Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 2ae3c91db290af53360571e06f76a7e0c5549b3f / . / Modules / _ssl.c
blob: 5f541f5aba504853b852351cf36d51144fc9f38d [file] [log] [blame]
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1/* SSL socket module
2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4
5 This module is imported by socket.py. It should *not* be used
6 directly.
7
8*/
9
10#include "Python.h"
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]11enum py_ssl_error {
12 /* these mirror ssl.h */
13 PY_SSL_ERROR_NONE,
14 PY_SSL_ERROR_SSL,
15 PY_SSL_ERROR_WANT_READ,
16 PY_SSL_ERROR_WANT_WRITE,
17 PY_SSL_ERROR_WANT_X509_LOOKUP,
18 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
19 PY_SSL_ERROR_ZERO_RETURN,
20 PY_SSL_ERROR_WANT_CONNECT,
21 /* start of non ssl.h errorcodes */
22 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
23 PY_SSL_ERROR_INVALID_ERROR_CODE
24};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]25
26/* Include symbols from _socket module */
27#include "socketmodule.h"
28
29/* Include OpenSSL header files */
30#include "openssl/rsa.h"
31#include "openssl/crypto.h"
32#include "openssl/x509.h"
33#include "openssl/pem.h"
34#include "openssl/ssl.h"
35#include "openssl/err.h"
36#include "openssl/rand.h"
37
38/* SSL error object */
39static PyObject *PySSLErrorObject;
40
41/* SSL socket object */
42
43#define X509_NAME_MAXLEN 256
44
45/* RAND_* APIs got added to OpenSSL in 0.9.5 */
46#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
47# define HAVE_OPENSSL_RAND 1
48#else
49# undef HAVE_OPENSSL_RAND
50#endif
51
52typedef struct {
53 PyObject_HEAD
54 PySocketSockObject *Socket; /* Socket on which we're layered */
55 SSL_CTX* ctx;
56 SSL* ssl;
57 X509* server_cert;
58 BIO* sbio;
59 char server[X509_NAME_MAXLEN];
60 char issuer[X509_NAME_MAXLEN];
61
62} PySSLObject;
63
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]64static PyTypeObject PySSL_Type;
65static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
66static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]67static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
68 int writing);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]69
70#define PySSLObject_Check(v) ((v)->ob_type == &PySSL_Type)
71
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]72typedef enum {
73 SOCKET_IS_NONBLOCKING,
74 SOCKET_IS_BLOCKING,
75 SOCKET_HAS_TIMED_OUT,
76 SOCKET_HAS_BEEN_CLOSED,
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]77 SOCKET_TOO_LARGE_FOR_SELECT,
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]78 SOCKET_OPERATION_OK
79} timeout_state;
80
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]81/* XXX It might be helpful to augment the error message generated
82 below with the name of the SSL function that generated the error.
83 I expect it's obvious most of the time.
84*/
85
86static PyObject *
87PySSL_SetError(PySSLObject *obj, int ret)
88{
89 PyObject *v, *n, *s;
90 char *errstr;
91 int err;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]92 enum py_ssl_error p;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]93
94 assert(ret <= 0);
95
96 err = SSL_get_error(obj->ssl, ret);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]97
98 switch (err) {
99 case SSL_ERROR_ZERO_RETURN:
100 errstr = "TLS/SSL connection has been closed";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]101 p = PY_SSL_ERROR_ZERO_RETURN;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]102 break;
103 case SSL_ERROR_WANT_READ:
104 errstr = "The operation did not complete (read)";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]105 p = PY_SSL_ERROR_WANT_READ;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]106 break;
107 case SSL_ERROR_WANT_WRITE:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]108 p = PY_SSL_ERROR_WANT_WRITE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]109 errstr = "The operation did not complete (write)";
110 break;
111 case SSL_ERROR_WANT_X509_LOOKUP:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]112 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]113 errstr = "The operation did not complete (X509 lookup)";
114 break;
115 case SSL_ERROR_WANT_CONNECT:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]116 p = PY_SSL_ERROR_WANT_CONNECT;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]117 errstr = "The operation did not complete (connect)";
118 break;
119 case SSL_ERROR_SYSCALL:
120 {
121 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]122 if (e == 0) {
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]123 if (ret == 0 || !obj->Socket) {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]124 p = PY_SSL_ERROR_EOF;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]125 errstr = "EOF occurred in violation of protocol";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]126 } else if (ret == -1) {
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]127 /* the underlying BIO reported an I/O error */
128 return obj->Socket->errorhandler();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]129 } else { /* possible? */
130 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]131 errstr = "Some I/O error occurred";
132 }
133 } else {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]134 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]135 /* XXX Protected by global interpreter lock */
136 errstr = ERR_error_string(e, NULL);
137 }
138 break;
139 }
140 case SSL_ERROR_SSL:
141 {
142 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]143 p = PY_SSL_ERROR_SSL;
144 if (e != 0)
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]145 /* XXX Protected by global interpreter lock */
146 errstr = ERR_error_string(e, NULL);
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]147 else { /* possible? */
148 errstr = "A failure in the SSL library occurred";
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]149 }
150 break;
151 }
152 default:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]153 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]154 errstr = "Invalid error code";
155 }
156 n = PyInt_FromLong((long) p);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]157 if (n == NULL)
158 return NULL;
159 v = PyTuple_New(2);
160 if (v == NULL) {
161 Py_DECREF(n);
162 return NULL;
163 }
164
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]165 s = PyString_FromString(errstr);
166 if (s == NULL) {
167 Py_DECREF(v);
168 Py_DECREF(n);
169 }
170 PyTuple_SET_ITEM(v, 0, n);
171 PyTuple_SET_ITEM(v, 1, s);
172 PyErr_SetObject(PySSLErrorObject, v);
Michael W. Hudson5910d812004-08-04 14:59:00 +0000[diff] [blame]173 Py_DECREF(v);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]174 return NULL;
175}
176
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]177static PySSLObject *
178newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file)
179{
180 PySSLObject *self;
181 char *errstr = NULL;
182 int ret;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]183 int err;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]184 int sockstate;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]185
186 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
187 if (self == NULL){
188 errstr = "newPySSLObject error";
189 goto fail;
190 }
191 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
192 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
193 self->server_cert = NULL;
194 self->ssl = NULL;
195 self->ctx = NULL;
196 self->Socket = NULL;
197
198 if ((key_file && !cert_file) || (!key_file && cert_file)) {
199 errstr = "Both the key & certificate files must be specified";
200 goto fail;
201 }
202
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]203 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]204 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]205 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]206 if (self->ctx == NULL) {
207 errstr = "SSL_CTX_new error";
208 goto fail;
209 }
210
211 if (key_file) {
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]212 Py_BEGIN_ALLOW_THREADS
213 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
214 SSL_FILETYPE_PEM);
215 Py_END_ALLOW_THREADS
216 if (ret < 1) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]217 errstr = "SSL_CTX_use_PrivateKey_file error";
218 goto fail;
219 }
220
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]221 Py_BEGIN_ALLOW_THREADS
222 ret = SSL_CTX_use_certificate_chain_file(self->ctx,
223 cert_file);
224 Py_END_ALLOW_THREADS
Andrew M. Kuchling27d3dda2004-07-10 21:36:55 +0000[diff] [blame]225 SSL_CTX_set_options(self->ctx, SSL_OP_ALL); /* ssl compatibility */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]226 if (ret < 1) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]227 errstr = "SSL_CTX_use_certificate_chain_file error";
228 goto fail;
229 }
230 }
231
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]232 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]233 SSL_CTX_set_verify(self->ctx,
234 SSL_VERIFY_NONE, NULL); /* set verify lvl */
235 self->ssl = SSL_new(self->ctx); /* New ssl struct */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]236 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]237 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]238
Walter Dörwaldf0dfc7a2003-10-20 14:01:56 +0000[diff] [blame]239 /* If the socket is in non-blocking mode or timeout mode, set the BIO
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]240 * to non-blocking mode (blocking is the default)
241 */
242 if (Sock->sock_timeout >= 0.0) {
243 /* Set both the read and write BIO's to non-blocking mode */
244 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
245 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
246 }
247
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]248 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]249 SSL_set_connect_state(self->ssl);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]250 Py_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]251
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]252 /* Actually negotiate SSL connection */
253 /* XXX If SSL_connect() returns 0, it's also a failure. */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]254 sockstate = 0;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]255 do {
256 Py_BEGIN_ALLOW_THREADS
257 ret = SSL_connect(self->ssl);
258 err = SSL_get_error(self->ssl, ret);
259 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]260 if(PyErr_CheckSignals()) {
261 goto fail;
262 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]263 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]264 sockstate = check_socket_and_wait_for_timeout(Sock, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]265 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]266 sockstate = check_socket_and_wait_for_timeout(Sock, 1);
267 } else {
268 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]269 }
Neal Norwitz19cbcad2006-02-07 06:59:20 +0000[diff] [blame]270 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]271 PyErr_SetString(PySSLErrorObject, "The connect operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]272 goto fail;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]273 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
274 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
275 goto fail;
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]276 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]277 PyErr_SetString(PySSLErrorObject, "Underlying socket too large for select().");
278 goto fail;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]279 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
280 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]281 }
282 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]283 if (ret <= 0) {
284 PySSL_SetError(self, ret);
285 goto fail;
286 }
287 self->ssl->debug = 1;
288
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]289 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]290 if ((self->server_cert = SSL_get_peer_certificate(self->ssl))) {
291 X509_NAME_oneline(X509_get_subject_name(self->server_cert),
292 self->server, X509_NAME_MAXLEN);
293 X509_NAME_oneline(X509_get_issuer_name(self->server_cert),
294 self->issuer, X509_NAME_MAXLEN);
295 }
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]296 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]297 self->Socket = Sock;
298 Py_INCREF(self->Socket);
299 return self;
300 fail:
301 if (errstr)
302 PyErr_SetString(PySSLErrorObject, errstr);
303 Py_DECREF(self);
304 return NULL;
305}
306
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]307static PyObject *
308PySocket_ssl(PyObject *self, PyObject *args)
309{
310 PySSLObject *rv;
311 PySocketSockObject *Sock;
312 char *key_file = NULL;
313 char *cert_file = NULL;
314
315 if (!PyArg_ParseTuple(args, "O!|zz:ssl",
316 PySocketModule.Sock_Type,
317 (PyObject*)&Sock,
318 &key_file, &cert_file))
319 return NULL;
320
321 rv = newPySSLObject(Sock, key_file, cert_file);
322 if (rv == NULL)
323 return NULL;
324 return (PyObject *)rv;
325}
326
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]327PyDoc_STRVAR(ssl_doc,
328"ssl(socket, [keyfile, certfile]) -> sslobject");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]329
330/* SSL object methods */
331
332static PyObject *
333PySSL_server(PySSLObject *self)
334{
335 return PyString_FromString(self->server);
336}
337
338static PyObject *
339PySSL_issuer(PySSLObject *self)
340{
341 return PyString_FromString(self->issuer);
342}
343
344
345static void PySSL_dealloc(PySSLObject *self)
346{
347 if (self->server_cert) /* Possible not to have one? */
348 X509_free (self->server_cert);
349 if (self->ssl)
350 SSL_free(self->ssl);
351 if (self->ctx)
352 SSL_CTX_free(self->ctx);
353 Py_XDECREF(self->Socket);
354 PyObject_Del(self);
355}
356
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]357/* If the socket has a timeout, do a select() on the socket.
358 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]359 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]360 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]361
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]362static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]363check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]364{
365 fd_set fds;
366 struct timeval tv;
367 int rc;
368
369 /* Nothing to do unless we're in timeout mode (not non-blocking) */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]370 if (s->sock_timeout < 0.0)
371 return SOCKET_IS_BLOCKING;
372 else if (s->sock_timeout == 0.0)
373 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]374
375 /* Guard against closed socket */
376 if (s->sock_fd < 0)
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]377 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]378
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]379 /* Guard against socket too large for select*/
Martin v. Löwisf84d1b92006-02-11 09:27:05 +0000[diff] [blame]380#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]381 if (s->sock_fd >= FD_SETSIZE)
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]382 return SOCKET_TOO_LARGE_FOR_SELECT;
Martin v. Löwisf84d1b92006-02-11 09:27:05 +0000[diff] [blame]383#endif
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]384
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]385 /* Construct the arguments to select */
386 tv.tv_sec = (int)s->sock_timeout;
387 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
388 FD_ZERO(&fds);
389 FD_SET(s->sock_fd, &fds);
390
391 /* See if the socket is ready */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]392 Py_BEGIN_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]393 if (writing)
394 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
395 else
396 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]397 Py_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]398
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]399 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
400 (when we are able to write or when there's something to read) */
401 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]402}
403
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]404static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
405{
406 char *data;
407 int len;
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]408 int count;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]409 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]410 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]411
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]412 if (!PyArg_ParseTuple(args, "s#:write", &data, &count))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]413 return NULL;
414
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]415 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
416 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]417 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
418 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]419 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
420 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
421 return NULL;
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]422 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]423 PyErr_SetString(PySSLErrorObject, "Underlying socket too large for select().");
424 return NULL;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]425 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]426 do {
427 err = 0;
428 Py_BEGIN_ALLOW_THREADS
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]429 len = SSL_write(self->ssl, data, count);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]430 err = SSL_get_error(self->ssl, len);
431 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]432 if(PyErr_CheckSignals()) {
433 return NULL;
434 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]435 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]436 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]437 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]438 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
439 } else {
440 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]441 }
Neal Norwitz19cbcad2006-02-07 06:59:20 +0000[diff] [blame]442 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]443 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
444 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]445 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
446 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
447 return NULL;
448 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
449 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]450 }
451 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]452 if (len > 0)
453 return PyInt_FromLong(len);
454 else
455 return PySSL_SetError(self, len);
456}
457
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]458PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]459"write(s) -> len\n\
460\n\
461Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]462of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]463
464static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
465{
466 PyObject *buf;
467 int count = 0;
468 int len = 1024;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]469 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]470 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]471
472 if (!PyArg_ParseTuple(args, "|i:read", &len))
473 return NULL;
474
475 if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
476 return NULL;
477
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]478 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
479 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]480 PyErr_SetString(PySSLErrorObject, "The read operation timed out");
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]481 Py_DECREF(buf);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]482 return NULL;
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]483 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]484 PyErr_SetString(PySSLErrorObject, "Underlying socket too large for select().");
485 return NULL;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]486 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]487 do {
488 err = 0;
489 Py_BEGIN_ALLOW_THREADS
490 count = SSL_read(self->ssl, PyString_AsString(buf), len);
491 err = SSL_get_error(self->ssl, count);
492 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]493 if(PyErr_CheckSignals()) {
494 Py_DECREF(buf);
495 return NULL;
496 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]497 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]498 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]499 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]500 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
501 } else {
502 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]503 }
Neal Norwitz19cbcad2006-02-07 06:59:20 +0000[diff] [blame]504 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]505 PyErr_SetString(PySSLErrorObject, "The read operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]506 Py_DECREF(buf);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]507 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]508 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
509 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]510 }
511 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]512 if (count <= 0) {
513 Py_DECREF(buf);
514 return PySSL_SetError(self, count);
515 }
Tim Peters5de98422002-04-27 18:44:32 +0000[diff] [blame]516 if (count != len)
517 _PyString_Resize(&buf, count);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]518 return buf;
519}
520
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]521PyDoc_STRVAR(PySSL_SSLread_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]522"read([len]) -> string\n\
523\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]524Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]525
526static PyMethodDef PySSLMethods[] = {
527 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
528 PySSL_SSLwrite_doc},
529 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
530 PySSL_SSLread_doc},
531 {"server", (PyCFunction)PySSL_server, METH_NOARGS},
532 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
533 {NULL, NULL}
534};
535
536static PyObject *PySSL_getattr(PySSLObject *self, char *name)
537{
538 return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
539}
540
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]541static PyTypeObject PySSL_Type = {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]542 PyObject_HEAD_INIT(NULL)
543 0, /*ob_size*/
544 "socket.SSL", /*tp_name*/
545 sizeof(PySSLObject), /*tp_basicsize*/
546 0, /*tp_itemsize*/
547 /* methods */
548 (destructor)PySSL_dealloc, /*tp_dealloc*/
549 0, /*tp_print*/
550 (getattrfunc)PySSL_getattr, /*tp_getattr*/
551 0, /*tp_setattr*/
552 0, /*tp_compare*/
553 0, /*tp_repr*/
554 0, /*tp_as_number*/
555 0, /*tp_as_sequence*/
556 0, /*tp_as_mapping*/
557 0, /*tp_hash*/
558};
559
560#ifdef HAVE_OPENSSL_RAND
561
562/* helper routines for seeding the SSL PRNG */
563static PyObject *
564PySSL_RAND_add(PyObject *self, PyObject *args)
565{
566 char *buf;
567 int len;
568 double entropy;
569
570 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
571 return NULL;
572 RAND_add(buf, len, entropy);
573 Py_INCREF(Py_None);
574 return Py_None;
575}
576
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]577PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]578"RAND_add(string, entropy)\n\
579\n\
580Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]581bound on the entropy contained in string.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]582
583static PyObject *
584PySSL_RAND_status(PyObject *self)
585{
586 return PyInt_FromLong(RAND_status());
587}
588
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]589PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]590"RAND_status() -> 0 or 1\n\
591\n\
592Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
593It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]594using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]595
596static PyObject *
597PySSL_RAND_egd(PyObject *self, PyObject *arg)
598{
599 int bytes;
600
601 if (!PyString_Check(arg))
602 return PyErr_Format(PyExc_TypeError,
603 "RAND_egd() expected string, found %s",
604 arg->ob_type->tp_name);
605 bytes = RAND_egd(PyString_AS_STRING(arg));
606 if (bytes == -1) {
607 PyErr_SetString(PySSLErrorObject,
608 "EGD connection failed or EGD did not return "
609 "enough data to seed the PRNG");
610 return NULL;
611 }
612 return PyInt_FromLong(bytes);
613}
614
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]615PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]616"RAND_egd(path) -> bytes\n\
617\n\
618Queries the entropy gather daemon (EGD) on socket path. Returns number\n\
619of bytes read. Raises socket.sslerror if connection to EGD fails or\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]620if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]621
622#endif
623
624/* List of functions exported by this module. */
625
626static PyMethodDef PySSL_methods[] = {
627 {"ssl", PySocket_ssl,
628 METH_VARARGS, ssl_doc},
629#ifdef HAVE_OPENSSL_RAND
630 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
631 PySSL_RAND_add_doc},
632 {"RAND_egd", PySSL_RAND_egd, METH_O,
633 PySSL_RAND_egd_doc},
634 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
635 PySSL_RAND_status_doc},
636#endif
637 {NULL, NULL} /* Sentinel */
638};
639
640
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]641PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]642"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]643for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]644
Mark Hammondfe51c6d2002-08-02 02:27:13 +0000[diff] [blame]645PyMODINIT_FUNC
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]646init_ssl(void)
647{
648 PyObject *m, *d;
649
650 PySSL_Type.ob_type = &PyType_Type;
651
652 m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
Neal Norwitz1ac754f2006-01-19 06:09:39 +0000[diff] [blame]653 if (m == NULL)
654 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]655 d = PyModule_GetDict(m);
656
657 /* Load _socket module and its C API */
658 if (PySocketModule_ImportModuleAndAPI())
659 return;
660
661 /* Init OpenSSL */
662 SSL_load_error_strings();
663 SSLeay_add_ssl_algorithms();
664
665 /* Add symbols to module dict */
Brett Cannon06c34792004-03-23 23:16:54 +0000[diff] [blame]666 PySSLErrorObject = PyErr_NewException("socket.sslerror",
667 PySocketModule.error,
668 NULL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]669 if (PySSLErrorObject == NULL)
670 return;
671 PyDict_SetItemString(d, "sslerror", PySSLErrorObject);
672 if (PyDict_SetItemString(d, "SSLType",
673 (PyObject *)&PySSL_Type) != 0)
674 return;
675 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]676 PY_SSL_ERROR_ZERO_RETURN);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]677 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]678 PY_SSL_ERROR_WANT_READ);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]679 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]680 PY_SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]681 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]682 PY_SSL_ERROR_WANT_X509_LOOKUP);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]683 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]684 PY_SSL_ERROR_SYSCALL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]685 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]686 PY_SSL_ERROR_SSL);
687 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
688 PY_SSL_ERROR_WANT_CONNECT);
689 /* non ssl.h errorcodes */
690 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
691 PY_SSL_ERROR_EOF);
692 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
693 PY_SSL_ERROR_INVALID_ERROR_CODE);
694
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]695}