def m2_wrap_socket(sock, ssl_options, server_hostname=None, **kwargs): """Returns an ``M2Crypto.SSL.Connection`` wrapping the given socket. ``ssl_options`` may be either an `~M2Crypto.SSL.Context` object or a dictionary (as accepted by `ssl_options_to_m2_context`). ``server_side``: Needed ! if True, initialize M2Crypto as a server """ # Note: do not attempt to do socket.settimeout, for it is for # blocking sockets only context = ssl_options_to_m2_context(ssl_options) connection = SSL.Connection(ctx=context, sock=sock) # Set the keep alive to True connection.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, True) if server_hostname: connection.set_tlsext_host_name(server_hostname) # Add an extra attribute to the Connection so we can test on it later connection.server_side = kwargs.get('server_side', False) # Hum, why do I need that? connection.family = sock.family # Need this for writes that are larger than BIO pair buffers # the ssl module also sets it m2.ssl_set_mode(connection.ssl, m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) return connection
def m2_wrap_socket(socket, ssl_options, server_hostname=None, **kwargs): """Returns an ``M2Crypto.SSL.Connection`` wrapping the given socket. ``ssl_options`` may be either an `~M2Crypto.SSL.Context` object or a dictionary (as accepted by `ssl_options_to_m2_context`). ``server_side``: Needed ! if True, initialize M2Crypto as a server """ context = ssl_options_to_m2_context(ssl_options) connection = SSL.Connection(ctx=context, sock=socket) # TODO: maybe enable this ? # if server_hostname: # connection.set_tlsext_host_name(server_hostname) # Add an extra attribute to the Connection so we can test on it later connection.server_side = kwargs.get('server_side', False) # Hum, why do I need that? connection.family = socket.family # Need this for writes that are larger than BIO pair buffers # the ssl module also sets it m2.ssl_set_mode(connection.ssl, m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) return connection
def startTLS(self, ctx): """ Start SSL/TLS. If this is not called, this instance just passes data through untouched. """ # NOTE: This method signature must match the startTLS() method Twisted # expects transports to have. This will be called automatically # by Twisted in STARTTLS situations, for example with SMTP. if self.tlsStarted: raise Exception, 'TLS already started' if debug: print 'TwistedProtocolWrapper.startTLS' self.ctx = ctx self.internalBio = m2.bio_new(m2.bio_s_bio()) m2.bio_set_write_buf_size(self.internalBio, 0) self.networkBio = _BioProxy(m2.bio_new(m2.bio_s_bio())) m2.bio_set_write_buf_size(self.networkBio._ptr(), 0) m2.bio_make_bio_pair(self.internalBio, self.networkBio._ptr()) self.sslBio = _BioProxy(m2.bio_new(m2.bio_f_ssl())) self.ssl = _SSLProxy(m2.ssl_new(self.ctx.ctx)) if self.isClient: m2.ssl_set_connect_state(self.ssl._ptr()) else: m2.ssl_set_accept_state(self.ssl._ptr()) m2.ssl_set_bio(self.ssl._ptr(), self.internalBio, self.internalBio) m2.bio_set_ssl(self.sslBio._ptr(), self.ssl._ptr(), m2.bio_noclose) # Need this for writes that are larger than BIO pair buffers mode = m2.ssl_get_mode(self.ssl._ptr()) m2.ssl_set_mode(self.ssl._ptr(), mode | m2.SSL_MODE_ENABLE_PARTIAL_WRITE | m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) self.tlsStarted = 1
def startTLS(self, ctx): """ Start SSL/TLS. If this is not called, this instance just passes data through untouched. """ # NOTE: This method signature must match the startTLS() method Twisted # expects transports to have. This will be called automatically # by Twisted in STARTTLS situations, for example with SMTP. if self.tlsStarted: raise Exception, 'TLS already started' if debug: print 'TwistedProtocolWrapper.startTLS' self.ctx = ctx self.internalBio = m2.bio_new(m2.bio_s_bio()) m2.bio_set_write_buf_size(self.internalBio, 0) self.networkBio = m2.bio_new(m2.bio_s_bio()) m2.bio_set_write_buf_size(self.networkBio, 0) m2.bio_make_bio_pair(self.internalBio, self.networkBio) self.sslBio = _SSLBioProxy(m2.bio_new(m2.bio_f_ssl())) self.ssl = _SSLProxy(m2.ssl_new(self.ctx.ctx)) if self.isClient: m2.ssl_set_connect_state(self.ssl._ptr()) else: m2.ssl_set_accept_state(self.ssl._ptr()) m2.ssl_set_bio(self.ssl._ptr(), self.internalBio, self.internalBio) m2.bio_set_ssl(self.sslBio._ptr(), self.ssl._ptr(), m2.bio_noclose) # Need this for writes that are larger than BIO pair buffers mode = m2.ssl_get_mode(self.ssl._ptr()) m2.ssl_set_mode( self.ssl._ptr(), mode | m2.SSL_MODE_ENABLE_PARTIAL_WRITE | m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) self.tlsStarted = 1
# # [From http://www.mail-archive.com/[email protected]/msg57297.html] bio_internal = m2.bio_new(m2.bio_s_bio()) bio_network = m2.bio_new(m2.bio_s_bio()) self._m2_check_err(m2.bio_make_bio_pair(bio_internal, bio_network)) self._bio_network = _BIOWrapper(bio_network, self._ssl) self._bio_ssl = _BIOWrapper(m2.bio_new(m2.bio_f_ssl()), self._ssl) self._m2_check_err(m2.ssl_set_bio(self._ssl.obj, bio_internal, bio_internal)) self._m2_check_err(m2.bio_set_ssl(self._bio_ssl.obj, self._ssl.obj, m2.bio_noclose)) # Need this for writes that are larger than BIO pair buffers mode = m2.ssl_get_mode(self._ssl.obj) mode |= m2.SSL_MODE_ENABLE_PARTIAL_WRITE | m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER self._m2_check_err(m2.ssl_set_mode(self._ssl.obj, mode)) self._tls_started = True self._starttls_kwargs = kwargs if kwargs['client']: self._hello() return self._tls_ip def starttls_client(self, **kwargs): """ TODO: document me. Possible kwargs: cert: filename to pem cert for local side key: private key file (if None, assumes key is in cert)
bio_internal = m2.bio_new(m2.bio_s_bio()) bio_network = m2.bio_new(m2.bio_s_bio()) self._m2_check_err(m2.bio_make_bio_pair(bio_internal, bio_network)) self._bio_network = _BIOWrapper(bio_network, self._ssl) self._bio_ssl = _BIOWrapper(m2.bio_new(m2.bio_f_ssl()), self._ssl) self._m2_check_err( m2.ssl_set_bio(self._ssl.obj, bio_internal, bio_internal)) self._m2_check_err( m2.bio_set_ssl(self._bio_ssl.obj, self._ssl.obj, m2.bio_noclose)) # Need this for writes that are larger than BIO pair buffers mode = m2.ssl_get_mode(self._ssl.obj) mode |= m2.SSL_MODE_ENABLE_PARTIAL_WRITE | m2.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER self._m2_check_err(m2.ssl_set_mode(self._ssl.obj, mode)) self._tls_started = True self._starttls_kwargs = kwargs if kwargs['client']: self._hello() return self._tls_ip def starttls_client(self, **kwargs): """ TODO: document me. Possible kwargs: cert: filename to pem cert for local side key: private key file (if None, assumes key is in cert) dh: filename for Diffie-Hellman parameters (only used for server)
def ssl_set_mode(self, mode): m2.ssl_set_mode(self.ssl.ssl, mode)