| # Wrapper module for _ssl, providing some additional facilities |
| # implemented in Python. Written by Bill Janssen. |
| |
| """\ |
| This module provides some more Pythonic support for SSL. |
| |
| Object types: |
| |
| SSLSocket -- subtype of socket.socket which does SSL over the socket |
| |
| Exceptions: |
| |
| SSLError -- exception raised for I/O errors |
| |
| Functions: |
| |
| cert_time_to_seconds -- convert time string used for certificate |
| notBefore and notAfter functions to integer |
| seconds past the Epoch (the time values |
| returned from time.time()) |
| |
| fetch_server_certificate (HOST, PORT) -- fetch the certificate provided |
| by the server running on HOST at port PORT. No |
| validation of the certificate is performed. |
| |
| Integer constants: |
| |
| SSL_ERROR_ZERO_RETURN |
| SSL_ERROR_WANT_READ |
| SSL_ERROR_WANT_WRITE |
| SSL_ERROR_WANT_X509_LOOKUP |
| SSL_ERROR_SYSCALL |
| SSL_ERROR_SSL |
| SSL_ERROR_WANT_CONNECT |
| |
| SSL_ERROR_EOF |
| SSL_ERROR_INVALID_ERROR_CODE |
| |
| The following group define certificate requirements that one side is |
| allowing/requiring from the other side: |
| |
| CERT_NONE - no certificates from the other side are required (or will |
| be looked at if provided) |
| CERT_OPTIONAL - certificates are not required, but if provided will be |
| validated, and if validation fails, the connection will |
| also fail |
| CERT_REQUIRED - certificates are required, and will be validated, and |
| if validation fails, the connection will also fail |
| |
| The following constants identify various SSL protocol variants: |
| |
| PROTOCOL_SSLv2 |
| PROTOCOL_SSLv3 |
| PROTOCOL_SSLv23 |
| PROTOCOL_TLSv1 |
| """ |
| |
| import os, sys |
| |
| import _ssl # if we can't import it, let the error propagate |
| |
| from _ssl import SSLError |
| from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED |
| from _ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1 |
| from _ssl import RAND_status, RAND_egd, RAND_add |
| from _ssl import \ |
| SSL_ERROR_ZERO_RETURN, \ |
| SSL_ERROR_WANT_READ, \ |
| SSL_ERROR_WANT_WRITE, \ |
| SSL_ERROR_WANT_X509_LOOKUP, \ |
| SSL_ERROR_SYSCALL, \ |
| SSL_ERROR_SSL, \ |
| SSL_ERROR_WANT_CONNECT, \ |
| SSL_ERROR_EOF, \ |
| SSL_ERROR_INVALID_ERROR_CODE |
| |
| from socket import socket |
| from socket import getnameinfo as _getnameinfo |
| |
| def get_protocol_name (protocol_code): |
| if protocol_code == PROTOCOL_TLSv1: |
| return "TLSv1" |
| elif protocol_code == PROTOCOL_SSLv23: |
| return "SSLv23" |
| elif protocol_code == PROTOCOL_SSLv2: |
| return "SSLv2" |
| elif protocol_code == PROTOCOL_SSLv3: |
| return "SSLv3" |
| else: |
| return "<unknown>" |
| |
| |
| class SSLSocket (socket): |
| |
| """This class implements a subtype of socket.socket that wraps |
| the underlying OS socket in an SSL context when necessary, and |
| provides read and write methods over that channel.""" |
| |
| def __init__(self, sock, keyfile=None, certfile=None, |
| server_side=False, cert_reqs=CERT_NONE, |
| ssl_version=PROTOCOL_SSLv23, ca_certs=None): |
| socket.__init__(self, _sock=sock._sock) |
| if certfile and not keyfile: |
| keyfile = certfile |
| # see if it's connected |
| try: |
| socket.getpeername(self) |
| except: |
| # no, no connection yet |
| self._sslobj = None |
| else: |
| # yes, create the SSL object |
| self._sslobj = _ssl.sslwrap(self._sock, server_side, |
| keyfile, certfile, |
| cert_reqs, ssl_version, ca_certs) |
| self.keyfile = keyfile |
| self.certfile = certfile |
| self.cert_reqs = cert_reqs |
| self.ssl_version = ssl_version |
| self.ca_certs = ca_certs |
| |
| def read(self, len=1024): |
| |
| """Read up to LEN bytes and return them. |
| Return zero-length string on EOF.""" |
| |
| return self._sslobj.read(len) |
| |
| def write(self, data): |
| |
| """Write DATA to the underlying SSL channel. Returns |
| number of bytes of DATA actually transmitted.""" |
| |
| return self._sslobj.write(data) |
| |
| def getpeercert(self, binary_form=False): |
| |
| """Returns a formatted version of the data in the |
| certificate provided by the other end of the SSL channel. |
| Return None if no certificate was provided, {} if a |
| certificate was provided, but not validated.""" |
| |
| return self._sslobj.peer_certificate(binary_form) |
| |
| def cipher (self): |
| |
| if not self._sslobj: |
| return None |
| else: |
| return self._sslobj.cipher() |
| |
| def send (self, data, flags=0): |
| if self._sslobj: |
| if flags != 0: |
| raise ValueError( |
| "non-zero flags not allowed in calls to send() on %s" % |
| self.__class__) |
| return self._sslobj.write(data) |
| else: |
| return socket.send(self, data, flags) |
| |
| def send_to (self, data, addr, flags=0): |
| if self._sslobj: |
| raise ValueError("send_to not allowed on instances of %s" % |
| self.__class__) |
| else: |
| return socket.send_to(self, data, addr, flags) |
| |
| def sendall (self, data, flags=0): |
| if self._sslobj: |
| if flags != 0: |
| raise ValueError( |
| "non-zero flags not allowed in calls to sendall() on %s" % |
| self.__class__) |
| return self._sslobj.write(data) |
| else: |
| return socket.sendall(self, data, flags) |
| |
| def recv (self, buflen=1024, flags=0): |
| if self._sslobj: |
| if flags != 0: |
| raise ValueError( |
| "non-zero flags not allowed in calls to sendall() on %s" % |
| self.__class__) |
| return self._sslobj.read(data, buflen) |
| else: |
| return socket.recv(self, buflen, flags) |
| |
| def recv_from (self, addr, buflen=1024, flags=0): |
| if self._sslobj: |
| raise ValueError("recv_from not allowed on instances of %s" % |
| self.__class__) |
| else: |
| return socket.recv_from(self, addr, buflen, flags) |
| |
| def ssl_shutdown(self): |
| |
| """Shuts down the SSL channel over this socket (if active), |
| without closing the socket connection.""" |
| |
| if self._sslobj: |
| self._sslobj.shutdown() |
| self._sslobj = None |
| |
| def shutdown(self, how): |
| self.ssl_shutdown() |
| socket.shutdown(self, how) |
| |
| def close(self): |
| self.ssl_shutdown() |
| socket.close(self) |
| |
| def connect(self, addr): |
| |
| """Connects to remote ADDR, and then wraps the connection in |
| an SSL channel.""" |
| |
| # Here we assume that the socket is client-side, and not |
| # connected at the time of the call. We connect it, then wrap it. |
| if self._sslobj: |
| raise ValueError("attempt to connect already-connected SSLSocket!") |
| socket.connect(self, addr) |
| self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, |
| self.cert_reqs, self.ssl_version, |
| self.ca_certs) |
| |
| def accept(self): |
| |
| """Accepts a new connection from a remote client, and returns |
| a tuple containing that new connection wrapped with a server-side |
| SSL channel, and the address of the remote client.""" |
| |
| newsock, addr = socket.accept(self) |
| return (SSLSocket(newsock, True, self.keyfile, self.certfile, |
| self.cert_reqs, self.ssl_version, |
| self.ca_certs), addr) |
| |
| |
| def wrap_socket(sock, keyfile=None, certfile=None, |
| server_side=False, cert_reqs=CERT_NONE, |
| ssl_version=PROTOCOL_SSLv23, ca_certs=None): |
| |
| return SSLSocket(sock, keyfile=keyfile, certfile=certfile, |
| server_side=server_side, cert_reqs=cert_reqs, |
| ssl_version=ssl_version, ca_certs=ca_certs) |
| |
| # some utility functions |
| |
| def cert_time_to_seconds(cert_time): |
| |
| """Takes a date-time string in standard ASN1_print form |
| ("MON DAY 24HOUR:MINUTE:SEC YEAR TIMEZONE") and return |
| a Python time value in seconds past the epoch.""" |
| |
| import time |
| return time.mktime(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT")) |
| |
| # a replacement for the old socket.ssl function |
| |
| def sslwrap_simple (sock, keyfile=None, certfile=None): |
| |
| """A replacement for the old socket.ssl function. Designed |
| for compability with Python 2.5 and earlier. Will disappear in |
| Python 3.0.""" |
| |
| return _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE, |
| PROTOCOL_SSLv23, None) |