ZeroNet/src/Crypt/CryptConnection.py

import sys
import logging
import os
import ssl
import hashlib

from Config import config
from util import SslPatch
from util import helper


class CryptConnectionManager:
    def __init__(self):
        # OpenSSL params
        if sys.platform.startswith("win"):
            self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"
        else:
            self.openssl_bin = "openssl"
        self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}

        self.crypt_supported = []  # Supported cryptos

    # Select crypt that supported by both sides
    # Return: Name of the crypto
    def selectCrypt(self, client_supported):
        for crypt in self.crypt_supported:
            if crypt in client_supported:
                return crypt
        return False

    # Wrap socket for crypt
    # Return: wrapped socket
    def wrapSocket(self, sock, crypt, server=False, cert_pin=None):
        if crypt == "tls-rsa":
            ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"
            ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
            if server:
                sock_wrapped = ssl.wrap_socket(
                    sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,
                    certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)
            else:
                sock_wrapped = ssl.wrap_socket(sock, ciphers=ciphers)
            if cert_pin:
                cert_hash = hashlib.sha256(sock_wrapped.getpeercert(True)).hexdigest()
                assert cert_hash == cert_pin, "Socket certificate does not match (%s != %s)" % (cert_hash, cert_pin)
            return sock_wrapped
        else:
            return sock

    def removeCerts(self):
        if config.keep_ssl_cert:
            return False
        for file_name in ["cert-rsa.pem", "key-rsa.pem"]:
            file_path = "%s/%s" % (config.data_dir, file_name)
            if os.path.isfile(file_path):
                os.unlink(file_path)

    # Load and create cert files is necessary
    def loadCerts(self):
        if config.disable_encryption:
            return False

        if self.createSslRsaCert():
            self.crypt_supported.append("tls-rsa")

    # Try to create RSA server cert + sign for connection encryption
    # Return: True on success
    def createSslRsaCert(self):
        if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
            return True  # Files already exits

        import subprocess
        proc = subprocess.Popen(
            "%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % helper.shellquote(
                self.openssl_bin,
                config.data_dir+"/key-rsa.pem",
                config.data_dir+"/cert-rsa.pem",
                self.openssl_env["OPENSSL_CONF"]
            ),
            shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
        )
        back = proc.stdout.read().strip()
        proc.wait()
        logging.debug("Generating RSA cert and key PEM files...%s" % back)

        if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
            return True
        else:
            logging.error("RSA ECC SSL cert generation failed, cert or key files not exist.")
            return False

    # Not used yet: Missing on some platform
    """def createSslEccCert(self):
        return False
        import subprocess

        # Create ECC privatekey
        proc = subprocess.Popen(
            "%s ecparam -name prime256v1 -genkey -out %s/key-ecc.pem" % (self.openssl_bin, config.data_dir),
            shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
        )
        back = proc.stdout.read().strip()
        proc.wait()
        self.log.debug("Generating ECC privatekey PEM file...%s" % back)

        # Create ECC cert
        proc = subprocess.Popen(
            "%s req -new -key %s -x509 -nodes -out %s -config %s" % helper.shellquote(
                self.openssl_bin,
                config.data_dir+"/key-ecc.pem",
                config.data_dir+"/cert-ecc.pem",
                self.openssl_env["OPENSSL_CONF"]
            ),
            shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
        )
        back = proc.stdout.read().strip()
        proc.wait()
        self.log.debug("Generating ECC cert PEM file...%s" % back)

        if os.path.isfile("%s/cert-ecc.pem" % config.data_dir) and os.path.isfile("%s/key-ecc.pem" % config.data_dir):
            return True
        else:
            self.logging.error("ECC SSL cert generation failed, cert or key files not exits.")
            return False
    """

manager = CryptConnectionManager()
rev245, Fix for gevent1.0.2 ssl, Disable asnyc js load (its slower on my browser) 2015-06-18 20:31:33 +02:00			`import sys`
			`import logging`
			`import os`
			`import ssl`
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol 2016-01-05 00:20:52 +01:00			`import hashlib`
rev245, Fix for gevent1.0.2 ssl, Disable asnyc js load (its slower on my browser) 2015-06-18 20:31:33 +02:00
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance 2015-06-10 00:29:30 +02:00			`from Config import config`
			`from util import SslPatch`
Rev448, Better file download priority method, Some potential programming error fix, Renamed utils to helper, Moved pack and unpackaddress to helper package, Test new privatekey creation, Test site file download order, Spy test helper to log called parameters, Remove unnecessary fat arrows 2015-09-27 02:08:53 +02:00			`from util import helper`
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance 2015-06-10 00:29:30 +02:00
rev245, Fix for gevent1.0.2 ssl, Disable asnyc js load (its slower on my browser) 2015-06-18 20:31:33 +02:00
Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance 2015-06-10 00:29:30 +02:00			`class CryptConnectionManager:`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`def __init__(self):`
			`# OpenSSL params`
			`if sys.platform.startswith("win"):`
			`self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"`
			`else:`
			`self.openssl_bin = "openssl"`
			`self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}`

			`self.crypt_supported = [] # Supported cryptos`

			`# Select crypt that supported by both sides`
			`# Return: Name of the crypto`
			`def selectCrypt(self, client_supported):`
			`for crypt in self.crypt_supported:`
			`if crypt in client_supported:`
			`return crypt`
			`return False`

			`# Wrap socket for crypt`
			`# Return: wrapped socket`
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol 2016-01-05 00:20:52 +01:00			`def wrapSocket(self, sock, crypt, server=False, cert_pin=None):`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`if crypt == "tls-rsa":`
			`ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"`
			`ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"`
			`if server:`
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol 2016-01-05 00:20:52 +01:00			`sock_wrapped = ssl.wrap_socket(`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,`
			`certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)`
			`else:`
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol 2016-01-05 00:20:52 +01:00			`sock_wrapped = ssl.wrap_socket(sock, ciphers=ciphers)`
			`if cert_pin:`
			`cert_hash = hashlib.sha256(sock_wrapped.getpeercert(True)).hexdigest()`
			`assert cert_hash == cert_pin, "Socket certificate does not match (%s != %s)" % (cert_hash, cert_pin)`
			`return sock_wrapped`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`else:`
			`return sock`

			`def removeCerts(self):`
Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol 2016-01-05 00:20:52 +01:00			`if config.keep_ssl_cert:`
			`return False`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`for file_name in ["cert-rsa.pem", "key-rsa.pem"]:`
			`file_path = "%s/%s" % (config.data_dir, file_name)`
			`if os.path.isfile(file_path):`
			`os.unlink(file_path)`

			`# Load and create cert files is necessary`
			`def loadCerts(self):`
			`if config.disable_encryption:`
			`return False`

Rev445, Fix ConnectionServer peer_id handling, Faster startup by creating ssl certs on FileServer start, Per-site connection_server, Fix double Db opening, Test site downloading, Sign testsite properly, Test ConnectionServer, Test FileRequest 2015-09-24 22:08:08 +02:00			`if self.createSslRsaCert():`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`self.crypt_supported.append("tls-rsa")`

			`# Try to create RSA server cert + sign for connection encryption`
			`# Return: True on success`
Rev445, Fix ConnectionServer peer_id handling, Faster startup by creating ssl certs on FileServer start, Per-site connection_server, Fix double Db opening, Test site downloading, Sign testsite properly, Test ConnectionServer, Test FileRequest 2015-09-24 22:08:08 +02:00			`def createSslRsaCert(self):`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):`
			`return True # Files already exits`

Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol 2016-01-05 00:20:52 +01:00			`import subprocess`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`proc = subprocess.Popen(`
Rev448, Better file download priority method, Some potential programming error fix, Renamed utils to helper, Moved pack and unpackaddress to helper package, Test new privatekey creation, Test site file download order, Spy test helper to log called parameters, Remove unnecessary fat arrows 2015-09-27 02:08:53 +02:00			`"%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % helper.shellquote(`
Rev431, Define coveralls rcfile, Escape shell parameters 2015-09-21 20:09:32 +02:00			`self.openssl_bin,`
			`config.data_dir+"/key-rsa.pem",`
			`config.data_dir+"/cert-rsa.pem",`
			`self.openssl_env["OPENSSL_CONF"]`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`),`
			`shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`)`
			`back = proc.stdout.read().strip()`
			`proc.wait()`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`logging.debug("Generating RSA cert and key PEM files...%s" % back)`

			`if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):`
			`return True`
			`else:`
Rev445, Fix ConnectionServer peer_id handling, Faster startup by creating ssl certs on FileServer start, Per-site connection_server, Fix double Db opening, Test site downloading, Sign testsite properly, Test ConnectionServer, Test FileRequest 2015-09-24 22:08:08 +02:00			`logging.error("RSA ECC SSL cert generation failed, cert or key files not exist.")`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`return False`

			`# Not used yet: Missing on some platform`
Rev445, Fix ConnectionServer peer_id handling, Faster startup by creating ssl certs on FileServer start, Per-site connection_server, Fix double Db opening, Test site downloading, Sign testsite properly, Test ConnectionServer, Test FileRequest 2015-09-24 22:08:08 +02:00			`"""def createSslEccCert(self):`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`return False`
			`import subprocess`

			`# Create ECC privatekey`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`proc = subprocess.Popen(`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`"%s ecparam -name prime256v1 -genkey -out %s/key-ecc.pem" % (self.openssl_bin, config.data_dir),`
			`shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`)`
			`back = proc.stdout.read().strip()`
			`proc.wait()`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`self.log.debug("Generating ECC privatekey PEM file...%s" % back)`

			`# Create ECC cert`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`proc = subprocess.Popen(`
Rev448, Better file download priority method, Some potential programming error fix, Renamed utils to helper, Moved pack and unpackaddress to helper package, Test new privatekey creation, Test site file download order, Spy test helper to log called parameters, Remove unnecessary fat arrows 2015-09-27 02:08:53 +02:00			`"%s req -new -key %s -x509 -nodes -out %s -config %s" % helper.shellquote(`
Rev431, Define coveralls rcfile, Escape shell parameters 2015-09-21 20:09:32 +02:00			`self.openssl_bin,`
			`config.data_dir+"/key-ecc.pem",`
			`config.data_dir+"/cert-ecc.pem",`
			`self.openssl_env["OPENSSL_CONF"]`
			`),`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env`
Reap child processes Previously child processes were not reaped, leaving zombies behind. Now each child process's `.wait()` method is called before proceeding. Closes #151. 2015-09-06 17:41:12 +02:00			`)`
			`back = proc.stdout.read().strip()`
			`proc.wait()`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00			`self.log.debug("Generating ECC cert PEM file...%s" % back)`

			`if os.path.isfile("%s/cert-ecc.pem" % config.data_dir) and os.path.isfile("%s/key-ecc.pem" % config.data_dir):`
			`return True`
			`else:`
			`self.logging.error("ECC SSL cert generation failed, cert or key files not exits.")`
			`return False`
Rev445, Fix ConnectionServer peer_id handling, Faster startup by creating ssl certs on FileServer start, Per-site connection_server, Fix double Db opening, Test site downloading, Sign testsite properly, Test ConnectionServer, Test FileRequest 2015-09-24 22:08:08 +02:00			`"""`
rev280, The whole project reformatted to PEP8, UiRequest getPosted to query posted variables 2015-07-12 20:36:46 +02:00
Rev448, Better file download priority method, Some potential programming error fix, Renamed utils to helper, Moved pack and unpackaddress to helper package, Test new privatekey creation, Test site file download order, Spy test helper to log called parameters, Remove unnecessary fat arrows 2015-09-27 02:08:53 +02:00			`manager = CryptConnectionManager()`