Imported Debian patch 4.0.5-6~numeezy

2016-02-17 15:07:45 +01:00
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -18,9 +18,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #

-from __future__ import print_function
-
 import sys
+import httplib
 import getpass
 import socket
 from ipapython.ipa_log_manager import *
@@ -30,24 +29,16 @@ import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl
 import nss.error as error
-
-# Python 3 rename. The package is available in "six.moves.http_client", but
-# pylint cannot handle classes from that alias
-try:
-    import httplib
-except ImportError:
-    import http.client as httplib
-
 from ipaplatform.paths import paths

-# NSS database currently open
-current_dbdir = None
-
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
    cert_is_valid = False

    cert = sock.get_peer_certificate()

+    root_logger.debug("auth_certificate_callback: check_sig=%s is_server=%s\n%s",
+                              check_sig, is_server, str(cert))
+
    pin_args = sock.get_pkcs11_pin_arg()
    if pin_args is None:
        pin_args = ()
@@ -65,10 +56,8 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
        # will be set to the error code matching the reason why the validation failed
        # and the strerror attribute will contain a string describing the reason.
        approved_usage = cert.verify_now(certdb, check_sig, intended_usage, *pin_args)
-    except Exception as e:
-        root_logger.error(
-            'cert validation failed for "%s" (%s)', cert.subject,
-            e.strerror)  # pylint: disable=no-member
+    except Exception, e:
+        root_logger.error('cert validation failed for "%s" (%s)', cert.subject, e.strerror)
        cert_is_valid = False
        return cert_is_valid

@@ -96,10 +85,9 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
    try:
        # If the cert fails validation it will raise an exception
        cert_is_valid = cert.verify_hostname(hostname)
-    except Exception as e:
+    except Exception, e:
        root_logger.error('failed verifying socket hostname "%s" matches cert subject "%s" (%s)',
-                          hostname, cert.subject,
-                          e.strerror)  # pylint: disable=no-member
+                                  hostname, cert.subject, e.strerror)
        cert_is_valid = False
        return cert_is_valid

@@ -168,7 +156,7 @@ class NSSAddressFamilyFallback(object):
                self._create_socket()
                self.sock.connect(net_addr)
                return
-            except Exception as e:
+            except Exception, e:
                root_logger.debug("Could not connect socket to %s, error: %s",
                        net_addr, str(e))
                root_logger.debug("Try to continue with next family...")
@@ -183,8 +171,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
    default_port = httplib.HTTPSConnection.default_port

    def __init__(self, host, port=None, strict=None,
-                 dbdir=None, family=socket.AF_UNSPEC, no_init=False,
-                 tls_version_min='tls1.1', tls_version_max='tls1.2'):
+                 dbdir=None, family=socket.AF_UNSPEC, no_init=False):
        """
        :param host: the server to connect to
        :param port: the port to use (default is set in HTTPConnection)
@@ -193,37 +180,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
        :param no_init: do not initialize the NSS database. This requires
                        that the database has already been initialized or
                        the request will fail.
-        :param tls_min_version: mininum version of SSL/TLS supported
-        :param tls_max_version: maximum version of SSL/TLS supported.
        """
        httplib.HTTPConnection.__init__(self, host, port, strict)
        NSSAddressFamilyFallback.__init__(self, family)

+        if not dbdir:
+            raise RuntimeError("dbdir is required")
+
        root_logger.debug('%s init %s', self.__class__.__name__, host)
-
-        # If initialization is requested, initialize the new database.
-        if not no_init:
-
-            if nss.nss_is_initialized():
-                ssl.clear_session_cache()
-                try:
-                    nss.nss_shutdown()
-                except NSPRError as e:
-                    if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
-                        raise e
-
-            if not dbdir:
-                raise RuntimeError("dbdir is required")
-
-            nss.nss_init(dbdir)
-
-            global current_dbdir
-            current_dbdir = dbdir
-
+        if not no_init and nss.nss_is_initialized():
+            # close any open NSS database and use the new one
+            ssl.clear_session_cache()
+            try:
+                nss.nss_shutdown()
+            except NSPRError, e:
+                if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
+                    raise e
+        nss.nss_init(dbdir)
        ssl.set_domestic_policy()
        nss.set_password_callback(self.password_callback)
-        self.tls_version_min = str(tls_version_min)
-        self.tls_version_max = str(tls_version_max)

    def _create_socket(self):
        # TODO: remove the try block once python-nss is guaranteed to contain
@@ -243,11 +218,6 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
        self.sock = ssl.SSLSocket(family=self.family)
        self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
        self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-        try:
-            self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)
-        except NSPRError as e:
-            root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max))
-            raise
        self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
        self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
        # Provide a callback which notifies us when the SSL handshake is complete
@@ -266,11 +236,8 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
        """
        Verify callback. If we get here then the certificate is ok.
        """
-        channel = sock.get_ssl_channel_info()
-        suite = ssl.get_cipher_suite_info(channel.cipher_suite)
        root_logger.debug("handshake complete, peer = %s", sock.get_peer_name())
-        root_logger.debug('Protocol: %s' % channel.protocol_version_str.upper())
-        root_logger.debug('Cipher: %s' % suite.cipher_suite_name)
+        pass

    def connect(self):
        self.connect_socket(self.host, self.port)
@@ -291,7 +258,80 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
        """
        try:
            # FIXME: httplib uses old-style classes so super doesn't work
-            httplib.HTTPConnection.endheaders(self, message)
-        except NSPRError as e:
+            # Python 2.7 changed the API for endheaders. This is an attempt
+            # to work across versions
+            (major, minor, micro, releaselevel, serial) = sys.version_info
+            if major == 2 and minor < 7:
+                httplib.HTTPConnection.endheaders(self)
+            else:
+                httplib.HTTPConnection.endheaders(self, message)
+        except NSPRError, e:
            self.close()
            raise e
+
+class NSSHTTPS(httplib.HTTP):
+    # We would like to use HTTP 1.1 not the older HTTP 1.0 but xmlrpclib
+    # and httplib do not play well together. httplib when the protocol
+    # is 1.1 will add a host header in the request. But xmlrpclib
+    # always adds a host header irregardless of the HTTP protocol
+    # version. That means the request ends up with 2 host headers,
+    # but Apache freaks out if it sees 2 host headers, a known Apache
+    # issue. httplib has a mechanism to skip adding the host header
+    # (i.e. skip_host in HTTPConnection.putrequest()) but xmlrpclib
+    # doesn't use it. Oh well, back to 1.0  :-(
+    #
+    #_http_vsn = 11
+    #_http_vsn_str = 'HTTP/1.1'
+
+    _connection_class = NSSConnection
+
+    def __init__(self, host='', port=None, strict=None, dbdir=None, no_init=False):
+        # provide a default host, pass the X509 cert info
+
+        # urf. compensate for bad input.
+        if port == 0:
+            port = None
+        self._setup(self._connection_class(host, port, strict, dbdir=dbdir, no_init=no_init))
+
+    def getreply(self):
+        """
+        Override so we can close duplicated file connection on non-200
+        responses. This was causing nss_shutdown() to fail with a busy
+        error.
+        """
+        (status, reason, msg) = httplib.HTTP.getreply(self)
+        if status != 200:
+            self.file.close()
+        return (status, reason, msg)
+
+#------------------------------------------------------------------------------
+
+if __name__ == "__main__":
+    standard_logging_setup('nsslib.log', debug=True, filemode='a')
+    root_logger.info("Start")
+
+    if False:
+        conn = NSSConnection("www.verisign.com", 443, dbdir=paths.NSS_DB_DIR)
+        conn.set_debuglevel(1)
+        conn.connect()
+        conn.request("GET", "/")
+        response = conn.getresponse()
+        print response.status
+        #print response.msg
+        print response.getheaders()
+        data = response.read()
+        #print data
+        conn.close()
+
+    if True:
+        h = NSSHTTPS("www.verisign.com", 443, dbdir=paths.NSS_DB_DIR)
+        h.connect()
+        h.putrequest('GET', '/')
+        h.endheaders()
+        http_status, http_reason, headers = h.getreply()
+        print "status = %s %s" % (http_status, http_reason)
+        print "headers:\n%s" % headers
+        f = h.getfile()
+        data = f.read() # Get the raw HTML
+        f.close()
+        #print data