import collections
import time
+import hmac
+import hashlib
+import base64
import codecs
import traceback
vroutes = ''
ifname_client = hippo%%d
ifname_server = shippo%%d
+max_clock_skew = 300
#[server] or [<client>] overrides
ipif = userv root ipif %(local)s,%(peer)s,%(mtu)s,slip,%(ifname)s %(rnets)s
#---------- ipif (SLIP) subprocess ----------
class SlipStreamDecoder():
- def __init__(self, desc, on_packet):
+ def __init__(self, desc, on_packet, mtu):
self._buffer = b''
self._on_packet = on_packet
self._desc = desc
self._maybe_packet(packets[0])
class _IpifProcessProtocol(twisted.internet.protocol.ProcessProtocol):
- def __init__(self, router):
+ def __init__(self, router, mtu):
self._router = router
- self._decoder = SlipStreamDecoder('ipif', self.slip_on_packet)
+ self._decoder = SlipStreamDecoder('ipif', self.slip_on_packet, mtu)
def connectionMade(self): pass
def outReceived(self, data):
self._decoder.inputdata(data)
def processEnded(self, status):
status.raiseException()
-def start_ipif(command, router):
- ipif = _IpifProcessProtocol(router)
+def start_ipif(command, router, mtu):
+ ipif = _IpifProcessProtocol(router, mtu)
reactor.spawnProcess(ipif,
'/bin/sh',['sh','-xc', command],
childFDs={0:'w', 1:'r', 2:2},
if event.get('log_level') >= LogLevel.critical:
crash(twisted.logger.formatEvent(event))
+#---------- authentication tokens ----------
+
+_authtoken_digest = hashlib.sha256
+
+def _authtoken_time():
+ return int(time.time())
+
+def _authtoken_hmac(secret, hextime):
+ return hmac.new(secret, hextime, _authtoken_digest).digest()
+
+def authtoken_make(secret):
+ hextime = ('%x' % _authtoken_time()).encode('ascii')
+ mac = _authtoken_hmac(secret, hextime)
+ return hextime + b' ' + base64.b64encode(mac)
+
+def authtoken_check(secret, token, maxskew):
+ (hextime, theirmac64) = token.split(b' ')
+ now = _authtoken_time()
+ then = int(hextime, 16)
+ skew = then - now;
+ if (abs(skew) > maxskew):
+ raise ValueError('too much clock skew (client %ds ahead)' % skew)
+ theirmac = base64.b64decode(theirmac64)
+ ourmac = _authtoken_hmac(secret, hextime)
+ if not hmac.compare_digest(theirmac, ourmac):
+ raise ValueError('invalid token (wrong secret?)')
+ pass
+
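Review bot: authtoken_check accepts any token whose hex timestamp lies within maxskew of the server clock, so a token captured in transit stays valid for up to 2*maxskew seconds (600 s with the `max_clock_skew = 300` default added above) and nothing in this hunk ties it to a particular request or rejects a repeated token; the function deserves a docstring stating that a passing token proves knowledge of the secret and rough clock agreement only, not freshness, so callers presumably have to rely on the transport for replay and confidentiality protection. The skew check runs before the MAC is verified, so an unauthenticated peer learns the server's clock offset from the error text — probably acceptable for a tunnel endpoint, but worth a comment, or raising the generic 'invalid token' message in that branch instead. The message also reads oddly when the client clock is behind (a negative skew "ahead"); `raise ValueError('too much clock skew (client %+ds relative to server)' % skew)` says what happened either way. The trailing `pass` and the semicolon on `skew = then - now;` are dead and can be dropped.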
#---------- config processing ----------
def _cfg_process_putatives():
def cfg_process_vaddr(c, ss):
try:
- c.vaddr = cfg1get(ss,'vaddr')
+ c.vaddr = ipaddr(cfg1get(ss,'vaddr'))
except NoOptionError:
cfg_process_vnetwork(c, ss)
c.vaddr = next(c.vnetwork.hosts())
try: v = getattr(c, s)
except AttributeError: continue
setattr(c, d, v)
+ for d in ('mtu',):
+ v = cfg_search(cfg1getint, d, sections)
+ setattr(c, d, v)
#print('CFGIPIF',repr((varmap, sections, c.__dict__)),file=sys.stderr)