Commit | Line | Data |
---|---|---|
060ca767 | 1 | #! @PYTHON@ |
fd42a1e5 MW |
2 | ### -*-python-*- |
3 | ### | |
4 | ### Key management and distribution | |
5 | ### | |
6 | ### (c) 2006 Straylight/Edgeware | |
7 | ### | |
8 | ||
9 | ###----- Licensing notice --------------------------------------------------- | |
10 | ### | |
11 | ### This file is part of Trivial IP Encryption (TrIPE). | |
12 | ### | |
13 | ### TrIPE is free software; you can redistribute it and/or modify | |
14 | ### it under the terms of the GNU General Public License as published by | |
15 | ### the Free Software Foundation; either version 2 of the License, or | |
16 | ### (at your option) any later version. | |
17 | ### | |
18 | ### TrIPE is distributed in the hope that it will be useful, | |
19 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
20 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
21 | ### GNU General Public License for more details. | |
22 | ### | |
23 | ### You should have received a copy of the GNU General Public License | |
24 | ### along with TrIPE; if not, write to the Free Software Foundation, | |
25 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
26 | ||
27 | ###-------------------------------------------------------------------------- | |
28 | ### External dependencies. | |
060ca767 | 29 | |
30 | import catacomb as C | |
31 | import os as OS | |
32 | import sys as SYS | |
c55f0b7c | 33 | import re as RX |
060ca767 | 34 | import getopt as O |
c77687d5 | 35 | import shutil as SH |
c2f28e4b | 36 | import time as T |
c77687d5 | 37 | import filecmp as FC |
060ca767 | 38 | from cStringIO import StringIO |
39 | from errno import * | |
40 | from stat import * | |
41 | ||
fd42a1e5 | 42 | ###-------------------------------------------------------------------------- |
060ca767 | 43 | ### Useful regular expressions |
44 | ||
fd42a1e5 | 45 | ## Match a comment or blank line. |
c77687d5 | 46 | rx_comment = RX.compile(r'^\s*(#|$)') |
fd42a1e5 MW |
47 | |
48 | ## Match a KEY = VALUE assignment. | |
c77687d5 | 49 | rx_keyval = RX.compile(r'^\s*([-\w]+)(?:\s+(?!=)|\s*=\s*)(|\S|\S.*\S)\s*$') |
fd42a1e5 MW |
50 | |
51 | ## Match a ${KEY} substitution. | |
c77687d5 | 52 | rx_dollarsubst = RX.compile(r'\$\{([-\w]+)\}') |
fd42a1e5 MW |
53 | |
54 | ## Match a @TAG@ substitution. | |
c77687d5 | 55 | rx_atsubst = RX.compile(r'@([-\w]+)@') |
fd42a1e5 MW |
56 | |
57 | ## Match a single non-alphanumeric character. | |
c77687d5 | 58 | rx_nonalpha = RX.compile(r'\W') |
fd42a1e5 MW |
59 | |
60 | ## Match the literal string "<SEQ>". | |
c77687d5 | 61 | rx_seq = RX.compile(r'\<SEQ\>') |
060ca767 | 62 | |
6005ef9b MW |
63 | ## Match a shell metacharacter. |
64 | rx_shmeta = RX.compile('[\\s`!"#$&*()\\[\\];\'|<>?\\\\]') | |
65 | ||
66 | ## Match a character which needs escaping in a shell double-quoted string. | |
67 | rx_shquote = RX.compile(r'["`$\\]') | |
68 | ||
fd42a1e5 MW |
69 | ###-------------------------------------------------------------------------- |
70 | ### Utility functions. | |
060ca767 | 71 | |
fd42a1e5 | 72 | ## Exceptions. |
060ca767 | 73 | class SubprocessError (Exception): pass |
74 | class VerifyError (Exception): pass | |
75 | ||
fd42a1e5 | 76 | ## Program name and identification. |
060ca767 | 77 | quis = OS.path.basename(SYS.argv[0]) |
78 | PACKAGE = "@PACKAGE@" | |
79 | VERSION = "@VERSION@" | |
80 | ||
81 | def moan(msg): | |
fd42a1e5 | 82 | """Report MSG to standard error.""" |
060ca767 | 83 | SYS.stderr.write('%s: %s\n' % (quis, msg)) |
84 | ||
85 | def die(msg, rc = 1): | |
fd42a1e5 | 86 | """Report MSG to standard error, and exit with code RC.""" |
060ca767 | 87 | moan(msg) |
88 | SYS.exit(rc) | |
89 | ||
90 | def subst(s, rx, map): | |
fd42a1e5 MW |
91 | """ |
92 | Substitute values into a string. | |
93 | ||
94 | Repeatedly match RX (a compiled regular expression) against the string S. | |
95 | For each match, extract group 1, and use it as a key to index the MAP; | |
96 | replace the match by the result. Finally, return the fully-substituted | |
97 | string. | |
98 | """ | |
060ca767 | 99 | out = StringIO() |
100 | i = 0 | |
101 | for m in rx.finditer(s): | |
102 | out.write(s[i:m.start()] + map[m.group(1)]) | |
103 | i = m.end() | |
104 | out.write(s[i:]) | |
105 | return out.getvalue() | |
106 | ||
6005ef9b MW |
107 | def shell_quotify(arg): |
108 | """ | |
109 | Quotify ARG to keep the shell happy. | |
110 | ||
111 | This isn't actually used for invoking commands, just for presentation | |
112 | purposes; but correctness is still nice. | |
113 | """ | |
114 | if not rx_shmeta.search(arg): | |
115 | return arg | |
116 | elif arg.find("'") == -1: | |
117 | return "'%s'" % arg | |
118 | else: | |
119 | return '"%s"' % rx_shquote.sub(lambda m: '\\' + m.group(0), arg) | |
120 | ||
060ca767 | 121 | def rmtree(path): |
fd42a1e5 | 122 | """Delete the directory tree given by PATH.""" |
060ca767 | 123 | try: |
c77687d5 | 124 | st = OS.lstat(path) |
060ca767 | 125 | except OSError, err: |
126 | if err.errno == ENOENT: | |
127 | return | |
128 | raise | |
129 | if not S_ISDIR(st.st_mode): | |
130 | OS.unlink(path) | |
131 | else: | |
132 | cwd = OS.getcwd() | |
133 | try: | |
134 | OS.chdir(path) | |
135 | for i in OS.listdir('.'): | |
136 | rmtree(i) | |
137 | finally: | |
138 | OS.chdir(cwd) | |
139 | OS.rmdir(path) | |
140 | ||
141 | def zap(file): | |
fd42a1e5 | 142 | """Delete the named FILE if it exists; otherwise do nothing.""" |
060ca767 | 143 | try: |
144 | OS.unlink(file) | |
145 | except OSError, err: | |
146 | if err.errno == ENOENT: return | |
147 | raise | |
148 | ||
149 | def run(args): | |
fd42a1e5 MW |
150 | """ |
151 | Run a subprocess whose arguments are given by the string ARGS. | |
152 | ||
153 | The ARGS are split at word boundaries, and then subjected to configuration | |
154 | variable substitution (see conf_subst). Individual argument elements | |
155 | beginning with `!' are split again into multiple arguments at word | |
156 | boundaries. | |
157 | """ | |
060ca767 | 158 | args = map(conf_subst, args.split()) |
159 | nargs = [] | |
160 | for a in args: | |
161 | if len(a) > 0 and a[0] != '!': | |
162 | nargs += [a] | |
163 | else: | |
164 | nargs += a[1:].split() | |
165 | args = nargs | |
6005ef9b | 166 | print '+ %s' % ' '.join([shell_quotify(arg) for arg in args]) |
8cae2567 | 167 | SYS.stdout.flush() |
060ca767 | 168 | rc = OS.spawnvp(OS.P_WAIT, args[0], args) |
169 | if rc != 0: | |
170 | raise SubprocessError, rc | |
171 | ||
172 | def hexhyphens(bytes): | |
fd42a1e5 MW |
173 | """ |
174 | Convert a byte string BYTES into hex, with hyphens at each 4-byte boundary. | |
175 | """ | |
060ca767 | 176 | out = StringIO() |
177 | for i in xrange(0, len(bytes)): | |
178 | if i > 0 and i % 4 == 0: out.write('-') | |
179 | out.write('%02x' % ord(bytes[i])) | |
180 | return out.getvalue() | |
181 | ||
182 | def fingerprint(kf, ktag): | |
fd42a1e5 MW |
183 | """ |
184 | Compute the fingerprint of a key, using the user's selected hash. | |
185 | ||
186 | KF is the name of a keyfile; KTAG is the tag of the key. | |
187 | """ | |
060ca767 | 188 | h = C.gchashes[conf['fingerprint-hash']]() |
189 | k = C.KeyFile(kf)[ktag].fingerprint(h, '-secret') | |
190 | return h.done() | |
191 | ||
fd42a1e5 MW |
192 | ###-------------------------------------------------------------------------- |
193 | ### The configuration file. | |
060ca767 | 194 | |
fd42a1e5 | 195 | ## Exceptions. |
060ca767 | 196 | class ConfigFileError (Exception): pass |
fd42a1e5 MW |
197 | |
198 | ## The configuration dictionary. | |
060ca767 | 199 | conf = {} |
200 | ||
fd42a1e5 MW |
201 | def conf_subst(s): |
202 | """ | |
203 | Apply configuration substitutions to S. | |
204 | ||
205 | That is, for each ${KEY} in S, replace it with the current value of the | |
206 | configuration variable KEY. | |
207 | """ | |
208 | return subst(s, rx_dollarsubst, conf) | |
060ca767 | 209 | |
060ca767 | 210 | def conf_read(f): |
fd42a1e5 MW |
211 | """ |
212 | Read the file F and insert assignments into the configuration dictionary. | |
213 | """ | |
060ca767 | 214 | lno = 0 |
215 | for line in file(f): | |
216 | lno += 1 | |
c77687d5 | 217 | if rx_comment.match(line): continue |
060ca767 | 218 | if line[-1] == '\n': line = line[:-1] |
c77687d5 | 219 | match = rx_keyval.match(line) |
060ca767 | 220 | if not match: |
221 | raise ConfigFileError, "%s:%d: bad line `%s'" % (f, lno, line) | |
222 | k, v = match.groups() | |
223 | conf[k] = conf_subst(v) | |
224 | ||
060ca767 | 225 | def conf_defaults(): |
fd42a1e5 MW |
226 | """ |
227 | Apply defaults to the configuration dictionary. | |
228 | ||
229 | Fill in all the interesting configuration variables based on the existing | |
230 | contents, as described in the manual. | |
231 | """ | |
c77687d5 | 232 | for k, v in [('repos-base', 'tripe-keys.tar.gz'), |
233 | ('sig-base', 'tripe-keys.sig-<SEQ>'), | |
234 | ('repos-url', '${base-url}${repos-base}'), | |
235 | ('sig-url', '${base-url}${sig-base}'), | |
236 | ('sig-file', '${base-dir}${sig-base}'), | |
237 | ('repos-file', '${base-dir}${repos-base}'), | |
060ca767 | 238 | ('conf-file', '${base-dir}tripe-keys.conf'), |
b14ccd2f | 239 | ('upload-hook', ': run upload hook'), |
060ca767 | 240 | ('kx', 'dh'), |
256bc8d0 | 241 | ('kx-genalg', lambda: {'dh': 'dh', |
26936c83 MW |
242 | 'ec': 'ec', |
243 | 'x25519': 'x25519', | |
244 | 'x448': 'x448'}[conf['kx']]), | |
256bc8d0 | 245 | ('kx-param-genalg', lambda: {'dh': 'dh-param', |
26936c83 MW |
246 | 'ec': 'ec-param', |
247 | 'x25519': 'empty', | |
248 | 'x448': 'empty'}[conf['kx']]), | |
ca3aaaeb | 249 | ('kx-param', lambda: {'dh': '-LS -b3072 -B256', |
26936c83 MW |
250 | 'ec': '-Cnist-p256', |
251 | 'x25519': '', | |
252 | 'x448': ''}[conf['kx']]), | |
253 | ('kx-attrs', lambda: {'dh': 'serialization=constlen', | |
254 | 'ec': 'serialization=constlen', | |
255 | 'x25519': '', | |
256 | 'x448': ''}[conf['kx']]), | |
060ca767 | 257 | ('kx-expire', 'now + 1 year'), |
c2f28e4b | 258 | ('kx-warn-days', '28'), |
39bcd193 | 259 | ('bulk', 'iiv'), |
de8edc7f MW |
260 | ('cipher', lambda: conf['bulk'] == 'naclbox' |
261 | and 'salsa20' or 'rijndael-cbc'), | |
060ca767 | 262 | ('hash', 'sha256'), |
7858dfa0 | 263 | ('master-keygen-flags', '-l'), |
67bb121f | 264 | ('master-attrs', ''), |
060ca767 | 265 | ('mgf', '${hash}-mgf'), |
de8edc7f MW |
266 | ('mac', lambda: conf['bulk'] == 'naclbox' |
267 | and 'poly1305/128' | |
268 | or '%s-hmac/%d' % | |
269 | (conf['hash'], | |
270 | C.gchashes[conf['hash']].hashsz * 4)), | |
26936c83 MW |
271 | ('sig', lambda: {'dh': 'dsa', |
272 | 'ec': 'ecdsa', | |
273 | 'x25519': 'ed25519', | |
274 | 'x448': 'ed448'}[conf['kx']]), | |
060ca767 | 275 | ('sig-fresh', 'always'), |
276 | ('sig-genalg', lambda: {'kcdsa': 'dh', | |
277 | 'dsa': 'dsa', | |
278 | 'rsapkcs1': 'rsa', | |
279 | 'rsapss': 'rsa', | |
280 | 'ecdsa': 'ec', | |
06a174df MW |
281 | 'eckcdsa': 'ec', |
282 | 'ed25519': 'ed25519', | |
283 | 'ed448': 'ed448'}[conf['sig']]), | |
ca3aaaeb MW |
284 | ('sig-param', lambda: {'dh': '-LS -b3072 -B256', |
285 | 'dsa': '-b3072 -B256', | |
060ca767 | 286 | 'ec': '-Cnist-p256', |
06a174df MW |
287 | 'rsa': '-b3072', |
288 | 'ed25519': '', | |
289 | 'ed448': ''}[conf['sig-genalg']]), | |
060ca767 | 290 | ('sig-hash', '${hash}'), |
291 | ('sig-expire', 'forever'), | |
292 | ('fingerprint-hash', '${hash}')]: | |
293 | try: | |
294 | if k in conf: continue | |
295 | if type(v) == str: | |
296 | conf[k] = conf_subst(v) | |
297 | else: | |
298 | conf[k] = v() | |
299 | except KeyError, exc: | |
300 | if len(exc.args) == 0: raise | |
301 | conf[k] = '<missing-var %s>' % exc.args[0] | |
302 | ||
fd42a1e5 MW |
303 | ###-------------------------------------------------------------------------- |
304 | ### Key-management utilities. | |
305 | ||
306 | def master_keys(): | |
307 | """ | |
308 | Iterate over the master keys. | |
309 | """ | |
310 | if not OS.path.exists('master'): | |
311 | return | |
312 | for k in C.KeyFile('master').itervalues(): | |
313 | if (k.type != 'tripe-keys-master' or | |
314 | k.expiredp or | |
315 | not k.tag.startswith('master-')): | |
316 | continue #?? | |
317 | yield k | |
318 | ||
319 | def master_sequence(k): | |
320 | """ | |
321 | Return the sequence number of the given master key as an integer. | |
322 | ||
323 | No checking is done that K is really a master key. | |
324 | """ | |
325 | return int(k.tag[7:]) | |
326 | ||
327 | def max_master_sequence(): | |
328 | """ | |
329 | Find the master key with the highest sequence number and return this | |
330 | sequence number. | |
331 | """ | |
332 | seq = -1 | |
333 | for k in master_keys(): | |
334 | q = master_sequence(k) | |
335 | if q > seq: seq = q | |
336 | return seq | |
337 | ||
338 | def seqsubst(x, q): | |
339 | """ | |
340 | Return the value of the configuration variable X, with <SEQ> replaced by | |
341 | the value Q. | |
342 | """ | |
343 | return rx_seq.sub(str(q), conf[x]) | |
344 | ||
345 | ###-------------------------------------------------------------------------- | |
346 | ### Commands: help [COMMAND...] | |
060ca767 | 347 | |
348 | def version(fp = SYS.stdout): | |
349 | fp.write('%s, %s version %s\n' % (quis, PACKAGE, VERSION)) | |
350 | ||
351 | def usage(fp): | |
352 | fp.write('Usage: %s SUBCOMMAND [ARGS...]\n' % quis) | |
353 | ||
354 | def cmd_help(args): | |
355 | if len(args) == 0: | |
356 | version(SYS.stdout) | |
357 | ||
358 | usage(SYS.stdout) | |
359 | print """ | |
360 | Key management utility for TrIPE. | |
361 | ||
362 | Options supported: | |
363 | ||
e04c2d50 MW |
364 | -h, --help Show this help message. |
365 | -v, --version Show the version number. | |
366 | -u, --usage Show pointlessly short usage string. | |
060ca767 | 367 | |
368 | Subcommands available: | |
369 | """ | |
370 | args = commands.keys() | |
371 | args.sort() | |
372 | for c in args: | |
db76b51b MW |
373 | try: func, min, max, help = commands[c] |
374 | except KeyError: die("unknown command `%s'" % c) | |
375 | print '%s%s%s' % (c, help and ' ', help) | |
060ca767 | 376 | |
fd42a1e5 MW |
377 | ###-------------------------------------------------------------------------- |
378 | ### Commands: newmaster | |
c77687d5 | 379 | |
380 | def cmd_newmaster(args): | |
381 | seq = max_master_sequence() + 1 | |
060ca767 | 382 | run('''key -kmaster add |
383 | -a${sig-genalg} !${sig-param} | |
7858dfa0 | 384 | -e${sig-expire} !${master-keygen-flags} -tmaster-%d tripe-keys-master |
67bb121f | 385 | sig=${sig} hash=${sig-hash} !${master-attrs}''' % seq) |
c77687d5 | 386 | run('key -kmaster extract -f-secret repos/master.pub') |
060ca767 | 387 | |
fd42a1e5 MW |
388 | ###-------------------------------------------------------------------------- |
389 | ### Commands: setup | |
390 | ||
c77687d5 | 391 | def cmd_setup(args): |
392 | OS.mkdir('repos') | |
060ca767 | 393 | run('''key -krepos/param add |
256bc8d0 | 394 | -a${kx-param-genalg} !${kx-param} |
fc5f4823 | 395 | -eforever -tparam tripe-param |
67bb121f | 396 | kx-group=${kx} mgf=${mgf} mac=${mac} |
39bcd193 | 397 | bulk=${bulk} cipher=${cipher} hash=${hash} ${kx-attrs}''') |
c77687d5 | 398 | cmd_newmaster(args) |
060ca767 | 399 | |
fd42a1e5 MW |
400 | ###-------------------------------------------------------------------------- |
401 | ### Commands: upload | |
402 | ||
060ca767 | 403 | def cmd_upload(args): |
404 | ||
405 | ## Sanitize the repository directory | |
406 | umask = OS.umask(0); OS.umask(umask) | |
407 | mode = 0666 & ~umask | |
408 | for f in OS.listdir('repos'): | |
409 | ff = OS.path.join('repos', f) | |
c77687d5 | 410 | if (f.startswith('master') or f.startswith('peer-')) \ |
411 | and f.endswith('.old'): | |
060ca767 | 412 | OS.unlink(ff) |
413 | continue | |
c77687d5 | 414 | OS.chmod(ff, mode) |
415 | ||
416 | rmtree('tmp') | |
417 | OS.mkdir('tmp') | |
418 | OS.symlink('../repos', 'tmp/repos') | |
419 | cwd = OS.getcwd() | |
420 | try: | |
421 | ||
422 | ## Build the configuration file | |
423 | seq = max_master_sequence() | |
424 | v = {'MASTER-SEQUENCE': str(seq), | |
425 | 'HK-MASTER': hexhyphens(fingerprint('repos/master.pub', | |
426 | 'master-%d' % seq))} | |
427 | fin = file('tripe-keys.master') | |
428 | fout = file('tmp/tripe-keys.conf', 'w') | |
429 | for line in fin: | |
430 | fout.write(subst(line, rx_atsubst, v)) | |
431 | fin.close(); fout.close() | |
432 | SH.copyfile('tmp/tripe-keys.conf', conf_subst('${conf-file}.new')) | |
433 | commit = [conf['repos-file'], conf['conf-file']] | |
434 | ||
435 | ## Make and sign the repository archive | |
436 | OS.chdir('tmp') | |
437 | run('tar chozf ${repos-file}.new .') | |
438 | OS.chdir(cwd) | |
439 | for k in master_keys(): | |
440 | seq = master_sequence(k) | |
441 | sigfile = seqsubst('sig-file', seq) | |
442 | run('''catsign -kmaster sign -abdC -kmaster-%d | |
443 | -o%s.new ${repos-file}.new''' % (seq, sigfile)) | |
444 | commit.append(sigfile) | |
445 | ||
446 | ## Commit the changes | |
447 | for base in commit: | |
448 | new = '%s.new' % base | |
449 | OS.rename(new, base) | |
838e5ce7 MW |
450 | |
451 | ## Remove files in the base-dir which don't correspond to ones we just | |
452 | ## committed | |
453 | allow = {} | |
454 | basedir = conf['base-dir'] | |
455 | bdl = len(basedir) | |
456 | for base in commit: | |
457 | if base.startswith(basedir): allow[base[bdl:]] = 1 | |
458 | for found in OS.listdir(basedir): | |
459 | if found not in allow: OS.remove(OS.path.join(basedir, found)) | |
c77687d5 | 460 | finally: |
461 | OS.chdir(cwd) | |
e04c2d50 | 462 | rmtree('tmp') |
b14ccd2f | 463 | run('sh -c ${upload-hook}') |
060ca767 | 464 | |
fd42a1e5 MW |
465 | ###-------------------------------------------------------------------------- |
466 | ### Commands: rebuild | |
467 | ||
468 | def cmd_rebuild(args): | |
469 | zap('keyring.pub') | |
470 | for i in OS.listdir('repos'): | |
471 | if i.startswith('peer-') and i.endswith('.pub'): | |
472 | run('key -kkeyring.pub merge %s' % OS.path.join('repos', i)) | |
473 | ||
474 | ###-------------------------------------------------------------------------- | |
475 | ### Commands: update | |
476 | ||
060ca767 | 477 | def cmd_update(args): |
478 | cwd = OS.getcwd() | |
479 | rmtree('tmp') | |
480 | try: | |
481 | ||
482 | ## Fetch a new distribution | |
483 | OS.mkdir('tmp') | |
484 | OS.chdir('tmp') | |
c77687d5 | 485 | seq = int(conf['master-sequence']) |
162fcf48 MW |
486 | run('curl -s -o tripe-keys.tar.gz ${repos-url}') |
487 | run('curl -s -o tripe-keys.sig %s' % seqsubst('sig-url', seq)) | |
060ca767 | 488 | run('tar xfz tripe-keys.tar.gz') |
489 | ||
490 | ## Verify the signature | |
c77687d5 | 491 | want = C.bytes(rx_nonalpha.sub('', conf['hk-master'])) |
492 | got = fingerprint('repos/master.pub', 'master-%d' % seq) | |
060ca767 | 493 | if want != got: raise VerifyError |
c77687d5 | 494 | run('''catsign -krepos/master.pub verify -avC -kmaster-%d |
495 | -t${sig-fresh} tripe-keys.sig tripe-keys.tar.gz''' % seq) | |
060ca767 | 496 | |
497 | ## OK: update our copy | |
498 | OS.chdir(cwd) | |
499 | if OS.path.exists('repos'): OS.rename('repos', 'repos.old') | |
500 | OS.rename('tmp/repos', 'repos') | |
f56dbbc4 | 501 | if not FC.cmp('tmp/tripe-keys.conf', 'tripe-keys.conf', False): |
c77687d5 | 502 | moan('configuration file changed: recommend running another update') |
503 | OS.rename('tmp/tripe-keys.conf', 'tripe-keys.conf') | |
060ca767 | 504 | rmtree('repos.old') |
505 | ||
506 | finally: | |
507 | OS.chdir(cwd) | |
508 | rmtree('tmp') | |
509 | cmd_rebuild(args) | |
510 | ||
fd42a1e5 MW |
511 | ###-------------------------------------------------------------------------- |
512 | ### Commands: generate TAG | |
060ca767 | 513 | |
514 | def cmd_generate(args): | |
515 | tag, = args | |
516 | keyring_pub = 'peer-%s.pub' % tag | |
517 | zap('keyring'); zap(keyring_pub) | |
518 | run('key -kkeyring merge repos/param') | |
256bc8d0 | 519 | run('key -kkeyring add -a${kx-genalg} -pparam -e${kx-expire} -t%s tripe' % |
c77687d5 | 520 | tag) |
ca6eb20c | 521 | run('key -kkeyring extract -f-secret %s %s' % (keyring_pub, tag)) |
060ca767 | 522 | |
fd42a1e5 MW |
523 | ###-------------------------------------------------------------------------- |
524 | ### Commands: clean | |
525 | ||
060ca767 | 526 | def cmd_clean(args): |
527 | rmtree('repos') | |
528 | rmtree('tmp') | |
c77687d5 | 529 | for i in OS.listdir('.'): |
530 | r = i | |
531 | if r.endswith('.old'): r = r[:-4] | |
532 | if (r == 'master' or r == 'param' or | |
533 | r == 'keyring' or r == 'keyring.pub' or r.startswith('peer-')): | |
534 | zap(i) | |
060ca767 | 535 | |
fd42a1e5 | 536 | ###-------------------------------------------------------------------------- |
c2f28e4b MW |
537 | ### Commands: check |
538 | ||
24285984 | 539 | def check_key(k): |
c2f28e4b MW |
540 | now = T.time() |
541 | thresh = int(conf['kx-warn-days']) * 86400 | |
24285984 MW |
542 | if k.exptime == C.KEXP_FOREVER: return None |
543 | elif k.exptime == C.KEXP_EXPIRE: left = -1 | |
544 | else: left = k.exptime - now | |
545 | if left < 0: | |
546 | return "key `%s' HAS EXPIRED" % k.tag | |
547 | elif left < thresh: | |
548 | if left >= 86400: n, u, uu = left // 86400, 'day', 'days' | |
549 | else: n, u, uu = left // 3600, 'hour', 'hours' | |
550 | return "key `%s' EXPIRES in %d %s" % (k.tag, n, n == 1 and u or uu) | |
551 | else: | |
552 | return None | |
553 | ||
554 | def cmd_check(args): | |
555 | if OS.path.exists('keyring.pub'): | |
556 | for k in C.KeyFile('keyring.pub').itervalues(): | |
557 | whinge = check_key(k) | |
558 | if whinge is not None: print whinge | |
559 | if OS.path.exists('master'): | |
560 | whinges = [] | |
561 | for k in C.KeyFile('master').itervalues(): | |
562 | whinge = check_key(k) | |
563 | if whinge is None: break | |
564 | whinges.append(whinge) | |
565 | else: | |
566 | for whinge in whinges: print whinge | |
c2f28e4b MW |
567 | |
568 | ###-------------------------------------------------------------------------- | |
65faf8df MW |
569 | ### Commands: mtu |
570 | ||
39bcd193 MW |
571 | def mac_tagsz(): |
572 | macname = conf['mac'] | |
573 | index = macname.rindex('/') | |
574 | if index == -1: tagsz = C.gcmacs[macname].tagsz | |
575 | else: tagsz = int(macname[index + 1:])/8 | |
576 | return tagsz | |
577 | ||
65faf8df MW |
578 | def cmd_mtu(args): |
579 | mtu, = (lambda mtu = '1500': (mtu,))(*args) | |
580 | mtu = int(mtu) | |
581 | ||
65faf8df MW |
582 | mtu -= 20 # Minimum IP header |
583 | mtu -= 8 # UDP header | |
584 | mtu -= 1 # TrIPE packet type octet | |
39bcd193 MW |
585 | |
586 | bulk = conf['bulk'] | |
587 | ||
588 | if bulk == 'v0': | |
589 | blksz = C.gcciphers[conf['cipher']].blksz | |
590 | mtu -= mac_tagsz() # MAC tag | |
591 | mtu -= 4 # Sequence number | |
592 | mtu -= blksz # Initialization vector | |
593 | ||
594 | elif bulk == 'iiv': | |
595 | mtu -= mac_tagsz() # MAC tag | |
596 | mtu -= 4 # Sequence number | |
597 | ||
de8edc7f MW |
598 | elif bulk == 'naclbox': |
599 | mtu -= 16 # MAC tag | |
600 | mtu -= 4 # Sequence number | |
601 | ||
39bcd193 MW |
602 | else: |
603 | die("Unknown bulk transform `%s'" % bulk) | |
65faf8df MW |
604 | |
605 | print mtu | |
606 | ||
607 | ###-------------------------------------------------------------------------- | |
fd42a1e5 | 608 | ### Main driver. |
060ca767 | 609 | |
060ca767 | 610 | commands = {'help': (cmd_help, 0, 1, ''), |
c77687d5 | 611 | 'newmaster': (cmd_newmaster, 0, 0, ''), |
060ca767 | 612 | 'setup': (cmd_setup, 0, 0, ''), |
613 | 'upload': (cmd_upload, 0, 0, ''), | |
614 | 'update': (cmd_update, 0, 0, ''), | |
615 | 'clean': (cmd_clean, 0, 0, ''), | |
65faf8df | 616 | 'mtu': (cmd_mtu, 0, 1, '[PATH-MTU]'), |
c2f28e4b | 617 | 'check': (cmd_check, 0, 0, ''), |
060ca767 | 618 | 'generate': (cmd_generate, 1, 1, 'TAG'), |
619 | 'rebuild': (cmd_rebuild, 0, 0, '')} | |
620 | ||
621 | def init(): | |
fd42a1e5 MW |
622 | """ |
623 | Load the appropriate configuration file and set up the configuration | |
624 | dictionary. | |
625 | """ | |
060ca767 | 626 | for f in ['tripe-keys.master', 'tripe-keys.conf']: |
627 | if OS.path.exists(f): | |
628 | conf_read(f) | |
629 | break | |
630 | conf_defaults() | |
fd42a1e5 | 631 | |
060ca767 | 632 | def main(argv): |
fd42a1e5 MW |
633 | """ |
634 | Main program: parse options and dispatch to appropriate command handler. | |
635 | """ | |
060ca767 | 636 | try: |
637 | opts, args = O.getopt(argv[1:], 'hvu', | |
638 | ['help', 'version', 'usage']) | |
639 | except O.GetoptError, exc: | |
640 | moan(exc) | |
641 | usage(SYS.stderr) | |
642 | SYS.exit(1) | |
643 | for o, v in opts: | |
644 | if o in ('-h', '--help'): | |
645 | cmd_help([]) | |
646 | SYS.exit(0) | |
647 | elif o in ('-v', '--version'): | |
648 | version(SYS.stdout) | |
649 | SYS.exit(0) | |
650 | elif o in ('-u', '--usage'): | |
651 | usage(SYS.stdout) | |
652 | SYS.exit(0) | |
653 | if len(argv) < 2: | |
654 | cmd_help([]) | |
655 | else: | |
656 | c = argv[1] | |
db76b51b MW |
657 | try: func, min, max, help = commands[c] |
658 | except KeyError: die("unknown command `%s'" % c) | |
060ca767 | 659 | args = argv[2:] |
db76b51b MW |
660 | if len(args) < min or (max is not None and len(args) > max): |
661 | SYS.stderr.write('Usage: %s %s%s%s\n' % (quis, c, help and ' ', help)) | |
662 | SYS.exit(1) | |
060ca767 | 663 | func(args) |
664 | ||
fd42a1e5 MW |
665 | ###----- That's all, folks -------------------------------------------------- |
666 | ||
667 | if __name__ == '__main__': | |
668 | init() | |
669 | main(SYS.argv) |