265
195
.replace(b"\n", b"\\n")
266
196
.replace(b"\0", b"\\x00"))
269
199
def encrypt(self, data, password):
270
200
passphrase = self.password_encode(password)
271
201
with tempfile.NamedTemporaryFile(
272
202
dir=self.tempdir) as passfile:
273
203
passfile.write(passphrase)
275
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
276
206
'--passphrase-file',
278
208
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
283
213
if proc.returncode != 0:
284
214
raise PGPError(err)
285
215
return ciphertext
287
217
def decrypt(self, data, password):
288
218
passphrase = self.password_encode(password)
289
219
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
291
221
passfile.write(passphrase)
293
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
294
224
'--passphrase-file',
296
226
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
301
231
if proc.returncode != 0:
302
232
raise PGPError(err)
303
233
return decrypted_plaintext
306
# Pretend that we have an Avahi module
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
332
236
class AvahiError(Exception):
333
237
def __init__(self, value, *args, **kwargs):
334
238
self.value = value
524
428
class AvahiServiceToSyslog(AvahiService):
525
429
def rename(self, *args, **kwargs):
526
430
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
528
432
syslogger.setFormatter(logging.Formatter(
529
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
434
.format(self.name)))
534
# Pretend that we have a GnuTLS module
536
"""This isn't so much a class as it is a module-like namespace."""
538
library = ctypes.util.find_library("gnutls")
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
556
E_NO_CERTIFICATE_FOUND = -49
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
565
class session_int(ctypes.Structure):
567
session_t = ctypes.POINTER(session_int)
569
class certificate_credentials_st(ctypes.Structure):
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
579
class openpgp_crt_int(ctypes.Structure):
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
600
class CertificateSecurityError(Error):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
612
gnutls.certificate_free_credentials(self._c_object)
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
634
self.credentials = credentials
637
gnutls.deinit(self._c_object)
640
return gnutls.handshake(self._c_object)
642
def send(self, data):
646
data_len -= gnutls.record_send(self._c_object,
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
711
handshake_set_private_extensions.restype = None
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
716
credentials_set.restype = _error_code
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
771
class pubkey_st(ctypes.Structure):
773
pubkey_t = ctypes.POINTER(pubkey_st)
775
x509_crt_fmt_t = ctypes.c_int
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
785
pubkey_import.restype = _error_code
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
797
# All the function declarations below are from gnutls/openpgp.h
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
807
openpgp_crt_import.restype = _error_code
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
824
openpgp_crt_get_fingerprint.restype = _error_code
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
831
# Remove non-public functions
832
del _error_code, _retry_on_error
835
437
def call_pipe(connection, # : multiprocessing.Connection
836
438
func, *args, **kwargs):
837
439
"""This function is meant to be called by multiprocessing.Process
839
441
This function runs func(*args, **kwargs), and writes the resulting
840
442
return value on the provided multiprocessing.Connection.
842
444
connection.send(func(*args, **kwargs))
843
445
connection.close()
447
class Client(object):
847
448
"""A representation of a client host served by this server.
850
451
approved: bool(); 'None' if not yet approved/disapproved
851
452
approval_delay: datetime.timedelta(); Time to wait for approval
852
453
approval_duration: datetime.timedelta(); Duration of one approval
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
856
checker_callback_tag: a GLib event source tag, or None
454
checker: subprocess.Popen(); a running checker process used
455
to see if the client lives.
456
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
857
458
checker_command: string; External command which is run to check
858
459
if client lives. %() expansions are done at
859
460
runtime with vars(self) as dict, so that for
860
461
instance %(name)s can be used in the command.
861
checker_initiator_tag: a GLib event source tag, or None
462
checker_initiator_tag: a gobject event source tag, or None
862
463
created: datetime.datetime(); (UTC) object creation
863
464
client_structure: Object describing what attributes a client has
864
465
and is used for storing the client at exit
865
466
current_checker_command: string; current running checker_command
866
disable_initiator_tag: a GLib event source tag, or None
467
disable_initiator_tag: a gobject event source tag, or None
868
469
fingerprint: string (40 or 32 hexadecimal digits); used to
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
470
uniquely identify the client
872
471
host: string; available for use by the checker command
873
472
interval: datetime.timedelta(); How often to start a new checker
874
473
last_approval_request: datetime.datetime(); (UTC) or None
2398
1990
delay -= time2 - time
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
1993
while sent_size < len(client.secret):
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2407
2005
logger.info("Sending secret to %s", client.name)
2408
2006
# bump the timeout using extended_timeout
2409
2007
client.bump_timeout(client.extended_timeout)
2410
2008
if self.server.use_dbus:
2411
2009
# Emit D-Bus signal
2412
2010
client.GotSecret()
2415
2013
if approval_required:
2416
2014
client.approvals_pending -= 1
2419
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2420
2018
logger.warning("GnuTLS bye failed",
2421
2019
exc_info=error)
2424
2022
def peer_certificate(session):
2425
"Return the peer's certificate as a bytestring"
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2439
# ...return invalid data
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2441
2030
list_size = ctypes.c_uint(1)
2442
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2443
2033
(session._c_object, ctypes.byref(list_size)))
2444
2034
if not bool(cert_list) and list_size.value != 0:
2445
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2446
2037
if list_size.value == 0:
2448
2039
cert = cert_list[0]
2449
2040
return ctypes.string_at(cert.data, cert.size)
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2486
2043
def fingerprint(openpgp):
2487
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2488
2045
# New GnuTLS "datum" with the OpenPGP public key
2489
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2490
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2491
2048
ctypes.POINTER(ctypes.c_ubyte)),
2492
2049
ctypes.c_uint(len(openpgp)))
2493
2050
# New empty GnuTLS certificate
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2496
2054
# Import the OpenPGP public key into the certificate
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2499
2058
# Verify the self signature in the key
2500
2059
crtverify = ctypes.c_uint()
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2503
2062
if crtverify.value != 0:
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2507
2066
# New buffer for the fingerprint
2508
2067
buf = ctypes.create_string_buffer(20)
2509
2068
buf_len = ctypes.c_size_t()
2510
2069
# Get the fingerprint from the certificate into the buffer
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2513
2072
# Deinit the certificate
2514
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2515
2074
# Convert the buffer to a Python bytestring
2516
2075
fpr = ctypes.string_at(buf, buf_len.value)
2517
2076
# Convert the bytestring to hexadecimal notation
2606
2164
# socket_wrapper(), if socketfd was set.
2607
2165
socketserver.TCPServer.__init__(self, server_address,
2608
2166
RequestHandlerClass)
2610
2168
def server_bind(self):
2611
2169
"""This overrides the normal server_bind() function
2612
2170
to bind to an interface if one was specified, and also NOT to
2613
2171
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2615
2172
if self.interface is not None:
2616
2173
if SO_BINDTODEVICE is None:
2617
# Fall back to a hard-coded value which seems to be
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2638
2195
# Only bind(2) the socket if we really need to.
2639
2196
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2642
2197
if not self.server_address[0]:
2643
2198
if self.address_family == socket.AF_INET6:
2644
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2646
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2647
2202
self.server_address = (any_address,
2648
2203
self.server_address[1])
2649
2204
elif not self.server_address[1]:
2683
2238
self.gnutls_priority = gnutls_priority
2684
2239
IPv6_TCPServer.__init__(self, server_address,
2685
2240
RequestHandlerClass,
2686
interface=interface,
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2690
2245
def server_activate(self):
2691
2246
if self.enabled:
2692
2247
return socketserver.TCPServer.server_activate(self)
2694
2249
def enable(self):
2695
2250
self.enabled = True
2697
2252
def add_pipe(self, parent_pipe, proc):
2698
2253
# Call "handle_ipc" for both data and EOF events
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2254
gobject.io_add_watch(
2255
parent_pipe.fileno(),
2256
gobject.IO_IN | gobject.IO_HUP,
2702
2257
functools.partial(self.handle_ipc,
2703
parent_pipe=parent_pipe,
2258
parent_pipe = parent_pipe,
2706
2261
def handle_ipc(self, source, condition,
2707
2262
parent_pipe=None,
2709
2264
client_object=None):
2710
2265
# error, or the other end of multiprocessing.Pipe has closed
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2712
2267
# Wait for other process to exit
2716
2271
# Read a request from the child
2717
2272
request = parent_pipe.recv()
2718
2273
command = request[0]
2720
2275
if command == 'init':
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2728
if key_id and c.key_id == key_id:
2731
if fpr and c.fingerprint == fpr:
2277
address = request[2]
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2737
2286
if self.use_dbus:
2738
2287
# Emit D-Bus signal
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2288
mandos_dbus_service.ClientNotFound(fpr,
2741
2290
parent_pipe.send(False)
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2293
gobject.io_add_watch(
2294
parent_pipe.fileno(),
2295
gobject.IO_IN | gobject.IO_HUP,
2747
2296
functools.partial(self.handle_ipc,
2748
parent_pipe=parent_pipe,
2750
client_object=client))
2297
parent_pipe = parent_pipe,
2299
client_object = client))
2751
2300
parent_pipe.send(True)
2752
2301
# remove the old hook in favor of the new above hook on
3210
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3211
2750
service = AvahiServiceToSyslog(
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
3216
2755
if server_settings["interface"]:
3217
2756
service.interface = if_nametoindex(
3218
2757
server_settings["interface"].encode("utf-8"))
3220
2759
global multiprocessing_manager
3221
2760
multiprocessing_manager = multiprocessing.Manager()
3223
2762
client_class = Client
3225
client_class = functools.partial(ClientDBus, bus=bus)
2764
client_class = functools.partial(ClientDBus, bus = bus)
3227
2766
client_settings = Client.config_parser(client_config)
3228
2767
old_client_settings = {}
3229
2768
clients_data = {}
3231
2770
# This is used to redirect stdout and stderr for checker processes
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3234
2773
# Only used if server is running in foreground but not in debug
3236
2775
if debug or not foreground:
3239
2778
# Get client data and settings from last running state.
3240
2779
if server_settings["restore"]:
3242
2781
with open(stored_state_path, "rb") as stored_state:
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3262
clients_data[key].items()}
3263
clients_data[key] = value
3265
value["client_structure"] = [
3267
if isinstance(s, bytes)
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
2782
clients_data, old_client_settings = pickle.load(
3293
2784
os.remove(stored_state_path)
3294
2785
except IOError as e:
3295
2786
if e.errno == errno.ENOENT: