changeset e13bfb6f30c7 in /home/hg/repos/gajim

details:http://hg.gajim.org/gajim?cmd=changeset;node=e13bfb6f30c7
description: wrap IO operations on SSL.Connection objects in try; catch the SSL
exceptions caused by an SSL rehandshake request and simply ignore them, since retrying the IO
should succeed.

diffstat:

 src/common/jingle_xtls.py |    9 ++-
 src/common/socks5.py      |  117 ++++++++++++++++++++++++++++++---------------
 2 files changed, 84 insertions(+), 42 deletions(-)

diffs (219 lines):

diff -r faa3e134ebf2 -r e13bfb6f30c7 src/common/jingle_xtls.py
--- a/src/common/jingle_xtls.py Tue Jul 27 21:29:12 2010 +0800
+++ b/src/common/jingle_xtls.py Thu Jul 29 21:40:40 2010 +0800
@@ -39,13 +39,16 @@
     constructs and returns the context objects
     """
     ctx = SSL.Context(SSL.TLSv1_METHOD)
-    ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb 
or default_callback)
-    # TODO: set private key, set certificate, set verification path
+
     if fingerprint == 'server': # for testing purposes only
+        ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, 
verify_cb or default_callback)
+        
         ctx.use_privatekey_file (os.path.expanduser('~/certs/server.pkey'))
         ctx.use_certificate_file(os.path.expanduser('~/certs/server.cert'))
         ctx.load_verify_locations(os.path.expanduser('~/certs/CA.cert'))
-    elif fingerprint == 'client': 
+    elif fingerprint == 'client':
+        ctx.set_verify(SSL.VERIFY_PEER, verify_cb or default_callback)
+        
         ctx.use_privatekey_file (os.path.expanduser('~/certs/client.pkey'))
         ctx.use_certificate_file(os.path.expanduser('~/certs/client.cert'))
         ctx.load_verify_locations(os.path.expanduser('~/certs/CA.cert'))
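Review bot: A `fingerprint` value other than 'server' or 'client' now yields a context on which `set_verify` was never called and no key, certificate or CA location was loaded, whereas the removed line applied `VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT` to every context; OpenSSL's default for such a context is to not verify the peer at all. An explicit terminal branch, `else: raise ValueError('unknown fingerprint role: %r' % fingerprint)`, or keeping the unconditional `set_verify` above the branches, closes that gap; the only caller added in this changeset passes the literal 'server', so the gap is latent today. The 'client' branch dropping `VERIFY_FAIL_IF_NO_PEER_CERT` is harmless, since OpenSSL ignores that flag in client mode. The enclosing function starts before the hunk.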
diff -r faa3e134ebf2 -r e13bfb6f30c7 src/common/socks5.py
--- a/src/common/socks5.py      Tue Jul 27 21:29:12 2010 +0800
+++ b/src/common/socks5.py      Thu Jul 29 21:40:40 2010 +0800
@@ -317,7 +317,7 @@
         sock_hash = sock.__hash__()
         if sock_hash not in self.senders:
             self.senders[sock_hash] = Socks5Sender(self.idlequeue, sock_hash, 
self,
-                    sock[0], sock[1][0], sock[1][1])
+                    sock[0], sock[1][0], sock[1][1], fingerprint='server')
             self.connected += 1
 
     def process_result(self, result, actor):
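Review bot: Every Socks5Sender created here now receives `fingerprint='server'`, which according to the `__init__` hunk further down wraps the accepted socket in an SSL.Connection unconditionally, so a peer that connects without TLS would presumably fail the handshake instead of falling back to the plain SOCKS5 exchange. If plain transfers are still expected, the wrap should depend on whether XTLS was negotiated for this transfer rather than on a constant passed for every accepted connection. The enclosing method begins before the hunk.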
@@ -453,6 +453,10 @@
         received = ''
         try:
             add = self._recv(64)
+        except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError, 
+                OpenSSL.SSL.WantX509LookupError), e:
+            log.info('SSL rehandshake request : ' + repr(e))
+            raise e
         except Exception:
             add = ''
         received += add
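Review bot: `raise e` in the new except clause re-raises with a fresh traceback and discards the frame in which `_recv` failed; a bare `raise` keeps it and is the form Python 2 code should use here. The same tuple of Want* exceptions, the string-concatenated log message and `raise e` are repeated in the hunks at @@ -466, @@ -487, @@ -557 and @@ -682; one module-level `SSL_WANT_ERRORS = (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError, OpenSSL.SSL.WantX509LookupError)` used by all of them keeps the list consistent, and `log.info('SSL rehandshake request: %r', e)` defers the repr until INFO is actually enabled. The enclosing method starts before the hunk.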
@@ -466,7 +470,11 @@
         """
         try:
             self._send(raw_data)
-        except Exception:
+        except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError,
+                OpenSSL.SSL.WantX509LookupError), e:
+            log.info('SSL rehandshake request :' + repr(e))
+            raise e
+        except Exception, e:
             self.disconnect()
         return len(raw_data)
 
@@ -487,6 +495,10 @@
             lenn = 0
             try:
                 lenn = self._send(buff)
+            except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError,
+                    OpenSSL.SSL.WantX509LookupError), e:
+                log.info('SSL rehandshake request :' + repr(e))
+                raise e
             except Exception, e:
                 if e.args[0] not in (EINTR, ENOBUFS, EWOULDBLOCK):
                     # peer stopped reading
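Review bot: When `self._send(buff)` raises WantWriteError the chunk in `buff` is abandoned, and because the rest of the function and the caller's retry path lie outside this hunk it is not visible whether the next call presents the same bytes again; OpenSSL requires a retried SSL_write to be given the same buffer unless the context sets `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`, so if `buff` is refilled from the file on each call, bytes would be silently dropped from the transfer. Keeping the pending chunk on the instance, e.g. `self._pending = buff` before the send and reusing it on the next call until `lenn` covers it, makes the retry safe. The enclosing function starts before the hunk.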
@@ -557,6 +569,10 @@
                 return 0
             try:
                 buff = self._recv(MAX_BUFF_LEN)
+            except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError,
+                    OpenSSL.SSL.WantX509LookupError), e:
+                log.info('SSL rehandshake request :' + repr(e))
+                raise e
             except Exception:
                 buff = ''
             current_time = self.idlequeue.current_time()
@@ -682,7 +698,12 @@
         """
         Connect response: version, auth method
         """
-        buff = self._recv()
+        try:
+            buff = self._recv()
+        except (SSL.WantReadError, SSL.WantWriteError,
+                SSL.WantX509LookupError), e:
+            log.info("SSL rehandshake request : " + repr(e))
+            raise e
         try:
             version, method = struct.unpack('!BB', buff)
         except Exception:
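Review bot: This hunk spells the exceptions as `SSL.WantReadError` while every other hunk in the file uses `OpenSSL.SSL.WantReadError`; unless `SSL` is imported in socks5.py, which the diff does not show, the except clause itself raises NameError at the moment a rehandshake occurs, and that NameError propagates instead of the Want* error the callers expect to catch. Use the same spelling as the other hunks, `except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError, OpenSSL.SSL.WantX509LookupError), e:`. The enclosing method starts before the hunk.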
@@ -716,11 +737,15 @@
     """
 
     def __init__(self, idlequeue, sock_hash, parent, _sock, host=None,
-                    port=None):
+                    port=None, fingerprint = None):
+        self.fingerprint = fingerprint
         self.queue_idx = sock_hash
         self.queue = parent
         Socks5.__init__(self, idlequeue, host, port, None, None, None)
         self._sock = _sock
+        if not self.fingerprint is None:
+            self._sock = OpenSSL.SSL.Connection(
+                jingle_xtls.get_context('server'), self._sock)
         self._sock.setblocking(False)
         self.fd = _sock.fileno()
         self._recv = _sock.recv
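Review bot: The SSL wrapper assigned to `self._sock` is never used for IO: the context lines directly below bind `self.fd = _sock.fileno()` and `self._recv = _sock.recv` to the raw socket parameter, so reads (and presumably the `_send` binding that follows outside the hunk) bypass the TLS layer entirely while the object appears encrypted. Bind them through the wrapper, `self.fd = self._sock.fileno()` and `self._recv = self._sock.recv`, and do the same for `_send`. Separately, `get_context('server')` ignores the `fingerprint` value stored two lines above, so `self.fingerprint` should be passed instead, and `if not self.fingerprint is None` reads better as `if self.fingerprint is not None`. The enclosing class continues outside the hunk.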
@@ -782,17 +807,21 @@
 
     def pollin(self):
         if self.connected:
-            if self.state < 5:
-                result = self.main()
-                if self.state == 4:
-                    self.queue.result_sha(self.sha_msg, self.queue_idx)
-                if result == -1:
-                    self.disconnect()
-
-            elif self.state == 5:
-                if self.file_props is not None and self.file_props['type'] == 
'r':
-                    result = self.get_file_contents(0)
-                    self.queue.process_result(result, self)
+            try:
+                if self.state < 5:
+                    result = self.main()
+                    if self.state == 4:
+                        self.queue.result_sha(self.sha_msg, self.queue_idx)
+                    if result == -1:
+                        self.disconnect()
+    
+                elif self.state == 5:
+                    if self.file_props is not None and self.file_props['type'] 
== 'r':
+                        result = self.get_file_contents(0)
+                        self.queue.process_result(result, self)
+            except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError,
+                    OpenSSL.SSL.WantX509LookupError), e:
+                log.info('caught SSL exception, ignored')
         else:
             self.disconnect()
 
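Review bot: The except clause binds `e` but the log line `log.info('caught SSL exception, ignored')` records neither which Want* exception occurred nor on which transfer, which makes a stuck or repeatedly renegotiating connection hard to diagnose; `log.info('SSL rehandshake request, retrying later: %r', e)` keeps that information at no cost. Nothing in this hunk bounds how often a peer may trigger a rehandshake, so a per-sender counter with a disconnect past a small limit is worth considering on this server-side path. The new line after `self.disconnect()` inside the try consists only of whitespace (`+    `) and will trip whitespace linters. The enclosing class continues outside the hunk.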
@@ -1028,19 +1057,24 @@
 
     def pollout(self):
         self.idlequeue.remove_timeout(self.fd)
-        if self.state == 0:
-            self.do_connect()
-            return
-        elif self.state == 1: # send initially: version and auth types
-            self.send_raw(self._get_auth_buff())
-        elif self.state == 3: # send 'connect' request
-            self.send_raw(self._get_request_buff(self._get_sha1_auth()))
-        elif self.file_props['type'] != 'r':
-            if self.file_props['paused']:
-                self.idlequeue.plug_idle(self, False, False)
+        try:
+            if self.state == 0:
+                self.do_connect()
                 return
-            result = self.write_next()
-            self.queue.process_result(result, self)
+            elif self.state == 1: # send initially: version and auth types
+                self.send_raw(self._get_auth_buff())
+            elif self.state == 3: # send 'connect' request
+                self.send_raw(self._get_request_buff(self._get_sha1_auth()))
+            elif self.file_props['type'] != 'r':
+                if self.file_props['paused']:
+                    self.idlequeue.plug_idle(self, False, False)
+                    return
+                result = self.write_next()
+                self.queue.process_result(result, self)
+                return
+        except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError,
+                OpenSSL.SSL.WantX509LookupError), e:
+            log.info('caught SSL exception, ignored')
             return
         self.state += 1
         # unplug and plug for reading
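Review bot: The new except clause treats WantReadError and WantWriteError alike and returns with `self.state` unchanged, which is the right retry for WantWriteError on this write path but not for WantReadError, where OpenSSL needs the socket to become readable before the same `_send` is retried; with interest left on writability, `pollout` is presumably invoked again immediately and spins until peer data arrives. The mirror problem exists in the pollin hunks at @@ -782 and @@ -1059, where a WantWriteError needs write interest. Replugging the socket for the direction the exception names (read interest for WantReadError, write interest for WantWriteError, via `plug_idle`) before returning, and restoring the previous interest once the retried call succeeds, would avoid the busy loop. `e` is bound but unused in the handler; log it with `log.info('SSL rehandshake request, retrying later: %r', e)` or drop the binding.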
@@ -1059,19 +1093,24 @@
     def pollin(self):
         self.idlequeue.remove_timeout(self.fd)
         if self.connected:
-            if self.file_props['paused']:
-                self.idlequeue.plug_idle(self, False, False)
+            try:
+                if self.file_props['paused']:
+                    self.idlequeue.plug_idle(self, False, False)
+                    return
+                if self.state < 5:
+                    self.idlequeue.set_read_timeout(self.fd, CONNECT_TIMEOUT)
+                    result = self.main(0)
+                    self.queue.process_result(result, self)
+                elif self.state == 5: # wait for proxy reply
+                    pass
+                elif self.file_props['type'] == 'r':
+                    self.idlequeue.set_read_timeout(self.fd, STALLED_TIMEOUT)
+                    result = self.get_file_contents(0)
+                    self.queue.process_result(result, self)
+            except (OpenSSL.SSL.WantReadError, OpenSSL.SSL.WantWriteError,
+                    OpenSSL.SSL.WantX509LookupError), e:
+                log.info('caught SSL exception, ignored')
                 return
-            if self.state < 5:
-                self.idlequeue.set_read_timeout(self.fd, CONNECT_TIMEOUT)
-                result = self.main(0)
-                self.queue.process_result(result, self)
-            elif self.state == 5: # wait for proxy reply
-                pass
-            elif self.file_props['type'] == 'r':
-                self.idlequeue.set_read_timeout(self.fd, STALLED_TIMEOUT)
-                result = self.get_file_contents(0)
-                self.queue.process_result(result, self)
         else:
             self.disconnect()
 