Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 1 | /* SSL socket module |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2 | |
| 3 | SSL support based on patches by Brian E Gallew and Laszlo Kovacs. |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 4 | Re-worked a bit by Bill Janssen to add server-side support and |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 5 | certificate decoding. Chris Stawarz contributed some non-blocking |
| 6 | patches. |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 7 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 8 | This module is imported by ssl.py. It should *not* be used |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 9 | directly. |
| 10 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 11 | XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE? |
Antoine Pitrou | 2c4f98b | 2010-04-23 00:16:21 +0000 | [diff] [blame] | 12 | |
| 13 | XXX integrate several "shutdown modes" as suggested in |
| 14 | http://bugs.python.org/issue8108#msg102867 ? |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 15 | */ |
| 16 | |
| 17 | #include "Python.h" |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 18 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 19 | #ifdef WITH_THREAD |
| 20 | #include "pythread.h" |
| 21 | #define PySSL_BEGIN_ALLOW_THREADS { \ |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 22 | PyThreadState *_save = NULL; \ |
| 23 | if (_ssl_locks_count>0) {_save = PyEval_SaveThread();} |
| 24 | #define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)}; |
| 25 | #define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()}; |
| 26 | #define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \ |
| 27 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 28 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 29 | #else /* no WITH_THREAD */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 30 | |
| 31 | #define PySSL_BEGIN_ALLOW_THREADS |
| 32 | #define PySSL_BLOCK_THREADS |
| 33 | #define PySSL_UNBLOCK_THREADS |
| 34 | #define PySSL_END_ALLOW_THREADS |
| 35 | |
| 36 | #endif |
| 37 | |
Martin v. Löwis | 6af3e2d | 2002-04-20 07:47:40 +0000 | [diff] [blame] | 38 | enum py_ssl_error { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 39 | /* these mirror ssl.h */ |
| 40 | PY_SSL_ERROR_NONE, |
| 41 | PY_SSL_ERROR_SSL, |
| 42 | PY_SSL_ERROR_WANT_READ, |
| 43 | PY_SSL_ERROR_WANT_WRITE, |
| 44 | PY_SSL_ERROR_WANT_X509_LOOKUP, |
| 45 | PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */ |
| 46 | PY_SSL_ERROR_ZERO_RETURN, |
| 47 | PY_SSL_ERROR_WANT_CONNECT, |
| 48 | /* start of non ssl.h errorcodes */ |
| 49 | PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */ |
| 50 | PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */ |
| 51 | PY_SSL_ERROR_INVALID_ERROR_CODE |
Martin v. Löwis | 6af3e2d | 2002-04-20 07:47:40 +0000 | [diff] [blame] | 52 | }; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 53 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 54 | enum py_ssl_server_or_client { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 55 | PY_SSL_CLIENT, |
| 56 | PY_SSL_SERVER |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 57 | }; |
| 58 | |
| 59 | enum py_ssl_cert_requirements { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 60 | PY_SSL_CERT_NONE, |
| 61 | PY_SSL_CERT_OPTIONAL, |
| 62 | PY_SSL_CERT_REQUIRED |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 63 | }; |
| 64 | |
| 65 | enum py_ssl_version { |
Victor Stinner | ee18b6f | 2011-05-10 00:38:00 +0200 | [diff] [blame] | 66 | #ifndef OPENSSL_NO_SSL2 |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 67 | PY_SSL_VERSION_SSL2, |
Victor Stinner | ee18b6f | 2011-05-10 00:38:00 +0200 | [diff] [blame] | 68 | #endif |
| 69 | PY_SSL_VERSION_SSL3=1, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 70 | PY_SSL_VERSION_SSL23, |
| 71 | PY_SSL_VERSION_TLS1 |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 72 | }; |
| 73 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 74 | /* Include symbols from _socket module */ |
| 75 | #include "socketmodule.h" |
| 76 | |
Benjamin Peterson | b173f78 | 2009-05-05 22:31:58 +0000 | [diff] [blame] | 77 | static PySocketModule_APIObject PySocketModule; |
| 78 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 79 | #if defined(HAVE_POLL_H) |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 80 | #include <poll.h> |
| 81 | #elif defined(HAVE_SYS_POLL_H) |
| 82 | #include <sys/poll.h> |
| 83 | #endif |
| 84 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 85 | /* Include OpenSSL header files */ |
| 86 | #include "openssl/rsa.h" |
| 87 | #include "openssl/crypto.h" |
| 88 | #include "openssl/x509.h" |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 89 | #include "openssl/x509v3.h" |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 90 | #include "openssl/pem.h" |
| 91 | #include "openssl/ssl.h" |
| 92 | #include "openssl/err.h" |
| 93 | #include "openssl/rand.h" |
| 94 | |
| 95 | /* SSL error object */ |
| 96 | static PyObject *PySSLErrorObject; |
| 97 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 98 | #ifdef WITH_THREAD |
| 99 | |
| 100 | /* serves as a flag to see whether we've initialized the SSL thread support. */ |
| 101 | /* 0 means no, greater than 0 means yes */ |
| 102 | |
| 103 | static unsigned int _ssl_locks_count = 0; |
| 104 | |
| 105 | #endif /* def WITH_THREAD */ |
| 106 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 107 | /* SSL socket object */ |
| 108 | |
| 109 | #define X509_NAME_MAXLEN 256 |
| 110 | |
| 111 | /* RAND_* APIs got added to OpenSSL in 0.9.5 */ |
| 112 | #if OPENSSL_VERSION_NUMBER >= 0x0090500fL |
| 113 | # define HAVE_OPENSSL_RAND 1 |
| 114 | #else |
| 115 | # undef HAVE_OPENSSL_RAND |
| 116 | #endif |
| 117 | |
Gregory P. Smith | bd4dacb | 2010-10-13 03:53:21 +0000 | [diff] [blame] | 118 | /* SSL_CTX_clear_options() and SSL_clear_options() were first added in |
| 119 | * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the |
| 120 | * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */ |
| 121 | #if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x00909000L |
Antoine Pitrou | b521877 | 2010-05-21 09:56:06 +0000 | [diff] [blame] | 122 | # define HAVE_SSL_CTX_CLEAR_OPTIONS |
| 123 | #else |
| 124 | # undef HAVE_SSL_CTX_CLEAR_OPTIONS |
| 125 | #endif |
| 126 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 127 | typedef struct { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 128 | PyObject_HEAD |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 129 | SSL_CTX *ctx; |
| 130 | } PySSLContext; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 131 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 132 | typedef struct { |
| 133 | PyObject_HEAD |
| 134 | PyObject *Socket; /* weakref to socket on which we're layered */ |
| 135 | SSL *ssl; |
| 136 | X509 *peer_cert; |
| 137 | int shutdown_seen_zero; |
| 138 | } PySSLSocket; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 139 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 140 | static PyTypeObject PySSLContext_Type; |
| 141 | static PyTypeObject PySSLSocket_Type; |
| 142 | |
| 143 | static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args); |
| 144 | static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args); |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 145 | static int check_socket_and_wait_for_timeout(PySocketSockObject *s, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 146 | int writing); |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 147 | static PyObject *PySSL_peercert(PySSLSocket *self, PyObject *args); |
| 148 | static PyObject *PySSL_cipher(PySSLSocket *self); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 149 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 150 | #define PySSLContext_Check(v) (Py_TYPE(v) == &PySSLContext_Type) |
| 151 | #define PySSLSocket_Check(v) (Py_TYPE(v) == &PySSLSocket_Type) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 152 | |
Andrew M. Kuchling | 9c3efe3 | 2004-07-10 21:15:17 +0000 | [diff] [blame] | 153 | typedef enum { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 154 | SOCKET_IS_NONBLOCKING, |
| 155 | SOCKET_IS_BLOCKING, |
| 156 | SOCKET_HAS_TIMED_OUT, |
| 157 | SOCKET_HAS_BEEN_CLOSED, |
| 158 | SOCKET_TOO_LARGE_FOR_SELECT, |
| 159 | SOCKET_OPERATION_OK |
Andrew M. Kuchling | 9c3efe3 | 2004-07-10 21:15:17 +0000 | [diff] [blame] | 160 | } timeout_state; |
| 161 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 162 | /* Wrap error strings with filename and line # */ |
| 163 | #define STRINGIFY1(x) #x |
| 164 | #define STRINGIFY2(x) STRINGIFY1(x) |
| 165 | #define ERRSTR1(x,y,z) (x ":" y ": " z) |
| 166 | #define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x) |
| 167 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 168 | /* XXX It might be helpful to augment the error message generated |
| 169 | below with the name of the SSL function that generated the error. |
| 170 | I expect it's obvious most of the time. |
| 171 | */ |
| 172 | |
| 173 | static PyObject * |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 174 | PySSL_SetError(PySSLSocket *obj, int ret, char *filename, int lineno) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 175 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 176 | PyObject *v; |
| 177 | char buf[2048]; |
| 178 | char *errstr; |
| 179 | int err; |
| 180 | enum py_ssl_error p = PY_SSL_ERROR_NONE; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 181 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 182 | assert(ret <= 0); |
Martin v. Löwis | 6af3e2d | 2002-04-20 07:47:40 +0000 | [diff] [blame] | 183 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 184 | if (obj->ssl != NULL) { |
| 185 | err = SSL_get_error(obj->ssl, ret); |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 186 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 187 | switch (err) { |
| 188 | case SSL_ERROR_ZERO_RETURN: |
| 189 | errstr = "TLS/SSL connection has been closed"; |
| 190 | p = PY_SSL_ERROR_ZERO_RETURN; |
| 191 | break; |
| 192 | case SSL_ERROR_WANT_READ: |
| 193 | errstr = "The operation did not complete (read)"; |
| 194 | p = PY_SSL_ERROR_WANT_READ; |
| 195 | break; |
| 196 | case SSL_ERROR_WANT_WRITE: |
| 197 | p = PY_SSL_ERROR_WANT_WRITE; |
| 198 | errstr = "The operation did not complete (write)"; |
| 199 | break; |
| 200 | case SSL_ERROR_WANT_X509_LOOKUP: |
| 201 | p = PY_SSL_ERROR_WANT_X509_LOOKUP; |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 202 | errstr = "The operation did not complete (X509 lookup)"; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 203 | break; |
| 204 | case SSL_ERROR_WANT_CONNECT: |
| 205 | p = PY_SSL_ERROR_WANT_CONNECT; |
| 206 | errstr = "The operation did not complete (connect)"; |
| 207 | break; |
| 208 | case SSL_ERROR_SYSCALL: |
| 209 | { |
| 210 | unsigned long e = ERR_get_error(); |
| 211 | if (e == 0) { |
| 212 | PySocketSockObject *s |
| 213 | = (PySocketSockObject *) PyWeakref_GetObject(obj->Socket); |
| 214 | if (ret == 0 || (((PyObject *)s) == Py_None)) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 215 | p = PY_SSL_ERROR_EOF; |
| 216 | errstr = "EOF occurred in violation of protocol"; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 217 | } else if (ret == -1) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 218 | /* underlying BIO reported an I/O error */ |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 219 | Py_INCREF(s); |
Antoine Pitrou | 9d74b42 | 2010-05-16 23:14:22 +0000 | [diff] [blame] | 220 | ERR_clear_error(); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 221 | v = s->errorhandler(); |
| 222 | Py_DECREF(s); |
| 223 | return v; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 224 | } else { /* possible? */ |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 225 | p = PY_SSL_ERROR_SYSCALL; |
| 226 | errstr = "Some I/O error occurred"; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 227 | } |
| 228 | } else { |
| 229 | p = PY_SSL_ERROR_SYSCALL; |
| 230 | /* XXX Protected by global interpreter lock */ |
| 231 | errstr = ERR_error_string(e, NULL); |
| 232 | } |
| 233 | break; |
| 234 | } |
| 235 | case SSL_ERROR_SSL: |
| 236 | { |
| 237 | unsigned long e = ERR_get_error(); |
| 238 | p = PY_SSL_ERROR_SSL; |
| 239 | if (e != 0) |
| 240 | /* XXX Protected by global interpreter lock */ |
| 241 | errstr = ERR_error_string(e, NULL); |
| 242 | else { /* possible? */ |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 243 | errstr = "A failure in the SSL library occurred"; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 244 | } |
| 245 | break; |
| 246 | } |
| 247 | default: |
| 248 | p = PY_SSL_ERROR_INVALID_ERROR_CODE; |
| 249 | errstr = "Invalid error code"; |
| 250 | } |
| 251 | } else { |
| 252 | errstr = ERR_error_string(ERR_peek_last_error(), NULL); |
| 253 | } |
| 254 | PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); |
Antoine Pitrou | 9d74b42 | 2010-05-16 23:14:22 +0000 | [diff] [blame] | 255 | ERR_clear_error(); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 256 | v = Py_BuildValue("(is)", p, buf); |
| 257 | if (v != NULL) { |
| 258 | PyErr_SetObject(PySSLErrorObject, v); |
| 259 | Py_DECREF(v); |
| 260 | } |
| 261 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 262 | } |
| 263 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 264 | static PyObject * |
| 265 | _setSSLError (char *errstr, int errcode, char *filename, int lineno) { |
| 266 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 267 | char buf[2048]; |
| 268 | PyObject *v; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 269 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 270 | if (errstr == NULL) { |
| 271 | errcode = ERR_peek_last_error(); |
| 272 | errstr = ERR_error_string(errcode, NULL); |
| 273 | } |
| 274 | PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); |
Antoine Pitrou | 9d74b42 | 2010-05-16 23:14:22 +0000 | [diff] [blame] | 275 | ERR_clear_error(); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 276 | v = Py_BuildValue("(is)", errcode, buf); |
| 277 | if (v != NULL) { |
| 278 | PyErr_SetObject(PySSLErrorObject, v); |
| 279 | Py_DECREF(v); |
| 280 | } |
| 281 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 282 | } |
| 283 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 284 | static PySSLSocket * |
| 285 | newPySSLSocket(SSL_CTX *ctx, PySocketSockObject *sock, |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 286 | enum py_ssl_server_or_client socket_type, |
| 287 | char *server_hostname) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 288 | { |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 289 | PySSLSocket *self; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 290 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 291 | self = PyObject_New(PySSLSocket, &PySSLSocket_Type); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 292 | if (self == NULL) |
| 293 | return NULL; |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 294 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 295 | self->peer_cert = NULL; |
| 296 | self->ssl = NULL; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 297 | self->Socket = NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 298 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 299 | /* Make sure the SSL error state is initialized */ |
| 300 | (void) ERR_get_state(); |
| 301 | ERR_clear_error(); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 302 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 303 | PySSL_BEGIN_ALLOW_THREADS |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 304 | self->ssl = SSL_new(ctx); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 305 | PySSL_END_ALLOW_THREADS |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 306 | SSL_set_fd(self->ssl, sock->sock_fd); |
Antoine Pitrou | 0ae7b58 | 2010-04-09 20:42:09 +0000 | [diff] [blame] | 307 | #ifdef SSL_MODE_AUTO_RETRY |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 308 | SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY); |
Antoine Pitrou | 0ae7b58 | 2010-04-09 20:42:09 +0000 | [diff] [blame] | 309 | #endif |
Guido van Rossum | 4f707ac | 2003-01-31 18:13:18 +0000 | [diff] [blame] | 310 | |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 311 | #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| 312 | if (server_hostname != NULL) |
| 313 | SSL_set_tlsext_host_name(self->ssl, server_hostname); |
| 314 | #endif |
| 315 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 316 | /* If the socket is in non-blocking mode or timeout mode, set the BIO |
| 317 | * to non-blocking mode (blocking is the default) |
| 318 | */ |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 319 | if (sock->sock_timeout >= 0.0) { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 320 | BIO_set_nbio(SSL_get_rbio(self->ssl), 1); |
| 321 | BIO_set_nbio(SSL_get_wbio(self->ssl), 1); |
| 322 | } |
Guido van Rossum | 4f707ac | 2003-01-31 18:13:18 +0000 | [diff] [blame] | 323 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 324 | PySSL_BEGIN_ALLOW_THREADS |
| 325 | if (socket_type == PY_SSL_CLIENT) |
| 326 | SSL_set_connect_state(self->ssl); |
| 327 | else |
| 328 | SSL_set_accept_state(self->ssl); |
| 329 | PySSL_END_ALLOW_THREADS |
Martin v. Löwis | 09c35f7 | 2002-07-28 09:57:45 +0000 | [diff] [blame] | 330 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 331 | self->Socket = PyWeakref_NewRef((PyObject *) sock, NULL); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 332 | return self; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 333 | } |
| 334 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 335 | /* SSL object methods */ |
| 336 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 337 | static PyObject *PySSL_SSLdo_handshake(PySSLSocket *self) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 338 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 339 | int ret; |
| 340 | int err; |
| 341 | int sockstate, nonblocking; |
| 342 | PySocketSockObject *sock |
| 343 | = (PySocketSockObject *) PyWeakref_GetObject(self->Socket); |
Antoine Pitrou | d3f8ab8 | 2010-04-24 21:26:44 +0000 | [diff] [blame] | 344 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 345 | if (((PyObject*)sock) == Py_None) { |
| 346 | _setSSLError("Underlying socket connection gone", |
| 347 | PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__); |
| 348 | return NULL; |
| 349 | } |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 350 | Py_INCREF(sock); |
Antoine Pitrou | d3f8ab8 | 2010-04-24 21:26:44 +0000 | [diff] [blame] | 351 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 352 | /* just in case the blocking state of the socket has been changed */ |
| 353 | nonblocking = (sock->sock_timeout >= 0.0); |
| 354 | BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); |
| 355 | BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 356 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 357 | /* Actually negotiate SSL connection */ |
| 358 | /* XXX If SSL_do_handshake() returns 0, it's also a failure. */ |
| 359 | sockstate = 0; |
| 360 | do { |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 361 | PySSL_BEGIN_ALLOW_THREADS |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 362 | ret = SSL_do_handshake(self->ssl); |
| 363 | err = SSL_get_error(self->ssl, ret); |
| 364 | PySSL_END_ALLOW_THREADS |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 365 | if (PyErr_CheckSignals()) |
| 366 | goto error; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 367 | if (err == SSL_ERROR_WANT_READ) { |
| 368 | sockstate = check_socket_and_wait_for_timeout(sock, 0); |
| 369 | } else if (err == SSL_ERROR_WANT_WRITE) { |
| 370 | sockstate = check_socket_and_wait_for_timeout(sock, 1); |
| 371 | } else { |
| 372 | sockstate = SOCKET_OPERATION_OK; |
| 373 | } |
| 374 | if (sockstate == SOCKET_HAS_TIMED_OUT) { |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 375 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 376 | ERRSTR("The handshake operation timed out")); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 377 | goto error; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 378 | } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
| 379 | PyErr_SetString(PySSLErrorObject, |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 380 | ERRSTR("Underlying socket has been closed.")); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 381 | goto error; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 382 | } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
| 383 | PyErr_SetString(PySSLErrorObject, |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 384 | ERRSTR("Underlying socket too large for select().")); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 385 | goto error; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 386 | } else if (sockstate == SOCKET_IS_NONBLOCKING) { |
| 387 | break; |
| 388 | } |
| 389 | } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 390 | Py_DECREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 391 | if (ret < 1) |
| 392 | return PySSL_SetError(self, ret, __FILE__, __LINE__); |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 393 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 394 | if (self->peer_cert) |
| 395 | X509_free (self->peer_cert); |
| 396 | PySSL_BEGIN_ALLOW_THREADS |
| 397 | self->peer_cert = SSL_get_peer_certificate(self->ssl); |
| 398 | PySSL_END_ALLOW_THREADS |
| 399 | |
| 400 | Py_INCREF(Py_None); |
| 401 | return Py_None; |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 402 | |
| 403 | error: |
| 404 | Py_DECREF(sock); |
| 405 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 406 | } |
| 407 | |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 408 | static PyObject * |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 409 | _create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) { |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 410 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 411 | char namebuf[X509_NAME_MAXLEN]; |
| 412 | int buflen; |
| 413 | PyObject *name_obj; |
| 414 | PyObject *value_obj; |
| 415 | PyObject *attr; |
| 416 | unsigned char *valuebuf = NULL; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 417 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 418 | buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0); |
| 419 | if (buflen < 0) { |
| 420 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 421 | goto fail; |
| 422 | } |
| 423 | name_obj = PyUnicode_FromStringAndSize(namebuf, buflen); |
| 424 | if (name_obj == NULL) |
| 425 | goto fail; |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 426 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 427 | buflen = ASN1_STRING_to_UTF8(&valuebuf, value); |
| 428 | if (buflen < 0) { |
| 429 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 430 | Py_DECREF(name_obj); |
| 431 | goto fail; |
| 432 | } |
| 433 | value_obj = PyUnicode_DecodeUTF8((char *) valuebuf, |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 434 | buflen, "strict"); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 435 | OPENSSL_free(valuebuf); |
| 436 | if (value_obj == NULL) { |
| 437 | Py_DECREF(name_obj); |
| 438 | goto fail; |
| 439 | } |
| 440 | attr = PyTuple_New(2); |
| 441 | if (attr == NULL) { |
| 442 | Py_DECREF(name_obj); |
| 443 | Py_DECREF(value_obj); |
| 444 | goto fail; |
| 445 | } |
| 446 | PyTuple_SET_ITEM(attr, 0, name_obj); |
| 447 | PyTuple_SET_ITEM(attr, 1, value_obj); |
| 448 | return attr; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 449 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 450 | fail: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 451 | return NULL; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 452 | } |
| 453 | |
| 454 | static PyObject * |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 455 | _create_tuple_for_X509_NAME (X509_NAME *xname) |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 456 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 457 | PyObject *dn = NULL; /* tuple which represents the "distinguished name" */ |
| 458 | PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */ |
| 459 | PyObject *rdnt; |
| 460 | PyObject *attr = NULL; /* tuple to hold an attribute */ |
| 461 | int entry_count = X509_NAME_entry_count(xname); |
| 462 | X509_NAME_ENTRY *entry; |
| 463 | ASN1_OBJECT *name; |
| 464 | ASN1_STRING *value; |
| 465 | int index_counter; |
| 466 | int rdn_level = -1; |
| 467 | int retcode; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 468 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 469 | dn = PyList_New(0); |
| 470 | if (dn == NULL) |
| 471 | return NULL; |
| 472 | /* now create another tuple to hold the top-level RDN */ |
| 473 | rdn = PyList_New(0); |
| 474 | if (rdn == NULL) |
| 475 | goto fail0; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 476 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 477 | for (index_counter = 0; |
| 478 | index_counter < entry_count; |
| 479 | index_counter++) |
| 480 | { |
| 481 | entry = X509_NAME_get_entry(xname, index_counter); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 482 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 483 | /* check to see if we've gotten to a new RDN */ |
| 484 | if (rdn_level >= 0) { |
| 485 | if (rdn_level != entry->set) { |
| 486 | /* yes, new RDN */ |
| 487 | /* add old RDN to DN */ |
| 488 | rdnt = PyList_AsTuple(rdn); |
| 489 | Py_DECREF(rdn); |
| 490 | if (rdnt == NULL) |
| 491 | goto fail0; |
| 492 | retcode = PyList_Append(dn, rdnt); |
| 493 | Py_DECREF(rdnt); |
| 494 | if (retcode < 0) |
| 495 | goto fail0; |
| 496 | /* create new RDN */ |
| 497 | rdn = PyList_New(0); |
| 498 | if (rdn == NULL) |
| 499 | goto fail0; |
| 500 | } |
| 501 | } |
| 502 | rdn_level = entry->set; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 503 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 504 | /* now add this attribute to the current RDN */ |
| 505 | name = X509_NAME_ENTRY_get_object(entry); |
| 506 | value = X509_NAME_ENTRY_get_data(entry); |
| 507 | attr = _create_tuple_for_attribute(name, value); |
| 508 | /* |
| 509 | fprintf(stderr, "RDN level %d, attribute %s: %s\n", |
| 510 | entry->set, |
| 511 | PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 0)), |
| 512 | PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 1))); |
| 513 | */ |
| 514 | if (attr == NULL) |
| 515 | goto fail1; |
| 516 | retcode = PyList_Append(rdn, attr); |
| 517 | Py_DECREF(attr); |
| 518 | if (retcode < 0) |
| 519 | goto fail1; |
| 520 | } |
| 521 | /* now, there's typically a dangling RDN */ |
Antoine Pitrou | 2f5a163 | 2012-02-15 22:25:27 +0100 | [diff] [blame] | 522 | if (rdn != NULL) { |
| 523 | if (PyList_GET_SIZE(rdn) > 0) { |
| 524 | rdnt = PyList_AsTuple(rdn); |
| 525 | Py_DECREF(rdn); |
| 526 | if (rdnt == NULL) |
| 527 | goto fail0; |
| 528 | retcode = PyList_Append(dn, rdnt); |
| 529 | Py_DECREF(rdnt); |
| 530 | if (retcode < 0) |
| 531 | goto fail0; |
| 532 | } |
| 533 | else { |
| 534 | Py_DECREF(rdn); |
| 535 | } |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 536 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 537 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 538 | /* convert list to tuple */ |
| 539 | rdnt = PyList_AsTuple(dn); |
| 540 | Py_DECREF(dn); |
| 541 | if (rdnt == NULL) |
| 542 | return NULL; |
| 543 | return rdnt; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 544 | |
| 545 | fail1: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 546 | Py_XDECREF(rdn); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 547 | |
| 548 | fail0: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 549 | Py_XDECREF(dn); |
| 550 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 551 | } |
| 552 | |
| 553 | static PyObject * |
| 554 | _get_peer_alt_names (X509 *certificate) { |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 555 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 556 | /* this code follows the procedure outlined in |
| 557 | OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print() |
| 558 | function to extract the STACK_OF(GENERAL_NAME), |
| 559 | then iterates through the stack to add the |
| 560 | names. */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 561 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 562 | int i, j; |
| 563 | PyObject *peer_alt_names = Py_None; |
| 564 | PyObject *v, *t; |
| 565 | X509_EXTENSION *ext = NULL; |
| 566 | GENERAL_NAMES *names = NULL; |
| 567 | GENERAL_NAME *name; |
Benjamin Peterson | eb1410f | 2010-10-13 22:06:39 +0000 | [diff] [blame] | 568 | const X509V3_EXT_METHOD *method; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 569 | BIO *biobuf = NULL; |
| 570 | char buf[2048]; |
| 571 | char *vptr; |
| 572 | int len; |
| 573 | /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */ |
Victor Stinner | 7124a41 | 2010-03-02 22:48:17 +0000 | [diff] [blame] | 574 | #if OPENSSL_VERSION_NUMBER >= 0x009060dfL |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 575 | const unsigned char *p; |
Victor Stinner | 7124a41 | 2010-03-02 22:48:17 +0000 | [diff] [blame] | 576 | #else |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 577 | unsigned char *p; |
Victor Stinner | 7124a41 | 2010-03-02 22:48:17 +0000 | [diff] [blame] | 578 | #endif |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 579 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 580 | if (certificate == NULL) |
| 581 | return peer_alt_names; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 582 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 583 | /* get a memory buffer */ |
| 584 | biobuf = BIO_new(BIO_s_mem()); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 585 | |
Antoine Pitrou | d8c347a | 2011-10-01 19:20:25 +0200 | [diff] [blame] | 586 | i = -1; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 587 | while ((i = X509_get_ext_by_NID( |
| 588 | certificate, NID_subject_alt_name, i)) >= 0) { |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 589 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 590 | if (peer_alt_names == Py_None) { |
| 591 | peer_alt_names = PyList_New(0); |
| 592 | if (peer_alt_names == NULL) |
| 593 | goto fail; |
| 594 | } |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 595 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 596 | /* now decode the altName */ |
| 597 | ext = X509_get_ext(certificate, i); |
| 598 | if(!(method = X509V3_EXT_get(ext))) { |
| 599 | PyErr_SetString |
| 600 | (PySSLErrorObject, |
| 601 | ERRSTR("No method for internalizing subjectAltName!")); |
| 602 | goto fail; |
| 603 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 604 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 605 | p = ext->value->data; |
| 606 | if (method->it) |
| 607 | names = (GENERAL_NAMES*) |
| 608 | (ASN1_item_d2i(NULL, |
| 609 | &p, |
| 610 | ext->value->length, |
| 611 | ASN1_ITEM_ptr(method->it))); |
| 612 | else |
| 613 | names = (GENERAL_NAMES*) |
| 614 | (method->d2i(NULL, |
| 615 | &p, |
| 616 | ext->value->length)); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 617 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 618 | for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 619 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 620 | /* get a rendering of each name in the set of names */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 621 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 622 | name = sk_GENERAL_NAME_value(names, j); |
| 623 | if (name->type == GEN_DIRNAME) { |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 624 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 625 | /* we special-case DirName as a tuple of |
| 626 | tuples of attributes */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 627 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 628 | t = PyTuple_New(2); |
| 629 | if (t == NULL) { |
| 630 | goto fail; |
| 631 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 632 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 633 | v = PyUnicode_FromString("DirName"); |
| 634 | if (v == NULL) { |
| 635 | Py_DECREF(t); |
| 636 | goto fail; |
| 637 | } |
| 638 | PyTuple_SET_ITEM(t, 0, v); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 639 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 640 | v = _create_tuple_for_X509_NAME (name->d.dirn); |
| 641 | if (v == NULL) { |
| 642 | Py_DECREF(t); |
| 643 | goto fail; |
| 644 | } |
| 645 | PyTuple_SET_ITEM(t, 1, v); |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 646 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 647 | } else { |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 648 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 649 | /* for everything else, we use the OpenSSL print form */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 650 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 651 | (void) BIO_reset(biobuf); |
| 652 | GENERAL_NAME_print(biobuf, name); |
| 653 | len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
| 654 | if (len < 0) { |
| 655 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 656 | goto fail; |
| 657 | } |
| 658 | vptr = strchr(buf, ':'); |
| 659 | if (vptr == NULL) |
| 660 | goto fail; |
| 661 | t = PyTuple_New(2); |
| 662 | if (t == NULL) |
| 663 | goto fail; |
| 664 | v = PyUnicode_FromStringAndSize(buf, (vptr - buf)); |
| 665 | if (v == NULL) { |
| 666 | Py_DECREF(t); |
| 667 | goto fail; |
| 668 | } |
| 669 | PyTuple_SET_ITEM(t, 0, v); |
| 670 | v = PyUnicode_FromStringAndSize((vptr + 1), |
| 671 | (len - (vptr - buf + 1))); |
| 672 | if (v == NULL) { |
| 673 | Py_DECREF(t); |
| 674 | goto fail; |
| 675 | } |
| 676 | PyTuple_SET_ITEM(t, 1, v); |
| 677 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 678 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 679 | /* and add that rendering to the list */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 680 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 681 | if (PyList_Append(peer_alt_names, t) < 0) { |
| 682 | Py_DECREF(t); |
| 683 | goto fail; |
| 684 | } |
| 685 | Py_DECREF(t); |
| 686 | } |
Antoine Pitrou | 116d6b9 | 2011-11-23 01:39:19 +0100 | [diff] [blame] | 687 | sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 688 | } |
| 689 | BIO_free(biobuf); |
| 690 | if (peer_alt_names != Py_None) { |
| 691 | v = PyList_AsTuple(peer_alt_names); |
| 692 | Py_DECREF(peer_alt_names); |
| 693 | return v; |
| 694 | } else { |
| 695 | return peer_alt_names; |
| 696 | } |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 697 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 698 | |
| 699 | fail: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 700 | if (biobuf != NULL) |
| 701 | BIO_free(biobuf); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 702 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 703 | if (peer_alt_names != Py_None) { |
| 704 | Py_XDECREF(peer_alt_names); |
| 705 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 706 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 707 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 708 | } |
| 709 | |
| 710 | static PyObject * |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 711 | _decode_certificate(X509 *certificate) { |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 712 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 713 | PyObject *retval = NULL; |
| 714 | BIO *biobuf = NULL; |
| 715 | PyObject *peer; |
| 716 | PyObject *peer_alt_names = NULL; |
| 717 | PyObject *issuer; |
| 718 | PyObject *version; |
| 719 | PyObject *sn_obj; |
| 720 | ASN1_INTEGER *serialNumber; |
| 721 | char buf[2048]; |
| 722 | int len; |
| 723 | ASN1_TIME *notBefore, *notAfter; |
| 724 | PyObject *pnotBefore, *pnotAfter; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 725 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 726 | retval = PyDict_New(); |
| 727 | if (retval == NULL) |
| 728 | return NULL; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 729 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 730 | peer = _create_tuple_for_X509_NAME( |
| 731 | X509_get_subject_name(certificate)); |
| 732 | if (peer == NULL) |
| 733 | goto fail0; |
| 734 | if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) { |
| 735 | Py_DECREF(peer); |
| 736 | goto fail0; |
| 737 | } |
| 738 | Py_DECREF(peer); |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 739 | |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 740 | issuer = _create_tuple_for_X509_NAME( |
| 741 | X509_get_issuer_name(certificate)); |
| 742 | if (issuer == NULL) |
| 743 | goto fail0; |
| 744 | if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 745 | Py_DECREF(issuer); |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 746 | goto fail0; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 747 | } |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 748 | Py_DECREF(issuer); |
| 749 | |
| 750 | version = PyLong_FromLong(X509_get_version(certificate) + 1); |
| 751 | if (PyDict_SetItemString(retval, "version", version) < 0) { |
| 752 | Py_DECREF(version); |
| 753 | goto fail0; |
| 754 | } |
| 755 | Py_DECREF(version); |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 756 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 757 | /* get a memory buffer */ |
| 758 | biobuf = BIO_new(BIO_s_mem()); |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 759 | |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 760 | (void) BIO_reset(biobuf); |
| 761 | serialNumber = X509_get_serialNumber(certificate); |
| 762 | /* should not exceed 20 octets, 160 bits, so buf is big enough */ |
| 763 | i2a_ASN1_INTEGER(biobuf, serialNumber); |
| 764 | len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
| 765 | if (len < 0) { |
| 766 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 767 | goto fail1; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 768 | } |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 769 | sn_obj = PyUnicode_FromStringAndSize(buf, len); |
| 770 | if (sn_obj == NULL) |
| 771 | goto fail1; |
| 772 | if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) { |
| 773 | Py_DECREF(sn_obj); |
| 774 | goto fail1; |
| 775 | } |
| 776 | Py_DECREF(sn_obj); |
| 777 | |
| 778 | (void) BIO_reset(biobuf); |
| 779 | notBefore = X509_get_notBefore(certificate); |
| 780 | ASN1_TIME_print(biobuf, notBefore); |
| 781 | len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
| 782 | if (len < 0) { |
| 783 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 784 | goto fail1; |
| 785 | } |
| 786 | pnotBefore = PyUnicode_FromStringAndSize(buf, len); |
| 787 | if (pnotBefore == NULL) |
| 788 | goto fail1; |
| 789 | if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) { |
| 790 | Py_DECREF(pnotBefore); |
| 791 | goto fail1; |
| 792 | } |
| 793 | Py_DECREF(pnotBefore); |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 794 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 795 | (void) BIO_reset(biobuf); |
| 796 | notAfter = X509_get_notAfter(certificate); |
| 797 | ASN1_TIME_print(biobuf, notAfter); |
| 798 | len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
| 799 | if (len < 0) { |
| 800 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 801 | goto fail1; |
| 802 | } |
| 803 | pnotAfter = PyUnicode_FromStringAndSize(buf, len); |
| 804 | if (pnotAfter == NULL) |
| 805 | goto fail1; |
| 806 | if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) { |
| 807 | Py_DECREF(pnotAfter); |
| 808 | goto fail1; |
| 809 | } |
| 810 | Py_DECREF(pnotAfter); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 811 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 812 | /* Now look for subjectAltName */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 813 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 814 | peer_alt_names = _get_peer_alt_names(certificate); |
| 815 | if (peer_alt_names == NULL) |
| 816 | goto fail1; |
| 817 | else if (peer_alt_names != Py_None) { |
| 818 | if (PyDict_SetItemString(retval, "subjectAltName", |
| 819 | peer_alt_names) < 0) { |
| 820 | Py_DECREF(peer_alt_names); |
| 821 | goto fail1; |
| 822 | } |
| 823 | Py_DECREF(peer_alt_names); |
| 824 | } |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 825 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 826 | BIO_free(biobuf); |
| 827 | return retval; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 828 | |
| 829 | fail1: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 830 | if (biobuf != NULL) |
| 831 | BIO_free(biobuf); |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 832 | fail0: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 833 | Py_XDECREF(retval); |
| 834 | return NULL; |
Thomas Wouters | ed03b41 | 2007-08-28 21:37:11 +0000 | [diff] [blame] | 835 | } |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 836 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 837 | |
| 838 | static PyObject * |
| 839 | PySSL_test_decode_certificate (PyObject *mod, PyObject *args) { |
| 840 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 841 | PyObject *retval = NULL; |
Victor Stinner | 3800e1e | 2010-05-16 21:23:48 +0000 | [diff] [blame] | 842 | PyObject *filename; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 843 | X509 *x=NULL; |
| 844 | BIO *cert; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 845 | |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 846 | if (!PyArg_ParseTuple(args, "O&:test_decode_certificate", |
| 847 | PyUnicode_FSConverter, &filename)) |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 848 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 849 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 850 | if ((cert=BIO_new(BIO_s_file())) == NULL) { |
| 851 | PyErr_SetString(PySSLErrorObject, |
| 852 | "Can't malloc memory to read file"); |
| 853 | goto fail0; |
| 854 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 855 | |
Victor Stinner | 3800e1e | 2010-05-16 21:23:48 +0000 | [diff] [blame] | 856 | if (BIO_read_filename(cert, PyBytes_AsString(filename)) <= 0) { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 857 | PyErr_SetString(PySSLErrorObject, |
| 858 | "Can't open file"); |
| 859 | goto fail0; |
| 860 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 861 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 862 | x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); |
| 863 | if (x == NULL) { |
| 864 | PyErr_SetString(PySSLErrorObject, |
| 865 | "Error decoding PEM-encoded file"); |
| 866 | goto fail0; |
| 867 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 868 | |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 869 | retval = _decode_certificate(x); |
Mark Dickinson | ee55df5 | 2010-08-03 18:31:54 +0000 | [diff] [blame] | 870 | X509_free(x); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 871 | |
| 872 | fail0: |
Victor Stinner | 3800e1e | 2010-05-16 21:23:48 +0000 | [diff] [blame] | 873 | Py_DECREF(filename); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 874 | if (cert != NULL) BIO_free(cert); |
| 875 | return retval; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 876 | } |
| 877 | |
| 878 | |
| 879 | static PyObject * |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 880 | PySSL_peercert(PySSLSocket *self, PyObject *args) |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 881 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 882 | PyObject *retval = NULL; |
| 883 | int len; |
| 884 | int verification; |
| 885 | PyObject *binary_mode = Py_None; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 886 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 887 | if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode)) |
| 888 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 889 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 890 | if (!self->peer_cert) |
| 891 | Py_RETURN_NONE; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 892 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 893 | if (PyObject_IsTrue(binary_mode)) { |
| 894 | /* return cert in DER-encoded format */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 895 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 896 | unsigned char *bytes_buf = NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 897 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 898 | bytes_buf = NULL; |
| 899 | len = i2d_X509(self->peer_cert, &bytes_buf); |
| 900 | if (len < 0) { |
| 901 | PySSL_SetError(self, len, __FILE__, __LINE__); |
| 902 | return NULL; |
| 903 | } |
| 904 | /* this is actually an immutable bytes sequence */ |
| 905 | retval = PyBytes_FromStringAndSize |
| 906 | ((const char *) bytes_buf, len); |
| 907 | OPENSSL_free(bytes_buf); |
| 908 | return retval; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 909 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 910 | } else { |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 911 | verification = SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(self->ssl)); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 912 | if ((verification & SSL_VERIFY_PEER) == 0) |
| 913 | return PyDict_New(); |
| 914 | else |
Antoine Pitrou | fb04691 | 2010-11-09 20:21:19 +0000 | [diff] [blame] | 915 | return _decode_certificate(self->peer_cert); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 916 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 917 | } |
| 918 | |
| 919 | PyDoc_STRVAR(PySSL_peercert_doc, |
| 920 | "peer_certificate([der=False]) -> certificate\n\ |
| 921 | \n\ |
| 922 | Returns the certificate for the peer. If no certificate was provided,\n\ |
| 923 | returns None. If a certificate was provided, but not validated, returns\n\ |
| 924 | an empty dictionary. Otherwise returns a dict containing information\n\ |
| 925 | about the peer certificate.\n\ |
| 926 | \n\ |
| 927 | If the optional argument is True, returns a DER-encoded copy of the\n\ |
| 928 | peer certificate, or None if no certificate was provided. This will\n\ |
| 929 | return the certificate even if it wasn't validated."); |
| 930 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 931 | static PyObject *PySSL_cipher (PySSLSocket *self) { |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 932 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 933 | PyObject *retval, *v; |
Benjamin Peterson | eb1410f | 2010-10-13 22:06:39 +0000 | [diff] [blame] | 934 | const SSL_CIPHER *current; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 935 | char *cipher_name; |
| 936 | char *cipher_protocol; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 937 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 938 | if (self->ssl == NULL) |
Hirokazu Yamamoto | 524f103 | 2010-12-09 10:49:00 +0000 | [diff] [blame] | 939 | Py_RETURN_NONE; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 940 | current = SSL_get_current_cipher(self->ssl); |
| 941 | if (current == NULL) |
Hirokazu Yamamoto | 524f103 | 2010-12-09 10:49:00 +0000 | [diff] [blame] | 942 | Py_RETURN_NONE; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 943 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 944 | retval = PyTuple_New(3); |
| 945 | if (retval == NULL) |
| 946 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 947 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 948 | cipher_name = (char *) SSL_CIPHER_get_name(current); |
| 949 | if (cipher_name == NULL) { |
Hirokazu Yamamoto | 524f103 | 2010-12-09 10:49:00 +0000 | [diff] [blame] | 950 | Py_INCREF(Py_None); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 951 | PyTuple_SET_ITEM(retval, 0, Py_None); |
| 952 | } else { |
| 953 | v = PyUnicode_FromString(cipher_name); |
| 954 | if (v == NULL) |
| 955 | goto fail0; |
| 956 | PyTuple_SET_ITEM(retval, 0, v); |
| 957 | } |
| 958 | cipher_protocol = SSL_CIPHER_get_version(current); |
| 959 | if (cipher_protocol == NULL) { |
Hirokazu Yamamoto | 524f103 | 2010-12-09 10:49:00 +0000 | [diff] [blame] | 960 | Py_INCREF(Py_None); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 961 | PyTuple_SET_ITEM(retval, 1, Py_None); |
| 962 | } else { |
| 963 | v = PyUnicode_FromString(cipher_protocol); |
| 964 | if (v == NULL) |
| 965 | goto fail0; |
| 966 | PyTuple_SET_ITEM(retval, 1, v); |
| 967 | } |
| 968 | v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL)); |
| 969 | if (v == NULL) |
| 970 | goto fail0; |
| 971 | PyTuple_SET_ITEM(retval, 2, v); |
| 972 | return retval; |
Guido van Rossum | f06628b | 2007-11-21 20:01:53 +0000 | [diff] [blame] | 973 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 974 | fail0: |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 975 | Py_DECREF(retval); |
| 976 | return NULL; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 977 | } |
| 978 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 979 | static void PySSL_dealloc(PySSLSocket *self) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 980 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 981 | if (self->peer_cert) /* Possible not to have one? */ |
| 982 | X509_free (self->peer_cert); |
| 983 | if (self->ssl) |
| 984 | SSL_free(self->ssl); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 985 | Py_XDECREF(self->Socket); |
| 986 | PyObject_Del(self); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 987 | } |
| 988 | |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 989 | /* If the socket has a timeout, do a select()/poll() on the socket. |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 990 | The argument writing indicates the direction. |
Andrew M. Kuchling | 9c3efe3 | 2004-07-10 21:15:17 +0000 | [diff] [blame] | 991 | Returns one of the possibilities in the timeout_state enum (above). |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 992 | */ |
Andrew M. Kuchling | 9c3efe3 | 2004-07-10 21:15:17 +0000 | [diff] [blame] | 993 | |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 994 | static int |
Andrew M. Kuchling | 9c3efe3 | 2004-07-10 21:15:17 +0000 | [diff] [blame] | 995 | check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing) |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 996 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 997 | fd_set fds; |
| 998 | struct timeval tv; |
| 999 | int rc; |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 1000 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1001 | /* Nothing to do unless we're in timeout mode (not non-blocking) */ |
| 1002 | if (s->sock_timeout < 0.0) |
| 1003 | return SOCKET_IS_BLOCKING; |
| 1004 | else if (s->sock_timeout == 0.0) |
| 1005 | return SOCKET_IS_NONBLOCKING; |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 1006 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1007 | /* Guard against closed socket */ |
| 1008 | if (s->sock_fd < 0) |
| 1009 | return SOCKET_HAS_BEEN_CLOSED; |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 1010 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1011 | /* Prefer poll, if available, since you can poll() any fd |
| 1012 | * which can't be done with select(). */ |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 1013 | #ifdef HAVE_POLL |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1014 | { |
| 1015 | struct pollfd pollfd; |
| 1016 | int timeout; |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 1017 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1018 | pollfd.fd = s->sock_fd; |
| 1019 | pollfd.events = writing ? POLLOUT : POLLIN; |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 1020 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1021 | /* s->sock_timeout is in seconds, timeout in ms */ |
| 1022 | timeout = (int)(s->sock_timeout * 1000 + 0.5); |
| 1023 | PySSL_BEGIN_ALLOW_THREADS |
| 1024 | rc = poll(&pollfd, 1, timeout); |
| 1025 | PySSL_END_ALLOW_THREADS |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 1026 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1027 | goto normal_return; |
| 1028 | } |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 1029 | #endif |
| 1030 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1031 | /* Guard against socket too large for select*/ |
Charles-François Natali | aa26b27 | 2011-08-28 17:51:43 +0200 | [diff] [blame] | 1032 | if (!_PyIsSelectable_fd(s->sock_fd)) |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1033 | return SOCKET_TOO_LARGE_FOR_SELECT; |
Neal Norwitz | 082b2df | 2006-02-07 07:04:46 +0000 | [diff] [blame] | 1034 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1035 | /* Construct the arguments to select */ |
| 1036 | tv.tv_sec = (int)s->sock_timeout; |
| 1037 | tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6); |
| 1038 | FD_ZERO(&fds); |
| 1039 | FD_SET(s->sock_fd, &fds); |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 1040 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1041 | /* See if the socket is ready */ |
| 1042 | PySSL_BEGIN_ALLOW_THREADS |
| 1043 | if (writing) |
| 1044 | rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv); |
| 1045 | else |
| 1046 | rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv); |
| 1047 | PySSL_END_ALLOW_THREADS |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 1048 | |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1049 | #ifdef HAVE_POLL |
Thomas Wouters | 0e3f591 | 2006-08-11 14:57:12 +0000 | [diff] [blame] | 1050 | normal_return: |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1051 | #endif |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1052 | /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise |
| 1053 | (when we are able to write or when there's something to read) */ |
| 1054 | return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK; |
Guido van Rossum | 99d4abf | 2003-01-27 22:22:50 +0000 | [diff] [blame] | 1055 | } |
| 1056 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1057 | static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1058 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1059 | Py_buffer buf; |
| 1060 | int len; |
| 1061 | int sockstate; |
| 1062 | int err; |
| 1063 | int nonblocking; |
| 1064 | PySocketSockObject *sock |
| 1065 | = (PySocketSockObject *) PyWeakref_GetObject(self->Socket); |
Bill Janssen | 54cc54c | 2007-12-14 22:08:56 +0000 | [diff] [blame] | 1066 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1067 | if (((PyObject*)sock) == Py_None) { |
| 1068 | _setSSLError("Underlying socket connection gone", |
| 1069 | PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__); |
| 1070 | return NULL; |
| 1071 | } |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1072 | Py_INCREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1073 | |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1074 | if (!PyArg_ParseTuple(args, "y*:write", &buf)) { |
| 1075 | Py_DECREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1076 | return NULL; |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1077 | } |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1078 | |
| 1079 | /* just in case the blocking state of the socket has been changed */ |
| 1080 | nonblocking = (sock->sock_timeout >= 0.0); |
| 1081 | BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); |
| 1082 | BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); |
| 1083 | |
| 1084 | sockstate = check_socket_and_wait_for_timeout(sock, 1); |
| 1085 | if (sockstate == SOCKET_HAS_TIMED_OUT) { |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 1086 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1087 | "The write operation timed out"); |
| 1088 | goto error; |
| 1089 | } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
| 1090 | PyErr_SetString(PySSLErrorObject, |
| 1091 | "Underlying socket has been closed."); |
| 1092 | goto error; |
| 1093 | } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
| 1094 | PyErr_SetString(PySSLErrorObject, |
| 1095 | "Underlying socket too large for select()."); |
| 1096 | goto error; |
| 1097 | } |
| 1098 | do { |
| 1099 | err = 0; |
| 1100 | PySSL_BEGIN_ALLOW_THREADS |
| 1101 | len = SSL_write(self->ssl, buf.buf, buf.len); |
| 1102 | err = SSL_get_error(self->ssl, len); |
| 1103 | PySSL_END_ALLOW_THREADS |
| 1104 | if (PyErr_CheckSignals()) { |
| 1105 | goto error; |
Bill Janssen | 54cc54c | 2007-12-14 22:08:56 +0000 | [diff] [blame] | 1106 | } |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1107 | if (err == SSL_ERROR_WANT_READ) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1108 | sockstate = check_socket_and_wait_for_timeout(sock, 0); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1109 | } else if (err == SSL_ERROR_WANT_WRITE) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1110 | sockstate = check_socket_and_wait_for_timeout(sock, 1); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1111 | } else { |
| 1112 | sockstate = SOCKET_OPERATION_OK; |
| 1113 | } |
| 1114 | if (sockstate == SOCKET_HAS_TIMED_OUT) { |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 1115 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1116 | "The write operation timed out"); |
| 1117 | goto error; |
| 1118 | } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
| 1119 | PyErr_SetString(PySSLErrorObject, |
| 1120 | "Underlying socket has been closed."); |
| 1121 | goto error; |
| 1122 | } else if (sockstate == SOCKET_IS_NONBLOCKING) { |
| 1123 | break; |
| 1124 | } |
| 1125 | } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1126 | |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1127 | Py_DECREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1128 | PyBuffer_Release(&buf); |
| 1129 | if (len > 0) |
| 1130 | return PyLong_FromLong(len); |
| 1131 | else |
| 1132 | return PySSL_SetError(self, len, __FILE__, __LINE__); |
Antoine Pitrou | 7d7aede | 2009-11-25 18:55:32 +0000 | [diff] [blame] | 1133 | |
| 1134 | error: |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1135 | Py_DECREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1136 | PyBuffer_Release(&buf); |
| 1137 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1138 | } |
| 1139 | |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1140 | PyDoc_STRVAR(PySSL_SSLwrite_doc, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1141 | "write(s) -> len\n\ |
| 1142 | \n\ |
| 1143 | Writes the string s into the SSL object. Returns the number\n\ |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1144 | of bytes written."); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1145 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1146 | static PyObject *PySSL_SSLpending(PySSLSocket *self) |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1147 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1148 | int count = 0; |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1149 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1150 | PySSL_BEGIN_ALLOW_THREADS |
| 1151 | count = SSL_pending(self->ssl); |
| 1152 | PySSL_END_ALLOW_THREADS |
| 1153 | if (count < 0) |
| 1154 | return PySSL_SetError(self, count, __FILE__, __LINE__); |
| 1155 | else |
| 1156 | return PyLong_FromLong(count); |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1157 | } |
| 1158 | |
| 1159 | PyDoc_STRVAR(PySSL_SSLpending_doc, |
| 1160 | "pending() -> count\n\ |
| 1161 | \n\ |
| 1162 | Returns the number of already decrypted bytes available for read,\n\ |
| 1163 | pending on the connection.\n"); |
| 1164 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1165 | static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1166 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1167 | PyObject *dest = NULL; |
| 1168 | Py_buffer buf; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1169 | char *mem; |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1170 | int len, count; |
| 1171 | int buf_passed = 0; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1172 | int sockstate; |
| 1173 | int err; |
| 1174 | int nonblocking; |
| 1175 | PySocketSockObject *sock |
| 1176 | = (PySocketSockObject *) PyWeakref_GetObject(self->Socket); |
Bill Janssen | 54cc54c | 2007-12-14 22:08:56 +0000 | [diff] [blame] | 1177 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1178 | if (((PyObject*)sock) == Py_None) { |
| 1179 | _setSSLError("Underlying socket connection gone", |
| 1180 | PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__); |
| 1181 | return NULL; |
| 1182 | } |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1183 | Py_INCREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1184 | |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1185 | buf.obj = NULL; |
| 1186 | buf.buf = NULL; |
| 1187 | if (!PyArg_ParseTuple(args, "i|w*:read", &len, &buf)) |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1188 | goto error; |
| 1189 | |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1190 | if ((buf.buf == NULL) && (buf.obj == NULL)) { |
| 1191 | dest = PyBytes_FromStringAndSize(NULL, len); |
| 1192 | if (dest == NULL) |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1193 | goto error; |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1194 | mem = PyBytes_AS_STRING(dest); |
| 1195 | } |
| 1196 | else { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1197 | buf_passed = 1; |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1198 | mem = buf.buf; |
| 1199 | if (len <= 0 || len > buf.len) { |
| 1200 | len = (int) buf.len; |
| 1201 | if (buf.len != len) { |
| 1202 | PyErr_SetString(PyExc_OverflowError, |
| 1203 | "maximum length can't fit in a C 'int'"); |
| 1204 | goto error; |
| 1205 | } |
| 1206 | } |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1207 | } |
| 1208 | |
| 1209 | /* just in case the blocking state of the socket has been changed */ |
| 1210 | nonblocking = (sock->sock_timeout >= 0.0); |
| 1211 | BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); |
| 1212 | BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); |
| 1213 | |
| 1214 | /* first check if there are bytes ready to be read */ |
| 1215 | PySSL_BEGIN_ALLOW_THREADS |
| 1216 | count = SSL_pending(self->ssl); |
| 1217 | PySSL_END_ALLOW_THREADS |
| 1218 | |
| 1219 | if (!count) { |
| 1220 | sockstate = check_socket_and_wait_for_timeout(sock, 0); |
| 1221 | if (sockstate == SOCKET_HAS_TIMED_OUT) { |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 1222 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1223 | "The read operation timed out"); |
| 1224 | goto error; |
| 1225 | } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
| 1226 | PyErr_SetString(PySSLErrorObject, |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1227 | "Underlying socket too large for select()."); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1228 | goto error; |
| 1229 | } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
| 1230 | count = 0; |
| 1231 | goto done; |
Bill Janssen | 54cc54c | 2007-12-14 22:08:56 +0000 | [diff] [blame] | 1232 | } |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1233 | } |
| 1234 | do { |
| 1235 | err = 0; |
| 1236 | PySSL_BEGIN_ALLOW_THREADS |
| 1237 | count = SSL_read(self->ssl, mem, len); |
| 1238 | err = SSL_get_error(self->ssl, count); |
| 1239 | PySSL_END_ALLOW_THREADS |
| 1240 | if (PyErr_CheckSignals()) |
| 1241 | goto error; |
| 1242 | if (err == SSL_ERROR_WANT_READ) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1243 | sockstate = check_socket_and_wait_for_timeout(sock, 0); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1244 | } else if (err == SSL_ERROR_WANT_WRITE) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1245 | sockstate = check_socket_and_wait_for_timeout(sock, 1); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1246 | } else if ((err == SSL_ERROR_ZERO_RETURN) && |
| 1247 | (SSL_get_shutdown(self->ssl) == |
| 1248 | SSL_RECEIVED_SHUTDOWN)) |
| 1249 | { |
| 1250 | count = 0; |
| 1251 | goto done; |
| 1252 | } else { |
| 1253 | sockstate = SOCKET_OPERATION_OK; |
| 1254 | } |
| 1255 | if (sockstate == SOCKET_HAS_TIMED_OUT) { |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 1256 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1257 | "The read operation timed out"); |
| 1258 | goto error; |
| 1259 | } else if (sockstate == SOCKET_IS_NONBLOCKING) { |
| 1260 | break; |
| 1261 | } |
| 1262 | } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); |
| 1263 | if (count <= 0) { |
| 1264 | PySSL_SetError(self, count, __FILE__, __LINE__); |
| 1265 | goto error; |
| 1266 | } |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1267 | |
| 1268 | done: |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1269 | Py_DECREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1270 | if (!buf_passed) { |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1271 | _PyBytes_Resize(&dest, count); |
| 1272 | return dest; |
| 1273 | } |
| 1274 | else { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1275 | PyBuffer_Release(&buf); |
| 1276 | return PyLong_FromLong(count); |
| 1277 | } |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1278 | |
| 1279 | error: |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1280 | Py_DECREF(sock); |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1281 | if (!buf_passed) |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1282 | Py_XDECREF(dest); |
Antoine Pitrou | 24e561a | 2010-09-03 18:38:17 +0000 | [diff] [blame] | 1283 | else |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1284 | PyBuffer_Release(&buf); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1285 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1286 | } |
| 1287 | |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1288 | PyDoc_STRVAR(PySSL_SSLread_doc, |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1289 | "read([len]) -> string\n\ |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1290 | \n\ |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1291 | Read up to len bytes from the SSL socket."); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1292 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1293 | static PyObject *PySSL_SSLshutdown(PySSLSocket *self) |
Bill Janssen | 40a0f66 | 2008-08-12 16:56:25 +0000 | [diff] [blame] | 1294 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1295 | int err, ssl_err, sockstate, nonblocking; |
| 1296 | int zeros = 0; |
| 1297 | PySocketSockObject *sock |
| 1298 | = (PySocketSockObject *) PyWeakref_GetObject(self->Socket); |
Bill Janssen | 40a0f66 | 2008-08-12 16:56:25 +0000 | [diff] [blame] | 1299 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1300 | /* Guard against closed socket */ |
| 1301 | if ((((PyObject*)sock) == Py_None) || (sock->sock_fd < 0)) { |
| 1302 | _setSSLError("Underlying socket connection gone", |
| 1303 | PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__); |
| 1304 | return NULL; |
| 1305 | } |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1306 | Py_INCREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1307 | |
| 1308 | /* Just in case the blocking state of the socket has been changed */ |
| 1309 | nonblocking = (sock->sock_timeout >= 0.0); |
| 1310 | BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); |
| 1311 | BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); |
| 1312 | |
| 1313 | while (1) { |
| 1314 | PySSL_BEGIN_ALLOW_THREADS |
| 1315 | /* Disable read-ahead so that unwrap can work correctly. |
| 1316 | * Otherwise OpenSSL might read in too much data, |
| 1317 | * eating clear text data that happens to be |
| 1318 | * transmitted after the SSL shutdown. |
| 1319 | * Should be safe to call repeatedly everytime this |
| 1320 | * function is used and the shutdown_seen_zero != 0 |
| 1321 | * condition is met. |
| 1322 | */ |
| 1323 | if (self->shutdown_seen_zero) |
| 1324 | SSL_set_read_ahead(self->ssl, 0); |
| 1325 | err = SSL_shutdown(self->ssl); |
| 1326 | PySSL_END_ALLOW_THREADS |
| 1327 | /* If err == 1, a secure shutdown with SSL_shutdown() is complete */ |
| 1328 | if (err > 0) |
| 1329 | break; |
| 1330 | if (err == 0) { |
| 1331 | /* Don't loop endlessly; instead preserve legacy |
| 1332 | behaviour of trying SSL_shutdown() only twice. |
| 1333 | This looks necessary for OpenSSL < 0.9.8m */ |
| 1334 | if (++zeros > 1) |
| 1335 | break; |
| 1336 | /* Shutdown was sent, now try receiving */ |
| 1337 | self->shutdown_seen_zero = 1; |
| 1338 | continue; |
Bill Janssen | 40a0f66 | 2008-08-12 16:56:25 +0000 | [diff] [blame] | 1339 | } |
| 1340 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1341 | /* Possibly retry shutdown until timeout or failure */ |
| 1342 | ssl_err = SSL_get_error(self->ssl, err); |
| 1343 | if (ssl_err == SSL_ERROR_WANT_READ) |
| 1344 | sockstate = check_socket_and_wait_for_timeout(sock, 0); |
| 1345 | else if (ssl_err == SSL_ERROR_WANT_WRITE) |
| 1346 | sockstate = check_socket_and_wait_for_timeout(sock, 1); |
| 1347 | else |
| 1348 | break; |
| 1349 | if (sockstate == SOCKET_HAS_TIMED_OUT) { |
| 1350 | if (ssl_err == SSL_ERROR_WANT_READ) |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 1351 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1352 | "The read operation timed out"); |
| 1353 | else |
Antoine Pitrou | c4df784 | 2010-12-03 19:59:41 +0000 | [diff] [blame] | 1354 | PyErr_SetString(PySocketModule.timeout_error, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1355 | "The write operation timed out"); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1356 | goto error; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1357 | } |
| 1358 | else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
| 1359 | PyErr_SetString(PySSLErrorObject, |
| 1360 | "Underlying socket too large for select()."); |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1361 | goto error; |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1362 | } |
| 1363 | else if (sockstate != SOCKET_OPERATION_OK) |
| 1364 | /* Retain the SSL error code */ |
| 1365 | break; |
| 1366 | } |
Antoine Pitrou | 2c4f98b | 2010-04-23 00:16:21 +0000 | [diff] [blame] | 1367 | |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1368 | if (err < 0) { |
| 1369 | Py_DECREF(sock); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1370 | return PySSL_SetError(self, err, __FILE__, __LINE__); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1371 | } |
Antoine Pitrou | 8bae4ec | 2010-06-24 22:34:04 +0000 | [diff] [blame] | 1372 | else |
| 1373 | /* It's already INCREF'ed */ |
| 1374 | return (PyObject *) sock; |
| 1375 | |
| 1376 | error: |
| 1377 | Py_DECREF(sock); |
| 1378 | return NULL; |
Bill Janssen | 40a0f66 | 2008-08-12 16:56:25 +0000 | [diff] [blame] | 1379 | } |
| 1380 | |
| 1381 | PyDoc_STRVAR(PySSL_SSLshutdown_doc, |
| 1382 | "shutdown(s) -> socket\n\ |
| 1383 | \n\ |
| 1384 | Does the SSL shutdown handshake with the remote end, and returns\n\ |
| 1385 | the underlying socket object."); |
| 1386 | |
| 1387 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1388 | static PyMethodDef PySSLMethods[] = { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1389 | {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS}, |
| 1390 | {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS, |
| 1391 | PySSL_SSLwrite_doc}, |
| 1392 | {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS, |
| 1393 | PySSL_SSLread_doc}, |
| 1394 | {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS, |
| 1395 | PySSL_SSLpending_doc}, |
| 1396 | {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS, |
| 1397 | PySSL_peercert_doc}, |
| 1398 | {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS}, |
| 1399 | {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS, |
| 1400 | PySSL_SSLshutdown_doc}, |
| 1401 | {NULL, NULL} |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1402 | }; |
| 1403 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1404 | static PyTypeObject PySSLSocket_Type = { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1405 | PyVarObject_HEAD_INIT(NULL, 0) |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1406 | "_ssl._SSLSocket", /*tp_name*/ |
| 1407 | sizeof(PySSLSocket), /*tp_basicsize*/ |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1408 | 0, /*tp_itemsize*/ |
| 1409 | /* methods */ |
| 1410 | (destructor)PySSL_dealloc, /*tp_dealloc*/ |
| 1411 | 0, /*tp_print*/ |
| 1412 | 0, /*tp_getattr*/ |
| 1413 | 0, /*tp_setattr*/ |
| 1414 | 0, /*tp_reserved*/ |
| 1415 | 0, /*tp_repr*/ |
| 1416 | 0, /*tp_as_number*/ |
| 1417 | 0, /*tp_as_sequence*/ |
| 1418 | 0, /*tp_as_mapping*/ |
| 1419 | 0, /*tp_hash*/ |
| 1420 | 0, /*tp_call*/ |
| 1421 | 0, /*tp_str*/ |
| 1422 | 0, /*tp_getattro*/ |
| 1423 | 0, /*tp_setattro*/ |
| 1424 | 0, /*tp_as_buffer*/ |
| 1425 | Py_TPFLAGS_DEFAULT, /*tp_flags*/ |
| 1426 | 0, /*tp_doc*/ |
| 1427 | 0, /*tp_traverse*/ |
| 1428 | 0, /*tp_clear*/ |
| 1429 | 0, /*tp_richcompare*/ |
| 1430 | 0, /*tp_weaklistoffset*/ |
| 1431 | 0, /*tp_iter*/ |
| 1432 | 0, /*tp_iternext*/ |
| 1433 | PySSLMethods, /*tp_methods*/ |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1434 | }; |
| 1435 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1436 | |
| 1437 | /* |
| 1438 | * _SSLContext objects |
| 1439 | */ |
| 1440 | |
| 1441 | static PyObject * |
| 1442 | context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) |
| 1443 | { |
| 1444 | char *kwlist[] = {"protocol", NULL}; |
| 1445 | PySSLContext *self; |
| 1446 | int proto_version = PY_SSL_VERSION_SSL23; |
| 1447 | SSL_CTX *ctx = NULL; |
| 1448 | |
| 1449 | if (!PyArg_ParseTupleAndKeywords( |
| 1450 | args, kwds, "i:_SSLContext", kwlist, |
| 1451 | &proto_version)) |
| 1452 | return NULL; |
| 1453 | |
| 1454 | PySSL_BEGIN_ALLOW_THREADS |
| 1455 | if (proto_version == PY_SSL_VERSION_TLS1) |
| 1456 | ctx = SSL_CTX_new(TLSv1_method()); |
| 1457 | else if (proto_version == PY_SSL_VERSION_SSL3) |
| 1458 | ctx = SSL_CTX_new(SSLv3_method()); |
Victor Stinner | 17ca323 | 2011-05-10 00:48:41 +0200 | [diff] [blame] | 1459 | #ifndef OPENSSL_NO_SSL2 |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1460 | else if (proto_version == PY_SSL_VERSION_SSL2) |
| 1461 | ctx = SSL_CTX_new(SSLv2_method()); |
Victor Stinner | 17ca323 | 2011-05-10 00:48:41 +0200 | [diff] [blame] | 1462 | #endif |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1463 | else if (proto_version == PY_SSL_VERSION_SSL23) |
| 1464 | ctx = SSL_CTX_new(SSLv23_method()); |
| 1465 | else |
| 1466 | proto_version = -1; |
| 1467 | PySSL_END_ALLOW_THREADS |
| 1468 | |
| 1469 | if (proto_version == -1) { |
| 1470 | PyErr_SetString(PyExc_ValueError, |
| 1471 | "invalid protocol version"); |
| 1472 | return NULL; |
| 1473 | } |
| 1474 | if (ctx == NULL) { |
| 1475 | PyErr_SetString(PySSLErrorObject, |
| 1476 | "failed to allocate SSL context"); |
| 1477 | return NULL; |
| 1478 | } |
| 1479 | |
| 1480 | assert(type != NULL && type->tp_alloc != NULL); |
| 1481 | self = (PySSLContext *) type->tp_alloc(type, 0); |
| 1482 | if (self == NULL) { |
| 1483 | SSL_CTX_free(ctx); |
| 1484 | return NULL; |
| 1485 | } |
| 1486 | self->ctx = ctx; |
| 1487 | /* Defaults */ |
| 1488 | SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); |
Antoine Pitrou | 3f36631 | 2012-01-27 09:50:45 +0100 | [diff] [blame] | 1489 | SSL_CTX_set_options(self->ctx, |
| 1490 | SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1491 | |
Antoine Pitrou | fc113ee | 2010-10-13 12:46:13 +0000 | [diff] [blame] | 1492 | #define SID_CTX "Python" |
| 1493 | SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, |
| 1494 | sizeof(SID_CTX)); |
| 1495 | #undef SID_CTX |
| 1496 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1497 | return (PyObject *)self; |
| 1498 | } |
| 1499 | |
| 1500 | static void |
| 1501 | context_dealloc(PySSLContext *self) |
| 1502 | { |
| 1503 | SSL_CTX_free(self->ctx); |
| 1504 | Py_TYPE(self)->tp_free(self); |
| 1505 | } |
| 1506 | |
| 1507 | static PyObject * |
| 1508 | set_ciphers(PySSLContext *self, PyObject *args) |
| 1509 | { |
| 1510 | int ret; |
| 1511 | const char *cipherlist; |
| 1512 | |
| 1513 | if (!PyArg_ParseTuple(args, "s:set_ciphers", &cipherlist)) |
| 1514 | return NULL; |
| 1515 | ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist); |
| 1516 | if (ret == 0) { |
Antoine Pitrou | 65ec8ae | 2010-05-16 19:56:32 +0000 | [diff] [blame] | 1517 | /* Clearing the error queue is necessary on some OpenSSL versions, |
| 1518 | otherwise the error will be reported again when another SSL call |
| 1519 | is done. */ |
| 1520 | ERR_clear_error(); |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1521 | PyErr_SetString(PySSLErrorObject, |
| 1522 | "No cipher can be selected."); |
| 1523 | return NULL; |
| 1524 | } |
| 1525 | Py_RETURN_NONE; |
| 1526 | } |
| 1527 | |
| 1528 | static PyObject * |
| 1529 | get_verify_mode(PySSLContext *self, void *c) |
| 1530 | { |
| 1531 | switch (SSL_CTX_get_verify_mode(self->ctx)) { |
| 1532 | case SSL_VERIFY_NONE: |
| 1533 | return PyLong_FromLong(PY_SSL_CERT_NONE); |
| 1534 | case SSL_VERIFY_PEER: |
| 1535 | return PyLong_FromLong(PY_SSL_CERT_OPTIONAL); |
| 1536 | case SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: |
| 1537 | return PyLong_FromLong(PY_SSL_CERT_REQUIRED); |
| 1538 | } |
| 1539 | PyErr_SetString(PySSLErrorObject, |
| 1540 | "invalid return value from SSL_CTX_get_verify_mode"); |
| 1541 | return NULL; |
| 1542 | } |
| 1543 | |
| 1544 | static int |
| 1545 | set_verify_mode(PySSLContext *self, PyObject *arg, void *c) |
| 1546 | { |
| 1547 | int n, mode; |
| 1548 | if (!PyArg_Parse(arg, "i", &n)) |
| 1549 | return -1; |
| 1550 | if (n == PY_SSL_CERT_NONE) |
| 1551 | mode = SSL_VERIFY_NONE; |
| 1552 | else if (n == PY_SSL_CERT_OPTIONAL) |
| 1553 | mode = SSL_VERIFY_PEER; |
| 1554 | else if (n == PY_SSL_CERT_REQUIRED) |
| 1555 | mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 1556 | else { |
| 1557 | PyErr_SetString(PyExc_ValueError, |
| 1558 | "invalid value for verify_mode"); |
| 1559 | return -1; |
| 1560 | } |
| 1561 | SSL_CTX_set_verify(self->ctx, mode, NULL); |
| 1562 | return 0; |
| 1563 | } |
| 1564 | |
| 1565 | static PyObject * |
Antoine Pitrou | b521877 | 2010-05-21 09:56:06 +0000 | [diff] [blame] | 1566 | get_options(PySSLContext *self, void *c) |
| 1567 | { |
| 1568 | return PyLong_FromLong(SSL_CTX_get_options(self->ctx)); |
| 1569 | } |
| 1570 | |
| 1571 | static int |
| 1572 | set_options(PySSLContext *self, PyObject *arg, void *c) |
| 1573 | { |
| 1574 | long new_opts, opts, set, clear; |
| 1575 | if (!PyArg_Parse(arg, "l", &new_opts)) |
| 1576 | return -1; |
| 1577 | opts = SSL_CTX_get_options(self->ctx); |
| 1578 | clear = opts & ~new_opts; |
| 1579 | set = ~opts & new_opts; |
| 1580 | if (clear) { |
| 1581 | #ifdef HAVE_SSL_CTX_CLEAR_OPTIONS |
| 1582 | SSL_CTX_clear_options(self->ctx, clear); |
| 1583 | #else |
| 1584 | PyErr_SetString(PyExc_ValueError, |
| 1585 | "can't clear options before OpenSSL 0.9.8m"); |
| 1586 | return -1; |
| 1587 | #endif |
| 1588 | } |
| 1589 | if (set) |
| 1590 | SSL_CTX_set_options(self->ctx, set); |
| 1591 | return 0; |
| 1592 | } |
| 1593 | |
| 1594 | static PyObject * |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1595 | load_cert_chain(PySSLContext *self, PyObject *args, PyObject *kwds) |
| 1596 | { |
| 1597 | char *kwlist[] = {"certfile", "keyfile", NULL}; |
| 1598 | PyObject *certfile, *keyfile = NULL; |
| 1599 | PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL; |
| 1600 | int r; |
| 1601 | |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1602 | errno = 0; |
Antoine Pitrou | 67e8e56 | 2010-09-01 20:55:41 +0000 | [diff] [blame] | 1603 | ERR_clear_error(); |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1604 | if (!PyArg_ParseTupleAndKeywords(args, kwds, |
| 1605 | "O|O:load_cert_chain", kwlist, |
| 1606 | &certfile, &keyfile)) |
| 1607 | return NULL; |
| 1608 | if (keyfile == Py_None) |
| 1609 | keyfile = NULL; |
| 1610 | if (!PyUnicode_FSConverter(certfile, &certfile_bytes)) { |
| 1611 | PyErr_SetString(PyExc_TypeError, |
| 1612 | "certfile should be a valid filesystem path"); |
| 1613 | return NULL; |
| 1614 | } |
| 1615 | if (keyfile && !PyUnicode_FSConverter(keyfile, &keyfile_bytes)) { |
| 1616 | PyErr_SetString(PyExc_TypeError, |
| 1617 | "keyfile should be a valid filesystem path"); |
| 1618 | goto error; |
| 1619 | } |
| 1620 | PySSL_BEGIN_ALLOW_THREADS |
| 1621 | r = SSL_CTX_use_certificate_chain_file(self->ctx, |
| 1622 | PyBytes_AS_STRING(certfile_bytes)); |
| 1623 | PySSL_END_ALLOW_THREADS |
| 1624 | if (r != 1) { |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1625 | if (errno != 0) { |
Giampaolo Rodolà | e0f9863 | 2010-09-01 19:28:49 +0000 | [diff] [blame] | 1626 | ERR_clear_error(); |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1627 | PyErr_SetFromErrno(PyExc_IOError); |
| 1628 | } |
| 1629 | else { |
| 1630 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 1631 | } |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1632 | goto error; |
| 1633 | } |
| 1634 | PySSL_BEGIN_ALLOW_THREADS |
Antoine Pitrou | 9c25486 | 2011-04-03 18:15:34 +0200 | [diff] [blame] | 1635 | r = SSL_CTX_use_PrivateKey_file(self->ctx, |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1636 | PyBytes_AS_STRING(keyfile ? keyfile_bytes : certfile_bytes), |
| 1637 | SSL_FILETYPE_PEM); |
| 1638 | PySSL_END_ALLOW_THREADS |
| 1639 | Py_XDECREF(keyfile_bytes); |
| 1640 | Py_XDECREF(certfile_bytes); |
| 1641 | if (r != 1) { |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1642 | if (errno != 0) { |
Giampaolo Rodolà | e0f9863 | 2010-09-01 19:28:49 +0000 | [diff] [blame] | 1643 | ERR_clear_error(); |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1644 | PyErr_SetFromErrno(PyExc_IOError); |
| 1645 | } |
| 1646 | else { |
| 1647 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 1648 | } |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1649 | return NULL; |
| 1650 | } |
| 1651 | PySSL_BEGIN_ALLOW_THREADS |
| 1652 | r = SSL_CTX_check_private_key(self->ctx); |
| 1653 | PySSL_END_ALLOW_THREADS |
| 1654 | if (r != 1) { |
| 1655 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 1656 | return NULL; |
| 1657 | } |
| 1658 | Py_RETURN_NONE; |
| 1659 | |
| 1660 | error: |
| 1661 | Py_XDECREF(keyfile_bytes); |
| 1662 | Py_XDECREF(certfile_bytes); |
| 1663 | return NULL; |
| 1664 | } |
| 1665 | |
| 1666 | static PyObject * |
| 1667 | load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds) |
| 1668 | { |
| 1669 | char *kwlist[] = {"cafile", "capath", NULL}; |
| 1670 | PyObject *cafile = NULL, *capath = NULL; |
| 1671 | PyObject *cafile_bytes = NULL, *capath_bytes = NULL; |
| 1672 | const char *cafile_buf = NULL, *capath_buf = NULL; |
| 1673 | int r; |
| 1674 | |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1675 | errno = 0; |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1676 | if (!PyArg_ParseTupleAndKeywords(args, kwds, |
| 1677 | "|OO:load_verify_locations", kwlist, |
| 1678 | &cafile, &capath)) |
| 1679 | return NULL; |
| 1680 | if (cafile == Py_None) |
| 1681 | cafile = NULL; |
| 1682 | if (capath == Py_None) |
| 1683 | capath = NULL; |
| 1684 | if (cafile == NULL && capath == NULL) { |
| 1685 | PyErr_SetString(PyExc_TypeError, |
| 1686 | "cafile and capath cannot be both omitted"); |
| 1687 | return NULL; |
| 1688 | } |
| 1689 | if (cafile && !PyUnicode_FSConverter(cafile, &cafile_bytes)) { |
| 1690 | PyErr_SetString(PyExc_TypeError, |
| 1691 | "cafile should be a valid filesystem path"); |
| 1692 | return NULL; |
| 1693 | } |
| 1694 | if (capath && !PyUnicode_FSConverter(capath, &capath_bytes)) { |
Victor Stinner | 80f75e6 | 2011-01-29 11:31:20 +0000 | [diff] [blame] | 1695 | Py_XDECREF(cafile_bytes); |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1696 | PyErr_SetString(PyExc_TypeError, |
| 1697 | "capath should be a valid filesystem path"); |
| 1698 | return NULL; |
| 1699 | } |
| 1700 | if (cafile) |
| 1701 | cafile_buf = PyBytes_AS_STRING(cafile_bytes); |
| 1702 | if (capath) |
| 1703 | capath_buf = PyBytes_AS_STRING(capath_bytes); |
| 1704 | PySSL_BEGIN_ALLOW_THREADS |
| 1705 | r = SSL_CTX_load_verify_locations(self->ctx, cafile_buf, capath_buf); |
| 1706 | PySSL_END_ALLOW_THREADS |
| 1707 | Py_XDECREF(cafile_bytes); |
| 1708 | Py_XDECREF(capath_bytes); |
| 1709 | if (r != 1) { |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1710 | if (errno != 0) { |
Giampaolo Rodolà | e0f9863 | 2010-09-01 19:28:49 +0000 | [diff] [blame] | 1711 | ERR_clear_error(); |
Giampaolo Rodolà | 745ab38 | 2010-08-29 19:25:49 +0000 | [diff] [blame] | 1712 | PyErr_SetFromErrno(PyExc_IOError); |
| 1713 | } |
| 1714 | else { |
| 1715 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 1716 | } |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1717 | return NULL; |
| 1718 | } |
| 1719 | Py_RETURN_NONE; |
| 1720 | } |
| 1721 | |
| 1722 | static PyObject * |
| 1723 | context_wrap_socket(PySSLContext *self, PyObject *args, PyObject *kwds) |
| 1724 | { |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 1725 | char *kwlist[] = {"sock", "server_side", "server_hostname", NULL}; |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1726 | PySocketSockObject *sock; |
| 1727 | int server_side = 0; |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 1728 | char *hostname = NULL; |
| 1729 | PyObject *hostname_obj, *res; |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1730 | |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 1731 | /* server_hostname is either None (or absent), or to be encoded |
| 1732 | using the idna encoding. */ |
| 1733 | if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!i|O!:_wrap_socket", kwlist, |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1734 | PySocketModule.Sock_Type, |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 1735 | &sock, &server_side, |
| 1736 | Py_TYPE(Py_None), &hostname_obj)) { |
| 1737 | PyErr_Clear(); |
| 1738 | if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!iet:_wrap_socket", kwlist, |
| 1739 | PySocketModule.Sock_Type, |
| 1740 | &sock, &server_side, |
| 1741 | "idna", &hostname)) |
| 1742 | return NULL; |
| 1743 | #ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| 1744 | PyMem_Free(hostname); |
| 1745 | PyErr_SetString(PyExc_ValueError, "server_hostname is not supported " |
| 1746 | "by your OpenSSL library"); |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1747 | return NULL; |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 1748 | #endif |
| 1749 | } |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1750 | |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 1751 | res = (PyObject *) newPySSLSocket(self->ctx, sock, server_side, |
| 1752 | hostname); |
| 1753 | if (hostname != NULL) |
| 1754 | PyMem_Free(hostname); |
| 1755 | return res; |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1756 | } |
| 1757 | |
Antoine Pitrou | b0182c8 | 2010-10-12 20:09:02 +0000 | [diff] [blame] | 1758 | static PyObject * |
| 1759 | session_stats(PySSLContext *self, PyObject *unused) |
| 1760 | { |
| 1761 | int r; |
| 1762 | PyObject *value, *stats = PyDict_New(); |
| 1763 | if (!stats) |
| 1764 | return NULL; |
| 1765 | |
| 1766 | #define ADD_STATS(SSL_NAME, KEY_NAME) \ |
| 1767 | value = PyLong_FromLong(SSL_CTX_sess_ ## SSL_NAME (self->ctx)); \ |
| 1768 | if (value == NULL) \ |
| 1769 | goto error; \ |
| 1770 | r = PyDict_SetItemString(stats, KEY_NAME, value); \ |
| 1771 | Py_DECREF(value); \ |
| 1772 | if (r < 0) \ |
| 1773 | goto error; |
| 1774 | |
| 1775 | ADD_STATS(number, "number"); |
| 1776 | ADD_STATS(connect, "connect"); |
| 1777 | ADD_STATS(connect_good, "connect_good"); |
| 1778 | ADD_STATS(connect_renegotiate, "connect_renegotiate"); |
| 1779 | ADD_STATS(accept, "accept"); |
| 1780 | ADD_STATS(accept_good, "accept_good"); |
| 1781 | ADD_STATS(accept_renegotiate, "accept_renegotiate"); |
| 1782 | ADD_STATS(accept, "accept"); |
| 1783 | ADD_STATS(hits, "hits"); |
| 1784 | ADD_STATS(misses, "misses"); |
| 1785 | ADD_STATS(timeouts, "timeouts"); |
| 1786 | ADD_STATS(cache_full, "cache_full"); |
| 1787 | |
| 1788 | #undef ADD_STATS |
| 1789 | |
| 1790 | return stats; |
| 1791 | |
| 1792 | error: |
| 1793 | Py_DECREF(stats); |
| 1794 | return NULL; |
| 1795 | } |
| 1796 | |
Antoine Pitrou | 664c2d1 | 2010-11-17 20:29:42 +0000 | [diff] [blame] | 1797 | static PyObject * |
| 1798 | set_default_verify_paths(PySSLContext *self, PyObject *unused) |
| 1799 | { |
| 1800 | if (!SSL_CTX_set_default_verify_paths(self->ctx)) { |
| 1801 | _setSSLError(NULL, 0, __FILE__, __LINE__); |
| 1802 | return NULL; |
| 1803 | } |
| 1804 | Py_RETURN_NONE; |
| 1805 | } |
| 1806 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1807 | static PyGetSetDef context_getsetlist[] = { |
Antoine Pitrou | b521877 | 2010-05-21 09:56:06 +0000 | [diff] [blame] | 1808 | {"options", (getter) get_options, |
| 1809 | (setter) set_options, NULL}, |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1810 | {"verify_mode", (getter) get_verify_mode, |
| 1811 | (setter) set_verify_mode, NULL}, |
| 1812 | {NULL}, /* sentinel */ |
| 1813 | }; |
| 1814 | |
| 1815 | static struct PyMethodDef context_methods[] = { |
| 1816 | {"_wrap_socket", (PyCFunction) context_wrap_socket, |
| 1817 | METH_VARARGS | METH_KEYWORDS, NULL}, |
| 1818 | {"set_ciphers", (PyCFunction) set_ciphers, |
| 1819 | METH_VARARGS, NULL}, |
| 1820 | {"load_cert_chain", (PyCFunction) load_cert_chain, |
| 1821 | METH_VARARGS | METH_KEYWORDS, NULL}, |
| 1822 | {"load_verify_locations", (PyCFunction) load_verify_locations, |
| 1823 | METH_VARARGS | METH_KEYWORDS, NULL}, |
Antoine Pitrou | b0182c8 | 2010-10-12 20:09:02 +0000 | [diff] [blame] | 1824 | {"session_stats", (PyCFunction) session_stats, |
| 1825 | METH_NOARGS, NULL}, |
Antoine Pitrou | 664c2d1 | 2010-11-17 20:29:42 +0000 | [diff] [blame] | 1826 | {"set_default_verify_paths", (PyCFunction) set_default_verify_paths, |
| 1827 | METH_NOARGS, NULL}, |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 1828 | {NULL, NULL} /* sentinel */ |
| 1829 | }; |
| 1830 | |
| 1831 | static PyTypeObject PySSLContext_Type = { |
| 1832 | PyVarObject_HEAD_INIT(NULL, 0) |
| 1833 | "_ssl._SSLContext", /*tp_name*/ |
| 1834 | sizeof(PySSLContext), /*tp_basicsize*/ |
| 1835 | 0, /*tp_itemsize*/ |
| 1836 | (destructor)context_dealloc, /*tp_dealloc*/ |
| 1837 | 0, /*tp_print*/ |
| 1838 | 0, /*tp_getattr*/ |
| 1839 | 0, /*tp_setattr*/ |
| 1840 | 0, /*tp_reserved*/ |
| 1841 | 0, /*tp_repr*/ |
| 1842 | 0, /*tp_as_number*/ |
| 1843 | 0, /*tp_as_sequence*/ |
| 1844 | 0, /*tp_as_mapping*/ |
| 1845 | 0, /*tp_hash*/ |
| 1846 | 0, /*tp_call*/ |
| 1847 | 0, /*tp_str*/ |
| 1848 | 0, /*tp_getattro*/ |
| 1849 | 0, /*tp_setattro*/ |
| 1850 | 0, /*tp_as_buffer*/ |
| 1851 | Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /*tp_flags*/ |
| 1852 | 0, /*tp_doc*/ |
| 1853 | 0, /*tp_traverse*/ |
| 1854 | 0, /*tp_clear*/ |
| 1855 | 0, /*tp_richcompare*/ |
| 1856 | 0, /*tp_weaklistoffset*/ |
| 1857 | 0, /*tp_iter*/ |
| 1858 | 0, /*tp_iternext*/ |
| 1859 | context_methods, /*tp_methods*/ |
| 1860 | 0, /*tp_members*/ |
| 1861 | context_getsetlist, /*tp_getset*/ |
| 1862 | 0, /*tp_base*/ |
| 1863 | 0, /*tp_dict*/ |
| 1864 | 0, /*tp_descr_get*/ |
| 1865 | 0, /*tp_descr_set*/ |
| 1866 | 0, /*tp_dictoffset*/ |
| 1867 | 0, /*tp_init*/ |
| 1868 | 0, /*tp_alloc*/ |
| 1869 | context_new, /*tp_new*/ |
| 1870 | }; |
| 1871 | |
| 1872 | |
| 1873 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1874 | #ifdef HAVE_OPENSSL_RAND |
| 1875 | |
| 1876 | /* helper routines for seeding the SSL PRNG */ |
| 1877 | static PyObject * |
| 1878 | PySSL_RAND_add(PyObject *self, PyObject *args) |
| 1879 | { |
| 1880 | char *buf; |
| 1881 | int len; |
| 1882 | double entropy; |
| 1883 | |
| 1884 | if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy)) |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1885 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1886 | RAND_add(buf, len, entropy); |
| 1887 | Py_INCREF(Py_None); |
| 1888 | return Py_None; |
| 1889 | } |
| 1890 | |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1891 | PyDoc_STRVAR(PySSL_RAND_add_doc, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1892 | "RAND_add(string, entropy)\n\ |
| 1893 | \n\ |
| 1894 | Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1895 | bound on the entropy contained in string. See RFC 1750."); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1896 | |
| 1897 | static PyObject * |
| 1898 | PySSL_RAND_status(PyObject *self) |
| 1899 | { |
Christian Heimes | 217cfd1 | 2007-12-02 14:31:20 +0000 | [diff] [blame] | 1900 | return PyLong_FromLong(RAND_status()); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1901 | } |
| 1902 | |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1903 | PyDoc_STRVAR(PySSL_RAND_status_doc, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1904 | "RAND_status() -> 0 or 1\n\ |
| 1905 | \n\ |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1906 | Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\ |
| 1907 | It is necessary to seed the PRNG with RAND_add() on some platforms before\n\ |
| 1908 | using the ssl() function."); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1909 | |
| 1910 | static PyObject * |
Victor Stinner | f9faaad | 2010-05-16 21:36:37 +0000 | [diff] [blame] | 1911 | PySSL_RAND_egd(PyObject *self, PyObject *args) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1912 | { |
Victor Stinner | f9faaad | 2010-05-16 21:36:37 +0000 | [diff] [blame] | 1913 | PyObject *path; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1914 | int bytes; |
| 1915 | |
Victor Stinner | f9faaad | 2010-05-16 21:36:37 +0000 | [diff] [blame] | 1916 | if (!PyArg_ParseTuple(args, "O&|i:RAND_egd", |
| 1917 | PyUnicode_FSConverter, &path)) |
| 1918 | return NULL; |
| 1919 | |
| 1920 | bytes = RAND_egd(PyBytes_AsString(path)); |
| 1921 | Py_DECREF(path); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1922 | if (bytes == -1) { |
Antoine Pitrou | 525807b | 2010-05-12 14:05:24 +0000 | [diff] [blame] | 1923 | PyErr_SetString(PySSLErrorObject, |
| 1924 | "EGD connection failed or EGD did not return " |
| 1925 | "enough data to seed the PRNG"); |
| 1926 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1927 | } |
Christian Heimes | 217cfd1 | 2007-12-02 14:31:20 +0000 | [diff] [blame] | 1928 | return PyLong_FromLong(bytes); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1929 | } |
| 1930 | |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 1931 | PyDoc_STRVAR(PySSL_RAND_egd_doc, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1932 | "RAND_egd(path) -> bytes\n\ |
| 1933 | \n\ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1934 | Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\ |
| 1935 | Returns number of bytes read. Raises SSLError if connection to EGD\n\ |
| 1936 | fails or if it does provide enough data to seed PRNG."); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1937 | |
| 1938 | #endif |
| 1939 | |
Bill Janssen | 40a0f66 | 2008-08-12 16:56:25 +0000 | [diff] [blame] | 1940 | |
| 1941 | |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1942 | /* List of functions exported by this module. */ |
| 1943 | |
| 1944 | static PyMethodDef PySSL_methods[] = { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1945 | {"_test_decode_cert", PySSL_test_decode_certificate, |
| 1946 | METH_VARARGS}, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1947 | #ifdef HAVE_OPENSSL_RAND |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1948 | {"RAND_add", PySSL_RAND_add, METH_VARARGS, |
| 1949 | PySSL_RAND_add_doc}, |
Victor Stinner | f9faaad | 2010-05-16 21:36:37 +0000 | [diff] [blame] | 1950 | {"RAND_egd", PySSL_RAND_egd, METH_VARARGS, |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1951 | PySSL_RAND_egd_doc}, |
| 1952 | {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, |
| 1953 | PySSL_RAND_status_doc}, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1954 | #endif |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1955 | {NULL, NULL} /* Sentinel */ |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 1956 | }; |
| 1957 | |
| 1958 | |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1959 | #ifdef WITH_THREAD |
| 1960 | |
| 1961 | /* an implementation of OpenSSL threading operations in terms |
| 1962 | of the Python C thread library */ |
| 1963 | |
| 1964 | static PyThread_type_lock *_ssl_locks = NULL; |
| 1965 | |
| 1966 | static unsigned long _ssl_thread_id_function (void) { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1967 | return PyThread_get_thread_ident(); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1968 | } |
| 1969 | |
Bill Janssen | 6e027db | 2007-11-15 22:23:56 +0000 | [diff] [blame] | 1970 | static void _ssl_thread_locking_function |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1971 | (int mode, int n, const char *file, int line) { |
| 1972 | /* this function is needed to perform locking on shared data |
| 1973 | structures. (Note that OpenSSL uses a number of global data |
| 1974 | structures that will be implicitly shared whenever multiple |
| 1975 | threads use OpenSSL.) Multi-threaded applications will |
| 1976 | crash at random if it is not set. |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1977 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1978 | locking_function() must be able to handle up to |
| 1979 | CRYPTO_num_locks() different mutex locks. It sets the n-th |
| 1980 | lock if mode & CRYPTO_LOCK, and releases it otherwise. |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1981 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1982 | file and line are the file number of the function setting the |
| 1983 | lock. They can be useful for debugging. |
| 1984 | */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1985 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1986 | if ((_ssl_locks == NULL) || |
| 1987 | (n < 0) || ((unsigned)n >= _ssl_locks_count)) |
| 1988 | return; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1989 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1990 | if (mode & CRYPTO_LOCK) { |
| 1991 | PyThread_acquire_lock(_ssl_locks[n], 1); |
| 1992 | } else { |
| 1993 | PyThread_release_lock(_ssl_locks[n]); |
| 1994 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 1995 | } |
| 1996 | |
| 1997 | static int _setup_ssl_threads(void) { |
| 1998 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 1999 | unsigned int i; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 2000 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2001 | if (_ssl_locks == NULL) { |
| 2002 | _ssl_locks_count = CRYPTO_num_locks(); |
| 2003 | _ssl_locks = (PyThread_type_lock *) |
| 2004 | malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); |
| 2005 | if (_ssl_locks == NULL) |
| 2006 | return 0; |
| 2007 | memset(_ssl_locks, 0, |
| 2008 | sizeof(PyThread_type_lock) * _ssl_locks_count); |
| 2009 | for (i = 0; i < _ssl_locks_count; i++) { |
| 2010 | _ssl_locks[i] = PyThread_allocate_lock(); |
| 2011 | if (_ssl_locks[i] == NULL) { |
| 2012 | unsigned int j; |
| 2013 | for (j = 0; j < i; j++) { |
| 2014 | PyThread_free_lock(_ssl_locks[j]); |
| 2015 | } |
| 2016 | free(_ssl_locks); |
| 2017 | return 0; |
| 2018 | } |
| 2019 | } |
| 2020 | CRYPTO_set_locking_callback(_ssl_thread_locking_function); |
| 2021 | CRYPTO_set_id_callback(_ssl_thread_id_function); |
| 2022 | } |
| 2023 | return 1; |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 2024 | } |
| 2025 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2026 | #endif /* def HAVE_THREAD */ |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 2027 | |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 2028 | PyDoc_STRVAR(module_doc, |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2029 | "Implementation module for SSL socket operations. See the socket module\n\ |
Martin v. Löwis | 14f8b4c | 2002-06-13 20:33:02 +0000 | [diff] [blame] | 2030 | for documentation."); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2031 | |
Martin v. Löwis | 1a21451 | 2008-06-11 05:26:20 +0000 | [diff] [blame] | 2032 | |
| 2033 | static struct PyModuleDef _sslmodule = { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2034 | PyModuleDef_HEAD_INIT, |
| 2035 | "_ssl", |
| 2036 | module_doc, |
| 2037 | -1, |
| 2038 | PySSL_methods, |
| 2039 | NULL, |
| 2040 | NULL, |
| 2041 | NULL, |
| 2042 | NULL |
Martin v. Löwis | 1a21451 | 2008-06-11 05:26:20 +0000 | [diff] [blame] | 2043 | }; |
| 2044 | |
Antoine Pitrou | b9ac25d | 2011-07-08 18:47:06 +0200 | [diff] [blame] | 2045 | |
| 2046 | static void |
| 2047 | parse_openssl_version(unsigned long libver, |
| 2048 | unsigned int *major, unsigned int *minor, |
| 2049 | unsigned int *fix, unsigned int *patch, |
| 2050 | unsigned int *status) |
| 2051 | { |
| 2052 | *status = libver & 0xF; |
| 2053 | libver >>= 4; |
| 2054 | *patch = libver & 0xFF; |
| 2055 | libver >>= 8; |
| 2056 | *fix = libver & 0xFF; |
| 2057 | libver >>= 8; |
| 2058 | *minor = libver & 0xFF; |
| 2059 | libver >>= 8; |
| 2060 | *major = libver & 0xFF; |
| 2061 | } |
| 2062 | |
Mark Hammond | fe51c6d | 2002-08-02 02:27:13 +0000 | [diff] [blame] | 2063 | PyMODINIT_FUNC |
Martin v. Löwis | 1a21451 | 2008-06-11 05:26:20 +0000 | [diff] [blame] | 2064 | PyInit__ssl(void) |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2065 | { |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2066 | PyObject *m, *d, *r; |
| 2067 | unsigned long libver; |
| 2068 | unsigned int major, minor, fix, patch, status; |
| 2069 | PySocketModule_APIObject *socket_api; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2070 | |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 2071 | if (PyType_Ready(&PySSLContext_Type) < 0) |
| 2072 | return NULL; |
| 2073 | if (PyType_Ready(&PySSLSocket_Type) < 0) |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2074 | return NULL; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2075 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2076 | m = PyModule_Create(&_sslmodule); |
| 2077 | if (m == NULL) |
| 2078 | return NULL; |
| 2079 | d = PyModule_GetDict(m); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2080 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2081 | /* Load _socket module and its C API */ |
| 2082 | socket_api = PySocketModule_ImportModuleAndAPI(); |
| 2083 | if (!socket_api) |
| 2084 | return NULL; |
| 2085 | PySocketModule = *socket_api; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2086 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2087 | /* Init OpenSSL */ |
| 2088 | SSL_load_error_strings(); |
| 2089 | SSL_library_init(); |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 2090 | #ifdef WITH_THREAD |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2091 | /* note that this will start threading if not already started */ |
| 2092 | if (!_setup_ssl_threads()) { |
| 2093 | return NULL; |
| 2094 | } |
Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame] | 2095 | #endif |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2096 | OpenSSL_add_all_algorithms(); |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2097 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2098 | /* Add symbols to module dict */ |
| 2099 | PySSLErrorObject = PyErr_NewException("ssl.SSLError", |
| 2100 | PySocketModule.error, |
| 2101 | NULL); |
| 2102 | if (PySSLErrorObject == NULL) |
| 2103 | return NULL; |
| 2104 | if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0) |
| 2105 | return NULL; |
Antoine Pitrou | 152efa2 | 2010-05-16 18:19:27 +0000 | [diff] [blame] | 2106 | if (PyDict_SetItemString(d, "_SSLContext", |
| 2107 | (PyObject *)&PySSLContext_Type) != 0) |
| 2108 | return NULL; |
| 2109 | if (PyDict_SetItemString(d, "_SSLSocket", |
| 2110 | (PyObject *)&PySSLSocket_Type) != 0) |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2111 | return NULL; |
| 2112 | PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN", |
| 2113 | PY_SSL_ERROR_ZERO_RETURN); |
| 2114 | PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ", |
| 2115 | PY_SSL_ERROR_WANT_READ); |
| 2116 | PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE", |
| 2117 | PY_SSL_ERROR_WANT_WRITE); |
| 2118 | PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP", |
| 2119 | PY_SSL_ERROR_WANT_X509_LOOKUP); |
| 2120 | PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL", |
| 2121 | PY_SSL_ERROR_SYSCALL); |
| 2122 | PyModule_AddIntConstant(m, "SSL_ERROR_SSL", |
| 2123 | PY_SSL_ERROR_SSL); |
| 2124 | PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT", |
| 2125 | PY_SSL_ERROR_WANT_CONNECT); |
| 2126 | /* non ssl.h errorcodes */ |
| 2127 | PyModule_AddIntConstant(m, "SSL_ERROR_EOF", |
| 2128 | PY_SSL_ERROR_EOF); |
| 2129 | PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", |
| 2130 | PY_SSL_ERROR_INVALID_ERROR_CODE); |
| 2131 | /* cert requirements */ |
| 2132 | PyModule_AddIntConstant(m, "CERT_NONE", |
| 2133 | PY_SSL_CERT_NONE); |
| 2134 | PyModule_AddIntConstant(m, "CERT_OPTIONAL", |
| 2135 | PY_SSL_CERT_OPTIONAL); |
| 2136 | PyModule_AddIntConstant(m, "CERT_REQUIRED", |
| 2137 | PY_SSL_CERT_REQUIRED); |
Martin v. Löwis | 6af3e2d | 2002-04-20 07:47:40 +0000 | [diff] [blame] | 2138 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2139 | /* protocol versions */ |
Victor Stinner | ee18b6f | 2011-05-10 00:38:00 +0200 | [diff] [blame] | 2140 | #ifndef OPENSSL_NO_SSL2 |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2141 | PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", |
| 2142 | PY_SSL_VERSION_SSL2); |
Victor Stinner | ee18b6f | 2011-05-10 00:38:00 +0200 | [diff] [blame] | 2143 | #endif |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2144 | PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", |
| 2145 | PY_SSL_VERSION_SSL3); |
| 2146 | PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", |
| 2147 | PY_SSL_VERSION_SSL23); |
| 2148 | PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", |
| 2149 | PY_SSL_VERSION_TLS1); |
Antoine Pitrou | 04f6a32 | 2010-04-05 21:40:07 +0000 | [diff] [blame] | 2150 | |
Antoine Pitrou | b521877 | 2010-05-21 09:56:06 +0000 | [diff] [blame] | 2151 | /* protocol options */ |
Antoine Pitrou | 3f36631 | 2012-01-27 09:50:45 +0100 | [diff] [blame] | 2152 | PyModule_AddIntConstant(m, "OP_ALL", |
| 2153 | SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
Antoine Pitrou | b521877 | 2010-05-21 09:56:06 +0000 | [diff] [blame] | 2154 | PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2); |
| 2155 | PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3); |
| 2156 | PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1); |
| 2157 | |
Antoine Pitrou | d532321 | 2010-10-22 18:19:07 +0000 | [diff] [blame] | 2158 | #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| 2159 | r = Py_True; |
| 2160 | #else |
| 2161 | r = Py_False; |
| 2162 | #endif |
| 2163 | Py_INCREF(r); |
| 2164 | PyModule_AddObject(m, "HAS_SNI", r); |
| 2165 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2166 | /* OpenSSL version */ |
| 2167 | /* SSLeay() gives us the version of the library linked against, |
| 2168 | which could be different from the headers version. |
| 2169 | */ |
| 2170 | libver = SSLeay(); |
| 2171 | r = PyLong_FromUnsignedLong(libver); |
| 2172 | if (r == NULL) |
| 2173 | return NULL; |
| 2174 | if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r)) |
| 2175 | return NULL; |
Antoine Pitrou | b9ac25d | 2011-07-08 18:47:06 +0200 | [diff] [blame] | 2176 | parse_openssl_version(libver, &major, &minor, &fix, &patch, &status); |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2177 | r = Py_BuildValue("IIIII", major, minor, fix, patch, status); |
| 2178 | if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r)) |
| 2179 | return NULL; |
| 2180 | r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION)); |
| 2181 | if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r)) |
| 2182 | return NULL; |
Antoine Pitrou | 04f6a32 | 2010-04-05 21:40:07 +0000 | [diff] [blame] | 2183 | |
Antoine Pitrou | b9ac25d | 2011-07-08 18:47:06 +0200 | [diff] [blame] | 2184 | libver = OPENSSL_VERSION_NUMBER; |
| 2185 | parse_openssl_version(libver, &major, &minor, &fix, &patch, &status); |
| 2186 | r = Py_BuildValue("IIIII", major, minor, fix, patch, status); |
| 2187 | if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r)) |
| 2188 | return NULL; |
| 2189 | |
Antoine Pitrou | cbb82eb | 2010-05-05 15:57:33 +0000 | [diff] [blame] | 2190 | return m; |
Marc-André Lemburg | a5d2b4c | 2002-02-16 18:23:30 +0000 | [diff] [blame] | 2191 | } |