Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / 2303b1c19abd79c94da327d630cbac6f4e83a05c / . / Modules / _ssl.c
blob: 5fcf84ca2e9e97d505ae8d8d81a5f18451ced715 [file] [log] [blame]
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1/* SSL socket module
2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4
5 This module is imported by socket.py. It should *not* be used
6 directly.
7
8*/
9
10#include "Python.h"
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]11enum py_ssl_error {
12 /* these mirror ssl.h */
13 PY_SSL_ERROR_NONE,
14 PY_SSL_ERROR_SSL,
15 PY_SSL_ERROR_WANT_READ,
16 PY_SSL_ERROR_WANT_WRITE,
17 PY_SSL_ERROR_WANT_X509_LOOKUP,
18 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
19 PY_SSL_ERROR_ZERO_RETURN,
20 PY_SSL_ERROR_WANT_CONNECT,
21 /* start of non ssl.h errorcodes */
22 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
23 PY_SSL_ERROR_INVALID_ERROR_CODE
24};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]25
26/* Include symbols from _socket module */
27#include "socketmodule.h"
28
29/* Include OpenSSL header files */
30#include "openssl/rsa.h"
31#include "openssl/crypto.h"
32#include "openssl/x509.h"
33#include "openssl/pem.h"
34#include "openssl/ssl.h"
35#include "openssl/err.h"
36#include "openssl/rand.h"
37
38/* SSL error object */
39static PyObject *PySSLErrorObject;
40
41/* SSL socket object */
42
43#define X509_NAME_MAXLEN 256
44
45/* RAND_* APIs got added to OpenSSL in 0.9.5 */
46#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
47# define HAVE_OPENSSL_RAND 1
48#else
49# undef HAVE_OPENSSL_RAND
50#endif
51
52typedef struct {
53 PyObject_HEAD
54 PySocketSockObject *Socket; /* Socket on which we're layered */
55 SSL_CTX* ctx;
56 SSL* ssl;
57 X509* server_cert;
58 BIO* sbio;
59 char server[X509_NAME_MAXLEN];
60 char issuer[X509_NAME_MAXLEN];
61
62} PySSLObject;
63
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]64static PyTypeObject PySSL_Type;
65static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
66static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
Neal Norwitz529baf22003-02-02 17:08:33 +0000[diff] [blame]67static int wait_for_timeout(PySocketSockObject *s, int writing);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]68
69#define PySSLObject_Check(v) ((v)->ob_type == &PySSL_Type)
70
71/* XXX It might be helpful to augment the error message generated
72 below with the name of the SSL function that generated the error.
73 I expect it's obvious most of the time.
74*/
75
76static PyObject *
77PySSL_SetError(PySSLObject *obj, int ret)
78{
79 PyObject *v, *n, *s;
80 char *errstr;
81 int err;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]82 enum py_ssl_error p;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]83
84 assert(ret <= 0);
85
86 err = SSL_get_error(obj->ssl, ret);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]87
88 switch (err) {
89 case SSL_ERROR_ZERO_RETURN:
90 errstr = "TLS/SSL connection has been closed";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]91 p = PY_SSL_ERROR_ZERO_RETURN;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]92 break;
93 case SSL_ERROR_WANT_READ:
94 errstr = "The operation did not complete (read)";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]95 p = PY_SSL_ERROR_WANT_READ;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]96 break;
97 case SSL_ERROR_WANT_WRITE:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]98 p = PY_SSL_ERROR_WANT_WRITE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]99 errstr = "The operation did not complete (write)";
100 break;
101 case SSL_ERROR_WANT_X509_LOOKUP:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]102 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]103 errstr = "The operation did not complete (X509 lookup)";
104 break;
105 case SSL_ERROR_WANT_CONNECT:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]106 p = PY_SSL_ERROR_WANT_CONNECT;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]107 errstr = "The operation did not complete (connect)";
108 break;
109 case SSL_ERROR_SYSCALL:
110 {
111 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]112 if (e == 0) {
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]113 if (ret == 0 || !obj->Socket) {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]114 p = PY_SSL_ERROR_EOF;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]115 errstr = "EOF occurred in violation of protocol";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]116 } else if (ret == -1) {
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]117 /* the underlying BIO reported an I/O error */
118 return obj->Socket->errorhandler();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]119 } else { /* possible? */
120 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]121 errstr = "Some I/O error occurred";
122 }
123 } else {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]124 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]125 /* XXX Protected by global interpreter lock */
126 errstr = ERR_error_string(e, NULL);
127 }
128 break;
129 }
130 case SSL_ERROR_SSL:
131 {
132 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]133 p = PY_SSL_ERROR_SSL;
134 if (e != 0)
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]135 /* XXX Protected by global interpreter lock */
136 errstr = ERR_error_string(e, NULL);
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]137 else { /* possible? */
138 errstr = "A failure in the SSL library occurred";
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]139 }
140 break;
141 }
142 default:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]143 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]144 errstr = "Invalid error code";
145 }
146 n = PyInt_FromLong((long) p);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]147 if (n == NULL)
148 return NULL;
149 v = PyTuple_New(2);
150 if (v == NULL) {
151 Py_DECREF(n);
152 return NULL;
153 }
154
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]155 s = PyString_FromString(errstr);
156 if (s == NULL) {
157 Py_DECREF(v);
158 Py_DECREF(n);
159 }
160 PyTuple_SET_ITEM(v, 0, n);
161 PyTuple_SET_ITEM(v, 1, s);
162 PyErr_SetObject(PySSLErrorObject, v);
163 return NULL;
164}
165
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]166static PySSLObject *
167newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file)
168{
169 PySSLObject *self;
170 char *errstr = NULL;
171 int ret;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]172 int err;
173 int timedout;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]174
175 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
176 if (self == NULL){
177 errstr = "newPySSLObject error";
178 goto fail;
179 }
180 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
181 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
182 self->server_cert = NULL;
183 self->ssl = NULL;
184 self->ctx = NULL;
185 self->Socket = NULL;
186
187 if ((key_file && !cert_file) || (!key_file && cert_file)) {
188 errstr = "Both the key & certificate files must be specified";
189 goto fail;
190 }
191
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]192 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]193 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]194 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]195 if (self->ctx == NULL) {
196 errstr = "SSL_CTX_new error";
197 goto fail;
198 }
199
200 if (key_file) {
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]201 Py_BEGIN_ALLOW_THREADS
202 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
203 SSL_FILETYPE_PEM);
204 Py_END_ALLOW_THREADS
205 if (ret < 1) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]206 errstr = "SSL_CTX_use_PrivateKey_file error";
207 goto fail;
208 }
209
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]210 Py_BEGIN_ALLOW_THREADS
211 ret = SSL_CTX_use_certificate_chain_file(self->ctx,
212 cert_file);
213 Py_END_ALLOW_THREADS
214 if (ret < 1) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]215 errstr = "SSL_CTX_use_certificate_chain_file error";
216 goto fail;
217 }
218 }
219
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]220 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]221 SSL_CTX_set_verify(self->ctx,
222 SSL_VERIFY_NONE, NULL); /* set verify lvl */
223 self->ssl = SSL_new(self->ctx); /* New ssl struct */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]224 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]225 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]226
Walter Dörwaldf0dfc7a2003-10-20 14:01:56 +0000[diff] [blame]227 /* If the socket is in non-blocking mode or timeout mode, set the BIO
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]228 * to non-blocking mode (blocking is the default)
229 */
230 if (Sock->sock_timeout >= 0.0) {
231 /* Set both the read and write BIO's to non-blocking mode */
232 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
233 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
234 }
235
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]236 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]237 SSL_set_connect_state(self->ssl);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]238 Py_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]239
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]240 /* Actually negotiate SSL connection */
241 /* XXX If SSL_connect() returns 0, it's also a failure. */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]242 timedout = 0;
243 do {
244 Py_BEGIN_ALLOW_THREADS
245 ret = SSL_connect(self->ssl);
246 err = SSL_get_error(self->ssl, ret);
247 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]248 if(PyErr_CheckSignals()) {
249 goto fail;
250 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]251 if (err == SSL_ERROR_WANT_READ) {
252 timedout = wait_for_timeout(Sock, 0);
253 } else if (err == SSL_ERROR_WANT_WRITE) {
254 timedout = wait_for_timeout(Sock, 1);
255 }
256 if (timedout) {
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]257 errstr = "The connect operation timed out";
258 goto fail;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]259 }
260 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]261 if (ret <= 0) {
262 PySSL_SetError(self, ret);
263 goto fail;
264 }
265 self->ssl->debug = 1;
266
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]267 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]268 if ((self->server_cert = SSL_get_peer_certificate(self->ssl))) {
269 X509_NAME_oneline(X509_get_subject_name(self->server_cert),
270 self->server, X509_NAME_MAXLEN);
271 X509_NAME_oneline(X509_get_issuer_name(self->server_cert),
272 self->issuer, X509_NAME_MAXLEN);
273 }
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]274 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]275 self->Socket = Sock;
276 Py_INCREF(self->Socket);
277 return self;
278 fail:
279 if (errstr)
280 PyErr_SetString(PySSLErrorObject, errstr);
281 Py_DECREF(self);
282 return NULL;
283}
284
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]285static PyObject *
286PySocket_ssl(PyObject *self, PyObject *args)
287{
288 PySSLObject *rv;
289 PySocketSockObject *Sock;
290 char *key_file = NULL;
291 char *cert_file = NULL;
292
293 if (!PyArg_ParseTuple(args, "O!|zz:ssl",
294 PySocketModule.Sock_Type,
295 (PyObject*)&Sock,
296 &key_file, &cert_file))
297 return NULL;
298
299 rv = newPySSLObject(Sock, key_file, cert_file);
300 if (rv == NULL)
301 return NULL;
302 return (PyObject *)rv;
303}
304
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]305PyDoc_STRVAR(ssl_doc,
306"ssl(socket, [keyfile, certfile]) -> sslobject");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]307
308/* SSL object methods */
309
310static PyObject *
311PySSL_server(PySSLObject *self)
312{
313 return PyString_FromString(self->server);
314}
315
316static PyObject *
317PySSL_issuer(PySSLObject *self)
318{
319 return PyString_FromString(self->issuer);
320}
321
322
323static void PySSL_dealloc(PySSLObject *self)
324{
325 if (self->server_cert) /* Possible not to have one? */
326 X509_free (self->server_cert);
327 if (self->ssl)
328 SSL_free(self->ssl);
329 if (self->ctx)
330 SSL_CTX_free(self->ctx);
331 Py_XDECREF(self->Socket);
332 PyObject_Del(self);
333}
334
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]335/* If the socket has a timeout, do a select() on the socket.
336 The argument writing indicates the direction.
337 Return non-zero if the socket timed out, zero otherwise.
338 */
339static int
340wait_for_timeout(PySocketSockObject *s, int writing)
341{
342 fd_set fds;
343 struct timeval tv;
344 int rc;
345
346 /* Nothing to do unless we're in timeout mode (not non-blocking) */
347 if (s->sock_timeout <= 0.0)
348 return 0;
349
350 /* Guard against closed socket */
351 if (s->sock_fd < 0)
352 return 0;
353
354 /* Construct the arguments to select */
355 tv.tv_sec = (int)s->sock_timeout;
356 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
357 FD_ZERO(&fds);
358 FD_SET(s->sock_fd, &fds);
359
360 /* See if the socket is ready */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]361 Py_BEGIN_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]362 if (writing)
363 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
364 else
365 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]366 Py_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]367
368 /* Return 1 on timeout, 0 otherwise */
369 return rc == 0;
370}
371
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]372static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
373{
374 char *data;
375 int len;
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]376 int count;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]377 int timedout;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]378 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]379
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]380 if (!PyArg_ParseTuple(args, "s#:write", &data, &count))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]381 return NULL;
382
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]383 timedout = wait_for_timeout(self->Socket, 1);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]384 if (timedout) {
385 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
386 return NULL;
387 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]388 do {
389 err = 0;
390 Py_BEGIN_ALLOW_THREADS
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]391 len = SSL_write(self->ssl, data, count);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]392 err = SSL_get_error(self->ssl, len);
393 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]394 if(PyErr_CheckSignals()) {
395 return NULL;
396 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]397 if (err == SSL_ERROR_WANT_READ) {
398 timedout = wait_for_timeout(self->Socket, 0);
399 } else if (err == SSL_ERROR_WANT_WRITE) {
400 timedout = wait_for_timeout(self->Socket, 1);
401 }
402 if (timedout) {
403 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
404 return NULL;
405 }
406 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]407 if (len > 0)
408 return PyInt_FromLong(len);
409 else
410 return PySSL_SetError(self, len);
411}
412
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]413PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]414"write(s) -> len\n\
415\n\
416Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]417of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]418
419static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
420{
421 PyObject *buf;
422 int count = 0;
423 int len = 1024;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]424 int timedout;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]425 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]426
427 if (!PyArg_ParseTuple(args, "|i:read", &len))
428 return NULL;
429
430 if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
431 return NULL;
432
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]433 timedout = wait_for_timeout(self->Socket, 0);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]434 if (timedout) {
435 PyErr_SetString(PySSLErrorObject, "The read operation timed out");
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]436 Py_DECREF(buf);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]437 return NULL;
438 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]439 do {
440 err = 0;
441 Py_BEGIN_ALLOW_THREADS
442 count = SSL_read(self->ssl, PyString_AsString(buf), len);
443 err = SSL_get_error(self->ssl, count);
444 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]445 if(PyErr_CheckSignals()) {
446 Py_DECREF(buf);
447 return NULL;
448 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]449 if (err == SSL_ERROR_WANT_READ) {
450 timedout = wait_for_timeout(self->Socket, 0);
451 } else if (err == SSL_ERROR_WANT_WRITE) {
452 timedout = wait_for_timeout(self->Socket, 1);
453 }
454 if (timedout) {
455 PyErr_SetString(PySSLErrorObject, "The read operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]456 Py_DECREF(buf);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]457 return NULL;
458 }
459 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]460 if (count <= 0) {
461 Py_DECREF(buf);
462 return PySSL_SetError(self, count);
463 }
Tim Peters5de98422002-04-27 18:44:32 +0000[diff] [blame]464 if (count != len)
465 _PyString_Resize(&buf, count);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]466 return buf;
467}
468
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]469PyDoc_STRVAR(PySSL_SSLread_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]470"read([len]) -> string\n\
471\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]472Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]473
474static PyMethodDef PySSLMethods[] = {
475 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
476 PySSL_SSLwrite_doc},
477 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
478 PySSL_SSLread_doc},
479 {"server", (PyCFunction)PySSL_server, METH_NOARGS},
480 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
481 {NULL, NULL}
482};
483
484static PyObject *PySSL_getattr(PySSLObject *self, char *name)
485{
486 return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
487}
488
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]489static PyTypeObject PySSL_Type = {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]490 PyObject_HEAD_INIT(NULL)
491 0, /*ob_size*/
492 "socket.SSL", /*tp_name*/
493 sizeof(PySSLObject), /*tp_basicsize*/
494 0, /*tp_itemsize*/
495 /* methods */
496 (destructor)PySSL_dealloc, /*tp_dealloc*/
497 0, /*tp_print*/
498 (getattrfunc)PySSL_getattr, /*tp_getattr*/
499 0, /*tp_setattr*/
500 0, /*tp_compare*/
501 0, /*tp_repr*/
502 0, /*tp_as_number*/
503 0, /*tp_as_sequence*/
504 0, /*tp_as_mapping*/
505 0, /*tp_hash*/
506};
507
508#ifdef HAVE_OPENSSL_RAND
509
510/* helper routines for seeding the SSL PRNG */
511static PyObject *
512PySSL_RAND_add(PyObject *self, PyObject *args)
513{
514 char *buf;
515 int len;
516 double entropy;
517
518 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
519 return NULL;
520 RAND_add(buf, len, entropy);
521 Py_INCREF(Py_None);
522 return Py_None;
523}
524
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]525PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]526"RAND_add(string, entropy)\n\
527\n\
528Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]529bound on the entropy contained in string.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]530
531static PyObject *
532PySSL_RAND_status(PyObject *self)
533{
534 return PyInt_FromLong(RAND_status());
535}
536
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]537PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]538"RAND_status() -> 0 or 1\n\
539\n\
540Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
541It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]542using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]543
544static PyObject *
545PySSL_RAND_egd(PyObject *self, PyObject *arg)
546{
547 int bytes;
548
549 if (!PyString_Check(arg))
550 return PyErr_Format(PyExc_TypeError,
551 "RAND_egd() expected string, found %s",
552 arg->ob_type->tp_name);
553 bytes = RAND_egd(PyString_AS_STRING(arg));
554 if (bytes == -1) {
555 PyErr_SetString(PySSLErrorObject,
556 "EGD connection failed or EGD did not return "
557 "enough data to seed the PRNG");
558 return NULL;
559 }
560 return PyInt_FromLong(bytes);
561}
562
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]563PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]564"RAND_egd(path) -> bytes\n\
565\n\
566Queries the entropy gather daemon (EGD) on socket path. Returns number\n\
567of bytes read. Raises socket.sslerror if connection to EGD fails or\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]568if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]569
570#endif
571
572/* List of functions exported by this module. */
573
574static PyMethodDef PySSL_methods[] = {
575 {"ssl", PySocket_ssl,
576 METH_VARARGS, ssl_doc},
577#ifdef HAVE_OPENSSL_RAND
578 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
579 PySSL_RAND_add_doc},
580 {"RAND_egd", PySSL_RAND_egd, METH_O,
581 PySSL_RAND_egd_doc},
582 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
583 PySSL_RAND_status_doc},
584#endif
585 {NULL, NULL} /* Sentinel */
586};
587
588
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]589PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]590"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]591for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]592
Mark Hammondfe51c6d2002-08-02 02:27:13 +0000[diff] [blame]593PyMODINIT_FUNC
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]594init_ssl(void)
595{
596 PyObject *m, *d;
597
598 PySSL_Type.ob_type = &PyType_Type;
599
600 m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
601 d = PyModule_GetDict(m);
602
603 /* Load _socket module and its C API */
604 if (PySocketModule_ImportModuleAndAPI())
605 return;
606
607 /* Init OpenSSL */
608 SSL_load_error_strings();
609 SSLeay_add_ssl_algorithms();
610
611 /* Add symbols to module dict */
612 PySSLErrorObject = PyErr_NewException("socket.sslerror", NULL, NULL);
613 if (PySSLErrorObject == NULL)
614 return;
615 PyDict_SetItemString(d, "sslerror", PySSLErrorObject);
616 if (PyDict_SetItemString(d, "SSLType",
617 (PyObject *)&PySSL_Type) != 0)
618 return;
619 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]620 PY_SSL_ERROR_ZERO_RETURN);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]621 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]622 PY_SSL_ERROR_WANT_READ);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]623 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]624 PY_SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]625 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]626 PY_SSL_ERROR_WANT_X509_LOOKUP);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]627 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]628 PY_SSL_ERROR_SYSCALL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]629 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]630 PY_SSL_ERROR_SSL);
631 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
632 PY_SSL_ERROR_WANT_CONNECT);
633 /* non ssl.h errorcodes */
634 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
635 PY_SSL_ERROR_EOF);
636 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
637 PY_SSL_ERROR_INVALID_ERROR_CODE);
638
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]639}