def m2_wrap_socket(sock, ssl_options, server_hostname=None, **kwargs):
"""Returns an ``M2Crypto.SSL.Connection`` wrapping the given socket.
``ssl_options`` may be either an `~M2Crypto.SSL.Context` object or a
dictionary (as accepted by `ssl_options_to_m2_context`).
``server_side``: Needed ! if True, initialize M2Crypto as a server
"""
# Note: do not attempt to do socket.settimeout, for it is for
# blocking sockets only
context = ssl_options_to_m2_context(ssl_options)
connection = SSL.Connection(ctx=context, sock=sock)
# Set the keep alive to True
connection.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, True)
if server_hostname:
connection.set_tlsext_host_name(server_hostname)
# Add an extra attribute to the Connection so we can test on it later
connection.server_side = kwargs.get('server_side', False)
# Hum, why do I need that?
connection.family = sock.family
# Need this for writes that are larger than BIO pair buffers
# the ssl module also sets it
m2.ssl_set_mode(connection.ssl, m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
return connection
def m2_wrap_socket(socket, ssl_options, server_hostname=None, **kwargs):
"""Returns an ``M2Crypto.SSL.Connection`` wrapping the given socket.
``ssl_options`` may be either an `~M2Crypto.SSL.Context` object or a
dictionary (as accepted by `ssl_options_to_m2_context`).
``server_side``: Needed ! if True, initialize M2Crypto as a server
"""
context = ssl_options_to_m2_context(ssl_options)
connection = SSL.Connection(ctx=context, sock=socket)
# TODO: maybe enable this ?
# if server_hostname:
# connection.set_tlsext_host_name(server_hostname)
# Add an extra attribute to the Connection so we can test on it later
connection.server_side = kwargs.get('server_side', False)
# Hum, why do I need that?
connection.family = socket.family
# Need this for writes that are larger than BIO pair buffers
# the ssl module also sets it
m2.ssl_set_mode(connection.ssl, m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
return connection
def startTLS(self, ctx):
"""
Start SSL/TLS. If this is not called, this instance just passes data
through untouched.
"""
# NOTE: This method signature must match the startTLS() method Twisted
# expects transports to have. This will be called automatically
# by Twisted in STARTTLS situations, for example with SMTP.
if self.tlsStarted:
raise Exception, 'TLS already started'
if debug:
print 'TwistedProtocolWrapper.startTLS'
self.ctx = ctx
self.internalBio = m2.bio_new(m2.bio_s_bio())
m2.bio_set_write_buf_size(self.internalBio, 0)
self.networkBio = _BioProxy(m2.bio_new(m2.bio_s_bio()))
m2.bio_set_write_buf_size(self.networkBio._ptr(), 0)
m2.bio_make_bio_pair(self.internalBio, self.networkBio._ptr())
self.sslBio = _BioProxy(m2.bio_new(m2.bio_f_ssl()))
self.ssl = _SSLProxy(m2.ssl_new(self.ctx.ctx))
if self.isClient:
m2.ssl_set_connect_state(self.ssl._ptr())
else:
m2.ssl_set_accept_state(self.ssl._ptr())
m2.ssl_set_bio(self.ssl._ptr(), self.internalBio, self.internalBio)
m2.bio_set_ssl(self.sslBio._ptr(), self.ssl._ptr(), m2.bio_noclose)
# Need this for writes that are larger than BIO pair buffers
mode = m2.ssl_get_mode(self.ssl._ptr())
m2.ssl_set_mode(self.ssl._ptr(),
mode |
m2.SSL_MODE_ENABLE_PARTIAL_WRITE |
m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
self.tlsStarted = 1
def startTLS(self, ctx):
"""
Start SSL/TLS. If this is not called, this instance just passes data
through untouched.
"""
# NOTE: This method signature must match the startTLS() method Twisted
# expects transports to have. This will be called automatically
# by Twisted in STARTTLS situations, for example with SMTP.
if self.tlsStarted:
raise Exception, 'TLS already started'
if debug:
print 'TwistedProtocolWrapper.startTLS'
self.ctx = ctx
self.internalBio = m2.bio_new(m2.bio_s_bio())
m2.bio_set_write_buf_size(self.internalBio, 0)
self.networkBio = m2.bio_new(m2.bio_s_bio())
m2.bio_set_write_buf_size(self.networkBio, 0)
m2.bio_make_bio_pair(self.internalBio, self.networkBio)
self.sslBio = _SSLBioProxy(m2.bio_new(m2.bio_f_ssl()))
self.ssl = _SSLProxy(m2.ssl_new(self.ctx.ctx))
if self.isClient:
m2.ssl_set_connect_state(self.ssl._ptr())
else:
m2.ssl_set_accept_state(self.ssl._ptr())
m2.ssl_set_bio(self.ssl._ptr(), self.internalBio, self.internalBio)
m2.bio_set_ssl(self.sslBio._ptr(), self.ssl._ptr(), m2.bio_noclose)
# Need this for writes that are larger than BIO pair buffers
mode = m2.ssl_get_mode(self.ssl._ptr())
m2.ssl_set_mode(
self.ssl._ptr(), mode | m2.SSL_MODE_ENABLE_PARTIAL_WRITE
| m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
self.tlsStarted = 1
#
# [From http://www.mail-archive.com/[email protected]/msg57297.html]
bio_internal = m2.bio_new(m2.bio_s_bio())
bio_network = m2.bio_new(m2.bio_s_bio())
self._m2_check_err(m2.bio_make_bio_pair(bio_internal, bio_network))
self._bio_network = _BIOWrapper(bio_network, self._ssl)
self._bio_ssl = _BIOWrapper(m2.bio_new(m2.bio_f_ssl()), self._ssl)
self._m2_check_err(m2.ssl_set_bio(self._ssl.obj, bio_internal, bio_internal))
self._m2_check_err(m2.bio_set_ssl(self._bio_ssl.obj, self._ssl.obj, m2.bio_noclose))
# Need this for writes that are larger than BIO pair buffers
mode = m2.ssl_get_mode(self._ssl.obj)
mode |= m2.SSL_MODE_ENABLE_PARTIAL_WRITE | m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
self._m2_check_err(m2.ssl_set_mode(self._ssl.obj, mode))
self._tls_started = True
self._starttls_kwargs = kwargs
if kwargs['client']:
self._hello()
return self._tls_ip
def starttls_client(self, **kwargs):
"""
TODO: document me.
Possible kwargs:
cert: filename to pem cert for local side
key: private key file (if None, assumes key is in cert)
bio_internal = m2.bio_new(m2.bio_s_bio())
bio_network = m2.bio_new(m2.bio_s_bio())
self._m2_check_err(m2.bio_make_bio_pair(bio_internal, bio_network))
self._bio_network = _BIOWrapper(bio_network, self._ssl)
self._bio_ssl = _BIOWrapper(m2.bio_new(m2.bio_f_ssl()), self._ssl)
self._m2_check_err(
m2.ssl_set_bio(self._ssl.obj, bio_internal, bio_internal))
self._m2_check_err(
m2.bio_set_ssl(self._bio_ssl.obj, self._ssl.obj, m2.bio_noclose))
# Need this for writes that are larger than BIO pair buffers
mode = m2.ssl_get_mode(self._ssl.obj)
mode |= m2.SSL_MODE_ENABLE_PARTIAL_WRITE | m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
self._m2_check_err(m2.ssl_set_mode(self._ssl.obj, mode))
self._tls_started = True
self._starttls_kwargs = kwargs
if kwargs['client']:
self._hello()
return self._tls_ip
def starttls_client(self, **kwargs):
"""
TODO: document me.
Possible kwargs:
cert: filename to pem cert for local side
key: private key file (if None, assumes key is in cert)
dh: filename for Diffie-Hellman parameters (only used for server)
def ssl_set_mode(self, mode):
m2.ssl_set_mode(self.ssl.ssl, mode)
