From 84865a37bfbd73a203593a1ceaad0638a19e35da Mon Sep 17 00:00:00 2001 From: berhsi Date: Mon, 29 Jul 2019 18:23:45 +0200 Subject: [PATCH 01/11] statusd.conf: add any variables TIMEOUT, CLIENT_CERT, API_TEMPLATE added. CERT and KEY changed to SERVER_CERT and SERVER_KEY --- statusd.conf | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/statusd.conf b/statusd.conf index 1559167..d5539f6 100644 --- a/statusd.conf +++ b/statusd.conf @@ -5,17 +5,22 @@ # host, where server lives (string with fqdn or ipv4). default ist # localhost. -HOST = 127.0.0.1 +HOST = '127.0.0.1' # port, where the server is listen. default is 100001 PORT = 10001 -# path for ssl key and certificate. default ist current directory. -# CERT = './certs/certificate.pem' -KEY = ./certs/key.pem +# timeout for connection +TIMEOUT = 5 -# path to api file -API = ./api +# path for ssl keys and certificates. default is the current directory. +SERVER_CERT = './certs/server.crt' +SERVER_KEY = './certs/server.key' +CLIENT_CERT = './certs/client.crt' + +# path to api files +API_TEMPLATE = './api_template' +API = './api' # loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment. -# VERBOSITY = 'debug' +VERBOSITY = 'error' From 60fccc57d40b112508ca86131f93a07b5f2ef148 Mon Sep 17 00:00:00 2001 From: berhsi Date: Mon, 29 Jul 2019 18:27:53 +0200 Subject: [PATCH 02/11] setstatus.py: add support for ssl client now connect to server via tls. --- setstatus.py | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/setstatus.py b/setstatus.py index b250f88..e3a2b1c 100755 --- a/setstatus.py +++ b/setstatus.py @@ -10,6 +10,7 @@ # input is 0 or 1. import socket +import ssl from sys import exit, argv, byteorder @@ -51,8 +52,12 @@ def read_argument(): def main(*status): - HOST = 'nr18.space' + HOST = 'localhost' PORT = 10001 + SERVER_NAME = 'server.status.kraut.space' + CLIENT_CERT = './certs/client.crt' + CLIENT_KEY = './certs/client.key' + SERVER_CERT = './certs/server.crt' BOM = byteorder STATUS = None RESPONSE = None @@ -69,21 +74,35 @@ def main(*status): if STATUS == None: STATUS = read_argument() + context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile = SERVER_CERT) + context.options &= ~ssl.PROTOCOL_TLS + context.verify_mode = ssl.CERT_OPTIONAL + # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS') + context.load_cert_chain(certfile = CLIENT_CERT, keyfile = CLIENT_KEY) + print('SSL context created') + with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: print('Socket created') try: - mySocket.connect((HOST, PORT)) + conn = context.wrap_socket(mySocket, server_side = False, \ + server_hostname = SERVER_NAME) + print('Connection wrapped with ssl.context') except Exception as e: - print('{}'.format(e)) + print('Context wrapper failed: [}'.format(e)) + try: + conn.connect((HOST, PORT)) + print('SSL established: {}'.format(conn.getpeercert())) + except Exception as e: + print('SSL handshake failed: {}'.format(e)) exit(1) try: print('Send new status: {}'.format(STATUS)) - mySocket.send(STATUS) + conn.send(STATUS) except Exception as e: print('Error: {}'.format(e)) exit(2) try: - RESPONSE = mySocket.recv(1) + RESPONSE = conn.recv(1) print('Server returns: {}'.format(RESPONSE)) if RESPONSE == STATUS: print('Status sucessfull updated') From d3534afaa345d7e0f0b0fc4c274b68127029ed4d Mon Sep 17 00:00:00 2001 From: berhsi Date: Mon, 29 Jul 2019 18:32:27 +0200 Subject: [PATCH 03/11] statusd.py: add support for ssl server now speaks tls. new functions strip_argument() and display_peercert() --- statusd.py | 102 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 65 insertions(+), 37 deletions(-) diff --git a/statusd.py b/statusd.py index 10aeffe..454b004 100755 --- a/statusd.py +++ b/statusd.py @@ -4,9 +4,11 @@ # date: 26.07.2019 # email: berhsi@web.de -# server, who listen for ipv4 connections at port 10001. +# server, who listen for ipv4 connections at port 10001. now with ssl +# encrypted connection and client side authentication. import socket +import ssl import os import logging from time import time, ctime, sleep @@ -27,10 +29,11 @@ def read_config(CONFIGFILE, CONFIG): logging.debug('Configfile successfull read') for line in config.readlines(): if not line[0] in ('#', ';', '\n', '\r'): - logging.debug('Read entry') key, value = (line.strip().split('=')) - CONFIG[key.upper().strip()] = value.strip() - logging.debug('Set {} to {}'.format(key.upper().strip(), value.strip())) + key = strip_argument(key).upper() + value = strip_argument(value) + CONFIG[key] = value + logging.debug('Set {} to {}'.format(key, value)) else: logging.error('Failed to read {}'.format(CONFIGFILE)) logging.error('Using default values') @@ -38,6 +41,19 @@ def read_config(CONFIGFILE, CONFIG): return True +def strip_argument(argument): + ''' + Becomes a string and strips at first whitespaces, second apostrops and + returns the clear string. + param 1: string + return: string + ''' + argument = argument.strip() + argument = argument.strip('"') + argument = argument.strip("'") + return argument + + def print_config(CONFIG): ''' Prints the used configuration, if loglevel ist debug. @@ -50,14 +66,21 @@ def print_config(CONFIG): return True +def display_peercert(cert): + for i in cert.keys(): + print(i) + for j in cert[i]: + print('\t{}'.format(j)) + return + + def receive_buffer_is_valid(raw_data): ''' checks, if the received buffer from the connection is valid or not. param 1: byte return: boolean ''' - data = bytes2int(raw_data) - if data == 0 or data == 1: + if raw_data == b'\x00' or raw_data == b'\x01': logging.debug('Argument is valid: {}'.format(raw_data)) return True else: @@ -65,23 +88,6 @@ def receive_buffer_is_valid(raw_data): return False -def bytes2int(raw_data): - ''' - Convert a given byte value into a integer. If it is possible, it returns - the integer, otherwise false. - param 1: byte - return: integer or false - ''' - bom = byteorder - - try: - data = int.from_bytes(raw_data, bom) - except Exception as e: - logging.error('Unabele to convert raw data to int: {}'.format(raw_data)) - return False - return data - - def replace_entry(line, new): ''' The function becomes two strings and replaces the second part of the @@ -101,7 +107,6 @@ def replace_entry(line, new): return line - def change_status(raw_data, api): ''' Becomes the received byte and the path to API file. Grabs the content of @@ -176,8 +181,7 @@ def set_values(raw_data): return: tuple ''' timestamp = str(time()).split('.')[0] - callback = bytes2int(raw_data) - if callback == 1: + if raw_data == 'b\x01': status = "true" else: status = "false" @@ -186,23 +190,38 @@ def set_values(raw_data): def main(): ''' - The main function - opens a socket und listen for connections. + The main function - opens a socket, create a ssl context, load certs and + listen for connections. ''' CONFIG = { 'HOST': 'localhost', 'PORT': 10001, - 'CERT': None, - 'KEY' : None, + 'SERVER_CERT': './server.crt', + 'SERVER_KEY' : './server.key', + 'CLIENT_CERT': './client.crt', 'TIMEOUT': 3.0, - 'API': './api' + 'API': './api', + 'API_TEMPLATE': './api_template', + 'VERBOSITY': 'info' } CONFIG_FILE = './statusd.conf' + FINGERPRINT = \ + '35:8E:35:FA:58:0A:DD:2B:C8:6A:F9:EA:A3:7B:10:F5:62:89:AB:D0:AB:53:3E:B5:8B:AB:E1:23:CF:93:F5:F9' loglevel = logging.DEBUG - logging.basicConfig(format='%(levelname)s: %(asctime)s: %(message)s', level=loglevel) + logging.basicConfig(format='%(levelname)s: %(message)s', level=loglevel) read_config(CONFIG_FILE, CONFIG) print_config(CONFIG) + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.options &= ~ssl.PROTOCOL_TLS + context.verify_mode = ssl.CERT_REQUIRED + context.load_cert_chain(certfile = CONFIG['SERVER_CERT'], + keyfile = CONFIG['SERVER_KEY']) + context.load_verify_locations(cafile = CONFIG['CLIENT_CERT']) + context.options &= ~ssl.OP_NO_SSLv3 + logging.debug('SSL context created') + with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: logging.debug('Socket created') try: @@ -215,15 +234,21 @@ def main(): exit() while True: try: - conn, addr = mySocket.accept() - logging.info('Connection from {}:{}'.format(addr[0], addr[1])) + fromSocket, fromAddr = mySocket.accept() + logging.info('Client connected: {}:{}'.format(fromAddr[0], fromAddr[1])) try: - conn.settimeout(float(CONFIG['TIMEOUT'])) + fromSocket.settimeout(float(CONFIG['TIMEOUT'])) logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT'])) except Exception as e: logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT'])) logging.error('Use default value: 3.0') - conn.settimeout(3.0) + fromSocket.settimeout(3.0) + try: + conn = context.wrap_socket(fromSocket, server_side = True) + # display_peercert(conn.getpeercert()) + logging.debug('SSL established. Peer: {}'.format(conn.getpeercert())) + except Exception as e: + logging.error('SSL handshake failed: {}'.format(e)) raw_data = conn.recv(1) if receive_buffer_is_valid(raw_data) == True: if change_status(raw_data, CONFIG['API']) == True: @@ -232,12 +257,14 @@ def main(): # change_status returns false: else: logging.info('Failed to change status') - conn.send(b'\x03') + if conn: + conn.send(b'\x03') # recive_handle returns false: else: logging.info('Inalid argument recived: {}'.format(raw_data)) logging.debug('Send {} back'.format(b'\x03')) - conn.send(b'\x03') + if conn: + conn.send(b'\x03') sleep(0.1) # protection against dos except KeyboardInterrupt: print('\rExit') @@ -245,6 +272,7 @@ def main(): exit() except Exception as e: logging.error('{}'.format(e)) + continue if __name__ == '__main__': From c6c0eac5bf9572a64aa64938794acc9ab0a0e8bb Mon Sep 17 00:00:00 2001 From: berhsi Date: Mon, 29 Jul 2019 18:33:19 +0200 Subject: [PATCH 04/11] add unit for systemd: statusd.service --- statusd.service | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 statusd.service diff --git a/statusd.service b/statusd.service new file mode 100644 index 0000000..7c0578a --- /dev/null +++ b/statusd.service @@ -0,0 +1,14 @@ +[Unit] +Description=Deamon for setting status API +After=systemd-network.service network.target + +[Service] +Type=simple +WorkingDirectory=/opt/doorstatus/ +ExecStart=/opt/doorstatus/statusd.py +SyslogIdentifier=statusd +User=status +Group=status + +[Install] +WantedBy=multi-user.target From 7d5753c8793bf7c701875face97645640a6c9966 Mon Sep 17 00:00:00 2001 From: +++ Date: Tue, 30 Jul 2019 21:26:43 +0200 Subject: [PATCH 05/11] delete server-clear.py --- server-clear.py | 77 ------------------------------------------------- 1 file changed, 77 deletions(-) delete mode 100755 server-clear.py diff --git a/server-clear.py b/server-clear.py deleted file mode 100755 index 286a9ca..0000000 --- a/server-clear.py +++ /dev/null @@ -1,77 +0,0 @@ -#!/usr/bin/python3 - -# file: server-clear.py -# date: 26.07.2019 -# email: berhsi@web.de - -# server, who listen for connections for localhost, port 64000 and ipv4. - -import socket -from time import time, ctime -from sys import exit, byteorder - - -def connection_handle(conn): - - bom = byteorder - - raw_data = conn.recv(1) - print('Data recived: {}'.format(raw_data)) - data = int.from_bytes(raw_data, bom) - if data == 0 or data == 1: - if update_status(data) == True: - conn.send(data.to_bytes(1, bom)) - else: - conn.send(b'\x03') - else: - print('Invalid argument') - conn.send(b'3') - return False - return True - - -def update_status(data): - - try: - print('Update status ...') - if data == 0: - status = 'false' - else: - status = 'true' - lastchange = str(time()).split('.')[0] - print('Change status: {}: {}'.format(lastchange, status)) - except Exception as e: - print('Error: {}'.format(e)) - return False - return True - - -def main(): - - HOST = 'nr18.space' - PORT = 10001 - - with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: - print('Socket created') - try: - mySocket.bind((HOST, PORT)) - mySocket.listen(5) - print('Listen on {} at Port {}'.format(HOST, PORT)) - except Exception as e: - print('Error: unable to bind and listen') - print('Error: {}'.format(e)) - while True: - try: - conn, addr = mySocket.accept() - print('Connection from {}:{}'.format(addr[0], addr[1])) - conn.settimeout(3.0) - connection_handle(conn) - except KeyboardInterrupt: - print('\b\bExit') - exit() - except Exception as e: - print('Error: {}'.format(e)) - - -if __name__ == '__main__': - main() From 35d46f266ab2c8deac8d8899fdde3cd3cd4d6818 Mon Sep 17 00:00:00 2001 From: +++ Date: Tue, 30 Jul 2019 22:06:07 +0200 Subject: [PATCH 06/11] statusd.py: add function certs_readable() add a function to test at start, if needed certs are readable --- statusd.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/statusd.py b/statusd.py index 454b004..dc68d3c 100755 --- a/statusd.py +++ b/statusd.py @@ -41,6 +41,15 @@ def read_config(CONFIGFILE, CONFIG): return True +def certs_readable(config): + + for i in (config['SERVER_KEY'], config['SERVER_CERT'], config['CLIENT_CERT']): + if os.access(i, os.R_OK) == False: + logging.error('Cant read {}'.format(i)) + return False + return True + + def strip_argument(argument): ''' Becomes a string and strips at first whitespaces, second apostrops and @@ -213,6 +222,10 @@ def main(): read_config(CONFIG_FILE, CONFIG) print_config(CONFIG) + if certs_readable(CONFIG) == False: + logging.error('Cert check failed\nExit') + exit() + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) context.options &= ~ssl.PROTOCOL_TLS context.verify_mode = ssl.CERT_REQUIRED From fa772012d65ab23c0c7ad3dc386e9de6d53845eb Mon Sep 17 00:00:00 2001 From: +++ Date: Tue, 30 Jul 2019 22:20:45 +0200 Subject: [PATCH 07/11] statusd.py: certs_readable() checks if cert is defined --- statusd.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/statusd.py b/statusd.py index dc68d3c..53a324a 100755 --- a/statusd.py +++ b/statusd.py @@ -42,9 +42,13 @@ def read_config(CONFIGFILE, CONFIG): def certs_readable(config): - + ''' + checks at start, if the needed certificates defined (no nullstring) and readable. + param 1: dictionary + return: boolean + ''' for i in (config['SERVER_KEY'], config['SERVER_CERT'], config['CLIENT_CERT']): - if os.access(i, os.R_OK) == False: + if i == '' or os.access(i, os.R_OK) == False: logging.error('Cant read {}'.format(i)) return False return True From 8755e355848a1a636ed40f451cc3ca5a75686365 Mon Sep 17 00:00:00 2001 From: +++ Date: Tue, 30 Jul 2019 22:59:59 +0200 Subject: [PATCH 08/11] statusd.template added --- statusd.template | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 statusd.template diff --git a/statusd.template b/statusd.template new file mode 100644 index 0000000..9d53801 --- /dev/null +++ b/statusd.template @@ -0,0 +1,26 @@ +# file: statusd.conf + +# Configuration file for the server, who is manage the api for door status +# from krautspace jena. + +# host, where server lives (string with fqdn or ipv4). default ist +# localhost. +HOST = 'localhost' + +# port, where the server is listen. default is 100001 +PORT = 10001 + +# timeout for connection +TIMEOUT = 5 + +# path for ssl keys and certificates. default is the current directory. +SERVER_CERT = './server.crt' +SERVER_KEY = './server.key' +CLIENT_CERT = './client.crt' + +# path to api files +API_TEMPLATE = './api_template' +API = '/path/to//api' + +# loglevel (maybe ERROR, INFO, DEBUG) - not implementet at the moment. +VERBOSITY = 'info' From 0e405f894deec51dd4bfaa41fe380a95def7e7da Mon Sep 17 00:00:00 2001 From: berhsi Date: Fri, 2 Aug 2019 14:20:08 +0200 Subject: [PATCH 09/11] statusd.py: set some ssl-options --- statusd.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/statusd.py b/statusd.py index 53a324a..b44288d 100755 --- a/statusd.py +++ b/statusd.py @@ -204,7 +204,12 @@ def set_values(raw_data): def main(): ''' The main function - opens a socket, create a ssl context, load certs and - listen for connections. + listen for connections. at ssl context we set some security options like + OP_NO_SSLv2 (SSLv3): they are insecure + PROTOCOL_TLS: only use tls + OP_NO_COMPRESSION: prevention against crime attack + OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389) + ''' CONFIG = { 'HOST': 'localhost', @@ -231,12 +236,17 @@ def main(): exit() context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.options &= ~ssl.OP_NO_SSLv2 + context.options &= ~ssl.OP_NO_SSLv3 context.options &= ~ssl.PROTOCOL_TLS + context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE + # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS + context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0) + # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS') context.verify_mode = ssl.CERT_REQUIRED context.load_cert_chain(certfile = CONFIG['SERVER_CERT'], keyfile = CONFIG['SERVER_KEY']) context.load_verify_locations(cafile = CONFIG['CLIENT_CERT']) - context.options &= ~ssl.OP_NO_SSLv3 logging.debug('SSL context created') with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: @@ -290,6 +300,7 @@ def main(): except Exception as e: logging.error('{}'.format(e)) continue + return 0 if __name__ == '__main__': From 943c060b60b7482f9a9112469a44bc6e8e76ed02 Mon Sep 17 00:00:00 2001 From: berhsi Date: Tue, 10 Sep 2019 09:47:53 +0200 Subject: [PATCH 10/11] statusd.py now works with json modul, fix bug in set_values() read and write the api file now uses the json modul. correct a bug in function set_values(). --- statusd.py | 51 +++++++++++++-------------------------------------- 1 file changed, 13 insertions(+), 38 deletions(-) diff --git a/statusd.py b/statusd.py index b44288d..f3060f4 100755 --- a/statusd.py +++ b/statusd.py @@ -11,6 +11,7 @@ import socket import ssl import os import logging +import json from time import time, ctime, sleep from sys import exit, byteorder @@ -101,25 +102,6 @@ def receive_buffer_is_valid(raw_data): return False -def replace_entry(line, new): - ''' - The function becomes two strings and replaces the second part of the - first string from ":" until end with the second string. Than appends a - "," and returns the result. - - !!! Todo: needs exception handling !!! - - param 1: string - param 2: string - return: string - ''' - array = line.split(':') - logging.debug('Replace {} with {}'.format(array[1], new)) - array[1] = ''.join((new, ',')) - line = ':'.join((array[0], array[1])) - return line - - def change_status(raw_data, api): ''' Becomes the received byte and the path to API file. Grabs the content of @@ -139,21 +121,13 @@ def change_status(raw_data, api): logging.debug('API file is writable') with open(api, 'w') as api_file: logging.debug('API file open successfull') - for line in data.splitlines(): - if line.strip().startswith('"state":'): - edit = True - elif edit == True and line.strip().startswith('"open":'): - line = replace_entry(line, status) - elif edit == True and line.strip().startswith('"lastchange":'): - line = replace_entry(line, timestamp) - edit = False - try: - api_file.write(line) - api_file.write('\n') - except Exception as e: - logging.error('Failed to write line to API file') - logging.error('Line: {}'.format(line)) - logging.error('{}'.format(e)) + data["state"]["open"] = status + data["state"]["lastchange"] = timestamp + try: + json.dump(data, api_file, indent=4) + except Exception as e: + logging.error('Failed to change API file') + logging.error('{}'.format(e)) logging.debug('API file changed') else: logging.error('API file is not writable. Wrong permissions?') @@ -176,12 +150,12 @@ def read_api(api): with open(api, 'r') as api_file: logging.debug('API opened successfull') try: - api_data = api_file.read() - logging.debug('API read successfull') + api_json_data = json.load(api_file) + logging.debug('API file read successfull') except Exception as e: logging.error('Failed to read API file(): {}'.format(e)) return False - return (api_data) + return (api_json_data) logging.error('Failed to read API file') return False @@ -194,10 +168,11 @@ def set_values(raw_data): return: tuple ''' timestamp = str(time()).split('.')[0] - if raw_data == 'b\x01': + if raw_data == b'\x01': status = "true" else: status = "false" + logging.debug('Set values for timestamp: {} and status: {}'.format(timestamp, status)) return (status, timestamp) From 78151fcafaea251e19bf7e75f946cea470c2543b Mon Sep 17 00:00:00 2001 From: berhsi Date: Tue, 10 Sep 2019 10:07:53 +0200 Subject: [PATCH 11/11] rename file statusd.template to statusd.conf.template --- statusd.template => statusd.conf.template | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename statusd.template => statusd.conf.template (100%) diff --git a/statusd.template b/statusd.conf.template similarity index 100% rename from statusd.template rename to statusd.conf.template