451
423
    def entry_group_state_changed(self, state, error):
 
452
424
        """Derived from the Avahi example code"""
 
453
 
        log.debug("Avahi entry group state change: %i", state)
 
 
425
        logger.debug("Avahi entry group state change: %i", state)
 
455
427
        if state == avahi.ENTRY_GROUP_ESTABLISHED:
 
456
 
            log.debug("Zeroconf service established.")
 
 
428
            logger.debug("Zeroconf service established.")
 
457
429
        elif state == avahi.ENTRY_GROUP_COLLISION:
 
458
 
            log.info("Zeroconf service name collision.")
 
 
430
            logger.info("Zeroconf service name collision.")
 
460
432
        elif state == avahi.ENTRY_GROUP_FAILURE:
 
461
 
            log.critical("Avahi: Error in group state changed %s",
 
 
433
            logger.critical("Avahi: Error in group state changed %s",
 
463
435
            raise AvahiGroupError("State changed: {!s}".format(error))
 
465
437
    def cleanup(self):
 
 
523
496
class AvahiServiceToSyslog(AvahiService):
 
524
497
    def rename(self, *args, **kwargs):
 
525
498
        """Add the new name to the syslog messages"""
 
526
 
        ret = super(AvahiServiceToSyslog, self).rename(*args,
 
 
499
        ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
 
528
500
        syslogger.setFormatter(logging.Formatter(
 
529
 
            "Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
 
 
501
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
 
530
502
            .format(self.name)))
 
534
506
# Pretend that we have a GnuTLS module
 
536
 
    """This isn't so much a class as it is a module-like namespace."""
 
 
507
class GnuTLS(object):
 
 
508
    """This isn't so much a class as it is a module-like namespace.
 
 
509
    It is instantiated once, and simulates having a GnuTLS module."""
 
538
511
    library = ctypes.util.find_library("gnutls")
 
539
512
    if library is None:
 
540
513
        library = ctypes.util.find_library("gnutls-deb0")
 
541
514
    _library = ctypes.cdll.LoadLibrary(library)
 
 
516
    _need_version = b"3.3.0"
 
 
519
        # Need to use "self" here, since this method is called before
 
 
520
        # the assignment to the "gnutls" global variable happens.
 
 
521
        if self.check_version(self._need_version) is None:
 
 
522
            raise self.Error("Needs GnuTLS {} or later"
 
 
523
                             .format(self._need_version))
 
544
525
    # Unless otherwise indicated, the constants and types below are
 
545
526
    # all from the gnutls/gnutls.h C header file.
 
 
589
564
    class Error(Exception):
 
 
565
        # We need to use the class name "GnuTLS" here, since this
 
 
566
        # exception might be raised from within GnuTLS.__init__,
 
 
567
        # which is called before the assignment to the "gnutls"
 
 
568
        # global variable has happened.
 
590
569
        def __init__(self, message=None, code=None, args=()):
 
591
570
            # Default usage is by a message string, but if a return
 
592
571
            # code is passed, convert it to a string with
 
593
572
            # gnutls.strerror()
 
595
574
            if message is None and code is not None:
 
596
 
                message = gnutls.strerror(code).decode(
 
597
 
                    "utf-8", errors="replace")
 
598
 
            return super(gnutls.Error, self).__init__(
 
 
575
                message = GnuTLS.strerror(code)
 
 
576
            return super(GnuTLS.Error, self).__init__(
 
601
579
    class CertificateSecurityError(Error):
 
605
 
        def __init__(self, cls):
 
608
 
        def from_param(self, obj):
 
609
 
            if not isinstance(obj, self.cls):
 
610
 
                raise TypeError("Not of type {}: {!r}"
 
611
 
                                .format(self.cls.__name__, obj))
 
612
 
            return ctypes.byref(obj.from_param(obj))
 
614
 
    class CastToVoidPointer:
 
615
 
        def __init__(self, cls):
 
618
 
        def from_param(self, obj):
 
619
 
            if not isinstance(obj, self.cls):
 
620
 
                raise TypeError("Not of type {}: {!r}"
 
621
 
                                .format(self.cls.__name__, obj))
 
622
 
            return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
 
624
 
    class With_from_param:
 
626
 
        def from_param(cls, obj):
 
627
 
            return obj._as_parameter_
 
630
 
    class Credentials(With_from_param):
 
 
583
    class Credentials(object):
 
631
584
        def __init__(self):
 
632
 
            self._as_parameter_ = gnutls.certificate_credentials_t()
 
633
 
            gnutls.certificate_allocate_credentials(self)
 
 
585
            self._c_object = gnutls.certificate_credentials_t()
 
 
586
            gnutls.certificate_allocate_credentials(
 
 
587
                ctypes.byref(self._c_object))
 
634
588
            self.type = gnutls.CRD_CERTIFICATE
 
636
590
        def __del__(self):
 
637
 
            gnutls.certificate_free_credentials(self)
 
 
591
            gnutls.certificate_free_credentials(self._c_object)
 
639
 
    class ClientSession(With_from_param):
 
 
593
    class ClientSession(object):
 
640
594
        def __init__(self, socket, credentials=None):
 
641
 
            self._as_parameter_ = gnutls.session_t()
 
642
 
            gnutls_flags = gnutls.CLIENT
 
643
 
            if gnutls.check_version(b"3.5.6"):
 
644
 
                gnutls_flags |= gnutls.NO_TICKETS
 
646
 
                gnutls_flags |= gnutls.ENABLE_RAWPK
 
647
 
            gnutls.init(self, gnutls_flags)
 
649
 
            gnutls.set_default_priority(self)
 
650
 
            gnutls.transport_set_ptr(self, socket.fileno())
 
651
 
            gnutls.handshake_set_private_extensions(self, True)
 
 
595
            self._c_object = gnutls.session_t()
 
 
596
            gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
 
 
597
            gnutls.set_default_priority(self._c_object)
 
 
598
            gnutls.transport_set_ptr(self._c_object, socket.fileno())
 
 
599
            gnutls.handshake_set_private_extensions(self._c_object,
 
652
601
            self.socket = socket
 
653
602
            if credentials is None:
 
654
603
                credentials = gnutls.Credentials()
 
655
 
            gnutls.credentials_set(self, credentials.type,
 
 
604
            gnutls.credentials_set(self._c_object, credentials.type,
 
 
605
                                   ctypes.cast(credentials._c_object,
 
657
607
            self.credentials = credentials
 
659
609
        def __del__(self):
 
 
610
            gnutls.deinit(self._c_object)
 
662
612
        def handshake(self):
 
663
 
            return gnutls.handshake(self)
 
 
613
            return gnutls.handshake(self._c_object)
 
665
615
        def send(self, data):
 
666
616
            data = bytes(data)
 
667
617
            data_len = len(data)
 
668
618
            while data_len > 0:
 
669
 
                data_len -= gnutls.record_send(self, data[-data_len:],
 
 
619
                data_len -= gnutls.record_send(self._c_object,
 
673
 
            return gnutls.bye(self, gnutls.SHUT_RDWR)
 
 
624
            return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
 
675
626
    # Error handling functions
 
676
627
    def _error_code(result):
 
677
628
        """A function to raise exceptions on errors, suitable
 
678
 
        for the "restype" attribute on ctypes functions"""
 
679
 
        if result >= gnutls.E_SUCCESS:
 
 
629
        for the 'restype' attribute on ctypes functions"""
 
681
632
        if result == gnutls.E_NO_CERTIFICATE_FOUND:
 
682
633
            raise gnutls.CertificateSecurityError(code=result)
 
683
634
        raise gnutls.Error(code=result)
 
685
 
    def _retry_on_error(result, func, arguments,
 
686
 
                        _error_code=_error_code):
 
 
636
    def _retry_on_error(result, func, arguments):
 
687
637
        """A function to retry on some errors, suitable
 
688
 
        for the "errcheck" attribute on ctypes functions"""
 
689
 
        while result < gnutls.E_SUCCESS:
 
 
638
        for the 'errcheck' attribute on ctypes functions"""
 
690
640
            if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
 
691
641
                return _error_code(result)
 
692
642
            result = func(*arguments)
 
 
699
649
    priority_set_direct = _library.gnutls_priority_set_direct
 
700
 
    priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
 
 
650
    priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
 
701
651
                                    ctypes.POINTER(ctypes.c_char_p)]
 
702
652
    priority_set_direct.restype = _error_code
 
704
654
    init = _library.gnutls_init
 
705
 
    init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
 
 
655
    init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
 
706
656
    init.restype = _error_code
 
708
658
    set_default_priority = _library.gnutls_set_default_priority
 
709
 
    set_default_priority.argtypes = [ClientSession]
 
 
659
    set_default_priority.argtypes = [session_t]
 
710
660
    set_default_priority.restype = _error_code
 
712
662
    record_send = _library.gnutls_record_send
 
713
 
    record_send.argtypes = [ClientSession, ctypes.c_void_p,
 
 
663
    record_send.argtypes = [session_t, ctypes.c_void_p,
 
715
665
    record_send.restype = ctypes.c_ssize_t
 
716
666
    record_send.errcheck = _retry_on_error
 
 
718
668
    certificate_allocate_credentials = (
 
719
669
        _library.gnutls_certificate_allocate_credentials)
 
720
670
    certificate_allocate_credentials.argtypes = [
 
721
 
        PointerTo(Credentials)]
 
 
671
        ctypes.POINTER(certificate_credentials_t)]
 
722
672
    certificate_allocate_credentials.restype = _error_code
 
724
674
    certificate_free_credentials = (
 
725
675
        _library.gnutls_certificate_free_credentials)
 
726
 
    certificate_free_credentials.argtypes = [Credentials]
 
 
676
    certificate_free_credentials.argtypes = [
 
 
677
        certificate_credentials_t]
 
727
678
    certificate_free_credentials.restype = None
 
729
680
    handshake_set_private_extensions = (
 
730
681
        _library.gnutls_handshake_set_private_extensions)
 
731
 
    handshake_set_private_extensions.argtypes = [ClientSession,
 
 
682
    handshake_set_private_extensions.argtypes = [session_t,
 
733
684
    handshake_set_private_extensions.restype = None
 
735
686
    credentials_set = _library.gnutls_credentials_set
 
736
 
    credentials_set.argtypes = [ClientSession, credentials_type_t,
 
737
 
                                CastToVoidPointer(Credentials)]
 
 
687
    credentials_set.argtypes = [session_t, credentials_type_t,
 
738
689
    credentials_set.restype = _error_code
 
740
691
    strerror = _library.gnutls_strerror
 
 
759
710
    global_set_log_function.restype = None
 
761
712
    deinit = _library.gnutls_deinit
 
762
 
    deinit.argtypes = [ClientSession]
 
 
713
    deinit.argtypes = [session_t]
 
763
714
    deinit.restype = None
 
765
716
    handshake = _library.gnutls_handshake
 
766
 
    handshake.argtypes = [ClientSession]
 
767
 
    handshake.restype = ctypes.c_int
 
 
717
    handshake.argtypes = [session_t]
 
 
718
    handshake.restype = _error_code
 
768
719
    handshake.errcheck = _retry_on_error
 
770
721
    transport_set_ptr = _library.gnutls_transport_set_ptr
 
771
 
    transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
 
 
722
    transport_set_ptr.argtypes = [session_t, transport_ptr_t]
 
772
723
    transport_set_ptr.restype = None
 
774
725
    bye = _library.gnutls_bye
 
775
 
    bye.argtypes = [ClientSession, close_request_t]
 
776
 
    bye.restype = ctypes.c_int
 
 
726
    bye.argtypes = [session_t, close_request_t]
 
 
727
    bye.restype = _error_code
 
777
728
    bye.errcheck = _retry_on_error
 
779
730
    check_version = _library.gnutls_check_version
 
780
731
    check_version.argtypes = [ctypes.c_char_p]
 
781
732
    check_version.restype = ctypes.c_char_p
 
783
 
    _need_version = b"3.3.0"
 
784
 
    if check_version(_need_version) is None:
 
785
 
        raise self.Error("Needs GnuTLS {} or later"
 
786
 
                         .format(_need_version))
 
788
 
    _tls_rawpk_version = b"3.6.6"
 
789
 
    has_rawpk = bool(check_version(_tls_rawpk_version))
 
793
 
        class pubkey_st(ctypes.Structure):
 
795
 
        pubkey_t = ctypes.POINTER(pubkey_st)
 
797
 
        x509_crt_fmt_t = ctypes.c_int
 
799
 
        # All the function declarations below are from
 
801
 
        pubkey_init = _library.gnutls_pubkey_init
 
802
 
        pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
 
803
 
        pubkey_init.restype = _error_code
 
805
 
        pubkey_import = _library.gnutls_pubkey_import
 
806
 
        pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
 
808
 
        pubkey_import.restype = _error_code
 
810
 
        pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
 
811
 
        pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
 
812
 
                                      ctypes.POINTER(ctypes.c_ubyte),
 
813
 
                                      ctypes.POINTER(ctypes.c_size_t)]
 
814
 
        pubkey_get_key_id.restype = _error_code
 
816
 
        pubkey_deinit = _library.gnutls_pubkey_deinit
 
817
 
        pubkey_deinit.argtypes = [pubkey_t]
 
818
 
        pubkey_deinit.restype = None
 
820
 
        # All the function declarations below are from
 
823
 
        openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
824
 
        openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
825
 
        openpgp_crt_init.restype = _error_code
 
827
 
        openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
828
 
        openpgp_crt_import.argtypes = [openpgp_crt_t,
 
829
 
                                       ctypes.POINTER(datum_t),
 
831
 
        openpgp_crt_import.restype = _error_code
 
833
 
        openpgp_crt_verify_self = \
 
834
 
            _library.gnutls_openpgp_crt_verify_self
 
835
 
        openpgp_crt_verify_self.argtypes = [
 
838
 
            ctypes.POINTER(ctypes.c_uint),
 
840
 
        openpgp_crt_verify_self.restype = _error_code
 
842
 
        openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
843
 
        openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
844
 
        openpgp_crt_deinit.restype = None
 
846
 
        openpgp_crt_get_fingerprint = (
 
847
 
            _library.gnutls_openpgp_crt_get_fingerprint)
 
848
 
        openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
852
 
        openpgp_crt_get_fingerprint.restype = _error_code
 
854
 
    if check_version(b"3.6.4"):
 
855
 
        certificate_type_get2 = _library.gnutls_certificate_type_get2
 
856
 
        certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
 
857
 
        certificate_type_get2.restype = _error_code
 
 
734
    # All the function declarations below are from gnutls/openpgp.h
 
 
736
    openpgp_crt_init = _library.gnutls_openpgp_crt_init
 
 
737
    openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
 
 
738
    openpgp_crt_init.restype = _error_code
 
 
740
    openpgp_crt_import = _library.gnutls_openpgp_crt_import
 
 
741
    openpgp_crt_import.argtypes = [openpgp_crt_t,
 
 
742
                                   ctypes.POINTER(datum_t),
 
 
744
    openpgp_crt_import.restype = _error_code
 
 
746
    openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
 
 
747
    openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
 
 
748
                                        ctypes.POINTER(ctypes.c_uint)]
 
 
749
    openpgp_crt_verify_self.restype = _error_code
 
 
751
    openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
 
 
752
    openpgp_crt_deinit.argtypes = [openpgp_crt_t]
 
 
753
    openpgp_crt_deinit.restype = None
 
 
755
    openpgp_crt_get_fingerprint = (
 
 
756
        _library.gnutls_openpgp_crt_get_fingerprint)
 
 
757
    openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
 
 
761
    openpgp_crt_get_fingerprint.restype = _error_code
 
859
763
    # Remove non-public functions
 
860
764
    del _error_code, _retry_on_error
 
 
765
# Create the global "gnutls" object, simulating a module
 
863
769
def call_pipe(connection,       # : multiprocessing.Connection
 
 
1073
975
    def __del__(self):
 
1076
 
    def init_checker(self, randomize_start=False):
 
1077
 
        # Schedule a new checker to be started a randomly selected
 
1078
 
        # time (a fraction of 'interval') from now.  This spreads out
 
1079
 
        # the startup of checkers over time when the server is
 
 
978
    def init_checker(self):
 
 
979
        # Schedule a new checker to be started an 'interval' from now,
 
 
980
        # and every interval from then on.
 
1081
981
        if self.checker_initiator_tag is not None:
 
1082
982
            GLib.source_remove(self.checker_initiator_tag)
 
1083
 
        interval_milliseconds = int(self.interval.total_seconds()
 
1086
 
            delay_milliseconds = random.randrange(
 
1087
 
                interval_milliseconds + 1)
 
1089
 
            delay_milliseconds = interval_milliseconds
 
1090
983
        self.checker_initiator_tag = GLib.timeout_add(
 
1091
 
            delay_milliseconds, self.start_checker, randomize_start)
 
1092
 
        delay = datetime.timedelta(0, 0, 0, delay_milliseconds)
 
1093
 
        # A checker might take up to an 'interval' of time, so we can
 
1094
 
        # expire at the soonest one interval after a checker was
 
1095
 
        # started.  Since the initial checker is delayed, the expire
 
1096
 
        # time might have to be extended.
 
1097
 
        now = datetime.datetime.utcnow()
 
1098
 
        self.expires = now + delay + self.interval
 
1099
 
        # Schedule a disable() at expire time
 
 
984
            int(self.interval.total_seconds() * 1000),
 
 
986
        # Schedule a disable() when 'timeout' has passed
 
1100
987
        if self.disable_initiator_tag is not None:
 
1101
988
            GLib.source_remove(self.disable_initiator_tag)
 
1102
989
        self.disable_initiator_tag = GLib.timeout_add(
 
1103
 
            int((self.expires - now).total_seconds() * 1000),
 
 
990
            int(self.timeout.total_seconds() * 1000), self.disable)
 
 
991
        # Also start a new checker *right now*.
 
1106
994
    def checker_callback(self, source, condition, connection,
 
1108
996
        """The checker has completed, so take appropriate actions."""
 
 
997
        self.checker_callback_tag = None
 
1109
999
        # Read return code from connection (see call_pipe)
 
1110
1000
        returncode = connection.recv()
 
1111
1001
        connection.close()
 
1112
 
        if self.checker is not None:
 
1114
 
        self.checker_callback_tag = None
 
1117
1003
        if returncode >= 0:
 
1118
1004
            self.last_checker_status = returncode
 
1119
1005
            self.last_checker_signal = None
 
1120
1006
            if self.last_checker_status == 0:
 
1121
 
                log.info("Checker for %(name)s succeeded", vars(self))
 
 
1007
                logger.info("Checker for %(name)s succeeded",
 
1122
1009
                self.checked_ok()
 
1124
 
                log.info("Checker for %(name)s failed", vars(self))
 
 
1011
                logger.info("Checker for %(name)s failed", vars(self))
 
1126
1013
            self.last_checker_status = -1
 
1127
1014
            self.last_checker_signal = -returncode
 
1128
 
            log.warning("Checker for %(name)s crashed?", vars(self))
 
 
1015
            logger.warning("Checker for %(name)s crashed?",
 
1131
1019
    def checked_ok(self):
 
 
1167
1055
        if self.checker is not None and not self.checker.is_alive():
 
1168
 
            log.warning("Checker was not alive; joining")
 
 
1056
            logger.warning("Checker was not alive; joining")
 
1169
1057
            self.checker.join()
 
1170
1058
            self.checker = None
 
1171
1059
        # Start a new checker if needed
 
1172
1060
        if self.checker is None:
 
1173
1061
            # Escape attributes for the shell
 
1174
1062
            escaped_attrs = {
 
1175
 
                attr: shlex.quote(str(getattr(self, attr)))
 
 
1063
                attr: re.escape(str(getattr(self, attr)))
 
1176
1064
                for attr in self.runtime_expansions}
 
1178
1066
                command = self.checker_command % escaped_attrs
 
1179
1067
            except TypeError as error:
 
1180
 
                log.error('Could not format string "%s"',
 
1181
 
                          self.checker_command, exc_info=error)
 
 
1068
                logger.error('Could not format string "%s"',
 
 
1069
                             self.checker_command,
 
1182
1071
                return True     # Try again later
 
1183
1072
            self.current_checker_command = command
 
1184
 
            log.info("Starting checker %r for %s", command, self.name)
 
 
1073
            logger.info("Starting checker %r for %s", command,
 
1185
1075
            # We don't need to redirect stdout and stderr, since
 
1186
1076
            # in normal mode, that is already done by daemon(),
 
1187
1077
            # and in debug mode we don't want to.  (Stdin is
 
 
1203
1093
                kwargs=popen_args)
 
1204
1094
            self.checker.start()
 
1205
1095
            self.checker_callback_tag = GLib.io_add_watch(
 
1206
 
                GLib.IOChannel.unix_new(pipe[0].fileno()),
 
1207
 
                GLib.PRIORITY_DEFAULT, GLib.IO_IN,
 
 
1096
                pipe[0].fileno(), GLib.IO_IN,
 
1208
1097
                self.checker_callback, pipe[0], command)
 
1209
 
        if start_was_randomized:
 
1210
 
            # We were started after a random delay; Schedule a new
 
1211
 
            # checker to be started an 'interval' from now, and every
 
1212
 
            # interval from then on.
 
1213
 
            now = datetime.datetime.utcnow()
 
1214
 
            self.checker_initiator_tag = GLib.timeout_add(
 
1215
 
                int(self.interval.total_seconds() * 1000),
 
1217
 
            self.expires = max(self.expires, now + self.interval)
 
1218
 
            # Don't start a new checker again after same random delay
 
1220
1098
        # Re-run this periodically if run by GLib.timeout_add
 
 
2291
 
    def __init__(self, child_pipe, key_id, fpr, address):
 
 
2162
class ProxyClient(object):
 
 
2163
    def __init__(self, child_pipe, fpr, address):
 
2292
2164
        self._pipe = child_pipe
 
2293
 
        self._pipe.send(("init", key_id, fpr, address))
 
 
2165
        self._pipe.send(('init', fpr, address))
 
2294
2166
        if not self._pipe.recv():
 
2295
 
            raise KeyError(key_id or fpr)
 
2297
2169
    def __getattribute__(self, name):
 
2299
2171
            return super(ProxyClient, self).__getattribute__(name)
 
2300
 
        self._pipe.send(("getattr", name))
 
 
2172
        self._pipe.send(('getattr', name))
 
2301
2173
        data = self._pipe.recv()
 
2302
 
        if data[0] == "data":
 
 
2174
        if data[0] == 'data':
 
2304
 
        if data[0] == "function":
 
 
2176
        if data[0] == 'function':
 
2306
2178
            def func(*args, **kwargs):
 
2307
 
                self._pipe.send(("funcall", name, args, kwargs))
 
 
2179
                self._pipe.send(('funcall', name, args, kwargs))
 
2308
2180
                return self._pipe.recv()[1]
 
2312
2184
    def __setattr__(self, name, value):
 
2314
2186
            return super(ProxyClient, self).__setattr__(name, value)
 
2315
 
        self._pipe.send(("setattr", name, value))
 
 
2187
        self._pipe.send(('setattr', name, value))
 
2318
2190
class ClientHandler(socketserver.BaseRequestHandler, object):
 
 
2324
2196
    def handle(self):
 
2325
2197
        with contextlib.closing(self.server.child_pipe) as child_pipe:
 
2326
 
            log.info("TCP connection from: %s",
 
2327
 
                     str(self.client_address))
 
2328
 
            log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
 
 
2198
            logger.info("TCP connection from: %s",
 
 
2199
                        str(self.client_address))
 
 
2200
            logger.debug("Pipe FD: %d",
 
 
2201
                         self.server.child_pipe.fileno())
 
2330
2203
            session = gnutls.ClientSession(self.request)
 
2332
 
            # priority = ":".join(("NONE", "+VERS-TLS1.1",
 
 
2205
            # priority = ':'.join(("NONE", "+VERS-TLS1.1",
 
2333
2206
            #                       "+AES-256-CBC", "+SHA1",
 
2334
2207
            #                       "+COMP-NULL", "+CTYPE-OPENPGP",
 
 
2337
2210
            priority = self.server.gnutls_priority
 
2338
2211
            if priority is None:
 
2339
2212
                priority = "NORMAL"
 
2340
 
            gnutls.priority_set_direct(session,
 
2341
 
                                       priority.encode("utf-8"), None)
 
 
2213
            gnutls.priority_set_direct(session._c_object,
 
 
2214
                                       priority.encode("utf-8"),
 
2343
2217
            # Start communication using the Mandos protocol
 
2344
2218
            # Get protocol number
 
2345
2219
            line = self.request.makefile().readline()
 
2346
 
            log.debug("Protocol version: %r", line)
 
 
2220
            logger.debug("Protocol version: %r", line)
 
2348
2222
                if int(line.strip().split()[0]) > 1:
 
2349
2223
                    raise RuntimeError(line)
 
2350
2224
            except (ValueError, IndexError, RuntimeError) as error:
 
2351
 
                log.error("Unknown protocol version: %s", error)
 
 
2225
                logger.error("Unknown protocol version: %s", error)
 
2354
2228
            # Start GnuTLS connection
 
2356
2230
                session.handshake()
 
2357
2231
            except gnutls.Error as error:
 
2358
 
                log.warning("Handshake failed: %s", error)
 
 
2232
                logger.warning("Handshake failed: %s", error)
 
2359
2233
                # Do not run session.bye() here: the session is not
 
2360
2234
                # established.  Just abandon the request.
 
2362
 
            log.debug("Handshake succeeded")
 
 
2236
            logger.debug("Handshake succeeded")
 
2364
2238
            approval_required = False
 
2366
 
                if gnutls.has_rawpk:
 
2369
 
                        key_id = self.key_id(
 
2370
 
                            self.peer_certificate(session))
 
2371
 
                    except (TypeError, gnutls.Error) as error:
 
2372
 
                        log.warning("Bad certificate: %s", error)
 
2374
 
                    log.debug("Key ID: %s",
 
2375
 
                              key_id.decode("utf-8",
 
2381
 
                        fpr = self.fingerprint(
 
2382
 
                            self.peer_certificate(session))
 
2383
 
                    except (TypeError, gnutls.Error) as error:
 
2384
 
                        log.warning("Bad certificate: %s", error)
 
2386
 
                    log.debug("Fingerprint: %s", fpr)
 
2389
 
                    client = ProxyClient(child_pipe, key_id, fpr,
 
 
2241
                    fpr = self.fingerprint(
 
 
2242
                        self.peer_certificate(session))
 
 
2243
                except (TypeError, gnutls.Error) as error:
 
 
2244
                    logger.warning("Bad certificate: %s", error)
 
 
2246
                logger.debug("Fingerprint: %s", fpr)
 
 
2249
                    client = ProxyClient(child_pipe, fpr,
 
2390
2250
                                         self.client_address)
 
2391
2251
                except KeyError:
 
 
2464
2326
                except gnutls.Error as error:
 
2465
 
                    log.warning("GnuTLS bye failed", exc_info=error)
 
 
2327
                    logger.warning("GnuTLS bye failed",
 
2468
2331
    def peer_certificate(session):
 
2469
 
        "Return the peer's certificate as a bytestring"
 
2471
 
            cert_type = gnutls.certificate_type_get2(
 
2472
 
                session, gnutls.CTYPE_PEERS)
 
2473
 
        except AttributeError:
 
2474
 
            cert_type = gnutls.certificate_type_get(session)
 
2475
 
        if gnutls.has_rawpk:
 
2476
 
            valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
 
2478
 
            valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
 
2479
 
        # If not a valid certificate type...
 
2480
 
        if cert_type not in valid_cert_types:
 
2481
 
            log.info("Cert type %r not in %r", cert_type,
 
 
2332
        "Return the peer's OpenPGP certificate as a bytestring"
 
 
2333
        # If not an OpenPGP certificate...
 
 
2334
        if (gnutls.certificate_type_get(session._c_object)
 
 
2335
            != gnutls.CRT_OPENPGP):
 
2483
2336
            # ...return invalid data
 
2485
2338
        list_size = ctypes.c_uint(1)
 
2486
2339
        cert_list = (gnutls.certificate_get_peers
 
2487
 
                     (session, ctypes.byref(list_size)))
 
 
2340
                     (session._c_object, ctypes.byref(list_size)))
 
2488
2341
        if not bool(cert_list) and list_size.value != 0:
 
2489
2342
            raise gnutls.Error("error getting peer certificate")
 
2490
2343
        if list_size.value == 0:
 
 
2493
2346
        return ctypes.string_at(cert.data, cert.size)
 
2496
 
    def key_id(certificate):
 
2497
 
        "Convert a certificate bytestring to a hexdigit key ID"
 
2498
 
        # New GnuTLS "datum" with the public key
 
2499
 
        datum = gnutls.datum_t(
 
2500
 
            ctypes.cast(ctypes.c_char_p(certificate),
 
2501
 
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2502
 
            ctypes.c_uint(len(certificate)))
 
2503
 
        # XXX all these need to be created in the gnutls "module"
 
2504
 
        # New empty GnuTLS certificate
 
2505
 
        pubkey = gnutls.pubkey_t()
 
2506
 
        gnutls.pubkey_init(ctypes.byref(pubkey))
 
2507
 
        # Import the raw public key into the certificate
 
2508
 
        gnutls.pubkey_import(pubkey,
 
2509
 
                             ctypes.byref(datum),
 
2510
 
                             gnutls.X509_FMT_DER)
 
2511
 
        # New buffer for the key ID
 
2512
 
        buf = ctypes.create_string_buffer(32)
 
2513
 
        buf_len = ctypes.c_size_t(len(buf))
 
2514
 
        # Get the key ID from the raw public key into the buffer
 
2515
 
        gnutls.pubkey_get_key_id(
 
2517
 
            gnutls.KEYID_USE_SHA256,
 
2518
 
            ctypes.cast(ctypes.byref(buf),
 
2519
 
                        ctypes.POINTER(ctypes.c_ubyte)),
 
2520
 
            ctypes.byref(buf_len))
 
2521
 
        # Deinit the certificate
 
2522
 
        gnutls.pubkey_deinit(pubkey)
 
2524
 
        # Convert the buffer to a Python bytestring
 
2525
 
        key_id = ctypes.string_at(buf, buf_len.value)
 
2526
 
        # Convert the bytestring to hexadecimal notation
 
2527
 
        hex_key_id = binascii.hexlify(key_id).upper()
 
2531
2349
    def fingerprint(openpgp):
 
2532
2350
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
 
2533
2351
        # New GnuTLS "datum" with the OpenPGP public key
 
 
2669
2486
                    (self.interface + "\0").encode("utf-8"))
 
2670
2487
            except socket.error as error:
 
2671
2488
                if error.errno == errno.EPERM:
 
2672
 
                    log.error("No permission to bind to interface %s",
 
 
2489
                    logger.error("No permission to bind to"
 
 
2490
                                 " interface %s", self.interface)
 
2674
2491
                elif error.errno == errno.ENOPROTOOPT:
 
2675
 
                    log.error("SO_BINDTODEVICE not available; cannot"
 
2676
 
                              " bind to interface %s", self.interface)
 
 
2492
                    logger.error("SO_BINDTODEVICE not available;"
 
 
2493
                                 " cannot bind to interface %s",
 
2677
2495
                elif error.errno == errno.ENODEV:
 
2678
 
                    log.error("Interface %s does not exist, cannot"
 
2679
 
                              " bind", self.interface)
 
 
2496
                    logger.error("Interface %s does not exist,"
 
 
2497
                                 " cannot bind", self.interface)
 
2682
2500
        # Only bind(2) the socket if we really need to.
 
2683
2501
        if self.server_address[0] or self.server_address[1]:
 
2684
 
            if self.server_address[1]:
 
2685
 
                self.allow_reuse_address = True
 
2686
2502
            if not self.server_address[0]:
 
2687
2503
                if self.address_family == socket.AF_INET6:
 
2688
2504
                    any_address = "::"  # in6addr_any
 
 
2761
2577
        request = parent_pipe.recv()
 
2762
2578
        command = request[0]
 
2764
 
        if command == "init":
 
2765
 
            key_id = request[1].decode("ascii")
 
2766
 
            fpr = request[2].decode("ascii")
 
2767
 
            address = request[3]
 
 
2580
        if command == 'init':
 
 
2581
            fpr = request[1].decode("ascii")
 
 
2582
            address = request[2]
 
2769
2584
            for c in self.clients.values():
 
2770
 
                if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
 
2771
 
                              "27AE41E4649B934CA495991B7852B855"):
 
2773
 
                if key_id and c.key_id == key_id:
 
2776
 
                if fpr and c.fingerprint == fpr:
 
 
2585
                if c.fingerprint == fpr:
 
2780
 
                log.info("Client not found for key ID: %s, address:"
 
2781
 
                         " %s", key_id or fpr, address)
 
 
2589
                logger.info("Client not found for fingerprint: %s, ad"
 
 
2590
                            "dress: %s", fpr, address)
 
2782
2591
                if self.use_dbus:
 
2783
2592
                    # Emit D-Bus signal
 
2784
 
                    mandos_dbus_service.ClientNotFound(key_id or fpr,
 
 
2593
                    mandos_dbus_service.ClientNotFound(fpr,
 
2786
2595
                parent_pipe.send(False)
 
2789
2598
            GLib.io_add_watch(
 
2790
 
                GLib.IOChannel.unix_new(parent_pipe.fileno()),
 
2791
 
                GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
 
 
2599
                parent_pipe.fileno(),
 
 
2600
                GLib.IO_IN | GLib.IO_HUP,
 
2792
2601
                functools.partial(self.handle_ipc,
 
2793
2602
                                  parent_pipe=parent_pipe,
 
 
2826
2635
def rfc3339_duration_to_delta(duration):
 
2827
2636
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
 
2829
 
    >>> timedelta = datetime.timedelta
 
2830
 
    >>> rfc3339_duration_to_delta("P7D") == timedelta(7)
 
2832
 
    >>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
 
2834
 
    >>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
 
2836
 
    >>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
 
2838
 
    >>> rfc3339_duration_to_delta("P1W") == timedelta(7)
 
2840
 
    >>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
 
2842
 
    >>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
 
 
2638
    >>> rfc3339_duration_to_delta("P7D")
 
 
2639
    datetime.timedelta(7)
 
 
2640
    >>> rfc3339_duration_to_delta("PT60S")
 
 
2641
    datetime.timedelta(0, 60)
 
 
2642
    >>> rfc3339_duration_to_delta("PT60M")
 
 
2643
    datetime.timedelta(0, 3600)
 
 
2644
    >>> rfc3339_duration_to_delta("PT24H")
 
 
2645
    datetime.timedelta(1)
 
 
2646
    >>> rfc3339_duration_to_delta("P1W")
 
 
2647
    datetime.timedelta(7)
 
 
2648
    >>> rfc3339_duration_to_delta("PT5M30S")
 
 
2649
    datetime.timedelta(0, 330)
 
 
2650
    >>> rfc3339_duration_to_delta("P1DT3M20S")
 
 
2651
    datetime.timedelta(1, 200)
 
2847
2654
    # Parsing an RFC 3339 duration with regular expressions is not
 
 
2927
2734
def string_to_delta(interval):
 
2928
2735
    """Parse a string and return a datetime.timedelta
 
2930
 
    >>> string_to_delta("7d") == datetime.timedelta(7)
 
2932
 
    >>> string_to_delta("60s") == datetime.timedelta(0, 60)
 
2934
 
    >>> string_to_delta("60m") == datetime.timedelta(0, 3600)
 
2936
 
    >>> string_to_delta("24h") == datetime.timedelta(1)
 
2938
 
    >>> string_to_delta("1w") == datetime.timedelta(7)
 
2940
 
    >>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
 
 
2737
    >>> string_to_delta('7d')
 
 
2738
    datetime.timedelta(7)
 
 
2739
    >>> string_to_delta('60s')
 
 
2740
    datetime.timedelta(0, 60)
 
 
2741
    >>> string_to_delta('60m')
 
 
2742
    datetime.timedelta(0, 3600)
 
 
2743
    >>> string_to_delta('24h')
 
 
2744
    datetime.timedelta(1)
 
 
2745
    >>> string_to_delta('1w')
 
 
2746
    datetime.timedelta(7)
 
 
2747
    >>> string_to_delta('5m 30s')
 
 
2748
    datetime.timedelta(0, 330)
 
 
3330
3134
                        for key, value in
 
3331
3135
                        bytes_old_client_settings.items()}
 
3332
3136
                    del bytes_old_client_settings
 
3333
 
                    # .host and .checker_command
 
3334
3138
                    for value in old_client_settings.values():
 
3335
 
                        for attribute in ("host", "checker_command"):
 
3336
 
                            if isinstance(value[attribute], bytes):
 
3337
 
                                value[attribute] = (value[attribute]
 
 
3139
                        if isinstance(value["host"], bytes):
 
 
3140
                            value["host"] = (value["host"]
 
3339
3142
            os.remove(stored_state_path)
 
3340
3143
        except IOError as e:
 
3341
3144
            if e.errno == errno.ENOENT:
 
3342
 
                log.warning("Could not load persistent state:"
 
3343
 
                            " %s", os.strerror(e.errno))
 
 
3145
                logger.warning("Could not load persistent state:"
 
 
3146
                               " {}".format(os.strerror(e.errno)))
 
3345
 
                log.critical("Could not load persistent state:",
 
 
3148
                logger.critical("Could not load persistent state:",
 
3348
3151
        except EOFError as e:
 
3349
 
            log.warning("Could not load persistent state: EOFError:",
 
 
3152
            logger.warning("Could not load persistent state: "
 
3352
3156
    with PGPEngine() as pgp:
 
3353
3157
        for client_name, client in clients_data.items():
 
 
3380
3184
            if client["enabled"]:
 
3381
3185
                if datetime.datetime.utcnow() >= client["expires"]:
 
3382
3186
                    if not client["last_checked_ok"]:
 
3383
 
                        log.warning("disabling client %s - Client"
 
3384
 
                                    " never performed a successful"
 
3385
 
                                    " checker", client_name)
 
 
3188
                            "disabling client {} - Client never "
 
 
3189
                            "performed a successful checker".format(
 
3386
3191
                        client["enabled"] = False
 
3387
3192
                    elif client["last_checker_status"] != 0:
 
3388
 
                        log.warning("disabling client %s - Client"
 
3389
 
                                    " last checker failed with error"
 
3390
 
                                    " code %s", client_name,
 
3391
 
                                    client["last_checker_status"])
 
 
3194
                            "disabling client {} - Client last"
 
 
3195
                            " checker failed with error code"
 
 
3198
                                client["last_checker_status"]))
 
3392
3199
                        client["enabled"] = False
 
3394
3201
                        client["expires"] = (
 
3395
3202
                            datetime.datetime.utcnow()
 
3396
3203
                            + client["timeout"])
 
3397
 
                        log.debug("Last checker succeeded, keeping %s"
 
3398
 
                                  " enabled", client_name)
 
 
3204
                        logger.debug("Last checker succeeded,"
 
 
3205
                                     " keeping {} enabled".format(
 
3400
3208
                client["secret"] = pgp.decrypt(
 
3401
3209
                    client["encrypted_secret"],
 
3402
3210
                    client_settings[client_name]["secret"])
 
3403
3211
            except PGPError:
 
3404
3212
                # If decryption fails, we use secret from new settings
 
3405
 
                log.debug("Failed to decrypt %s old secret",
 
 
3213
                logger.debug("Failed to decrypt {} old secret".format(
 
3407
3215
                client["secret"] = (client_settings[client_name]
 
 
3656
3465
                service.activate()
 
3657
3466
            except dbus.exceptions.DBusException as error:
 
3658
 
                log.critical("D-Bus Exception", exc_info=error)
 
 
3467
                logger.critical("D-Bus Exception", exc_info=error)
 
3661
3470
            # End of Avahi example code
 
3664
 
            GLib.IOChannel.unix_new(tcp_server.fileno()),
 
3665
 
            GLib.PRIORITY_DEFAULT, GLib.IO_IN,
 
3666
 
            lambda *args, **kwargs: (tcp_server.handle_request
 
3667
 
                                     (*args[2:], **kwargs) or True))
 
 
3472
        GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
 
 
3473
                          lambda *args, **kwargs:
 
 
3474
                          (tcp_server.handle_request
 
 
3475
                           (*args[2:], **kwargs) or True))
 
3669
 
        log.debug("Starting main loop")
 
 
3477
        logger.debug("Starting main loop")
 
3670
3478
        main_loop.run()
 
3671
3479
    except AvahiError as error:
 
3672
 
        log.critical("Avahi Error", exc_info=error)
 
 
3480
        logger.critical("Avahi Error", exc_info=error)
 
3675
3483
    except KeyboardInterrupt:
 
3677
3485
            print("", file=sys.stderr)
 
3678
 
        log.debug("Server received KeyboardInterrupt")
 
3679
 
    log.debug("Server exiting")
 
 
3486
        logger.debug("Server received KeyboardInterrupt")
 
 
3487
    logger.debug("Server exiting")
 
3680
3488
    # Must run before the D-Bus bus name gets deregistered
 
3684
 
def parse_test_args():
 
3685
 
    # type: () -> argparse.Namespace
 
3686
 
    parser = argparse.ArgumentParser(add_help=False)
 
3687
 
    parser.add_argument("--check", action="store_true")
 
3688
 
    parser.add_argument("--prefix", )
 
3689
 
    args, unknown_args = parser.parse_known_args()
 
3691
 
        # Remove test options from sys.argv
 
3692
 
        sys.argv[1:] = unknown_args
 
3695
 
# Add all tests from doctest strings
 
3696
 
def load_tests(loader, tests, none):
 
3698
 
    tests.addTests(doctest.DocTestSuite())
 
3701
 
if __name__ == "__main__":
 
3702
 
    options = parse_test_args()
 
3705
 
            extra_test_prefix = options.prefix
 
3706
 
            if extra_test_prefix is not None:
 
3707
 
                if not (unittest.main(argv=[""], exit=False)
 
3708
 
                        .result.wasSuccessful()):
 
3710
 
                class ExtraTestLoader(unittest.TestLoader):
 
3711
 
                    testMethodPrefix = extra_test_prefix
 
3712
 
                # Call using ./scriptname --test [--verbose]
 
3713
 
                unittest.main(argv=[""], testLoader=ExtraTestLoader())
 
3715
 
                unittest.main(argv=[""])
 
3723
 
# (lambda (&optional extra)
 
3724
 
#   (if (not (funcall run-tests-in-test-buffer default-directory
 
3726
 
#       (funcall show-test-buffer-in-test-window)
 
3727
 
#     (funcall remove-test-window)
 
3728
 
#     (if extra (message "Extra tests run successfully!"))))
 
3729
 
# run-tests-in-test-buffer:
 
3730
 
# (lambda (dir &optional extra)
 
3731
 
#   (with-current-buffer (get-buffer-create "*Test*")
 
3732
 
#     (setq buffer-read-only nil
 
3733
 
#           default-directory dir)
 
3735
 
#     (compilation-mode))
 
3736
 
#   (let ((process-result
 
3737
 
#          (let ((inhibit-read-only t))
 
3738
 
#            (process-file-shell-command
 
3739
 
#             (funcall get-command-line extra) nil "*Test*"))))
 
3740
 
#     (and (numberp process-result)
 
3741
 
#          (= process-result 0))))
 
3743
 
# (lambda (&optional extra)
 
3744
 
#   (let ((quoted-script
 
3745
 
#          (shell-quote-argument (funcall get-script-name))))
 
3747
 
#      (concat "%s --check" (if extra " --prefix=atest" ""))
 
3751
 
#   (if (fboundp 'file-local-name)
 
3752
 
#       (file-local-name (buffer-file-name))
 
3753
 
#     (or (file-remote-p (buffer-file-name) 'localname)
 
3754
 
#         (buffer-file-name))))
 
3755
 
# remove-test-window:
 
3757
 
#   (let ((test-window (get-buffer-window "*Test*")))
 
3758
 
#     (if test-window (delete-window test-window))))
 
3759
 
# show-test-buffer-in-test-window:
 
3761
 
#   (when (not (get-buffer-window-list "*Test*"))
 
3762
 
#     (setq next-error-last-buffer (get-buffer "*Test*"))
 
3763
 
#     (let* ((side (if (>= (window-width) 146) 'right 'bottom))
 
3764
 
#            (display-buffer-overriding-action
 
3765
 
#             `((display-buffer-in-side-window) (side . ,side)
 
3766
 
#               (window-height . fit-window-to-buffer)
 
3767
 
#               (window-width . fit-window-to-buffer))))
 
3768
 
#       (display-buffer "*Test*"))))
 
3771
 
#   (let* ((run-extra-tests (lambda () (interactive)
 
3772
 
#                             (funcall run-tests t)))
 
3773
 
#          (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
 
3774
 
#          (outer-keymap `(keymap (3 . ,inner-keymap))))     ; C-c
 
3775
 
#     (setq minor-mode-overriding-map-alist
 
3776
 
#           (cons `(run-tests . ,outer-keymap)
 
3777
 
#                 minor-mode-overriding-map-alist)))
 
3778
 
#   (add-hook 'after-save-hook run-tests 90 t))
 
 
3492
if __name__ == '__main__':