X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=hippotat.git;a=blobdiff_plain;f=hippotatlib%2F__init__.py;h=de939c86b09621dbddb7c5f1445ad1bf4ed4b717;hp=282266c009651b004ec940f7b79aac2b84f5c3c7;hb=a14782d3bb7fe3e65f19e45d913d2e5f5d8662bb;hpb=dce21e00c38132b17ec973923f4f7d0cbf47049f diff --git a/hippotatlib/__init__.py b/hippotatlib/__init__.py index 282266c..de939c8 100644 --- a/hippotatlib/__init__.py +++ b/hippotatlib/__init__.py @@ -50,6 +50,9 @@ from functools import partial import collections import time +import hmac +import hashlib +import base64 import codecs import traceback @@ -139,6 +142,7 @@ port = 80 vroutes = '' ifname_client = hippo%%d ifname_server = shippo%%d +max_clock_skew = 300 #[server] or [] overrides ipif = userv root ipif %(local)s,%(peer)s,%(mtu)s,slip,%(ifname)s %(rnets)s @@ -367,6 +371,34 @@ def crash_on_critical(event): if event.get('log_level') >= LogLevel.critical: crash(twisted.logger.formatEvent(event)) +#---------- authentication tokens ---------- + +_authtoken_digest = hashlib.sha256 + +def _authtoken_time(): + return int(time.time()) + +def _authtoken_hmac(secret, hextime): + return hmac.new(secret, hextime, _authtoken_digest).digest() + +def authtoken_make(secret): + hextime = ('%x' % _authtoken_time()).encode('ascii') + mac = _authtoken_hmac(secret, hextime) + return hextime + b' ' + base64.b64encode(mac) + +def authtoken_check(secret, token, maxskew): + (hextime, theirmac64) = token.split(b' ') + now = _authtoken_time() + then = int(hextime, 16) + skew = then - now; + if (abs(skew) > maxskew): + raise ValueError('too much clock skew (client %ds ahead)' % skew) + theirmac = base64.b64decode(theirmac64) + ourmac = _authtoken_hmac(secret, hextime) + if not hmac.compare_digest(theirmac, ourmac): + raise ValueError('invalid token (wrong secret?)') + pass + #---------- config processing ---------- def _cfg_process_putatives(): @@ -545,6 +577,9 @@ def cfg_process_ipif(c, sections, varmap): try: v = getattr(c, s) except AttributeError: continue setattr(c, d, v) + for d in ('mtu',): + v = cfg_search(cfg.get, d, sections) + setattr(c, d, v) #print('CFGIPIF',repr((varmap, sections, c.__dict__)),file=sys.stderr)