March 2014 - tor-commits - lists.torproject.org

[bridgedb/master] Use RSA and HMAC captcha keys in resource init in addWebServer().
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit a7efb1df76433851bd92a51166450a413a76be18 Author: Isis Lovecruft <isis(a)torproject.org> Date: Wed Mar 12 00:35:03 2014 +0000 Use RSA and HMAC captcha keys in resource init in addWebServer(). --- lib/bridgedb/HTTPServer.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/lib/bridgedb/HTTPServer.py b/lib/bridgedb/HTTPServer.py index 51c1351..05315de 100644 --- a/lib/bridgedb/HTTPServer.py +++ b/lib/bridgedb/HTTPServer.py @@ -747,8 +747,20 @@ def addWebServer(cfg, dist, sched): useForwardedHeader=cfg.HTTP_USE_IP_FROM_FORWARDED_HEADER, resource=resource) httpdist.putChild('bridges', protected) + elif cfg.GIMP_CAPTCHA_ENABLED: + # Get the HMAC secret key for CAPTCHA challenges and create a new key + # from it for use on the server: + captchaKey = crypto.getKey(cfg.GIMP_CAPTCHA_HMAC_KEYFILE) + hmacKey = crypto.getHMAC(captchaKey, "Captcha-Key") + + # Load or create our encryption keys: + secretKey, publicKey = crypto.getRSAKey(cfg.GIMP_CAPTCHA_RSA_KEYFILE) + protected = GimpCaptchaProtectedResource( + secretKey=secretKey, + publicKey=publicKey, + hmacKey=hmacKey, captchaDir=cfg.GIMP_CAPTCHA_DIR, useForwardedHeader=cfg.HTTP_USE_IP_FROM_FORWARDED_HEADER, resource=resource)

1 0

[bridgedb/master] Change assertTrue(a == b) in unittest to assertEquals.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit d3ce8311f9091ebec4175f2e4f342912097c8ed8 Author: Isis Lovecruft <isis(a)torproject.org> Date: Wed Mar 12 05:42:22 2014 +0000 Change assertTrue(a == b) in unittest to assertEquals. --- lib/bridgedb/test/test_captcha.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bridgedb/test/test_captcha.py b/lib/bridgedb/test/test_captcha.py index 2e4a1cf..27dd6e0 100644 --- a/lib/bridgedb/test/test_captcha.py +++ b/lib/bridgedb/test/test_captcha.py @@ -163,7 +163,7 @@ class GimpCaptchaTests(unittest.TestCase): decoded = urlsafe_b64decode(challenge) hmac, orig = decoded.split(';', 1) correctHMAC = crypto.getHMAC(self.hmacKey, orig) - self.assertTrue(hmac == correctHMAC) + self.assertEquals(hmac, correctHMAC) def test_createChallenge_decryptedAnswerMatches(self): """The HMAC in createChallenge() return value should be valid."""

1 0

[bridgedb/master] Add example CAPTCHA for unittests.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit d4fbd5e675479f09511b8c44409a16458b39effd Author: Isis Lovecruft <isis(a)torproject.org> Date: Wed Mar 12 04:25:34 2014 +0000 Add example CAPTCHA for unittests. --- captchas/Tvx74PMy.jpg | Bin 0 -> 61434 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/captchas/Tvx74PMy.jpg b/captchas/Tvx74PMy.jpg new file mode 100644 index 0000000..47e3d76 Binary files /dev/null and b/captchas/Tvx74PMy.jpg differ

1 0

[bridgedb/master] Two whitespace fixes in lib/bridgedb/test/test_captcha.py.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit f508c2d449805072d33b0ea3b9121f0b7f69c6d0 Author: Isis Lovecruft <isis(a)torproject.org> Date: Wed Mar 12 06:02:41 2014 +0000 Two whitespace fixes in lib/bridgedb/test/test_captcha.py. [ci-skip] --- lib/bridgedb/test/test_captcha.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bridgedb/test/test_captcha.py b/lib/bridgedb/test/test_captcha.py index 27dd6e0..b2e67b3 100644 --- a/lib/bridgedb/test/test_captcha.py +++ b/lib/bridgedb/test/test_captcha.py @@ -52,7 +52,7 @@ class ReCaptchaTests(unittest.TestCase): """Check the ReCaptcha class stored the private and public keys.""" self.assertEquals(self.c.privkey, 'sekrit') self.assertEquals(self.c.pubkey, 'publik') - + def test_get(self): """Test get() method.""" @@ -71,7 +71,7 @@ class ReCaptchaTests(unittest.TestCase): try: # There isn't really a reliable way to test this function! :( self.c.get() - except Exception as error: + except Exception as error: reason = "ReCaptcha.get() test requires an active network " reason += "connection.\nThis test failed with: %s" % error raise unittest.SkipTest(reason)

1 0

[bridgedb/master] Add unittests for bridgedb.crypto.SSLVerifyingContextFactory.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit 9091a9220e05e9c2006a08b247466084150c8df4 Author: Isis Lovecruft <isis(a)torproject.org> Date: Tue Mar 4 04:58:56 2014 +0000 Add unittests for bridgedb.crypto.SSLVerifyingContextFactory. --- lib/bridgedb/test/test_crypto.py | 104 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/lib/bridgedb/test/test_crypto.py b/lib/bridgedb/test/test_crypto.py index cc1ee9a..5d69a55 100644 --- a/lib/bridgedb/test/test_crypto.py +++ b/lib/bridgedb/test/test_crypto.py @@ -14,16 +14,38 @@ from __future__ import print_function from __future__ import unicode_literals +import logging import os +import OpenSSL + +from twisted.internet import defer from twisted.trial import unittest +from twisted.test.proto_helpers import StringTransport +from twisted.web.test import test_agent as txtagent + from bridgedb import crypto +from bridgedb import txrecaptcha +logging.disable(50) + SEKRIT_KEY = b'v\x16Xm\xfc\x1b}\x063\x85\xaa\xa5\xf9\xad\x18\xb2P\x93\xc6k\xf9' SEKRIT_KEY += b'\x8bI\xd9\xb8xw\xf5\xec\x1b\x7f\xa8' +class DummyEndpoint(object): + """An endpoint that uses a fake transport.""" + + def connect(self, factory): + """Returns a connection to a + :api:`twisted.test.proto_helpers.StringTransport`. + """ + protocol = factory.buildProtocol(None) + protocol.makeConnection(StringTransport()) + return defer.succeed(protocol) + + class GetKeyTests(unittest.TestCase): """Tests for :func:`bridgedb.crypto.getKey`.""" @@ -56,3 +78,85 @@ class GetKeyTests(unittest.TestCase): key (in hex): %s SEKRIT_KEY (in hex): %s""" % (key.encode('hex'), SEKRIT_KEY.encode('hex'))) + + +class SSLVerifyingContextFactoryTests(unittest.TestCase, + txtagent.FakeReactorAndConnectMixin): + """Tests for :class:`bridgedb.crypto.SSLVerifyingContextFactory`.""" + + _certificateText = ( + "-----BEGIN CERTIFICATE-----\n" + "MIIEdjCCA16gAwIBAgIITcyHZlE/AhQwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE\n" + "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl\n" + "cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMjEyMTUxMTE2WhcNMTQwNjEyMDAwMDAw\n" + "WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN\n" + "TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3\n" + "Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt3TOf\n" + "VOf4vfy4IROcEyiFzAJA+B3xkMccwA4anaD6VyGSFglRn5Oht3t+G0Mnu/LMuGba\n" + "EE6NEBEUEbH8KMlAcVRj58LoFIzulaRCdkVX7JK9R+kU05sggvIl1Q2quaWSjiMQ\n" + "SpyvKz1I2cmU5Gm4MfW/66M5ZJO323VrV19ydrgAtdbNnvVj85asrSyzwEBNxzNC\n" + "N6OQtOmTt4I7KLXqkROtTmTFvhAGBsvhG0hJZWhoP1aVsFO+KcE2OaIIxWQ4ckW7\n" + "BJEgYaXfgHo01LdR55aevGUqLfsdyT+GMZrG9k7eqAw4cq3ML2Y6RiyzskqoQL30\n" + "3OdYjKTIcU+i3BoFAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI\n" + "KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE\n" + "XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0\n" + "MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G\n" + "A1UdDgQWBBQN7uQBzGDjvKRna111g9iPPtaXVTAMBgNVHRMBAf8EAjAAMB8GA1Ud\n" + "IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW\n" + "eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB\n" + "RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBrVp/xys2ABQvWPxpVrYaXiaoBXdxu\n" + "RVVXp5Lyu8IipKqFJli81hOX9eqPG7biYeph9HiKnW31xsXebaVlWWL3NXOh5X83\n" + "wpzozL0AkxskTMHQknrbIGLtmG67H71aKYyCthHEjawLmYjjvkcF6f9fKdYENM4C\n" + "skz/yjtlPBQFAuT6J9w0b3qtc42sHNlpgIOdIRQc2YCD0p6jAo+wKjoRuRu3ILKj\n" + "oCVrOPbDMPN4a2gSmK8Ur0aHuEpcNghg6HJsVSANokIIwQ/r4niqL5yotsangP/5\n" + "rR97EIYKFz7C6LMy/PIe8xFTIyKMtM59IcpUDIwCLlM9JtNdwN4VpyKy\n" + "-----END CERTIFICATE-----\n") + + def setUp(self): + """Create a fake reactor for these tests.""" + self.reactor = self.Reactor() + self.url = 'https://www.example.com/someresource.html#andatag' + + def test_getHostnameFromURL(self): + """``getHostnameFromURL()`` should return a hostname from a URI.""" + agent = txrecaptcha._getAgent(self.reactor, self.url) + contextFactory = agent._contextFactory + self.assertRegexpMatches(contextFactory.hostname, + '.*www\.example\.com') + + def test_verifyHostname_mismatching(self): + """Check that ``verifyHostname()`` returns ``False`` when the + ``SSLVerifyingContextFactory.hostname`` does not match the one found + in the level 0 certificate subject CN. + """ + agent = txrecaptcha._getAgent(self.reactor, self.url) + contextFactory = agent._contextFactory + x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, + self._certificateText) + conn = DummyEndpoint() + result = contextFactory.verifyHostname(conn, x509, 0, 0, True) + self.assertIs(result, False) + + def test_verifyHostname_matching(self): + """Check that ``verifyHostname()`` returns ``True`` when the + ``SSLVerifyingContextFactory.hostname`` matches the one found in the + level 0 certificate subject CN. + """ + hostname = 'www.google.com' + url = 'https://' + hostname + '/recaptcha' + contextFactory = crypto.SSLVerifyingContextFactory(url) + self.assertEqual(contextFactory.hostname, hostname) + + x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, + self._certificateText) + conn = DummyEndpoint() + result = contextFactory.verifyHostname(conn, x509, 0, 0, True) + self.assertTrue(result) + + def test_getContext(self): + """The context factory's ``getContext()`` method should produce an + ``OpenSSL.SSL.Context`` object. + """ + contextFactory = crypto.SSLVerifyingContextFactory(self.url) + self.assertIsInstance(contextFactory.getContext(), + OpenSSL.SSL.Context)

1 0

[bridgedb/master] Add unittests for bridgedb.txrecaptcha module.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit cb4300ed1e48e1a818f535cecf8f052f985e996a Author: Isis Lovecruft <isis(a)torproject.org> Date: Tue Mar 4 05:08:54 2014 +0000 Add unittests for bridgedb.txrecaptcha module. --- lib/bridgedb/test/test_txrecaptcha.py | 253 +++++++++++++++++++++++++++++++++ 1 file changed, 253 insertions(+) diff --git a/lib/bridgedb/test/test_txrecaptcha.py b/lib/bridgedb/test/test_txrecaptcha.py new file mode 100644 index 0000000..dc41df4 --- /dev/null +++ b/lib/bridgedb/test/test_txrecaptcha.py @@ -0,0 +1,253 @@ +# -*- coding: utf-8 -*- +# +# This file is part of BridgeDB, a Tor bridge distribution system. +# +# :authors: Isis Lovecruft 0xA3ADB67A2CDB8B35 <isis(a)torproject.org> +# :copyright: (c) 2013-2014, Isis Lovecruft +# (c) 2007-2014, The Tor Project, Inc. +# :license: 3-Clause BSD, see LICENSE for licensing information + +"""Unittests for the bridgedb.txrecaptcha module.""" + +import logging + +from twisted.internet import defer +from twisted.internet import reactor +from twisted.internet.base import DelayedCall +from twisted.internet.error import ConnectionLost +from twisted.internet.error import ConnectionRefusedError +from twisted.test import proto_helpers +from twisted.trial import unittest +from twisted.python import failure +from twisted.web.client import ResponseDone +from twisted.web.http_headers import Headers +from twisted.web.iweb import IBodyProducer + +from zope.interface.verify import verifyObject + +from bridgedb import txrecaptcha + + +logging.disable(50) + +# Set ``DelayedCall.debug=True``, because the following traceback was occuring: +# +# Traceback (most recent call last): +# Failure: twisted.trial.util.DirtyReactorAggregateError: Reactor was unclean. +# DelayedCalls: (set twisted.internet.base.DelayedCall.debug = True to debug) +# <DelayedCall 0x1ba5b90 [29.991571188s] called=0 cancelled=0 +# Client.failIfNotConnected(TimeoutError('',))> +# <DelayedCall 0x1baa3f8 [59.9993360043s] called=0 cancelled=0 +# ThreadedResolver._cleanup('www.google.com', <Deferred at 0x1baa320>)> +DelayedCall.debug = True + + +class MockResponse(object): + """Fake :api:`twisted.internet.interfaces.IResponse` for testing readBody + that just captures the protocol passed to deliverBody. + + :ivar protocol: After :meth:`deliverBody` is called, the protocol it was + called with. + """ + code = 200 + phrase = "OK" + + def __init__(self, headers=None): + """Create a mock response. + + :type headers: :api:`twisted.web.http_headers.Headers` + :param headers: The headers for this response. If ``None``, an empty + ``Headers`` instance will be used. + """ + if headers is None: + headers = Headers() + self.headers = headers + + def deliverBody(self, protocol): + """Just record the given protocol without actually delivering anything + to it. + """ + self.protocol = protocol + + +class RecaptchaResponseProtocolTests(unittest.TestCase): + """Tests for bridgedb.txrecaptcha.RecaptchaResponseProtocol.""" + + def setUp(self): + """Setup the tests.""" + self.finished = defer.Deferred() + self.proto = txrecaptcha.RecaptchaResponseProtocol(self.finished) + + def _test(self, responseBody, connCloseError): + """Deliver the **responseBody** to + ``RecaptchaResponseProtocol.dataReceived``, and then lose the transport + connection with a **connCloseError**. + + The resulting ``RecaptchaResponseProtocol.response`` should be equal + to the original **responseBody**. + """ + self.proto.dataReceived(responseBody) + self.proto.connectionLost(failure.Failure(connCloseError())) + self.assertEqual(responseBody, self.proto.response) + response = self.successResultOf(self.finished) + return response + + def test_trueResponse(self): + """A valid API response which states 'true' should result in + ``RecaptchaResponse.is_valid`` being ``True``. + """ + responseBody = "true\nsome-reason-or-another\n" + response = self._test(responseBody, ResponseDone) + self.assertIsInstance(response, txrecaptcha.RecaptchaResponse) + self.assertTrue(response.is_valid) + self.assertEqual(response.error_code, "some-reason-or-another") + + def test_falseResponse(self): + """A valid API response which states 'false' should result in + ``RecaptchaResponse.is_valid`` being ``false``. + """ + responseBody = "false\nsome-reason-or-another\n" + response = self._test(responseBody, ResponseDone) + self.assertIsInstance(response, txrecaptcha.RecaptchaResponse) + self.assertIs(response.is_valid, False) + self.assertEqual(response.error_code, "some-reason-or-another") + + def test_responseDone(self): + """A valid response body with a ``ResponseDone`` should result in + ``RecaptchaResponse.is_valid`` which is ``True``. + """ + responseBody = "true\nsome-reason-or-another\n" + response = self._test(responseBody, ResponseDone) + self.assertIsInstance(response, txrecaptcha.RecaptchaResponse) + self.assertTrue(response.is_valid) + self.assertEqual(response.error_code, "some-reason-or-another") + + def test_incompleteResponse(self): + """ConnectionLost with an incomplete response should produce a specific + RecaptchaResponse.error_code message. + """ + responseBody = "true" + response = self._test(responseBody, ConnectionLost) + self.assertIs(response.is_valid, False) + self.assertEqual(response.error_code, + "Couldn't parse response from reCaptcha API server") + + +class BodyProducerTests(unittest.TestCase): + """Test for :class:`bridgedb.txrecaptcha.BodyProducer`.""" + + def setUp(self): + """Setup the tests.""" + self.content = 'Line 1\r\nLine 2\r\n' + self.producer = txrecaptcha._BodyProducer(self.content) + + def test_interface(self): + """BodyProducer should correctly implement IBodyProducer interface.""" + self.assertTrue(verifyObject(IBodyProducer, self.producer)) + + def test_length(self): + """BodyProducer.length should be equal to the total contect length.""" + self.assertEqual(self.producer.length, len(self.content)) + + def test_body(self): + """BodyProducer.body should be the content.""" + self.assertEqual(self.producer.body, self.content) + + def test_startProducing(self): + """:func:`txrecaptcha.BodyProducer.startProducing` should deliver the + original content to an IConsumer implementation. + """ + consumer = proto_helpers.StringTransport() + consumer.registerProducer(self.producer, False) + self.producer.startProducing(consumer) + self.assertEqual(consumer.value(), self.content) + consumer.clear() + + +class SubmitTests(unittest.TestCase): + """Tests for :func:`bridgedb.txrecaptcha.submit`.""" + + def setUp(self): + """Setup the tests.""" + self.challenge = ( + "03AHJ_Vutbkv3jolF5JXfJTFf5wtbdkwIJF7WA77WYjLfOUEvKW7eHBiEDKQB__7" + "GHtUOmXC13GFYIt09HuS-ZN1j5EuDmC7bzHpHUAlpI5rbOvByypYt1vtskwnN24g" + "zwWkrtKj8yGBWRNFljFMvtqYqHeHwJitRktSfKmV4q9VVgLBwkwlbvGUICmGaDrx" + "dg5lYV3hpijIkmnwXygWIwoqQ0VeCgPQQ1Yw") + self.response = "cknwnlym+ullyHLy" + self.key = '6BdkT-18FFHAAA349auGabiqntjRJAiEM2cqPMaM8' + self.ip = "1.2.3.4" + + def test_submit_emptyResponseField(self): + """An empty 'recaptcha_response_field' should immediately return a + RecaptchaResponse whose error_code is 'incorrect-captcha-sol'.""" + response = txrecaptcha.submit(self.challenge, '', self.key, self.ip) + self.assertIsInstance(response, txrecaptcha.RecaptchaResponse) + self.assertIs(response.is_valid, False) + self.assertEqual(response.error_code, 'incorrect-captcha-sol') + + def test_submit_returnsDeferred(self): + """:func:`txrecaptcha.submit` should return a deferred.""" + response = txrecaptcha.submit(self.challenge, self.response, self.key, + self.ip) + self.assertIsInstance(response, defer.Deferred) + + def test_submit_resultIsRecaptchaResponse(self): + """Regardless of success or failure, the deferred returned from + :func:`txrecaptcha.submit` should be a + :class:`txcaptcha.RecaptchaResponse`. + """ + def checkResponse(response): + """Check that the response is a + :class:`txcaptcha.RecaptchaResponse`. + """ + self.assertIsInstance(response, txrecaptcha.RecaptchaResponse) + self.assertIsInstance(response.is_valid, bool) + self.assertIsInstance(response.error_code, basestring) + + d = txrecaptcha.submit(self.challenge, self.response, self.key, + self.ip) + d.addCallback(checkResponse) + return d + + def tearDown(self): + """Cleanup method for removing timed out connections on the reactor.""" + for delay in reactor.getDelayedCalls(): + try: + delay.cancel() + except (AlreadyCalled, AlreadyCancelled): + pass + + +class MiscTests(unittest.TestCase): + """Tests for :func:`~bridgedb.txrecaptcha._cbRequest`.""" + + def test_cbRequest(self): + """Send a :class:`MockResponse` and check that thee resulting protocol + is a :class:`~bridgedb.txrecaptcha.RecaptchaResponseProtocol`. + """ + response = MockResponse() + result = txrecaptcha._cbRequest(response) + self.assertIsInstance(result, defer.Deferred) + self.assertIsInstance(response.protocol, + txrecaptcha.RecaptchaResponseProtocol) + + def test_ebRequest(self): + """Send a :api:`twisted.python.failure.Failure` and check that the + resulting protocol is a + :class:`~bridgedb.txrecaptcha.RecaptchaResponseProtocol`. + """ + msg = "Einhorn" + fail = failure.Failure(ConnectionRefusedError(msg)) + result = txrecaptcha._ebRequest(fail) + self.assertIsInstance(result, txrecaptcha.RecaptchaResponse) + self.assertRegexpMatches(result.error_code, msg) + + def test_encodeIfNecessary(self): + """:func:`txrecapcha._encodeIfNecessary` should convert unicode objects + into strings. + """ + origString = unicode('abc') + self.assertIsInstance(origString, unicode) + newString = txrecaptcha._encodeIfNecessary(origString) + self.assertIsInstance(newString, str)

1 0

[bridgedb/master] Implement cert-chain and hostname checking OpenSSL.SSL.Context factory.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit c171a250c1dfea890f5e6f965361e0829838264e Author: Isis Lovecruft <isis(a)torproject.org> Date: Tue Mar 4 05:21:48 2014 +0000 Implement cert-chain and hostname checking OpenSSL.SSL.Context factory. * ADD bridgedb.crypto.SSLVerifyingContextFactory class, which verifies certificate chains and checks certificate hostnames for a requested resource. --- lib/bridgedb/crypto.py | 98 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 97 insertions(+), 1 deletion(-) diff --git a/lib/bridgedb/crypto.py b/lib/bridgedb/crypto.py index 6c0101b..7f6d597 100644 --- a/lib/bridgedb/crypto.py +++ b/lib/bridgedb/crypto.py @@ -33,12 +33,16 @@ import hashlib import hmac import logging import os +import re +import urllib -import OpenSSL.rand +import OpenSSL from Crypto.Cipher import PKCS1_OAEP from Crypto.PublicKey import RSA +from twisted.internet import ssl + #: The hash digest to use for HMACs. DIGESTMOD = hashlib.sha1 @@ -189,3 +193,95 @@ def getHMACFunc(key, hex=True): else: return h_tmp.digest() return hmac_fn + + +class SSLVerifyingContextFactory(ssl.CertificateOptions): + """``OpenSSL.SSL.Context`` factory which does full certificate-chain and + hostname verfication. + """ + isClient = True + + def __init__(self, url, **kwargs): + """Create a client-side verifying SSL Context factory. + + To pass acceptable certificates for a server which does + client-authentication checks: initialise with a ``caCerts=[]`` keyword + argument, which should be a list of ``OpenSSL.crypto.X509`` instances + (one for each peer certificate to add to the store), and set + ``SSLVerifyingContextFactory.isClient=False``. + + :param str url: The URL being requested by an + :api:`twisted.web.client.Agent`. + :param bool isClient: True if we're being used in a client + implementation; False if we're a server. + """ + self.hostname = self.getHostnameFromURL(url) + + # ``verify`` here refers to server-side verification of certificates + # presented by a client: + self.verify = False if self.isClient else True + super(SSLVerifyingContextFactory, self).__init__(verify=self.verify, + fixBrokenPeers=True, + **kwargs) + + def getContext(self, hostname=None, port=None): + """Retrieve a configured ``OpenSSL.SSL.Context``. + + Any certificates in the ``caCerts`` list given during initialisation + are added to the ``Context``'s certificate store. + + The **hostname** and **port** arguments seem unused, but they are + required due to some Twisted and pyOpenSSL internals. See + :api:`twisted.web.client.Agent._wrapContextFactory`. + + :rtype: ``OpenSSL.SSL.Context`` + :returns: An SSL Context which verifies certificates. + """ + ctx = super(SSLVerifyingContextFactory, self).getContext() + store = ctx.get_cert_store() + verifyOptions = OpenSSL.SSL.VERIFY_PEER + ctx.set_verify(verifyOptions, self.verifyHostname) + return ctx + + def getHostnameFromURL(self, url): + """Parse the hostname from the originally requested URL. + + :param str url: The URL being requested by an + :api:`twisted.web.client.Agent`. + :rtype: str + :returns: The full hostname (including any subdomains). + """ + hostname = urllib.splithost(urllib.splittype(url)[1])[0] + logging.debug("Parsed hostname %r for cert CN matching." % hostname) + return hostname + + def verifyHostname(self, connection, x509, errnum, depth, okay): + """Callback method for additional SSL certificate validation. + + If the certificate is signed by a valid CA, and the chain is valid, + verify that the level 0 certificate has a subject common name which is + valid for the hostname of the originally requested URL. + + :param connection: An ``OpenSSL.SSL.Connection``. + :param x509: An ``OpenSSL.crypto.X509`` object. + :param errnum: A pyOpenSSL error number. See that project's docs. + :param depth: The depth which the current certificate is at in the + certificate chain. + :param bool okay: True if all the pyOpenSSL default checks on the + certificate passed. False otherwise. + """ + commonName = x509.get_subject().commonName + logging.debug("Received cert at level %d: '%s'" % (depth, commonName)) + + # We only want to verify that the hostname matches for the level 0 + # certificate: + if okay and (depth == 0): + cn = commonName.replace('*', '.*') + hostnamesMatch = re.search(cn, self.hostname) + if not hostnamesMatch: + logging.warn("Invalid certificate subject CN for '%s': '%s'" + % (self.hostname, commonName)) + return False + logging.debug("Valid certificate subject CN for '%s': '%s'" + % (self.hostname, commonName)) + return True

1 0

[bridgedb/master] Change duplicate txrecaptcha unittest to check ConnectionDone result.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit d1f22a1d8e081b0e2bd6bf6858f85c909a04a7da Author: Isis Lovecruft <isis(a)torproject.org> Date: Wed Mar 12 21:41:49 2014 +0000 Change duplicate txrecaptcha unittest to check ConnectionDone result. --- lib/bridgedb/test/test_txrecaptcha.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/bridgedb/test/test_txrecaptcha.py b/lib/bridgedb/test/test_txrecaptcha.py index dc41df4..1755011 100644 --- a/lib/bridgedb/test/test_txrecaptcha.py +++ b/lib/bridgedb/test/test_txrecaptcha.py @@ -14,6 +14,7 @@ import logging from twisted.internet import defer from twisted.internet import reactor from twisted.internet.base import DelayedCall +from twisted.internet.error import ConnectionDone from twisted.internet.error import ConnectionLost from twisted.internet.error import ConnectionRefusedError from twisted.test import proto_helpers @@ -94,10 +95,11 @@ class RecaptchaResponseProtocolTests(unittest.TestCase): def test_trueResponse(self): """A valid API response which states 'true' should result in - ``RecaptchaResponse.is_valid`` being ``True``. + ``RecaptchaResponse.is_valid`` being ``True`` after receiving a + ``ConnectionDone``. """ responseBody = "true\nsome-reason-or-another\n" - response = self._test(responseBody, ResponseDone) + response = self._test(responseBody, ConnectionDone) self.assertIsInstance(response, txrecaptcha.RecaptchaResponse) self.assertTrue(response.is_valid) self.assertEqual(response.error_code, "some-reason-or-another")

1 0

[bridgedb/master] Use txrecaptcha in bridgedb.HTTPServer.ReCaptchaProtectedResource.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit d3ebc3c2d49a008608ab962fdd1ddd7de53ecb21 Author: Isis Lovecruft <isis(a)torproject.org> Date: Wed Mar 12 06:55:14 2014 +0000 Use txrecaptcha in bridgedb.HTTPServer.ReCaptchaProtectedResource. --- lib/bridgedb/HTTPServer.py | 7 ++++--- lib/bridgedb/captcha.py | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/bridgedb/HTTPServer.py b/lib/bridgedb/HTTPServer.py index 05315de..49700c5 100644 --- a/lib/bridgedb/HTTPServer.py +++ b/lib/bridgedb/HTTPServer.py @@ -26,13 +26,14 @@ import bridgedb.Dist import bridgedb.I18n as I18n import bridgedb.Util as Util -from recaptcha.client import captcha as recaptcha from bridgedb import captcha from bridgedb import crypto from bridgedb.Filters import filterBridgesByIP6, filterBridgesByIP4 from bridgedb.Filters import filterBridgesByTransport from bridgedb.Filters import filterBridgesByNotBlockedIn from bridgedb.parse import headers +from bridgedb import txrecaptcha + from ipaddr import IPv4Address, IPv6Address from random import randint import mako.exceptions @@ -423,8 +424,8 @@ class ReCaptchaProtectedResource(CaptchaProtectedResource): challenge, response = self.extractClientSolution(request) clientIP = self.getClientIP(request) remoteIP = self.getRemoteIP() - solution = recaptcha.submit(challenge, response, - self.recaptchaPrivKey, remoteIP) + solution = txrecaptcha.submit(challenge, response, + self.recaptchaPrivKey, remoteIP) logging.debug("Captcha from %r. Parameters: %r" % (Util.logSafely(clientIP), request.args)) diff --git a/lib/bridgedb/captcha.py b/lib/bridgedb/captcha.py index e508d21..e5bf5e5 100644 --- a/lib/bridgedb/captcha.py +++ b/lib/bridgedb/captcha.py @@ -41,10 +41,11 @@ import os import urllib2 from BeautifulSoup import BeautifulSoup -from recaptcha.client.captcha import API_SSL_SERVER + from zope.interface import Interface, Attribute, implements from bridgedb import crypto +from bridgedb.txrecaptcha import API_SSL_SERVER class ReCaptchaKeyError(Exception):

1 0

[bridgedb/master] Twisted implementation of reCaptcha's submit(); use SSL for CAPTCHA verify.
by isis＠torproject.org 16 Mar '14

16 Mar '14

commit fa8bf463adbf7bc5e308527e29959d57f1754185 Author: Isis Lovecruft <isis(a)torproject.org> Date: Tue Mar 4 05:26:01 2014 +0000 Twisted implementation of reCaptcha's submit(); use SSL for CAPTCHA verify. * ADD module bridgedb.txrecaptcha. * FIXES #11127 --- lib/bridgedb/txrecaptcha.py | 215 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 215 insertions(+) diff --git a/lib/bridgedb/txrecaptcha.py b/lib/bridgedb/txrecaptcha.py new file mode 100644 index 0000000..96c813b --- /dev/null +++ b/lib/bridgedb/txrecaptcha.py @@ -0,0 +1,215 @@ +# -*- coding: utf-8 ; test-case-name: bridgedb.test.test_txrecaptcha -*- +# +# This file is part of BridgeDB, a Tor bridge distribution system. +# +# :authors: Isis Lovecruft 0xA3ADB67A2CDB8B35 <isis(a)torproject.org> +# :copyright: (c) 2013-2014, Isis Lovecruft +# (c) 2007-2014, The Tor Project, Inc. +# :license: 3-Clause BSD, see LICENSE for licensing information + + +import logging +import urllib + +from recaptcha.client.captcha import API_SSL_SERVER +from recaptcha.client.captcha import RecaptchaResponse +from recaptcha.client.captcha import displayhtml + +from twisted.internet import defer +from twisted.internet import protocol +from twisted.internet import reactor +from twisted.python import failure +from twisted.web import client +from twisted.web.http_headers import Headers +from twisted.web.iweb import IBodyProducer + +from zope.interface import implements + +from bridgedb.crypto import SSLVerifyingContextFactory + + +API_SERVER = API_SSL_SERVER +API_SSL_VERIFY_URL = "%s/verify" % API_SSL_SERVER + +_pool = client.HTTPConnectionPool(reactor, persistent=False) +_pool.maxPersistentPerHost = 5 +_pool.cachedConnectionTimeout = 30 +_agent = client.Agent(reactor, pool=_pool) + + +def _setAgent(agent): + """Set the global :attr:`agent`. + + :param agent: An :api:`twisted.web.client.Agent` for issuing requests. + """ + global _agent + _agent = agent + +def _getAgent(reactor=reactor, url=API_SSL_VERIFY_URL, pool=_pool, + connectTimeout=30, **kwargs): + """Create a :api:`twisted.web.client.Agent` which will verify the + certificate chain and hostname for the given **url**. + + :param reactor: A provider of the + :api:`twisted.internet.interface.IReactorTCP` interface. + :param str url: The full URL which will be requested with the + ``Agent``. (default: :attr:`API_SSL_VERIFY_URL`) + :param pool: An :api:`twisted.web.client.HTTPConnectionPool` + instance. (default: :attr:`_pool`) + :type connectTimeout: None or int + :param connectTimeout: If not ``None``, the timeout passed to + :api:`twisted.internet.reactor.connectTCP` or + :api:`twisted.internet.reactor.connectSSL` for specifying the + connection timeout. (default: ``30``) + """ + return client.Agent(reactor, + contextFactory=SSLVerifyingContextFactory(url), + connectTimeout=connectTimeout, + pool=pool, + **kwargs) + +_setAgent(_getAgent()) + + +class RecaptchaResponseError(ValueError): + """There was an error with the reCaptcha API server's response.""" + + +class RecaptchaResponseProtocol(protocol.Protocol): + """HTML parser which creates a :class:`RecaptchaResponse` from the body of + the reCaptcha API server's response. + """ + def __init__(self, finished): + """Create a protocol for creating :class:`RecaptchaResponse`s. + + :type finished: :api:`~twisted.internet.defer.Deferred` + :param finished: A deferred which will have its ``callback()`` called + with a :class:`RecaptchaResponse`. + """ + self.finished = finished + self.remaining = 1024 * 10 + self.response = '' + + def dataReceived(self, data): + """Called when some data is received from the connection.""" + if self.remaining: + received = data[:self.remaining] + self.response += received + self.remaining -= len(received) + + def connectionLost(self, reason): + """Called when the connection was closed. + + :type reason: :api:`twisted.python.failure.Failure` + :param reason: A string explaning why the connection was closed, + wrapped in a ``Failure`` instance. + + :raises: A :api:`twisted.internet.error.ConnectError` if the + """ + valid = False + error = reason.getErrorMessage() + try: + (valid, error) = self.response.strip().split('\n', 1) + except ValueError: + error = "Couldn't parse response from reCaptcha API server" + + valid = bool(valid == "true") + result = RecaptchaResponse(is_valid=valid, error_code=error) + logging.debug( + "ReCaptcha API server response: %s(is_valid=%s, error_code=%s)" + % (result.__class__.__name__, valid, error)) + self.finished.callback(result) + + +class _BodyProducer(object): + """I write a string into the HTML body of an open request.""" + implements(IBodyProducer) + + def __init__(self, body): + self.body = body + self.length = len(body) + + def startProducing(self, consumer): + """Start writing the HTML body.""" + consumer.write(self.body) + return defer.succeed(None) + + def pauseProducing(self): + pass + + def stopProducing(self): + pass + + def resumeProducing(self): + pass + + +def _cbRequest(response): + """Callback for a :api:`twisted.web.client.Agent.request` which delivers + the result to a :class:`RecaptchaResponseProtocol`. + + :returns: A :api:`~twisted.internet.defer.Deferred` which will callback + with a ``recaptcha.RecaptchaResponse`` for the request. + """ + finished = defer.Deferred() + response.deliverBody(RecaptchaResponseProtocol(finished)) + return finished + +def _ebRequest(fail): + """Errback for a :api:`twisted.web.client.Agent.request`. + + :param fail: A :api:`twisted.python.failure.Failure` which occurred during + the request. + """ + logging.debug("txrecaptcha._ebRequest() called with %r" % fail) + error = fail.getErrorMessage() or "possible problem in _ebRequest()" + return RecaptchaResponse(is_valid=False, error_code=error) + +def _encodeIfNecessary(string): + """Encode unicode objects in utf-8 if necessary.""" + if isinstance(string, unicode): + return string.encode('utf-8') + return string + +def submit(recaptcha_challenge_field, recaptcha_response_field, + private_key, remoteip, agent=_agent): + """Submits a reCaptcha request for verification. This function is a patched + version of the ``recaptcha.client.captcha.submit()`` function in + reCaptcha's Python API. + + It does two things differently: + 1. It uses Twisted for everything. + 2. It uses SSL/TLS for everything. + + This function returns a :api:`~twisted.internet.defer.Deferred`. If you + need a ``recaptcha.client.captcha.RecaptchaResponse`` to be returned, use + the :func:`submit` function, which is an ``@inlineCallbacks`` wrapper for + this function. + + :param str recaptcha_challenge_field: The value of the HTTP POST + ``recaptcha_challenge_field`` argument from the form. + :param recaptcha_response_field: The value of the HTTP POST + ``recaptcha_response_field`` argument from the form. + :param private_key: The reCAPTCHA API private key. + :param remoteip: An IP address to give to the reCaptcha API server. + :returns: A :api:`~twisted.internet.defer.Deferred` which will callback + with a ``recaptcha.RecaptchaResponse`` for the request. + """ + if not (recaptcha_response_field and + recaptcha_challenge_field and + len(recaptcha_response_field) and + len(recaptcha_challenge_field)): + return RecaptchaResponse(is_valid=False, + error_code='incorrect-captcha-sol') + + params = urllib.urlencode({ + 'privatekey': _encodeIfNecessary(private_key), + 'remoteip': _encodeIfNecessary(remoteip), + 'challenge': _encodeIfNecessary(recaptcha_challenge_field), + 'response': _encodeIfNecessary(recaptcha_response_field)}) + body = _BodyProducer(params) + headers = Headers({"Content-type": ["application/x-www-form-urlencoded"], + "User-agent": ["reCAPTCHA Python"]}) + d = agent.request('POST', API_SSL_VERIFY_URL, headers, body) + d.addCallbacks(_cbRequest, _ebRequest) + return d

1 0