blob: eef658843e67731226ce77fa7525ba78548c4461 [file] [log] [blame]
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001/* SSL socket module
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00002
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
Bill Janssen98d19da2007-09-10 21:51:02 +00004 Re-worked a bit by Bill Janssen to add server-side support and
Bill Janssen934b16d2008-06-28 22:19:33 +00005 certificate decoding. Chris Stawarz contributed some non-blocking
6 patches.
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00007
Bill Janssen98d19da2007-09-10 21:51:02 +00008 This module is imported by ssl.py. It should *not* be used
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00009 directly.
10
Bill Janssen98d19da2007-09-10 21:51:02 +000011 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
Antoine Pitroua5c4b552010-04-22 23:33:02 +000012
13 XXX integrate several "shutdown modes" as suggested in
14 http://bugs.python.org/issue8108#msg102867 ?
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000015*/
16
17#include "Python.h"
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000018
Bill Janssen98d19da2007-09-10 21:51:02 +000019#ifdef WITH_THREAD
20#include "pythread.h"
21#define PySSL_BEGIN_ALLOW_THREADS { \
Neal Norwitze9057ff2008-01-27 17:10:35 +000022 PyThreadState *_save = NULL; \
Bill Janssen98d19da2007-09-10 21:51:02 +000023 if (_ssl_locks_count>0) {_save = PyEval_SaveThread();}
24#define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)};
25#define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()};
26#define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \
27 }
28
29#else /* no WITH_THREAD */
30
31#define PySSL_BEGIN_ALLOW_THREADS
32#define PySSL_BLOCK_THREADS
33#define PySSL_UNBLOCK_THREADS
34#define PySSL_END_ALLOW_THREADS
35
36#endif
37
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +000038enum py_ssl_error {
39 /* these mirror ssl.h */
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000040 PY_SSL_ERROR_NONE,
41 PY_SSL_ERROR_SSL,
42 PY_SSL_ERROR_WANT_READ,
43 PY_SSL_ERROR_WANT_WRITE,
44 PY_SSL_ERROR_WANT_X509_LOOKUP,
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +000045 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000046 PY_SSL_ERROR_ZERO_RETURN,
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +000047 PY_SSL_ERROR_WANT_CONNECT,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000048 /* start of non ssl.h errorcodes */
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +000049 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
50 PY_SSL_ERROR_INVALID_ERROR_CODE
51};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000052
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000053enum py_ssl_server_or_client {
54 PY_SSL_CLIENT,
55 PY_SSL_SERVER
56};
57
58enum py_ssl_cert_requirements {
59 PY_SSL_CERT_NONE,
60 PY_SSL_CERT_OPTIONAL,
61 PY_SSL_CERT_REQUIRED
62};
63
64enum py_ssl_version {
65 PY_SSL_VERSION_SSL2,
66 PY_SSL_VERSION_SSL3,
67 PY_SSL_VERSION_SSL23,
Antoine Pitrou1dc6b082010-04-27 19:09:59 +000068 PY_SSL_VERSION_TLS1
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000069};
70
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000071/* Include symbols from _socket module */
72#include "socketmodule.h"
73
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +000074#if defined(HAVE_POLL_H)
Anthony Baxter93ab5fa2006-07-11 02:04:09 +000075#include <poll.h>
76#elif defined(HAVE_SYS_POLL_H)
77#include <sys/poll.h>
78#endif
79
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000080/* Include OpenSSL header files */
81#include "openssl/rsa.h"
82#include "openssl/crypto.h"
83#include "openssl/x509.h"
Bill Janssen98d19da2007-09-10 21:51:02 +000084#include "openssl/x509v3.h"
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000085#include "openssl/pem.h"
86#include "openssl/ssl.h"
87#include "openssl/err.h"
88#include "openssl/rand.h"
89
90/* SSL error object */
91static PyObject *PySSLErrorObject;
92
Bill Janssen98d19da2007-09-10 21:51:02 +000093#ifdef WITH_THREAD
94
95/* serves as a flag to see whether we've initialized the SSL thread support. */
96/* 0 means no, greater than 0 means yes */
97
98static unsigned int _ssl_locks_count = 0;
99
100#endif /* def WITH_THREAD */
101
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000102/* SSL socket object */
103
104#define X509_NAME_MAXLEN 256
105
106/* RAND_* APIs got added to OpenSSL in 0.9.5 */
107#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
108# define HAVE_OPENSSL_RAND 1
109#else
110# undef HAVE_OPENSSL_RAND
111#endif
112
113typedef struct {
114 PyObject_HEAD
115 PySocketSockObject *Socket; /* Socket on which we're layered */
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000116 SSL_CTX* ctx;
117 SSL* ssl;
118 X509* peer_cert;
119 char server[X509_NAME_MAXLEN];
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000120 char issuer[X509_NAME_MAXLEN];
Antoine Pitroua5c4b552010-04-22 23:33:02 +0000121 int shutdown_seen_zero;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000122
123} PySSLObject;
124
Jeremy Hylton938ace62002-07-17 16:30:39 +0000125static PyTypeObject PySSL_Type;
126static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
127static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000128static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000129 int writing);
Bill Janssen98d19da2007-09-10 21:51:02 +0000130static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args);
131static PyObject *PySSL_cipher(PySSLObject *self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000132
Christian Heimese93237d2007-12-19 02:37:44 +0000133#define PySSLObject_Check(v) (Py_TYPE(v) == &PySSL_Type)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000134
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000135typedef enum {
136 SOCKET_IS_NONBLOCKING,
137 SOCKET_IS_BLOCKING,
138 SOCKET_HAS_TIMED_OUT,
139 SOCKET_HAS_BEEN_CLOSED,
Neal Norwitz389cea82006-02-13 00:35:21 +0000140 SOCKET_TOO_LARGE_FOR_SELECT,
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000141 SOCKET_OPERATION_OK
142} timeout_state;
143
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000144/* Wrap error strings with filename and line # */
145#define STRINGIFY1(x) #x
146#define STRINGIFY2(x) STRINGIFY1(x)
147#define ERRSTR1(x,y,z) (x ":" y ": " z)
148#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
149
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000150/* XXX It might be helpful to augment the error message generated
151 below with the name of the SSL function that generated the error.
152 I expect it's obvious most of the time.
153*/
154
155static PyObject *
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000156PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000157{
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000158 PyObject *v;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000159 char buf[2048];
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000160 char *errstr;
161 int err;
Guido van Rossum780b80d2007-08-27 18:42:23 +0000162 enum py_ssl_error p = PY_SSL_ERROR_NONE;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000163
164 assert(ret <= 0);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000165
Bill Janssen98d19da2007-09-10 21:51:02 +0000166 if (obj->ssl != NULL) {
Guido van Rossum780b80d2007-08-27 18:42:23 +0000167 err = SSL_get_error(obj->ssl, ret);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000168
Guido van Rossum780b80d2007-08-27 18:42:23 +0000169 switch (err) {
170 case SSL_ERROR_ZERO_RETURN:
171 errstr = "TLS/SSL connection has been closed";
172 p = PY_SSL_ERROR_ZERO_RETURN;
173 break;
174 case SSL_ERROR_WANT_READ:
175 errstr = "The operation did not complete (read)";
176 p = PY_SSL_ERROR_WANT_READ;
177 break;
178 case SSL_ERROR_WANT_WRITE:
179 p = PY_SSL_ERROR_WANT_WRITE;
180 errstr = "The operation did not complete (write)";
181 break;
182 case SSL_ERROR_WANT_X509_LOOKUP:
183 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
184 errstr =
185 "The operation did not complete (X509 lookup)";
186 break;
187 case SSL_ERROR_WANT_CONNECT:
188 p = PY_SSL_ERROR_WANT_CONNECT;
189 errstr = "The operation did not complete (connect)";
190 break;
191 case SSL_ERROR_SYSCALL:
192 {
193 unsigned long e = ERR_get_error();
194 if (e == 0) {
195 if (ret == 0 || !obj->Socket) {
196 p = PY_SSL_ERROR_EOF;
197 errstr =
198 "EOF occurred in violation of protocol";
199 } else if (ret == -1) {
200 /* underlying BIO reported an I/O error */
201 return obj->Socket->errorhandler();
202 } else { /* possible? */
203 p = PY_SSL_ERROR_SYSCALL;
204 errstr = "Some I/O error occurred";
205 }
206 } else {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000207 p = PY_SSL_ERROR_SYSCALL;
Guido van Rossum780b80d2007-08-27 18:42:23 +0000208 /* XXX Protected by global interpreter lock */
209 errstr = ERR_error_string(e, NULL);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000210 }
Guido van Rossum780b80d2007-08-27 18:42:23 +0000211 break;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000212 }
Guido van Rossum780b80d2007-08-27 18:42:23 +0000213 case SSL_ERROR_SSL:
214 {
215 unsigned long e = ERR_get_error();
216 p = PY_SSL_ERROR_SSL;
217 if (e != 0)
218 /* XXX Protected by global interpreter lock */
219 errstr = ERR_error_string(e, NULL);
220 else { /* possible? */
221 errstr =
222 "A failure in the SSL library occurred";
223 }
224 break;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000225 }
Guido van Rossum780b80d2007-08-27 18:42:23 +0000226 default:
227 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
228 errstr = "Invalid error code";
229 }
230 } else {
231 errstr = ERR_error_string(ERR_peek_last_error(), NULL);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000232 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000233 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
234 v = Py_BuildValue("(is)", p, buf);
235 if (v != NULL) {
236 PyErr_SetObject(PySSLErrorObject, v);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000237 Py_DECREF(v);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000238 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000239 return NULL;
240}
241
Bill Janssen98d19da2007-09-10 21:51:02 +0000242static PyObject *
243_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
244
245 char buf[2048];
246 PyObject *v;
247
248 if (errstr == NULL) {
249 errcode = ERR_peek_last_error();
250 errstr = ERR_error_string(errcode, NULL);
251 }
252 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
253 v = Py_BuildValue("(is)", errcode, buf);
254 if (v != NULL) {
255 PyErr_SetObject(PySSLErrorObject, v);
256 Py_DECREF(v);
257 }
258 return NULL;
259}
260
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000261static PySSLObject *
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000262newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
263 enum py_ssl_server_or_client socket_type,
264 enum py_ssl_cert_requirements certreq,
265 enum py_ssl_version proto_version,
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000266 char *cacerts_file, char *ciphers)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000267{
268 PySSLObject *self;
269 char *errstr = NULL;
270 int ret;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000271 int verification_mode;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000272
273 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
Neal Norwitz38e3b7d2006-05-11 07:51:59 +0000274 if (self == NULL)
Neal Norwitzc6a989a2006-05-10 06:57:58 +0000275 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000276 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
277 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000278 self->peer_cert = NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000279 self->ssl = NULL;
280 self->ctx = NULL;
281 self->Socket = NULL;
282
Bill Janssen98d19da2007-09-10 21:51:02 +0000283 /* Make sure the SSL error state is initialized */
284 (void) ERR_get_state();
285 ERR_clear_error();
286
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000287 if ((key_file && !cert_file) || (!key_file && cert_file)) {
Guido van Rossum780b80d2007-08-27 18:42:23 +0000288 errstr = ERRSTR("Both the key & certificate files "
289 "must be specified");
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000290 goto fail;
291 }
292
293 if ((socket_type == PY_SSL_SERVER) &&
294 ((key_file == NULL) || (cert_file == NULL))) {
Guido van Rossum780b80d2007-08-27 18:42:23 +0000295 errstr = ERRSTR("Both the key & certificate files "
296 "must be specified for server-side operation");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000297 goto fail;
298 }
299
Bill Janssen98d19da2007-09-10 21:51:02 +0000300 PySSL_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000301 if (proto_version == PY_SSL_VERSION_TLS1)
302 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
303 else if (proto_version == PY_SSL_VERSION_SSL3)
304 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
305 else if (proto_version == PY_SSL_VERSION_SSL2)
306 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
Bill Janssen98d19da2007-09-10 21:51:02 +0000307 else if (proto_version == PY_SSL_VERSION_SSL23)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000308 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
Bill Janssen98d19da2007-09-10 21:51:02 +0000309 PySSL_END_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000310
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000311 if (self->ctx == NULL) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000312 errstr = ERRSTR("Invalid SSL protocol variant specified.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000313 goto fail;
314 }
315
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000316 if (ciphers != NULL) {
317 ret = SSL_CTX_set_cipher_list(self->ctx, ciphers);
318 if (ret == 0) {
319 errstr = ERRSTR("No cipher can be selected.");
320 goto fail;
321 }
322 }
323
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000324 if (certreq != PY_SSL_CERT_NONE) {
325 if (cacerts_file == NULL) {
Guido van Rossum780b80d2007-08-27 18:42:23 +0000326 errstr = ERRSTR("No root certificates specified for "
327 "verification of other-side certificates.");
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000328 goto fail;
329 } else {
Bill Janssen98d19da2007-09-10 21:51:02 +0000330 PySSL_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000331 ret = SSL_CTX_load_verify_locations(self->ctx,
Guido van Rossum780b80d2007-08-27 18:42:23 +0000332 cacerts_file,
333 NULL);
Bill Janssen98d19da2007-09-10 21:51:02 +0000334 PySSL_END_ALLOW_THREADS
Guido van Rossum780b80d2007-08-27 18:42:23 +0000335 if (ret != 1) {
Bill Janssen98d19da2007-09-10 21:51:02 +0000336 _setSSLError(NULL, 0, __FILE__, __LINE__);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000337 goto fail;
338 }
339 }
340 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000341 if (key_file) {
Bill Janssen98d19da2007-09-10 21:51:02 +0000342 PySSL_BEGIN_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000343 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000344 SSL_FILETYPE_PEM);
Bill Janssen98d19da2007-09-10 21:51:02 +0000345 PySSL_END_ALLOW_THREADS
Guido van Rossum780b80d2007-08-27 18:42:23 +0000346 if (ret != 1) {
Bill Janssen98d19da2007-09-10 21:51:02 +0000347 _setSSLError(NULL, ret, __FILE__, __LINE__);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000348 goto fail;
349 }
350
Bill Janssen98d19da2007-09-10 21:51:02 +0000351 PySSL_BEGIN_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000352 ret = SSL_CTX_use_certificate_chain_file(self->ctx,
Bill Janssen98d19da2007-09-10 21:51:02 +0000353 cert_file);
354 PySSL_END_ALLOW_THREADS
Guido van Rossum780b80d2007-08-27 18:42:23 +0000355 if (ret != 1) {
Bill Janssen98d19da2007-09-10 21:51:02 +0000356 /*
357 fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
358 ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
359 */
360 if (ERR_peek_last_error() != 0) {
361 _setSSLError(NULL, ret, __FILE__, __LINE__);
362 goto fail;
363 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000364 }
365 }
366
Bill Janssen98d19da2007-09-10 21:51:02 +0000367 /* ssl compatibility */
368 SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
369
Neal Norwitz049da9e2007-08-25 16:41:36 +0000370 verification_mode = SSL_VERIFY_NONE;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000371 if (certreq == PY_SSL_CERT_OPTIONAL)
372 verification_mode = SSL_VERIFY_PEER;
373 else if (certreq == PY_SSL_CERT_REQUIRED)
374 verification_mode = (SSL_VERIFY_PEER |
375 SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
376 SSL_CTX_set_verify(self->ctx, verification_mode,
377 NULL); /* set verify lvl */
378
Bill Janssen98d19da2007-09-10 21:51:02 +0000379 PySSL_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000380 self->ssl = SSL_new(self->ctx); /* New ssl struct */
Bill Janssen98d19da2007-09-10 21:51:02 +0000381 PySSL_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000382 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
Antoine Pitrou92719c52010-04-09 20:38:39 +0000383#ifdef SSL_MODE_AUTO_RETRY
Antoine Pitroueee91cd2010-03-26 19:27:16 +0000384 SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY);
Antoine Pitrou92719c52010-04-09 20:38:39 +0000385#endif
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000386
Walter Dörwaldf0dfc7a2003-10-20 14:01:56 +0000387 /* If the socket is in non-blocking mode or timeout mode, set the BIO
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000388 * to non-blocking mode (blocking is the default)
389 */
390 if (Sock->sock_timeout >= 0.0) {
391 /* Set both the read and write BIO's to non-blocking mode */
392 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
393 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
394 }
395
Bill Janssen98d19da2007-09-10 21:51:02 +0000396 PySSL_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000397 if (socket_type == PY_SSL_CLIENT)
398 SSL_set_connect_state(self->ssl);
399 else
400 SSL_set_accept_state(self->ssl);
Bill Janssen98d19da2007-09-10 21:51:02 +0000401 PySSL_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000402
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000403 self->Socket = Sock;
404 Py_INCREF(self->Socket);
405 return self;
406 fail:
407 if (errstr)
408 PyErr_SetString(PySSLErrorObject, errstr);
409 Py_DECREF(self);
410 return NULL;
411}
412
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000413static PyObject *
Guido van Rossum780b80d2007-08-27 18:42:23 +0000414PySSL_sslwrap(PyObject *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000415{
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000416 PySocketSockObject *Sock;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000417 int server_side = 0;
418 int verification_mode = PY_SSL_CERT_NONE;
419 int protocol = PY_SSL_VERSION_SSL23;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000420 char *key_file = NULL;
421 char *cert_file = NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000422 char *cacerts_file = NULL;
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000423 char *ciphers = NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000424
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000425 if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000426 PySocketModule.Sock_Type,
Martin v. Löwisa811c382006-10-19 11:00:37 +0000427 &Sock,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000428 &server_side,
429 &key_file, &cert_file,
430 &verification_mode, &protocol,
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000431 &cacerts_file, &ciphers))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000432 return NULL;
433
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000434 /*
435 fprintf(stderr,
436 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, "
437 "protocol %d, certs %p\n",
438 server_side, key_file, cert_file, verification_mode,
439 protocol, cacerts_file);
440 */
441
442 return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
443 server_side, verification_mode,
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000444 protocol, cacerts_file,
445 ciphers);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000446}
447
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000448PyDoc_STRVAR(ssl_doc,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000449"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
Antoine Pitrou0a6373c2010-04-17 17:10:38 +0000450" cacertsfile, ciphers]) -> sslobject");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000451
452/* SSL object methods */
453
Bill Janssen934b16d2008-06-28 22:19:33 +0000454static PyObject *PySSL_SSLdo_handshake(PySSLObject *self)
455{
456 int ret;
457 int err;
Antoine Pitrou4d3e3722010-04-24 19:57:01 +0000458 int sockstate, nonblocking;
459
460 /* just in case the blocking state of the socket has been changed */
461 nonblocking = (self->Socket->sock_timeout >= 0.0);
462 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
463 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
Bill Janssen934b16d2008-06-28 22:19:33 +0000464
465 /* Actually negotiate SSL connection */
466 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */
467 sockstate = 0;
468 do {
469 PySSL_BEGIN_ALLOW_THREADS
470 ret = SSL_do_handshake(self->ssl);
471 err = SSL_get_error(self->ssl, ret);
472 PySSL_END_ALLOW_THREADS
473 if(PyErr_CheckSignals()) {
474 return NULL;
475 }
476 if (err == SSL_ERROR_WANT_READ) {
477 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
478 } else if (err == SSL_ERROR_WANT_WRITE) {
479 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
480 } else {
481 sockstate = SOCKET_OPERATION_OK;
482 }
483 if (sockstate == SOCKET_HAS_TIMED_OUT) {
484 PyErr_SetString(PySSLErrorObject,
485 ERRSTR("The handshake operation timed out"));
486 return NULL;
487 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
488 PyErr_SetString(PySSLErrorObject,
489 ERRSTR("Underlying socket has been closed."));
490 return NULL;
491 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
492 PyErr_SetString(PySSLErrorObject,
493 ERRSTR("Underlying socket too large for select()."));
494 return NULL;
495 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
496 break;
497 }
498 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
499 if (ret < 1)
500 return PySSL_SetError(self, ret, __FILE__, __LINE__);
501 self->ssl->debug = 1;
502
503 if (self->peer_cert)
504 X509_free (self->peer_cert);
505 PySSL_BEGIN_ALLOW_THREADS
506 if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
507 X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
508 self->server, X509_NAME_MAXLEN);
509 X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
510 self->issuer, X509_NAME_MAXLEN);
511 }
512 PySSL_END_ALLOW_THREADS
513
514 Py_INCREF(Py_None);
515 return Py_None;
516}
517
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000518static PyObject *
519PySSL_server(PySSLObject *self)
520{
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000521 return PyString_FromString(self->server);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000522}
523
524static PyObject *
525PySSL_issuer(PySSLObject *self)
526{
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000527 return PyString_FromString(self->issuer);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000528}
529
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000530static PyObject *
Bill Janssen98d19da2007-09-10 21:51:02 +0000531_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000532
Bill Janssen98d19da2007-09-10 21:51:02 +0000533 char namebuf[X509_NAME_MAXLEN];
534 int buflen;
535 PyObject *name_obj;
536 PyObject *value_obj;
537 PyObject *attr;
538 unsigned char *valuebuf = NULL;
Guido van Rossum780b80d2007-08-27 18:42:23 +0000539
Bill Janssen98d19da2007-09-10 21:51:02 +0000540 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
541 if (buflen < 0) {
542 _setSSLError(NULL, 0, __FILE__, __LINE__);
543 goto fail;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000544 }
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000545 name_obj = PyString_FromStringAndSize(namebuf, buflen);
Bill Janssen98d19da2007-09-10 21:51:02 +0000546 if (name_obj == NULL)
547 goto fail;
548
549 buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
550 if (buflen < 0) {
551 _setSSLError(NULL, 0, __FILE__, __LINE__);
552 Py_DECREF(name_obj);
553 goto fail;
554 }
555 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
556 buflen, "strict");
557 OPENSSL_free(valuebuf);
558 if (value_obj == NULL) {
559 Py_DECREF(name_obj);
560 goto fail;
561 }
562 attr = PyTuple_New(2);
563 if (attr == NULL) {
564 Py_DECREF(name_obj);
565 Py_DECREF(value_obj);
566 goto fail;
567 }
568 PyTuple_SET_ITEM(attr, 0, name_obj);
569 PyTuple_SET_ITEM(attr, 1, value_obj);
570 return attr;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000571
Bill Janssen98d19da2007-09-10 21:51:02 +0000572 fail:
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000573 return NULL;
574}
575
576static PyObject *
Bill Janssen98d19da2007-09-10 21:51:02 +0000577_create_tuple_for_X509_NAME (X509_NAME *xname)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000578{
Bill Janssen98d19da2007-09-10 21:51:02 +0000579 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */
580 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */
581 PyObject *rdnt;
582 PyObject *attr = NULL; /* tuple to hold an attribute */
583 int entry_count = X509_NAME_entry_count(xname);
584 X509_NAME_ENTRY *entry;
585 ASN1_OBJECT *name;
586 ASN1_STRING *value;
587 int index_counter;
588 int rdn_level = -1;
589 int retcode;
590
591 dn = PyList_New(0);
592 if (dn == NULL)
593 return NULL;
594 /* now create another tuple to hold the top-level RDN */
595 rdn = PyList_New(0);
596 if (rdn == NULL)
597 goto fail0;
598
599 for (index_counter = 0;
600 index_counter < entry_count;
601 index_counter++)
602 {
603 entry = X509_NAME_get_entry(xname, index_counter);
604
605 /* check to see if we've gotten to a new RDN */
606 if (rdn_level >= 0) {
607 if (rdn_level != entry->set) {
608 /* yes, new RDN */
609 /* add old RDN to DN */
610 rdnt = PyList_AsTuple(rdn);
611 Py_DECREF(rdn);
612 if (rdnt == NULL)
613 goto fail0;
614 retcode = PyList_Append(dn, rdnt);
615 Py_DECREF(rdnt);
616 if (retcode < 0)
617 goto fail0;
618 /* create new RDN */
619 rdn = PyList_New(0);
620 if (rdn == NULL)
621 goto fail0;
622 }
623 }
624 rdn_level = entry->set;
625
626 /* now add this attribute to the current RDN */
627 name = X509_NAME_ENTRY_get_object(entry);
628 value = X509_NAME_ENTRY_get_data(entry);
629 attr = _create_tuple_for_attribute(name, value);
630 /*
631 fprintf(stderr, "RDN level %d, attribute %s: %s\n",
632 entry->set,
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000633 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
634 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
Bill Janssen98d19da2007-09-10 21:51:02 +0000635 */
636 if (attr == NULL)
637 goto fail1;
638 retcode = PyList_Append(rdn, attr);
639 Py_DECREF(attr);
640 if (retcode < 0)
641 goto fail1;
642 }
643 /* now, there's typically a dangling RDN */
644 if ((rdn != NULL) && (PyList_Size(rdn) > 0)) {
645 rdnt = PyList_AsTuple(rdn);
646 Py_DECREF(rdn);
647 if (rdnt == NULL)
648 goto fail0;
649 retcode = PyList_Append(dn, rdnt);
650 Py_DECREF(rdnt);
651 if (retcode < 0)
652 goto fail0;
653 }
654
655 /* convert list to tuple */
656 rdnt = PyList_AsTuple(dn);
657 Py_DECREF(dn);
658 if (rdnt == NULL)
659 return NULL;
660 return rdnt;
661
662 fail1:
663 Py_XDECREF(rdn);
664
665 fail0:
666 Py_XDECREF(dn);
667 return NULL;
668}
669
670static PyObject *
671_get_peer_alt_names (X509 *certificate) {
672
673 /* this code follows the procedure outlined in
674 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
675 function to extract the STACK_OF(GENERAL_NAME),
676 then iterates through the stack to add the
677 names. */
678
679 int i, j;
680 PyObject *peer_alt_names = Py_None;
681 PyObject *v, *t;
682 X509_EXTENSION *ext = NULL;
683 GENERAL_NAMES *names = NULL;
684 GENERAL_NAME *name;
685 X509V3_EXT_METHOD *method;
686 BIO *biobuf = NULL;
687 char buf[2048];
688 char *vptr;
689 int len;
Victor Stinner3f75cc52010-03-02 22:44:42 +0000690 /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */
691#if OPENSSL_VERSION_NUMBER >= 0x009060dfL
692 const unsigned char *p;
693#else
Jeffrey Yasskin7937d932009-05-29 03:44:31 +0000694 unsigned char *p;
Victor Stinner3f75cc52010-03-02 22:44:42 +0000695#endif
Bill Janssen98d19da2007-09-10 21:51:02 +0000696
697 if (certificate == NULL)
698 return peer_alt_names;
699
700 /* get a memory buffer */
701 biobuf = BIO_new(BIO_s_mem());
702
703 i = 0;
704 while ((i = X509_get_ext_by_NID(
705 certificate, NID_subject_alt_name, i)) >= 0) {
706
707 if (peer_alt_names == Py_None) {
708 peer_alt_names = PyList_New(0);
709 if (peer_alt_names == NULL)
710 goto fail;
711 }
712
713 /* now decode the altName */
714 ext = X509_get_ext(certificate, i);
715 if(!(method = X509V3_EXT_get(ext))) {
716 PyErr_SetString(PySSLErrorObject,
717 ERRSTR("No method for internalizing subjectAltName!"));
718 goto fail;
719 }
720
721 p = ext->value->data;
Neal Norwitze9057ff2008-01-27 17:10:35 +0000722 if (method->it)
Bill Janssen98d19da2007-09-10 21:51:02 +0000723 names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL,
724 &p,
725 ext->value->length,
726 ASN1_ITEM_ptr(method->it)));
727 else
728 names = (GENERAL_NAMES*) (method->d2i(NULL,
729 &p,
730 ext->value->length));
731
732 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
733
734 /* get a rendering of each name in the set of names */
735
736 name = sk_GENERAL_NAME_value(names, j);
737 if (name->type == GEN_DIRNAME) {
738
739 /* we special-case DirName as a tuple of tuples of attributes */
740
741 t = PyTuple_New(2);
742 if (t == NULL) {
743 goto fail;
744 }
745
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000746 v = PyString_FromString("DirName");
Bill Janssen98d19da2007-09-10 21:51:02 +0000747 if (v == NULL) {
748 Py_DECREF(t);
749 goto fail;
750 }
751 PyTuple_SET_ITEM(t, 0, v);
752
753 v = _create_tuple_for_X509_NAME (name->d.dirn);
754 if (v == NULL) {
755 Py_DECREF(t);
756 goto fail;
757 }
758 PyTuple_SET_ITEM(t, 1, v);
759
760 } else {
761
762 /* for everything else, we use the OpenSSL print form */
763
764 (void) BIO_reset(biobuf);
765 GENERAL_NAME_print(biobuf, name);
766 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
767 if (len < 0) {
768 _setSSLError(NULL, 0, __FILE__, __LINE__);
769 goto fail;
770 }
771 vptr = strchr(buf, ':');
772 if (vptr == NULL)
773 goto fail;
774 t = PyTuple_New(2);
775 if (t == NULL)
776 goto fail;
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000777 v = PyString_FromStringAndSize(buf, (vptr - buf));
Bill Janssen98d19da2007-09-10 21:51:02 +0000778 if (v == NULL) {
779 Py_DECREF(t);
780 goto fail;
781 }
782 PyTuple_SET_ITEM(t, 0, v);
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000783 v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1)));
Bill Janssen98d19da2007-09-10 21:51:02 +0000784 if (v == NULL) {
785 Py_DECREF(t);
786 goto fail;
787 }
788 PyTuple_SET_ITEM(t, 1, v);
789 }
790
791 /* and add that rendering to the list */
792
793 if (PyList_Append(peer_alt_names, t) < 0) {
794 Py_DECREF(t);
795 goto fail;
796 }
797 Py_DECREF(t);
798 }
799 }
800 BIO_free(biobuf);
801 if (peer_alt_names != Py_None) {
802 v = PyList_AsTuple(peer_alt_names);
803 Py_DECREF(peer_alt_names);
804 return v;
805 } else {
806 return peer_alt_names;
807 }
808
809
810 fail:
811 if (biobuf != NULL)
812 BIO_free(biobuf);
813
814 if (peer_alt_names != Py_None) {
815 Py_XDECREF(peer_alt_names);
816 }
817
818 return NULL;
819}
820
821static PyObject *
822_decode_certificate (X509 *certificate, int verbose) {
823
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000824 PyObject *retval = NULL;
825 BIO *biobuf = NULL;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000826 PyObject *peer;
Bill Janssen98d19da2007-09-10 21:51:02 +0000827 PyObject *peer_alt_names = NULL;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000828 PyObject *issuer;
829 PyObject *version;
Bill Janssen98d19da2007-09-10 21:51:02 +0000830 PyObject *sn_obj;
831 ASN1_INTEGER *serialNumber;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000832 char buf[2048];
833 int len;
834 ASN1_TIME *notBefore, *notAfter;
835 PyObject *pnotBefore, *pnotAfter;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000836
837 retval = PyDict_New();
838 if (retval == NULL)
839 return NULL;
840
Bill Janssenffe576d2007-09-05 00:46:27 +0000841 peer = _create_tuple_for_X509_NAME(
Bill Janssen98d19da2007-09-10 21:51:02 +0000842 X509_get_subject_name(certificate));
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000843 if (peer == NULL)
844 goto fail0;
845 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
846 Py_DECREF(peer);
847 goto fail0;
848 }
849 Py_DECREF(peer);
850
Bill Janssen98d19da2007-09-10 21:51:02 +0000851 if (verbose) {
852 issuer = _create_tuple_for_X509_NAME(
853 X509_get_issuer_name(certificate));
854 if (issuer == NULL)
855 goto fail0;
856 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
857 Py_DECREF(issuer);
858 goto fail0;
859 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000860 Py_DECREF(issuer);
Bill Janssen98d19da2007-09-10 21:51:02 +0000861
862 version = PyInt_FromLong(X509_get_version(certificate) + 1);
863 if (PyDict_SetItemString(retval, "version", version) < 0) {
864 Py_DECREF(version);
865 goto fail0;
866 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000867 Py_DECREF(version);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000868 }
Bill Janssen98d19da2007-09-10 21:51:02 +0000869
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000870 /* get a memory buffer */
871 biobuf = BIO_new(BIO_s_mem());
Bill Janssen98d19da2007-09-10 21:51:02 +0000872
873 if (verbose) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000874
Bill Janssen98d19da2007-09-10 21:51:02 +0000875 (void) BIO_reset(biobuf);
876 serialNumber = X509_get_serialNumber(certificate);
877 /* should not exceed 20 octets, 160 bits, so buf is big enough */
878 i2a_ASN1_INTEGER(biobuf, serialNumber);
879 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
880 if (len < 0) {
881 _setSSLError(NULL, 0, __FILE__, __LINE__);
882 goto fail1;
883 }
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000884 sn_obj = PyString_FromStringAndSize(buf, len);
Bill Janssen98d19da2007-09-10 21:51:02 +0000885 if (sn_obj == NULL)
886 goto fail1;
887 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
888 Py_DECREF(sn_obj);
889 goto fail1;
890 }
891 Py_DECREF(sn_obj);
892
893 (void) BIO_reset(biobuf);
894 notBefore = X509_get_notBefore(certificate);
895 ASN1_TIME_print(biobuf, notBefore);
896 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
897 if (len < 0) {
898 _setSSLError(NULL, 0, __FILE__, __LINE__);
899 goto fail1;
900 }
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000901 pnotBefore = PyString_FromStringAndSize(buf, len);
Bill Janssen98d19da2007-09-10 21:51:02 +0000902 if (pnotBefore == NULL)
903 goto fail1;
904 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
905 Py_DECREF(pnotBefore);
906 goto fail1;
907 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000908 Py_DECREF(pnotBefore);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000909 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000910
Guido van Rossum780b80d2007-08-27 18:42:23 +0000911 (void) BIO_reset(biobuf);
Bill Janssen98d19da2007-09-10 21:51:02 +0000912 notAfter = X509_get_notAfter(certificate);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000913 ASN1_TIME_print(biobuf, notAfter);
914 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
Bill Janssen98d19da2007-09-10 21:51:02 +0000915 if (len < 0) {
916 _setSSLError(NULL, 0, __FILE__, __LINE__);
917 goto fail1;
918 }
Gregory P. Smithdd96db62008-06-09 04:58:54 +0000919 pnotAfter = PyString_FromStringAndSize(buf, len);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000920 if (pnotAfter == NULL)
Bill Janssen98d19da2007-09-10 21:51:02 +0000921 goto fail1;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000922 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
923 Py_DECREF(pnotAfter);
Bill Janssen98d19da2007-09-10 21:51:02 +0000924 goto fail1;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000925 }
926 Py_DECREF(pnotAfter);
Bill Janssen98d19da2007-09-10 21:51:02 +0000927
928 /* Now look for subjectAltName */
929
930 peer_alt_names = _get_peer_alt_names(certificate);
931 if (peer_alt_names == NULL)
932 goto fail1;
933 else if (peer_alt_names != Py_None) {
934 if (PyDict_SetItemString(retval, "subjectAltName",
935 peer_alt_names) < 0) {
936 Py_DECREF(peer_alt_names);
937 goto fail1;
938 }
939 Py_DECREF(peer_alt_names);
940 }
941
942 BIO_free(biobuf);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000943 return retval;
944
945 fail1:
946 if (biobuf != NULL)
947 BIO_free(biobuf);
948 fail0:
949 Py_XDECREF(retval);
950 return NULL;
951}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000952
Bill Janssen98d19da2007-09-10 21:51:02 +0000953
954static PyObject *
955PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
956
957 PyObject *retval = NULL;
958 char *filename = NULL;
959 X509 *x=NULL;
960 BIO *cert;
961 int verbose = 1;
962
963 if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose))
964 return NULL;
965
966 if ((cert=BIO_new(BIO_s_file())) == NULL) {
967 PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file");
968 goto fail0;
969 }
970
971 if (BIO_read_filename(cert,filename) <= 0) {
972 PyErr_SetString(PySSLErrorObject, "Can't open file");
973 goto fail0;
974 }
975
976 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
977 if (x == NULL) {
978 PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file");
979 goto fail0;
980 }
981
982 retval = _decode_certificate(x, verbose);
983
984 fail0:
985
986 if (cert != NULL) BIO_free(cert);
987 return retval;
988}
989
990
991static PyObject *
992PySSL_peercert(PySSLObject *self, PyObject *args)
993{
994 PyObject *retval = NULL;
995 int len;
996 int verification;
997 PyObject *binary_mode = Py_None;
998
999 if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode))
1000 return NULL;
1001
1002 if (!self->peer_cert)
1003 Py_RETURN_NONE;
1004
1005 if (PyObject_IsTrue(binary_mode)) {
1006 /* return cert in DER-encoded format */
1007
1008 unsigned char *bytes_buf = NULL;
1009
1010 bytes_buf = NULL;
1011 len = i2d_X509(self->peer_cert, &bytes_buf);
1012 if (len < 0) {
1013 PySSL_SetError(self, len, __FILE__, __LINE__);
1014 return NULL;
1015 }
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001016 retval = PyString_FromStringAndSize((const char *) bytes_buf, len);
Bill Janssen98d19da2007-09-10 21:51:02 +00001017 OPENSSL_free(bytes_buf);
1018 return retval;
1019
1020 } else {
1021
1022 verification = SSL_CTX_get_verify_mode(self->ctx);
1023 if ((verification & SSL_VERIFY_PEER) == 0)
1024 return PyDict_New();
1025 else
1026 return _decode_certificate (self->peer_cert, 0);
1027 }
1028}
1029
1030PyDoc_STRVAR(PySSL_peercert_doc,
1031"peer_certificate([der=False]) -> certificate\n\
1032\n\
1033Returns the certificate for the peer. If no certificate was provided,\n\
1034returns None. If a certificate was provided, but not validated, returns\n\
1035an empty dictionary. Otherwise returns a dict containing information\n\
1036about the peer certificate.\n\
1037\n\
1038If the optional argument is True, returns a DER-encoded copy of the\n\
1039peer certificate, or None if no certificate was provided. This will\n\
1040return the certificate even if it wasn't validated.");
1041
1042static PyObject *PySSL_cipher (PySSLObject *self) {
1043
1044 PyObject *retval, *v;
1045 SSL_CIPHER *current;
1046 char *cipher_name;
1047 char *cipher_protocol;
1048
1049 if (self->ssl == NULL)
1050 return Py_None;
1051 current = SSL_get_current_cipher(self->ssl);
1052 if (current == NULL)
1053 return Py_None;
1054
1055 retval = PyTuple_New(3);
1056 if (retval == NULL)
1057 return NULL;
1058
1059 cipher_name = (char *) SSL_CIPHER_get_name(current);
1060 if (cipher_name == NULL) {
1061 PyTuple_SET_ITEM(retval, 0, Py_None);
1062 } else {
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001063 v = PyString_FromString(cipher_name);
Bill Janssen98d19da2007-09-10 21:51:02 +00001064 if (v == NULL)
1065 goto fail0;
1066 PyTuple_SET_ITEM(retval, 0, v);
1067 }
1068 cipher_protocol = SSL_CIPHER_get_version(current);
1069 if (cipher_protocol == NULL) {
1070 PyTuple_SET_ITEM(retval, 1, Py_None);
1071 } else {
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001072 v = PyString_FromString(cipher_protocol);
Bill Janssen98d19da2007-09-10 21:51:02 +00001073 if (v == NULL)
1074 goto fail0;
1075 PyTuple_SET_ITEM(retval, 1, v);
1076 }
1077 v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL));
1078 if (v == NULL)
1079 goto fail0;
1080 PyTuple_SET_ITEM(retval, 2, v);
1081 return retval;
1082
1083 fail0:
1084 Py_DECREF(retval);
1085 return NULL;
1086}
1087
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001088static void PySSL_dealloc(PySSLObject *self)
1089{
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001090 if (self->peer_cert) /* Possible not to have one? */
1091 X509_free (self->peer_cert);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001092 if (self->ssl)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001093 SSL_free(self->ssl);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001094 if (self->ctx)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001095 SSL_CTX_free(self->ctx);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001096 Py_XDECREF(self->Socket);
1097 PyObject_Del(self);
1098}
1099
Anthony Baxter93ab5fa2006-07-11 02:04:09 +00001100/* If the socket has a timeout, do a select()/poll() on the socket.
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001101 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001102 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001103 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001104
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001105static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001106check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001107{
1108 fd_set fds;
1109 struct timeval tv;
1110 int rc;
1111
1112 /* Nothing to do unless we're in timeout mode (not non-blocking) */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001113 if (s->sock_timeout < 0.0)
1114 return SOCKET_IS_BLOCKING;
1115 else if (s->sock_timeout == 0.0)
1116 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001117
1118 /* Guard against closed socket */
1119 if (s->sock_fd < 0)
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001120 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001121
Anthony Baxter93ab5fa2006-07-11 02:04:09 +00001122 /* Prefer poll, if available, since you can poll() any fd
1123 * which can't be done with select(). */
1124#ifdef HAVE_POLL
1125 {
1126 struct pollfd pollfd;
1127 int timeout;
1128
1129 pollfd.fd = s->sock_fd;
1130 pollfd.events = writing ? POLLOUT : POLLIN;
1131
1132 /* s->sock_timeout is in seconds, timeout in ms */
1133 timeout = (int)(s->sock_timeout * 1000 + 0.5);
Bill Janssen98d19da2007-09-10 21:51:02 +00001134 PySSL_BEGIN_ALLOW_THREADS
Anthony Baxter93ab5fa2006-07-11 02:04:09 +00001135 rc = poll(&pollfd, 1, timeout);
Bill Janssen98d19da2007-09-10 21:51:02 +00001136 PySSL_END_ALLOW_THREADS
Anthony Baxter93ab5fa2006-07-11 02:04:09 +00001137
1138 goto normal_return;
1139 }
1140#endif
1141
Neal Norwitz082b2df2006-02-07 07:04:46 +00001142 /* Guard against socket too large for select*/
Martin v. Löwisf84d1b92006-02-11 09:27:05 +00001143#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
Neal Norwitz082b2df2006-02-07 07:04:46 +00001144 if (s->sock_fd >= FD_SETSIZE)
Neal Norwitz389cea82006-02-13 00:35:21 +00001145 return SOCKET_TOO_LARGE_FOR_SELECT;
Martin v. Löwisf84d1b92006-02-11 09:27:05 +00001146#endif
Neal Norwitz082b2df2006-02-07 07:04:46 +00001147
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001148 /* Construct the arguments to select */
1149 tv.tv_sec = (int)s->sock_timeout;
1150 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
1151 FD_ZERO(&fds);
1152 FD_SET(s->sock_fd, &fds);
1153
1154 /* See if the socket is ready */
Bill Janssen98d19da2007-09-10 21:51:02 +00001155 PySSL_BEGIN_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001156 if (writing)
1157 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
1158 else
1159 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
Bill Janssen98d19da2007-09-10 21:51:02 +00001160 PySSL_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001161
Bill Janssen934b16d2008-06-28 22:19:33 +00001162#ifdef HAVE_POLL
Anthony Baxter93ab5fa2006-07-11 02:04:09 +00001163normal_return:
Bill Janssen934b16d2008-06-28 22:19:33 +00001164#endif
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001165 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1166 (when we are able to write or when there's something to read) */
1167 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001168}
1169
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001170static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
1171{
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001172 Py_buffer buf;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001173 int len;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001174 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001175 int err;
Bill Janssen934b16d2008-06-28 22:19:33 +00001176 int nonblocking;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001177
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001178 if (!PyArg_ParseTuple(args, "s*:write", &buf))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001179 return NULL;
1180
Bill Janssen934b16d2008-06-28 22:19:33 +00001181 /* just in case the blocking state of the socket has been changed */
1182 nonblocking = (self->Socket->sock_timeout >= 0.0);
1183 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1184 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1185
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001186 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
1187 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001188 PyErr_SetString(PySSLErrorObject,
1189 "The write operation timed out");
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001190 goto error;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001191 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001192 PyErr_SetString(PySSLErrorObject,
1193 "Underlying socket has been closed.");
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001194 goto error;
Neal Norwitz389cea82006-02-13 00:35:21 +00001195 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001196 PyErr_SetString(PySSLErrorObject,
1197 "Underlying socket too large for select().");
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001198 goto error;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001199 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001200 do {
1201 err = 0;
Bill Janssen98d19da2007-09-10 21:51:02 +00001202 PySSL_BEGIN_ALLOW_THREADS
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001203 len = SSL_write(self->ssl, buf.buf, buf.len);
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001204 err = SSL_get_error(self->ssl, len);
Bill Janssen98d19da2007-09-10 21:51:02 +00001205 PySSL_END_ALLOW_THREADS
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001206 if (PyErr_CheckSignals()) {
1207 goto error;
Martin v. Löwisafec8e32003-06-28 07:40:23 +00001208 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001209 if (err == SSL_ERROR_WANT_READ) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001210 sockstate =
1211 check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001212 } else if (err == SSL_ERROR_WANT_WRITE) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001213 sockstate =
1214 check_socket_and_wait_for_timeout(self->Socket, 1);
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001215 } else {
1216 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001217 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001218 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001219 PyErr_SetString(PySSLErrorObject,
1220 "The write operation timed out");
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001221 goto error;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001222 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001223 PyErr_SetString(PySSLErrorObject,
1224 "Underlying socket has been closed.");
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001225 goto error;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001226 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1227 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001228 }
1229 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001230
1231 PyBuffer_Release(&buf);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001232 if (len > 0)
1233 return PyInt_FromLong(len);
1234 else
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001235 return PySSL_SetError(self, len, __FILE__, __LINE__);
Antoine Pitrou5ba84912009-10-19 17:59:07 +00001236
1237error:
1238 PyBuffer_Release(&buf);
1239 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001240}
1241
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001242PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001243"write(s) -> len\n\
1244\n\
1245Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001246of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001247
Bill Janssen934b16d2008-06-28 22:19:33 +00001248static PyObject *PySSL_SSLpending(PySSLObject *self)
1249{
1250 int count = 0;
1251
1252 PySSL_BEGIN_ALLOW_THREADS
1253 count = SSL_pending(self->ssl);
1254 PySSL_END_ALLOW_THREADS
1255 if (count < 0)
1256 return PySSL_SetError(self, count, __FILE__, __LINE__);
1257 else
1258 return PyInt_FromLong(count);
1259}
1260
1261PyDoc_STRVAR(PySSL_SSLpending_doc,
1262"pending() -> count\n\
1263\n\
1264Returns the number of already decrypted bytes available for read,\n\
1265pending on the connection.\n");
1266
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001267static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
1268{
1269 PyObject *buf;
1270 int count = 0;
1271 int len = 1024;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001272 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001273 int err;
Bill Janssen934b16d2008-06-28 22:19:33 +00001274 int nonblocking;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001275
1276 if (!PyArg_ParseTuple(args, "|i:read", &len))
1277 return NULL;
1278
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001279 if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001280 return NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001281
Bill Janssen934b16d2008-06-28 22:19:33 +00001282 /* just in case the blocking state of the socket has been changed */
1283 nonblocking = (self->Socket->sock_timeout >= 0.0);
1284 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1285 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1286
Georg Brandl43f08a82006-03-31 18:01:16 +00001287 /* first check if there are bytes ready to be read */
Bill Janssen98d19da2007-09-10 21:51:02 +00001288 PySSL_BEGIN_ALLOW_THREADS
Georg Brandl43f08a82006-03-31 18:01:16 +00001289 count = SSL_pending(self->ssl);
Bill Janssen98d19da2007-09-10 21:51:02 +00001290 PySSL_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001291
Georg Brandl43f08a82006-03-31 18:01:16 +00001292 if (!count) {
1293 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
1294 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001295 PyErr_SetString(PySSLErrorObject,
1296 "The read operation timed out");
Georg Brandl43f08a82006-03-31 18:01:16 +00001297 Py_DECREF(buf);
1298 return NULL;
1299 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001300 PyErr_SetString(PySSLErrorObject,
1301 "Underlying socket too large for select().");
1302 Py_DECREF(buf);
Georg Brandl43f08a82006-03-31 18:01:16 +00001303 return NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001304 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
Bill Janssen934b16d2008-06-28 22:19:33 +00001305 if (SSL_get_shutdown(self->ssl) !=
1306 SSL_RECEIVED_SHUTDOWN)
1307 {
1308 Py_DECREF(buf);
1309 PyErr_SetString(PySSLErrorObject,
1310 "Socket closed without SSL shutdown handshake");
1311 return NULL;
1312 } else {
1313 /* should contain a zero-length string */
1314 _PyString_Resize(&buf, 0);
1315 return buf;
1316 }
Georg Brandl43f08a82006-03-31 18:01:16 +00001317 }
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001318 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001319 do {
1320 err = 0;
Bill Janssen98d19da2007-09-10 21:51:02 +00001321 PySSL_BEGIN_ALLOW_THREADS
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001322 count = SSL_read(self->ssl, PyString_AsString(buf), len);
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001323 err = SSL_get_error(self->ssl, count);
Bill Janssen98d19da2007-09-10 21:51:02 +00001324 PySSL_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +00001325 if(PyErr_CheckSignals()) {
1326 Py_DECREF(buf);
1327 return NULL;
1328 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001329 if (err == SSL_ERROR_WANT_READ) {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001330 sockstate =
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001331 check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001332 } else if (err == SSL_ERROR_WANT_WRITE) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001333 sockstate =
1334 check_socket_and_wait_for_timeout(self->Socket, 1);
1335 } else if ((err == SSL_ERROR_ZERO_RETURN) &&
1336 (SSL_get_shutdown(self->ssl) ==
Guido van Rossum780b80d2007-08-27 18:42:23 +00001337 SSL_RECEIVED_SHUTDOWN))
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001338 {
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001339 _PyString_Resize(&buf, 0);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001340 return buf;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001341 } else {
1342 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001343 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001344 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1345 PyErr_SetString(PySSLErrorObject,
1346 "The read operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +00001347 Py_DECREF(buf);
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001348 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001349 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1350 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +00001351 }
1352 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001353 if (count <= 0) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001354 Py_DECREF(buf);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001355 return PySSL_SetError(self, count, __FILE__, __LINE__);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001356 }
Tim Peters5de98422002-04-27 18:44:32 +00001357 if (count != len)
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001358 _PyString_Resize(&buf, count);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001359 return buf;
1360}
1361
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001362PyDoc_STRVAR(PySSL_SSLread_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001363"read([len]) -> string\n\
1364\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001365Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001366
Bill Janssen934b16d2008-06-28 22:19:33 +00001367static PyObject *PySSL_SSLshutdown(PySSLObject *self)
1368{
Antoine Pitroua5c4b552010-04-22 23:33:02 +00001369 int err, ssl_err, sockstate, nonblocking;
1370 int zeros = 0;
Bill Janssen934b16d2008-06-28 22:19:33 +00001371
1372 /* Guard against closed socket */
1373 if (self->Socket->sock_fd < 0) {
1374 PyErr_SetString(PySSLErrorObject,
1375 "Underlying socket has been closed.");
1376 return NULL;
1377 }
1378
Antoine Pitroua5c4b552010-04-22 23:33:02 +00001379 /* Just in case the blocking state of the socket has been changed */
1380 nonblocking = (self->Socket->sock_timeout >= 0.0);
1381 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1382 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1383
1384 while (1) {
1385 PySSL_BEGIN_ALLOW_THREADS
1386 /* Disable read-ahead so that unwrap can work correctly.
1387 * Otherwise OpenSSL might read in too much data,
1388 * eating clear text data that happens to be
1389 * transmitted after the SSL shutdown.
1390 * Should be safe to call repeatedly everytime this
1391 * function is used and the shutdown_seen_zero != 0
1392 * condition is met.
1393 */
1394 if (self->shutdown_seen_zero)
1395 SSL_set_read_ahead(self->ssl, 0);
Bill Janssen934b16d2008-06-28 22:19:33 +00001396 err = SSL_shutdown(self->ssl);
Antoine Pitroua5c4b552010-04-22 23:33:02 +00001397 PySSL_END_ALLOW_THREADS
1398 /* If err == 1, a secure shutdown with SSL_shutdown() is complete */
1399 if (err > 0)
1400 break;
1401 if (err == 0) {
1402 /* Don't loop endlessly; instead preserve legacy
1403 behaviour of trying SSL_shutdown() only twice.
1404 This looks necessary for OpenSSL < 0.9.8m */
1405 if (++zeros > 1)
1406 break;
1407 /* Shutdown was sent, now try receiving */
1408 self->shutdown_seen_zero = 1;
1409 continue;
1410 }
1411
1412 /* Possibly retry shutdown until timeout or failure */
1413 ssl_err = SSL_get_error(self->ssl, err);
1414 if (ssl_err == SSL_ERROR_WANT_READ)
1415 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
1416 else if (ssl_err == SSL_ERROR_WANT_WRITE)
1417 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
1418 else
1419 break;
1420 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1421 if (ssl_err == SSL_ERROR_WANT_READ)
1422 PyErr_SetString(PySSLErrorObject,
1423 "The read operation timed out");
1424 else
1425 PyErr_SetString(PySSLErrorObject,
1426 "The write operation timed out");
1427 return NULL;
1428 }
1429 else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1430 PyErr_SetString(PySSLErrorObject,
1431 "Underlying socket too large for select().");
1432 return NULL;
1433 }
1434 else if (sockstate != SOCKET_OPERATION_OK)
1435 /* Retain the SSL error code */
1436 break;
Bill Janssen934b16d2008-06-28 22:19:33 +00001437 }
Bill Janssen934b16d2008-06-28 22:19:33 +00001438
1439 if (err < 0)
1440 return PySSL_SetError(self, err, __FILE__, __LINE__);
1441 else {
1442 Py_INCREF(self->Socket);
1443 return (PyObject *) (self->Socket);
1444 }
1445}
1446
1447PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1448"shutdown(s) -> socket\n\
1449\n\
1450Does the SSL shutdown handshake with the remote end, and returns\n\
1451the underlying socket object.");
1452
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001453static PyMethodDef PySSLMethods[] = {
Bill Janssen934b16d2008-06-28 22:19:33 +00001454 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001455 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
Bill Janssen98d19da2007-09-10 21:51:02 +00001456 PySSL_SSLwrite_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001457 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
Bill Janssen98d19da2007-09-10 21:51:02 +00001458 PySSL_SSLread_doc},
Bill Janssen934b16d2008-06-28 22:19:33 +00001459 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
1460 PySSL_SSLpending_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001461 {"server", (PyCFunction)PySSL_server, METH_NOARGS},
1462 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
Bill Janssen98d19da2007-09-10 21:51:02 +00001463 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
1464 PySSL_peercert_doc},
1465 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
Bill Janssen934b16d2008-06-28 22:19:33 +00001466 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
1467 PySSL_SSLshutdown_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001468 {NULL, NULL}
1469};
1470
1471static PyObject *PySSL_getattr(PySSLObject *self, char *name)
1472{
1473 return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
1474}
1475
Jeremy Hylton938ace62002-07-17 16:30:39 +00001476static PyTypeObject PySSL_Type = {
Martin v. Löwis68192102007-07-21 06:55:02 +00001477 PyVarObject_HEAD_INIT(NULL, 0)
Guido van Rossum780b80d2007-08-27 18:42:23 +00001478 "ssl.SSLContext", /*tp_name*/
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001479 sizeof(PySSLObject), /*tp_basicsize*/
1480 0, /*tp_itemsize*/
1481 /* methods */
1482 (destructor)PySSL_dealloc, /*tp_dealloc*/
1483 0, /*tp_print*/
1484 (getattrfunc)PySSL_getattr, /*tp_getattr*/
1485 0, /*tp_setattr*/
1486 0, /*tp_compare*/
1487 0, /*tp_repr*/
1488 0, /*tp_as_number*/
1489 0, /*tp_as_sequence*/
1490 0, /*tp_as_mapping*/
1491 0, /*tp_hash*/
1492};
1493
1494#ifdef HAVE_OPENSSL_RAND
1495
1496/* helper routines for seeding the SSL PRNG */
1497static PyObject *
1498PySSL_RAND_add(PyObject *self, PyObject *args)
1499{
1500 char *buf;
1501 int len;
1502 double entropy;
1503
1504 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
1505 return NULL;
1506 RAND_add(buf, len, entropy);
1507 Py_INCREF(Py_None);
1508 return Py_None;
1509}
1510
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001511PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001512"RAND_add(string, entropy)\n\
1513\n\
1514Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Bill Janssen98d19da2007-09-10 21:51:02 +00001515bound on the entropy contained in string. See RFC 1750.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001516
1517static PyObject *
1518PySSL_RAND_status(PyObject *self)
1519{
1520 return PyInt_FromLong(RAND_status());
1521}
1522
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001523PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001524"RAND_status() -> 0 or 1\n\
1525\n\
1526Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
1527It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001528using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001529
1530static PyObject *
1531PySSL_RAND_egd(PyObject *self, PyObject *arg)
1532{
1533 int bytes;
1534
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001535 if (!PyString_Check(arg))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001536 return PyErr_Format(PyExc_TypeError,
1537 "RAND_egd() expected string, found %s",
Christian Heimese93237d2007-12-19 02:37:44 +00001538 Py_TYPE(arg)->tp_name);
Gregory P. Smithdd96db62008-06-09 04:58:54 +00001539 bytes = RAND_egd(PyString_AS_STRING(arg));
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001540 if (bytes == -1) {
1541 PyErr_SetString(PySSLErrorObject,
1542 "EGD connection failed or EGD did not return "
1543 "enough data to seed the PRNG");
1544 return NULL;
1545 }
1546 return PyInt_FromLong(bytes);
1547}
1548
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001549PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001550"RAND_egd(path) -> bytes\n\
1551\n\
Bill Janssen98d19da2007-09-10 21:51:02 +00001552Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
1553Returns number of bytes read. Raises SSLError if connection to EGD\n\
1554fails or if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001555
1556#endif
1557
1558/* List of functions exported by this module. */
1559
1560static PyMethodDef PySSL_methods[] = {
Guido van Rossum780b80d2007-08-27 18:42:23 +00001561 {"sslwrap", PySSL_sslwrap,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001562 METH_VARARGS, ssl_doc},
Bill Janssen98d19da2007-09-10 21:51:02 +00001563 {"_test_decode_cert", PySSL_test_decode_certificate,
1564 METH_VARARGS},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001565#ifdef HAVE_OPENSSL_RAND
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001566 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001567 PySSL_RAND_add_doc},
1568 {"RAND_egd", PySSL_RAND_egd, METH_O,
1569 PySSL_RAND_egd_doc},
1570 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
1571 PySSL_RAND_status_doc},
1572#endif
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001573 {NULL, NULL} /* Sentinel */
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001574};
1575
1576
Bill Janssen98d19da2007-09-10 21:51:02 +00001577#ifdef WITH_THREAD
1578
1579/* an implementation of OpenSSL threading operations in terms
1580 of the Python C thread library */
1581
1582static PyThread_type_lock *_ssl_locks = NULL;
1583
1584static unsigned long _ssl_thread_id_function (void) {
1585 return PyThread_get_thread_ident();
1586}
1587
1588static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) {
1589 /* this function is needed to perform locking on shared data
1590 structures. (Note that OpenSSL uses a number of global data
1591 structures that will be implicitly shared whenever multiple threads
1592 use OpenSSL.) Multi-threaded applications will crash at random if
1593 it is not set.
1594
1595 locking_function() must be able to handle up to CRYPTO_num_locks()
1596 different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and
1597 releases it otherwise.
1598
1599 file and line are the file number of the function setting the
1600 lock. They can be useful for debugging.
1601 */
1602
1603 if ((_ssl_locks == NULL) ||
Neal Norwitz5802bb22008-03-27 05:03:11 +00001604 (n < 0) || ((unsigned)n >= _ssl_locks_count))
Bill Janssen98d19da2007-09-10 21:51:02 +00001605 return;
1606
1607 if (mode & CRYPTO_LOCK) {
1608 PyThread_acquire_lock(_ssl_locks[n], 1);
1609 } else {
1610 PyThread_release_lock(_ssl_locks[n]);
1611 }
1612}
1613
1614static int _setup_ssl_threads(void) {
1615
Neal Norwitz5802bb22008-03-27 05:03:11 +00001616 unsigned int i;
Bill Janssen98d19da2007-09-10 21:51:02 +00001617
1618 if (_ssl_locks == NULL) {
1619 _ssl_locks_count = CRYPTO_num_locks();
1620 _ssl_locks = (PyThread_type_lock *)
1621 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
1622 if (_ssl_locks == NULL)
1623 return 0;
1624 memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count);
1625 for (i = 0; i < _ssl_locks_count; i++) {
1626 _ssl_locks[i] = PyThread_allocate_lock();
1627 if (_ssl_locks[i] == NULL) {
Raymond Hettinger354cfc12009-01-26 16:52:22 +00001628 unsigned int j;
Bill Janssen98d19da2007-09-10 21:51:02 +00001629 for (j = 0; j < i; j++) {
1630 PyThread_free_lock(_ssl_locks[j]);
1631 }
1632 free(_ssl_locks);
1633 return 0;
1634 }
1635 }
1636 CRYPTO_set_locking_callback(_ssl_thread_locking_function);
1637 CRYPTO_set_id_callback(_ssl_thread_id_function);
1638 }
1639 return 1;
1640}
1641
1642#endif /* def HAVE_THREAD */
1643
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001644PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001645"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001646for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001647
Mark Hammondfe51c6d2002-08-02 02:27:13 +00001648PyMODINIT_FUNC
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001649init_ssl(void)
1650{
Antoine Pitrouf9de5342010-04-05 21:35:07 +00001651 PyObject *m, *d, *r;
1652 unsigned long libver;
1653 unsigned int major, minor, fix, patch, status;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001654
Christian Heimese93237d2007-12-19 02:37:44 +00001655 Py_TYPE(&PySSL_Type) = &PyType_Type;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001656
1657 m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
Neal Norwitz1ac754f2006-01-19 06:09:39 +00001658 if (m == NULL)
1659 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001660 d = PyModule_GetDict(m);
1661
1662 /* Load _socket module and its C API */
1663 if (PySocketModule_ImportModuleAndAPI())
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001664 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001665
1666 /* Init OpenSSL */
1667 SSL_load_error_strings();
Antoine Pitrouc715a9e2010-04-21 19:28:03 +00001668 SSL_library_init();
Bill Janssen98d19da2007-09-10 21:51:02 +00001669#ifdef WITH_THREAD
1670 /* note that this will start threading if not already started */
1671 if (!_setup_ssl_threads()) {
1672 return;
1673 }
1674#endif
Antoine Pitrouc715a9e2010-04-21 19:28:03 +00001675 OpenSSL_add_all_algorithms();
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001676
1677 /* Add symbols to module dict */
Bill Janssen98d19da2007-09-10 21:51:02 +00001678 PySSLErrorObject = PyErr_NewException("ssl.SSLError",
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001679 PySocketModule.error,
1680 NULL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001681 if (PySSLErrorObject == NULL)
1682 return;
Bill Janssen98d19da2007-09-10 21:51:02 +00001683 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001684 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001685 if (PyDict_SetItemString(d, "SSLType",
1686 (PyObject *)&PySSL_Type) != 0)
1687 return;
1688 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001689 PY_SSL_ERROR_ZERO_RETURN);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001690 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001691 PY_SSL_ERROR_WANT_READ);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001692 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001693 PY_SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001694 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001695 PY_SSL_ERROR_WANT_X509_LOOKUP);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001696 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001697 PY_SSL_ERROR_SYSCALL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001698 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001699 PY_SSL_ERROR_SSL);
1700 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
1701 PY_SSL_ERROR_WANT_CONNECT);
1702 /* non ssl.h errorcodes */
1703 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
1704 PY_SSL_ERROR_EOF);
1705 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
1706 PY_SSL_ERROR_INVALID_ERROR_CODE);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001707 /* cert requirements */
1708 PyModule_AddIntConstant(m, "CERT_NONE",
1709 PY_SSL_CERT_NONE);
1710 PyModule_AddIntConstant(m, "CERT_OPTIONAL",
1711 PY_SSL_CERT_OPTIONAL);
1712 PyModule_AddIntConstant(m, "CERT_REQUIRED",
1713 PY_SSL_CERT_REQUIRED);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001714
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +00001715 /* protocol versions */
1716 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
1717 PY_SSL_VERSION_SSL2);
1718 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
1719 PY_SSL_VERSION_SSL3);
1720 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
1721 PY_SSL_VERSION_SSL23);
1722 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
1723 PY_SSL_VERSION_TLS1);
Antoine Pitrouf9de5342010-04-05 21:35:07 +00001724
1725 /* OpenSSL version */
1726 /* SSLeay() gives us the version of the library linked against,
1727 which could be different from the headers version.
1728 */
1729 libver = SSLeay();
1730 r = PyLong_FromUnsignedLong(libver);
1731 if (r == NULL)
1732 return;
1733 if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r))
1734 return;
1735 status = libver & 0xF;
1736 libver >>= 4;
1737 patch = libver & 0xFF;
1738 libver >>= 8;
1739 fix = libver & 0xFF;
1740 libver >>= 8;
1741 minor = libver & 0xFF;
1742 libver >>= 8;
1743 major = libver & 0xFF;
1744 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
1745 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
1746 return;
1747 r = PyString_FromString(SSLeay_version(SSLEAY_VERSION));
1748 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
1749 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001750}