63a812b1
Commit
63a812b1
authored
Apr 14, 2015
by
Alain Takoudjou
Merge branch 'proto' into re6st-slapos
parents
e70bead5
abae0b5d
Showing
6 changed files
with
32 additions
and
10 deletions
+32
-10
demo/demo
demo/demo
+1
-1
re6st-conf
re6st-conf
+1
-1
re6st/registry.py
re6st/registry.py
+1
-1
re6st/tunnel.py
re6st/tunnel.py
+12
-0
re6st/x509.py
re6st/x509.py
+8
-4
setup.py
setup.py
+9
-3
demo/demo
...
...
@@ -172,7 +172,7 @@ if 1:
" -set_serial 0x120010db80042 -days %u" % CA_DAYS, shell=True)
with open('ca.crt') as f:
ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
fingerprint = "sha
1:" + hashlib.sha1
(
fingerprint = "sha
256:" + hashlib.sha256
(
crypto.dump_certificate(crypto.FILETYPE_ASN1, ca)).hexdigest()
db_path = 'registry/registry.db'
registry.screen('./py re6st-registry @registry/re6st-registry.conf'
...
...
re6st-conf
...
...
@@ -119,7 +119,7 @@ def main():
create
(
key_path
,
key
,
0600
)
req
.
set_pubkey
(
pkey
)
req
.
sign
(
pkey
,
'sha
1
'
)
req
.
sign
(
pkey
,
'sha
512
'
)
req
=
crypto
.
dump_certificate_request
(
crypto
.
FILETYPE_PEM
,
req
)
# First make sure we can open certificate file for writing,
...
...
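Review bot: The digest name in `req.sign(pkey, 'sha512')` is a bare literal that this commit also introduces in re6st/registry.py (`cert.sign(self.cert.key, 'sha512')`) and three times in re6st/x509.py (`Cert.verify`, `Cert.sign`, `Peer.verify`); at least the signing and verifying pairs in x509.py must agree for signatures to verify, and a single definition makes that dependency visible instead of relying on five literals staying in step. Define it once, for example `DIGEST = 'sha512'` at module level in re6st/x509.py, and write `req.sign(pkey, x509.DIGEST)` here, assuming re6st-conf can import that module (its imports are outside the hunk). main() begins before this hunk.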
re6st/registry.py
...
...
@@ -409,7 +409,7 @@ class RegistryServer(object):
serial
=
1
+
self
.
getConfig
(
'serial'
,
0
)
self
.
setConfig
(
'serial'
,
serial
)
cert
.
set_serial_number
(
serial
)
cert
.
sign
(
self
.
cert
.
key
,
'sha
1
'
)
cert
.
sign
(
self
.
cert
.
key
,
'sha
512
'
)
cert
=
crypto
.
dump_certificate
(
crypto
.
FILETYPE_PEM
,
cert
)
self
.
db
.
execute
(
"UPDATE cert SET cert = ? WHERE prefix = ?"
,
(
cert
,
client_prefix
))
...
...
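Review bot: Certificates signed from here now use SHA-512, but SHA-1-signed certificates already stored in the `cert` table stay as they are until the client owning that prefix comes back through this same `UPDATE` path; nothing in the hunk forces that, so SHA-1 signatures remain in circulation for as long as existing certificates are valid. If retiring SHA-1 is the goal, the cut-over date is effectively the longest remaining certificate lifetime, and that is worth recording next to the call, e.g. `# Digest applies on (re)issue only; certs already in the table keep the digest they were issued with.` The enclosing method starts before this hunk, so whether anything else expires old certificates is not visible here.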
re6st/tunnel.py
...
...
@@ -607,12 +607,24 @@ class TunnelManager(BaseTunnelManager):
return
disconnected
def
_tunnelScore
(
self
,
prefix
):
# First try to not kill a persistent tunnel (see --neighbour option).
# Then sort by the number of routed nodes.
n
=
0
try
:
for
x
in
self
.
ctl
.
neighbours
[
prefix
][
1
]:
# Ignore the default route, which is redundant with the
# border gateway node.
if
x
:
n
+=
1
except
KeyError
:
# XXX: The route for this neighbour is not direct. In this case,
# a KeyError was raised because babeld dump doesn't give us
# enough information to match the neighbour prefix with its
# link-local address. This is a good candidate (so we return
# ()), but for the same reason, such tunnel can't be killed.
# In order not to remain indefinitely in a state where we
# never delete any tunnel because we would always select an
# unkillable one, we should return an higher score.
pass
return
(
prefix
in
self
.
_neighbour_set
,
n
)
if
n
else
()
...
...
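Review bot: The `except KeyError:` branch of `_tunnelScore` ends in `pass`, so the case its own comment says "should return an higher score" falls through to the same `return ()` as a neighbour that routes nothing, and the caller cannot tell the unkillable tunnel from an idle one. The comment therefore describes behaviour the code does not implement; if the higher score is deliberately deferred, make that explicit, e.g. `# TODO: return a score above () here instead of falling through.` immediately before `pass`, so the placeholder is not mistaken for the final design. Minor style point: the counting loop can be written `n = sum(1 for x in self.ctl.neighbours[prefix][1] if x)` inside the same `try`, which keeps the KeyError handling unchanged.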
re6st/x509.py
...
...
@@ -138,10 +138,10 @@ class Cert(object):
return
r
def
verify
(
self
,
sign
,
data
):
crypto
.
verify
(
self
.
ca
,
sign
,
data
,
'sha
1
'
)
crypto
.
verify
(
self
.
ca
,
sign
,
data
,
'sha
512
'
)
def
sign
(
self
,
data
):
return
crypto
.
sign
(
self
.
key
,
data
,
'sha
1
'
)
return
crypto
.
sign
(
self
.
key
,
data
,
'sha
512
'
)
def
decrypt
(
self
,
data
):
p
=
openssl
(
'rsautl'
,
'-decrypt'
,
'-inkey'
,
self
.
key_path
)
...
...
@@ -179,6 +179,11 @@ class Peer(object):
- hello0 packets (0 & 1) are subject to DoS, because verifying a
certificate uses much CPU. A solution would be to use TCP until the
secret is exchanged and continue with UDP.
The fingerprint is only used to quickly know if peer's certificate has
changed. It must be short enough to not exceed packet size when using
certificates with 4096-bit keys. A weak algorithm is ok as long as there
is no accidental collision. So SHA-1 looks fine.
"""
_hello
=
_last
=
0
_key
=
newHmacSecret
()
...
...
@@ -187,7 +192,6 @@ class Peer(object):
version
=
''
def
__init__
(
self
,
prefix
):
assert
len
(
prefix
)
==
16
or
prefix
==
(
'0'
*
14
+
'1'
+
'0'
*
65
),
prefix
self
.
prefix
=
prefix
@
property
...
...
@@ -233,7 +237,7 @@ class Peer(object):
self
.
_last
=
None
def
verify
(
self
,
sign
,
data
):
crypto
.
verify
(
self
.
cert
,
sign
,
data
,
'sha
1
'
)
crypto
.
verify
(
self
.
cert
,
sign
,
data
,
'sha
512
'
)
seqno_struct
=
struct
.
Struct
(
"!L"
)
...
...
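Review bot: `Cert.verify` and `Peer.verify` (first and last hunks) now accept only SHA-512 signatures, so a peer still running the previous release, which signs with SHA-1 as the removed lines show, is rejected outright and a mixed-version network stays split until every node is upgraded. If that is the intended cut-over, a comment on both `verify` methods such as `# SHA-1 signatures from pre-sha512 peers are rejected on purpose.` records it; if a transition period is needed, gate the digest on the `version` attribute visible in the third hunk rather than trying both digests, so the weaker one is not accepted indefinitely. The new Peer docstring's statement that a weak digest is fine for the fingerprint holds only while the fingerprint is a change detector and trust in a changed certificate is re-established by verifying it; adding that condition to the docstring would keep a later reader from widening the fingerprint's role. Both `Cert` and `Peer` continue outside these hunks.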
setup.py
...
...
@@ -4,7 +4,6 @@
from
setuptools
import
setup
,
find_packages
from
setuptools.command
import
sdist
as
_sdist
,
build_py
as
_build_py
from
distutils
import
log
from
re6st
import
version
version
=
{
"__file__"
:
"re6st/version.py"
}
execfile
(
version
[
"__file__"
],
version
)
...
...
@@ -38,9 +37,16 @@ Topic :: Internet
Topic :: System :: Networking
"""
egg_version
=
"0.%(revision)s"
%
version
git_rev
=
"""
Git Revision: %s == %s
"""
%
(
egg_version
,
version
[
"short"
])
setup
(
name
=
're6stnet'
,
version
=
version
[
"version"
]
,
version
=
egg_version
,
description
=
__doc__
.
strip
(),
author
=
'Nexedi'
,
author_email
=
're6stnet@erp5.org'
,
...
...
@@ -49,7 +55,7 @@ setup(
platforms
=
[
"any"
],
classifiers
=
classifiers
.
splitlines
(),
long_description
=
".. contents::
\
n
\
n
"
+
open
(
'README'
).
read
()
+
"
\
n
"
+
open
(
'CHANGES'
).
read
(),
+
"
\
n
"
+
open
(
'CHANGES'
).
read
()
+
git_rev
,
packages
=
find_packages
(),
scripts
=
[
're6stnet'
,
...
...
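Review bot: The package version is now `egg_version = "0.%(revision)s" % version`, which depends entirely on what re6st/version.py assigns to `revision`; that file is not in this diff, and if `revision` is a commit count then two branches of the same repository can produce the same version for different code, as this merge with two parents illustrates. The exact commit is only recorded in `git_rev` inside `long_description`, which installers do not compare, so the ambiguity is invisible at install time. Worth stating above `egg_version`, e.g. `# revision is not unique across branches; the exact commit is in git_rev only.`, or reconsidering whether `version["short"]` belongs in the version string. Also `execfile(version["__file__"], version)` pre-defines only `__file__`, so a missing `revision` or `short` key surfaces later as a bare KeyError from the `%` formatting; a one-line comment naming the keys version.py must define would make that contract explicit.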