Merged revisions 57620-57771 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk

........
  r57771 | thomas.wouters | 2007-08-30 23:54:39 +0200 (Thu, 30 Aug 2007) | 5 lines


  Don't lie in __all__ attributes when SSL is not available: only add the SSL
  classes when they are actually created.

........
  r57620 | walter.doerwald | 2007-08-28 18:38:26 +0200 (Tue, 28 Aug 2007) | 5 lines

  Fix title endtag in HTMLCalender.formatyearpage(). Fix documentation for
  HTMLCalender.formatyearpage() (there's no themonth parameter).

  This fixes issue1046.
........
  r57622 | georg.brandl | 2007-08-28 20:54:44 +0200 (Tue, 28 Aug 2007) | 2 lines

  Add a crasher for the thread-unsafety of file objects.
........
  r57626 | skip.montanaro | 2007-08-29 01:22:52 +0200 (Wed, 29 Aug 2007) | 1 line

  fixes 813986
........
  r57628 | walter.doerwald | 2007-08-29 01:35:33 +0200 (Wed, 29 Aug 2007) | 2 lines

  Fix test output.
........
  r57631 | skip.montanaro | 2007-08-29 03:24:11 +0200 (Wed, 29 Aug 2007) | 2 lines

  Install pygettext (once the scriptsinstall target is working again).
........
  r57633 | skip.montanaro | 2007-08-29 03:33:45 +0200 (Wed, 29 Aug 2007) | 2 lines

  Recent items.
........
  r57650 | neal.norwitz | 2007-08-29 08:15:33 +0200 (Wed, 29 Aug 2007) | 1 line

  Add Bill as a developer
........
  r57651 | facundo.batista | 2007-08-29 12:28:28 +0200 (Wed, 29 Aug 2007) | 5 lines


  Ignore test failures caused by 'resource temporarily unavailable'
  exceptions raised during FailingServerTestCase tests.
  [GSoC - Alan McIntyre]
........
  r57680 | bill.janssen | 2007-08-30 00:35:05 +0200 (Thu, 30 Aug 2007) | 17 lines

  This contains a number of things:

  1) Improve the documentation of the SSL module, with a fuller
     explanation of certificate usage, another reference, proper
     formatting of this and that.

  2) Fix Windows bug in ssl.py, and general bug in sslsocket.close().
     Remove some unused code from ssl.py.  Allow accept() to be called on
     sslsocket sockets.

  3) Use try-except-else in import of ssl in socket.py.  Deprecate use of
     socket.ssl().

  4) Remove use of socket.ssl() in every library module, except for
     test_socket_ssl.py and test_ssl.py.
........
  r57714 | georg.brandl | 2007-08-30 12:09:42 +0200 (Thu, 30 Aug 2007) | 2 lines

  Stronger urge to convert filenames to str before using them as argument to ZipFile.write().
........
  r57716 | georg.brandl | 2007-08-30 12:38:56 +0200 (Thu, 30 Aug 2007) | 2 lines

  Patch #1680959: add test suite for pipes module.
........
  r57717 | georg.brandl | 2007-08-30 14:32:23 +0200 (Thu, 30 Aug 2007) | 3 lines

  * Skip test_pipes on non-POSIX.
  * Don't raise TestSkipped within a test function.
........
  r57723 | mark.summerfield | 2007-08-30 17:03:03 +0200 (Thu, 30 Aug 2007) | 3 lines

  Added more cross-references.
........
  r57726 | walter.doerwald | 2007-08-30 17:30:09 +0200 (Thu, 30 Aug 2007) | 2 lines

  Rewrap line.
........
  r57727 | walter.doerwald | 2007-08-30 17:34:55 +0200 (Thu, 30 Aug 2007) | 2 lines

  Set startinpos before calling the error handler.
........
  r57730 | bill.janssen | 2007-08-30 19:07:28 +0200 (Thu, 30 Aug 2007) | 3 lines

  Added docstrings to methods and functions.
........
  r57743 | bill.janssen | 2007-08-30 20:08:06 +0200 (Thu, 30 Aug 2007) | 1 line

  added note on new ssl module and deprecation of socket.ssl
........
  r57747 | martin.v.loewis | 2007-08-30 20:14:01 +0200 (Thu, 30 Aug 2007) | 1 line

  Fix popen usage.
........
  r57748 | martin.v.loewis | 2007-08-30 20:15:22 +0200 (Thu, 30 Aug 2007) | 1 line

  Fix typo.
........
  r57750 | martin.v.loewis | 2007-08-30 20:25:47 +0200 (Thu, 30 Aug 2007) | 1 line

  Bug #1746880: Correctly install DLLs into system32 folder on Win64.
........
  r57760 | martin.v.loewis | 2007-08-30 21:04:09 +0200 (Thu, 30 Aug 2007) | 1 line

  Bug #1709599: Run test_1565150 only if the file system is NTFS.
........
  r57762 | martin.v.loewis | 2007-08-30 22:10:57 +0200 (Thu, 30 Aug 2007) | 2 lines

  Bump autoconf minimum version to 2.61.
........
  r57764 | lars.gustaebel | 2007-08-30 22:24:31 +0200 (Thu, 30 Aug 2007) | 2 lines

  Warn about possible risks when extracting untrusted archives.
........
  r57769 | thomas.wouters | 2007-08-30 23:01:17 +0200 (Thu, 30 Aug 2007) | 7 lines


  Somewhat-preliminary slice-object and extended slicing support for ctypes.
  The exact behaviour of omitted and negative indices for the Pointer type may
  need a closer look (especially as it's subtly different from simple slices)
  but there's time yet before 2.6, and not enough before 3.0a1 :-)
........

1 files changed, 110 insertions, 125 deletions

diff --git a/Lib/ssl.py b/Lib/ssl.py
index 77a2ceb..388c931 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -60,55 +60,47 @@ PROTOCOL_TLSv1
 import os, sys
 
 import _ssl             # if we can't import it, let the error propagate
-from socket import socket
 from _ssl import sslerror
 from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
 from _ssl import PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
+from _ssl import \
+     SSL_ERROR_ZERO_RETURN, \
+     SSL_ERROR_WANT_READ, \
+     SSL_ERROR_WANT_WRITE, \
+     SSL_ERROR_WANT_X509_LOOKUP, \
+     SSL_ERROR_SYSCALL, \
+     SSL_ERROR_SSL, \
+     SSL_ERROR_WANT_CONNECT, \
+     SSL_ERROR_EOF, \
+     SSL_ERROR_INVALID_ERROR_CODE
+
+from socket import socket
+from socket import getnameinfo as _getnameinfo
 
-# Root certs:
-#
-# The "ca_certs" argument to sslsocket() expects a file containing one or more
-# certificates that are roots of various certificate signing chains.  This file
-# contains the certificates in PEM format (RFC ) where each certificate is
-# encoded in base64 encoding and surrounded with a header and footer:
-# -----BEGIN CERTIFICATE-----
-# ... (CA certificate in base64 encoding) ...
-# -----END CERTIFICATE-----
-# The various certificates in the file are just concatenated together:
-# -----BEGIN CERTIFICATE-----
-# ... (CA certificate in base64 encoding) ...
-# -----END CERTIFICATE-----
-# -----BEGIN CERTIFICATE-----
-# ... (a second CA certificate in base64 encoding) ...
-# -----END CERTIFICATE-----
-#
-# Some "standard" root certificates are available at
-#
-# http://www.thawte.com/roots/  (for Thawte roots)
-# http://www.verisign.com/support/roots.html  (for Verisign)
 
 class sslsocket (socket):
 
+    """This class implements a subtype of socket.socket that wraps
+    the underlying OS socket in an SSL context when necessary, and
+    provides read and write methods over that channel."""
+
     def __init__(self, sock, keyfile=None, certfile=None,
                  server_side=False, cert_reqs=CERT_NONE,
                  ssl_version=PROTOCOL_SSLv23, ca_certs=None):
         socket.__init__(self, _sock=sock._sock)
         if certfile and not keyfile:
             keyfile = certfile
-        if server_side:
-            self._sslobj = _ssl.sslwrap(self._sock, 1, keyfile, certfile,
-                                        cert_reqs, ssl_version, ca_certs)
+        # see if it's connected
+        try:
+            socket.getpeername(self)
+        except:
+            # no, no connection yet
+            self._sslobj = None
         else:
-            # see if it's connected
-            try:
-                socket.getpeername(self)
-            except:
-                # no, no connection yet
-                self._sslobj = None
-            else:
-                # yes, create the SSL object
-                self._sslobj = _ssl.sslwrap(self._sock, 0, keyfile, certfile,
-                                            cert_reqs, ssl_version, ca_certs)
+            # yes, create the SSL object
+            self._sslobj = _ssl.sslwrap(self._sock, server_side,
+                                        keyfile, certfile,
+                                        cert_reqs, ssl_version, ca_certs)
         self.keyfile = keyfile
         self.certfile = certfile
         self.cert_reqs = cert_reqs
@@ -116,73 +108,123 @@ class sslsocket (socket):
         self.ca_certs = ca_certs
 
     def read(self, len=1024):
+
+        """Read up to LEN bytes and return them.
+        Return zero-length string on EOF."""
+
         return self._sslobj.read(len)
 
     def write(self, data):
+
+        """Write DATA to the underlying SSL channel.  Returns
+        number of bytes of DATA actually transmitted."""
+
         return self._sslobj.write(data)
 
     def getpeercert(self):
+
+        """Returns a formatted version of the data in the
+        certificate provided by the other end of the SSL channel.
+        Return None if no certificate was provided, {} if a
+        certificate was provided, but not validated."""
+
         return self._sslobj.peer_certificate()
 
     def send (self, data, flags=0):
-        if flags != 0:
-            raise ValueError(
-                "non-zero flags not allowed in calls to send() on %s" %
-                self.__class__)
-        return self._sslobj.write(data)
+        if self._sslobj:
+            if flags != 0:
+                raise ValueError(
+                    "non-zero flags not allowed in calls to send() on %s" %
+                    self.__class__)
+            return self._sslobj.write(data)
+        else:
+            return socket.send(self, data, flags)
 
     def send_to (self, data, addr, flags=0):
-        raise ValueError("send_to not allowed on instances of %s" %
-                         self.__class__)
+        if self._sslobj:
+            raise ValueError("send_to not allowed on instances of %s" %
+                             self.__class__)
+        else:
+            return socket.send_to(self, data, addr, flags)
 
     def sendall (self, data, flags=0):
-        if flags != 0:
-            raise ValueError(
-                "non-zero flags not allowed in calls to sendall() on %s" %
-                self.__class__)
-        return self._sslobj.write(data)
+        if self._sslobj:
+            if flags != 0:
+                raise ValueError(
+                    "non-zero flags not allowed in calls to sendall() on %s" %
+                    self.__class__)
+            return self._sslobj.write(data)
+        else:
+            return socket.sendall(self, data, flags)
 
     def recv (self, buflen=1024, flags=0):
-        if flags != 0:
-            raise ValueError(
-                "non-zero flags not allowed in calls to sendall() on %s" %
-                self.__class__)
-        return self._sslobj.read(data, buflen)
+        if self._sslobj:
+            if flags != 0:
+                raise ValueError(
+                    "non-zero flags not allowed in calls to sendall() on %s" %
+                    self.__class__)
+            return self._sslobj.read(data, buflen)
+        else:
+            return socket.recv(self, buflen, flags)
 
     def recv_from (self, addr, buflen=1024, flags=0):
-        raise ValueError("recv_from not allowed on instances of %s" %
-                         self.__class__)
+        if self._sslobj:
+            raise ValueError("recv_from not allowed on instances of %s" %
+                             self.__class__)
+        else:
+            return socket.recv_from(self, addr, buflen, flags)
+
+    def ssl_shutdown(self):
+
+        """Shuts down the SSL channel over this socket (if active),
+        without closing the socket connection."""
 
-    def shutdown(self):
         if self._sslobj:
             self._sslobj.shutdown()
             self._sslobj = None
-        else:
-            socket.shutdown(self)
+
+    def shutdown(self, how):
+        self.ssl_shutdown()
+        socket.shutdown(self, how)
 
     def close(self):
-        if self._sslobj:
-            self.shutdown()
-        else:
-            socket.close(self)
+        self.ssl_shutdown()
+        socket.close(self)
 
     def connect(self, addr):
+
+        """Connects to remote ADDR, and then wraps the connection in
+        an SSL channel."""
+
         # Here we assume that the socket is client-side, and not
         # connected at the time of the call.  We connect it, then wrap it.
-        if self._sslobj or (self.getsockname()[1] != 0):
+        if self._sslobj:
             raise ValueError("attempt to connect already-connected sslsocket!")
         socket.connect(self, addr)
-        self._sslobj = _ssl.sslwrap(self._sock, 0, self.keyfile, self.certfile,
+        self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile,
                                     self.cert_reqs, self.ssl_version,
                                     self.ca_certs)
 
     def accept(self):
-        raise ValueError("accept() not supported on an sslsocket")
+
+        """Accepts a new connection from a remote client, and returns
+        a tuple containing that new connection wrapped with a server-side
+        SSL channel, and the address of the remote client."""
+
+        newsock, addr = socket.accept(self)
+        return (sslsocket(newsock, True, self.keyfile, self.certfile,
+                         self.cert_reqs, self.ssl_version,
+                         self.ca_certs), addr)
 
 
 # some utility functions
 
 def cert_time_to_seconds(cert_time):
+
+    """Takes a date-time string in standard ASN1_print form
+    ("MON DAY 24HOUR:MINUTE:SEC YEAR TIMEZONE") and return
+    a Python time value in seconds past the epoch."""
+
     import time
     return time.mktime(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT"))
 
@@ -190,66 +232,9 @@ def cert_time_to_seconds(cert_time):
 
 def sslwrap_simple (sock, keyfile=None, certfile=None):
 
+    """A replacement for the old socket.ssl function.  Designed
+    for compability with Python 2.5 and earlier.  Will disappear in
+    Python 3.0."""
+
     return _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE,
                         PROTOCOL_SSLv23, None)
-
-# fetch the certificate that the server is providing in PEM form
-
-def fetch_server_certificate (host, port):
-
-    import re, tempfile, os
-
-    def subproc(cmd):
-        from subprocess import Popen, PIPE, STDOUT
-        proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
-        status = proc.wait()
-        output = proc.stdout.read()
-        return status, output
-
-    def strip_to_x509_cert(certfile_contents, outfile=None):
-        m = re.search(r"^([-]+BEGIN CERTIFICATE[-]+[\r]*\n"
-                      r".*[\r]*^[-]+END CERTIFICATE[-]+)$",
-                      certfile_contents, re.MULTILINE | re.DOTALL)
-        if not m:
-            return None
-        else:
-            tn = tempfile.mktemp()
-            fp = open(tn, "w")
-            fp.write(m.group(1) + "\n")
-            fp.close()
-            try:
-                tn2 = (outfile or tempfile.mktemp())
-                status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
-                                         (tn, tn2))
-                if status != 0:
-                    raise OperationError(status, tsig, output)
-                fp = open(tn2, 'rb')
-                data = fp.read()
-                fp.close()
-                os.unlink(tn2)
-                return data
-            finally:
-                os.unlink(tn)
-
-    if sys.platform.startswith("win"):
-        tfile = tempfile.mktemp()
-        fp = open(tfile, "w")
-        fp.write("quit\n")
-        fp.close()
-        try:
-            status, output = subproc(
-                'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
-                (host, port, tfile))
-        finally:
-            os.unlink(tfile)
-    else:
-        status, output = subproc(
-            'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
-            (host, port))
-    if status != 0:
-        raise OSError(status)
-    certtext = strip_to_x509_cert(output)
-    if not certtext:
-        raise ValueError("Invalid response received from server at %s:%s" %
-                         (host, port))
-    return certtext