merge with ssl branch

branch ssl merged into master. new files statusd.conf, statusd.conf.template, statusd.service. statusd.py conflicts resolved.
2019-09-10 12:38:06 +02:00 · 2019-09-10 12:38:06 +02:00 · c8814f322b
parent 39d6e9acee 78151fcafa
commit c8814f322b
5 changed files with 170 additions and 48 deletions
--- a/setstatus.py
+++ b/setstatus.py
@ -10,6 +10,7 @@
 # input is 0 or 1.

 import socket
+import ssl
 from sys import exit, argv, byteorder


@ -51,8 +52,12 @@ def read_argument():

 def main(*status):

-    HOST = 'nr18.space'
+    HOST = 'localhost'
    PORT = 10001
+    SERVER_NAME = 'server.status.kraut.space'
+    CLIENT_CERT = './certs/client.crt'
+    CLIENT_KEY = './certs/client.key'
+    SERVER_CERT = './certs/server.crt'
    BOM = byteorder
    STATUS = None
    RESPONSE = None
@ -69,21 +74,35 @@ def main(*status):
            if STATUS == None:
                STATUS = read_argument()

+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile = SERVER_CERT)
+    context.options &= ~ssl.PROTOCOL_TLS
+    context.verify_mode = ssl.CERT_OPTIONAL
+    # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
+    context.load_cert_chain(certfile = CLIENT_CERT, keyfile = CLIENT_KEY)
+    print('SSL context created')
+
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
        print('Socket created')
        try:
-            mySocket.connect((HOST, PORT))
+            conn = context.wrap_socket(mySocket, server_side = False, \
+                                      server_hostname = SERVER_NAME)
+            print('Connection wrapped with ssl.context')
        except Exception as e:
-            print('{}'.format(e))
+            print('Context wrapper failed: [}'.format(e))
+        try:
+            conn.connect((HOST, PORT))
+            print('SSL established: {}'.format(conn.getpeercert()))
+        except Exception as e:
+            print('SSL handshake failed: {}'.format(e))
            exit(1)
        try:
            print('Send new status: {}'.format(STATUS))
-            mySocket.send(STATUS)
+            conn.send(STATUS)
        except Exception as e:
            print('Error: {}'.format(e))
            exit(2)
        try:
-            RESPONSE = mySocket.recv(1)
+            RESPONSE = conn.recv(1)
            print('Server returns: {}'.format(RESPONSE))
            if RESPONSE == STATUS:
                print('Status sucessfull updated')
--- a/statusd.conf
+++ b/statusd.conf
@ -5,17 +5,22 @@

 # host, where server lives (string with fqdn or ipv4). default ist
 # localhost.
-HOST = 127.0.0.1
+HOST = '127.0.0.1'

 # port, where the server is listen. default is 100001
 PORT = 10001

-# path for ssl key and certificate. default ist current directory.
-# CERT = './certs/certificate.pem'
-KEY = ./certs/key.pem
+# timeout for connection
+TIMEOUT = 5

-# path to api file
-API = ./api
+# path for ssl keys and certificates. default is the current directory.
+SERVER_CERT = './certs/server.crt'
+SERVER_KEY = './certs/server.key'
+CLIENT_CERT = './certs/client.crt'
+
+# path to api files
+API_TEMPLATE = './api_template'
+API = './api'

 # loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
-# VERBOSITY = 'debug'
+VERBOSITY = 'error'
--- a/statusd.conf.template
+++ b/statusd.conf.template
@ -0,0 +1,26 @@
+# file: statusd.conf
+
+# Configuration file for the server, who is manage the api for door status
+# from krautspace jena.
+
+# host, where server lives (string with fqdn or ipv4). default ist
+# localhost.
+HOST = 'localhost'
+
+# port, where the server is listen. default is 100001
+PORT = 10001
+
+# timeout for connection
+TIMEOUT = 5
+
+# path for ssl keys and certificates. default is the current directory.
+SERVER_CERT = './server.crt'
+SERVER_KEY = './server.key'
+CLIENT_CERT = './client.crt'
+
+# path to api files
+API_TEMPLATE = './api_template'
+API = '/path/to//api'
+
+# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment.
+VERBOSITY = 'info'
--- a/statusd.py
+++ b/statusd.py
@ -4,9 +4,11 @@
 # date: 26.07.2019
 # email: berhsi@web.de

-# server, who listen for ipv4 connections at port 10001.
+# server, who listen for ipv4 connections at port 10001. now with ssl
+# encrypted connection and client side authentication.

 import socket
+import ssl
 import os
 import logging
 import json
@ -28,10 +30,11 @@ def read_config(CONFIGFILE, CONFIG):
            logging.debug('Configfile successfull read')
            for line in config.readlines():
                if not line[0] in ('#', ';', '\n', '\r'):
-                    logging.debug('Read entry')
                    key, value = (line.strip().split('='))
-                    CONFIG[key.upper().strip()] = value.strip()
-                    logging.debug('Set {} to {}'.format(key.upper().strip(), value.strip()))
+                    key = strip_argument(key).upper()
+                    value = strip_argument(value)
+                    CONFIG[key] = value
+                    logging.debug('Set {} to {}'.format(key, value))
    else:
        logging.error('Failed to read {}'.format(CONFIGFILE))
        logging.error('Using default values')
@ -39,6 +42,32 @@ def read_config(CONFIGFILE, CONFIG):
    return True


+def certs_readable(config):
+    '''
+    checks at start, if the needed certificates defined (no nullstring) and readable.
+    param 1: dictionary
+    return: boolean
+    '''
+    for i in (config['SERVER_KEY'], config['SERVER_CERT'], config['CLIENT_CERT']):
+        if  i == '' or os.access(i, os.R_OK) == False:
+            logging.error('Cant read {}'.format(i))
+            return False
+    return True
+
+
+def strip_argument(argument):
+    '''
+    Becomes a string and strips at first whitespaces, second apostrops and
+    returns the clear string.
+    param 1: string
+    return: string
+    '''
+    argument = argument.strip()
+    argument = argument.strip('"')
+    argument = argument.strip("'")
+    return argument
+
+
 def print_config(CONFIG):
    '''
    Prints the used configuration, if loglevel ist debug.
@ -51,14 +80,21 @@ def print_config(CONFIG):
    return True


+def display_peercert(cert):
+    for i in cert.keys():
+        print(i)
+        for j in cert[i]:
+            print('\t{}'.format(j))
+    return
+
+
 def receive_buffer_is_valid(raw_data):
    '''
    checks, if the received buffer from the connection is valid or not.
    param 1: byte
    return: boolean
    '''
-    data = bytes2int(raw_data)
-    if data == 0 or data == 1:
+    if raw_data == b'\x00' or raw_data == b'\x01':
        logging.debug('Argument is valid: {}'.format(raw_data))
        return True
    else:
@ -66,23 +102,6 @@ def receive_buffer_is_valid(raw_data):
        return False


-def bytes2int(raw_data):
-    '''
-    Convert a given byte value into a integer. If it is possible, it returns
-    the integer, otherwise false.
-    param 1: byte
-    return: integer or false
-    '''
-    bom = byteorder
-
-    try:
-        data = int.from_bytes(raw_data, bom)
-    except Exception as e:
-        logging.error('Unabele to convert raw data to int: {}'.format(raw_data))
-        return False
-    return data
-
-
 def change_status(raw_data, api):
    '''
    Becomes the received byte and the path to API file. Grabs the content of
@ -149,33 +168,62 @@ def set_values(raw_data):
    return: tuple
    '''
    timestamp = str(time()).split('.')[0]
-    callback = bytes2int(raw_data)
-    if callback == 1:
+    if raw_data == b'\x01':
        status = "true"
    else:
        status = "false"
+    logging.debug('Set values for timestamp: {} and status: {}'.format(timestamp, status))
    return (status, timestamp)


 def main():
    '''
-    The main function - opens a socket und listen for connections.
+    The main function - opens a socket, create a ssl context, load certs and
+    listen for connections. at ssl context we set some security options like 
+    OP_NO_SSLv2 (SSLv3): they are insecure
+    PROTOCOL_TLS: only use tls
+    OP_NO_COMPRESSION: prevention against crime attack
+    OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389)
+
    '''
    CONFIG = {
        'HOST': 'localhost',
        'PORT': 10001,
-        'CERT': None,
-        'KEY' : None,
+        'SERVER_CERT': './server.crt',
+        'SERVER_KEY' : './server.key',
+        'CLIENT_CERT': './client.crt',
        'TIMEOUT': 3.0,
-        'API': './api'
+        'API': './api',
+        'API_TEMPLATE': './api_template',
+        'VERBOSITY': 'info'
        }
    CONFIG_FILE = './statusd.conf'
+    FINGERPRINT = \
+    '35:8E:35:FA:58:0A:DD:2B:C8:6A:F9:EA:A3:7B:10:F5:62:89:AB:D0:AB:53:3E:B5:8B:AB:E1:23:CF:93:F5:F9'

    loglevel = logging.DEBUG
-    logging.basicConfig(format='%(levelname)s: %(asctime)s: %(message)s', level=loglevel)
+    logging.basicConfig(format='%(levelname)s: %(message)s', level=loglevel)
    read_config(CONFIG_FILE, CONFIG)
    print_config(CONFIG)

+    if certs_readable(CONFIG) == False:
+        logging.error('Cert check failed\nExit')
+        exit()
+
+    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+    context.options &= ~ssl.OP_NO_SSLv2
+    context.options &= ~ssl.OP_NO_SSLv3
+    context.options &= ~ssl.PROTOCOL_TLS
+    context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
+    # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
+    context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
+    # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
+    context.verify_mode = ssl.CERT_REQUIRED
+    context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
+                            keyfile = CONFIG['SERVER_KEY'])
+    context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
+    logging.debug('SSL context created')
+
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
        logging.debug('Socket created')
        try:
@ -188,15 +236,21 @@ def main():
            exit()
        while True:
            try:
-                conn, addr = mySocket.accept()
-                logging.info('Connection from {}:{}'.format(addr[0], addr[1]))
+                fromSocket, fromAddr = mySocket.accept()
+                logging.info('Client connected: {}:{}'.format(fromAddr[0], fromAddr[1]))
                try:
-                    conn.settimeout(float(CONFIG['TIMEOUT']))
+                    fromSocket.settimeout(float(CONFIG['TIMEOUT']))
                    logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT']))
                except Exception as e:
                    logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT']))
                    logging.error('Use default value: 3.0')
-                    conn.settimeout(3.0)
+                    fromSocket.settimeout(3.0)
+                try:
+                    conn = context.wrap_socket(fromSocket, server_side = True)
+                    # display_peercert(conn.getpeercert())
+                    logging.debug('SSL established. Peer: {}'.format(conn.getpeercert()))
+                except Exception as e:
+                    logging.error('SSL handshake failed: {}'.format(e))
                raw_data = conn.recv(1)
                if receive_buffer_is_valid(raw_data) == True:
                    if change_status(raw_data, CONFIG['API']) == True:
@ -205,12 +259,14 @@ def main():
                    # change_status returns false:
                    else:
                        logging.info('Failed to change status')
-                        conn.send(b'\x03')
+                        if conn:
+                            conn.send(b'\x03')
                # recive_handle returns false:
                else:
                    logging.info('Inalid argument recived: {}'.format(raw_data))
                    logging.debug('Send {} back'.format(b'\x03'))
-                    conn.send(b'\x03')
+                    if conn:
+                        conn.send(b'\x03')
                sleep(0.1) # protection against dos
            except KeyboardInterrupt:
                print('\rExit')
@ -218,6 +274,8 @@ def main():
                exit()
            except Exception as e:
                logging.error('{}'.format(e))
+                continue
+    return 0


 if __name__ == '__main__':
--- a/statusd.service
+++ b/statusd.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Deamon for setting status API
+After=systemd-network.service network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/doorstatus/
+ExecStart=/opt/doorstatus/statusd.py
+SyslogIdentifier=statusd
+User=status
+Group=status
+
+[Install]
+WantedBy=multi-user.target