? dist/src/Mac/Python ? dist/src/Modules/.nfsDAA16e64.4 Index: dist/src/Lib/socket.py =================================================================== RCS file: /cvsroot/python/python/dist/src/Lib/socket.py,v retrieving revision 1.45 diff -c -r1.45 socket.py *** dist/src/Lib/socket.py 9 Aug 2004 04:51:40 -0000 1.45 --- dist/src/Lib/socket.py 1 Feb 2005 22:39:03 -0000 *************** *** 32,37 **** --- 32,40 ---- SocketType -- type object for socket objects error -- exception raised for I/O errors has_ipv6 -- boolean value indicating if IPv6 is supported + ssl_ca_file -- default certificate authority file (if ssl is available) + ssl_ca_path -- default certificate authority path (if ssl is available) + ssl_verify_level -- default certificate verification level (if ssl available) Integer constants: *************** *** 67,77 **** _realsocket = socket if _have_ssl: _realssl = ssl ! def ssl(sock, keyfile=None, certfile=None): if hasattr(sock, "_sock"): sock = sock._sock ! return _realssl(sock, keyfile, certfile) # WSA error codes if sys.platform.lower().startswith("win"): --- 70,92 ---- _realsocket = socket if _have_ssl: + global ssl_ca_file, ssl_ca_path, ssl_verify_level _realssl = ssl ! ssl_ca_file = None ! ssl_ca_path = None ! ssl_verify_level = SSL_VERIFY_NONE ! ! def ssl(sock, keyfile=None, certfile=None, cafile=None, capath=None, ! verify=None): if hasattr(sock, "_sock"): sock = sock._sock ! if cafile is None: ! cafile = ssl_ca_file ! if capath is None: ! capath = ssl_ca_path ! if verify is None: ! verify = ssl_verify_level ! 
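Review bot: The new docstring entry for `ssl_verify_level` does not tell the reader that the shipped default is `SSL_VERIFY_NONE`, i.e. peer certificates are not checked at all unless the caller raises the level — the assignment further down in the same file sets exactly that. Suggest `ssl_verify_level -- default certificate verification level; SSL_VERIFY_NONE (no checking) unless reassigned (if ssl is available)`, and for `ssl_ca_file`/`ssl_ca_path` add that they default to None, so raising the level without also setting one of them leaves nothing to trust.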
return _realssl(sock, keyfile, certfile, cafile, capath, verify) # WSA error codes if sys.platform.lower().startswith("win"): Index: dist/src/Modules/_ssl.c =================================================================== RCS file: /cvsroot/python/python/dist/src/Modules/_ssl.c,v retrieving revision 1.19 diff -c -r1.19 _ssl.c *** dist/src/Modules/_ssl.c 4 Aug 2004 14:59:00 -0000 1.19 --- dist/src/Modules/_ssl.c 1 Feb 2005 22:39:08 -0000 *************** *** 174,180 **** } static PySSLObject * ! newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file) { PySSLObject *self; char *errstr = NULL; --- 174,181 ---- } static PySSLObject * ! newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, ! char *ca_file, char *ca_path, int verify_level) { PySSLObject *self; char *errstr = NULL; *************** *** 228,236 **** } } Py_BEGIN_ALLOW_THREADS ! SSL_CTX_set_verify(self->ctx, ! SSL_VERIFY_NONE, NULL); /* set verify lvl */ self->ssl = SSL_new(self->ctx); /* New ssl struct */ Py_END_ALLOW_THREADS SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ --- 229,257 ---- } } + if (ca_file || ca_path) { + /* Augment the trust store. */ + ret = SSL_CTX_load_verify_locations(self->ctx, ca_file, ca_path); + if (ret < 1) { + /* I'd prefer to use something like "Error loading OpenSSL + * trust store" instead, but I'll use this for consistency + * with the rest of the error messages. -JRE + */ + errstr = "SSL_CTX_load_verify_locations error"; + } + } + Py_BEGIN_ALLOW_THREADS ! /* Verifying peer certificates only makes sense if we have any ! * certificates to verify against, so if the user enables certificate ! * verification, but does not specify a ca_file or ca_path, then ! * all verification attempts will fail. ! * ! * TODO: We probably should provide access to the preverification ! * callback, but that's an advanced function, so this will ! * work for now. ! */ ! 
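Review bot: Even with `verify=SSL_VERIFY_PEER`, nothing in this wrapper or in the `_ssl.c` part of the patch compares the peer certificate's subject or subjectAltName to the host the socket was connected to, so a certificate validly issued for any other name passes; the `ssl()` docstring should state that chain validation is all the caller gets here. The module-level `global ssl_ca_file, ssl_ca_path, ssl_verify_level` just before `_realssl = ssl` has no effect at module scope and can be dropped; `SSL_VERIFY_NONE` itself presumably reaches this module through the existing `_ssl` import, which is outside the hunk. Since the defaults are read from the module globals at call time, it is worth documenting that `socket.ssl_verify_level = socket.SSL_VERIFY_PEER` plus a `ssl_ca_file`/`ssl_ca_path` assignment turns verification on for every later `ssl()` call.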
SSL_CTX_set_verify(self->ctx, verify_level, NULL); /* set verify lvl */ self->ssl = SSL_new(self->ctx); /* New ssl struct */ Py_END_ALLOW_THREADS SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ *************** *** 307,327 **** PySocketSockObject *Sock; char *key_file = NULL; char *cert_file = NULL; ! if (!PyArg_ParseTuple(args, "O!|zz:ssl", PySocketModule.Sock_Type, (PyObject*)&Sock, ! &key_file, &cert_file)) return NULL; ! rv = newPySSLObject(Sock, key_file, cert_file); if (rv == NULL) return NULL; return (PyObject *)rv; } PyDoc_STRVAR(ssl_doc, ! "ssl(socket, [keyfile, certfile]) -> sslobject"); /* SSL object methods */ --- 328,353 ---- PySocketSockObject *Sock; char *key_file = NULL; char *cert_file = NULL; + char *ca_file = NULL; + char *ca_path = NULL; + int verify = SSL_VERIFY_NONE; ! if (!PyArg_ParseTuple(args, "O!|zzzzi:ssl", PySocketModule.Sock_Type, (PyObject*)&Sock, ! &key_file, &cert_file, ! &ca_file, &ca_path, ! &verify)) return NULL; ! rv = newPySSLObject(Sock, key_file, cert_file, ca_file, ca_path, verify); if (rv == NULL) return NULL; return (PyObject *)rv; } PyDoc_STRVAR(ssl_doc, ! "ssl(socket, [keyfile, certfile, cafile, capath, verifylevel]) -> sslobject"); /* SSL object methods */ *************** *** 673,677 **** PY_SSL_ERROR_EOF); PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", PY_SSL_ERROR_INVALID_ERROR_CODE); ! } --- 699,711 ---- PY_SSL_ERROR_EOF); PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", PY_SSL_ERROR_INVALID_ERROR_CODE); ! /* Certificate verification levels */ ! PyModule_AddIntConstant(m, "SSL_VERIFY_NONE", ! SSL_VERIFY_NONE); ! PyModule_AddIntConstant(m, "SSL_VERIFY_PEER", ! SSL_VERIFY_PEER); ! PyModule_AddIntConstant(m, "SSL_VERIFY_FAIL_IF_NO_PEER_CERT", ! SSL_VERIFY_FAIL_IF_NO_PEER_CERT); ! PyModule_AddIntConstant(m, "SSL_VERIFY_CLIENT_ONCE", ! SSL_VERIFY_CLIENT_ONCE); }
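Review bot: A failed `SSL_CTX_load_verify_locations` only assigns `errstr` and then falls straight through into `SSL_CTX_set_verify`/`SSL_new`, so a missing or unreadable CA file is never reported: with `SSL_VERIFY_NONE` the connection silently proceeds with no trust store, and with `SSL_VERIFY_PEER` every handshake fails with a verify error that hides the real cause. The key/cert error paths above this hunk are not visible, but if the function has the `fail:` label the `errstr` convention implies, add `goto fail;` right after `errstr = "SSL_CTX_load_verify_locations error";`. The hunk's comment that enabling verification without `ca_file`/`ca_path` makes every attempt fail describes fail-closed behavior, which is the right outcome; say so explicitly so a later maintainer does not "fix" it by disabling verification. `newPySSLObject` starts before this hunk and continues after it.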
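Review bot: `verify` is parsed with `i` and handed to `SSL_CTX_set_verify` unchecked, so any integer a caller passes becomes the OpenSSL mode bitmask, including bits OpenSSL does not define. Reject unknown bits before constructing the object, e.g. `if (verify & ~(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE)) { PyErr_SetString(PyExc_ValueError, "invalid verify level"); return NULL; }`. The `ssl_doc` string should also say that `verifylevel` defaults to `SSL_VERIFY_NONE` and that `cafile`/`capath` only matter once it is raised to `SSL_VERIFY_PEER`.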