def seed_rnd(): # Some platforms lack kernel supported random numbers, on those we have to explicitly seed the RNG. # using a fixed RND input does not matter as we are not protecting real data in this test program. try: import base64 import socket import ssl rnd = base64.decodestring( """k/zFvqjGWdhStmhfOeTNtTs89P8soknF1J9kSQrz8hKdrjIutqTXMfIqCNUb7DXrMykMW+wKd1Pg DwaUwxKmlaU1ItOek+jNUWVw9ZOSI1EmsXVgu+Hu7URgmeyY0A3WsDmMzR0Z2wTcRFSuINgBP8LC 8SG27gJZVOoVv09pfY9WyjvUYwg1jBdTfEM+qcDQKOACx4DH+SzO0bOOJMfMbR2iFaq18b/TCeQN kRy9Lz2WvBsByQoXw/afxiu5xzn0MHoxTMCZCTjIyhGXzO/R2yj3eBVc5vxc5oxG3/EdjGnhmn/L HEFVgc6EJ5OF1ye8hDIHFdZFehCAPbso3LL/3r8oJn+Axmc2sOrvhzMLpCV2KWdy8haiv3WZ9hZP iJkC0pGBR+vhrdYE7qh2RzcdYoHRCvX5tpaOG+SE8+Az2WPHPOD7j4j+4KbhW+YbzYfUAsmwOQb4 R3vIyGO6Og4fg+AmKcycpv9Bo17zidbQe9zdZO6X4Df+ychK+yRSCMHLUyrEry7IFt60ivLAjc8b Ladp70v7icWO+J9P/3pXIzKuQuaeT7J1q2xlCc/srV2pNV4+EhKJ8qSe+hG4LzpXWRGKo72h6BvL Wgcp3S/wy1e6ov8XsVKjkWeQH8Nh3xOMWGYh6/yXSN44BLIBUdqk4I3TCKy1DawJQd1ivytEF0Xh BstGzSoyeR92mN/K5/gy9wKFZffTbE7DmysKflRAN85ht7IVqxrTNXQ+UPWvlGZDAQ0NY45rQI3K S1q0ahQivgGUZmEhuZkAUlYGWAqtCeDz3rZvrp5r2WJFGTZ+9yJZC5T2L+erDGBYxmcwxDzz8AvS Ybp4aIBEtTK71cx9DtFTtSaQ6aW9rI5nc/owo0gv4Ddm5BYjMAd7kcc9TWnb1DZ9AJQAnSxgcuJM acbYkFcqtMnafh/VnGekZ8yM0ZZqQPKBhysx+u2UBXib7Vvb6x6Y/xglNcqBWGFmzruKt6hx0pR2 x9IunzeIwdlcwIhLEKfIiy9ULwi7RTjVSeqgwucWoC0lw0BTotGeLDcFxTlQsE3T/UneLa8H6iSH VW5iRZrvI0sdxt5Ud0TjNqXRGxuVczSuwpQwwxBn0ogr9DoRnp375PwGGh1/yqimW/+OStwP3cRR yXEg6Zq1CvuYF/E6el4h9GylxkU7wEM2Ti9QJY4n3YsHyesalERqdd9xx5t7ADRodpMpZXoZGbrS vccp3zMzS/aEZRuxky1/qjrAEh8OVA58e82jQqTdY8OQ/kKOu/gUgKBnHAvLkB/020p0CNbq6HjY l625DLckaYmOPTh0ECFKzhaPF+/LNmzD36ToOAeuNjfbUjiUVGfntr2mc4E8mUFyo+TskrkSfw== """.encode()) ssl.RAND_add(rnd, 1024) if not ssl.RAND_status(): raise "PRNG not seeded" except ImportError: return
def process_request(self, request, client_address): try: return super().process_request(request, client_address) finally: # Modify OpenSSL's RNG state, in case process forked # See https://docs.python.org/3.7/library/ssl.html#multi-processing ssl.RAND_add(os.urandom(8), 0.0)
def _build_ssl_options(self): '''Create the SSL options. The options must be accepted by the `ssl` module. Returns: dict ''' ssl_options = {} if self._args.check_certificate: ssl_options['cert_reqs'] = ssl.CERT_REQUIRED ssl_options['ca_certs'] = self._load_ca_certs() else: ssl_options['cert_reqs'] = ssl.CERT_NONE ssl_options['ssl_version'] = self._args.secure_protocol if self._args.certificate: ssl_options['certfile'] = self._args.certificate ssl_options['keyfile'] = self._args.private_key if self._args.edg_file: ssl.RAND_egd(self._args.edg_file) if self._args.random_file: with open(self._args.random_file, 'rb') as in_file: # Use 16KB because Wget ssl.RAND_add(in_file.read(15360), 0.0) return ssl_options
def seed_rnd(): # Some platforms lack kernel supported random numbers, on those we have to explicitly seed the RNG. # using a fixed RND input does not matter as we are not protecting real data in this test program. try: import socket import ssl rnd = get_seed_input() ssl.RAND_add(rnd, 1024) if not ssl.RAND_status(): raise "PRNG not seeded" except ImportError: return
def testRAND(self): v = ssl.RAND_status() if support.verbose: sys.stdout.write("\n RAND_status is %d (%s)\n" % (v, (v and "sufficient randomness") or "insufficient randomness")) try: ssl.RAND_egd(1) except TypeError: pass else: print("didn't raise TypeError") ssl.RAND_add("this is a random string", 75.0)
def _build_ssl_context(cls, session: AppSession) -> ssl.SSLContext: '''Create the SSL options. The options must be accepted by the `ssl` module. ''' args = session.args # Logic is based on tornado.netutil.ssl_options_to_context ssl_context = ssl.SSLContext(args.secure_protocol) if args.check_certificate: ssl_context.verify_mode = ssl.CERT_REQUIRED cls._load_ca_certs(session) ssl_context.load_verify_locations(session.ca_certs_filename) else: ssl_context.verify_mode = ssl.CERT_NONE if args.strong_crypto: ssl_context.options |= ssl.OP_NO_SSLv2 ssl_context.options |= ssl.OP_NO_SSLv3 # POODLE if hasattr(ssl, 'OP_NO_COMPRESSION'): ssl_context.options |= ssl.OP_NO_COMPRESSION # CRIME else: _logger.warning(_('Unable to disable TLS compression.')) if args.certificate: ssl_context.load_cert_chain(args.certificate, args.private_key) if args.edg_file: ssl.RAND_egd(args.edg_file) if args.random_file: with open(args.random_file, 'rb') as in_file: # Use 16KB because Wget ssl.RAND_add(in_file.read(15360), 0.0) return ssl_context
def randomize_ssl_after_fork(): ssl.RAND_add(ssl.RAND_bytes(10), 0.0)
def main(): ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) ctx.load_cert_chain(certfile=ssl_cert, keyfile=ssl_key) socket.setdefaulttimeout(timeout) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) try: s.bind((address, port)) except socket.error as msg: print('Bind failed. Error Code : %s Message: %s' % (str(msg[0]), msg[1])) sys.exit() #Start listening on socket s.listen() kids = [] try: # main loop while 1: #wait to accept a connection - blocking call try: conn, addr = s.accept() except socket.timeout: try: pid, status = os.waitpid(-1, os.WNOHANG) if pid != 0: print("remove pid", pid) kids.remove(pid) continue except ChildProcessError: continue except: raise if verbose: print('{} Connection from {}:{}'.format( datetime.datetime.now(), addr[0], addr[1])) conn = ctx.wrap_socket(conn, server_side=True) while (len(kids) > max_kids): pid, status = os.waitpid(0, 0) kids.remove(pid) pid = os.fork() if pid == 0: ssl.RAND_add(os.urandom(16), 0.0) try: ratelimit(conn) except: print("fail") raise finally: try: conn.shutdown(socket.SHUT_RDWR) except OSError: pass conn.close() sys.exit(0) else: kids.append(pid) try: pid, status = os.waitpid(-1, os.WNOHANG) if pid != 0: kids.remove(pid) except ChildProcessError: pass except KeyboardInterrupt: pass s.close()
def update_event(self, inp=-1): self.set_output_val(0, ssl.RAND_add(self.input(0), self.input(1)))