Merge pull request #149 from usableprivacy/v2.1

roles/arp/files/apate/lib/apate_redis.py

@@ -267,13 +267,14 @@ def check_device_disabled(self, mac):
         """
         # True if devices is disabled
         # return self.redis.get(self._get_device_name(mac, network or self.network, enabled=False)) is not None
-        return self.redis.sismember(self.get_excluded_key(), mac)
+        return self.redis.sismember(self.get_excluded_key(), str(mac).lower())
 
     def _toggle_device(self, mac, ip, network, enabled):
         # add new device first and delete old device afterwards
         # this is done to avoid race conditions
         # self.add_device(mac, self.get_device_ip(mac, network, enabled=not enabled), network, enabled=enabled, force=True)
         # self.remove_device(mac, network, enabled=not enabled)
+        mac = str(mac).lower()
         if not enabled:
             self.redis.sadd(self.get_excluded_key(), mac)
         else:

roles/arp/files/apate/lib/daemon_app.py

@@ -255,7 +255,7 @@ def __init__(self, logger, interface, pidfile, stdout, stderr, dns_file):
 
     def exit(self, signal_number, stack_frame):
         """This method is called from the python-daemon when the daemon is stopping.
-        Threads are stopped and clients are despoofed via _return_to_normal().
+        Processes are stopped and clients are despoofed via the processes _return_to_normal().
         """
         if self.processv4:
             self.processv4.shutdown()
@@ -282,7 +282,7 @@ def run(self):
 
         # a child-process object has to be created in the same parent process as the process that wants to start the child
         # __init__ is called inside the initial process, whereas run() is called inside the newly created deamon process
-        # therefore create the process here
+        # therefore create the processes here
         if self.ipv4:
             self.processv4 = SelectiveIPv4Process(self.logger, self.interface, self.ipv4)
             self.processv4.start()

roles/arp/files/apate/lib/daemon_process.py

@@ -148,10 +148,7 @@ def __init__(self, logger, interface, ipv6):
         Args:
             logger (logging.Logger): Used for logging messages.
             interface (str): The network interface which should be used. (e.g. eth0)
-            pidfile (str): Path of the pidfile, used by the daemon.
-            stdout (str): Path of stdout, used by the daemon.
-            stderr (str): Path of stderr, used by the daemon.
-            dns_file (str): Path of file containing the nameservers.
+            ipv6 (collection.namedtuple): collection of network information
 
         Raises:
             DaemonError: Signalises the failure of the daemon.
@@ -182,18 +179,16 @@ def __init__(self, logger, interface, ipv6):
 
     def _return_to_normal(self):
         """This method is called when the daemon is stopping.
-        First, sends a GARP broadcast request to all clients to tell them the real gateway.
-        Then ARP replies for existing clients are sent to the gateway.
-        If IPv6 is enabled, Apate tells the clients the real gateway via neighbor advertisements.
+        Apate tells the clients the real gateway via neighbor advertisements.
         """
-        # spoof clients with GARP broadcast request
+        # spoof clients with nd advertisements
         with self.sleeper:
             # check if the impersonation of the DNS server is necessary
             tgt = (self.ipv6.gateway, self.ipv6.dns_servers[0]) if util.is_spoof_dns(self.ipv6) else (self.ipv6.gateway,)
 
             for source in tgt:
                 sendp(Ether(dst=ETHER_BROADCAST) / IPv6(src=source, dst=MulticastPingDiscoveryThread._MULTICAST_DEST) /
-                      ICMPv6ND_NA(tgt=source, R=0, S=0) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.gate_mac))
+                      ICMPv6ND_NA(tgt=source, R=1, S=0, O=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.gate_mac))
 
     def shutdown(self):
         self.exit.set()
@@ -228,7 +223,7 @@ def run(self):
 
                 for source in tgt:
                     packets.extend([Ether(dst=dev[1]) / IPv6(src=source, dst=dev[0]) /
-                                    ICMPv6ND_NA(tgt=source, R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.mac)
+                                    ICMPv6ND_NA(tgt=source, R=1, S=1, O=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.mac)
                                     for dev in self.ipv6.redis.get_devices_values(filter_values=True)])
 
                 sendp(packets)
@@ -257,7 +252,7 @@ def spoof_devices(ip, devs, logger):
             for source in tgt:
                 if not ip.redis.check_device_disabled(util.get_device_mac(entry)):
                     sendp([Ether(dst=dev_hw) / IPv6(src=source, dst=dev_ip) /
-                           ICMPv6ND_NA(tgt=source, R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.mac)])
+                           ICMPv6ND_NA(tgt=source, R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.mac)])
                 else:
                     sendp([Ether(dst=dev_hw) / IPv6(src=source, dst=dev_ip) /
-                           ICMPv6ND_NA(tgt=source, R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.gate_mac)])
+                           ICMPv6ND_NA(tgt=source, R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.gate_mac)])

roles/arp/files/apate/lib/misc_thread.py

@@ -122,6 +122,7 @@ class PubSubThread(threading.Thread):
     __SUBSCRIBE_TO = "__keyevent@{}__:expired"
     """Used to subscribe to the keyspace event expired."""
     __SUBSCRIBE_TOO = "__keyspace@{}__:{}"
+    """Used to subscribe to the keyspace event creation for a specific key."""
 
     def __init__(self, ip, logger, handler):
         """Initialises the thread.

roles/arp/files/apate/lib/sniff_thread.py

@@ -280,7 +280,7 @@ def _packet_handler(self, pkt):
             self.logger.exception(e)
 
     def _icmpv6_handler(self, pkt):
-        """"This method is called for each ICMPv6 echo reply packet or multicast listener report packet
+        """This method is called for each ICMPv6 echo reply packet or multicast listener report packet
         received through scapy's sniff function.
         Incoming packets are used to spoof involved devices and add new devices
         to the redis db.
@@ -293,7 +293,7 @@ def _icmpv6_handler(self, pkt):
         # impersonate gateway
         if not self.ip.redis.check_device_disabled(pkt[Ether].src):
             sendp(
-                Ether(dst=pkt[Ether].src) / IPv6(src=self.ip.gateway, dst=pkt[IPv6].src) / ICMPv6ND_NA(tgt=self.ip.gateway, R=0, S=1) /
+                Ether(dst=pkt[Ether].src) / IPv6(src=self.ip.gateway, dst=pkt[IPv6].src) / ICMPv6ND_NA(tgt=self.ip.gateway, R=1, S=1) /
                 ICMPv6NDOptDstLLAddr(lladdr=self.ip.mac)
             )
 
@@ -302,5 +302,5 @@ def _icmpv6_handler(self, pkt):
             if not self.ip.redis.check_device_disabled(pkt[Ether].src):
                 sendp(
                     Ether(dst=pkt[Ether].src) / IPv6(src=self.ip.dns_servers[0], dst=pkt[IPv6].src) /
-                    ICMPv6ND_NA(tgt=self.ip.dns_servers[0], R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ip.mac)
+                    ICMPv6ND_NA(tgt=self.ip.dns_servers[0], R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ip.mac)
                 )

roles/arp/files/apate/requirements.txt

@@ -3,5 +3,5 @@ netaddr==0.7.19
 netifaces==0.10.5
 python-daemon==2.1.2
 redis==2.10.5
-scapy==2.3.3
+scapy==2.4.3
 dnspython==1.15.0

roles/common/tasks/main.yml

@@ -21,6 +21,10 @@
   file: path=/var/log/log state=directory owner=root group=tmp-logger mode=0771
   when: env == "development"
 
+- name: try to disable swapfile
+  service: name=dphys-swapfile state=stopped enabled=no
+  ignore_errors: yes
+
 - name: create tmpfs for logging
   lineinfile:
     dest: /etc/fstab

roles/common/templates/logrotate_rsyslog

@@ -3,11 +3,12 @@
     su root tmp-logger
 	rotate 0
 	daily
-    maxsize 10M
+    maxsize 5M
 	missingok
 	notifempty
 	postrotate
-		invoke-rc.d rsyslog rotate > /dev/null
+		service rsyslog rotate > /dev/null
+		service rsyslog restart > /dev/null
 	endscript
 }
 
@@ -32,6 +33,7 @@
     maxsize 10M
 	sharedscripts
 	postrotate
-		invoke-rc.d rsyslog rotate > /dev/null
+		service rsyslog rotate > /dev/null
+		service rsyslog restart > /dev/null
 	endscript
 }

roles/fingerprinting/files/registrar/lib/misc_thread.py

@@ -63,8 +63,10 @@ def run(self):
                         if devices:
                             ans, unans = arping(devices, iface=None, verbose=0)
                             for device in ans:
-                                if check_preconditions(device[1][ARP].psrc, device[1][ARP].hwsrc):
-                                    insert_or_update_fingerprint(self.conn, ip=device[1][ARP].psrc, mac=device[1][ARP].hwsrc)
+                                ip_addr = device[1][ARP].psrc
+                                mac_addr = str(device[1][ARP].hwsrc).lower()
+                                if check_preconditions(ip_addr, mac_addr):
+                                    insert_or_update_fingerprint(self.conn, ip=ip_addr, mac=mac_addr)
 
                         self.logger.info("checked no mode devices: " + str(devices))
 

roles/fingerprinting/files/registrar/requirements.txt

@@ -1,5 +1,5 @@
 python-daemon==2.1.2
-scapy==2.3.3
+scapy==2.4.3
 netaddr==0.7.19
 http-parser==0.8.3
 xmltodict==0.11.0

roles/nginx/templates/sites-available/upri_interface

@@ -14,8 +14,8 @@ server {
     # the port your site will be served on
     listen 80;
     listen [::]:80;
-    listen 4300 ssl;
-    listen [::]:4300 ssl;
+    listen 4300 ssl http2;
+    listen [::]:4300 ssl http2;
     ssl_certificate     /etc/ssl/certs/interfaceCert.pem;
     ssl_certificate_key /etc/ssl/private/interfaceKey.pem;
     ssl_protocols TLSv1.2;
@@ -33,6 +33,11 @@ server {
     error_log {{default_settings.log.general.path}}/{{default_settings.log.nginx.logfiles.interface_error}} error;
 
     location /static {
+        gzip on;
+        gzip_vary on;
+        gzip_min_length 10240;
+        gzip_types text/plain text/css text/javascript application/javascript;
+        gzip_disable "MSIE [1-6]\.";
         alias /usr/local/static/upribox_interface/; # your Django project's static files - amend as required
     }
 

roles/privoxy/tasks/main.yml

@@ -58,5 +58,5 @@
   file: path={{other_env.default_settings.log.general.path}}/{{other_env.default_settings.log.privoxy.subdir}} state=absent
   when: res|changed
 
-- name: modify logrotate.d entry
-  file: path=/etc/logrotate.d/privoxy state=absent
+- name: create logrotate.d entry
+  template: src=privoxy-logrotate.j2 dest=/etc/logrotate.d/privoxy

roles/privoxy/templates/privoxy-logrotate.j2

@@ -0,0 +1,13 @@
+{{default_settings.log.general.path}}/{{default_settings.log.privoxy.subdir}}/{{ default_settings.log.privoxy.logfiles.logname }}
+{
+  su root tmp-logger
+  rotate 0
+  daily
+  missingok
+  notifempty
+  maxsize 10M
+  sharedscripts
+  postrotate
+        /etc/init.d/privoxy restart > /dev/null
+  endscript
+}

roles/squid/templates/conf

@@ -53,7 +53,7 @@ http_port 3128 intercept
 #
 cache_peer 127.0.0.1 parent 8118 0 no-query default no-digest no-netdb-exchange
 cache_peer ::1 parent 8119 0 no-query default no-digest no-netdb-exchange
-cache_mem 128 MB
+cache_mem 64 MB
 
 logformat useragent_short %>eui;|;%>a;|;%"{User-Agent}>h;|;%ts.%tu
 access_log daemon:{{ default_settings.log.general.path }}/{{ default_settings.log.squid.subdir }}/{{ default_settings.log.squid.logfiles.logname }} useragent_short

roles/upri_config/files/upri-config/requirements.txt

@@ -4,6 +4,6 @@ redis==2.10.5
 netifaces==0.10.5
 netaddr==0.7.19
 argcomplete==1.8.2
-scapy==2.3.3
+scapy==2.4.3
 requests[security]==2.20.0
 miniupnpc==1.9

roles/vpn/tasks/main.yml

@@ -136,6 +136,9 @@
     - restart openvpn
     - restart openvpn-su
 
+- name: deploy Server Certificate renewal cronjob
+  template: src=server-cert-renewal.sh dest=/etc/cron.weekly/openvpn-server-cert owner=root group=root mode=0755
+
 - name: deleting unused files
   file: path={{item}} state=absent
   with_items:

roles/vpn/templates/server-cert-renewal.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+days=60
+
+#Test if certificate expires in the next 60 days
+/usr/bin/openssl x509 -checkend $(($days * 24 * 3600)) -in /etc/openvpn/ca/serverCert.pem
+
+if [ $? -eq 1 ]
+then
+  openssl ca -in /etc/openvpn/ca/serverReq.pem -days 730 -batch -out /etc/openvpn/ca/serverCert.pem -notext -cert /etc/openvpn/ca/caCert.pem -keyfile /etc/openvpn/ca/caKey.pem
+  service openvpn-su restart
+fi

upribox_interface/www/templates/base.html

@@ -99,7 +99,7 @@ <h1>
 		<!--<script type="text/javascript" src="{% static "js/vendor/chartist.min.js" %}"></script>
 		<script type="text/javascript" src="{% static "js/vendor/chartist-plugin-fill-donut.min.js" %}"></script>-->
 
-		<script type="text/javascript" src="{% static "js/vendor/plotly_customized.js" %}"></script>
+		<script async type="text/javascript" src="{% static "js/vendor/plotly_customized.js" %}"></script>
 		<!--
             there are two things customized in ploty.js.
              For this two changes, three (very small) parts in the code have been added and one line has been slightly changed.
@@ -112,7 +112,7 @@ <h1>
 		<script type="text/javascript" src="{% static "js/vendor/zxcvbn.js" %}"></script>
 
         <script type="text/javascript" src="{% static "js/vendor/js-cookie-2.0.2.js" %}"></script>
-        <script type="text/javascript" src="{% static "js/vendor/qrcode.min.js" %}"></script>
+        <script async type="text/javascript" src="{% static "js/vendor/qrcode.min.js" %}"></script>
 
         {% block mainjs %}
 		      <script type="text/javascript" src="{% static "js/main.js" %}"></script>