/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2016-10-29 14:22:26 UTC
  • Revision ID: teddy@recompile.se-20161029142226-n4s9d70tuk615pg1
Makefile: Clarify message when running client.

* Makefile (run-client): Clarify message.

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
 
# Copyright © 2008-2019 Teddy Hogeborn
15
 
# Copyright © 2008-2019 Björn Påhlsson
16
 
#
17
 
# This file is part of Mandos.
18
 
#
19
 
# Mandos is free software: you can redistribute it and/or modify it
20
 
# under the terms of the GNU General Public License as published by
 
14
# Copyright © 2008-2016 Teddy Hogeborn
 
15
# Copyright © 2008-2016 Björn Påhlsson
 
16
#
 
17
# This program is free software: you can redistribute it and/or modify
 
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
 
#     Mandos is distributed in the hope that it will be useful, but
25
 
#     WITHOUT ANY WARRANTY; without even the implied warranty of
 
22
#     This program is distributed in the hope that it will be useful,
 
23
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
27
25
#     GNU General Public License for more details.
28
26
#
29
27
# You should have received a copy of the GNU General Public License
30
 
# along with Mandos.  If not, see <http://www.gnu.org/licenses/>.
 
28
# along with this program.  If not, see
 
29
# <http://www.gnu.org/licenses/>.
31
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
32
#
115
114
if sys.version_info.major == 2:
116
115
    str = unicode
117
116
 
118
 
version = "1.8.4"
 
117
version = "1.7.13"
119
118
stored_state_file = "clients.pickle"
120
119
 
121
120
logger = logging.getLogger()
275
274
 
276
275
 
277
276
# Pretend that we have an Avahi module
278
 
class avahi(object):
279
 
    """This isn't so much a class as it is a module-like namespace."""
 
277
class Avahi(object):
 
278
    """This isn't so much a class as it is a module-like namespace.
 
279
    It is instantiated once, and simulates having an Avahi module."""
280
280
    IF_UNSPEC = -1               # avahi-common/address.h
281
281
    PROTO_UNSPEC = -1            # avahi-common/address.h
282
282
    PROTO_INET = 0               # avahi-common/address.h
286
286
    DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
287
    DBUS_PATH_SERVER = "/"
288
288
 
289
 
    @staticmethod
290
 
    def string_array_to_txt_array(t):
 
289
    def string_array_to_txt_array(self, t):
291
290
        return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
291
                           for s in t), signature="ay")
293
292
    ENTRY_GROUP_ESTABLISHED = 2  # avahi-common/defs.h
298
297
    SERVER_RUNNING = 2           # avahi-common/defs.h
299
298
    SERVER_COLLISION = 3         # avahi-common/defs.h
300
299
    SERVER_FAILURE = 4           # avahi-common/defs.h
 
300
avahi = Avahi()
301
301
 
302
302
 
303
303
class AvahiError(Exception):
495
495
class AvahiServiceToSyslog(AvahiService):
496
496
    def rename(self, *args, **kwargs):
497
497
        """Add the new name to the syslog messages"""
498
 
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
 
498
        ret = AvahiService.rename(self, *args, **kwargs)
499
499
        syslogger.setFormatter(logging.Formatter(
500
500
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
501
            .format(self.name)))
503
503
 
504
504
 
505
505
# Pretend that we have a GnuTLS module
506
 
class gnutls(object):
507
 
    """This isn't so much a class as it is a module-like namespace."""
 
506
class GnuTLS(object):
 
507
    """This isn't so much a class as it is a module-like namespace.
 
508
    It is instantiated once, and simulates having a GnuTLS module."""
508
509
 
509
510
    library = ctypes.util.find_library("gnutls")
510
511
    if library is None:
511
512
        library = ctypes.util.find_library("gnutls-deb0")
512
513
    _library = ctypes.cdll.LoadLibrary(library)
513
514
    del library
 
515
    _need_version = b"3.3.0"
 
516
 
 
517
    def __init__(self):
 
518
        # Need to use "self" here, since this method is called before
 
519
        # the assignment to the "gnutls" global variable happens.
 
520
        if self.check_version(self._need_version) is None:
 
521
            raise self.Error("Needs GnuTLS {} or later"
 
522
                             .format(self._need_version))
514
523
 
515
524
    # Unless otherwise indicated, the constants and types below are
516
525
    # all from the gnutls/gnutls.h C header file.
520
529
    E_INTERRUPTED = -52
521
530
    E_AGAIN = -28
522
531
    CRT_OPENPGP = 2
523
 
    CRT_RAWPK = 3
524
532
    CLIENT = 2
525
533
    SHUT_RDWR = 0
526
534
    CRD_CERTIFICATE = 1
527
535
    E_NO_CERTIFICATE_FOUND = -49
528
 
    X509_FMT_DER = 0
529
 
    NO_TICKETS = 1<<10
530
 
    ENABLE_RAWPK = 1<<18
531
 
    CTYPE_PEERS = 3
532
 
    KEYID_USE_SHA256 = 1        # gnutls/x509.h
533
536
    OPENPGP_FMT_RAW = 0         # gnutls/openpgp.h
534
537
 
535
538
    # Types
558
561
 
559
562
    # Exceptions
560
563
    class Error(Exception):
 
564
        # We need to use the class name "GnuTLS" here, since this
 
565
        # exception might be raised from within GnuTLS.__init__,
 
566
        # which is called before the assignment to the "gnutls"
 
567
        # global variable has happened.
561
568
        def __init__(self, message=None, code=None, args=()):
562
569
            # Default usage is by a message string, but if a return
563
570
            # code is passed, convert it to a string with
564
571
            # gnutls.strerror()
565
572
            self.code = code
566
573
            if message is None and code is not None:
567
 
                message = gnutls.strerror(code)
568
 
            return super(gnutls.Error, self).__init__(
 
574
                message = GnuTLS.strerror(code)
 
575
            return super(GnuTLS.Error, self).__init__(
569
576
                message, *args)
570
577
 
571
578
    class CertificateSecurityError(Error):
585
592
    class ClientSession(object):
586
593
        def __init__(self, socket, credentials=None):
587
594
            self._c_object = gnutls.session_t()
588
 
            gnutls_flags = gnutls.CLIENT
589
 
            if gnutls.check_version("3.5.6"):
590
 
                gnutls_flags |= gnutls.NO_TICKETS
591
 
            if gnutls.has_rawpk:
592
 
                gnutls_flags |= gnutls.ENABLE_RAWPK
593
 
            gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
 
            del gnutls_flags
 
595
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
595
596
            gnutls.set_default_priority(self._c_object)
596
597
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
598
            gnutls.handshake_set_private_extensions(self._c_object,
729
730
    check_version.argtypes = [ctypes.c_char_p]
730
731
    check_version.restype = ctypes.c_char_p
731
732
 
732
 
    _need_version = b"3.3.0"
733
 
    if check_version(_need_version) is None:
734
 
        raise self.Error("Needs GnuTLS {} or later"
735
 
                         .format(_need_version))
736
 
 
737
 
    _tls_rawpk_version = b"3.6.6"
738
 
    has_rawpk = bool(check_version(_tls_rawpk_version))
739
 
 
740
 
    if has_rawpk:
741
 
        # Types
742
 
        class pubkey_st(ctypes.Structure):
743
 
            _fields = []
744
 
        pubkey_t = ctypes.POINTER(pubkey_st)
745
 
 
746
 
        x509_crt_fmt_t = ctypes.c_int
747
 
 
748
 
        # All the function declarations below are from gnutls/abstract.h
749
 
        pubkey_init = _library.gnutls_pubkey_init
750
 
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
 
        pubkey_init.restype = _error_code
752
 
 
753
 
        pubkey_import = _library.gnutls_pubkey_import
754
 
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
 
                                  x509_crt_fmt_t]
756
 
        pubkey_import.restype = _error_code
757
 
 
758
 
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
 
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
 
                                      ctypes.POINTER(ctypes.c_ubyte),
761
 
                                      ctypes.POINTER(ctypes.c_size_t)]
762
 
        pubkey_get_key_id.restype = _error_code
763
 
 
764
 
        pubkey_deinit = _library.gnutls_pubkey_deinit
765
 
        pubkey_deinit.argtypes = [pubkey_t]
766
 
        pubkey_deinit.restype = None
767
 
    else:
768
 
        # All the function declarations below are from gnutls/openpgp.h
769
 
 
770
 
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
 
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
 
        openpgp_crt_init.restype = _error_code
773
 
 
774
 
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
 
        openpgp_crt_import.argtypes = [openpgp_crt_t,
776
 
                                       ctypes.POINTER(datum_t),
777
 
                                       openpgp_crt_fmt_t]
778
 
        openpgp_crt_import.restype = _error_code
779
 
 
780
 
        openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
 
        openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
 
                                            ctypes.POINTER(ctypes.c_uint)]
783
 
        openpgp_crt_verify_self.restype = _error_code
784
 
 
785
 
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
 
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
 
        openpgp_crt_deinit.restype = None
788
 
 
789
 
        openpgp_crt_get_fingerprint = (
790
 
            _library.gnutls_openpgp_crt_get_fingerprint)
791
 
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
 
                                                ctypes.c_void_p,
793
 
                                                ctypes.POINTER(
794
 
                                                    ctypes.c_size_t)]
795
 
        openpgp_crt_get_fingerprint.restype = _error_code
796
 
 
797
 
    if check_version("3.6.4"):
798
 
        certificate_type_get2 = _library.gnutls_certificate_type_get2
799
 
        certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
 
        certificate_type_get2.restype = _error_code
 
733
    # All the function declarations below are from gnutls/openpgp.h
 
734
 
 
735
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
736
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
737
    openpgp_crt_init.restype = _error_code
 
738
 
 
739
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
740
    openpgp_crt_import.argtypes = [openpgp_crt_t,
 
741
                                   ctypes.POINTER(datum_t),
 
742
                                   openpgp_crt_fmt_t]
 
743
    openpgp_crt_import.restype = _error_code
 
744
 
 
745
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
746
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
747
                                        ctypes.POINTER(ctypes.c_uint)]
 
748
    openpgp_crt_verify_self.restype = _error_code
 
749
 
 
750
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
751
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
752
    openpgp_crt_deinit.restype = None
 
753
 
 
754
    openpgp_crt_get_fingerprint = (
 
755
        _library.gnutls_openpgp_crt_get_fingerprint)
 
756
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
757
                                            ctypes.c_void_p,
 
758
                                            ctypes.POINTER(
 
759
                                                ctypes.c_size_t)]
 
760
    openpgp_crt_get_fingerprint.restype = _error_code
801
761
 
802
762
    # Remove non-public functions
803
763
    del _error_code, _retry_on_error
 
764
# Create the global "gnutls" object, simulating a module
 
765
gnutls = GnuTLS()
804
766
 
805
767
 
806
768
def call_pipe(connection,       # : multiprocessing.Connection
837
799
    disable_initiator_tag: a GLib event source tag, or None
838
800
    enabled:    bool()
839
801
    fingerprint: string (40 or 32 hexadecimal digits); used to
840
 
                 uniquely identify an OpenPGP client
841
 
    key_id: string (64 hexadecimal digits); used to uniquely identify
842
 
            a client using raw public keys
 
802
                 uniquely identify the client
843
803
    host:       string; available for use by the checker command
844
804
    interval:   datetime.timedelta(); How often to start a new checker
845
805
    last_approval_request: datetime.datetime(); (UTC) or None
863
823
    """
864
824
 
865
825
    runtime_expansions = ("approval_delay", "approval_duration",
866
 
                          "created", "enabled", "expires", "key_id",
 
826
                          "created", "enabled", "expires",
867
827
                          "fingerprint", "host", "interval",
868
828
                          "last_approval_request", "last_checked_ok",
869
829
                          "last_enabled", "name", "timeout")
899
859
            client["enabled"] = config.getboolean(client_name,
900
860
                                                  "enabled")
901
861
 
902
 
            # Uppercase and remove spaces from key_id and fingerprint
903
 
            # for later comparison purposes with return value from the
904
 
            # key_id() and fingerprint() functions
905
 
            client["key_id"] = (section.get("key_id", "").upper()
906
 
                                .replace(" ", ""))
 
862
            # Uppercase and remove spaces from fingerprint for later
 
863
            # comparison purposes with return value from the
 
864
            # fingerprint() function
907
865
            client["fingerprint"] = (section["fingerprint"].upper()
908
866
                                     .replace(" ", ""))
909
867
            if "secret" in section:
953
911
            self.expires = None
954
912
 
955
913
        logger.debug("Creating client %r", self.name)
956
 
        logger.debug("  Key ID: %s", self.key_id)
957
914
        logger.debug("  Fingerprint: %s", self.fingerprint)
958
915
        self.created = settings.get("created",
959
916
                                    datetime.datetime.utcnow())
1503
1460
                         exc_info=error)
1504
1461
        return xmlstring
1505
1462
 
1506
 
 
1507
1463
try:
1508
1464
    dbus.OBJECT_MANAGER_IFACE
1509
1465
except AttributeError:
2041
1997
    def Name_dbus_property(self):
2042
1998
        return dbus.String(self.name)
2043
1999
 
2044
 
    # KeyID - property
2045
 
    @dbus_annotations(
2046
 
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2047
 
    @dbus_service_property(_interface, signature="s", access="read")
2048
 
    def KeyID_dbus_property(self):
2049
 
        return dbus.String(self.key_id)
2050
 
 
2051
2000
    # Fingerprint - property
2052
2001
    @dbus_annotations(
2053
2002
        {"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2209
2158
 
2210
2159
 
2211
2160
class ProxyClient(object):
2212
 
    def __init__(self, child_pipe, key_id, fpr, address):
 
2161
    def __init__(self, child_pipe, fpr, address):
2213
2162
        self._pipe = child_pipe
2214
 
        self._pipe.send(('init', key_id, fpr, address))
 
2163
        self._pipe.send(('init', fpr, address))
2215
2164
        if not self._pipe.recv():
2216
 
            raise KeyError(key_id or fpr)
 
2165
            raise KeyError(fpr)
2217
2166
 
2218
2167
    def __getattribute__(self, name):
2219
2168
        if name == '_pipe':
2286
2235
 
2287
2236
            approval_required = False
2288
2237
            try:
2289
 
                if gnutls.has_rawpk:
2290
 
                    fpr = ""
2291
 
                    try:
2292
 
                        key_id = self.key_id(
2293
 
                            self.peer_certificate(session))
2294
 
                    except (TypeError, gnutls.Error) as error:
2295
 
                        logger.warning("Bad certificate: %s", error)
2296
 
                        return
2297
 
                    logger.debug("Key ID: %s", key_id)
2298
 
 
2299
 
                else:
2300
 
                    key_id = ""
2301
 
                    try:
2302
 
                        fpr = self.fingerprint(
2303
 
                            self.peer_certificate(session))
2304
 
                    except (TypeError, gnutls.Error) as error:
2305
 
                        logger.warning("Bad certificate: %s", error)
2306
 
                        return
2307
 
                    logger.debug("Fingerprint: %s", fpr)
2308
 
 
2309
 
                try:
2310
 
                    client = ProxyClient(child_pipe, key_id, fpr,
 
2238
                try:
 
2239
                    fpr = self.fingerprint(
 
2240
                        self.peer_certificate(session))
 
2241
                except (TypeError, gnutls.Error) as error:
 
2242
                    logger.warning("Bad certificate: %s", error)
 
2243
                    return
 
2244
                logger.debug("Fingerprint: %s", fpr)
 
2245
 
 
2246
                try:
 
2247
                    client = ProxyClient(child_pipe, fpr,
2311
2248
                                         self.client_address)
2312
2249
                except KeyError:
2313
2250
                    return
2390
2327
 
2391
2328
    @staticmethod
2392
2329
    def peer_certificate(session):
2393
 
        "Return the peer's certificate as a bytestring"
2394
 
        try:
2395
 
            cert_type = gnutls.certificate_type_get2(session._c_object,
2396
 
                                                     gnutls.CTYPE_PEERS)
2397
 
        except AttributeError:
2398
 
            cert_type = gnutls.certificate_type_get(session._c_object)
2399
 
        if gnutls.has_rawpk:
2400
 
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2401
 
        else:
2402
 
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
 
        # If not a valid certificate type...
2404
 
        if cert_type not in valid_cert_types:
2405
 
            logger.info("Cert type %r not in %r", cert_type,
2406
 
                        valid_cert_types)
 
2330
        "Return the peer's OpenPGP certificate as a bytestring"
 
2331
        # If not an OpenPGP certificate...
 
2332
        if (gnutls.certificate_type_get(session._c_object)
 
2333
            != gnutls.CRT_OPENPGP):
2407
2334
            # ...return invalid data
2408
2335
            return b""
2409
2336
        list_size = ctypes.c_uint(1)
2417
2344
        return ctypes.string_at(cert.data, cert.size)
2418
2345
 
2419
2346
    @staticmethod
2420
 
    def key_id(certificate):
2421
 
        "Convert a certificate bytestring to a hexdigit key ID"
2422
 
        # New GnuTLS "datum" with the public key
2423
 
        datum = gnutls.datum_t(
2424
 
            ctypes.cast(ctypes.c_char_p(certificate),
2425
 
                        ctypes.POINTER(ctypes.c_ubyte)),
2426
 
            ctypes.c_uint(len(certificate)))
2427
 
        # XXX all these need to be created in the gnutls "module"
2428
 
        # New empty GnuTLS certificate
2429
 
        pubkey = gnutls.pubkey_t()
2430
 
        gnutls.pubkey_init(ctypes.byref(pubkey))
2431
 
        # Import the raw public key into the certificate
2432
 
        gnutls.pubkey_import(pubkey,
2433
 
                             ctypes.byref(datum),
2434
 
                             gnutls.X509_FMT_DER)
2435
 
        # New buffer for the key ID
2436
 
        buf = ctypes.create_string_buffer(32)
2437
 
        buf_len = ctypes.c_size_t(len(buf))
2438
 
        # Get the key ID from the raw public key into the buffer
2439
 
        gnutls.pubkey_get_key_id(pubkey,
2440
 
                                 gnutls.KEYID_USE_SHA256,
2441
 
                                 ctypes.cast(ctypes.byref(buf),
2442
 
                                             ctypes.POINTER(ctypes.c_ubyte)),
2443
 
                                 ctypes.byref(buf_len))
2444
 
        # Deinit the certificate
2445
 
        gnutls.pubkey_deinit(pubkey)
2446
 
 
2447
 
        # Convert the buffer to a Python bytestring
2448
 
        key_id = ctypes.string_at(buf, buf_len.value)
2449
 
        # Convert the bytestring to hexadecimal notation
2450
 
        hex_key_id = binascii.hexlify(key_id).upper()
2451
 
        return hex_key_id
2452
 
 
2453
 
    @staticmethod
2454
2347
    def fingerprint(openpgp):
2455
2348
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
2456
2349
        # New GnuTLS "datum" with the OpenPGP public key
2470
2363
                                       ctypes.byref(crtverify))
2471
2364
        if crtverify.value != 0:
2472
2365
            gnutls.openpgp_crt_deinit(crt)
2473
 
            raise gnutls.CertificateSecurityError(code
2474
 
                                                  =crtverify.value)
 
2366
            raise gnutls.CertificateSecurityError("Verify failed")
2475
2367
        # New buffer for the fingerprint
2476
2368
        buf = ctypes.create_string_buffer(20)
2477
2369
        buf_len = ctypes.c_size_t()
2605
2497
                    raise
2606
2498
        # Only bind(2) the socket if we really need to.
2607
2499
        if self.server_address[0] or self.server_address[1]:
2608
 
            if self.server_address[1]:
2609
 
                self.allow_reuse_address = True
2610
2500
            if not self.server_address[0]:
2611
2501
                if self.address_family == socket.AF_INET6:
2612
2502
                    any_address = "::"  # in6addr_any
2686
2576
        command = request[0]
2687
2577
 
2688
2578
        if command == 'init':
2689
 
            key_id = request[1].decode("ascii")
2690
 
            fpr = request[2].decode("ascii")
2691
 
            address = request[3]
 
2579
            fpr = request[1]
 
2580
            address = request[2]
2692
2581
 
2693
2582
            for c in self.clients.values():
2694
 
                if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2695
 
                    continue
2696
 
                if key_id and c.key_id == key_id:
2697
 
                    client = c
2698
 
                    break
2699
 
                if fpr and c.fingerprint == fpr:
 
2583
                if c.fingerprint == fpr:
2700
2584
                    client = c
2701
2585
                    break
2702
2586
            else:
2703
 
                logger.info("Client not found for key ID: %s, address"
2704
 
                            ": %s", key_id or fpr, address)
 
2587
                logger.info("Client not found for fingerprint: %s, ad"
 
2588
                            "dress: %s", fpr, address)
2705
2589
                if self.use_dbus:
2706
2590
                    # Emit D-Bus signal
2707
 
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
 
2591
                    mandos_dbus_service.ClientNotFound(fpr,
2708
2592
                                                       address[0])
2709
2593
                parent_pipe.send(False)
2710
2594
                return False
2973
2857
        sys.exit(os.EX_OK if fail_count == 0 else 1)
2974
2858
 
2975
2859
    # Default values for config file for server-global settings
2976
 
    if gnutls.has_rawpk:
2977
 
        priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2978
 
                    ":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2979
 
    else:
2980
 
        priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2981
 
                    ":+SIGN-DSA-SHA256")
2982
2860
    server_defaults = {"interface": "",
2983
2861
                       "address": "",
2984
2862
                       "port": "",
2985
2863
                       "debug": "False",
2986
 
                       "priority": priority,
 
2864
                       "priority":
 
2865
                       "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
 
2866
                       ":+SIGN-DSA-SHA256",
2987
2867
                       "servicename": "Mandos",
2988
2868
                       "use_dbus": "True",
2989
2869
                       "use_ipv6": "True",
2994
2874
                       "foreground": "False",
2995
2875
                       "zeroconf": "True",
2996
2876
                       }
2997
 
    del priority
2998
2877
 
2999
2878
    # Parse config file for server-global settings
3000
2879
    server_config = configparser.SafeConfigParser(server_defaults)
3003
2882
    # Convert the SafeConfigParser object to a dict
3004
2883
    server_settings = server_config.defaults()
3005
2884
    # Use the appropriate methods on the non-string config options
3006
 
    for option in ("debug", "use_dbus", "use_ipv6", "restore",
3007
 
                   "foreground", "zeroconf"):
 
2885
    for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3008
2886
        server_settings[option] = server_config.getboolean("DEFAULT",
3009
2887
                                                           option)
3010
2888
    if server_settings["port"]:
3244
3122
                        for k in ("name", "host"):
3245
3123
                            if isinstance(value[k], bytes):
3246
3124
                                value[k] = value[k].decode("utf-8")
3247
 
                        if not value.has_key("key_id"):
3248
 
                            value["key_id"] = ""
3249
 
                        elif not value.has_key("fingerprint"):
3250
 
                            value["fingerprint"] = ""
3251
3125
                    #  old_client_settings
3252
3126
                    # .keys()
3253
3127
                    old_client_settings = {
3390
3264
                pass
3391
3265
 
3392
3266
            @dbus.service.signal(_interface, signature="ss")
3393
 
            def ClientNotFound(self, key_id, address):
 
3267
            def ClientNotFound(self, fingerprint, address):
3394
3268
                "D-Bus signal"
3395
3269
                pass
3396
3270