ó [³XMc@s1dZddlmZmZmZddlmZmZmZyeeeƒeƒWn7e k rŽZ e e ƒdkr‚ne dƒ‚nXddl mZddlmZddlmZmZdd lmZmZdd lmZdd lmZmZd efd „ƒYZdefd„ƒYZdS(sö Implementation of a TLS transport (L{ISSLTransport}) as an L{IProtocol} layered on top of any L{ITransport} implementation, based on OpenSSL's memory BIO features. L{TLSMemoryBIOFactory} is a L{WrappingFactory} which wraps protocols created by the factory it wraps with L{TLSMemoryBIOProtocol}. L{TLSMemoryBIOProtocol} intercedes between the underlying transport and the wrapped protocol to implement SSL and TLS. Typical usage of this module looks like this:: from twisted.protocols.tls import TLSMemoryBIOFactory from twisted.internet.protocol import ServerFactory from twisted.internet.ssl import PrivateCertificate from twisted.internet import reactor from someapplication import ApplicationProtocol serverFactory = ServerFactory() serverFactory.protocol = ApplicationProtocol certificate = PrivateCertificate.loadPEM(certPEMData) contextFactory = certificate.options() tlsFactory = TLSMemoryBIOFactory(contextFactory, False, serverFactory) reactor.listenTCP(12345, tlsFactory) reactor.run() Because the reactor's SSL and TLS APIs are likely implemented in a more efficient way, it is more common to use them (see L{IReactorSSL} and L{ITLSTransport}). However, this API offers somewhat more flexibility; for example, a L{TLSMemoryBIOProtocol} instance can use another instance of L{TLSMemoryBIOProtocol} as its transport, yielding TLS over TLS - useful to implement onion routing. Or it can be used to run TLS over a UNIX socket, or over stdio to a child process. iÿÿÿÿ(tErrortZeroReturnErrort WantReadError(t TLSv1_METHODtContextt Connections3argument must be an int, or have a fileno() method.s7twisted.protocols.tls requires pyOpenSSL 0.10 or newer.(t implements(tFailure(t ISystemHandlet ISSLTransport(tCONNECTION_DONEtCONNECTION_LOST(tProtocol(tProtocolWrappertWrappingFactorytTLSMemoryBIOProtocolcBs™eZdZeeeƒd ZeZ eZ eZ e d„Z d„Zd„Zd„Zd„Zd„Zd„Zd„Zd „Zd „Zd „ZRS( s} L{TLSMemoryBIOProtocol} is a protocol wrapper which uses OpenSSL via a memory BIO to encrypt bytes written to it before sending them on to the underlying transport and decrypts bytes received from the underlying transport before delivering them to the wrapped protocol. @ivar _tlsConnection: The L{OpenSSL.SSL.Connection} instance which is encrypted and decrypting this connection. @ivar _lostConnection: A flag indicating whether connection loss has already been dealt with (C{True}) or not (C{False}). @ivar _writeBlockedOnRead: A flag indicating whether further writing must wait for data to be received (C{True}) or not (C{False}). @ivar _appSendBuffer: A C{list} of C{str} of application-level (cleartext) data which is waiting for C{_writeBlockedOnRead} to be reset to C{False} so it can be passed to and perhaps accepted by C{_tlsConnection.send}. @ivar _connectWrapped: A flag indicating whether or not to call C{makeConnection} on the wrapped protocol. This is for the reactor's L{ITLSTransport.startTLS} implementation, since it has a protocol which it has already called C{makeConnection} on, and which has no interest in a new transport. See #3821. @ivar _handshakeDone: A flag indicating whether or not the handshake is known to have completed successfully (C{True}) or not (C{False}). This is used to control error reporting behavior. If the handshake has not completed, the underlying L{OpenSSL.SSL.Error} will be passed to the application's C{connectionLost} method. If it has completed, any unexpected L{OpenSSL.SSL.Error} will be turned into a L{ConnectionLost}. This is weird; however, it is simply an attempt at a faithful re-implementation of the behavior provided by L{twisted.internet.ssl}. @ivar _reason: If an unexpected L{OpenSSL.SSL.Error} occurs which causes the connection to be lost, it is saved here. If appropriate, this may be used as the reason passed to the application protocol's C{connectionLost} method. cCs tj|||ƒ||_dS(N(R t__init__t_connectWrapped(tselftfactorytwrappedProtocolR((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyRlscCs|jS(si Return the L{OpenSSL.SSL.Connection} object being used to encrypt and decrypt this connection. This is done for the benefit of L{twisted.internet.ssl.Certificate}'s C{peerFromTransport} and C{hostFromTransport} methods only. A different system handle may be returned by future versions of this method. (t_tlsConnection(R((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyt getHandleqs cCsÅ|jjjƒ}t|dƒ|_|jjr@|jjƒn |jjƒg|_ t j ||ƒ|jj |ƒ|j r’tj ||ƒny|jjƒWntk rÀ|jƒnXdS(s Connect this wrapper to the given transport and initialize the necessary L{OpenSSL.SSL.Connection} with a memory BIO. N(Rt_contextFactoryt getContextRtNoneRt _isClienttset_connect_statetset_accept_statet_appSendBufferR tmakeConnectiontregisterProtocolRR t do_handshakeRt _flushSendBIO(Rt transportt tlsContext((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR~s     cCs>y|jjdƒ}Wntk r)nX|jj|ƒdS(sh Read any bytes out of the send BIO and write them to the underlying transport. iiNi€(Rtbio_readRR"twrite(Rtbytes((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR!¢s  cCsRxA|jsCy|jjdƒ}Wntk r6Pqtk r¦t|_|jjƒ|j r~|j dk r~|j }n t t ƒ}d|_ t j||ƒqtk r&}|jƒt|_|jddkrý|jddkrýt tƒ}n t ƒ}t j||ƒ|jjƒqXt|_t j||ƒqW|jƒdS( se Try to receive any application-level bytes which are now available because of a previous write into the receive BIO. This will take care of delivering any application-level bytes which are received to the protocol, as well as handling of the various exceptions which can come from trying to get such bytes. iiiiÿÿÿÿisUnexpected EOFNi€(t_lostConnectionRtrecvRRtTrueR"tloseConnectiont_handshakeDonet_reasonRRR R tconnectionLostRR!targsR t dataReceived(RR&tfailurete((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyt_flushReceiveBIO°s0          &  cCsƒ|jj|ƒ|jrut|_|j}g|_x|D]}|j|ƒq;W|j ru|jru|jƒqun|jƒdS(sÄ Deliver any received bytes to the receive BIO and then read and deliver to the application any application-level data which becomes available as a result of this. N( Rt bio_writet_writeBlockedOnReadtFalseRR%t disconnectingR*R2(RR&t appSendBuffer((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR/ìs     cCs'|js#|jjƒ|jƒndS(sî Handle the possible repetition of calls to this method (due to either the underlying transport going away or due to an error at the TLS layer) and make sure the base implementation only gets invoked once. N(R'Rt bio_shutdownR2(Rtreason((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR-s  cCs=t|_|js9|jjƒ|jƒ|jjƒndS(sM Send a TLS close alert and close the underlying connection. N(R)R6R4RtshutdownR!R"R*(R((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR*s     cCs±|jr dS|}x—|r¬y|jj|ƒ}WnWtk r_t|_|jj|ƒPqtk r‹}t ƒ|_ |j j ƒPqXt|_ |jƒ||}qWdS(s Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. N(R'RtsendRR)R4RtappendRRR,R"R*R+R!(RR&t leftToSendtsentR1((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR%s"        cCs|jdj|ƒƒdS(s} Write a sequence of application bytes by joining them into one string and passing them to L{write}. tN(R%tjoin(Rtiovec((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyt writeSequence=scCs |jjƒS(N(Rtget_peer_certificate(R((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pytgetPeerCertificateEsN(t__name__t __module__t__doc__RRR RR,R5R+R'R4R)RRRR!R2R/R-R*R%RBRD(((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyR;s")   $  <  # tTLSMemoryBIOFactorycBseZdZeZd„ZRS(s: L{TLSMemoryBIOFactory} adds TLS to connections. @ivar _contextFactory: The TLS context factory which will be used to define certain TLS connection parameters. @ivar _isClient: A flag which is C{True} if this is a client TLS connection, C{False} if it is a server TLS connection. cCs&tj||ƒ||_||_dS(N(RRRR(RtcontextFactorytisClienttwrappedFactory((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyRVs (RERFRGRtprotocolR(((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyRHJs N(RGt OpenSSL.SSLRRRRRRRt TypeErrorR1tstrt ImportErrortzope.interfaceRttwisted.python.failureRttwisted.internet.interfacesRR ttwisted.internet.mainR R ttwisted.internet.protocolR ttwisted.protocols.policiesR RRRH(((s9/usr/lib/python2.7/dist-packages/twisted/protocols/tls.pyt%s"ÿ