# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # import socket from qpid.util import connect TRANSPORTS = {} class SocketTransport: def __init__(self, conn, host, port): self.socket = connect(host, port) if conn.tcp_nodelay: self.socket.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1) def fileno(self): return self.socket.fileno() class tcp(SocketTransport): def reading(self, reading): return reading def writing(self, writing): return writing def send(self, bytes): return self.socket.send(bytes) def recv(self, n): return self.socket.recv(n) def close(self): self.socket.close() TRANSPORTS["tcp"] = tcp try: from ssl import wrap_socket, SSLError, SSL_ERROR_WANT_READ, \ SSL_ERROR_WANT_WRITE, CERT_REQUIRED, CERT_NONE except ImportError: ## try the older python SSL api: from socket import ssl class old_ssl(SocketTransport): def __init__(self, conn, host, port): SocketTransport.__init__(self, conn, host, port) # Bug (QPID-4337): this is the "old" version of python SSL. # The private key is required. If a certificate is given, but no # keyfile, assume the key is contained in the certificate ssl_keyfile = conn.ssl_keyfile ssl_certfile = conn.ssl_certfile if ssl_certfile and not ssl_keyfile: ssl_keyfile = ssl_certfile # this version of SSL does NOT perform certificate validation. If the # connection has been configured with CA certs (via ssl_trustfile), then # the application expects the certificate to be validated against the # supplied CA certs. Since this version cannot validate, the peer cannot # be trusted. if conn.ssl_trustfile: raise socket.error("This version of Python does not support verification of the peer's certificate.") self.ssl = ssl(self.socket, keyfile=ssl_keyfile, certfile=ssl_certfile) self.socket.setblocking(1) def reading(self, reading): return reading def writing(self, writing): return writing def recv(self, n): return self.ssl.read(n) def send(self, s): return self.ssl.write(s) def close(self): self.socket.close() TRANSPORTS["ssl"] = old_ssl TRANSPORTS["tcp+tls"] = old_ssl else: class tls(SocketTransport): def __init__(self, conn, host, port): SocketTransport.__init__(self, conn, host, port) if conn.ssl_trustfile: validate = CERT_REQUIRED else: validate = CERT_NONE # if user manually set flag to false then require cert actual = getattr(conn, "_ssl_skip_hostname_check_actual", None) if actual is not None and conn.ssl_skip_hostname_check is False: validate = CERT_REQUIRED self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile, certfile=conn.ssl_certfile, ca_certs=conn.ssl_trustfile, cert_reqs=validate) if validate == CERT_REQUIRED and not conn.ssl_skip_hostname_check: verify_hostname(self.tls.getpeercert(), host) self.socket.setblocking(0) self.state = None # See qpid-4872: need to store the parameters last passed to tls.write() # in case the calls fail with an SSL_ERROR_WANT_* error and we have to # retry the call with the same parameters. self.write_retry = None # buffer passed to last call of tls.write() def reading(self, reading): if self.state is None: return reading else: return self.state == SSL_ERROR_WANT_READ def writing(self, writing): if self.state is None: return writing else: return self.state == SSL_ERROR_WANT_WRITE def send(self, bytes): if self.write_retry is None: self.write_retry = bytes self._clear_state() try: n = self.tls.write( self.write_retry ) self.write_retry = None return n except SSLError, e: if self._update_state(e.args[0]): # will retry on next invokation return 0 self.write_retry = None raise except: self.write_retry = None raise def recv(self, n): self._clear_state() try: return self.tls.read(n) except SSLError, e: if self._update_state(e.args[0]): # will retry later: return None else: raise def _clear_state(self): self.state = None def _update_state(self, code): if code in (SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE): self.state = code return True else: return False def close(self): self.socket.setblocking(1) # this closes the underlying socket self.tls.close() def verify_hostname(peer_certificate, hostname): match_found = False peer_names = [] if peer_certificate: if 'subjectAltName' in peer_certificate: for san in peer_certificate['subjectAltName']: if san[0] == 'DNS': peer_names.append(san[1].lower()) if 'subject' in peer_certificate: for sub in peer_certificate['subject']: while isinstance(sub, tuple) and isinstance(sub[0], tuple): sub = sub[0] # why the extra level of indirection??? if sub[0] == 'commonName': peer_names.append(sub[1].lower()) for pattern in peer_names: if _match_dns_pattern(hostname.lower(), pattern): match_found = True break if not match_found: raise SSLError("Connection hostname '%s' does not match names from peer certificate: %s" % (hostname, peer_names)) def _match_dns_pattern( hostname, pattern ): """ For checking the hostnames provided by the peer's certificate """ if pattern.find("*") == -1: return hostname == pattern # DNS wildcarded pattern - see RFC2818 h_labels = hostname.split(".") p_labels = pattern.split(".") while h_labels and p_labels: if p_labels[0].find("*") == -1: if p_labels[0] != h_labels[0]: return False else: p = p_labels[0].split("*") if not h_labels[0].startswith(p[0]): return False if not h_labels[0].endswith(p[1]): return False h_labels.pop(0) p_labels.pop(0) return not h_labels and not p_labels TRANSPORTS["ssl"] = tls TRANSPORTS["tcp+tls"] = tls