def __init__(self, host, port, certfile, keyfile, phrase, profileId):
"""
Peer to Peer server constructor
@param host: IP to listen on
@param port: TCP port to listen for incoming commands
@param certfile: SSL certificate file path
@param keyfile: SSL key file path
@param phrase: logged in user's pass phrase
@param profileId: logged in profile ID
@return: P2P server object
"""
self.upnpClient = UPnP()
# port forward successful
self.forwarded = False
self.server = None
self.sock = None
self.timeout = int(Config.idle_timeout)
#self.loop = asyncio.get_event_loop()
self.host = host
self.port = port
self.certfile = certfile
self.keyfile = keyfile
self.safe = SecretBox(getLocalAuth(profileId, phrase))
self.profileId = profileId
self.uid, _ = getAccount(self.safe, profileId)
self.hashchain = defaultdict(bytes)
# messages awaiting to be read. uid -> [message, ]
self.messages = defaultdict(list)
# auth tokens awaiting server storage
self.auth = []
# new avatar received
self.avatar = False
# incoming transfer requests
self.fileRequests = FileRequests(self.safe, self.profileId)
# outgoing transfers
self.fileRequestsOut = FileRequests(self.safe, self.profileId, outgoing=True)
# friend uid->mask container
self.friendMasks = Masks(self.safe, self.profileId)
logging.basicConfig(filename='Logs/{:s}.log'.format(datetime.date(datetime.now()).isoformat()),
level=logging.DEBUG,
format='%(asctime)s %(message)s')
class P2PServer:
"""
An asynchronous TLS server for quip client communication
"""
def __init__(self, host, port, certfile, keyfile, phrase, profileId):
"""
Peer to Peer server constructor
@param host: IP to listen on
@param port: TCP port to listen for incoming commands
@param certfile: SSL certificate file path
@param keyfile: SSL key file path
@param phrase: logged in user's pass phrase
@param profileId: logged in profile ID
@return: P2P server object
"""
self.upnpClient = UPnP()
# port forward successful
self.forwarded = False
self.server = None
self.sock = None
self.timeout = int(Config.idle_timeout)
#self.loop = asyncio.get_event_loop()
self.host = host
self.port = port
self.certfile = certfile
self.keyfile = keyfile
self.safe = SecretBox(getLocalAuth(profileId, phrase))
self.profileId = profileId
self.uid, _ = getAccount(self.safe, profileId)
self.hashchain = defaultdict(bytes)
# messages awaiting to be read. uid -> [message, ]
self.messages = defaultdict(list)
# auth tokens awaiting server storage
self.auth = []
# new avatar received
self.avatar = False
# incoming transfer requests
self.fileRequests = FileRequests(self.safe, self.profileId)
# outgoing transfers
self.fileRequestsOut = FileRequests(self.safe, self.profileId, outgoing=True)
# friend uid->mask container
self.friendMasks = Masks(self.safe, self.profileId)
logging.basicConfig(filename='Logs/{:s}.log'.format(datetime.date(datetime.now()).isoformat()),
level=logging.DEBUG,
format='%(asctime)s %(message)s')
def _createSocket(self):
"""
Create a TCP socket
@return: socket object
"""
# TCP socket
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((self.host, self.port))
return self.sock
def _createSSLContext(self):
"""
Create a secure TLS context.
@return: SSLContext object
"""
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# disallow other protocols
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
# implement correct cipher suite setup
# NOTE: secp256k1 used until openssl 1.0.2 is stable, where brainpoolp256t1 is the potentially chosen curve.
# Additionally, see http://safecurves.cr.yp.to and http://safecurves.cr.yp.to/rigid.html for recommended curves
context.set_ecdh_curve('secp256k1')
context.set_ciphers('ECDHE-ECDSA-AES256-GCM-SHA384')
# disable compression on ssl channel due to issues like CRIME and BREACH attacks
context.options |= ssl.OP_NO_COMPRESSION
# Prevents re-use of the same ECDH key for distinct SSL sessions
context.options |= ssl.OP_SINGLE_ECDH_USE
# Add DH re-use prevention in case of future cipher change
context.options |= ssl.OP_SINGLE_DH_USE
# Enforce server's cipher ordering preference
context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
# Client certificate validation not used
context.verify_mode = ssl.CERT_NONE
# cert loading
if not self.keyfile:
context.load_cert_chain(self.certfile)
else:
context.load_cert_chain(self.certfile, self.keyfile)
return context
@asyncio.coroutine
def _close_connection(self, writer, reason=None):
"""
Close the connection
@param writer: StreamWriter object
@param reason: (Optional) bytes/bytestring reason connection is closed (API errno)
@return: True if successful, else False
"""
try:
if reason is not None:
writer.write(reason)
yield from writer.drain()
writer.close()
except Exception:
return False
return True
@asyncio.coroutine
def _command_dispatch(self, client_reader, client_writer, command, data):
"""
Process client command
@param client_reader: connected TLS client StreamReader object
@param client_writer: connected TLS client StreamWriter object
@param command: authorised command
@param data: first line of data
@return: command output
"""
returnData = b''
###############################
# Authorised Command Execution
###############################
mask = self.friendMasks[data[-36:]]
if command is receiveMessage:
msg = yield from receiveMessage(self.safe, self.profileId, mask, data)
if msg:
# uid-> [(rowid, message, tstamp), ...]
self.messages[msg[1]].append((msg[0], msg[2], None))
returnData = BTRUE
else:
returnData = BFALSE
elif command is receiveAvatar:
returnData = yield from receiveAvatar(client_reader, client_writer, self.safe, self.profileId, mask,
data[:-36 - COMMAND_LENGTH])
if len(returnData) > 3:
self.avatar = True
elif command is requestSendFile:
# timeout set to config file_timeout
fdata = yield from requestSendFile(self.safe, self.profileId, mask, data)
if fdata:
# reload available incoming file transfer requests
self.fileRequests.reload()
returnData = BTRUE if fdata else BFALSE
elif command is sendFile:
success = yield from sendFile(client_writer, self.safe, self.profileId, mask, data[:-36 - COMMAND_LENGTH],
Config.file_expiry, Config.max_chunk)
if not success and (mask, data[:-36 - COMMAND_LENGTH]) in self.fileRequestsOut.keys():
self.fileRequestsOut.reload()
# return no data as all communication is handled in the sendFile handler
returnData = b''
elif command is inviteChat:
# chat invite
returnData = yield from inviteChat(client_reader, data)
return returnData
@asyncio.coroutine
def _handle_client(self, client_reader, client_writer, address):
"""
This method actually does the work to handle the requests for a specific client. The protocol is byte AND line
oriented, the command is read first (8 bytes) and matched against available commands, the complete line (up to
64k) is read into memory and must end with newline character. The received data is verified against the received
user id's public key. Once verified, the matched command is executed.
@param client_reader: StreamReader object
@param client_writer: StreamWriter object
"""
while True:
# recevied incoming data time stamp
stamp = int(time())
# read command first, only take first 8 bytes
cmd = yield from client_reader.readexactly(COMMAND_LENGTH)
if not cmd:
# nothing received from client
break
################
# Data checking
################
# check received command is valid
try:
command = Commands[int(cmd)]
except ValueError:
logging.info("\t".join(("Invalid Command Provided By Client",
"IP: {!r}".format(address),
"Command: {!r}".format(cmd))))
yield from self._close_connection(client_writer, INVALID_COMMAND)
return
try:
# use of encoded data allows for direct readline()
data = yield from client_reader.readline()
except asyncio.futures.TimeoutError:
yield from self._close_connection(client_writer, TIMEOUT)
return
# clear up data before proceeding (i.e newline char)
data = data.strip()
################
# Authorisation
################
if command != friendAcceptance:
try:
data = a85decode(data, foldspaces=True)
except ValueError:
logging.info("Invalid data received, unable to decode as ASCII85")
yield from self._close_connection(client_writer, INVALID_COMMAND)
return
# verify data integrity
try:
# using getAuthority hits the disk db
data = VerifyKey(getAuthority(self.safe, self.profileId, self.friendMasks[data[-36:]])[0],
encoder=HexEncoder).verify(data)
except (BadSignatureError, TypeError):
# signed data does not match stored public key for provided user id
logging.warning('\t'.join(("Unable to verify sent data",
"IP: {!r}".format(address),
"Data: {!r}".format(data),
"Sent ID: {!r}".format(data[-36:]))))
yield from self._close_connection(client_writer, INVALID_DATA)
return
# data received as: timestamp, hash chain hex, destination user id, data, sender user id
tstamp, chain, dest, origin = data[:10], data[10:50], data[50:86], data[-36:]
data = data[86:-36]
###########################
# Message integrity checks
###########################
integrity = True
# validation checks
if dest != self.uid:
logging.warning("Message Integrity Failure: User id destination {!r} differs from logged in user".format(dest))
integrity = False
try:
if integrity and (stamp + LIMIT_MESSAGE_TIME) < int(tstamp) < (stamp - LIMIT_MESSAGE_TIME):
logging.warning("Message Integrity Failure: Message is either too old or in the future, current time '{}' received stamp '{}'".format(stamp, int(tstamp)))
integrity = False
except ValueError:
logging.warning("Message Integrity Failure: Message time {!r} is invalid".format(tstamp))
if integrity and isValidUUID(origin):
hchain = bytes(sha1(b''.join((self.hashchain[address], data))).hexdigest(), encoding='ascii')
if hchain != chain:
logging.warning("Message Integrity Failure: Provided hash chain {!r} does not match local {!r}".format(chain, hchain))
integrity = False
else:
logging.warning("Message Integrity Failure: Invalid UUID provided by {!r}".format(origin))
integrity = False
if not integrity:
yield from self._close_connection(client_writer, INVALID_COMMAND)
return
try:
# ensure command integrity for authorised commands
assert Commands[int(data[-COMMAND_LENGTH:])] == command
except (ValueError, AssertionError):
logging.info('\t'.join(("Client unsigned CMD data does not equal signed CMD",
"IP: {!r}".format(address),
"Unsigned Command: {!r}".format(cmd),
"Signed Command: {!r}".format(data[-COMMAND_LENGTH:]))))
yield from self._close_connection(client_writer, INVALID_DATA)
return
# all checks cleared, update hash chain
self.hashchain[address] = hchain
# data verified, execute command with data and origin user id
returnData = yield from self._command_dispatch(client_reader, client_writer, command, b''.join((data, origin)))
else:
returnData, authToken = yield from friendAcceptance(client_reader, client_writer, self.safe, self.profileId, data)
if authToken is not None:
self.auth.append(authToken)
# send command result to client
client_writer.write(returnData)
# Flush buffer
yield from client_writer.drain()
@asyncio.coroutine
def _accept_client(self, client_reader, client_writer):
"""
Callback method used by start_server (or create_server).
Accepts a new client connection and dispatch asynchronous client handling
"""
address = client_writer.transport.get_extra_info('peername')
# reset hash chain on new connection
self.hashchain[address] = b''
# start a new Task to handle this specific client connection
#task = asyncio.Task(self._handle_client(client_reader, client_writer, address))
#loop = asyncio.get_event_loop()
# task = loop.create_task(self._handle_client(client_reader, client_writer, address))
yield from self._handle_client(client_reader, client_writer, address)
def portForward(self, port=None, protocol='TCP'):
if port:
self.port = port
try:
# clear any previous port-forwarding rule on router
self.upnpClient.deleteportmapping(self.port, protocol)
except Exception as e:
# if the port is already removed, a base Exception will be thrown
pass
# (externalPort, protocol, internalHost, internalPort, desc, remoteHost)
self.forwarded = self.upnpClient.addportmapping(self.port, protocol,
self.host if self.host else self.upnpClient.lanaddr,
self.port, 'Quip Client', '')
def start(self, loop):
"""
Starts the TLS server to listen for incoming peers
For each client that connects, the accept_client method gets called. This method runs the loop until the
server sockets are ready to accept connections.
"""
# attempt automatic port-forwarding
self.upnpClient.discover()
try:
self.upnpClient.selectigd()
self.portForward()
except Exception as e:
# unable to find router which supports automatic port forwarding
pass
# use created SSLContext with create_server() or start_server() (abstracts create_server(), takes direct callback
# instead of Protocol Factory) (see PEP 3156)
self.server = loop.run_until_complete(
asyncio.streams.start_server(self._accept_client,
loop=loop,
ssl=self._createSSLContext(),
sock=self._createSocket()))
def stop(self, loop):
"""
Stops the TCP server, closes the listening socket(s).
"""
# clear port-forwarding rule on router
if self.forwarded:
try:
self.upnpClient.deleteportmapping(self.port, 'TCP')
except Exception as e:
logging.warning("Unable to delete port-forwarded port", exc_info=True)
if self.server is not None:
self.server.close()
loop.run_until_complete(self.server.wait_closed())
self.server = None
