From d3534afaa345d7e0f0b0fc4c274b68127029ed4d Mon Sep 17 00:00:00 2001 From: berhsi Date: Mon, 29 Jul 2019 18:32:27 +0200 Subject: [PATCH] statusd.py: add support for ssl server now speaks tls. new functions strip_argument() and display_peercert() --- statusd.py | 102 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 65 insertions(+), 37 deletions(-) diff --git a/statusd.py b/statusd.py index 10aeffe..454b004 100755 --- a/statusd.py +++ b/statusd.py @@ -4,9 +4,11 @@ # date: 26.07.2019 # email: berhsi@web.de -# server, who listen for ipv4 connections at port 10001. +# server, who listen for ipv4 connections at port 10001. now with ssl +# encrypted connection and client side authentication. import socket +import ssl import os import logging from time import time, ctime, sleep @@ -27,10 +29,11 @@ def read_config(CONFIGFILE, CONFIG): logging.debug('Configfile successfull read') for line in config.readlines(): if not line[0] in ('#', ';', '\n', '\r'): - logging.debug('Read entry') key, value = (line.strip().split('=')) - CONFIG[key.upper().strip()] = value.strip() - logging.debug('Set {} to {}'.format(key.upper().strip(), value.strip())) + key = strip_argument(key).upper() + value = strip_argument(value) + CONFIG[key] = value + logging.debug('Set {} to {}'.format(key, value)) else: logging.error('Failed to read {}'.format(CONFIGFILE)) logging.error('Using default values') @@ -38,6 +41,19 @@ def read_config(CONFIGFILE, CONFIG): return True +def strip_argument(argument): + ''' + Becomes a string and strips at first whitespaces, second apostrops and + returns the clear string. + param 1: string + return: string + ''' + argument = argument.strip() + argument = argument.strip('"') + argument = argument.strip("'") + return argument + + def print_config(CONFIG): ''' Prints the used configuration, if loglevel ist debug. @@ -50,14 +66,21 @@ def print_config(CONFIG): return True +def display_peercert(cert): + for i in cert.keys(): + print(i) + for j in cert[i]: + print('\t{}'.format(j)) + return + + def receive_buffer_is_valid(raw_data): ''' checks, if the received buffer from the connection is valid or not. param 1: byte return: boolean ''' - data = bytes2int(raw_data) - if data == 0 or data == 1: + if raw_data == b'\x00' or raw_data == b'\x01': logging.debug('Argument is valid: {}'.format(raw_data)) return True else: @@ -65,23 +88,6 @@ def receive_buffer_is_valid(raw_data): return False -def bytes2int(raw_data): - ''' - Convert a given byte value into a integer. If it is possible, it returns - the integer, otherwise false. - param 1: byte - return: integer or false - ''' - bom = byteorder - - try: - data = int.from_bytes(raw_data, bom) - except Exception as e: - logging.error('Unabele to convert raw data to int: {}'.format(raw_data)) - return False - return data - - def replace_entry(line, new): ''' The function becomes two strings and replaces the second part of the @@ -101,7 +107,6 @@ def replace_entry(line, new): return line - def change_status(raw_data, api): ''' Becomes the received byte and the path to API file. Grabs the content of @@ -176,8 +181,7 @@ def set_values(raw_data): return: tuple ''' timestamp = str(time()).split('.')[0] - callback = bytes2int(raw_data) - if callback == 1: + if raw_data == 'b\x01': status = "true" else: status = "false" @@ -186,23 +190,38 @@ def set_values(raw_data): def main(): ''' - The main function - opens a socket und listen for connections. + The main function - opens a socket, create a ssl context, load certs and + listen for connections. ''' CONFIG = { 'HOST': 'localhost', 'PORT': 10001, - 'CERT': None, - 'KEY' : None, + 'SERVER_CERT': './server.crt', + 'SERVER_KEY' : './server.key', + 'CLIENT_CERT': './client.crt', 'TIMEOUT': 3.0, - 'API': './api' + 'API': './api', + 'API_TEMPLATE': './api_template', + 'VERBOSITY': 'info' } CONFIG_FILE = './statusd.conf' + FINGERPRINT = \ + '35:8E:35:FA:58:0A:DD:2B:C8:6A:F9:EA:A3:7B:10:F5:62:89:AB:D0:AB:53:3E:B5:8B:AB:E1:23:CF:93:F5:F9' loglevel = logging.DEBUG - logging.basicConfig(format='%(levelname)s: %(asctime)s: %(message)s', level=loglevel) + logging.basicConfig(format='%(levelname)s: %(message)s', level=loglevel) read_config(CONFIG_FILE, CONFIG) print_config(CONFIG) + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.options &= ~ssl.PROTOCOL_TLS + context.verify_mode = ssl.CERT_REQUIRED + context.load_cert_chain(certfile = CONFIG['SERVER_CERT'], + keyfile = CONFIG['SERVER_KEY']) + context.load_verify_locations(cafile = CONFIG['CLIENT_CERT']) + context.options &= ~ssl.OP_NO_SSLv3 + logging.debug('SSL context created') + with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: logging.debug('Socket created') try: @@ -215,15 +234,21 @@ def main(): exit() while True: try: - conn, addr = mySocket.accept() - logging.info('Connection from {}:{}'.format(addr[0], addr[1])) + fromSocket, fromAddr = mySocket.accept() + logging.info('Client connected: {}:{}'.format(fromAddr[0], fromAddr[1])) try: - conn.settimeout(float(CONFIG['TIMEOUT'])) + fromSocket.settimeout(float(CONFIG['TIMEOUT'])) logging.debug('Connection timeout set to {}'.format(CONFIG['TIMEOUT'])) except Exception as e: logging.error('Canot set timeout to {}'.format(CONFIG['TIMEOUT'])) logging.error('Use default value: 3.0') - conn.settimeout(3.0) + fromSocket.settimeout(3.0) + try: + conn = context.wrap_socket(fromSocket, server_side = True) + # display_peercert(conn.getpeercert()) + logging.debug('SSL established. Peer: {}'.format(conn.getpeercert())) + except Exception as e: + logging.error('SSL handshake failed: {}'.format(e)) raw_data = conn.recv(1) if receive_buffer_is_valid(raw_data) == True: if change_status(raw_data, CONFIG['API']) == True: @@ -232,12 +257,14 @@ def main(): # change_status returns false: else: logging.info('Failed to change status') - conn.send(b'\x03') + if conn: + conn.send(b'\x03') # recive_handle returns false: else: logging.info('Inalid argument recived: {}'.format(raw_data)) logging.debug('Send {} back'.format(b'\x03')) - conn.send(b'\x03') + if conn: + conn.send(b'\x03') sleep(0.1) # protection against dos except KeyboardInterrupt: print('\rExit') @@ -245,6 +272,7 @@ def main(): exit() except Exception as e: logging.error('{}'.format(e)) + continue if __name__ == '__main__':