Ñò #8Zc@s¥dZddkZddkZddklZddklZlZlZddklZlZl Z l Z ddkl Z l Z l Z ddklZlZlZlZlZlZlZlZlZddklZlZlZdd klZdd klZddkZddkZd efd „ƒYZ dde"ee de#e#d „Z$d„Z%dZ&dZ'd„Z(d„Z)edd„Z*d„Z+ddd„Z,dS(sThis module provides some more Pythonic support for SSL. Object types: SSLSocket -- subtype of socket.socket which does SSL over the socket Exceptions: SSLError -- exception raised for I/O errors Functions: cert_time_to_seconds -- convert time string used for certificate notBefore and notAfter functions to integer seconds past the Epoch (the time values returned from time.time()) fetch_server_certificate (HOST, PORT) -- fetch the certificate provided by the server running on HOST at port PORT. No validation of the certificate is performed. Integer constants: SSL_ERROR_ZERO_RETURN SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE SSL_ERROR_WANT_X509_LOOKUP SSL_ERROR_SYSCALL SSL_ERROR_SSL SSL_ERROR_WANT_CONNECT SSL_ERROR_EOF SSL_ERROR_INVALID_ERROR_CODE The following group define certificate requirements that one side is allowing/requiring from the other side: CERT_NONE - no certificates from the other side are required (or will be looked at if provided) CERT_OPTIONAL - certificates are not required, but if provided will be validated, and if validation fails, the connection will also fail CERT_REQUIRED - certificates are required, and will be validated, and if validation fails, the connection will also fail The following constants identify various SSL protocol variants: PROTOCOL_SSLv2 PROTOCOL_SSLv3 PROTOCOL_SSLv23 PROTOCOL_TLSv1 iÿÿÿÿN(tSSLError(t CERT_NONEt CERT_OPTIONALt CERT_REQUIRED(tPROTOCOL_SSLv2tPROTOCOL_SSLv3tPROTOCOL_SSLv23tPROTOCOL_TLSv1(t RAND_statustRAND_egdtRAND_add( tSSL_ERROR_ZERO_RETURNtSSL_ERROR_WANT_READtSSL_ERROR_WANT_WRITEtSSL_ERROR_WANT_X509_LOOKUPtSSL_ERROR_SYSCALLt SSL_ERROR_SSLtSSL_ERROR_WANT_CONNECTt SSL_ERROR_EOFtSSL_ERROR_INVALID_ERROR_CODE(tsockett _fileobjectt_delegate_methods(terror(t getnameinfot SSLSocketc BseZdZddeeedeed„Zdd„Z d„Z ed„Z d„Z dd„Z dd „Zdd „Zddd „Zddd „Zddd „Zddd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zddd„ZRS(sµThis class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.c Cs;ti|d|iƒx5tD]-} yt|| ƒWqtj oqXqW|o| o |}nyti|ƒWn8tj o,} | iti jo‚nd|_ n>Xt i |i||||||ƒ|_ |o|iƒn||_||_||_||_||_||_| |_d|_dS(Nt_socki(Rt__init__RRtdelattrtAttributeErrort getpeernamet socket_errorterrnotENOTCONNtNonet_sslobjt_ssltsslwrapt do_handshaketkeyfiletcertfilet cert_reqst ssl_versiontca_certstdo_handshake_on_connecttsuppress_ragged_eofst_makefile_refs( tselftsockR'R(t server_sideR)R*R+R,R-tattrte((s/usr/lib/python2.6/ssl.pyRYs8         icCsVy|ii|ƒSWn;tj o/}|idtjo|iodS‚nXdS(sORead up to LEN bytes and return them. Return zero-length string on EOF.itN(R#treadRtargsRR-(R/tlentx((s/usr/lib/python2.6/ssl.pyR5‚s cCs|ii|ƒS(shWrite DATA to the underlying SSL channel. Returns number of bytes of DATA actually transmitted.(R#twrite(R/tdata((s/usr/lib/python2.6/ssl.pyR9scCs|ii|ƒS(sáReturns a formatted version of the data in the certificate provided by the other end of the SSL channel. Return None if no certificate was provided, {} if a certificate was provided, but not validated.(R#tpeer_certificate(R/t binary_form((s/usr/lib/python2.6/ssl.pyt getpeercert–scCs |ipdS|iiƒSdS(N(R#R"tcipher(R/((s/usr/lib/python2.6/ssl.pyR>Ÿs icCs¿|iož|djotd|iƒ‚nxŠtoky|ii|ƒ}WnJtj o>}|idtjodS|idtjodS‚q1X|Sq1Wn|i i ||ƒSdS(Nis3non-zero flags not allowed in calls to send() on %s( R#t ValueErrort __class__tTrueR9RR6R R Rtsend(R/R:tflagstvR8((s/usr/lib/python2.6/ssl.pyRB¦s"   cCs;|iotd|iƒ‚n|ii|||ƒSdS(Ns%sendto not allowed on instances of %s(R#R?R@Rtsendto(R/R:taddrRC((s/usr/lib/python2.6/ssl.pyRE»s cCsŽ|iom|djotd|iƒ‚nt|ƒ}d}x/||jo!|i||ƒ}||7}qCW|Sti|||ƒSdS(Nis6non-zero flags not allowed in calls to sendall() on %s(R#R?R@R7RBRtsendall(R/R:RCtamounttcountRD((s/usr/lib/python2.6/ssl.pyRGÂs    cCsS|io2|djotd|iƒ‚n|i|ƒS|ii||ƒSdS(Nis3non-zero flags not allowed in calls to recv() on %s(R#R?R@R5Rtrecv(R/tbuflenRC((s/usr/lib/python2.6/ssl.pyRJÑs  cCs­|o|djot|ƒ}n|djo d}n|ioN|djotd|iƒ‚n|i|ƒ}t|ƒ}|||*|S|ii|||ƒSdS(Niis8non-zero flags not allowed in calls to recv_into() on %s(R"R7R#R?R@R5Rt recv_into(R/tbuffertnbytesRCt tmp_bufferRD((s/usr/lib/python2.6/ssl.pyRLÛs      cCs8|iotd|iƒ‚n|ii||ƒSdS(Ns'recvfrom not allowed on instances of %s(R#R?R@Rtrecvfrom(R/RFRKRC((s/usr/lib/python2.6/ssl.pyRPìs cCs;|iotd|iƒ‚n|ii|||ƒSdS(Ns,recvfrom_into not allowed on instances of %s(R#R?R@Rt recvfrom_into(R/RMRNRC((s/usr/lib/python2.6/ssl.pyRQós cCs |io|iiƒSdSdS(Ni(R#tpending(R/((s/usr/lib/python2.6/ssl.pyRRús cCsA|io|iiƒ}d|_|Stdt|ƒƒ‚dS(NsNo SSL wrapper around (R#tshutdownR"R?tstr(R/ts((s/usr/lib/python2.6/ssl.pytunwraps   cCsd|_ti||ƒdS(N(R"R#RRS(R/thow((s/usr/lib/python2.6/ssl.pyRSs cCs=|idjod|_ti|ƒn|id8_dS(Ni(R.R"R#Rtclose(R/((s/usr/lib/python2.6/ssl.pyRX s cCs|iiƒdS(sPerform a TLS/SSL handshake.N(R#R&(R/((s/usr/lib/python2.6/ssl.pyR&scCs||iotdƒ‚nti||ƒti|it|i|i |i |i |i ƒ|_|i o|iƒndS(sQConnects to remote ADDR, and then wraps the connection in an SSL channel.s/attempt to connect already-connected SSLSocket!N(R#R?RtconnectR$R%RtFalseR'R(R)R*R+R,R&(R/RF((s/usr/lib/python2.6/ssl.pyRYs   cCsjti|ƒ\}}t|d|id|idtd|id|id|id|i d|i ƒ|fS( s¿Accepts a new connection from a remote client, and returns a tuple containing that new connection wrapped with a server-side SSL channel, and the address of the remote client.R'R(R1R)R*R+R,R-( RtacceptRR'R(RAR)R*R+R,R-(R/tnewsockRF((s/usr/lib/python2.6/ssl.pyR[)s        triÿÿÿÿcCs%|id7_t|||dtƒS(sMake and return a file-like object that works with the SSL connection. Just use the code from the socket module.iRX(R.RRA(R/tmodetbufsize((s/usr/lib/python2.6/ssl.pytmakefile;sN(t__name__t __module__t__doc__R"RZRRRARR5R9R=R>RBRERGRJRLRPRQRRRVRSRXR&RYR[R`(((s/usr/lib/python2.6/ssl.pyRSs2 %             c Cs:t|d|d|d|d|d|d|d|d|ƒS( NR'R(R1R)R*R+R,R-(R( R0R'R(R1R)R*R+R,R-((s/usr/lib/python2.6/ssl.pyt wrap_socketHs   cCs%ddk}|i|i|dƒƒS(s¢Takes a date-time string in standard ASN1_print form ("MON DAY 24HOUR:MINUTE:SEC YEAR TIMEZONE") and return a Python time value in seconds past the epoch.iÿÿÿÿNs%b %d %H:%M:%S %Y GMT(ttimetmktimetstrptime(t cert_timeRe((s/usr/lib/python2.6/ssl.pytcert_time_to_secondsWs s-----BEGIN CERTIFICATE-----s-----END CERTIFICATE-----cCsettdƒo4ti|ƒ}tdti|dƒdtdStdti|ƒtdSdS(s[Takes a certificate in binary DER format and returns the PEM version of it as a string.tstandard_b64encodes i@N(thasattrtbase64Rjt PEM_HEADERttextwraptfillt PEM_FOOTERt encodestring(tder_cert_bytestf((s/usr/lib/python2.6/ssl.pytDER_cert_to_PEM_certcs%cCs{|itƒptdtƒ‚n|iƒitƒptdtƒ‚n|iƒttƒttƒ !}ti|ƒS(shTakes a certificate in ASCII PEM format and returns the DER-encoded version of it as a byte sequences(Invalid PEM encoding; must start with %ss&Invalid PEM encoding; must end with %s( t startswithRmR?tstriptendswithRpR7Rlt decodestring(tpem_cert_stringtd((s/usr/lib/python2.6/ssl.pytPEM_cert_to_DER_certss cCsz|\}}|dj o t}nt}ttƒd|d|d|ƒ}|i|ƒ|itƒ}|iƒt |ƒS(s÷Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. If 'ssl_version' is specified, use it in the connection attempt.R*R)R+N( R"RRRdRRYR=RARXRt(RFR*R+thosttportR)RUtdercert((s/usr/lib/python2.6/ssl.pytget_server_certificates     cCsP|tjodS|tjodS|tjodS|tjodSdSdS(NtTLSv1tSSLv23tSSLv2tSSLv3s (RRRR(t protocol_code((s/usr/lib/python2.6/ssl.pytget_protocol_name”s    cCsdt|dƒo |i}nti|d||ttdƒ}y|iƒWnn X|iƒ|S(sŒA replacement for the old socket.ssl function. Designed for compability with Python 2.5 and earlier. Will disappear in Python 3.0.RiN( RkRR$R%RRR"RR&(R0R'R(tssl_sock((s/usr/lib/python2.6/ssl.pytsslwrap_simple£s   (-RcRnR$RRRRRRRRRR R R R R RRRRRRRRRRRRt _getnameinfoRlR RR"RZRARdRiRmRpRtR{RR…R‡(((s/usr/lib/python2.6/ssl.pyt8s4  "@   õ