merge with ssl branch

branch ssl merged into master. new files statusd.conf, statusd.conf.template, statusd.service.
statusd.py conflicts resolved.
This commit is contained in:
berhsi 2019-09-10 12:38:06 +02:00
commit c8814f322b
5 changed files with 170 additions and 48 deletions

View file

@ -10,6 +10,7 @@
# input is 0 or 1.
import socket
import ssl
from sys import exit, argv, byteorder
@ -51,8 +52,12 @@ def read_argument():
def main(*status):
HOST = 'nr18.space'
HOST = 'localhost'
PORT = 10001
SERVER_NAME = 'server.status.kraut.space'
CLIENT_CERT = './certs/client.crt'
CLIENT_KEY = './certs/client.key'
SERVER_CERT = './certs/server.crt'
BOM = byteorder
STATUS = None
RESPONSE = None
@ -69,21 +74,35 @@ def main(*status):
if STATUS == None:
STATUS = read_argument()
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile = SERVER_CERT)
context.options &= ~ssl.PROTOCOL_TLS
context.verify_mode = ssl.CERT_OPTIONAL
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
context.load_cert_chain(certfile = CLIENT_CERT, keyfile = CLIENT_KEY)
print('SSL context created')
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
print('Socket created')
try:
mySocket.connect((HOST, PORT))
conn = context.wrap_socket(mySocket, server_side = False, \
server_hostname = SERVER_NAME)
print('Connection wrapped with ssl.context')
except Exception as e:
print('{}'.format(e))
print('Context wrapper failed: [}'.format(e))
try:
conn.connect((HOST, PORT))
print('SSL established: {}'.format(conn.getpeercert()))
except Exception as e:
print('SSL handshake failed: {}'.format(e))
exit(1)
try:
print('Send new status: {}'.format(STATUS))
mySocket.send(STATUS)
conn.send(STATUS)
except Exception as e:
print('Error: {}'.format(e))
exit(2)
try:
RESPONSE = mySocket.recv(1)
RESPONSE = conn.recv(1)
print('Server returns: {}'.format(RESPONSE))
if RESPONSE == STATUS:
print('Status sucessfull updated')

View file

@ -5,17 +5,22 @@
# host, where server lives (string with fqdn or ipv4). default ist
# localhost.
HOST = 127.0.0.1
HOST = '127.0.0.1'
# port, where the server is listen. default is 100001
PORT = 10001
# path for ssl key and certificate. default ist current directory.
# CERT = './certs/certificate.pem'
KEY = ./certs/key.pem
# timeout for connection
TIMEOUT = 5
# path to api file
API = ./api
# path for ssl keys and certificates. default is the current directory.
SERVER_CERT = './certs/server.crt'
SERVER_KEY = './certs/server.key'
CLIENT_CERT = './certs/client.crt'
# path to api files
API_TEMPLATE = './api_template'
API = './api'
# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
# VERBOSITY = 'debug'
VERBOSITY = 'error'

26
statusd.conf.template Normal file
View file

@ -0,0 +1,26 @@
# file: statusd.conf
# Configuration file for the server, who is manage the api for door status
# from krautspace jena.
# host, where server lives (string with fqdn or ipv4). default ist
# localhost.
HOST = 'localhost'
# port, where the server is listen. default is 100001
PORT = 10001
# timeout for connection
TIMEOUT = 5
# path for ssl keys and certificates. default is the current directory.
SERVER_CERT = './server.crt'
SERVER_KEY = './server.key'
CLIENT_CERT = './client.crt'
# path to api files
API_TEMPLATE = './api_template'
API = '/path/to//api'
# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
VERBOSITY = 'info'

View file

@ -4,9 +4,11 @@
# date: 26.07.2019
# email: berhsi@web.de
# server, who listen for ipv4 connections at port 10001.
# server, who listen for ipv4 connections at port 10001. now with ssl
# encrypted connection and client side authentication.
import socket
import ssl
import os
import logging
import json
@ -28,10 +30,11 @@ def read_config(CONFIGFILE, CONFIG):
logging.debug('Configfile successfull read')
for line in config.readlines():
if not line[0] in ('#', ';', '\n', '\r'):
logging.debug('Read entry')
key, value = (line.strip().split('='))
CONFIG[key.upper().strip()] = value.strip()
logging.debug('Set {} to {}'.format(key.upper().strip(), value.strip()))
key = strip_argument(key).upper()
value = strip_argument(value)
CONFIG[key] = value
logging.debug('Set {} to {}'.format(key, value))
else:
logging.error('Failed to read {}'.format(CONFIGFILE))
logging.error('Using default values')
@ -39,6 +42,32 @@ def read_config(CONFIGFILE, CONFIG):
return True
def certs_readable(config):
'''
checks at start, if the needed certificates defined (no nullstring) and readable.
param 1: dictionary
return: boolean
'''
for i in (config['SERVER_KEY'], config['SERVER_CERT'], config['CLIENT_CERT']):
if i == '' or os.access(i, os.R_OK) == False:
logging.error('Cant read {}'.format(i))
return False
return True
def strip_argument(argument):
'''
Becomes a string and strips at first whitespaces, second apostrops and
returns the clear string.
param 1: string
return: string
'''
argument = argument.strip()
argument = argument.strip('"')
argument = argument.strip("'")
return argument
def print_config(CONFIG):
'''
Prints the used configuration, if loglevel ist debug.
@ -51,14 +80,21 @@ def print_config(CONFIG):
return True
def display_peercert(cert):
for i in cert.keys():
print(i)
for j in cert[i]:
print('\t{}'.format(j))
return
def receive_buffer_is_valid(raw_data):
'''
checks, if the received buffer from the connection is valid or not.
param 1: byte
return: boolean
'''
data = bytes2int(raw_data)
if data == 0 or data == 1:
if raw_data == b'\x00' or raw_data == b'\x01':
logging.debug('Argument is valid: {}'.format(raw_data))
return True
else:
@ -66,23 +102,6 @@ def receive_buffer_is_valid(raw_data):
return False
def bytes2int(raw_data):
'''
Convert a given byte value into a integer. If it is possible, it returns
the integer, otherwise false.
param 1: byte
return: integer or false
'''
bom = byteorder
try:
data = int.from_bytes(raw_data, bom)
except Exception as e:
logging.error('Unabele to convert raw data to int: {}'.format(raw_data))
return False
return data
def change_status(raw_data, api):
'''
Becomes the received byte and the path to API file. Grabs the content of
@ -149,33 +168,62 @@ def set_values(raw_data):
return: tuple
'''
timestamp = str(time()).split('.')[0]
callback = bytes2int(raw_data)
if callback == 1:
if raw_data == b'\x01':
status = "true"
else:
status = "false"
logging.debug('Set values for timestamp: {} and status: {}'.format(timestamp, status))
return (status, timestamp)
def main():
'''
The main function - opens a socket und listen for connections.
The main function - opens a socket, create a ssl context, load certs and
listen for connections. at ssl context we set some security options like
OP_NO_SSLv2 (SSLv3): they are insecure
PROTOCOL_TLS: only use tls
OP_NO_COMPRESSION: prevention against crime attack
OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389)
'''
CONFIG = {
'HOST': 'localhost',
'PORT': 10001,
'CERT': None,
'KEY' : None,
'SERVER_CERT': './server.crt',
'SERVER_KEY' : './server.key',
'CLIENT_CERT': './client.crt',
'TIMEOUT': 3.0,
'API': './api'
'API': './api',
'API_TEMPLATE': './api_template',
'VERBOSITY': 'info'
}
CONFIG_FILE = './statusd.conf'
FINGERPRINT = \
'35:8E:35:FA:58:0A:DD:2B:C8:6A:F9:EA:A3:7B:10:F5:62:89:AB:D0:AB:53:3E:B5:8B:AB:E1:23:CF:93:F5:F9'
loglevel = logging.DEBUG
logging.basicConfig(format='%(levelname)s: %(asctime)s: %(message)s', level=loglevel)
logging.basicConfig(format='%(levelname)s: %(message)s', level=loglevel)
read_config(CONFIG_FILE, CONFIG)
print_config(CONFIG)
if certs_readable(CONFIG) == False:
logging.error('Cert check failed\nExit')
exit()
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.options &= ~ssl.OP_NO_SSLv2
context.options &= ~ssl.OP_NO_SSLv3
context.options &= ~ssl.PROTOCOL_TLS
context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
# context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
keyfile = CONFIG['SERVER_KEY'])
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
logging.debug('SSL context created')
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
logging.debug('Socket created')
try:
@ -188,15 +236,21 @@ def main():
exit()
while True:
try:
conn, addr = mySocket.accept()
logging.info('Connection from {}:{}'.format(addr[0], addr[1]))
fromSocket, fromAddr = mySocket.accept()
logging.info('Client connected: {}:{}'.format(fromAddr[0], fromAddr[1]))
try:
conn.settimeout(float(CONFIG['TIMEOUT']))
fromSocket.settimeout(float(CONFIG['TIMEOUT']))
logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT']))
except Exception as e:
logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT']))
logging.error('Use default value: 3.0')
conn.settimeout(3.0)
fromSocket.settimeout(3.0)
try:
conn = context.wrap_socket(fromSocket, server_side = True)
# display_peercert(conn.getpeercert())
logging.debug('SSL established. Peer: {}'.format(conn.getpeercert()))
except Exception as e:
logging.error('SSL handshake failed: {}'.format(e))
raw_data = conn.recv(1)
if receive_buffer_is_valid(raw_data) == True:
if change_status(raw_data, CONFIG['API']) == True:
@ -205,12 +259,14 @@ def main():
# change_status returns false:
else:
logging.info('Failed to change status')
conn.send(b'\x03')
if conn:
conn.send(b'\x03')
# recive_handle returns false:
else:
logging.info('Inalid argument recived: {}'.format(raw_data))
logging.debug('Send {} back'.format(b'\x03'))
conn.send(b'\x03')
if conn:
conn.send(b'\x03')
sleep(0.1) # protection against dos
except KeyboardInterrupt:
print('\rExit')
@ -218,6 +274,8 @@ def main():
exit()
except Exception as e:
logging.error('{}'.format(e))
continue
return 0
if __name__ == '__main__':

14
statusd.service Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=Deamon for setting status API
After=systemd-network.service network.target
[Service]
Type=simple
WorkingDirectory=/opt/doorstatus/
ExecStart=/opt/doorstatus/statusd.py
SyslogIdentifier=statusd
User=status
Group=status
[Install]
WantedBy=multi-user.target