To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 829
- compare with another revision
- download diff
- download tarball
- view history from revision 829
- Committer: Teddy Hogeborn
- Date: 2016-03-12 20:23:15 UTC
- Revision ID: teddy@recompile.se-20160312202315-hu7b87ivetlxqbw3
Server: Fix minor thing with Python 3 compatibility
Fix another small thing with unpickling string values.
* mandos (main): When restoring pickled client data, only decode byte
string for "host" key if it really is a byte string.
Fix another small thing with unpickling string values.
* mandos (main): When restoring pickled client data, only decode byte
string for "host" key if it really is a byte string.
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
38
41
39
42
try:
40
43
import SocketServer as socketserver
44
47
import argparse
45
48
import datetime
46
49
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
50
try:
54
51
import ConfigParser as configparser
55
52
except ImportError:
83
80
import dbus
84
81
import dbus.service
85
82
try:
86
import gobject
83
from gi.repository import GObject
87
84
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
85
import gobject as GObject
90
86
from dbus.mainloop.glib import DBusGMainLoop
91
87
import ctypes
92
88
import ctypes.util
104
100
if sys.version_info.major == 2:
105
101
str = unicode
106
102
107
version = "1.7.0"
103
version = "1.7.5"
108
104
stored_state_file = "clients.pickle"
109
105
110
106
logger = logging.getLogger()
125
121
return interface_index
126
122
127
123
124
def copy_function(func):
125
"""Make a copy of a function"""
126
if sys.version_info.major == 2:
127
return types.FunctionType(func.func_code,
128
func.func_globals,
129
func.func_name,
130
func.func_defaults,
131
func.func_closure)
132
else:
133
return types.FunctionType(func.__code__,
134
func.__globals__,
135
func.__name__,
136
func.__defaults__,
137
func.__closure__)
138
139
128
140
def initlogger(debug, level=logging.WARNING):
129
141
"""init logger and add loglevel"""
130
142
157
169
158
170
def __init__(self):
159
171
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
172
self.gpg = "gpg"
173
try:
174
output = subprocess.check_output(["gpgconf"])
175
for line in output.splitlines():
176
name, text, path = line.split(b":")
177
if name == "gpg":
178
self.gpg = path
179
break
180
except OSError as e:
181
if e.errno != errno.ENOENT:
182
raise
160
183
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
184
'--homedir', self.tempdir,
162
185
'--force-mdc',
163
186
'--quiet',
164
187
'--no-use-agent']
203
226
dir=self.tempdir) as passfile:
204
227
passfile.write(passphrase)
205
228
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
229
proc = subprocess.Popen([self.gpg, '--symmetric',
207
230
'--passphrase-file',
208
231
passfile.name]
209
232
+ self.gnupgargs,
221
244
dir = self.tempdir) as passfile:
222
245
passfile.write(passphrase)
223
246
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
247
proc = subprocess.Popen([self.gpg, '--decrypt',
225
248
'--passphrase-file',
226
249
passfile.name]
227
250
+ self.gnupgargs,
233
256
raise PGPError(err)
234
257
return decrypted_plaintext
235
258
259
# Pretend that we have an Avahi module
260
class Avahi(object):
261
"""This isn't so much a class as it is a module-like namespace.
262
It is instantiated once, and simulates having an Avahi module."""
263
IF_UNSPEC = -1 # avahi-common/address.h
264
PROTO_UNSPEC = -1 # avahi-common/address.h
265
PROTO_INET = 0 # avahi-common/address.h
266
PROTO_INET6 = 1 # avahi-common/address.h
267
DBUS_NAME = "org.freedesktop.Avahi"
268
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
269
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
270
DBUS_PATH_SERVER = "/"
271
def string_array_to_txt_array(self, t):
272
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
273
for s in t), signature="ay")
274
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
275
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
276
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
277
SERVER_INVALID = 0 # avahi-common/defs.h
278
SERVER_REGISTERING = 1 # avahi-common/defs.h
279
SERVER_RUNNING = 2 # avahi-common/defs.h
280
SERVER_COLLISION = 3 # avahi-common/defs.h
281
SERVER_FAILURE = 4 # avahi-common/defs.h
282
avahi = Avahi()
236
283
237
284
class AvahiError(Exception):
238
285
def __init__(self, value, *args, **kwargs):
435
482
.format(self.name)))
436
483
return ret
437
484
485
# Pretend that we have a GnuTLS module
486
class GnuTLS(object):
487
"""This isn't so much a class as it is a module-like namespace.
488
It is instantiated once, and simulates having a GnuTLS module."""
489
490
_library = ctypes.cdll.LoadLibrary(
491
ctypes.util.find_library("gnutls"))
492
_need_version = b"3.3.0"
493
def __init__(self):
494
# Need to use class name "GnuTLS" here, since this method is
495
# called before the assignment to the "gnutls" global variable
496
# happens.
497
if GnuTLS.check_version(self._need_version) is None:
498
raise GnuTLS.Error("Needs GnuTLS {} or later"
499
.format(self._need_version))
500
501
# Unless otherwise indicated, the constants and types below are
502
# all from the gnutls/gnutls.h C header file.
503
504
# Constants
505
E_SUCCESS = 0
506
E_INTERRUPTED = -52
507
E_AGAIN = -28
508
CRT_OPENPGP = 2
509
CLIENT = 2
510
SHUT_RDWR = 0
511
CRD_CERTIFICATE = 1
512
E_NO_CERTIFICATE_FOUND = -49
513
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
514
515
# Types
516
class session_int(ctypes.Structure):
517
_fields_ = []
518
session_t = ctypes.POINTER(session_int)
519
class certificate_credentials_st(ctypes.Structure):
520
_fields_ = []
521
certificate_credentials_t = ctypes.POINTER(
522
certificate_credentials_st)
523
certificate_type_t = ctypes.c_int
524
class datum_t(ctypes.Structure):
525
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
526
('size', ctypes.c_uint)]
527
class openpgp_crt_int(ctypes.Structure):
528
_fields_ = []
529
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
530
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
531
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
532
credentials_type_t = ctypes.c_int
533
transport_ptr_t = ctypes.c_void_p
534
close_request_t = ctypes.c_int
535
536
# Exceptions
537
class Error(Exception):
538
# We need to use the class name "GnuTLS" here, since this
539
# exception might be raised from within GnuTLS.__init__,
540
# which is called before the assignment to the "gnutls"
541
# global variable has happened.
542
def __init__(self, message = None, code = None, args=()):
543
# Default usage is by a message string, but if a return
544
# code is passed, convert it to a string with
545
# gnutls.strerror()
546
self.code = code
547
if message is None and code is not None:
548
message = GnuTLS.strerror(code)
549
return super(GnuTLS.Error, self).__init__(
550
message, *args)
551
552
class CertificateSecurityError(Error):
553
pass
554
555
# Classes
556
class Credentials(object):
557
def __init__(self):
558
self._c_object = gnutls.certificate_credentials_t()
559
gnutls.certificate_allocate_credentials(
560
ctypes.byref(self._c_object))
561
self.type = gnutls.CRD_CERTIFICATE
562
563
def __del__(self):
564
gnutls.certificate_free_credentials(self._c_object)
565
566
class ClientSession(object):
567
def __init__(self, socket, credentials = None):
568
self._c_object = gnutls.session_t()
569
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
570
gnutls.set_default_priority(self._c_object)
571
gnutls.transport_set_ptr(self._c_object, socket.fileno())
572
gnutls.handshake_set_private_extensions(self._c_object,
573
True)
574
self.socket = socket
575
if credentials is None:
576
credentials = gnutls.Credentials()
577
gnutls.credentials_set(self._c_object, credentials.type,
578
ctypes.cast(credentials._c_object,
579
ctypes.c_void_p))
580
self.credentials = credentials
581
582
def __del__(self):
583
gnutls.deinit(self._c_object)
584
585
def handshake(self):
586
return gnutls.handshake(self._c_object)
587
588
def send(self, data):
589
data = bytes(data)
590
data_len = len(data)
591
while data_len > 0:
592
data_len -= gnutls.record_send(self._c_object,
593
data[-data_len:],
594
data_len)
595
596
def bye(self):
597
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
598
599
# Error handling functions
600
def _error_code(result):
601
"""A function to raise exceptions on errors, suitable
602
for the 'restype' attribute on ctypes functions"""
603
if result >= 0:
604
return result
605
if result == gnutls.E_NO_CERTIFICATE_FOUND:
606
raise gnutls.CertificateSecurityError(code = result)
607
raise gnutls.Error(code = result)
608
609
def _retry_on_error(result, func, arguments):
610
"""A function to retry on some errors, suitable
611
for the 'errcheck' attribute on ctypes functions"""
612
while result < 0:
613
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
614
return _error_code(result)
615
result = func(*arguments)
616
return result
617
618
# Unless otherwise indicated, the function declarations below are
619
# all from the gnutls/gnutls.h C header file.
620
621
# Functions
622
priority_set_direct = _library.gnutls_priority_set_direct
623
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
624
ctypes.POINTER(ctypes.c_char_p)]
625
priority_set_direct.restype = _error_code
626
627
init = _library.gnutls_init
628
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
629
init.restype = _error_code
630
631
set_default_priority = _library.gnutls_set_default_priority
632
set_default_priority.argtypes = [session_t]
633
set_default_priority.restype = _error_code
634
635
record_send = _library.gnutls_record_send
636
record_send.argtypes = [session_t, ctypes.c_void_p,
637
ctypes.c_size_t]
638
record_send.restype = ctypes.c_ssize_t
639
record_send.errcheck = _retry_on_error
640
641
certificate_allocate_credentials = (
642
_library.gnutls_certificate_allocate_credentials)
643
certificate_allocate_credentials.argtypes = [
644
ctypes.POINTER(certificate_credentials_t)]
645
certificate_allocate_credentials.restype = _error_code
646
647
certificate_free_credentials = (
648
_library.gnutls_certificate_free_credentials)
649
certificate_free_credentials.argtypes = [certificate_credentials_t]
650
certificate_free_credentials.restype = None
651
652
handshake_set_private_extensions = (
653
_library.gnutls_handshake_set_private_extensions)
654
handshake_set_private_extensions.argtypes = [session_t,
655
ctypes.c_int]
656
handshake_set_private_extensions.restype = None
657
658
credentials_set = _library.gnutls_credentials_set
659
credentials_set.argtypes = [session_t, credentials_type_t,
660
ctypes.c_void_p]
661
credentials_set.restype = _error_code
662
663
strerror = _library.gnutls_strerror
664
strerror.argtypes = [ctypes.c_int]
665
strerror.restype = ctypes.c_char_p
666
667
certificate_type_get = _library.gnutls_certificate_type_get
668
certificate_type_get.argtypes = [session_t]
669
certificate_type_get.restype = _error_code
670
671
certificate_get_peers = _library.gnutls_certificate_get_peers
672
certificate_get_peers.argtypes = [session_t,
673
ctypes.POINTER(ctypes.c_uint)]
674
certificate_get_peers.restype = ctypes.POINTER(datum_t)
675
676
global_set_log_level = _library.gnutls_global_set_log_level
677
global_set_log_level.argtypes = [ctypes.c_int]
678
global_set_log_level.restype = None
679
680
global_set_log_function = _library.gnutls_global_set_log_function
681
global_set_log_function.argtypes = [log_func]
682
global_set_log_function.restype = None
683
684
deinit = _library.gnutls_deinit
685
deinit.argtypes = [session_t]
686
deinit.restype = None
687
688
handshake = _library.gnutls_handshake
689
handshake.argtypes = [session_t]
690
handshake.restype = _error_code
691
handshake.errcheck = _retry_on_error
692
693
transport_set_ptr = _library.gnutls_transport_set_ptr
694
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
695
transport_set_ptr.restype = None
696
697
bye = _library.gnutls_bye
698
bye.argtypes = [session_t, close_request_t]
699
bye.restype = _error_code
700
bye.errcheck = _retry_on_error
701
702
check_version = _library.gnutls_check_version
703
check_version.argtypes = [ctypes.c_char_p]
704
check_version.restype = ctypes.c_char_p
705
706
# All the function declarations below are from gnutls/openpgp.h
707
708
openpgp_crt_init = _library.gnutls_openpgp_crt_init
709
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
710
openpgp_crt_init.restype = _error_code
711
712
openpgp_crt_import = _library.gnutls_openpgp_crt_import
713
openpgp_crt_import.argtypes = [openpgp_crt_t,
714
ctypes.POINTER(datum_t),
715
openpgp_crt_fmt_t]
716
openpgp_crt_import.restype = _error_code
717
718
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
719
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
720
ctypes.POINTER(ctypes.c_uint)]
721
openpgp_crt_verify_self.restype = _error_code
722
723
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
724
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
725
openpgp_crt_deinit.restype = None
726
727
openpgp_crt_get_fingerprint = (
728
_library.gnutls_openpgp_crt_get_fingerprint)
729
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
730
ctypes.c_void_p,
731
ctypes.POINTER(
732
ctypes.c_size_t)]
733
openpgp_crt_get_fingerprint.restype = _error_code
734
735
# Remove non-public functions
736
del _error_code, _retry_on_error
737
# Create the global "gnutls" object, simulating a module
738
gnutls = GnuTLS()
739
438
740
def call_pipe(connection, # : multiprocessing.Connection
439
741
func, *args, **kwargs):
440
742
"""This function is meant to be called by multiprocessing.Process
455
757
checker: subprocess.Popen(); a running checker process used
456
758
to see if the client lives.
457
759
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
760
checker_callback_tag: a GObject event source tag, or None
459
761
checker_command: string; External command which is run to check
460
762
if client lives. %() expansions are done at
461
763
runtime with vars(self) as dict, so that for
462
764
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
765
checker_initiator_tag: a GObject event source tag, or None
464
766
created: datetime.datetime(); (UTC) object creation
465
767
client_structure: Object describing what attributes a client has
466
768
and is used for storing the client at exit
467
769
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
770
disable_initiator_tag: a GObject event source tag, or None
469
771
enabled: bool()
470
772
fingerprint: string (40 or 32 hexadecimal digits); used to
471
773
uniquely identify the client
534
836
client["fingerprint"] = (section["fingerprint"].upper()
535
837
.replace(" ", ""))
536
838
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
839
client["secret"] = codecs.decode(section["secret"]
840
.encode("utf-8"),
841
"base64")
538
842
elif "secfile" in section:
539
843
with open(os.path.expanduser(os.path.expandvars
540
844
(section["secfile"])),
593
897
self.changedstate = multiprocessing_manager.Condition(
594
898
multiprocessing_manager.Lock())
595
899
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
900
for attr in self.__dict__.keys()
597
901
if not attr.startswith("_")]
598
902
self.client_structure.append("client_structure")
599
903
625
929
if not quiet:
626
930
logger.info("Disabling client %s", self.name)
627
931
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
932
GObject.source_remove(self.disable_initiator_tag)
629
933
self.disable_initiator_tag = None
630
934
self.expires = None
631
935
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
936
GObject.source_remove(self.checker_initiator_tag)
633
937
self.checker_initiator_tag = None
634
938
self.stop_checker()
635
939
self.enabled = False
636
940
if not quiet:
637
941
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
942
# Do not run this again if called by a GObject.timeout_add
639
943
return False
640
944
641
945
def __del__(self):
645
949
# Schedule a new checker to be started an 'interval' from now,
646
950
# and every interval from then on.
647
951
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
952
GObject.source_remove(self.checker_initiator_tag)
953
self.checker_initiator_tag = GObject.timeout_add(
650
954
int(self.interval.total_seconds() * 1000),
651
955
self.start_checker)
652
956
# Schedule a disable() when 'timeout' has passed
653
957
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
958
GObject.source_remove(self.disable_initiator_tag)
959
self.disable_initiator_tag = GObject.timeout_add(
656
960
int(self.timeout.total_seconds() * 1000), self.disable)
657
961
# Also start a new checker *right now*.
658
962
self.start_checker()
694
998
if timeout is None:
695
999
timeout = self.timeout
696
1000
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1001
GObject.source_remove(self.disable_initiator_tag)
698
1002
self.disable_initiator_tag = None
699
1003
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1004
self.disable_initiator_tag = GObject.timeout_add(
701
1005
int(timeout.total_seconds() * 1000), self.disable)
702
1006
self.expires = datetime.datetime.utcnow() + timeout
703
1007
758
1062
args = (pipe[1], subprocess.call, command),
759
1063
kwargs = popen_args)
760
1064
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1065
self.checker_callback_tag = GObject.io_add_watch(
1066
pipe[0].fileno(), GObject.IO_IN,
763
1067
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1068
# Re-run this periodically if run by GObject.timeout_add
765
1069
return True
766
1070
767
1071
def stop_checker(self):
768
1072
"""Force the checker process, if any, to stop."""
769
1073
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1074
GObject.source_remove(self.checker_callback_tag)
771
1075
self.checker_callback_tag = None
772
1076
if getattr(self, "checker", None) is None:
773
1077
return
1247
1551
interface_names.add(alt_interface)
1248
1552
# Is this a D-Bus signal?
1249
1553
if getattr(attribute, "_dbus_is_signal", False):
1554
# Extract the original non-method undecorated
1555
# function by black magic
1250
1556
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1557
nonmethod_func = (dict(
1254
1558
zip(attribute.func_code.co_freevars,
1255
1559
attribute.__closure__))
1256
1560
["func"].cell_contents)
1257
1561
else:
1258
nonmethod_func = attribute
1562
nonmethod_func = (dict(
1563
zip(attribute.__code__.co_freevars,
1564
attribute.__closure__))
1565
["func"].cell_contents)
1259
1566
# Create a new, but exactly alike, function
1260
1567
# object, and decorate it to be a new D-Bus signal
1261
1568
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1569
new_function = copy_function(nonmethod_func)
1276
1570
new_function = (dbus.service.signal(
1277
1571
alt_interface,
1278
1572
attribute._dbus_signature)(new_function))
1317
1611
alt_interface,
1318
1612
attribute._dbus_in_signature,
1319
1613
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1614
(copy_function(attribute)))
1325
1615
# Copy annotations, if any
1326
1616
try:
1327
1617
attr[attrname]._dbus_annotations = dict(
1339
1629
attribute._dbus_access,
1340
1630
attribute._dbus_get_args_options
1341
1631
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1632
(copy_function(attribute)))
1348
1633
# Copy annotations, if any
1349
1634
try:
1350
1635
attr[attrname]._dbus_annotations = dict(
1359
1644
# to the class.
1360
1645
attr[attrname] = (
1361
1646
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1647
(copy_function(attribute)))
1367
1648
if deprecate:
1368
1649
# Deprecate all alternate interfaces
1369
1650
iname="_AlternateDBusNames_interface_annotation{}"
1382
1663
if interface_names:
1383
1664
# Replace the class with a new subclass of it with
1384
1665
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1666
if sys.version_info.major == 2:
1667
cls = type(b"{}Alternate".format(cls.__name__),
1668
(cls, ), attr)
1669
else:
1670
cls = type("{}Alternate".format(cls.__name__),
1671
(cls, ), attr)
1387
1672
return cls
1388
1673
1389
1674
return wrapper
1547
1832
1548
1833
def approve(self, value=True):
1549
1834
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1835
GObject.timeout_add(int(self.approval_duration.total_seconds()
1551
1836
* 1000), self._reset_approved)
1552
1837
self.send_changedstate()
1553
1838
1764
2049
if (getattr(self, "disable_initiator_tag", None)
1765
2050
is None):
1766
2051
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2052
GObject.source_remove(self.disable_initiator_tag)
2053
self.disable_initiator_tag = GObject.timeout_add(
1769
2054
int((self.expires - now).total_seconds() * 1000),
1770
2055
self.disable)
1771
2056
1791
2076
return
1792
2077
if self.enabled:
1793
2078
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2079
GObject.source_remove(self.checker_initiator_tag)
2080
self.checker_initiator_tag = GObject.timeout_add(
1796
2081
value, self.start_checker)
1797
2082
self.start_checker() # Start one now, too
1798
2083
1880
2165
logger.debug("Pipe FD: %d",
1881
2166
self.server.child_pipe.fileno())
1882
2167
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
2168
session = gnutls.ClientSession(self.request)
1890
2169
1891
2170
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
2171
# "+AES-256-CBC", "+SHA1",
1896
2175
priority = self.server.gnutls_priority
1897
2176
if priority is None:
1898
2177
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
2178
gnutls.priority_set_direct(session._c_object, priority,
2179
None)
1901
2180
1902
2181
# Start communication using the Mandos protocol
1903
2182
# Get protocol number
1913
2192
# Start GnuTLS connection
1914
2193
try:
1915
2194
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2195
except gnutls.Error as error:
1917
2196
logger.warning("Handshake failed: %s", error)
1918
2197
# Do not run session.bye() here: the session is not
1919
2198
# established. Just abandon the request.
1925
2204
try:
1926
2205
fpr = self.fingerprint(
1927
2206
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
2207
except (TypeError, gnutls.Error) as error:
1930
2208
logger.warning("Bad certificate: %s", error)
1931
2209
return
1932
2210
logger.debug("Fingerprint: %s", fpr)
1990
2268
else:
1991
2269
delay -= time2 - time
1992
2270
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2271
try:
2272
session.send(client.secret)
2273
except gnutls.Error as error:
2274
logger.warning("gnutls send failed",
2275
exc_info = error)
2276
return
2005
2277
2006
2278
logger.info("Sending secret to %s", client.name)
2007
2279
# bump the timeout using extended_timeout
2015
2287
client.approvals_pending -= 1
2016
2288
try:
2017
2289
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2290
except gnutls.Error as error:
2019
2291
logger.warning("GnuTLS bye failed",
2020
2292
exc_info=error)
2021
2293
2023
2295
def peer_certificate(session):
2024
2296
"Return the peer's OpenPGP certificate as a bytestring"
2025
2297
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2298
if (gnutls.certificate_type_get(session._c_object)
2299
!= gnutls.CRT_OPENPGP):
2300
# ...return invalid data
2301
return b""
2031
2302
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2303
cert_list = (gnutls.certificate_get_peers
2034
2304
(session._c_object, ctypes.byref(list_size)))
2035
2305
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2306
raise gnutls.Error("error getting peer certificate")
2038
2307
if list_size.value == 0:
2039
2308
return None
2040
2309
cert = cert_list[0]
2044
2313
def fingerprint(openpgp):
2045
2314
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2315
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2316
datum = gnutls.datum_t(
2048
2317
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2318
ctypes.POINTER(ctypes.c_ubyte)),
2050
2319
ctypes.c_uint(len(openpgp)))
2051
2320
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2321
crt = gnutls.openpgp_crt_t()
2322
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2323
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2324
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2325
gnutls.OPENPGP_FMT_RAW)
2059
2326
# Verify the self signature in the key
2060
2327
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2328
gnutls.openpgp_crt_verify_self(crt, 0,
2329
ctypes.byref(crtverify))
2063
2330
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2331
gnutls.openpgp_crt_deinit(crt)
2332
raise gnutls.CertificateSecurityError("Verify failed")
2067
2333
# New buffer for the fingerprint
2068
2334
buf = ctypes.create_string_buffer(20)
2069
2335
buf_len = ctypes.c_size_t()
2070
2336
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2337
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2338
ctypes.byref(buf_len))
2073
2339
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2340
gnutls.openpgp_crt_deinit(crt)
2075
2341
# Convert the buffer to a Python bytestring
2076
2342
fpr = ctypes.string_at(buf, buf_len.value)
2077
2343
# Convert the bytestring to hexadecimal notation
2221
2487
gnutls_priority GnuTLS priority string
2222
2488
use_dbus: Boolean; to emit D-Bus signals or not
2223
2489
2224
Assumes a gobject.MainLoop event loop.
2490
Assumes a GObject.MainLoop event loop.
2225
2491
"""
2226
2492
2227
2493
def __init__(self, server_address, RequestHandlerClass,
2252
2518
2253
2519
def add_pipe(self, parent_pipe, proc):
2254
2520
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2521
GObject.io_add_watch(
2256
2522
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2523
GObject.IO_IN | GObject.IO_HUP,
2258
2524
functools.partial(self.handle_ipc,
2259
2525
parent_pipe = parent_pipe,
2260
2526
proc = proc))
2264
2530
proc = None,
2265
2531
client_object=None):
2266
2532
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2533
if condition & (GObject.IO_ERR | GObject.IO_HUP):
2268
2534
# Wait for other process to exit
2269
2535
proc.join()
2270
2536
return False
2277
2543
fpr = request[1]
2278
2544
address = request[2]
2279
2545
2280
for c in self.clients.itervalues():
2546
for c in self.clients.values():
2281
2547
if c.fingerprint == fpr:
2282
2548
client = c
2283
2549
break
2291
2557
parent_pipe.send(False)
2292
2558
return False
2293
2559
2294
gobject.io_add_watch(
2560
GObject.io_add_watch(
2295
2561
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2562
GObject.IO_IN | GObject.IO_HUP,
2297
2563
functools.partial(self.handle_ipc,
2298
2564
parent_pipe = parent_pipe,
2299
2565
proc = proc,
2681
2947
logger.error("Could not open file %r", pidfilename,
2682
2948
exc_info=e)
2683
2949
2684
for name in ("_mandos", "mandos", "nobody"):
2950
for name, group in (("_mandos", "_mandos"),
2951
("mandos", "mandos"),
2952
("nobody", "nogroup")):
2685
2953
try:
2686
2954
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
2955
gid = pwd.getpwnam(group).pw_gid
2688
2956
break
2689
2957
except KeyError:
2690
2958
continue
2694
2962
try:
2695
2963
os.setgid(gid)
2696
2964
os.setuid(uid)
2965
if debug:
2966
logger.debug("Did setuid/setgid to {}:{}".format(uid,
2967
gid))
2697
2968
except OSError as error:
2969
logger.warning("Failed to setuid/setgid to {}:{}: {}"
2970
.format(uid, gid, os.strerror(error.errno)))
2698
2971
if error.errno != errno.EPERM:
2699
2972
raise
2700
2973
2703
2976
2704
2977
# "Use a log level over 10 to enable all debugging options."
2705
2978
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2979
gnutls.global_set_log_level(11)
2707
2980
2708
@gnutls.library.types.gnutls_log_func
2981
@gnutls.log_func
2709
2982
def debug_gnutls(level, string):
2710
2983
logger.debug("GnuTLS: %s", string[:-1])
2711
2984
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2985
gnutls.global_set_log_function(debug_gnutls)
2714
2986
2715
2987
# Redirect stdin so all checkers get /dev/null
2716
2988
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2723
2995
# Close all input and output, do double fork, etc.
2724
2996
daemon()
2725
2997
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2998
# multiprocessing will use threads, so before we use GObject we
2999
# need to inform GObject that threads will be used.
3000
GObject.threads_init()
2729
3001
2730
3002
global main_loop
2731
3003
# From the Avahi example code
2732
3004
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3005
main_loop = GObject.MainLoop()
2734
3006
bus = dbus.SystemBus()
2735
3007
# End of Avahi example code
2736
3008
if use_dbus:
2780
3052
if server_settings["restore"]:
2781
3053
try:
2782
3054
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3055
if sys.version_info.major == 2:
3056
clients_data, old_client_settings = pickle.load(
3057
stored_state)
3058
else:
3059
bytes_clients_data, bytes_old_client_settings = (
3060
pickle.load(stored_state, encoding = "bytes"))
3061
### Fix bytes to strings
3062
## clients_data
3063
# .keys()
3064
clients_data = { (key.decode("utf-8")
3065
if isinstance(key, bytes)
3066
else key): value
3067
for key, value in
3068
bytes_clients_data.items() }
3069
del bytes_clients_data
3070
for key in clients_data:
3071
value = { (k.decode("utf-8")
3072
if isinstance(k, bytes) else k): v
3073
for k, v in
3074
clients_data[key].items() }
3075
clients_data[key] = value
3076
# .client_structure
3077
value["client_structure"] = [
3078
(s.decode("utf-8")
3079
if isinstance(s, bytes)
3080
else s) for s in
3081
value["client_structure"] ]
3082
# .name & .host
3083
for k in ("name", "host"):
3084
if isinstance(value[k], bytes):
3085
value[k] = value[k].decode("utf-8")
3086
## old_client_settings
3087
# .keys()
3088
old_client_settings = {
3089
(key.decode("utf-8")
3090
if isinstance(key, bytes)
3091
else key): value
3092
for key, value in
3093
bytes_old_client_settings.items() }
3094
del bytes_old_client_settings
3095
# .host
3096
for value in old_client_settings.values():
3097
if isinstance(value["host"], bytes):
3098
value["host"] = (value["host"]
3099
.decode("utf-8"))
2785
3100
os.remove(stored_state_path)
2786
3101
except IOError as e:
2787
3102
if e.errno == errno.ENOENT:
2926
3241
def GetAllClients(self):
2927
3242
"D-Bus method"
2928
3243
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
3244
tcp_server.clients.values())
2930
3245
2931
3246
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3247
"true"})
2937
3252
return dbus.Dictionary(
2938
3253
{ c.dbus_object_path: c.GetAll(
2939
3254
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3255
for c in tcp_server.clients.values() },
2941
3256
signature="oa{sv}")
2942
3257
2943
3258
@dbus.service.method(_interface, in_signature="o")
2944
3259
def RemoveClient(self, object_path):
2945
3260
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3261
for c in tcp_server.clients.values():
2947
3262
if c.dbus_object_path == object_path:
2948
3263
del tcp_server.clients[c.name]
2949
3264
c.remove_from_connection()
3009
3324
# removed/edited, old secret will thus be unrecovable.
3010
3325
clients = {}
3011
3326
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3327
for client in tcp_server.clients.values():
3013
3328
key = client_settings[client.name]["secret"]
3014
3329
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3330
key)
3039
3354
prefix='clients-',
3040
3355
dir=os.path.dirname(stored_state_path),
3041
3356
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3357
pickle.dump((clients, client_settings), stored_state,
3358
protocol = 2)
3043
3359
tempname = stored_state.name
3044
3360
os.rename(tempname, stored_state_path)
3045
3361
except (IOError, OSError) as e:
3064
3380
# Don't signal the disabling
3065
3381
client.disable(quiet=True)
3066
3382
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3383
if use_dbus:
3384
mandos_dbus_service.client_removed_signal(client)
3068
3385
client_settings.clear()
3069
3386
3070
3387
atexit.register(cleanup)
3071
3388
3072
for client in tcp_server.clients.itervalues():
3389
for client in tcp_server.clients.values():
3073
3390
if use_dbus:
3074
3391
# Emit D-Bus signal for adding
3075
3392
mandos_dbus_service.client_added_signal(client)
3104
3421
sys.exit(1)
3105
3422
# End of Avahi example code
3106
3423
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3424
GObject.io_add_watch(tcp_server.fileno(), GObject.IO_IN,
3108
3425
lambda *args, **kwargs:
3109
3426
(tcp_server.handle_request
3110
3427
(*args[2:], **kwargs) or True))
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0