Version 0.3.5, Rev830, Full Tor mode support with hidden services, Onion stats in Sidebar, GeoDB download fix using Tor, Gray out disabled sites in Stats page, Tor hidden service status in stat page, Benchmark sha256, Skyts tracker out expodie in, 2 new tracker using ZeroNet protocol, Keep SSL cert option between restarts, SSL Certificate pinning support for connections, Site lock support for connections, Certificate pinned connections using implicit SSL, Flood protection whitelist support, Foreign keys support for DB layer, Not support for SQL query helper, 0 length file get bugfix, Pex onion address support, Faster port testing, Faster uPnP port opening, Need connections more often on owned sites, Delay ZeroHello startup message if port check or Tor manager not ready yet, Use lockfiles to avoid double start, Save original socket on proxy monkey patching to get ability to connect localhost directly, Handle atomic write errors, Broken gevent https workaround helper, Rsa crypt functions, Plugin to Bootstrap using ZeroNet protocol

2016-01-05 00:20:52 +01:00 · 2016-01-05 00:20:52 +01:00 · e9d2cdfd37
commit e9d2cdfd37
parent c9578e9037
99 changed files with 9476 additions and 267 deletions
--- a/src/Crypt/CryptConnection.py
+++ b/src/Crypt/CryptConnection.py
@ -2,6 +2,7 @@ import sys
 import logging
 import os
 import ssl
+import hashlib

 from Config import config
 from util import SslPatch
@ -29,20 +30,26 @@ class CryptConnectionManager:

    # Wrap socket for crypt
    # Return: wrapped socket
-    def wrapSocket(self, sock, crypt, server=False):
+    def wrapSocket(self, sock, crypt, server=False, cert_pin=None):
        if crypt == "tls-rsa":
            ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA256:HIGH:"
            ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
            if server:
-                return ssl.wrap_socket(
+                sock_wrapped = ssl.wrap_socket(
                    sock, server_side=server, keyfile='%s/key-rsa.pem' % config.data_dir,
                    certfile='%s/cert-rsa.pem' % config.data_dir, ciphers=ciphers)
            else:
-                return ssl.wrap_socket(sock, ciphers=ciphers)
+                sock_wrapped = ssl.wrap_socket(sock, ciphers=ciphers)
+            if cert_pin:
+                cert_hash = hashlib.sha256(sock_wrapped.getpeercert(True)).hexdigest()
+                assert cert_hash == cert_pin, "Socket certificate does not match (%s != %s)" % (cert_hash, cert_pin)
+            return sock_wrapped
        else:
            return sock

    def removeCerts(self):
+        if config.keep_ssl_cert:
+            return False
        for file_name in ["cert-rsa.pem", "key-rsa.pem"]:
            file_path = "%s/%s" % (config.data_dir, file_name)
            if os.path.isfile(file_path):
@ -59,11 +66,10 @@ class CryptConnectionManager:
    # Try to create RSA server cert + sign for connection encryption
    # Return: True on success
    def createSslRsaCert(self):
-        import subprocess
-
        if os.path.isfile("%s/cert-rsa.pem" % config.data_dir) and os.path.isfile("%s/key-rsa.pem" % config.data_dir):
            return True  # Files already exits

+        import subprocess
        proc = subprocess.Popen(
            "%s req -x509 -newkey rsa:2048 -sha256 -batch -keyout %s -out %s -nodes -config %s" % helper.shellquote(
                self.openssl_bin,