ensure mtu is in the ipif substitution set

[hippotat.git] / hippotatlib / __init__.py

diff --git a/hippotatlib/__init__.py b/hippotatlib/__init__.py
index 282266c009651b004ec940f7b79aac2b84f5c3c7..de939c86b09621dbddb7c5f1445ad1bf4ed4b717 100644 (file)
--- a/hippotatlib/__init__.py
+++ b/hippotatlib/__init__.py
@@ -50,6 +50,9 @@ from functools import partial
 
 import collections
 import time
 
 import collections
 import time

+import hmac
+import hashlib
+import base64

 import codecs
 import traceback
 
 import codecs
 import traceback
 


@@ -139,6 +142,7 @@ port = 80
 vroutes = ''
 ifname_client = hippo%%d
 ifname_server = shippo%%d
 vroutes = ''
 ifname_client = hippo%%d
 ifname_server = shippo%%d

+max_clock_skew = 300

 
 #[server] or [<client>] overrides
 ipif = userv root ipif %(local)s,%(peer)s,%(mtu)s,slip,%(ifname)s %(rnets)s
 
 #[server] or [<client>] overrides
 ipif = userv root ipif %(local)s,%(peer)s,%(mtu)s,slip,%(ifname)s %(rnets)s


@@ -367,6 +371,34 @@ def crash_on_critical(event):
   if event.get('log_level') >= LogLevel.critical:
     crash(twisted.logger.formatEvent(event))
 
   if event.get('log_level') >= LogLevel.critical:
     crash(twisted.logger.formatEvent(event))
 

+#---------- authentication tokens ----------
+
+_authtoken_digest = hashlib.sha256
+
+def _authtoken_time():
+  return int(time.time())
+
+def _authtoken_hmac(secret, hextime):
+  return hmac.new(secret, hextime, _authtoken_digest).digest()
+
+def authtoken_make(secret):
+  hextime = ('%x' % _authtoken_time()).encode('ascii')
+  mac = _authtoken_hmac(secret, hextime)
+  return hextime + b' ' + base64.b64encode(mac)
+
+def authtoken_check(secret, token, maxskew):
+  (hextime, theirmac64) = token.split(b' ')
+  now = _authtoken_time()
+  then = int(hextime, 16)
+  skew = then - now;
+  if (abs(skew) > maxskew):
+    raise ValueError('too much clock skew (client %ds ahead)' % skew)
+  theirmac = base64.b64decode(theirmac64)
+  ourmac = _authtoken_hmac(secret, hextime)
+  if not hmac.compare_digest(theirmac, ourmac):
+    raise ValueError('invalid token (wrong secret?)')
+  pass
+

 #---------- config processing ----------
 
 def _cfg_process_putatives():
 #---------- config processing ----------
 
 def _cfg_process_putatives():


@@ -545,6 +577,9 @@ def cfg_process_ipif(c, sections, varmap):
     try: v = getattr(c, s)
     except AttributeError: continue
     setattr(c, d, v)
     try: v = getattr(c, s)
     except AttributeError: continue
     setattr(c, d, v)

+  for d in ('mtu',):
+    v = cfg_search(cfg.get, d, sections)
+    setattr(c, d, v)

 
   #print('CFGIPIF',repr((varmap, sections, c.__dict__)),file=sys.stderr)
 
 
   #print('CFGIPIF',repr((varmap, sections, c.__dict__)),file=sys.stderr)