From 76555b1aa7d5d5084ad102032ce130724dee2ac1 Mon Sep 17 00:00:00 2001 From: "jai.s" Date: Sat, 4 Apr 2020 21:38:50 +0530 Subject: [PATCH] Solved SSL issue --- src/bmconfigparser.py | 2 -- src/depends.py | 5 +++- src/network/bmproto.py | 8 ++---- src/network/tls.py | 56 +++++++++++++++++++-------------------- src/protocol.py | 1 - src/pyelliptic/openssl.py | 2 +- 6 files changed, 34 insertions(+), 40 deletions(-) diff --git a/src/bmconfigparser.py b/src/bmconfigparser.py index c19db688..3056741d 100644 --- a/src/bmconfigparser.py +++ b/src/bmconfigparser.py @@ -57,9 +57,7 @@ class BMConfigParser(configparser.ConfigParser): return configparser.ConfigParser.set(self, section, option, value) def get(self, section, option, raw=False, vars=None): - # import pdb;pdb.set_trace() # pylint: disable=unused-argument - # import pdb; pdb.set_trace() try: if section == "bitmessagesettings" and option == "timeformat": return configparser.ConfigParser.get( diff --git a/src/depends.py b/src/depends.py index ead33cae..e359724f 100755 --- a/src/depends.py +++ b/src/depends.py @@ -304,7 +304,10 @@ def check_openssl(): ' OpenSSL 0.9.8b or later with AES, Elliptic Curves (EC),' ' ECDH, and ECDSA enabled.') return False - matches = cflags_regex.findall(openssl_cflags) + if sys.version_info >=(3,0,0): + matches = cflags_regex.findall(str(openssl_cflags)) + else: + matches = cflags_regex.findall(openssl_cflags) if matches: logger.error( 'This OpenSSL library is missing the following required' diff --git a/src/network/bmproto.py b/src/network/bmproto.py index 066da94c..9530ef8d 100644 --- a/src/network/bmproto.py +++ b/src/network/bmproto.py @@ -542,15 +542,11 @@ class BMProto(AdvancedDispatcher, ObjectTracker): '%(host)s:%(port)i sending version', self.destination._asdict()) if self.services & protocol.NODE_SSL == protocol.NODE_SSL: - # self.isSSL = True - pass + self.isSSL = True if not self.verackReceived: return True - # self.set_state( - # "tls_init" if self.isSSL else "connection_fully_established", - # length=self.payloadLength, expectBytes=0) self.set_state( - "connection_fully_established", + "tls_init" if self.isSSL else "connection_fully_established", length=self.payloadLength, expectBytes=0) return False diff --git a/src/network/tls.py b/src/network/tls.py index 5b80f8ef..c8bee8b8 100644 --- a/src/network/tls.py +++ b/src/network/tls.py @@ -68,6 +68,7 @@ class TLSDispatcher(AdvancedDispatcher): self.tlsDone = False self.tlsVersion = "N/A" self.isSSL = False + self.sslSocket = None def state_tls_init(self): """Prepare sockets for TLS handshake""" @@ -76,28 +77,6 @@ class TLSDispatcher(AdvancedDispatcher): self.tlsStarted = True # Once the connection has been established, # it's safe to wrap the socket. - if sys.version_info >= (2, 7, 9): - context = ssl.create_default_context( - purpose=ssl.Purpose.SERVER_AUTH - if self.server_side else ssl.Purpose.CLIENT_AUTH) - context.set_ciphers(self.ciphers) - context.set_ecdh_curve("secp256k1") - context.check_hostname = False - context.verify_mode = ssl.CERT_NONE - # also exclude TLSv1 and TLSv1.1 in the future - context.options = ssl.OP_ALL | ssl.OP_NO_SSLv2 |\ - ssl.OP_NO_SSLv3 | ssl.OP_SINGLE_ECDH_USE |\ - ssl.OP_CIPHER_SERVER_PREFERENCE - self.sslSocket = context.wrap_socket( - self.socket, server_side=self.server_side, - do_handshake_on_connect=False) - else: - self.sslSocket = ssl.wrap_socket( - self.socket, server_side=self.server_side, - ssl_version=sslProtocolVersion, - certfile=self.certfile, keyfile=self.keyfile, - ciphers=self.ciphers, do_handshake_on_connect=False) - self.sslSocket.setblocking(0) self.want_read = self.want_write = True self.set_state("tls_handshake") return False @@ -127,7 +106,6 @@ class TLSDispatcher(AdvancedDispatcher): # during TLS handshake, and after flushing write buffer, # return status of last handshake attempt if self.tlsStarted and not self.tlsDone and not self.write_buf: - # print "tls readable, %r" % (self.want_read) return self.want_read # prior to TLS handshake, # receiveDataThread should emulate synchronous behaviour @@ -145,7 +123,6 @@ class TLSDispatcher(AdvancedDispatcher): and normal reads must be ignored. """ try: - # wait for write buffer flush if self.tlsStarted and not self.tlsDone and not self.write_buf: # logger.debug( # "%s:%i TLS handshaking (read)", self.destination.host, @@ -182,9 +159,6 @@ class TLSDispatcher(AdvancedDispatcher): # self.destination.port) self.tls_handshake() else: - # logger.debug( - # "%s:%i Not TLS handshaking (write)", self.destination.host, - # self.destination.port) return AdvancedDispatcher.handle_write(self) except AttributeError: return AdvancedDispatcher.handle_write(self) @@ -201,8 +175,34 @@ class TLSDispatcher(AdvancedDispatcher): def tls_handshake(self): """Perform TLS handshake and handle its stages""" # wait for flush + # self.sslSocket.setblocking(0) if self.write_buf: return False + if not self.sslSocket: + self.del_channel() + if sys.version_info >= (2, 7, 9): + context = ssl.create_default_context( + purpose=ssl.Purpose.SERVER_AUTH + if self.server_side else ssl.Purpose.CLIENT_AUTH) + context.set_ciphers(self.ciphers) + context.set_ecdh_curve("secp256k1") + context.check_hostname = False + context.verify_mode = ssl.CERT_NONE + # also exclude TLSv1 and TLSv1.1 in the future + context.options = ssl.OP_ALL | ssl.OP_NO_SSLv2 |\ + ssl.OP_NO_SSLv3 | ssl.OP_SINGLE_ECDH_USE |\ + ssl.OP_CIPHER_SERVER_PREFERENCE + self.sslSocket = context.wrap_socket( + self.socket, server_side=self.server_side, + do_handshake_on_connect=False) + else: + self.sslSocket = ssl.wrap_socket( + self.socket, server_side=self.server_side, + ssl_version=sslProtocolVersion, + certfile=self.certfile, keyfile=self.keyfile, + ciphers=self.ciphers, do_handshake_on_connect=False) + self.sslSocket.setblocking(0) + self.set_socket(self.sslSocket) # Perform the handshake. try: self.sslSocket.do_handshake() @@ -233,8 +233,6 @@ class TLSDispatcher(AdvancedDispatcher): '%s:%i: TLS handshake success', self.destination.host, self.destination.port) # The handshake has completed, so remove this channel and... - self.del_channel() - self.set_socket(self.sslSocket) self.tlsDone = True self.bm_proto_reset() diff --git a/src/protocol.py b/src/protocol.py index 53223b3c..a9886819 100644 --- a/src/protocol.py +++ b/src/protocol.py @@ -231,7 +231,6 @@ def haveSSL(server=False): python < 2.7.9's ssl library does not support ECDSA server due to missing initialisation of available curves, but client works ok """ - return False if not server: return True elif sys.version_info >= (2, 7, 9): diff --git a/src/pyelliptic/openssl.py b/src/pyelliptic/openssl.py index 20d2100f..68364504 100644 --- a/src/pyelliptic/openssl.py +++ b/src/pyelliptic/openssl.py @@ -82,7 +82,7 @@ class _OpenSSL(object): """Build the wrapper""" self._lib = ctypes.CDLL(library) self._version, self._hexversion, self._cflags = get_version(self._lib) - self._libreSSL = (self._version).decode("utf-8").startswith("OpenSSL") + self._libreSSL = (self._version).decode("utf-8").startswith("LibreSSL") self.pointer = ctypes.pointer self.c_int = ctypes.c_int