Merge branch 'openssl' into 'master'

Make OpenSSL a hard dependency

See merge request gajim/python-nbxmpp!29

nbxmpp/tls_nb.py

@@ -15,7 +15,6 @@
 ##   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 ##   GNU General Public License for more details.
 
-import ssl
 import sys
 import os
 import time
@@ -26,24 +25,10 @@ from .plugin import PlugIn
 
 log = logging.getLogger('nbxmpp.tls_nb')
 
-USE_PYOPENSSL = False
-
 PYOPENSSL = 'PYOPENSSL'
-PYSTDLIB  = 'PYSTDLIB'
-
-try:
-    #raise ImportError("Manually disabled PyOpenSSL")
-    import OpenSSL.SSL
-    import OpenSSL.crypto
-    USE_PYOPENSSL = True
-    log.info("PyOpenSSL loaded")
-except ImportError:
-    log.debug("Import of PyOpenSSL failed:", exc_info=True)
-
-    # FIXME: Remove these prints before release, replace with a warning dialog.
-    print("=" * 79, file=sys.stderr)
-    print("PyOpenSSL not found, falling back to Python builtin SSL objects (insecure).", file=sys.stderr)
-    print("=" * 79, file=sys.stderr)
+
+import OpenSSL.SSL
+import OpenSSL.crypto
 
 def gattr(obj, attr, default=None):
     try:
@@ -209,44 +194,11 @@ class PyOpenSSLWrapper(SSLWrapper):
         return 0
 
 
-class StdlibSSLWrapper(SSLWrapper):
-    """
-    Wrapper class for Python socket.ssl read() and write() methods
-    """
-
-    def __init__(self, *args):
-        self.parent = SSLWrapper
-        self.parent.__init__(self, *args)
-
-    def recv(self, bufsize, flags=None):
-        # we simply ignore flags since ssl object doesn't support it
-        try:
-            return self.sslobj.read(bufsize)
-        except ssl.SSLError as e:
-            log.debug("Recv: Caught ssl.SSLError: " + repr(e), exc_info=True)
-            if e.args[0] not in (ssl.SSL_ERROR_WANT_READ,
-            ssl.SSL_ERROR_WANT_WRITE):
-                raise SSLWrapper.Error(self.sock or self.sslobj, e)
-        return None
-
-    def send(self, data, flags=None, now=False):
-        # we simply ignore flags since ssl object doesn't support it
-        try:
-            return self.sslobj.write(data)
-        except ssl.SSLError as e:
-            log.debug("Send: Caught socket.sslerror:", exc_info=True)
-            if e.args[0] not in (ssl.SSL_ERROR_WANT_READ,
-            ssl.SSL_ERROR_WANT_WRITE):
-                raise SSLWrapper.Error(self.sock or self.sslobj, e)
-        return 0
-
-
 class NonBlockingTLS(PlugIn):
     """
-    TLS connection used to encrypts already estabilished tcp connection
+    TLS connection used to encrypt already estabilished tcp connection
 
-    Can be plugged into NonBlockingTCP and will make use of StdlibSSLWrapper or
-    PyOpenSSLWrapper.
+    Can be plugged into NonBlockingTCP and will make use of PyOpenSSLWrapper.
     """
 
     def __init__(self, cacerts, mycerts, tls_version, cipher_list, alpn):
@@ -315,10 +267,7 @@ class NonBlockingTLS(PlugIn):
         """
         log.debug("_startSSL called")
 
-        if USE_PYOPENSSL:
-            result = self._startSSL_pyOpenSSL()
-        else:
-            result = self._startSSL_stdlib()
+        result = self._startSSL_pyOpenSSL()
 
         if result:
             log.debug('Synchronous handshake completed')
@@ -447,34 +396,6 @@ class NonBlockingTLS(PlugIn):
         self._owner.ssl_lib = PYOPENSSL
         return True
 
-    def _startSSL_stdlib(self):
-        log.debug("_startSSL_stdlib called")
-        tcpsock=self._owner
-        try:
-            tcpsock._sslObj = ssl.wrap_socket(tcpsock._sock,
-                ssl_version=ssl.PROTOCOL_TLSv1, do_handshake_on_connect=False)
-            wrapper = StdlibSSLWrapper(tcpsock._sslObj, tcpsock._sock)
-            tcpsock._recv = wrapper.recv
-            tcpsock._send = wrapper.send
-            log.debug("Initiating handshake...")
-            try:
-                tcpsock._sslObj.do_handshake()
-            except (ssl.SSLError) as e:
-                if e.args[0] in (ssl.SSL_ERROR_WANT_READ,
-                ssl.SSL_ERROR_WANT_WRITE):
-                    pass
-                else:
-                    log.error('Error while TLS handshake: ', exc_info=True)
-                    return False
-            except:
-                log.error('Error while TLS handshake: ', exc_info=True)
-                return False
-        except:
-            log.error("Exception caught in _startSSL_stdlib:", exc_info=True)
-            return False
-        self._owner.ssl_lib = PYSTDLIB
-        return True
-
     def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
         # Exceptions can't propagate up through this callback, so print them here.
         try:
@@ -500,9 +421,6 @@ class NonBlockingTLS(PlugIn):
         """
         sslObj = self._owner._sslObj
         try:
-            if USE_PYOPENSSL:
-                return sslObj.get_finished()
-            else:
-                return sslObj.get_channel_binding()
+            return sslObj.get_finished()
         except AttributeError:
             raise NotImplementedError

nbxmpp/transports_nb.py

@@ -619,9 +619,7 @@ class NonBlockingTCP(NonBlockingTransport, IdleObject):
             errstr = 'zero bytes on recv'
 
         if (self.ssl_lib is None and received == '') or \
-        (self.ssl_lib == tls_nb.PYSTDLIB  and errnum ==  8 ) or \
         (self.ssl_lib == tls_nb.PYOPENSSL and errnum == -1 ):
-            #  8 in stdlib: errstr == EOF occured in violation of protocol
             # -1 in pyopenssl: errstr == Unexpected EOF
             log.info("Disconnected by remote server: #%s, %s" % (errnum, errstr))
             self.on_remote_disconnect()

setup.cfg

@@ -4,7 +4,7 @@ version = attr: nbxmpp.__version__
 description = Non blocking Jabber/XMPP module
 author = Yann Leboulanger, Philipp Hoerist
 author_email = gajim-devel@gajim.org
-url = http://dev.gajim.org/gajim/python-nbxmpp
+url = https://dev.gajim.org/gajim/python-nbxmpp
 license_file = COPYING
 license = GPL v3
 classifiers =
@@ -15,6 +15,7 @@ python_requires = >=3.5
 packages = find:
 install_requires =
     precis-i18n>=1.0.0
+    pyOpenSSL>=16.2
 
 [options.packages.find]
 exclude =