Forget peers whose certificate expires

648e6774 · Julien Muchembled · a7a86341 · 648e6774 · 648e6774 · 648e6774
Commit 648e6774 authored Feb 17, 2015 by Julien Muchembled
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 19 deletions

re6st/tunnel.py re6st/tunnel.py +32 -10

re6st/utils.py re6st/utils.py +3 -0

re6st/x509.py re6st/x509.py +1 -0

re6stnet re6stnet +4 -9

No files found.
--- a/re6st/tunnel.py
+++ b/re6st/tunnel.py
@@ -164,7 +164,7 @@ class BaseTunnelManager(object):
    _forward = None
-    def __init__(self, peer_db, cert, address=()):
+    def __init__(self, peer_db, cert, cert_renew, address=()):
        self.cert = cert
        self._network = cert.network
        self._prefix = cert.prefix
@@ -185,11 +185,28 @@ class BaseTunnelManager(object):
        # about binding and anycast.
        self.sock.bind(('::', PORT))
-        # Initialize with a dummy peer (self) so that '_peers' is never empty.
+        p = x509.Peer(self._prefix)
-        self._peers = [x509.Peer(self._prefix)]
+        self._next_invalidated = p.stop_date = cert_renew
+        self._peers = [p]
    def select(self, r, w, t):
        r[self.sock] = self.handlePeerEvent
+        t.append((self._next_invalidated, self.invalidatePeers))
+    def invalidatePeers(self):
+        next = float('inf')
+        now = time.time()
+        remove = []
+        for i, peer in enumerate(self._peers):
+            if peer.stop_date < now:
+                if peer.prefix == self._prefix:
+                    raise utils.ReexecException("Restart to renew certificate")
+                remove.append(i)
+            elif peer.stop_date < next:
+                next = peer.stop_date
+        for i in reversed(remove):
+            del self._peers[i]
+        self._next_invalidated = next
    def sendto(self, prefix, msg):
        to = utils.ipFromBin(self._network + prefix), PORT
@@ -266,9 +283,10 @@ class BaseTunnelManager(object):
            try:
                cert = self.cert.loadVerify(msg,
                    True, crypto.FILETYPE_ASN1)
-            except x509.VerifyError, e:
+                stop_date = x509.notAfter(cert)
+            except (x509.VerifyError, ValueError), e:
                logging.debug('ignored invalid certificate from %r (%s)',
-                              address, e.args[2])
+                              address, e.args[-1])
                return
            p = utils.binFromSubnet(x509.subnetFromCert(cert))
            if p != peer.prefix:
@@ -279,6 +297,9 @@ class BaseTunnelManager(object):
                peer = x509.Peer(p)
                insort(self._peers, peer)
            peer.cert = cert
+            peer.stop_date = stop_date
+            if stop_date < self._next_invalidated:
+                self._next_invalidated = stop_date
            if seqno:
                self._sendto(to, peer.hello(self.cert))
            else:
@@ -335,10 +356,11 @@ class BaseTunnelManager(object):
 class TunnelManager(BaseTunnelManager):
-    def __init__(self, control_socket, peer_db, cert, openvpn_args, timeout,
+    def __init__(self, control_socket, peer_db, cert, cert_renew, openvpn_args,
-                 refresh, client_count, iface_list, address, ip_changed,
+                 timeout, refresh, client_count, iface_list, address,
-                 encrypt, remote_gateway, disable_proto, neighbour_list=()):
+                 ip_changed, encrypt, remote_gateway, disable_proto,
-        super(TunnelManager, self).__init__(peer_db, cert, address)
+                 neighbour_list=()):
+        super(TunnelManager, self).__init__(peer_db, cert, cert_renew, address)
        self.ctl = ctl.Babel(control_socket, weakref.proxy(self), self._network)
        self.encrypt = encrypt
        self.ovpn_args = openvpn_args
@@ -403,8 +425,8 @@ class TunnelManager(BaseTunnelManager):
        del self._iface_to_prefix[iface]
    def select(self, r, w, t):
+        super(TunnelManager, self).select(r, w, t)
        r[self._read_pipe] = self.handleTunnelEvent
-        r[self.sock] = self.handlePeerEvent
        if self._next_refresh:
            t.append((self._next_refresh, self.refresh))
        self.ctl.select(r, w, t)

--- a/re6st/utils.py
+++ b/re6st/utils.py
@@ -3,6 +3,9 @@ import socket, struct, subprocess, sys, textwrap, threading, time, traceback
 HMAC_LEN = len(hashlib.sha1('').digest())
+class ReexecException(Exception):
+    pass
 try:
    subprocess.CalledProcessError(0, '', '')
 except TypeError: # BBB: Python < 2.7

--- a/re6st/x509.py
+++ b/re6st/x509.py
@@ -173,6 +173,7 @@ class Peer(object):
    """
    _hello = _last = 0
    _key = newHmacSecret()
+    stop_date = float('inf')
    def __init__(self, prefix):
        assert len(prefix) == 16 or prefix == ('0' * 14 + '1' + '0' * 65), prefix

--- a/re6stnet
+++ b/re6stnet
@@ -3,10 +3,7 @@ import atexit, errno, logging, os, signal, socket
 import sqlite3, subprocess, sys, time, threading
 from collections import deque
 from re6st import ctl, db, plib, tunnel, utils, version, x509
-from re6st.utils import exit
+from re6st.utils import exit, ReexecException
-class ReexecException(Exception):
-    pass
 def getConfig():
    parser = utils.ArgParser(fromfile_prefix_chars='@',
@@ -260,7 +257,7 @@ def main():
        cleanup = [lambda: peer_db.cacheMinimize(config.client_count)]
        if config.client_count and not config.client:
            tunnel_manager = tunnel.TunnelManager(config.control_socket,
-                peer_db, cert, config.openvpn_args, timeout,
+                peer_db, cert, next_renew, config.openvpn_args, timeout,
                config.tunnel_refresh, config.client_count, config.iface_list,
                address, ip_changed, config.encrypt, remote_gateway,
                config.disable_proto, config.neighbour)
@@ -268,7 +265,7 @@ def main():
            write_pipe = tunnel_manager.write_pipe
        else:
            write_pipe = None
-            tunnel_manager = tunnel.BaseTunnelManager(peer_db, cert)
+            tunnel_manager = tunnel.BaseTunnelManager(peer_db, cert, next_renew)
        cleanup.append(tunnel_manager.sock.close)
        try:
@@ -380,12 +377,10 @@ def main():
            # main loop
            exit.release()
-            def renew():
-                raise ReexecException("Restart to renew certificate")
            select_list = [forwarder.select] if forwarder else []
            select_list += tunnel_manager.select, utils.select
            while True:
-                args = {}, {}, [(next_renew, renew)]
+                args = {}, {}, []
                for s in select_list:
                    s(*args)
        finally: