Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 1 | # Wrapper module for _ssl, providing some additional facilities |
| 2 | # implemented in Python. Written by Bill Janssen. |
| 3 | |
Guido van Rossum | 245b42e | 2007-08-29 03:59:57 +0000 | [diff] [blame] | 4 | raise ImportError("ssl.py is temporarily out of order") |
| 5 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 6 | """\ |
| 7 | This module provides some more Pythonic support for SSL. |
| 8 | |
| 9 | Object types: |
| 10 | |
| 11 | sslsocket -- subtype of socket.socket which does SSL over the socket |
| 12 | |
| 13 | Exceptions: |
| 14 | |
| 15 | sslerror -- exception raised for I/O errors |
| 16 | |
| 17 | Functions: |
| 18 | |
| 19 | cert_time_to_seconds -- convert time string used for certificate |
| 20 | notBefore and notAfter functions to integer |
| 21 | seconds past the Epoch (the time values |
| 22 | returned from time.time()) |
| 23 | |
| 24 | fetch_server_certificate (HOST, PORT) -- fetch the certificate provided |
| 25 | by the server running on HOST at port PORT. No |
| 26 | validation of the certificate is performed. |
| 27 | |
| 28 | Integer constants: |
| 29 | |
| 30 | SSL_ERROR_ZERO_RETURN |
| 31 | SSL_ERROR_WANT_READ |
| 32 | SSL_ERROR_WANT_WRITE |
| 33 | SSL_ERROR_WANT_X509_LOOKUP |
| 34 | SSL_ERROR_SYSCALL |
| 35 | SSL_ERROR_SSL |
| 36 | SSL_ERROR_WANT_CONNECT |
| 37 | |
| 38 | SSL_ERROR_EOF |
| 39 | SSL_ERROR_INVALID_ERROR_CODE |
| 40 | |
| 41 | The following group define certificate requirements that one side is |
| 42 | allowing/requiring from the other side: |
| 43 | |
| 44 | CERT_NONE - no certificates from the other side are required (or will |
| 45 | be looked at if provided) |
| 46 | CERT_OPTIONAL - certificates are not required, but if provided will be |
| 47 | validated, and if validation fails, the connection will |
| 48 | also fail |
| 49 | CERT_REQUIRED - certificates are required, and will be validated, and |
| 50 | if validation fails, the connection will also fail |
| 51 | |
| 52 | The following constants identify various SSL protocol variants: |
| 53 | |
| 54 | PROTOCOL_SSLv2 |
| 55 | PROTOCOL_SSLv3 |
| 56 | PROTOCOL_SSLv23 |
| 57 | PROTOCOL_TLSv1 |
| 58 | """ |
| 59 | |
| 60 | import os, sys |
| 61 | |
| 62 | import _ssl # if we can't import it, let the error propagate |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 63 | from _ssl import sslerror |
| 64 | from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED |
| 65 | from _ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1 |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 66 | from _ssl import \ |
| 67 | SSL_ERROR_ZERO_RETURN, \ |
| 68 | SSL_ERROR_WANT_READ, \ |
| 69 | SSL_ERROR_WANT_WRITE, \ |
| 70 | SSL_ERROR_WANT_X509_LOOKUP, \ |
| 71 | SSL_ERROR_SYSCALL, \ |
| 72 | SSL_ERROR_SSL, \ |
| 73 | SSL_ERROR_WANT_CONNECT, \ |
| 74 | SSL_ERROR_EOF, \ |
| 75 | SSL_ERROR_INVALID_ERROR_CODE |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 76 | |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 77 | from socket import socket |
| 78 | from socket import getnameinfo as _getnameinfo |
| 79 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 80 | |
| 81 | class sslsocket (socket): |
| 82 | |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 83 | """This class implements a subtype of socket.socket that wraps |
| 84 | the underlying OS socket in an SSL context when necessary, and |
| 85 | provides read and write methods over that channel.""" |
| 86 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 87 | def __init__(self, sock, keyfile=None, certfile=None, |
| 88 | server_side=False, cert_reqs=CERT_NONE, |
| 89 | ssl_version=PROTOCOL_SSLv23, ca_certs=None): |
| 90 | socket.__init__(self, _sock=sock._sock) |
| 91 | if certfile and not keyfile: |
| 92 | keyfile = certfile |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 93 | # see if it's connected |
| 94 | try: |
| 95 | socket.getpeername(self) |
| 96 | except: |
| 97 | # no, no connection yet |
| 98 | self._sslobj = None |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 99 | else: |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 100 | # yes, create the SSL object |
| 101 | self._sslobj = _ssl.sslwrap(self._sock, server_side, |
| 102 | keyfile, certfile, |
| 103 | cert_reqs, ssl_version, ca_certs) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 104 | self.keyfile = keyfile |
| 105 | self.certfile = certfile |
| 106 | self.cert_reqs = cert_reqs |
| 107 | self.ssl_version = ssl_version |
| 108 | self.ca_certs = ca_certs |
| 109 | |
| 110 | def read(self, len=1024): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 111 | |
| 112 | """Read up to LEN bytes and return them. |
| 113 | Return zero-length string on EOF.""" |
| 114 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 115 | return self._sslobj.read(len) |
| 116 | |
| 117 | def write(self, data): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 118 | |
| 119 | """Write DATA to the underlying SSL channel. Returns |
| 120 | number of bytes of DATA actually transmitted.""" |
| 121 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 122 | return self._sslobj.write(data) |
| 123 | |
| 124 | def getpeercert(self): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 125 | |
| 126 | """Returns a formatted version of the data in the |
| 127 | certificate provided by the other end of the SSL channel. |
| 128 | Return None if no certificate was provided, {} if a |
| 129 | certificate was provided, but not validated.""" |
| 130 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 131 | return self._sslobj.peer_certificate() |
| 132 | |
| 133 | def send (self, data, flags=0): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 134 | if self._sslobj: |
| 135 | if flags != 0: |
| 136 | raise ValueError( |
| 137 | "non-zero flags not allowed in calls to send() on %s" % |
| 138 | self.__class__) |
| 139 | return self._sslobj.write(data) |
| 140 | else: |
| 141 | return socket.send(self, data, flags) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 142 | |
| 143 | def send_to (self, data, addr, flags=0): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 144 | if self._sslobj: |
| 145 | raise ValueError("send_to not allowed on instances of %s" % |
| 146 | self.__class__) |
| 147 | else: |
| 148 | return socket.send_to(self, data, addr, flags) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 149 | |
| 150 | def sendall (self, data, flags=0): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 151 | if self._sslobj: |
| 152 | if flags != 0: |
| 153 | raise ValueError( |
| 154 | "non-zero flags not allowed in calls to sendall() on %s" % |
| 155 | self.__class__) |
| 156 | return self._sslobj.write(data) |
| 157 | else: |
| 158 | return socket.sendall(self, data, flags) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 159 | |
| 160 | def recv (self, buflen=1024, flags=0): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 161 | if self._sslobj: |
| 162 | if flags != 0: |
| 163 | raise ValueError( |
| 164 | "non-zero flags not allowed in calls to sendall() on %s" % |
| 165 | self.__class__) |
| 166 | return self._sslobj.read(data, buflen) |
| 167 | else: |
| 168 | return socket.recv(self, buflen, flags) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 169 | |
| 170 | def recv_from (self, addr, buflen=1024, flags=0): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 171 | if self._sslobj: |
| 172 | raise ValueError("recv_from not allowed on instances of %s" % |
| 173 | self.__class__) |
| 174 | else: |
| 175 | return socket.recv_from(self, addr, buflen, flags) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 176 | |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 177 | def ssl_shutdown(self): |
| 178 | |
| 179 | """Shuts down the SSL channel over this socket (if active), |
| 180 | without closing the socket connection.""" |
| 181 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 182 | if self._sslobj: |
| 183 | self._sslobj.shutdown() |
| 184 | self._sslobj = None |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 185 | |
| 186 | def shutdown(self, how): |
| 187 | self.ssl_shutdown() |
| 188 | socket.shutdown(self, how) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 189 | |
| 190 | def close(self): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 191 | self.ssl_shutdown() |
| 192 | socket.close(self) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 193 | |
| 194 | def connect(self, addr): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 195 | |
| 196 | """Connects to remote ADDR, and then wraps the connection in |
| 197 | an SSL channel.""" |
| 198 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 199 | # Here we assume that the socket is client-side, and not |
| 200 | # connected at the time of the call. We connect it, then wrap it. |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 201 | if self._sslobj: |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 202 | raise ValueError("attempt to connect already-connected sslsocket!") |
| 203 | socket.connect(self, addr) |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 204 | self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 205 | self.cert_reqs, self.ssl_version, |
| 206 | self.ca_certs) |
| 207 | |
| 208 | def accept(self): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 209 | |
| 210 | """Accepts a new connection from a remote client, and returns |
| 211 | a tuple containing that new connection wrapped with a server-side |
| 212 | SSL channel, and the address of the remote client.""" |
| 213 | |
| 214 | newsock, addr = socket.accept(self) |
| 215 | return (sslsocket(newsock, True, self.keyfile, self.certfile, |
| 216 | self.cert_reqs, self.ssl_version, |
| 217 | self.ca_certs), addr) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 218 | |
| 219 | |
| 220 | # some utility functions |
| 221 | |
| 222 | def cert_time_to_seconds(cert_time): |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 223 | |
| 224 | """Takes a date-time string in standard ASN1_print form |
| 225 | ("MON DAY 24HOUR:MINUTE:SEC YEAR TIMEZONE") and return |
| 226 | a Python time value in seconds past the epoch.""" |
| 227 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 228 | import time |
| 229 | return time.mktime(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT")) |
| 230 | |
| 231 | # a replacement for the old socket.ssl function |
| 232 | |
| 233 | def sslwrap_simple (sock, keyfile=None, certfile=None): |
| 234 | |
Thomas Wouters | 47b49bf | 2007-08-30 22:15:33 +0000 | [diff] [blame^] | 235 | """A replacement for the old socket.ssl function. Designed |
| 236 | for compability with Python 2.5 and earlier. Will disappear in |
| 237 | Python 3.0.""" |
| 238 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 239 | return _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE, |
| 240 | PROTOCOL_SSLv23, None) |