To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 896
- compare with another revision
- download diff
- download tarball
- view history from revision 896
- Committer: Teddy Hogeborn
- Date: 2017-02-21 21:42:08 UTC
- Revision ID: teddy@recompile.se-20170221214208-09wu1p4l2hjhqfoj
Use "read -r" in shell scripts to avoid backslash escapes
* initramfs-tools-hook: Use "read -r" to read filenames from network
hook given the "files" argument.
* initramfs-tools-script: Use "read -e" when parsing
"/conf/conf.d/cryptroot".
* mandos-keygen (keygen): Use "read -r" when reading passphrase.
* initramfs-tools-hook: Use "read -r" to read filenames from network
hook given the "files" argument.
* initramfs-tools-script: Use "read -e" when parsing
"/conf/conf.d/cryptroot".
* mandos-keygen (keygen): Use "read -r" when reading passphrase.
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
31
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
32
#
77
76
import itertools
78
77
import collections
79
78
import codecs
80
import unittest
81
import random
82
import shlex
83
79
84
80
import dbus
85
81
import dbus.service
86
import gi
87
82
from gi.repository import GLib
88
83
from dbus.mainloop.glib import DBusGMainLoop
89
84
import ctypes
91
86
import xml.dom.minidom
92
87
import inspect
93
88
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
89
# Try to find the value of SO_BINDTODEVICE:
119
90
try:
120
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
140
111
# No value found
141
112
SO_BINDTODEVICE = None
142
113
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
114
if sys.version_info.major == 2:
115
str = unicode
145
116
146
version = "1.8.12"
117
version = "1.7.14"
147
118
stored_state_file = "clients.pickle"
148
119
149
120
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
121
syslogger = None
152
122
153
123
try:
208
178
pass
209
179
210
180
211
class PGPEngine:
181
class PGPEngine(object):
212
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
183
214
184
def __init__(self):
218
188
output = subprocess.check_output(["gpgconf"])
219
189
for line in output.splitlines():
220
190
name, text, path = line.split(b":")
221
if name == b"gpg":
191
if name == "gpg":
222
192
self.gpg = path
223
193
break
224
194
except OSError as e:
229
199
'--force-mdc',
230
200
'--quiet']
231
201
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
233
203
self.gnupgargs.append("--no-use-agent")
234
204
235
205
def __enter__(self):
304
274
305
275
306
276
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
309
280
IF_UNSPEC = -1 # avahi-common/address.h
310
281
PROTO_UNSPEC = -1 # avahi-common/address.h
311
282
PROTO_INET = 0 # avahi-common/address.h
315
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
287
DBUS_PATH_SERVER = "/"
317
288
318
@staticmethod
319
def string_array_to_txt_array(t):
289
def string_array_to_txt_array(self, t):
320
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
291
for s in t), signature="ay")
322
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
327
297
SERVER_RUNNING = 2 # avahi-common/defs.h
328
298
SERVER_COLLISION = 3 # avahi-common/defs.h
329
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
330
301
331
302
332
303
class AvahiError(Exception):
344
315
pass
345
316
346
317
347
class AvahiService:
318
class AvahiService(object):
348
319
"""An Avahi (Zeroconf) service.
349
320
350
321
Attributes:
524
495
class AvahiServiceToSyslog(AvahiService):
525
496
def rename(self, *args, **kwargs):
526
497
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
498
ret = AvahiService.rename(self, *args, **kwargs)
529
499
syslogger.setFormatter(logging.Formatter(
530
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
501
.format(self.name)))
533
503
534
504
535
505
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
538
509
539
510
library = ctypes.util.find_library("gnutls")
540
511
if library is None:
541
512
library = ctypes.util.find_library("gnutls-deb0")
542
513
_library = ctypes.cdll.LoadLibrary(library)
543
514
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
544
523
545
524
# Unless otherwise indicated, the constants and types below are
546
525
# all from the gnutls/gnutls.h C header file.
550
529
E_INTERRUPTED = -52
551
530
E_AGAIN = -28
552
531
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
532
CLIENT = 2
555
533
SHUT_RDWR = 0
556
534
CRD_CERTIFICATE = 1
557
535
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
536
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
537
565
538
# Types
588
561
589
562
# Exceptions
590
563
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
591
568
def __init__(self, message=None, code=None, args=()):
592
569
# Default usage is by a message string, but if a return
593
570
# code is passed, convert it to a string with
594
571
# gnutls.strerror()
595
572
self.code = code
596
573
if message is None and code is not None:
597
message = gnutls.strerror(code)
598
return super(gnutls.Error, self).__init__(
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
599
576
message, *args)
600
577
601
578
class CertificateSecurityError(Error):
602
579
pass
603
580
604
581
# Classes
605
class Credentials:
582
class Credentials(object):
606
583
def __init__(self):
607
584
self._c_object = gnutls.certificate_credentials_t()
608
585
gnutls.certificate_allocate_credentials(
612
589
def __del__(self):
613
590
gnutls.certificate_free_credentials(self._c_object)
614
591
615
class ClientSession:
592
class ClientSession(object):
616
593
def __init__(self, socket, credentials=None):
617
594
self._c_object = gnutls.session_t()
618
gnutls_flags = gnutls.CLIENT
619
if gnutls.check_version(b"3.5.6"):
620
gnutls_flags |= gnutls.NO_TICKETS
621
if gnutls.has_rawpk:
622
gnutls_flags |= gnutls.ENABLE_RAWPK
623
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
del gnutls_flags
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
625
596
gnutls.set_default_priority(self._c_object)
626
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
598
gnutls.handshake_set_private_extensions(self._c_object,
759
730
check_version.argtypes = [ctypes.c_char_p]
760
731
check_version.restype = ctypes.c_char_p
761
732
762
_need_version = b"3.3.0"
763
if check_version(_need_version) is None:
764
raise self.Error("Needs GnuTLS {} or later"
765
.format(_need_version))
766
767
_tls_rawpk_version = b"3.6.6"
768
has_rawpk = bool(check_version(_tls_rawpk_version))
769
770
if has_rawpk:
771
# Types
772
class pubkey_st(ctypes.Structure):
773
_fields = []
774
pubkey_t = ctypes.POINTER(pubkey_st)
775
776
x509_crt_fmt_t = ctypes.c_int
777
778
# All the function declarations below are from
779
# gnutls/abstract.h
780
pubkey_init = _library.gnutls_pubkey_init
781
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
782
pubkey_init.restype = _error_code
783
784
pubkey_import = _library.gnutls_pubkey_import
785
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
786
x509_crt_fmt_t]
787
pubkey_import.restype = _error_code
788
789
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
790
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
791
ctypes.POINTER(ctypes.c_ubyte),
792
ctypes.POINTER(ctypes.c_size_t)]
793
pubkey_get_key_id.restype = _error_code
794
795
pubkey_deinit = _library.gnutls_pubkey_deinit
796
pubkey_deinit.argtypes = [pubkey_t]
797
pubkey_deinit.restype = None
798
else:
799
# All the function declarations below are from
800
# gnutls/openpgp.h
801
802
openpgp_crt_init = _library.gnutls_openpgp_crt_init
803
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
804
openpgp_crt_init.restype = _error_code
805
806
openpgp_crt_import = _library.gnutls_openpgp_crt_import
807
openpgp_crt_import.argtypes = [openpgp_crt_t,
808
ctypes.POINTER(datum_t),
809
openpgp_crt_fmt_t]
810
openpgp_crt_import.restype = _error_code
811
812
openpgp_crt_verify_self = \
813
_library.gnutls_openpgp_crt_verify_self
814
openpgp_crt_verify_self.argtypes = [
815
openpgp_crt_t,
816
ctypes.c_uint,
817
ctypes.POINTER(ctypes.c_uint),
818
]
819
openpgp_crt_verify_self.restype = _error_code
820
821
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
822
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
823
openpgp_crt_deinit.restype = None
824
825
openpgp_crt_get_fingerprint = (
826
_library.gnutls_openpgp_crt_get_fingerprint)
827
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
828
ctypes.c_void_p,
829
ctypes.POINTER(
830
ctypes.c_size_t)]
831
openpgp_crt_get_fingerprint.restype = _error_code
832
833
if check_version(b"3.6.4"):
834
certificate_type_get2 = _library.gnutls_certificate_type_get2
835
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
836
certificate_type_get2.restype = _error_code
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
837
761
838
762
# Remove non-public functions
839
763
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
840
766
841
767
842
768
def call_pipe(connection, # : multiprocessing.Connection
850
776
connection.close()
851
777
852
778
853
class Client:
779
class Client(object):
854
780
"""A representation of a client host served by this server.
855
781
856
782
Attributes:
857
783
approved: bool(); 'None' if not yet approved/disapproved
858
784
approval_delay: datetime.timedelta(); Time to wait for approval
859
785
approval_duration: datetime.timedelta(); Duration of one approval
860
checker: multiprocessing.Process(); a running checker process used
861
to see if the client lives. 'None' if no process is
862
running.
786
checker: subprocess.Popen(); a running checker process used
787
to see if the client lives.
788
'None' if no process is running.
863
789
checker_callback_tag: a GLib event source tag, or None
864
790
checker_command: string; External command which is run to check
865
791
if client lives. %() expansions are done at
873
799
disable_initiator_tag: a GLib event source tag, or None
874
800
enabled: bool()
875
801
fingerprint: string (40 or 32 hexadecimal digits); used to
876
uniquely identify an OpenPGP client
877
key_id: string (64 hexadecimal digits); used to uniquely identify
878
a client using raw public keys
802
uniquely identify the client
879
803
host: string; available for use by the checker command
880
804
interval: datetime.timedelta(); How often to start a new checker
881
805
last_approval_request: datetime.datetime(); (UTC) or None
899
823
"""
900
824
901
825
runtime_expansions = ("approval_delay", "approval_duration",
902
"created", "enabled", "expires", "key_id",
826
"created", "enabled", "expires",
903
827
"fingerprint", "host", "interval",
904
828
"last_approval_request", "last_checked_ok",
905
829
"last_enabled", "name", "timeout")
935
859
client["enabled"] = config.getboolean(client_name,
936
860
"enabled")
937
861
938
# Uppercase and remove spaces from key_id and fingerprint
939
# for later comparison purposes with return value from the
940
# key_id() and fingerprint() functions
941
client["key_id"] = (section.get("key_id", "").upper()
942
.replace(" ", ""))
862
# Uppercase and remove spaces from fingerprint for later
863
# comparison purposes with return value from the
864
# fingerprint() function
943
865
client["fingerprint"] = (section["fingerprint"].upper()
944
866
.replace(" ", ""))
945
867
if "secret" in section:
989
911
self.expires = None
990
912
991
913
logger.debug("Creating client %r", self.name)
992
logger.debug(" Key ID: %s", self.key_id)
993
914
logger.debug(" Fingerprint: %s", self.fingerprint)
994
915
self.created = settings.get("created",
995
916
datetime.datetime.utcnow())
1059
980
if self.checker_initiator_tag is not None:
1060
981
GLib.source_remove(self.checker_initiator_tag)
1061
982
self.checker_initiator_tag = GLib.timeout_add(
1062
random.randrange(int(self.interval.total_seconds() * 1000
1063
+ 1)),
983
int(self.interval.total_seconds() * 1000),
1064
984
self.start_checker)
1065
985
# Schedule a disable() when 'timeout' has passed
1066
986
if self.disable_initiator_tag is not None:
1073
993
def checker_callback(self, source, condition, connection,
1074
994
command):
1075
995
"""The checker has completed, so take appropriate actions."""
996
self.checker_callback_tag = None
997
self.checker = None
1076
998
# Read return code from connection (see call_pipe)
1077
999
returncode = connection.recv()
1078
1000
connection.close()
1079
if self.checker is not None:
1080
self.checker.join()
1081
self.checker_callback_tag = None
1082
self.checker = None
1083
1001
1084
1002
if returncode >= 0:
1085
1003
self.last_checker_status = returncode
1141
1059
if self.checker is None:
1142
1060
# Escape attributes for the shell
1143
1061
escaped_attrs = {
1144
attr: shlex.quote(str(getattr(self, attr)))
1062
attr: re.escape(str(getattr(self, attr)))
1145
1063
for attr in self.runtime_expansions}
1146
1064
try:
1147
1065
command = self.checker_command % escaped_attrs
1174
1092
kwargs=popen_args)
1175
1093
self.checker.start()
1176
1094
self.checker_callback_tag = GLib.io_add_watch(
1177
GLib.IOChannel.unix_new(pipe[0].fileno()),
1178
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1095
pipe[0].fileno(), GLib.IO_IN,
1179
1096
self.checker_callback, pipe[0], command)
1180
1097
# Re-run this periodically if run by GLib.timeout_add
1181
1098
return True
1436
1353
raise ValueError("Byte arrays not supported for non-"
1437
1354
"'ay' signature {!r}"
1438
1355
.format(prop._dbus_signature))
1439
value = dbus.ByteArray(bytes(value))
1356
value = dbus.ByteArray(b''.join(chr(byte)
1357
for byte in value))
1440
1358
prop(value)
1441
1359
1442
1360
@dbus.service.method(dbus.PROPERTIES_IFACE,
2080
1998
def Name_dbus_property(self):
2081
1999
return dbus.String(self.name)
2082
2000
2083
# KeyID - property
2084
@dbus_annotations(
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
@dbus_service_property(_interface, signature="s", access="read")
2087
def KeyID_dbus_property(self):
2088
return dbus.String(self.key_id)
2089
2090
2001
# Fingerprint - property
2091
2002
@dbus_annotations(
2092
2003
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2247
2158
del _interface
2248
2159
2249
2160
2250
class ProxyClient:
2251
def __init__(self, child_pipe, key_id, fpr, address):
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2252
2163
self._pipe = child_pipe
2253
self._pipe.send(('init', key_id, fpr, address))
2164
self._pipe.send(('init', fpr, address))
2254
2165
if not self._pipe.recv():
2255
raise KeyError(key_id or fpr)
2166
raise KeyError(fpr)
2256
2167
2257
2168
def __getattribute__(self, name):
2258
2169
if name == '_pipe':
2325
2236
2326
2237
approval_required = False
2327
2238
try:
2328
if gnutls.has_rawpk:
2329
fpr = b""
2330
try:
2331
key_id = self.key_id(
2332
self.peer_certificate(session))
2333
except (TypeError, gnutls.Error) as error:
2334
logger.warning("Bad certificate: %s", error)
2335
return
2336
logger.debug("Key ID: %s", key_id)
2337
2338
else:
2339
key_id = b""
2340
try:
2341
fpr = self.fingerprint(
2342
self.peer_certificate(session))
2343
except (TypeError, gnutls.Error) as error:
2344
logger.warning("Bad certificate: %s", error)
2345
return
2346
logger.debug("Fingerprint: %s", fpr)
2347
2348
try:
2349
client = ProxyClient(child_pipe, key_id, fpr,
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2350
2249
self.client_address)
2351
2250
except KeyError:
2352
2251
return
2429
2328
2430
2329
@staticmethod
2431
2330
def peer_certificate(session):
2432
"Return the peer's certificate as a bytestring"
2433
try:
2434
cert_type = gnutls.certificate_type_get2(session._c_object,
2435
gnutls.CTYPE_PEERS)
2436
except AttributeError:
2437
cert_type = gnutls.certificate_type_get(session._c_object)
2438
if gnutls.has_rawpk:
2439
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2440
else:
2441
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2442
# If not a valid certificate type...
2443
if cert_type not in valid_cert_types:
2444
logger.info("Cert type %r not in %r", cert_type,
2445
valid_cert_types)
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2446
2335
# ...return invalid data
2447
2336
return b""
2448
2337
list_size = ctypes.c_uint(1)
2456
2345
return ctypes.string_at(cert.data, cert.size)
2457
2346
2458
2347
@staticmethod
2459
def key_id(certificate):
2460
"Convert a certificate bytestring to a hexdigit key ID"
2461
# New GnuTLS "datum" with the public key
2462
datum = gnutls.datum_t(
2463
ctypes.cast(ctypes.c_char_p(certificate),
2464
ctypes.POINTER(ctypes.c_ubyte)),
2465
ctypes.c_uint(len(certificate)))
2466
# XXX all these need to be created in the gnutls "module"
2467
# New empty GnuTLS certificate
2468
pubkey = gnutls.pubkey_t()
2469
gnutls.pubkey_init(ctypes.byref(pubkey))
2470
# Import the raw public key into the certificate
2471
gnutls.pubkey_import(pubkey,
2472
ctypes.byref(datum),
2473
gnutls.X509_FMT_DER)
2474
# New buffer for the key ID
2475
buf = ctypes.create_string_buffer(32)
2476
buf_len = ctypes.c_size_t(len(buf))
2477
# Get the key ID from the raw public key into the buffer
2478
gnutls.pubkey_get_key_id(
2479
pubkey,
2480
gnutls.KEYID_USE_SHA256,
2481
ctypes.cast(ctypes.byref(buf),
2482
ctypes.POINTER(ctypes.c_ubyte)),
2483
ctypes.byref(buf_len))
2484
# Deinit the certificate
2485
gnutls.pubkey_deinit(pubkey)
2486
2487
# Convert the buffer to a Python bytestring
2488
key_id = ctypes.string_at(buf, buf_len.value)
2489
# Convert the bytestring to hexadecimal notation
2490
hex_key_id = binascii.hexlify(key_id).upper()
2491
return hex_key_id
2492
2493
@staticmethod
2494
2348
def fingerprint(openpgp):
2495
2349
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2496
2350
# New GnuTLS "datum" with the OpenPGP public key
2510
2364
ctypes.byref(crtverify))
2511
2365
if crtverify.value != 0:
2512
2366
gnutls.openpgp_crt_deinit(crt)
2513
raise gnutls.CertificateSecurityError(code
2514
=crtverify.value)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2515
2368
# New buffer for the fingerprint
2516
2369
buf = ctypes.create_string_buffer(20)
2517
2370
buf_len = ctypes.c_size_t()
2527
2380
return hex_fpr
2528
2381
2529
2382
2530
class MultiprocessingMixIn:
2383
class MultiprocessingMixIn(object):
2531
2384
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2532
2385
2533
2386
def sub_process_main(self, request, address):
2545
2398
return proc
2546
2399
2547
2400
2548
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2549
2402
""" adds a pipe to the MixIn """
2550
2403
2551
2404
def process_request(self, request, client_address):
2566
2419
2567
2420
2568
2421
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2569
socketserver.TCPServer):
2422
socketserver.TCPServer, object):
2570
2423
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2571
2424
2572
2425
Attributes:
2645
2498
raise
2646
2499
# Only bind(2) the socket if we really need to.
2647
2500
if self.server_address[0] or self.server_address[1]:
2648
if self.server_address[1]:
2649
self.allow_reuse_address = True
2650
2501
if not self.server_address[0]:
2651
2502
if self.address_family == socket.AF_INET6:
2652
2503
any_address = "::" # in6addr_any
2705
2556
def add_pipe(self, parent_pipe, proc):
2706
2557
# Call "handle_ipc" for both data and EOF events
2707
2558
GLib.io_add_watch(
2708
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2709
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2559
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2710
2561
functools.partial(self.handle_ipc,
2711
2562
parent_pipe=parent_pipe,
2712
2563
proc=proc))
2726
2577
command = request[0]
2727
2578
2728
2579
if command == 'init':
2729
key_id = request[1].decode("ascii")
2730
fpr = request[2].decode("ascii")
2731
address = request[3]
2580
fpr = request[1]
2581
address = request[2]
2732
2582
2733
2583
for c in self.clients.values():
2734
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2735
"27AE41E4649B934CA495991B7852B855"):
2736
continue
2737
if key_id and c.key_id == key_id:
2738
client = c
2739
break
2740
if fpr and c.fingerprint == fpr:
2584
if c.fingerprint == fpr:
2741
2585
client = c
2742
2586
break
2743
2587
else:
2744
logger.info("Client not found for key ID: %s, address"
2745
": %s", key_id or fpr, address)
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2746
2590
if self.use_dbus:
2747
2591
# Emit D-Bus signal
2748
mandos_dbus_service.ClientNotFound(key_id or fpr,
2592
mandos_dbus_service.ClientNotFound(fpr,
2749
2593
address[0])
2750
2594
parent_pipe.send(False)
2751
2595
return False
2752
2596
2753
2597
GLib.io_add_watch(
2754
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2755
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2756
2600
functools.partial(self.handle_ipc,
2757
2601
parent_pipe=parent_pipe,
2758
2602
proc=proc,
2773
2617
if command == 'getattr':
2774
2618
attrname = request[1]
2775
2619
if isinstance(client_object.__getattribute__(attrname),
2776
collections.abc.Callable):
2620
collections.Callable):
2777
2621
parent_pipe.send(('function', ))
2778
2622
else:
2779
2623
parent_pipe.send((
2790
2634
def rfc3339_duration_to_delta(duration):
2791
2635
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2792
2636
2793
>>> timedelta = datetime.timedelta
2794
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2795
True
2796
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2797
True
2798
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2799
True
2800
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2801
True
2802
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2803
True
2804
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2805
True
2806
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2807
True
2808
>>> del timedelta
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2809
2651
"""
2810
2652
2811
2653
# Parsing an RFC 3339 duration with regular expressions is not
2891
2733
def string_to_delta(interval):
2892
2734
"""Parse a string and return a datetime.timedelta
2893
2735
2894
>>> string_to_delta('7d') == datetime.timedelta(7)
2895
True
2896
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2897
True
2898
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2899
True
2900
>>> string_to_delta('24h') == datetime.timedelta(1)
2901
True
2902
>>> string_to_delta('1w') == datetime.timedelta(7)
2903
True
2904
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2905
True
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
2906
2748
"""
2907
2749
2908
2750
try:
3010
2852
3011
2853
options = parser.parse_args()
3012
2854
2855
if options.check:
2856
import doctest
2857
fail_count, test_count = doctest.testmod()
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
3013
2860
# Default values for config file for server-global settings
3014
if gnutls.has_rawpk:
3015
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3016
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3017
else:
3018
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3019
":+SIGN-DSA-SHA256")
3020
2861
server_defaults = {"interface": "",
3021
2862
"address": "",
3022
2863
"port": "",
3023
2864
"debug": "False",
3024
"priority": priority,
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
3025
2868
"servicename": "Mandos",
3026
2869
"use_dbus": "True",
3027
2870
"use_ipv6": "True",
3032
2875
"foreground": "False",
3033
2876
"zeroconf": "True",
3034
2877
}
3035
del priority
3036
2878
3037
2879
# Parse config file for server-global settings
3038
server_config = configparser.ConfigParser(server_defaults)
2880
server_config = configparser.SafeConfigParser(server_defaults)
3039
2881
del server_defaults
3040
2882
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3041
# Convert the ConfigParser object to a dict
2883
# Convert the SafeConfigParser object to a dict
3042
2884
server_settings = server_config.defaults()
3043
2885
# Use the appropriate methods on the non-string config options
3044
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3045
"foreground", "zeroconf"):
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3046
2887
server_settings[option] = server_config.getboolean("DEFAULT",
3047
2888
option)
3048
2889
if server_settings["port"]:
3116
2957
server_settings["servicename"])))
3117
2958
3118
2959
# Parse config file with clients
3119
client_config = configparser.ConfigParser(Client.client_defaults)
2960
client_config = configparser.SafeConfigParser(Client
2961
.client_defaults)
3120
2962
client_config.read(os.path.join(server_settings["configdir"],
3121
2963
"clients.conf"))
3122
2964
3193
3035
# Close all input and output, do double fork, etc.
3194
3036
daemon()
3195
3037
3196
if gi.version_info < (3, 10, 2):
3197
# multiprocessing will use threads, so before we use GLib we
3198
# need to inform GLib that threads will be used.
3199
GLib.threads_init()
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3200
3041
3201
3042
global main_loop
3202
3043
# From the Avahi example code
3278
3119
if isinstance(s, bytes)
3279
3120
else s) for s in
3280
3121
value["client_structure"]]
3281
# .name, .host, and .checker_command
3282
for k in ("name", "host", "checker_command"):
3122
# .name & .host
3123
for k in ("name", "host"):
3283
3124
if isinstance(value[k], bytes):
3284
3125
value[k] = value[k].decode("utf-8")
3285
if "key_id" not in value:
3286
value["key_id"] = ""
3287
elif "fingerprint" not in value:
3288
value["fingerprint"] = ""
3289
3126
# old_client_settings
3290
3127
# .keys()
3291
3128
old_client_settings = {
3295
3132
for key, value in
3296
3133
bytes_old_client_settings.items()}
3297
3134
del bytes_old_client_settings
3298
# .host and .checker_command
3135
# .host
3299
3136
for value in old_client_settings.values():
3300
for attribute in ("host", "checker_command"):
3301
if isinstance(value[attribute], bytes):
3302
value[attribute] = (value[attribute]
3303
.decode("utf-8"))
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3304
3140
os.remove(stored_state_path)
3305
3141
except IOError as e:
3306
3142
if e.errno == errno.ENOENT:
3429
3265
pass
3430
3266
3431
3267
@dbus.service.signal(_interface, signature="ss")
3432
def ClientNotFound(self, key_id, address):
3268
def ClientNotFound(self, fingerprint, address):
3433
3269
"D-Bus signal"
3434
3270
pass
3435
3271
3631
3467
sys.exit(1)
3632
3468
# End of Avahi example code
3633
3469
3634
GLib.io_add_watch(
3635
GLib.IOChannel.unix_new(tcp_server.fileno()),
3636
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3637
lambda *args, **kwargs: (tcp_server.handle_request
3638
(*args[2:], **kwargs) or True))
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3639
3474
3640
3475
logger.debug("Starting main loop")
3641
3476
main_loop.run()
3651
3486
# Must run before the D-Bus bus name gets deregistered
3652
3487
cleanup()
3653
3488
3654
3655
def should_only_run_tests():
3656
parser = argparse.ArgumentParser(add_help=False)
3657
parser.add_argument("--check", action='store_true')
3658
args, unknown_args = parser.parse_known_args()
3659
run_tests = args.check
3660
if run_tests:
3661
# Remove --check argument from sys.argv
3662
sys.argv[1:] = unknown_args
3663
return run_tests
3664
3665
# Add all tests from doctest strings
3666
def load_tests(loader, tests, none):
3667
import doctest
3668
tests.addTests(doctest.DocTestSuite())
3669
return tests
3670
3489
3671
3490
if __name__ == '__main__':
3672
try:
3673
if should_only_run_tests():
3674
# Call using ./mandos --check [--verbose]
3675
unittest.main()
3676
else:
3677
main()
3678
finally:
3679
logging.shutdown()
3491
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0