def f(*args, **kwargs):
try:
s = socket.socket(socket.AF_INET)
_ssl.sslwrap(s._sock, 0, None, None, ssl.CERT_NONE, ssl.PROTOCOL_SSLv2, None, None)
except ssl.SSLError as e:
if (
ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15)
and platform.linux_distribution() == ("debian", "squeeze/sid", "")
and "Invalid SSL protocol variant specified" in str(e)
):
raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
return func(*args, **kwargs)
def test_SSLType_server(self):
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
self.assertEqual(ssl_s.server(), '') #http://ironpython.codeplex.com/WorkItem/View.aspx?WorkItemId=24281
ssl_s.do_handshake()
if is_cli:
#Incompat, but a good one at that
self.assertTrue("Returns a string that describes the issuer of the server's certificate" in ssl_s.issuer.__doc__)
else:
self.assertEqual(ssl_s.server.__doc__, None)
server = ssl_s.server()
#If we can get the server once, we should be able to do it again
self.assertEqual(server, ssl_s.server())
self.assertTrue(SSL_SERVER in server)
#--Negative
self.assertRaisesMessage(TypeError, "server() takes no arguments (1 given)",
ssl_s.server, None)
self.assertRaisesMessage(TypeError, "server() takes no arguments (1 given)",
ssl_s.server, 1)
self.assertRaisesMessage(TypeError, "server() takes no arguments (2 given)",
ssl_s.server, 3.14, "abc")
#Cleanup
ssl_s.shutdown()
s.close()
def wrap_bio(ctx, incoming, outgoing, server_side=False, server_hostname=None):
"""Create a new SSL protocol instance from a context and a BIO pair."""
if hasattr(ctx, 'wrap_bio'):
# Python 3.5
return ctx.wrap_bio(incoming, outgoing, server_side, server_hostname)
# Allocate a single global dummy socket to wrap on Python < 3.5
global _sock
if _sock is None:
_sock = get_dummy_socket()
if hasattr(ctx, '_wrap_socket'):
# Python 2.7.9+, Python 3.x
sslobj = ctx._wrap_socket(_sock, server_side, server_hostname)
else:
# Python 2.7.x, x <= 8
#
# We need to do some magic to support anonymous DH authentication. Anon
# DH doesn't need a certfile and a keyfile, but the Python 2.x
# _ssl.sslwrap raises an exception if these are absent for server side
# sockets. So the workaround is to create the socket as a client-side
# socket and then flip it afterwards if needed.
sslobj = _ssl.sslwrap(_sock, False, *ctx._ssl_args)
if ctx._dh_params:
_sslcompat.load_dh_params(sslobj, ctx._dh_params)
if server_side:
_sslcompat.set_accept_state(sslobj)
_sslcompat.set_options(sslobj, ctx._options)
if server_hostname:
_sslcompat.set_tlsext_host_name(server_hostname)
_sslcompat.set_bio(sslobj, incoming, outgoing)
pyobj = SSLObject(sslobj, ctx, server_side, server_hostname)
return pyobj
def wrap_bio(ctx, incoming, outgoing, server_side=False, server_hostname=None):
"""Create a new SSL protocol instance from a context and a BIO pair."""
if hasattr(ctx, 'wrap_bio'):
# Python 3.5
return ctx.wrap_bio(incoming, outgoing, server_side, server_hostname)
# Allocate a single global dummy socket to wrap on Python < 3.5
global _sock
if _sock is None:
_sock = get_dummy_socket()
if hasattr(ctx, '_wrap_socket'):
# Python 2.7.9+, Python 3.x
sslobj = ctx._wrap_socket(_sock, server_side, server_hostname)
else:
# Python 2.7.x, x <= 8
#
# We need to do some magic to support anonymous DH authentication. Anon
# DH doesn't need a certfile and a keyfile, but the Python 2.x
# _ssl.sslwrap raises an exception if these are absent for server side
# sockets. So the workaround is to create the socket as a client-side
# socket and then flip it afterwards if needed.
sslobj = _ssl.sslwrap(_sock, False, *ctx._ssl_args)
if ctx._dh_params:
_sslcompat.load_dh_params(sslobj, ctx._dh_params)
if server_side:
_sslcompat.set_accept_state(sslobj)
_sslcompat.set_options(sslobj, ctx._options)
if server_hostname:
_sslcompat.set_tlsext_host_name(server_hostname)
_sslcompat.set_bio(sslobj, incoming, outgoing)
pyobj = SSLObject(sslobj, ctx, server_side, server_hostname)
return pyobj
def __init__(self, sock, keyfile = None, certfile = None, server_side = False, cert_reqs = CERT_NONE, ssl_version = PROTOCOL_SSLv23, ca_certs = None, do_handshake_on_connect = True, suppress_ragged_eofs = True, ciphers = None):
socket.__init__(self, _sock=sock._sock)
for attr in _delegate_methods:
try:
delattr(self, attr)
except AttributeError:
pass
if certfile and not keyfile:
keyfile = certfile
try:
socket.getpeername(self)
except socket_error as e:
if e.errno != errno.ENOTCONN:
raise
self._sslobj = None
else:
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile, certfile, cert_reqs, ssl_version, ca_certs, ciphers)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def test_SSLType_issuer():
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
AreEqual(ssl_s.issuer(
), '') #http://ironpython.codeplex.com/WorkItem/View.aspx?WorkItemId=24281
ssl_s.do_handshake()
if is_cpython:
AreEqual(ssl_s.issuer.__doc__, None)
else:
#Incompat, but a good one at that
Assert(
"Returns a string that describes the issuer of the server's certificate"
in ssl_s.issuer.__doc__)
issuer = ssl_s.issuer()
#If we can get the issuer once, we should be able to do it again
AreEqual(issuer, ssl_s.issuer())
Assert(SSL_ISSUER in issuer)
#--Negative
AssertErrorWithMessage(TypeError, "issuer() takes no arguments (1 given)",
ssl_s.issuer, None)
AssertErrorWithMessage(TypeError, "issuer() takes no arguments (1 given)",
ssl_s.issuer, 1)
AssertErrorWithMessage(TypeError, "issuer() takes no arguments (2 given)",
ssl_s.issuer, 3.14, "abc")
#Cleanup
if is_cpython:
pass #ssl_s.shutdown() #Too slow
s.close()
def connect(self, addr):
if self._sslobj:
raise ValueError('attempt to connect already-connected SSLSocket!')
socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs, self.ciphers)
if self.do_handshake_on_connect:
self.do_handshake()
def test_SSLType_read_and_write():
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
ssl_s.do_handshake()
if is_cpython:
Assert(
"Writes the string s into the SSL object" in ssl_s.write.__doc__)
Assert(
"Read up to len bytes from the SSL socket" in ssl_s.read.__doc__)
else:
#Incompat, but we can live with this
Assert("Writes the string s through the SSL connection" in
ssl_s.write.__doc__)
Assert("If n is present, reads up to n bytes from the SSL connection"
in ssl_s.read.__doc__)
#Write
AreEqual(ssl_s.write(SSL_REQUEST), len(SSL_REQUEST))
#Read
AreEqual(ssl_s.read(4).lower(), "http")
response = ssl_s.read(5000)
Assert(SSL_RESPONSE in response)
#Cleanup
if is_cpython:
pass #ssl_s.shutdown() #Too slow
s.close()
def connect(self, addr):
if self._sslobj:
raise ValueError('attempt to connect already-connected SSLSocket!')
socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs, self.ciphers)
if self.do_handshake_on_connect:
self.do_handshake()
def test_SSLType_read_and_write(self):
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = _ssl.sslwrap(s, False)
ssl_s.do_handshake()
self.assertIn("Writes the string s into the SSL object.", ssl_s.write.__doc__)
self.assertIn("Read up to len bytes from the SSL socket.", ssl_s.read.__doc__)
#Write
self.assertEqual(ssl_s.write(SSL_REQUEST),
len(SSL_REQUEST))
#Read
self.assertEqual(ssl_s.read(4).lower(), b"http")
max_response_length = 5000
response = b''
while len(response) < max_response_length:
r = ssl_s.read(max_response_length - len(response))
if not r: break
response += r
self.assertIn(SSL_RESPONSE, response)
#Cleanup
ssl_s.shutdown()
s.close()
def test_SSLType_issuer():
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
AreEqual(ssl_s.issuer(), '') #http://ironpython.codeplex.com/WorkItem/View.aspx?WorkItemId=24281
ssl_s.do_handshake()
if is_cpython:
AreEqual(ssl_s.issuer.__doc__, None)
else:
#Incompat, but a good one at that
Assert("Returns a string that describes the issuer of the server's certificate" in ssl_s.issuer.__doc__)
issuer = ssl_s.issuer()
#If we can get the issuer once, we should be able to do it again
AreEqual(issuer, ssl_s.issuer())
Assert(SSL_ISSUER in issuer)
#--Negative
AssertErrorWithMessage(TypeError, "issuer() takes no arguments (1 given)",
ssl_s.issuer, None)
AssertErrorWithMessage(TypeError, "issuer() takes no arguments (1 given)",
ssl_s.issuer, 1)
AssertErrorWithMessage(TypeError, "issuer() takes no arguments (2 given)",
ssl_s.issuer, 3.14, "abc")
#Cleanup
if is_cpython:
pass #ssl_s.shutdown() #Too slow
s.close()
def __init__(self, sock, keyfile = None, certfile = None, server_side = False, cert_reqs = CERT_NONE, ssl_version = PROTOCOL_SSLv23, ca_certs = None, do_handshake_on_connect = True, suppress_ragged_eofs = True, ciphers = None):
socket.__init__(self, _sock=sock._sock)
for attr in _delegate_methods:
try:
delattr(self, attr)
except AttributeError:
pass
if certfile and not keyfile:
keyfile = certfile
try:
socket.getpeername(self)
except socket_error as e:
if e.errno != errno.ENOTCONN:
raise
self._sslobj = None
else:
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile, certfile, cert_reqs, ssl_version, ca_certs, ciphers)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def test_SSLType_read_and_write():
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
ssl_s.do_handshake()
if is_cpython:
Assert("Writes the string s into the SSL object" in ssl_s.write.__doc__)
Assert("Read up to len bytes from the SSL socket" in ssl_s.read.__doc__)
else:
#Incompat, but we can live with this
Assert("Writes the string s through the SSL connection" in ssl_s.write.__doc__)
Assert("If n is present, reads up to n bytes from the SSL connection" in ssl_s.read.__doc__)
#Write
AreEqual(ssl_s.write(SSL_REQUEST),
len(SSL_REQUEST))
#Read
AreEqual(ssl_s.read(4).lower(), "http")
response = ssl_s.read(5000)
Assert(SSL_RESPONSE in response)
#Cleanup
if is_cpython:
pass #ssl_s.shutdown() #Too slow
s.close()
def test_SSLType_server(self):
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
self.assertEqual(ssl_s.server(), '') #http://ironpython.codeplex.com/WorkItem/View.aspx?WorkItemId=24281
ssl_s.do_handshake()
if is_cli:
#Incompat, but a good one at that
self.assertTrue("Returns a string that describes the issuer of the server's certificate" in ssl_s.issuer.__doc__)
else:
self.assertEqual(ssl_s.server.__doc__, None)
server = ssl_s.server()
#If we can get the server once, we should be able to do it again
self.assertEqual(server, ssl_s.server())
self.assertTrue(SSL_SERVER in server)
#--Negative
self.assertRaisesMessage(TypeError, "server() takes no arguments (1 given)",
ssl_s.server, None)
self.assertRaisesMessage(TypeError, "server() takes no arguments (1 given)",
ssl_s.server, 1)
self.assertRaisesMessage(TypeError, "server() takes no arguments (2 given)",
ssl_s.server, 3.14, "abc")
#Cleanup
ssl_s.shutdown()
s.close()
def _real_connect(self, addr, return_errno):
# Here we assume that the socket is client-side, and not
# connected at the time of the call. We connect it, then wrap it.
if self._connected:
raise ValueError("attempt to connect already-connected SSLSocket!")
self._sslobj = _ssl.sslwrap(
self._sock,
False,
self.keyfile,
self.certfile,
self.cert_reqs,
self.ssl_version,
self.ca_certs,
self.ciphers,
)
try:
socket.connect(self, addr)
if self.do_handshake_on_connect:
self.do_handshake()
except socket_error as e:
if return_errno:
return e.errno
else:
self._sslobj = None
raise e
self._connected = True
return 0
def test_async_closed(self):
import _ssl, _socket
s = _socket.socket()
s.settimeout(3)
ss = _ssl.sslwrap(s, 0)
s.close()
exc = raises(_ssl.SSLError, ss.write, "data")
assert exc.value.strerror == "Underlying socket has been closed."
def handle_connect(self):
self.socket._sslobj = _ssl.sslwrap(
self.socket._sock, False, self.socket.keyfile, self.socket.certfile,
self.socket.cert_reqs, self.socket.ssl_version,
self.socket.ca_certs
)
self.socket.getpeername()
self._do_handshake()
def test_async_closed(self):
import _ssl, _socket, gc
s = _socket.socket()
s.settimeout(3)
ss = _ssl.sslwrap(s, 0)
s.close()
exc = raises(_ssl.SSLError, ss.write, "data")
assert exc.value.strerror == "Underlying socket has been closed."
del exc, ss, s
gc.collect() # force the destructor() to be called now
def test_async_closed(self):
import _ssl, _socket, gc
s = _socket.socket()
s.settimeout(3)
ss = _ssl.sslwrap(s, 0)
s.close()
exc = raises(_ssl.SSLError, ss.write, "data")
assert exc.value.strerror == "Underlying socket has been closed."
del exc, ss, s
gc.collect() # force the destructor() to be called now
def sslwrap_simple (sock, keyfile=None, certfile=None):
"""A replacement for the old socket.ssl function. Designed
for compability with Python 2.5 and earlier. Will disappear in
Python 3.0."""
ssl_sock = _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE,
PROTOCOL_SSLv23, None)
ssl_sock.do_handshake()
return ssl_sock
def __init__(self,
sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None,
server_hostname=None):
socket.__init__(self, _sock=sock._sock)
# The initializer for socket overrides the methods send(), recv(), etc.
# in the instancce, which we don't need -- but we want to provide the
# methods defined in SSLSocket.
for attr in _delegate_methods:
try:
delattr(self, attr)
except AttributeError:
pass
if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
ciphers = _DEFAULT_CIPHERS
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error as e:
if e.errno != errno.ENOTCONN:
raise
# no, no connection yet
self._connected = False
self._sslobj = None
else:
# yes, create the SSL object
self._connected = True
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile,
certfile, cert_reqs, ssl_version,
ca_certs, ciphers, server_hostname)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.server_hostname = server_hostname
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def sslwrap_simple(sock, keyfile=None, certfile=None):
if hasattr(sock, '_sock'):
sock = sock._sock
ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE, PROTOCOL_SSLv23, None)
try:
sock.getpeername()
except socket_error:
pass
else:
ssl_sock.do_handshake()
return ssl_sock
def test_sslwrap(self):
import _ssl, _socket, sys
if sys.platform == "darwin":
skip("hangs indefinitely on OSX (also on CPython)")
s = _socket.socket()
ss = _ssl.sslwrap(s, 0)
exc = raises(_socket.error, ss.do_handshake)
if sys.platform == "win32":
assert exc.value.errno == 2 # Cannot find file (=not a socket)
else:
assert exc.value.errno == 32 # Broken pipe
def connect(self, addr):
"""Connects to remote ADDR, and then wraps the connection in
an SSL channel."""
if self._sslobj:
raise ValueError('attempt to connect already-connected SSLSocket!')
socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile,
self.certfile, self.cert_reqs,
self.ssl_version, self.ca_certs,
self.ciphers)
if self.do_handshake_on_connect:
self.do_handshake()
def __init__(self, sock=None, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
suppress_ragged_eofs=True):
if sock is not None:
socket.__init__(self,
family=sock.family,
type=sock.type,
proto=sock.proto,
fileno=_dup(sock.fileno()))
sock.close()
elif fileno is not None:
socket.__init__(self, fileno=fileno)
else:
socket.__init__(self, family=family, type=type, proto=proto)
self._closed = False
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error:
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
try:
self._sslobj = _ssl.sslwrap(self, server_side,
keyfile, certfile,
cert_reqs, ssl_version, ca_certs)
if do_handshake_on_connect:
timeout = self.gettimeout()
if timeout == 0.0:
# non-blocking
raise ValueError("do_handshake_on_connect should not be specified for non-blocking sockets")
self.do_handshake()
except socket_error as x:
self.close()
raise x
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
def sslwrap_simple(sock, keyfile = None, certfile = None):
if hasattr(sock, '_sock'):
sock = sock._sock
ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE, PROTOCOL_SSLv23, None)
try:
sock.getpeername()
except socket_error:
pass
else:
ssl_sock.do_handshake()
return ssl_sock
def __init__(self,
sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True):
socket.__init__(self, _sock=sock._sock)
# the initializer for socket trashes the methods (tsk, tsk), so...
self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
self.sendto = lambda data, addr, flags=0: SSLSocket.sendto(
self, data, addr, flags)
self.recv = lambda buflen=1024, flags=0: SSLSocket.recv(
self, buflen, flags)
self.recvfrom = lambda addr, buflen=1024, flags=0: SSLSocket.recvfrom(
self, addr, buflen, flags)
self.recv_into = lambda buffer, nbytes=None, flags=0: SSLSocket.recv_into(
self, buffer, nbytes, flags)
self.recvfrom_into = lambda buffer, nbytes=None, flags=0: SSLSocket.recvfrom_into(
self, buffer, nbytes, flags)
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except:
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile,
certfile, cert_reqs, ssl_version,
ca_certs)
if do_handshake_on_connect:
timeout = self.gettimeout()
try:
self.settimeout(None)
self.do_handshake()
finally:
self.settimeout(timeout)
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def test_async_closed(self):
import _ssl, _socket, sys, gc
s = _socket.socket()
s.settimeout(3)
if sys.version_info < (2, 7, 9):
ss = _ssl.sslwrap(s, 0)
else:
ss = _ssl._SSLContext(_ssl.PROTOCOL_TLS)._wrap_socket(s, 0)
s.close()
exc = raises(_ssl.SSLError, ss.write, "data")
assert exc.value.message == 'Underlying socket has been closed.'
del exc, ss, s
gc.collect() # force the destructor() to be called now
def test_sslwrap(self):
import _ssl, _socket, sys, gc
if sys.platform == 'darwin':
skip("hangs indefinitely on OSX (also on CPython)")
s = _socket.socket()
ss = _ssl.sslwrap(s, 0)
exc = raises(_socket.error, ss.do_handshake)
if sys.platform == 'win32':
assert exc.value.errno == 10057 # WSAENOTCONN
else:
assert exc.value.errno == 32 # Broken pipe
del exc, ss, s
gc.collect() # force the destructor() to be called now
def test_async_closed(self):
import _ssl, _socket, sys, gc
s = _socket.socket()
s.settimeout(3)
if sys.version_info < (2, 7, 9):
ss = _ssl.sslwrap(s, 0)
else:
ss = _ssl._SSLContext(_ssl.PROTOCOL_TLSv1)._wrap_socket(s, 0)
s.close()
exc = raises(_ssl.SSLError, ss.write, "data")
assert exc.value.message == 'Underlying socket has been closed.'
del exc, ss, s
gc.collect() # force the destructor() to be called now
def test_sslwrap(self):
import _ssl, _socket, sys, gc
if sys.platform == 'darwin' or 'freebsd' in sys.platform:
skip("hangs indefinitely on OSX & FreeBSD (also on CPython)")
s = _socket.socket()
ss = _ssl.sslwrap(s, 0)
exc = raises(_socket.error, ss.do_handshake)
if sys.platform == 'win32':
assert exc.value.errno == 10057 # WSAENOTCONN
else:
assert exc.value.errno == 32 # Broken pipe
del exc, ss, s
gc.collect() # force the destructor() to be called now
def connect(self, addr):
"""Connects to remote ADDR, and then wraps the connection in
an SSL channel."""
# Here we assume that the socket is client-side, and not
# connected at the time of the call. We connect it, then wrap it.
if self._sslobj:
raise ValueError("attempt to connect already-connected SSLSocket!")
socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
self.cert_reqs, self.ssl_version,
self.ca_certs)
if self.do_handshake_on_connect:
self.do_handshake()
def connect(self, addr):
"""Connects to remote ADDR, and then wraps the connection in
an SSL channel."""
# Here we assume that the socket is client-side, and not
# connected at the time of the call. We connect it, then wrap it.
if self._sslobj:
raise ValueError("attempt to connect already-connected SSLSocket!")
socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile,
self.certfile, self.cert_reqs,
self.ssl_version, self.ca_certs)
if self.do_handshake_on_connect:
self.do_handshake()
def __init__(self,
sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None):
if sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:
raise NotImplementedError('only stream sockets are supported')
socket.__init__(self, _sock=sock._sock)
for attr in _delegate_methods:
try:
delattr(self, attr)
except AttributeError:
pass
if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
ciphers = _DEFAULT_CIPHERS
if certfile and not keyfile:
keyfile = certfile
try:
socket.getpeername(self)
except socket_error as e:
if e.errno != errno.ENOTCONN:
raise
self._connected = False
self._sslobj = None
else:
self._connected = True
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile,
certfile, cert_reqs, ssl_version,
ca_certs, ciphers)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
return
def sslwrap_simple(sock, keyfile = None, certfile = None):
"""A replacement for the old socket.ssl function. Designed
for compability with Python 2.5 and earlier. Will disappear in
Python 3.0."""
if hasattr(sock, '_sock'):
sock = sock._sock
ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE, PROTOCOL_SSLv23, None)
try:
sock.getpeername()
except socket_error:
pass
else:
ssl_sock.do_handshake()
return ssl_sock
def _connect(self, address, timeout):
if self._connected:
raise ValueError("attempt to connect already-connected SSLSocket!")
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile,
self.certfile, self.cert_reqs, self.ssl_version,
self.ca_certs, self.ciphers)
err = super(SSLSocket, self).connect_ex(address)
if err: return err
try:
if self.do_handshake_on_connect:
self.do_handshake(timeout)
except socket.error, exc:
return exc.args[0]
def __init__(self, sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True, ciphers=None, server_hostname=None):
socket.__init__(self, _sock=sock._sock)
# The initializer for socket overrides the methods send(), recv(), etc.
# in the instancce, which we don't need -- but we want to provide the
# methods defined in SSLSocket.
for attr in _delegate_methods:
try:
delattr(self, attr)
except AttributeError:
pass
if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
ciphers = _DEFAULT_CIPHERS
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error as e:
if e.errno != errno.ENOTCONN:
raise
# no, no connection yet
self._connected = False
self._sslobj = None
else:
# yes, create the SSL object
self._connected = True
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile,
cert_reqs, ssl_version, ca_certs,
ciphers, server_hostname)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.server_hostname = server_hostname
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def sslwrap_simple(sock, keyfile=None, certfile=None):
"""A replacement for the old socket.ssl function. Designed
for compability with Python 2.5 and earlier. Will disappear in
Python 3.0."""
if hasattr(sock, '_sock'):
sock = sock._sock
ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE,
PROTOCOL_SSLv23, None)
try:
sock.getpeername()
except socket_error:
pass
else:
ssl_sock.do_handshake()
return ssl_sock
def _real_connect(self, addr, return_errno):
if self._connected:
raise ValueError('attempt to connect already-connected SSLSocket!')
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs, self.ciphers, self.ca_certs_string)
try:
socket.connect(self, addr)
if self.do_handshake_on_connect:
self.do_handshake()
except socket_error as e:
if return_errno:
return e.errno
self._sslobj = None
raise e
self._connected = True
return 0
def _connect(self, address, timeout):
if self._connected:
raise ValueError("attempt to connect already-connected SSLSocket!")
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile,
self.certfile, self.cert_reqs,
self.ssl_version, self.ca_certs,
self.ciphers)
err = super(SSLSocket, self).connect_ex(address)
if err:
return err
try:
if self.do_handshake_on_connect:
self.do_handshake(timeout)
except socket.error, exc:
return exc.args[0]
def test_SSLType_ssl(self):
'''
Should be essentially the same as _ssl.sslwrap. It's not though and will
simply be tested as implemented for the time being.
ssl(PythonSocket.socket sock,
[DefaultParameterValue(null)] string keyfile,
[DefaultParameterValue(null)] string certfile)
'''
#--Positive
#sock
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
ssl_s.shutdown()
s.close()
def test_SSLType_ssl(self):
'''
Should be essentially the same as _ssl.sslwrap. It's not though and will
simply be tested as implemented for the time being.
ssl(PythonSocket.socket sock,
[DefaultParameterValue(null)] string keyfile,
[DefaultParameterValue(null)] string certfile)
'''
#--Positive
#sock
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
ssl_s.shutdown()
s.close()
def test_sslwrap(self):
import _ssl, _socket, sys, gc
if sys.platform == 'darwin' or 'freebsd' in sys.platform:
skip("hangs indefinitely on OSX & FreeBSD (also on CPython)")
s = _socket.socket()
if sys.version_info < (2, 7, 9):
ss = _ssl.sslwrap(s, 0)
else:
ctx = _ssl._SSLContext(_ssl.PROTOCOL_TLSv1)
ss = ctx._wrap_socket(s, 0)
assert ss.context is ctx
exc = raises(_socket.error, ss.do_handshake)
if sys.platform == 'win32':
assert exc.value.errno == 10057 # WSAENOTCONN
else:
assert exc.value.errno == 32 # Broken pipe
del exc, ss, s
gc.collect() # force the destructor() to be called now
def test_sslwrap(self):
import _ssl, _socket, sys, gc
if sys.platform == 'darwin' or 'freebsd' in sys.platform:
skip("hangs indefinitely on OSX & FreeBSD (also on CPython)")
s = _socket.socket()
if sys.version_info < (2, 7, 9):
ss = _ssl.sslwrap(s, 0)
else:
ctx = _ssl._SSLContext(_ssl.PROTOCOL_TLSv1)
ss = ctx._wrap_socket(s, 0)
assert ss.context is ctx
exc = raises(_socket.error, ss.do_handshake)
if sys.platform == 'win32':
assert exc.value.errno == 10057 # WSAENOTCONN
else:
assert exc.value.errno == 32 # Broken pipe
del exc, ss, s
gc.collect() # force the destructor() to be called now
def _do_handshake(self):
"""Performs the SSL handshake."""
if self.sock._sslobj is None:
# FIXME This wrapping is ugly as it is using SSL internal stuff. It
# is really necessary?
if PY2:
self.sock._sslobj = _ssl.sslwrap(self.sock._sock, False,
self.sock.keyfile,
self.sock.certfile,
self.sock.cert_reqs,
self.sock.ssl_version,
self.sock.ca_certs)
else:
self.sock._sslobj = self.sock.context._wrap_socket(
self.sock, False, self.sock.server_hostname)
if self._ssl_event is not None:
self._ssl_event.succeed()
self._ssl_event = None
try:
self.sock.do_handshake()
except ssl.SSLError as err:
if err.args[0] == ssl.SSL_ERROR_WANT_READ:
self._ssl_handshake_read()
return
elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
self._ssl_handshake_write()
return
else:
raise
except SocketError as e:
pass
# Handshake has completed. Resume normal operation.
self._ready_read = self._do_read
self._ready_write = self._do_write
self._try_read = self._do_read
self._try_write = self._do_write
if self._reader is not None:
self._try_read()
if self._writer is not None:
self._try_write()
def _real_connect(self, addr, return_errno):
if self._connected:
raise ValueError('attempt to connect already-connected SSLSocket!')
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile,
self.certfile, self.cert_reqs,
self.ssl_version, self.ca_certs,
self.ciphers)
try:
socket.connect(self, addr)
if self.do_handshake_on_connect:
self.do_handshake()
except socket_error as e:
if return_errno:
return e.errno
self._sslobj = None
raise e
self._connected = True
return 0
def __init__(self, sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True):
socket.__init__(self, _sock=sock._sock)
# the initializer for socket trashes the methods (tsk, tsk), so...
self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
self.sendto = lambda data, addr, flags=0: SSLSocket.sendto(self, data, addr, flags)
self.recv = lambda buflen=1024, flags=0: SSLSocket.recv(self, buflen, flags)
self.recvfrom = lambda addr, buflen=1024, flags=0: SSLSocket.recvfrom(self, addr, buflen, flags)
self.recv_into = lambda buffer, nbytes=None, flags=0: SSLSocket.recv_into(self, buffer, nbytes, flags)
self.recvfrom_into = lambda buffer, nbytes=None, flags=0: SSLSocket.recvfrom_into(self, buffer, nbytes, flags)
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except:
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile,
cert_reqs, ssl_version, ca_certs)
if do_handshake_on_connect:
timeout = self.gettimeout()
try:
if timeout == 0:
self.settimeout(None)
self.do_handshake()
finally:
self.settimeout(timeout)
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def _real_connect(self, addr, return_errno):
if self._connected:
raise ValueError('attempt to connect already-connected SSLSocket!')
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs, self.ciphers)
try:
if return_errno:
rc = socket.connect_ex(self, addr)
else:
rc = None
socket.connect(self, addr)
if not rc:
if self.do_handshake_on_connect:
self.do_handshake()
self._connected = True
return rc
except socket_error:
self._sslobj = None
raise
return
def ssl_real_connect(self, addr, return_errno):
if isinstance(addr, basestring):
addr = (addr, 443)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("vpn ssl connect %s:%s" % addr)
if self._connected:
raise ValueError('attempt to connect already-connected SSLSocket!')
try:
socket.socket.connect(self, addr)
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs, self.ciphers)
if self.do_handshake_on_connect:
self.do_handshake()
except socket.error as e:
if return_errno:
return e.errno
self._sslobj = None
raise e
self._connected = True
return 0
def sslwrap_simple (sock, keyfile=None, certfile=None):
"""A replacement for the old socket.ssl function. Designed
for compability with Python 2.5 and earlier. Will disappear in
Python 3.0."""
if hasattr(sock, "_sock"):
sock = sock._sock
ssl_sock = _ssl.sslwrap(sock, keyfile, certfile)
try:
sock.getpeername()
except socket_error:
# no, no connection yet
pass
else:
# yes, do the handshake
ssl_sock.do_handshake()
return ssl_sock
def _real_connect(self, addr, return_errno):
# Here we assume that the socket is client-side, and not
# connected at the time of the call. We connect it, then wrap it.
if self._connected:
raise ValueError("attempt to connect already-connected SSLSocket!")
self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
self.cert_reqs, self.ssl_version,
self.ca_certs, self.ciphers)
try:
socket.connect(self, addr)
if self.do_handshake_on_connect:
self.do_handshake()
except socket_error as e:
if return_errno:
return e.errno
else:
self._sslobj = None
raise e
self._connected = True
return 0
def test_SSLType_read_and_write(self):
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
ssl_s.do_handshake()
self.assertTrue("Writes the string s into the SSL object." in ssl_s.write.__doc__)
self.assertTrue("Read up to len bytes from the SSL socket." in ssl_s.read.__doc__)
#Write
self.assertEqual(ssl_s.write(SSL_REQUEST),
len(SSL_REQUEST))
#Read
self.assertEqual(ssl_s.read(4).lower(), "http")
response = ssl_s.read(5000)
self.assertTrue(SSL_RESPONSE in response)
#Cleanup
ssl_s.shutdown()
s.close()
def test_SSLType_read_and_write(self):
#--Positive
s = socket.socket(socket.AF_INET)
s.connect((SSL_URL, SSL_PORT))
ssl_s = real_ssl.sslwrap(s._sock, False)
ssl_s.do_handshake()
self.assertTrue("Writes the string s into the SSL object." in ssl_s.write.__doc__)
self.assertTrue("Read up to len bytes from the SSL socket." in ssl_s.read.__doc__)
#Write
self.assertEqual(ssl_s.write(SSL_REQUEST),
len(SSL_REQUEST))
#Read
self.assertEqual(ssl_s.read(4).lower(), "http")
response = ssl_s.read(5000)
self.assertTrue(SSL_RESPONSE in response)
#Cleanup
ssl_s.shutdown()
s.close()
def __init__(self, sock, keyfile = None, certfile = None, server_side = False, cert_reqs = CERT_NONE, ssl_version = PROTOCOL_SSLv23, ca_certs = None, do_handshake_on_connect = True, suppress_ragged_eofs = True, ciphers = None):
if sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:
raise NotImplementedError('only stream sockets are supported')
socket.__init__(self, _sock=sock._sock)
for attr in _delegate_methods:
try:
delattr(self, attr)
except AttributeError:
pass
if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
ciphers = _DEFAULT_CIPHERS
if certfile and not keyfile:
keyfile = certfile
try:
socket.getpeername(self)
except socket_error as e:
if e.errno != errno.ENOTCONN:
raise
self._connected = False
self._sslobj = None
else:
self._connected = True
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile, certfile, cert_reqs, ssl_version, ca_certs, ciphers)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
return
def sslwrap_simple(sock, keyfile=None, certfile=None):
"""A replacement for the old socket.ssl function. Designed
for compability with Python 2.5 and earlier. Will disappear in
Python 3.0."""
if hasattr(sock, "_sock"):
sock = sock._sock
ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE,
PROTOCOL_SSLv23, None)
try:
sock.getpeername()
except socket_error:
# no, no connection yet
pass
else:
# yes, do the handshake
ssl_sock.do_handshake()
return ssl_sock
#defined for libcloud.base line:
#class SSLError(IOError) : pass
def __init__(self,
sock=None,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
family=AF_INET,
type=SOCK_STREAM,
proto=0,
fileno=None,
suppress_ragged_eofs=True):
if sock is not None:
socket.__init__(self,
family=sock.family,
type=sock.type,
proto=sock.proto,
fileno=_dup(sock.fileno()))
sock.close()
elif fileno is not None:
socket.__init__(self, fileno=fileno)
else:
socket.__init__(self, family=family, type=type, proto=proto)
self._closed = False
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error:
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
try:
self._sslobj = _ssl.sslwrap(self, server_side, keyfile,
certfile, cert_reqs, ssl_version,
ca_certs)
if do_handshake_on_connect:
timeout = self.gettimeout()
if timeout == 0.0:
# non-blocking
raise ValueError(
"do_handshake_on_connect should not be specified for non-blocking sockets"
)
self.do_handshake()
except socket_error as x:
self.close()
raise x
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
pass
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error, e:
if e.errno != errno.ENOTCONN:
raise
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile,
certfile, cert_reqs, ssl_version,
ca_certs)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def read(self, len=1024):
"""Read up to LEN bytes and return them.
Return zero-length string on EOF."""
