2015-06-18 20:31:33 +02:00
|
|
|
import sys
|
|
|
|
import logging
|
|
|
|
import os
|
|
|
|
import ssl
|
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol
2016-01-05 00:20:52 +01:00
|
|
|
import hashlib
|
2015-06-18 20:31:33 +02:00
|
|
|
|
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance
2015-06-10 00:29:30 +02:00
|
|
|
from Config import config
|
|
|
|
from util import SslPatch
|
2015-09-27 02:08:53 +02:00
|
|
|
from util import helper
|
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance
2015-06-10 00:29:30 +02:00
|
|
|
|
2015-06-18 20:31:33 +02:00
|
|
|
|
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance
2015-06-10 00:29:30 +02:00
|
|
|
class CryptConnectionManager:
|
2015-07-12 20:36:46 +02:00
|
|
|
def __init__(self):
|
|
|
|
# OpenSSL params
|
|
|
|
if sys.platform.startswith("win"):
|
|
|
|
self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"
|
|
|
|
else:
|
|
|
|
self.openssl_bin = "openssl"
|
|
|
|
self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}
|
|
|
|
|
|
|
|
self.crypt_supported = [] # Supported cryptos
|
|
|
|
|
|
|
|
# Select crypt that supported by both sides
|
|
|
|
# Return: Name of the crypto
|
|
|
|
def selectCrypt(self, client_supported):
|
|
|
|
for crypt in self.crypt_supported:
|
|
|
|
if crypt in client_supported:
|
|
|
|
return crypt
|
|
|
|
return False
|
|
|
|
|
|
|
|
# Wrap socket for crypt
|
|
|
|
# Return: wrapped socket
|
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol
2016-01-05 00:20:52 +01:00
|
|
|
def wrapSocket(self, sock, crypt, server=False, cert_pin=None):
|
2015-07-12 20:36:46 +02:00
|
|
|
if crypt == "tls-rsa":
|
|
|
|
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"
|
|
|
|
ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
|
|
|
|
if server:
|
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol
2016-01-05 00:20:52 +01:00
|
|
|
sock_wrapped = ssl.wrap_socket(
|
2015-07-12 20:36:46 +02:00
|
|
|
sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,
|
|
|
|
certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)
|
|
|
|
else:
|
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol
2016-01-05 00:20:52 +01:00
|
|
|
sock_wrapped = ssl.wrap_socket(sock, ciphers=ciphers)
|
|
|
|
if cert_pin:
|
|
|
|
cert_hash = hashlib.sha256(sock_wrapped.getpeercert(True)).hexdigest()
|
|
|
|
assert cert_hash == cert_pin, "Socket certificate does not match (%s != %s)" % (cert_hash, cert_pin)
|
|
|
|
return sock_wrapped
|
2015-07-12 20:36:46 +02:00
|
|
|
else:
|
|
|
|
return sock
|
|
|
|
|
|
|
|
def removeCerts(self):
|
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol
2016-01-05 00:20:52 +01:00
|
|
|
if config.keep_ssl_cert:
|
|
|
|
return False
|
2015-07-12 20:36:46 +02:00
|
|
|
for file_name in ["cert-rsa.pem", "key-rsa.pem"]:
|
|
|
|
file_path = "%s/%s" % (config.data_dir, file_name)
|
|
|
|
if os.path.isfile(file_path):
|
|
|
|
os.unlink(file_path)
|
|
|
|
|
|
|
|
# Load and create cert files is necessary
|
|
|
|
def loadCerts(self):
|
|
|
|
if config.disable_encryption:
|
|
|
|
return False
|
|
|
|
|
2015-09-24 22:08:08 +02:00
|
|
|
if self.createSslRsaCert():
|
2015-07-12 20:36:46 +02:00
|
|
|
self.crypt_supported.append("tls-rsa")
|
|
|
|
|
|
|
|
# Try to create RSA server cert + sign for connection encryption
|
|
|
|
# Return: True on success
|
2015-09-24 22:08:08 +02:00
|
|
|
def createSslRsaCert(self):
|
2015-07-12 20:36:46 +02:00
|
|
|
if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
|
|
|
|
return True # Files already exits
|
|
|
|
|
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol
2016-01-05 00:20:52 +01:00
|
|
|
import subprocess
|
2015-09-06 17:41:12 +02:00
|
|
|
proc = subprocess.Popen(
|
2015-09-27 02:08:53 +02:00
|
|
|
"%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % helper.shellquote(
|
2015-09-21 20:09:32 +02:00
|
|
|
self.openssl_bin,
|
|
|
|
config.data_dir+"/key-rsa.pem",
|
|
|
|
config.data_dir+"/cert-rsa.pem",
|
|
|
|
self.openssl_env["OPENSSL_CONF"]
|
2015-07-12 20:36:46 +02:00
|
|
|
),
|
|
|
|
shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
|
2015-09-06 17:41:12 +02:00
|
|
|
)
|
|
|
|
back = proc.stdout.read().strip()
|
|
|
|
proc.wait()
|
2015-07-12 20:36:46 +02:00
|
|
|
logging.debug("Generating RSA cert and key PEM files...%s" % back)
|
|
|
|
|
|
|
|
if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
|
|
|
|
return True
|
|
|
|
else:
|
2015-09-24 22:08:08 +02:00
|
|
|
logging.error("RSA ECC SSL cert generation failed, cert or key files not exist.")
|
2015-07-12 20:36:46 +02:00
|
|
|
return False
|
|
|
|
|
|
|
|
# Not used yet: Missing on some platform
|
2015-09-24 22:08:08 +02:00
|
|
|
"""def createSslEccCert(self):
|
2015-07-12 20:36:46 +02:00
|
|
|
return False
|
|
|
|
import subprocess
|
|
|
|
|
|
|
|
# Create ECC privatekey
|
2015-09-06 17:41:12 +02:00
|
|
|
proc = subprocess.Popen(
|
2015-07-12 20:36:46 +02:00
|
|
|
"%s ecparam -name prime256v1 -genkey -out %s/key-ecc.pem" % (self.openssl_bin, config.data_dir),
|
|
|
|
shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
|
2015-09-06 17:41:12 +02:00
|
|
|
)
|
|
|
|
back = proc.stdout.read().strip()
|
|
|
|
proc.wait()
|
2015-07-12 20:36:46 +02:00
|
|
|
self.log.debug("Generating ECC privatekey PEM file...%s" % back)
|
|
|
|
|
|
|
|
# Create ECC cert
|
2015-09-06 17:41:12 +02:00
|
|
|
proc = subprocess.Popen(
|
2015-09-27 02:08:53 +02:00
|
|
|
"%s req -new -key %s -x509 -nodes -out %s -config %s" % helper.shellquote(
|
2015-09-21 20:09:32 +02:00
|
|
|
self.openssl_bin,
|
|
|
|
config.data_dir+"/key-ecc.pem",
|
|
|
|
config.data_dir+"/cert-ecc.pem",
|
|
|
|
self.openssl_env["OPENSSL_CONF"]
|
|
|
|
),
|
2015-07-12 20:36:46 +02:00
|
|
|
shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
|
2015-09-06 17:41:12 +02:00
|
|
|
)
|
|
|
|
back = proc.stdout.read().strip()
|
|
|
|
proc.wait()
|
2015-07-12 20:36:46 +02:00
|
|
|
self.log.debug("Generating ECC cert PEM file...%s" % back)
|
|
|
|
|
|
|
|
if os.path.isfile("%s/cert-ecc.pem" % config.data_dir) and os.path.isfile("%s/key-ecc.pem" % config.data_dir):
|
|
|
|
return True
|
|
|
|
else:
|
|
|
|
self.logging.error("ECC SSL cert generation failed, cert or key files not exits.")
|
|
|
|
return False
|
2015-09-24 22:08:08 +02:00
|
|
|
"""
|
2015-07-12 20:36:46 +02:00
|
|
|
|
2015-09-27 02:08:53 +02:00
|
|
|
manager = CryptConnectionManager()
|