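def dataReceived(self, data):
    # type: (bytes) -> None
    """Feed bytes received from the transport into the TLS layer.

    Before TLS has been started the bytes are handed straight to the
    wrapped protocol.  Once TLS is active they are appended to the
    encrypted input buffer and the decrypt / check / encrypt cycle is
    repeated until the TLS layer yields neither plaintext nor new
    ciphertext.

    :param data: raw bytes read from the transport.
    :raises BIO.BIOError: re-raised from the TLS layer with ``args``
        rewritten to ``(verify_result, original_detail)`` so the caller
        can see the OpenSSL verification code.
    """
    if not self.tlsStarted:
        ProtocolWrapper.dataReceived(self, data)
        return
    self.encrypted += data
    try:
        while True:
            decryptedData = self._decrypt()
            # NOTE(review): _check() runs before the plaintext is handed to
            # the wrapped protocol; it is assumed to raise when the peer
            # fails verification -- confirm against its definition.
            self._check()
            encryptedData = self._encrypt()
            ProtocolWrapper.write(self, encryptedData)
            ProtocolWrapper.dataReceived(self, decryptedData)
            # Nothing left in either direction: the handshake/record
            # pump has drained for this chunk of input.
            if decryptedData == b'' and encryptedData == b'':
                break
    except BIO.BIOError as e:
        # See http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        # for the error codes returned by SSL_get_verify_result.
        # Guard e.args: an exception raised without arguments would
        # otherwise turn into an IndexError here and mask the BIOError.
        detail = e.args[0] if e.args else None
        e.args = (m2.ssl_get_verify_result(self.ssl._ptr()), detail)
        raise e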
def _check(self):
    """Run the peer-certificate checks once, after the TLS handshake completes.

    The checks are skipped until ``ssl_is_init_finished`` reports that the
    handshake is done, and they run only once (``self._validated``).  What is
    checked is driven by ``self._starttls_kwargs``:

    * ``verify`` -- when truthy, the OpenSSL chain-verification result must
      be ``X509_V_OK``, otherwise :class:`TLSVerificationError` is raised.
      When it is absent or falsy the chain result is never consulted.
    * ``check`` -- a ``(host, fingerprint)`` tuple handed to
      ``M2Crypto.SSL.Checker.Checker``.  ``host`` ``None`` means "use the
      peer name from ``self.peer[5]``", ``False`` means "skip the host name
      check", anything else is an explicit override.

    Side effects: sets ``self.peer_cert`` (an ``X509.X509`` or ``None``) and
    ``self._validated``.

    :raises TLSVerificationError: on a failed chain verification, or from
        ``_m2_check_err`` when fetching the peer certificate fails.
    """
    if self._validated or not m2.ssl_is_init_finished(self._ssl.obj):
        return
    kwargs = self._starttls_kwargs
    if kwargs.get('verify'):
        # See http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        # for the error codes returned by SSL_get_verify_result.
        if m2.ssl_get_verify_result(self._ssl.obj) != m2.X509_V_OK:
            raise TLSVerificationError('Peer certificate is not signed by a known CA')
    # NOTE(review): _m2_check_err is assumed to raise the given exception
    # type when the m2 call reports an error -- confirm against its definition.
    x509 = self._m2_check_err(m2.ssl_get_peer_cert(self._ssl.obj), TLSVerificationError)
    if x509 is not None:
        # Second argument 1: the wrapper takes ownership of the X509 pointer
        # (presumably, per the M2Crypto convention -- verify).
        self.peer_cert = X509.X509(x509, 1)
    else:
        self.peer_cert = None
    # The Checker runs when the caller asked for it or when the peer
    # presented a certificate at all; with neither, no identity check of
    # the peer happens in this method.
    if 'check' in kwargs or self.peer_cert:
        check = kwargs.get('check', (None, None))
        if check[0] is None:
            # Validate peer CN by default.
            host = self.peer[5]
        elif check[0] is False:
            # User requested to disable CN verification.
            host = None
        else:
            # User override for peer CN.
            host = check[0]
        # A bare one-element tuple means "no fingerprint pinning".
        fingerprint = check[1] if len(check) > 1 else None
        # TODO: normalize exceptions raised by Checker.
        M2Crypto.SSL.Checker.Checker(host, fingerprint)(self.peer_cert)
    # NOTE(review): the indentation of this assignment relative to the `if`
    # above is not recoverable from the collapsed source; a function-level
    # placement is assumed so a peer without checks is not re-checked on
    # every read -- confirm.
    self._validated = True
def _check(self):
    """Run the peer-certificate checks once, after the TLS handshake completes.

    Nothing happens until ``ssl_is_init_finished`` reports that the
    handshake is done, and the checks run only once (``self._validated``).
    Behaviour is driven by ``self._starttls_kwargs``:

    * ``verify`` -- when truthy, the OpenSSL chain-verification result must
      equal ``X509_V_OK`` or :class:`TLSVerificationError` is raised.  When
      absent or falsy the chain result is not consulted at all.
    * ``check`` -- a ``(host, fingerprint)`` tuple passed to
      ``M2Crypto.SSL.Checker.Checker``.  ``host`` ``None`` selects the peer
      name from ``self.peer[5]``, ``False`` disables the host name check,
      any other value is an explicit override.

    Side effects: sets ``self.peer_cert`` (an ``X509.X509`` or ``None``) and
    ``self._validated``.

    :raises TLSVerificationError: on a failed chain verification, or from
        ``_m2_check_err`` when fetching the peer certificate fails.
    """
    if self._validated or not m2.ssl_is_init_finished(self._ssl.obj):
        return
    kwargs = self._starttls_kwargs
    if kwargs.get('verify'):
        # See http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        # for the error codes returned by SSL_get_verify_result.
        if m2.ssl_get_verify_result(self._ssl.obj) != m2.X509_V_OK:
            raise TLSVerificationError(
                'Peer certificate is not signed by a known CA')
    # NOTE(review): _m2_check_err is assumed to raise the given exception
    # type when the m2 call reports an error -- confirm against its definition.
    x509 = self._m2_check_err(m2.ssl_get_peer_cert(self._ssl.obj),
                              TLSVerificationError)
    if x509 is not None:
        # Second argument 1: the wrapper takes ownership of the X509 pointer
        # (presumably, per the M2Crypto convention -- verify).
        self.peer_cert = X509.X509(x509, 1)
    else:
        self.peer_cert = None
    # The Checker runs when the caller asked for it or when the peer
    # presented a certificate; with neither, no peer identity check
    # happens in this method.
    if 'check' in kwargs or self.peer_cert:
        check = kwargs.get('check', (None, None))
        if check[0] is None:
            # Validate peer CN by default.
            host = self.peer[5]
        elif check[0] is False:
            # User requested to disable CN verification.
            host = None
        else:
            # User override for peer CN.
            host = check[0]
        # A one-element tuple means "no fingerprint pinning".
        fingerprint = check[1] if len(check) > 1 else None
        # TODO: normalize exceptions raised by Checker.
        M2Crypto.SSL.Checker.Checker(host, fingerprint)(self.peer_cert)
    # NOTE(review): the indentation of this assignment relative to the `if`
    # above is not recoverable from the collapsed source; a function-level
    # placement is assumed so a peer without checks is not re-checked on
    # every read -- confirm.
    self._validated = True
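def _clientHello(self):
    """Emit the TLS ClientHello and mark the hello as sent.

    :raises BIO.BIOError: re-raised from the TLS layer with ``args``
        rewritten to ``(verify_result, original_detail)``.
    """
    try:
        # We rely on OpenSSL implicitly starting with client hello
        # when we haven't yet established an SSL connection
        encryptedData = self._encrypt(clientHello=1)
        ProtocolWrapper.write(self, encryptedData)
        self.helloDone = 1
    except BIO.BIOError as e:
        # See http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        # for the error codes returned by SSL_get_verify_result.
        # Guard e.args: an exception raised without arguments would
        # otherwise turn into an IndexError here and mask the BIOError.
        detail = e.args[0] if e.args else None
        e.args = (m2.ssl_get_verify_result(self.ssl._ptr()), detail)
        raise e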
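def write(self, data):
    """Send bytes to the peer, encrypting them once TLS is active.

    Before TLS has been started the bytes go to the transport unchanged.

    :param data: plaintext bytes to send.
    :raises M2Crypto.BIO.BIOError: re-raised from the TLS layer with
        ``args`` rewritten to ``(verify_result, original_detail)``.
    """
    if not self.tlsStarted:
        ProtocolWrapper.write(self, data)
        return
    try:
        encryptedData = self._encrypt(data)
        ProtocolWrapper.write(self, encryptedData)
        # The first encrypted write also carries the hello; record that.
        self.helloDone = 1
    except M2Crypto.BIO.BIOError as e:
        # See http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        # for the error codes returned by SSL_get_verify_result.
        # Guard e.args: an exception raised without arguments would
        # otherwise turn into an IndexError here and mask the BIOError.
        detail = e.args[0] if e.args else None
        e.args = (m2.ssl_get_verify_result(self.ssl._ptr()), detail)
        raise e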
def get_verify_result(self):
    """Return the OpenSSL verification result code for the peer certificate.

    This is the raw ``SSL_get_verify_result`` value; compare it against
    ``m2.X509_V_OK`` to decide whether verification succeeded.
    """
    result = m2.ssl_get_verify_result(self.ssl)
    return result
def verify_ok(self):
    """Return True when the peer certificate passed OpenSSL verification."""
    verify_result = m2.ssl_get_verify_result(self.ssl)
    return verify_result == m2.X509_V_OK
def verify_ok(self):
    # type: () -> bool
    """Return True when the peer certificate passed OpenSSL verification."""
    verify_result = m2.ssl_get_verify_result(self.ssl)
    return verify_result == m2.X509_V_OK