Merged revisions 58095-58132,58136-58148,58151-58197 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r58096 | brett.cannon | 2007-09-10 23:38:27 +0200 (Mon, 10 Sep 2007) | 4 lines
Fix a possible segfault from recursing too deep to get the repr of a list.
Closes issue #1096.
........
r58097 | bill.janssen | 2007-09-10 23:51:02 +0200 (Mon, 10 Sep 2007) | 33 lines
More work on SSL support.
* Much expanded test suite:
All protocols tested against all other protocols.
All protocols tested with all certificate options.
Tests for bad key and bad cert.
Test of STARTTLS functionality.
Test of RAND_* functions.
* Fixes for threading/malloc bug.
* Issue 1065 fixed:
sslsocket class renamed to SSLSocket.
sslerror class renamed to SSLError.
Function "wrap_socket" now used to wrap an existing socket.
* Issue 1583946 finally fixed:
Support for subjectAltName added.
Subject name now returned as proper DN list of RDNs.
* SSLError exported from socket as "sslerror".
* RAND_* functions properly exported from ssl.py.
* Documentation improved:
Example of how to create a self-signed certificate.
Better indexing.
........
r58098 | guido.van.rossum | 2007-09-11 00:02:25 +0200 (Tue, 11 Sep 2007) | 9 lines
Patch # 1140 (my code, approved by Effbot).
Make sure the type of the return value of re.sub(x, y, z) is the type
of y+x (i.e. unicode if either is unicode, str if they are both str)
even if there are no substitutions or if x==z (which triggered various
special cases in join_list()).
Could be backported to 2.5; no need to port to 3.0.
........
r58099 | guido.van.rossum | 2007-09-11 00:36:02 +0200 (Tue, 11 Sep 2007) | 8 lines
Patch # 1026 by Benjamin Aranguren (with Alex Martelli):
Backport abc.py and isinstance/issubclass overloading to 2.6.
I had to backport test_typechecks.py myself, and make one small change
to abc.py to avoid duplicate work when x.__class__ and type(x) are the
same.
........
r58100 | bill.janssen | 2007-09-11 01:41:24 +0200 (Tue, 11 Sep 2007) | 3 lines
A better way of finding an open port to test with.
........
r58101 | bill.janssen | 2007-09-11 03:09:19 +0200 (Tue, 11 Sep 2007) | 4 lines
Make sure test_ssl doesn't reference the ssl module in a
context where it can't be imported.
........
r58102 | bill.janssen | 2007-09-11 04:42:07 +0200 (Tue, 11 Sep 2007) | 3 lines
Fix some documentation bugs.
........
r58103 | nick.coghlan | 2007-09-11 16:01:18 +0200 (Tue, 11 Sep 2007) | 1 line
Always use the -E flag when spawning subprocesses in test_cmd_line (Issue 1056)
........
r58106 | thomas.heller | 2007-09-11 21:17:48 +0200 (Tue, 11 Sep 2007) | 3 lines
Disable some tests that fail on the 'ppc Debian unstable' buildbot to
find out if they cause the segfault on the 'alpha Debian' machine.
........
r58108 | brett.cannon | 2007-09-11 23:02:28 +0200 (Tue, 11 Sep 2007) | 6 lines
Generators had their throw() method allowing string exceptions. That's a
no-no.
Fixes issue #1147. Need to fix 2.5 to raise a proper warning if a string
exception is passed in.
........
r58112 | georg.brandl | 2007-09-12 20:03:51 +0200 (Wed, 12 Sep 2007) | 3 lines
New documentation page for the bdb module.
(This doesn't need to be merged to Py3k.)
........
r58114 | georg.brandl | 2007-09-12 20:05:57 +0200 (Wed, 12 Sep 2007) | 2 lines
Bug #1152: use non-deprecated name in example.
........
r58115 | georg.brandl | 2007-09-12 20:08:33 +0200 (Wed, 12 Sep 2007) | 2 lines
Fix #1122: wrong return type documented for various _Size() functions.
........
r58117 | georg.brandl | 2007-09-12 20:10:56 +0200 (Wed, 12 Sep 2007) | 2 lines
Fix #1139: PyFile_Encoding really is PyFile_SetEncoding.
........
r58119 | georg.brandl | 2007-09-12 20:29:18 +0200 (Wed, 12 Sep 2007) | 2 lines
bug #1154: release memory allocated by "es" PyArg_ParseTuple format specifier.
........
r58121 | bill.janssen | 2007-09-12 20:52:05 +0200 (Wed, 12 Sep 2007) | 1 line
root certificate for https://svn.python.org/, used in test_ssl
........
r58122 | georg.brandl | 2007-09-12 21:00:07 +0200 (Wed, 12 Sep 2007) | 3 lines
Bug #1153: repr.repr() now doesn't require set and dictionary items
to be orderable to properly represent them.
........
r58125 | georg.brandl | 2007-09-12 21:29:28 +0200 (Wed, 12 Sep 2007) | 4 lines
#1120: put explicit version in the shebang lines of pydoc, idle
and smtpd.py scripts that are installed by setup.py. That way, they
work when only "make altinstall" is used.
........
r58139 | mark.summerfield | 2007-09-13 16:54:30 +0200 (Thu, 13 Sep 2007) | 9 lines
Replaced variable o with obj in operator.rst because o is easy to
confuse.
Added a note about Python 3's collections.Mapping etc., above section
that describes isMappingType() etc.
Added xrefs between os, os.path, fileinput, and open().
........
r58143 | facundo.batista | 2007-09-13 20:13:15 +0200 (Thu, 13 Sep 2007) | 7 lines
Merged the decimal-branch (revisions 54886 to 58140). Decimal is now
fully updated to the latests Decimal Specification (v1.66) and the
latests test cases (v2.56).
Thanks to Mark Dickinson for all his help during this process.
........
r58145 | facundo.batista | 2007-09-13 20:42:09 +0200 (Thu, 13 Sep 2007) | 7 lines
Put the parameter watchexp back in (changed watchexp from an int
to a bool). Also second argument to watchexp is now converted
to Decimal, just as with all the other two-argument operations.
Thanks Mark Dickinson.
........
r58147 | andrew.kuchling | 2007-09-14 00:49:34 +0200 (Fri, 14 Sep 2007) | 1 line
Add various items
........
r58148 | andrew.kuchling | 2007-09-14 00:50:10 +0200 (Fri, 14 Sep 2007) | 1 line
Make target unique
........
r58154 | facundo.batista | 2007-09-14 20:58:34 +0200 (Fri, 14 Sep 2007) | 3 lines
Included the new functions, and new descriptions.
........
r58155 | thomas.heller | 2007-09-14 21:40:35 +0200 (Fri, 14 Sep 2007) | 2 lines
ctypes.util.find_library uses dump(1) instead of objdump(1) on Solaris.
Fixes issue #1777530; will backport to release25-maint.
........
r58159 | facundo.batista | 2007-09-14 23:29:52 +0200 (Fri, 14 Sep 2007) | 3 lines
Some additions (examples and a bit on the tutorial).
........
r58160 | georg.brandl | 2007-09-15 18:53:36 +0200 (Sat, 15 Sep 2007) | 2 lines
Remove bdb from the "undocumented modules" list.
........
r58164 | bill.janssen | 2007-09-17 00:06:00 +0200 (Mon, 17 Sep 2007) | 15 lines
Add support for asyncore server-side SSL support. This requires
adding the 'makefile' method to ssl.SSLSocket, and importing the
requisite fakefile class from socket.py, and making the appropriate
changes to it to make it use the SSL connection.
Added sample HTTPS server to test_ssl.py, and test that uses it.
Change SSL tests to use https://svn.python.org/, instead of
www.sf.net and pop.gmail.com.
Added utility function to ssl module, get_server_certificate,
to wrap up the several things to be done to pull a certificate
from a remote server.
........
r58173 | bill.janssen | 2007-09-17 01:16:46 +0200 (Mon, 17 Sep 2007) | 1 line
use binary mode when reading files for testAsyncore to make Windows happy
........
r58175 | raymond.hettinger | 2007-09-17 02:55:00 +0200 (Mon, 17 Sep 2007) | 7 lines
Sync-up named tuples with the latest version of the ASPN recipe.
Allows optional commas in the field-name spec (help when named tuples are used in conjuction with sql queries).
Adds the __fields__ attribute for introspection and to support conversion to dictionary form.
Adds a __replace__() method similar to str.replace() but using a named field as a target.
Clean-up spelling and presentation in doc-strings.
........
r58176 | brett.cannon | 2007-09-17 05:28:34 +0200 (Mon, 17 Sep 2007) | 5 lines
Add a bunch of GIL release/acquire points in tp_print implementations and for
PyObject_Print().
Closes issue #1164.
........
r58177 | sean.reifschneider | 2007-09-17 07:45:04 +0200 (Mon, 17 Sep 2007) | 2 lines
issue1597011: Fix for bz2 module corner-case error due to error checking bug.
........
r58180 | facundo.batista | 2007-09-17 18:26:50 +0200 (Mon, 17 Sep 2007) | 3 lines
Decimal is updated, :)
........
r58181 | facundo.batista | 2007-09-17 19:30:13 +0200 (Mon, 17 Sep 2007) | 5 lines
The methods always return Decimal classes, even if they're
executed through a subclass (thanks Mark Dickinson).
Added a bit of testing for this.
........
r58183 | sean.reifschneider | 2007-09-17 22:53:21 +0200 (Mon, 17 Sep 2007) | 2 lines
issue1082: Fixing platform and system for Vista.
........
r58185 | andrew.kuchling | 2007-09-18 03:36:16 +0200 (Tue, 18 Sep 2007) | 1 line
Add item; sort properly
........
r58186 | raymond.hettinger | 2007-09-18 05:33:19 +0200 (Tue, 18 Sep 2007) | 1 line
Handle corner cased on 0-tuples and 1-tuples. Add verbose option so people can see how it works.
........
r58192 | georg.brandl | 2007-09-18 09:24:40 +0200 (Tue, 18 Sep 2007) | 2 lines
A bit of reordering, also show more subheadings in the lang ref index.
........
r58193 | facundo.batista | 2007-09-18 18:53:18 +0200 (Tue, 18 Sep 2007) | 4 lines
Speed up of the various division operations (remainder, divide,
divideint and divmod). Thanks Mark Dickinson.
........
r58197 | raymond.hettinger | 2007-09-19 00:18:02 +0200 (Wed, 19 Sep 2007) | 1 line
Cleanup docs for NamedTuple.
........
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 388c931..9a120f2 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -8,11 +8,11 @@
Object types:
- sslsocket -- subtype of socket.socket which does SSL over the socket
+ SSLSocket -- subtype of socket.socket which does SSL over the socket
Exceptions:
- sslerror -- exception raised for I/O errors
+ SSLError -- exception raised for I/O errors
Functions:
@@ -57,12 +57,14 @@
PROTOCOL_TLSv1
"""
-import os, sys
+import os, sys, textwrap
import _ssl # if we can't import it, let the error propagate
-from _ssl import sslerror
+
+from _ssl import SSLError
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
from _ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
+from _ssl import RAND_status, RAND_egd, RAND_add
from _ssl import \
SSL_ERROR_ZERO_RETURN, \
SSL_ERROR_WANT_READ, \
@@ -76,9 +78,9 @@
from socket import socket
from socket import getnameinfo as _getnameinfo
+import base64 # for DER-to-PEM translation
-
-class sslsocket (socket):
+class SSLSocket (socket):
"""This class implements a subtype of socket.socket that wraps
the underlying OS socket in an SSL context when necessary, and
@@ -121,14 +123,21 @@
return self._sslobj.write(data)
- def getpeercert(self):
+ def getpeercert(self, binary_form=False):
"""Returns a formatted version of the data in the
certificate provided by the other end of the SSL channel.
Return None if no certificate was provided, {} if a
certificate was provided, but not validated."""
- return self._sslobj.peer_certificate()
+ return self._sslobj.peer_certificate(binary_form)
+
+ def cipher (self):
+
+ if not self._sslobj:
+ return None
+ else:
+ return self._sslobj.cipher()
def send (self, data, flags=0):
if self._sslobj:
@@ -174,21 +183,12 @@
else:
return socket.recv_from(self, addr, buflen, flags)
- def ssl_shutdown(self):
-
- """Shuts down the SSL channel over this socket (if active),
- without closing the socket connection."""
-
- if self._sslobj:
- self._sslobj.shutdown()
- self._sslobj = None
-
def shutdown(self, how):
- self.ssl_shutdown()
+ self._sslobj = None
socket.shutdown(self, how)
def close(self):
- self.ssl_shutdown()
+ self._sslobj = None
socket.close(self)
def connect(self, addr):
@@ -199,7 +199,7 @@
# Here we assume that the socket is client-side, and not
# connected at the time of the call. We connect it, then wrap it.
if self._sslobj:
- raise ValueError("attempt to connect already-connected sslsocket!")
+ raise ValueError("attempt to connect already-connected SSLSocket!")
socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
self.cert_reqs, self.ssl_version,
@@ -212,11 +212,261 @@
SSL channel, and the address of the remote client."""
newsock, addr = socket.accept(self)
- return (sslsocket(newsock, True, self.keyfile, self.certfile,
- self.cert_reqs, self.ssl_version,
- self.ca_certs), addr)
+ return (SSLSocket(newsock, True, self.keyfile, self.certfile,
+ self.cert_reqs, self.ssl_version,
+ self.ca_certs), addr)
+ def makefile(self, mode='r', bufsize=-1):
+
+ """Ouch. Need to make and return a file-like object that
+ works with the SSL connection."""
+
+ if self._sslobj:
+ return SSLFileStream(self._sslobj, mode, bufsize)
+ else:
+ return socket.makefile(self, mode, bufsize)
+
+
+class SSLFileStream:
+
+ """A class to simulate a file stream on top of a socket.
+ Most of this is just lifted from the socket module, and
+ adjusted to work with an SSL stream instead of a socket."""
+
+
+ default_bufsize = 8192
+ name = "<SSL stream>"
+
+ __slots__ = ["mode", "bufsize", "softspace",
+ # "closed" is a property, see below
+ "_sslobj", "_rbufsize", "_wbufsize", "_rbuf", "_wbuf",
+ "_close", "_fileno"]
+
+ def __init__(self, sslobj, mode='rb', bufsize=-1, close=False):
+ self._sslobj = sslobj
+ self.mode = mode # Not actually used in this version
+ if bufsize < 0:
+ bufsize = self.default_bufsize
+ self.bufsize = bufsize
+ self.softspace = False
+ if bufsize == 0:
+ self._rbufsize = 1
+ elif bufsize == 1:
+ self._rbufsize = self.default_bufsize
+ else:
+ self._rbufsize = bufsize
+ self._wbufsize = bufsize
+ self._rbuf = "" # A string
+ self._wbuf = [] # A list of strings
+ self._close = close
+ self._fileno = -1
+
+ def _getclosed(self):
+ return self._sslobj is None
+ closed = property(_getclosed, doc="True if the file is closed")
+
+ def fileno(self):
+ return self._fileno
+
+ def close(self):
+ try:
+ if self._sslobj:
+ self.flush()
+ finally:
+ if self._close and self._sslobj:
+ self._sslobj.close()
+ self._sslobj = None
+
+ def __del__(self):
+ try:
+ self.close()
+ except:
+ # close() may fail if __init__ didn't complete
+ pass
+
+ def flush(self):
+ if self._wbuf:
+ buffer = "".join(self._wbuf)
+ self._wbuf = []
+ count = 0
+ while (count < len(buffer)):
+ written = self._sslobj.write(buffer)
+ count += written
+ buffer = buffer[written:]
+
+ def write(self, data):
+ data = str(data) # XXX Should really reject non-string non-buffers
+ if not data:
+ return
+ self._wbuf.append(data)
+ if (self._wbufsize == 0 or
+ self._wbufsize == 1 and '\n' in data or
+ self._get_wbuf_len() >= self._wbufsize):
+ self.flush()
+
+ def writelines(self, list):
+ # XXX We could do better here for very long lists
+ # XXX Should really reject non-string non-buffers
+ self._wbuf.extend(filter(None, map(str, list)))
+ if (self._wbufsize <= 1 or
+ self._get_wbuf_len() >= self._wbufsize):
+ self.flush()
+
+ def _get_wbuf_len(self):
+ buf_len = 0
+ for x in self._wbuf:
+ buf_len += len(x)
+ return buf_len
+
+ def read(self, size=-1):
+ data = self._rbuf
+ if size < 0:
+ # Read until EOF
+ buffers = []
+ if data:
+ buffers.append(data)
+ self._rbuf = ""
+ if self._rbufsize <= 1:
+ recv_size = self.default_bufsize
+ else:
+ recv_size = self._rbufsize
+ while True:
+ data = self._sslobj.read(recv_size)
+ if not data:
+ break
+ buffers.append(data)
+ return "".join(buffers)
+ else:
+ # Read until size bytes or EOF seen, whichever comes first
+ buf_len = len(data)
+ if buf_len >= size:
+ self._rbuf = data[size:]
+ return data[:size]
+ buffers = []
+ if data:
+ buffers.append(data)
+ self._rbuf = ""
+ while True:
+ left = size - buf_len
+ recv_size = max(self._rbufsize, left)
+ data = self._sslobj.read(recv_size)
+ if not data:
+ break
+ buffers.append(data)
+ n = len(data)
+ if n >= left:
+ self._rbuf = data[left:]
+ buffers[-1] = data[:left]
+ break
+ buf_len += n
+ return "".join(buffers)
+
+ def readline(self, size=-1):
+ data = self._rbuf
+ if size < 0:
+ # Read until \n or EOF, whichever comes first
+ if self._rbufsize <= 1:
+ # Speed up unbuffered case
+ assert data == ""
+ buffers = []
+ while data != "\n":
+ data = self._sslobj.read(1)
+ if not data:
+ break
+ buffers.append(data)
+ return "".join(buffers)
+ nl = data.find('\n')
+ if nl >= 0:
+ nl += 1
+ self._rbuf = data[nl:]
+ return data[:nl]
+ buffers = []
+ if data:
+ buffers.append(data)
+ self._rbuf = ""
+ while True:
+ data = self._sslobj.read(self._rbufsize)
+ if not data:
+ break
+ buffers.append(data)
+ nl = data.find('\n')
+ if nl >= 0:
+ nl += 1
+ self._rbuf = data[nl:]
+ buffers[-1] = data[:nl]
+ break
+ return "".join(buffers)
+ else:
+ # Read until size bytes or \n or EOF seen, whichever comes first
+ nl = data.find('\n', 0, size)
+ if nl >= 0:
+ nl += 1
+ self._rbuf = data[nl:]
+ return data[:nl]
+ buf_len = len(data)
+ if buf_len >= size:
+ self._rbuf = data[size:]
+ return data[:size]
+ buffers = []
+ if data:
+ buffers.append(data)
+ self._rbuf = ""
+ while True:
+ data = self._sslobj.read(self._rbufsize)
+ if not data:
+ break
+ buffers.append(data)
+ left = size - buf_len
+ nl = data.find('\n', 0, left)
+ if nl >= 0:
+ nl += 1
+ self._rbuf = data[nl:]
+ buffers[-1] = data[:nl]
+ break
+ n = len(data)
+ if n >= left:
+ self._rbuf = data[left:]
+ buffers[-1] = data[:left]
+ break
+ buf_len += n
+ return "".join(buffers)
+
+ def readlines(self, sizehint=0):
+ total = 0
+ list = []
+ while True:
+ line = self.readline()
+ if not line:
+ break
+ list.append(line)
+ total += len(line)
+ if sizehint and total >= sizehint:
+ break
+ return list
+
+ # Iterator protocols
+
+ def __iter__(self):
+ return self
+
+ def next(self):
+ line = self.readline()
+ if not line:
+ raise StopIteration
+ return line
+
+
+
+
+def wrap_socket(sock, keyfile=None, certfile=None,
+ server_side=False, cert_reqs=CERT_NONE,
+ ssl_version=PROTOCOL_SSLv23, ca_certs=None):
+
+ return SSLSocket(sock, keyfile=keyfile, certfile=certfile,
+ server_side=server_side, cert_reqs=cert_reqs,
+ ssl_version=ssl_version, ca_certs=ca_certs)
+
# some utility functions
def cert_time_to_seconds(cert_time):
@@ -228,6 +478,71 @@
import time
return time.mktime(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT"))
+PEM_HEADER = "-----BEGIN CERTIFICATE-----"
+PEM_FOOTER = "-----END CERTIFICATE-----"
+
+def DER_cert_to_PEM_cert(der_cert_bytes):
+
+ """Takes a certificate in binary DER format and returns the
+ PEM version of it as a string."""
+
+ if hasattr(base64, 'standard_b64encode'):
+ # preferred because older API gets line-length wrong
+ f = base64.standard_b64encode(der_cert_bytes)
+ return (PEM_HEADER + '\n' +
+ textwrap.fill(f, 64) +
+ PEM_FOOTER + '\n')
+ else:
+ return (PEM_HEADER + '\n' +
+ base64.encodestring(der_cert_bytes) +
+ PEM_FOOTER + '\n')
+
+def PEM_cert_to_DER_cert(pem_cert_string):
+
+ """Takes a certificate in ASCII PEM format and returns the
+ DER-encoded version of it as a byte sequence"""
+
+ if not pem_cert_string.startswith(PEM_HEADER):
+ raise ValueError("Invalid PEM encoding; must start with %s"
+ % PEM_HEADER)
+ if not pem_cert_string.strip().endswith(PEM_FOOTER):
+ raise ValueError("Invalid PEM encoding; must end with %s"
+ % PEM_FOOTER)
+ d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
+ return base64.decodestring(d)
+
+def get_server_certificate (addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
+
+ """Retrieve the certificate from the server at the specified address,
+ and return it as a PEM-encoded string.
+ If 'ca_certs' is specified, validate the server cert against it.
+ If 'ssl_version' is specified, use it in the connection attempt."""
+
+ host, port = addr
+ if (ca_certs is not None):
+ cert_reqs = CERT_REQUIRED
+ else:
+ cert_reqs = CERT_NONE
+ s = wrap_socket(socket(), ssl_version=ssl_version,
+ cert_reqs=cert_reqs, ca_certs=ca_certs)
+ s.connect(addr)
+ dercert = s.getpeercert(True)
+ s.close()
+ return DER_cert_to_PEM_cert(dercert)
+
+def get_protocol_name (protocol_code):
+ if protocol_code == PROTOCOL_TLSv1:
+ return "TLSv1"
+ elif protocol_code == PROTOCOL_SSLv23:
+ return "SSLv23"
+ elif protocol_code == PROTOCOL_SSLv2:
+ return "SSLv2"
+ elif protocol_code == PROTOCOL_SSLv3:
+ return "SSLv3"
+ else:
+ return "<unknown>"
+
+
# a replacement for the old socket.ssl function
def sslwrap_simple (sock, keyfile=None, certfile=None):