11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2022 Teddy Hogeborn
15
# Copyright © 2008-2022 Björn Påhlsson
17
# This file is part of Mandos.
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
32
31
# Contact the authors at <mandos@recompile.se>.
34
34
from __future__ import (division, absolute_import, print_function,
451
422
def entry_group_state_changed(self, state, error):
452
423
"""Derived from the Avahi example code"""
453
log.debug("Avahi entry group state change: %i", state)
424
logger.debug("Avahi entry group state change: %i", state)
455
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
log.debug("Zeroconf service established.")
427
logger.debug("Zeroconf service established.")
457
428
elif state == avahi.ENTRY_GROUP_COLLISION:
458
log.info("Zeroconf service name collision.")
429
logger.info("Zeroconf service name collision.")
460
431
elif state == avahi.ENTRY_GROUP_FAILURE:
461
log.critical("Avahi: Error in group state changed %s",
432
logger.critical("Avahi: Error in group state changed %s",
463
434
raise AvahiGroupError("State changed: {!s}".format(error))
465
436
def cleanup(self):
523
495
class AvahiServiceToSyslog(AvahiService):
524
496
def rename(self, *args, **kwargs):
525
497
"""Add the new name to the syslog messages"""
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
498
ret = AvahiService.rename(self, *args, **kwargs)
528
499
syslogger.setFormatter(logging.Formatter(
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
501
.format(self.name)))
534
505
# Pretend that we have a GnuTLS module
536
"""This isn't so much a class as it is a module-like namespace."""
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
538
510
library = ctypes.util.find_library("gnutls")
539
511
if library is None:
540
512
library = ctypes.util.find_library("gnutls-deb0")
541
513
_library = ctypes.cdll.LoadLibrary(library)
515
_need_version = b"3.3.0"
518
# Need to use class name "GnuTLS" here, since this method is
519
# called before the assignment to the "gnutls" global variable
521
if GnuTLS.check_version(self._need_version) is None:
522
raise GnuTLS.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
544
525
# Unless otherwise indicated, the constants and types below are
545
526
# all from the gnutls/gnutls.h C header file.
589
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
590
569
def __init__(self, message=None, code=None, args=()):
591
570
# Default usage is by a message string, but if a return
592
571
# code is passed, convert it to a string with
593
572
# gnutls.strerror()
595
574
if message is None and code is not None:
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
601
579
class CertificateSecurityError(Error):
605
def __init__(self, cls):
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
614
class CastToVoidPointer:
615
def __init__(self, cls):
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
class With_from_param:
626
def from_param(cls, obj):
627
return obj._as_parameter_
630
class Credentials(With_from_param):
583
class Credentials(object):
631
584
def __init__(self):
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
634
588
self.type = gnutls.CRD_CERTIFICATE
636
590
def __del__(self):
637
gnutls.certificate_free_credentials(self)
591
gnutls.certificate_free_credentials(self._c_object)
639
class ClientSession(With_from_param):
593
class ClientSession(object):
640
594
def __init__(self, socket, credentials=None):
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
652
601
self.socket = socket
653
602
if credentials is None:
654
603
credentials = gnutls.Credentials()
655
gnutls.credentials_set(self, credentials.type,
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
657
607
self.credentials = credentials
659
609
def __del__(self):
610
gnutls.deinit(self._c_object)
662
612
def handshake(self):
663
return gnutls.handshake(self)
613
return gnutls.handshake(self._c_object)
665
615
def send(self, data):
666
616
data = bytes(data)
667
617
data_len = len(data)
668
618
while data_len > 0:
669
data_len -= gnutls.record_send(self, data[-data_len:],
619
data_len -= gnutls.record_send(self._c_object,
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
675
626
# Error handling functions
676
627
def _error_code(result):
677
628
"""A function to raise exceptions on errors, suitable
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
629
for the 'restype' attribute on ctypes functions"""
681
632
if result == gnutls.E_NO_CERTIFICATE_FOUND:
682
633
raise gnutls.CertificateSecurityError(code=result)
683
634
raise gnutls.Error(code=result)
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
636
def _retry_on_error(result, func, arguments):
687
637
"""A function to retry on some errors, suitable
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
638
for the 'errcheck' attribute on ctypes functions"""
690
640
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
691
641
return _error_code(result)
692
642
result = func(*arguments)
699
649
priority_set_direct = _library.gnutls_priority_set_direct
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
701
651
ctypes.POINTER(ctypes.c_char_p)]
702
652
priority_set_direct.restype = _error_code
704
654
init = _library.gnutls_init
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
706
656
init.restype = _error_code
708
658
set_default_priority = _library.gnutls_set_default_priority
709
set_default_priority.argtypes = [ClientSession]
659
set_default_priority.argtypes = [session_t]
710
660
set_default_priority.restype = _error_code
712
662
record_send = _library.gnutls_record_send
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
663
record_send.argtypes = [session_t, ctypes.c_void_p,
715
665
record_send.restype = ctypes.c_ssize_t
716
666
record_send.errcheck = _retry_on_error
718
668
certificate_allocate_credentials = (
719
669
_library.gnutls_certificate_allocate_credentials)
720
670
certificate_allocate_credentials.argtypes = [
721
PointerTo(Credentials)]
671
ctypes.POINTER(certificate_credentials_t)]
722
672
certificate_allocate_credentials.restype = _error_code
724
674
certificate_free_credentials = (
725
675
_library.gnutls_certificate_free_credentials)
726
certificate_free_credentials.argtypes = [Credentials]
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
727
678
certificate_free_credentials.restype = None
729
680
handshake_set_private_extensions = (
730
681
_library.gnutls_handshake_set_private_extensions)
731
handshake_set_private_extensions.argtypes = [ClientSession,
682
handshake_set_private_extensions.argtypes = [session_t,
733
684
handshake_set_private_extensions.restype = None
735
686
credentials_set = _library.gnutls_credentials_set
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
687
credentials_set.argtypes = [session_t, credentials_type_t,
738
689
credentials_set.restype = _error_code
740
691
strerror = _library.gnutls_strerror
759
710
global_set_log_function.restype = None
761
712
deinit = _library.gnutls_deinit
762
deinit.argtypes = [ClientSession]
713
deinit.argtypes = [session_t]
763
714
deinit.restype = None
765
716
handshake = _library.gnutls_handshake
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
768
719
handshake.errcheck = _retry_on_error
770
721
transport_set_ptr = _library.gnutls_transport_set_ptr
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
772
723
transport_set_ptr.restype = None
774
725
bye = _library.gnutls_bye
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
777
728
bye.errcheck = _retry_on_error
779
730
check_version = _library.gnutls_check_version
780
731
check_version.argtypes = [ctypes.c_char_p]
781
732
check_version.restype = ctypes.c_char_p
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
793
class pubkey_st(ctypes.Structure):
795
pubkey_t = ctypes.POINTER(pubkey_st)
797
x509_crt_fmt_t = ctypes.c_int
799
# All the function declarations below are from
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
pubkey_import.restype = _error_code
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
820
# All the function declarations below are from
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
831
openpgp_crt_import.restype = _error_code
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
838
ctypes.POINTER(ctypes.c_uint),
840
openpgp_crt_verify_self.restype = _error_code
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
852
openpgp_crt_get_fingerprint.restype = _error_code
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
734
# All the function declarations below are from gnutls/openpgp.h
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
744
openpgp_crt_import.restype = _error_code
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
761
openpgp_crt_get_fingerprint.restype = _error_code
859
763
# Remove non-public functions
860
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
863
769
def call_pipe(connection, # : multiprocessing.Connection
1094
994
def checker_callback(self, source, condition, connection,
1096
996
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
1097
999
# Read return code from connection (see call_pipe)
1098
1000
returncode = connection.recv()
1099
1001
connection.close()
1100
if self.checker is not None:
1102
self.checker_callback_tag = None
1105
1003
if returncode >= 0:
1106
1004
self.last_checker_status = returncode
1107
1005
self.last_checker_signal = None
1108
1006
if self.last_checker_status == 0:
1109
log.info("Checker for %(name)s succeeded", vars(self))
1007
logger.info("Checker for %(name)s succeeded",
1110
1009
self.checked_ok()
1112
log.info("Checker for %(name)s failed", vars(self))
1011
logger.info("Checker for %(name)s failed", vars(self))
1114
1013
self.last_checker_status = -1
1115
1014
self.last_checker_signal = -returncode
1116
log.warning("Checker for %(name)s crashed?", vars(self))
1015
logger.warning("Checker for %(name)s crashed?",
1119
1019
def checked_ok(self):
1155
1055
if self.checker is not None and not self.checker.is_alive():
1156
log.warning("Checker was not alive; joining")
1056
logger.warning("Checker was not alive; joining")
1157
1057
self.checker.join()
1158
1058
self.checker = None
1159
1059
# Start a new checker if needed
1160
1060
if self.checker is None:
1161
1061
# Escape attributes for the shell
1162
1062
escaped_attrs = {
1163
attr: shlex.quote(str(getattr(self, attr)))
1063
attr: re.escape(str(getattr(self, attr)))
1164
1064
for attr in self.runtime_expansions}
1166
1066
command = self.checker_command % escaped_attrs
1167
1067
except TypeError as error:
1168
log.error('Could not format string "%s"',
1169
self.checker_command, exc_info=error)
1068
logger.error('Could not format string "%s"',
1069
self.checker_command,
1170
1071
return True # Try again later
1171
1072
self.current_checker_command = command
1172
log.info("Starting checker %r for %s", command, self.name)
1073
logger.info("Starting checker %r for %s", command,
1173
1075
# We don't need to redirect stdout and stderr, since
1174
1076
# in normal mode, that is already done by daemon(),
1175
1077
# and in debug mode we don't want to. (Stdin is
2268
def __init__(self, child_pipe, key_id, fpr, address):
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2269
2163
self._pipe = child_pipe
2270
self._pipe.send(("init", key_id, fpr, address))
2164
self._pipe.send(('init', fpr, address))
2271
2165
if not self._pipe.recv():
2272
raise KeyError(key_id or fpr)
2274
2168
def __getattribute__(self, name):
2276
2170
return super(ProxyClient, self).__getattribute__(name)
2277
self._pipe.send(("getattr", name))
2171
self._pipe.send(('getattr', name))
2278
2172
data = self._pipe.recv()
2279
if data[0] == "data":
2173
if data[0] == 'data':
2281
if data[0] == "function":
2175
if data[0] == 'function':
2283
2177
def func(*args, **kwargs):
2284
self._pipe.send(("funcall", name, args, kwargs))
2178
self._pipe.send(('funcall', name, args, kwargs))
2285
2179
return self._pipe.recv()[1]
2289
2183
def __setattr__(self, name, value):
2291
2185
return super(ProxyClient, self).__setattr__(name, value)
2292
self._pipe.send(("setattr", name, value))
2186
self._pipe.send(('setattr', name, value))
2295
2189
class ClientHandler(socketserver.BaseRequestHandler, object):
2301
2195
def handle(self):
2302
2196
with contextlib.closing(self.server.child_pipe) as child_pipe:
2303
log.info("TCP connection from: %s",
2304
str(self.client_address))
2305
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2197
logger.info("TCP connection from: %s",
2198
str(self.client_address))
2199
logger.debug("Pipe FD: %d",
2200
self.server.child_pipe.fileno())
2307
2202
session = gnutls.ClientSession(self.request)
2309
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2310
2205
# "+AES-256-CBC", "+SHA1",
2311
2206
# "+COMP-NULL", "+CTYPE-OPENPGP",
2314
2209
priority = self.server.gnutls_priority
2315
2210
if priority is None:
2316
2211
priority = "NORMAL"
2317
gnutls.priority_set_direct(session,
2318
priority.encode("utf-8"), None)
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2320
2216
# Start communication using the Mandos protocol
2321
2217
# Get protocol number
2322
2218
line = self.request.makefile().readline()
2323
log.debug("Protocol version: %r", line)
2219
logger.debug("Protocol version: %r", line)
2325
2221
if int(line.strip().split()[0]) > 1:
2326
2222
raise RuntimeError(line)
2327
2223
except (ValueError, IndexError, RuntimeError) as error:
2328
log.error("Unknown protocol version: %s", error)
2224
logger.error("Unknown protocol version: %s", error)
2331
2227
# Start GnuTLS connection
2333
2229
session.handshake()
2334
2230
except gnutls.Error as error:
2335
log.warning("Handshake failed: %s", error)
2231
logger.warning("Handshake failed: %s", error)
2336
2232
# Do not run session.bye() here: the session is not
2337
2233
# established. Just abandon the request.
2339
log.debug("Handshake succeeded")
2235
logger.debug("Handshake succeeded")
2341
2237
approval_required = False
2343
if gnutls.has_rawpk:
2346
key_id = self.key_id(
2347
self.peer_certificate(session))
2348
except (TypeError, gnutls.Error) as error:
2349
log.warning("Bad certificate: %s", error)
2351
log.debug("Key ID: %s",
2352
key_id.decode("utf-8",
2358
fpr = self.fingerprint(
2359
self.peer_certificate(session))
2360
except (TypeError, gnutls.Error) as error:
2361
log.warning("Bad certificate: %s", error)
2363
log.debug("Fingerprint: %s", fpr)
2366
client = ProxyClient(child_pipe, key_id, fpr,
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2245
logger.debug("Fingerprint: %s", fpr)
2248
client = ProxyClient(child_pipe, fpr,
2367
2249
self.client_address)
2368
2250
except KeyError:
2441
2325
except gnutls.Error as error:
2442
log.warning("GnuTLS bye failed", exc_info=error)
2326
logger.warning("GnuTLS bye failed",
2445
2330
def peer_certificate(session):
2446
"Return the peer's certificate as a bytestring"
2448
cert_type = gnutls.certificate_type_get2(
2449
session, gnutls.CTYPE_PEERS)
2450
except AttributeError:
2451
cert_type = gnutls.certificate_type_get(session)
2452
if gnutls.has_rawpk:
2453
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2455
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2456
# If not a valid certificate type...
2457
if cert_type not in valid_cert_types:
2458
log.info("Cert type %r not in %r", cert_type,
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2460
2335
# ...return invalid data
2462
2337
list_size = ctypes.c_uint(1)
2463
2338
cert_list = (gnutls.certificate_get_peers
2464
(session, ctypes.byref(list_size)))
2339
(session._c_object, ctypes.byref(list_size)))
2465
2340
if not bool(cert_list) and list_size.value != 0:
2466
2341
raise gnutls.Error("error getting peer certificate")
2467
2342
if list_size.value == 0:
2470
2345
return ctypes.string_at(cert.data, cert.size)
2473
def key_id(certificate):
2474
"Convert a certificate bytestring to a hexdigit key ID"
2475
# New GnuTLS "datum" with the public key
2476
datum = gnutls.datum_t(
2477
ctypes.cast(ctypes.c_char_p(certificate),
2478
ctypes.POINTER(ctypes.c_ubyte)),
2479
ctypes.c_uint(len(certificate)))
2480
# XXX all these need to be created in the gnutls "module"
2481
# New empty GnuTLS certificate
2482
pubkey = gnutls.pubkey_t()
2483
gnutls.pubkey_init(ctypes.byref(pubkey))
2484
# Import the raw public key into the certificate
2485
gnutls.pubkey_import(pubkey,
2486
ctypes.byref(datum),
2487
gnutls.X509_FMT_DER)
2488
# New buffer for the key ID
2489
buf = ctypes.create_string_buffer(32)
2490
buf_len = ctypes.c_size_t(len(buf))
2491
# Get the key ID from the raw public key into the buffer
2492
gnutls.pubkey_get_key_id(
2494
gnutls.KEYID_USE_SHA256,
2495
ctypes.cast(ctypes.byref(buf),
2496
ctypes.POINTER(ctypes.c_ubyte)),
2497
ctypes.byref(buf_len))
2498
# Deinit the certificate
2499
gnutls.pubkey_deinit(pubkey)
2501
# Convert the buffer to a Python bytestring
2502
key_id = ctypes.string_at(buf, buf_len.value)
2503
# Convert the bytestring to hexadecimal notation
2504
hex_key_id = binascii.hexlify(key_id).upper()
2508
2348
def fingerprint(openpgp):
2509
2349
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2510
2350
# New GnuTLS "datum" with the OpenPGP public key
2646
2485
(self.interface + "\0").encode("utf-8"))
2647
2486
except socket.error as error:
2648
2487
if error.errno == errno.EPERM:
2649
log.error("No permission to bind to interface %s",
2488
logger.error("No permission to bind to"
2489
" interface %s", self.interface)
2651
2490
elif error.errno == errno.ENOPROTOOPT:
2652
log.error("SO_BINDTODEVICE not available; cannot"
2653
" bind to interface %s", self.interface)
2491
logger.error("SO_BINDTODEVICE not available;"
2492
" cannot bind to interface %s",
2654
2494
elif error.errno == errno.ENODEV:
2655
log.error("Interface %s does not exist, cannot"
2656
" bind", self.interface)
2495
logger.error("Interface %s does not exist,"
2496
" cannot bind", self.interface)
2659
2499
# Only bind(2) the socket if we really need to.
2660
2500
if self.server_address[0] or self.server_address[1]:
2661
if self.server_address[1]:
2662
self.allow_reuse_address = True
2663
2501
if not self.server_address[0]:
2664
2502
if self.address_family == socket.AF_INET6:
2665
2503
any_address = "::" # in6addr_any
2738
2576
request = parent_pipe.recv()
2739
2577
command = request[0]
2741
if command == "init":
2742
key_id = request[1].decode("ascii")
2743
fpr = request[2].decode("ascii")
2744
address = request[3]
2579
if command == 'init':
2581
address = request[2]
2746
2583
for c in self.clients.values():
2747
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2748
"27AE41E4649B934CA495991B7852B855"):
2750
if key_id and c.key_id == key_id:
2753
if fpr and c.fingerprint == fpr:
2584
if c.fingerprint == fpr:
2757
log.info("Client not found for key ID: %s, address:"
2758
" %s", key_id or fpr, address)
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2759
2590
if self.use_dbus:
2760
2591
# Emit D-Bus signal
2761
mandos_dbus_service.ClientNotFound(key_id or fpr,
2592
mandos_dbus_service.ClientNotFound(fpr,
2763
2594
parent_pipe.send(False)
2766
2597
GLib.io_add_watch(
2767
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2768
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2769
2600
functools.partial(self.handle_ipc,
2770
2601
parent_pipe=parent_pipe,
2803
2634
def rfc3339_duration_to_delta(duration):
2804
2635
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2806
>>> timedelta = datetime.timedelta
2807
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2809
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2811
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2813
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2815
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2817
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2819
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2824
2653
# Parsing an RFC 3339 duration with regular expressions is not
2904
2733
def string_to_delta(interval):
2905
2734
"""Parse a string and return a datetime.timedelta
2907
>>> string_to_delta("7d") == datetime.timedelta(7)
2909
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2911
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2913
>>> string_to_delta("24h") == datetime.timedelta(1)
2915
>>> string_to_delta("1w") == datetime.timedelta(7)
2917
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
3045
2875
"foreground": "False",
3046
2876
"zeroconf": "True",
3050
2879
# Parse config file for server-global settings
3051
server_config = configparser.ConfigParser(server_defaults)
2880
server_config = configparser.SafeConfigParser(server_defaults)
3052
2881
del server_defaults
3053
2882
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3054
# Convert the ConfigParser object to a dict
2883
# Convert the SafeConfigParser object to a dict
3055
2884
server_settings = server_config.defaults()
3056
2885
# Use the appropriate methods on the non-string config options
3057
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3058
"foreground", "zeroconf"):
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3059
2887
server_settings[option] = server_config.getboolean("DEFAULT",
3061
2889
if server_settings["port"]:
3307
3132
for key, value in
3308
3133
bytes_old_client_settings.items()}
3309
3134
del bytes_old_client_settings
3310
# .host and .checker_command
3311
3136
for value in old_client_settings.values():
3312
for attribute in ("host", "checker_command"):
3313
if isinstance(value[attribute], bytes):
3314
value[attribute] = (value[attribute]
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3316
3140
os.remove(stored_state_path)
3317
3141
except IOError as e:
3318
3142
if e.errno == errno.ENOENT:
3319
log.warning("Could not load persistent state:"
3320
" %s", os.strerror(e.errno))
3143
logger.warning("Could not load persistent state:"
3144
" {}".format(os.strerror(e.errno)))
3322
log.critical("Could not load persistent state:",
3146
logger.critical("Could not load persistent state:",
3325
3149
except EOFError as e:
3326
log.warning("Could not load persistent state: EOFError:",
3150
logger.warning("Could not load persistent state: "
3329
3154
with PGPEngine() as pgp:
3330
3155
for client_name, client in clients_data.items():
3357
3182
if client["enabled"]:
3358
3183
if datetime.datetime.utcnow() >= client["expires"]:
3359
3184
if not client["last_checked_ok"]:
3360
log.warning("disabling client %s - Client"
3361
" never performed a successful"
3362
" checker", client_name)
3186
"disabling client {} - Client never "
3187
"performed a successful checker".format(
3363
3189
client["enabled"] = False
3364
3190
elif client["last_checker_status"] != 0:
3365
log.warning("disabling client %s - Client"
3366
" last checker failed with error"
3367
" code %s", client_name,
3368
client["last_checker_status"])
3192
"disabling client {} - Client last"
3193
" checker failed with error code"
3196
client["last_checker_status"]))
3369
3197
client["enabled"] = False
3371
3199
client["expires"] = (
3372
3200
datetime.datetime.utcnow()
3373
3201
+ client["timeout"])
3374
log.debug("Last checker succeeded, keeping %s"
3375
" enabled", client_name)
3202
logger.debug("Last checker succeeded,"
3203
" keeping {} enabled".format(
3377
3206
client["secret"] = pgp.decrypt(
3378
3207
client["encrypted_secret"],
3379
3208
client_settings[client_name]["secret"])
3380
3209
except PGPError:
3381
3210
# If decryption fails, we use secret from new settings
3382
log.debug("Failed to decrypt %s old secret",
3211
logger.debug("Failed to decrypt {} old secret".format(
3384
3213
client["secret"] = (client_settings[client_name]
3633
3463
service.activate()
3634
3464
except dbus.exceptions.DBusException as error:
3635
log.critical("D-Bus Exception", exc_info=error)
3465
logger.critical("D-Bus Exception", exc_info=error)
3638
3468
# End of Avahi example code
3641
GLib.IOChannel.unix_new(tcp_server.fileno()),
3642
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3643
lambda *args, **kwargs: (tcp_server.handle_request
3644
(*args[2:], **kwargs) or True))
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3646
log.debug("Starting main loop")
3475
logger.debug("Starting main loop")
3647
3476
main_loop.run()
3648
3477
except AvahiError as error:
3649
log.critical("Avahi Error", exc_info=error)
3478
logger.critical("Avahi Error", exc_info=error)
3652
3481
except KeyboardInterrupt:
3654
3483
print("", file=sys.stderr)
3655
log.debug("Server received KeyboardInterrupt")
3656
log.debug("Server exiting")
3484
logger.debug("Server received KeyboardInterrupt")
3485
logger.debug("Server exiting")
3657
3486
# Must run before the D-Bus bus name gets deregistered
3661
def parse_test_args():
3662
# type: () -> argparse.Namespace
3663
parser = argparse.ArgumentParser(add_help=False)
3664
parser.add_argument("--check", action="store_true")
3665
parser.add_argument("--prefix", )
3666
args, unknown_args = parser.parse_known_args()
3668
# Remove test options from sys.argv
3669
sys.argv[1:] = unknown_args
3672
# Add all tests from doctest strings
3673
def load_tests(loader, tests, none):
3675
tests.addTests(doctest.DocTestSuite())
3678
if __name__ == "__main__":
3679
options = parse_test_args()
3682
extra_test_prefix = options.prefix
3683
if extra_test_prefix is not None:
3684
if not (unittest.main(argv=[""], exit=False)
3685
.result.wasSuccessful()):
3687
class ExtraTestLoader(unittest.TestLoader):
3688
testMethodPrefix = extra_test_prefix
3689
# Call using ./scriptname --test [--verbose]
3690
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3692
unittest.main(argv=[""])
3700
# (lambda (&optional extra)
3701
# (if (not (funcall run-tests-in-test-buffer default-directory
3703
# (funcall show-test-buffer-in-test-window)
3704
# (funcall remove-test-window)
3705
# (if extra (message "Extra tests run successfully!"))))
3706
# run-tests-in-test-buffer:
3707
# (lambda (dir &optional extra)
3708
# (with-current-buffer (get-buffer-create "*Test*")
3709
# (setq buffer-read-only nil
3710
# default-directory dir)
3712
# (compilation-mode))
3713
# (let ((process-result
3714
# (let ((inhibit-read-only t))
3715
# (process-file-shell-command
3716
# (funcall get-command-line extra) nil "*Test*"))))
3717
# (and (numberp process-result)
3718
# (= process-result 0))))
3720
# (lambda (&optional extra)
3721
# (let ((quoted-script
3722
# (shell-quote-argument (funcall get-script-name))))
3724
# (concat "%s --check" (if extra " --prefix=atest" ""))
3728
# (if (fboundp 'file-local-name)
3729
# (file-local-name (buffer-file-name))
3730
# (or (file-remote-p (buffer-file-name) 'localname)
3731
# (buffer-file-name))))
3732
# remove-test-window:
3734
# (let ((test-window (get-buffer-window "*Test*")))
3735
# (if test-window (delete-window test-window))))
3736
# show-test-buffer-in-test-window:
3738
# (when (not (get-buffer-window-list "*Test*"))
3739
# (setq next-error-last-buffer (get-buffer "*Test*"))
3740
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3741
# (display-buffer-overriding-action
3742
# `((display-buffer-in-side-window) (side . ,side)
3743
# (window-height . fit-window-to-buffer)
3744
# (window-width . fit-window-to-buffer))))
3745
# (display-buffer "*Test*"))))
3748
# (let* ((run-extra-tests (lambda () (interactive)
3749
# (funcall run-tests t)))
3750
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3751
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3752
# (setq minor-mode-overriding-map-alist
3753
# (cons `(run-tests . ,outer-keymap)
3754
# minor-mode-overriding-map-alist)))
3755
# (add-hook 'after-save-hook run-tests 90 t))
3490
if __name__ == '__main__':