236
195
.replace(b"\n", b"\\n")
237
196
.replace(b"\0", b"\\x00"))
240
199
def encrypt(self, data, password):
241
200
passphrase = self.password_encode(password)
242
201
with tempfile.NamedTemporaryFile(
243
202
dir=self.tempdir) as passfile:
244
203
passfile.write(passphrase)
246
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
247
206
'--passphrase-file',
249
208
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
254
213
if proc.returncode != 0:
255
214
raise PGPError(err)
256
215
return ciphertext
258
217
def decrypt(self, data, password):
259
218
passphrase = self.password_encode(password)
260
219
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
262
221
passfile.write(passphrase)
264
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
265
224
'--passphrase-file',
267
226
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
272
231
if proc.returncode != 0:
273
232
raise PGPError(err)
274
233
return decrypted_plaintext
277
# Pretend that we have an Avahi module
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
304
236
class AvahiError(Exception):
305
237
def __init__(self, value, *args, **kwargs):
306
238
self.value = value
496
428
class AvahiServiceToSyslog(AvahiService):
497
429
def rename(self, *args, **kwargs):
498
430
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
500
432
syslogger.setFormatter(logging.Formatter(
501
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
434
.format(self.name)))
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
511
library = ctypes.util.find_library("gnutls")
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
516
_need_version = b"3.3.0"
517
_tls_rawpk_version = b"3.6.6"
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
538
E_NO_CERTIFICATE_FOUND = -49
543
KEYID_USE_SHA256 = 1 # gnutls/x509.h
544
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
547
class session_int(ctypes.Structure):
549
session_t = ctypes.POINTER(session_int)
551
class certificate_credentials_st(ctypes.Structure):
553
certificate_credentials_t = ctypes.POINTER(
554
certificate_credentials_st)
555
certificate_type_t = ctypes.c_int
557
class datum_t(ctypes.Structure):
558
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
559
('size', ctypes.c_uint)]
561
class openpgp_crt_int(ctypes.Structure):
563
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
564
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
565
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
566
credentials_type_t = ctypes.c_int
567
transport_ptr_t = ctypes.c_void_p
568
close_request_t = ctypes.c_int
571
class Error(Exception):
572
# We need to use the class name "GnuTLS" here, since this
573
# exception might be raised from within GnuTLS.__init__,
574
# which is called before the assignment to the "gnutls"
575
# global variable has happened.
576
def __init__(self, message=None, code=None, args=()):
577
# Default usage is by a message string, but if a return
578
# code is passed, convert it to a string with
581
if message is None and code is not None:
582
message = GnuTLS.strerror(code)
583
return super(GnuTLS.Error, self).__init__(
586
class CertificateSecurityError(Error):
590
class Credentials(object):
592
self._c_object = gnutls.certificate_credentials_t()
593
gnutls.certificate_allocate_credentials(
594
ctypes.byref(self._c_object))
595
self.type = gnutls.CRD_CERTIFICATE
598
gnutls.certificate_free_credentials(self._c_object)
600
class ClientSession(object):
601
def __init__(self, socket, credentials=None):
602
self._c_object = gnutls.session_t()
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
610
gnutls.set_default_priority(self._c_object)
611
gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
gnutls.handshake_set_private_extensions(self._c_object,
615
if credentials is None:
616
credentials = gnutls.Credentials()
617
gnutls.credentials_set(self._c_object, credentials.type,
618
ctypes.cast(credentials._c_object,
620
self.credentials = credentials
623
gnutls.deinit(self._c_object)
626
return gnutls.handshake(self._c_object)
628
def send(self, data):
632
data_len -= gnutls.record_send(self._c_object,
637
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
639
# Error handling functions
640
def _error_code(result):
641
"""A function to raise exceptions on errors, suitable
642
for the 'restype' attribute on ctypes functions"""
645
if result == gnutls.E_NO_CERTIFICATE_FOUND:
646
raise gnutls.CertificateSecurityError(code=result)
647
raise gnutls.Error(code=result)
649
def _retry_on_error(result, func, arguments):
650
"""A function to retry on some errors, suitable
651
for the 'errcheck' attribute on ctypes functions"""
653
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
654
return _error_code(result)
655
result = func(*arguments)
658
# Unless otherwise indicated, the function declarations below are
659
# all from the gnutls/gnutls.h C header file.
662
priority_set_direct = _library.gnutls_priority_set_direct
663
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
664
ctypes.POINTER(ctypes.c_char_p)]
665
priority_set_direct.restype = _error_code
667
init = _library.gnutls_init
668
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
669
init.restype = _error_code
671
set_default_priority = _library.gnutls_set_default_priority
672
set_default_priority.argtypes = [session_t]
673
set_default_priority.restype = _error_code
675
record_send = _library.gnutls_record_send
676
record_send.argtypes = [session_t, ctypes.c_void_p,
678
record_send.restype = ctypes.c_ssize_t
679
record_send.errcheck = _retry_on_error
681
certificate_allocate_credentials = (
682
_library.gnutls_certificate_allocate_credentials)
683
certificate_allocate_credentials.argtypes = [
684
ctypes.POINTER(certificate_credentials_t)]
685
certificate_allocate_credentials.restype = _error_code
687
certificate_free_credentials = (
688
_library.gnutls_certificate_free_credentials)
689
certificate_free_credentials.argtypes = [
690
certificate_credentials_t]
691
certificate_free_credentials.restype = None
693
handshake_set_private_extensions = (
694
_library.gnutls_handshake_set_private_extensions)
695
handshake_set_private_extensions.argtypes = [session_t,
697
handshake_set_private_extensions.restype = None
699
credentials_set = _library.gnutls_credentials_set
700
credentials_set.argtypes = [session_t, credentials_type_t,
702
credentials_set.restype = _error_code
704
strerror = _library.gnutls_strerror
705
strerror.argtypes = [ctypes.c_int]
706
strerror.restype = ctypes.c_char_p
708
certificate_type_get = _library.gnutls_certificate_type_get
709
certificate_type_get.argtypes = [session_t]
710
certificate_type_get.restype = _error_code
712
certificate_get_peers = _library.gnutls_certificate_get_peers
713
certificate_get_peers.argtypes = [session_t,
714
ctypes.POINTER(ctypes.c_uint)]
715
certificate_get_peers.restype = ctypes.POINTER(datum_t)
717
global_set_log_level = _library.gnutls_global_set_log_level
718
global_set_log_level.argtypes = [ctypes.c_int]
719
global_set_log_level.restype = None
721
global_set_log_function = _library.gnutls_global_set_log_function
722
global_set_log_function.argtypes = [log_func]
723
global_set_log_function.restype = None
725
deinit = _library.gnutls_deinit
726
deinit.argtypes = [session_t]
727
deinit.restype = None
729
handshake = _library.gnutls_handshake
730
handshake.argtypes = [session_t]
731
handshake.restype = _error_code
732
handshake.errcheck = _retry_on_error
734
transport_set_ptr = _library.gnutls_transport_set_ptr
735
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
736
transport_set_ptr.restype = None
738
bye = _library.gnutls_bye
739
bye.argtypes = [session_t, close_request_t]
740
bye.restype = _error_code
741
bye.errcheck = _retry_on_error
743
check_version = _library.gnutls_check_version
744
check_version.argtypes = [ctypes.c_char_p]
745
check_version.restype = ctypes.c_char_p
747
has_rawpk = bool(check_version(_tls_rawpk_version))
751
class pubkey_st(ctypes.Structure):
753
pubkey_t = ctypes.POINTER(pubkey_st)
755
x509_crt_fmt_t = ctypes.c_int
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
765
pubkey_import.restype = _error_code
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
777
# All the function declarations below are from gnutls/openpgp.h
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
787
openpgp_crt_import.restype = _error_code
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
804
openpgp_crt_get_fingerprint.restype = _error_code
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
811
# Remove non-public functions
812
del _error_code, _retry_on_error
813
# Create the global "gnutls" object, simulating a module
817
437
def call_pipe(connection, # : multiprocessing.Connection
818
438
func, *args, **kwargs):
819
439
"""This function is meant to be called by multiprocessing.Process
821
441
This function runs func(*args, **kwargs), and writes the resulting
822
442
return value on the provided multiprocessing.Connection.
824
444
connection.send(func(*args, **kwargs))
825
445
connection.close()
828
447
class Client(object):
829
448
"""A representation of a client host served by this server.
832
451
approved: bool(); 'None' if not yet approved/disapproved
833
452
approval_delay: datetime.timedelta(); Time to wait for approval
2377
1990
delay -= time2 - time
2380
session.send(client.secret)
2381
except gnutls.Error as error:
2382
logger.warning("gnutls send failed",
1993
while sent_size < len(client.secret):
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2386
2005
logger.info("Sending secret to %s", client.name)
2387
2006
# bump the timeout using extended_timeout
2388
2007
client.bump_timeout(client.extended_timeout)
2389
2008
if self.server.use_dbus:
2390
2009
# Emit D-Bus signal
2391
2010
client.GotSecret()
2394
2013
if approval_required:
2395
2014
client.approvals_pending -= 1
2398
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2399
2018
logger.warning("GnuTLS bye failed",
2400
2019
exc_info=error)
2403
2022
def peer_certificate(session):
2404
"Return the peer's certificate as a bytestring"
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2418
# ...return invalid data
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2420
2030
list_size = ctypes.c_uint(1)
2421
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2422
2033
(session._c_object, ctypes.byref(list_size)))
2423
2034
if not bool(cert_list) and list_size.value != 0:
2424
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2425
2037
if list_size.value == 0:
2427
2039
cert = cert_list[0]
2428
2040
return ctypes.string_at(cert.data, cert.size)
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2465
2043
def fingerprint(openpgp):
2466
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2467
2045
# New GnuTLS "datum" with the OpenPGP public key
2468
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2469
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2470
2048
ctypes.POINTER(ctypes.c_ubyte)),
2471
2049
ctypes.c_uint(len(openpgp)))
2472
2050
# New empty GnuTLS certificate
2473
crt = gnutls.openpgp_crt_t()
2474
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2475
2054
# Import the OpenPGP public key into the certificate
2476
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2477
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2478
2058
# Verify the self signature in the key
2479
2059
crtverify = ctypes.c_uint()
2480
gnutls.openpgp_crt_verify_self(crt, 0,
2481
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2482
2062
if crtverify.value != 0:
2483
gnutls.openpgp_crt_deinit(crt)
2484
raise gnutls.CertificateSecurityError(code
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2486
2066
# New buffer for the fingerprint
2487
2067
buf = ctypes.create_string_buffer(20)
2488
2068
buf_len = ctypes.c_size_t()
2489
2069
# Get the fingerprint from the certificate into the buffer
2490
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2491
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2492
2072
# Deinit the certificate
2493
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2494
2074
# Convert the buffer to a Python bytestring
2495
2075
fpr = ctypes.string_at(buf, buf_len.value)
2496
2076
# Convert the bytestring to hexadecimal notation
2585
2164
# socket_wrapper(), if socketfd was set.
2586
2165
socketserver.TCPServer.__init__(self, server_address,
2587
2166
RequestHandlerClass)
2589
2168
def server_bind(self):
2590
2169
"""This overrides the normal server_bind() function
2591
2170
to bind to an interface if one was specified, and also NOT to
2592
2171
bind to an address or port if they were not specified."""
2593
global SO_BINDTODEVICE
2594
2172
if self.interface is not None:
2595
2173
if SO_BINDTODEVICE is None:
2596
# Fall back to a hard-coded value which seems to be
2598
logger.warning("SO_BINDTODEVICE not found, trying 25")
2599
SO_BINDTODEVICE = 25
2601
self.socket.setsockopt(
2602
socket.SOL_SOCKET, SO_BINDTODEVICE,
2603
(self.interface + "\0").encode("utf-8"))
2604
except socket.error as error:
2605
if error.errno == errno.EPERM:
2606
logger.error("No permission to bind to"
2607
" interface %s", self.interface)
2608
elif error.errno == errno.ENOPROTOOPT:
2609
logger.error("SO_BINDTODEVICE not available;"
2610
" cannot bind to interface %s",
2612
elif error.errno == errno.ENODEV:
2613
logger.error("Interface %s does not exist,"
2614
" cannot bind", self.interface)
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2617
2195
# Only bind(2) the socket if we really need to.
2618
2196
if self.server_address[0] or self.server_address[1]:
2619
2197
if not self.server_address[0]:
2620
2198
if self.address_family == socket.AF_INET6:
2621
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2623
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2624
2202
self.server_address = (any_address,
2625
2203
self.server_address[1])
2626
2204
elif not self.server_address[1]:
2660
2238
self.gnutls_priority = gnutls_priority
2661
2239
IPv6_TCPServer.__init__(self, server_address,
2662
2240
RequestHandlerClass,
2663
interface=interface,
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2667
2245
def server_activate(self):
2668
2246
if self.enabled:
2669
2247
return socketserver.TCPServer.server_activate(self)
2671
2249
def enable(self):
2672
2250
self.enabled = True
2674
2252
def add_pipe(self, parent_pipe, proc):
2675
2253
# Call "handle_ipc" for both data and EOF events
2254
gobject.io_add_watch(
2677
2255
parent_pipe.fileno(),
2678
GLib.IO_IN | GLib.IO_HUP,
2256
gobject.IO_IN | gobject.IO_HUP,
2679
2257
functools.partial(self.handle_ipc,
2680
parent_pipe=parent_pipe,
2258
parent_pipe = parent_pipe,
2683
2261
def handle_ipc(self, source, condition,
2684
2262
parent_pipe=None,
2686
2264
client_object=None):
2687
2265
# error, or the other end of multiprocessing.Pipe has closed
2688
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2689
2267
# Wait for other process to exit
2693
2271
# Read a request from the child
2694
2272
request = parent_pipe.recv()
2695
2273
command = request[0]
2697
2275
if command == 'init':
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2702
for c in self.clients.values():
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2705
if key_id and c.key_id == key_id:
2708
if fpr and c.fingerprint == fpr:
2277
address = request[2]
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2714
2286
if self.use_dbus:
2715
2287
# Emit D-Bus signal
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2288
mandos_dbus_service.ClientNotFound(fpr,
2718
2290
parent_pipe.send(False)
2293
gobject.io_add_watch(
2722
2294
parent_pipe.fileno(),
2723
GLib.IO_IN | GLib.IO_HUP,
2295
gobject.IO_IN | gobject.IO_HUP,
2724
2296
functools.partial(self.handle_ipc,
2725
parent_pipe=parent_pipe,
2727
client_object=client))
2297
parent_pipe = parent_pipe,
2299
client_object = client))
2728
2300
parent_pipe.send(True)
2729
2301
# remove the old hook in favor of the new above hook on
3192
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3193
2750
service = AvahiServiceToSyslog(
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
3198
2755
if server_settings["interface"]:
3199
2756
service.interface = if_nametoindex(
3200
2757
server_settings["interface"].encode("utf-8"))
3202
2759
global multiprocessing_manager
3203
2760
multiprocessing_manager = multiprocessing.Manager()
3205
2762
client_class = Client
3207
client_class = functools.partial(ClientDBus, bus=bus)
2764
client_class = functools.partial(ClientDBus, bus = bus)
3209
2766
client_settings = Client.config_parser(client_config)
3210
2767
old_client_settings = {}
3211
2768
clients_data = {}
3213
2770
# This is used to redirect stdout and stderr for checker processes
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3216
2773
# Only used if server is running in foreground but not in debug
3218
2775
if debug or not foreground:
3221
2778
# Get client data and settings from last running state.
3222
2779
if server_settings["restore"]:
3224
2781
with open(stored_state_path, "rb") as stored_state:
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3244
clients_data[key].items()}
3245
clients_data[key] = value
3247
value["client_structure"] = [
3249
if isinstance(s, bytes)
3251
value["client_structure"]]
3253
for k in ("name", "host"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if not value.has_key("key_id"):
3257
value["key_id"] = ""
3258
elif not value.has_key("fingerprint"):
3259
value["fingerprint"] = ""
3260
# old_client_settings
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3270
for value in old_client_settings.values():
3271
if isinstance(value["host"], bytes):
3272
value["host"] = (value["host"]
2782
clients_data, old_client_settings = pickle.load(
3274
2784
os.remove(stored_state_path)
3275
2785
except IOError as e:
3276
2786
if e.errno == errno.ENOENT: