Ñò mÈKc@sƒdZddkZddkZddklZddklZlZlZddklZlZl Z l Z ddkl Z l Z l Z ddklZlZlZlZlZlZlZlZlZddklZlZdd klZddkZd efd „ƒYZeeeee eeed „Z d „Z!dZ"dZ#d„Z$d„Z%eed„Z&d„Z'eed„Z(dS(sThis module provides some more Pythonic support for SSL. Object types: SSLSocket -- subtype of socket.socket which does SSL over the socket Exceptions: SSLError -- exception raised for I/O errors Functions: cert_time_to_seconds -- convert time string used for certificate notBefore and notAfter functions to integer seconds past the Epoch (the time values returned from time.time()) fetch_server_certificate (HOST, PORT) -- fetch the certificate provided by the server running on HOST at port PORT. No validation of the certificate is performed. Integer constants: SSL_ERROR_ZERO_RETURN SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE SSL_ERROR_WANT_X509_LOOKUP SSL_ERROR_SYSCALL SSL_ERROR_SSL SSL_ERROR_WANT_CONNECT SSL_ERROR_EOF SSL_ERROR_INVALID_ERROR_CODE The following group define certificate requirements that one side is allowing/requiring from the other side: CERT_NONE - no certificates from the other side are required (or will be looked at if provided) CERT_OPTIONAL - certificates are not required, but if provided will be validated, and if validation fails, the connection will also fail CERT_REQUIRED - certificates are required, and will be validated, and if validation fails, the connection will also fail The following constants identify various SSL protocol variants: PROTOCOL_SSLv2 PROTOCOL_SSLv3 PROTOCOL_SSLv23 PROTOCOL_TLSv1 iÿÿÿÿN(tSSLError(t CERT_NONEt CERT_OPTIONALt CERT_REQUIRED(tPROTOCOL_SSLv2tPROTOCOL_SSLv3tPROTOCOL_SSLv23tPROTOCOL_TLSv1(t RAND_statustRAND_egdtRAND_add( tSSL_ERROR_ZERO_RETURNtSSL_ERROR_WANT_READtSSL_ERROR_WANT_WRITEtSSL_ERROR_WANT_X509_LOOKUPtSSL_ERROR_SYSCALLt SSL_ERROR_SSLtSSL_ERROR_WANT_CONNECTt SSL_ERROR_EOFtSSL_ERROR_INVALID_ERROR_CODE(tsockett _fileobject(t getnameinfot SSLSocketc BseZdZddeeedeed„Zdd„Z d„Z ed„Z d„Z dd„Z dd „Zdd „Zddd „Zddd „Zddd „Zddd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zddd„ZRS(sµThis class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.c s“tiˆd|iƒd‡fd†ˆ_d‡fd†ˆ_dd‡fd†ˆ_dd‡fd†ˆ_dd‡fd†ˆ_dd‡fd †ˆ_ |o| o |}nyti ˆƒWndˆ_ nkXt i ˆi||||||ƒˆ_ |o<ˆiƒ} zˆidƒˆiƒWdˆi| ƒXn|ˆ_|ˆ_|ˆ_|ˆ_|ˆ_|ˆ_| ˆ_dˆ_dS( Nt_sockicstiˆ||ƒS((Rtsend(tdatatflags(tself(s/usr/lib/python2.6/ssl.pyt^scstiˆ|||ƒS((Rtsendto(RtaddrR(R(s/usr/lib/python2.6/ssl.pyR_sicstiˆ||ƒS((Rtrecv(tbuflenR(R(s/usr/lib/python2.6/ssl.pyR`scstiˆ|||ƒS((Rtrecvfrom(RR!R(R(s/usr/lib/python2.6/ssl.pyRascstiˆ|||ƒS((Rt recv_into(tbuffertnbytesR(R(s/usr/lib/python2.6/ssl.pyRbscstiˆ|||ƒS((Rt recvfrom_into(R$R%R(R(s/usr/lib/python2.6/ssl.pyRcs(Rt__init__RRRR R"tNoneR#R&t getpeernamet_sslobjt_ssltsslwrapt gettimeoutt settimeoutt do_handshaketkeyfiletcertfilet cert_reqst ssl_versiontca_certstdo_handshake_on_connecttsuppress_ragged_eofst_makefile_refs( RtsockR0R1t server_sideR2R3R4R5R6ttimeout((Rs/usr/lib/python2.6/ssl.pyR'Ws<           icCsVy|ii|ƒSWn;tj o/}|idtjo|iodS‚nXdS(sORead up to LEN bytes and return them. Return zero-length string on EOF.itN(R*treadRtargsRR6(Rtlentx((s/usr/lib/python2.6/ssl.pyR<‚s cCs|ii|ƒS(shWrite DATA to the underlying SSL channel. Returns number of bytes of DATA actually transmitted.(R*twrite(RR((s/usr/lib/python2.6/ssl.pyR@scCs|ii|ƒS(sáReturns a formatted version of the data in the certificate provided by the other end of the SSL channel. Return None if no certificate was provided, {} if a certificate was provided, but not validated.(R*tpeer_certificate(Rt binary_form((s/usr/lib/python2.6/ssl.pyt getpeercert–scCs |ipdS|iiƒSdS(N(R*R(tcipher(R((s/usr/lib/python2.6/ssl.pyRDŸs icCs¿|iož|djotd|iƒ‚nxŠtoky|ii|ƒ}WnJtj o>}|idtjodS|idtjodS‚q1X|Sq1Wnt i |||ƒSdS(Nis3non-zero flags not allowed in calls to send() on %s( R*t ValueErrort __class__tTrueR@RR=R R RR(RRRtvR?((s/usr/lib/python2.6/ssl.pyR¦s"   cCs;|iotd|iƒ‚nti||||ƒSdS(Ns%sendto not allowed on instances of %s(R*RERFRR(RRRR((s/usr/lib/python2.6/ssl.pyR»s cCsŽ|iom|djotd|iƒ‚nt|ƒ}d}x/||jo!|i||ƒ}||7}qCW|Sti|||ƒSdS(Nis6non-zero flags not allowed in calls to sendall() on %s(R*RERFR>RRtsendall(RRRtamounttcountRH((s/usr/lib/python2.6/ssl.pyRIÂs    cCs¢|io|djotd|iƒ‚nxmtoNy|i|ƒSWq1tj o*}|idtjoq1q‚|‚q1Xq1Wnti |||ƒSdS(Nis6non-zero flags not allowed in calls to sendall() on %s( R*RERFRGR<RR=R RR (RR!RR?((s/usr/lib/python2.6/ssl.pyR Ñs  cCsü|o|djot|ƒ}n|djo d}n|io|djotd|iƒ‚nxŒtojy-|i|ƒ}t|ƒ}|||*|SWqltj o*}|idt joqlqÙ|‚qlXqlWnt i ||||ƒSdS(Niis8non-zero flags not allowed in calls to recv_into() on %s( R(R>R*RERFRGR<RR=R RR#(RR$R%Rt tmp_bufferRHR?((s/usr/lib/python2.6/ssl.pyR#âs*      cCs;|iotd|iƒ‚nti||||ƒSdS(Ns'recvfrom not allowed on instances of %s(R*RERFRR"(RRR!R((s/usr/lib/python2.6/ssl.pyR"ús cCs;|iotd|iƒ‚nti||||ƒSdS(Ns,recvfrom_into not allowed on instances of %s(R*RERFRR&(RR$R%R((s/usr/lib/python2.6/ssl.pyR&s cCs |io|iiƒSdSdS(Ni(R*tpending(R((s/usr/lib/python2.6/ssl.pyRMs cCsA|io|iiƒ}d|_|Stdt|ƒƒ‚dS(NsNo SSL wrapper around (R*tshutdownR(REtstr(Rts((s/usr/lib/python2.6/ssl.pytunwraps   cCsd|_ti||ƒdS(N(R(R*RRN(Rthow((s/usr/lib/python2.6/ssl.pyRNs cCs=|idjod|_ti|ƒn|id8_dS(Ni(R7R(R*Rtclose(R((s/usr/lib/python2.6/ssl.pyRSs cCs|iiƒdS(sPerform a TLS/SSL handshake.N(R*R/(R((s/usr/lib/python2.6/ssl.pyR/!scCs||iotdƒ‚nti||ƒti|it|i|i |i |i |i ƒ|_|i o|iƒndS(sQConnects to remote ADDR, and then wraps the connection in an SSL channel.s/attempt to connect already-connected SSLSocket!N(R*RERtconnectR+R,RtFalseR0R1R2R3R4R5R/(RR((s/usr/lib/python2.6/ssl.pyRT's   cCsjti|ƒ\}}t|d|id|idtd|id|id|id|i d|i ƒ|fS( s¿Accepts a new connection from a remote client, and returns a tuple containing that new connection wrapped with a server-side SSL channel, and the address of the remote client.R0R1R9R2R3R4R5R6( RtacceptRR0R1RGR2R3R4R5R6(RtnewsockR((s/usr/lib/python2.6/ssl.pyRV7s        triÿÿÿÿcCs|id7_t|||ƒS(sMake and return a file-like object that works with the SSL connection. Just use the code from the socket module.i(R7R(Rtmodetbufsize((s/usr/lib/python2.6/ssl.pytmakefileIsN(t__name__t __module__t__doc__R(RURRRGR'R<R@RCRDRRRIR R#R"R&RMRQRNRSR/RTRVR[(((s/usr/lib/python2.6/ssl.pyRQs2 '            c Cs:t|d|d|d|d|d|d|d|d|ƒS( NR0R1R9R2R3R4R5R6(R( R8R0R1R9R2R3R4R5R6((s/usr/lib/python2.6/ssl.pyt wrap_socketTs   cCs%ddk}|i|i|dƒƒS(s¢Takes a date-time string in standard ASN1_print form ("MON DAY 24HOUR:MINUTE:SEC YEAR TIMEZONE") and return a Python time value in seconds past the epoch.iÿÿÿÿNs%b %d %H:%M:%S %Y GMT(ttimetmktimetstrptime(t cert_timeR`((s/usr/lib/python2.6/ssl.pytcert_time_to_secondscs s-----BEGIN CERTIFICATE-----s-----END CERTIFICATE-----cCsattdƒo0ti|ƒ}tdti|dƒtdStdti|ƒtdSdS(s[Takes a certificate in binary DER format and returns the PEM version of it as a string.tstandard_b64encodes i@N(thasattrtbase64Ret PEM_HEADERttextwraptfillt PEM_FOOTERt encodestring(tder_cert_bytestf((s/usr/lib/python2.6/ssl.pytDER_cert_to_PEM_certos!cCs{|itƒptdtƒ‚n|iƒitƒptdtƒ‚n|iƒttƒttƒ !}ti|ƒS(shTakes a certificate in ASCII PEM format and returns the DER-encoded version of it as a byte sequences(Invalid PEM encoding; must start with %ss&Invalid PEM encoding; must end with %s( t startswithRhREtstriptendswithRkR>Rgt decodestring(tpem_cert_stringtd((s/usr/lib/python2.6/ssl.pytPEM_cert_to_DER_certs cCsz|\}}|dj o t}nt}ttƒd|d|d|ƒ}|i|ƒ|itƒ}|iƒt |ƒS(s÷Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. If 'ssl_version' is specified, use it in the connection attempt.R3R2R4N( R(RRR_RRTRCRGRSRo(RR3R4thosttportR2RPtdercert((s/usr/lib/python2.6/ssl.pytget_server_certificates     cCsP|tjodS|tjodS|tjodS|tjodSdSdS(NtTLSv1tSSLv23tSSLv2tSSLv3s (RRRR(t protocol_code((s/usr/lib/python2.6/ssl.pytget_protocol_name s    cCsdt|dƒo |i}nti|d||ttdƒ}y|iƒWnn X|iƒ|S(sŒA replacement for the old socket.ssl function. Designed for compability with Python 2.5 and earlier. Will disappear in Python 3.0.RiN( RfRR+R,RRR(R)R/(R8R0R1tssl_sock((s/usr/lib/python2.6/ssl.pytsslwrap_simple¯s   ()R^RiR+RRRRRRRRRR R R R R RRRRRRRRRt _getnameinfoRgRR(RURGR_RdRhRkRoRvRzR€R‚(((s/usr/lib/python2.6/ssl.pyt8s2  "@  ÿ