Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 20d60803d520a40ea79e1f1bb00dd9fb548d761c / . / Modules / _ssl.c
blob: 268ae93137619589e8291e8a041773092d590717 [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1/* SSL socket module
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]4 Re-worked a bit by Bill Janssen to add server-side support and
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]5 certificate decoding. Chris Stawarz contributed some non-blocking
6 patches.
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]7
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]8 This module is imported by ssl.py. It should *not* be used
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]9 directly.
10
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]11 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
Antoine Pitrou2c4f98b2010-04-23 00:16:21 +0000[diff] [blame]12
13 XXX integrate several "shutdown modes" as suggested in
14 http://bugs.python.org/issue8108#msg102867 ?
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]15*/
16
17#include "Python.h"
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]19#ifdef WITH_THREAD
20#include "pythread.h"
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]21#define PySSL_BEGIN_ALLOW_THREADS_S(save) \
22 do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
23#define PySSL_END_ALLOW_THREADS_S(save) \
24 do { if (_ssl_locks_count>0) { PyEval_RestoreThread(save); } } while (0)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]25#define PySSL_BEGIN_ALLOW_THREADS { \
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]26 PyThreadState *_save = NULL; \
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]27 PySSL_BEGIN_ALLOW_THREADS_S(_save);
28#define PySSL_BLOCK_THREADS PySSL_END_ALLOW_THREADS_S(_save);
29#define PySSL_UNBLOCK_THREADS PySSL_BEGIN_ALLOW_THREADS_S(_save);
30#define PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS_S(_save); }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]31
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]32#else /* no WITH_THREAD */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]33
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]34#define PySSL_BEGIN_ALLOW_THREADS_S(save)
35#define PySSL_END_ALLOW_THREADS_S(save)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]36#define PySSL_BEGIN_ALLOW_THREADS
37#define PySSL_BLOCK_THREADS
38#define PySSL_UNBLOCK_THREADS
39#define PySSL_END_ALLOW_THREADS
40
41#endif
42
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]43enum py_ssl_error {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]44 /* these mirror ssl.h */
45 PY_SSL_ERROR_NONE,
46 PY_SSL_ERROR_SSL,
47 PY_SSL_ERROR_WANT_READ,
48 PY_SSL_ERROR_WANT_WRITE,
49 PY_SSL_ERROR_WANT_X509_LOOKUP,
50 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
51 PY_SSL_ERROR_ZERO_RETURN,
52 PY_SSL_ERROR_WANT_CONNECT,
53 /* start of non ssl.h errorcodes */
54 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
55 PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */
56 PY_SSL_ERROR_INVALID_ERROR_CODE
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]57};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]58
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]59enum py_ssl_server_or_client {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]60 PY_SSL_CLIENT,
61 PY_SSL_SERVER
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]62};
63
64enum py_ssl_cert_requirements {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]65 PY_SSL_CERT_NONE,
66 PY_SSL_CERT_OPTIONAL,
67 PY_SSL_CERT_REQUIRED
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]68};
69
70enum py_ssl_version {
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]71#ifndef OPENSSL_NO_SSL2
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]72 PY_SSL_VERSION_SSL2,
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]73#endif
74 PY_SSL_VERSION_SSL3=1,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]75 PY_SSL_VERSION_SSL23,
76 PY_SSL_VERSION_TLS1
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]77};
78
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]79struct py_ssl_error_code {
80 const char *mnemonic;
81 int library, reason;
82};
83
84struct py_ssl_library_code {
85 const char *library;
86 int code;
87};
88
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]89/* Include symbols from _socket module */
90#include "socketmodule.h"
91
Benjamin Petersonb173f782009-05-05 22:31:58 +0000[diff] [blame]92static PySocketModule_APIObject PySocketModule;
93
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]94#if defined(HAVE_POLL_H)
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]95#include <poll.h>
96#elif defined(HAVE_SYS_POLL_H)
97#include <sys/poll.h>
98#endif
99
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]100/* Include OpenSSL header files */
101#include "openssl/rsa.h"
102#include "openssl/crypto.h"
103#include "openssl/x509.h"
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]104#include "openssl/x509v3.h"
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]105#include "openssl/pem.h"
106#include "openssl/ssl.h"
107#include "openssl/err.h"
108#include "openssl/rand.h"
109
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]110/* Include generated data (error codes) */
111#include "_ssl_data.h"
112
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]113/* SSL error object */
114static PyObject *PySSLErrorObject;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]115static PyObject *PySSLZeroReturnErrorObject;
116static PyObject *PySSLWantReadErrorObject;
117static PyObject *PySSLWantWriteErrorObject;
118static PyObject *PySSLSyscallErrorObject;
119static PyObject *PySSLEOFErrorObject;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]120
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]121/* Error mappings */
122static PyObject *err_codes_to_names;
123static PyObject *err_names_to_codes;
124static PyObject *lib_codes_to_names;
125
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]126#ifdef WITH_THREAD
127
128/* serves as a flag to see whether we've initialized the SSL thread support. */
129/* 0 means no, greater than 0 means yes */
130
131static unsigned int _ssl_locks_count = 0;
132
133#endif /* def WITH_THREAD */
134
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]135/* SSL socket object */
136
137#define X509_NAME_MAXLEN 256
138
139/* RAND_* APIs got added to OpenSSL in 0.9.5 */
140#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
141# define HAVE_OPENSSL_RAND 1
142#else
143# undef HAVE_OPENSSL_RAND
144#endif
145
Gregory P. Smithbd4dacb2010-10-13 03:53:21 +0000[diff] [blame]146/* SSL_CTX_clear_options() and SSL_clear_options() were first added in
147 * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the
148 * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */
149#if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x00909000L
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]150# define HAVE_SSL_CTX_CLEAR_OPTIONS
151#else
152# undef HAVE_SSL_CTX_CLEAR_OPTIONS
153#endif
154
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]155/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
156 * older SSL, but let's be safe */
157#define PySSL_CB_MAXLEN 128
158
159/* SSL_get_finished got added to OpenSSL in 0.9.5 */
160#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
161# define HAVE_OPENSSL_FINISHED 1
162#else
163# define HAVE_OPENSSL_FINISHED 0
164#endif
165
Antoine Pitroua9bf2ac2012-02-17 18:47:54 +0100[diff] [blame]166/* ECDH support got added to OpenSSL in 0.9.8 */
167#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_ECDH)
168# define OPENSSL_NO_ECDH
169#endif
170
Antoine Pitrouc135fa42012-02-19 21:22:39 +0100[diff] [blame]171/* compression support got added to OpenSSL in 0.9.8 */
172#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_COMP)
173# define OPENSSL_NO_COMP
174#endif
175
Antoine Pitroua9bf2ac2012-02-17 18:47:54 +0100[diff] [blame]176
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]177typedef struct {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]178 PyObject_HEAD
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]179 SSL_CTX *ctx;
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]180#ifdef OPENSSL_NPN_NEGOTIATED
181 char *npn_protocols;
182 int npn_protocols_len;
183#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]184#ifndef OPENSSL_NO_TLSEXT
185 PyObject *set_hostname;
186#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]187} PySSLContext;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]188
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]189typedef struct {
190 PyObject_HEAD
191 PyObject *Socket; /* weakref to socket on which we're layered */
192 SSL *ssl;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]193 PySSLContext *ctx; /* weakref to SSL context */
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]194 X509 *peer_cert;
195 int shutdown_seen_zero;
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]196 enum py_ssl_server_or_client socket_type;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]197} PySSLSocket;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]198
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]199static PyTypeObject PySSLContext_Type;
200static PyTypeObject PySSLSocket_Type;
201
202static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args);
203static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]204static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]205 int writing);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]206static PyObject *PySSL_peercert(PySSLSocket *self, PyObject *args);
207static PyObject *PySSL_cipher(PySSLSocket *self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]208
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]209#define PySSLContext_Check(v) (Py_TYPE(v) == &PySSLContext_Type)
210#define PySSLSocket_Check(v) (Py_TYPE(v) == &PySSLSocket_Type)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]211
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]212typedef enum {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]213 SOCKET_IS_NONBLOCKING,
214 SOCKET_IS_BLOCKING,
215 SOCKET_HAS_TIMED_OUT,
216 SOCKET_HAS_BEEN_CLOSED,
217 SOCKET_TOO_LARGE_FOR_SELECT,
218 SOCKET_OPERATION_OK
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]219} timeout_state;
220
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]221/* Wrap error strings with filename and line # */
222#define STRINGIFY1(x) #x
223#define STRINGIFY2(x) STRINGIFY1(x)
224#define ERRSTR1(x,y,z) (x ":" y ": " z)
225#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
226
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]227
228/*
229 * SSL errors.
230 */
231
232PyDoc_STRVAR(SSLError_doc,
233"An error occurred in the SSL implementation.");
234
235PyDoc_STRVAR(SSLZeroReturnError_doc,
236"SSL/TLS session closed cleanly.");
237
238PyDoc_STRVAR(SSLWantReadError_doc,
239"Non-blocking SSL socket needs to read more data\n"
240"before the requested operation can be completed.");
241
242PyDoc_STRVAR(SSLWantWriteError_doc,
243"Non-blocking SSL socket needs to write more data\n"
244"before the requested operation can be completed.");
245
246PyDoc_STRVAR(SSLSyscallError_doc,
247"System error when attempting SSL operation.");
248
249PyDoc_STRVAR(SSLEOFError_doc,
250"SSL/TLS connection terminated abruptly.");
251
252static PyObject *
253SSLError_str(PyOSErrorObject *self)
254{
255 if (self->strerror != NULL && PyUnicode_Check(self->strerror)) {
256 Py_INCREF(self->strerror);
257 return self->strerror;
258 }
259 else
260 return PyObject_Str(self->args);
261}
262
263static PyType_Slot sslerror_type_slots[] = {
264 {Py_tp_base, NULL}, /* Filled out in module init as it's not a constant */
265 {Py_tp_doc, SSLError_doc},
266 {Py_tp_str, SSLError_str},
267 {0, 0},
268};
269
270static PyType_Spec sslerror_type_spec = {
271 "ssl.SSLError",
272 sizeof(PyOSErrorObject),
273 0,
274 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
275 sslerror_type_slots
276};
277
278static void
279fill_and_set_sslerror(PyObject *type, int ssl_errno, const char *errstr,
280 int lineno, unsigned long errcode)
281{
282 PyObject *err_value = NULL, *reason_obj = NULL, *lib_obj = NULL;
283 PyObject *init_value, *msg, *key;
284 _Py_IDENTIFIER(reason);
285 _Py_IDENTIFIER(library);
286
287 if (errcode != 0) {
288 int lib, reason;
289
290 lib = ERR_GET_LIB(errcode);
291 reason = ERR_GET_REASON(errcode);
292 key = Py_BuildValue("ii", lib, reason);
293 if (key == NULL)
294 goto fail;
295 reason_obj = PyDict_GetItem(err_codes_to_names, key);
296 Py_DECREF(key);
297 if (reason_obj == NULL) {
298 /* XXX if reason < 100, it might reflect a library number (!!) */
299 PyErr_Clear();
300 }
301 key = PyLong_FromLong(lib);
302 if (key == NULL)
303 goto fail;
304 lib_obj = PyDict_GetItem(lib_codes_to_names, key);
305 Py_DECREF(key);
306 if (lib_obj == NULL) {
307 PyErr_Clear();
308 }
309 if (errstr == NULL)
310 errstr = ERR_reason_error_string(errcode);
311 }
312 if (errstr == NULL)
313 errstr = "unknown error";
314
315 if (reason_obj && lib_obj)
316 msg = PyUnicode_FromFormat("[%S: %S] %s (_ssl.c:%d)",
317 lib_obj, reason_obj, errstr, lineno);
318 else if (lib_obj)
319 msg = PyUnicode_FromFormat("[%S] %s (_ssl.c:%d)",
320 lib_obj, errstr, lineno);
321 else
322 msg = PyUnicode_FromFormat("%s (_ssl.c:%d)", errstr, lineno);
323
324 if (msg == NULL)
325 goto fail;
326 init_value = Py_BuildValue("iN", ssl_errno, msg);
327 err_value = PyObject_CallObject(type, init_value);
328 Py_DECREF(init_value);
329 if (err_value == NULL)
330 goto fail;
331 if (reason_obj == NULL)
332 reason_obj = Py_None;
333 if (_PyObject_SetAttrId(err_value, &PyId_reason, reason_obj))
334 goto fail;
335 if (lib_obj == NULL)
336 lib_obj = Py_None;
337 if (_PyObject_SetAttrId(err_value, &PyId_library, lib_obj))
338 goto fail;
339 PyErr_SetObject(type, err_value);
340fail:
341 Py_XDECREF(err_value);
342}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]343
344static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]345PySSL_SetError(PySSLSocket *obj, int ret, char *filename, int lineno)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]346{
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]347 PyObject *type = PySSLErrorObject;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]348 char *errstr = NULL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]349 int err;
350 enum py_ssl_error p = PY_SSL_ERROR_NONE;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]351 unsigned long e = 0;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]352
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]353 assert(ret <= 0);
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]354 e = ERR_peek_last_error();
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]355
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]356 if (obj->ssl != NULL) {
357 err = SSL_get_error(obj->ssl, ret);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]358
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]359 switch (err) {
360 case SSL_ERROR_ZERO_RETURN:
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]361 errstr = "TLS/SSL connection has been closed (EOF)";
362 type = PySSLZeroReturnErrorObject;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]363 p = PY_SSL_ERROR_ZERO_RETURN;
364 break;
365 case SSL_ERROR_WANT_READ:
366 errstr = "The operation did not complete (read)";
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]367 type = PySSLWantReadErrorObject;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]368 p = PY_SSL_ERROR_WANT_READ;
369 break;
370 case SSL_ERROR_WANT_WRITE:
371 p = PY_SSL_ERROR_WANT_WRITE;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]372 type = PySSLWantWriteErrorObject;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]373 errstr = "The operation did not complete (write)";
374 break;
375 case SSL_ERROR_WANT_X509_LOOKUP:
376 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]377 errstr = "The operation did not complete (X509 lookup)";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]378 break;
379 case SSL_ERROR_WANT_CONNECT:
380 p = PY_SSL_ERROR_WANT_CONNECT;
381 errstr = "The operation did not complete (connect)";
382 break;
383 case SSL_ERROR_SYSCALL:
384 {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]385 if (e == 0) {
386 PySocketSockObject *s
387 = (PySocketSockObject *) PyWeakref_GetObject(obj->Socket);
388 if (ret == 0 || (((PyObject *)s) == Py_None)) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]389 p = PY_SSL_ERROR_EOF;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]390 type = PySSLEOFErrorObject;
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]391 errstr = "EOF occurred in violation of protocol";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]392 } else if (ret == -1) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]393 /* underlying BIO reported an I/O error */
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]394 Py_INCREF(s);
Antoine Pitrou9d74b422010-05-16 23:14:22 +0000[diff] [blame]395 ERR_clear_error();
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]396 s->errorhandler();
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]397 Py_DECREF(s);
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]398 return NULL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]399 } else { /* possible? */
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]400 p = PY_SSL_ERROR_SYSCALL;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]401 type = PySSLSyscallErrorObject;
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]402 errstr = "Some I/O error occurred";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]403 }
404 } else {
405 p = PY_SSL_ERROR_SYSCALL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]406 }
407 break;
408 }
409 case SSL_ERROR_SSL:
410 {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]411 p = PY_SSL_ERROR_SSL;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]412 if (e == 0)
413 /* possible? */
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]414 errstr = "A failure in the SSL library occurred";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]415 break;
416 }
417 default:
418 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
419 errstr = "Invalid error code";
420 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]421 }
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]422 fill_and_set_sslerror(type, p, errstr, lineno, e);
Antoine Pitrou9d74b422010-05-16 23:14:22 +0000[diff] [blame]423 ERR_clear_error();
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]424 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]425}
426
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]427static PyObject *
428_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
429
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]430 if (errstr == NULL)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]431 errcode = ERR_peek_last_error();
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]432 else
433 errcode = 0;
434 fill_and_set_sslerror(PySSLErrorObject, errcode, errstr, lineno, errcode);
Antoine Pitrou9d74b422010-05-16 23:14:22 +0000[diff] [blame]435 ERR_clear_error();
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]436 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]437}
438
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]439/*
440 * SSL objects
441 */
442
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]443static PySSLSocket *
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]444newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]445 enum py_ssl_server_or_client socket_type,
446 char *server_hostname)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]447{
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]448 PySSLSocket *self;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]449 SSL_CTX *ctx = sslctx->ctx;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]450
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]451 self = PyObject_New(PySSLSocket, &PySSLSocket_Type);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]452 if (self == NULL)
453 return NULL;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]454
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]455 self->peer_cert = NULL;
456 self->ssl = NULL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]457 self->Socket = NULL;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]458 self->ctx = sslctx;
459 Py_INCREF(sslctx);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]460
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]461 /* Make sure the SSL error state is initialized */
462 (void) ERR_get_state();
463 ERR_clear_error();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]464
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]465 PySSL_BEGIN_ALLOW_THREADS
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]466 self->ssl = SSL_new(ctx);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]467 PySSL_END_ALLOW_THREADS
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]468 SSL_set_app_data(self->ssl,self);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]469 SSL_set_fd(self->ssl, sock->sock_fd);
Antoine Pitrou0ae7b582010-04-09 20:42:09 +0000[diff] [blame]470#ifdef SSL_MODE_AUTO_RETRY
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]471 SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY);
Antoine Pitrou0ae7b582010-04-09 20:42:09 +0000[diff] [blame]472#endif
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]473
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]474#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
475 if (server_hostname != NULL)
476 SSL_set_tlsext_host_name(self->ssl, server_hostname);
477#endif
478
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]479 /* If the socket is in non-blocking mode or timeout mode, set the BIO
480 * to non-blocking mode (blocking is the default)
481 */
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]482 if (sock->sock_timeout >= 0.0) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]483 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
484 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
485 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]486
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]487 PySSL_BEGIN_ALLOW_THREADS
488 if (socket_type == PY_SSL_CLIENT)
489 SSL_set_connect_state(self->ssl);
490 else
491 SSL_set_accept_state(self->ssl);
492 PySSL_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]493
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]494 self->socket_type = socket_type;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]495 self->Socket = PyWeakref_NewRef((PyObject *) sock, NULL);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]496 return self;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]497}
498
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]499/* SSL object methods */
500
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]501static PyObject *PySSL_SSLdo_handshake(PySSLSocket *self)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]502{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]503 int ret;
504 int err;
505 int sockstate, nonblocking;
506 PySocketSockObject *sock
507 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]508
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]509 if (((PyObject*)sock) == Py_None) {
510 _setSSLError("Underlying socket connection gone",
511 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
512 return NULL;
513 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]514 Py_INCREF(sock);
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]515
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]516 /* just in case the blocking state of the socket has been changed */
517 nonblocking = (sock->sock_timeout >= 0.0);
518 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
519 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]520
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]521 /* Actually negotiate SSL connection */
522 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]523 do {
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]524 PySSL_BEGIN_ALLOW_THREADS
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]525 ret = SSL_do_handshake(self->ssl);
526 err = SSL_get_error(self->ssl, ret);
527 PySSL_END_ALLOW_THREADS
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]528 if (PyErr_CheckSignals())
529 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]530 if (err == SSL_ERROR_WANT_READ) {
531 sockstate = check_socket_and_wait_for_timeout(sock, 0);
532 } else if (err == SSL_ERROR_WANT_WRITE) {
533 sockstate = check_socket_and_wait_for_timeout(sock, 1);
534 } else {
535 sockstate = SOCKET_OPERATION_OK;
536 }
537 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]538 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]539 ERRSTR("The handshake operation timed out"));
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]540 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]541 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
542 PyErr_SetString(PySSLErrorObject,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]543 ERRSTR("Underlying socket has been closed."));
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]544 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]545 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
546 PyErr_SetString(PySSLErrorObject,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]547 ERRSTR("Underlying socket too large for select()."));
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]548 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]549 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
550 break;
551 }
552 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]553 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]554 if (ret < 1)
555 return PySSL_SetError(self, ret, __FILE__, __LINE__);
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]556
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]557 if (self->peer_cert)
558 X509_free (self->peer_cert);
559 PySSL_BEGIN_ALLOW_THREADS
560 self->peer_cert = SSL_get_peer_certificate(self->ssl);
561 PySSL_END_ALLOW_THREADS
562
563 Py_INCREF(Py_None);
564 return Py_None;
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]565
566error:
567 Py_DECREF(sock);
568 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]569}
570
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]571static PyObject *
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]572_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) {
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]573
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]574 char namebuf[X509_NAME_MAXLEN];
575 int buflen;
576 PyObject *name_obj;
577 PyObject *value_obj;
578 PyObject *attr;
579 unsigned char *valuebuf = NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]580
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]581 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
582 if (buflen < 0) {
583 _setSSLError(NULL, 0, __FILE__, __LINE__);
584 goto fail;
585 }
586 name_obj = PyUnicode_FromStringAndSize(namebuf, buflen);
587 if (name_obj == NULL)
588 goto fail;
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]589
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]590 buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
591 if (buflen < 0) {
592 _setSSLError(NULL, 0, __FILE__, __LINE__);
593 Py_DECREF(name_obj);
594 goto fail;
595 }
596 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]597 buflen, "strict");
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]598 OPENSSL_free(valuebuf);
599 if (value_obj == NULL) {
600 Py_DECREF(name_obj);
601 goto fail;
602 }
603 attr = PyTuple_New(2);
604 if (attr == NULL) {
605 Py_DECREF(name_obj);
606 Py_DECREF(value_obj);
607 goto fail;
608 }
609 PyTuple_SET_ITEM(attr, 0, name_obj);
610 PyTuple_SET_ITEM(attr, 1, value_obj);
611 return attr;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]612
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]613 fail:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]614 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]615}
616
617static PyObject *
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]618_create_tuple_for_X509_NAME (X509_NAME *xname)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]619{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]620 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */
621 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */
622 PyObject *rdnt;
623 PyObject *attr = NULL; /* tuple to hold an attribute */
624 int entry_count = X509_NAME_entry_count(xname);
625 X509_NAME_ENTRY *entry;
626 ASN1_OBJECT *name;
627 ASN1_STRING *value;
628 int index_counter;
629 int rdn_level = -1;
630 int retcode;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]631
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]632 dn = PyList_New(0);
633 if (dn == NULL)
634 return NULL;
635 /* now create another tuple to hold the top-level RDN */
636 rdn = PyList_New(0);
637 if (rdn == NULL)
638 goto fail0;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]639
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]640 for (index_counter = 0;
641 index_counter < entry_count;
642 index_counter++)
643 {
644 entry = X509_NAME_get_entry(xname, index_counter);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]645
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]646 /* check to see if we've gotten to a new RDN */
647 if (rdn_level >= 0) {
648 if (rdn_level != entry->set) {
649 /* yes, new RDN */
650 /* add old RDN to DN */
651 rdnt = PyList_AsTuple(rdn);
652 Py_DECREF(rdn);
653 if (rdnt == NULL)
654 goto fail0;
655 retcode = PyList_Append(dn, rdnt);
656 Py_DECREF(rdnt);
657 if (retcode < 0)
658 goto fail0;
659 /* create new RDN */
660 rdn = PyList_New(0);
661 if (rdn == NULL)
662 goto fail0;
663 }
664 }
665 rdn_level = entry->set;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]666
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]667 /* now add this attribute to the current RDN */
668 name = X509_NAME_ENTRY_get_object(entry);
669 value = X509_NAME_ENTRY_get_data(entry);
670 attr = _create_tuple_for_attribute(name, value);
671 /*
672 fprintf(stderr, "RDN level %d, attribute %s: %s\n",
673 entry->set,
674 PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
675 PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
676 */
677 if (attr == NULL)
678 goto fail1;
679 retcode = PyList_Append(rdn, attr);
680 Py_DECREF(attr);
681 if (retcode < 0)
682 goto fail1;
683 }
684 /* now, there's typically a dangling RDN */
Antoine Pitrou2f5a1632012-02-15 22:25:27 +0100[diff] [blame]685 if (rdn != NULL) {
686 if (PyList_GET_SIZE(rdn) > 0) {
687 rdnt = PyList_AsTuple(rdn);
688 Py_DECREF(rdn);
689 if (rdnt == NULL)
690 goto fail0;
691 retcode = PyList_Append(dn, rdnt);
692 Py_DECREF(rdnt);
693 if (retcode < 0)
694 goto fail0;
695 }
696 else {
697 Py_DECREF(rdn);
698 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]699 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]700
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]701 /* convert list to tuple */
702 rdnt = PyList_AsTuple(dn);
703 Py_DECREF(dn);
704 if (rdnt == NULL)
705 return NULL;
706 return rdnt;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]707
708 fail1:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]709 Py_XDECREF(rdn);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]710
711 fail0:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]712 Py_XDECREF(dn);
713 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]714}
715
716static PyObject *
717_get_peer_alt_names (X509 *certificate) {
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]718
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]719 /* this code follows the procedure outlined in
720 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
721 function to extract the STACK_OF(GENERAL_NAME),
722 then iterates through the stack to add the
723 names. */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]724
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]725 int i, j;
726 PyObject *peer_alt_names = Py_None;
727 PyObject *v, *t;
728 X509_EXTENSION *ext = NULL;
729 GENERAL_NAMES *names = NULL;
730 GENERAL_NAME *name;
Benjamin Petersoneb1410f2010-10-13 22:06:39 +0000[diff] [blame]731 const X509V3_EXT_METHOD *method;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]732 BIO *biobuf = NULL;
733 char buf[2048];
734 char *vptr;
735 int len;
736 /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */
Victor Stinner7124a412010-03-02 22:48:17 +0000[diff] [blame]737#if OPENSSL_VERSION_NUMBER >= 0x009060dfL
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]738 const unsigned char *p;
Victor Stinner7124a412010-03-02 22:48:17 +0000[diff] [blame]739#else
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]740 unsigned char *p;
Victor Stinner7124a412010-03-02 22:48:17 +0000[diff] [blame]741#endif
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]742
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]743 if (certificate == NULL)
744 return peer_alt_names;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]745
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]746 /* get a memory buffer */
747 biobuf = BIO_new(BIO_s_mem());
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]748
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]749 i = -1;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]750 while ((i = X509_get_ext_by_NID(
751 certificate, NID_subject_alt_name, i)) >= 0) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]752
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]753 if (peer_alt_names == Py_None) {
754 peer_alt_names = PyList_New(0);
755 if (peer_alt_names == NULL)
756 goto fail;
757 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]758
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]759 /* now decode the altName */
760 ext = X509_get_ext(certificate, i);
761 if(!(method = X509V3_EXT_get(ext))) {
762 PyErr_SetString
763 (PySSLErrorObject,
764 ERRSTR("No method for internalizing subjectAltName!"));
765 goto fail;
766 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]767
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]768 p = ext->value->data;
769 if (method->it)
770 names = (GENERAL_NAMES*)
771 (ASN1_item_d2i(NULL,
772 &p,
773 ext->value->length,
774 ASN1_ITEM_ptr(method->it)));
775 else
776 names = (GENERAL_NAMES*)
777 (method->d2i(NULL,
778 &p,
779 ext->value->length));
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]780
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]781 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]782
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]783 /* get a rendering of each name in the set of names */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]784
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]785 name = sk_GENERAL_NAME_value(names, j);
786 if (name->type == GEN_DIRNAME) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]787
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]788 /* we special-case DirName as a tuple of
789 tuples of attributes */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]790
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]791 t = PyTuple_New(2);
792 if (t == NULL) {
793 goto fail;
794 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]795
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]796 v = PyUnicode_FromString("DirName");
797 if (v == NULL) {
798 Py_DECREF(t);
799 goto fail;
800 }
801 PyTuple_SET_ITEM(t, 0, v);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]802
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]803 v = _create_tuple_for_X509_NAME (name->d.dirn);
804 if (v == NULL) {
805 Py_DECREF(t);
806 goto fail;
807 }
808 PyTuple_SET_ITEM(t, 1, v);
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]809
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]810 } else {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]811
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]812 /* for everything else, we use the OpenSSL print form */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]813
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]814 (void) BIO_reset(biobuf);
815 GENERAL_NAME_print(biobuf, name);
816 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
817 if (len < 0) {
818 _setSSLError(NULL, 0, __FILE__, __LINE__);
819 goto fail;
820 }
821 vptr = strchr(buf, ':');
822 if (vptr == NULL)
823 goto fail;
824 t = PyTuple_New(2);
825 if (t == NULL)
826 goto fail;
827 v = PyUnicode_FromStringAndSize(buf, (vptr - buf));
828 if (v == NULL) {
829 Py_DECREF(t);
830 goto fail;
831 }
832 PyTuple_SET_ITEM(t, 0, v);
833 v = PyUnicode_FromStringAndSize((vptr + 1),
834 (len - (vptr - buf + 1)));
835 if (v == NULL) {
836 Py_DECREF(t);
837 goto fail;
838 }
839 PyTuple_SET_ITEM(t, 1, v);
840 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]841
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]842 /* and add that rendering to the list */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]843
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]844 if (PyList_Append(peer_alt_names, t) < 0) {
845 Py_DECREF(t);
846 goto fail;
847 }
848 Py_DECREF(t);
849 }
Antoine Pitrou116d6b92011-11-23 01:39:19 +0100[diff] [blame]850 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]851 }
852 BIO_free(biobuf);
853 if (peer_alt_names != Py_None) {
854 v = PyList_AsTuple(peer_alt_names);
855 Py_DECREF(peer_alt_names);
856 return v;
857 } else {
858 return peer_alt_names;
859 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]860
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]861
862 fail:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]863 if (biobuf != NULL)
864 BIO_free(biobuf);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]865
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]866 if (peer_alt_names != Py_None) {
867 Py_XDECREF(peer_alt_names);
868 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]869
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]870 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]871}
872
873static PyObject *
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]874_decode_certificate(X509 *certificate) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]875
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]876 PyObject *retval = NULL;
877 BIO *biobuf = NULL;
878 PyObject *peer;
879 PyObject *peer_alt_names = NULL;
880 PyObject *issuer;
881 PyObject *version;
882 PyObject *sn_obj;
883 ASN1_INTEGER *serialNumber;
884 char buf[2048];
885 int len;
886 ASN1_TIME *notBefore, *notAfter;
887 PyObject *pnotBefore, *pnotAfter;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]888
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]889 retval = PyDict_New();
890 if (retval == NULL)
891 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]892
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]893 peer = _create_tuple_for_X509_NAME(
894 X509_get_subject_name(certificate));
895 if (peer == NULL)
896 goto fail0;
897 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
898 Py_DECREF(peer);
899 goto fail0;
900 }
901 Py_DECREF(peer);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]902
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]903 issuer = _create_tuple_for_X509_NAME(
904 X509_get_issuer_name(certificate));
905 if (issuer == NULL)
906 goto fail0;
907 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]908 Py_DECREF(issuer);
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]909 goto fail0;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]910 }
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]911 Py_DECREF(issuer);
912
913 version = PyLong_FromLong(X509_get_version(certificate) + 1);
914 if (PyDict_SetItemString(retval, "version", version) < 0) {
915 Py_DECREF(version);
916 goto fail0;
917 }
918 Py_DECREF(version);
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]919
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]920 /* get a memory buffer */
921 biobuf = BIO_new(BIO_s_mem());
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]922
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]923 (void) BIO_reset(biobuf);
924 serialNumber = X509_get_serialNumber(certificate);
925 /* should not exceed 20 octets, 160 bits, so buf is big enough */
926 i2a_ASN1_INTEGER(biobuf, serialNumber);
927 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
928 if (len < 0) {
929 _setSSLError(NULL, 0, __FILE__, __LINE__);
930 goto fail1;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]931 }
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]932 sn_obj = PyUnicode_FromStringAndSize(buf, len);
933 if (sn_obj == NULL)
934 goto fail1;
935 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
936 Py_DECREF(sn_obj);
937 goto fail1;
938 }
939 Py_DECREF(sn_obj);
940
941 (void) BIO_reset(biobuf);
942 notBefore = X509_get_notBefore(certificate);
943 ASN1_TIME_print(biobuf, notBefore);
944 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
945 if (len < 0) {
946 _setSSLError(NULL, 0, __FILE__, __LINE__);
947 goto fail1;
948 }
949 pnotBefore = PyUnicode_FromStringAndSize(buf, len);
950 if (pnotBefore == NULL)
951 goto fail1;
952 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
953 Py_DECREF(pnotBefore);
954 goto fail1;
955 }
956 Py_DECREF(pnotBefore);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]957
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]958 (void) BIO_reset(biobuf);
959 notAfter = X509_get_notAfter(certificate);
960 ASN1_TIME_print(biobuf, notAfter);
961 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
962 if (len < 0) {
963 _setSSLError(NULL, 0, __FILE__, __LINE__);
964 goto fail1;
965 }
966 pnotAfter = PyUnicode_FromStringAndSize(buf, len);
967 if (pnotAfter == NULL)
968 goto fail1;
969 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
970 Py_DECREF(pnotAfter);
971 goto fail1;
972 }
973 Py_DECREF(pnotAfter);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]974
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]975 /* Now look for subjectAltName */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]976
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]977 peer_alt_names = _get_peer_alt_names(certificate);
978 if (peer_alt_names == NULL)
979 goto fail1;
980 else if (peer_alt_names != Py_None) {
981 if (PyDict_SetItemString(retval, "subjectAltName",
982 peer_alt_names) < 0) {
983 Py_DECREF(peer_alt_names);
984 goto fail1;
985 }
986 Py_DECREF(peer_alt_names);
987 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]988
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]989 BIO_free(biobuf);
990 return retval;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]991
992 fail1:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]993 if (biobuf != NULL)
994 BIO_free(biobuf);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]995 fail0:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]996 Py_XDECREF(retval);
997 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]998}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]999
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1000
1001static PyObject *
1002PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
1003
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1004 PyObject *retval = NULL;
Victor Stinner3800e1e2010-05-16 21:23:48 +0000[diff] [blame]1005 PyObject *filename;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1006 X509 *x=NULL;
1007 BIO *cert;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1008
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1009 if (!PyArg_ParseTuple(args, "O&:test_decode_certificate",
1010 PyUnicode_FSConverter, &filename))
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1011 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1012
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1013 if ((cert=BIO_new(BIO_s_file())) == NULL) {
1014 PyErr_SetString(PySSLErrorObject,
1015 "Can't malloc memory to read file");
1016 goto fail0;
1017 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1018
Victor Stinner3800e1e2010-05-16 21:23:48 +0000[diff] [blame]1019 if (BIO_read_filename(cert, PyBytes_AsString(filename)) <= 0) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1020 PyErr_SetString(PySSLErrorObject,
1021 "Can't open file");
1022 goto fail0;
1023 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1024
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1025 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
1026 if (x == NULL) {
1027 PyErr_SetString(PySSLErrorObject,
1028 "Error decoding PEM-encoded file");
1029 goto fail0;
1030 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1031
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1032 retval = _decode_certificate(x);
Mark Dickinsonee55df52010-08-03 18:31:54 +0000[diff] [blame]1033 X509_free(x);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1034
1035 fail0:
Victor Stinner3800e1e2010-05-16 21:23:48 +0000[diff] [blame]1036 Py_DECREF(filename);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1037 if (cert != NULL) BIO_free(cert);
1038 return retval;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1039}
1040
1041
1042static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1043PySSL_peercert(PySSLSocket *self, PyObject *args)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1044{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1045 PyObject *retval = NULL;
1046 int len;
1047 int verification;
Antoine Pitrou721738f2012-08-15 23:20:39 +0200[diff] [blame]1048 int binary_mode = 0;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1049
Antoine Pitrou721738f2012-08-15 23:20:39 +0200[diff] [blame]1050 if (!PyArg_ParseTuple(args, "|p:peer_certificate", &binary_mode))
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1051 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1052
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1053 if (!self->peer_cert)
1054 Py_RETURN_NONE;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1055
Antoine Pitrou721738f2012-08-15 23:20:39 +0200[diff] [blame]1056 if (binary_mode) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1057 /* return cert in DER-encoded format */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1058
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1059 unsigned char *bytes_buf = NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1060
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1061 bytes_buf = NULL;
1062 len = i2d_X509(self->peer_cert, &bytes_buf);
1063 if (len < 0) {
1064 PySSL_SetError(self, len, __FILE__, __LINE__);
1065 return NULL;
1066 }
1067 /* this is actually an immutable bytes sequence */
1068 retval = PyBytes_FromStringAndSize
1069 ((const char *) bytes_buf, len);
1070 OPENSSL_free(bytes_buf);
1071 return retval;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1072
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1073 } else {
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1074 verification = SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(self->ssl));
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1075 if ((verification & SSL_VERIFY_PEER) == 0)
1076 return PyDict_New();
1077 else
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1078 return _decode_certificate(self->peer_cert);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1079 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1080}
1081
1082PyDoc_STRVAR(PySSL_peercert_doc,
1083"peer_certificate([der=False]) -> certificate\n\
1084\n\
1085Returns the certificate for the peer. If no certificate was provided,\n\
1086returns None. If a certificate was provided, but not validated, returns\n\
1087an empty dictionary. Otherwise returns a dict containing information\n\
1088about the peer certificate.\n\
1089\n\
1090If the optional argument is True, returns a DER-encoded copy of the\n\
1091peer certificate, or None if no certificate was provided. This will\n\
1092return the certificate even if it wasn't validated.");
1093
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1094static PyObject *PySSL_cipher (PySSLSocket *self) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1095
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1096 PyObject *retval, *v;
Benjamin Petersoneb1410f2010-10-13 22:06:39 +0000[diff] [blame]1097 const SSL_CIPHER *current;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1098 char *cipher_name;
1099 char *cipher_protocol;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1100
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1101 if (self->ssl == NULL)
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1102 Py_RETURN_NONE;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1103 current = SSL_get_current_cipher(self->ssl);
1104 if (current == NULL)
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1105 Py_RETURN_NONE;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1106
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1107 retval = PyTuple_New(3);
1108 if (retval == NULL)
1109 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1110
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1111 cipher_name = (char *) SSL_CIPHER_get_name(current);
1112 if (cipher_name == NULL) {
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1113 Py_INCREF(Py_None);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1114 PyTuple_SET_ITEM(retval, 0, Py_None);
1115 } else {
1116 v = PyUnicode_FromString(cipher_name);
1117 if (v == NULL)
1118 goto fail0;
1119 PyTuple_SET_ITEM(retval, 0, v);
1120 }
1121 cipher_protocol = SSL_CIPHER_get_version(current);
1122 if (cipher_protocol == NULL) {
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1123 Py_INCREF(Py_None);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1124 PyTuple_SET_ITEM(retval, 1, Py_None);
1125 } else {
1126 v = PyUnicode_FromString(cipher_protocol);
1127 if (v == NULL)
1128 goto fail0;
1129 PyTuple_SET_ITEM(retval, 1, v);
1130 }
1131 v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL));
1132 if (v == NULL)
1133 goto fail0;
1134 PyTuple_SET_ITEM(retval, 2, v);
1135 return retval;
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]1136
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1137 fail0:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1138 Py_DECREF(retval);
1139 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1140}
1141
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1142#ifdef OPENSSL_NPN_NEGOTIATED
1143static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
1144 const unsigned char *out;
1145 unsigned int outlen;
1146
1147 SSL_get0_next_proto_negotiated(self->ssl,
1148 &out, &outlen);
1149
1150 if (out == NULL)
1151 Py_RETURN_NONE;
1152 return PyUnicode_FromStringAndSize((char *) out, outlen);
1153}
1154#endif
1155
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]1156static PyObject *PySSL_compression(PySSLSocket *self) {
1157#ifdef OPENSSL_NO_COMP
1158 Py_RETURN_NONE;
1159#else
1160 const COMP_METHOD *comp_method;
1161 const char *short_name;
1162
1163 if (self->ssl == NULL)
1164 Py_RETURN_NONE;
1165 comp_method = SSL_get_current_compression(self->ssl);
1166 if (comp_method == NULL || comp_method->type == NID_undef)
1167 Py_RETURN_NONE;
1168 short_name = OBJ_nid2sn(comp_method->type);
1169 if (short_name == NULL)
1170 Py_RETURN_NONE;
1171 return PyUnicode_DecodeFSDefault(short_name);
1172#endif
1173}
1174
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1175static PySSLContext *PySSL_get_context(PySSLSocket *self, void *closure) {
1176 Py_INCREF(self->ctx);
1177 return self->ctx;
1178}
1179
1180static int PySSL_set_context(PySSLSocket *self, PyObject *value,
1181 void *closure) {
1182
1183 if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
1184
1185 Py_INCREF(value);
1186 Py_DECREF(self->ctx);
1187 self->ctx = (PySSLContext *) value;
1188 SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
1189 } else {
1190 PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
1191 return -1;
1192 }
1193
1194 return 0;
1195}
1196
1197PyDoc_STRVAR(PySSL_set_context_doc,
1198"_setter_context(ctx)\n\
1199\
1200This changes the context associated with the SSLSocket. This is typically\n\
1201used from within a callback function set by the set_servername_callback\n\
1202on the SSLContext to change the certificate information associated with the\n\
1203SSLSocket before the cryptographic exchange handshake messages\n");
1204
1205
1206
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1207static void PySSL_dealloc(PySSLSocket *self)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1208{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1209 if (self->peer_cert) /* Possible not to have one? */
1210 X509_free (self->peer_cert);
1211 if (self->ssl)
1212 SSL_free(self->ssl);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1213 Py_XDECREF(self->Socket);
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1214 Py_XDECREF(self->ctx);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1215 PyObject_Del(self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1216}
1217
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1218/* If the socket has a timeout, do a select()/poll() on the socket.
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1219 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]1220 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1221 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]1222
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1223static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]1224check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1225{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1226 fd_set fds;
1227 struct timeval tv;
1228 int rc;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1229
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1230 /* Nothing to do unless we're in timeout mode (not non-blocking) */
1231 if (s->sock_timeout < 0.0)
1232 return SOCKET_IS_BLOCKING;
1233 else if (s->sock_timeout == 0.0)
1234 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1235
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1236 /* Guard against closed socket */
1237 if (s->sock_fd < 0)
1238 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1239
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1240 /* Prefer poll, if available, since you can poll() any fd
1241 * which can't be done with select(). */
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1242#ifdef HAVE_POLL
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1243 {
1244 struct pollfd pollfd;
1245 int timeout;
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1246
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1247 pollfd.fd = s->sock_fd;
1248 pollfd.events = writing ? POLLOUT : POLLIN;
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1249
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1250 /* s->sock_timeout is in seconds, timeout in ms */
1251 timeout = (int)(s->sock_timeout * 1000 + 0.5);
1252 PySSL_BEGIN_ALLOW_THREADS
1253 rc = poll(&pollfd, 1, timeout);
1254 PySSL_END_ALLOW_THREADS
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1255
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1256 goto normal_return;
1257 }
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1258#endif
1259
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1260 /* Guard against socket too large for select*/
Charles-François Nataliaa26b272011-08-28 17:51:43 +0200[diff] [blame]1261 if (!_PyIsSelectable_fd(s->sock_fd))
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1262 return SOCKET_TOO_LARGE_FOR_SELECT;
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]1263
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1264 /* Construct the arguments to select */
1265 tv.tv_sec = (int)s->sock_timeout;
1266 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
1267 FD_ZERO(&fds);
1268 FD_SET(s->sock_fd, &fds);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1269
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1270 /* See if the socket is ready */
1271 PySSL_BEGIN_ALLOW_THREADS
1272 if (writing)
1273 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
1274 else
1275 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
1276 PySSL_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1277
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1278#ifdef HAVE_POLL
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1279normal_return:
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1280#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1281 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1282 (when we are able to write or when there's something to read) */
1283 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1284}
1285
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1286static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1287{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1288 Py_buffer buf;
1289 int len;
1290 int sockstate;
1291 int err;
1292 int nonblocking;
1293 PySocketSockObject *sock
1294 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1295
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1296 if (((PyObject*)sock) == Py_None) {
1297 _setSSLError("Underlying socket connection gone",
1298 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1299 return NULL;
1300 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1301 Py_INCREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1302
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1303 if (!PyArg_ParseTuple(args, "y*:write", &buf)) {
1304 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1305 return NULL;
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1306 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1307
1308 /* just in case the blocking state of the socket has been changed */
1309 nonblocking = (sock->sock_timeout >= 0.0);
1310 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1311 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1312
1313 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1314 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1315 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1316 "The write operation timed out");
1317 goto error;
1318 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1319 PyErr_SetString(PySSLErrorObject,
1320 "Underlying socket has been closed.");
1321 goto error;
1322 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1323 PyErr_SetString(PySSLErrorObject,
1324 "Underlying socket too large for select().");
1325 goto error;
1326 }
1327 do {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1328 PySSL_BEGIN_ALLOW_THREADS
1329 len = SSL_write(self->ssl, buf.buf, buf.len);
1330 err = SSL_get_error(self->ssl, len);
1331 PySSL_END_ALLOW_THREADS
1332 if (PyErr_CheckSignals()) {
1333 goto error;
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1334 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1335 if (err == SSL_ERROR_WANT_READ) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1336 sockstate = check_socket_and_wait_for_timeout(sock, 0);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1337 } else if (err == SSL_ERROR_WANT_WRITE) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1338 sockstate = check_socket_and_wait_for_timeout(sock, 1);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1339 } else {
1340 sockstate = SOCKET_OPERATION_OK;
1341 }
1342 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1343 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1344 "The write operation timed out");
1345 goto error;
1346 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1347 PyErr_SetString(PySSLErrorObject,
1348 "Underlying socket has been closed.");
1349 goto error;
1350 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1351 break;
1352 }
1353 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1354
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1355 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1356 PyBuffer_Release(&buf);
1357 if (len > 0)
1358 return PyLong_FromLong(len);
1359 else
1360 return PySSL_SetError(self, len, __FILE__, __LINE__);
Antoine Pitrou7d7aede2009-11-25 18:55:32 +0000[diff] [blame]1361
1362error:
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1363 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1364 PyBuffer_Release(&buf);
1365 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1366}
1367
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1368PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1369"write(s) -> len\n\
1370\n\
1371Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1372of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1373
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1374static PyObject *PySSL_SSLpending(PySSLSocket *self)
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1375{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1376 int count = 0;
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1377
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1378 PySSL_BEGIN_ALLOW_THREADS
1379 count = SSL_pending(self->ssl);
1380 PySSL_END_ALLOW_THREADS
1381 if (count < 0)
1382 return PySSL_SetError(self, count, __FILE__, __LINE__);
1383 else
1384 return PyLong_FromLong(count);
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1385}
1386
1387PyDoc_STRVAR(PySSL_SSLpending_doc,
1388"pending() -> count\n\
1389\n\
1390Returns the number of already decrypted bytes available for read,\n\
1391pending on the connection.\n");
1392
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1393static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1394{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1395 PyObject *dest = NULL;
1396 Py_buffer buf;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1397 char *mem;
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1398 int len, count;
1399 int buf_passed = 0;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1400 int sockstate;
1401 int err;
1402 int nonblocking;
1403 PySocketSockObject *sock
1404 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1405
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1406 if (((PyObject*)sock) == Py_None) {
1407 _setSSLError("Underlying socket connection gone",
1408 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1409 return NULL;
1410 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1411 Py_INCREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1412
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1413 buf.obj = NULL;
1414 buf.buf = NULL;
1415 if (!PyArg_ParseTuple(args, "i|w*:read", &len, &buf))
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1416 goto error;
1417
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1418 if ((buf.buf == NULL) && (buf.obj == NULL)) {
1419 dest = PyBytes_FromStringAndSize(NULL, len);
1420 if (dest == NULL)
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1421 goto error;
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1422 mem = PyBytes_AS_STRING(dest);
1423 }
1424 else {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1425 buf_passed = 1;
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1426 mem = buf.buf;
1427 if (len <= 0 || len > buf.len) {
1428 len = (int) buf.len;
1429 if (buf.len != len) {
1430 PyErr_SetString(PyExc_OverflowError,
1431 "maximum length can't fit in a C 'int'");
1432 goto error;
1433 }
1434 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1435 }
1436
1437 /* just in case the blocking state of the socket has been changed */
1438 nonblocking = (sock->sock_timeout >= 0.0);
1439 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1440 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1441
1442 /* first check if there are bytes ready to be read */
1443 PySSL_BEGIN_ALLOW_THREADS
1444 count = SSL_pending(self->ssl);
1445 PySSL_END_ALLOW_THREADS
1446
1447 if (!count) {
1448 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1449 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1450 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1451 "The read operation timed out");
1452 goto error;
1453 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1454 PyErr_SetString(PySSLErrorObject,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1455 "Underlying socket too large for select().");
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1456 goto error;
1457 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1458 count = 0;
1459 goto done;
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1460 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1461 }
1462 do {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1463 PySSL_BEGIN_ALLOW_THREADS
1464 count = SSL_read(self->ssl, mem, len);
1465 err = SSL_get_error(self->ssl, count);
1466 PySSL_END_ALLOW_THREADS
1467 if (PyErr_CheckSignals())
1468 goto error;
1469 if (err == SSL_ERROR_WANT_READ) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1470 sockstate = check_socket_and_wait_for_timeout(sock, 0);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1471 } else if (err == SSL_ERROR_WANT_WRITE) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1472 sockstate = check_socket_and_wait_for_timeout(sock, 1);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1473 } else if ((err == SSL_ERROR_ZERO_RETURN) &&
1474 (SSL_get_shutdown(self->ssl) ==
1475 SSL_RECEIVED_SHUTDOWN))
1476 {
1477 count = 0;
1478 goto done;
1479 } else {
1480 sockstate = SOCKET_OPERATION_OK;
1481 }
1482 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1483 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1484 "The read operation timed out");
1485 goto error;
1486 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1487 break;
1488 }
1489 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
1490 if (count <= 0) {
1491 PySSL_SetError(self, count, __FILE__, __LINE__);
1492 goto error;
1493 }
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1494
1495done:
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1496 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1497 if (!buf_passed) {
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1498 _PyBytes_Resize(&dest, count);
1499 return dest;
1500 }
1501 else {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1502 PyBuffer_Release(&buf);
1503 return PyLong_FromLong(count);
1504 }
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1505
1506error:
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1507 Py_DECREF(sock);
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1508 if (!buf_passed)
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1509 Py_XDECREF(dest);
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1510 else
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1511 PyBuffer_Release(&buf);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1512 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1513}
1514
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1515PyDoc_STRVAR(PySSL_SSLread_doc,
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1516"read([len]) -> string\n\
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1517\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1518Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1519
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1520static PyObject *PySSL_SSLshutdown(PySSLSocket *self)
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1521{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1522 int err, ssl_err, sockstate, nonblocking;
1523 int zeros = 0;
1524 PySocketSockObject *sock
1525 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1526
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1527 /* Guard against closed socket */
1528 if ((((PyObject*)sock) == Py_None) || (sock->sock_fd < 0)) {
1529 _setSSLError("Underlying socket connection gone",
1530 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1531 return NULL;
1532 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1533 Py_INCREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1534
1535 /* Just in case the blocking state of the socket has been changed */
1536 nonblocking = (sock->sock_timeout >= 0.0);
1537 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1538 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1539
1540 while (1) {
1541 PySSL_BEGIN_ALLOW_THREADS
1542 /* Disable read-ahead so that unwrap can work correctly.
1543 * Otherwise OpenSSL might read in too much data,
1544 * eating clear text data that happens to be
1545 * transmitted after the SSL shutdown.
1546 * Should be safe to call repeatedly everytime this
1547 * function is used and the shutdown_seen_zero != 0
1548 * condition is met.
1549 */
1550 if (self->shutdown_seen_zero)
1551 SSL_set_read_ahead(self->ssl, 0);
1552 err = SSL_shutdown(self->ssl);
1553 PySSL_END_ALLOW_THREADS
1554 /* If err == 1, a secure shutdown with SSL_shutdown() is complete */
1555 if (err > 0)
1556 break;
1557 if (err == 0) {
1558 /* Don't loop endlessly; instead preserve legacy
1559 behaviour of trying SSL_shutdown() only twice.
1560 This looks necessary for OpenSSL < 0.9.8m */
1561 if (++zeros > 1)
1562 break;
1563 /* Shutdown was sent, now try receiving */
1564 self->shutdown_seen_zero = 1;
1565 continue;
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1566 }
1567
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1568 /* Possibly retry shutdown until timeout or failure */
1569 ssl_err = SSL_get_error(self->ssl, err);
1570 if (ssl_err == SSL_ERROR_WANT_READ)
1571 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1572 else if (ssl_err == SSL_ERROR_WANT_WRITE)
1573 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1574 else
1575 break;
1576 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1577 if (ssl_err == SSL_ERROR_WANT_READ)
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1578 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1579 "The read operation timed out");
1580 else
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1581 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1582 "The write operation timed out");
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1583 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1584 }
1585 else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1586 PyErr_SetString(PySSLErrorObject,
1587 "Underlying socket too large for select().");
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1588 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1589 }
1590 else if (sockstate != SOCKET_OPERATION_OK)
1591 /* Retain the SSL error code */
1592 break;
1593 }
Antoine Pitrou2c4f98b2010-04-23 00:16:21 +0000[diff] [blame]1594
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1595 if (err < 0) {
1596 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1597 return PySSL_SetError(self, err, __FILE__, __LINE__);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1598 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1599 else
1600 /* It's already INCREF'ed */
1601 return (PyObject *) sock;
1602
1603error:
1604 Py_DECREF(sock);
1605 return NULL;
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1606}
1607
1608PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1609"shutdown(s) -> socket\n\
1610\n\
1611Does the SSL shutdown handshake with the remote end, and returns\n\
1612the underlying socket object.");
1613
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]1614#if HAVE_OPENSSL_FINISHED
1615static PyObject *
1616PySSL_tls_unique_cb(PySSLSocket *self)
1617{
1618 PyObject *retval = NULL;
1619 char buf[PySSL_CB_MAXLEN];
1620 int len;
1621
1622 if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
1623 /* if session is resumed XOR we are the client */
1624 len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN);
1625 }
1626 else {
1627 /* if a new session XOR we are the server */
1628 len = SSL_get_peer_finished(self->ssl, buf, PySSL_CB_MAXLEN);
1629 }
1630
1631 /* It cannot be negative in current OpenSSL version as of July 2011 */
1632 assert(len >= 0);
1633 if (len == 0)
1634 Py_RETURN_NONE;
1635
1636 retval = PyBytes_FromStringAndSize(buf, len);
1637
1638 return retval;
1639}
1640
1641PyDoc_STRVAR(PySSL_tls_unique_cb_doc,
1642"tls_unique_cb() -> bytes\n\
1643\n\
1644Returns the 'tls-unique' channel binding data, as defined by RFC 5929.\n\
1645\n\
1646If the TLS handshake is not yet complete, None is returned");
1647
1648#endif /* HAVE_OPENSSL_FINISHED */
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1649
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1650static PyGetSetDef ssl_getsetlist[] = {
1651 {"context", (getter) PySSL_get_context,
1652 (setter) PySSL_set_context, PySSL_set_context_doc},
1653 {NULL}, /* sentinel */
1654};
1655
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1656static PyMethodDef PySSLMethods[] = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1657 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
1658 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
1659 PySSL_SSLwrite_doc},
1660 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
1661 PySSL_SSLread_doc},
1662 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
1663 PySSL_SSLpending_doc},
1664 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
1665 PySSL_peercert_doc},
1666 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1667#ifdef OPENSSL_NPN_NEGOTIATED
1668 {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
1669#endif
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]1670 {"compression", (PyCFunction)PySSL_compression, METH_NOARGS},
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1671 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
1672 PySSL_SSLshutdown_doc},
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]1673#if HAVE_OPENSSL_FINISHED
1674 {"tls_unique_cb", (PyCFunction)PySSL_tls_unique_cb, METH_NOARGS,
1675 PySSL_tls_unique_cb_doc},
1676#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1677 {NULL, NULL}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1678};
1679
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1680static PyTypeObject PySSLSocket_Type = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1681 PyVarObject_HEAD_INIT(NULL, 0)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1682 "_ssl._SSLSocket", /*tp_name*/
1683 sizeof(PySSLSocket), /*tp_basicsize*/
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1684 0, /*tp_itemsize*/
1685 /* methods */
1686 (destructor)PySSL_dealloc, /*tp_dealloc*/
1687 0, /*tp_print*/
1688 0, /*tp_getattr*/
1689 0, /*tp_setattr*/
1690 0, /*tp_reserved*/
1691 0, /*tp_repr*/
1692 0, /*tp_as_number*/
1693 0, /*tp_as_sequence*/
1694 0, /*tp_as_mapping*/
1695 0, /*tp_hash*/
1696 0, /*tp_call*/
1697 0, /*tp_str*/
1698 0, /*tp_getattro*/
1699 0, /*tp_setattro*/
1700 0, /*tp_as_buffer*/
1701 Py_TPFLAGS_DEFAULT, /*tp_flags*/
1702 0, /*tp_doc*/
1703 0, /*tp_traverse*/
1704 0, /*tp_clear*/
1705 0, /*tp_richcompare*/
1706 0, /*tp_weaklistoffset*/
1707 0, /*tp_iter*/
1708 0, /*tp_iternext*/
1709 PySSLMethods, /*tp_methods*/
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1710 0, /*tp_members*/
1711 ssl_getsetlist, /*tp_getset*/
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1712};
1713
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1714
1715/*
1716 * _SSLContext objects
1717 */
1718
1719static PyObject *
1720context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
1721{
1722 char *kwlist[] = {"protocol", NULL};
1723 PySSLContext *self;
1724 int proto_version = PY_SSL_VERSION_SSL23;
1725 SSL_CTX *ctx = NULL;
1726
1727 if (!PyArg_ParseTupleAndKeywords(
1728 args, kwds, "i:_SSLContext", kwlist,
1729 &proto_version))
1730 return NULL;
1731
1732 PySSL_BEGIN_ALLOW_THREADS
1733 if (proto_version == PY_SSL_VERSION_TLS1)
1734 ctx = SSL_CTX_new(TLSv1_method());
1735 else if (proto_version == PY_SSL_VERSION_SSL3)
1736 ctx = SSL_CTX_new(SSLv3_method());
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]1737#ifndef OPENSSL_NO_SSL2
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1738 else if (proto_version == PY_SSL_VERSION_SSL2)
1739 ctx = SSL_CTX_new(SSLv2_method());
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]1740#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1741 else if (proto_version == PY_SSL_VERSION_SSL23)
1742 ctx = SSL_CTX_new(SSLv23_method());
1743 else
1744 proto_version = -1;
1745 PySSL_END_ALLOW_THREADS
1746
1747 if (proto_version == -1) {
1748 PyErr_SetString(PyExc_ValueError,
1749 "invalid protocol version");
1750 return NULL;
1751 }
1752 if (ctx == NULL) {
1753 PyErr_SetString(PySSLErrorObject,
1754 "failed to allocate SSL context");
1755 return NULL;
1756 }
1757
1758 assert(type != NULL && type->tp_alloc != NULL);
1759 self = (PySSLContext *) type->tp_alloc(type, 0);
1760 if (self == NULL) {
1761 SSL_CTX_free(ctx);
1762 return NULL;
1763 }
1764 self->ctx = ctx;
Christian Heimes5cb31c92012-09-20 12:42:54 +0200[diff] [blame]1765#ifdef OPENSSL_NPN_NEGOTIATED
1766 self->npn_protocols = NULL;
1767#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1768#ifndef OPENSSL_NO_TLSEXT
1769 self->set_hostname = NULL;
1770#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1771 /* Defaults */
1772 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
Antoine Pitrou3f366312012-01-27 09:50:45 +0100[diff] [blame]1773 SSL_CTX_set_options(self->ctx,
1774 SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1775
Antoine Pitroufc113ee2010-10-13 12:46:13 +0000[diff] [blame]1776#define SID_CTX "Python"
1777 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
1778 sizeof(SID_CTX));
1779#undef SID_CTX
1780
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1781 return (PyObject *)self;
1782}
1783
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1784static int
1785context_traverse(PySSLContext *self, visitproc visit, void *arg)
1786{
1787#ifndef OPENSSL_NO_TLSEXT
1788 Py_VISIT(self->set_hostname);
1789#endif
1790 return 0;
1791}
1792
1793static int
1794context_clear(PySSLContext *self)
1795{
1796#ifndef OPENSSL_NO_TLSEXT
1797 Py_CLEAR(self->set_hostname);
1798#endif
1799 return 0;
1800}
1801
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1802static void
1803context_dealloc(PySSLContext *self)
1804{
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1805 context_clear(self);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1806 SSL_CTX_free(self->ctx);
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1807#ifdef OPENSSL_NPN_NEGOTIATED
1808 PyMem_Free(self->npn_protocols);
1809#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1810 Py_TYPE(self)->tp_free(self);
1811}
1812
1813static PyObject *
1814set_ciphers(PySSLContext *self, PyObject *args)
1815{
1816 int ret;
1817 const char *cipherlist;
1818
1819 if (!PyArg_ParseTuple(args, "s:set_ciphers", &cipherlist))
1820 return NULL;
1821 ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist);
1822 if (ret == 0) {
Antoine Pitrou65ec8ae2010-05-16 19:56:32 +0000[diff] [blame]1823 /* Clearing the error queue is necessary on some OpenSSL versions,
1824 otherwise the error will be reported again when another SSL call
1825 is done. */
1826 ERR_clear_error();
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1827 PyErr_SetString(PySSLErrorObject,
1828 "No cipher can be selected.");
1829 return NULL;
1830 }
1831 Py_RETURN_NONE;
1832}
1833
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1834#ifdef OPENSSL_NPN_NEGOTIATED
1835/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
1836static int
1837_advertiseNPN_cb(SSL *s,
1838 const unsigned char **data, unsigned int *len,
1839 void *args)
1840{
1841 PySSLContext *ssl_ctx = (PySSLContext *) args;
1842
1843 if (ssl_ctx->npn_protocols == NULL) {
1844 *data = (unsigned char *) "";
1845 *len = 0;
1846 } else {
1847 *data = (unsigned char *) ssl_ctx->npn_protocols;
1848 *len = ssl_ctx->npn_protocols_len;
1849 }
1850
1851 return SSL_TLSEXT_ERR_OK;
1852}
1853/* this callback gets passed to SSL_CTX_set_next_proto_select_cb */
1854static int
1855_selectNPN_cb(SSL *s,
1856 unsigned char **out, unsigned char *outlen,
1857 const unsigned char *server, unsigned int server_len,
1858 void *args)
1859{
1860 PySSLContext *ssl_ctx = (PySSLContext *) args;
1861
1862 unsigned char *client = (unsigned char *) ssl_ctx->npn_protocols;
1863 int client_len;
1864
1865 if (client == NULL) {
1866 client = (unsigned char *) "";
1867 client_len = 0;
1868 } else {
1869 client_len = ssl_ctx->npn_protocols_len;
1870 }
1871
1872 SSL_select_next_proto(out, outlen,
1873 server, server_len,
1874 client, client_len);
1875
1876 return SSL_TLSEXT_ERR_OK;
1877}
1878#endif
1879
1880static PyObject *
1881_set_npn_protocols(PySSLContext *self, PyObject *args)
1882{
1883#ifdef OPENSSL_NPN_NEGOTIATED
1884 Py_buffer protos;
1885
1886 if (!PyArg_ParseTuple(args, "y*:set_npn_protocols", &protos))
1887 return NULL;
1888
Christian Heimes5cb31c92012-09-20 12:42:54 +0200[diff] [blame]1889 if (self->npn_protocols != NULL) {
1890 PyMem_Free(self->npn_protocols);
1891 }
1892
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1893 self->npn_protocols = PyMem_Malloc(protos.len);
1894 if (self->npn_protocols == NULL) {
1895 PyBuffer_Release(&protos);
1896 return PyErr_NoMemory();
1897 }
1898 memcpy(self->npn_protocols, protos.buf, protos.len);
1899 self->npn_protocols_len = (int) protos.len;
1900
1901 /* set both server and client callbacks, because the context can
1902 * be used to create both types of sockets */
1903 SSL_CTX_set_next_protos_advertised_cb(self->ctx,
1904 _advertiseNPN_cb,
1905 self);
1906 SSL_CTX_set_next_proto_select_cb(self->ctx,
1907 _selectNPN_cb,
1908 self);
1909
1910 PyBuffer_Release(&protos);
1911 Py_RETURN_NONE;
1912#else
1913 PyErr_SetString(PyExc_NotImplementedError,
1914 "The NPN extension requires OpenSSL 1.0.1 or later.");
1915 return NULL;
1916#endif
1917}
1918
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1919static PyObject *
1920get_verify_mode(PySSLContext *self, void *c)
1921{
1922 switch (SSL_CTX_get_verify_mode(self->ctx)) {
1923 case SSL_VERIFY_NONE:
1924 return PyLong_FromLong(PY_SSL_CERT_NONE);
1925 case SSL_VERIFY_PEER:
1926 return PyLong_FromLong(PY_SSL_CERT_OPTIONAL);
1927 case SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
1928 return PyLong_FromLong(PY_SSL_CERT_REQUIRED);
1929 }
1930 PyErr_SetString(PySSLErrorObject,
1931 "invalid return value from SSL_CTX_get_verify_mode");
1932 return NULL;
1933}
1934
1935static int
1936set_verify_mode(PySSLContext *self, PyObject *arg, void *c)
1937{
1938 int n, mode;
1939 if (!PyArg_Parse(arg, "i", &n))
1940 return -1;
1941 if (n == PY_SSL_CERT_NONE)
1942 mode = SSL_VERIFY_NONE;
1943 else if (n == PY_SSL_CERT_OPTIONAL)
1944 mode = SSL_VERIFY_PEER;
1945 else if (n == PY_SSL_CERT_REQUIRED)
1946 mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1947 else {
1948 PyErr_SetString(PyExc_ValueError,
1949 "invalid value for verify_mode");
1950 return -1;
1951 }
1952 SSL_CTX_set_verify(self->ctx, mode, NULL);
1953 return 0;
1954}
1955
1956static PyObject *
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1957get_options(PySSLContext *self, void *c)
1958{
1959 return PyLong_FromLong(SSL_CTX_get_options(self->ctx));
1960}
1961
1962static int
1963set_options(PySSLContext *self, PyObject *arg, void *c)
1964{
1965 long new_opts, opts, set, clear;
1966 if (!PyArg_Parse(arg, "l", &new_opts))
1967 return -1;
1968 opts = SSL_CTX_get_options(self->ctx);
1969 clear = opts & ~new_opts;
1970 set = ~opts & new_opts;
1971 if (clear) {
1972#ifdef HAVE_SSL_CTX_CLEAR_OPTIONS
1973 SSL_CTX_clear_options(self->ctx, clear);
1974#else
1975 PyErr_SetString(PyExc_ValueError,
1976 "can't clear options before OpenSSL 0.9.8m");
1977 return -1;
1978#endif
1979 }
1980 if (set)
1981 SSL_CTX_set_options(self->ctx, set);
1982 return 0;
1983}
1984
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1985typedef struct {
1986 PyThreadState *thread_state;
1987 PyObject *callable;
1988 char *password;
1989 Py_ssize_t size;
1990 int error;
1991} _PySSLPasswordInfo;
1992
1993static int
1994_pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password,
1995 const char *bad_type_error)
1996{
1997 /* Set the password and size fields of a _PySSLPasswordInfo struct
1998 from a unicode, bytes, or byte array object.
1999 The password field will be dynamically allocated and must be freed
2000 by the caller */
2001 PyObject *password_bytes = NULL;
2002 const char *data = NULL;
2003 Py_ssize_t size;
2004
2005 if (PyUnicode_Check(password)) {
2006 password_bytes = PyUnicode_AsEncodedString(password, NULL, NULL);
2007 if (!password_bytes) {
2008 goto error;
2009 }
2010 data = PyBytes_AS_STRING(password_bytes);
2011 size = PyBytes_GET_SIZE(password_bytes);
2012 } else if (PyBytes_Check(password)) {
2013 data = PyBytes_AS_STRING(password);
2014 size = PyBytes_GET_SIZE(password);
2015 } else if (PyByteArray_Check(password)) {
2016 data = PyByteArray_AS_STRING(password);
2017 size = PyByteArray_GET_SIZE(password);
2018 } else {
2019 PyErr_SetString(PyExc_TypeError, bad_type_error);
2020 goto error;
2021 }
2022
2023 free(pw_info->password);
2024 pw_info->password = malloc(size);
2025 if (!pw_info->password) {
2026 PyErr_SetString(PyExc_MemoryError,
2027 "unable to allocate password buffer");
2028 goto error;
2029 }
2030 memcpy(pw_info->password, data, size);
2031 pw_info->size = size;
2032
2033 Py_XDECREF(password_bytes);
2034 return 1;
2035
2036error:
2037 Py_XDECREF(password_bytes);
2038 return 0;
2039}
2040
2041static int
2042_password_callback(char *buf, int size, int rwflag, void *userdata)
2043{
2044 _PySSLPasswordInfo *pw_info = (_PySSLPasswordInfo*) userdata;
2045 PyObject *fn_ret = NULL;
2046
2047 PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
2048
2049 if (pw_info->callable) {
2050 fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL);
2051 if (!fn_ret) {
2052 /* TODO: It would be nice to move _ctypes_add_traceback() into the
2053 core python API, so we could use it to add a frame here */
2054 goto error;
2055 }
2056
2057 if (!_pwinfo_set(pw_info, fn_ret,
2058 "password callback must return a string")) {
2059 goto error;
2060 }
2061 Py_CLEAR(fn_ret);
2062 }
2063
2064 if (pw_info->size > size) {
2065 PyErr_Format(PyExc_ValueError,
2066 "password cannot be longer than %d bytes", size);
2067 goto error;
2068 }
2069
2070 PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
2071 memcpy(buf, pw_info->password, pw_info->size);
2072 return pw_info->size;
2073
2074error:
2075 Py_XDECREF(fn_ret);
2076 PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
2077 pw_info->error = 1;
2078 return -1;
2079}
2080
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2081static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2082load_cert_chain(PySSLContext *self, PyObject *args, PyObject *kwds)
2083{
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2084 char *kwlist[] = {"certfile", "keyfile", "password", NULL};
2085 PyObject *certfile, *keyfile = NULL, *password = NULL;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2086 PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2087 pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback;
2088 void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata;
2089 _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2090 int r;
2091
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2092 errno = 0;
Antoine Pitrou67e8e562010-09-01 20:55:41 +0000[diff] [blame]2093 ERR_clear_error();
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2094 if (!PyArg_ParseTupleAndKeywords(args, kwds,
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2095 "O|OO:load_cert_chain", kwlist,
2096 &certfile, &keyfile, &password))
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2097 return NULL;
2098 if (keyfile == Py_None)
2099 keyfile = NULL;
2100 if (!PyUnicode_FSConverter(certfile, &certfile_bytes)) {
2101 PyErr_SetString(PyExc_TypeError,
2102 "certfile should be a valid filesystem path");
2103 return NULL;
2104 }
2105 if (keyfile && !PyUnicode_FSConverter(keyfile, &keyfile_bytes)) {
2106 PyErr_SetString(PyExc_TypeError,
2107 "keyfile should be a valid filesystem path");
2108 goto error;
2109 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2110 if (password && password != Py_None) {
2111 if (PyCallable_Check(password)) {
2112 pw_info.callable = password;
2113 } else if (!_pwinfo_set(&pw_info, password,
2114 "password should be a string or callable")) {
2115 goto error;
2116 }
2117 SSL_CTX_set_default_passwd_cb(self->ctx, _password_callback);
2118 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, &pw_info);
2119 }
2120 PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2121 r = SSL_CTX_use_certificate_chain_file(self->ctx,
2122 PyBytes_AS_STRING(certfile_bytes));
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2123 PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2124 if (r != 1) {
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2125 if (pw_info.error) {
2126 ERR_clear_error();
2127 /* the password callback has already set the error information */
2128 }
2129 else if (errno != 0) {
Giampaolo Rodolàe0f98632010-09-01 19:28:49 +0000[diff] [blame]2130 ERR_clear_error();
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2131 PyErr_SetFromErrno(PyExc_IOError);
2132 }
2133 else {
2134 _setSSLError(NULL, 0, __FILE__, __LINE__);
2135 }
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2136 goto error;
2137 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2138 PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou9c254862011-04-03 18:15:34 +0200[diff] [blame]2139 r = SSL_CTX_use_PrivateKey_file(self->ctx,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2140 PyBytes_AS_STRING(keyfile ? keyfile_bytes : certfile_bytes),
2141 SSL_FILETYPE_PEM);
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2142 PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
2143 Py_CLEAR(keyfile_bytes);
2144 Py_CLEAR(certfile_bytes);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2145 if (r != 1) {
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2146 if (pw_info.error) {
2147 ERR_clear_error();
2148 /* the password callback has already set the error information */
2149 }
2150 else if (errno != 0) {
Giampaolo Rodolàe0f98632010-09-01 19:28:49 +0000[diff] [blame]2151 ERR_clear_error();
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2152 PyErr_SetFromErrno(PyExc_IOError);
2153 }
2154 else {
2155 _setSSLError(NULL, 0, __FILE__, __LINE__);
2156 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2157 goto error;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2158 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2159 PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2160 r = SSL_CTX_check_private_key(self->ctx);
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2161 PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2162 if (r != 1) {
2163 _setSSLError(NULL, 0, __FILE__, __LINE__);
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2164 goto error;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2165 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2166 SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
2167 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
2168 free(pw_info.password);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2169 Py_RETURN_NONE;
2170
2171error:
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2172 SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
2173 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
2174 free(pw_info.password);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2175 Py_XDECREF(keyfile_bytes);
2176 Py_XDECREF(certfile_bytes);
2177 return NULL;
2178}
2179
2180static PyObject *
2181load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds)
2182{
2183 char *kwlist[] = {"cafile", "capath", NULL};
2184 PyObject *cafile = NULL, *capath = NULL;
2185 PyObject *cafile_bytes = NULL, *capath_bytes = NULL;
2186 const char *cafile_buf = NULL, *capath_buf = NULL;
2187 int r;
2188
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2189 errno = 0;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2190 if (!PyArg_ParseTupleAndKeywords(args, kwds,
2191 "|OO:load_verify_locations", kwlist,
2192 &cafile, &capath))
2193 return NULL;
2194 if (cafile == Py_None)
2195 cafile = NULL;
2196 if (capath == Py_None)
2197 capath = NULL;
2198 if (cafile == NULL && capath == NULL) {
2199 PyErr_SetString(PyExc_TypeError,
2200 "cafile and capath cannot be both omitted");
2201 return NULL;
2202 }
2203 if (cafile && !PyUnicode_FSConverter(cafile, &cafile_bytes)) {
2204 PyErr_SetString(PyExc_TypeError,
2205 "cafile should be a valid filesystem path");
2206 return NULL;
2207 }
2208 if (capath && !PyUnicode_FSConverter(capath, &capath_bytes)) {
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]2209 Py_XDECREF(cafile_bytes);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2210 PyErr_SetString(PyExc_TypeError,
2211 "capath should be a valid filesystem path");
2212 return NULL;
2213 }
2214 if (cafile)
2215 cafile_buf = PyBytes_AS_STRING(cafile_bytes);
2216 if (capath)
2217 capath_buf = PyBytes_AS_STRING(capath_bytes);
2218 PySSL_BEGIN_ALLOW_THREADS
2219 r = SSL_CTX_load_verify_locations(self->ctx, cafile_buf, capath_buf);
2220 PySSL_END_ALLOW_THREADS
2221 Py_XDECREF(cafile_bytes);
2222 Py_XDECREF(capath_bytes);
2223 if (r != 1) {
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2224 if (errno != 0) {
Giampaolo Rodolàe0f98632010-09-01 19:28:49 +0000[diff] [blame]2225 ERR_clear_error();
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2226 PyErr_SetFromErrno(PyExc_IOError);
2227 }
2228 else {
2229 _setSSLError(NULL, 0, __FILE__, __LINE__);
2230 }
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2231 return NULL;
2232 }
2233 Py_RETURN_NONE;
2234}
2235
2236static PyObject *
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]2237load_dh_params(PySSLContext *self, PyObject *filepath)
2238{
2239 FILE *f;
2240 DH *dh;
2241
2242 f = _Py_fopen(filepath, "rb");
2243 if (f == NULL) {
2244 if (!PyErr_Occurred())
2245 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
2246 return NULL;
2247 }
2248 errno = 0;
2249 PySSL_BEGIN_ALLOW_THREADS
2250 dh = PEM_read_DHparams(f, NULL, NULL, NULL);
Antoine Pitrou457a2292013-01-12 21:43:45 +0100[diff] [blame]2251 fclose(f);
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]2252 PySSL_END_ALLOW_THREADS
2253 if (dh == NULL) {
2254 if (errno != 0) {
2255 ERR_clear_error();
2256 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
2257 }
2258 else {
2259 _setSSLError(NULL, 0, __FILE__, __LINE__);
2260 }
2261 return NULL;
2262 }
2263 if (SSL_CTX_set_tmp_dh(self->ctx, dh) == 0)
2264 _setSSLError(NULL, 0, __FILE__, __LINE__);
2265 DH_free(dh);
2266 Py_RETURN_NONE;
2267}
2268
2269static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2270context_wrap_socket(PySSLContext *self, PyObject *args, PyObject *kwds)
2271{
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2272 char *kwlist[] = {"sock", "server_side", "server_hostname", NULL};
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2273 PySocketSockObject *sock;
2274 int server_side = 0;
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2275 char *hostname = NULL;
2276 PyObject *hostname_obj, *res;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2277
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2278 /* server_hostname is either None (or absent), or to be encoded
2279 using the idna encoding. */
2280 if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!i|O!:_wrap_socket", kwlist,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2281 PySocketModule.Sock_Type,
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2282 &sock, &server_side,
2283 Py_TYPE(Py_None), &hostname_obj)) {
2284 PyErr_Clear();
2285 if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!iet:_wrap_socket", kwlist,
2286 PySocketModule.Sock_Type,
2287 &sock, &server_side,
2288 "idna", &hostname))
2289 return NULL;
2290#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
2291 PyMem_Free(hostname);
2292 PyErr_SetString(PyExc_ValueError, "server_hostname is not supported "
2293 "by your OpenSSL library");
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2294 return NULL;
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2295#endif
2296 }
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2297
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2298 res = (PyObject *) newPySSLSocket(self, sock, server_side,
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2299 hostname);
2300 if (hostname != NULL)
2301 PyMem_Free(hostname);
2302 return res;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2303}
2304
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]2305static PyObject *
2306session_stats(PySSLContext *self, PyObject *unused)
2307{
2308 int r;
2309 PyObject *value, *stats = PyDict_New();
2310 if (!stats)
2311 return NULL;
2312
2313#define ADD_STATS(SSL_NAME, KEY_NAME) \
2314 value = PyLong_FromLong(SSL_CTX_sess_ ## SSL_NAME (self->ctx)); \
2315 if (value == NULL) \
2316 goto error; \
2317 r = PyDict_SetItemString(stats, KEY_NAME, value); \
2318 Py_DECREF(value); \
2319 if (r < 0) \
2320 goto error;
2321
2322 ADD_STATS(number, "number");
2323 ADD_STATS(connect, "connect");
2324 ADD_STATS(connect_good, "connect_good");
2325 ADD_STATS(connect_renegotiate, "connect_renegotiate");
2326 ADD_STATS(accept, "accept");
2327 ADD_STATS(accept_good, "accept_good");
2328 ADD_STATS(accept_renegotiate, "accept_renegotiate");
2329 ADD_STATS(accept, "accept");
2330 ADD_STATS(hits, "hits");
2331 ADD_STATS(misses, "misses");
2332 ADD_STATS(timeouts, "timeouts");
2333 ADD_STATS(cache_full, "cache_full");
2334
2335#undef ADD_STATS
2336
2337 return stats;
2338
2339error:
2340 Py_DECREF(stats);
2341 return NULL;
2342}
2343
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]2344static PyObject *
2345set_default_verify_paths(PySSLContext *self, PyObject *unused)
2346{
2347 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
2348 _setSSLError(NULL, 0, __FILE__, __LINE__);
2349 return NULL;
2350 }
2351 Py_RETURN_NONE;
2352}
2353
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2354#ifndef OPENSSL_NO_ECDH
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]2355static PyObject *
2356set_ecdh_curve(PySSLContext *self, PyObject *name)
2357{
2358 PyObject *name_bytes;
2359 int nid;
2360 EC_KEY *key;
2361
2362 if (!PyUnicode_FSConverter(name, &name_bytes))
2363 return NULL;
2364 assert(PyBytes_Check(name_bytes));
2365 nid = OBJ_sn2nid(PyBytes_AS_STRING(name_bytes));
2366 Py_DECREF(name_bytes);
2367 if (nid == 0) {
2368 PyErr_Format(PyExc_ValueError,
2369 "unknown elliptic curve name %R", name);
2370 return NULL;
2371 }
2372 key = EC_KEY_new_by_curve_name(nid);
2373 if (key == NULL) {
2374 _setSSLError(NULL, 0, __FILE__, __LINE__);
2375 return NULL;
2376 }
2377 SSL_CTX_set_tmp_ecdh(self->ctx, key);
2378 EC_KEY_free(key);
2379 Py_RETURN_NONE;
2380}
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2381#endif
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]2382
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2383#ifndef OPENSSL_NO_TLSEXT
2384static int
2385_servername_callback(SSL *s, int *al, void *args)
2386{
2387 int ret;
2388 PySSLContext *ssl_ctx = (PySSLContext *) args;
2389 PySSLSocket *ssl;
2390 PyObject *servername_o;
2391 PyObject *servername_idna;
2392 PyObject *result;
2393 /* The high-level ssl.SSLSocket object */
2394 PyObject *ssl_socket;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2395 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2396#ifdef WITH_THREAD
2397 PyGILState_STATE gstate = PyGILState_Ensure();
2398#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2399
2400 if (ssl_ctx->set_hostname == NULL) {
2401 /* remove race condition in this the call back while if removing the
2402 * callback is in progress */
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2403#ifdef WITH_THREAD
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2404 PyGILState_Release(gstate);
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2405#endif
Antoine Pitrou5dd12a52013-01-06 15:25:36 +0100[diff] [blame]2406 return SSL_TLSEXT_ERR_OK;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2407 }
2408
2409 ssl = SSL_get_app_data(s);
2410 assert(PySSLSocket_Check(ssl));
2411 ssl_socket = PyWeakref_GetObject(ssl->Socket);
2412 Py_INCREF(ssl_socket);
2413 if (ssl_socket == Py_None) {
2414 goto error;
2415 }
2416
2417 servername_o = PyBytes_FromString(servername);
2418 if (servername_o == NULL) {
2419 PyErr_WriteUnraisable((PyObject *) ssl_ctx);
2420 goto error;
2421 }
2422 servername_idna = PyUnicode_FromEncodedObject(servername_o, "idna", NULL);
2423 if (servername_idna == NULL) {
2424 PyErr_WriteUnraisable(servername_o);
2425 Py_DECREF(servername_o);
2426 goto error;
2427 }
2428 Py_DECREF(servername_o);
2429 result = PyObject_CallFunctionObjArgs(ssl_ctx->set_hostname, ssl_socket,
2430 servername_idna, ssl_ctx, NULL);
2431 Py_DECREF(ssl_socket);
2432 Py_DECREF(servername_idna);
2433
2434 if (result == NULL) {
2435 PyErr_WriteUnraisable(ssl_ctx->set_hostname);
2436 *al = SSL_AD_HANDSHAKE_FAILURE;
2437 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2438 }
2439 else {
2440 if (result != Py_None) {
2441 *al = (int) PyLong_AsLong(result);
2442 if (PyErr_Occurred()) {
2443 PyErr_WriteUnraisable(result);
2444 *al = SSL_AD_INTERNAL_ERROR;
2445 }
2446 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2447 }
2448 else {
2449 ret = SSL_TLSEXT_ERR_OK;
2450 }
2451 Py_DECREF(result);
2452 }
2453
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2454#ifdef WITH_THREAD
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2455 PyGILState_Release(gstate);
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2456#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2457 return ret;
2458
2459error:
2460 Py_DECREF(ssl_socket);
2461 *al = SSL_AD_INTERNAL_ERROR;
2462 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2463#ifdef WITH_THREAD
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2464 PyGILState_Release(gstate);
Stefan Krah20d60802013-01-17 17:07:17 +0100[diff] [blame^]2465#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2466 return ret;
2467}
2468
2469PyDoc_STRVAR(PySSL_set_servername_callback_doc,
2470"set_servername_callback(method)\n\
2471\
2472This sets a callback that will be called when a server name is provided by\n\
2473the SSL/TLS client in the SNI extension.\n\
2474\
2475If the argument is None then the callback is disabled. The method is called\n\
2476with the SSLSocket, the server name as a string, and the SSLContext object.\n\
2477See RFC 6066 for details of the SNI");
2478#endif
2479
2480static PyObject *
2481set_servername_callback(PySSLContext *self, PyObject *args)
2482{
2483#ifndef OPENSSL_NO_TLSEXT
2484 PyObject *cb;
2485
2486 if (!PyArg_ParseTuple(args, "O", &cb))
2487 return NULL;
2488
2489 Py_CLEAR(self->set_hostname);
2490 if (cb == Py_None) {
2491 SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
2492 }
2493 else {
2494 if (!PyCallable_Check(cb)) {
2495 SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
2496 PyErr_SetString(PyExc_TypeError,
2497 "not a callable object");
2498 return NULL;
2499 }
2500 Py_INCREF(cb);
2501 self->set_hostname = cb;
2502 SSL_CTX_set_tlsext_servername_callback(self->ctx, _servername_callback);
2503 SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
2504 }
2505 Py_RETURN_NONE;
2506#else
2507 PyErr_SetString(PyExc_NotImplementedError,
2508 "The TLS extension servername callback, "
2509 "SSL_CTX_set_tlsext_servername_callback, "
2510 "is not in the current OpenSSL library.");
2511#endif
2512}
2513
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2514static PyGetSetDef context_getsetlist[] = {
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2515 {"options", (getter) get_options,
2516 (setter) set_options, NULL},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2517 {"verify_mode", (getter) get_verify_mode,
2518 (setter) set_verify_mode, NULL},
2519 {NULL}, /* sentinel */
2520};
2521
2522static struct PyMethodDef context_methods[] = {
2523 {"_wrap_socket", (PyCFunction) context_wrap_socket,
2524 METH_VARARGS | METH_KEYWORDS, NULL},
2525 {"set_ciphers", (PyCFunction) set_ciphers,
2526 METH_VARARGS, NULL},
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]2527 {"_set_npn_protocols", (PyCFunction) _set_npn_protocols,
2528 METH_VARARGS, NULL},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2529 {"load_cert_chain", (PyCFunction) load_cert_chain,
2530 METH_VARARGS | METH_KEYWORDS, NULL},
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]2531 {"load_dh_params", (PyCFunction) load_dh_params,
2532 METH_O, NULL},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2533 {"load_verify_locations", (PyCFunction) load_verify_locations,
2534 METH_VARARGS | METH_KEYWORDS, NULL},
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]2535 {"session_stats", (PyCFunction) session_stats,
2536 METH_NOARGS, NULL},
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]2537 {"set_default_verify_paths", (PyCFunction) set_default_verify_paths,
2538 METH_NOARGS, NULL},
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2539#ifndef OPENSSL_NO_ECDH
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]2540 {"set_ecdh_curve", (PyCFunction) set_ecdh_curve,
2541 METH_O, NULL},
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2542#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2543 {"set_servername_callback", (PyCFunction) set_servername_callback,
2544 METH_VARARGS, PySSL_set_servername_callback_doc},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2545 {NULL, NULL} /* sentinel */
2546};
2547
2548static PyTypeObject PySSLContext_Type = {
2549 PyVarObject_HEAD_INIT(NULL, 0)
2550 "_ssl._SSLContext", /*tp_name*/
2551 sizeof(PySSLContext), /*tp_basicsize*/
2552 0, /*tp_itemsize*/
2553 (destructor)context_dealloc, /*tp_dealloc*/
2554 0, /*tp_print*/
2555 0, /*tp_getattr*/
2556 0, /*tp_setattr*/
2557 0, /*tp_reserved*/
2558 0, /*tp_repr*/
2559 0, /*tp_as_number*/
2560 0, /*tp_as_sequence*/
2561 0, /*tp_as_mapping*/
2562 0, /*tp_hash*/
2563 0, /*tp_call*/
2564 0, /*tp_str*/
2565 0, /*tp_getattro*/
2566 0, /*tp_setattro*/
2567 0, /*tp_as_buffer*/
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2568 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC, /*tp_flags*/
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2569 0, /*tp_doc*/
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2570 (traverseproc) context_traverse, /*tp_traverse*/
2571 (inquiry) context_clear, /*tp_clear*/
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2572 0, /*tp_richcompare*/
2573 0, /*tp_weaklistoffset*/
2574 0, /*tp_iter*/
2575 0, /*tp_iternext*/
2576 context_methods, /*tp_methods*/
2577 0, /*tp_members*/
2578 context_getsetlist, /*tp_getset*/
2579 0, /*tp_base*/
2580 0, /*tp_dict*/
2581 0, /*tp_descr_get*/
2582 0, /*tp_descr_set*/
2583 0, /*tp_dictoffset*/
2584 0, /*tp_init*/
2585 0, /*tp_alloc*/
2586 context_new, /*tp_new*/
2587};
2588
2589
2590
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2591#ifdef HAVE_OPENSSL_RAND
2592
2593/* helper routines for seeding the SSL PRNG */
2594static PyObject *
2595PySSL_RAND_add(PyObject *self, PyObject *args)
2596{
2597 char *buf;
2598 int len;
2599 double entropy;
2600
2601 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]2602 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2603 RAND_add(buf, len, entropy);
2604 Py_INCREF(Py_None);
2605 return Py_None;
2606}
2607
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2608PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2609"RAND_add(string, entropy)\n\
2610\n\
2611Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2612bound on the entropy contained in string. See RFC 1750.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2613
2614static PyObject *
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]2615PySSL_RAND(int len, int pseudo)
2616{
2617 int ok;
2618 PyObject *bytes;
2619 unsigned long err;
2620 const char *errstr;
2621 PyObject *v;
2622
2623 bytes = PyBytes_FromStringAndSize(NULL, len);
2624 if (bytes == NULL)
2625 return NULL;
2626 if (pseudo) {
2627 ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
2628 if (ok == 0 || ok == 1)
2629 return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
2630 }
2631 else {
2632 ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
2633 if (ok == 1)
2634 return bytes;
2635 }
2636 Py_DECREF(bytes);
2637
2638 err = ERR_get_error();
2639 errstr = ERR_reason_error_string(err);
2640 v = Py_BuildValue("(ks)", err, errstr);
2641 if (v != NULL) {
2642 PyErr_SetObject(PySSLErrorObject, v);
2643 Py_DECREF(v);
2644 }
2645 return NULL;
2646}
2647
2648static PyObject *
2649PySSL_RAND_bytes(PyObject *self, PyObject *args)
2650{
2651 int len;
2652 if (!PyArg_ParseTuple(args, "i:RAND_bytes", &len))
2653 return NULL;
2654 return PySSL_RAND(len, 0);
2655}
2656
2657PyDoc_STRVAR(PySSL_RAND_bytes_doc,
2658"RAND_bytes(n) -> bytes\n\
2659\n\
2660Generate n cryptographically strong pseudo-random bytes.");
2661
2662static PyObject *
2663PySSL_RAND_pseudo_bytes(PyObject *self, PyObject *args)
2664{
2665 int len;
2666 if (!PyArg_ParseTuple(args, "i:RAND_pseudo_bytes", &len))
2667 return NULL;
2668 return PySSL_RAND(len, 1);
2669}
2670
2671PyDoc_STRVAR(PySSL_RAND_pseudo_bytes_doc,
2672"RAND_pseudo_bytes(n) -> (bytes, is_cryptographic)\n\
2673\n\
2674Generate n pseudo-random bytes. is_cryptographic is True if the bytes\
2675generated are cryptographically strong.");
2676
2677static PyObject *
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2678PySSL_RAND_status(PyObject *self)
2679{
Christian Heimes217cfd12007-12-02 14:31:20 +0000[diff] [blame]2680 return PyLong_FromLong(RAND_status());
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2681}
2682
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2683PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2684"RAND_status() -> 0 or 1\n\
2685\n\
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]2686Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
2687It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
2688using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2689
2690static PyObject *
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2691PySSL_RAND_egd(PyObject *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2692{
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2693 PyObject *path;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2694 int bytes;
2695
Jesus Ceac8754a12012-09-11 02:00:58 +0200[diff] [blame]2696 if (!PyArg_ParseTuple(args, "O&:RAND_egd",
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2697 PyUnicode_FSConverter, &path))
2698 return NULL;
2699
2700 bytes = RAND_egd(PyBytes_AsString(path));
2701 Py_DECREF(path);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2702 if (bytes == -1) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]2703 PyErr_SetString(PySSLErrorObject,
2704 "EGD connection failed or EGD did not return "
2705 "enough data to seed the PRNG");
2706 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2707 }
Christian Heimes217cfd12007-12-02 14:31:20 +0000[diff] [blame]2708 return PyLong_FromLong(bytes);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2709}
2710
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2711PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2712"RAND_egd(path) -> bytes\n\
2713\n\
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2714Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
2715Returns number of bytes read. Raises SSLError if connection to EGD\n\
2716fails or if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2717
2718#endif
2719
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]2720
2721
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2722/* List of functions exported by this module. */
2723
2724static PyMethodDef PySSL_methods[] = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2725 {"_test_decode_cert", PySSL_test_decode_certificate,
2726 METH_VARARGS},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2727#ifdef HAVE_OPENSSL_RAND
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2728 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
2729 PySSL_RAND_add_doc},
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]2730 {"RAND_bytes", PySSL_RAND_bytes, METH_VARARGS,
2731 PySSL_RAND_bytes_doc},
2732 {"RAND_pseudo_bytes", PySSL_RAND_pseudo_bytes, METH_VARARGS,
2733 PySSL_RAND_pseudo_bytes_doc},
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2734 {"RAND_egd", PySSL_RAND_egd, METH_VARARGS,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2735 PySSL_RAND_egd_doc},
2736 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
2737 PySSL_RAND_status_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2738#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2739 {NULL, NULL} /* Sentinel */
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2740};
2741
2742
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2743#ifdef WITH_THREAD
2744
2745/* an implementation of OpenSSL threading operations in terms
2746 of the Python C thread library */
2747
2748static PyThread_type_lock *_ssl_locks = NULL;
2749
2750static unsigned long _ssl_thread_id_function (void) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2751 return PyThread_get_thread_ident();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2752}
2753
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]2754static void _ssl_thread_locking_function
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2755 (int mode, int n, const char *file, int line) {
2756 /* this function is needed to perform locking on shared data
2757 structures. (Note that OpenSSL uses a number of global data
2758 structures that will be implicitly shared whenever multiple
2759 threads use OpenSSL.) Multi-threaded applications will
2760 crash at random if it is not set.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2761
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2762 locking_function() must be able to handle up to
2763 CRYPTO_num_locks() different mutex locks. It sets the n-th
2764 lock if mode & CRYPTO_LOCK, and releases it otherwise.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2765
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2766 file and line are the file number of the function setting the
2767 lock. They can be useful for debugging.
2768 */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2769
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2770 if ((_ssl_locks == NULL) ||
2771 (n < 0) || ((unsigned)n >= _ssl_locks_count))
2772 return;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2773
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2774 if (mode & CRYPTO_LOCK) {
2775 PyThread_acquire_lock(_ssl_locks[n], 1);
2776 } else {
2777 PyThread_release_lock(_ssl_locks[n]);
2778 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2779}
2780
2781static int _setup_ssl_threads(void) {
2782
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2783 unsigned int i;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2784
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2785 if (_ssl_locks == NULL) {
2786 _ssl_locks_count = CRYPTO_num_locks();
2787 _ssl_locks = (PyThread_type_lock *)
2788 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
2789 if (_ssl_locks == NULL)
2790 return 0;
2791 memset(_ssl_locks, 0,
2792 sizeof(PyThread_type_lock) * _ssl_locks_count);
2793 for (i = 0; i < _ssl_locks_count; i++) {
2794 _ssl_locks[i] = PyThread_allocate_lock();
2795 if (_ssl_locks[i] == NULL) {
2796 unsigned int j;
2797 for (j = 0; j < i; j++) {
2798 PyThread_free_lock(_ssl_locks[j]);
2799 }
2800 free(_ssl_locks);
2801 return 0;
2802 }
2803 }
2804 CRYPTO_set_locking_callback(_ssl_thread_locking_function);
2805 CRYPTO_set_id_callback(_ssl_thread_id_function);
2806 }
2807 return 1;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2808}
2809
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2810#endif /* def HAVE_THREAD */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2811
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2812PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2813"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2814for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2815
Martin v. Löwis1a214512008-06-11 05:26:20 +0000[diff] [blame]2816
2817static struct PyModuleDef _sslmodule = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2818 PyModuleDef_HEAD_INIT,
2819 "_ssl",
2820 module_doc,
2821 -1,
2822 PySSL_methods,
2823 NULL,
2824 NULL,
2825 NULL,
2826 NULL
Martin v. Löwis1a214512008-06-11 05:26:20 +0000[diff] [blame]2827};
2828
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]2829
2830static void
2831parse_openssl_version(unsigned long libver,
2832 unsigned int *major, unsigned int *minor,
2833 unsigned int *fix, unsigned int *patch,
2834 unsigned int *status)
2835{
2836 *status = libver & 0xF;
2837 libver >>= 4;
2838 *patch = libver & 0xFF;
2839 libver >>= 8;
2840 *fix = libver & 0xFF;
2841 libver >>= 8;
2842 *minor = libver & 0xFF;
2843 libver >>= 8;
2844 *major = libver & 0xFF;
2845}
2846
Mark Hammondfe51c6d2002-08-02 02:27:13 +0000[diff] [blame]2847PyMODINIT_FUNC
Martin v. Löwis1a214512008-06-11 05:26:20 +0000[diff] [blame]2848PyInit__ssl(void)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2849{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2850 PyObject *m, *d, *r;
2851 unsigned long libver;
2852 unsigned int major, minor, fix, patch, status;
2853 PySocketModule_APIObject *socket_api;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]2854 struct py_ssl_error_code *errcode;
2855 struct py_ssl_library_code *libcode;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2856
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2857 if (PyType_Ready(&PySSLContext_Type) < 0)
2858 return NULL;
2859 if (PyType_Ready(&PySSLSocket_Type) < 0)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2860 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2861
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2862 m = PyModule_Create(&_sslmodule);
2863 if (m == NULL)
2864 return NULL;
2865 d = PyModule_GetDict(m);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2866
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2867 /* Load _socket module and its C API */
2868 socket_api = PySocketModule_ImportModuleAndAPI();
2869 if (!socket_api)
2870 return NULL;
2871 PySocketModule = *socket_api;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2872
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2873 /* Init OpenSSL */
2874 SSL_load_error_strings();
2875 SSL_library_init();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2876#ifdef WITH_THREAD
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2877 /* note that this will start threading if not already started */
2878 if (!_setup_ssl_threads()) {
2879 return NULL;
2880 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2881#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2882 OpenSSL_add_all_algorithms();
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2883
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2884 /* Add symbols to module dict */
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]2885 sslerror_type_slots[0].pfunc = PyExc_OSError;
2886 PySSLErrorObject = PyType_FromSpec(&sslerror_type_spec);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2887 if (PySSLErrorObject == NULL)
2888 return NULL;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]2889
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]2890 PySSLZeroReturnErrorObject = PyErr_NewExceptionWithDoc(
2891 "ssl.SSLZeroReturnError", SSLZeroReturnError_doc,
2892 PySSLErrorObject, NULL);
2893 PySSLWantReadErrorObject = PyErr_NewExceptionWithDoc(
2894 "ssl.SSLWantReadError", SSLWantReadError_doc,
2895 PySSLErrorObject, NULL);
2896 PySSLWantWriteErrorObject = PyErr_NewExceptionWithDoc(
2897 "ssl.SSLWantWriteError", SSLWantWriteError_doc,
2898 PySSLErrorObject, NULL);
2899 PySSLSyscallErrorObject = PyErr_NewExceptionWithDoc(
2900 "ssl.SSLSyscallError", SSLSyscallError_doc,
2901 PySSLErrorObject, NULL);
2902 PySSLEOFErrorObject = PyErr_NewExceptionWithDoc(
2903 "ssl.SSLEOFError", SSLEOFError_doc,
2904 PySSLErrorObject, NULL);
2905 if (PySSLZeroReturnErrorObject == NULL
2906 || PySSLWantReadErrorObject == NULL
2907 || PySSLWantWriteErrorObject == NULL
2908 || PySSLSyscallErrorObject == NULL
2909 || PySSLEOFErrorObject == NULL)
2910 return NULL;
2911 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0
2912 || PyDict_SetItemString(d, "SSLZeroReturnError", PySSLZeroReturnErrorObject) != 0
2913 || PyDict_SetItemString(d, "SSLWantReadError", PySSLWantReadErrorObject) != 0
2914 || PyDict_SetItemString(d, "SSLWantWriteError", PySSLWantWriteErrorObject) != 0
2915 || PyDict_SetItemString(d, "SSLSyscallError", PySSLSyscallErrorObject) != 0
2916 || PyDict_SetItemString(d, "SSLEOFError", PySSLEOFErrorObject) != 0)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2917 return NULL;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2918 if (PyDict_SetItemString(d, "_SSLContext",
2919 (PyObject *)&PySSLContext_Type) != 0)
2920 return NULL;
2921 if (PyDict_SetItemString(d, "_SSLSocket",
2922 (PyObject *)&PySSLSocket_Type) != 0)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2923 return NULL;
2924 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
2925 PY_SSL_ERROR_ZERO_RETURN);
2926 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
2927 PY_SSL_ERROR_WANT_READ);
2928 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
2929 PY_SSL_ERROR_WANT_WRITE);
2930 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
2931 PY_SSL_ERROR_WANT_X509_LOOKUP);
2932 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
2933 PY_SSL_ERROR_SYSCALL);
2934 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
2935 PY_SSL_ERROR_SSL);
2936 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
2937 PY_SSL_ERROR_WANT_CONNECT);
2938 /* non ssl.h errorcodes */
2939 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
2940 PY_SSL_ERROR_EOF);
2941 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
2942 PY_SSL_ERROR_INVALID_ERROR_CODE);
2943 /* cert requirements */
2944 PyModule_AddIntConstant(m, "CERT_NONE",
2945 PY_SSL_CERT_NONE);
2946 PyModule_AddIntConstant(m, "CERT_OPTIONAL",
2947 PY_SSL_CERT_OPTIONAL);
2948 PyModule_AddIntConstant(m, "CERT_REQUIRED",
2949 PY_SSL_CERT_REQUIRED);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]2950
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2951 /* Alert Descriptions from ssl.h */
2952 /* note RESERVED constants no longer intended for use have been removed */
2953 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */
2954
2955#define ADD_AD_CONSTANT(s) \
2956 PyModule_AddIntConstant(m, "ALERT_DESCRIPTION_"#s, \
2957 SSL_AD_##s)
2958
2959 ADD_AD_CONSTANT(CLOSE_NOTIFY);
2960 ADD_AD_CONSTANT(UNEXPECTED_MESSAGE);
2961 ADD_AD_CONSTANT(BAD_RECORD_MAC);
2962 ADD_AD_CONSTANT(RECORD_OVERFLOW);
2963 ADD_AD_CONSTANT(DECOMPRESSION_FAILURE);
2964 ADD_AD_CONSTANT(HANDSHAKE_FAILURE);
2965 ADD_AD_CONSTANT(BAD_CERTIFICATE);
2966 ADD_AD_CONSTANT(UNSUPPORTED_CERTIFICATE);
2967 ADD_AD_CONSTANT(CERTIFICATE_REVOKED);
2968 ADD_AD_CONSTANT(CERTIFICATE_EXPIRED);
2969 ADD_AD_CONSTANT(CERTIFICATE_UNKNOWN);
2970 ADD_AD_CONSTANT(ILLEGAL_PARAMETER);
2971 ADD_AD_CONSTANT(UNKNOWN_CA);
2972 ADD_AD_CONSTANT(ACCESS_DENIED);
2973 ADD_AD_CONSTANT(DECODE_ERROR);
2974 ADD_AD_CONSTANT(DECRYPT_ERROR);
2975 ADD_AD_CONSTANT(PROTOCOL_VERSION);
2976 ADD_AD_CONSTANT(INSUFFICIENT_SECURITY);
2977 ADD_AD_CONSTANT(INTERNAL_ERROR);
2978 ADD_AD_CONSTANT(USER_CANCELLED);
2979 ADD_AD_CONSTANT(NO_RENEGOTIATION);
2980 ADD_AD_CONSTANT(UNSUPPORTED_EXTENSION);
2981 ADD_AD_CONSTANT(CERTIFICATE_UNOBTAINABLE);
2982 ADD_AD_CONSTANT(UNRECOGNIZED_NAME);
2983 /* Not all constants are in old OpenSSL versions */
2984#ifdef SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
2985 ADD_AD_CONSTANT(BAD_CERTIFICATE_STATUS_RESPONSE);
2986#endif
2987#ifdef SSL_AD_BAD_CERTIFICATE_HASH_VALUE
2988 ADD_AD_CONSTANT(BAD_CERTIFICATE_HASH_VALUE);
2989#endif
2990#ifdef SSL_AD_UNKNOWN_PSK_IDENTITY
2991 ADD_AD_CONSTANT(UNKNOWN_PSK_IDENTITY);
2992#endif
2993
2994#undef ADD_AD_CONSTANT
2995
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2996 /* protocol versions */
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2997#ifndef OPENSSL_NO_SSL2
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2998 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
2999 PY_SSL_VERSION_SSL2);
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]3000#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3001 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
3002 PY_SSL_VERSION_SSL3);
3003 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
3004 PY_SSL_VERSION_SSL23);
3005 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
3006 PY_SSL_VERSION_TLS1);
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]3007
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]3008 /* protocol options */
Antoine Pitrou3f366312012-01-27 09:50:45 +0100[diff] [blame]3009 PyModule_AddIntConstant(m, "OP_ALL",
3010 SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]3011 PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
3012 PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
3013 PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]3014 PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
3015 SSL_OP_CIPHER_SERVER_PREFERENCE);
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3016 PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
Antoine Pitroue9fccb32012-02-17 11:53:10 +0100[diff] [blame]3017#ifdef SSL_OP_SINGLE_ECDH_USE
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]3018 PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
Antoine Pitroue9fccb32012-02-17 11:53:10 +0100[diff] [blame]3019#endif
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3020#ifdef SSL_OP_NO_COMPRESSION
3021 PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
3022 SSL_OP_NO_COMPRESSION);
3023#endif
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]3024
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]3025#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
3026 r = Py_True;
3027#else
3028 r = Py_False;
3029#endif
3030 Py_INCREF(r);
3031 PyModule_AddObject(m, "HAS_SNI", r);
3032
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3033#if HAVE_OPENSSL_FINISHED
3034 r = Py_True;
3035#else
3036 r = Py_False;
3037#endif
3038 Py_INCREF(r);
3039 PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
3040
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]3041#ifdef OPENSSL_NO_ECDH
3042 r = Py_False;
3043#else
3044 r = Py_True;
3045#endif
3046 Py_INCREF(r);
3047 PyModule_AddObject(m, "HAS_ECDH", r);
3048
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]3049#ifdef OPENSSL_NPN_NEGOTIATED
3050 r = Py_True;
3051#else
3052 r = Py_False;
3053#endif
3054 Py_INCREF(r);
3055 PyModule_AddObject(m, "HAS_NPN", r);
3056
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]3057 /* Mappings for error codes */
3058 err_codes_to_names = PyDict_New();
3059 err_names_to_codes = PyDict_New();
3060 if (err_codes_to_names == NULL || err_names_to_codes == NULL)
3061 return NULL;
3062 errcode = error_codes;
3063 while (errcode->mnemonic != NULL) {
3064 PyObject *mnemo, *key;
3065 mnemo = PyUnicode_FromString(errcode->mnemonic);
3066 key = Py_BuildValue("ii", errcode->library, errcode->reason);
3067 if (mnemo == NULL || key == NULL)
3068 return NULL;
3069 if (PyDict_SetItem(err_codes_to_names, key, mnemo))
3070 return NULL;
3071 if (PyDict_SetItem(err_names_to_codes, mnemo, key))
3072 return NULL;
3073 Py_DECREF(key);
3074 Py_DECREF(mnemo);
3075 errcode++;
3076 }
3077 if (PyModule_AddObject(m, "err_codes_to_names", err_codes_to_names))
3078 return NULL;
3079 if (PyModule_AddObject(m, "err_names_to_codes", err_names_to_codes))
3080 return NULL;
3081
3082 lib_codes_to_names = PyDict_New();
3083 if (lib_codes_to_names == NULL)
3084 return NULL;
3085 libcode = library_codes;
3086 while (libcode->library != NULL) {
3087 PyObject *mnemo, *key;
3088 key = PyLong_FromLong(libcode->code);
3089 mnemo = PyUnicode_FromString(libcode->library);
3090 if (key == NULL || mnemo == NULL)
3091 return NULL;
3092 if (PyDict_SetItem(lib_codes_to_names, key, mnemo))
3093 return NULL;
3094 Py_DECREF(key);
3095 Py_DECREF(mnemo);
3096 libcode++;
3097 }
3098 if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names))
3099 return NULL;
3100
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3101 /* OpenSSL version */
3102 /* SSLeay() gives us the version of the library linked against,
3103 which could be different from the headers version.
3104 */
3105 libver = SSLeay();
3106 r = PyLong_FromUnsignedLong(libver);
3107 if (r == NULL)
3108 return NULL;
3109 if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r))
3110 return NULL;
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]3111 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3112 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
3113 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
3114 return NULL;
3115 r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
3116 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
3117 return NULL;
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]3118
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]3119 libver = OPENSSL_VERSION_NUMBER;
3120 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
3121 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
3122 if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
3123 return NULL;
3124
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3125 return m;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]3126}