2014-08-16 13:53:07 +00:00
|
|
|
from __future__ import (absolute_import, print_function, division)
|
2015-02-27 15:59:29 +00:00
|
|
|
import os
|
2014-09-08 22:08:56 +00:00
|
|
|
import select
|
|
|
|
|
import socket
|
|
|
|
|
import sys
|
|
|
|
|
import threading
|
|
|
|
|
import time
|
|
|
|
|
import traceback
|
2015-06-08 09:29:01 +00:00
|
|
|
|
2015-06-16 18:11:10 +00:00
|
|
|
import certifi
|
2015-09-10 23:17:39 +00:00
|
|
|
import six
|
2015-06-08 09:29:01 +00:00
|
|
|
import OpenSSL
|
2012-06-18 21:42:32 +00:00
|
|
|
from OpenSSL import SSL
|
2014-09-08 22:08:56 +00:00
|
|
|
|
2015-08-03 16:06:31 +00:00
|
|
|
from . import certutils, version_check
|
|
|
|
|
|
|
|
|
|
# This is a rather hackish way to make sure that
|
|
|
|
|
# the latest version of pyOpenSSL is actually installed.
|
|
|
|
|
version_check.check_pyopenssl_version()
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2014-03-02 08:37:28 +00:00
|
|
|
|
2014-03-02 03:47:10 +00:00
|
|
|
EINTR = 4
|
|
|
|
|
|
2015-06-22 18:39:30 +00:00
|
|
|
# To enable all SSL methods use: SSLv23
|
|
|
|
|
# then add options to disable certain methods
|
|
|
|
|
# https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
|
2015-08-28 15:35:48 +00:00
|
|
|
SSL_DEFAULT_METHOD = SSL.SSLv23_METHOD
|
2015-06-18 00:18:22 +00:00
|
|
|
SSL_DEFAULT_OPTIONS = (
|
|
|
|
|
SSL.OP_NO_SSLv2 |
|
|
|
|
|
SSL.OP_NO_SSLv3 |
|
|
|
|
|
SSL.OP_CIPHER_SERVER_PREFERENCE
|
|
|
|
|
)
|
|
|
|
|
if hasattr(SSL, "OP_NO_COMPRESSION"):
|
|
|
|
|
SSL_DEFAULT_OPTIONS |= SSL.OP_NO_COMPRESSION
|
|
|
|
|
|
2015-08-29 10:30:35 +00:00
|
|
|
"""
|
|
|
|
|
Map a reasonable SSL version specification into the format OpenSSL expects.
|
|
|
|
|
Don't ask...
|
|
|
|
|
https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
|
|
|
|
|
"""
|
|
|
|
|
sslversion_choices = {
|
|
|
|
|
"all": (SSL.SSLv23_METHOD, 0),
|
|
|
|
|
# SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+
|
|
|
|
|
# TLSv1_METHOD would be TLS 1.0 only
|
|
|
|
|
"secure": (SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)),
|
|
|
|
|
"SSLv2": (SSL.SSLv2_METHOD, 0),
|
|
|
|
|
"SSLv3": (SSL.SSLv3_METHOD, 0),
|
|
|
|
|
"TLSv1": (SSL.TLSv1_METHOD, 0),
|
|
|
|
|
"TLSv1_1": (SSL.TLSv1_1_METHOD, 0),
|
|
|
|
|
"TLSv1_2": (SSL.TLSv1_2_METHOD, 0),
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-18 00:18:22 +00:00
|
|
|
|
2015-05-27 09:18:54 +00:00
|
|
|
class NetLibError(Exception):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class NetLibDisconnect(NetLibError):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class NetLibIncomplete(NetLibError):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class NetLibTimeout(NetLibError):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class NetLibSSLError(NetLibError):
|
|
|
|
|
pass
|
2012-07-08 11:50:38 +00:00
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2015-07-24 14:47:28 +00:00
|
|
|
class NetLibInvalidCertificateError(NetLibSSLError):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
2015-02-27 15:59:29 +00:00
|
|
|
class SSLKeyLogger(object):
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2015-02-27 15:59:29 +00:00
|
|
|
def __init__(self, filename):
|
|
|
|
|
self.filename = filename
|
|
|
|
|
self.f = None
|
|
|
|
|
self.lock = threading.Lock()
|
|
|
|
|
|
2015-05-30 00:02:58 +00:00
|
|
|
# required for functools.wraps, which pyOpenSSL uses.
|
|
|
|
|
__name__ = "SSLKeyLogger"
|
2015-02-27 15:59:29 +00:00
|
|
|
|
|
|
|
|
def __call__(self, connection, where, ret):
|
|
|
|
|
if where == SSL.SSL_CB_HANDSHAKE_DONE and ret == 1:
|
|
|
|
|
with self.lock:
|
|
|
|
|
if not self.f:
|
2015-02-27 21:02:52 +00:00
|
|
|
d = os.path.dirname(self.filename)
|
|
|
|
|
if not os.path.isdir(d):
|
|
|
|
|
os.makedirs(d)
|
2015-02-27 15:59:29 +00:00
|
|
|
self.f = open(self.filename, "ab")
|
|
|
|
|
self.f.write("\r\n")
|
|
|
|
|
client_random = connection.client_random().encode("hex")
|
|
|
|
|
masterkey = connection.master_key().encode("hex")
|
2015-05-30 00:02:58 +00:00
|
|
|
self.f.write(
|
|
|
|
|
"CLIENT_RANDOM {} {}\r\n".format(
|
|
|
|
|
client_random,
|
|
|
|
|
masterkey))
|
2015-02-27 15:59:29 +00:00
|
|
|
self.f.flush()
|
|
|
|
|
|
|
|
|
|
def close(self):
|
|
|
|
|
with self.lock:
|
|
|
|
|
if self.f:
|
|
|
|
|
self.f.close()
|
|
|
|
|
|
2015-02-27 21:02:52 +00:00
|
|
|
@staticmethod
|
|
|
|
|
def create_logfun(filename):
|
|
|
|
|
if filename:
|
|
|
|
|
return SSLKeyLogger(filename)
|
|
|
|
|
return False
|
|
|
|
|
|
2015-05-30 00:02:58 +00:00
|
|
|
log_ssl_key = SSLKeyLogger.create_logfun(
|
|
|
|
|
os.getenv("MITMPROXY_SSLKEYLOGFILE") or os.getenv("SSLKEYLOGFILE"))
|
2015-02-27 15:59:29 +00:00
|
|
|
|
|
|
|
|
|
2015-04-09 00:09:33 +00:00
|
|
|
class _FileLike(object):
|
2012-07-23 23:39:49 +00:00
|
|
|
BLOCKSIZE = 1024 * 32
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
def __init__(self, o):
|
|
|
|
|
self.o = o
|
2012-09-23 23:10:21 +00:00
|
|
|
self._log = None
|
2013-01-16 20:30:19 +00:00
|
|
|
self.first_byte_timestamp = None
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2012-09-23 22:47:41 +00:00
|
|
|
def set_descriptor(self, o):
|
|
|
|
|
self.o = o
|
|
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
def __getattr__(self, attr):
|
|
|
|
|
return getattr(self.o, attr)
|
|
|
|
|
|
2012-09-23 23:10:21 +00:00
|
|
|
def start_log(self):
|
|
|
|
|
"""
|
|
|
|
|
Starts or resets the log.
|
|
|
|
|
|
|
|
|
|
This will store all bytes read or written.
|
|
|
|
|
"""
|
|
|
|
|
self._log = []
|
|
|
|
|
|
|
|
|
|
def stop_log(self):
|
|
|
|
|
"""
|
|
|
|
|
Stops the log.
|
|
|
|
|
"""
|
|
|
|
|
self._log = None
|
|
|
|
|
|
|
|
|
|
def is_logging(self):
|
|
|
|
|
return self._log is not None
|
|
|
|
|
|
|
|
|
|
def get_log(self):
|
|
|
|
|
"""
|
|
|
|
|
Returns the log as a string.
|
|
|
|
|
"""
|
|
|
|
|
if not self.is_logging():
|
|
|
|
|
raise ValueError("Not logging!")
|
|
|
|
|
return "".join(self._log)
|
|
|
|
|
|
|
|
|
|
def add_log(self, v):
|
|
|
|
|
if self.is_logging():
|
|
|
|
|
self._log.append(v)
|
|
|
|
|
|
2013-01-16 20:30:19 +00:00
|
|
|
def reset_timestamps(self):
|
|
|
|
|
self.first_byte_timestamp = None
|
2012-09-23 23:10:21 +00:00
|
|
|
|
2013-01-25 02:54:41 +00:00
|
|
|
|
2012-09-23 23:10:21 +00:00
|
|
|
class Writer(_FileLike):
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
def flush(self):
|
2013-01-26 08:19:35 +00:00
|
|
|
"""
|
|
|
|
|
May raise NetLibDisconnect
|
|
|
|
|
"""
|
2013-01-25 02:54:41 +00:00
|
|
|
if hasattr(self.o, "flush"):
|
|
|
|
|
try:
|
2012-07-29 23:30:31 +00:00
|
|
|
self.o.flush()
|
2015-05-27 09:18:54 +00:00
|
|
|
except (socket.error, IOError) as v:
|
2013-01-25 02:54:41 +00:00
|
|
|
raise NetLibDisconnect(str(v))
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2012-09-23 23:10:21 +00:00
|
|
|
def write(self, v):
|
2013-01-26 08:19:35 +00:00
|
|
|
"""
|
|
|
|
|
May raise NetLibDisconnect
|
|
|
|
|
"""
|
2012-09-23 23:10:21 +00:00
|
|
|
if v:
|
2015-05-31 04:54:14 +00:00
|
|
|
self.first_byte_timestamp = self.first_byte_timestamp or time.time()
|
2012-09-23 23:10:21 +00:00
|
|
|
try:
|
|
|
|
|
if hasattr(self.o, "sendall"):
|
|
|
|
|
self.add_log(v)
|
|
|
|
|
return self.o.sendall(v)
|
|
|
|
|
else:
|
|
|
|
|
r = self.o.write(v)
|
|
|
|
|
self.add_log(v[:r])
|
|
|
|
|
return r
|
2015-05-27 09:18:54 +00:00
|
|
|
except (SSL.Error, socket.error) as e:
|
2015-04-09 00:09:33 +00:00
|
|
|
raise NetLibDisconnect(str(e))
|
2012-09-23 23:10:21 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class Reader(_FileLike):
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
def read(self, length):
|
2012-07-23 23:39:49 +00:00
|
|
|
"""
|
2012-10-09 03:25:15 +00:00
|
|
|
If length is -1, we read until connection closes.
|
2012-07-23 23:39:49 +00:00
|
|
|
"""
|
2012-06-18 21:42:32 +00:00
|
|
|
result = ''
|
2012-07-21 04:10:54 +00:00
|
|
|
start = time.time()
|
2012-07-23 23:39:49 +00:00
|
|
|
while length == -1 or length > 0:
|
2012-10-09 03:25:15 +00:00
|
|
|
if length == -1 or length > self.BLOCKSIZE:
|
|
|
|
|
rlen = self.BLOCKSIZE
|
|
|
|
|
else:
|
|
|
|
|
rlen = length
|
2012-06-18 21:42:32 +00:00
|
|
|
try:
|
2012-10-09 03:25:15 +00:00
|
|
|
data = self.o.read(rlen)
|
2012-07-21 08:51:05 +00:00
|
|
|
except SSL.ZeroReturnError:
|
2012-06-18 21:42:32 +00:00
|
|
|
break
|
2012-07-21 04:10:54 +00:00
|
|
|
except SSL.WantReadError:
|
|
|
|
|
if (time.time() - start) < self.o.gettimeout():
|
|
|
|
|
time.sleep(0.1)
|
|
|
|
|
continue
|
|
|
|
|
else:
|
|
|
|
|
raise NetLibTimeout
|
|
|
|
|
except socket.timeout:
|
|
|
|
|
raise NetLibTimeout
|
2014-01-09 04:33:21 +00:00
|
|
|
except socket.error:
|
|
|
|
|
raise NetLibDisconnect
|
2014-03-10 16:43:39 +00:00
|
|
|
except SSL.SysCallError as e:
|
|
|
|
|
if e.args == (-1, 'Unexpected EOF'):
|
|
|
|
|
break
|
2015-02-27 21:02:52 +00:00
|
|
|
raise NetLibSSLError(e.message)
|
|
|
|
|
except SSL.Error as e:
|
|
|
|
|
raise NetLibSSLError(e.message)
|
2013-01-16 20:30:19 +00:00
|
|
|
self.first_byte_timestamp = self.first_byte_timestamp or time.time()
|
2012-06-18 21:42:32 +00:00
|
|
|
if not data:
|
|
|
|
|
break
|
|
|
|
|
result += data
|
2012-07-23 23:39:49 +00:00
|
|
|
if length != -1:
|
|
|
|
|
length -= len(data)
|
2012-09-23 23:10:21 +00:00
|
|
|
self.add_log(result)
|
2012-06-18 21:42:32 +00:00
|
|
|
return result
|
|
|
|
|
|
2015-05-27 09:18:54 +00:00
|
|
|
def readline(self, size=None):
|
2012-06-18 21:42:32 +00:00
|
|
|
result = ''
|
|
|
|
|
bytes_read = 0
|
|
|
|
|
while True:
|
|
|
|
|
if size is not None and bytes_read >= size:
|
|
|
|
|
break
|
2015-02-27 21:02:52 +00:00
|
|
|
ch = self.read(1)
|
2012-06-18 21:42:32 +00:00
|
|
|
bytes_read += 1
|
|
|
|
|
if not ch:
|
|
|
|
|
break
|
|
|
|
|
else:
|
|
|
|
|
result += ch
|
|
|
|
|
if ch == '\n':
|
|
|
|
|
break
|
|
|
|
|
return result
|
|
|
|
|
|
2015-05-04 22:47:02 +00:00
|
|
|
def safe_read(self, length):
|
|
|
|
|
"""
|
|
|
|
|
Like .read, but is guaranteed to either return length bytes, or
|
|
|
|
|
raise an exception.
|
|
|
|
|
"""
|
|
|
|
|
result = self.read(length)
|
|
|
|
|
if length != -1 and len(result) != length:
|
2015-05-31 05:18:55 +00:00
|
|
|
if not result:
|
|
|
|
|
raise NetLibDisconnect()
|
|
|
|
|
else:
|
|
|
|
|
raise NetLibIncomplete(
|
|
|
|
|
"Expected %s bytes, got %s" % (length, len(result))
|
|
|
|
|
)
|
2015-05-04 22:47:02 +00:00
|
|
|
return result
|
|
|
|
|
|
2015-07-25 11:31:04 +00:00
|
|
|
def peek(self, length):
|
|
|
|
|
"""
|
|
|
|
|
Tries to peek into the underlying file object.
|
|
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
|
Up to the next N bytes if peeking is successful.
|
|
|
|
|
|
|
|
|
|
Raises:
|
2015-08-19 14:05:42 +00:00
|
|
|
NetLibError if there was an error with the socket
|
2015-07-25 11:31:04 +00:00
|
|
|
NetLibSSLError if there was an error with pyOpenSSL.
|
2015-08-19 14:05:42 +00:00
|
|
|
NotImplementedError if the underlying file object is not a (pyOpenSSL) socket
|
2015-07-25 11:31:04 +00:00
|
|
|
"""
|
2015-08-19 14:05:42 +00:00
|
|
|
if isinstance(self.o, socket._fileobject):
|
2015-07-25 11:31:04 +00:00
|
|
|
try:
|
|
|
|
|
return self.o._sock.recv(length, socket.MSG_PEEK)
|
2015-08-19 14:05:42 +00:00
|
|
|
except socket.error as e:
|
2015-08-25 16:33:55 +00:00
|
|
|
raise NetLibError(repr(e))
|
2015-08-19 14:05:42 +00:00
|
|
|
elif isinstance(self.o, SSL.Connection):
|
|
|
|
|
try:
|
|
|
|
|
if tuple(int(x) for x in OpenSSL.__version__.split(".")[:2]) > (0, 15):
|
|
|
|
|
return self.o.recv(length, socket.MSG_PEEK)
|
|
|
|
|
else:
|
|
|
|
|
# Polyfill for pyOpenSSL <= 0.15.1
|
|
|
|
|
# Taken from https://github.com/pyca/pyopenssl/commit/1d95dea7fea03c7c0df345a5ea30c12d8a0378d2
|
|
|
|
|
buf = SSL._ffi.new("char[]", length)
|
|
|
|
|
result = SSL._lib.SSL_peek(self.o._ssl, buf, length)
|
|
|
|
|
self.o._raise_ssl_error(self.o._ssl, result)
|
|
|
|
|
return SSL._ffi.buffer(buf, result)[:]
|
2015-07-25 11:31:04 +00:00
|
|
|
except SSL.Error as e:
|
2015-09-10 23:17:39 +00:00
|
|
|
six.reraise(NetLibSSLError, NetLibSSLError(str(e)), sys.exc_info()[2])
|
2015-08-19 14:05:42 +00:00
|
|
|
else:
|
|
|
|
|
raise NotImplementedError("Can only peek into (pyOpenSSL) sockets")
|
2015-07-25 11:31:04 +00:00
|
|
|
|
|
|
|
|
|
2014-01-31 00:06:53 +00:00
|
|
|
class Address(object):
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2014-01-28 16:26:35 +00:00
|
|
|
"""
|
2015-05-04 22:47:02 +00:00
|
|
|
This class wraps an IPv4/IPv6 tuple to provide named attributes and
|
|
|
|
|
ipv6 information.
|
2014-01-28 16:26:35 +00:00
|
|
|
"""
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2014-01-30 19:07:30 +00:00
|
|
|
def __init__(self, address, use_ipv6=False):
|
2014-02-05 20:34:14 +00:00
|
|
|
self.address = tuple(address)
|
2014-01-31 00:06:53 +00:00
|
|
|
self.use_ipv6 = use_ipv6
|
2014-01-28 16:26:35 +00:00
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def wrap(cls, t):
|
|
|
|
|
if isinstance(t, cls):
|
|
|
|
|
return t
|
|
|
|
|
else:
|
|
|
|
|
return cls(t)
|
|
|
|
|
|
2014-01-30 19:07:30 +00:00
|
|
|
def __call__(self):
|
|
|
|
|
return self.address
|
|
|
|
|
|
2014-01-28 16:26:35 +00:00
|
|
|
@property
|
|
|
|
|
def host(self):
|
2014-01-30 19:07:30 +00:00
|
|
|
return self.address[0]
|
2014-01-28 16:26:35 +00:00
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def port(self):
|
2014-01-30 19:07:30 +00:00
|
|
|
return self.address[1]
|
2014-01-28 16:26:35 +00:00
|
|
|
|
|
|
|
|
@property
|
2014-01-30 19:07:30 +00:00
|
|
|
def use_ipv6(self):
|
2014-01-28 16:26:35 +00:00
|
|
|
return self.family == socket.AF_INET6
|
|
|
|
|
|
2014-01-31 00:06:53 +00:00
|
|
|
@use_ipv6.setter
|
|
|
|
|
def use_ipv6(self, b):
|
|
|
|
|
self.family = socket.AF_INET6 if b else socket.AF_INET
|
2014-01-30 19:07:30 +00:00
|
|
|
|
2014-09-03 23:10:44 +00:00
|
|
|
def __repr__(self):
|
2015-05-18 15:16:42 +00:00
|
|
|
return "{}:{}".format(self.host, self.port)
|
|
|
|
|
|
|
|
|
|
def __str__(self):
|
|
|
|
|
return str(self.address)
|
2014-09-03 23:10:44 +00:00
|
|
|
|
2014-02-04 03:51:41 +00:00
|
|
|
def __eq__(self, other):
|
2015-08-15 18:30:22 +00:00
|
|
|
if not other:
|
|
|
|
|
return False
|
2014-02-04 03:51:41 +00:00
|
|
|
other = Address.wrap(other)
|
|
|
|
|
return (self.address, self.family) == (other.address, other.family)
|
2014-01-28 16:26:35 +00:00
|
|
|
|
2014-09-03 23:10:44 +00:00
|
|
|
def __ne__(self, other):
|
|
|
|
|
return not self.__eq__(other)
|
|
|
|
|
|
2015-09-08 19:31:27 +00:00
|
|
|
def __hash__(self):
|
|
|
|
|
return hash(self.address) ^ 42 # different hash than the tuple alone.
|
|
|
|
|
|
2014-02-04 03:51:41 +00:00
|
|
|
|
2015-09-10 09:30:17 +00:00
|
|
|
def ssl_read_select(rlist, timeout):
|
|
|
|
|
"""
|
|
|
|
|
This is a wrapper around select.select() which also works for SSL.Connections
|
|
|
|
|
by taking ssl_connection.pending() into account.
|
|
|
|
|
|
|
|
|
|
Caveats:
|
|
|
|
|
If .pending() > 0 for any of the connections in rlist, we avoid the select syscall
|
|
|
|
|
and **will not include any other connections which may or may not be ready**.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
rlist: wait until ready for reading
|
|
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
|
subset of rlist which is ready for reading.
|
|
|
|
|
"""
|
|
|
|
|
return [
|
|
|
|
|
conn for conn in rlist
|
|
|
|
|
if isinstance(conn, SSL.Connection) and conn.pending() > 0
|
|
|
|
|
] or select.select(rlist, (), (), timeout)[0]
|
|
|
|
|
|
|
|
|
|
|
2014-10-22 15:54:20 +00:00
|
|
|
def close_socket(sock):
|
|
|
|
|
"""
|
|
|
|
|
Does a hard close of a socket, without emitting a RST.
|
|
|
|
|
"""
|
|
|
|
|
try:
|
|
|
|
|
# We already indicate that we close our end.
|
2015-06-17 11:10:27 +00:00
|
|
|
# may raise "Transport endpoint is not connected" on Linux
|
2015-05-04 22:47:02 +00:00
|
|
|
sock.shutdown(socket.SHUT_WR)
|
2014-10-22 15:54:20 +00:00
|
|
|
|
2015-05-04 22:47:02 +00:00
|
|
|
# Section 4.2.2.13 of RFC 1122 tells us that a close() with any pending
|
|
|
|
|
# readable data could lead to an immediate RST being sent (which is the
|
|
|
|
|
# case on Windows).
|
2014-10-22 15:54:20 +00:00
|
|
|
# http://ia600609.us.archive.org/22/items/TheUltimateSo_lingerPageOrWhyIsMyTcpNotReliable/the-ultimate-so_linger-page-or-why-is-my-tcp-not-reliable.html
|
|
|
|
|
#
|
2015-05-04 22:47:02 +00:00
|
|
|
# This in turn results in the following issue: If we send an error page
|
|
|
|
|
# to the client and then close the socket, the RST may be received by
|
|
|
|
|
# the client before the error page and the users sees a connection
|
|
|
|
|
# error rather than the error page. Thus, we try to empty the read
|
|
|
|
|
# buffer on Windows first. (see
|
|
|
|
|
# https://github.com/mitmproxy/mitmproxy/issues/527#issuecomment-93782988)
|
2015-04-17 14:29:09 +00:00
|
|
|
#
|
2015-05-04 22:47:02 +00:00
|
|
|
|
2015-04-17 14:29:09 +00:00
|
|
|
if os.name == "nt": # pragma: no cover
|
2015-05-04 22:47:02 +00:00
|
|
|
# We cannot rely on the shutdown()-followed-by-read()-eof technique
|
|
|
|
|
# proposed by the page above: Some remote machines just don't send
|
|
|
|
|
# a TCP FIN, which would leave us in the unfortunate situation that
|
|
|
|
|
# recv() would block infinitely. As a workaround, we set a timeout
|
|
|
|
|
# here even if we are in blocking mode.
|
2015-04-17 14:29:09 +00:00
|
|
|
sock.settimeout(sock.gettimeout() or 20)
|
|
|
|
|
|
|
|
|
|
# limit at a megabyte so that we don't read infinitely
|
|
|
|
|
for _ in xrange(1024 ** 3 // 4096):
|
|
|
|
|
# may raise a timeout/disconnect exception.
|
|
|
|
|
if not sock.recv(4096):
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
# Now we can close the other half as well.
|
|
|
|
|
sock.shutdown(socket.SHUT_RD)
|
2014-10-22 15:54:20 +00:00
|
|
|
|
|
|
|
|
except socket.error:
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
sock.close()
|
|
|
|
|
|
|
|
|
|
|
2014-03-02 08:37:28 +00:00
|
|
|
class _Connection(object):
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2015-08-19 14:06:33 +00:00
|
|
|
rbufsize = -1
|
|
|
|
|
wbufsize = -1
|
|
|
|
|
|
|
|
|
|
def __init__(self, connection):
|
|
|
|
|
if connection:
|
|
|
|
|
self.connection = connection
|
|
|
|
|
self.rfile = Reader(self.connection.makefile('rb', self.rbufsize))
|
|
|
|
|
self.wfile = Writer(self.connection.makefile('wb', self.wbufsize))
|
|
|
|
|
else:
|
|
|
|
|
self.connection = None
|
|
|
|
|
self.rfile = None
|
|
|
|
|
self.wfile = None
|
|
|
|
|
|
|
|
|
|
self.ssl_established = False
|
|
|
|
|
self.finished = False
|
|
|
|
|
|
2014-03-02 08:37:28 +00:00
|
|
|
def get_current_cipher(self):
|
|
|
|
|
if not self.ssl_established:
|
|
|
|
|
return None
|
2015-05-27 08:21:50 +00:00
|
|
|
|
|
|
|
|
name = self.connection.get_cipher_name()
|
|
|
|
|
bits = self.connection.get_cipher_bits()
|
|
|
|
|
version = self.connection.get_cipher_version()
|
2014-03-02 08:37:28 +00:00
|
|
|
return name, bits, version
|
|
|
|
|
|
2014-01-09 04:33:21 +00:00
|
|
|
def finish(self):
|
|
|
|
|
self.finished = True
|
2014-10-22 15:54:20 +00:00
|
|
|
# If we have an SSL connection, wfile.close == connection.close
|
|
|
|
|
# (We call _FileLike.set_descriptor(conn))
|
2015-05-04 22:47:02 +00:00
|
|
|
# Closing the socket is not our task, therefore we don't call close
|
|
|
|
|
# then.
|
2015-05-27 09:18:54 +00:00
|
|
|
if not isinstance(self.connection, SSL.Connection):
|
2014-01-09 04:33:21 +00:00
|
|
|
if not getattr(self.wfile, "closed", False):
|
2014-11-07 03:01:41 +00:00
|
|
|
try:
|
|
|
|
|
self.wfile.flush()
|
2014-11-14 23:31:13 +00:00
|
|
|
self.wfile.close()
|
2014-11-07 03:01:41 +00:00
|
|
|
except NetLibDisconnect:
|
|
|
|
|
pass
|
2014-10-22 15:54:20 +00:00
|
|
|
|
2014-01-09 04:33:21 +00:00
|
|
|
self.rfile.close()
|
2014-10-22 15:54:20 +00:00
|
|
|
else:
|
|
|
|
|
try:
|
2014-01-09 04:33:21 +00:00
|
|
|
self.connection.shutdown()
|
2014-10-22 15:54:20 +00:00
|
|
|
except SSL.Error:
|
|
|
|
|
pass
|
2014-01-09 04:33:21 +00:00
|
|
|
|
2015-03-07 00:22:02 +00:00
|
|
|
def _create_ssl_context(self,
|
2015-06-22 18:39:30 +00:00
|
|
|
method=SSL_DEFAULT_METHOD,
|
2015-06-18 00:18:22 +00:00
|
|
|
options=SSL_DEFAULT_OPTIONS,
|
2015-06-15 07:47:43 +00:00
|
|
|
verify_options=SSL.VERIFY_NONE,
|
2015-06-26 21:57:00 +00:00
|
|
|
ca_path=None,
|
2015-06-15 17:16:44 +00:00
|
|
|
ca_pemfile=None,
|
2015-05-28 15:46:44 +00:00
|
|
|
cipher_list=None,
|
|
|
|
|
alpn_protos=None,
|
|
|
|
|
alpn_select=None,
|
2015-08-16 09:41:34 +00:00
|
|
|
alpn_select_callback=None,
|
2015-03-07 00:22:02 +00:00
|
|
|
):
|
|
|
|
|
"""
|
2015-06-17 11:10:27 +00:00
|
|
|
Creates an SSL Context.
|
|
|
|
|
|
2015-06-12 14:03:01 +00:00
|
|
|
:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD, TLSv1_1_METHOD, or TLSv1_2_METHOD
|
2015-03-07 00:22:02 +00:00
|
|
|
:param options: A bit field consisting of OpenSSL.SSL.OP_* values
|
2015-06-15 17:16:44 +00:00
|
|
|
:param verify_options: A bit field consisting of OpenSSL.SSL.VERIFY_* values
|
|
|
|
|
:param ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool
|
|
|
|
|
:param ca_pemfile: Path to a PEM formatted trusted CA certificate
|
2015-03-07 00:22:02 +00:00
|
|
|
:param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html
|
|
|
|
|
:rtype : SSL.Context
|
|
|
|
|
"""
|
|
|
|
|
context = SSL.Context(method)
|
|
|
|
|
# Options (NO_SSLv2/3)
|
|
|
|
|
if options is not None:
|
|
|
|
|
context.set_options(options)
|
|
|
|
|
|
2015-06-20 20:07:23 +00:00
|
|
|
# Verify Options (NONE/PEER and trusted CAs)
|
|
|
|
|
if verify_options is not None:
|
|
|
|
|
def verify_cert(conn, x509, errno, err_depth, is_cert_verified):
|
|
|
|
|
if not is_cert_verified:
|
|
|
|
|
self.ssl_verification_error = dict(errno=errno,
|
|
|
|
|
depth=err_depth)
|
|
|
|
|
return is_cert_verified
|
2015-06-15 17:16:44 +00:00
|
|
|
|
|
|
|
|
context.set_verify(verify_options, verify_cert)
|
2015-06-26 21:57:00 +00:00
|
|
|
if ca_path is None and ca_pemfile is None:
|
2015-07-22 01:01:51 +00:00
|
|
|
ca_pemfile = certifi.where()
|
2015-06-16 18:11:10 +00:00
|
|
|
context.load_verify_locations(ca_pemfile, ca_path)
|
2015-06-15 17:16:44 +00:00
|
|
|
|
2015-03-07 00:22:02 +00:00
|
|
|
# Workaround for
|
|
|
|
|
# https://github.com/pyca/pyopenssl/issues/190
|
|
|
|
|
# https://github.com/mitmproxy/mitmproxy/issues/472
|
2015-05-30 00:02:58 +00:00
|
|
|
# Options already set before are not cleared.
|
|
|
|
|
context.set_mode(SSL._lib.SSL_MODE_AUTO_RETRY)
|
2015-03-07 00:22:02 +00:00
|
|
|
|
|
|
|
|
# Cipher List
|
|
|
|
|
if cipher_list:
|
|
|
|
|
try:
|
|
|
|
|
context.set_cipher_list(cipher_list)
|
2015-06-15 15:31:08 +00:00
|
|
|
|
|
|
|
|
# TODO: maybe change this to with newer pyOpenSSL APIs
|
|
|
|
|
context.set_tmp_ecdh(OpenSSL.crypto.get_elliptic_curve('prime256v1'))
|
2015-05-27 09:18:54 +00:00
|
|
|
except SSL.Error as v:
|
|
|
|
|
raise NetLibError("SSL cipher specification error: %s" % str(v))
|
2015-03-07 00:22:02 +00:00
|
|
|
|
|
|
|
|
# SSLKEYLOGFILE
|
|
|
|
|
if log_ssl_key:
|
|
|
|
|
context.set_info_callback(log_ssl_key)
|
|
|
|
|
|
2015-06-08 09:29:01 +00:00
|
|
|
if OpenSSL._util.lib.Cryptography_HAS_ALPN:
|
|
|
|
|
if alpn_protos is not None:
|
2015-06-11 13:37:17 +00:00
|
|
|
# advertise application layer protocols
|
2015-06-08 09:29:01 +00:00
|
|
|
context.set_alpn_protos(alpn_protos)
|
2015-08-16 09:41:34 +00:00
|
|
|
elif alpn_select is not None and alpn_select_callback is None:
|
2015-06-11 13:37:17 +00:00
|
|
|
# select application layer protocol
|
2015-06-18 13:32:52 +00:00
|
|
|
def alpn_select_callback(conn_, options):
|
2015-06-11 13:37:17 +00:00
|
|
|
if alpn_select in options:
|
|
|
|
|
return bytes(alpn_select)
|
2015-06-12 13:21:23 +00:00
|
|
|
else: # pragma no cover
|
2015-06-11 13:37:17 +00:00
|
|
|
return options[0]
|
|
|
|
|
context.set_alpn_select_callback(alpn_select_callback)
|
2015-08-16 09:41:34 +00:00
|
|
|
elif alpn_select_callback is not None and alpn_select is None:
|
|
|
|
|
context.set_alpn_select_callback(alpn_select_callback)
|
|
|
|
|
elif alpn_select_callback is not None and alpn_select is not None:
|
|
|
|
|
raise NetLibError("ALPN error: only define alpn_select (string) OR alpn_select_callback (method).")
|
2015-05-28 15:46:44 +00:00
|
|
|
|
2015-03-07 00:22:02 +00:00
|
|
|
return context
|
|
|
|
|
|
2014-01-09 04:33:21 +00:00
|
|
|
|
2014-03-02 08:37:28 +00:00
|
|
|
class TCPClient(_Connection):
|
2014-09-08 22:08:56 +00:00
|
|
|
|
2015-08-16 21:33:11 +00:00
|
|
|
def __init__(self, address, source_address=None):
|
2015-08-19 14:06:33 +00:00
|
|
|
super(TCPClient, self).__init__(None)
|
2015-08-16 21:33:11 +00:00
|
|
|
self.address = address
|
|
|
|
|
self.source_address = Address.wrap(
|
|
|
|
|
source_address) if source_address else None
|
|
|
|
|
self.cert = None
|
|
|
|
|
self.ssl_verification_error = None
|
|
|
|
|
self.sni = None
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def address(self):
|
|
|
|
|
return self.__address
|
|
|
|
|
|
|
|
|
|
@address.setter
|
|
|
|
|
def address(self, address):
|
|
|
|
|
if self.connection:
|
|
|
|
|
raise RuntimeError("Cannot change server address after establishing connection")
|
|
|
|
|
if address:
|
|
|
|
|
self.__address = Address.wrap(address)
|
|
|
|
|
else:
|
|
|
|
|
self.__address = None
|
|
|
|
|
|
2014-10-22 15:54:20 +00:00
|
|
|
def close(self):
|
|
|
|
|
# Make sure to close the real socket, not the SSL proxy.
|
|
|
|
|
# OpenSSL is really good at screwing up, i.e. when trying to recv from a failed connection,
|
|
|
|
|
# it tries to renegotiate...
|
2015-05-27 09:18:54 +00:00
|
|
|
if isinstance(self.connection, SSL.Connection):
|
2014-10-22 15:54:20 +00:00
|
|
|
close_socket(self.connection._socket)
|
|
|
|
|
else:
|
|
|
|
|
close_socket(self.connection)
|
|
|
|
|
|
2015-05-28 15:46:44 +00:00
|
|
|
def create_ssl_context(self, cert=None, alpn_protos=None, **sslctx_kwargs):
|
2015-05-30 00:02:58 +00:00
|
|
|
context = self._create_ssl_context(
|
|
|
|
|
alpn_protos=alpn_protos,
|
|
|
|
|
**sslctx_kwargs)
|
2015-03-07 00:22:02 +00:00
|
|
|
# Client Certs
|
2013-02-24 02:36:15 +00:00
|
|
|
if cert:
|
2013-01-20 09:36:54 +00:00
|
|
|
try:
|
2013-02-24 02:36:15 +00:00
|
|
|
context.use_privatekey_file(cert)
|
|
|
|
|
context.use_certificate_file(cert)
|
2015-05-27 09:18:54 +00:00
|
|
|
except SSL.Error as v:
|
|
|
|
|
raise NetLibError("SSL client certificate error: %s" % str(v))
|
2015-03-07 00:22:02 +00:00
|
|
|
return context
|
|
|
|
|
|
2015-05-28 15:46:44 +00:00
|
|
|
def convert_to_ssl(self, sni=None, alpn_protos=None, **sslctx_kwargs):
|
2015-03-07 00:22:02 +00:00
|
|
|
"""
|
|
|
|
|
cert: Path to a file containing both client cert and private key.
|
|
|
|
|
|
|
|
|
|
options: A bit field consisting of OpenSSL.SSL.OP_* values
|
2015-06-15 17:16:44 +00:00
|
|
|
verify_options: A bit field consisting of OpenSSL.SSL.VERIFY_* values
|
|
|
|
|
ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool
|
|
|
|
|
ca_pemfile: Path to a PEM formatted trusted CA certificate
|
2015-03-07 00:22:02 +00:00
|
|
|
"""
|
2015-05-30 00:02:58 +00:00
|
|
|
context = self.create_ssl_context(
|
|
|
|
|
alpn_protos=alpn_protos,
|
|
|
|
|
**sslctx_kwargs)
|
2012-06-25 02:42:15 +00:00
|
|
|
self.connection = SSL.Connection(context, self.connection)
|
2012-06-25 21:50:42 +00:00
|
|
|
if sni:
|
2014-02-04 03:51:41 +00:00
|
|
|
self.sni = sni
|
2012-06-25 21:50:42 +00:00
|
|
|
self.connection.set_tlsext_host_name(sni)
|
2012-06-25 02:42:15 +00:00
|
|
|
self.connection.set_connect_state()
|
2012-06-26 02:49:23 +00:00
|
|
|
try:
|
|
|
|
|
self.connection.do_handshake()
|
2015-05-27 09:18:54 +00:00
|
|
|
except SSL.Error as v:
|
2015-07-24 14:47:28 +00:00
|
|
|
if self.ssl_verification_error:
|
|
|
|
|
raise NetLibInvalidCertificateError("SSL handshake error: %s" % repr(v))
|
|
|
|
|
else:
|
|
|
|
|
raise NetLibError("SSL handshake error: %s" % repr(v))
|
2015-07-22 02:06:20 +00:00
|
|
|
|
|
|
|
|
# Fix for pre v1.0 OpenSSL, which doesn't throw an exception on
|
|
|
|
|
# certificate validation failure
|
|
|
|
|
verification_mode = sslctx_kwargs.get('verify_options', None)
|
|
|
|
|
if self.ssl_verification_error is not None and verification_mode == SSL.VERIFY_PEER:
|
2015-07-24 14:47:28 +00:00
|
|
|
raise NetLibInvalidCertificateError("SSL handshake error: certificate verify failed")
|
2015-07-22 02:06:20 +00:00
|
|
|
|
2014-10-08 16:40:46 +00:00
|
|
|
self.ssl_established = True
|
2012-06-27 22:59:03 +00:00
|
|
|
self.cert = certutils.SSLCert(self.connection.get_peer_certificate())
|
2012-09-23 22:47:41 +00:00
|
|
|
self.rfile.set_descriptor(self.connection)
|
|
|
|
|
self.wfile.set_descriptor(self.connection)
|
2012-06-25 02:42:15 +00:00
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
def connect(self):
|
|
|
|
|
try:
|
2014-01-28 16:26:35 +00:00
|
|
|
connection = socket.socket(self.address.family, socket.SOCK_STREAM)
|
2013-07-07 05:33:56 +00:00
|
|
|
if self.source_address:
|
2014-01-30 19:07:30 +00:00
|
|
|
connection.bind(self.source_address())
|
|
|
|
|
connection.connect(self.address())
|
2014-09-04 14:55:02 +00:00
|
|
|
if not self.source_address:
|
|
|
|
|
self.source_address = Address(connection.getsockname())
|
2012-09-23 23:10:21 +00:00
|
|
|
self.rfile = Reader(connection.makefile('rb', self.rbufsize))
|
|
|
|
|
self.wfile = Writer(connection.makefile('wb', self.wbufsize))
|
2015-05-27 09:18:54 +00:00
|
|
|
except (socket.error, IOError) as err:
|
2015-05-30 00:02:58 +00:00
|
|
|
raise NetLibError(
|
|
|
|
|
'Error connecting to "%s": %s' %
|
|
|
|
|
(self.address.host, err))
|
2012-06-25 02:42:15 +00:00
|
|
|
self.connection = connection
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2012-07-21 04:10:54 +00:00
|
|
|
def settimeout(self, n):
|
|
|
|
|
self.connection.settimeout(n)
|
|
|
|
|
|
|
|
|
|
def gettimeout(self):
|
2013-01-26 08:29:45 +00:00
|
|
|
return self.connection.gettimeout()
|
2012-07-21 04:10:54 +00:00
|
|
|
|
2015-05-28 15:46:44 +00:00
|
|
|
def get_alpn_proto_negotiated(self):
|
2015-06-12 13:21:23 +00:00
|
|
|
if OpenSSL._util.lib.Cryptography_HAS_ALPN and self.ssl_established:
|
2015-06-08 11:25:42 +00:00
|
|
|
return self.connection.get_alpn_proto_negotiated()
|
2015-06-12 13:21:23 +00:00
|
|
|
else:
|
2015-06-15 15:31:08 +00:00
|
|
|
return ""
|
2015-05-28 15:46:44 +00:00
|
|
|
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2014-03-02 08:37:28 +00:00
|
|
|
class BaseHandler(_Connection):
|
2015-05-27 09:18:54 +00:00
|
|
|
|
2012-06-24 23:23:04 +00:00
|
|
|
"""
|
|
|
|
|
The instantiator is expected to call the handle() and finish() methods.
|
|
|
|
|
"""
|
2014-01-28 19:30:16 +00:00
|
|
|
|
|
|
|
|
def __init__(self, connection, address, server):
|
2015-08-19 14:06:33 +00:00
|
|
|
super(BaseHandler, self).__init__(connection)
|
2014-01-28 16:26:35 +00:00
|
|
|
self.address = Address.wrap(address)
|
2014-01-28 19:30:16 +00:00
|
|
|
self.server = server
|
2013-01-20 09:13:38 +00:00
|
|
|
self.clientcert = None
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2015-03-07 00:22:02 +00:00
|
|
|
def create_ssl_context(self,
|
|
|
|
|
cert, key,
|
|
|
|
|
handle_sni=None,
|
|
|
|
|
request_client_cert=None,
|
|
|
|
|
chain_file=None,
|
|
|
|
|
dhparams=None,
|
|
|
|
|
**sslctx_kwargs):
|
2012-07-04 09:30:07 +00:00
|
|
|
"""
|
2015-06-20 19:54:03 +00:00
|
|
|
cert: A certutils.SSLCert object or the path to a certificate
|
|
|
|
|
chain file.
|
2014-09-08 22:08:56 +00:00
|
|
|
|
2013-02-25 08:11:09 +00:00
|
|
|
handle_sni: SNI handler, should take a connection object. Server
|
|
|
|
|
name can be retrieved like this:
|
|
|
|
|
|
2014-09-08 22:08:56 +00:00
|
|
|
connection.get_servername()
|
|
|
|
|
|
|
|
|
|
And you can specify the connection keys as follows:
|
2013-02-25 08:11:09 +00:00
|
|
|
|
2014-09-08 22:08:56 +00:00
|
|
|
new_context = Context(TLSv1_METHOD)
|
|
|
|
|
new_context.use_privatekey(key)
|
|
|
|
|
new_context.use_certificate(cert)
|
|
|
|
|
connection.set_context(new_context)
|
2013-05-12 20:48:21 +00:00
|
|
|
|
|
|
|
|
The request_client_cert argument requires some explanation. We're
|
|
|
|
|
supposed to be able to do this with no negative effects - if the
|
|
|
|
|
client has no cert to present, we're notified and proceed as usual.
|
|
|
|
|
Unfortunately, Android seems to have a bug (tested on 4.2.2) - when
|
|
|
|
|
an Android client is asked to present a certificate it does not
|
|
|
|
|
have, it hangs up, which is frankly bogus. Some time down the track
|
|
|
|
|
we may be able to make the proper behaviour the default again, but
|
|
|
|
|
until then we're conservative.
|
2012-07-04 09:30:07 +00:00
|
|
|
"""
|
2015-05-28 15:46:44 +00:00
|
|
|
|
2015-06-14 17:50:35 +00:00
|
|
|
context = self._create_ssl_context(**sslctx_kwargs)
|
2015-03-07 00:22:02 +00:00
|
|
|
|
|
|
|
|
context.use_privatekey(key)
|
2015-06-20 19:54:03 +00:00
|
|
|
if isinstance(cert, certutils.SSLCert):
|
|
|
|
|
context.use_certificate(cert.x509)
|
|
|
|
|
else:
|
|
|
|
|
context.use_certificate_chain_file(cert)
|
2015-03-07 00:22:02 +00:00
|
|
|
|
2013-02-25 08:11:09 +00:00
|
|
|
if handle_sni:
|
|
|
|
|
# SNI callback happens during do_handshake()
|
2015-03-07 00:22:02 +00:00
|
|
|
context.set_tlsext_servername_callback(handle_sni)
|
|
|
|
|
|
2013-05-12 20:48:21 +00:00
|
|
|
if request_client_cert:
|
2015-06-18 13:32:52 +00:00
|
|
|
def save_cert(conn_, cert, errno_, depth_, preverify_ok_):
|
2015-03-07 00:22:02 +00:00
|
|
|
self.clientcert = certutils.SSLCert(cert)
|
2013-12-07 21:15:19 +00:00
|
|
|
# Return true to prevent cert verification error
|
|
|
|
|
return True
|
2015-03-07 00:22:02 +00:00
|
|
|
context.set_verify(SSL.VERIFY_PEER, save_cert)
|
|
|
|
|
|
|
|
|
|
# Cert Verify
|
|
|
|
|
if chain_file:
|
|
|
|
|
context.load_verify_locations(chain_file)
|
|
|
|
|
|
|
|
|
|
if dhparams:
|
|
|
|
|
SSL._lib.SSL_CTX_set_tmp_dh(context._context, dhparams)
|
|
|
|
|
|
|
|
|
|
return context
|
2014-05-15 11:51:59 +00:00
|
|
|
|
2015-06-14 17:50:35 +00:00
|
|
|
def convert_to_ssl(self, cert, key, **sslctx_kwargs):
|
2014-05-15 11:51:59 +00:00
|
|
|
"""
|
|
|
|
|
Convert connection to SSL.
|
|
|
|
|
For a list of parameters, see BaseHandler._create_ssl_context(...)
|
|
|
|
|
"""
|
2015-05-28 15:46:44 +00:00
|
|
|
|
2015-05-30 00:02:58 +00:00
|
|
|
context = self.create_ssl_context(
|
|
|
|
|
cert,
|
|
|
|
|
key,
|
|
|
|
|
**sslctx_kwargs)
|
2015-03-07 00:22:02 +00:00
|
|
|
self.connection = SSL.Connection(context, self.connection)
|
2012-06-18 21:42:32 +00:00
|
|
|
self.connection.set_accept_state()
|
2012-06-26 02:49:23 +00:00
|
|
|
try:
|
|
|
|
|
self.connection.do_handshake()
|
2015-05-27 09:18:54 +00:00
|
|
|
except SSL.Error as v:
|
|
|
|
|
raise NetLibError("SSL handshake error: %s" % repr(v))
|
2014-10-08 16:40:46 +00:00
|
|
|
self.ssl_established = True
|
2012-09-23 22:47:41 +00:00
|
|
|
self.rfile.set_descriptor(self.connection)
|
|
|
|
|
self.wfile.set_descriptor(self.connection)
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2015-03-07 00:22:02 +00:00
|
|
|
def handle(self): # pragma: no cover
|
2012-06-18 21:42:32 +00:00
|
|
|
raise NotImplementedError
|
|
|
|
|
|
2012-09-30 22:30:02 +00:00
|
|
|
def settimeout(self, n):
|
|
|
|
|
self.connection.settimeout(n)
|
|
|
|
|
|
2015-06-11 13:37:17 +00:00
|
|
|
def get_alpn_proto_negotiated(self):
|
|
|
|
|
if OpenSSL._util.lib.Cryptography_HAS_ALPN and self.ssl_established:
|
|
|
|
|
return self.connection.get_alpn_proto_negotiated()
|
2015-06-12 13:21:23 +00:00
|
|
|
else:
|
2015-06-15 15:31:08 +00:00
|
|
|
return ""
|
2015-06-11 13:37:17 +00:00
|
|
|
|
2012-07-20 02:43:51 +00:00
|
|
|
|
2014-02-15 22:16:28 +00:00
|
|
|
class TCPServer(object):
|
2012-06-18 21:42:32 +00:00
|
|
|
request_queue_size = 20
|
2015-03-07 00:22:02 +00:00
|
|
|
|
2014-01-28 16:26:35 +00:00
|
|
|
def __init__(self, address):
|
|
|
|
|
self.address = Address.wrap(address)
|
2012-06-18 21:42:32 +00:00
|
|
|
self.__is_shut_down = threading.Event()
|
|
|
|
|
self.__shutdown_request = False
|
2014-01-28 16:26:35 +00:00
|
|
|
self.socket = socket.socket(self.address.family, socket.SOCK_STREAM)
|
2012-06-18 21:42:32 +00:00
|
|
|
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
2014-01-30 19:07:30 +00:00
|
|
|
self.socket.bind(self.address())
|
2014-01-28 16:26:35 +00:00
|
|
|
self.address = Address.wrap(self.socket.getsockname())
|
2012-06-18 21:42:32 +00:00
|
|
|
self.socket.listen(self.request_queue_size)
|
|
|
|
|
|
2014-01-09 00:57:37 +00:00
|
|
|
def connection_thread(self, connection, client_address):
|
2014-01-28 16:26:35 +00:00
|
|
|
client_address = Address(client_address)
|
2012-06-18 21:42:32 +00:00
|
|
|
try:
|
2014-01-09 00:57:37 +00:00
|
|
|
self.handle_client_connection(connection, client_address)
|
2012-06-18 21:42:32 +00:00
|
|
|
except:
|
2014-01-09 00:57:37 +00:00
|
|
|
self.handle_error(connection, client_address)
|
|
|
|
|
finally:
|
2014-10-22 15:54:20 +00:00
|
|
|
close_socket(connection)
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2012-06-19 23:01:40 +00:00
|
|
|
def serve_forever(self, poll_interval=0.1):
|
2012-06-18 21:42:32 +00:00
|
|
|
self.__is_shut_down.clear()
|
|
|
|
|
try:
|
|
|
|
|
while not self.__shutdown_request:
|
2013-08-24 22:22:09 +00:00
|
|
|
try:
|
2015-06-18 13:32:52 +00:00
|
|
|
r, w_, e_ = select.select(
|
2015-05-30 00:02:58 +00:00
|
|
|
[self.socket], [], [], poll_interval)
|
2015-03-07 00:22:02 +00:00
|
|
|
except select.error as ex: # pragma: no cover
|
2015-04-09 00:09:33 +00:00
|
|
|
if ex[0] == EINTR:
|
|
|
|
|
continue
|
|
|
|
|
else:
|
|
|
|
|
raise
|
2012-06-18 21:42:32 +00:00
|
|
|
if self.socket in r:
|
2014-01-09 00:57:37 +00:00
|
|
|
connection, client_address = self.socket.accept()
|
2013-01-27 06:21:18 +00:00
|
|
|
t = threading.Thread(
|
2015-03-07 00:22:02 +00:00
|
|
|
target=self.connection_thread,
|
|
|
|
|
args=(connection, client_address),
|
|
|
|
|
name="ConnectionThread (%s:%s -> %s:%s)" %
|
|
|
|
|
(client_address[0], client_address[1],
|
|
|
|
|
self.address.host, self.address.port)
|
|
|
|
|
)
|
2013-01-27 06:21:18 +00:00
|
|
|
t.setDaemon(1)
|
2015-04-08 22:12:41 +00:00
|
|
|
try:
|
|
|
|
|
t.start()
|
|
|
|
|
except threading.ThreadError:
|
|
|
|
|
self.handle_error(connection, Address(client_address))
|
|
|
|
|
connection.close()
|
2012-06-18 21:42:32 +00:00
|
|
|
finally:
|
|
|
|
|
self.__shutdown_request = False
|
|
|
|
|
self.__is_shut_down.set()
|
|
|
|
|
|
|
|
|
|
def shutdown(self):
|
|
|
|
|
self.__shutdown_request = True
|
|
|
|
|
self.__is_shut_down.wait()
|
2012-06-19 22:51:02 +00:00
|
|
|
self.socket.close()
|
2012-06-18 21:42:32 +00:00
|
|
|
self.handle_shutdown()
|
|
|
|
|
|
2015-06-18 13:32:52 +00:00
|
|
|
def handle_error(self, connection_, client_address, fp=sys.stderr):
|
2012-06-18 21:42:32 +00:00
|
|
|
"""
|
2014-01-09 00:57:37 +00:00
|
|
|
Called when handle_client_connection raises an exception.
|
2012-06-18 21:42:32 +00:00
|
|
|
"""
|
2012-07-10 04:22:45 +00:00
|
|
|
# If a thread has persisted after interpreter exit, the module might be
|
2012-07-20 02:43:51 +00:00
|
|
|
# none.
|
2012-07-10 04:22:45 +00:00
|
|
|
if traceback:
|
|
|
|
|
exc = traceback.format_exc()
|
2014-09-28 01:15:26 +00:00
|
|
|
print('-' * 40, file=fp)
|
2014-09-06 23:24:41 +00:00
|
|
|
print(
|
|
|
|
|
"Error in processing of request from %s:%s" % (
|
|
|
|
|
client_address.host, client_address.port
|
|
|
|
|
), file=fp)
|
2014-09-03 15:15:50 +00:00
|
|
|
print(exc, file=fp)
|
2014-09-28 01:15:26 +00:00
|
|
|
print('-' * 40, file=fp)
|
2012-06-18 21:42:32 +00:00
|
|
|
|
2014-02-15 22:16:28 +00:00
|
|
|
def handle_client_connection(self, conn, client_address): # pragma: no cover
|
2012-06-18 21:42:32 +00:00
|
|
|
"""
|
|
|
|
|
Called after client connection.
|
|
|
|
|
"""
|
|
|
|
|
raise NotImplementedError
|
|
|
|
|
|
|
|
|
|
def handle_shutdown(self):
|
|
|
|
|
"""
|
|
|
|
|
Called after server shutdown.
|
|
|
|
|
"""
|
