def seed_rnd():
# Some platforms lack kernel supported random numbers, on those we have to explicitly seed the RNG.
# using a fixed RND input does not matter as we are not protecting real data in this test program.
try:
import base64
import socket
import ssl
rnd = base64.decodestring(
"""k/zFvqjGWdhStmhfOeTNtTs89P8soknF1J9kSQrz8hKdrjIutqTXMfIqCNUb7DXrMykMW+wKd1Pg
DwaUwxKmlaU1ItOek+jNUWVw9ZOSI1EmsXVgu+Hu7URgmeyY0A3WsDmMzR0Z2wTcRFSuINgBP8LC
8SG27gJZVOoVv09pfY9WyjvUYwg1jBdTfEM+qcDQKOACx4DH+SzO0bOOJMfMbR2iFaq18b/TCeQN
kRy9Lz2WvBsByQoXw/afxiu5xzn0MHoxTMCZCTjIyhGXzO/R2yj3eBVc5vxc5oxG3/EdjGnhmn/L
HEFVgc6EJ5OF1ye8hDIHFdZFehCAPbso3LL/3r8oJn+Axmc2sOrvhzMLpCV2KWdy8haiv3WZ9hZP
iJkC0pGBR+vhrdYE7qh2RzcdYoHRCvX5tpaOG+SE8+Az2WPHPOD7j4j+4KbhW+YbzYfUAsmwOQb4
R3vIyGO6Og4fg+AmKcycpv9Bo17zidbQe9zdZO6X4Df+ychK+yRSCMHLUyrEry7IFt60ivLAjc8b
Ladp70v7icWO+J9P/3pXIzKuQuaeT7J1q2xlCc/srV2pNV4+EhKJ8qSe+hG4LzpXWRGKo72h6BvL
Wgcp3S/wy1e6ov8XsVKjkWeQH8Nh3xOMWGYh6/yXSN44BLIBUdqk4I3TCKy1DawJQd1ivytEF0Xh
BstGzSoyeR92mN/K5/gy9wKFZffTbE7DmysKflRAN85ht7IVqxrTNXQ+UPWvlGZDAQ0NY45rQI3K
S1q0ahQivgGUZmEhuZkAUlYGWAqtCeDz3rZvrp5r2WJFGTZ+9yJZC5T2L+erDGBYxmcwxDzz8AvS
Ybp4aIBEtTK71cx9DtFTtSaQ6aW9rI5nc/owo0gv4Ddm5BYjMAd7kcc9TWnb1DZ9AJQAnSxgcuJM
acbYkFcqtMnafh/VnGekZ8yM0ZZqQPKBhysx+u2UBXib7Vvb6x6Y/xglNcqBWGFmzruKt6hx0pR2
x9IunzeIwdlcwIhLEKfIiy9ULwi7RTjVSeqgwucWoC0lw0BTotGeLDcFxTlQsE3T/UneLa8H6iSH
VW5iRZrvI0sdxt5Ud0TjNqXRGxuVczSuwpQwwxBn0ogr9DoRnp375PwGGh1/yqimW/+OStwP3cRR
yXEg6Zq1CvuYF/E6el4h9GylxkU7wEM2Ti9QJY4n3YsHyesalERqdd9xx5t7ADRodpMpZXoZGbrS
vccp3zMzS/aEZRuxky1/qjrAEh8OVA58e82jQqTdY8OQ/kKOu/gUgKBnHAvLkB/020p0CNbq6HjY
l625DLckaYmOPTh0ECFKzhaPF+/LNmzD36ToOAeuNjfbUjiUVGfntr2mc4E8mUFyo+TskrkSfw==
""".encode())
ssl.RAND_add(rnd, 1024)
if not ssl.RAND_status():
raise "PRNG not seeded"
except ImportError:
return
def process_request(self, request, client_address):
try:
return super().process_request(request, client_address)
finally:
# Modify OpenSSL's RNG state, in case process forked
# See https://docs.python.org/3.7/library/ssl.html#multi-processing
ssl.RAND_add(os.urandom(8), 0.0)
def _build_ssl_options(self):
'''Create the SSL options.
The options must be accepted by the `ssl` module.
Returns:
dict
'''
ssl_options = {}
if self._args.check_certificate:
ssl_options['cert_reqs'] = ssl.CERT_REQUIRED
ssl_options['ca_certs'] = self._load_ca_certs()
else:
ssl_options['cert_reqs'] = ssl.CERT_NONE
ssl_options['ssl_version'] = self._args.secure_protocol
if self._args.certificate:
ssl_options['certfile'] = self._args.certificate
ssl_options['keyfile'] = self._args.private_key
if self._args.edg_file:
ssl.RAND_egd(self._args.edg_file)
if self._args.random_file:
with open(self._args.random_file, 'rb') as in_file:
# Use 16KB because Wget
ssl.RAND_add(in_file.read(15360), 0.0)
return ssl_options
def seed_rnd():
# Some platforms lack kernel supported random numbers, on those we have to explicitly seed the RNG.
# using a fixed RND input does not matter as we are not protecting real data in this test program.
try:
import socket
import ssl
rnd = get_seed_input()
ssl.RAND_add(rnd, 1024)
if not ssl.RAND_status():
raise "PRNG not seeded"
except ImportError:
return
def testRAND(self):
v = ssl.RAND_status()
if support.verbose:
sys.stdout.write("\n RAND_status is %d (%s)\n"
% (v, (v and "sufficient randomness") or
"insufficient randomness"))
try:
ssl.RAND_egd(1)
except TypeError:
pass
else:
print("didn't raise TypeError")
ssl.RAND_add("this is a random string", 75.0)
def _build_ssl_context(cls, session: AppSession) -> ssl.SSLContext:
'''Create the SSL options.
The options must be accepted by the `ssl` module.
'''
args = session.args
# Logic is based on tornado.netutil.ssl_options_to_context
ssl_context = ssl.SSLContext(args.secure_protocol)
if args.check_certificate:
ssl_context.verify_mode = ssl.CERT_REQUIRED
cls._load_ca_certs(session)
ssl_context.load_verify_locations(session.ca_certs_filename)
else:
ssl_context.verify_mode = ssl.CERT_NONE
if args.strong_crypto:
ssl_context.options |= ssl.OP_NO_SSLv2
ssl_context.options |= ssl.OP_NO_SSLv3 # POODLE
if hasattr(ssl, 'OP_NO_COMPRESSION'):
ssl_context.options |= ssl.OP_NO_COMPRESSION # CRIME
else:
_logger.warning(_('Unable to disable TLS compression.'))
if args.certificate:
ssl_context.load_cert_chain(args.certificate, args.private_key)
if args.edg_file:
ssl.RAND_egd(args.edg_file)
if args.random_file:
with open(args.random_file, 'rb') as in_file:
# Use 16KB because Wget
ssl.RAND_add(in_file.read(15360), 0.0)
return ssl_context
def randomize_ssl_after_fork():
ssl.RAND_add(ssl.RAND_bytes(10), 0.0)
def main():
ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ctx.load_cert_chain(certfile=ssl_cert, keyfile=ssl_key)
socket.setdefaulttimeout(timeout)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
try:
s.bind((address, port))
except socket.error as msg:
print('Bind failed. Error Code : %s Message: %s' %
(str(msg[0]), msg[1]))
sys.exit()
#Start listening on socket
s.listen()
kids = []
try:
# main loop
while 1:
#wait to accept a connection - blocking call
try:
conn, addr = s.accept()
except socket.timeout:
try:
pid, status = os.waitpid(-1, os.WNOHANG)
if pid != 0:
print("remove pid", pid)
kids.remove(pid)
continue
except ChildProcessError:
continue
except:
raise
if verbose:
print('{} Connection from {}:{}'.format(
datetime.datetime.now(), addr[0], addr[1]))
conn = ctx.wrap_socket(conn, server_side=True)
while (len(kids) > max_kids):
pid, status = os.waitpid(0, 0)
kids.remove(pid)
pid = os.fork()
if pid == 0:
ssl.RAND_add(os.urandom(16), 0.0)
try:
ratelimit(conn)
except:
print("fail")
raise
finally:
try:
conn.shutdown(socket.SHUT_RDWR)
except OSError:
pass
conn.close()
sys.exit(0)
else:
kids.append(pid)
try:
pid, status = os.waitpid(-1, os.WNOHANG)
if pid != 0:
kids.remove(pid)
except ChildProcessError:
pass
except KeyboardInterrupt:
pass
s.close()
def update_event(self, inp=-1):
self.set_output_val(0, ssl.RAND_add(self.input(0), self.input(1)))
