| -rw-r--r-- | CHANGELOG | 25 | ||||
| -rw-r--r-- | client/src/leap/soledad/client/__init__.py | 24 | ||||
| -rw-r--r-- | client/src/leap/soledad/client/sqlcipher.py | 5 | ||||
| -rw-r--r-- | client/src/leap/soledad/client/target.py | 3 | ||||
| -rw-r--r-- | common/MANIFEST.in | 4 | ||||
| -rw-r--r-- | common/setup.py | 5 | ||||
| -rw-r--r-- | common/src/leap/soledad/common/couch.py | 8 | ||||
| -rw-r--r-- | server/pkg/soledad | 27 | ||||
| -rw-r--r-- | server/src/leap/soledad/server/__init__.py | 5 | 
9 files changed, 77 insertions, 29 deletions
|
@@ -1,3 +1,28 @@
+0.6.5 Apr 09 2015:
+Server:
+  o Remove unneeded parameters from CouchServerState initialization. Closes
+    #6833.
+
+0.6.4 Jan 23 2015:
+Common:
+  o Bail out if cdocs/ dir does not exist. Closes: #6671
+
+0.6.3 Dec 16 2014:
+Client:
+  o Fix deferred encryption/decryption parameters (#6500).
+
+0.6.2 Dec 11 2014:
+Client:
+  o Fix incorrect ssl context setup.
+
+0.6.1 Dec 08 2014:
+Client:
+  o Use TLS v1 in soledad client. Fixes partially #6437
+
+Server:
+  o Run daemon as user soledad (#6436).
+  o Avoid use of SSLv3 (#6437).
+
 0.6.0 Jul 18, 2014:
 Client:
   o Close all connections after syncing. Fixes #5518.
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 586e3389..07255406 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -224,7 +224,7 @@ class Soledad(object):
     def __init__(self, uuid, passphrase, secrets_path, local_db_path,
                  server_url, cert_file,
-                 auth_token=None, secret_id=None, defer_encryption=False):
+                 auth_token=None, secret_id=None, defer_encryption=True):
         """
         Initialize configuration, cryptographic keys and dbs.
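Review bot: Flipping the default to `defer_encryption=True` changes behaviour for every existing caller that omits the keyword, and the `:param defer_encryption:` entry of the docstring, which lies outside this hunk, should state the new default and what deferring implies (the sqlcipher.py hunk in this commit warns that deferred decryption needs a sync db to have been created first). Callers that relied on the old behaviour now have to pass `defer_encryption=False` explicitly, which is worth a line in the docstring or the changelog entry for 0.6.3. The rest of `__init__` is outside the hunk.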
@@ -1333,9 +1333,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
             self.sock = sock
             self._tunnel()
-        self.sock = ssl.wrap_socket(sock,
-                                    ca_certs=SOLEDAD_CERT,
-                                    cert_reqs=ssl.CERT_REQUIRED)
+        highest_supported = ssl.PROTOCOL_SSLv23
+
+        try:
+            # needs python 2.7.9+
+            # negotiate the best available version,
+            # but explicitely disabled bad ones.
+            ctx = ssl.SSLContext(highest_supported)
+            ctx.options |= ssl.OP_NO_SSLv2
+            ctx.options |= ssl.OP_NO_SSLv3
+
+            ctx.load_verify_locations(cafile=SOLEDAD_CERT)
+            ctx.verify_mode = ssl.CERT_REQUIRED
+            self.sock = ctx.wrap_socket(sock)
+
+        except AttributeError:
+            self.sock = ssl.wrap_socket(
+                sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+                ssl_version=highest_supported)
+
         match_hostname(self.sock.getpeercert(), self.host)
diff --git a/client/src/leap/soledad/client/sqlcipher.py b/client/src/leap/soledad/client/sqlcipher.py
index 2df9606e..fded2119 100644
--- a/client/src/leap/soledad/client/sqlcipher.py
+++ b/client/src/leap/soledad/client/sqlcipher.py
@@ -452,6 +452,11 @@ class SQLCipherDatabase(sqlite_backend.SQLitePartialExpandDatabase):
             # XXX could mark the critical section here...
             try:
+                if defer_decryption and not self.defer_encryption:
+                    logger.warning("Can't defer decryption without first having "
+                                   "created a sync db. Falling back to normal "
+                                   "syncing mode.")
+                    defer_decryption = False
                 res = syncer.sync(autocreate=autocreate,
                                   defer_decryption=defer_decryption)
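Review bot: The `except AttributeError:` fallback still permits SSLv3: on a Python without `ssl.SSLContext` it calls the legacy `ssl.wrap_socket(...)` with `ssl_version=ssl.PROTOCOL_SSLv23`, and that API has no way to set `OP_NO_SSLv3`, so the "Avoid use of SSLv3" / "Use TLS v1" entries in the changelog only hold on 2.7.9+. Catching `AttributeError` around the whole block also means any attribute error raised inside the context path silently downgrades the connection to the weaker branch; detect the feature with `hasattr(ssl, 'SSLContext')` instead and pin `ssl.PROTOCOL_TLSv1` in the legacy branch, accepting that it cannot negotiate TLS 1.1/1.2. Separately, `ctx.wrap_socket(sock)` sends no SNI; passing `server_hostname=self.host` (where `ssl.HAS_SNI` is true) would fix that. The enclosing method begins before this hunk and its comment has a typo ("explicitely disabled" → "explicitly disable").
```python
        if hasattr(ssl, 'SSLContext'):
            # Python 2.7.9+: negotiate the highest version, refuse SSLv2/SSLv3.
            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            ctx.options |= ssl.OP_NO_SSLv2
            ctx.options |= ssl.OP_NO_SSLv3
            ctx.load_verify_locations(cafile=SOLEDAD_CERT)
            ctx.verify_mode = ssl.CERT_REQUIRED
            self.sock = ctx.wrap_socket(sock)
        else:
            # Legacy ssl.wrap_socket cannot disable SSLv3, so pin TLSv1 instead.
            self.sock = ssl.wrap_socket(
                sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
                ssl_version=ssl.PROTOCOL_TLSv1)
        # … unchanged: match_hostname check …
```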
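Review bot: The new guard tests `not self.defer_encryption` but the warning talks about a sync db not having been created, and nothing in the hunk shows that one implies the other; if that is the invariant, a comment above the `if`, such as `# the sync db is only created when deferred encryption is enabled`, would make the proxy explicit, otherwise the sync-db attribute itself should be tested. The check also sits inside the `try:` whose handler is outside the hunk; since it cannot raise, placing it before the `try` keeps the guarded region to the `syncer.sync(...)` call. The enclosing method starts before this hunk.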
diff --git a/client/src/leap/soledad/client/target.py b/client/src/leap/soledad/client/target.py
index 70e4d3a2..1eb84e64 100644
--- a/client/src/leap/soledad/client/target.py
+++ b/client/src/leap/soledad/client/target.py
@@ -28,12 +28,10 @@ import logging
 import re
 import urllib
 import threading
-import urlparse
 from collections import defaultdict
 from time import sleep
 from uuid import uuid4
-from contextlib import contextmanager
 import simplejson as json
 from taskthread import TimerTask
@@ -44,7 +42,6 @@ from u1db.remote.http_client import _encode_query_parameter, HTTPClientBase
 from zope.proxy import ProxyBase
 from zope.proxy import sameProxiedObjects, setProxiedObject
-from leap.soledad.common import soledad_assert
 from leap.soledad.common.document import SoledadDocument
 from leap.soledad.client.auth import TokenBasedAuth
 from leap.soledad.client.crypto import is_symmetrically_encrypted
diff --git a/common/MANIFEST.in b/common/MANIFEST.in
index 7f6148ef..a26a12a6 100644
--- a/common/MANIFEST.in
+++ b/common/MANIFEST.in
@@ -2,3 +2,7 @@ include pkg/*
 include versioneer.py
 include LICENSE
 include CHANGELOG
+
+# What do we want the ddocs folder in the source package for? -- kali
+# it should be enough with having the compiled stuff.
+recursive-include src/leap/soledad/common/ddocs *
diff --git a/common/setup.py b/common/setup.py
index 6ee166ef..365006b2 100644
--- a/common/setup.py
+++ b/common/setup.py
@@ -155,6 +155,11 @@ def build_ddocs_py(basedir=None, with_src=True):
         dest_prefix = join(basedir, *dest_common_path)
     ddocs_prefix = join(prefix, 'ddocs')
+
+    if not isdir(ddocs_prefix):
+        print "No ddocs/ folder, bailing out..."
+        return
+
     ddocs = {}
     # design docs are represented by subdirectories of `ddocs_prefix`
diff --git a/common/src/leap/soledad/common/couch.py b/common/src/leap/soledad/common/couch.py
index 5658f4ce..b38b5b96 100644
--- a/common/src/leap/soledad/common/couch.py
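Review bot: `isdir` is used unqualified in the new guard of `build_ddocs_py`, but nothing in the hunk shows it imported alongside `join`; confirm `from os.path import isdir` (or `os.path.isdir`) is in scope, otherwise the guard raises NameError in exactly the no-ddocs case it is meant to handle. Returning early also means the generated ddocs module is never written, so a later import of it fails with a less obvious error; saying so in the message, and sending it to stderr so it is not lost in build output, would help, e.g. `print >>sys.stderr, "No ddocs/ folder, bailing out (ddocs.py will not be generated)..."` if `sys` is imported. The enclosing function starts before this hunk.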
+++ b/common/src/leap/soledad/common/couch.py
@@ -1529,20 +1529,14 @@ class CouchServerState(ServerState):
     Inteface of the WSGI server with the CouchDB backend.
     """
-    def __init__(self, couch_url, shared_db_name, tokens_db_name):
+    def __init__(self, couch_url):
         """
         Initialize the couch server state.
         :param couch_url: The URL for the couch database.
         :type couch_url: str
-        :param shared_db_name: The name of the shared database.
-        :type shared_db_name: str
-        :param tokens_db_name: The name of the tokens database.
-        :type tokens_db_name: str
         """
         self._couch_url = couch_url
-        self._shared_db_name = shared_db_name
-        self._tokens_db_name = tokens_db_name
     def open_database(self, dbname):
         """
diff --git a/server/pkg/soledad b/server/pkg/soledad
index 841233d1..ccb3e9b0 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,6 +19,9 @@ CERT_PATH=/etc/leap/soledad-server.pem
 PRIVKEY_PATH=/etc/leap/soledad-server.key
 TWISTD_PATH=/usr/bin/twistd
 HOME=/var/lib/soledad/
+SSL_METHOD=SSLv23_METHOD
+USER=soledad
+GROUP=soledad
 [ -r /etc/default/soledad ] && . /etc/default/soledad
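Review bot: Removing the two parameters also removes the `self._shared_db_name` and `self._tokens_db_name` attributes, and the rest of `CouchServerState` (`open_database` onward) is outside this hunk, so confirm no remaining method still reads them — that would now fail with AttributeError at request time instead of at construction. The shorter signature is also not backward compatible for any other caller still passing three positional arguments; `application()` in the server is updated in this commit, but tests or other entry points are not visible here.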
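Review bot: `USER=soledad` reuses the name of the login environment variable `USER`, which the init system may already have set and which `/etc/default/soledad` (sourced right after) may override without the reader noticing; dedicated names such as `DAEMON_USER=soledad` and `DAEMON_GROUP=soledad` avoid the clash. `SSL_METHOD=SSLv23_METHOD` only selects version negotiation, and whether SSLv3 is actually refused then depends on the installed Twisted's context factory rather than on this script, so the changelog's "Avoid use of SSLv3" should be checked against the deployed Twisted; a comment beside the variable, `# negotiation method for twistd's sslmethod=; SSLv3 exclusion depends on the Twisted version`, would record that.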
@@ -27,36 +30,38 @@ test -r /etc/leap/ || exit 0
 . /lib/lsb/init-functions
-case "$1" in
+case "${1}" in
     start)
         echo -n "Starting soledad: twistd"
-          start-stop-daemon --start --quiet --exec $TWISTD_PATH -- \
-            --pidfile=$PIDFILE \
-            --logfile=$LOGFILE \
+          start-stop-daemon --start --quiet \
+            --user=${USER} --group=${GROUP} \
+            --exec ${TWISTD_PATH} -- \
+            --pidfile=${PIDFILE} \
+            --logfile=${LOGFILE} \
             web \
-            --wsgi=$OBJ \
-            --port=ssl:$HTTPS_PORT:privateKey=$PRIVKEY_PATH:certKey=$CERT_PATH
+            --wsgi=${OBJ} \
+            --port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD}
         echo "."
     ;;
     stop)
         echo -n "Stopping soledad: twistd"
         start-stop-daemon --stop --quiet  \
-            --pidfile $PIDFILE
+            --pidfile ${PIDFILE}
         echo "."
     ;;
     restart)
-        $0 stop
-        $0 start
+        ${0} stop
+        ${0} start
     ;;
     force-reload)
-        $0 restart
+        ${0} restart
     ;;
     status)
-        status_of_proc -p $PIDFILE $TWISTD_PATH soledad && exit 0 || exit $?
+        status_of_proc -p ${PIDFILE} ${TWISTD_PATH} soledad && exit 0 || exit ${?}
     ;;
     *)
diff --git a/server/src/leap/soledad/server/__init__.py b/server/src/leap/soledad/server/__init__.py
index cd006f51..adb5b561 100644
--- a/server/src/leap/soledad/server/__init__.py
+++ b/server/src/leap/soledad/server/__init__.py
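Review bot: Starting twistd with `--user=${USER} --group=${GROUP}` means `${PIDFILE}`, `${LOGFILE}` and `${HOME}` must be writable by that account and `${PRIVKEY_PATH}` readable by it, and nothing in the script creates or checks those permissions, so a wrong ownership on the key turns into a silent start failure; a readability check executed as the target user before `start-stop-daemon`, or a packaging step that gives the key group ownership `${GROUP}` instead of widening its mode, would make that explicit. The long `--port=ssl:...` argument is also unquoted, so any value overridden in `/etc/default/soledad` that contains whitespace would be split into several arguments; quoting it, `"--port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD}"`, costs nothing. The `case` block continues past the end of this hunk.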
@@ -296,10 +296,7 @@ def load_configuration(file_path):
 def application(environ, start_response):
     conf = load_configuration('/etc/leap/soledad-server.conf')
-    state = CouchServerState(
-        conf['couch_url'],
-        SoledadApp.SHARED_DB_NAME,
-        SoledadTokenAuthMiddleware.TOKENS_DB)
+    state = CouchServerState(conf['couch_url'])
     # WSGI application that may be used by `twistd -web`
     application = GzipMiddleware(
         SoledadTokenAuthMiddleware(SoledadApp(state)))
|
