import catacomb as C
import os as OS
import sys as SYS
-import sre as RX
+import re as RX
import getopt as O
import shutil as SH
+import time as T
import filecmp as FC
from cStringIO import StringIO
from errno import *
## Match the literal string "<SEQ>".
rx_seq = RX.compile(r'\<SEQ\>')
+## Match a shell metacharacter.
+rx_shmeta = RX.compile('[\\s`!"#$&*()\\[\\];\'|<>?\\\\]')
+
+## Match a character which needs escaping in a shell double-quoted string.
+rx_shquote = RX.compile(r'["`$\\]')
+
###--------------------------------------------------------------------------
### Utility functions.
out.write(s[i:])
return out.getvalue()
+def shell_quotify(arg):
+ """
+ Quotify ARG to keep the shell happy.
+
+ This isn't actually used for invoking commands, just for presentation
+ purposes; but correctness is still nice.
+ """
+ if not rx_shmeta.search(arg):
+ return arg
+ elif arg.find("'") == -1:
+ return "'%s'" % arg
+ else:
+ return '"%s"' % rx_shquote.sub(lambda m: '\\' + m.group(0), arg)
+
def rmtree(path):
"""Delete the directory tree given by PATH."""
try:
else:
nargs += a[1:].split()
args = nargs
- print '+ %s' % ' '.join(args)
+ print '+ %s' % ' '.join([shell_quotify(arg) for arg in args])
+ SYS.stdout.flush()
rc = OS.spawnvp(OS.P_WAIT, args[0], args)
if rc != 0:
raise SubprocessError, rc
('conf-file', '${base-dir}tripe-keys.conf'),
('upload-hook', ': run upload hook'),
('kx', 'dh'),
- ('kx-param', lambda: {'dh': '-LS -b2048 -B256',
+ ('kx-param', lambda: {'dh': '-LS -b3072 -B256',
'ec': '-Cnist-p256'}[conf['kx']]),
('kx-expire', 'now + 1 year'),
- ('cipher', 'blowfish-cbc'),
+ ('kx-warn-days', '28'),
+ ('cipher', 'rijndael-cbc'),
('hash', 'sha256'),
('master-keygen-flags', '-l'),
('mgf', '${hash}-mgf'),
'rsapss': 'rsa',
'ecdsa': 'ec',
'eckcdsa': 'ec'}[conf['sig']]),
- ('sig-param', lambda: {'dh': '-LS -b2048 -B256',
- 'dsa': '-b2048 -B256',
+ ('sig-param', lambda: {'dh': '-LS -b3072 -B256',
+ 'dsa': '-b3072 -B256',
'ec': '-Cnist-p256',
- 'rsa': '-b2048'}[conf['sig-genalg']]),
+ 'rsa': '-b3072'}[conf['sig-genalg']]),
('sig-hash', '${hash}'),
('sig-expire', 'forever'),
('fingerprint-hash', '${hash}')]:
OS.mkdir('repos')
run('''key -krepos/param add
-a${kx}-param !${kx-param}
- -eforever -tparam tripe-${kx}-param
- cipher=${cipher} hash=${hash} mac=${mac} mgf=${mgf}''')
+ -eforever -tparam tripe-param
+ kx-group=${kx} cipher=${cipher} hash=${hash} mac=${mac} mgf=${mgf}''')
cmd_newmaster(args)
###--------------------------------------------------------------------------
keyring_pub = 'peer-%s.pub' % tag
zap('keyring'); zap(keyring_pub)
run('key -kkeyring merge repos/param')
- run('key -kkeyring add -a${kx} -pparam -e${kx-expire} -t%s tripe-${kx}' %
+ run('key -kkeyring add -a${kx} -pparam -e${kx-expire} -t%s tripe' %
tag)
run('key -kkeyring extract -f-secret %s %s' % (keyring_pub, tag))
r == 'keyring' or r == 'keyring.pub' or r.startswith('peer-')):
zap(i)
+###--------------------------------------------------------------------------
+### Commands: check
+
+def check_key(k):
+ now = T.time()
+ thresh = int(conf['kx-warn-days']) * 86400
+ if k.exptime == C.KEXP_FOREVER: return None
+ elif k.exptime == C.KEXP_EXPIRE: left = -1
+ else: left = k.exptime - now
+ if left < 0:
+ return "key `%s' HAS EXPIRED" % k.tag
+ elif left < thresh:
+ if left >= 86400: n, u, uu = left // 86400, 'day', 'days'
+ else: n, u, uu = left // 3600, 'hour', 'hours'
+ return "key `%s' EXPIRES in %d %s" % (k.tag, n, n == 1 and u or uu)
+ else:
+ return None
+
+def cmd_check(args):
+ if OS.path.exists('keyring.pub'):
+ for k in C.KeyFile('keyring.pub').itervalues():
+ whinge = check_key(k)
+ if whinge is not None: print whinge
+ if OS.path.exists('master'):
+ whinges = []
+ for k in C.KeyFile('master').itervalues():
+ whinge = check_key(k)
+ if whinge is None: break
+ whinges.append(whinge)
+ else:
+ for whinge in whinges: print whinge
+
+###--------------------------------------------------------------------------
+### Commands: mtu
+
+def cmd_mtu(args):
+ mtu, = (lambda mtu = '1500': (mtu,))(*args)
+ mtu = int(mtu)
+
+ blksz = C.gcciphers[conf['cipher']].blksz
+
+ index = conf['mac'].find('/')
+ if index == -1:
+ tagsz = C.gcmacs[conf['mac']].tagsz
+ else:
+ tagsz = int(conf['mac'][index + 1:])/8
+
+ mtu -= 20 # Minimum IP header
+ mtu -= 8 # UDP header
+ mtu -= 1 # TrIPE packet type octet
+ mtu -= tagsz # MAC tag
+ mtu -= 4 # Sequence number
+ mtu -= blksz # Initialization vector
+
+ print mtu
+
###--------------------------------------------------------------------------
### Main driver.
'upload': (cmd_upload, 0, 0, ''),
'update': (cmd_update, 0, 0, ''),
'clean': (cmd_clean, 0, 0, ''),
+ 'mtu': (cmd_mtu, 0, 1, '[PATH-MTU]'),
+ 'check': (cmd_check, 0, 0, ''),
'generate': (cmd_generate, 1, 1, 'TAG'),
'rebuild': (cmd_rebuild, 0, 0, '')}