Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol

src/Crypt/CryptConnection.py

@@ -2,6 +2,7 @@ import sys
 import logging
 import os
 import ssl
+import hashlib
 
 from Config import config
 from util import SslPatch
@@ -29,20 +30,26 @@ class CryptConnectionManager:
 
     # Wrap socket for crypt
     # Return: wrapped socket
-    def wrapSocket(self, sock, crypt, server=False):
+    def wrapSocket(self, sock, crypt, server=False, cert_pin=None):
         if crypt == "tls-rsa":
             ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"
             ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
             if server:
-                return ssl.wrap_socket(
+                sock_wrapped = ssl.wrap_socket(
                     sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,
                     certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)
             else:
-                return ssl.wrap_socket(sock, ciphers=ciphers)
+                sock_wrapped = ssl.wrap_socket(sock, ciphers=ciphers)
+            if cert_pin:
+                cert_hash = hashlib.sha256(sock_wrapped.getpeercert(True)).hexdigest()
+                assert cert_hash == cert_pin, "Socket certificate does not match (%s != %s)" % (cert_hash, cert_pin)
+            return sock_wrapped
         else:
             return sock
 
     def removeCerts(self):
+        if config.keep_ssl_cert:
+            return False
         for file_name in ["cert-rsa.pem", "key-rsa.pem"]:
             file_path = "%s/%s" % (config.data_dir, file_name)
             if os.path.isfile(file_path):
@@ -59,11 +66,10 @@ class CryptConnectionManager:
     # Try to create RSA server cert + sign for connection encryption
     # Return: True on success
     def createSslRsaCert(self):
-        import subprocess
-
         if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
             return True  # Files already exits
 
+        import subprocess
         proc = subprocess.Popen(
             "%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % helper.shellquote(
                 self.openssl_bin,

src/Crypt/CryptHash.py

@@ -21,6 +21,15 @@ def sha512sum(file, blocksize=65536):
     return hash.hexdigest()[0:64]  # Truncate to 256bits is good enough
 
 
+def sha256sum(file, blocksize=65536):
+    if hasattr(file, "endswith"):  # Its a string open it
+        file = open(file, "rb")
+    hash = hashlib.sha256()
+    for block in iter(lambda: file.read(blocksize), ""):
+        hash.update(block)
+    return hash.hexdigest()
+
+
 def random(length=64, encoding="hex"):
     if encoding == "base64":  # Characters: A-Za-z0-9
         hash = hashlib.sha512(os.urandom(256)).digest()

src/Crypt/CryptRsa.py

@@ -0,0 +1,38 @@
+import base64
+import hashlib
+
+def sign(data, privatekey):
+    from lib import rsa
+    from lib.rsa import pkcs1
+
+    if "BEGIN RSA PRIVATE KEY" not in privatekey:
+        privatekey = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----" % privatekey
+
+    priv = rsa.PrivateKey.load_pkcs1(privatekey)
+    sign = rsa.pkcs1.sign(data, priv, 'SHA-256')
+    return sign
+
+def verify(data, publickey, sign):
+    from lib import rsa
+    from lib.rsa import pkcs1
+
+    pub = rsa.PublicKey.load_pkcs1(publickey, format="DER")
+    try:
+        valid = rsa.pkcs1.verify(data, sign, pub)
+    except pkcs1.VerificationError:
+        valid = False
+    return valid
+
+def privatekeyToPublickey(privatekey):
+    from lib import rsa
+    from lib.rsa import pkcs1
+
+    if "BEGIN RSA PRIVATE KEY" not in privatekey:
+        privatekey = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----" % privatekey
+
+    priv = rsa.PrivateKey.load_pkcs1(privatekey)
+    pub = rsa.PublicKey(priv.n, priv.e)
+    return pub.save_pkcs1("DER")
+
+def publickeyToOnion(publickey):
+    return base64.b32encode(hashlib.sha1(publickey).digest()[:10]).lower()