def _check(self):
    """Validate the peer once the TLS handshake has completed.

    This is a no-op until ``m2.ssl_is_init_finished`` reports that the
    handshake is done, and it runs at most once (``self._validated`` is set
    at the end). What is checked depends on ``self._starttls_kwargs``:

    * ``verify`` truthy: the OpenSSL verify result must be ``X509_V_OK``,
      otherwise ``TLSVerificationError`` is raised. When ``verify`` is
      falsy, no chain/CA check happens here.
    * The peer certificate, if one was presented, is stored in
      ``self.peer_cert`` (as an ``X509.X509``); otherwise ``None``.
    * If a ``check`` kwarg was given, or a peer certificate exists, the
      certificate is passed to ``M2Crypto.SSL.Checker.Checker``. ``check``
      is a tuple ``(host, fingerprint)``: ``host`` ``None`` means check
      against ``self.peer[5]``, ``False`` disables the hostname check,
      anything else is used verbatim; ``fingerprint`` is optional.

    Note that when no ``check`` kwarg is given and the peer sent no
    certificate, ``_validated`` is still set without any Checker run.

    Raises:
        TLSVerificationError: verify result not ``X509_V_OK``, or the
            peer-certificate lookup fails (via ``_m2_check_err``).
    """
    if self._validated:
        return
    if not m2.ssl_is_init_finished(self._ssl.obj):
        return

    opts = self._starttls_kwargs

    if opts.get('verify'):
        # Error codes returned by SSL_get_verify_result are documented at
        # http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        verify_result = m2.ssl_get_verify_result(self._ssl.obj)
        if verify_result != m2.X509_V_OK:
            raise TLSVerificationError('Peer certificate is not signed by a known CA')

    raw_cert = self._m2_check_err(m2.ssl_get_peer_cert(self._ssl.obj),
                                  TLSVerificationError)
    if raw_cert is None:
        self.peer_cert = None
    else:
        self.peer_cert = X509.X509(raw_cert, 1)

    if 'check' in opts or self.peer_cert:
        check = opts.get('check', (None, None))
        host_spec = check[0]
        if host_spec is None:
            # Default: check the certificate CN against the peer identity
            # (presumably the name we connected to — verify against callers).
            host = self.peer[5]
        elif host_spec is False:
            # Caller explicitly disabled CN verification.
            host = None
        else:
            # Caller-supplied expected CN.
            host = host_spec
        fingerprint = None
        if len(check) > 1:
            fingerprint = check[1]
        # TODO: normalize exceptions raised by Checker.
        M2Crypto.SSL.Checker.Checker(host, fingerprint)(self.peer_cert)

    self._validated = True
def _check(self):
    """Run post-handshake peer validation exactly once.

    Returns immediately while ``self._validated`` is set or while
    ``m2.ssl_is_init_finished`` says the handshake is still in progress.
    Otherwise, driven by ``self._starttls_kwargs``:

    ``verify``
        If truthy, ``m2.ssl_get_verify_result`` must equal ``X509_V_OK``
        or ``TLSVerificationError`` is raised. If falsy, the CA/chain
        result is not consulted here.
    peer certificate
        Stored in ``self.peer_cert`` as ``X509.X509`` (``None`` if the
        peer presented none).
    ``check``
        ``(host, fingerprint)`` tuple handed to
        ``M2Crypto.SSL.Checker.Checker`` together with ``self.peer_cert``.
        The Checker runs when ``check`` was supplied or a peer certificate
        exists. ``host`` of ``None`` selects ``self.peer[5]``; ``False``
        turns the hostname check off; ``fingerprint`` defaults to ``None``
        when the tuple has a single element.

    Raises:
        TLSVerificationError: bad verify result, or failure reported by
            ``_m2_check_err`` when fetching the peer certificate.
    """
    if self._validated or not m2.ssl_is_init_finished(self._ssl.obj):
        return

    options = self._starttls_kwargs

    if options.get('verify'):
        # SSL_get_verify_result codes:
        # http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        if m2.ssl_get_verify_result(self._ssl.obj) != m2.X509_V_OK:
            raise TLSVerificationError(
                'Peer certificate is not signed by a known CA')

    cert_ptr = self._m2_check_err(m2.ssl_get_peer_cert(self._ssl.obj),
                                  TLSVerificationError)
    self.peer_cert = X509.X509(cert_ptr, 1) if cert_ptr is not None else None

    if 'check' not in options and not self.peer_cert:
        # Nothing to hand to the Checker; validation is considered done.
        self._validated = True
        return

    check = options.get('check', (None, None))
    requested = check[0]
    if requested is None:
        # Default: expect the CN to match the peer we talk to
        # (presumably the connect hostname — confirm against callers).
        host = self.peer[5]
    elif requested is False:
        # CN verification explicitly switched off by the caller.
        host = None
    else:
        host = requested
    fingerprint = check[1] if len(check) > 1 else None
    # TODO: normalize exceptions raised by Checker.
    M2Crypto.SSL.Checker.Checker(host, fingerprint)(self.peer_cert)

    self._validated = True
def _check(self):
    """Run the post-connection certificate check once the handshake is done.

    Does nothing if ``self.checked`` is already set or if
    ``m2.ssl_is_init_finished`` reports the handshake as incomplete.
    Otherwise the peer certificate is fetched (wrapped as ``X509.X509``, or
    left ``None`` when the peer sent none) and passed together with the
    expected host to ``self.postConnectionCheck``. A falsy result raises
    ``Checker.SSLVerificationError``; on success ``self.checked`` is set
    to ``1``.

    The host is ``self.transport.addr[0]`` on the client side and
    ``self.transport.getPeer().host`` on the server side.
    """
    if self.checked:
        return
    if not m2.ssl_is_init_finished(self.ssl._ptr()):
        return

    peer_cert = m2.ssl_get_peer_cert(self.ssl._ptr())
    if peer_cert is not None:
        peer_cert = X509.X509(peer_cert, 1)

    # NOTE(review): the identity checked against the certificate is the
    # address we dialled (client) or the peer's reported host (server) —
    # confirm that is the intended name for postConnectionCheck.
    if self.isClient:
        expected_host = self.transport.addr[0]
    else:
        expected_host = self.transport.getPeer().host

    if not self.postConnectionCheck(peer_cert, expected_host):
        raise Checker.SSLVerificationError('post connection check')

    self.checked = 1
def _check(self):
    """Perform the one-time post-connection check after the TLS handshake.

    Skipped while ``self.checked`` is set or while
    ``m2.ssl_is_init_finished`` is false. Otherwise
    ``self.postConnectionCheck`` receives the peer certificate (an
    ``X509.X509`` or ``None`` if none was presented) and the host to match:
    ``self.transport.addr[0]`` for a client, ``self.transport.getPeer().host``
    for a server. A falsy result raises ``SSLVerificationError``; success
    records ``self.checked = 1``.
    """
    if self.checked or not m2.ssl_is_init_finished(self.ssl._ptr()):
        return

    raw = m2.ssl_get_peer_cert(self.ssl._ptr())
    cert = X509.X509(raw, 1) if raw is not None else None

    # NOTE(review): server side matches the certificate against the peer's
    # own reported host — confirm this is the identity that should be
    # verified there.
    host = (self.transport.addr[0] if self.isClient
            else self.transport.getPeer().host)

    if not self.postConnectionCheck(cert, host):
        raise SSLVerificationError('post connection check')
    self.checked = 1
def _check(self):
    """Run the post-connection certificate check once, after the handshake.

    Prints a trace line when the module-level ``debug`` flag is set. Then,
    if ``self.checked`` is not yet set and ``m2.ssl_is_init_finished``
    reports a completed handshake, the peer certificate (``X509.X509`` or
    ``None``) and the expected host are passed to
    ``self.postConnectionCheck``. A falsy result raises
    ``Checker.SSLVerificationError``; otherwise ``self.checked`` becomes 1.

    Expected host: ``self.transport.addr[0]`` when ``self.isClient``, else
    ``self.transport.getPeer().host``.
    """
    if debug:
        print('TwistedProtocolWrapper._check')

    if self.checked:
        return
    if not m2.ssl_is_init_finished(self.ssl._ptr()):
        return

    cert = m2.ssl_get_peer_cert(self.ssl._ptr())
    if cert is not None:
        cert = X509.X509(cert, 1)

    # NOTE(review): client side checks against the dialled address, server
    # side against the peer's reported host — confirm both are intended.
    if self.isClient:
        host = self.transport.addr[0]
    else:
        host = self.transport.getPeer().host

    if not self.postConnectionCheck(cert, host):
        raise Checker.SSLVerificationError('post connection check')
    self.checked = 1
def _check(self):
    """One-time post-connection certificate check after the TLS handshake.

    Emits a trace line when the module-level ``debug`` flag is set. If
    ``self.checked`` is unset and ``m2.ssl_is_init_finished`` is true, the
    peer certificate is wrapped as ``X509.X509`` when the raw pointer is
    truthy (``None`` otherwise) and given to ``self.postConnectionCheck``
    with the expected host. A falsy result raises
    ``Checker.SSLVerificationError``; on success ``self.checked`` is set
    to 1.

    Expected host: ``self.transport.addr[0]`` for a client connection,
    ``self.transport.getPeer().host`` for a server connection.
    """
    if debug:
        print('TwistedProtocolWrapper._check')

    if self.checked or not m2.ssl_is_init_finished(self.ssl._ptr()):
        return

    raw_cert = m2.ssl_get_peer_cert(self.ssl._ptr())
    wrapped_cert = X509.X509(raw_cert, 1) if raw_cert else None

    # NOTE(review): the name verified is the dialled address (client) or
    # the peer's reported host (server) — confirm this is intended.
    host = (self.transport.addr[0] if self.isClient
            else self.transport.getPeer().host)

    if not self.postConnectionCheck(wrapped_cert, host):
        raise Checker.SSLVerificationError('post connection check')
    self.checked = 1
plaintext = self._decrypt() self._check() ciphertext = self._encrypt() if ciphertext: super(M2TLSSocket, self).write(ciphertext) if not plaintext and not ciphertext: break decrypted += plaintext except M2Crypto.BIO.BIOError, e: e = TLSProtocolError(e.args[0]) if not self._tls_ip.finished: self._tls_ip.throw(e.__class__, e, None) raise e if not self._tls_ip.finished and m2.ssl_is_init_finished(self._ssl.obj): # TLS handshake completed successfully, peer cert validated. self._handshake = False self._update_read_monitor() self._tls_ip.finish(True) if decrypted and not self._is_read_connected() and not self._is_readline_connected(): # There is decrypted (user) data from the socket, but no one external is wants # it yet. So this data was decrypted as a consequence of our handshaking. # (SSL BIO said we should read in _translate()). We can stuff this data # into the read queue (from IOChannel superclass), so subsequent user reads # will consume it. if len(decrypted) + self.read_queue_used > self.queue_size + self.chunk_size: # This shouldn't happen in normal circumstances. It's more of a sanity # check. raise TLSError('Read queue overflow')
plaintext = self._decrypt() self._check() ciphertext = self._encrypt() if ciphertext: super(M2TLSSocket, self).write(ciphertext) if not plaintext and not ciphertext: break decrypted += plaintext except M2Crypto.BIO.BIOError, e: e = TLSProtocolError(e.args[0]) if not self._tls_ip.finished: self._tls_ip.throw(e.__class__, e, None) raise e if not self._tls_ip.finished and m2.ssl_is_init_finished( self._ssl.obj): # TLS handshake completed successfully, peer cert validated. self._handshake = False self._update_read_monitor() self._tls_ip.finish(True) if decrypted and not self._is_read_connected( ) and not self._is_readline_connected(): # There is decrypted (user) data from the socket, but no one external is wants # it yet. So this data was decrypted as a consequence of our handshaking. # (SSL BIO said we should read in _translate()). We can stuff this data # into the read queue (from IOChannel superclass), so subsequent user reads # will consume it. if len( decrypted ) + self.read_queue_used > self.queue_size + self.chunk_size: