diff --git a/setstatus.py b/setstatus.py index b250f88..e3a2b1c 100755 --- a/setstatus.py +++ b/setstatus.py @@ -10,6 +10,7 @@ # input is 0 or 1. import socket +import ssl from sys import exit, argv, byteorder @@ -51,8 +52,12 @@ def read_argument(): def main(*status): - HOST = 'nr18.space' + HOST = 'localhost' PORT = 10001 + SERVER_NAME = 'server.status.kraut.space' + CLIENT_CERT = './certs/client.crt' + CLIENT_KEY = './certs/client.key' + SERVER_CERT = './certs/server.crt' BOM = byteorder STATUS = None RESPONSE = None @@ -69,21 +74,35 @@ def main(*status): if STATUS == None: STATUS = read_argument() + context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile = SERVER_CERT) + context.options &= ~ssl.PROTOCOL_TLS + context.verify_mode = ssl.CERT_OPTIONAL + # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS') + context.load_cert_chain(certfile = CLIENT_CERT, keyfile = CLIENT_KEY) + print('SSL context created') + with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: print('Socket created') try: - mySocket.connect((HOST, PORT)) + conn = context.wrap_socket(mySocket, server_side = False, \ + server_hostname = SERVER_NAME) + print('Connection wrapped with ssl.context') except Exception as e: - print('{}'.format(e)) + print('Context wrapper failed: [}'.format(e)) + try: + conn.connect((HOST, PORT)) + print('SSL established: {}'.format(conn.getpeercert())) + except Exception as e: + print('SSL handshake failed: {}'.format(e)) exit(1) try: print('Send new status: {}'.format(STATUS)) - mySocket.send(STATUS) + conn.send(STATUS) except Exception as e: print('Error: {}'.format(e)) exit(2) try: - RESPONSE = mySocket.recv(1) + RESPONSE = conn.recv(1) print('Server returns: {}'.format(RESPONSE)) if RESPONSE == STATUS: print('Status sucessfull updated') diff --git a/statusd.conf b/statusd.conf index 1559167..d5539f6 100644 --- a/statusd.conf +++ b/statusd.conf @@ -5,17 +5,22 @@ # host, where server lives (string with fqdn or ipv4). default ist # localhost. -HOST = 127.0.0.1 +HOST = '127.0.0.1' # port, where the server is listen. default is 100001 PORT = 10001 -# path for ssl key and certificate. default ist current directory. -# CERT = './certs/certificate.pem' -KEY = ./certs/key.pem +# timeout for connection +TIMEOUT = 5 -# path to api file -API = ./api +# path for ssl keys and certificates. default is the current directory. +SERVER_CERT = './certs/server.crt' +SERVER_KEY = './certs/server.key' +CLIENT_CERT = './certs/client.crt' + +# path to api files +API_TEMPLATE = './api_template' +API = './api' # loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment. -# VERBOSITY = 'debug' +VERBOSITY = 'error' diff --git a/statusd.conf.template b/statusd.conf.template new file mode 100644 index 0000000..9d53801 --- /dev/null +++ b/statusd.conf.template @@ -0,0 +1,26 @@ +# file: statusd.conf + +# Configuration file for the server, who is manage the api for door status +# from krautspace jena. + +# host, where server lives (string with fqdn or ipv4). default ist +# localhost. +HOST = 'localhost' + +# port, where the server is listen. default is 100001 +PORT = 10001 + +# timeout for connection +TIMEOUT = 5 + +# path for ssl keys and certificates. default is the current directory. +SERVER_CERT = './server.crt' +SERVER_KEY = './server.key' +CLIENT_CERT = './client.crt' + +# path to api files +API_TEMPLATE = './api_template' +API = '/path/to//api' + +# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment. +VERBOSITY = 'info' diff --git a/statusd.py b/statusd.py index cab0926..f3060f4 100755 --- a/statusd.py +++ b/statusd.py @@ -4,9 +4,11 @@ # date: 26.07.2019 # email: berhsi@web.de -# server, who listen for ipv4 connections at port 10001. +# server, who listen for ipv4 connections at port 10001. now with ssl +# encrypted connection and client side authentication. import socket +import ssl import os import logging import json @@ -28,10 +30,11 @@ def read_config(CONFIGFILE, CONFIG): logging.debug('Configfile successfull read') for line in config.readlines(): if not line[0] in ('#', ';', '\n', '\r'): - logging.debug('Read entry') key, value = (line.strip().split('=')) - CONFIG[key.upper().strip()] = value.strip() - logging.debug('Set {} to {}'.format(key.upper().strip(), value.strip())) + key = strip_argument(key).upper() + value = strip_argument(value) + CONFIG[key] = value + logging.debug('Set {} to {}'.format(key, value)) else: logging.error('Failed to read {}'.format(CONFIGFILE)) logging.error('Using default values') @@ -39,6 +42,32 @@ def read_config(CONFIGFILE, CONFIG): return True +def certs_readable(config): + ''' + checks at start, if the needed certificates defined (no nullstring) and readable. + param 1: dictionary + return: boolean + ''' + for i in (config['SERVER_KEY'], config['SERVER_CERT'], config['CLIENT_CERT']): + if i == '' or os.access(i, os.R_OK) == False: + logging.error('Cant read {}'.format(i)) + return False + return True + + +def strip_argument(argument): + ''' + Becomes a string and strips at first whitespaces, second apostrops and + returns the clear string. + param 1: string + return: string + ''' + argument = argument.strip() + argument = argument.strip('"') + argument = argument.strip("'") + return argument + + def print_config(CONFIG): ''' Prints the used configuration, if loglevel ist debug. @@ -51,14 +80,21 @@ def print_config(CONFIG): return True +def display_peercert(cert): + for i in cert.keys(): + print(i) + for j in cert[i]: + print('\t{}'.format(j)) + return + + def receive_buffer_is_valid(raw_data): ''' checks, if the received buffer from the connection is valid or not. param 1: byte return: boolean ''' - data = bytes2int(raw_data) - if data == 0 or data == 1: + if raw_data == b'\x00' or raw_data == b'\x01': logging.debug('Argument is valid: {}'.format(raw_data)) return True else: @@ -66,23 +102,6 @@ def receive_buffer_is_valid(raw_data): return False -def bytes2int(raw_data): - ''' - Convert a given byte value into a integer. If it is possible, it returns - the integer, otherwise false. - param 1: byte - return: integer or false - ''' - bom = byteorder - - try: - data = int.from_bytes(raw_data, bom) - except Exception as e: - logging.error('Unabele to convert raw data to int: {}'.format(raw_data)) - return False - return data - - def change_status(raw_data, api): ''' Becomes the received byte and the path to API file. Grabs the content of @@ -149,33 +168,62 @@ def set_values(raw_data): return: tuple ''' timestamp = str(time()).split('.')[0] - callback = bytes2int(raw_data) - if callback == 1: + if raw_data == b'\x01': status = "true" else: status = "false" + logging.debug('Set values for timestamp: {} and status: {}'.format(timestamp, status)) return (status, timestamp) def main(): ''' - The main function - opens a socket und listen for connections. + The main function - opens a socket, create a ssl context, load certs and + listen for connections. at ssl context we set some security options like + OP_NO_SSLv2 (SSLv3): they are insecure + PROTOCOL_TLS: only use tls + OP_NO_COMPRESSION: prevention against crime attack + OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389) + ''' CONFIG = { 'HOST': 'localhost', 'PORT': 10001, - 'CERT': None, - 'KEY' : None, + 'SERVER_CERT': './server.crt', + 'SERVER_KEY' : './server.key', + 'CLIENT_CERT': './client.crt', 'TIMEOUT': 3.0, - 'API': './api' + 'API': './api', + 'API_TEMPLATE': './api_template', + 'VERBOSITY': 'info' } CONFIG_FILE = './statusd.conf' + FINGERPRINT = \ + '35:8E:35:FA:58:0A:DD:2B:C8:6A:F9:EA:A3:7B:10:F5:62:89:AB:D0:AB:53:3E:B5:8B:AB:E1:23:CF:93:F5:F9' loglevel = logging.DEBUG - logging.basicConfig(format='%(levelname)s: %(asctime)s: %(message)s', level=loglevel) + logging.basicConfig(format='%(levelname)s: %(message)s', level=loglevel) read_config(CONFIG_FILE, CONFIG) print_config(CONFIG) + if certs_readable(CONFIG) == False: + logging.error('Cert check failed\nExit') + exit() + + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.options &= ~ssl.OP_NO_SSLv2 + context.options &= ~ssl.OP_NO_SSLv3 + context.options &= ~ssl.PROTOCOL_TLS + context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE + # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS + context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0) + # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS') + context.verify_mode = ssl.CERT_REQUIRED + context.load_cert_chain(certfile = CONFIG['SERVER_CERT'], + keyfile = CONFIG['SERVER_KEY']) + context.load_verify_locations(cafile = CONFIG['CLIENT_CERT']) + logging.debug('SSL context created') + with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: logging.debug('Socket created') try: @@ -188,15 +236,21 @@ def main(): exit() while True: try: - conn, addr = mySocket.accept() - logging.info('Connection from {}:{}'.format(addr[0], addr[1])) + fromSocket, fromAddr = mySocket.accept() + logging.info('Client connected: {}:{}'.format(fromAddr[0], fromAddr[1])) try: - conn.settimeout(float(CONFIG['TIMEOUT'])) + fromSocket.settimeout(float(CONFIG['TIMEOUT'])) logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT'])) except Exception as e: logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT'])) logging.error('Use default value: 3.0') - conn.settimeout(3.0) + fromSocket.settimeout(3.0) + try: + conn = context.wrap_socket(fromSocket, server_side = True) + # display_peercert(conn.getpeercert()) + logging.debug('SSL established. Peer: {}'.format(conn.getpeercert())) + except Exception as e: + logging.error('SSL handshake failed: {}'.format(e)) raw_data = conn.recv(1) if receive_buffer_is_valid(raw_data) == True: if change_status(raw_data, CONFIG['API']) == True: @@ -205,12 +259,14 @@ def main(): # change_status returns false: else: logging.info('Failed to change status') - conn.send(b'\x03') + if conn: + conn.send(b'\x03') # recive_handle returns false: else: logging.info('Inalid argument recived: {}'.format(raw_data)) logging.debug('Send {} back'.format(b'\x03')) - conn.send(b'\x03') + if conn: + conn.send(b'\x03') sleep(0.1) # protection against dos except KeyboardInterrupt: print('\rExit') @@ -218,6 +274,8 @@ def main(): exit() except Exception as e: logging.error('{}'.format(e)) + continue + return 0 if __name__ == '__main__': diff --git a/statusd.service b/statusd.service new file mode 100644 index 0000000..7c0578a --- /dev/null +++ b/statusd.service @@ -0,0 +1,14 @@ +[Unit] +Description=Deamon for setting status API +After=systemd-network.service network.target + +[Service] +Type=simple +WorkingDirectory=/opt/doorstatus/ +ExecStart=/opt/doorstatus/statusd.py +SyslogIdentifier=statusd +User=status +Group=status + +[Install] +WantedBy=multi-user.target