To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1167
- compare with another revision
- download diff
- download tarball
- view history from revision 1167
- Committer: Teddy Hogeborn
- Date: 2019-08-24 14:52:59 UTC
- Revision ID: teddy@recompile.se-20190824145259-ifatm1r12kyp4z25
Server: Use new GLib.io_add_watch() call signature
* INSTALL: Increase version requirement of PyGObject to 3.8.
* mandos: When calling GLib.io_add_watch(), always pass priority as
the second argument, which is supported by PyGObject 3.8 or
later.
* INSTALL: Increase version requirement of PyGObject to 3.8.
* mandos: When calling GLib.io_add_watch(), always pass priority as
the second argument, which is supported by PyGObject 3.8 or
later.
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2017 Teddy Hogeborn
15
# Copyright © 2008-2017 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
30
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
33
#
76
77
import itertools
77
78
import collections
78
79
import codecs
80
import unittest
79
81
80
82
import dbus
81
83
import dbus.service
84
import gi
82
85
from gi.repository import GLib
83
86
from dbus.mainloop.glib import DBusGMainLoop
84
87
import ctypes
86
89
import xml.dom.minidom
87
90
import inspect
88
91
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
95
# Show warnings by default
96
if not sys.warnoptions:
97
import warnings
98
warnings.simplefilter("default")
99
89
100
# Try to find the value of SO_BINDTODEVICE:
90
101
try:
91
102
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
114
125
if sys.version_info.major == 2:
115
126
str = unicode
116
127
117
version = "1.7.15"
128
if sys.version_info < (3, 2):
129
configparser.Configparser = configparser.SafeConfigParser
130
131
version = "1.8.8"
118
132
stored_state_file = "clients.pickle"
119
133
120
134
logger = logging.getLogger()
135
logging.captureWarnings(True) # Show warnings via the logging system
121
136
syslogger = None
122
137
123
138
try:
178
193
pass
179
194
180
195
181
class PGPEngine(object):
196
class PGPEngine:
182
197
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
198
184
199
def __init__(self):
274
289
275
290
276
291
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
292
class avahi:
293
"""This isn't so much a class as it is a module-like namespace."""
280
294
IF_UNSPEC = -1 # avahi-common/address.h
281
295
PROTO_UNSPEC = -1 # avahi-common/address.h
282
296
PROTO_INET = 0 # avahi-common/address.h
286
300
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
301
DBUS_PATH_SERVER = "/"
288
302
289
def string_array_to_txt_array(self, t):
303
@staticmethod
304
def string_array_to_txt_array(t):
290
305
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
306
for s in t), signature="ay")
292
307
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
297
312
SERVER_RUNNING = 2 # avahi-common/defs.h
298
313
SERVER_COLLISION = 3 # avahi-common/defs.h
299
314
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
315
302
316
303
317
class AvahiError(Exception):
315
329
pass
316
330
317
331
318
class AvahiService(object):
332
class AvahiService:
319
333
"""An Avahi (Zeroconf) service.
320
334
321
335
Attributes:
495
509
class AvahiServiceToSyslog(AvahiService):
496
510
def rename(self, *args, **kwargs):
497
511
"""Add the new name to the syslog messages"""
498
ret = AvahiService.rename(self, *args, **kwargs)
512
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
499
513
syslogger.setFormatter(logging.Formatter(
500
514
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
515
.format(self.name)))
503
517
504
518
505
519
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
520
class gnutls:
521
"""This isn't so much a class as it is a module-like namespace."""
509
522
510
523
library = ctypes.util.find_library("gnutls")
511
524
if library is None:
512
525
library = ctypes.util.find_library("gnutls-deb0")
513
526
_library = ctypes.cdll.LoadLibrary(library)
514
527
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
528
524
529
# Unless otherwise indicated, the constants and types below are
525
530
# all from the gnutls/gnutls.h C header file.
529
534
E_INTERRUPTED = -52
530
535
E_AGAIN = -28
531
536
CRT_OPENPGP = 2
537
CRT_RAWPK = 3
532
538
CLIENT = 2
533
539
SHUT_RDWR = 0
534
540
CRD_CERTIFICATE = 1
535
541
E_NO_CERTIFICATE_FOUND = -49
542
X509_FMT_DER = 0
543
NO_TICKETS = 1<<10
544
ENABLE_RAWPK = 1<<18
545
CTYPE_PEERS = 3
546
KEYID_USE_SHA256 = 1 # gnutls/x509.h
536
547
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
548
538
549
# Types
561
572
562
573
# Exceptions
563
574
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
575
def __init__(self, message=None, code=None, args=()):
569
576
# Default usage is by a message string, but if a return
570
577
# code is passed, convert it to a string with
571
578
# gnutls.strerror()
572
579
self.code = code
573
580
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
581
message = gnutls.strerror(code)
582
return super(gnutls.Error, self).__init__(
576
583
message, *args)
577
584
578
585
class CertificateSecurityError(Error):
579
586
pass
580
587
581
588
# Classes
582
class Credentials(object):
589
class Credentials:
583
590
def __init__(self):
584
591
self._c_object = gnutls.certificate_credentials_t()
585
592
gnutls.certificate_allocate_credentials(
589
596
def __del__(self):
590
597
gnutls.certificate_free_credentials(self._c_object)
591
598
592
class ClientSession(object):
599
class ClientSession:
593
600
def __init__(self, socket, credentials=None):
594
601
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
602
gnutls_flags = gnutls.CLIENT
603
if gnutls.check_version(b"3.5.6"):
604
gnutls_flags |= gnutls.NO_TICKETS
605
if gnutls.has_rawpk:
606
gnutls_flags |= gnutls.ENABLE_RAWPK
607
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
608
del gnutls_flags
596
609
gnutls.set_default_priority(self._c_object)
597
610
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
611
gnutls.handshake_set_private_extensions(self._c_object,
730
743
check_version.argtypes = [ctypes.c_char_p]
731
744
check_version.restype = ctypes.c_char_p
732
745
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
746
_need_version = b"3.3.0"
747
if check_version(_need_version) is None:
748
raise self.Error("Needs GnuTLS {} or later"
749
.format(_need_version))
750
751
_tls_rawpk_version = b"3.6.6"
752
has_rawpk = bool(check_version(_tls_rawpk_version))
753
754
if has_rawpk:
755
# Types
756
class pubkey_st(ctypes.Structure):
757
_fields = []
758
pubkey_t = ctypes.POINTER(pubkey_st)
759
760
x509_crt_fmt_t = ctypes.c_int
761
762
# All the function declarations below are from gnutls/abstract.h
763
pubkey_init = _library.gnutls_pubkey_init
764
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
765
pubkey_init.restype = _error_code
766
767
pubkey_import = _library.gnutls_pubkey_import
768
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
769
x509_crt_fmt_t]
770
pubkey_import.restype = _error_code
771
772
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
773
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
774
ctypes.POINTER(ctypes.c_ubyte),
775
ctypes.POINTER(ctypes.c_size_t)]
776
pubkey_get_key_id.restype = _error_code
777
778
pubkey_deinit = _library.gnutls_pubkey_deinit
779
pubkey_deinit.argtypes = [pubkey_t]
780
pubkey_deinit.restype = None
781
else:
782
# All the function declarations below are from gnutls/openpgp.h
783
784
openpgp_crt_init = _library.gnutls_openpgp_crt_init
785
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
786
openpgp_crt_init.restype = _error_code
787
788
openpgp_crt_import = _library.gnutls_openpgp_crt_import
789
openpgp_crt_import.argtypes = [openpgp_crt_t,
790
ctypes.POINTER(datum_t),
791
openpgp_crt_fmt_t]
792
openpgp_crt_import.restype = _error_code
793
794
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
795
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
796
ctypes.POINTER(ctypes.c_uint)]
797
openpgp_crt_verify_self.restype = _error_code
798
799
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
800
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
801
openpgp_crt_deinit.restype = None
802
803
openpgp_crt_get_fingerprint = (
804
_library.gnutls_openpgp_crt_get_fingerprint)
805
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
806
ctypes.c_void_p,
807
ctypes.POINTER(
808
ctypes.c_size_t)]
809
openpgp_crt_get_fingerprint.restype = _error_code
810
811
if check_version(b"3.6.4"):
812
certificate_type_get2 = _library.gnutls_certificate_type_get2
813
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
814
certificate_type_get2.restype = _error_code
761
815
762
816
# Remove non-public functions
763
817
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
766
818
767
819
768
820
def call_pipe(connection, # : multiprocessing.Connection
776
828
connection.close()
777
829
778
830
779
class Client(object):
831
class Client:
780
832
"""A representation of a client host served by this server.
781
833
782
834
Attributes:
783
835
approved: bool(); 'None' if not yet approved/disapproved
784
836
approval_delay: datetime.timedelta(); Time to wait for approval
785
837
approval_duration: datetime.timedelta(); Duration of one approval
786
checker: subprocess.Popen(); a running checker process used
787
to see if the client lives.
788
'None' if no process is running.
838
checker: multiprocessing.Process(); a running checker process used
839
to see if the client lives. 'None' if no process is
840
running.
789
841
checker_callback_tag: a GLib event source tag, or None
790
842
checker_command: string; External command which is run to check
791
843
if client lives. %() expansions are done at
799
851
disable_initiator_tag: a GLib event source tag, or None
800
852
enabled: bool()
801
853
fingerprint: string (40 or 32 hexadecimal digits); used to
802
uniquely identify the client
854
uniquely identify an OpenPGP client
855
key_id: string (64 hexadecimal digits); used to uniquely identify
856
a client using raw public keys
803
857
host: string; available for use by the checker command
804
858
interval: datetime.timedelta(); How often to start a new checker
805
859
last_approval_request: datetime.datetime(); (UTC) or None
823
877
"""
824
878
825
879
runtime_expansions = ("approval_delay", "approval_duration",
826
"created", "enabled", "expires",
880
"created", "enabled", "expires", "key_id",
827
881
"fingerprint", "host", "interval",
828
882
"last_approval_request", "last_checked_ok",
829
883
"last_enabled", "name", "timeout")
859
913
client["enabled"] = config.getboolean(client_name,
860
914
"enabled")
861
915
862
# Uppercase and remove spaces from fingerprint for later
863
# comparison purposes with return value from the
864
# fingerprint() function
916
# Uppercase and remove spaces from key_id and fingerprint
917
# for later comparison purposes with return value from the
918
# key_id() and fingerprint() functions
919
client["key_id"] = (section.get("key_id", "").upper()
920
.replace(" ", ""))
865
921
client["fingerprint"] = (section["fingerprint"].upper()
866
922
.replace(" ", ""))
867
923
if "secret" in section:
911
967
self.expires = None
912
968
913
969
logger.debug("Creating client %r", self.name)
970
logger.debug(" Key ID: %s", self.key_id)
914
971
logger.debug(" Fingerprint: %s", self.fingerprint)
915
972
self.created = settings.get("created",
916
973
datetime.datetime.utcnow())
993
1050
def checker_callback(self, source, condition, connection,
994
1051
command):
995
1052
"""The checker has completed, so take appropriate actions."""
996
self.checker_callback_tag = None
997
self.checker = None
998
1053
# Read return code from connection (see call_pipe)
999
1054
returncode = connection.recv()
1000
1055
connection.close()
1056
self.checker.join()
1057
self.checker_callback_tag = None
1058
self.checker = None
1001
1059
1002
1060
if returncode >= 0:
1003
1061
self.last_checker_status = returncode
1092
1150
kwargs=popen_args)
1093
1151
self.checker.start()
1094
1152
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
1153
pipe[0].fileno(), GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1096
1154
self.checker_callback, pipe[0], command)
1097
1155
# Re-run this periodically if run by GLib.timeout_add
1098
1156
return True
1998
2056
def Name_dbus_property(self):
1999
2057
return dbus.String(self.name)
2000
2058
2059
# KeyID - property
2060
@dbus_annotations(
2061
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2062
@dbus_service_property(_interface, signature="s", access="read")
2063
def KeyID_dbus_property(self):
2064
return dbus.String(self.key_id)
2065
2001
2066
# Fingerprint - property
2002
2067
@dbus_annotations(
2003
2068
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2158
2223
del _interface
2159
2224
2160
2225
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2226
class ProxyClient:
2227
def __init__(self, child_pipe, key_id, fpr, address):
2163
2228
self._pipe = child_pipe
2164
self._pipe.send(('init', fpr, address))
2229
self._pipe.send(('init', key_id, fpr, address))
2165
2230
if not self._pipe.recv():
2166
raise KeyError(fpr)
2231
raise KeyError(key_id or fpr)
2167
2232
2168
2233
def __getattribute__(self, name):
2169
2234
if name == '_pipe':
2236
2301
2237
2302
approval_required = False
2238
2303
try:
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2304
if gnutls.has_rawpk:
2305
fpr = b""
2306
try:
2307
key_id = self.key_id(
2308
self.peer_certificate(session))
2309
except (TypeError, gnutls.Error) as error:
2310
logger.warning("Bad certificate: %s", error)
2311
return
2312
logger.debug("Key ID: %s", key_id)
2313
2314
else:
2315
key_id = b""
2316
try:
2317
fpr = self.fingerprint(
2318
self.peer_certificate(session))
2319
except (TypeError, gnutls.Error) as error:
2320
logger.warning("Bad certificate: %s", error)
2321
return
2322
logger.debug("Fingerprint: %s", fpr)
2323
2324
try:
2325
client = ProxyClient(child_pipe, key_id, fpr,
2249
2326
self.client_address)
2250
2327
except KeyError:
2251
2328
return
2328
2405
2329
2406
@staticmethod
2330
2407
def peer_certificate(session):
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2408
"Return the peer's certificate as a bytestring"
2409
try:
2410
cert_type = gnutls.certificate_type_get2(session._c_object,
2411
gnutls.CTYPE_PEERS)
2412
except AttributeError:
2413
cert_type = gnutls.certificate_type_get(session._c_object)
2414
if gnutls.has_rawpk:
2415
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2416
else:
2417
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2418
# If not a valid certificate type...
2419
if cert_type not in valid_cert_types:
2420
logger.info("Cert type %r not in %r", cert_type,
2421
valid_cert_types)
2335
2422
# ...return invalid data
2336
2423
return b""
2337
2424
list_size = ctypes.c_uint(1)
2345
2432
return ctypes.string_at(cert.data, cert.size)
2346
2433
2347
2434
@staticmethod
2435
def key_id(certificate):
2436
"Convert a certificate bytestring to a hexdigit key ID"
2437
# New GnuTLS "datum" with the public key
2438
datum = gnutls.datum_t(
2439
ctypes.cast(ctypes.c_char_p(certificate),
2440
ctypes.POINTER(ctypes.c_ubyte)),
2441
ctypes.c_uint(len(certificate)))
2442
# XXX all these need to be created in the gnutls "module"
2443
# New empty GnuTLS certificate
2444
pubkey = gnutls.pubkey_t()
2445
gnutls.pubkey_init(ctypes.byref(pubkey))
2446
# Import the raw public key into the certificate
2447
gnutls.pubkey_import(pubkey,
2448
ctypes.byref(datum),
2449
gnutls.X509_FMT_DER)
2450
# New buffer for the key ID
2451
buf = ctypes.create_string_buffer(32)
2452
buf_len = ctypes.c_size_t(len(buf))
2453
# Get the key ID from the raw public key into the buffer
2454
gnutls.pubkey_get_key_id(pubkey,
2455
gnutls.KEYID_USE_SHA256,
2456
ctypes.cast(ctypes.byref(buf),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.byref(buf_len))
2459
# Deinit the certificate
2460
gnutls.pubkey_deinit(pubkey)
2461
2462
# Convert the buffer to a Python bytestring
2463
key_id = ctypes.string_at(buf, buf_len.value)
2464
# Convert the bytestring to hexadecimal notation
2465
hex_key_id = binascii.hexlify(key_id).upper()
2466
return hex_key_id
2467
2468
@staticmethod
2348
2469
def fingerprint(openpgp):
2349
2470
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2350
2471
# New GnuTLS "datum" with the OpenPGP public key
2364
2485
ctypes.byref(crtverify))
2365
2486
if crtverify.value != 0:
2366
2487
gnutls.openpgp_crt_deinit(crt)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2488
raise gnutls.CertificateSecurityError(code
2489
=crtverify.value)
2368
2490
# New buffer for the fingerprint
2369
2491
buf = ctypes.create_string_buffer(20)
2370
2492
buf_len = ctypes.c_size_t()
2380
2502
return hex_fpr
2381
2503
2382
2504
2383
class MultiprocessingMixIn(object):
2505
class MultiprocessingMixIn:
2384
2506
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2385
2507
2386
2508
def sub_process_main(self, request, address):
2398
2520
return proc
2399
2521
2400
2522
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2523
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2402
2524
""" adds a pipe to the MixIn """
2403
2525
2404
2526
def process_request(self, request, client_address):
2419
2541
2420
2542
2421
2543
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2422
socketserver.TCPServer, object):
2544
socketserver.TCPServer):
2423
2545
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2424
2546
2425
2547
Attributes:
2498
2620
raise
2499
2621
# Only bind(2) the socket if we really need to.
2500
2622
if self.server_address[0] or self.server_address[1]:
2623
if self.server_address[1]:
2624
self.allow_reuse_address = True
2501
2625
if not self.server_address[0]:
2502
2626
if self.address_family == socket.AF_INET6:
2503
2627
any_address = "::" # in6addr_any
2556
2680
def add_pipe(self, parent_pipe, proc):
2557
2681
# Call "handle_ipc" for both data and EOF events
2558
2682
GLib.io_add_watch(
2559
parent_pipe.fileno(),
2683
parent_pipe.fileno(), GLib.PRIORITY_DEFAULT,
2560
2684
GLib.IO_IN | GLib.IO_HUP,
2561
2685
functools.partial(self.handle_ipc,
2562
2686
parent_pipe=parent_pipe,
2577
2701
command = request[0]
2578
2702
2579
2703
if command == 'init':
2580
fpr = request[1]
2581
address = request[2]
2704
key_id = request[1].decode("ascii")
2705
fpr = request[2].decode("ascii")
2706
address = request[3]
2582
2707
2583
2708
for c in self.clients.values():
2584
if c.fingerprint == fpr:
2709
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2710
continue
2711
if key_id and c.key_id == key_id:
2712
client = c
2713
break
2714
if fpr and c.fingerprint == fpr:
2585
2715
client = c
2586
2716
break
2587
2717
else:
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2718
logger.info("Client not found for key ID: %s, address"
2719
": %s", key_id or fpr, address)
2590
2720
if self.use_dbus:
2591
2721
# Emit D-Bus signal
2592
mandos_dbus_service.ClientNotFound(fpr,
2722
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2723
address[0])
2594
2724
parent_pipe.send(False)
2595
2725
return False
2596
2726
2597
2727
GLib.io_add_watch(
2598
parent_pipe.fileno(),
2728
parent_pipe.fileno(), GLib.PRIORITY_DEFAULT,
2599
2729
GLib.IO_IN | GLib.IO_HUP,
2600
2730
functools.partial(self.handle_ipc,
2601
2731
parent_pipe=parent_pipe,
2852
2982
2853
2983
options = parser.parse_args()
2854
2984
2855
if options.check:
2856
import doctest
2857
fail_count, test_count = doctest.testmod()
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2860
2985
# Default values for config file for server-global settings
2986
if gnutls.has_rawpk:
2987
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2988
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2989
else:
2990
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2991
":+SIGN-DSA-SHA256")
2861
2992
server_defaults = {"interface": "",
2862
2993
"address": "",
2863
2994
"port": "",
2864
2995
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
2996
"priority": priority,
2868
2997
"servicename": "Mandos",
2869
2998
"use_dbus": "True",
2870
2999
"use_ipv6": "True",
2875
3004
"foreground": "False",
2876
3005
"zeroconf": "True",
2877
3006
}
3007
del priority
2878
3008
2879
3009
# Parse config file for server-global settings
2880
server_config = configparser.SafeConfigParser(server_defaults)
3010
server_config = configparser.ConfigParser(server_defaults)
2881
3011
del server_defaults
2882
3012
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2883
# Convert the SafeConfigParser object to a dict
3013
# Convert the ConfigParser object to a dict
2884
3014
server_settings = server_config.defaults()
2885
3015
# Use the appropriate methods on the non-string config options
2886
3016
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2958
3088
server_settings["servicename"])))
2959
3089
2960
3090
# Parse config file with clients
2961
client_config = configparser.SafeConfigParser(Client
2962
.client_defaults)
3091
client_config = configparser.ConfigParser(Client.client_defaults)
2963
3092
client_config.read(os.path.join(server_settings["configdir"],
2964
3093
"clients.conf"))
2965
3094
3036
3165
# Close all input and output, do double fork, etc.
3037
3166
daemon()
3038
3167
3039
# multiprocessing will use threads, so before we use GLib we need
3040
# to inform GLib that threads will be used.
3041
GLib.threads_init()
3168
if gi.version_info < (3, 10, 2):
3169
# multiprocessing will use threads, so before we use GLib we
3170
# need to inform GLib that threads will be used.
3171
GLib.threads_init()
3042
3172
3043
3173
global main_loop
3044
3174
# From the Avahi example code
3124
3254
for k in ("name", "host"):
3125
3255
if isinstance(value[k], bytes):
3126
3256
value[k] = value[k].decode("utf-8")
3257
if "key_id" not in value:
3258
value["key_id"] = ""
3259
elif "fingerprint" not in value:
3260
value["fingerprint"] = ""
3127
3261
# old_client_settings
3128
3262
# .keys()
3129
3263
old_client_settings = {
3266
3400
pass
3267
3401
3268
3402
@dbus.service.signal(_interface, signature="ss")
3269
def ClientNotFound(self, fingerprint, address):
3403
def ClientNotFound(self, key_id, address):
3270
3404
"D-Bus signal"
3271
3405
pass
3272
3406
3468
3602
sys.exit(1)
3469
3603
# End of Avahi example code
3470
3604
3471
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3605
GLib.io_add_watch(tcp_server.fileno(), GLib.PRIORITY_DEFAULT,
3606
GLib.IO_IN,
3472
3607
lambda *args, **kwargs:
3473
3608
(tcp_server.handle_request
3474
3609
(*args[2:], **kwargs) or True))
3487
3622
# Must run before the D-Bus bus name gets deregistered
3488
3623
cleanup()
3489
3624
3625
3626
def should_only_run_tests():
3627
parser = argparse.ArgumentParser(add_help=False)
3628
parser.add_argument("--check", action='store_true')
3629
args, unknown_args = parser.parse_known_args()
3630
run_tests = args.check
3631
if run_tests:
3632
# Remove --check argument from sys.argv
3633
sys.argv[1:] = unknown_args
3634
return run_tests
3635
3636
# Add all tests from doctest strings
3637
def load_tests(loader, tests, none):
3638
import doctest
3639
tests.addTests(doctest.DocTestSuite())
3640
return tests
3490
3641
3491
3642
if __name__ == '__main__':
3492
main()
3643
try:
3644
if should_only_run_tests():
3645
# Call using ./mandos --check [--verbose]
3646
unittest.main()
3647
else:
3648
main()
3649
finally:
3650
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0