Version 0.3.1, rev238, Connection encryption using TLS, One click site clone feature, Encryption stats, Disable encryption startup parameter, Disable ssl compression startup parameter, Exchange supported encryption methods at handshake, Alternative open port checker, Option to store site privatekey in users.json, Torrent tracker swap, Test for bip32 based site creation, cloning and sslcert creation, Fix for Chrome plugin on OSX, Separate siteSign websocket command, Update pybitcointools to major speedup, Re-add sslwrap for python 0.2.9+, Disable SSL compression to save memory and better performance

2015-06-10 00:29:30 +02:00 · 2015-06-10 00:29:30 +02:00 · a78907cc9d
commit a78907cc9d
parent f0597afe1f
64 changed files with 4141 additions and 213 deletions
--- a/src/Crypt/CryptConnection.py
+++ b/src/Crypt/CryptConnection.py
@ -0,0 +1,101 @@
+import sys, logging, os
+from Config import config
+import gevent
+from util import SslPatch
+
+class CryptConnectionManager:
+	def __init__(self):
+		# OpenSSL params
+		if sys.platform.startswith("win"): 
+			self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"
+		else: 
+			self.openssl_bin = "openssl"
+		self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}
+
+		self.crypt_supported = [] # Supported cryptos
+
+
+	# Select crypt that supported by both sides
+	# Return: Name of the crypto
+	def selectCrypt(self, client_supported):
+		for crypt in self.crypt_supported:
+			if crypt in client_supported:
+				return crypt
+		return False
+
+
+	# Wrap socket for crypt
+	# Return: wrapped socket
+	def wrapSocket(self, sock, crypt, server=False):
+		if crypt == "tls-rsa":
+			ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK" 
+			if server:
+				return gevent.ssl.wrap_socket(sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir, certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)
+			else:
+				return gevent.ssl.wrap_socket(sock, ciphers=ciphers)
+		else:
+			return sock
+
+
+	def removeCerts(self):
+		for file_name in ["cert-rsa.pem", "key-rsa.pem"]:
+			file_path = "%s/%s" % (config.data_dir, file_name)
+			if os.path.isfile(file_path): os.unlink(file_path)
+
+
+	# Loand and create cert files is necessary
+	def loadCerts(self):
+		if config.disable_encryption: return False
+		
+		if self.loadSslRsaCert():
+			self.crypt_supported.append("tls-rsa")
+			
+
+	# Try to create RSA server cert + sign for connection encryption
+	# Return: True on success
+	def loadSslRsaCert(self):
+		import subprocess
+
+		if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
+			return True # Files already exits
+
+		back = subprocess.Popen(
+			"%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s/key-rsa.pem -out %s/cert-rsa.pem -nodes -config %s" % (self.openssl_bin, config.data_dir, config.data_dir, self.openssl_env["OPENSSL_CONF"]),
+			shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
+		).stdout.read().strip()
+		logging.debug("Generating RSA cert and key PEM files...%s" % back)
+
+		if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
+			return True
+		else:
+			logging.error("RSA ECC SSL cert generation failed, cert or key files not exits.")
+			return False
+
+
+	# Not used yet: Missing on some platform
+	def createSslEccCert(self):
+		return False
+		import subprocess
+
+		# Create ECC privatekey
+		back = subprocess.Popen(
+			"%s ecparam -name prime256v1 -genkey -out %s/key-ecc.pem" % (self.openssl_bin, config.data_dir), 
+			shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
+		).stdout.read().strip()
+		self.log.debug("Generating ECC privatekey PEM file...%s" % back)
+
+		# Create ECC cert
+		back = subprocess.Popen(
+			"%s req -new -key %s/key-ecc.pem -x509 -nodes -out %s/cert-ecc.pem -config %s" % (self.openssl_bin, config.data_dir, config.data_dir, self.openssl_env["OPENSSL_CONF"]), 
+			shell=True, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, env=self.openssl_env
+		).stdout.read().strip()
+		self.log.debug("Generating ECC cert PEM file...%s" % back)
+
+		if os.path.isfile("%s/cert-ecc.pem" % config.data_dir) and os.path.isfile("%s/key-ecc.pem" % config.data_dir):
+			return True
+		else:
+			self.logging.error("ECC SSL cert generation failed, cert or key files not exits.")
+			return False
+
+
+manager = CryptConnectionManager()