PyBitmessage/src/network/tls.py

"""
SSL/TLS negotiation.
"""

from network.advanceddispatcher import AdvancedDispatcher
import network.asyncore_pollchoose as asyncore
import socket
import ssl
import sys

import protocol

class TLSDispatcher(AdvancedDispatcher):
    def __init__(self, address=None, sock=None,
                 certfile=None, keyfile=None, server_side=False, ciphers=protocol.sslProtocolCiphers):
        self.want_read = self.want_write = True
        if certfile is None:
            self.certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem')
        else:
            self.certfile = certfile
        if keyfile is None:
            self.keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem')
        else:
            self.keyfile = keyfile
        self.server_side = server_side
        self.ciphers = ciphers
        self.tlsStarted = False
        self.tlsDone = False
        self.isSSL = False

    def state_tls_init(self):
        self.isSSL = True
        # Once the connection has been established, it's safe to wrap the
        # socket.
        if sys.version_info >= (2,7,9):
            context = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH if self.server_side else ssl.Purpose.CLIENT_AUTH)
            context.set_ciphers(self.ciphers)
            context.set_ecdh_curve("secp256k1")
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
            # also exclude TLSv1 and TLSv1.1 in the future
            context.options = ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_SINGLE_ECDH_USE | ssl.OP_CIPHER_SERVER_PREFERENCE
            self.sslSocket = context.wrap_socket(self.sock, server_side = self.server_side, do_handshake_on_connect=False)
        else:
            self.sslSocket = ssl.wrap_socket(self.socket,
                                         server_side=self.server_side,
                                         ssl_version=protocol.sslProtocolVersion,
                                         certfile=self.certfile,
                                         keyfile=self.keyfile,
                                         ciphers=self.ciphers,
                                         do_handshake_on_connect=False)
        self.sslSocket.setblocking(0)
        self.want_read = self.want_write = True
#        if hasattr(self.socket, "context"):
#            self.socket.context.set_ecdh_curve("secp256k1")

    def writable(self):
        if self.tlsStarted and not self.tlsDone:
            return self.want_write
        else:
            return AdvancedDispacher.writable(self)

    def readable(self):
        if self.tlsStarted and not self.tlsDone:
            return self.want_read
        else:
            return AdvancedDispacher.readable(self)

    def handle_read(self):
        if self.tlsStarted and not self.tlsDone:
            self._handshake()
        else:
            return AdvancedDispacher.handle_read(self)

    def handle_write(self):
        if self.tlsStarted and not not self.tlsDone:
            self._handshake()
        else:
            return AdvancedDispacher.handle_write(self)

    def state_tls_handshake(self):
        """
        Perform the handshake.
        """
        try:
            self.sslSocket.do_handshake()
        except ssl.SSLError, err:
            self.want_read = self.want_write = False
            if err.args[0] == ssl.SSL_ERROR_WANT_READ:
                self.want_read = True
            elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
                self.want_write = True
            else:
                raise
        else:
            # The handshake has completed, so remove this channel and...
            self.del_channel()
            self.set_socket(self.sslSocket)
            self.tlsDone = True
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`"""`
			`SSL/TLS negotiation.`
			`"""`

Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`from network.advanceddispatcher import AdvancedDispatcher`
			`import network.asyncore_pollchoose as asyncore`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`import socket`
			`import ssl`
Fix minor issues - landscape.io complained - obsolete imports - ciphers -> self.ciphers 2017-01-12 07:26:04 +01:00			`import sys`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
TLS tuning - allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9 2017-01-11 20:47:27 +01:00			`import protocol`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`class TLSDispatcher(AdvancedDispatcher):`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`def __init__(self, address=None, sock=None,`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`certfile=None, keyfile=None, server_side=False, ciphers=protocol.sslProtocolCiphers):`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`self.want_read = self.want_write = True`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`if certfile is None:`
			`self.certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem')`
			`else:`
			`self.certfile = certfile`
			`if keyfile is None:`
			`self.keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem')`
			`else:`
			`self.keyfile = keyfile`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`self.server_side = server_side`
			`self.ciphers = ciphers`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`self.tlsStarted = False`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`self.tlsDone = False`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`self.isSSL = False`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`def state_tls_init(self):`
			`self.isSSL = True`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`# Once the connection has been established, it's safe to wrap the`
			`# socket.`
TLS tuning - allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9 2017-01-11 20:47:27 +01:00			`if sys.version_info >= (2,7,9):`
			`context = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH if self.server_side else ssl.Purpose.CLIENT_AUTH)`
Fix minor issues - landscape.io complained - obsolete imports - ciphers -> self.ciphers 2017-01-12 07:26:04 +01:00			`context.set_ciphers(self.ciphers)`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`context.set_ecdh_curve("secp256k1")`
TLS tuning - allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9 2017-01-11 20:47:27 +01:00			`context.check_hostname = False`
			`context.verify_mode = ssl.CERT_NONE`
			`# also exclude TLSv1 and TLSv1.1 in the future`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`context.options = ssl.OP_ALL \| ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3 \| ssl.OP_SINGLE_ECDH_USE \| ssl.OP_CIPHER_SERVER_PREFERENCE`
			`self.sslSocket = context.wrap_socket(self.sock, server_side = self.server_side, do_handshake_on_connect=False)`
TLS tuning - allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9 2017-01-11 20:47:27 +01:00			`else:`
			`self.sslSocket = ssl.wrap_socket(self.socket,`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`server_side=self.server_side,`
TLS tuning - allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9 2017-01-11 20:47:27 +01:00			`ssl_version=protocol.sslProtocolVersion,`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`certfile=self.certfile,`
			`keyfile=self.keyfile,`
			`ciphers=self.ciphers,`
			`do_handshake_on_connect=False)`
			`self.sslSocket.setblocking(0)`
			`self.want_read = self.want_write = True`
			`# if hasattr(self.socket, "context"):`
			`# self.socket.context.set_ecdh_curve("secp256k1")`

			`def writable(self):`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`if self.tlsStarted and not self.tlsDone:`
			`return self.want_write`
			`else:`
			`return AdvancedDispacher.writable(self)`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
			`def readable(self):`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`if self.tlsStarted and not self.tlsDone:`
			`return self.want_read`
			`else:`
			`return AdvancedDispacher.readable(self)`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
			`def handle_read(self):`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`if self.tlsStarted and not self.tlsDone:`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`self._handshake()`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`else:`
			`return AdvancedDispacher.handle_read(self)`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
			`def handle_write(self):`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`if self.tlsStarted and not not self.tlsDone:`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`self._handshake()`
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`else:`
			`return AdvancedDispacher.handle_write(self)`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00
Async network IO updates - WIP 2017-04-04 10:46:01 +02:00			`def state_tls_handshake(self):`
New network backend (WIP, not integrated) - current snapshot of the new network backend code - not working yet, just base classes and no integration 2016-12-01 16:48:04 +01:00			`"""`
			`Perform the handshake.`
			`"""`
			`try:`
			`self.sslSocket.do_handshake()`
			`except ssl.SSLError, err:`
			`self.want_read = self.want_write = False`
			`if err.args[0] == ssl.SSL_ERROR_WANT_READ:`
			`self.want_read = True`
			`elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:`
			`self.want_write = True`
			`else:`
			`raise`
			`else:`
			`# The handshake has completed, so remove this channel and...`
			`self.del_channel()`
			`self.set_socket(self.sslSocket)`
			`self.tlsDone = True`