ZeroNet/src/Crypt/CryptConnection.py

import sys
import logging
import os
import ssl

from Config import config
from util import SslPatch
from util import utils


class CryptConnectionManager:
    def __init__(self):
        # OpenSSL params
        if sys.platform.startswith("win"):
            self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"
        else:
            self.openssl_bin = "openssl"
        self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}

        self.crypt_supported = []  # Supported cryptos

    # Select crypt that supported by both sides
    # Return: Name of the crypto
    def selectCrypt(self, client_supported):
        for crypt in self.crypt_supported:
            if crypt in client_supported:
                return crypt
        return False

    # Wrap socket for crypt
    # Return: wrapped socket
    def wrapSocket(self, sock, crypt, server=False):
        if crypt == "tls-rsa":
            ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"
            ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
            if server:
                return ssl.wrap_socket(
                    sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,
                    certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)
            else:
                return ssl.wrap_socket(sock, ciphers=ciphers)
        else:
            return sock

    def removeCerts(self):
        for file_name in ["cert-rsa.pem", "key-rsa.pem"]:
            file_path = "%s/%s" % (config.data_dir, file_name)
            if os.path.isfile(file_path):
                os.unlink(file_path)

    # Load and create cert files is necessary
    def loadCerts(self):
        if config.disable_encryption:
            return False

        if self.loadSslRsaCert():
            self.crypt_supported.append("tls-rsa")

    # Try to create RSA server cert + sign for connection encryption
    # Return: True on success
    def loadSslRsaCert(self):
        import subprocess

        if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
            return True  # Files already exits

        proc = subprocess.Popen(
            "%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % utils.shellquote(
                self.openssl_bin,
                config.data_dir+"/key-rsa.pem",
                config.data_dir+"/cert-rsa.pem",
                self.openssl_env["OPENSSL_CONF"]
            ),
            shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
        )
        back = proc.stdout.read().strip()
        proc.wait()
        logging.debug("Generating RSA cert and key PEM files...%s" % back)

        if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
            return True
        else:
            logging.error("RSA ECC SSL cert generation failed, cert or key files not exits.")
            return False

    # Not used yet: Missing on some platform
    def createSslEccCert(self):
        return False
        import subprocess

        # Create ECC privatekey
        proc = subprocess.Popen(
            "%s ecparam -name prime256v1 -genkey -out %s/key-ecc.pem" % (self.openssl_bin, config.data_dir),
            shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
        )
        back = proc.stdout.read().strip()
        proc.wait()
        self.log.debug("Generating ECC privatekey PEM file...%s" % back)

        # Create ECC cert
        proc = subprocess.Popen(
            "%s req -new -key %s -x509 -nodes -out %s -config %s" % utils.shellquote(
                self.openssl_bin,
                config.data_dir+"/key-ecc.pem",
                config.data_dir+"/cert-ecc.pem",
                self.openssl_env["OPENSSL_CONF"]
            ),
            shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
        )
        back = proc.stdout.read().strip()
        proc.wait()
        self.log.debug("Generating ECC cert PEM file...%s" % back)

        if os.path.isfile("%s/cert-ecc.pem" % config.data_dir) and os.path.isfile("%s/key-ecc.pem" % config.data_dir):
            return True
        else:
            self.logging.error("ECC SSL cert generation failed, cert or key files not exits.")
            return False


manager = CryptConnectionManager()
rev245, Fix for gevent1.0.2 ssl, Disable asnyc js load (its slower on my browser) 2015-06-18 20:31:33 +02:00			`import sys`
			`import logging`
			`import os`
			`import ssl`

Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance 2015-06-10 00:29:30 +02:00			`from Config import config`
			`from util import SslPatch`
Rev431, Define coveralls rcfile, Escape shell parameters 2015-09-21 20:09:32 +02:00			`from util import utils`
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance 2015-06-10 00:29:30 +02:00
rev245, Fix for gevent1.0.2 ssl, Disable asnyc js load (its slower on my browser) 2015-06-18 20:31:33 +02:00
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance 2015-06-10 00:29:30 +02:00			`class CryptConnectionManager:`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`def __init__(self):`
			`# OpenSSL params`
			`if sys.platform.startswith("win"):`
			`self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"`
			`else:`
			`self.openssl_bin = "openssl"`
			`self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}`

			`self.crypt_supported = [] # Supported cryptos`

			`# Select crypt that supported by both sides`
			`# Return: Name of the crypto`
			`def selectCrypt(self, client_supported):`
			`for crypt in self.crypt_supported:`
			`if crypt in client_supported:`
			`return crypt`
			`return False`

			`# Wrap socket for crypt`
			`# Return: wrapped socket`
			`def wrapSocket(self, sock, crypt, server=False):`
			`if crypt == "tls-rsa":`
			`ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"`
			`ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"`
			`if server:`
			`return ssl.wrap_socket(`
			`sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,`
			`certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)`
			`else:`
			`return ssl.wrap_socket(sock, ciphers=ciphers)`
			`else:`
			`return sock`

			`def removeCerts(self):`
			`for file_name in ["cert-rsa.pem", "key-rsa.pem"]:`
			`file_path = "%s/%s" % (config.data_dir, file_name)`
			`if os.path.isfile(file_path):`
			`os.unlink(file_path)`

			`# Load and create cert files is necessary`
			`def loadCerts(self):`
			`if config.disable_encryption:`
			`return False`

			`if self.loadSslRsaCert():`
			`self.crypt_supported.append("tls-rsa")`

			`# Try to create RSA server cert + sign for connection encryption`
			`# Return: True on success`
			`def loadSslRsaCert(self):`
			`import subprocess`

			`if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):`
			`return True # Files already exits`

Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`proc = subprocess.Popen(`
Rev431, Define coveralls rcfile, Escape shell parameters 2015-09-21 20:09:32 +02:00			`"%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % utils.shellquote(`
			`self.openssl_bin,`
			`config.data_dir+"/key-rsa.pem",`
			`config.data_dir+"/cert-rsa.pem",`
			`self.openssl_env["OPENSSL_CONF"]`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`),`
			`shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`)`
			`back = proc.stdout.read().strip()`
			`proc.wait()`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`logging.debug("Generating RSA cert and key PEM files...%s" % back)`

			`if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):`
			`return True`
			`else:`
			`logging.error("RSA ECC SSL cert generation failed, cert or key files not exits.")`
			`return False`

			`# Not used yet: Missing on some platform`
			`def createSslEccCert(self):`
			`return False`
			`import subprocess`

			`# Create ECC privatekey`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`proc = subprocess.Popen(`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`"%s ecparam -name prime256v1 -genkey -out %s/key-ecc.pem" % (self.openssl_bin, config.data_dir),`
			`shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`)`
			`back = proc.stdout.read().strip()`
			`proc.wait()`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`self.log.debug("Generating ECC privatekey PEM file...%s" % back)`

			`# Create ECC cert`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`proc = subprocess.Popen(`
Rev431, Define coveralls rcfile, Escape shell parameters 2015-09-21 20:09:32 +02:00			`"%s req -new -key %s -x509 -nodes -out %s -config %s" % utils.shellquote(`
			`self.openssl_bin,`
			`config.data_dir+"/key-ecc.pem",`
			`config.data_dir+"/cert-ecc.pem",`
			`self.openssl_env["OPENSSL_CONF"]`
			`),`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`)`
			`back = proc.stdout.read().strip()`
			`proc.wait()`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`self.log.debug("Generating ECC cert PEM file...%s" % back)`

			`if os.path.isfile("%s/cert-ecc.pem" % config.data_dir) and os.path.isfile("%s/key-ecc.pem" % config.data_dir):`
			`return True`
			`else:`
			`self.logging.error("ECC SSL cert generation failed, cert or key files not exits.")`
			`return False`


Rev377, Fix sidebar filetypes css class, Support running zeronet from Utf-8 directories, Fix multiuser plugin welcome message, Format Multiuser plugin to PEP8, Faster publish by using connected peers if possible, Prefix css backface-visibility 2015-09-08 03:07:44 +02:00			`manager = CryptConnectionManager()`