Merge branch 'proto' into re6st-slapos

63a812b1 · Alain Takoudjou · e70bead5 · abae0b5d · 63a812b1 · 63a812b1
Commit 63a812b1 authored Apr 14, 2015 by Alain Takoudjou
Showing with 32 additions and 10 deletions

demo/demo demo/demo +1 -1

re6st-conf re6st-conf +1 -1

re6st/registry.py re6st/registry.py +1 -1

re6st/tunnel.py re6st/tunnel.py +12 -0

re6st/x509.py re6st/x509.py +8 -4

setup.py setup.py +9 -3

No files found.
--- a/demo/demo
+++ b/demo/demo
@@ -172,7 +172,7 @@ if 1:
        " -set_serial 0x120010db80042 -days %u" % CA_DAYS, shell=True)
    with open('ca.crt') as f:
        ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
-    fingerprint = "sha1:" + hashlib.sha1(
+    fingerprint = "sha256:" + hashlib.sha256(
        crypto.dump_certificate(crypto.FILETYPE_ASN1, ca)).hexdigest()
    db_path = 'registry/registry.db'
    registry.screen('./py re6st-registry @registry/re6st-registry.conf'

--- a/re6st-conf
+++ b/re6st-conf
@@ -119,7 +119,7 @@ def main():
            create(key_path, key, 0600)

        req.set_pubkey(pkey)
-        req.sign(pkey, 'sha1')
+        req.sign(pkey, 'sha512')
        req = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)

        # First make sure we can open certificate file for writing,

--- a/re6st/registry.py
+++ b/re6st/registry.py
@@ -409,7 +409,7 @@ class RegistryServer(object):
        serial = 1 + self.getConfig('serial', 0)
        self.setConfig('serial', serial)
        cert.set_serial_number(serial)
-        cert.sign(self.cert.key, 'sha1')
+        cert.sign(self.cert.key, 'sha512')
        cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
        self.db.execute("UPDATE cert SET cert = ? WHERE prefix = ?",
                        (cert, client_prefix))

--- a/re6st/tunnel.py
+++ b/re6st/tunnel.py
@@ -607,12 +607,24 @@ class TunnelManager(BaseTunnelManager):
        return disconnected

    def _tunnelScore(self, prefix):
+        # First try to not kill a persistent tunnel (see --neighbour option).
+        # Then sort by the number of routed nodes.
        n = 0
        try:
            for x in self.ctl.neighbours[prefix][1]:
+                # Ignore the default route, which is redundant with the
+                # border gateway node.
                if x:
                    n += 1
        except KeyError:
+            # XXX: The route for this neighbour is not direct. In this case,
+            #      a KeyError was raised because babeld dump doesn't give us
+            #      enough information to match the neighbour prefix with its
+            #      link-local address. This is a good candidate (so we return
+            #      ()), but for the same reason, such tunnel can't be killed.
+            #      In order not to remain indefinitely in a state where we
+            #      never delete any tunnel because we would always select an
+            #      unkillable one, we should return an higher score.
            pass
        return (prefix in self._neighbour_set, n) if n else ()


--- a/re6st/x509.py
+++ b/re6st/x509.py
@@ -138,10 +138,10 @@ class Cert(object):
        return r

    def verify(self, sign, data):
-        crypto.verify(self.ca, sign, data, 'sha1')
+        crypto.verify(self.ca, sign, data, 'sha512')

    def sign(self, data):
-        return crypto.sign(self.key, data, 'sha1')
+        return crypto.sign(self.key, data, 'sha512')

    def decrypt(self, data):
        p = openssl('rsautl', '-decrypt', '-inkey', self.key_path)
@@ -179,6 +179,11 @@ class Peer(object):
    - hello0 packets (0 & 1) are subject to DoS, because verifying a
      certificate uses much CPU. A solution would be to use TCP until the
      secret is exchanged and continue with UDP.
+
+    The fingerprint is only used to quickly know if peer's certificate has
+    changed. It must be short enough to not exceed packet size when using
+    certificates with 4096-bit keys. A weak algorithm is ok as long as there
+    is no accidental collision. So SHA-1 looks fine.
    """
    _hello = _last = 0
    _key = newHmacSecret()
@@ -187,7 +192,6 @@ class Peer(object):
    version = ''

    def __init__(self, prefix):
-        assert len(prefix) == 16 or prefix == ('0' * 14 + '1' + '0' * 65), prefix
        self.prefix = prefix

    @property
@@ -233,7 +237,7 @@ class Peer(object):
        self._last = None

    def verify(self, sign, data):
-        crypto.verify(self.cert, sign, data, 'sha1')
+        crypto.verify(self.cert, sign, data, 'sha512')

    seqno_struct = struct.Struct("!L")


--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,6 @@
 from setuptools import setup, find_packages
 from setuptools.command import sdist as _sdist, build_py as _build_py
 from distutils import log
-from re6st import version

 version = {"__file__": "re6st/version.py"}
 execfile(version["__file__"], version)
@@ -38,9 +37,16 @@ Topic :: Internet
 Topic :: System :: Networking
 """

+egg_version = "0.%(revision)s" % version
+
+git_rev = """
+
+Git Revision: %s == %s
+""" % (egg_version, version["short"])
+
 setup(
    name = 're6stnet',
-    version = version["version"],
+    version = egg_version,
    description = __doc__.strip(),
    author = 'Nexedi',
    author_email = 're6stnet@erp5.org',
@@ -49,7 +55,7 @@ setup(
    platforms = ["any"],
    classifiers=classifiers.splitlines(),
    long_description = ".. contents::\n\n" + open('README').read()
-                     + "\n" + open('CHANGES').read(),
+                     + "\n" + open('CHANGES').read() + git_rev,
    packages = find_packages(),
    scripts = [
            're6stnet',