def main():
"""
The main routine of this program.
"""
global venueServer, log
import threading
M2Crypto_threading.init()
# Init toolkit with standard environment.
app = Service.instance()
# build options for this application
portOption = Option("-p", "--port", type="int", dest="port",
default=8000, metavar="PORT",
help="Set the port the service manager should run on.")
app.AddCmdLineOption(portOption)
# set default options
app.SetCmdLineDefault('secure',1)
# Try to initialize
try:
args = app.Initialize("VenueServer")
except MissingDependencyError, e:
print "Toolkit Initialization failed, exiting."
print " Initialization Error: Missing Dependency: ", e
sys.exit(-1)
def main():
"""
The main routine of this program.
"""
global venueServer, log
import threading
M2Crypto_threading.init()
# Init toolkit with standard environment.
app = Service.instance()
# build options for this application
portOption = Option("-p",
"--port",
type="int",
dest="port",
default=8000,
metavar="PORT",
help="Set the port the service manager should run on.")
app.AddCmdLineOption(portOption)
# set default options
app.SetCmdLineDefault('secure', 1)
# Try to initialize
try:
args = app.Initialize("VenueServer")
except MissingDependencyError, e:
print "Toolkit Initialization failed, exiting."
print " Initialization Error: Missing Dependency: ", e
sys.exit(-1)
def startup(profileDir):
"""
Initialize the cryptographic services before doing any other
cryptographic operations.
@param profileDir: The profile directory. Additional entropy will be loaded
from a file in this directory. It is not a fatal error
if the file does not exist.
"""
m2threading.init()
Rand.load_file(_randpoolPath(profileDir), -1)
def startup(profileDir):
"""
Initialize the cryptographic services before doing any other
cryptographic operations.
@param profileDir: The profile directory. Additional entropy will be loaded
from a file in this directory. It is not a fatal error
if the file does not exist.
"""
m2threading.init()
Rand.load_file(_randpoolPath(profileDir), -1)
def main(args):
parser = optparse.OptionParser()
# Generate CA mode
parser.add_option("-a", "--new-ca", action="store_true",
help="Generate a self-sign CA certificate")
parser.add_option("-s", "--self-sign", action="store_true",
help="Generate a self-sign client certificate")
parser.add_option("-n", "--new-client", action="store_true",
help="Generate a signed client certificate")
# Generate client mode
parser.add_option("-c", "--ca-cert", help="Path to the CA certificate")
parser.add_option("-C", "--ca-key",
help="Path to the CA's key, if not stored with the certificate")
# Options
parser.add_option("-o", "--output", metavar="FILE",
help="Write the new certificate to FILE")
parser.add_option("-O", "--output-key", metavar="FILE",
help="Write the new key to FILE (default: same as certificate)")
parser.add_option("-L", "--key-length", metavar="BITS", type="int",
help="Generate keys of size BITS")
parser.add_option("-e", "--expiry", type="int",
help="Certificate expires after this many days")
parser.add_option("--site-user",
help="Add a site-user altSubjectName field")
for field in ('C', 'ST', 'L', 'O', 'OU', 'CN'):
parser.add_option("--" + field, help="Add to the subject's name")
parser.add_option("-i", "--index-file", metavar="FILE",
help="File to use as the serial index")
parser.set_defaults(key_length=2048, expiry=7, index_file='index.txt')
options, args = parser.parse_args(args)
if args:
print "Unexpected argument"
parser.print_help()
return 1
m2threading.init()
if options.new_ca:
return new_ca(options)
elif options.self_sign:
return new_ca(options, False)
elif options.new_client:
return new_client(options)
else:
print "Must specify a command, one of -a -s -n"
parser.print_help()
return 1
def __init__(self, *args, **kwargs):
""" Create an SSLTransport object, parameters are the same
as for other transports. If ctx is specified (as an instance of
SSL.Context) then use that rather than creating a new context.
kwargs can contain all the parameters defined in BaseClient,
in particular timeout
"""
# The thread init of M2Crypto is not really thread safe.
# So we put it a second time
M2Threading.init()
self.remoteAddress = None
self.peerCredentials = {}
# The timeout used here is different from what it was in pyGSI.
# It is to be understood here as the timeout for socket operations
# involved in the RPC call, but NOT the establishment of the connection,
# for which there is a different timeout.
#
# The timeout management of pyGSI was a bit off.
# This is proven by that type of trace (look at the timestamp):
#
# 2020-07-16 09:48:55 UTC dirac-proxy-init [140013698656064] DEBUG: Connection timeout set to: 1
# 2020-07-16 09:58:55 UTC dirac-proxy-init [140013698656064] WARN: Issue getting socket:
#
self.__timeout = kwargs.get(SSLTransport.KW_TIMEOUT,
DEFAULT_RPC_TIMEOUT)
self.__locked = False # We don't support locking, so this is always false.
# If not specified in the arguments (never is in DIRAC code...)
# and we are setting up a server listing connection, set the accepted
# ssl methods and ciphers
if kwargs.get('bServerMode'):
if 'sslMethods' not in kwargs:
kwargs['sslMethods'] = os.environ.get(
'DIRAC_M2CRYPTO_SSL_METHODS')
if 'sslCiphers' not in kwargs:
kwargs['sslCiphers'] = os.environ.get(
'DIRAC_M2CRYPTO_SSL_CIPHERS')
self.__ctx = kwargs.pop('ctx', None)
if not self.__ctx:
self.__ctx = getM2SSLContext(**kwargs)
# Note that kwargs is already kept in BaseTransport
# as self.extraArgsDict, but at least I am sure that
# self.__kwargs will never be modified
self.__kwargs = kwargs
BaseTransport.__init__(self, *args, **kwargs)
def main():
import wx
log = None
signal.signal(signal.SIGINT, SignalHandler)
signal.signal(signal.SIGTERM, SignalHandler)
m2threading.init()
# Init the toolkit with the standard environment.
app = WXGUIApplication()
# build options for this application
portOption = Option("-p",
"--port",
type="int",
dest="port",
default=0,
metavar="PORT",
help="Set the port the venueclient control interface\
should listen on.")
app.AddCmdLineOption(portOption)
pnodeOption = Option(
"--personalNode",
type="int",
dest="pnode",
default=None,
help="Run NodeService and ServiceManager with the client.")
app.AddCmdLineOption(pnodeOption)
urlOption = Option("--url",
type="string",
dest="url",
default="",
metavar="URL",
help="URL of venue to enter on startup.")
app.AddCmdLineOption(urlOption)
# Try to initialize
try:
args = app.Initialize("VenueClient")
except MissingDependencyError, e:
if e.args[0] == 'SSL':
msg = "The installed version of Python has no SSL support. Check that you\n"\
"have installed Python from python.org, or ensure SSL support by\n"\
"some other means."
else:
msg = "The following dependency software is required, but not available:\n\t%s\n"\
"Please satisfy this dependency and restart the software"
msg = msg % e.args[0]
MessageDialog(None, msg, "Initialization Error", style=wx.ICON_ERROR)
sys.exit(-1)
def __init__(self, handler, host='localhost', port=8000):
threading.init()
Rand.load_file('../randpool.dat', -1)
ctx=echod_lib.init_context('sslv3','server.pem', 'ca.pem',
SSL.verify_peer)
ctx.set_tmp_dh('dh1024.pem')
config = Config()
server = TCPServer.__connection(self, host, port)
while 1:
server.OpenConnection()
server.HandleConnection(handler,config.config,ctx)
server.CloseConnection()
Rand.save_file('../randpool.dat')
threading.cleanup()
def __init__(self, server_address, RequestHandlerClass,
ssl_context=None, request_queue_size=None,
ssl_certificate=None):
# This overrides the implementation of __init__ in python's
# SocketServer.TCPServer (which BaseHTTPServer.HTTPServer
# does not override, thankfully).
httpserver.HTTPServer.__init__(self, server_address, RequestHandlerClass)
self.socket = socket.socket(self.address_family,
self.socket_type)
self.ssl_context = ssl_context
self.ssl_certificate = ssl_certificate
self.static_ssl_environ = {}
self.stack_cache = dict()
if ssl_context:
assert ssl_certificate
m2_threading.init()
self.socket = SSL.Connection(ssl_context, self.socket)
self.ssl_context.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert,
20, self.verify_callback)
# pylint: disable-msg=W0511
# XXX: better to use X509_VERIFY_PARAM_set_flags on ctx->param
os.environ['OPENSSL_ALLOW_PROXY_CERTS'] = '1'
ssl_environ = {
"wsgi.url_scheme": "https",
"HTTPS": "on",
"SSL_SERVER_M_VERSION": ssl_certificate.get_version(),
"SSL_SERVER_M_SERIAL": ssl_certificate.get_serial_number(),
"SSL_SERVER_V_START": ssl_certificate.get_not_before().get_datetime().strftime("%c %Z"),
"SSL_SERVER_V_END": ssl_certificate.get_not_after().get_datetime().strftime("%c %Z")
}
for prefix, dn in [("I", ssl_certificate.get_issuer()),
("S", ssl_certificate.get_subject())]:
wsgikey = 'SSL_SERVER_%s_DN' % prefix
ssl_environ[wsgikey] = str(dn)
for name_entry in dn:
wsgikey = 'SSL_SERVER_%s_DN_%s' % (prefix,
name_entry.get_object().get_sn())
ssl_environ[wsgikey] = name_entry.get_data().as_text()
self.static_ssl_environ.update(ssl_environ)
self.server_bind()
if request_queue_size:
self.socket.listen(request_queue_size)
self.server_activate()
def RunClient(*args, **kw):
m2threading.init()
id = kw['id']
venueUri = kw['url']
app = kw['app']
iter = app.GetOption("rt")
verbose = kw['verbose']
profile = ClientProfile()
profile.name = "Test Client %s" % id
profile.publicId = str(GUID())
client = MyVenueClient(profile, app)
for i in range(iter):
try:
if verbose:
print "Entering Venue: %s" % venueUri
ret = client.EnterVenue(venueUri)
if ret:
print '** EnterVenue ret = ', ret
print "Client %d Entered %s %d times" % (id, venueUri,i)
except:
print traceback.print_exc()
continue
if verbose:
client.PrintVenueState()
# Pick next one
if client.venueState is not None:
exits = client.venueState.connections.values()
if len(exits):
next_index = random.randint(0, len(exits)-1)
venueUri = exits[next_index].uri
try:
time.sleep(1)
client.ExitVenue()
if verbose:
print "Exited venue !"
except:
print traceback.print_exc()
client.Shutdown()
m2threading.cleanup()
def RunClient(*args, **kw):
m2threading.init()
id = kw["id"]
venueUri = kw["url"]
app = kw["app"]
iter = app.GetOption("rt")
verbose = kw["verbose"]
profile = ClientProfile()
profile.name = "Test Client %s" % id
profile.publicId = str(GUID())
client = MyVenueClient(profile, app)
for i in range(iter):
try:
if verbose:
print "Entering Venue: %s" % venueUri
ret = client.EnterVenue(venueUri)
if ret:
print "** EnterVenue ret = ", ret
print "Client %d Entered %s %d times" % (id, venueUri, i)
except:
print traceback.print_exc()
continue
if verbose:
client.PrintVenueState()
# Pick next one
if client.venueState is not None:
exits = client.venueState.connections.values()
if len(exits):
next_index = random.randint(0, len(exits) - 1)
venueUri = exits[next_index].uri
try:
time.sleep(1)
client.ExitVenue()
if verbose:
print "Exited venue !"
except:
print traceback.print_exc()
client.Shutdown()
m2threading.cleanup()
def main():
import wx
log = None
signal.signal(signal.SIGINT, SignalHandler)
signal.signal(signal.SIGTERM, SignalHandler)
m2threading.init()
# Init the toolkit with the standard environment.
app = WXGUIApplication()
# build options for this application
portOption = Option("-p", "--port", type="int", dest="port",
default=0, metavar="PORT",
help="Set the port the venueclient control interface\
should listen on.")
app.AddCmdLineOption(portOption)
pnodeOption = Option("--personalNode", type="int", dest="pnode",
default=None,
help="Run NodeService and ServiceManager with the client.")
app.AddCmdLineOption(pnodeOption)
urlOption = Option("--url", type="string", dest="url",
default="", metavar="URL",
help="URL of venue to enter on startup.")
app.AddCmdLineOption(urlOption)
# Try to initialize
try:
args = app.Initialize("VenueClient")
except MissingDependencyError, e:
if e.args[0] == 'SSL':
msg = "The installed version of Python has no SSL support. Check that you\n"\
"have installed Python from python.org, or ensure SSL support by\n"\
"some other means."
else:
msg = "The following dependency software is required, but not available:\n\t%s\n"\
"Please satisfy this dependency and restart the software"
msg = msg % e.args[0]
MessageDialog(None,msg, "Initialization Error",
style=wx.ICON_ERROR )
sys.exit(-1)
def __init__(self, *args, **kwargs):
""" Create an SSLTransport object, parameters are the same
as for other transports. If ctx is specified (as an instance of
SSL.Context) then use that rather than creating a new context.
"""
# The thread init of M2Crypto is not really thread safe.
# So we put it a second time
M2Threading.init()
self.remoteAddress = None
self.peerCredentials = {}
self.__timeout = 1
self.__locked = False # We don't support locking, so this is always false.
self.__ctx = kwargs.pop('ctx', None)
if not self.__ctx:
self.__ctx = getM2SSLContext(**kwargs)
self.__kwargs = kwargs
BaseTransport.__init__(self, *args, **kwargs)
def init(data_dir):
"""Sets the directory in which to store crypto data/randfile
@param data_dir: path to directory
@type data_dir: string
"""
threading.init()
global get_rand
global global_cryptodir, global_randfile, global_dd, global_certpath
if None not in (global_cryptodir, global_randfile):
log.warning("Crypto already initialized with root directory: %s. Not using %s." % (global_dd, data_dir))
return
# Initialize directory structure
global_dd = data_dir
global_cryptodir = os.path.join(data_dir, 'crypto')
if not os.path.exists(data_dir):
os.mkdir(data_dir, 0700)
if not os.path.exists(global_cryptodir):
os.mkdir(global_cryptodir, 0700)
# Copy the default certificates into the user's crypto dir
global_certpath = os.path.join(global_cryptodir, 'default_certificates')
if not os.path.exists(global_certpath):
from Anomos import app_root
shutil.copytree(os.path.join(app_root, 'default_certificates'), global_certpath)
# Initialize randfile
global_randfile = os.path.join(global_cryptodir, 'randpool.dat')
if Rand.save_file(global_randfile) == 0:
raise CryptoError('Rand file not writable')
@use_rand_file
def randfunc(numBytes=32):
rb = Rand.rand_bytes(numBytes);
return rb
get_rand = randfunc
# Make Crypto objects accessible now that init has been called.
global AESKey, Certificate, PeerCert
import _AESKey, _Certificate, _PeerCert
AESKey = _AESKey.AESKey
Certificate = _Certificate.Certificate
PeerCert = _PeerCert.PeerCert
def test_multiInitCleanup(self):
m2threading.init()
m2threading.init()
m2threading.cleanup()
m2threading.cleanup()
m2threading.init()
m2threading.cleanup()
def test_multiInitCleanup(self):
m2threading.init()
m2threading.init()
m2threading.cleanup()
m2threading.cleanup()
m2threading.init()
m2threading.cleanup()
def setup():
m2_threading.init()
testutil.create_tmp_directory()
ssl.gen_ssl_all()
ssl.gen_ssl_node(CLIENT_NODE_NAME)
ssl.gen_ssl_node(SERVER_NODE_NAME)
def passive():
ctx = SSL.Context('sslv23')
f = ftpslib.FTP_TLS(ssl_ctx=ctx)
f.connect('127.0.0.1', 39021)
f.auth_tls()
f.set_pasv(1)
f.login('ftp', 'ngps@')
f.prot_p()
f.retrlines('LIST')
f.quit()
def active():
ctx = SSL.Context('sslv23')
f = ftpslib.FTP_TLS(ssl_ctx=ctx)
f.connect('127.0.0.1', 39021)
f.auth_tls()
f.set_pasv(0)
f.login('ftp', 'ngps@')
f.prot_p()
f.retrlines('LIST')
f.quit()
if __name__ == '__main__':
threading.init()
active()
passive()
threading.cleanup()
def setUp(self):
m2threading.init()
if verbose:
print "Exited venue !"
except:
print traceback.print_exc()
client.Shutdown()
m2threading.cleanup()
if __name__ == "__main__":
import os, sys, threading, time
from optparse import Option
from AccessGrid.Toolkit import CmdlineApplication
from AccessGrid.interfaces.VenueServer_client import VenueServerIW
from AccessGrid.ClientProfile import ClientProfile
m2threading.init()
verbose =1
random.seed(time.time())
app = CmdlineApplication()
urlOption = Option("-u", "--url", dest="url",
default="https://localhost/VenueServer",
help="URL to the venue server to test.")
app.AddCmdLineOption(urlOption)
nvcOption = Option("-n", "--num-clients", dest="nc", type="int",
default=1, help="number of clients to use.")
app.AddCmdLineOption(nvcOption)
def main(args):
parser = optparse.OptionParser()
# Generate CA mode
parser.add_option("-a",
"--new-ca",
action="store_true",
help="Generate a self-sign CA certificate")
parser.add_option("-s",
"--self-sign",
action="store_true",
help="Generate a self-sign client certificate")
parser.add_option("-n",
"--new-client",
action="store_true",
help="Generate a signed client certificate")
# Generate client mode
parser.add_option("-c", "--ca-cert", help="Path to the CA certificate")
parser.add_option(
"-C",
"--ca-key",
help="Path to the CA's key, if not stored with the certificate")
# Options
parser.add_option("-o",
"--output",
metavar="FILE",
help="Write the new certificate to FILE")
parser.add_option(
"-O",
"--output-key",
metavar="FILE",
help="Write the new key to FILE (default: same as certificate)")
parser.add_option("-L",
"--key-length",
metavar="BITS",
type="int",
help="Generate keys of size BITS")
parser.add_option("-e",
"--expiry",
type="int",
help="Certificate expires after this many days")
parser.add_option("--site-user",
help="Add a site-user altSubjectName field")
for field in ('C', 'ST', 'L', 'O', 'OU', 'CN'):
parser.add_option("--" + field, help="Add to the subject's name")
parser.add_option("-i",
"--index-file",
metavar="FILE",
help="File to use as the serial index")
parser.set_defaults(key_length=2048, expiry=7, index_file='index.txt')
options, args = parser.parse_args(args)
if args:
print "Unexpected argument"
parser.print_help()
return 1
m2threading.init()
if options.new_ca:
return new_ca(options)
elif options.self_sign:
return new_ca(options, False)
elif options.new_client:
return new_client(options)
else:
print "Must specify a command, one of -a -s -n"
parser.print_help()
return 1
while not handshake_complete:
input_token = new_sock.recv(1024)
readbio.write(input_token)
ret = self.sslbio.do_handshake()
if ret <= 0:
if not self.sslbio.should_retry() or not self.sslbio.should_read():
sys.exit("unrecoverable error in handshake - server")
else:
handshake_complete = True
output_token = writebio.read()
if output_token is not None:
new_sock.sendall(output_token)
handshake_client.join()
sock.close()
new_sock.close()
def suite():
return unittest.makeSuite(SSLTestCase)
if __name__ == '__main__':
Rand.load_file('randpool.dat', -1)
m2threading.init()
unittest.TextTestRunner().run(suite())
m2threading.cleanup()
Rand.save_file('randpool.dat')
__RCSID__ = "$Id$"
import os
import socket
from M2Crypto import SSL, threading as M2Threading
from M2Crypto.SSL.Checker import SSLVerificationError
from DIRAC.Core.Utilities.ReturnValues import S_OK, S_ERROR
from DIRAC.Core.DISET.private.Transports.BaseTransport import BaseTransport
from DIRAC.Core.DISET.private.Transports.SSL.M2Utils import getM2SSLContext, getM2PeerInfo
# TODO: For now we have to set an environment variable for proxy support in OpenSSL
# Eventually we may need to add API support for this to M2Crypto...
os.environ['OPENSSL_ALLOW_PROXY_CERTS'] = '1'
M2Threading.init()
# TODO: CRL checking should be implemented but this will require support adding
# to M2Crypto: Quite a few functions will need mapping through from OpenSSL to
# allow the CRL stack to be set on the X509 CTX used for verification.
# TODO: Log useful messages to the logger
class SSLTransport(BaseTransport):
""" SSL Transport implementaiton using the M2Crypto library. """
def __getConnection(self):
""" Helper function to get a connection object,
Tries IPv6 (AF_INET6) first, then falls back to IPv4 (AF_INET).
"""
try:
import socket
import ssl
import xmlrpclib
from vdsm.utils import (
monotonic_time,
)
from M2Crypto import SSL, X509, threading
DEFAULT_ACCEPT_TIMEOUT = 5
SOCKET_DEFAULT_TIMEOUT = socket._GLOBAL_DEFAULT_TIMEOUT
# M2Crypto.threading needs initialization.
# See https://bugzilla.redhat.com/482420
threading.init()
class SSLSocket(object):
def __init__(self, connection):
self.connection = connection
self._data = ''
def gettimeout(self):
return self.connection.socket.gettimeout()
def settimeout(self, *args, **kwargs):
settimeout = getattr(self.connection, 'settimeout',
self.connection.socket.settimeout)
return settimeout(*args, **kwargs)
def setUp(self):
m2threading.init()
