3285
# Fix bytes to strings
3288
clients_data = {(key.decode("utf-8")
3289
if isinstance(key, bytes)
3292
bytes_clients_data.items()}
3293
del bytes_clients_data
3294
for key in clients_data:
3295
value = {(k.decode("utf-8")
3296
if isinstance(k, bytes) else k): v
3298
clients_data[key].items()}
3299
clients_data[key] = value
3301
value["client_structure"] = [
3303
if isinstance(s, bytes)
3305
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3308
if isinstance(value[k], bytes):
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
# old_client_settings
3316
old_client_settings = {
3317
(key.decode("utf-8")
3318
if isinstance(key, bytes)
3321
bytes_old_client_settings.items()}
3322
del bytes_old_client_settings
3323
# .host and .checker_command
3324
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
2783
clients_data, old_client_settings = pickle.load(
3329
2785
os.remove(stored_state_path)
3330
2786
except IOError as e:
3331
2787
if e.errno == errno.ENOENT: