More work on SSL support.
* Much expanded test suite:
All protocols tested against all other protocols.
All protocols tested with all certificate options.
Tests for bad key and bad cert.
Test of STARTTLS functionality.
Test of RAND_* functions.
* Fixes for threading/malloc bug.
* Issue 1065 fixed:
sslsocket class renamed to SSLSocket.
sslerror class renamed to SSLError.
Function "wrap_socket" now used to wrap an existing socket.
* Issue 1583946 finally fixed:
Support for subjectAltName added.
Subject name now returned as proper DN list of RDNs.
* SSLError exported from socket as "sslerror".
* RAND_* functions properly exported from ssl.py.
* Documentation improved:
Example of how to create a self-signed certificate.
Better indexing.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a34c3c8..45a5490 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1,14 +1,38 @@
/* SSL socket module
SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
+ Re-worked a bit by Bill Janssen to add server-side support and
+ certificate decoding.
- This module is imported by socket.py. It should *not* be used
+ This module is imported by ssl.py. It should *not* be used
directly.
+ XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
+
+ XXX what about SSL_MODE_AUTO_RETRY
*/
#include "Python.h"
+#ifdef WITH_THREAD
+#include "pythread.h"
+#define PySSL_BEGIN_ALLOW_THREADS { \
+ PyThreadState *_save; \
+ if (_ssl_locks_count>0) {_save = PyEval_SaveThread();}
+#define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)};
+#define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()};
+#define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \
+ }
+
+#else /* no WITH_THREAD */
+
+#define PySSL_BEGIN_ALLOW_THREADS
+#define PySSL_BLOCK_THREADS
+#define PySSL_UNBLOCK_THREADS
+#define PySSL_END_ALLOW_THREADS
+
+#endif
+
enum py_ssl_error {
/* these mirror ssl.h */
PY_SSL_ERROR_NONE,
@@ -55,6 +79,7 @@
#include "openssl/rsa.h"
#include "openssl/crypto.h"
#include "openssl/x509.h"
+#include "openssl/x509v3.h"
#include "openssl/pem.h"
#include "openssl/ssl.h"
#include "openssl/err.h"
@@ -63,6 +88,15 @@
/* SSL error object */
static PyObject *PySSLErrorObject;
+#ifdef WITH_THREAD
+
+/* serves as a flag to see whether we've initialized the SSL thread support. */
+/* 0 means no, greater than 0 means yes */
+
+static unsigned int _ssl_locks_count = 0;
+
+#endif /* def WITH_THREAD */
+
/* SSL socket object */
#define X509_NAME_MAXLEN 256
@@ -90,8 +124,9 @@
static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
int writing);
-static PyObject *PySSL_peercert(PySSLObject *self);
-
+static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args);
+static PyObject *PySSL_cipher(PySSLObject *self);
+static PyObject *PySSL_SSLshutdown(PySSLObject *self);
#define PySSLObject_Check(v) (Py_Type(v) == &PySSL_Type)
@@ -126,7 +161,7 @@
assert(ret <= 0);
- if ((obj != NULL) && (obj->ssl != NULL)) {
+ if (obj->ssl != NULL) {
err = SSL_get_error(obj->ssl, ret);
switch (err) {
@@ -202,6 +237,25 @@
return NULL;
}
+static PyObject *
+_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
+
+ char buf[2048];
+ PyObject *v;
+
+ if (errstr == NULL) {
+ errcode = ERR_peek_last_error();
+ errstr = ERR_error_string(errcode, NULL);
+ }
+ PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
+ v = Py_BuildValue("(is)", errcode, buf);
+ if (v != NULL) {
+ PyErr_SetObject(PySSLErrorObject, v);
+ Py_DECREF(v);
+ }
+ return NULL;
+}
+
static PySSLObject *
newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
enum py_ssl_server_or_client socket_type,
@@ -226,6 +280,10 @@
self->ctx = NULL;
self->Socket = NULL;
+ /* Make sure the SSL error state is initialized */
+ (void) ERR_get_state();
+ ERR_clear_error();
+
if ((key_file && !cert_file) || (!key_file && cert_file)) {
errstr = ERRSTR("Both the key & certificate files "
"must be specified");
@@ -239,16 +297,16 @@
goto fail;
}
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
if (proto_version == PY_SSL_VERSION_TLS1)
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL3)
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL2)
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
- else
+ else if (proto_version == PY_SSL_VERSION_SSL23)
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if (self->ctx == NULL) {
errstr = ERRSTR("Invalid SSL protocol variant specified.");
@@ -261,39 +319,46 @@
"verification of other-side certificates.");
goto fail;
} else {
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
ret = SSL_CTX_load_verify_locations(self->ctx,
cacerts_file,
NULL);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if (ret != 1) {
- PySSL_SetError(NULL, 0, __FILE__, __LINE__);
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
goto fail;
}
}
}
if (key_file) {
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
SSL_FILETYPE_PEM);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if (ret != 1) {
- PySSL_SetError(NULL, 0, __FILE__, __LINE__);
+ _setSSLError(NULL, ret, __FILE__, __LINE__);
goto fail;
}
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
ret = SSL_CTX_use_certificate_chain_file(self->ctx,
- cert_file);
- Py_END_ALLOW_THREADS
+ cert_file);
+ PySSL_END_ALLOW_THREADS
if (ret != 1) {
- PySSL_SetError(NULL, 0, __FILE__, __LINE__);
- goto fail;
+ /*
+ fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
+ ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
+ */
+ if (ERR_peek_last_error() != 0) {
+ _setSSLError(NULL, ret, __FILE__, __LINE__);
+ goto fail;
+ }
}
- /* ssl compatibility */
- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
}
+ /* ssl compatibility */
+ SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+
verification_mode = SSL_VERIFY_NONE;
if (certreq == PY_SSL_CERT_OPTIONAL)
verification_mode = SSL_VERIFY_PEER;
@@ -303,9 +368,9 @@
SSL_CTX_set_verify(self->ctx, verification_mode,
NULL); /* set verify lvl */
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
self->ssl = SSL_new(self->ctx); /* New ssl struct */
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
/* If the socket is in non-blocking mode or timeout mode, set the BIO
@@ -317,24 +382,24 @@
BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
}
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
if (socket_type == PY_SSL_CLIENT)
SSL_set_connect_state(self->ssl);
else
SSL_set_accept_state(self->ssl);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
/* Actually negotiate SSL connection */
/* XXX If SSL_connect() returns 0, it's also a failure. */
sockstate = 0;
do {
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
if (socket_type == PY_SSL_CLIENT)
ret = SSL_connect(self->ssl);
else
ret = SSL_accept(self->ssl);
err = SSL_get_error(self->ssl, ret);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if(PyErr_CheckSignals()) {
goto fail;
}
@@ -367,14 +432,14 @@
}
self->ssl->debug = 1;
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
self->server, X509_NAME_MAXLEN);
X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
self->issuer, X509_NAME_MAXLEN);
}
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
self->Socket = Sock;
Py_INCREF(self->Socket);
return self;
@@ -437,96 +502,313 @@
}
static PyObject *
-_create_tuple_for_X509_NAME (X509_NAME *xname)
-{
- PyObject *pt = NULL;
- PyObject *entry_tuple = NULL;
- int entry_count = X509_NAME_entry_count(xname);
- int index_counter;
+_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) {
- pt = PyTuple_New(entry_count);
- if (pt == NULL)
- return NULL;
+ char namebuf[X509_NAME_MAXLEN];
+ int buflen;
+ PyObject *name_obj;
+ PyObject *value_obj;
+ PyObject *attr;
+ unsigned char *valuebuf = NULL;
- for (index_counter = 0;
- index_counter < X509_NAME_entry_count(xname);
- index_counter++)
- {
- char namebuf[X509_NAME_MAXLEN];
- int buflen;
- PyObject *name_obj;
- ASN1_STRING *value;
- PyObject *value_obj;
- unsigned char *valuebuf = NULL;
-
- X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname,
- index_counter);
-
- ASN1_OBJECT *name = X509_NAME_ENTRY_get_object(entry);
- buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
- if (buflen < 0)
- goto fail0;
- name_obj = PyString_FromStringAndSize(namebuf, buflen);
- if (name_obj == NULL)
- goto fail0;
-
- value = X509_NAME_ENTRY_get_data(entry);
- buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
- if (buflen < 0) {
- Py_DECREF(name_obj);
- goto fail0;
- }
- value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
- buflen, "strict");
- OPENSSL_free(valuebuf);
- if (value_obj == NULL) {
- Py_DECREF(name_obj);
- goto fail0;
- }
- entry_tuple = PyTuple_New(2);
- if (entry_tuple == NULL) {
- Py_DECREF(name_obj);
- Py_DECREF(value_obj);
- goto fail0;
- }
- PyTuple_SET_ITEM(entry_tuple, 0, name_obj);
- PyTuple_SET_ITEM(entry_tuple, 1, value_obj);
- PyTuple_SET_ITEM(pt, index_counter, entry_tuple);
+ buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
+ if (buflen < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail;
}
- return pt;
+ name_obj = PyString_FromStringAndSize(namebuf, buflen);
+ if (name_obj == NULL)
+ goto fail;
+
+ buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
+ if (buflen < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ Py_DECREF(name_obj);
+ goto fail;
+ }
+ value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
+ buflen, "strict");
+ OPENSSL_free(valuebuf);
+ if (value_obj == NULL) {
+ Py_DECREF(name_obj);
+ goto fail;
+ }
+ attr = PyTuple_New(2);
+ if (attr == NULL) {
+ Py_DECREF(name_obj);
+ Py_DECREF(value_obj);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(attr, 0, name_obj);
+ PyTuple_SET_ITEM(attr, 1, value_obj);
+ return attr;
- fail0:
- Py_XDECREF(pt);
+ fail:
return NULL;
}
static PyObject *
-PySSL_peercert(PySSLObject *self)
+_create_tuple_for_X509_NAME (X509_NAME *xname)
{
+ PyObject *dn = NULL; /* tuple which represents the "distinguished name" */
+ PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */
+ PyObject *rdnt;
+ PyObject *attr = NULL; /* tuple to hold an attribute */
+ int entry_count = X509_NAME_entry_count(xname);
+ X509_NAME_ENTRY *entry;
+ ASN1_OBJECT *name;
+ ASN1_STRING *value;
+ int index_counter;
+ int rdn_level = -1;
+ int retcode;
+
+ dn = PyList_New(0);
+ if (dn == NULL)
+ return NULL;
+ /* now create another tuple to hold the top-level RDN */
+ rdn = PyList_New(0);
+ if (rdn == NULL)
+ goto fail0;
+
+ for (index_counter = 0;
+ index_counter < entry_count;
+ index_counter++)
+ {
+ entry = X509_NAME_get_entry(xname, index_counter);
+
+ /* check to see if we've gotten to a new RDN */
+ if (rdn_level >= 0) {
+ if (rdn_level != entry->set) {
+ /* yes, new RDN */
+ /* add old RDN to DN */
+ rdnt = PyList_AsTuple(rdn);
+ Py_DECREF(rdn);
+ if (rdnt == NULL)
+ goto fail0;
+ retcode = PyList_Append(dn, rdnt);
+ Py_DECREF(rdnt);
+ if (retcode < 0)
+ goto fail0;
+ /* create new RDN */
+ rdn = PyList_New(0);
+ if (rdn == NULL)
+ goto fail0;
+ }
+ }
+ rdn_level = entry->set;
+
+ /* now add this attribute to the current RDN */
+ name = X509_NAME_ENTRY_get_object(entry);
+ value = X509_NAME_ENTRY_get_data(entry);
+ attr = _create_tuple_for_attribute(name, value);
+ /*
+ fprintf(stderr, "RDN level %d, attribute %s: %s\n",
+ entry->set,
+ PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
+ PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
+ */
+ if (attr == NULL)
+ goto fail1;
+ retcode = PyList_Append(rdn, attr);
+ Py_DECREF(attr);
+ if (retcode < 0)
+ goto fail1;
+ }
+ /* now, there's typically a dangling RDN */
+ if ((rdn != NULL) && (PyList_Size(rdn) > 0)) {
+ rdnt = PyList_AsTuple(rdn);
+ Py_DECREF(rdn);
+ if (rdnt == NULL)
+ goto fail0;
+ retcode = PyList_Append(dn, rdnt);
+ Py_DECREF(rdnt);
+ if (retcode < 0)
+ goto fail0;
+ }
+
+ /* convert list to tuple */
+ rdnt = PyList_AsTuple(dn);
+ Py_DECREF(dn);
+ if (rdnt == NULL)
+ return NULL;
+ return rdnt;
+
+ fail1:
+ Py_XDECREF(rdn);
+
+ fail0:
+ Py_XDECREF(dn);
+ return NULL;
+}
+
+static PyObject *
+_get_peer_alt_names (X509 *certificate) {
+
+ /* this code follows the procedure outlined in
+ OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
+ function to extract the STACK_OF(GENERAL_NAME),
+ then iterates through the stack to add the
+ names. */
+
+ int i, j;
+ PyObject *peer_alt_names = Py_None;
+ PyObject *v, *t;
+ X509_EXTENSION *ext = NULL;
+ GENERAL_NAMES *names = NULL;
+ GENERAL_NAME *name;
+ X509V3_EXT_METHOD *method;
+ BIO *biobuf = NULL;
+ char buf[2048];
+ char *vptr;
+ int len;
+ const unsigned char *p;
+
+ if (certificate == NULL)
+ return peer_alt_names;
+
+ /* get a memory buffer */
+ biobuf = BIO_new(BIO_s_mem());
+
+ i = 0;
+ while ((i = X509_get_ext_by_NID(
+ certificate, NID_subject_alt_name, i)) >= 0) {
+
+ if (peer_alt_names == Py_None) {
+ peer_alt_names = PyList_New(0);
+ if (peer_alt_names == NULL)
+ goto fail;
+ }
+
+ /* now decode the altName */
+ ext = X509_get_ext(certificate, i);
+ if(!(method = X509V3_EXT_get(ext))) {
+ PyErr_SetString(PySSLErrorObject,
+ ERRSTR("No method for internalizing subjectAltName!"));
+ goto fail;
+ }
+
+ p = ext->value->data;
+ if(method->it)
+ names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL,
+ &p,
+ ext->value->length,
+ ASN1_ITEM_ptr(method->it)));
+ else
+ names = (GENERAL_NAMES*) (method->d2i(NULL,
+ &p,
+ ext->value->length));
+
+ for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
+
+ /* get a rendering of each name in the set of names */
+
+ name = sk_GENERAL_NAME_value(names, j);
+ if (name->type == GEN_DIRNAME) {
+
+ /* we special-case DirName as a tuple of tuples of attributes */
+
+ t = PyTuple_New(2);
+ if (t == NULL) {
+ goto fail;
+ }
+
+ v = PyString_FromString("DirName");
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 0, v);
+
+ v = _create_tuple_for_X509_NAME (name->d.dirn);
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 1, v);
+
+ } else {
+
+ /* for everything else, we use the OpenSSL print form */
+
+ (void) BIO_reset(biobuf);
+ GENERAL_NAME_print(biobuf, name);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail;
+ }
+ vptr = strchr(buf, ':');
+ if (vptr == NULL)
+ goto fail;
+ t = PyTuple_New(2);
+ if (t == NULL)
+ goto fail;
+ v = PyString_FromStringAndSize(buf, (vptr - buf));
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 0, v);
+ v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1)));
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 1, v);
+ }
+
+ /* and add that rendering to the list */
+
+ if (PyList_Append(peer_alt_names, t) < 0) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ Py_DECREF(t);
+ }
+ }
+ BIO_free(biobuf);
+ if (peer_alt_names != Py_None) {
+ v = PyList_AsTuple(peer_alt_names);
+ Py_DECREF(peer_alt_names);
+ return v;
+ } else {
+ return peer_alt_names;
+ }
+
+
+ fail:
+ if (biobuf != NULL)
+ BIO_free(biobuf);
+
+ if (peer_alt_names != Py_None) {
+ Py_XDECREF(peer_alt_names);
+ }
+
+ return NULL;
+}
+
+static PyObject *
+_decode_certificate (X509 *certificate, int verbose) {
+
PyObject *retval = NULL;
BIO *biobuf = NULL;
PyObject *peer;
+ PyObject *peer_alt_names = NULL;
PyObject *issuer;
PyObject *version;
+ PyObject *sn_obj;
+ ASN1_INTEGER *serialNumber;
char buf[2048];
int len;
ASN1_TIME *notBefore, *notAfter;
PyObject *pnotBefore, *pnotAfter;
- int verification;
-
- if (!self->peer_cert)
- Py_RETURN_NONE;
retval = PyDict_New();
if (retval == NULL)
return NULL;
- verification = SSL_CTX_get_verify_mode(self->ctx);
- if ((verification & SSL_VERIFY_PEER) == 0)
- return retval;
-
peer = _create_tuple_for_X509_NAME(
- X509_get_subject_name(self->peer_cert));
+ X509_get_subject_name(certificate));
if (peer == NULL)
goto fail0;
if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
@@ -535,51 +817,98 @@
}
Py_DECREF(peer);
- issuer = _create_tuple_for_X509_NAME(
- X509_get_issuer_name(self->peer_cert));
- if (issuer == NULL)
- goto fail0;
- if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
+ if (verbose) {
+ issuer = _create_tuple_for_X509_NAME(
+ X509_get_issuer_name(certificate));
+ if (issuer == NULL)
+ goto fail0;
+ if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
+ Py_DECREF(issuer);
+ goto fail0;
+ }
Py_DECREF(issuer);
- goto fail0;
- }
- Py_DECREF(issuer);
-
- version = PyInt_FromLong(X509_get_version(self->peer_cert));
- if (PyDict_SetItemString(retval, "version", version) < 0) {
+
+ version = PyInt_FromLong(X509_get_version(certificate) + 1);
+ if (PyDict_SetItemString(retval, "version", version) < 0) {
+ Py_DECREF(version);
+ goto fail0;
+ }
Py_DECREF(version);
- goto fail0;
}
- Py_DECREF(version);
-
+
/* get a memory buffer */
biobuf = BIO_new(BIO_s_mem());
+
+ if (verbose) {
- notBefore = X509_get_notBefore(self->peer_cert);
- ASN1_TIME_print(biobuf, notBefore);
- len = BIO_gets(biobuf, buf, sizeof(buf)-1);
- pnotBefore = PyString_FromStringAndSize(buf, len);
- if (pnotBefore == NULL)
- goto fail1;
- if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
+ (void) BIO_reset(biobuf);
+ serialNumber = X509_get_serialNumber(certificate);
+ /* should not exceed 20 octets, 160 bits, so buf is big enough */
+ i2a_ASN1_INTEGER(biobuf, serialNumber);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail1;
+ }
+ sn_obj = PyString_FromStringAndSize(buf, len);
+ if (sn_obj == NULL)
+ goto fail1;
+ if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
+ Py_DECREF(sn_obj);
+ goto fail1;
+ }
+ Py_DECREF(sn_obj);
+
+ (void) BIO_reset(biobuf);
+ notBefore = X509_get_notBefore(certificate);
+ ASN1_TIME_print(biobuf, notBefore);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail1;
+ }
+ pnotBefore = PyString_FromStringAndSize(buf, len);
+ if (pnotBefore == NULL)
+ goto fail1;
+ if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
+ Py_DECREF(pnotBefore);
+ goto fail1;
+ }
Py_DECREF(pnotBefore);
- goto fail1;
}
- Py_DECREF(pnotBefore);
(void) BIO_reset(biobuf);
- notAfter = X509_get_notAfter(self->peer_cert);
+ notAfter = X509_get_notAfter(certificate);
ASN1_TIME_print(biobuf, notAfter);
len = BIO_gets(biobuf, buf, sizeof(buf)-1);
- BIO_free(biobuf);
+ if (len < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail1;
+ }
pnotAfter = PyString_FromStringAndSize(buf, len);
if (pnotAfter == NULL)
- goto fail0;
+ goto fail1;
if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
Py_DECREF(pnotAfter);
- goto fail0;
+ goto fail1;
}
Py_DECREF(pnotAfter);
+
+ /* Now look for subjectAltName */
+
+ peer_alt_names = _get_peer_alt_names(certificate);
+ if (peer_alt_names == NULL)
+ goto fail1;
+ else if (peer_alt_names != Py_None) {
+ if (PyDict_SetItemString(retval, "subjectAltName",
+ peer_alt_names) < 0) {
+ Py_DECREF(peer_alt_names);
+ goto fail1;
+ }
+ Py_DECREF(peer_alt_names);
+ }
+
+ BIO_free(biobuf);
return retval;
fail1:
@@ -590,6 +919,141 @@
return NULL;
}
+
+static PyObject *
+PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
+
+ PyObject *retval = NULL;
+ char *filename = NULL;
+ X509 *x=NULL;
+ BIO *cert;
+ int verbose = 1;
+
+ if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose))
+ return NULL;
+
+ if ((cert=BIO_new(BIO_s_file())) == NULL) {
+ PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file");
+ goto fail0;
+ }
+
+ if (BIO_read_filename(cert,filename) <= 0) {
+ PyErr_SetString(PySSLErrorObject, "Can't open file");
+ goto fail0;
+ }
+
+ x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
+ if (x == NULL) {
+ PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file");
+ goto fail0;
+ }
+
+ retval = _decode_certificate(x, verbose);
+
+ fail0:
+
+ if (cert != NULL) BIO_free(cert);
+ return retval;
+}
+
+
+static PyObject *
+PySSL_peercert(PySSLObject *self, PyObject *args)
+{
+ PyObject *retval = NULL;
+ int len;
+ int verification;
+ PyObject *binary_mode = Py_None;
+
+ if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode))
+ return NULL;
+
+ if (!self->peer_cert)
+ Py_RETURN_NONE;
+
+ if (PyObject_IsTrue(binary_mode)) {
+ /* return cert in DER-encoded format */
+
+ unsigned char *bytes_buf = NULL;
+
+ bytes_buf = NULL;
+ len = i2d_X509(self->peer_cert, &bytes_buf);
+ if (len < 0) {
+ PySSL_SetError(self, len, __FILE__, __LINE__);
+ return NULL;
+ }
+ retval = PyString_FromStringAndSize((const char *) bytes_buf, len);
+ OPENSSL_free(bytes_buf);
+ return retval;
+
+ } else {
+
+ verification = SSL_CTX_get_verify_mode(self->ctx);
+ if ((verification & SSL_VERIFY_PEER) == 0)
+ return PyDict_New();
+ else
+ return _decode_certificate (self->peer_cert, 0);
+ }
+}
+
+PyDoc_STRVAR(PySSL_peercert_doc,
+"peer_certificate([der=False]) -> certificate\n\
+\n\
+Returns the certificate for the peer. If no certificate was provided,\n\
+returns None. If a certificate was provided, but not validated, returns\n\
+an empty dictionary. Otherwise returns a dict containing information\n\
+about the peer certificate.\n\
+\n\
+If the optional argument is True, returns a DER-encoded copy of the\n\
+peer certificate, or None if no certificate was provided. This will\n\
+return the certificate even if it wasn't validated.");
+
+static PyObject *PySSL_cipher (PySSLObject *self) {
+
+ PyObject *retval, *v;
+ SSL_CIPHER *current;
+ char *cipher_name;
+ char *cipher_protocol;
+
+ if (self->ssl == NULL)
+ return Py_None;
+ current = SSL_get_current_cipher(self->ssl);
+ if (current == NULL)
+ return Py_None;
+
+ retval = PyTuple_New(3);
+ if (retval == NULL)
+ return NULL;
+
+ cipher_name = (char *) SSL_CIPHER_get_name(current);
+ if (cipher_name == NULL) {
+ PyTuple_SET_ITEM(retval, 0, Py_None);
+ } else {
+ v = PyString_FromString(cipher_name);
+ if (v == NULL)
+ goto fail0;
+ PyTuple_SET_ITEM(retval, 0, v);
+ }
+ cipher_protocol = SSL_CIPHER_get_version(current);
+ if (cipher_protocol == NULL) {
+ PyTuple_SET_ITEM(retval, 1, Py_None);
+ } else {
+ v = PyString_FromString(cipher_protocol);
+ if (v == NULL)
+ goto fail0;
+ PyTuple_SET_ITEM(retval, 1, v);
+ }
+ v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL));
+ if (v == NULL)
+ goto fail0;
+ PyTuple_SET_ITEM(retval, 2, v);
+ return retval;
+
+ fail0:
+ Py_DECREF(retval);
+ return NULL;
+}
+
static void PySSL_dealloc(PySSLObject *self)
{
if (self->peer_cert) /* Possible not to have one? */
@@ -636,9 +1100,9 @@
/* s->sock_timeout is in seconds, timeout in ms */
timeout = (int)(s->sock_timeout * 1000 + 0.5);
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
rc = poll(&pollfd, 1, timeout);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
goto normal_return;
}
@@ -657,12 +1121,12 @@
FD_SET(s->sock_fd, &fds);
/* See if the socket is ready */
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
if (writing)
rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
else
rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
normal_return:
/* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
@@ -697,10 +1161,10 @@
}
do {
err = 0;
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
len = SSL_write(self->ssl, data, count);
err = SSL_get_error(self->ssl, len);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if(PyErr_CheckSignals()) {
return NULL;
}
@@ -752,9 +1216,9 @@
return NULL;
/* first check if there are bytes ready to be read */
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
count = SSL_pending(self->ssl);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if (!count) {
sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
@@ -785,10 +1249,10 @@
}
do {
err = 0;
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
count = SSL_read(self->ssl, PyString_AsString(buf), len);
err = SSL_get_error(self->ssl, count);
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if(PyErr_CheckSignals()) {
Py_DECREF(buf);
return NULL;
@@ -831,7 +1295,7 @@
\n\
Read up to len bytes from the SSL socket.");
-static PyObject *PySSL_SSLshutdown(PySSLObject *self, PyObject *args)
+static PyObject *PySSL_SSLshutdown(PySSLObject *self)
{
int err;
@@ -842,13 +1306,13 @@
return NULL;
}
- Py_BEGIN_ALLOW_THREADS
+ PySSL_BEGIN_ALLOW_THREADS
err = SSL_shutdown(self->ssl);
if (err == 0) {
/* we need to call it again to finish the shutdown */
err = SSL_shutdown(self->ssl);
}
- Py_END_ALLOW_THREADS
+ PySSL_END_ALLOW_THREADS
if (err < 0)
return PySSL_SetError(self, err, __FILE__, __LINE__);
@@ -866,12 +1330,14 @@
static PyMethodDef PySSLMethods[] = {
{"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
- PySSL_SSLwrite_doc},
+ PySSL_SSLwrite_doc},
{"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
- PySSL_SSLread_doc},
+ PySSL_SSLread_doc},
{"server", (PyCFunction)PySSL_server, METH_NOARGS},
{"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
- {"peer_certificate", (PyCFunction)PySSL_peercert, METH_NOARGS},
+ {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
+ PySSL_peercert_doc},
+ {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
{"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
PySSL_SSLshutdown_doc},
{NULL, NULL}
@@ -921,7 +1387,7 @@
"RAND_add(string, entropy)\n\
\n\
Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
-bound on the entropy contained in string.");
+bound on the entropy contained in string. See RFC 1750.");
static PyObject *
PySSL_RAND_status(PyObject *self)
@@ -958,9 +1424,9 @@
PyDoc_STRVAR(PySSL_RAND_egd_doc,
"RAND_egd(path) -> bytes\n\
\n\
-Queries the entropy gather daemon (EGD) on socket path. Returns number\n\
-of bytes read. Raises ssl.sslerror if connection to EGD fails or\n\
-if it does provide enough data to seed PRNG.");
+Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
+Returns number of bytes read. Raises SSLError if connection to EGD\n\
+fails or if it does provide enough data to seed PRNG.");
#endif
@@ -969,6 +1435,8 @@
static PyMethodDef PySSL_methods[] = {
{"sslwrap", PySSL_sslwrap,
METH_VARARGS, ssl_doc},
+ {"_test_decode_cert", PySSL_test_decode_certificate,
+ METH_VARARGS},
#ifdef HAVE_OPENSSL_RAND
{"RAND_add", PySSL_RAND_add, METH_VARARGS,
PySSL_RAND_add_doc},
@@ -981,6 +1449,73 @@
};
+#ifdef WITH_THREAD
+
+/* an implementation of OpenSSL threading operations in terms
+ of the Python C thread library */
+
+static PyThread_type_lock *_ssl_locks = NULL;
+
+static unsigned long _ssl_thread_id_function (void) {
+ return PyThread_get_thread_ident();
+}
+
+static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) {
+ /* this function is needed to perform locking on shared data
+ structures. (Note that OpenSSL uses a number of global data
+ structures that will be implicitly shared whenever multiple threads
+ use OpenSSL.) Multi-threaded applications will crash at random if
+ it is not set.
+
+ locking_function() must be able to handle up to CRYPTO_num_locks()
+ different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and
+ releases it otherwise.
+
+ file and line are the file number of the function setting the
+ lock. They can be useful for debugging.
+ */
+
+ if ((_ssl_locks == NULL) ||
+ (n < 0) || (n >= _ssl_locks_count))
+ return;
+
+ if (mode & CRYPTO_LOCK) {
+ PyThread_acquire_lock(_ssl_locks[n], 1);
+ } else {
+ PyThread_release_lock(_ssl_locks[n]);
+ }
+}
+
+static int _setup_ssl_threads(void) {
+
+ int i;
+
+ if (_ssl_locks == NULL) {
+ _ssl_locks_count = CRYPTO_num_locks();
+ _ssl_locks = (PyThread_type_lock *)
+ malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
+ if (_ssl_locks == NULL)
+ return 0;
+ memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count);
+ for (i = 0; i < _ssl_locks_count; i++) {
+ _ssl_locks[i] = PyThread_allocate_lock();
+ if (_ssl_locks[i] == NULL) {
+ int j;
+ for (j = 0; j < i; j++) {
+ PyThread_free_lock(_ssl_locks[j]);
+ }
+ free(_ssl_locks);
+ return 0;
+ }
+ }
+ CRYPTO_set_locking_callback(_ssl_thread_locking_function);
+ CRYPTO_set_id_callback(_ssl_thread_id_function);
+ }
+ return 1;
+}
+
+#endif /* def HAVE_THREAD */
+
PyDoc_STRVAR(module_doc,
"Implementation module for SSL socket operations. See the socket module\n\
for documentation.");
@@ -1003,15 +1538,21 @@
/* Init OpenSSL */
SSL_load_error_strings();
+#ifdef WITH_THREAD
+ /* note that this will start threading if not already started */
+ if (!_setup_ssl_threads()) {
+ return;
+ }
+#endif
SSLeay_add_ssl_algorithms();
/* Add symbols to module dict */
- PySSLErrorObject = PyErr_NewException("ssl.sslerror",
+ PySSLErrorObject = PyErr_NewException("ssl.SSLError",
PySocketModule.error,
NULL);
if (PySSLErrorObject == NULL)
return;
- if (PyDict_SetItemString(d, "sslerror", PySSLErrorObject) != 0)
+ if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0)
return;
if (PyDict_SetItemString(d, "SSLType",
(PyObject *)&PySSL_Type) != 0)