240
195
.replace(b"\n", b"\\n")
241
196
.replace(b"\0", b"\\x00"))
244
199
def encrypt(self, data, password):
245
200
passphrase = self.password_encode(password)
246
201
with tempfile.NamedTemporaryFile(
247
202
dir=self.tempdir) as passfile:
248
203
passfile.write(passphrase)
250
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
251
206
'--passphrase-file',
253
208
+ self.gnupgargs,
254
stdin=subprocess.PIPE,
255
stdout=subprocess.PIPE,
256
stderr=subprocess.PIPE)
257
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
258
213
if proc.returncode != 0:
259
214
raise PGPError(err)
260
215
return ciphertext
262
217
def decrypt(self, data, password):
263
218
passphrase = self.password_encode(password)
264
219
with tempfile.NamedTemporaryFile(
265
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
266
221
passfile.write(passphrase)
268
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
269
224
'--passphrase-file',
271
226
+ self.gnupgargs,
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
276
231
if proc.returncode != 0:
277
232
raise PGPError(err)
278
233
return decrypted_plaintext
281
# Pretend that we have an Avahi module
283
"""This isn't so much a class as it is a module-like namespace."""
284
IF_UNSPEC = -1 # avahi-common/address.h
285
PROTO_UNSPEC = -1 # avahi-common/address.h
286
PROTO_INET = 0 # avahi-common/address.h
287
PROTO_INET6 = 1 # avahi-common/address.h
288
DBUS_NAME = "org.freedesktop.Avahi"
289
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
290
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
291
DBUS_PATH_SERVER = "/"
294
def string_array_to_txt_array(t):
295
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
296
for s in t), signature="ay")
297
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
299
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
300
SERVER_INVALID = 0 # avahi-common/defs.h
301
SERVER_REGISTERING = 1 # avahi-common/defs.h
302
SERVER_RUNNING = 2 # avahi-common/defs.h
303
SERVER_COLLISION = 3 # avahi-common/defs.h
304
SERVER_FAILURE = 4 # avahi-common/defs.h
307
236
class AvahiError(Exception):
308
237
def __init__(self, value, *args, **kwargs):
309
238
self.value = value
499
428
class AvahiServiceToSyslog(AvahiService):
500
429
def rename(self, *args, **kwargs):
501
430
"""Add the new name to the syslog messages"""
502
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
503
432
syslogger.setFormatter(logging.Formatter(
504
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
505
434
.format(self.name)))
509
# Pretend that we have a GnuTLS module
510
class gnutls(object):
511
"""This isn't so much a class as it is a module-like namespace."""
513
library = ctypes.util.find_library("gnutls")
515
library = ctypes.util.find_library("gnutls-deb0")
516
_library = ctypes.cdll.LoadLibrary(library)
519
# Unless otherwise indicated, the constants and types below are
520
# all from the gnutls/gnutls.h C header file.
531
E_NO_CERTIFICATE_FOUND = -49
536
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
540
class session_int(ctypes.Structure):
542
session_t = ctypes.POINTER(session_int)
544
class certificate_credentials_st(ctypes.Structure):
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
554
class openpgp_crt_int(ctypes.Structure):
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
564
class Error(Exception):
565
def __init__(self, message=None, code=None, args=()):
566
# Default usage is by a message string, but if a return
567
# code is passed, convert it to a string with
570
if message is None and code is not None:
571
message = gnutls.strerror(code)
572
return super(gnutls.Error, self).__init__(
575
class CertificateSecurityError(Error):
579
class Credentials(object):
581
self._c_object = gnutls.certificate_credentials_t()
582
gnutls.certificate_allocate_credentials(
583
ctypes.byref(self._c_object))
584
self.type = gnutls.CRD_CERTIFICATE
587
gnutls.certificate_free_credentials(self._c_object)
589
class ClientSession(object):
590
def __init__(self, socket, credentials=None):
591
self._c_object = gnutls.session_t()
592
gnutls_flags = gnutls.CLIENT
593
if gnutls.check_version(b"3.5.6"):
594
gnutls_flags |= gnutls.NO_TICKETS
596
gnutls_flags |= gnutls.ENABLE_RAWPK
597
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
599
gnutls.set_default_priority(self._c_object)
600
gnutls.transport_set_ptr(self._c_object, socket.fileno())
601
gnutls.handshake_set_private_extensions(self._c_object,
604
if credentials is None:
605
credentials = gnutls.Credentials()
606
gnutls.credentials_set(self._c_object, credentials.type,
607
ctypes.cast(credentials._c_object,
609
self.credentials = credentials
612
gnutls.deinit(self._c_object)
615
return gnutls.handshake(self._c_object)
617
def send(self, data):
621
data_len -= gnutls.record_send(self._c_object,
626
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
628
# Error handling functions
629
def _error_code(result):
630
"""A function to raise exceptions on errors, suitable
631
for the 'restype' attribute on ctypes functions"""
634
if result == gnutls.E_NO_CERTIFICATE_FOUND:
635
raise gnutls.CertificateSecurityError(code=result)
636
raise gnutls.Error(code=result)
638
def _retry_on_error(result, func, arguments):
639
"""A function to retry on some errors, suitable
640
for the 'errcheck' attribute on ctypes functions"""
642
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
643
return _error_code(result)
644
result = func(*arguments)
647
# Unless otherwise indicated, the function declarations below are
648
# all from the gnutls/gnutls.h C header file.
651
priority_set_direct = _library.gnutls_priority_set_direct
652
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
653
ctypes.POINTER(ctypes.c_char_p)]
654
priority_set_direct.restype = _error_code
656
init = _library.gnutls_init
657
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
658
init.restype = _error_code
660
set_default_priority = _library.gnutls_set_default_priority
661
set_default_priority.argtypes = [session_t]
662
set_default_priority.restype = _error_code
664
record_send = _library.gnutls_record_send
665
record_send.argtypes = [session_t, ctypes.c_void_p,
667
record_send.restype = ctypes.c_ssize_t
668
record_send.errcheck = _retry_on_error
670
certificate_allocate_credentials = (
671
_library.gnutls_certificate_allocate_credentials)
672
certificate_allocate_credentials.argtypes = [
673
ctypes.POINTER(certificate_credentials_t)]
674
certificate_allocate_credentials.restype = _error_code
676
certificate_free_credentials = (
677
_library.gnutls_certificate_free_credentials)
678
certificate_free_credentials.argtypes = [
679
certificate_credentials_t]
680
certificate_free_credentials.restype = None
682
handshake_set_private_extensions = (
683
_library.gnutls_handshake_set_private_extensions)
684
handshake_set_private_extensions.argtypes = [session_t,
686
handshake_set_private_extensions.restype = None
688
credentials_set = _library.gnutls_credentials_set
689
credentials_set.argtypes = [session_t, credentials_type_t,
691
credentials_set.restype = _error_code
693
strerror = _library.gnutls_strerror
694
strerror.argtypes = [ctypes.c_int]
695
strerror.restype = ctypes.c_char_p
697
certificate_type_get = _library.gnutls_certificate_type_get
698
certificate_type_get.argtypes = [session_t]
699
certificate_type_get.restype = _error_code
701
certificate_get_peers = _library.gnutls_certificate_get_peers
702
certificate_get_peers.argtypes = [session_t,
703
ctypes.POINTER(ctypes.c_uint)]
704
certificate_get_peers.restype = ctypes.POINTER(datum_t)
706
global_set_log_level = _library.gnutls_global_set_log_level
707
global_set_log_level.argtypes = [ctypes.c_int]
708
global_set_log_level.restype = None
710
global_set_log_function = _library.gnutls_global_set_log_function
711
global_set_log_function.argtypes = [log_func]
712
global_set_log_function.restype = None
714
deinit = _library.gnutls_deinit
715
deinit.argtypes = [session_t]
716
deinit.restype = None
718
handshake = _library.gnutls_handshake
719
handshake.argtypes = [session_t]
720
handshake.restype = _error_code
721
handshake.errcheck = _retry_on_error
723
transport_set_ptr = _library.gnutls_transport_set_ptr
724
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
725
transport_set_ptr.restype = None
727
bye = _library.gnutls_bye
728
bye.argtypes = [session_t, close_request_t]
729
bye.restype = _error_code
730
bye.errcheck = _retry_on_error
732
check_version = _library.gnutls_check_version
733
check_version.argtypes = [ctypes.c_char_p]
734
check_version.restype = ctypes.c_char_p
736
_need_version = b"3.3.0"
737
if check_version(_need_version) is None:
738
raise self.Error("Needs GnuTLS {} or later"
739
.format(_need_version))
741
_tls_rawpk_version = b"3.6.6"
742
has_rawpk = bool(check_version(_tls_rawpk_version))
746
class pubkey_st(ctypes.Structure):
748
pubkey_t = ctypes.POINTER(pubkey_st)
750
x509_crt_fmt_t = ctypes.c_int
752
# All the function declarations below are from gnutls/abstract.h
753
pubkey_init = _library.gnutls_pubkey_init
754
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
755
pubkey_init.restype = _error_code
757
pubkey_import = _library.gnutls_pubkey_import
758
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
760
pubkey_import.restype = _error_code
762
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
763
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
764
ctypes.POINTER(ctypes.c_ubyte),
765
ctypes.POINTER(ctypes.c_size_t)]
766
pubkey_get_key_id.restype = _error_code
768
pubkey_deinit = _library.gnutls_pubkey_deinit
769
pubkey_deinit.argtypes = [pubkey_t]
770
pubkey_deinit.restype = None
772
# All the function declarations below are from gnutls/openpgp.h
774
openpgp_crt_init = _library.gnutls_openpgp_crt_init
775
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
776
openpgp_crt_init.restype = _error_code
778
openpgp_crt_import = _library.gnutls_openpgp_crt_import
779
openpgp_crt_import.argtypes = [openpgp_crt_t,
780
ctypes.POINTER(datum_t),
782
openpgp_crt_import.restype = _error_code
784
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
785
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
786
ctypes.POINTER(ctypes.c_uint)]
787
openpgp_crt_verify_self.restype = _error_code
789
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
790
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
791
openpgp_crt_deinit.restype = None
793
openpgp_crt_get_fingerprint = (
794
_library.gnutls_openpgp_crt_get_fingerprint)
795
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
799
openpgp_crt_get_fingerprint.restype = _error_code
801
if check_version(b"3.6.4"):
802
certificate_type_get2 = _library.gnutls_certificate_type_get2
803
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
804
certificate_type_get2.restype = _error_code
806
# Remove non-public functions
807
del _error_code, _retry_on_error
810
437
def call_pipe(connection, # : multiprocessing.Connection
811
438
func, *args, **kwargs):
812
439
"""This function is meant to be called by multiprocessing.Process
814
441
This function runs func(*args, **kwargs), and writes the resulting
815
442
return value on the provided multiprocessing.Connection.
817
444
connection.send(func(*args, **kwargs))
818
445
connection.close()
821
447
class Client(object):
822
448
"""A representation of a client host served by this server.
825
451
approved: bool(); 'None' if not yet approved/disapproved
826
452
approval_delay: datetime.timedelta(); Time to wait for approval
827
453
approval_duration: datetime.timedelta(); Duration of one approval
828
checker: multiprocessing.Process(); a running checker process used
829
to see if the client lives. 'None' if no process is
831
checker_callback_tag: a GLib event source tag, or None
454
checker: subprocess.Popen(); a running checker process used
455
to see if the client lives.
456
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
832
458
checker_command: string; External command which is run to check
833
459
if client lives. %() expansions are done at
834
460
runtime with vars(self) as dict, so that for
835
461
instance %(name)s can be used in the command.
836
checker_initiator_tag: a GLib event source tag, or None
462
checker_initiator_tag: a gobject event source tag, or None
837
463
created: datetime.datetime(); (UTC) object creation
838
464
client_structure: Object describing what attributes a client has
839
465
and is used for storing the client at exit
840
466
current_checker_command: string; current running checker_command
841
disable_initiator_tag: a GLib event source tag, or None
467
disable_initiator_tag: a gobject event source tag, or None
843
469
fingerprint: string (40 or 32 hexadecimal digits); used to
844
uniquely identify an OpenPGP client
845
key_id: string (64 hexadecimal digits); used to uniquely identify
846
a client using raw public keys
470
uniquely identify the client
847
471
host: string; available for use by the checker command
848
472
interval: datetime.timedelta(); How often to start a new checker
849
473
last_approval_request: datetime.datetime(); (UTC) or None
2371
1990
delay -= time2 - time
2374
session.send(client.secret)
2375
except gnutls.Error as error:
2376
logger.warning("gnutls send failed",
1993
while sent_size < len(client.secret):
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2380
2005
logger.info("Sending secret to %s", client.name)
2381
2006
# bump the timeout using extended_timeout
2382
2007
client.bump_timeout(client.extended_timeout)
2383
2008
if self.server.use_dbus:
2384
2009
# Emit D-Bus signal
2385
2010
client.GotSecret()
2388
2013
if approval_required:
2389
2014
client.approvals_pending -= 1
2392
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2393
2018
logger.warning("GnuTLS bye failed",
2394
2019
exc_info=error)
2397
2022
def peer_certificate(session):
2398
"Return the peer's certificate as a bytestring"
2400
cert_type = gnutls.certificate_type_get2(session._c_object,
2402
except AttributeError:
2403
cert_type = gnutls.certificate_type_get(session._c_object)
2404
if gnutls.has_rawpk:
2405
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2407
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2408
# If not a valid certificate type...
2409
if cert_type not in valid_cert_types:
2410
logger.info("Cert type %r not in %r", cert_type,
2412
# ...return invalid data
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2414
2030
list_size = ctypes.c_uint(1)
2415
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2416
2033
(session._c_object, ctypes.byref(list_size)))
2417
2034
if not bool(cert_list) and list_size.value != 0:
2418
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2419
2037
if list_size.value == 0:
2421
2039
cert = cert_list[0]
2422
2040
return ctypes.string_at(cert.data, cert.size)
2425
def key_id(certificate):
2426
"Convert a certificate bytestring to a hexdigit key ID"
2427
# New GnuTLS "datum" with the public key
2428
datum = gnutls.datum_t(
2429
ctypes.cast(ctypes.c_char_p(certificate),
2430
ctypes.POINTER(ctypes.c_ubyte)),
2431
ctypes.c_uint(len(certificate)))
2432
# XXX all these need to be created in the gnutls "module"
2433
# New empty GnuTLS certificate
2434
pubkey = gnutls.pubkey_t()
2435
gnutls.pubkey_init(ctypes.byref(pubkey))
2436
# Import the raw public key into the certificate
2437
gnutls.pubkey_import(pubkey,
2438
ctypes.byref(datum),
2439
gnutls.X509_FMT_DER)
2440
# New buffer for the key ID
2441
buf = ctypes.create_string_buffer(32)
2442
buf_len = ctypes.c_size_t(len(buf))
2443
# Get the key ID from the raw public key into the buffer
2444
gnutls.pubkey_get_key_id(pubkey,
2445
gnutls.KEYID_USE_SHA256,
2446
ctypes.cast(ctypes.byref(buf),
2447
ctypes.POINTER(ctypes.c_ubyte)),
2448
ctypes.byref(buf_len))
2449
# Deinit the certificate
2450
gnutls.pubkey_deinit(pubkey)
2452
# Convert the buffer to a Python bytestring
2453
key_id = ctypes.string_at(buf, buf_len.value)
2454
# Convert the bytestring to hexadecimal notation
2455
hex_key_id = binascii.hexlify(key_id).upper()
2459
2043
def fingerprint(openpgp):
2460
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2461
2045
# New GnuTLS "datum" with the OpenPGP public key
2462
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2463
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2464
2048
ctypes.POINTER(ctypes.c_ubyte)),
2465
2049
ctypes.c_uint(len(openpgp)))
2466
2050
# New empty GnuTLS certificate
2467
crt = gnutls.openpgp_crt_t()
2468
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2469
2054
# Import the OpenPGP public key into the certificate
2470
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2471
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2472
2058
# Verify the self signature in the key
2473
2059
crtverify = ctypes.c_uint()
2474
gnutls.openpgp_crt_verify_self(crt, 0,
2475
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2476
2062
if crtverify.value != 0:
2477
gnutls.openpgp_crt_deinit(crt)
2478
raise gnutls.CertificateSecurityError(code
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2480
2066
# New buffer for the fingerprint
2481
2067
buf = ctypes.create_string_buffer(20)
2482
2068
buf_len = ctypes.c_size_t()
2483
2069
# Get the fingerprint from the certificate into the buffer
2484
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2485
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2486
2072
# Deinit the certificate
2487
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2488
2074
# Convert the buffer to a Python bytestring
2489
2075
fpr = ctypes.string_at(buf, buf_len.value)
2490
2076
# Convert the bytestring to hexadecimal notation
2579
2164
# socket_wrapper(), if socketfd was set.
2580
2165
socketserver.TCPServer.__init__(self, server_address,
2581
2166
RequestHandlerClass)
2583
2168
def server_bind(self):
2584
2169
"""This overrides the normal server_bind() function
2585
2170
to bind to an interface if one was specified, and also NOT to
2586
2171
bind to an address or port if they were not specified."""
2587
global SO_BINDTODEVICE
2588
2172
if self.interface is not None:
2589
2173
if SO_BINDTODEVICE is None:
2590
# Fall back to a hard-coded value which seems to be
2592
logger.warning("SO_BINDTODEVICE not found, trying 25")
2593
SO_BINDTODEVICE = 25
2595
self.socket.setsockopt(
2596
socket.SOL_SOCKET, SO_BINDTODEVICE,
2597
(self.interface + "\0").encode("utf-8"))
2598
except socket.error as error:
2599
if error.errno == errno.EPERM:
2600
logger.error("No permission to bind to"
2601
" interface %s", self.interface)
2602
elif error.errno == errno.ENOPROTOOPT:
2603
logger.error("SO_BINDTODEVICE not available;"
2604
" cannot bind to interface %s",
2606
elif error.errno == errno.ENODEV:
2607
logger.error("Interface %s does not exist,"
2608
" cannot bind", self.interface)
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2611
2195
# Only bind(2) the socket if we really need to.
2612
2196
if self.server_address[0] or self.server_address[1]:
2613
if self.server_address[1]:
2614
self.allow_reuse_address = True
2615
2197
if not self.server_address[0]:
2616
2198
if self.address_family == socket.AF_INET6:
2617
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2619
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2620
2202
self.server_address = (any_address,
2621
2203
self.server_address[1])
2622
2204
elif not self.server_address[1]:
3188
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3189
2750
service = AvahiServiceToSyslog(
3190
name=server_settings["servicename"],
3191
servicetype="_mandos._tcp",
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
3194
2755
if server_settings["interface"]:
3195
2756
service.interface = if_nametoindex(
3196
2757
server_settings["interface"].encode("utf-8"))
3198
2759
global multiprocessing_manager
3199
2760
multiprocessing_manager = multiprocessing.Manager()
3201
2762
client_class = Client
3203
client_class = functools.partial(ClientDBus, bus=bus)
2764
client_class = functools.partial(ClientDBus, bus = bus)
3205
2766
client_settings = Client.config_parser(client_config)
3206
2767
old_client_settings = {}
3207
2768
clients_data = {}
3209
2770
# This is used to redirect stdout and stderr for checker processes
3211
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3212
2773
# Only used if server is running in foreground but not in debug
3214
2775
if debug or not foreground:
3217
2778
# Get client data and settings from last running state.
3218
2779
if server_settings["restore"]:
3220
2781
with open(stored_state_path, "rb") as stored_state:
3221
if sys.version_info.major == 2:
3222
clients_data, old_client_settings = pickle.load(
3225
bytes_clients_data, bytes_old_client_settings = (
3226
pickle.load(stored_state, encoding="bytes"))
3227
# Fix bytes to strings
3230
clients_data = {(key.decode("utf-8")
3231
if isinstance(key, bytes)
3234
bytes_clients_data.items()}
3235
del bytes_clients_data
3236
for key in clients_data:
3237
value = {(k.decode("utf-8")
3238
if isinstance(k, bytes) else k): v
3240
clients_data[key].items()}
3241
clients_data[key] = value
3243
value["client_structure"] = [
3245
if isinstance(s, bytes)
3247
value["client_structure"]]
3249
for k in ("name", "host"):
3250
if isinstance(value[k], bytes):
3251
value[k] = value[k].decode("utf-8")
3252
if "key_id" not in value:
3253
value["key_id"] = ""
3254
elif "fingerprint" not in value:
3255
value["fingerprint"] = ""
3256
# old_client_settings
3258
old_client_settings = {
3259
(key.decode("utf-8")
3260
if isinstance(key, bytes)
3263
bytes_old_client_settings.items()}
3264
del bytes_old_client_settings
3266
for value in old_client_settings.values():
3267
if isinstance(value["host"], bytes):
3268
value["host"] = (value["host"]
2782
clients_data, old_client_settings = pickle.load(
3270
2784
os.remove(stored_state_path)
3271
2785
except IOError as e:
3272
2786
if e.errno == errno.ENOENT: