Merged revisions 57620-57771 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r57771 | thomas.wouters | 2007-08-30 23:54:39 +0200 (Thu, 30 Aug 2007) | 5 lines
Don't lie in __all__ attributes when SSL is not available: only add the SSL
classes when they are actually created.
........
r57620 | walter.doerwald | 2007-08-28 18:38:26 +0200 (Tue, 28 Aug 2007) | 5 lines
Fix title endtag in HTMLCalender.formatyearpage(). Fix documentation for
HTMLCalender.formatyearpage() (there's no themonth parameter).
This fixes issue1046.
........
r57622 | georg.brandl | 2007-08-28 20:54:44 +0200 (Tue, 28 Aug 2007) | 2 lines
Add a crasher for the thread-unsafety of file objects.
........
r57626 | skip.montanaro | 2007-08-29 01:22:52 +0200 (Wed, 29 Aug 2007) | 1 line
fixes 813986
........
r57628 | walter.doerwald | 2007-08-29 01:35:33 +0200 (Wed, 29 Aug 2007) | 2 lines
Fix test output.
........
r57631 | skip.montanaro | 2007-08-29 03:24:11 +0200 (Wed, 29 Aug 2007) | 2 lines
Install pygettext (once the scriptsinstall target is working again).
........
r57633 | skip.montanaro | 2007-08-29 03:33:45 +0200 (Wed, 29 Aug 2007) | 2 lines
Recent items.
........
r57650 | neal.norwitz | 2007-08-29 08:15:33 +0200 (Wed, 29 Aug 2007) | 1 line
Add Bill as a developer
........
r57651 | facundo.batista | 2007-08-29 12:28:28 +0200 (Wed, 29 Aug 2007) | 5 lines
Ignore test failures caused by 'resource temporarily unavailable'
exceptions raised during FailingServerTestCase tests.
[GSoC - Alan McIntyre]
........
r57680 | bill.janssen | 2007-08-30 00:35:05 +0200 (Thu, 30 Aug 2007) | 17 lines
This contains a number of things:
1) Improve the documentation of the SSL module, with a fuller
explanation of certificate usage, another reference, proper
formatting of this and that.
2) Fix Windows bug in ssl.py, and general bug in sslsocket.close().
Remove some unused code from ssl.py. Allow accept() to be called on
sslsocket sockets.
3) Use try-except-else in import of ssl in socket.py. Deprecate use of
socket.ssl().
4) Remove use of socket.ssl() in every library module, except for
test_socket_ssl.py and test_ssl.py.
........
r57714 | georg.brandl | 2007-08-30 12:09:42 +0200 (Thu, 30 Aug 2007) | 2 lines
Stronger urge to convert filenames to str before using them as argument to ZipFile.write().
........
r57716 | georg.brandl | 2007-08-30 12:38:56 +0200 (Thu, 30 Aug 2007) | 2 lines
Patch #1680959: add test suite for pipes module.
........
r57717 | georg.brandl | 2007-08-30 14:32:23 +0200 (Thu, 30 Aug 2007) | 3 lines
* Skip test_pipes on non-POSIX.
* Don't raise TestSkipped within a test function.
........
r57723 | mark.summerfield | 2007-08-30 17:03:03 +0200 (Thu, 30 Aug 2007) | 3 lines
Added more cross-references.
........
r57726 | walter.doerwald | 2007-08-30 17:30:09 +0200 (Thu, 30 Aug 2007) | 2 lines
Rewrap line.
........
r57727 | walter.doerwald | 2007-08-30 17:34:55 +0200 (Thu, 30 Aug 2007) | 2 lines
Set startinpos before calling the error handler.
........
r57730 | bill.janssen | 2007-08-30 19:07:28 +0200 (Thu, 30 Aug 2007) | 3 lines
Added docstrings to methods and functions.
........
r57743 | bill.janssen | 2007-08-30 20:08:06 +0200 (Thu, 30 Aug 2007) | 1 line
added note on new ssl module and deprecation of socket.ssl
........
r57747 | martin.v.loewis | 2007-08-30 20:14:01 +0200 (Thu, 30 Aug 2007) | 1 line
Fix popen usage.
........
r57748 | martin.v.loewis | 2007-08-30 20:15:22 +0200 (Thu, 30 Aug 2007) | 1 line
Fix typo.
........
r57750 | martin.v.loewis | 2007-08-30 20:25:47 +0200 (Thu, 30 Aug 2007) | 1 line
Bug #1746880: Correctly install DLLs into system32 folder on Win64.
........
r57760 | martin.v.loewis | 2007-08-30 21:04:09 +0200 (Thu, 30 Aug 2007) | 1 line
Bug #1709599: Run test_1565150 only if the file system is NTFS.
........
r57762 | martin.v.loewis | 2007-08-30 22:10:57 +0200 (Thu, 30 Aug 2007) | 2 lines
Bump autoconf minimum version to 2.61.
........
r57764 | lars.gustaebel | 2007-08-30 22:24:31 +0200 (Thu, 30 Aug 2007) | 2 lines
Warn about possible risks when extracting untrusted archives.
........
r57769 | thomas.wouters | 2007-08-30 23:01:17 +0200 (Thu, 30 Aug 2007) | 7 lines
Somewhat-preliminary slice-object and extended slicing support for ctypes.
The exact behaviour of omitted and negative indices for the Pointer type may
need a closer look (especially as it's subtly different from simple slices)
but there's time yet before 2.6, and not enough before 3.0a1 :-)
........
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 77a2ceb..388c931 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -60,55 +60,47 @@
import os, sys
import _ssl # if we can't import it, let the error propagate
-from socket import socket
from _ssl import sslerror
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
from _ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
+from _ssl import \
+ SSL_ERROR_ZERO_RETURN, \
+ SSL_ERROR_WANT_READ, \
+ SSL_ERROR_WANT_WRITE, \
+ SSL_ERROR_WANT_X509_LOOKUP, \
+ SSL_ERROR_SYSCALL, \
+ SSL_ERROR_SSL, \
+ SSL_ERROR_WANT_CONNECT, \
+ SSL_ERROR_EOF, \
+ SSL_ERROR_INVALID_ERROR_CODE
-# Root certs:
-#
-# The "ca_certs" argument to sslsocket() expects a file containing one or more
-# certificates that are roots of various certificate signing chains. This file
-# contains the certificates in PEM format (RFC ) where each certificate is
-# encoded in base64 encoding and surrounded with a header and footer:
-# -----BEGIN CERTIFICATE-----
-# ... (CA certificate in base64 encoding) ...
-# -----END CERTIFICATE-----
-# The various certificates in the file are just concatenated together:
-# -----BEGIN CERTIFICATE-----
-# ... (CA certificate in base64 encoding) ...
-# -----END CERTIFICATE-----
-# -----BEGIN CERTIFICATE-----
-# ... (a second CA certificate in base64 encoding) ...
-# -----END CERTIFICATE-----
-#
-# Some "standard" root certificates are available at
-#
-# http://www.thawte.com/roots/ (for Thawte roots)
-# http://www.verisign.com/support/roots.html (for Verisign)
+from socket import socket
+from socket import getnameinfo as _getnameinfo
+
class sslsocket (socket):
+ """This class implements a subtype of socket.socket that wraps
+ the underlying OS socket in an SSL context when necessary, and
+ provides read and write methods over that channel."""
+
def __init__(self, sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None):
socket.__init__(self, _sock=sock._sock)
if certfile and not keyfile:
keyfile = certfile
- if server_side:
- self._sslobj = _ssl.sslwrap(self._sock, 1, keyfile, certfile,
- cert_reqs, ssl_version, ca_certs)
+ # see if it's connected
+ try:
+ socket.getpeername(self)
+ except:
+ # no, no connection yet
+ self._sslobj = None
else:
- # see if it's connected
- try:
- socket.getpeername(self)
- except:
- # no, no connection yet
- self._sslobj = None
- else:
- # yes, create the SSL object
- self._sslobj = _ssl.sslwrap(self._sock, 0, keyfile, certfile,
- cert_reqs, ssl_version, ca_certs)
+ # yes, create the SSL object
+ self._sslobj = _ssl.sslwrap(self._sock, server_side,
+ keyfile, certfile,
+ cert_reqs, ssl_version, ca_certs)
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
@@ -116,73 +108,123 @@
self.ca_certs = ca_certs
def read(self, len=1024):
+
+ """Read up to LEN bytes and return them.
+ Return zero-length string on EOF."""
+
return self._sslobj.read(len)
def write(self, data):
+
+ """Write DATA to the underlying SSL channel. Returns
+ number of bytes of DATA actually transmitted."""
+
return self._sslobj.write(data)
def getpeercert(self):
+
+ """Returns a formatted version of the data in the
+ certificate provided by the other end of the SSL channel.
+ Return None if no certificate was provided, {} if a
+ certificate was provided, but not validated."""
+
return self._sslobj.peer_certificate()
def send (self, data, flags=0):
- if flags != 0:
- raise ValueError(
- "non-zero flags not allowed in calls to send() on %s" %
- self.__class__)
- return self._sslobj.write(data)
+ if self._sslobj:
+ if flags != 0:
+ raise ValueError(
+ "non-zero flags not allowed in calls to send() on %s" %
+ self.__class__)
+ return self._sslobj.write(data)
+ else:
+ return socket.send(self, data, flags)
def send_to (self, data, addr, flags=0):
- raise ValueError("send_to not allowed on instances of %s" %
- self.__class__)
+ if self._sslobj:
+ raise ValueError("send_to not allowed on instances of %s" %
+ self.__class__)
+ else:
+ return socket.send_to(self, data, addr, flags)
def sendall (self, data, flags=0):
- if flags != 0:
- raise ValueError(
- "non-zero flags not allowed in calls to sendall() on %s" %
- self.__class__)
- return self._sslobj.write(data)
+ if self._sslobj:
+ if flags != 0:
+ raise ValueError(
+ "non-zero flags not allowed in calls to sendall() on %s" %
+ self.__class__)
+ return self._sslobj.write(data)
+ else:
+ return socket.sendall(self, data, flags)
def recv (self, buflen=1024, flags=0):
- if flags != 0:
- raise ValueError(
- "non-zero flags not allowed in calls to sendall() on %s" %
- self.__class__)
- return self._sslobj.read(data, buflen)
+ if self._sslobj:
+ if flags != 0:
+ raise ValueError(
+ "non-zero flags not allowed in calls to sendall() on %s" %
+ self.__class__)
+ return self._sslobj.read(data, buflen)
+ else:
+ return socket.recv(self, buflen, flags)
def recv_from (self, addr, buflen=1024, flags=0):
- raise ValueError("recv_from not allowed on instances of %s" %
- self.__class__)
+ if self._sslobj:
+ raise ValueError("recv_from not allowed on instances of %s" %
+ self.__class__)
+ else:
+ return socket.recv_from(self, addr, buflen, flags)
- def shutdown(self):
+ def ssl_shutdown(self):
+
+ """Shuts down the SSL channel over this socket (if active),
+ without closing the socket connection."""
+
if self._sslobj:
self._sslobj.shutdown()
self._sslobj = None
- else:
- socket.shutdown(self)
+
+ def shutdown(self, how):
+ self.ssl_shutdown()
+ socket.shutdown(self, how)
def close(self):
- if self._sslobj:
- self.shutdown()
- else:
- socket.close(self)
+ self.ssl_shutdown()
+ socket.close(self)
def connect(self, addr):
+
+ """Connects to remote ADDR, and then wraps the connection in
+ an SSL channel."""
+
# Here we assume that the socket is client-side, and not
# connected at the time of the call. We connect it, then wrap it.
- if self._sslobj or (self.getsockname()[1] != 0):
+ if self._sslobj:
raise ValueError("attempt to connect already-connected sslsocket!")
socket.connect(self, addr)
- self._sslobj = _ssl.sslwrap(self._sock, 0, self.keyfile, self.certfile,
+ self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
self.cert_reqs, self.ssl_version,
self.ca_certs)
def accept(self):
- raise ValueError("accept() not supported on an sslsocket")
+
+ """Accepts a new connection from a remote client, and returns
+ a tuple containing that new connection wrapped with a server-side
+ SSL channel, and the address of the remote client."""
+
+ newsock, addr = socket.accept(self)
+ return (sslsocket(newsock, True, self.keyfile, self.certfile,
+ self.cert_reqs, self.ssl_version,
+ self.ca_certs), addr)
# some utility functions
def cert_time_to_seconds(cert_time):
+
+ """Takes a date-time string in standard ASN1_print form
+ ("MON DAY 24HOUR:MINUTE:SEC YEAR TIMEZONE") and return
+ a Python time value in seconds past the epoch."""
+
import time
return time.mktime(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT"))
@@ -190,66 +232,9 @@
def sslwrap_simple (sock, keyfile=None, certfile=None):
+ """A replacement for the old socket.ssl function. Designed
+ for compability with Python 2.5 and earlier. Will disappear in
+ Python 3.0."""
+
return _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE,
PROTOCOL_SSLv23, None)
-
-# fetch the certificate that the server is providing in PEM form
-
-def fetch_server_certificate (host, port):
-
- import re, tempfile, os
-
- def subproc(cmd):
- from subprocess import Popen, PIPE, STDOUT
- proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
- status = proc.wait()
- output = proc.stdout.read()
- return status, output
-
- def strip_to_x509_cert(certfile_contents, outfile=None):
- m = re.search(r"^([-]+BEGIN CERTIFICATE[-]+[\r]*\n"
- r".*[\r]*^[-]+END CERTIFICATE[-]+)$",
- certfile_contents, re.MULTILINE | re.DOTALL)
- if not m:
- return None
- else:
- tn = tempfile.mktemp()
- fp = open(tn, "w")
- fp.write(m.group(1) + "\n")
- fp.close()
- try:
- tn2 = (outfile or tempfile.mktemp())
- status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
- (tn, tn2))
- if status != 0:
- raise OperationError(status, tsig, output)
- fp = open(tn2, 'rb')
- data = fp.read()
- fp.close()
- os.unlink(tn2)
- return data
- finally:
- os.unlink(tn)
-
- if sys.platform.startswith("win"):
- tfile = tempfile.mktemp()
- fp = open(tfile, "w")
- fp.write("quit\n")
- fp.close()
- try:
- status, output = subproc(
- 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
- (host, port, tfile))
- finally:
- os.unlink(tfile)
- else:
- status, output = subproc(
- 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
- (host, port))
- if status != 0:
- raise OSError(status)
- certtext = strip_to_x509_cert(output)
- if not certtext:
- raise ValueError("Invalid response received from server at %s:%s" %
- (host, port))
- return certtext