Blame - Lib/asyncio/sslproto.py - platform/external/python/cpython3

blob: 68499e5aeeae7eed7a924f01225e60e92d9b8ee1 [file] [log] [blame]

Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	1	import collections
Victor Stinner	978a9af	2015-01-29 17:50:58 +0100	[diff] [blame]	2	import warnings
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	3	try:
				4	import ssl
				5	except ImportError: # pragma: no cover
				6	ssl = None
				7
Yury Selivanov	77bc04a	2016-06-28 10:55:36 -0400	[diff] [blame]	8	from . import base_events
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	9	from . import protocols
				10	from . import transports
				11	from .log import logger
				12
				13
				14	def _create_transport_context(server_side, server_hostname):
				15	if server_side:
				16	raise ValueError('Server side SSL needs a valid SSLContext')
				17
				18	# Client side may pass ssl=True to use a default
				19	# context; in that case the sslcontext passed is None.
				20	# The default is secure for client connections.
				21	if hasattr(ssl, 'create_default_context'):
				22	# Python 3.4+: use up-to-date strong settings.
				23	sslcontext = ssl.create_default_context()
				24	if not server_hostname:
				25	sslcontext.check_hostname = False
				26	else:
				27	# Fallback for Python 3.3.
				28	sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
				29	sslcontext.options \|= ssl.OP_NO_SSLv2
				30	sslcontext.options \|= ssl.OP_NO_SSLv3
				31	sslcontext.set_default_verify_paths()
				32	sslcontext.verify_mode = ssl.CERT_REQUIRED
				33	return sslcontext
				34
				35
				36	def _is_sslproto_available():
				37	return hasattr(ssl, "MemoryBIO")
				38
				39
				40	# States of an _SSLPipe.
				41	_UNWRAPPED = "UNWRAPPED"
				42	_DO_HANDSHAKE = "DO_HANDSHAKE"
				43	_WRAPPED = "WRAPPED"
				44	_SHUTDOWN = "SHUTDOWN"
				45
				46
				47	class _SSLPipe(object):
				48	"""An SSL "Pipe".
				49
				50	An SSL pipe allows you to communicate with an SSL/TLS protocol instance
				51	through memory buffers. It can be used to implement a security layer for an
				52	existing connection where you don't have access to the connection's file
				53	descriptor, or for some reason you don't want to use it.
				54
				55	An SSL pipe can be in "wrapped" and "unwrapped" mode. In unwrapped mode,
				56	data is passed through untransformed. In wrapped mode, application level
				57	data is encrypted to SSL record level data and vice versa. The SSL record
				58	level is the lowest level in the SSL protocol suite and is what travels
				59	as-is over the wire.
				60
				61	An SslPipe initially is in "unwrapped" mode. To start SSL, call
				62	do_handshake(). To shutdown SSL again, call unwrap().
				63	"""
				64
				65	max_size = 256 * 1024 # Buffer size passed to read()
				66
				67	def __init__(self, context, server_side, server_hostname=None):
				68	"""
				69	The context argument specifies the ssl.SSLContext to use.
				70
				71	The server_side argument indicates whether this is a server side or
				72	client side transport.
				73
				74	The optional server_hostname argument can be used to specify the
				75	hostname you are connecting to. You may only specify this parameter if
				76	the _ssl module supports Server Name Indication (SNI).
				77	"""
				78	self._context = context
				79	self._server_side = server_side
				80	self._server_hostname = server_hostname
				81	self._state = _UNWRAPPED
				82	self._incoming = ssl.MemoryBIO()
				83	self._outgoing = ssl.MemoryBIO()
				84	self._sslobj = None
				85	self._need_ssldata = False
				86	self._handshake_cb = None
				87	self._shutdown_cb = None
				88
				89	@property
				90	def context(self):
				91	"""The SSL context passed to the constructor."""
				92	return self._context
				93
				94	@property
				95	def ssl_object(self):
				96	"""The internal ssl.SSLObject instance.
				97
				98	Return None if the pipe is not wrapped.
				99	"""
				100	return self._sslobj
				101
				102	@property
				103	def need_ssldata(self):
				104	"""Whether more record level data is needed to complete a handshake
				105	that is currently in progress."""
				106	return self._need_ssldata
				107
				108	@property
				109	def wrapped(self):
				110	"""
				111	Whether a security layer is currently in effect.
				112
				113	Return False during handshake.
				114	"""
				115	return self._state == _WRAPPED
				116
				117	def do_handshake(self, callback=None):
				118	"""Start the SSL handshake.
				119
				120	Return a list of ssldata. A ssldata element is a list of buffers
				121
				122	The optional callback argument can be used to install a callback that
				123	will be called when the handshake is complete. The callback will be
				124	called with None if successful, else an exception instance.
				125	"""
				126	if self._state != _UNWRAPPED:
				127	raise RuntimeError('handshake in progress or completed')
				128	self._sslobj = self._context.wrap_bio(
				129	self._incoming, self._outgoing,
				130	server_side=self._server_side,
				131	server_hostname=self._server_hostname)
				132	self._state = _DO_HANDSHAKE
				133	self._handshake_cb = callback
				134	ssldata, appdata = self.feed_ssldata(b'', only_handshake=True)
				135	assert len(appdata) == 0
				136	return ssldata
				137
				138	def shutdown(self, callback=None):
				139	"""Start the SSL shutdown sequence.
				140
				141	Return a list of ssldata. A ssldata element is a list of buffers
				142
				143	The optional callback argument can be used to install a callback that
				144	will be called when the shutdown is complete. The callback will be
				145	called without arguments.
				146	"""
				147	if self._state == _UNWRAPPED:
				148	raise RuntimeError('no security layer present')
				149	if self._state == _SHUTDOWN:
				150	raise RuntimeError('shutdown in progress')
				151	assert self._state in (_WRAPPED, _DO_HANDSHAKE)
				152	self._state = _SHUTDOWN
				153	self._shutdown_cb = callback
				154	ssldata, appdata = self.feed_ssldata(b'')
				155	assert appdata == [] or appdata == [b'']
				156	return ssldata
				157
				158	def feed_eof(self):
				159	"""Send a potentially "ragged" EOF.
				160
				161	This method will raise an SSL_ERROR_EOF exception if the EOF is
				162	unexpected.
				163	"""
				164	self._incoming.write_eof()
				165	ssldata, appdata = self.feed_ssldata(b'')
				166	assert appdata == [] or appdata == [b'']
				167
				168	def feed_ssldata(self, data, only_handshake=False):
				169	"""Feed SSL record level data into the pipe.
				170
				171	The data must be a bytes instance. It is OK to send an empty bytes
				172	instance. This can be used to get ssldata for a handshake initiated by
				173	this endpoint.
				174
				175	Return a (ssldata, appdata) tuple. The ssldata element is a list of
				176	buffers containing SSL data that needs to be sent to the remote SSL.
				177
				178	The appdata element is a list of buffers containing plaintext data that
				179	needs to be forwarded to the application. The appdata list may contain
				180	an empty buffer indicating an SSL "close_notify" alert. This alert must
				181	be acknowledged by calling shutdown().
				182	"""
				183	if self._state == _UNWRAPPED:
				184	# If unwrapped, pass plaintext data straight through.
				185	if data:
				186	appdata = [data]
				187	else:
				188	appdata = []
				189	return ([], appdata)
				190
				191	self._need_ssldata = False
				192	if data:
				193	self._incoming.write(data)
				194
				195	ssldata = []
				196	appdata = []
				197	try:
				198	if self._state == _DO_HANDSHAKE:
				199	# Call do_handshake() until it doesn't raise anymore.
				200	self._sslobj.do_handshake()
				201	self._state = _WRAPPED
				202	if self._handshake_cb:
				203	self._handshake_cb(None)
				204	if only_handshake:
				205	return (ssldata, appdata)
				206	# Handshake done: execute the wrapped block
				207
				208	if self._state == _WRAPPED:
				209	# Main state: read data from SSL until close_notify
				210	while True:
				211	chunk = self._sslobj.read(self.max_size)
				212	appdata.append(chunk)
				213	if not chunk: # close_notify
				214	break
				215
				216	elif self._state == _SHUTDOWN:
				217	# Call shutdown() until it doesn't raise anymore.
				218	self._sslobj.unwrap()
				219	self._sslobj = None
				220	self._state = _UNWRAPPED
				221	if self._shutdown_cb:
				222	self._shutdown_cb()
				223
				224	elif self._state == _UNWRAPPED:
				225	# Drain possible plaintext data after close_notify.
				226	appdata.append(self._incoming.read())
				227	except (ssl.SSLError, ssl.CertificateError) as exc:
				228	if getattr(exc, 'errno', None) not in (
				229	ssl.SSL_ERROR_WANT_READ, ssl.SSL_ERROR_WANT_WRITE,
				230	ssl.SSL_ERROR_SYSCALL):
				231	if self._state == _DO_HANDSHAKE and self._handshake_cb:
				232	self._handshake_cb(exc)
				233	raise
				234	self._need_ssldata = (exc.errno == ssl.SSL_ERROR_WANT_READ)
				235
				236	# Check for record level data that needs to be sent back.
				237	# Happens for the initial handshake and renegotiations.
				238	if self._outgoing.pending:
				239	ssldata.append(self._outgoing.read())
				240	return (ssldata, appdata)
				241
				242	def feed_appdata(self, data, offset=0):
				243	"""Feed plaintext data into the pipe.
				244
				245	Return an (ssldata, offset) tuple. The ssldata element is a list of
				246	buffers containing record level data that needs to be sent to the
				247	remote SSL instance. The offset is the number of plaintext bytes that
				248	were processed, which may be less than the length of data.
				249
				250	NOTE: In case of short writes, this call MUST be retried with the SAME
				251	buffer passed into the data argument (i.e. the id() must be the
				252	same). This is an OpenSSL requirement. A further particularity is that
				253	a short write will always have offset == 0, because the _ssl module
				254	does not enable partial writes. And even though the offset is zero,
				255	there will still be encrypted data in ssldata.
				256	"""
				257	assert 0 <= offset <= len(data)
				258	if self._state == _UNWRAPPED:
				259	# pass through data in unwrapped mode
				260	if offset < len(data):
				261	ssldata = [data[offset:]]
				262	else:
				263	ssldata = []
				264	return (ssldata, len(data))
				265
				266	ssldata = []
				267	view = memoryview(data)
				268	while True:
				269	self._need_ssldata = False
				270	try:
				271	if offset < len(view):
				272	offset += self._sslobj.write(view[offset:])
				273	except ssl.SSLError as exc:
				274	# It is not allowed to call write() after unwrap() until the
				275	# close_notify is acknowledged. We return the condition to the
				276	# caller as a short write.
				277	if exc.reason == 'PROTOCOL_IS_SHUTDOWN':
				278	exc.errno = ssl.SSL_ERROR_WANT_READ
				279	if exc.errno not in (ssl.SSL_ERROR_WANT_READ,
				280	ssl.SSL_ERROR_WANT_WRITE,
				281	ssl.SSL_ERROR_SYSCALL):
				282	raise
				283	self._need_ssldata = (exc.errno == ssl.SSL_ERROR_WANT_READ)
				284
				285	# See if there's any record level data back for us.
				286	if self._outgoing.pending:
				287	ssldata.append(self._outgoing.read())
				288	if offset == len(view) or self._need_ssldata:
				289	break
				290	return (ssldata, offset)
				291
				292
				293	class _SSLProtocolTransport(transports._FlowControlMixin,
				294	transports.Transport):
				295
				296	def __init__(self, loop, ssl_protocol, app_protocol):
				297	self._loop = loop
Victor Stinner	f7dc7fb	2015-09-21 18:06:17 +0200	[diff] [blame]	298	# SSLProtocol instance
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	299	self._ssl_protocol = ssl_protocol
				300	self._app_protocol = app_protocol
Victor Stinner	978a9af	2015-01-29 17:50:58 +0100	[diff] [blame]	301	self._closed = False
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	302
				303	def get_extra_info(self, name, default=None):
				304	"""Get optional transport information."""
				305	return self._ssl_protocol._get_extra_info(name, default)
				306
Yury Selivanov	a05a6ef	2016-09-11 21:11:02 -0400	[diff] [blame]	307	def set_protocol(self, protocol):
				308	self._app_protocol = protocol
				309
				310	def get_protocol(self):
				311	return self._app_protocol
				312
Yury Selivanov	5bb1afb	2015-11-16 12:43:21 -0500	[diff] [blame]	313	def is_closing(self):
				314	return self._closed
				315
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	316	def close(self):
				317	"""Close the transport.
				318
				319	Buffered data will be flushed asynchronously. No more data
				320	will be received. After all buffered data is flushed, the
				321	protocol's connection_lost() method will (eventually) called
				322	with None as its argument.
				323	"""
Victor Stinner	978a9af	2015-01-29 17:50:58 +0100	[diff] [blame]	324	self._closed = True
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	325	self._ssl_protocol._start_shutdown()
				326
INADA Naoki	3e2ad8e	2017-04-25 10:57:18 +0900	[diff] [blame]	327	def __del__(self):
				328	if not self._closed:
				329	warnings.warn("unclosed transport %r" % self, ResourceWarning,
				330	source=self)
				331	self.close()
Victor Stinner	978a9af	2015-01-29 17:50:58 +0100	[diff] [blame]	332
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	333	def pause_reading(self):
				334	"""Pause the receiving end.
				335
				336	No data will be passed to the protocol's data_received()
				337	method until resume_reading() is called.
				338	"""
				339	self._ssl_protocol._transport.pause_reading()
				340
				341	def resume_reading(self):
				342	"""Resume the receiving end.
				343
				344	Data received will once again be passed to the protocol's
				345	data_received() method.
				346	"""
				347	self._ssl_protocol._transport.resume_reading()
				348
				349	def set_write_buffer_limits(self, high=None, low=None):
				350	"""Set the high- and low-water limits for write flow control.
				351
				352	These two values control when to call the protocol's
				353	pause_writing() and resume_writing() methods. If specified,
				354	the low-water limit must be less than or equal to the
				355	high-water limit. Neither value can be negative.
				356
				357	The defaults are implementation-specific. If only the
Serhiy Storchaka	d65c949	2015-11-02 14:10:23 +0200	[diff] [blame]	358	high-water limit is given, the low-water limit defaults to an
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	359	implementation-specific value less than or equal to the
				360	high-water limit. Setting high to zero forces low to zero as
				361	well, and causes pause_writing() to be called whenever the
				362	buffer becomes non-empty. Setting low to zero causes
				363	resume_writing() to be called only once the buffer is empty.
				364	Use of zero for either limit is generally sub-optimal as it
				365	reduces opportunities for doing I/O and computation
				366	concurrently.
				367	"""
				368	self._ssl_protocol._transport.set_write_buffer_limits(high, low)
				369
				370	def get_write_buffer_size(self):
				371	"""Return the current size of the write buffer."""
				372	return self._ssl_protocol._transport.get_write_buffer_size()
				373
				374	def write(self, data):
				375	"""Write some data bytes to the transport.
				376
				377	This does not block; it buffers the data and arranges for it
				378	to be sent out asynchronously.
				379	"""
				380	if not isinstance(data, (bytes, bytearray, memoryview)):
				381	raise TypeError("data: expecting a bytes-like instance, got {!r}"
				382	.format(type(data).__name__))
				383	if not data:
				384	return
				385	self._ssl_protocol._write_appdata(data)
				386
				387	def can_write_eof(self):
				388	"""Return True if this transport supports write_eof(), False if not."""
				389	return False
				390
				391	def abort(self):
				392	"""Close the transport immediately.
				393
				394	Buffered data will be lost. No more data will be received.
				395	The protocol's connection_lost() method will (eventually) be
				396	called with None as its argument.
				397	"""
				398	self._ssl_protocol._abort()
				399
				400
				401	class SSLProtocol(protocols.Protocol):
				402	"""SSL protocol.
				403
				404	Implementation of SSL on top of a socket using incoming and outgoing
				405	buffers which are ssl.MemoryBIO objects.
				406	"""
				407
				408	def __init__(self, loop, app_protocol, sslcontext, waiter,
Yury Selivanov	92e7c7f	2016-10-05 19:39:54 -0400	[diff] [blame]	409	server_side=False, server_hostname=None,
				410	call_connection_made=True):
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	411	if ssl is None:
				412	raise RuntimeError('stdlib ssl module not available')
				413
				414	if not sslcontext:
				415	sslcontext = _create_transport_context(server_side, server_hostname)
				416
				417	self._server_side = server_side
				418	if server_hostname and not server_side:
				419	self._server_hostname = server_hostname
				420	else:
				421	self._server_hostname = None
				422	self._sslcontext = sslcontext
				423	# SSL-specific extra info. More info are set when the handshake
				424	# completes.
				425	self._extra = dict(sslcontext=sslcontext)
				426
				427	# App data write buffering
				428	self._write_backlog = collections.deque()
				429	self._write_buffer_size = 0
				430
				431	self._waiter = waiter
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	432	self._loop = loop
				433	self._app_protocol = app_protocol
				434	self._app_transport = _SSLProtocolTransport(self._loop,
				435	self, self._app_protocol)
Victor Stinner	f7dc7fb	2015-09-21 18:06:17 +0200	[diff] [blame]	436	# _SSLPipe instance (None until the connection is made)
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	437	self._sslpipe = None
				438	self._session_established = False
				439	self._in_handshake = False
				440	self._in_shutdown = False
Victor Stinner	f7dc7fb	2015-09-21 18:06:17 +0200	[diff] [blame]	441	# transport, ex: SelectorSocketTransport
Victor Stinner	7e222f4	2015-01-15 13:16:27 +0100	[diff] [blame]	442	self._transport = None
Yury Selivanov	92e7c7f	2016-10-05 19:39:54 -0400	[diff] [blame]	443	self._call_connection_made = call_connection_made
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	444
Victor Stinner	f07801b	2015-01-29 00:36:35 +0100	[diff] [blame]	445	def _wakeup_waiter(self, exc=None):
				446	if self._waiter is None:
				447	return
				448	if not self._waiter.cancelled():
				449	if exc is not None:
				450	self._waiter.set_exception(exc)
				451	else:
				452	self._waiter.set_result(None)
				453	self._waiter = None
				454
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	455	def connection_made(self, transport):
				456	"""Called when the low-level connection is made.
				457
				458	Start the SSL handshake.
				459	"""
				460	self._transport = transport
				461	self._sslpipe = _SSLPipe(self._sslcontext,
				462	self._server_side,
				463	self._server_hostname)
				464	self._start_handshake()
				465
				466	def connection_lost(self, exc):
				467	"""Called when the low-level connection is lost or closed.
				468
				469	The argument is an exception object or None (the latter
				470	meaning a regular EOF is received or the connection was
				471	aborted or closed).
				472	"""
				473	if self._session_established:
				474	self._session_established = False
				475	self._loop.call_soon(self._app_protocol.connection_lost, exc)
				476	self._transport = None
				477	self._app_transport = None
Yury Selivanov	b1461aa	2016-12-16 11:50:41 -0500	[diff] [blame]	478	self._wakeup_waiter(exc)
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	479
				480	def pause_writing(self):
				481	"""Called when the low-level transport's buffer goes over
				482	the high-water mark.
				483	"""
				484	self._app_protocol.pause_writing()
				485
				486	def resume_writing(self):
				487	"""Called when the low-level transport's buffer drains below
				488	the low-water mark.
				489	"""
				490	self._app_protocol.resume_writing()
				491
				492	def data_received(self, data):
				493	"""Called when some SSL data is received.
				494
				495	The argument is a bytes object.
				496	"""
				497	try:
				498	ssldata, appdata = self._sslpipe.feed_ssldata(data)
				499	except ssl.SSLError as e:
				500	if self._loop.get_debug():
				501	logger.warning('%r: SSL error %s (reason %s)',
				502	self, e.errno, e.reason)
				503	self._abort()
				504	return
				505
				506	for chunk in ssldata:
				507	self._transport.write(chunk)
				508
				509	for chunk in appdata:
				510	if chunk:
				511	self._app_protocol.data_received(chunk)
				512	else:
				513	self._start_shutdown()
				514	break
				515
				516	def eof_received(self):
				517	"""Called when the other end of the low-level stream
				518	is half-closed.
				519
				520	If this returns a false value (including None), the transport
				521	will close itself. If it returns a true value, closing the
				522	transport is up to the protocol.
				523	"""
				524	try:
				525	if self._loop.get_debug():
				526	logger.debug("%r received EOF", self)
Victor Stinner	b507cba	2015-01-29 00:35:56 +0100	[diff] [blame]	527
Victor Stinner	f07801b	2015-01-29 00:36:35 +0100	[diff] [blame]	528	self._wakeup_waiter(ConnectionResetError)
Victor Stinner	b507cba	2015-01-29 00:35:56 +0100	[diff] [blame]	529
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	530	if not self._in_handshake:
				531	keep_open = self._app_protocol.eof_received()
				532	if keep_open:
				533	logger.warning('returning true from eof_received() '
				534	'has no effect when using ssl')
				535	finally:
				536	self._transport.close()
				537
				538	def _get_extra_info(self, name, default=None):
				539	if name in self._extra:
				540	return self._extra[name]
Nikolay Kim	2b27e2e	2017-03-12 12:23:30 -0700	[diff] [blame]	541	elif self._transport is not None:
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	542	return self._transport.get_extra_info(name, default)
Nikolay Kim	2b27e2e	2017-03-12 12:23:30 -0700	[diff] [blame]	543	else:
				544	return default
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	545
				546	def _start_shutdown(self):
				547	if self._in_shutdown:
				548	return
Nikolay Kim	a0e3d2d	2017-06-09 14:46:14 -0700	[diff] [blame]	549	if self._in_handshake:
				550	self._abort()
				551	else:
				552	self._in_shutdown = True
				553	self._write_appdata(b'')
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	554
				555	def _write_appdata(self, data):
				556	self._write_backlog.append((data, 0))
				557	self._write_buffer_size += len(data)
				558	self._process_write_backlog()
				559
				560	def _start_handshake(self):
				561	if self._loop.get_debug():
				562	logger.debug("%r starts SSL handshake", self)
				563	self._handshake_start_time = self._loop.time()
				564	else:
				565	self._handshake_start_time = None
				566	self._in_handshake = True
				567	# (b'', 1) is a special value in _process_write_backlog() to do
				568	# the SSL handshake
				569	self._write_backlog.append((b'', 1))
				570	self._loop.call_soon(self._process_write_backlog)
				571
				572	def _on_handshake_complete(self, handshake_exc):
				573	self._in_handshake = False
				574
				575	sslobj = self._sslpipe.ssl_object
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	576	try:
				577	if handshake_exc is not None:
				578	raise handshake_exc
Victor Stinner	177e9f0	2015-01-14 16:56:20 +0100	[diff] [blame]	579
				580	peercert = sslobj.getpeercert()
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	581	if not hasattr(self._sslcontext, 'check_hostname'):
				582	# Verify hostname if requested, Python 3.4+ uses check_hostname
				583	# and checks the hostname in do_handshake()
				584	if (self._server_hostname
				585	and self._sslcontext.verify_mode != ssl.CERT_NONE):
				586	ssl.match_hostname(peercert, self._server_hostname)
				587	except BaseException as exc:
				588	if self._loop.get_debug():
				589	if isinstance(exc, ssl.CertificateError):
				590	logger.warning("%r: SSL handshake failed "
				591	"on verifying the certificate",
				592	self, exc_info=True)
				593	else:
				594	logger.warning("%r: SSL handshake failed",
				595	self, exc_info=True)
				596	self._transport.close()
				597	if isinstance(exc, Exception):
Victor Stinner	f07801b	2015-01-29 00:36:35 +0100	[diff] [blame]	598	self._wakeup_waiter(exc)
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	599	return
				600	else:
				601	raise
				602
				603	if self._loop.get_debug():
				604	dt = self._loop.time() - self._handshake_start_time
				605	logger.debug("%r: SSL handshake took %.1f ms", self, dt * 1e3)
				606
				607	# Add extra info that becomes available after handshake.
				608	self._extra.update(peercert=peercert,
				609	cipher=sslobj.cipher(),
				610	compression=sslobj.compression(),
Victor Stinner	f7dc7fb	2015-09-21 18:06:17 +0200	[diff] [blame]	611	ssl_object=sslobj,
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	612	)
Yury Selivanov	92e7c7f	2016-10-05 19:39:54 -0400	[diff] [blame]	613	if self._call_connection_made:
				614	self._app_protocol.connection_made(self._app_transport)
Victor Stinner	f07801b	2015-01-29 00:36:35 +0100	[diff] [blame]	615	self._wakeup_waiter()
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	616	self._session_established = True
Victor Stinner	042dad7	2015-01-15 09:41:48 +0100	[diff] [blame]	617	# In case transport.write() was already called. Don't call
Martin Panter	46f5072	2016-05-26 05:35:26 +0000	[diff] [blame]	618	# immediately _process_write_backlog(), but schedule it:
Victor Stinner	042dad7	2015-01-15 09:41:48 +0100	[diff] [blame]	619	# _on_handshake_complete() can be called indirectly from
				620	# _process_write_backlog(), and _process_write_backlog() is not
				621	# reentrant.
Victor Stinner	72bdefb	2015-01-15 09:44:13 +0100	[diff] [blame]	622	self._loop.call_soon(self._process_write_backlog)
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	623
				624	def _process_write_backlog(self):
				625	# Try to make progress on the write backlog.
				626	if self._transport is None:
				627	return
				628
				629	try:
				630	for i in range(len(self._write_backlog)):
				631	data, offset = self._write_backlog[0]
				632	if data:
				633	ssldata, offset = self._sslpipe.feed_appdata(data, offset)
				634	elif offset:
Yury Selivanov	8c125eb	2015-08-05 14:06:23 -0400	[diff] [blame]	635	ssldata = self._sslpipe.do_handshake(
				636	self._on_handshake_complete)
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	637	offset = 1
				638	else:
				639	ssldata = self._sslpipe.shutdown(self._finalize)
				640	offset = 1
				641
				642	for chunk in ssldata:
				643	self._transport.write(chunk)
				644
				645	if offset < len(data):
				646	self._write_backlog[0] = (data, offset)
				647	# A short write means that a write is blocked on a read
				648	# We need to enable reading if it is paused!
				649	assert self._sslpipe.need_ssldata
				650	if self._transport._paused:
				651	self._transport.resume_reading()
				652	break
				653
				654	# An entire chunk from the backlog was processed. We can
				655	# delete it and reduce the outstanding buffer size.
				656	del self._write_backlog[0]
				657	self._write_buffer_size -= len(data)
				658	except BaseException as exc:
				659	if self._in_handshake:
Yury Selivanov	8c125eb	2015-08-05 14:06:23 -0400	[diff] [blame]	660	# BaseExceptions will be re-raised in _on_handshake_complete.
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	661	self._on_handshake_complete(exc)
				662	else:
				663	self._fatal_error(exc, 'Fatal error on SSL transport')
Yury Selivanov	8c125eb	2015-08-05 14:06:23 -0400	[diff] [blame]	664	if not isinstance(exc, Exception):
				665	# BaseException
				666	raise
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	667
				668	def _fatal_error(self, exc, message='Fatal error on transport'):
				669	# Should be called from exception handler only.
Victor Stinner	c94a93a	2016-04-01 21:43:39 +0200	[diff] [blame]	670	if isinstance(exc, base_events._FATAL_ERROR_IGNORE):
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	671	if self._loop.get_debug():
				672	logger.debug("%r: %s", self, message, exc_info=True)
				673	else:
				674	self._loop.call_exception_handler({
				675	'message': message,
				676	'exception': exc,
				677	'transport': self._transport,
				678	'protocol': self,
				679	})
				680	if self._transport:
				681	self._transport._force_close(exc)
				682
				683	def _finalize(self):
Michaël Sghaïer	d1f5751	2017-06-09 18:29:46 -0400	[diff] [blame^]	684	self._sslpipe = None
				685
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	686	if self._transport is not None:
				687	self._transport.close()
				688
				689	def _abort(self):
Michaël Sghaïer	d1f5751	2017-06-09 18:29:46 -0400	[diff] [blame^]	690	try:
				691	if self._transport is not None:
Victor Stinner	231b404	2015-01-14 00:19:09 +0100	[diff] [blame]	692	self._transport.abort()
Michaël Sghaïer	d1f5751	2017-06-09 18:29:46 -0400	[diff] [blame^]	693	finally:
				694	self._finalize()