mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-18 01:22:13 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls / gencert fixes

Browse source
This commit is contained in:
ed 2023-06-10 23:34:34 +00:00
parent 5501d49032
commit 2b2d8e4e02
4 changed files with 12 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
copyparty/__main__.py
View file

@ -729,11 +729,12 @@ def add_cert(ap, cert_path):
ap2.add_argument("--crt-ns", metavar="N,N", type=u, default="", help="comma-separated list of FQDNs (domains) to add into the certificate") ap2.add_argument("--crt-ns", metavar="N,N", type=u, default="", help="comma-separated list of FQDNs (domains) to add into the certificate")
ap2.add_argument("--crt-exact", action="store_true", help="do not add wildcard entries for each --crt-ns") ap2.add_argument("--crt-exact", action="store_true", help="do not add wildcard entries for each --crt-ns")
ap2.add_argument("--crt-noip", action="store_true", help="do not add autodetected IP addresses into cert") ap2.add_argument("--crt-noip", action="store_true", help="do not add autodetected IP addresses into cert")
ap2.add_argument("--crt-nolo", action="store_true", help="do not add 127.0.0.1 / localhost into cert")
ap2.add_argument("--crt-dir", metavar="PATH", default=cert_dir, help="where to save the CA cert") ap2.add_argument("--crt-dir", metavar="PATH", default=cert_dir, help="where to save the CA cert")
ap2.add_argument("--crt-cdays", metavar="D", type=float, default=3650, help="ca-certificate expiration time in days") ap2.add_argument("--crt-cdays", metavar="D", type=float, default=3650, help="ca-certificate expiration time in days")
ap2.add_argument("--crt-sdays", metavar="D", type=float, default=365, help="server-cert expiration time in days") ap2.add_argument("--crt-sdays", metavar="D", type=float, default=365, help="server-cert expiration time in days")
ap2.add_argument("--crt-cn", metavar="TXT", type=u, default="partyco", help="CA/server-cert common-name") ap2.add_argument("--crt-cn", metavar="TXT", type=u, default="partyco", help="CA/server-cert common-name")
ap2.add_argument("--crt-cnc", metavar="TXT", type=u, default="--crt-cn ca", help="override CA name") ap2.add_argument("--crt-cnc", metavar="TXT", type=u, default="--crt-cn", help="override CA name")
ap2.add_argument("--crt-cns", metavar="TXT", type=u, default="--crt-cn cpp", help="override server-cert name") ap2.add_argument("--crt-cns", metavar="TXT", type=u, default="--crt-cn cpp", help="override server-cert name")
ap2.add_argument("--crt-back", metavar="HRS", type=float, default=72, help="backdate in hours") ap2.add_argument("--crt-back", metavar="HRS", type=float, default=72, help="backdate in hours")
ap2.add_argument("--crt-alg", metavar="S-N", type=u, default="ecdsa-256", help="algorithm and keysize; one of these: ecdsa-256 rsa-4096 rsa-2048") ap2.add_argument("--crt-alg", metavar="S-N", type=u, default="ecdsa-256", help="algorithm and keysize; one of these: ecdsa-256 rsa-4096 rsa-2048")
@ -1282,6 +1283,7 @@ def main(argv: Optional[list[str]] = None) -> None:
configure_ssl_ciphers(al) configure_ssl_ciphers(al)
else: else:
warn("ssl module does not exist; cannot enable https") warn("ssl module does not exist; cannot enable https")
al.http_only = True
if PY2 and WINDOWS and al.e2d: if PY2 and WINDOWS and al.e2d:
warn( warn(

15
copyparty/cert.py
View file

@ -9,13 +9,6 @@ import calendar
from .util import runcmd, Netdev from .util import runcmd, Netdev
try:
HAVE_SSL = True
import ssl
except:
HAVE_SSL = False
HAVE_CFSSL = True HAVE_CFSSL = True
@ -124,8 +117,12 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
if not args.crt_noip: if not args.crt_noip:
for ip in netdevs.keys(): for ip in netdevs.keys():
names.append(ip.split("/")[0]) names.append(ip.split("/")[0])
if args.crt_nolo:
names = [x for x in names if x not in ("localhost", "127.0.0.1", "::1")]
if not names: if not names:
names = ["127.0.0.1"] names = ["127.0.0.1"]
if "127.0.0.1" in names or "::1" in names:
names.append("localhost")
names = list({x: 1 for x in names}.keys()) names = list({x: 1 for x in names}.keys())
try: try:
@ -158,7 +155,7 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
with open(os.path.join(args.crt_dir, "cfssl.json"), "wb") as f: with open(os.path.join(args.crt_dir, "cfssl.json"), "wb") as f:
f.write(json.dumps(cfg).encode("utf-8")) f.write(json.dumps(cfg).encode("utf-8"))
cn = args.crt_cnc.replace("--crt-cn", args.crt_cn) cn = args.crt_cns.replace("--crt-cn", args.crt_cn)
algo, ksz = args.crt_alg.split("-") algo, ksz = args.crt_alg.split("-")
req = { req = {
"key": {"algo": algo, "size": int(ksz)}, "key": {"algo": algo, "size": int(ksz)},
@ -200,7 +197,7 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
def gencert(log: "RootLogger", args, netdevs: dict[str, Netdev]): def gencert(log: "RootLogger", args, netdevs: dict[str, Netdev]):
global HAVE_CFSSL global HAVE_CFSSL
if not HAVE_SSL or args.http_only: if args.http_only:
return return
if args.no_crt or not HAVE_CFSSL: if args.no_crt or not HAVE_CFSSL:

13
copyparty/httpconn.py
View file

@ -8,12 +8,6 @@ import socket
import threading # typechk import threading # typechk
import time import time
try:
HAVE_SSL = True
import ssl
except:
HAVE_SSL = False
from . import util as Util from . import util as Util
from .__init__ import TYPE_CHECKING, EnvParams from .__init__ import TYPE_CHECKING, EnvParams
from .authsrv import AuthSrv # typechk from .authsrv import AuthSrv # typechk
@ -54,7 +48,6 @@ class HttpConn(object):
self.args: argparse.Namespace = hsrv.args # mypy404 self.args: argparse.Namespace = hsrv.args # mypy404
self.E: EnvParams = self.args.E self.E: EnvParams = self.args.E
self.asrv: AuthSrv = hsrv.asrv # mypy404 self.asrv: AuthSrv = hsrv.asrv # mypy404
self.cert_path = hsrv.cert_path
self.u2fh: Util.FHC = hsrv.u2fh # mypy404 self.u2fh: Util.FHC = hsrv.u2fh # mypy404
self.iphash: HMaccas = hsrv.broker.iphash self.iphash: HMaccas = hsrv.broker.iphash
self.bans: dict[str, int] = hsrv.bans self.bans: dict[str, int] = hsrv.bans
@ -114,7 +107,7 @@ class HttpConn(object):
def _detect_https(self) -> bool: def _detect_https(self) -> bool:
method = None method = None
if self.cert_path: if True:
try: try:
method = self.s.recv(4, socket.MSG_PEEK) method = self.s.recv(4, socket.MSG_PEEK)
except socket.timeout: except socket.timeout:
@ -148,7 +141,7 @@ class HttpConn(object):
self.sr = None self.sr = None
if self.args.https_only: if self.args.https_only:
is_https = True is_https = True
elif self.args.http_only or not HAVE_SSL: elif self.args.http_only:
is_https = False is_https = False
else: else:
# raise Exception("asdf") # raise Exception("asdf")
@ -162,7 +155,7 @@ class HttpConn(object):
self.log_src = self.log_src.replace("[36m", "[35m") self.log_src = self.log_src.replace("[36m", "[35m")
try: try:
ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ctx.load_cert_chain(self.cert_path) ctx.load_cert_chain(self.args.cert)
if self.args.ssl_ver: if self.args.ssl_ver:
ctx.options &= ~self.args.ssl_flags_en ctx.options &= ~self.args.ssl_flags_en
ctx.options |= self.args.ssl_flags_de ctx.options |= self.args.ssl_flags_de

6
copyparty/httpsrv.py
View file

@ -148,12 +148,6 @@ class HttpSrv(object):
self.ssdp = SSDPr(broker) self.ssdp = SSDPr(broker)
cert_path = self.args.cert
if bos.path.exists(cert_path):
self.cert_path = cert_path
else:
self.cert_path = ""
if self.tp_q: if self.tp_q:
self.start_threads(4) self.start_threads(4)