backport many ssl features from Python 3 (closes #21308)
A contribution of Alex Gaynor and David Reid with the generous support of
Rackspace. May God have mercy on their souls.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 752b033..8f4062b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -14,22 +14,28 @@
http://bugs.python.org/issue8108#msg102867 ?
*/
+#define PY_SSIZE_T_CLEAN
#include "Python.h"
#ifdef WITH_THREAD
#include "pythread.h"
+#define PySSL_BEGIN_ALLOW_THREADS_S(save) \
+ do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
+#define PySSL_END_ALLOW_THREADS_S(save) \
+ do { if (_ssl_locks_count>0) { PyEval_RestoreThread(save); } } while (0)
#define PySSL_BEGIN_ALLOW_THREADS { \
PyThreadState *_save = NULL; \
- if (_ssl_locks_count>0) {_save = PyEval_SaveThread();}
-#define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)};
-#define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()};
-#define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \
- }
+ PySSL_BEGIN_ALLOW_THREADS_S(_save);
+#define PySSL_BLOCK_THREADS PySSL_END_ALLOW_THREADS_S(_save);
+#define PySSL_UNBLOCK_THREADS PySSL_BEGIN_ALLOW_THREADS_S(_save);
+#define PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS_S(_save); }
#else /* no WITH_THREAD */
+#define PySSL_BEGIN_ALLOW_THREADS_S(save)
+#define PySSL_END_ALLOW_THREADS_S(save)
#define PySSL_BEGIN_ALLOW_THREADS
#define PySSL_BLOCK_THREADS
#define PySSL_UNBLOCK_THREADS
@@ -37,41 +43,6 @@
#endif
-enum py_ssl_error {
- /* these mirror ssl.h */
- PY_SSL_ERROR_NONE,
- PY_SSL_ERROR_SSL,
- PY_SSL_ERROR_WANT_READ,
- PY_SSL_ERROR_WANT_WRITE,
- PY_SSL_ERROR_WANT_X509_LOOKUP,
- PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
- PY_SSL_ERROR_ZERO_RETURN,
- PY_SSL_ERROR_WANT_CONNECT,
- /* start of non ssl.h errorcodes */
- PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
- PY_SSL_ERROR_INVALID_ERROR_CODE
-};
-
-enum py_ssl_server_or_client {
- PY_SSL_CLIENT,
- PY_SSL_SERVER
-};
-
-enum py_ssl_cert_requirements {
- PY_SSL_CERT_NONE,
- PY_SSL_CERT_OPTIONAL,
- PY_SSL_CERT_REQUIRED
-};
-
-enum py_ssl_version {
-#ifndef OPENSSL_NO_SSL2
- PY_SSL_VERSION_SSL2,
-#endif
- PY_SSL_VERSION_SSL3=1,
- PY_SSL_VERSION_SSL23,
- PY_SSL_VERSION_TLS1
-};
-
/* Include symbols from _socket module */
#include "socketmodule.h"
@@ -93,6 +64,86 @@
/* SSL error object */
static PyObject *PySSLErrorObject;
+static PyObject *PySSLZeroReturnErrorObject;
+static PyObject *PySSLWantReadErrorObject;
+static PyObject *PySSLWantWriteErrorObject;
+static PyObject *PySSLSyscallErrorObject;
+static PyObject *PySSLEOFErrorObject;
+
+/* Error mappings */
+static PyObject *err_codes_to_names;
+static PyObject *err_names_to_codes;
+static PyObject *lib_codes_to_names;
+
+struct py_ssl_error_code {
+ const char *mnemonic;
+ int library, reason;
+};
+struct py_ssl_library_code {
+ const char *library;
+ int code;
+};
+
+/* Include generated data (error codes) */
+#include "_ssl_data.h"
+
+/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+ http://www.openssl.org/news/changelog.html
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+# define HAVE_TLSv1_2 1
+#else
+# define HAVE_TLSv1_2 0
+#endif
+
+/* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
+ * This includes the SSL_set_SSL_CTX() function.
+ */
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+# define HAVE_SNI 1
+#else
+# define HAVE_SNI 0
+#endif
+
+enum py_ssl_error {
+ /* these mirror ssl.h */
+ PY_SSL_ERROR_NONE,
+ PY_SSL_ERROR_SSL,
+ PY_SSL_ERROR_WANT_READ,
+ PY_SSL_ERROR_WANT_WRITE,
+ PY_SSL_ERROR_WANT_X509_LOOKUP,
+ PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
+ PY_SSL_ERROR_ZERO_RETURN,
+ PY_SSL_ERROR_WANT_CONNECT,
+ /* start of non ssl.h errorcodes */
+ PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
+ PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */
+ PY_SSL_ERROR_INVALID_ERROR_CODE
+};
+
+enum py_ssl_server_or_client {
+ PY_SSL_CLIENT,
+ PY_SSL_SERVER
+};
+
+enum py_ssl_cert_requirements {
+ PY_SSL_CERT_NONE,
+ PY_SSL_CERT_OPTIONAL,
+ PY_SSL_CERT_REQUIRED
+};
+
+enum py_ssl_version {
+ PY_SSL_VERSION_SSL2,
+ PY_SSL_VERSION_SSL3=1,
+ PY_SSL_VERSION_SSL23,
+#if HAVE_TLSv1_2
+ PY_SSL_VERSION_TLS1,
+ PY_SSL_VERSION_TLS1_1,
+ PY_SSL_VERSION_TLS1_2
+#else
+ PY_SSL_VERSION_TLS1
+#endif
+};
#ifdef WITH_THREAD
@@ -114,27 +165,79 @@
# undef HAVE_OPENSSL_RAND
#endif
+/* SSL_CTX_clear_options() and SSL_clear_options() were first added in
+ * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the
+ * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x00909000L
+# define HAVE_SSL_CTX_CLEAR_OPTIONS
+#else
+# undef HAVE_SSL_CTX_CLEAR_OPTIONS
+#endif
+
+/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
+ * older SSL, but let's be safe */
+#define PySSL_CB_MAXLEN 128
+
+/* SSL_get_finished got added to OpenSSL in 0.9.5 */
+#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
+# define HAVE_OPENSSL_FINISHED 1
+#else
+# define HAVE_OPENSSL_FINISHED 0
+#endif
+
+/* ECDH support got added to OpenSSL in 0.9.8 */
+#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_ECDH)
+# define OPENSSL_NO_ECDH
+#endif
+
+/* compression support got added to OpenSSL in 0.9.8 */
+#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_COMP)
+# define OPENSSL_NO_COMP
+#endif
+
+/* X509_VERIFY_PARAM got added to OpenSSL in 0.9.8 */
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+# define HAVE_OPENSSL_VERIFY_PARAM
+#endif
+
+
typedef struct {
PyObject_HEAD
- PySocketSockObject *Socket; /* Socket on which we're layered */
- SSL_CTX* ctx;
- SSL* ssl;
- X509* peer_cert;
- char server[X509_NAME_MAXLEN];
- char issuer[X509_NAME_MAXLEN];
- int shutdown_seen_zero;
+ SSL_CTX *ctx;
+#ifdef OPENSSL_NPN_NEGOTIATED
+ char *npn_protocols;
+ int npn_protocols_len;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ PyObject *set_hostname;
+#endif
+ int check_hostname;
+} PySSLContext;
-} PySSLObject;
+typedef struct {
+ PyObject_HEAD
+ PySocketSockObject *Socket;
+ PyObject *ssl_sock;
+ SSL *ssl;
+ PySSLContext *ctx; /* weakref to SSL context */
+ X509 *peer_cert;
+ char shutdown_seen_zero;
+ char handshake_done;
+ enum py_ssl_server_or_client socket_type;
+} PySSLSocket;
-static PyTypeObject PySSL_Type;
-static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
-static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
+static PyTypeObject PySSLContext_Type;
+static PyTypeObject PySSLSocket_Type;
+
+static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args);
+static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args);
static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
int writing);
-static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args);
-static PyObject *PySSL_cipher(PySSLObject *self);
+static PyObject *PySSL_peercert(PySSLSocket *self, PyObject *args);
+static PyObject *PySSL_cipher(PySSLSocket *self);
-#define PySSLObject_Check(v) (Py_TYPE(v) == &PySSL_Type)
+#define PySSLContext_Check(v) (Py_TYPE(v) == &PySSLContext_Type)
+#define PySSLSocket_Check(v) (Py_TYPE(v) == &PySSLSocket_Type)
typedef enum {
SOCKET_IS_NONBLOCKING,
@@ -151,36 +254,140 @@
#define ERRSTR1(x,y,z) (x ":" y ": " z)
#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
-/* XXX It might be helpful to augment the error message generated
- below with the name of the SSL function that generated the error.
- I expect it's obvious most of the time.
-*/
+
+/*
+ * SSL errors.
+ */
+
+PyDoc_STRVAR(SSLError_doc,
+"An error occurred in the SSL implementation.");
+
+PyDoc_STRVAR(SSLZeroReturnError_doc,
+"SSL/TLS session closed cleanly.");
+
+PyDoc_STRVAR(SSLWantReadError_doc,
+"Non-blocking SSL socket needs to read more data\n"
+"before the requested operation can be completed.");
+
+PyDoc_STRVAR(SSLWantWriteError_doc,
+"Non-blocking SSL socket needs to write more data\n"
+"before the requested operation can be completed.");
+
+PyDoc_STRVAR(SSLSyscallError_doc,
+"System error when attempting SSL operation.");
+
+PyDoc_STRVAR(SSLEOFError_doc,
+"SSL/TLS connection terminated abruptly.");
+
static PyObject *
-PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno)
+SSLError_str(PyEnvironmentErrorObject *self)
{
- PyObject *v;
- char buf[2048];
- char *errstr;
+ if (self->strerror != NULL) {
+ Py_INCREF(self->strerror);
+ return self->strerror;
+ }
+ else
+ return PyObject_Str(self->args);
+}
+
+static void
+fill_and_set_sslerror(PyObject *type, int ssl_errno, const char *errstr,
+ int lineno, unsigned long errcode)
+{
+ PyObject *err_value = NULL, *reason_obj = NULL, *lib_obj = NULL;
+ PyObject *init_value, *msg, *key;
+
+ if (errcode != 0) {
+ int lib, reason;
+
+ lib = ERR_GET_LIB(errcode);
+ reason = ERR_GET_REASON(errcode);
+ key = Py_BuildValue("ii", lib, reason);
+ if (key == NULL)
+ goto fail;
+ reason_obj = PyDict_GetItem(err_codes_to_names, key);
+ Py_DECREF(key);
+ if (reason_obj == NULL) {
+ /* XXX if reason < 100, it might reflect a library number (!!) */
+ PyErr_Clear();
+ }
+ key = PyLong_FromLong(lib);
+ if (key == NULL)
+ goto fail;
+ lib_obj = PyDict_GetItem(lib_codes_to_names, key);
+ Py_DECREF(key);
+ if (lib_obj == NULL) {
+ PyErr_Clear();
+ }
+ if (errstr == NULL)
+ errstr = ERR_reason_error_string(errcode);
+ }
+ if (errstr == NULL)
+ errstr = "unknown error";
+
+ if (reason_obj && lib_obj)
+ msg = PyUnicode_FromFormat("[%S: %S] %s (_ssl.c:%d)",
+ lib_obj, reason_obj, errstr, lineno);
+ else if (lib_obj)
+ msg = PyUnicode_FromFormat("[%S] %s (_ssl.c:%d)",
+ lib_obj, errstr, lineno);
+ else
+ msg = PyUnicode_FromFormat("%s (_ssl.c:%d)", errstr, lineno);
+ if (msg == NULL)
+ goto fail;
+
+ init_value = Py_BuildValue("iN", ssl_errno, msg);
+ if (init_value == NULL)
+ goto fail;
+
+ err_value = PyObject_CallObject(type, init_value);
+ Py_DECREF(init_value);
+ if (err_value == NULL)
+ goto fail;
+
+ if (reason_obj == NULL)
+ reason_obj = Py_None;
+ if (PyObject_SetAttrString(err_value, "reason", reason_obj))
+ goto fail;
+ if (lib_obj == NULL)
+ lib_obj = Py_None;
+ if (PyObject_SetAttrString(err_value, "library", lib_obj))
+ goto fail;
+ PyErr_SetObject(type, err_value);
+fail:
+ Py_XDECREF(err_value);
+}
+
+static PyObject *
+PySSL_SetError(PySSLSocket *obj, int ret, char *filename, int lineno)
+{
+ PyObject *type = PySSLErrorObject;
+ char *errstr = NULL;
int err;
enum py_ssl_error p = PY_SSL_ERROR_NONE;
+ unsigned long e = 0;
assert(ret <= 0);
+ e = ERR_peek_last_error();
if (obj->ssl != NULL) {
err = SSL_get_error(obj->ssl, ret);
switch (err) {
case SSL_ERROR_ZERO_RETURN:
- errstr = "TLS/SSL connection has been closed";
+ errstr = "TLS/SSL connection has been closed (EOF)";
+ type = PySSLZeroReturnErrorObject;
p = PY_SSL_ERROR_ZERO_RETURN;
break;
case SSL_ERROR_WANT_READ:
errstr = "The operation did not complete (read)";
+ type = PySSLWantReadErrorObject;
p = PY_SSL_ERROR_WANT_READ;
break;
case SSL_ERROR_WANT_WRITE:
p = PY_SSL_ERROR_WANT_WRITE;
+ type = PySSLWantWriteErrorObject;
errstr = "The operation did not complete (write)";
break;
case SSL_ERROR_WANT_X509_LOOKUP:
@@ -193,213 +400,109 @@
break;
case SSL_ERROR_SYSCALL:
{
- unsigned long e = ERR_get_error();
if (e == 0) {
- if (ret == 0 || !obj->Socket) {
+ PySocketSockObject *s = obj->Socket;
+ if (ret == 0) {
p = PY_SSL_ERROR_EOF;
+ type = PySSLEOFErrorObject;
errstr = "EOF occurred in violation of protocol";
} else if (ret == -1) {
/* underlying BIO reported an I/O error */
+ Py_INCREF(s);
ERR_clear_error();
- return obj->Socket->errorhandler();
+ s->errorhandler();
+ Py_DECREF(s);
+ return NULL;
} else { /* possible? */
p = PY_SSL_ERROR_SYSCALL;
+ type = PySSLSyscallErrorObject;
errstr = "Some I/O error occurred";
}
} else {
p = PY_SSL_ERROR_SYSCALL;
- /* XXX Protected by global interpreter lock */
- errstr = ERR_error_string(e, NULL);
}
break;
}
case SSL_ERROR_SSL:
{
- unsigned long e = ERR_get_error();
p = PY_SSL_ERROR_SSL;
- if (e != 0)
- /* XXX Protected by global interpreter lock */
- errstr = ERR_error_string(e, NULL);
- else { /* possible? */
+ if (e == 0)
+ /* possible? */
errstr = "A failure in the SSL library occurred";
- }
break;
}
default:
p = PY_SSL_ERROR_INVALID_ERROR_CODE;
errstr = "Invalid error code";
}
- } else {
- errstr = ERR_error_string(ERR_peek_last_error(), NULL);
}
- PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
+ fill_and_set_sslerror(type, p, errstr, lineno, e);
ERR_clear_error();
- v = Py_BuildValue("(is)", p, buf);
- if (v != NULL) {
- PyErr_SetObject(PySSLErrorObject, v);
- Py_DECREF(v);
- }
return NULL;
}
static PyObject *
_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
- char buf[2048];
- PyObject *v;
-
- if (errstr == NULL) {
+ if (errstr == NULL)
errcode = ERR_peek_last_error();
- errstr = ERR_error_string(errcode, NULL);
- }
- PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
+ else
+ errcode = 0;
+ fill_and_set_sslerror(PySSLErrorObject, errcode, errstr, lineno, errcode);
ERR_clear_error();
- v = Py_BuildValue("(is)", errcode, buf);
- if (v != NULL) {
- PyErr_SetObject(PySSLErrorObject, v);
- Py_DECREF(v);
- }
return NULL;
}
-static PySSLObject *
-newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
- enum py_ssl_server_or_client socket_type,
- enum py_ssl_cert_requirements certreq,
- enum py_ssl_version proto_version,
- char *cacerts_file, char *ciphers)
-{
- PySSLObject *self;
- char *errstr = NULL;
- int ret;
- int verification_mode;
- long options;
+/*
+ * SSL objects
+ */
- self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
+static PySSLSocket *
+newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+ enum py_ssl_server_or_client socket_type,
+ char *server_hostname, PyObject *ssl_sock)
+{
+ PySSLSocket *self;
+ SSL_CTX *ctx = sslctx->ctx;
+ long mode;
+
+ self = PyObject_New(PySSLSocket, &PySSLSocket_Type);
if (self == NULL)
return NULL;
- memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
- memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
+
self->peer_cert = NULL;
self->ssl = NULL;
- self->ctx = NULL;
self->Socket = NULL;
+ self->ssl_sock = NULL;
+ self->ctx = sslctx;
self->shutdown_seen_zero = 0;
+ self->handshake_done = 0;
+ Py_INCREF(sslctx);
/* Make sure the SSL error state is initialized */
(void) ERR_get_state();
ERR_clear_error();
- if ((key_file && !cert_file) || (!key_file && cert_file)) {
- errstr = ERRSTR("Both the key & certificate files "
- "must be specified");
- goto fail;
- }
-
- if ((socket_type == PY_SSL_SERVER) &&
- ((key_file == NULL) || (cert_file == NULL))) {
- errstr = ERRSTR("Both the key & certificate files "
- "must be specified for server-side operation");
- goto fail;
- }
-
PySSL_BEGIN_ALLOW_THREADS
- if (proto_version == PY_SSL_VERSION_TLS1)
- self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
- else if (proto_version == PY_SSL_VERSION_SSL3)
- self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
-#ifndef OPENSSL_NO_SSL2
- else if (proto_version == PY_SSL_VERSION_SSL2)
- self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
-#endif
- else if (proto_version == PY_SSL_VERSION_SSL23)
- self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
+ self->ssl = SSL_new(ctx);
PySSL_END_ALLOW_THREADS
-
- if (self->ctx == NULL) {
- errstr = ERRSTR("Invalid SSL protocol variant specified.");
- goto fail;
- }
-
- if (ciphers != NULL) {
- ret = SSL_CTX_set_cipher_list(self->ctx, ciphers);
- if (ret == 0) {
- errstr = ERRSTR("No cipher can be selected.");
- goto fail;
- }
- }
-
- if (certreq != PY_SSL_CERT_NONE) {
- if (cacerts_file == NULL) {
- errstr = ERRSTR("No root certificates specified for "
- "verification of other-side certificates.");
- goto fail;
- } else {
- PySSL_BEGIN_ALLOW_THREADS
- ret = SSL_CTX_load_verify_locations(self->ctx,
- cacerts_file,
- NULL);
- PySSL_END_ALLOW_THREADS
- if (ret != 1) {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
- goto fail;
- }
- }
- }
- if (key_file) {
- PySSL_BEGIN_ALLOW_THREADS
- ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
- SSL_FILETYPE_PEM);
- PySSL_END_ALLOW_THREADS
- if (ret != 1) {
- _setSSLError(NULL, ret, __FILE__, __LINE__);
- goto fail;
- }
-
- PySSL_BEGIN_ALLOW_THREADS
- ret = SSL_CTX_use_certificate_chain_file(self->ctx,
- cert_file);
- PySSL_END_ALLOW_THREADS
- if (ret != 1) {
- /*
- fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
- ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
- */
- if (ERR_peek_last_error() != 0) {
- _setSSLError(NULL, ret, __FILE__, __LINE__);
- goto fail;
- }
- }
- }
-
- /* ssl compatibility */
- options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
- if (proto_version != PY_SSL_VERSION_SSL2)
- options |= SSL_OP_NO_SSLv2;
- SSL_CTX_set_options(self->ctx, options);
-
- verification_mode = SSL_VERIFY_NONE;
- if (certreq == PY_SSL_CERT_OPTIONAL)
- verification_mode = SSL_VERIFY_PEER;
- else if (certreq == PY_SSL_CERT_REQUIRED)
- verification_mode = (SSL_VERIFY_PEER |
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
- SSL_CTX_set_verify(self->ctx, verification_mode,
- NULL); /* set verify lvl */
-
- PySSL_BEGIN_ALLOW_THREADS
- self->ssl = SSL_new(self->ctx); /* New ssl struct */
- PySSL_END_ALLOW_THREADS
- SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
+ SSL_set_app_data(self->ssl,self);
+ SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
+ mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
#ifdef SSL_MODE_AUTO_RETRY
- SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY);
+ mode |= SSL_MODE_AUTO_RETRY;
+#endif
+ SSL_set_mode(self->ssl, mode);
+
+#if HAVE_SNI
+ if (server_hostname != NULL)
+ SSL_set_tlsext_host_name(self->ssl, server_hostname);
#endif
/* If the socket is in non-blocking mode or timeout mode, set the BIO
* to non-blocking mode (blocking is the default)
*/
- if (Sock->sock_timeout >= 0.0) {
- /* Set both the read and write BIO's to non-blocking mode */
+ if (sock->sock_timeout >= 0.0) {
BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
}
@@ -411,65 +514,31 @@
SSL_set_accept_state(self->ssl);
PySSL_END_ALLOW_THREADS
- self->Socket = Sock;
+ self->socket_type = socket_type;
+ self->Socket = sock;
Py_INCREF(self->Socket);
- return self;
- fail:
- if (errstr)
- PyErr_SetString(PySSLErrorObject, errstr);
- Py_DECREF(self);
- return NULL;
-}
-
-static PyObject *
-PySSL_sslwrap(PyObject *self, PyObject *args)
-{
- PySocketSockObject *Sock;
- int server_side = 0;
- int verification_mode = PY_SSL_CERT_NONE;
- int protocol = PY_SSL_VERSION_SSL23;
- char *key_file = NULL;
- char *cert_file = NULL;
- char *cacerts_file = NULL;
- char *ciphers = NULL;
-
- if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
- PySocketModule.Sock_Type,
- &Sock,
- &server_side,
- &key_file, &cert_file,
- &verification_mode, &protocol,
- &cacerts_file, &ciphers))
+ self->ssl_sock = PyWeakref_NewRef(ssl_sock, NULL);
+ if (self->ssl_sock == NULL) {
+ Py_DECREF(self);
return NULL;
-
- /*
- fprintf(stderr,
- "server_side is %d, keyfile %p, certfile %p, verify_mode %d, "
- "protocol %d, certs %p\n",
- server_side, key_file, cert_file, verification_mode,
- protocol, cacerts_file);
- */
-
- return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
- server_side, verification_mode,
- protocol, cacerts_file,
- ciphers);
+ }
+ return self;
}
-PyDoc_STRVAR(ssl_doc,
-"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
-" cacertsfile, ciphers]) -> sslobject");
/* SSL object methods */
-static PyObject *PySSL_SSLdo_handshake(PySSLObject *self)
+static PyObject *PySSL_SSLdo_handshake(PySSLSocket *self)
{
int ret;
int err;
int sockstate, nonblocking;
+ PySocketSockObject *sock = self->Socket;
+
+ Py_INCREF(sock);
/* just in case the blocking state of the socket has been changed */
- nonblocking = (self->Socket->sock_timeout >= 0.0);
+ nonblocking = (sock->sock_timeout >= 0.0);
BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
@@ -480,60 +549,48 @@
ret = SSL_do_handshake(self->ssl);
err = SSL_get_error(self->ssl, ret);
PySSL_END_ALLOW_THREADS
- if(PyErr_CheckSignals()) {
- return NULL;
- }
+ if (PyErr_CheckSignals())
+ goto error;
if (err == SSL_ERROR_WANT_READ) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
+ sockstate = check_socket_and_wait_for_timeout(sock, 0);
} else if (err == SSL_ERROR_WANT_WRITE) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
+ sockstate = check_socket_and_wait_for_timeout(sock, 1);
} else {
sockstate = SOCKET_OPERATION_OK;
}
if (sockstate == SOCKET_HAS_TIMED_OUT) {
PyErr_SetString(PySSLErrorObject,
ERRSTR("The handshake operation timed out"));
- return NULL;
+ goto error;
} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
PyErr_SetString(PySSLErrorObject,
ERRSTR("Underlying socket has been closed."));
- return NULL;
+ goto error;
} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
PyErr_SetString(PySSLErrorObject,
ERRSTR("Underlying socket too large for select()."));
- return NULL;
+ goto error;
} else if (sockstate == SOCKET_IS_NONBLOCKING) {
break;
}
} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
+ Py_DECREF(sock);
if (ret < 1)
return PySSL_SetError(self, ret, __FILE__, __LINE__);
if (self->peer_cert)
X509_free (self->peer_cert);
PySSL_BEGIN_ALLOW_THREADS
- if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
- X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
- self->server, X509_NAME_MAXLEN);
- X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
- self->issuer, X509_NAME_MAXLEN);
- }
+ self->peer_cert = SSL_get_peer_certificate(self->ssl);
PySSL_END_ALLOW_THREADS
+ self->handshake_done = 1;
Py_INCREF(Py_None);
return Py_None;
-}
-static PyObject *
-PySSL_server(PySSLObject *self)
-{
- return PyString_FromString(self->server);
-}
-
-static PyObject *
-PySSL_issuer(PySSLObject *self)
-{
- return PyString_FromString(self->issuer);
+error:
+ Py_DECREF(sock);
+ return NULL;
}
static PyObject *
@@ -639,8 +696,8 @@
/*
fprintf(stderr, "RDN level %d, attribute %s: %s\n",
entry->set,
- PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
- PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
+ PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
+ PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
*/
if (attr == NULL)
goto fail1;
@@ -727,21 +784,24 @@
/* now decode the altName */
ext = X509_get_ext(certificate, i);
if(!(method = X509V3_EXT_get(ext))) {
- PyErr_SetString(PySSLErrorObject,
- ERRSTR("No method for internalizing subjectAltName!"));
+ PyErr_SetString
+ (PySSLErrorObject,
+ ERRSTR("No method for internalizing subjectAltName!"));
goto fail;
}
p = ext->value->data;
if (method->it)
- names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL,
- &p,
- ext->value->length,
- ASN1_ITEM_ptr(method->it)));
+ names = (GENERAL_NAMES*)
+ (ASN1_item_d2i(NULL,
+ &p,
+ ext->value->length,
+ ASN1_ITEM_ptr(method->it)));
else
- names = (GENERAL_NAMES*) (method->d2i(NULL,
- &p,
- ext->value->length));
+ names = (GENERAL_NAMES*)
+ (method->d2i(NULL,
+ &p,
+ ext->value->length));
for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
/* get a rendering of each name in the set of names */
@@ -888,7 +948,127 @@
}
static PyObject *
-_decode_certificate (X509 *certificate, int verbose) {
+_get_aia_uri(X509 *certificate, int nid) {
+ PyObject *lst = NULL, *ostr = NULL;
+ int i, result;
+ AUTHORITY_INFO_ACCESS *info;
+
+ info = X509_get_ext_d2i(certificate, NID_info_access, NULL, NULL);
+ if ((info == NULL) || (sk_ACCESS_DESCRIPTION_num(info) == 0)) {
+ return Py_None;
+ }
+
+ if ((lst = PyList_New(0)) == NULL) {
+ goto fail;
+ }
+
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
+ ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
+ ASN1_IA5STRING *uri;
+
+ if ((OBJ_obj2nid(ad->method) != nid) ||
+ (ad->location->type != GEN_URI)) {
+ continue;
+ }
+ uri = ad->location->d.uniformResourceIdentifier;
+ ostr = PyUnicode_FromStringAndSize((char *)uri->data,
+ uri->length);
+ if (ostr == NULL) {
+ goto fail;
+ }
+ result = PyList_Append(lst, ostr);
+ Py_DECREF(ostr);
+ if (result < 0) {
+ goto fail;
+ }
+ }
+ AUTHORITY_INFO_ACCESS_free(info);
+
+ /* convert to tuple or None */
+ if (PyList_Size(lst) == 0) {
+ Py_DECREF(lst);
+ return Py_None;
+ } else {
+ PyObject *tup;
+ tup = PyList_AsTuple(lst);
+ Py_DECREF(lst);
+ return tup;
+ }
+
+ fail:
+ AUTHORITY_INFO_ACCESS_free(info);
+ Py_XDECREF(lst);
+ return NULL;
+}
+
+static PyObject *
+_get_crl_dp(X509 *certificate) {
+ STACK_OF(DIST_POINT) *dps;
+ int i, j, result;
+ PyObject *lst;
+
+#if OPENSSL_VERSION_NUMBER < 0x10001000L
+ dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points,
+ NULL, NULL);
+#else
+ /* Calls x509v3_cache_extensions and sets up crldp */
+ X509_check_ca(certificate);
+ dps = certificate->crldp;
+#endif
+
+ if (dps == NULL) {
+ return Py_None;
+ }
+
+ if ((lst = PyList_New(0)) == NULL) {
+ return NULL;
+ }
+
+ for (i=0; i < sk_DIST_POINT_num(dps); i++) {
+ DIST_POINT *dp;
+ STACK_OF(GENERAL_NAME) *gns;
+
+ dp = sk_DIST_POINT_value(dps, i);
+ gns = dp->distpoint->name.fullname;
+
+ for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
+ GENERAL_NAME *gn;
+ ASN1_IA5STRING *uri;
+ PyObject *ouri;
+
+ gn = sk_GENERAL_NAME_value(gns, j);
+ if (gn->type != GEN_URI) {
+ continue;
+ }
+ uri = gn->d.uniformResourceIdentifier;
+ ouri = PyUnicode_FromStringAndSize((char *)uri->data,
+ uri->length);
+ if (ouri == NULL) {
+ Py_DECREF(lst);
+ return NULL;
+ }
+ result = PyList_Append(lst, ouri);
+ Py_DECREF(ouri);
+ if (result < 0) {
+ Py_DECREF(lst);
+ return NULL;
+ }
+ }
+ }
+ /* convert to tuple or None */
+ if (PyList_Size(lst) == 0) {
+ Py_DECREF(lst);
+ return Py_None;
+ } else {
+ PyObject *tup;
+ tup = PyList_AsTuple(lst);
+ Py_DECREF(lst);
+ return tup;
+ }
+}
+
+static PyObject *
+_decode_certificate(X509 *certificate) {
PyObject *retval = NULL;
BIO *biobuf = NULL;
@@ -897,9 +1077,10 @@
PyObject *issuer;
PyObject *version;
PyObject *sn_obj;
+ PyObject *obj;
ASN1_INTEGER *serialNumber;
char buf[2048];
- int len;
+ int len, result;
ASN1_TIME *notBefore, *notAfter;
PyObject *pnotBefore, *pnotAfter;
@@ -917,65 +1098,62 @@
}
Py_DECREF(peer);
- if (verbose) {
- issuer = _create_tuple_for_X509_NAME(
- X509_get_issuer_name(certificate));
- if (issuer == NULL)
- goto fail0;
- if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
- Py_DECREF(issuer);
- goto fail0;
- }
+ issuer = _create_tuple_for_X509_NAME(
+ X509_get_issuer_name(certificate));
+ if (issuer == NULL)
+ goto fail0;
+ if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
Py_DECREF(issuer);
-
- version = PyInt_FromLong(X509_get_version(certificate) + 1);
- if (PyDict_SetItemString(retval, "version", version) < 0) {
- Py_DECREF(version);
- goto fail0;
- }
- Py_DECREF(version);
+ goto fail0;
}
+ Py_DECREF(issuer);
+
+ version = PyLong_FromLong(X509_get_version(certificate) + 1);
+ if (version == NULL)
+ goto fail0;
+ if (PyDict_SetItemString(retval, "version", version) < 0) {
+ Py_DECREF(version);
+ goto fail0;
+ }
+ Py_DECREF(version);
/* get a memory buffer */
biobuf = BIO_new(BIO_s_mem());
- if (verbose) {
-
- (void) BIO_reset(biobuf);
- serialNumber = X509_get_serialNumber(certificate);
- /* should not exceed 20 octets, 160 bits, so buf is big enough */
- i2a_ASN1_INTEGER(biobuf, serialNumber);
- len = BIO_gets(biobuf, buf, sizeof(buf)-1);
- if (len < 0) {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
- goto fail1;
- }
- sn_obj = PyString_FromStringAndSize(buf, len);
- if (sn_obj == NULL)
- goto fail1;
- if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
- Py_DECREF(sn_obj);
- goto fail1;
- }
- Py_DECREF(sn_obj);
-
- (void) BIO_reset(biobuf);
- notBefore = X509_get_notBefore(certificate);
- ASN1_TIME_print(biobuf, notBefore);
- len = BIO_gets(biobuf, buf, sizeof(buf)-1);
- if (len < 0) {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
- goto fail1;
- }
- pnotBefore = PyString_FromStringAndSize(buf, len);
- if (pnotBefore == NULL)
- goto fail1;
- if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
- Py_DECREF(pnotBefore);
- goto fail1;
- }
- Py_DECREF(pnotBefore);
+ (void) BIO_reset(biobuf);
+ serialNumber = X509_get_serialNumber(certificate);
+ /* should not exceed 20 octets, 160 bits, so buf is big enough */
+ i2a_ASN1_INTEGER(biobuf, serialNumber);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail1;
}
+ sn_obj = PyUnicode_FromStringAndSize(buf, len);
+ if (sn_obj == NULL)
+ goto fail1;
+ if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
+ Py_DECREF(sn_obj);
+ goto fail1;
+ }
+ Py_DECREF(sn_obj);
+
+ (void) BIO_reset(biobuf);
+ notBefore = X509_get_notBefore(certificate);
+ ASN1_TIME_print(biobuf, notBefore);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail1;
+ }
+ pnotBefore = PyUnicode_FromStringAndSize(buf, len);
+ if (pnotBefore == NULL)
+ goto fail1;
+ if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
+ Py_DECREF(pnotBefore);
+ goto fail1;
+ }
+ Py_DECREF(pnotBefore);
(void) BIO_reset(biobuf);
notAfter = X509_get_notAfter(certificate);
@@ -1008,6 +1186,41 @@
Py_DECREF(peer_alt_names);
}
+ /* Authority Information Access: OCSP URIs */
+ obj = _get_aia_uri(certificate, NID_ad_OCSP);
+ if (obj == NULL) {
+ goto fail1;
+ } else if (obj != Py_None) {
+ result = PyDict_SetItemString(retval, "OCSP", obj);
+ Py_DECREF(obj);
+ if (result < 0) {
+ goto fail1;
+ }
+ }
+
+ obj = _get_aia_uri(certificate, NID_ad_ca_issuers);
+ if (obj == NULL) {
+ goto fail1;
+ } else if (obj != Py_None) {
+ result = PyDict_SetItemString(retval, "caIssuers", obj);
+ Py_DECREF(obj);
+ if (result < 0) {
+ goto fail1;
+ }
+ }
+
+ /* CDP (CRL distribution points) */
+ obj = _get_crl_dp(certificate);
+ if (obj == NULL) {
+ goto fail1;
+ } else if (obj != Py_None) {
+ result = PyDict_SetItemString(retval, "crlDistributionPoints", obj);
+ Py_DECREF(obj);
+ if (result < 0) {
+ goto fail1;
+ }
+ }
+
BIO_free(biobuf);
return retval;
@@ -1019,6 +1232,24 @@
return NULL;
}
+static PyObject *
+_certificate_to_der(X509 *certificate)
+{
+ unsigned char *bytes_buf = NULL;
+ int len;
+ PyObject *retval;
+
+ bytes_buf = NULL;
+ len = i2d_X509(certificate, &bytes_buf);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
+ /* this is actually an immutable bytes sequence */
+ retval = PyBytes_FromStringAndSize((const char *) bytes_buf, len);
+ OPENSSL_free(bytes_buf);
+ return retval;
+}
static PyObject *
PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
@@ -1027,28 +1258,30 @@
char *filename = NULL;
X509 *x=NULL;
BIO *cert;
- int verbose = 1;
- if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose))
+ if (!PyArg_ParseTuple(args, "s:test_decode_certificate", &filename))
return NULL;
if ((cert=BIO_new(BIO_s_file())) == NULL) {
- PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file");
+ PyErr_SetString(PySSLErrorObject,
+ "Can't malloc memory to read file");
goto fail0;
}
if (BIO_read_filename(cert,filename) <= 0) {
- PyErr_SetString(PySSLErrorObject, "Can't open file");
+ PyErr_SetString(PySSLErrorObject,
+ "Can't open file");
goto fail0;
}
x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
if (x == NULL) {
- PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file");
+ PyErr_SetString(PySSLErrorObject,
+ "Error decoding PEM-encoded file");
goto fail0;
}
- retval = _decode_certificate(x, verbose);
+ retval = _decode_certificate(x);
X509_free(x);
fail0:
@@ -1059,10 +1292,8 @@
static PyObject *
-PySSL_peercert(PySSLObject *self, PyObject *args)
+PySSL_peercert(PySSLSocket *self, PyObject *args)
{
- PyObject *retval = NULL;
- int len;
int verification;
PyObject *binary_mode = Py_None;
int b;
@@ -1070,6 +1301,11 @@
if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode))
return NULL;
+ if (!self->handshake_done) {
+ PyErr_SetString(PyExc_ValueError,
+ "handshake not done yet");
+ return NULL;
+ }
if (!self->peer_cert)
Py_RETURN_NONE;
@@ -1078,26 +1314,13 @@
return NULL;
if (b) {
/* return cert in DER-encoded format */
-
- unsigned char *bytes_buf = NULL;
-
- bytes_buf = NULL;
- len = i2d_X509(self->peer_cert, &bytes_buf);
- if (len < 0) {
- PySSL_SetError(self, len, __FILE__, __LINE__);
- return NULL;
- }
- retval = PyString_FromStringAndSize((const char *) bytes_buf, len);
- OPENSSL_free(bytes_buf);
- return retval;
-
+ return _certificate_to_der(self->peer_cert);
} else {
-
- verification = SSL_CTX_get_verify_mode(self->ctx);
+ verification = SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(self->ssl));
if ((verification & SSL_VERIFY_PEER) == 0)
return PyDict_New();
else
- return _decode_certificate (self->peer_cert, 0);
+ return _decode_certificate(self->peer_cert);
}
}
@@ -1113,7 +1336,7 @@
peer certificate, or None if no certificate was provided. This will\n\
return the certificate even if it wasn't validated.");
-static PyObject *PySSL_cipher (PySSLObject *self) {
+static PyObject *PySSL_cipher (PySSLSocket *self) {
PyObject *retval, *v;
const SSL_CIPHER *current;
@@ -1140,7 +1363,7 @@
goto fail0;
PyTuple_SET_ITEM(retval, 0, v);
}
- cipher_protocol = SSL_CIPHER_get_version(current);
+ cipher_protocol = (char *) SSL_CIPHER_get_version(current);
if (cipher_protocol == NULL) {
Py_INCREF(Py_None);
PyTuple_SET_ITEM(retval, 1, Py_None);
@@ -1161,15 +1384,85 @@
return NULL;
}
-static void PySSL_dealloc(PySSLObject *self)
+#ifdef OPENSSL_NPN_NEGOTIATED
+static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
+ const unsigned char *out;
+ unsigned int outlen;
+
+ SSL_get0_next_proto_negotiated(self->ssl,
+ &out, &outlen);
+
+ if (out == NULL)
+ Py_RETURN_NONE;
+ return PyUnicode_FromStringAndSize((char *) out, outlen);
+}
+#endif
+
+static PyObject *PySSL_compression(PySSLSocket *self) {
+#ifdef OPENSSL_NO_COMP
+ Py_RETURN_NONE;
+#else
+ const COMP_METHOD *comp_method;
+ const char *short_name;
+
+ if (self->ssl == NULL)
+ Py_RETURN_NONE;
+ comp_method = SSL_get_current_compression(self->ssl);
+ if (comp_method == NULL || comp_method->type == NID_undef)
+ Py_RETURN_NONE;
+ short_name = OBJ_nid2sn(comp_method->type);
+ if (short_name == NULL)
+ Py_RETURN_NONE;
+ return PyBytes_FromString(short_name);
+#endif
+}
+
+static PySSLContext *PySSL_get_context(PySSLSocket *self, void *closure) {
+ Py_INCREF(self->ctx);
+ return self->ctx;
+}
+
+static int PySSL_set_context(PySSLSocket *self, PyObject *value,
+ void *closure) {
+
+ if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
+#if !HAVE_SNI
+ PyErr_SetString(PyExc_NotImplementedError, "setting a socket's "
+ "context is not supported by your OpenSSL library");
+ return -1;
+#else
+ Py_INCREF(value);
+ Py_DECREF(self->ctx);
+ self->ctx = (PySSLContext *) value;
+ SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
+#endif
+ } else {
+ PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
+ return -1;
+ }
+
+ return 0;
+}
+
+PyDoc_STRVAR(PySSL_set_context_doc,
+"_setter_context(ctx)\n\
+\
+This changes the context associated with the SSLSocket. This is typically\n\
+used from within a callback function set by the set_servername_callback\n\
+on the SSLContext to change the certificate information associated with the\n\
+SSLSocket before the cryptographic exchange handshake messages\n");
+
+
+
+static void PySSL_dealloc(PySSLSocket *self)
{
if (self->peer_cert) /* Possible not to have one? */
X509_free (self->peer_cert);
if (self->ssl)
SSL_free(self->ssl);
- if (self->ctx)
- SSL_CTX_free(self->ctx);
Py_XDECREF(self->Socket);
+ Py_XDECREF(self->ssl_sock);
+ Py_XDECREF(self->ctx);
PyObject_Del(self);
}
@@ -1241,16 +1534,21 @@
return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
}
-static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
+static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args)
{
Py_buffer buf;
int len;
int sockstate;
int err;
int nonblocking;
+ PySocketSockObject *sock = self->Socket;
- if (!PyArg_ParseTuple(args, "s*:write", &buf))
+ Py_INCREF(sock);
+
+ if (!PyArg_ParseTuple(args, "s*:write", &buf)) {
+ Py_DECREF(sock);
return NULL;
+ }
if (buf.len > INT_MAX) {
PyErr_Format(PyExc_OverflowError,
@@ -1259,11 +1557,11 @@
}
/* just in case the blocking state of the socket has been changed */
- nonblocking = (self->Socket->sock_timeout >= 0.0);
+ nonblocking = (sock->sock_timeout >= 0.0);
BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
+ sockstate = check_socket_and_wait_for_timeout(sock, 1);
if (sockstate == SOCKET_HAS_TIMED_OUT) {
PyErr_SetString(PySSLErrorObject,
"The write operation timed out");
@@ -1286,9 +1584,9 @@
goto error;
}
if (err == SSL_ERROR_WANT_READ) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
+ sockstate = check_socket_and_wait_for_timeout(sock, 0);
} else if (err == SSL_ERROR_WANT_WRITE) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
+ sockstate = check_socket_and_wait_for_timeout(sock, 1);
} else {
sockstate = SOCKET_OPERATION_OK;
}
@@ -1305,6 +1603,7 @@
}
} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
+ Py_DECREF(sock);
PyBuffer_Release(&buf);
if (len > 0)
return PyInt_FromLong(len);
@@ -1312,6 +1611,7 @@
return PySSL_SetError(self, len, __FILE__, __LINE__);
error:
+ Py_DECREF(sock);
PyBuffer_Release(&buf);
return NULL;
}
@@ -1322,7 +1622,7 @@
Writes the string s into the SSL object. Returns the number\n\
of bytes written.");
-static PyObject *PySSL_SSLpending(PySSLObject *self)
+static PyObject *PySSL_SSLpending(PySSLSocket *self)
{
int count = 0;
@@ -1341,23 +1641,46 @@
Returns the number of already decrypted bytes available for read,\n\
pending on the connection.\n");
-static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
+static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args)
{
- PyObject *buf;
- int count = 0;
- int len = 1024;
+ PyObject *dest = NULL;
+ Py_buffer buf;
+ char *mem;
+ int len, count;
+ int buf_passed = 0;
int sockstate;
int err;
int nonblocking;
+ PySocketSockObject *sock = self->Socket;
- if (!PyArg_ParseTuple(args, "|i:read", &len))
- return NULL;
+ Py_INCREF(sock);
- if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
- return NULL;
+ buf.obj = NULL;
+ buf.buf = NULL;
+ if (!PyArg_ParseTuple(args, "i|w*:read", &len, &buf))
+ goto error;
+
+ if ((buf.buf == NULL) && (buf.obj == NULL)) {
+ dest = PyBytes_FromStringAndSize(NULL, len);
+ if (dest == NULL)
+ goto error;
+ mem = PyBytes_AS_STRING(dest);
+ }
+ else {
+ buf_passed = 1;
+ mem = buf.buf;
+ if (len <= 0 || len > buf.len) {
+ len = (int) buf.len;
+ if (buf.len != len) {
+ PyErr_SetString(PyExc_OverflowError,
+ "maximum length can't fit in a C 'int'");
+ goto error;
+ }
+ }
+ }
/* just in case the blocking state of the socket has been changed */
- nonblocking = (self->Socket->sock_timeout >= 0.0);
+ nonblocking = (sock->sock_timeout >= 0.0);
BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
@@ -1367,70 +1690,71 @@
PySSL_END_ALLOW_THREADS
if (!count) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
+ sockstate = check_socket_and_wait_for_timeout(sock, 0);
if (sockstate == SOCKET_HAS_TIMED_OUT) {
PyErr_SetString(PySSLErrorObject,
"The read operation timed out");
- Py_DECREF(buf);
- return NULL;
+ goto error;
} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
PyErr_SetString(PySSLErrorObject,
"Underlying socket too large for select().");
- Py_DECREF(buf);
- return NULL;
+ goto error;
} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
- if (SSL_get_shutdown(self->ssl) !=
- SSL_RECEIVED_SHUTDOWN)
- {
- Py_DECREF(buf);
- PyErr_SetString(PySSLErrorObject,
- "Socket closed without SSL shutdown handshake");
- return NULL;
- } else {
- /* should contain a zero-length string */
- _PyString_Resize(&buf, 0);
- return buf;
- }
+ count = 0;
+ goto done;
}
}
do {
PySSL_BEGIN_ALLOW_THREADS
- count = SSL_read(self->ssl, PyString_AsString(buf), len);
+ count = SSL_read(self->ssl, mem, len);
err = SSL_get_error(self->ssl, count);
PySSL_END_ALLOW_THREADS
- if(PyErr_CheckSignals()) {
- Py_DECREF(buf);
- return NULL;
- }
+ if (PyErr_CheckSignals())
+ goto error;
if (err == SSL_ERROR_WANT_READ) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
+ sockstate = check_socket_and_wait_for_timeout(sock, 0);
} else if (err == SSL_ERROR_WANT_WRITE) {
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
+ sockstate = check_socket_and_wait_for_timeout(sock, 1);
} else if ((err == SSL_ERROR_ZERO_RETURN) &&
(SSL_get_shutdown(self->ssl) ==
SSL_RECEIVED_SHUTDOWN))
{
- _PyString_Resize(&buf, 0);
- return buf;
+ count = 0;
+ goto done;
} else {
sockstate = SOCKET_OPERATION_OK;
}
if (sockstate == SOCKET_HAS_TIMED_OUT) {
PyErr_SetString(PySSLErrorObject,
"The read operation timed out");
- Py_DECREF(buf);
- return NULL;
+ goto error;
} else if (sockstate == SOCKET_IS_NONBLOCKING) {
break;
}
} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
if (count <= 0) {
- Py_DECREF(buf);
- return PySSL_SetError(self, count, __FILE__, __LINE__);
+ PySSL_SetError(self, count, __FILE__, __LINE__);
+ goto error;
}
- if (count != len)
- _PyString_Resize(&buf, count);
- return buf;
+
+done:
+ Py_DECREF(sock);
+ if (!buf_passed) {
+ _PyBytes_Resize(&dest, count);
+ return dest;
+ }
+ else {
+ PyBuffer_Release(&buf);
+ return PyLong_FromLong(count);
+ }
+
+error:
+ Py_DECREF(sock);
+ if (!buf_passed)
+ Py_XDECREF(dest);
+ else
+ PyBuffer_Release(&buf);
+ return NULL;
}
PyDoc_STRVAR(PySSL_SSLread_doc,
@@ -1438,20 +1762,22 @@
\n\
Read up to len bytes from the SSL socket.");
-static PyObject *PySSL_SSLshutdown(PySSLObject *self)
+static PyObject *PySSL_SSLshutdown(PySSLSocket *self)
{
int err, ssl_err, sockstate, nonblocking;
int zeros = 0;
+ PySocketSockObject *sock = self->Socket;
/* Guard against closed socket */
- if (self->Socket->sock_fd < 0) {
- PyErr_SetString(PySSLErrorObject,
- "Underlying socket has been closed.");
+ if (sock->sock_fd < 0) {
+ _setSSLError("Underlying socket connection gone",
+ PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
return NULL;
}
+ Py_INCREF(sock);
/* Just in case the blocking state of the socket has been changed */
- nonblocking = (self->Socket->sock_timeout >= 0.0);
+ nonblocking = (sock->sock_timeout >= 0.0);
BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
@@ -1486,9 +1812,9 @@
/* Possibly retry shutdown until timeout or failure */
ssl_err = SSL_get_error(self->ssl, err);
if (ssl_err == SSL_ERROR_WANT_READ)
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
+ sockstate = check_socket_and_wait_for_timeout(sock, 0);
else if (ssl_err == SSL_ERROR_WANT_WRITE)
- sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
+ sockstate = check_socket_and_wait_for_timeout(sock, 1);
else
break;
if (sockstate == SOCKET_HAS_TIMED_OUT) {
@@ -1498,24 +1824,29 @@
else
PyErr_SetString(PySSLErrorObject,
"The write operation timed out");
- return NULL;
+ goto error;
}
else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
PyErr_SetString(PySSLErrorObject,
"Underlying socket too large for select().");
- return NULL;
+ goto error;
}
else if (sockstate != SOCKET_OPERATION_OK)
/* Retain the SSL error code */
break;
}
- if (err < 0)
+ if (err < 0) {
+ Py_DECREF(sock);
return PySSL_SetError(self, err, __FILE__, __LINE__);
- else {
- Py_INCREF(self->Socket);
- return (PyObject *) (self->Socket);
}
+ else
+ /* It's already INCREF'ed */
+ return (PyObject *) sock;
+
+error:
+ Py_DECREF(sock);
+ return NULL;
}
PyDoc_STRVAR(PySSL_SSLshutdown_doc,
@@ -1524,6 +1855,47 @@
Does the SSL shutdown handshake with the remote end, and returns\n\
the underlying socket object.");
+#if HAVE_OPENSSL_FINISHED
+static PyObject *
+PySSL_tls_unique_cb(PySSLSocket *self)
+{
+ PyObject *retval = NULL;
+ char buf[PySSL_CB_MAXLEN];
+ size_t len;
+
+ if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
+ /* if session is resumed XOR we are the client */
+ len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN);
+ }
+ else {
+ /* if a new session XOR we are the server */
+ len = SSL_get_peer_finished(self->ssl, buf, PySSL_CB_MAXLEN);
+ }
+
+ /* It cannot be negative in current OpenSSL version as of July 2011 */
+ if (len == 0)
+ Py_RETURN_NONE;
+
+ retval = PyBytes_FromStringAndSize(buf, len);
+
+ return retval;
+}
+
+PyDoc_STRVAR(PySSL_tls_unique_cb_doc,
+"tls_unique_cb() -> bytes\n\
+\n\
+Returns the 'tls-unique' channel binding data, as defined by RFC 5929.\n\
+\n\
+If the TLS handshake is not yet complete, None is returned");
+
+#endif /* HAVE_OPENSSL_FINISHED */
+
+static PyGetSetDef ssl_getsetlist[] = {
+ {"context", (getter) PySSL_get_context,
+ (setter) PySSL_set_context, PySSL_set_context_doc},
+ {NULL}, /* sentinel */
+};
+
static PyMethodDef PySSLMethods[] = {
{"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
{"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
@@ -1532,39 +1904,1307 @@
PySSL_SSLread_doc},
{"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
PySSL_SSLpending_doc},
- {"server", (PyCFunction)PySSL_server, METH_NOARGS},
- {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
{"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
PySSL_peercert_doc},
{"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
+#ifdef OPENSSL_NPN_NEGOTIATED
+ {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
+#endif
+ {"compression", (PyCFunction)PySSL_compression, METH_NOARGS},
{"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
PySSL_SSLshutdown_doc},
+#if HAVE_OPENSSL_FINISHED
+ {"tls_unique_cb", (PyCFunction)PySSL_tls_unique_cb, METH_NOARGS,
+ PySSL_tls_unique_cb_doc},
+#endif
{NULL, NULL}
};
-static PyObject *PySSL_getattr(PySSLObject *self, char *name)
-{
- return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
-}
-
-static PyTypeObject PySSL_Type = {
+static PyTypeObject PySSLSocket_Type = {
PyVarObject_HEAD_INIT(NULL, 0)
- "ssl.SSLContext", /*tp_name*/
- sizeof(PySSLObject), /*tp_basicsize*/
+ "_ssl._SSLSocket", /*tp_name*/
+ sizeof(PySSLSocket), /*tp_basicsize*/
0, /*tp_itemsize*/
/* methods */
(destructor)PySSL_dealloc, /*tp_dealloc*/
0, /*tp_print*/
- (getattrfunc)PySSL_getattr, /*tp_getattr*/
+ 0, /*tp_getattr*/
0, /*tp_setattr*/
- 0, /*tp_compare*/
+ 0, /*tp_reserved*/
0, /*tp_repr*/
0, /*tp_as_number*/
0, /*tp_as_sequence*/
0, /*tp_as_mapping*/
0, /*tp_hash*/
+ 0, /*tp_call*/
+ 0, /*tp_str*/
+ 0, /*tp_getattro*/
+ 0, /*tp_setattro*/
+ 0, /*tp_as_buffer*/
+ Py_TPFLAGS_DEFAULT, /*tp_flags*/
+ 0, /*tp_doc*/
+ 0, /*tp_traverse*/
+ 0, /*tp_clear*/
+ 0, /*tp_richcompare*/
+ 0, /*tp_weaklistoffset*/
+ 0, /*tp_iter*/
+ 0, /*tp_iternext*/
+ PySSLMethods, /*tp_methods*/
+ 0, /*tp_members*/
+ ssl_getsetlist, /*tp_getset*/
};
+
+/*
+ * _SSLContext objects
+ */
+
+static PyObject *
+context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"protocol", NULL};
+ PySSLContext *self;
+ int proto_version = PY_SSL_VERSION_SSL23;
+ long options;
+ SSL_CTX *ctx = NULL;
+
+ if (!PyArg_ParseTupleAndKeywords(
+ args, kwds, "i:_SSLContext", kwlist,
+ &proto_version))
+ return NULL;
+
+ PySSL_BEGIN_ALLOW_THREADS
+ if (proto_version == PY_SSL_VERSION_TLS1)
+ ctx = SSL_CTX_new(TLSv1_method());
+#if HAVE_TLSv1_2
+ else if (proto_version == PY_SSL_VERSION_TLS1_1)
+ ctx = SSL_CTX_new(TLSv1_1_method());
+ else if (proto_version == PY_SSL_VERSION_TLS1_2)
+ ctx = SSL_CTX_new(TLSv1_2_method());
+#endif
+ else if (proto_version == PY_SSL_VERSION_SSL3)
+ ctx = SSL_CTX_new(SSLv3_method());
+#ifndef OPENSSL_NO_SSL2
+ else if (proto_version == PY_SSL_VERSION_SSL2)
+ ctx = SSL_CTX_new(SSLv2_method());
+#endif
+ else if (proto_version == PY_SSL_VERSION_SSL23)
+ ctx = SSL_CTX_new(SSLv23_method());
+ else
+ proto_version = -1;
+ PySSL_END_ALLOW_THREADS
+
+ if (proto_version == -1) {
+ PyErr_SetString(PyExc_ValueError,
+ "invalid protocol version");
+ return NULL;
+ }
+ if (ctx == NULL) {
+ PyErr_SetString(PySSLErrorObject,
+ "failed to allocate SSL context");
+ return NULL;
+ }
+
+ assert(type != NULL && type->tp_alloc != NULL);
+ self = (PySSLContext *) type->tp_alloc(type, 0);
+ if (self == NULL) {
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ self->ctx = ctx;
+#ifdef OPENSSL_NPN_NEGOTIATED
+ self->npn_protocols = NULL;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ self->set_hostname = NULL;
+#endif
+ /* Don't check host name by default */
+ self->check_hostname = 0;
+ /* Defaults */
+ SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
+
+#ifndef OPENSSL_NO_ECDH
+ /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+ prime256v1 by default. This is Apache mod_ssl's initialization
+ policy, so we should be safe. */
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#else
+ {
+ EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(self->ctx, key);
+ EC_KEY_free(key);
+ }
+#endif
+#endif
+
+#define SID_CTX "Python"
+ SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
+ sizeof(SID_CTX));
+#undef SID_CTX
+
+ return (PyObject *)self;
+}
+
+static int
+context_traverse(PySSLContext *self, visitproc visit, void *arg)
+{
+#ifndef OPENSSL_NO_TLSEXT
+ Py_VISIT(self->set_hostname);
+#endif
+ return 0;
+}
+
+static int
+context_clear(PySSLContext *self)
+{
+#ifndef OPENSSL_NO_TLSEXT
+ Py_CLEAR(self->set_hostname);
+#endif
+ return 0;
+}
+
+static void
+context_dealloc(PySSLContext *self)
+{
+ context_clear(self);
+ SSL_CTX_free(self->ctx);
+#ifdef OPENSSL_NPN_NEGOTIATED
+ PyMem_Free(self->npn_protocols);
+#endif
+ Py_TYPE(self)->tp_free(self);
+}
+
+static PyObject *
+set_ciphers(PySSLContext *self, PyObject *args)
+{
+ int ret;
+ const char *cipherlist;
+
+ if (!PyArg_ParseTuple(args, "s:set_ciphers", &cipherlist))
+ return NULL;
+ ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist);
+ if (ret == 0) {
+ /* Clearing the error queue is necessary on some OpenSSL versions,
+ otherwise the error will be reported again when another SSL call
+ is done. */
+ ERR_clear_error();
+ PyErr_SetString(PySSLErrorObject,
+ "No cipher can be selected.");
+ return NULL;
+ }
+ Py_RETURN_NONE;
+}
+
+#ifdef OPENSSL_NPN_NEGOTIATED
+/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
+static int
+_advertiseNPN_cb(SSL *s,
+ const unsigned char **data, unsigned int *len,
+ void *args)
+{
+ PySSLContext *ssl_ctx = (PySSLContext *) args;
+
+ if (ssl_ctx->npn_protocols == NULL) {
+ *data = (unsigned char *) "";
+ *len = 0;
+ } else {
+ *data = (unsigned char *) ssl_ctx->npn_protocols;
+ *len = ssl_ctx->npn_protocols_len;
+ }
+
+ return SSL_TLSEXT_ERR_OK;
+}
+/* this callback gets passed to SSL_CTX_set_next_proto_select_cb */
+static int
+_selectNPN_cb(SSL *s,
+ unsigned char **out, unsigned char *outlen,
+ const unsigned char *server, unsigned int server_len,
+ void *args)
+{
+ PySSLContext *ssl_ctx = (PySSLContext *) args;
+
+ unsigned char *client = (unsigned char *) ssl_ctx->npn_protocols;
+ int client_len;
+
+ if (client == NULL) {
+ client = (unsigned char *) "";
+ client_len = 0;
+ } else {
+ client_len = ssl_ctx->npn_protocols_len;
+ }
+
+ SSL_select_next_proto(out, outlen,
+ server, server_len,
+ client, client_len);
+
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
+static PyObject *
+_set_npn_protocols(PySSLContext *self, PyObject *args)
+{
+#ifdef OPENSSL_NPN_NEGOTIATED
+ Py_buffer protos;
+
+ if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
+ return NULL;
+
+ if (self->npn_protocols != NULL) {
+ PyMem_Free(self->npn_protocols);
+ }
+
+ self->npn_protocols = PyMem_Malloc(protos.len);
+ if (self->npn_protocols == NULL) {
+ PyBuffer_Release(&protos);
+ return PyErr_NoMemory();
+ }
+ memcpy(self->npn_protocols, protos.buf, protos.len);
+ self->npn_protocols_len = (int) protos.len;
+
+ /* set both server and client callbacks, because the context can
+ * be used to create both types of sockets */
+ SSL_CTX_set_next_protos_advertised_cb(self->ctx,
+ _advertiseNPN_cb,
+ self);
+ SSL_CTX_set_next_proto_select_cb(self->ctx,
+ _selectNPN_cb,
+ self);
+
+ PyBuffer_Release(&protos);
+ Py_RETURN_NONE;
+#else
+ PyErr_SetString(PyExc_NotImplementedError,
+ "The NPN extension requires OpenSSL 1.0.1 or later.");
+ return NULL;
+#endif
+}
+
+static PyObject *
+get_verify_mode(PySSLContext *self, void *c)
+{
+ switch (SSL_CTX_get_verify_mode(self->ctx)) {
+ case SSL_VERIFY_NONE:
+ return PyLong_FromLong(PY_SSL_CERT_NONE);
+ case SSL_VERIFY_PEER:
+ return PyLong_FromLong(PY_SSL_CERT_OPTIONAL);
+ case SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
+ return PyLong_FromLong(PY_SSL_CERT_REQUIRED);
+ }
+ PyErr_SetString(PySSLErrorObject,
+ "invalid return value from SSL_CTX_get_verify_mode");
+ return NULL;
+}
+
+static int
+set_verify_mode(PySSLContext *self, PyObject *arg, void *c)
+{
+ int n, mode;
+ if (!PyArg_Parse(arg, "i", &n))
+ return -1;
+ if (n == PY_SSL_CERT_NONE)
+ mode = SSL_VERIFY_NONE;
+ else if (n == PY_SSL_CERT_OPTIONAL)
+ mode = SSL_VERIFY_PEER;
+ else if (n == PY_SSL_CERT_REQUIRED)
+ mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ else {
+ PyErr_SetString(PyExc_ValueError,
+ "invalid value for verify_mode");
+ return -1;
+ }
+ if (mode == SSL_VERIFY_NONE && self->check_hostname) {
+ PyErr_SetString(PyExc_ValueError,
+ "Cannot set verify_mode to CERT_NONE when "
+ "check_hostname is enabled.");
+ return -1;
+ }
+ SSL_CTX_set_verify(self->ctx, mode, NULL);
+ return 0;
+}
+
+#ifdef HAVE_OPENSSL_VERIFY_PARAM
+static PyObject *
+get_verify_flags(PySSLContext *self, void *c)
+{
+ X509_STORE *store;
+ unsigned long flags;
+
+ store = SSL_CTX_get_cert_store(self->ctx);
+ flags = X509_VERIFY_PARAM_get_flags(store->param);
+ return PyLong_FromUnsignedLong(flags);
+}
+
+static int
+set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
+{
+ X509_STORE *store;
+ unsigned long new_flags, flags, set, clear;
+
+ if (!PyArg_Parse(arg, "k", &new_flags))
+ return -1;
+ store = SSL_CTX_get_cert_store(self->ctx);
+ flags = X509_VERIFY_PARAM_get_flags(store->param);
+ clear = flags & ~new_flags;
+ set = ~flags & new_flags;
+ if (clear) {
+ if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return -1;
+ }
+ }
+ if (set) {
+ if (!X509_VERIFY_PARAM_set_flags(store->param, set)) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return -1;
+ }
+ }
+ return 0;
+}
+#endif
+
+static PyObject *
+get_options(PySSLContext *self, void *c)
+{
+ return PyLong_FromLong(SSL_CTX_get_options(self->ctx));
+}
+
+static int
+set_options(PySSLContext *self, PyObject *arg, void *c)
+{
+ long new_opts, opts, set, clear;
+ if (!PyArg_Parse(arg, "l", &new_opts))
+ return -1;
+ opts = SSL_CTX_get_options(self->ctx);
+ clear = opts & ~new_opts;
+ set = ~opts & new_opts;
+ if (clear) {
+#ifdef HAVE_SSL_CTX_CLEAR_OPTIONS
+ SSL_CTX_clear_options(self->ctx, clear);
+#else
+ PyErr_SetString(PyExc_ValueError,
+ "can't clear options before OpenSSL 0.9.8m");
+ return -1;
+#endif
+ }
+ if (set)
+ SSL_CTX_set_options(self->ctx, set);
+ return 0;
+}
+
+static PyObject *
+get_check_hostname(PySSLContext *self, void *c)
+{
+ return PyBool_FromLong(self->check_hostname);
+}
+
+static int
+set_check_hostname(PySSLContext *self, PyObject *arg, void *c)
+{
+ PyObject *py_check_hostname;
+ int check_hostname;
+ if (!PyArg_Parse(arg, "O", &py_check_hostname))
+ return -1;
+
+ check_hostname = PyObject_IsTrue(py_check_hostname);
+ if (check_hostname < 0)
+ return -1;
+ if (check_hostname &&
+ SSL_CTX_get_verify_mode(self->ctx) == SSL_VERIFY_NONE) {
+ PyErr_SetString(PyExc_ValueError,
+ "check_hostname needs a SSL context with either "
+ "CERT_OPTIONAL or CERT_REQUIRED");
+ return -1;
+ }
+ self->check_hostname = check_hostname;
+ return 0;
+}
+
+
+typedef struct {
+ PyThreadState *thread_state;
+ PyObject *callable;
+ char *password;
+ int size;
+ int error;
+} _PySSLPasswordInfo;
+
+static int
+_pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password,
+ const char *bad_type_error)
+{
+ /* Set the password and size fields of a _PySSLPasswordInfo struct
+ from a unicode, bytes, or byte array object.
+ The password field will be dynamically allocated and must be freed
+ by the caller */
+ PyObject *password_bytes = NULL;
+ const char *data = NULL;
+ Py_ssize_t size;
+
+ if (PyUnicode_Check(password)) {
+ password_bytes = PyUnicode_AsEncodedString(password, NULL, NULL);
+ if (!password_bytes) {
+ goto error;
+ }
+ data = PyBytes_AS_STRING(password_bytes);
+ size = PyBytes_GET_SIZE(password_bytes);
+ } else if (PyBytes_Check(password)) {
+ data = PyBytes_AS_STRING(password);
+ size = PyBytes_GET_SIZE(password);
+ } else if (PyByteArray_Check(password)) {
+ data = PyByteArray_AS_STRING(password);
+ size = PyByteArray_GET_SIZE(password);
+ } else {
+ PyErr_SetString(PyExc_TypeError, bad_type_error);
+ goto error;
+ }
+
+ if (size > (Py_ssize_t)INT_MAX) {
+ PyErr_Format(PyExc_ValueError,
+ "password cannot be longer than %d bytes", INT_MAX);
+ goto error;
+ }
+
+ PyMem_Free(pw_info->password);
+ pw_info->password = PyMem_Malloc(size);
+ if (!pw_info->password) {
+ PyErr_SetString(PyExc_MemoryError,
+ "unable to allocate password buffer");
+ goto error;
+ }
+ memcpy(pw_info->password, data, size);
+ pw_info->size = (int)size;
+
+ Py_XDECREF(password_bytes);
+ return 1;
+
+error:
+ Py_XDECREF(password_bytes);
+ return 0;
+}
+
+static int
+_password_callback(char *buf, int size, int rwflag, void *userdata)
+{
+ _PySSLPasswordInfo *pw_info = (_PySSLPasswordInfo*) userdata;
+ PyObject *fn_ret = NULL;
+
+ PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
+
+ if (pw_info->callable) {
+ fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL);
+ if (!fn_ret) {
+ /* TODO: It would be nice to move _ctypes_add_traceback() into the
+ core python API, so we could use it to add a frame here */
+ goto error;
+ }
+
+ if (!_pwinfo_set(pw_info, fn_ret,
+ "password callback must return a string")) {
+ goto error;
+ }
+ Py_CLEAR(fn_ret);
+ }
+
+ if (pw_info->size > size) {
+ PyErr_Format(PyExc_ValueError,
+ "password cannot be longer than %d bytes", size);
+ goto error;
+ }
+
+ PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
+ memcpy(buf, pw_info->password, pw_info->size);
+ return pw_info->size;
+
+error:
+ Py_XDECREF(fn_ret);
+ PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
+ pw_info->error = 1;
+ return -1;
+}
+
+static PyObject *
+load_cert_chain(PySSLContext *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"certfile", "keyfile", "password", NULL};
+ PyObject *password = NULL;
+ char *certfile_bytes = NULL, *keyfile_bytes = NULL;
+ pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback;
+ void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata;
+ _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
+ int r;
+
+ errno = 0;
+ ERR_clear_error();
+ if (!PyArg_ParseTupleAndKeywords(args, kwds,
+ "et|etO:load_cert_chain", kwlist,
+ Py_FileSystemDefaultEncoding, &certfile_bytes,
+ Py_FileSystemDefaultEncoding, &keyfile_bytes,
+ &password))
+ return NULL;
+ if (password && password != Py_None) {
+ if (PyCallable_Check(password)) {
+ pw_info.callable = password;
+ } else if (!_pwinfo_set(&pw_info, password,
+ "password should be a string or callable")) {
+ goto error;
+ }
+ SSL_CTX_set_default_passwd_cb(self->ctx, _password_callback);
+ SSL_CTX_set_default_passwd_cb_userdata(self->ctx, &pw_info);
+ }
+ PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
+ r = SSL_CTX_use_certificate_chain_file(self->ctx, certfile_bytes);
+ PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
+ if (r != 1) {
+ if (pw_info.error) {
+ ERR_clear_error();
+ /* the password callback has already set the error information */
+ }
+ else if (errno != 0) {
+ ERR_clear_error();
+ PyErr_SetFromErrno(PyExc_IOError);
+ }
+ else {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ }
+ goto error;
+ }
+ PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
+ r = SSL_CTX_use_PrivateKey_file(self->ctx,
+ keyfile_bytes ? keyfile_bytes : certfile_bytes,
+ SSL_FILETYPE_PEM);
+ PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
+ if (r != 1) {
+ if (pw_info.error) {
+ ERR_clear_error();
+ /* the password callback has already set the error information */
+ }
+ else if (errno != 0) {
+ ERR_clear_error();
+ PyErr_SetFromErrno(PyExc_IOError);
+ }
+ else {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ }
+ goto error;
+ }
+ PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
+ r = SSL_CTX_check_private_key(self->ctx);
+ PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
+ if (r != 1) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto error;
+ }
+ SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
+ PyMem_Free(pw_info.password);
+ Py_RETURN_NONE;
+
+error:
+ SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
+ PyMem_Free(pw_info.password);
+ PyMem_Free(keyfile_bytes);
+ PyMem_Free(certfile_bytes);
+ return NULL;
+}
+
+/* internal helper function, returns -1 on error
+ */
+static int
+_add_ca_certs(PySSLContext *self, void *data, Py_ssize_t len,
+ int filetype)
+{
+ BIO *biobuf = NULL;
+ X509_STORE *store;
+ int retval = 0, err, loaded = 0;
+
+ assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
+
+ if (len <= 0) {
+ PyErr_SetString(PyExc_ValueError,
+ "Empty certificate data");
+ return -1;
+ } else if (len > INT_MAX) {
+ PyErr_SetString(PyExc_OverflowError,
+ "Certificate data is too long.");
+ return -1;
+ }
+
+ biobuf = BIO_new_mem_buf(data, (int)len);
+ if (biobuf == NULL) {
+ _setSSLError("Can't allocate buffer", 0, __FILE__, __LINE__);
+ return -1;
+ }
+
+ store = SSL_CTX_get_cert_store(self->ctx);
+ assert(store != NULL);
+
+ while (1) {
+ X509 *cert = NULL;
+ int r;
+
+ if (filetype == SSL_FILETYPE_ASN1) {
+ cert = d2i_X509_bio(biobuf, NULL);
+ } else {
+ cert = PEM_read_bio_X509(biobuf, NULL,
+ self->ctx->default_passwd_callback,
+ self->ctx->default_passwd_callback_userdata);
+ }
+ if (cert == NULL) {
+ break;
+ }
+ r = X509_STORE_add_cert(store, cert);
+ X509_free(cert);
+ if (!r) {
+ err = ERR_peek_last_error();
+ if ((ERR_GET_LIB(err) == ERR_LIB_X509) &&
+ (ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
+ /* cert already in hash table, not an error */
+ ERR_clear_error();
+ } else {
+ break;
+ }
+ }
+ loaded++;
+ }
+
+ err = ERR_peek_last_error();
+ if ((filetype == SSL_FILETYPE_ASN1) &&
+ (loaded > 0) &&
+ (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+ /* EOF ASN1 file, not an error */
+ ERR_clear_error();
+ retval = 0;
+ } else if ((filetype == SSL_FILETYPE_PEM) &&
+ (loaded > 0) &&
+ (ERR_GET_LIB(err) == ERR_LIB_PEM) &&
+ (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+ /* EOF PEM file, not an error */
+ ERR_clear_error();
+ retval = 0;
+ } else {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ retval = -1;
+ }
+
+ BIO_free(biobuf);
+ return retval;
+}
+
+
+static PyObject *
+load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"cafile", "capath", "cadata", NULL};
+ PyObject *cadata = NULL, *cafile = NULL, *capath = NULL;
+ PyObject *cafile_bytes = NULL, *capath_bytes = NULL;
+ const char *cafile_buf = NULL, *capath_buf = NULL;
+ int r = 0, ok = 1;
+
+ errno = 0;
+ if (!PyArg_ParseTupleAndKeywords(args, kwds,
+ "|OOO:load_verify_locations", kwlist,
+ &cafile, &capath, &cadata))
+ return NULL;
+
+ if (cafile == Py_None)
+ cafile = NULL;
+ if (capath == Py_None)
+ capath = NULL;
+ if (cadata == Py_None)
+ cadata = NULL;
+
+ if (cafile == NULL && capath == NULL && cadata == NULL) {
+ PyErr_SetString(PyExc_TypeError,
+ "cafile, capath and cadata cannot be all omitted");
+ goto error;
+ }
+
+ if (cafile) {
+ cafile_bytes = PyString_AsEncodedObject(
+ cafile, Py_FileSystemDefaultEncoding, "strict");
+ if (!cafile_bytes) {
+ goto error;
+ }
+ }
+ if (capath) {
+ capath_bytes = PyString_AsEncodedObject(
+ capath, Py_FileSystemDefaultEncoding, "strict");
+ if (!capath_bytes) {
+ goto error;
+ }
+ }
+
+ /* validata cadata type and load cadata */
+ if (cadata) {
+ Py_buffer buf;
+ PyObject *cadata_ascii = NULL;
+
+ if (!PyUnicode_Check(cadata) && PyObject_GetBuffer(cadata, &buf, PyBUF_SIMPLE) == 0) {
+ if (!PyBuffer_IsContiguous(&buf, 'C') || buf.ndim > 1) {
+ PyBuffer_Release(&buf);
+ PyErr_SetString(PyExc_TypeError,
+ "cadata should be a contiguous buffer with "
+ "a single dimension");
+ goto error;
+ }
+ r = _add_ca_certs(self, buf.buf, buf.len, SSL_FILETYPE_ASN1);
+ PyBuffer_Release(&buf);
+ if (r == -1) {
+ goto error;
+ }
+ } else {
+ PyErr_Clear();
+ cadata_ascii = PyUnicode_AsASCIIString(cadata);
+ if (cadata_ascii == NULL) {
+ PyErr_SetString(PyExc_TypeError,
+ "cadata should be a ASCII string or a "
+ "bytes-like object");
+ goto error;
+ }
+ r = _add_ca_certs(self,
+ PyBytes_AS_STRING(cadata_ascii),
+ PyBytes_GET_SIZE(cadata_ascii),
+ SSL_FILETYPE_PEM);
+ Py_DECREF(cadata_ascii);
+ if (r == -1) {
+ goto error;
+ }
+ }
+ }
+
+ /* load cafile or capath */
+ if (cafile_bytes || capath_bytes) {
+ if (cafile)
+ cafile_buf = PyBytes_AS_STRING(cafile_bytes);
+ if (capath)
+ capath_buf = PyBytes_AS_STRING(capath_bytes);
+ PySSL_BEGIN_ALLOW_THREADS
+ r = SSL_CTX_load_verify_locations(
+ self->ctx,
+ cafile_buf,
+ capath_buf);
+ PySSL_END_ALLOW_THREADS
+ if (r != 1) {
+ ok = 0;
+ if (errno != 0) {
+ ERR_clear_error();
+ PyErr_SetFromErrno(PyExc_IOError);
+ }
+ else {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ }
+ goto error;
+ }
+ }
+ goto end;
+
+ error:
+ ok = 0;
+ end:
+ Py_XDECREF(cafile_bytes);
+ Py_XDECREF(capath_bytes);
+ if (ok) {
+ Py_RETURN_NONE;
+ } else {
+ return NULL;
+ }
+}
+
+static PyObject *
+load_dh_params(PySSLContext *self, PyObject *filepath)
+{
+ BIO *bio;
+ DH *dh;
+ char *path = PyBytes_AsString(filepath);
+ if (!path) {
+ return NULL;
+ }
+
+ bio = BIO_new_file(path, "r");
+ if (bio == NULL) {
+ ERR_clear_error();
+ PyErr_SetFromErrnoWithFilenameObject(PyExc_IOError, filepath);
+ return NULL;
+ }
+ errno = 0;
+ PySSL_BEGIN_ALLOW_THREADS
+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ PySSL_END_ALLOW_THREADS
+ if (dh == NULL) {
+ if (errno != 0) {
+ ERR_clear_error();
+ PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
+ }
+ else {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ }
+ return NULL;
+ }
+ if (SSL_CTX_set_tmp_dh(self->ctx, dh) == 0)
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ DH_free(dh);
+ Py_RETURN_NONE;
+}
+
+static PyObject *
+context_wrap_socket(PySSLContext *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"sock", "server_side", "server_hostname", "ssl_sock", NULL};
+ PySocketSockObject *sock;
+ int server_side = 0;
+ char *hostname = NULL;
+ PyObject *hostname_obj, *ssl_sock = Py_None, *res;
+
+ /* server_hostname is either None (or absent), or to be encoded
+ using the idna encoding. */
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!i|O!O:_wrap_socket", kwlist,
+ PySocketModule.Sock_Type,
+ &sock, &server_side,
+ Py_TYPE(Py_None), &hostname_obj,
+ &ssl_sock)) {
+ PyErr_Clear();
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!iet|O:_wrap_socket", kwlist,
+ PySocketModule.Sock_Type,
+ &sock, &server_side,
+ "idna", &hostname, &ssl_sock))
+ return NULL;
+#if !HAVE_SNI
+ PyMem_Free(hostname);
+ PyErr_SetString(PyExc_ValueError, "server_hostname is not supported "
+ "by your OpenSSL library");
+ return NULL;
+#endif
+ }
+
+ res = (PyObject *) newPySSLSocket(self, sock, server_side,
+ hostname, ssl_sock);
+ if (hostname != NULL)
+ PyMem_Free(hostname);
+ return res;
+}
+
+static PyObject *
+session_stats(PySSLContext *self, PyObject *unused)
+{
+ int r;
+ PyObject *value, *stats = PyDict_New();
+ if (!stats)
+ return NULL;
+
+#define ADD_STATS(SSL_NAME, KEY_NAME) \
+ value = PyLong_FromLong(SSL_CTX_sess_ ## SSL_NAME (self->ctx)); \
+ if (value == NULL) \
+ goto error; \
+ r = PyDict_SetItemString(stats, KEY_NAME, value); \
+ Py_DECREF(value); \
+ if (r < 0) \
+ goto error;
+
+ ADD_STATS(number, "number");
+ ADD_STATS(connect, "connect");
+ ADD_STATS(connect_good, "connect_good");
+ ADD_STATS(connect_renegotiate, "connect_renegotiate");
+ ADD_STATS(accept, "accept");
+ ADD_STATS(accept_good, "accept_good");
+ ADD_STATS(accept_renegotiate, "accept_renegotiate");
+ ADD_STATS(accept, "accept");
+ ADD_STATS(hits, "hits");
+ ADD_STATS(misses, "misses");
+ ADD_STATS(timeouts, "timeouts");
+ ADD_STATS(cache_full, "cache_full");
+
+#undef ADD_STATS
+
+ return stats;
+
+error:
+ Py_DECREF(stats);
+ return NULL;
+}
+
+static PyObject *
+set_default_verify_paths(PySSLContext *self, PyObject *unused)
+{
+ if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
+ Py_RETURN_NONE;
+}
+
+#ifndef OPENSSL_NO_ECDH
+static PyObject *
+set_ecdh_curve(PySSLContext *self, PyObject *name)
+{
+ char *name_bytes;
+ int nid;
+ EC_KEY *key;
+
+ name_bytes = PyBytes_AsString(name);
+ if (!name_bytes) {
+ return NULL;
+ }
+ nid = OBJ_sn2nid(name_bytes);
+ if (nid == 0) {
+ PyErr_Format(PyExc_ValueError,
+ "unknown elliptic curve name %R", name);
+ return NULL;
+ }
+ key = EC_KEY_new_by_curve_name(nid);
+ if (key == NULL) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
+ SSL_CTX_set_tmp_ecdh(self->ctx, key);
+ EC_KEY_free(key);
+ Py_RETURN_NONE;
+}
+#endif
+
+#if HAVE_SNI && !defined(OPENSSL_NO_TLSEXT)
+static int
+_servername_callback(SSL *s, int *al, void *args)
+{
+ int ret;
+ PySSLContext *ssl_ctx = (PySSLContext *) args;
+ PySSLSocket *ssl;
+ PyObject *servername_o;
+ PyObject *servername_idna;
+ PyObject *result;
+ /* The high-level ssl.SSLSocket object */
+ PyObject *ssl_socket;
+ const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+#ifdef WITH_THREAD
+ PyGILState_STATE gstate = PyGILState_Ensure();
+#endif
+
+ if (ssl_ctx->set_hostname == NULL) {
+ /* remove race condition in this the call back while if removing the
+ * callback is in progress */
+#ifdef WITH_THREAD
+ PyGILState_Release(gstate);
+#endif
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ ssl = SSL_get_app_data(s);
+ assert(PySSLSocket_Check(ssl));
+ ssl_socket = PyWeakref_GetObject(ssl->ssl_sock);
+ Py_INCREF(ssl_socket);
+ if (ssl_socket == Py_None) {
+ goto error;
+ }
+
+ if (servername == NULL) {
+ result = PyObject_CallFunctionObjArgs(ssl_ctx->set_hostname, ssl_socket,
+ Py_None, ssl_ctx, NULL);
+ }
+ else {
+ servername_o = PyBytes_FromString(servername);
+ if (servername_o == NULL) {
+ PyErr_WriteUnraisable((PyObject *) ssl_ctx);
+ goto error;
+ }
+ servername_idna = PyUnicode_FromEncodedObject(servername_o, "idna", NULL);
+ if (servername_idna == NULL) {
+ PyErr_WriteUnraisable(servername_o);
+ Py_DECREF(servername_o);
+ goto error;
+ }
+ Py_DECREF(servername_o);
+ result = PyObject_CallFunctionObjArgs(ssl_ctx->set_hostname, ssl_socket,
+ servername_idna, ssl_ctx, NULL);
+ Py_DECREF(servername_idna);
+ }
+ Py_DECREF(ssl_socket);
+
+ if (result == NULL) {
+ PyErr_WriteUnraisable(ssl_ctx->set_hostname);
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ else {
+ if (result != Py_None) {
+ *al = (int) PyLong_AsLong(result);
+ if (PyErr_Occurred()) {
+ PyErr_WriteUnraisable(result);
+ *al = SSL_AD_INTERNAL_ERROR;
+ }
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ else {
+ ret = SSL_TLSEXT_ERR_OK;
+ }
+ Py_DECREF(result);
+ }
+
+#ifdef WITH_THREAD
+ PyGILState_Release(gstate);
+#endif
+ return ret;
+
+error:
+ Py_DECREF(ssl_socket);
+ *al = SSL_AD_INTERNAL_ERROR;
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+#ifdef WITH_THREAD
+ PyGILState_Release(gstate);
+#endif
+ return ret;
+}
+#endif
+
+PyDoc_STRVAR(PySSL_set_servername_callback_doc,
+"set_servername_callback(method)\n\
+\n\
+This sets a callback that will be called when a server name is provided by\n\
+the SSL/TLS client in the SNI extension.\n\
+\n\
+If the argument is None then the callback is disabled. The method is called\n\
+with the SSLSocket, the server name as a string, and the SSLContext object.\n\
+See RFC 6066 for details of the SNI extension.");
+
+static PyObject *
+set_servername_callback(PySSLContext *self, PyObject *args)
+{
+#if HAVE_SNI && !defined(OPENSSL_NO_TLSEXT)
+ PyObject *cb;
+
+ if (!PyArg_ParseTuple(args, "O", &cb))
+ return NULL;
+
+ Py_CLEAR(self->set_hostname);
+ if (cb == Py_None) {
+ SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
+ }
+ else {
+ if (!PyCallable_Check(cb)) {
+ SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
+ PyErr_SetString(PyExc_TypeError,
+ "not a callable object");
+ return NULL;
+ }
+ Py_INCREF(cb);
+ self->set_hostname = cb;
+ SSL_CTX_set_tlsext_servername_callback(self->ctx, _servername_callback);
+ SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
+ }
+ Py_RETURN_NONE;
+#else
+ PyErr_SetString(PyExc_NotImplementedError,
+ "The TLS extension servername callback, "
+ "SSL_CTX_set_tlsext_servername_callback, "
+ "is not in the current OpenSSL library.");
+ return NULL;
+#endif
+}
+
+PyDoc_STRVAR(PySSL_get_stats_doc,
+"cert_store_stats() -> {'crl': int, 'x509_ca': int, 'x509': int}\n\
+\n\
+Returns quantities of loaded X.509 certificates. X.509 certificates with a\n\
+CA extension and certificate revocation lists inside the context's cert\n\
+store.\n\
+NOTE: Certificates in a capath directory aren't loaded unless they have\n\
+been used at least once.");
+
+static PyObject *
+cert_store_stats(PySSLContext *self)
+{
+ X509_STORE *store;
+ X509_OBJECT *obj;
+ int x509 = 0, crl = 0, pkey = 0, ca = 0, i;
+
+ store = SSL_CTX_get_cert_store(self->ctx);
+ for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) {
+ obj = sk_X509_OBJECT_value(store->objs, i);
+ switch (obj->type) {
+ case X509_LU_X509:
+ x509++;
+ if (X509_check_ca(obj->data.x509)) {
+ ca++;
+ }
+ break;
+ case X509_LU_CRL:
+ crl++;
+ break;
+ case X509_LU_PKEY:
+ pkey++;
+ break;
+ default:
+ /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
+ * As far as I can tell they are internal states and never
+ * stored in a cert store */
+ break;
+ }
+ }
+ return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
+ "x509_ca", ca);
+}
+
+PyDoc_STRVAR(PySSL_get_ca_certs_doc,
+"get_ca_certs(binary_form=False) -> list of loaded certificate\n\
+\n\
+Returns a list of dicts with information of loaded CA certs. If the\n\
+optional argument is True, returns a DER-encoded copy of the CA certificate.\n\
+NOTE: Certificates in a capath directory aren't loaded unless they have\n\
+been used at least once.");
+
+static PyObject *
+get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"binary_form", NULL};
+ X509_STORE *store;
+ PyObject *ci = NULL, *rlist = NULL, *py_binary_mode = Py_False;
+ int i;
+ int binary_mode = 0;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|O:get_ca_certs",
+ kwlist, &py_binary_mode)) {
+ return NULL;
+ }
+ binary_mode = PyObject_IsTrue(py_binary_mode);
+ if (binary_mode < 0) {
+ return NULL;
+ }
+
+ if ((rlist = PyList_New(0)) == NULL) {
+ return NULL;
+ }
+
+ store = SSL_CTX_get_cert_store(self->ctx);
+ for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) {
+ X509_OBJECT *obj;
+ X509 *cert;
+
+ obj = sk_X509_OBJECT_value(store->objs, i);
+ if (obj->type != X509_LU_X509) {
+ /* not a x509 cert */
+ continue;
+ }
+ /* CA for any purpose */
+ cert = obj->data.x509;
+ if (!X509_check_ca(cert)) {
+ continue;
+ }
+ if (binary_mode) {
+ ci = _certificate_to_der(cert);
+ } else {
+ ci = _decode_certificate(cert);
+ }
+ if (ci == NULL) {
+ goto error;
+ }
+ if (PyList_Append(rlist, ci) == -1) {
+ goto error;
+ }
+ Py_CLEAR(ci);
+ }
+ return rlist;
+
+ error:
+ Py_XDECREF(ci);
+ Py_XDECREF(rlist);
+ return NULL;
+}
+
+
+static PyGetSetDef context_getsetlist[] = {
+ {"check_hostname", (getter) get_check_hostname,
+ (setter) set_check_hostname, NULL},
+ {"options", (getter) get_options,
+ (setter) set_options, NULL},
+#ifdef HAVE_OPENSSL_VERIFY_PARAM
+ {"verify_flags", (getter) get_verify_flags,
+ (setter) set_verify_flags, NULL},
+#endif
+ {"verify_mode", (getter) get_verify_mode,
+ (setter) set_verify_mode, NULL},
+ {NULL}, /* sentinel */
+};
+
+static struct PyMethodDef context_methods[] = {
+ {"_wrap_socket", (PyCFunction) context_wrap_socket,
+ METH_VARARGS | METH_KEYWORDS, NULL},
+ {"set_ciphers", (PyCFunction) set_ciphers,
+ METH_VARARGS, NULL},
+ {"_set_npn_protocols", (PyCFunction) _set_npn_protocols,
+ METH_VARARGS, NULL},
+ {"load_cert_chain", (PyCFunction) load_cert_chain,
+ METH_VARARGS | METH_KEYWORDS, NULL},
+ {"load_dh_params", (PyCFunction) load_dh_params,
+ METH_O, NULL},
+ {"load_verify_locations", (PyCFunction) load_verify_locations,
+ METH_VARARGS | METH_KEYWORDS, NULL},
+ {"session_stats", (PyCFunction) session_stats,
+ METH_NOARGS, NULL},
+ {"set_default_verify_paths", (PyCFunction) set_default_verify_paths,
+ METH_NOARGS, NULL},
+#ifndef OPENSSL_NO_ECDH
+ {"set_ecdh_curve", (PyCFunction) set_ecdh_curve,
+ METH_O, NULL},
+#endif
+ {"set_servername_callback", (PyCFunction) set_servername_callback,
+ METH_VARARGS, PySSL_set_servername_callback_doc},
+ {"cert_store_stats", (PyCFunction) cert_store_stats,
+ METH_NOARGS, PySSL_get_stats_doc},
+ {"get_ca_certs", (PyCFunction) get_ca_certs,
+ METH_VARARGS | METH_KEYWORDS, PySSL_get_ca_certs_doc},
+ {NULL, NULL} /* sentinel */
+};
+
+static PyTypeObject PySSLContext_Type = {
+ PyVarObject_HEAD_INIT(NULL, 0)
+ "_ssl._SSLContext", /*tp_name*/
+ sizeof(PySSLContext), /*tp_basicsize*/
+ 0, /*tp_itemsize*/
+ (destructor)context_dealloc, /*tp_dealloc*/
+ 0, /*tp_print*/
+ 0, /*tp_getattr*/
+ 0, /*tp_setattr*/
+ 0, /*tp_reserved*/
+ 0, /*tp_repr*/
+ 0, /*tp_as_number*/
+ 0, /*tp_as_sequence*/
+ 0, /*tp_as_mapping*/
+ 0, /*tp_hash*/
+ 0, /*tp_call*/
+ 0, /*tp_str*/
+ 0, /*tp_getattro*/
+ 0, /*tp_setattro*/
+ 0, /*tp_as_buffer*/
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC, /*tp_flags*/
+ 0, /*tp_doc*/
+ (traverseproc) context_traverse, /*tp_traverse*/
+ (inquiry) context_clear, /*tp_clear*/
+ 0, /*tp_richcompare*/
+ 0, /*tp_weaklistoffset*/
+ 0, /*tp_iter*/
+ 0, /*tp_iternext*/
+ context_methods, /*tp_methods*/
+ 0, /*tp_members*/
+ context_getsetlist, /*tp_getset*/
+ 0, /*tp_base*/
+ 0, /*tp_dict*/
+ 0, /*tp_descr_get*/
+ 0, /*tp_descr_set*/
+ 0, /*tp_dictoffset*/
+ 0, /*tp_init*/
+ 0, /*tp_alloc*/
+ context_new, /*tp_new*/
+};
+
+
+
#ifdef HAVE_OPENSSL_RAND
/* helper routines for seeding the SSL PRNG */
@@ -1572,12 +3212,21 @@
PySSL_RAND_add(PyObject *self, PyObject *args)
{
char *buf;
- int len;
+ Py_ssize_t len, written;
double entropy;
if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
return NULL;
- RAND_add(buf, len, entropy);
+ do {
+ if (len >= INT_MAX) {
+ written = INT_MAX;
+ } else {
+ written = len;
+ }
+ RAND_add(buf, (int)written, entropy);
+ buf += written;
+ len -= written;
+ } while (len);
Py_INCREF(Py_None);
return Py_None;
}
@@ -1591,7 +3240,7 @@
static PyObject *
PySSL_RAND_status(PyObject *self)
{
- return PyInt_FromLong(RAND_status());
+ return PyLong_FromLong(RAND_status());
}
PyDoc_STRVAR(PySSL_RAND_status_doc,
@@ -1630,21 +3279,413 @@
#endif /* HAVE_OPENSSL_RAND */
+PyDoc_STRVAR(PySSL_get_default_verify_paths_doc,
+"get_default_verify_paths() -> tuple\n\
+\n\
+Return search paths and environment vars that are used by SSLContext's\n\
+set_default_verify_paths() to load default CAs. The values are\n\
+'cert_file_env', 'cert_file', 'cert_dir_env', 'cert_dir'.");
+
+static PyObject *
+PySSL_get_default_verify_paths(PyObject *self)
+{
+ PyObject *ofile_env = NULL;
+ PyObject *ofile = NULL;
+ PyObject *odir_env = NULL;
+ PyObject *odir = NULL;
+
+#define convert(info, target) { \
+ const char *tmp = (info); \
+ target = NULL; \
+ if (!tmp) { Py_INCREF(Py_None); target = Py_None; } \
+ else { target = PyBytes_FromString(tmp); } \
+ if (!target) goto error; \
+ } while(0)
+
+ convert(X509_get_default_cert_file_env(), ofile_env);
+ convert(X509_get_default_cert_file(), ofile);
+ convert(X509_get_default_cert_dir_env(), odir_env);
+ convert(X509_get_default_cert_dir(), odir);
+#undef convert
+
+ return Py_BuildValue("NNNN", ofile_env, ofile, odir_env, odir);
+
+ error:
+ Py_XDECREF(ofile_env);
+ Py_XDECREF(ofile);
+ Py_XDECREF(odir_env);
+ Py_XDECREF(odir);
+ return NULL;
+}
+
+static PyObject*
+asn1obj2py(ASN1_OBJECT *obj)
+{
+ int nid;
+ const char *ln, *sn;
+ char buf[100];
+ Py_ssize_t buflen;
+
+ nid = OBJ_obj2nid(obj);
+ if (nid == NID_undef) {
+ PyErr_Format(PyExc_ValueError, "Unknown object");
+ return NULL;
+ }
+ sn = OBJ_nid2sn(nid);
+ ln = OBJ_nid2ln(nid);
+ buflen = OBJ_obj2txt(buf, sizeof(buf), obj, 1);
+ if (buflen < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
+ if (buflen) {
+ return Py_BuildValue("isss#", nid, sn, ln, buf, buflen);
+ } else {
+ return Py_BuildValue("issO", nid, sn, ln, Py_None);
+ }
+}
+
+PyDoc_STRVAR(PySSL_txt2obj_doc,
+"txt2obj(txt, name=False) -> (nid, shortname, longname, oid)\n\
+\n\
+Lookup NID, short name, long name and OID of an ASN1_OBJECT. By default\n\
+objects are looked up by OID. With name=True short and long name are also\n\
+matched.");
+
+static PyObject*
+PySSL_txt2obj(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"txt", "name", NULL};
+ PyObject *result = NULL;
+ char *txt;
+ PyObject *pyname = Py_None;
+ int name = 0;
+ ASN1_OBJECT *obj;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|O:txt2obj",
+ kwlist, &txt, &pyname)) {
+ return NULL;
+ }
+ name = PyObject_IsTrue(pyname);
+ if (name < 0)
+ return NULL;
+ obj = OBJ_txt2obj(txt, name ? 0 : 1);
+ if (obj == NULL) {
+ PyErr_Format(PyExc_ValueError, "unknown object '%.100s'", txt);
+ return NULL;
+ }
+ result = asn1obj2py(obj);
+ ASN1_OBJECT_free(obj);
+ return result;
+}
+
+PyDoc_STRVAR(PySSL_nid2obj_doc,
+"nid2obj(nid) -> (nid, shortname, longname, oid)\n\
+\n\
+Lookup NID, short name, long name and OID of an ASN1_OBJECT by NID.");
+
+static PyObject*
+PySSL_nid2obj(PyObject *self, PyObject *args)
+{
+ PyObject *result = NULL;
+ int nid;
+ ASN1_OBJECT *obj;
+
+ if (!PyArg_ParseTuple(args, "i:nid2obj", &nid)) {
+ return NULL;
+ }
+ if (nid < NID_undef) {
+ PyErr_SetString(PyExc_ValueError, "NID must be positive.");
+ return NULL;
+ }
+ obj = OBJ_nid2obj(nid);
+ if (obj == NULL) {
+ PyErr_Format(PyExc_ValueError, "unknown NID %i", nid);
+ return NULL;
+ }
+ result = asn1obj2py(obj);
+ ASN1_OBJECT_free(obj);
+ return result;
+}
+
+#ifdef _MSC_VER
+
+static PyObject*
+certEncodingType(DWORD encodingType)
+{
+ static PyObject *x509_asn = NULL;
+ static PyObject *pkcs_7_asn = NULL;
+
+ if (x509_asn == NULL) {
+ x509_asn = PyUnicode_InternFromString("x509_asn");
+ if (x509_asn == NULL)
+ return NULL;
+ }
+ if (pkcs_7_asn == NULL) {
+ pkcs_7_asn = PyUnicode_InternFromString("pkcs_7_asn");
+ if (pkcs_7_asn == NULL)
+ return NULL;
+ }
+ switch(encodingType) {
+ case X509_ASN_ENCODING:
+ Py_INCREF(x509_asn);
+ return x509_asn;
+ case PKCS_7_ASN_ENCODING:
+ Py_INCREF(pkcs_7_asn);
+ return pkcs_7_asn;
+ default:
+ return PyLong_FromLong(encodingType);
+ }
+}
+
+static PyObject*
+parseKeyUsage(PCCERT_CONTEXT pCertCtx, DWORD flags)
+{
+ CERT_ENHKEY_USAGE *usage;
+ DWORD size, error, i;
+ PyObject *retval;
+
+ if (!CertGetEnhancedKeyUsage(pCertCtx, flags, NULL, &size)) {
+ error = GetLastError();
+ if (error == CRYPT_E_NOT_FOUND) {
+ Py_RETURN_TRUE;
+ }
+ return PyErr_SetFromWindowsErr(error);
+ }
+
+ usage = (CERT_ENHKEY_USAGE*)PyMem_Malloc(size);
+ if (usage == NULL) {
+ return PyErr_NoMemory();
+ }
+
+ /* Now get the actual enhanced usage property */
+ if (!CertGetEnhancedKeyUsage(pCertCtx, flags, usage, &size)) {
+ PyMem_Free(usage);
+ error = GetLastError();
+ if (error == CRYPT_E_NOT_FOUND) {
+ Py_RETURN_TRUE;
+ }
+ return PyErr_SetFromWindowsErr(error);
+ }
+ retval = PySet_New(NULL);
+ if (retval == NULL) {
+ goto error;
+ }
+ for (i = 0; i < usage->cUsageIdentifier; ++i) {
+ if (usage->rgpszUsageIdentifier[i]) {
+ PyObject *oid;
+ int err;
+ oid = PyUnicode_FromString(usage->rgpszUsageIdentifier[i]);
+ if (oid == NULL) {
+ Py_CLEAR(retval);
+ goto error;
+ }
+ err = PySet_Add(retval, oid);
+ Py_DECREF(oid);
+ if (err == -1) {
+ Py_CLEAR(retval);
+ goto error;
+ }
+ }
+ }
+ error:
+ PyMem_Free(usage);
+ return retval;
+}
+
+PyDoc_STRVAR(PySSL_enum_certificates_doc,
+"enum_certificates(store_name) -> []\n\
+\n\
+Retrieve certificates from Windows' cert store. store_name may be one of\n\
+'CA', 'ROOT' or 'MY'. The system may provide more cert storages, too.\n\
+The function returns a list of (bytes, encoding_type, trust) tuples. The\n\
+encoding_type flag can be interpreted with X509_ASN_ENCODING or\n\
+PKCS_7_ASN_ENCODING. The trust setting is either a set of OIDs or the\n\
+boolean True.");
+
+static PyObject *
+PySSL_enum_certificates(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"store_name", NULL};
+ char *store_name;
+ HCERTSTORE hStore = NULL;
+ PCCERT_CONTEXT pCertCtx = NULL;
+ PyObject *keyusage = NULL, *cert = NULL, *enc = NULL, *tup = NULL;
+ PyObject *result = NULL;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|s:enum_certificates",
+ kwlist, &store_name)) {
+ return NULL;
+ }
+ result = PyList_New(0);
+ if (result == NULL) {
+ return NULL;
+ }
+ hStore = CertOpenSystemStore((HCRYPTPROV)NULL, store_name);
+ if (hStore == NULL) {
+ Py_DECREF(result);
+ return PyErr_SetFromWindowsErr(GetLastError());
+ }
+
+ while (pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx)) {
+ cert = PyBytes_FromStringAndSize((const char*)pCertCtx->pbCertEncoded,
+ pCertCtx->cbCertEncoded);
+ if (!cert) {
+ Py_CLEAR(result);
+ break;
+ }
+ if ((enc = certEncodingType(pCertCtx->dwCertEncodingType)) == NULL) {
+ Py_CLEAR(result);
+ break;
+ }
+ keyusage = parseKeyUsage(pCertCtx, CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG);
+ if (keyusage == Py_True) {
+ Py_DECREF(keyusage);
+ keyusage = parseKeyUsage(pCertCtx, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG);
+ }
+ if (keyusage == NULL) {
+ Py_CLEAR(result);
+ break;
+ }
+ if ((tup = PyTuple_New(3)) == NULL) {
+ Py_CLEAR(result);
+ break;
+ }
+ PyTuple_SET_ITEM(tup, 0, cert);
+ cert = NULL;
+ PyTuple_SET_ITEM(tup, 1, enc);
+ enc = NULL;
+ PyTuple_SET_ITEM(tup, 2, keyusage);
+ keyusage = NULL;
+ if (PyList_Append(result, tup) < 0) {
+ Py_CLEAR(result);
+ break;
+ }
+ Py_CLEAR(tup);
+ }
+ if (pCertCtx) {
+ /* loop ended with an error, need to clean up context manually */
+ CertFreeCertificateContext(pCertCtx);
+ }
+
+ /* In error cases cert, enc and tup may not be NULL */
+ Py_XDECREF(cert);
+ Py_XDECREF(enc);
+ Py_XDECREF(keyusage);
+ Py_XDECREF(tup);
+
+ if (!CertCloseStore(hStore, 0)) {
+ /* This error case might shadow another exception.*/
+ Py_XDECREF(result);
+ return PyErr_SetFromWindowsErr(GetLastError());
+ }
+ return result;
+}
+
+PyDoc_STRVAR(PySSL_enum_crls_doc,
+"enum_crls(store_name) -> []\n\
+\n\
+Retrieve CRLs from Windows' cert store. store_name may be one of\n\
+'CA', 'ROOT' or 'MY'. The system may provide more cert storages, too.\n\
+The function returns a list of (bytes, encoding_type) tuples. The\n\
+encoding_type flag can be interpreted with X509_ASN_ENCODING or\n\
+PKCS_7_ASN_ENCODING.");
+
+static PyObject *
+PySSL_enum_crls(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ char *kwlist[] = {"store_name", NULL};
+ char *store_name;
+ HCERTSTORE hStore = NULL;
+ PCCRL_CONTEXT pCrlCtx = NULL;
+ PyObject *crl = NULL, *enc = NULL, *tup = NULL;
+ PyObject *result = NULL;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|s:enum_crls",
+ kwlist, &store_name)) {
+ return NULL;
+ }
+ result = PyList_New(0);
+ if (result == NULL) {
+ return NULL;
+ }
+ hStore = CertOpenSystemStore((HCRYPTPROV)NULL, store_name);
+ if (hStore == NULL) {
+ Py_DECREF(result);
+ return PyErr_SetFromWindowsErr(GetLastError());
+ }
+
+ while (pCrlCtx = CertEnumCRLsInStore(hStore, pCrlCtx)) {
+ crl = PyBytes_FromStringAndSize((const char*)pCrlCtx->pbCrlEncoded,
+ pCrlCtx->cbCrlEncoded);
+ if (!crl) {
+ Py_CLEAR(result);
+ break;
+ }
+ if ((enc = certEncodingType(pCrlCtx->dwCertEncodingType)) == NULL) {
+ Py_CLEAR(result);
+ break;
+ }
+ if ((tup = PyTuple_New(2)) == NULL) {
+ Py_CLEAR(result);
+ break;
+ }
+ PyTuple_SET_ITEM(tup, 0, crl);
+ crl = NULL;
+ PyTuple_SET_ITEM(tup, 1, enc);
+ enc = NULL;
+
+ if (PyList_Append(result, tup) < 0) {
+ Py_CLEAR(result);
+ break;
+ }
+ Py_CLEAR(tup);
+ }
+ if (pCrlCtx) {
+ /* loop ended with an error, need to clean up context manually */
+ CertFreeCRLContext(pCrlCtx);
+ }
+
+ /* In error cases cert, enc and tup may not be NULL */
+ Py_XDECREF(crl);
+ Py_XDECREF(enc);
+ Py_XDECREF(tup);
+
+ if (!CertCloseStore(hStore, 0)) {
+ /* This error case might shadow another exception.*/
+ Py_XDECREF(result);
+ return PyErr_SetFromWindowsErr(GetLastError());
+ }
+ return result;
+}
+
+#endif /* _MSC_VER */
+
/* List of functions exported by this module. */
static PyMethodDef PySSL_methods[] = {
- {"sslwrap", PySSL_sslwrap,
- METH_VARARGS, ssl_doc},
{"_test_decode_cert", PySSL_test_decode_certificate,
METH_VARARGS},
#ifdef HAVE_OPENSSL_RAND
{"RAND_add", PySSL_RAND_add, METH_VARARGS,
PySSL_RAND_add_doc},
- {"RAND_egd", PySSL_RAND_egd, METH_O,
+ {"RAND_egd", PySSL_RAND_egd, METH_VARARGS,
PySSL_RAND_egd_doc},
{"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
PySSL_RAND_status_doc},
#endif
+ {"get_default_verify_paths", (PyCFunction)PySSL_get_default_verify_paths,
+ METH_NOARGS, PySSL_get_default_verify_paths_doc},
+#ifdef _MSC_VER
+ {"enum_certificates", (PyCFunction)PySSL_enum_certificates,
+ METH_VARARGS | METH_KEYWORDS, PySSL_enum_certificates_doc},
+ {"enum_crls", (PyCFunction)PySSL_enum_crls,
+ METH_VARARGS | METH_KEYWORDS, PySSL_enum_crls_doc},
+#endif
+ {"txt2obj", (PyCFunction)PySSL_txt2obj,
+ METH_VARARGS | METH_KEYWORDS, PySSL_txt2obj_doc},
+ {"nid2obj", (PyCFunction)PySSL_nid2obj,
+ METH_VARARGS, PySSL_nid2obj_doc},
{NULL, NULL} /* Sentinel */
};
@@ -1672,16 +3713,17 @@
}
#endif
-static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) {
+static void _ssl_thread_locking_function
+ (int mode, int n, const char *file, int line) {
/* this function is needed to perform locking on shared data
structures. (Note that OpenSSL uses a number of global data
- structures that will be implicitly shared whenever multiple threads
- use OpenSSL.) Multi-threaded applications will crash at random if
- it is not set.
+ structures that will be implicitly shared whenever multiple
+ threads use OpenSSL.) Multi-threaded applications will
+ crash at random if it is not set.
- locking_function() must be able to handle up to CRYPTO_num_locks()
- different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and
- releases it otherwise.
+ locking_function() must be able to handle up to
+ CRYPTO_num_locks() different mutex locks. It sets the n-th
+ lock if mode & CRYPTO_LOCK, and releases it otherwise.
file and line are the file number of the function setting the
lock. They can be useful for debugging.
@@ -1705,10 +3747,11 @@
if (_ssl_locks == NULL) {
_ssl_locks_count = CRYPTO_num_locks();
_ssl_locks = (PyThread_type_lock *)
- malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
+ PyMem_Malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
if (_ssl_locks == NULL)
return 0;
- memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count);
+ memset(_ssl_locks, 0,
+ sizeof(PyThread_type_lock) * _ssl_locks_count);
for (i = 0; i < _ssl_locks_count; i++) {
_ssl_locks[i] = PyThread_allocate_lock();
if (_ssl_locks[i] == NULL) {
@@ -1716,7 +3759,7 @@
for (j = 0; j < i; j++) {
PyThread_free_lock(_ssl_locks[j]);
}
- free(_ssl_locks);
+ PyMem_Free(_ssl_locks);
return 0;
}
}
@@ -1736,14 +3779,39 @@
"Implementation module for SSL socket operations. See the socket module\n\
for documentation.");
+
+
+
+static void
+parse_openssl_version(unsigned long libver,
+ unsigned int *major, unsigned int *minor,
+ unsigned int *fix, unsigned int *patch,
+ unsigned int *status)
+{
+ *status = libver & 0xF;
+ libver >>= 4;
+ *patch = libver & 0xFF;
+ libver >>= 8;
+ *fix = libver & 0xFF;
+ libver >>= 8;
+ *minor = libver & 0xFF;
+ libver >>= 8;
+ *major = libver & 0xFF;
+}
+
PyMODINIT_FUNC
init_ssl(void)
{
PyObject *m, *d, *r;
unsigned long libver;
unsigned int major, minor, fix, patch, status;
+ struct py_ssl_error_code *errcode;
+ struct py_ssl_library_code *libcode;
- Py_TYPE(&PySSL_Type) = &PyType_Type;
+ if (PyType_Ready(&PySSLContext_Type) < 0)
+ return;
+ if (PyType_Ready(&PySSLSocket_Type) < 0)
+ return;
m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
if (m == NULL)
@@ -1766,15 +3834,53 @@
OpenSSL_add_all_algorithms();
/* Add symbols to module dict */
- PySSLErrorObject = PyErr_NewException("ssl.SSLError",
- PySocketModule.error,
- NULL);
+ PySSLErrorObject = PyErr_NewExceptionWithDoc(
+ "ssl.SSLError", SSLError_doc,
+ PySocketModule.error, NULL);
if (PySSLErrorObject == NULL)
return;
- if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0)
+ ((PyTypeObject *)PySSLErrorObject)->tp_str = (reprfunc)SSLError_str;
+
+ PySSLZeroReturnErrorObject = PyErr_NewExceptionWithDoc(
+ "ssl.SSLZeroReturnError", SSLZeroReturnError_doc,
+ PySSLErrorObject, NULL);
+ PySSLWantReadErrorObject = PyErr_NewExceptionWithDoc(
+ "ssl.SSLWantReadError", SSLWantReadError_doc,
+ PySSLErrorObject, NULL);
+ PySSLWantWriteErrorObject = PyErr_NewExceptionWithDoc(
+ "ssl.SSLWantWriteError", SSLWantWriteError_doc,
+ PySSLErrorObject, NULL);
+ PySSLSyscallErrorObject = PyErr_NewExceptionWithDoc(
+ "ssl.SSLSyscallError", SSLSyscallError_doc,
+ PySSLErrorObject, NULL);
+ PySSLEOFErrorObject = PyErr_NewExceptionWithDoc(
+ "ssl.SSLEOFError", SSLEOFError_doc,
+ PySSLErrorObject, NULL);
+ if (PySSLZeroReturnErrorObject == NULL
+ || PySSLWantReadErrorObject == NULL
+ || PySSLWantWriteErrorObject == NULL
+ || PySSLSyscallErrorObject == NULL
+ || PySSLEOFErrorObject == NULL)
return;
- if (PyDict_SetItemString(d, "SSLType",
- (PyObject *)&PySSL_Type) != 0)
+
+ ((PyTypeObject *)PySSLZeroReturnErrorObject)->tp_str = (reprfunc)SSLError_str;
+ ((PyTypeObject *)PySSLWantReadErrorObject)->tp_str = (reprfunc)SSLError_str;
+ ((PyTypeObject *)PySSLWantWriteErrorObject)->tp_str = (reprfunc)SSLError_str;
+ ((PyTypeObject *)PySSLSyscallErrorObject)->tp_str = (reprfunc)SSLError_str;
+ ((PyTypeObject *)PySSLEOFErrorObject)->tp_str = (reprfunc)SSLError_str;
+
+ if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0
+ || PyDict_SetItemString(d, "SSLZeroReturnError", PySSLZeroReturnErrorObject) != 0
+ || PyDict_SetItemString(d, "SSLWantReadError", PySSLWantReadErrorObject) != 0
+ || PyDict_SetItemString(d, "SSLWantWriteError", PySSLWantWriteErrorObject) != 0
+ || PyDict_SetItemString(d, "SSLSyscallError", PySSLSyscallErrorObject) != 0
+ || PyDict_SetItemString(d, "SSLEOFError", PySSLEOFErrorObject) != 0)
+ return;
+ if (PyDict_SetItemString(d, "_SSLContext",
+ (PyObject *)&PySSLContext_Type) != 0)
+ return;
+ if (PyDict_SetItemString(d, "_SSLSocket",
+ (PyObject *)&PySSLSocket_Type) != 0)
return;
PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
PY_SSL_ERROR_ZERO_RETURN);
@@ -1802,6 +3908,66 @@
PY_SSL_CERT_OPTIONAL);
PyModule_AddIntConstant(m, "CERT_REQUIRED",
PY_SSL_CERT_REQUIRED);
+ /* CRL verification for verification_flags */
+ PyModule_AddIntConstant(m, "VERIFY_DEFAULT",
+ 0);
+ PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_LEAF",
+ X509_V_FLAG_CRL_CHECK);
+ PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_CHAIN",
+ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
+ X509_V_FLAG_X509_STRICT);
+
+ /* Alert Descriptions from ssl.h */
+ /* note RESERVED constants no longer intended for use have been removed */
+ /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */
+
+#define ADD_AD_CONSTANT(s) \
+ PyModule_AddIntConstant(m, "ALERT_DESCRIPTION_"#s, \
+ SSL_AD_##s)
+
+ ADD_AD_CONSTANT(CLOSE_NOTIFY);
+ ADD_AD_CONSTANT(UNEXPECTED_MESSAGE);
+ ADD_AD_CONSTANT(BAD_RECORD_MAC);
+ ADD_AD_CONSTANT(RECORD_OVERFLOW);
+ ADD_AD_CONSTANT(DECOMPRESSION_FAILURE);
+ ADD_AD_CONSTANT(HANDSHAKE_FAILURE);
+ ADD_AD_CONSTANT(BAD_CERTIFICATE);
+ ADD_AD_CONSTANT(UNSUPPORTED_CERTIFICATE);
+ ADD_AD_CONSTANT(CERTIFICATE_REVOKED);
+ ADD_AD_CONSTANT(CERTIFICATE_EXPIRED);
+ ADD_AD_CONSTANT(CERTIFICATE_UNKNOWN);
+ ADD_AD_CONSTANT(ILLEGAL_PARAMETER);
+ ADD_AD_CONSTANT(UNKNOWN_CA);
+ ADD_AD_CONSTANT(ACCESS_DENIED);
+ ADD_AD_CONSTANT(DECODE_ERROR);
+ ADD_AD_CONSTANT(DECRYPT_ERROR);
+ ADD_AD_CONSTANT(PROTOCOL_VERSION);
+ ADD_AD_CONSTANT(INSUFFICIENT_SECURITY);
+ ADD_AD_CONSTANT(INTERNAL_ERROR);
+ ADD_AD_CONSTANT(USER_CANCELLED);
+ ADD_AD_CONSTANT(NO_RENEGOTIATION);
+ /* Not all constants are in old OpenSSL versions */
+#ifdef SSL_AD_UNSUPPORTED_EXTENSION
+ ADD_AD_CONSTANT(UNSUPPORTED_EXTENSION);
+#endif
+#ifdef SSL_AD_CERTIFICATE_UNOBTAINABLE
+ ADD_AD_CONSTANT(CERTIFICATE_UNOBTAINABLE);
+#endif
+#ifdef SSL_AD_UNRECOGNIZED_NAME
+ ADD_AD_CONSTANT(UNRECOGNIZED_NAME);
+#endif
+#ifdef SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
+ ADD_AD_CONSTANT(BAD_CERTIFICATE_STATUS_RESPONSE);
+#endif
+#ifdef SSL_AD_BAD_CERTIFICATE_HASH_VALUE
+ ADD_AD_CONSTANT(BAD_CERTIFICATE_HASH_VALUE);
+#endif
+#ifdef SSL_AD_UNKNOWN_PSK_IDENTITY
+ ADD_AD_CONSTANT(UNKNOWN_PSK_IDENTITY);
+#endif
+
+#undef ADD_AD_CONSTANT
/* protocol versions */
#ifndef OPENSSL_NO_SSL2
@@ -1814,6 +3980,109 @@
PY_SSL_VERSION_SSL23);
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
PY_SSL_VERSION_TLS1);
+#if HAVE_TLSv1_2
+ PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_1",
+ PY_SSL_VERSION_TLS1_1);
+ PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_2",
+ PY_SSL_VERSION_TLS1_2);
+#endif
+
+ /* protocol options */
+ PyModule_AddIntConstant(m, "OP_ALL",
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
+ PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
+ PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
+#if HAVE_TLSv1_2
+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
+#endif
+ PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
+ PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
+#endif
+#ifdef SSL_OP_NO_COMPRESSION
+ PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
+ SSL_OP_NO_COMPRESSION);
+#endif
+
+#if HAVE_SNI
+ r = Py_True;
+#else
+ r = Py_False;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_SNI", r);
+
+#if HAVE_OPENSSL_FINISHED
+ r = Py_True;
+#else
+ r = Py_False;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
+
+#ifdef OPENSSL_NO_ECDH
+ r = Py_False;
+#else
+ r = Py_True;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_ECDH", r);
+
+#ifdef OPENSSL_NPN_NEGOTIATED
+ r = Py_True;
+#else
+ r = Py_False;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_NPN", r);
+
+ /* Mappings for error codes */
+ err_codes_to_names = PyDict_New();
+ err_names_to_codes = PyDict_New();
+ if (err_codes_to_names == NULL || err_names_to_codes == NULL)
+ return;
+ errcode = error_codes;
+ while (errcode->mnemonic != NULL) {
+ PyObject *mnemo, *key;
+ mnemo = PyUnicode_FromString(errcode->mnemonic);
+ key = Py_BuildValue("ii", errcode->library, errcode->reason);
+ if (mnemo == NULL || key == NULL)
+ return;
+ if (PyDict_SetItem(err_codes_to_names, key, mnemo))
+ return;
+ if (PyDict_SetItem(err_names_to_codes, mnemo, key))
+ return;
+ Py_DECREF(key);
+ Py_DECREF(mnemo);
+ errcode++;
+ }
+ if (PyModule_AddObject(m, "err_codes_to_names", err_codes_to_names))
+ return;
+ if (PyModule_AddObject(m, "err_names_to_codes", err_names_to_codes))
+ return;
+
+ lib_codes_to_names = PyDict_New();
+ if (lib_codes_to_names == NULL)
+ return;
+ libcode = library_codes;
+ while (libcode->library != NULL) {
+ PyObject *mnemo, *key;
+ key = PyLong_FromLong(libcode->code);
+ mnemo = PyUnicode_FromString(libcode->library);
+ if (key == NULL || mnemo == NULL)
+ return;
+ if (PyDict_SetItem(lib_codes_to_names, key, mnemo))
+ return;
+ Py_DECREF(key);
+ Py_DECREF(mnemo);
+ libcode++;
+ }
+ if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names))
+ return;
/* OpenSSL version */
/* SSLeay() gives us the version of the library linked against,
@@ -1825,15 +4094,7 @@
return;
if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r))
return;
- status = libver & 0xF;
- libver >>= 4;
- patch = libver & 0xFF;
- libver >>= 8;
- fix = libver & 0xFF;
- libver >>= 8;
- minor = libver & 0xFF;
- libver >>= 8;
- major = libver & 0xFF;
+ parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
return;
@@ -1841,4 +4102,9 @@
if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
return;
+ libver = OPENSSL_VERSION_NUMBER;
+ parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
+ r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
+ if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
+ return;
}
diff --git a/Modules/_ssl_data.h b/Modules/_ssl_data.h
new file mode 100644
index 0000000..81a8d7b
--- /dev/null
+++ b/Modules/_ssl_data.h
@@ -0,0 +1,1653 @@
+/* File generated by Tools/ssl/make_ssl_data.py */
+/* Generated on 2012-05-16T23:56:40.981382 */
+
+static struct py_ssl_library_code library_codes[] = {
+ {"PEM", ERR_LIB_PEM},
+ {"SSL", ERR_LIB_SSL},
+ {"X509", ERR_LIB_X509},
+ { NULL }
+};
+
+static struct py_ssl_error_code error_codes[] = {
+ #ifdef PEM_R_BAD_BASE64_DECODE
+ {"BAD_BASE64_DECODE", ERR_LIB_PEM, PEM_R_BAD_BASE64_DECODE},
+ #else
+ {"BAD_BASE64_DECODE", ERR_LIB_PEM, 100},
+ #endif
+ #ifdef PEM_R_BAD_DECRYPT
+ {"BAD_DECRYPT", ERR_LIB_PEM, PEM_R_BAD_DECRYPT},
+ #else
+ {"BAD_DECRYPT", ERR_LIB_PEM, 101},
+ #endif
+ #ifdef PEM_R_BAD_END_LINE
+ {"BAD_END_LINE", ERR_LIB_PEM, PEM_R_BAD_END_LINE},
+ #else
+ {"BAD_END_LINE", ERR_LIB_PEM, 102},
+ #endif
+ #ifdef PEM_R_BAD_IV_CHARS
+ {"BAD_IV_CHARS", ERR_LIB_PEM, PEM_R_BAD_IV_CHARS},
+ #else
+ {"BAD_IV_CHARS", ERR_LIB_PEM, 103},
+ #endif
+ #ifdef PEM_R_BAD_MAGIC_NUMBER
+ {"BAD_MAGIC_NUMBER", ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER},
+ #else
+ {"BAD_MAGIC_NUMBER", ERR_LIB_PEM, 116},
+ #endif
+ #ifdef PEM_R_BAD_PASSWORD_READ
+ {"BAD_PASSWORD_READ", ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ},
+ #else
+ {"BAD_PASSWORD_READ", ERR_LIB_PEM, 104},
+ #endif
+ #ifdef PEM_R_BAD_VERSION_NUMBER
+ {"BAD_VERSION_NUMBER", ERR_LIB_PEM, PEM_R_BAD_VERSION_NUMBER},
+ #else
+ {"BAD_VERSION_NUMBER", ERR_LIB_PEM, 117},
+ #endif
+ #ifdef PEM_R_BIO_WRITE_FAILURE
+ {"BIO_WRITE_FAILURE", ERR_LIB_PEM, PEM_R_BIO_WRITE_FAILURE},
+ #else
+ {"BIO_WRITE_FAILURE", ERR_LIB_PEM, 118},
+ #endif
+ #ifdef PEM_R_CIPHER_IS_NULL
+ {"CIPHER_IS_NULL", ERR_LIB_PEM, PEM_R_CIPHER_IS_NULL},
+ #else
+ {"CIPHER_IS_NULL", ERR_LIB_PEM, 127},
+ #endif
+ #ifdef PEM_R_ERROR_CONVERTING_PRIVATE_KEY
+ {"ERROR_CONVERTING_PRIVATE_KEY", ERR_LIB_PEM, PEM_R_ERROR_CONVERTING_PRIVATE_KEY},
+ #else
+ {"ERROR_CONVERTING_PRIVATE_KEY", ERR_LIB_PEM, 115},
+ #endif
+ #ifdef PEM_R_EXPECTING_PRIVATE_KEY_BLOB
+ {"EXPECTING_PRIVATE_KEY_BLOB", ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB},
+ #else
+ {"EXPECTING_PRIVATE_KEY_BLOB", ERR_LIB_PEM, 119},
+ #endif
+ #ifdef PEM_R_EXPECTING_PUBLIC_KEY_BLOB
+ {"EXPECTING_PUBLIC_KEY_BLOB", ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB},
+ #else
+ {"EXPECTING_PUBLIC_KEY_BLOB", ERR_LIB_PEM, 120},
+ #endif
+ #ifdef PEM_R_INCONSISTENT_HEADER
+ {"INCONSISTENT_HEADER", ERR_LIB_PEM, PEM_R_INCONSISTENT_HEADER},
+ #else
+ {"INCONSISTENT_HEADER", ERR_LIB_PEM, 121},
+ #endif
+ #ifdef PEM_R_KEYBLOB_HEADER_PARSE_ERROR
+ {"KEYBLOB_HEADER_PARSE_ERROR", ERR_LIB_PEM, PEM_R_KEYBLOB_HEADER_PARSE_ERROR},
+ #else
+ {"KEYBLOB_HEADER_PARSE_ERROR", ERR_LIB_PEM, 122},
+ #endif
+ #ifdef PEM_R_KEYBLOB_TOO_SHORT
+ {"KEYBLOB_TOO_SHORT", ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT},
+ #else
+ {"KEYBLOB_TOO_SHORT", ERR_LIB_PEM, 123},
+ #endif
+ #ifdef PEM_R_NOT_DEK_INFO
+ {"NOT_DEK_INFO", ERR_LIB_PEM, PEM_R_NOT_DEK_INFO},
+ #else
+ {"NOT_DEK_INFO", ERR_LIB_PEM, 105},
+ #endif
+ #ifdef PEM_R_NOT_ENCRYPTED
+ {"NOT_ENCRYPTED", ERR_LIB_PEM, PEM_R_NOT_ENCRYPTED},
+ #else
+ {"NOT_ENCRYPTED", ERR_LIB_PEM, 106},
+ #endif
+ #ifdef PEM_R_NOT_PROC_TYPE
+ {"NOT_PROC_TYPE", ERR_LIB_PEM, PEM_R_NOT_PROC_TYPE},
+ #else
+ {"NOT_PROC_TYPE", ERR_LIB_PEM, 107},
+ #endif
+ #ifdef PEM_R_NO_START_LINE
+ {"NO_START_LINE", ERR_LIB_PEM, PEM_R_NO_START_LINE},
+ #else
+ {"NO_START_LINE", ERR_LIB_PEM, 108},
+ #endif
+ #ifdef PEM_R_PROBLEMS_GETTING_PASSWORD
+ {"PROBLEMS_GETTING_PASSWORD", ERR_LIB_PEM, PEM_R_PROBLEMS_GETTING_PASSWORD},
+ #else
+ {"PROBLEMS_GETTING_PASSWORD", ERR_LIB_PEM, 109},
+ #endif
+ #ifdef PEM_R_PUBLIC_KEY_NO_RSA
+ {"PUBLIC_KEY_NO_RSA", ERR_LIB_PEM, PEM_R_PUBLIC_KEY_NO_RSA},
+ #else
+ {"PUBLIC_KEY_NO_RSA", ERR_LIB_PEM, 110},
+ #endif
+ #ifdef PEM_R_PVK_DATA_TOO_SHORT
+ {"PVK_DATA_TOO_SHORT", ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT},
+ #else
+ {"PVK_DATA_TOO_SHORT", ERR_LIB_PEM, 124},
+ #endif
+ #ifdef PEM_R_PVK_TOO_SHORT
+ {"PVK_TOO_SHORT", ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT},
+ #else
+ {"PVK_TOO_SHORT", ERR_LIB_PEM, 125},
+ #endif
+ #ifdef PEM_R_READ_KEY
+ {"READ_KEY", ERR_LIB_PEM, PEM_R_READ_KEY},
+ #else
+ {"READ_KEY", ERR_LIB_PEM, 111},
+ #endif
+ #ifdef PEM_R_SHORT_HEADER
+ {"SHORT_HEADER", ERR_LIB_PEM, PEM_R_SHORT_HEADER},
+ #else
+ {"SHORT_HEADER", ERR_LIB_PEM, 112},
+ #endif
+ #ifdef PEM_R_UNSUPPORTED_CIPHER
+ {"UNSUPPORTED_CIPHER", ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER},
+ #else
+ {"UNSUPPORTED_CIPHER", ERR_LIB_PEM, 113},
+ #endif
+ #ifdef PEM_R_UNSUPPORTED_ENCRYPTION
+ {"UNSUPPORTED_ENCRYPTION", ERR_LIB_PEM, PEM_R_UNSUPPORTED_ENCRYPTION},
+ #else
+ {"UNSUPPORTED_ENCRYPTION", ERR_LIB_PEM, 114},
+ #endif
+ #ifdef PEM_R_UNSUPPORTED_KEY_COMPONENTS
+ {"UNSUPPORTED_KEY_COMPONENTS", ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS},
+ #else
+ {"UNSUPPORTED_KEY_COMPONENTS", ERR_LIB_PEM, 126},
+ #endif
+ #ifdef SSL_R_APP_DATA_IN_HANDSHAKE
+ {"APP_DATA_IN_HANDSHAKE", ERR_LIB_SSL, SSL_R_APP_DATA_IN_HANDSHAKE},
+ #else
+ {"APP_DATA_IN_HANDSHAKE", ERR_LIB_SSL, 100},
+ #endif
+ #ifdef SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
+ {"ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT", ERR_LIB_SSL, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT},
+ #else
+ {"ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT", ERR_LIB_SSL, 272},
+ #endif
+ #ifdef SSL_R_BAD_ALERT_RECORD
+ {"BAD_ALERT_RECORD", ERR_LIB_SSL, SSL_R_BAD_ALERT_RECORD},
+ #else
+ {"BAD_ALERT_RECORD", ERR_LIB_SSL, 101},
+ #endif
+ #ifdef SSL_R_BAD_AUTHENTICATION_TYPE
+ {"BAD_AUTHENTICATION_TYPE", ERR_LIB_SSL, SSL_R_BAD_AUTHENTICATION_TYPE},
+ #else
+ {"BAD_AUTHENTICATION_TYPE", ERR_LIB_SSL, 102},
+ #endif
+ #ifdef SSL_R_BAD_CHANGE_CIPHER_SPEC
+ {"BAD_CHANGE_CIPHER_SPEC", ERR_LIB_SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC},
+ #else
+ {"BAD_CHANGE_CIPHER_SPEC", ERR_LIB_SSL, 103},
+ #endif
+ #ifdef SSL_R_BAD_CHECKSUM
+ {"BAD_CHECKSUM", ERR_LIB_SSL, SSL_R_BAD_CHECKSUM},
+ #else
+ {"BAD_CHECKSUM", ERR_LIB_SSL, 104},
+ #endif
+ #ifdef SSL_R_BAD_DATA_RETURNED_BY_CALLBACK
+ {"BAD_DATA_RETURNED_BY_CALLBACK", ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK},
+ #else
+ {"BAD_DATA_RETURNED_BY_CALLBACK", ERR_LIB_SSL, 106},
+ #endif
+ #ifdef SSL_R_BAD_DECOMPRESSION
+ {"BAD_DECOMPRESSION", ERR_LIB_SSL, SSL_R_BAD_DECOMPRESSION},
+ #else
+ {"BAD_DECOMPRESSION", ERR_LIB_SSL, 107},
+ #endif
+ #ifdef SSL_R_BAD_DH_G_LENGTH
+ {"BAD_DH_G_LENGTH", ERR_LIB_SSL, SSL_R_BAD_DH_G_LENGTH},
+ #else
+ {"BAD_DH_G_LENGTH", ERR_LIB_SSL, 108},
+ #endif
+ #ifdef SSL_R_BAD_DH_PUB_KEY_LENGTH
+ {"BAD_DH_PUB_KEY_LENGTH", ERR_LIB_SSL, SSL_R_BAD_DH_PUB_KEY_LENGTH},
+ #else
+ {"BAD_DH_PUB_KEY_LENGTH", ERR_LIB_SSL, 109},
+ #endif
+ #ifdef SSL_R_BAD_DH_P_LENGTH
+ {"BAD_DH_P_LENGTH", ERR_LIB_SSL, SSL_R_BAD_DH_P_LENGTH},
+ #else
+ {"BAD_DH_P_LENGTH", ERR_LIB_SSL, 110},
+ #endif
+ #ifdef SSL_R_BAD_DIGEST_LENGTH
+ {"BAD_DIGEST_LENGTH", ERR_LIB_SSL, SSL_R_BAD_DIGEST_LENGTH},
+ #else
+ {"BAD_DIGEST_LENGTH", ERR_LIB_SSL, 111},
+ #endif
+ #ifdef SSL_R_BAD_DSA_SIGNATURE
+ {"BAD_DSA_SIGNATURE", ERR_LIB_SSL, SSL_R_BAD_DSA_SIGNATURE},
+ #else
+ {"BAD_DSA_SIGNATURE", ERR_LIB_SSL, 112},
+ #endif
+ #ifdef SSL_R_BAD_ECC_CERT
+ {"BAD_ECC_CERT", ERR_LIB_SSL, SSL_R_BAD_ECC_CERT},
+ #else
+ {"BAD_ECC_CERT", ERR_LIB_SSL, 304},
+ #endif
+ #ifdef SSL_R_BAD_ECDSA_SIGNATURE
+ {"BAD_ECDSA_SIGNATURE", ERR_LIB_SSL, SSL_R_BAD_ECDSA_SIGNATURE},
+ #else
+ {"BAD_ECDSA_SIGNATURE", ERR_LIB_SSL, 305},
+ #endif
+ #ifdef SSL_R_BAD_ECPOINT
+ {"BAD_ECPOINT", ERR_LIB_SSL, SSL_R_BAD_ECPOINT},
+ #else
+ {"BAD_ECPOINT", ERR_LIB_SSL, 306},
+ #endif
+ #ifdef SSL_R_BAD_HANDSHAKE_LENGTH
+ {"BAD_HANDSHAKE_LENGTH", ERR_LIB_SSL, SSL_R_BAD_HANDSHAKE_LENGTH},
+ #else
+ {"BAD_HANDSHAKE_LENGTH", ERR_LIB_SSL, 332},
+ #endif
+ #ifdef SSL_R_BAD_HELLO_REQUEST
+ {"BAD_HELLO_REQUEST", ERR_LIB_SSL, SSL_R_BAD_HELLO_REQUEST},
+ #else
+ {"BAD_HELLO_REQUEST", ERR_LIB_SSL, 105},
+ #endif
+ #ifdef SSL_R_BAD_LENGTH
+ {"BAD_LENGTH", ERR_LIB_SSL, SSL_R_BAD_LENGTH},
+ #else
+ {"BAD_LENGTH", ERR_LIB_SSL, 271},
+ #endif
+ #ifdef SSL_R_BAD_MAC_DECODE
+ {"BAD_MAC_DECODE", ERR_LIB_SSL, SSL_R_BAD_MAC_DECODE},
+ #else
+ {"BAD_MAC_DECODE", ERR_LIB_SSL, 113},
+ #endif
+ #ifdef SSL_R_BAD_MAC_LENGTH
+ {"BAD_MAC_LENGTH", ERR_LIB_SSL, SSL_R_BAD_MAC_LENGTH},
+ #else
+ {"BAD_MAC_LENGTH", ERR_LIB_SSL, 333},
+ #endif
+ #ifdef SSL_R_BAD_MESSAGE_TYPE
+ {"BAD_MESSAGE_TYPE", ERR_LIB_SSL, SSL_R_BAD_MESSAGE_TYPE},
+ #else
+ {"BAD_MESSAGE_TYPE", ERR_LIB_SSL, 114},
+ #endif
+ #ifdef SSL_R_BAD_PACKET_LENGTH
+ {"BAD_PACKET_LENGTH", ERR_LIB_SSL, SSL_R_BAD_PACKET_LENGTH},
+ #else
+ {"BAD_PACKET_LENGTH", ERR_LIB_SSL, 115},
+ #endif
+ #ifdef SSL_R_BAD_PROTOCOL_VERSION_NUMBER
+ {"BAD_PROTOCOL_VERSION_NUMBER", ERR_LIB_SSL, SSL_R_BAD_PROTOCOL_VERSION_NUMBER},
+ #else
+ {"BAD_PROTOCOL_VERSION_NUMBER", ERR_LIB_SSL, 116},
+ #endif
+ #ifdef SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH
+ {"BAD_PSK_IDENTITY_HINT_LENGTH", ERR_LIB_SSL, SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH},
+ #else
+ {"BAD_PSK_IDENTITY_HINT_LENGTH", ERR_LIB_SSL, 316},
+ #endif
+ #ifdef SSL_R_BAD_RESPONSE_ARGUMENT
+ {"BAD_RESPONSE_ARGUMENT", ERR_LIB_SSL, SSL_R_BAD_RESPONSE_ARGUMENT},
+ #else
+ {"BAD_RESPONSE_ARGUMENT", ERR_LIB_SSL, 117},
+ #endif
+ #ifdef SSL_R_BAD_RSA_DECRYPT
+ {"BAD_RSA_DECRYPT", ERR_LIB_SSL, SSL_R_BAD_RSA_DECRYPT},
+ #else
+ {"BAD_RSA_DECRYPT", ERR_LIB_SSL, 118},
+ #endif
+ #ifdef SSL_R_BAD_RSA_ENCRYPT
+ {"BAD_RSA_ENCRYPT", ERR_LIB_SSL, SSL_R_BAD_RSA_ENCRYPT},
+ #else
+ {"BAD_RSA_ENCRYPT", ERR_LIB_SSL, 119},
+ #endif
+ #ifdef SSL_R_BAD_RSA_E_LENGTH
+ {"BAD_RSA_E_LENGTH", ERR_LIB_SSL, SSL_R_BAD_RSA_E_LENGTH},
+ #else
+ {"BAD_RSA_E_LENGTH", ERR_LIB_SSL, 120},
+ #endif
+ #ifdef SSL_R_BAD_RSA_MODULUS_LENGTH
+ {"BAD_RSA_MODULUS_LENGTH", ERR_LIB_SSL, SSL_R_BAD_RSA_MODULUS_LENGTH},
+ #else
+ {"BAD_RSA_MODULUS_LENGTH", ERR_LIB_SSL, 121},
+ #endif
+ #ifdef SSL_R_BAD_RSA_SIGNATURE
+ {"BAD_RSA_SIGNATURE", ERR_LIB_SSL, SSL_R_BAD_RSA_SIGNATURE},
+ #else
+ {"BAD_RSA_SIGNATURE", ERR_LIB_SSL, 122},
+ #endif
+ #ifdef SSL_R_BAD_SIGNATURE
+ {"BAD_SIGNATURE", ERR_LIB_SSL, SSL_R_BAD_SIGNATURE},
+ #else
+ {"BAD_SIGNATURE", ERR_LIB_SSL, 123},
+ #endif
+ #ifdef SSL_R_BAD_SSL_FILETYPE
+ {"BAD_SSL_FILETYPE", ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE},
+ #else
+ {"BAD_SSL_FILETYPE", ERR_LIB_SSL, 124},
+ #endif
+ #ifdef SSL_R_BAD_SSL_SESSION_ID_LENGTH
+ {"BAD_SSL_SESSION_ID_LENGTH", ERR_LIB_SSL, SSL_R_BAD_SSL_SESSION_ID_LENGTH},
+ #else
+ {"BAD_SSL_SESSION_ID_LENGTH", ERR_LIB_SSL, 125},
+ #endif
+ #ifdef SSL_R_BAD_STATE
+ {"BAD_STATE", ERR_LIB_SSL, SSL_R_BAD_STATE},
+ #else
+ {"BAD_STATE", ERR_LIB_SSL, 126},
+ #endif
+ #ifdef SSL_R_BAD_WRITE_RETRY
+ {"BAD_WRITE_RETRY", ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY},
+ #else
+ {"BAD_WRITE_RETRY", ERR_LIB_SSL, 127},
+ #endif
+ #ifdef SSL_R_BIO_NOT_SET
+ {"BIO_NOT_SET", ERR_LIB_SSL, SSL_R_BIO_NOT_SET},
+ #else
+ {"BIO_NOT_SET", ERR_LIB_SSL, 128},
+ #endif
+ #ifdef SSL_R_BLOCK_CIPHER_PAD_IS_WRONG
+ {"BLOCK_CIPHER_PAD_IS_WRONG", ERR_LIB_SSL, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG},
+ #else
+ {"BLOCK_CIPHER_PAD_IS_WRONG", ERR_LIB_SSL, 129},
+ #endif
+ #ifdef SSL_R_BN_LIB
+ {"BN_LIB", ERR_LIB_SSL, SSL_R_BN_LIB},
+ #else
+ {"BN_LIB", ERR_LIB_SSL, 130},
+ #endif
+ #ifdef SSL_R_CA_DN_LENGTH_MISMATCH
+ {"CA_DN_LENGTH_MISMATCH", ERR_LIB_SSL, SSL_R_CA_DN_LENGTH_MISMATCH},
+ #else
+ {"CA_DN_LENGTH_MISMATCH", ERR_LIB_SSL, 131},
+ #endif
+ #ifdef SSL_R_CA_DN_TOO_LONG
+ {"CA_DN_TOO_LONG", ERR_LIB_SSL, SSL_R_CA_DN_TOO_LONG},
+ #else
+ {"CA_DN_TOO_LONG", ERR_LIB_SSL, 132},
+ #endif
+ #ifdef SSL_R_CCS_RECEIVED_EARLY
+ {"CCS_RECEIVED_EARLY", ERR_LIB_SSL, SSL_R_CCS_RECEIVED_EARLY},
+ #else
+ {"CCS_RECEIVED_EARLY", ERR_LIB_SSL, 133},
+ #endif
+ #ifdef SSL_R_CERTIFICATE_VERIFY_FAILED
+ {"CERTIFICATE_VERIFY_FAILED", ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED},
+ #else
+ {"CERTIFICATE_VERIFY_FAILED", ERR_LIB_SSL, 134},
+ #endif
+ #ifdef SSL_R_CERT_LENGTH_MISMATCH
+ {"CERT_LENGTH_MISMATCH", ERR_LIB_SSL, SSL_R_CERT_LENGTH_MISMATCH},
+ #else
+ {"CERT_LENGTH_MISMATCH", ERR_LIB_SSL, 135},
+ #endif
+ #ifdef SSL_R_CHALLENGE_IS_DIFFERENT
+ {"CHALLENGE_IS_DIFFERENT", ERR_LIB_SSL, SSL_R_CHALLENGE_IS_DIFFERENT},
+ #else
+ {"CHALLENGE_IS_DIFFERENT", ERR_LIB_SSL, 136},
+ #endif
+ #ifdef SSL_R_CIPHER_CODE_WRONG_LENGTH
+ {"CIPHER_CODE_WRONG_LENGTH", ERR_LIB_SSL, SSL_R_CIPHER_CODE_WRONG_LENGTH},
+ #else
+ {"CIPHER_CODE_WRONG_LENGTH", ERR_LIB_SSL, 137},
+ #endif
+ #ifdef SSL_R_CIPHER_OR_HASH_UNAVAILABLE
+ {"CIPHER_OR_HASH_UNAVAILABLE", ERR_LIB_SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE},
+ #else
+ {"CIPHER_OR_HASH_UNAVAILABLE", ERR_LIB_SSL, 138},
+ #endif
+ #ifdef SSL_R_CIPHER_TABLE_SRC_ERROR
+ {"CIPHER_TABLE_SRC_ERROR", ERR_LIB_SSL, SSL_R_CIPHER_TABLE_SRC_ERROR},
+ #else
+ {"CIPHER_TABLE_SRC_ERROR", ERR_LIB_SSL, 139},
+ #endif
+ #ifdef SSL_R_CLIENTHELLO_TLSEXT
+ {"CLIENTHELLO_TLSEXT", ERR_LIB_SSL, SSL_R_CLIENTHELLO_TLSEXT},
+ #else
+ {"CLIENTHELLO_TLSEXT", ERR_LIB_SSL, 226},
+ #endif
+ #ifdef SSL_R_COMPRESSED_LENGTH_TOO_LONG
+ {"COMPRESSED_LENGTH_TOO_LONG", ERR_LIB_SSL, SSL_R_COMPRESSED_LENGTH_TOO_LONG},
+ #else
+ {"COMPRESSED_LENGTH_TOO_LONG", ERR_LIB_SSL, 140},
+ #endif
+ #ifdef SSL_R_COMPRESSION_DISABLED
+ {"COMPRESSION_DISABLED", ERR_LIB_SSL, SSL_R_COMPRESSION_DISABLED},
+ #else
+ {"COMPRESSION_DISABLED", ERR_LIB_SSL, 343},
+ #endif
+ #ifdef SSL_R_COMPRESSION_FAILURE
+ {"COMPRESSION_FAILURE", ERR_LIB_SSL, SSL_R_COMPRESSION_FAILURE},
+ #else
+ {"COMPRESSION_FAILURE", ERR_LIB_SSL, 141},
+ #endif
+ #ifdef SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE
+ {"COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE", ERR_LIB_SSL, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE},
+ #else
+ {"COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE", ERR_LIB_SSL, 307},
+ #endif
+ #ifdef SSL_R_COMPRESSION_LIBRARY_ERROR
+ {"COMPRESSION_LIBRARY_ERROR", ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR},
+ #else
+ {"COMPRESSION_LIBRARY_ERROR", ERR_LIB_SSL, 142},
+ #endif
+ #ifdef SSL_R_CONNECTION_ID_IS_DIFFERENT
+ {"CONNECTION_ID_IS_DIFFERENT", ERR_LIB_SSL, SSL_R_CONNECTION_ID_IS_DIFFERENT},
+ #else
+ {"CONNECTION_ID_IS_DIFFERENT", ERR_LIB_SSL, 143},
+ #endif
+ #ifdef SSL_R_CONNECTION_TYPE_NOT_SET
+ {"CONNECTION_TYPE_NOT_SET", ERR_LIB_SSL, SSL_R_CONNECTION_TYPE_NOT_SET},
+ #else
+ {"CONNECTION_TYPE_NOT_SET", ERR_LIB_SSL, 144},
+ #endif
+ #ifdef SSL_R_COOKIE_MISMATCH
+ {"COOKIE_MISMATCH", ERR_LIB_SSL, SSL_R_COOKIE_MISMATCH},
+ #else
+ {"COOKIE_MISMATCH", ERR_LIB_SSL, 308},
+ #endif
+ #ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
+ {"DATA_BETWEEN_CCS_AND_FINISHED", ERR_LIB_SSL, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED},
+ #else
+ {"DATA_BETWEEN_CCS_AND_FINISHED", ERR_LIB_SSL, 145},
+ #endif
+ #ifdef SSL_R_DATA_LENGTH_TOO_LONG
+ {"DATA_LENGTH_TOO_LONG", ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG},
+ #else
+ {"DATA_LENGTH_TOO_LONG", ERR_LIB_SSL, 146},
+ #endif
+ #ifdef SSL_R_DECRYPTION_FAILED
+ {"DECRYPTION_FAILED", ERR_LIB_SSL, SSL_R_DECRYPTION_FAILED},
+ #else
+ {"DECRYPTION_FAILED", ERR_LIB_SSL, 147},
+ #endif
+ #ifdef SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
+ {"DECRYPTION_FAILED_OR_BAD_RECORD_MAC", ERR_LIB_SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC},
+ #else
+ {"DECRYPTION_FAILED_OR_BAD_RECORD_MAC", ERR_LIB_SSL, 281},
+ #endif
+ #ifdef SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG
+ {"DH_PUBLIC_VALUE_LENGTH_IS_WRONG", ERR_LIB_SSL, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG},
+ #else
+ {"DH_PUBLIC_VALUE_LENGTH_IS_WRONG", ERR_LIB_SSL, 148},
+ #endif
+ #ifdef SSL_R_DIGEST_CHECK_FAILED
+ {"DIGEST_CHECK_FAILED", ERR_LIB_SSL, SSL_R_DIGEST_CHECK_FAILED},
+ #else
+ {"DIGEST_CHECK_FAILED", ERR_LIB_SSL, 149},
+ #endif
+ #ifdef SSL_R_DTLS_MESSAGE_TOO_BIG
+ {"DTLS_MESSAGE_TOO_BIG", ERR_LIB_SSL, SSL_R_DTLS_MESSAGE_TOO_BIG},
+ #else
+ {"DTLS_MESSAGE_TOO_BIG", ERR_LIB_SSL, 334},
+ #endif
+ #ifdef SSL_R_DUPLICATE_COMPRESSION_ID
+ {"DUPLICATE_COMPRESSION_ID", ERR_LIB_SSL, SSL_R_DUPLICATE_COMPRESSION_ID},
+ #else
+ {"DUPLICATE_COMPRESSION_ID", ERR_LIB_SSL, 309},
+ #endif
+ #ifdef SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT
+ {"ECC_CERT_NOT_FOR_KEY_AGREEMENT", ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT},
+ #else
+ {"ECC_CERT_NOT_FOR_KEY_AGREEMENT", ERR_LIB_SSL, 317},
+ #endif
+ #ifdef SSL_R_ECC_CERT_NOT_FOR_SIGNING
+ {"ECC_CERT_NOT_FOR_SIGNING", ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING},
+ #else
+ {"ECC_CERT_NOT_FOR_SIGNING", ERR_LIB_SSL, 318},
+ #endif
+ #ifdef SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE
+ {"ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE", ERR_LIB_SSL, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE},
+ #else
+ {"ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE", ERR_LIB_SSL, 322},
+ #endif
+ #ifdef SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE
+ {"ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE", ERR_LIB_SSL, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE},
+ #else
+ {"ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE", ERR_LIB_SSL, 323},
+ #endif
+ #ifdef SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER
+ {"ECGROUP_TOO_LARGE_FOR_CIPHER", ERR_LIB_SSL, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER},
+ #else
+ {"ECGROUP_TOO_LARGE_FOR_CIPHER", ERR_LIB_SSL, 310},
+ #endif
+ #ifdef SSL_R_ENCRYPTED_LENGTH_TOO_LONG
+ {"ENCRYPTED_LENGTH_TOO_LONG", ERR_LIB_SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG},
+ #else
+ {"ENCRYPTED_LENGTH_TOO_LONG", ERR_LIB_SSL, 150},
+ #endif
+ #ifdef SSL_R_ERROR_GENERATING_TMP_RSA_KEY
+ {"ERROR_GENERATING_TMP_RSA_KEY", ERR_LIB_SSL, SSL_R_ERROR_GENERATING_TMP_RSA_KEY},
+ #else
+ {"ERROR_GENERATING_TMP_RSA_KEY", ERR_LIB_SSL, 282},
+ #endif
+ #ifdef SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST
+ {"ERROR_IN_RECEIVED_CIPHER_LIST", ERR_LIB_SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST},
+ #else
+ {"ERROR_IN_RECEIVED_CIPHER_LIST", ERR_LIB_SSL, 151},
+ #endif
+ #ifdef SSL_R_EXCESSIVE_MESSAGE_SIZE
+ {"EXCESSIVE_MESSAGE_SIZE", ERR_LIB_SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE},
+ #else
+ {"EXCESSIVE_MESSAGE_SIZE", ERR_LIB_SSL, 152},
+ #endif
+ #ifdef SSL_R_EXTRA_DATA_IN_MESSAGE
+ {"EXTRA_DATA_IN_MESSAGE", ERR_LIB_SSL, SSL_R_EXTRA_DATA_IN_MESSAGE},
+ #else
+ {"EXTRA_DATA_IN_MESSAGE", ERR_LIB_SSL, 153},
+ #endif
+ #ifdef SSL_R_GOT_A_FIN_BEFORE_A_CCS
+ {"GOT_A_FIN_BEFORE_A_CCS", ERR_LIB_SSL, SSL_R_GOT_A_FIN_BEFORE_A_CCS},
+ #else
+ {"GOT_A_FIN_BEFORE_A_CCS", ERR_LIB_SSL, 154},
+ #endif
+ #ifdef SSL_R_HTTPS_PROXY_REQUEST
+ {"HTTPS_PROXY_REQUEST", ERR_LIB_SSL, SSL_R_HTTPS_PROXY_REQUEST},
+ #else
+ {"HTTPS_PROXY_REQUEST", ERR_LIB_SSL, 155},
+ #endif
+ #ifdef SSL_R_HTTP_REQUEST
+ {"HTTP_REQUEST", ERR_LIB_SSL, SSL_R_HTTP_REQUEST},
+ #else
+ {"HTTP_REQUEST", ERR_LIB_SSL, 156},
+ #endif
+ #ifdef SSL_R_ILLEGAL_PADDING
+ {"ILLEGAL_PADDING", ERR_LIB_SSL, SSL_R_ILLEGAL_PADDING},
+ #else
+ {"ILLEGAL_PADDING", ERR_LIB_SSL, 283},
+ #endif
+ #ifdef SSL_R_INCONSISTENT_COMPRESSION
+ {"INCONSISTENT_COMPRESSION", ERR_LIB_SSL, SSL_R_INCONSISTENT_COMPRESSION},
+ #else
+ {"INCONSISTENT_COMPRESSION", ERR_LIB_SSL, 340},
+ #endif
+ #ifdef SSL_R_INVALID_CHALLENGE_LENGTH
+ {"INVALID_CHALLENGE_LENGTH", ERR_LIB_SSL, SSL_R_INVALID_CHALLENGE_LENGTH},
+ #else
+ {"INVALID_CHALLENGE_LENGTH", ERR_LIB_SSL, 158},
+ #endif
+ #ifdef SSL_R_INVALID_COMMAND
+ {"INVALID_COMMAND", ERR_LIB_SSL, SSL_R_INVALID_COMMAND},
+ #else
+ {"INVALID_COMMAND", ERR_LIB_SSL, 280},
+ #endif
+ #ifdef SSL_R_INVALID_COMPRESSION_ALGORITHM
+ {"INVALID_COMPRESSION_ALGORITHM", ERR_LIB_SSL, SSL_R_INVALID_COMPRESSION_ALGORITHM},
+ #else
+ {"INVALID_COMPRESSION_ALGORITHM", ERR_LIB_SSL, 341},
+ #endif
+ #ifdef SSL_R_INVALID_PURPOSE
+ {"INVALID_PURPOSE", ERR_LIB_SSL, SSL_R_INVALID_PURPOSE},
+ #else
+ {"INVALID_PURPOSE", ERR_LIB_SSL, 278},
+ #endif
+ #ifdef SSL_R_INVALID_STATUS_RESPONSE
+ {"INVALID_STATUS_RESPONSE", ERR_LIB_SSL, SSL_R_INVALID_STATUS_RESPONSE},
+ #else
+ {"INVALID_STATUS_RESPONSE", ERR_LIB_SSL, 328},
+ #endif
+ #ifdef SSL_R_INVALID_TICKET_KEYS_LENGTH
+ {"INVALID_TICKET_KEYS_LENGTH", ERR_LIB_SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH},
+ #else
+ {"INVALID_TICKET_KEYS_LENGTH", ERR_LIB_SSL, 325},
+ #endif
+ #ifdef SSL_R_INVALID_TRUST
+ {"INVALID_TRUST", ERR_LIB_SSL, SSL_R_INVALID_TRUST},
+ #else
+ {"INVALID_TRUST", ERR_LIB_SSL, 279},
+ #endif
+ #ifdef SSL_R_KEY_ARG_TOO_LONG
+ {"KEY_ARG_TOO_LONG", ERR_LIB_SSL, SSL_R_KEY_ARG_TOO_LONG},
+ #else
+ {"KEY_ARG_TOO_LONG", ERR_LIB_SSL, 284},
+ #endif
+ #ifdef SSL_R_KRB5
+ {"KRB5", ERR_LIB_SSL, SSL_R_KRB5},
+ #else
+ {"KRB5", ERR_LIB_SSL, 285},
+ #endif
+ #ifdef SSL_R_KRB5_C_CC_PRINC
+ {"KRB5_C_CC_PRINC", ERR_LIB_SSL, SSL_R_KRB5_C_CC_PRINC},
+ #else
+ {"KRB5_C_CC_PRINC", ERR_LIB_SSL, 286},
+ #endif
+ #ifdef SSL_R_KRB5_C_GET_CRED
+ {"KRB5_C_GET_CRED", ERR_LIB_SSL, SSL_R_KRB5_C_GET_CRED},
+ #else
+ {"KRB5_C_GET_CRED", ERR_LIB_SSL, 287},
+ #endif
+ #ifdef SSL_R_KRB5_C_INIT
+ {"KRB5_C_INIT", ERR_LIB_SSL, SSL_R_KRB5_C_INIT},
+ #else
+ {"KRB5_C_INIT", ERR_LIB_SSL, 288},
+ #endif
+ #ifdef SSL_R_KRB5_C_MK_REQ
+ {"KRB5_C_MK_REQ", ERR_LIB_SSL, SSL_R_KRB5_C_MK_REQ},
+ #else
+ {"KRB5_C_MK_REQ", ERR_LIB_SSL, 289},
+ #endif
+ #ifdef SSL_R_KRB5_S_BAD_TICKET
+ {"KRB5_S_BAD_TICKET", ERR_LIB_SSL, SSL_R_KRB5_S_BAD_TICKET},
+ #else
+ {"KRB5_S_BAD_TICKET", ERR_LIB_SSL, 290},
+ #endif
+ #ifdef SSL_R_KRB5_S_INIT
+ {"KRB5_S_INIT", ERR_LIB_SSL, SSL_R_KRB5_S_INIT},
+ #else
+ {"KRB5_S_INIT", ERR_LIB_SSL, 291},
+ #endif
+ #ifdef SSL_R_KRB5_S_RD_REQ
+ {"KRB5_S_RD_REQ", ERR_LIB_SSL, SSL_R_KRB5_S_RD_REQ},
+ #else
+ {"KRB5_S_RD_REQ", ERR_LIB_SSL, 292},
+ #endif
+ #ifdef SSL_R_KRB5_S_TKT_EXPIRED
+ {"KRB5_S_TKT_EXPIRED", ERR_LIB_SSL, SSL_R_KRB5_S_TKT_EXPIRED},
+ #else
+ {"KRB5_S_TKT_EXPIRED", ERR_LIB_SSL, 293},
+ #endif
+ #ifdef SSL_R_KRB5_S_TKT_NYV
+ {"KRB5_S_TKT_NYV", ERR_LIB_SSL, SSL_R_KRB5_S_TKT_NYV},
+ #else
+ {"KRB5_S_TKT_NYV", ERR_LIB_SSL, 294},
+ #endif
+ #ifdef SSL_R_KRB5_S_TKT_SKEW
+ {"KRB5_S_TKT_SKEW", ERR_LIB_SSL, SSL_R_KRB5_S_TKT_SKEW},
+ #else
+ {"KRB5_S_TKT_SKEW", ERR_LIB_SSL, 295},
+ #endif
+ #ifdef SSL_R_LENGTH_MISMATCH
+ {"LENGTH_MISMATCH", ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH},
+ #else
+ {"LENGTH_MISMATCH", ERR_LIB_SSL, 159},
+ #endif
+ #ifdef SSL_R_LENGTH_TOO_SHORT
+ {"LENGTH_TOO_SHORT", ERR_LIB_SSL, SSL_R_LENGTH_TOO_SHORT},
+ #else
+ {"LENGTH_TOO_SHORT", ERR_LIB_SSL, 160},
+ #endif
+ #ifdef SSL_R_LIBRARY_BUG
+ {"LIBRARY_BUG", ERR_LIB_SSL, SSL_R_LIBRARY_BUG},
+ #else
+ {"LIBRARY_BUG", ERR_LIB_SSL, 274},
+ #endif
+ #ifdef SSL_R_LIBRARY_HAS_NO_CIPHERS
+ {"LIBRARY_HAS_NO_CIPHERS", ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS},
+ #else
+ {"LIBRARY_HAS_NO_CIPHERS", ERR_LIB_SSL, 161},
+ #endif
+ #ifdef SSL_R_MESSAGE_TOO_LONG
+ {"MESSAGE_TOO_LONG", ERR_LIB_SSL, SSL_R_MESSAGE_TOO_LONG},
+ #else
+ {"MESSAGE_TOO_LONG", ERR_LIB_SSL, 296},
+ #endif
+ #ifdef SSL_R_MISSING_DH_DSA_CERT
+ {"MISSING_DH_DSA_CERT", ERR_LIB_SSL, SSL_R_MISSING_DH_DSA_CERT},
+ #else
+ {"MISSING_DH_DSA_CERT", ERR_LIB_SSL, 162},
+ #endif
+ #ifdef SSL_R_MISSING_DH_KEY
+ {"MISSING_DH_KEY", ERR_LIB_SSL, SSL_R_MISSING_DH_KEY},
+ #else
+ {"MISSING_DH_KEY", ERR_LIB_SSL, 163},
+ #endif
+ #ifdef SSL_R_MISSING_DH_RSA_CERT
+ {"MISSING_DH_RSA_CERT", ERR_LIB_SSL, SSL_R_MISSING_DH_RSA_CERT},
+ #else
+ {"MISSING_DH_RSA_CERT", ERR_LIB_SSL, 164},
+ #endif
+ #ifdef SSL_R_MISSING_DSA_SIGNING_CERT
+ {"MISSING_DSA_SIGNING_CERT", ERR_LIB_SSL, SSL_R_MISSING_DSA_SIGNING_CERT},
+ #else
+ {"MISSING_DSA_SIGNING_CERT", ERR_LIB_SSL, 165},
+ #endif
+ #ifdef SSL_R_MISSING_EXPORT_TMP_DH_KEY
+ {"MISSING_EXPORT_TMP_DH_KEY", ERR_LIB_SSL, SSL_R_MISSING_EXPORT_TMP_DH_KEY},
+ #else
+ {"MISSING_EXPORT_TMP_DH_KEY", ERR_LIB_SSL, 166},
+ #endif
+ #ifdef SSL_R_MISSING_EXPORT_TMP_RSA_KEY
+ {"MISSING_EXPORT_TMP_RSA_KEY", ERR_LIB_SSL, SSL_R_MISSING_EXPORT_TMP_RSA_KEY},
+ #else
+ {"MISSING_EXPORT_TMP_RSA_KEY", ERR_LIB_SSL, 167},
+ #endif
+ #ifdef SSL_R_MISSING_RSA_CERTIFICATE
+ {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
+ #else
+ {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, 168},
+ #endif
+ #ifdef SSL_R_MISSING_RSA_ENCRYPTING_CERT
+ {"MISSING_RSA_ENCRYPTING_CERT", ERR_LIB_SSL, SSL_R_MISSING_RSA_ENCRYPTING_CERT},
+ #else
+ {"MISSING_RSA_ENCRYPTING_CERT", ERR_LIB_SSL, 169},
+ #endif
+ #ifdef SSL_R_MISSING_RSA_SIGNING_CERT
+ {"MISSING_RSA_SIGNING_CERT", ERR_LIB_SSL, SSL_R_MISSING_RSA_SIGNING_CERT},
+ #else
+ {"MISSING_RSA_SIGNING_CERT", ERR_LIB_SSL, 170},
+ #endif
+ #ifdef SSL_R_MISSING_TMP_DH_KEY
+ {"MISSING_TMP_DH_KEY", ERR_LIB_SSL, SSL_R_MISSING_TMP_DH_KEY},
+ #else
+ {"MISSING_TMP_DH_KEY", ERR_LIB_SSL, 171},
+ #endif
+ #ifdef SSL_R_MISSING_TMP_ECDH_KEY
+ {"MISSING_TMP_ECDH_KEY", ERR_LIB_SSL, SSL_R_MISSING_TMP_ECDH_KEY},
+ #else
+ {"MISSING_TMP_ECDH_KEY", ERR_LIB_SSL, 311},
+ #endif
+ #ifdef SSL_R_MISSING_TMP_RSA_KEY
+ {"MISSING_TMP_RSA_KEY", ERR_LIB_SSL, SSL_R_MISSING_TMP_RSA_KEY},
+ #else
+ {"MISSING_TMP_RSA_KEY", ERR_LIB_SSL, 172},
+ #endif
+ #ifdef SSL_R_MISSING_TMP_RSA_PKEY
+ {"MISSING_TMP_RSA_PKEY", ERR_LIB_SSL, SSL_R_MISSING_TMP_RSA_PKEY},
+ #else
+ {"MISSING_TMP_RSA_PKEY", ERR_LIB_SSL, 173},
+ #endif
+ #ifdef SSL_R_MISSING_VERIFY_MESSAGE
+ {"MISSING_VERIFY_MESSAGE", ERR_LIB_SSL, SSL_R_MISSING_VERIFY_MESSAGE},
+ #else
+ {"MISSING_VERIFY_MESSAGE", ERR_LIB_SSL, 174},
+ #endif
+ #ifdef SSL_R_NON_SSLV2_INITIAL_PACKET
+ {"NON_SSLV2_INITIAL_PACKET", ERR_LIB_SSL, SSL_R_NON_SSLV2_INITIAL_PACKET},
+ #else
+ {"NON_SSLV2_INITIAL_PACKET", ERR_LIB_SSL, 175},
+ #endif
+ #ifdef SSL_R_NO_CERTIFICATES_RETURNED
+ {"NO_CERTIFICATES_RETURNED", ERR_LIB_SSL, SSL_R_NO_CERTIFICATES_RETURNED},
+ #else
+ {"NO_CERTIFICATES_RETURNED", ERR_LIB_SSL, 176},
+ #endif
+ #ifdef SSL_R_NO_CERTIFICATE_ASSIGNED
+ {"NO_CERTIFICATE_ASSIGNED", ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED},
+ #else
+ {"NO_CERTIFICATE_ASSIGNED", ERR_LIB_SSL, 177},
+ #endif
+ #ifdef SSL_R_NO_CERTIFICATE_RETURNED
+ {"NO_CERTIFICATE_RETURNED", ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_RETURNED},
+ #else
+ {"NO_CERTIFICATE_RETURNED", ERR_LIB_SSL, 178},
+ #endif
+ #ifdef SSL_R_NO_CERTIFICATE_SET
+ {"NO_CERTIFICATE_SET", ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SET},
+ #else
+ {"NO_CERTIFICATE_SET", ERR_LIB_SSL, 179},
+ #endif
+ #ifdef SSL_R_NO_CERTIFICATE_SPECIFIED
+ {"NO_CERTIFICATE_SPECIFIED", ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SPECIFIED},
+ #else
+ {"NO_CERTIFICATE_SPECIFIED", ERR_LIB_SSL, 180},
+ #endif
+ #ifdef SSL_R_NO_CIPHERS_AVAILABLE
+ {"NO_CIPHERS_AVAILABLE", ERR_LIB_SSL, SSL_R_NO_CIPHERS_AVAILABLE},
+ #else
+ {"NO_CIPHERS_AVAILABLE", ERR_LIB_SSL, 181},
+ #endif
+ #ifdef SSL_R_NO_CIPHERS_PASSED
+ {"NO_CIPHERS_PASSED", ERR_LIB_SSL, SSL_R_NO_CIPHERS_PASSED},
+ #else
+ {"NO_CIPHERS_PASSED", ERR_LIB_SSL, 182},
+ #endif
+ #ifdef SSL_R_NO_CIPHERS_SPECIFIED
+ {"NO_CIPHERS_SPECIFIED", ERR_LIB_SSL, SSL_R_NO_CIPHERS_SPECIFIED},
+ #else
+ {"NO_CIPHERS_SPECIFIED", ERR_LIB_SSL, 183},
+ #endif
+ #ifdef SSL_R_NO_CIPHER_LIST
+ {"NO_CIPHER_LIST", ERR_LIB_SSL, SSL_R_NO_CIPHER_LIST},
+ #else
+ {"NO_CIPHER_LIST", ERR_LIB_SSL, 184},
+ #endif
+ #ifdef SSL_R_NO_CIPHER_MATCH
+ {"NO_CIPHER_MATCH", ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH},
+ #else
+ {"NO_CIPHER_MATCH", ERR_LIB_SSL, 185},
+ #endif
+ #ifdef SSL_R_NO_CLIENT_CERT_METHOD
+ {"NO_CLIENT_CERT_METHOD", ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD},
+ #else
+ {"NO_CLIENT_CERT_METHOD", ERR_LIB_SSL, 331},
+ #endif
+ #ifdef SSL_R_NO_CLIENT_CERT_RECEIVED
+ {"NO_CLIENT_CERT_RECEIVED", ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_RECEIVED},
+ #else
+ {"NO_CLIENT_CERT_RECEIVED", ERR_LIB_SSL, 186},
+ #endif
+ #ifdef SSL_R_NO_COMPRESSION_SPECIFIED
+ {"NO_COMPRESSION_SPECIFIED", ERR_LIB_SSL, SSL_R_NO_COMPRESSION_SPECIFIED},
+ #else
+ {"NO_COMPRESSION_SPECIFIED", ERR_LIB_SSL, 187},
+ #endif
+ #ifdef SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER
+ {"NO_GOST_CERTIFICATE_SENT_BY_PEER", ERR_LIB_SSL, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER},
+ #else
+ {"NO_GOST_CERTIFICATE_SENT_BY_PEER", ERR_LIB_SSL, 330},
+ #endif
+ #ifdef SSL_R_NO_METHOD_SPECIFIED
+ {"NO_METHOD_SPECIFIED", ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED},
+ #else
+ {"NO_METHOD_SPECIFIED", ERR_LIB_SSL, 188},
+ #endif
+ #ifdef SSL_R_NO_PRIVATEKEY
+ {"NO_PRIVATEKEY", ERR_LIB_SSL, SSL_R_NO_PRIVATEKEY},
+ #else
+ {"NO_PRIVATEKEY", ERR_LIB_SSL, 189},
+ #endif
+ #ifdef SSL_R_NO_PRIVATE_KEY_ASSIGNED
+ {"NO_PRIVATE_KEY_ASSIGNED", ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED},
+ #else
+ {"NO_PRIVATE_KEY_ASSIGNED", ERR_LIB_SSL, 190},
+ #endif
+ #ifdef SSL_R_NO_PROTOCOLS_AVAILABLE
+ {"NO_PROTOCOLS_AVAILABLE", ERR_LIB_SSL, SSL_R_NO_PROTOCOLS_AVAILABLE},
+ #else
+ {"NO_PROTOCOLS_AVAILABLE", ERR_LIB_SSL, 191},
+ #endif
+ #ifdef SSL_R_NO_PUBLICKEY
+ {"NO_PUBLICKEY", ERR_LIB_SSL, SSL_R_NO_PUBLICKEY},
+ #else
+ {"NO_PUBLICKEY", ERR_LIB_SSL, 192},
+ #endif
+ #ifdef SSL_R_NO_RENEGOTIATION
+ {"NO_RENEGOTIATION", ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION},
+ #else
+ {"NO_RENEGOTIATION", ERR_LIB_SSL, 339},
+ #endif
+ #ifdef SSL_R_NO_REQUIRED_DIGEST
+ {"NO_REQUIRED_DIGEST", ERR_LIB_SSL, SSL_R_NO_REQUIRED_DIGEST},
+ #else
+ {"NO_REQUIRED_DIGEST", ERR_LIB_SSL, 324},
+ #endif
+ #ifdef SSL_R_NO_SHARED_CIPHER
+ {"NO_SHARED_CIPHER", ERR_LIB_SSL, SSL_R_NO_SHARED_CIPHER},
+ #else
+ {"NO_SHARED_CIPHER", ERR_LIB_SSL, 193},
+ #endif
+ #ifdef SSL_R_NO_VERIFY_CALLBACK
+ {"NO_VERIFY_CALLBACK", ERR_LIB_SSL, SSL_R_NO_VERIFY_CALLBACK},
+ #else
+ {"NO_VERIFY_CALLBACK", ERR_LIB_SSL, 194},
+ #endif
+ #ifdef SSL_R_NULL_SSL_CTX
+ {"NULL_SSL_CTX", ERR_LIB_SSL, SSL_R_NULL_SSL_CTX},
+ #else
+ {"NULL_SSL_CTX", ERR_LIB_SSL, 195},
+ #endif
+ #ifdef SSL_R_NULL_SSL_METHOD_PASSED
+ {"NULL_SSL_METHOD_PASSED", ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED},
+ #else
+ {"NULL_SSL_METHOD_PASSED", ERR_LIB_SSL, 196},
+ #endif
+ #ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
+ {"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
+ #else
+ {"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, 197},
+ #endif
+ #ifdef SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED
+ {"OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED},
+ #else
+ {"OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED", ERR_LIB_SSL, 344},
+ #endif
+ #ifdef SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE
+ {"ONLY_TLS_ALLOWED_IN_FIPS_MODE", ERR_LIB_SSL, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE},
+ #else
+ {"ONLY_TLS_ALLOWED_IN_FIPS_MODE", ERR_LIB_SSL, 297},
+ #endif
+ #ifdef SSL_R_OPAQUE_PRF_INPUT_TOO_LONG
+ {"OPAQUE_PRF_INPUT_TOO_LONG", ERR_LIB_SSL, SSL_R_OPAQUE_PRF_INPUT_TOO_LONG},
+ #else
+ {"OPAQUE_PRF_INPUT_TOO_LONG", ERR_LIB_SSL, 327},
+ #endif
+ #ifdef SSL_R_PACKET_LENGTH_TOO_LONG
+ {"PACKET_LENGTH_TOO_LONG", ERR_LIB_SSL, SSL_R_PACKET_LENGTH_TOO_LONG},
+ #else
+ {"PACKET_LENGTH_TOO_LONG", ERR_LIB_SSL, 198},
+ #endif
+ #ifdef SSL_R_PARSE_TLSEXT
+ {"PARSE_TLSEXT", ERR_LIB_SSL, SSL_R_PARSE_TLSEXT},
+ #else
+ {"PARSE_TLSEXT", ERR_LIB_SSL, 227},
+ #endif
+ #ifdef SSL_R_PATH_TOO_LONG
+ {"PATH_TOO_LONG", ERR_LIB_SSL, SSL_R_PATH_TOO_LONG},
+ #else
+ {"PATH_TOO_LONG", ERR_LIB_SSL, 270},
+ #endif
+ #ifdef SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
+ {"PEER_DID_NOT_RETURN_A_CERTIFICATE", ERR_LIB_SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE},
+ #else
+ {"PEER_DID_NOT_RETURN_A_CERTIFICATE", ERR_LIB_SSL, 199},
+ #endif
+ #ifdef SSL_R_PEER_ERROR
+ {"PEER_ERROR", ERR_LIB_SSL, SSL_R_PEER_ERROR},
+ #else
+ {"PEER_ERROR", ERR_LIB_SSL, 200},
+ #endif
+ #ifdef SSL_R_PEER_ERROR_CERTIFICATE
+ {"PEER_ERROR_CERTIFICATE", ERR_LIB_SSL, SSL_R_PEER_ERROR_CERTIFICATE},
+ #else
+ {"PEER_ERROR_CERTIFICATE", ERR_LIB_SSL, 201},
+ #endif
+ #ifdef SSL_R_PEER_ERROR_NO_CERTIFICATE
+ {"PEER_ERROR_NO_CERTIFICATE", ERR_LIB_SSL, SSL_R_PEER_ERROR_NO_CERTIFICATE},
+ #else
+ {"PEER_ERROR_NO_CERTIFICATE", ERR_LIB_SSL, 202},
+ #endif
+ #ifdef SSL_R_PEER_ERROR_NO_CIPHER
+ {"PEER_ERROR_NO_CIPHER", ERR_LIB_SSL, SSL_R_PEER_ERROR_NO_CIPHER},
+ #else
+ {"PEER_ERROR_NO_CIPHER", ERR_LIB_SSL, 203},
+ #endif
+ #ifdef SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
+ {"PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE", ERR_LIB_SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE},
+ #else
+ {"PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE", ERR_LIB_SSL, 204},
+ #endif
+ #ifdef SSL_R_PRE_MAC_LENGTH_TOO_LONG
+ {"PRE_MAC_LENGTH_TOO_LONG", ERR_LIB_SSL, SSL_R_PRE_MAC_LENGTH_TOO_LONG},
+ #else
+ {"PRE_MAC_LENGTH_TOO_LONG", ERR_LIB_SSL, 205},
+ #endif
+ #ifdef SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS
+ {"PROBLEMS_MAPPING_CIPHER_FUNCTIONS", ERR_LIB_SSL, SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS},
+ #else
+ {"PROBLEMS_MAPPING_CIPHER_FUNCTIONS", ERR_LIB_SSL, 206},
+ #endif
+ #ifdef SSL_R_PROTOCOL_IS_SHUTDOWN
+ {"PROTOCOL_IS_SHUTDOWN", ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN},
+ #else
+ {"PROTOCOL_IS_SHUTDOWN", ERR_LIB_SSL, 207},
+ #endif
+ #ifdef SSL_R_PSK_IDENTITY_NOT_FOUND
+ {"PSK_IDENTITY_NOT_FOUND", ERR_LIB_SSL, SSL_R_PSK_IDENTITY_NOT_FOUND},
+ #else
+ {"PSK_IDENTITY_NOT_FOUND", ERR_LIB_SSL, 223},
+ #endif
+ #ifdef SSL_R_PSK_NO_CLIENT_CB
+ {"PSK_NO_CLIENT_CB", ERR_LIB_SSL, SSL_R_PSK_NO_CLIENT_CB},
+ #else
+ {"PSK_NO_CLIENT_CB", ERR_LIB_SSL, 224},
+ #endif
+ #ifdef SSL_R_PSK_NO_SERVER_CB
+ {"PSK_NO_SERVER_CB", ERR_LIB_SSL, SSL_R_PSK_NO_SERVER_CB},
+ #else
+ {"PSK_NO_SERVER_CB", ERR_LIB_SSL, 225},
+ #endif
+ #ifdef SSL_R_PUBLIC_KEY_ENCRYPT_ERROR
+ {"PUBLIC_KEY_ENCRYPT_ERROR", ERR_LIB_SSL, SSL_R_PUBLIC_KEY_ENCRYPT_ERROR},
+ #else
+ {"PUBLIC_KEY_ENCRYPT_ERROR", ERR_LIB_SSL, 208},
+ #endif
+ #ifdef SSL_R_PUBLIC_KEY_IS_NOT_RSA
+ {"PUBLIC_KEY_IS_NOT_RSA", ERR_LIB_SSL, SSL_R_PUBLIC_KEY_IS_NOT_RSA},
+ #else
+ {"PUBLIC_KEY_IS_NOT_RSA", ERR_LIB_SSL, 209},
+ #endif
+ #ifdef SSL_R_PUBLIC_KEY_NOT_RSA
+ {"PUBLIC_KEY_NOT_RSA", ERR_LIB_SSL, SSL_R_PUBLIC_KEY_NOT_RSA},
+ #else
+ {"PUBLIC_KEY_NOT_RSA", ERR_LIB_SSL, 210},
+ #endif
+ #ifdef SSL_R_READ_BIO_NOT_SET
+ {"READ_BIO_NOT_SET", ERR_LIB_SSL, SSL_R_READ_BIO_NOT_SET},
+ #else
+ {"READ_BIO_NOT_SET", ERR_LIB_SSL, 211},
+ #endif
+ #ifdef SSL_R_READ_TIMEOUT_EXPIRED
+ {"READ_TIMEOUT_EXPIRED", ERR_LIB_SSL, SSL_R_READ_TIMEOUT_EXPIRED},
+ #else
+ {"READ_TIMEOUT_EXPIRED", ERR_LIB_SSL, 312},
+ #endif
+ #ifdef SSL_R_READ_WRONG_PACKET_TYPE
+ {"READ_WRONG_PACKET_TYPE", ERR_LIB_SSL, SSL_R_READ_WRONG_PACKET_TYPE},
+ #else
+ {"READ_WRONG_PACKET_TYPE", ERR_LIB_SSL, 212},
+ #endif
+ #ifdef SSL_R_RECORD_LENGTH_MISMATCH
+ {"RECORD_LENGTH_MISMATCH", ERR_LIB_SSL, SSL_R_RECORD_LENGTH_MISMATCH},
+ #else
+ {"RECORD_LENGTH_MISMATCH", ERR_LIB_SSL, 213},
+ #endif
+ #ifdef SSL_R_RECORD_TOO_LARGE
+ {"RECORD_TOO_LARGE", ERR_LIB_SSL, SSL_R_RECORD_TOO_LARGE},
+ #else
+ {"RECORD_TOO_LARGE", ERR_LIB_SSL, 214},
+ #endif
+ #ifdef SSL_R_RECORD_TOO_SMALL
+ {"RECORD_TOO_SMALL", ERR_LIB_SSL, SSL_R_RECORD_TOO_SMALL},
+ #else
+ {"RECORD_TOO_SMALL", ERR_LIB_SSL, 298},
+ #endif
+ #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
+ {"RENEGOTIATE_EXT_TOO_LONG", ERR_LIB_SSL, SSL_R_RENEGOTIATE_EXT_TOO_LONG},
+ #else
+ {"RENEGOTIATE_EXT_TOO_LONG", ERR_LIB_SSL, 335},
+ #endif
+ #ifdef SSL_R_RENEGOTIATION_ENCODING_ERR
+ {"RENEGOTIATION_ENCODING_ERR", ERR_LIB_SSL, SSL_R_RENEGOTIATION_ENCODING_ERR},
+ #else
+ {"RENEGOTIATION_ENCODING_ERR", ERR_LIB_SSL, 336},
+ #endif
+ #ifdef SSL_R_RENEGOTIATION_MISMATCH
+ {"RENEGOTIATION_MISMATCH", ERR_LIB_SSL, SSL_R_RENEGOTIATION_MISMATCH},
+ #else
+ {"RENEGOTIATION_MISMATCH", ERR_LIB_SSL, 337},
+ #endif
+ #ifdef SSL_R_REQUIRED_CIPHER_MISSING
+ {"REQUIRED_CIPHER_MISSING", ERR_LIB_SSL, SSL_R_REQUIRED_CIPHER_MISSING},
+ #else
+ {"REQUIRED_CIPHER_MISSING", ERR_LIB_SSL, 215},
+ #endif
+ #ifdef SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING
+ {"REQUIRED_COMPRESSSION_ALGORITHM_MISSING", ERR_LIB_SSL, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING},
+ #else
+ {"REQUIRED_COMPRESSSION_ALGORITHM_MISSING", ERR_LIB_SSL, 342},
+ #endif
+ #ifdef SSL_R_REUSE_CERT_LENGTH_NOT_ZERO
+ {"REUSE_CERT_LENGTH_NOT_ZERO", ERR_LIB_SSL, SSL_R_REUSE_CERT_LENGTH_NOT_ZERO},
+ #else
+ {"REUSE_CERT_LENGTH_NOT_ZERO", ERR_LIB_SSL, 216},
+ #endif
+ #ifdef SSL_R_REUSE_CERT_TYPE_NOT_ZERO
+ {"REUSE_CERT_TYPE_NOT_ZERO", ERR_LIB_SSL, SSL_R_REUSE_CERT_TYPE_NOT_ZERO},
+ #else
+ {"REUSE_CERT_TYPE_NOT_ZERO", ERR_LIB_SSL, 217},
+ #endif
+ #ifdef SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
+ {"REUSE_CIPHER_LIST_NOT_ZERO", ERR_LIB_SSL, SSL_R_REUSE_CIPHER_LIST_NOT_ZERO},
+ #else
+ {"REUSE_CIPHER_LIST_NOT_ZERO", ERR_LIB_SSL, 218},
+ #endif
+ #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
+ {"SCSV_RECEIVED_WHEN_RENEGOTIATING", ERR_LIB_SSL, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING},
+ #else
+ {"SCSV_RECEIVED_WHEN_RENEGOTIATING", ERR_LIB_SSL, 345},
+ #endif
+ #ifdef SSL_R_SERVERHELLO_TLSEXT
+ {"SERVERHELLO_TLSEXT", ERR_LIB_SSL, SSL_R_SERVERHELLO_TLSEXT},
+ #else
+ {"SERVERHELLO_TLSEXT", ERR_LIB_SSL, 275},
+ #endif
+ #ifdef SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED
+ {"SESSION_ID_CONTEXT_UNINITIALIZED", ERR_LIB_SSL, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED},
+ #else
+ {"SESSION_ID_CONTEXT_UNINITIALIZED", ERR_LIB_SSL, 277},
+ #endif
+ #ifdef SSL_R_SHORT_READ
+ {"SHORT_READ", ERR_LIB_SSL, SSL_R_SHORT_READ},
+ #else
+ {"SHORT_READ", ERR_LIB_SSL, 219},
+ #endif
+ #ifdef SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE
+ {"SIGNATURE_FOR_NON_SIGNING_CERTIFICATE", ERR_LIB_SSL, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE},
+ #else
+ {"SIGNATURE_FOR_NON_SIGNING_CERTIFICATE", ERR_LIB_SSL, 220},
+ #endif
+ #ifdef SSL_R_SSL23_DOING_SESSION_ID_REUSE
+ {"SSL23_DOING_SESSION_ID_REUSE", ERR_LIB_SSL, SSL_R_SSL23_DOING_SESSION_ID_REUSE},
+ #else
+ {"SSL23_DOING_SESSION_ID_REUSE", ERR_LIB_SSL, 221},
+ #endif
+ #ifdef SSL_R_SSL2_CONNECTION_ID_TOO_LONG
+ {"SSL2_CONNECTION_ID_TOO_LONG", ERR_LIB_SSL, SSL_R_SSL2_CONNECTION_ID_TOO_LONG},
+ #else
+ {"SSL2_CONNECTION_ID_TOO_LONG", ERR_LIB_SSL, 299},
+ #endif
+ #ifdef SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT
+ {"SSL3_EXT_INVALID_ECPOINTFORMAT", ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT},
+ #else
+ {"SSL3_EXT_INVALID_ECPOINTFORMAT", ERR_LIB_SSL, 321},
+ #endif
+ #ifdef SSL_R_SSL3_EXT_INVALID_SERVERNAME
+ {"SSL3_EXT_INVALID_SERVERNAME", ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME},
+ #else
+ {"SSL3_EXT_INVALID_SERVERNAME", ERR_LIB_SSL, 319},
+ #endif
+ #ifdef SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE
+ {"SSL3_EXT_INVALID_SERVERNAME_TYPE", ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE},
+ #else
+ {"SSL3_EXT_INVALID_SERVERNAME_TYPE", ERR_LIB_SSL, 320},
+ #endif
+ #ifdef SSL_R_SSL3_SESSION_ID_TOO_LONG
+ {"SSL3_SESSION_ID_TOO_LONG", ERR_LIB_SSL, SSL_R_SSL3_SESSION_ID_TOO_LONG},
+ #else
+ {"SSL3_SESSION_ID_TOO_LONG", ERR_LIB_SSL, 300},
+ #endif
+ #ifdef SSL_R_SSL3_SESSION_ID_TOO_SHORT
+ {"SSL3_SESSION_ID_TOO_SHORT", ERR_LIB_SSL, SSL_R_SSL3_SESSION_ID_TOO_SHORT},
+ #else
+ {"SSL3_SESSION_ID_TOO_SHORT", ERR_LIB_SSL, 222},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
+ {"SSLV3_ALERT_BAD_CERTIFICATE", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE},
+ #else
+ {"SSLV3_ALERT_BAD_CERTIFICATE", ERR_LIB_SSL, 1042},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_BAD_RECORD_MAC
+ {"SSLV3_ALERT_BAD_RECORD_MAC", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC},
+ #else
+ {"SSLV3_ALERT_BAD_RECORD_MAC", ERR_LIB_SSL, 1020},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
+ {"SSLV3_ALERT_CERTIFICATE_EXPIRED", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED},
+ #else
+ {"SSLV3_ALERT_CERTIFICATE_EXPIRED", ERR_LIB_SSL, 1045},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED
+ {"SSLV3_ALERT_CERTIFICATE_REVOKED", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED},
+ #else
+ {"SSLV3_ALERT_CERTIFICATE_REVOKED", ERR_LIB_SSL, 1044},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
+ {"SSLV3_ALERT_CERTIFICATE_UNKNOWN", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN},
+ #else
+ {"SSLV3_ALERT_CERTIFICATE_UNKNOWN", ERR_LIB_SSL, 1046},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE
+ {"SSLV3_ALERT_DECOMPRESSION_FAILURE", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE},
+ #else
+ {"SSLV3_ALERT_DECOMPRESSION_FAILURE", ERR_LIB_SSL, 1030},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE
+ {"SSLV3_ALERT_HANDSHAKE_FAILURE", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE},
+ #else
+ {"SSLV3_ALERT_HANDSHAKE_FAILURE", ERR_LIB_SSL, 1040},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER
+ {"SSLV3_ALERT_ILLEGAL_PARAMETER", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER},
+ #else
+ {"SSLV3_ALERT_ILLEGAL_PARAMETER", ERR_LIB_SSL, 1047},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_NO_CERTIFICATE
+ {"SSLV3_ALERT_NO_CERTIFICATE", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_NO_CERTIFICATE},
+ #else
+ {"SSLV3_ALERT_NO_CERTIFICATE", ERR_LIB_SSL, 1041},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
+ {"SSLV3_ALERT_UNEXPECTED_MESSAGE", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE},
+ #else
+ {"SSLV3_ALERT_UNEXPECTED_MESSAGE", ERR_LIB_SSL, 1010},
+ #endif
+ #ifdef SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE
+ {"SSLV3_ALERT_UNSUPPORTED_CERTIFICATE", ERR_LIB_SSL, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE},
+ #else
+ {"SSLV3_ALERT_UNSUPPORTED_CERTIFICATE", ERR_LIB_SSL, 1043},
+ #endif
+ #ifdef SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION
+ {"SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION", ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION},
+ #else
+ {"SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION", ERR_LIB_SSL, 228},
+ #endif
+ #ifdef SSL_R_SSL_HANDSHAKE_FAILURE
+ {"SSL_HANDSHAKE_FAILURE", ERR_LIB_SSL, SSL_R_SSL_HANDSHAKE_FAILURE},
+ #else
+ {"SSL_HANDSHAKE_FAILURE", ERR_LIB_SSL, 229},
+ #endif
+ #ifdef SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS
+ {"SSL_LIBRARY_HAS_NO_CIPHERS", ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS},
+ #else
+ {"SSL_LIBRARY_HAS_NO_CIPHERS", ERR_LIB_SSL, 230},
+ #endif
+ #ifdef SSL_R_SSL_SESSION_ID_CALLBACK_FAILED
+ {"SSL_SESSION_ID_CALLBACK_FAILED", ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED},
+ #else
+ {"SSL_SESSION_ID_CALLBACK_FAILED", ERR_LIB_SSL, 301},
+ #endif
+ #ifdef SSL_R_SSL_SESSION_ID_CONFLICT
+ {"SSL_SESSION_ID_CONFLICT", ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONFLICT},
+ #else
+ {"SSL_SESSION_ID_CONFLICT", ERR_LIB_SSL, 302},
+ #endif
+ #ifdef SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG
+ {"SSL_SESSION_ID_CONTEXT_TOO_LONG", ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG},
+ #else
+ {"SSL_SESSION_ID_CONTEXT_TOO_LONG", ERR_LIB_SSL, 273},
+ #endif
+ #ifdef SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH
+ {"SSL_SESSION_ID_HAS_BAD_LENGTH", ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH},
+ #else
+ {"SSL_SESSION_ID_HAS_BAD_LENGTH", ERR_LIB_SSL, 303},
+ #endif
+ #ifdef SSL_R_SSL_SESSION_ID_IS_DIFFERENT
+ {"SSL_SESSION_ID_IS_DIFFERENT", ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_IS_DIFFERENT},
+ #else
+ {"SSL_SESSION_ID_IS_DIFFERENT", ERR_LIB_SSL, 231},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_ACCESS_DENIED
+ {"TLSV1_ALERT_ACCESS_DENIED", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_ACCESS_DENIED},
+ #else
+ {"TLSV1_ALERT_ACCESS_DENIED", ERR_LIB_SSL, 1049},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_DECODE_ERROR
+ {"TLSV1_ALERT_DECODE_ERROR", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_DECODE_ERROR},
+ #else
+ {"TLSV1_ALERT_DECODE_ERROR", ERR_LIB_SSL, 1050},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_DECRYPTION_FAILED
+ {"TLSV1_ALERT_DECRYPTION_FAILED", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_DECRYPTION_FAILED},
+ #else
+ {"TLSV1_ALERT_DECRYPTION_FAILED", ERR_LIB_SSL, 1021},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_DECRYPT_ERROR
+ {"TLSV1_ALERT_DECRYPT_ERROR", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_DECRYPT_ERROR},
+ #else
+ {"TLSV1_ALERT_DECRYPT_ERROR", ERR_LIB_SSL, 1051},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION
+ {"TLSV1_ALERT_EXPORT_RESTRICTION", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION},
+ #else
+ {"TLSV1_ALERT_EXPORT_RESTRICTION", ERR_LIB_SSL, 1060},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY
+ {"TLSV1_ALERT_INSUFFICIENT_SECURITY", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY},
+ #else
+ {"TLSV1_ALERT_INSUFFICIENT_SECURITY", ERR_LIB_SSL, 1071},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_INTERNAL_ERROR
+ {"TLSV1_ALERT_INTERNAL_ERROR", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_INTERNAL_ERROR},
+ #else
+ {"TLSV1_ALERT_INTERNAL_ERROR", ERR_LIB_SSL, 1080},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_NO_RENEGOTIATION
+ {"TLSV1_ALERT_NO_RENEGOTIATION", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_NO_RENEGOTIATION},
+ #else
+ {"TLSV1_ALERT_NO_RENEGOTIATION", ERR_LIB_SSL, 1100},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_PROTOCOL_VERSION
+ {"TLSV1_ALERT_PROTOCOL_VERSION", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_PROTOCOL_VERSION},
+ #else
+ {"TLSV1_ALERT_PROTOCOL_VERSION", ERR_LIB_SSL, 1070},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_RECORD_OVERFLOW
+ {"TLSV1_ALERT_RECORD_OVERFLOW", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_RECORD_OVERFLOW},
+ #else
+ {"TLSV1_ALERT_RECORD_OVERFLOW", ERR_LIB_SSL, 1022},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
+ {"TLSV1_ALERT_UNKNOWN_CA", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_UNKNOWN_CA},
+ #else
+ {"TLSV1_ALERT_UNKNOWN_CA", ERR_LIB_SSL, 1048},
+ #endif
+ #ifdef SSL_R_TLSV1_ALERT_USER_CANCELLED
+ {"TLSV1_ALERT_USER_CANCELLED", ERR_LIB_SSL, SSL_R_TLSV1_ALERT_USER_CANCELLED},
+ #else
+ {"TLSV1_ALERT_USER_CANCELLED", ERR_LIB_SSL, 1090},
+ #endif
+ #ifdef SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE
+ {"TLSV1_BAD_CERTIFICATE_HASH_VALUE", ERR_LIB_SSL, SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE},
+ #else
+ {"TLSV1_BAD_CERTIFICATE_HASH_VALUE", ERR_LIB_SSL, 1114},
+ #endif
+ #ifdef SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE
+ {"TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE", ERR_LIB_SSL, SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE},
+ #else
+ {"TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE", ERR_LIB_SSL, 1113},
+ #endif
+ #ifdef SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE
+ {"TLSV1_CERTIFICATE_UNOBTAINABLE", ERR_LIB_SSL, SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE},
+ #else
+ {"TLSV1_CERTIFICATE_UNOBTAINABLE", ERR_LIB_SSL, 1111},
+ #endif
+ #ifdef SSL_R_TLSV1_UNRECOGNIZED_NAME
+ {"TLSV1_UNRECOGNIZED_NAME", ERR_LIB_SSL, SSL_R_TLSV1_UNRECOGNIZED_NAME},
+ #else
+ {"TLSV1_UNRECOGNIZED_NAME", ERR_LIB_SSL, 1112},
+ #endif
+ #ifdef SSL_R_TLSV1_UNSUPPORTED_EXTENSION
+ {"TLSV1_UNSUPPORTED_EXTENSION", ERR_LIB_SSL, SSL_R_TLSV1_UNSUPPORTED_EXTENSION},
+ #else
+ {"TLSV1_UNSUPPORTED_EXTENSION", ERR_LIB_SSL, 1110},
+ #endif
+ #ifdef SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER
+ {"TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER", ERR_LIB_SSL, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER},
+ #else
+ {"TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER", ERR_LIB_SSL, 232},
+ #endif
+ #ifdef SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST
+ {"TLS_INVALID_ECPOINTFORMAT_LIST", ERR_LIB_SSL, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST},
+ #else
+ {"TLS_INVALID_ECPOINTFORMAT_LIST", ERR_LIB_SSL, 157},
+ #endif
+ #ifdef SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
+ {"TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST", ERR_LIB_SSL, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST},
+ #else
+ {"TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST", ERR_LIB_SSL, 233},
+ #endif
+ #ifdef SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
+ {"TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG", ERR_LIB_SSL, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG},
+ #else
+ {"TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG", ERR_LIB_SSL, 234},
+ #endif
+ #ifdef SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER
+ {"TRIED_TO_USE_UNSUPPORTED_CIPHER", ERR_LIB_SSL, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER},
+ #else
+ {"TRIED_TO_USE_UNSUPPORTED_CIPHER", ERR_LIB_SSL, 235},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_DECODE_DH_CERTS
+ {"UNABLE_TO_DECODE_DH_CERTS", ERR_LIB_SSL, SSL_R_UNABLE_TO_DECODE_DH_CERTS},
+ #else
+ {"UNABLE_TO_DECODE_DH_CERTS", ERR_LIB_SSL, 236},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_DECODE_ECDH_CERTS
+ {"UNABLE_TO_DECODE_ECDH_CERTS", ERR_LIB_SSL, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS},
+ #else
+ {"UNABLE_TO_DECODE_ECDH_CERTS", ERR_LIB_SSL, 313},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY
+ {"UNABLE_TO_EXTRACT_PUBLIC_KEY", ERR_LIB_SSL, SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY},
+ #else
+ {"UNABLE_TO_EXTRACT_PUBLIC_KEY", ERR_LIB_SSL, 237},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_FIND_DH_PARAMETERS
+ {"UNABLE_TO_FIND_DH_PARAMETERS", ERR_LIB_SSL, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS},
+ #else
+ {"UNABLE_TO_FIND_DH_PARAMETERS", ERR_LIB_SSL, 238},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS
+ {"UNABLE_TO_FIND_ECDH_PARAMETERS", ERR_LIB_SSL, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS},
+ #else
+ {"UNABLE_TO_FIND_ECDH_PARAMETERS", ERR_LIB_SSL, 314},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS
+ {"UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS", ERR_LIB_SSL, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS},
+ #else
+ {"UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS", ERR_LIB_SSL, 239},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_FIND_SSL_METHOD
+ {"UNABLE_TO_FIND_SSL_METHOD", ERR_LIB_SSL, SSL_R_UNABLE_TO_FIND_SSL_METHOD},
+ #else
+ {"UNABLE_TO_FIND_SSL_METHOD", ERR_LIB_SSL, 240},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES
+ {"UNABLE_TO_LOAD_SSL2_MD5_ROUTINES", ERR_LIB_SSL, SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES},
+ #else
+ {"UNABLE_TO_LOAD_SSL2_MD5_ROUTINES", ERR_LIB_SSL, 241},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES
+ {"UNABLE_TO_LOAD_SSL3_MD5_ROUTINES", ERR_LIB_SSL, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES},
+ #else
+ {"UNABLE_TO_LOAD_SSL3_MD5_ROUTINES", ERR_LIB_SSL, 242},
+ #endif
+ #ifdef SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES
+ {"UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES", ERR_LIB_SSL, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES},
+ #else
+ {"UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES", ERR_LIB_SSL, 243},
+ #endif
+ #ifdef SSL_R_UNEXPECTED_MESSAGE
+ {"UNEXPECTED_MESSAGE", ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE},
+ #else
+ {"UNEXPECTED_MESSAGE", ERR_LIB_SSL, 244},
+ #endif
+ #ifdef SSL_R_UNEXPECTED_RECORD
+ {"UNEXPECTED_RECORD", ERR_LIB_SSL, SSL_R_UNEXPECTED_RECORD},
+ #else
+ {"UNEXPECTED_RECORD", ERR_LIB_SSL, 245},
+ #endif
+ #ifdef SSL_R_UNINITIALIZED
+ {"UNINITIALIZED", ERR_LIB_SSL, SSL_R_UNINITIALIZED},
+ #else
+ {"UNINITIALIZED", ERR_LIB_SSL, 276},
+ #endif
+ #ifdef SSL_R_UNKNOWN_ALERT_TYPE
+ {"UNKNOWN_ALERT_TYPE", ERR_LIB_SSL, SSL_R_UNKNOWN_ALERT_TYPE},
+ #else
+ {"UNKNOWN_ALERT_TYPE", ERR_LIB_SSL, 246},
+ #endif
+ #ifdef SSL_R_UNKNOWN_CERTIFICATE_TYPE
+ {"UNKNOWN_CERTIFICATE_TYPE", ERR_LIB_SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE},
+ #else
+ {"UNKNOWN_CERTIFICATE_TYPE", ERR_LIB_SSL, 247},
+ #endif
+ #ifdef SSL_R_UNKNOWN_CIPHER_RETURNED
+ {"UNKNOWN_CIPHER_RETURNED", ERR_LIB_SSL, SSL_R_UNKNOWN_CIPHER_RETURNED},
+ #else
+ {"UNKNOWN_CIPHER_RETURNED", ERR_LIB_SSL, 248},
+ #endif
+ #ifdef SSL_R_UNKNOWN_CIPHER_TYPE
+ {"UNKNOWN_CIPHER_TYPE", ERR_LIB_SSL, SSL_R_UNKNOWN_CIPHER_TYPE},
+ #else
+ {"UNKNOWN_CIPHER_TYPE", ERR_LIB_SSL, 249},
+ #endif
+ #ifdef SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE
+ {"UNKNOWN_KEY_EXCHANGE_TYPE", ERR_LIB_SSL, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE},
+ #else
+ {"UNKNOWN_KEY_EXCHANGE_TYPE", ERR_LIB_SSL, 250},
+ #endif
+ #ifdef SSL_R_UNKNOWN_PKEY_TYPE
+ {"UNKNOWN_PKEY_TYPE", ERR_LIB_SSL, SSL_R_UNKNOWN_PKEY_TYPE},
+ #else
+ {"UNKNOWN_PKEY_TYPE", ERR_LIB_SSL, 251},
+ #endif
+ #ifdef SSL_R_UNKNOWN_PROTOCOL
+ {"UNKNOWN_PROTOCOL", ERR_LIB_SSL, SSL_R_UNKNOWN_PROTOCOL},
+ #else
+ {"UNKNOWN_PROTOCOL", ERR_LIB_SSL, 252},
+ #endif
+ #ifdef SSL_R_UNKNOWN_REMOTE_ERROR_TYPE
+ {"UNKNOWN_REMOTE_ERROR_TYPE", ERR_LIB_SSL, SSL_R_UNKNOWN_REMOTE_ERROR_TYPE},
+ #else
+ {"UNKNOWN_REMOTE_ERROR_TYPE", ERR_LIB_SSL, 253},
+ #endif
+ #ifdef SSL_R_UNKNOWN_SSL_VERSION
+ {"UNKNOWN_SSL_VERSION", ERR_LIB_SSL, SSL_R_UNKNOWN_SSL_VERSION},
+ #else
+ {"UNKNOWN_SSL_VERSION", ERR_LIB_SSL, 254},
+ #endif
+ #ifdef SSL_R_UNKNOWN_STATE
+ {"UNKNOWN_STATE", ERR_LIB_SSL, SSL_R_UNKNOWN_STATE},
+ #else
+ {"UNKNOWN_STATE", ERR_LIB_SSL, 255},
+ #endif
+ #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
+ {"UNSAFE_LEGACY_RENEGOTIATION_DISABLED", ERR_LIB_SSL, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED},
+ #else
+ {"UNSAFE_LEGACY_RENEGOTIATION_DISABLED", ERR_LIB_SSL, 338},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_CIPHER
+ {"UNSUPPORTED_CIPHER", ERR_LIB_SSL, SSL_R_UNSUPPORTED_CIPHER},
+ #else
+ {"UNSUPPORTED_CIPHER", ERR_LIB_SSL, 256},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
+ {"UNSUPPORTED_COMPRESSION_ALGORITHM", ERR_LIB_SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM},
+ #else
+ {"UNSUPPORTED_COMPRESSION_ALGORITHM", ERR_LIB_SSL, 257},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_DIGEST_TYPE
+ {"UNSUPPORTED_DIGEST_TYPE", ERR_LIB_SSL, SSL_R_UNSUPPORTED_DIGEST_TYPE},
+ #else
+ {"UNSUPPORTED_DIGEST_TYPE", ERR_LIB_SSL, 326},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_ELLIPTIC_CURVE
+ {"UNSUPPORTED_ELLIPTIC_CURVE", ERR_LIB_SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE},
+ #else
+ {"UNSUPPORTED_ELLIPTIC_CURVE", ERR_LIB_SSL, 315},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_PROTOCOL
+ {"UNSUPPORTED_PROTOCOL", ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL},
+ #else
+ {"UNSUPPORTED_PROTOCOL", ERR_LIB_SSL, 258},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_SSL_VERSION
+ {"UNSUPPORTED_SSL_VERSION", ERR_LIB_SSL, SSL_R_UNSUPPORTED_SSL_VERSION},
+ #else
+ {"UNSUPPORTED_SSL_VERSION", ERR_LIB_SSL, 259},
+ #endif
+ #ifdef SSL_R_UNSUPPORTED_STATUS_TYPE
+ {"UNSUPPORTED_STATUS_TYPE", ERR_LIB_SSL, SSL_R_UNSUPPORTED_STATUS_TYPE},
+ #else
+ {"UNSUPPORTED_STATUS_TYPE", ERR_LIB_SSL, 329},
+ #endif
+ #ifdef SSL_R_WRITE_BIO_NOT_SET
+ {"WRITE_BIO_NOT_SET", ERR_LIB_SSL, SSL_R_WRITE_BIO_NOT_SET},
+ #else
+ {"WRITE_BIO_NOT_SET", ERR_LIB_SSL, 260},
+ #endif
+ #ifdef SSL_R_WRONG_CIPHER_RETURNED
+ {"WRONG_CIPHER_RETURNED", ERR_LIB_SSL, SSL_R_WRONG_CIPHER_RETURNED},
+ #else
+ {"WRONG_CIPHER_RETURNED", ERR_LIB_SSL, 261},
+ #endif
+ #ifdef SSL_R_WRONG_MESSAGE_TYPE
+ {"WRONG_MESSAGE_TYPE", ERR_LIB_SSL, SSL_R_WRONG_MESSAGE_TYPE},
+ #else
+ {"WRONG_MESSAGE_TYPE", ERR_LIB_SSL, 262},
+ #endif
+ #ifdef SSL_R_WRONG_NUMBER_OF_KEY_BITS
+ {"WRONG_NUMBER_OF_KEY_BITS", ERR_LIB_SSL, SSL_R_WRONG_NUMBER_OF_KEY_BITS},
+ #else
+ {"WRONG_NUMBER_OF_KEY_BITS", ERR_LIB_SSL, 263},
+ #endif
+ #ifdef SSL_R_WRONG_SIGNATURE_LENGTH
+ {"WRONG_SIGNATURE_LENGTH", ERR_LIB_SSL, SSL_R_WRONG_SIGNATURE_LENGTH},
+ #else
+ {"WRONG_SIGNATURE_LENGTH", ERR_LIB_SSL, 264},
+ #endif
+ #ifdef SSL_R_WRONG_SIGNATURE_SIZE
+ {"WRONG_SIGNATURE_SIZE", ERR_LIB_SSL, SSL_R_WRONG_SIGNATURE_SIZE},
+ #else
+ {"WRONG_SIGNATURE_SIZE", ERR_LIB_SSL, 265},
+ #endif
+ #ifdef SSL_R_WRONG_SSL_VERSION
+ {"WRONG_SSL_VERSION", ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION},
+ #else
+ {"WRONG_SSL_VERSION", ERR_LIB_SSL, 266},
+ #endif
+ #ifdef SSL_R_WRONG_VERSION_NUMBER
+ {"WRONG_VERSION_NUMBER", ERR_LIB_SSL, SSL_R_WRONG_VERSION_NUMBER},
+ #else
+ {"WRONG_VERSION_NUMBER", ERR_LIB_SSL, 267},
+ #endif
+ #ifdef SSL_R_X509_LIB
+ {"X509_LIB", ERR_LIB_SSL, SSL_R_X509_LIB},
+ #else
+ {"X509_LIB", ERR_LIB_SSL, 268},
+ #endif
+ #ifdef SSL_R_X509_VERIFICATION_SETUP_PROBLEMS
+ {"X509_VERIFICATION_SETUP_PROBLEMS", ERR_LIB_SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS},
+ #else
+ {"X509_VERIFICATION_SETUP_PROBLEMS", ERR_LIB_SSL, 269},
+ #endif
+ #ifdef X509_R_BAD_X509_FILETYPE
+ {"BAD_X509_FILETYPE", ERR_LIB_X509, X509_R_BAD_X509_FILETYPE},
+ #else
+ {"BAD_X509_FILETYPE", ERR_LIB_X509, 100},
+ #endif
+ #ifdef X509_R_BASE64_DECODE_ERROR
+ {"BASE64_DECODE_ERROR", ERR_LIB_X509, X509_R_BASE64_DECODE_ERROR},
+ #else
+ {"BASE64_DECODE_ERROR", ERR_LIB_X509, 118},
+ #endif
+ #ifdef X509_R_CANT_CHECK_DH_KEY
+ {"CANT_CHECK_DH_KEY", ERR_LIB_X509, X509_R_CANT_CHECK_DH_KEY},
+ #else
+ {"CANT_CHECK_DH_KEY", ERR_LIB_X509, 114},
+ #endif
+ #ifdef X509_R_CERT_ALREADY_IN_HASH_TABLE
+ {"CERT_ALREADY_IN_HASH_TABLE", ERR_LIB_X509, X509_R_CERT_ALREADY_IN_HASH_TABLE},
+ #else
+ {"CERT_ALREADY_IN_HASH_TABLE", ERR_LIB_X509, 101},
+ #endif
+ #ifdef X509_R_ERR_ASN1_LIB
+ {"ERR_ASN1_LIB", ERR_LIB_X509, X509_R_ERR_ASN1_LIB},
+ #else
+ {"ERR_ASN1_LIB", ERR_LIB_X509, 102},
+ #endif
+ #ifdef X509_R_INVALID_DIRECTORY
+ {"INVALID_DIRECTORY", ERR_LIB_X509, X509_R_INVALID_DIRECTORY},
+ #else
+ {"INVALID_DIRECTORY", ERR_LIB_X509, 113},
+ #endif
+ #ifdef X509_R_INVALID_FIELD_NAME
+ {"INVALID_FIELD_NAME", ERR_LIB_X509, X509_R_INVALID_FIELD_NAME},
+ #else
+ {"INVALID_FIELD_NAME", ERR_LIB_X509, 119},
+ #endif
+ #ifdef X509_R_INVALID_TRUST
+ {"INVALID_TRUST", ERR_LIB_X509, X509_R_INVALID_TRUST},
+ #else
+ {"INVALID_TRUST", ERR_LIB_X509, 123},
+ #endif
+ #ifdef X509_R_KEY_TYPE_MISMATCH
+ {"KEY_TYPE_MISMATCH", ERR_LIB_X509, X509_R_KEY_TYPE_MISMATCH},
+ #else
+ {"KEY_TYPE_MISMATCH", ERR_LIB_X509, 115},
+ #endif
+ #ifdef X509_R_KEY_VALUES_MISMATCH
+ {"KEY_VALUES_MISMATCH", ERR_LIB_X509, X509_R_KEY_VALUES_MISMATCH},
+ #else
+ {"KEY_VALUES_MISMATCH", ERR_LIB_X509, 116},
+ #endif
+ #ifdef X509_R_LOADING_CERT_DIR
+ {"LOADING_CERT_DIR", ERR_LIB_X509, X509_R_LOADING_CERT_DIR},
+ #else
+ {"LOADING_CERT_DIR", ERR_LIB_X509, 103},
+ #endif
+ #ifdef X509_R_LOADING_DEFAULTS
+ {"LOADING_DEFAULTS", ERR_LIB_X509, X509_R_LOADING_DEFAULTS},
+ #else
+ {"LOADING_DEFAULTS", ERR_LIB_X509, 104},
+ #endif
+ #ifdef X509_R_METHOD_NOT_SUPPORTED
+ {"METHOD_NOT_SUPPORTED", ERR_LIB_X509, X509_R_METHOD_NOT_SUPPORTED},
+ #else
+ {"METHOD_NOT_SUPPORTED", ERR_LIB_X509, 124},
+ #endif
+ #ifdef X509_R_NO_CERT_SET_FOR_US_TO_VERIFY
+ {"NO_CERT_SET_FOR_US_TO_VERIFY", ERR_LIB_X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY},
+ #else
+ {"NO_CERT_SET_FOR_US_TO_VERIFY", ERR_LIB_X509, 105},
+ #endif
+ #ifdef X509_R_PUBLIC_KEY_DECODE_ERROR
+ {"PUBLIC_KEY_DECODE_ERROR", ERR_LIB_X509, X509_R_PUBLIC_KEY_DECODE_ERROR},
+ #else
+ {"PUBLIC_KEY_DECODE_ERROR", ERR_LIB_X509, 125},
+ #endif
+ #ifdef X509_R_PUBLIC_KEY_ENCODE_ERROR
+ {"PUBLIC_KEY_ENCODE_ERROR", ERR_LIB_X509, X509_R_PUBLIC_KEY_ENCODE_ERROR},
+ #else
+ {"PUBLIC_KEY_ENCODE_ERROR", ERR_LIB_X509, 126},
+ #endif
+ #ifdef X509_R_SHOULD_RETRY
+ {"SHOULD_RETRY", ERR_LIB_X509, X509_R_SHOULD_RETRY},
+ #else
+ {"SHOULD_RETRY", ERR_LIB_X509, 106},
+ #endif
+ #ifdef X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN
+ {"UNABLE_TO_FIND_PARAMETERS_IN_CHAIN", ERR_LIB_X509, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN},
+ #else
+ {"UNABLE_TO_FIND_PARAMETERS_IN_CHAIN", ERR_LIB_X509, 107},
+ #endif
+ #ifdef X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY
+ {"UNABLE_TO_GET_CERTS_PUBLIC_KEY", ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY},
+ #else
+ {"UNABLE_TO_GET_CERTS_PUBLIC_KEY", ERR_LIB_X509, 108},
+ #endif
+ #ifdef X509_R_UNKNOWN_KEY_TYPE
+ {"UNKNOWN_KEY_TYPE", ERR_LIB_X509, X509_R_UNKNOWN_KEY_TYPE},
+ #else
+ {"UNKNOWN_KEY_TYPE", ERR_LIB_X509, 117},
+ #endif
+ #ifdef X509_R_UNKNOWN_NID
+ {"UNKNOWN_NID", ERR_LIB_X509, X509_R_UNKNOWN_NID},
+ #else
+ {"UNKNOWN_NID", ERR_LIB_X509, 109},
+ #endif
+ #ifdef X509_R_UNKNOWN_PURPOSE_ID
+ {"UNKNOWN_PURPOSE_ID", ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID},
+ #else
+ {"UNKNOWN_PURPOSE_ID", ERR_LIB_X509, 121},
+ #endif
+ #ifdef X509_R_UNKNOWN_TRUST_ID
+ {"UNKNOWN_TRUST_ID", ERR_LIB_X509, X509_R_UNKNOWN_TRUST_ID},
+ #else
+ {"UNKNOWN_TRUST_ID", ERR_LIB_X509, 120},
+ #endif
+ #ifdef X509_R_UNSUPPORTED_ALGORITHM
+ {"UNSUPPORTED_ALGORITHM", ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM},
+ #else
+ {"UNSUPPORTED_ALGORITHM", ERR_LIB_X509, 111},
+ #endif
+ #ifdef X509_R_WRONG_LOOKUP_TYPE
+ {"WRONG_LOOKUP_TYPE", ERR_LIB_X509, X509_R_WRONG_LOOKUP_TYPE},
+ #else
+ {"WRONG_LOOKUP_TYPE", ERR_LIB_X509, 112},
+ #endif
+ #ifdef X509_R_WRONG_TYPE
+ {"WRONG_TYPE", ERR_LIB_X509, X509_R_WRONG_TYPE},
+ #else
+ {"WRONG_TYPE", ERR_LIB_X509, 122},
+ #endif
+ { NULL }
+};