Blame - Lib/ssl.py - platform/external/python/cpython3

blob: 6ec6af181b7204247cb2855c3fa269109c16020e [file] [log] [blame]

Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	1	# Wrapper module for _ssl, providing some additional facilities
				2	# implemented in Python. Written by Bill Janssen.
				3
				4	"""\
				5	This module provides some more Pythonic support for SSL.
				6
				7	Object types:
				8
				9	sslsocket -- subtype of socket.socket which does SSL over the socket
				10
				11	Exceptions:
				12
				13	sslerror -- exception raised for I/O errors
				14
				15	Functions:
				16
				17	cert_time_to_seconds -- convert time string used for certificate
				18	notBefore and notAfter functions to integer
				19	seconds past the Epoch (the time values
				20	returned from time.time())
				21
				22	fetch_server_certificate (HOST, PORT) -- fetch the certificate provided
				23	by the server running on HOST at port PORT. No
				24	validation of the certificate is performed.
				25
				26	Integer constants:
				27
				28	SSL_ERROR_ZERO_RETURN
				29	SSL_ERROR_WANT_READ
				30	SSL_ERROR_WANT_WRITE
				31	SSL_ERROR_WANT_X509_LOOKUP
				32	SSL_ERROR_SYSCALL
				33	SSL_ERROR_SSL
				34	SSL_ERROR_WANT_CONNECT
				35
				36	SSL_ERROR_EOF
				37	SSL_ERROR_INVALID_ERROR_CODE
				38
				39	The following group define certificate requirements that one side is
				40	allowing/requiring from the other side:
				41
				42	CERT_NONE - no certificates from the other side are required (or will
				43	be looked at if provided)
				44	CERT_OPTIONAL - certificates are not required, but if provided will be
				45	validated, and if validation fails, the connection will
				46	also fail
				47	CERT_REQUIRED - certificates are required, and will be validated, and
				48	if validation fails, the connection will also fail
				49
				50	The following constants identify various SSL protocol variants:
				51
				52	PROTOCOL_SSLv2
				53	PROTOCOL_SSLv3
				54	PROTOCOL_SSLv23
				55	PROTOCOL_TLSv1
				56	"""
				57
				58	import os, sys
				59
				60	import _ssl # if we can't import it, let the error propagate
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	61	from _ssl import sslerror
				62	from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
				63	from _ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	64	from _ssl import \
				65	SSL_ERROR_ZERO_RETURN, \
				66	SSL_ERROR_WANT_READ, \
				67	SSL_ERROR_WANT_WRITE, \
				68	SSL_ERROR_WANT_X509_LOOKUP, \
				69	SSL_ERROR_SYSCALL, \
				70	SSL_ERROR_SSL, \
				71	SSL_ERROR_WANT_CONNECT, \
				72	SSL_ERROR_EOF, \
				73	SSL_ERROR_INVALID_ERROR_CODE
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	74
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	75	from socket import socket
				76	from socket import getnameinfo as _getnameinfo
				77
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	78
				79	class sslsocket (socket):
				80
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	81	"""This class implements a subtype of socket.socket that wraps
				82	the underlying OS socket in an SSL context when necessary, and
				83	provides read and write methods over that channel."""
				84
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	85	def __init__(self, sock, keyfile=None, certfile=None,
				86	server_side=False, cert_reqs=CERT_NONE,
				87	ssl_version=PROTOCOL_SSLv23, ca_certs=None):
				88	socket.__init__(self, _sock=sock._sock)
				89	if certfile and not keyfile:
				90	keyfile = certfile
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	91	# see if it's connected
				92	try:
				93	socket.getpeername(self)
				94	except:
				95	# no, no connection yet
				96	self._sslobj = None
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	97	else:
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	98	# yes, create the SSL object
				99	self._sslobj = _ssl.sslwrap(self._sock, server_side,
				100	keyfile, certfile,
				101	cert_reqs, ssl_version, ca_certs)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	102	self.keyfile = keyfile
				103	self.certfile = certfile
				104	self.cert_reqs = cert_reqs
				105	self.ssl_version = ssl_version
				106	self.ca_certs = ca_certs
				107
				108	def read(self, len=1024):
				109	return self._sslobj.read(len)
				110
				111	def write(self, data):
				112	return self._sslobj.write(data)
				113
				114	def getpeercert(self):
				115	return self._sslobj.peer_certificate()
				116
				117	def send (self, data, flags=0):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	118	if self._sslobj:
				119	if flags != 0:
				120	raise ValueError(
				121	"non-zero flags not allowed in calls to send() on %s" %
				122	self.__class__)
				123	return self._sslobj.write(data)
				124	else:
				125	return socket.send(self, data, flags)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	126
				127	def send_to (self, data, addr, flags=0):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	128	if self._sslobj:
				129	raise ValueError("send_to not allowed on instances of %s" %
				130	self.__class__)
				131	else:
				132	return socket.send_to(self, data, addr, flags)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	133
				134	def sendall (self, data, flags=0):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	135	if self._sslobj:
				136	if flags != 0:
				137	raise ValueError(
				138	"non-zero flags not allowed in calls to sendall() on %s" %
				139	self.__class__)
				140	return self._sslobj.write(data)
				141	else:
				142	return socket.sendall(self, data, flags)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	143
				144	def recv (self, buflen=1024, flags=0):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	145	if self._sslobj:
				146	if flags != 0:
				147	raise ValueError(
				148	"non-zero flags not allowed in calls to sendall() on %s" %
				149	self.__class__)
				150	return self._sslobj.read(data, buflen)
				151	else:
				152	return socket.recv(self, buflen, flags)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	153
				154	def recv_from (self, addr, buflen=1024, flags=0):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	155	if self._sslobj:
				156	raise ValueError("recv_from not allowed on instances of %s" %
				157	self.__class__)
				158	else:
				159	return socket.recv_from(self, addr, buflen, flags)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	160
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	161	def ssl_shutdown(self):
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	162	if self._sslobj:
				163	self._sslobj.shutdown()
				164	self._sslobj = None
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	165
				166	def shutdown(self, how):
				167	self.ssl_shutdown()
				168	socket.shutdown(self, how)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	169
				170	def close(self):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	171	self.ssl_shutdown()
				172	socket.close(self)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	173
				174	def connect(self, addr):
				175	# Here we assume that the socket is client-side, and not
				176	# connected at the time of the call. We connect it, then wrap it.
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	177	if self._sslobj:
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	178	raise ValueError("attempt to connect already-connected sslsocket!")
				179	socket.connect(self, addr)
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	180	self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	181	self.cert_reqs, self.ssl_version,
				182	self.ca_certs)
				183
				184	def accept(self):
Bill Janssen	426ea0a	2007-08-29 22:35:05 +0000	[diff] [blame^]	185	newsock, addr = socket.accept(self)
				186	return (sslsocket(newsock, True, self.keyfile, self.certfile,
				187	self.cert_reqs, self.ssl_version,
				188	self.ca_certs), addr)
Guido van Rossum	4f2c3dd	2007-08-25 15:08:43 +0000	[diff] [blame]	189
				190
				191	# some utility functions
				192
				193	def cert_time_to_seconds(cert_time):
				194	import time
				195	return time.mktime(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT"))
				196
				197	# a replacement for the old socket.ssl function
				198
				199	def sslwrap_simple (sock, keyfile=None, certfile=None):
				200
				201	return _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE,
				202	PROTOCOL_SSLv23, None)