Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 5dd12a5978389ec3dfa7063bbe9a9763b1294027 / . / Modules / _ssl.c
blob: 0de541ce7a05ccc4138e5e2428d9d4933e5be363 [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1/* SSL socket module
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]4 Re-worked a bit by Bill Janssen to add server-side support and
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]5 certificate decoding. Chris Stawarz contributed some non-blocking
6 patches.
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]7
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]8 This module is imported by ssl.py. It should *not* be used
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]9 directly.
10
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]11 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
Antoine Pitrou2c4f98b2010-04-23 00:16:21 +0000[diff] [blame]12
13 XXX integrate several "shutdown modes" as suggested in
14 http://bugs.python.org/issue8108#msg102867 ?
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]15*/
16
17#include "Python.h"
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]19#ifdef WITH_THREAD
20#include "pythread.h"
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]21#define PySSL_BEGIN_ALLOW_THREADS_S(save) \
22 do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
23#define PySSL_END_ALLOW_THREADS_S(save) \
24 do { if (_ssl_locks_count>0) { PyEval_RestoreThread(save); } } while (0)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]25#define PySSL_BEGIN_ALLOW_THREADS { \
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]26 PyThreadState *_save = NULL; \
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]27 PySSL_BEGIN_ALLOW_THREADS_S(_save);
28#define PySSL_BLOCK_THREADS PySSL_END_ALLOW_THREADS_S(_save);
29#define PySSL_UNBLOCK_THREADS PySSL_BEGIN_ALLOW_THREADS_S(_save);
30#define PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS_S(_save); }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]31
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]32#else /* no WITH_THREAD */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]33
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]34#define PySSL_BEGIN_ALLOW_THREADS_S(save)
35#define PySSL_END_ALLOW_THREADS_S(save)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]36#define PySSL_BEGIN_ALLOW_THREADS
37#define PySSL_BLOCK_THREADS
38#define PySSL_UNBLOCK_THREADS
39#define PySSL_END_ALLOW_THREADS
40
41#endif
42
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]43enum py_ssl_error {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]44 /* these mirror ssl.h */
45 PY_SSL_ERROR_NONE,
46 PY_SSL_ERROR_SSL,
47 PY_SSL_ERROR_WANT_READ,
48 PY_SSL_ERROR_WANT_WRITE,
49 PY_SSL_ERROR_WANT_X509_LOOKUP,
50 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
51 PY_SSL_ERROR_ZERO_RETURN,
52 PY_SSL_ERROR_WANT_CONNECT,
53 /* start of non ssl.h errorcodes */
54 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
55 PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */
56 PY_SSL_ERROR_INVALID_ERROR_CODE
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]57};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]58
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]59enum py_ssl_server_or_client {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]60 PY_SSL_CLIENT,
61 PY_SSL_SERVER
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]62};
63
64enum py_ssl_cert_requirements {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]65 PY_SSL_CERT_NONE,
66 PY_SSL_CERT_OPTIONAL,
67 PY_SSL_CERT_REQUIRED
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]68};
69
70enum py_ssl_version {
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]71#ifndef OPENSSL_NO_SSL2
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]72 PY_SSL_VERSION_SSL2,
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]73#endif
74 PY_SSL_VERSION_SSL3=1,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]75 PY_SSL_VERSION_SSL23,
76 PY_SSL_VERSION_TLS1
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]77};
78
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]79struct py_ssl_error_code {
80 const char *mnemonic;
81 int library, reason;
82};
83
84struct py_ssl_library_code {
85 const char *library;
86 int code;
87};
88
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]89/* Include symbols from _socket module */
90#include "socketmodule.h"
91
Benjamin Petersonb173f782009-05-05 22:31:58 +0000[diff] [blame]92static PySocketModule_APIObject PySocketModule;
93
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]94#if defined(HAVE_POLL_H)
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]95#include <poll.h>
96#elif defined(HAVE_SYS_POLL_H)
97#include <sys/poll.h>
98#endif
99
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]100/* Include OpenSSL header files */
101#include "openssl/rsa.h"
102#include "openssl/crypto.h"
103#include "openssl/x509.h"
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]104#include "openssl/x509v3.h"
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]105#include "openssl/pem.h"
106#include "openssl/ssl.h"
107#include "openssl/err.h"
108#include "openssl/rand.h"
109
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]110/* Include generated data (error codes) */
111#include "_ssl_data.h"
112
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]113/* SSL error object */
114static PyObject *PySSLErrorObject;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]115static PyObject *PySSLZeroReturnErrorObject;
116static PyObject *PySSLWantReadErrorObject;
117static PyObject *PySSLWantWriteErrorObject;
118static PyObject *PySSLSyscallErrorObject;
119static PyObject *PySSLEOFErrorObject;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]120
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]121/* Error mappings */
122static PyObject *err_codes_to_names;
123static PyObject *err_names_to_codes;
124static PyObject *lib_codes_to_names;
125
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]126#ifdef WITH_THREAD
127
128/* serves as a flag to see whether we've initialized the SSL thread support. */
129/* 0 means no, greater than 0 means yes */
130
131static unsigned int _ssl_locks_count = 0;
132
133#endif /* def WITH_THREAD */
134
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]135/* SSL socket object */
136
137#define X509_NAME_MAXLEN 256
138
139/* RAND_* APIs got added to OpenSSL in 0.9.5 */
140#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
141# define HAVE_OPENSSL_RAND 1
142#else
143# undef HAVE_OPENSSL_RAND
144#endif
145
Gregory P. Smithbd4dacb2010-10-13 03:53:21 +0000[diff] [blame]146/* SSL_CTX_clear_options() and SSL_clear_options() were first added in
147 * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the
148 * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */
149#if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x00909000L
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]150# define HAVE_SSL_CTX_CLEAR_OPTIONS
151#else
152# undef HAVE_SSL_CTX_CLEAR_OPTIONS
153#endif
154
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]155/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
156 * older SSL, but let's be safe */
157#define PySSL_CB_MAXLEN 128
158
159/* SSL_get_finished got added to OpenSSL in 0.9.5 */
160#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
161# define HAVE_OPENSSL_FINISHED 1
162#else
163# define HAVE_OPENSSL_FINISHED 0
164#endif
165
Antoine Pitroua9bf2ac2012-02-17 18:47:54 +0100[diff] [blame]166/* ECDH support got added to OpenSSL in 0.9.8 */
167#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_ECDH)
168# define OPENSSL_NO_ECDH
169#endif
170
Antoine Pitrouc135fa42012-02-19 21:22:39 +0100[diff] [blame]171/* compression support got added to OpenSSL in 0.9.8 */
172#if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_COMP)
173# define OPENSSL_NO_COMP
174#endif
175
Antoine Pitroua9bf2ac2012-02-17 18:47:54 +0100[diff] [blame]176
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]177typedef struct {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]178 PyObject_HEAD
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]179 SSL_CTX *ctx;
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]180#ifdef OPENSSL_NPN_NEGOTIATED
181 char *npn_protocols;
182 int npn_protocols_len;
183#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]184#ifndef OPENSSL_NO_TLSEXT
185 PyObject *set_hostname;
186#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]187} PySSLContext;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]188
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]189typedef struct {
190 PyObject_HEAD
191 PyObject *Socket; /* weakref to socket on which we're layered */
192 SSL *ssl;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]193 PySSLContext *ctx; /* weakref to SSL context */
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]194 X509 *peer_cert;
195 int shutdown_seen_zero;
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]196 enum py_ssl_server_or_client socket_type;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]197} PySSLSocket;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]198
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]199static PyTypeObject PySSLContext_Type;
200static PyTypeObject PySSLSocket_Type;
201
202static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args);
203static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]204static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]205 int writing);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]206static PyObject *PySSL_peercert(PySSLSocket *self, PyObject *args);
207static PyObject *PySSL_cipher(PySSLSocket *self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]208
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]209#define PySSLContext_Check(v) (Py_TYPE(v) == &PySSLContext_Type)
210#define PySSLSocket_Check(v) (Py_TYPE(v) == &PySSLSocket_Type)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]211
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]212typedef enum {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]213 SOCKET_IS_NONBLOCKING,
214 SOCKET_IS_BLOCKING,
215 SOCKET_HAS_TIMED_OUT,
216 SOCKET_HAS_BEEN_CLOSED,
217 SOCKET_TOO_LARGE_FOR_SELECT,
218 SOCKET_OPERATION_OK
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]219} timeout_state;
220
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]221/* Wrap error strings with filename and line # */
222#define STRINGIFY1(x) #x
223#define STRINGIFY2(x) STRINGIFY1(x)
224#define ERRSTR1(x,y,z) (x ":" y ": " z)
225#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
226
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]227
228/*
229 * SSL errors.
230 */
231
232PyDoc_STRVAR(SSLError_doc,
233"An error occurred in the SSL implementation.");
234
235PyDoc_STRVAR(SSLZeroReturnError_doc,
236"SSL/TLS session closed cleanly.");
237
238PyDoc_STRVAR(SSLWantReadError_doc,
239"Non-blocking SSL socket needs to read more data\n"
240"before the requested operation can be completed.");
241
242PyDoc_STRVAR(SSLWantWriteError_doc,
243"Non-blocking SSL socket needs to write more data\n"
244"before the requested operation can be completed.");
245
246PyDoc_STRVAR(SSLSyscallError_doc,
247"System error when attempting SSL operation.");
248
249PyDoc_STRVAR(SSLEOFError_doc,
250"SSL/TLS connection terminated abruptly.");
251
252static PyObject *
253SSLError_str(PyOSErrorObject *self)
254{
255 if (self->strerror != NULL && PyUnicode_Check(self->strerror)) {
256 Py_INCREF(self->strerror);
257 return self->strerror;
258 }
259 else
260 return PyObject_Str(self->args);
261}
262
263static PyType_Slot sslerror_type_slots[] = {
264 {Py_tp_base, NULL}, /* Filled out in module init as it's not a constant */
265 {Py_tp_doc, SSLError_doc},
266 {Py_tp_str, SSLError_str},
267 {0, 0},
268};
269
270static PyType_Spec sslerror_type_spec = {
271 "ssl.SSLError",
272 sizeof(PyOSErrorObject),
273 0,
274 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
275 sslerror_type_slots
276};
277
278static void
279fill_and_set_sslerror(PyObject *type, int ssl_errno, const char *errstr,
280 int lineno, unsigned long errcode)
281{
282 PyObject *err_value = NULL, *reason_obj = NULL, *lib_obj = NULL;
283 PyObject *init_value, *msg, *key;
284 _Py_IDENTIFIER(reason);
285 _Py_IDENTIFIER(library);
286
287 if (errcode != 0) {
288 int lib, reason;
289
290 lib = ERR_GET_LIB(errcode);
291 reason = ERR_GET_REASON(errcode);
292 key = Py_BuildValue("ii", lib, reason);
293 if (key == NULL)
294 goto fail;
295 reason_obj = PyDict_GetItem(err_codes_to_names, key);
296 Py_DECREF(key);
297 if (reason_obj == NULL) {
298 /* XXX if reason < 100, it might reflect a library number (!!) */
299 PyErr_Clear();
300 }
301 key = PyLong_FromLong(lib);
302 if (key == NULL)
303 goto fail;
304 lib_obj = PyDict_GetItem(lib_codes_to_names, key);
305 Py_DECREF(key);
306 if (lib_obj == NULL) {
307 PyErr_Clear();
308 }
309 if (errstr == NULL)
310 errstr = ERR_reason_error_string(errcode);
311 }
312 if (errstr == NULL)
313 errstr = "unknown error";
314
315 if (reason_obj && lib_obj)
316 msg = PyUnicode_FromFormat("[%S: %S] %s (_ssl.c:%d)",
317 lib_obj, reason_obj, errstr, lineno);
318 else if (lib_obj)
319 msg = PyUnicode_FromFormat("[%S] %s (_ssl.c:%d)",
320 lib_obj, errstr, lineno);
321 else
322 msg = PyUnicode_FromFormat("%s (_ssl.c:%d)", errstr, lineno);
323
324 if (msg == NULL)
325 goto fail;
326 init_value = Py_BuildValue("iN", ssl_errno, msg);
327 err_value = PyObject_CallObject(type, init_value);
328 Py_DECREF(init_value);
329 if (err_value == NULL)
330 goto fail;
331 if (reason_obj == NULL)
332 reason_obj = Py_None;
333 if (_PyObject_SetAttrId(err_value, &PyId_reason, reason_obj))
334 goto fail;
335 if (lib_obj == NULL)
336 lib_obj = Py_None;
337 if (_PyObject_SetAttrId(err_value, &PyId_library, lib_obj))
338 goto fail;
339 PyErr_SetObject(type, err_value);
340fail:
341 Py_XDECREF(err_value);
342}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]343
344static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]345PySSL_SetError(PySSLSocket *obj, int ret, char *filename, int lineno)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]346{
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]347 PyObject *type = PySSLErrorObject;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]348 char *errstr = NULL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]349 int err;
350 enum py_ssl_error p = PY_SSL_ERROR_NONE;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]351 unsigned long e = 0;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]352
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]353 assert(ret <= 0);
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]354 e = ERR_peek_last_error();
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]355
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]356 if (obj->ssl != NULL) {
357 err = SSL_get_error(obj->ssl, ret);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]358
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]359 switch (err) {
360 case SSL_ERROR_ZERO_RETURN:
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]361 errstr = "TLS/SSL connection has been closed (EOF)";
362 type = PySSLZeroReturnErrorObject;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]363 p = PY_SSL_ERROR_ZERO_RETURN;
364 break;
365 case SSL_ERROR_WANT_READ:
366 errstr = "The operation did not complete (read)";
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]367 type = PySSLWantReadErrorObject;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]368 p = PY_SSL_ERROR_WANT_READ;
369 break;
370 case SSL_ERROR_WANT_WRITE:
371 p = PY_SSL_ERROR_WANT_WRITE;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]372 type = PySSLWantWriteErrorObject;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]373 errstr = "The operation did not complete (write)";
374 break;
375 case SSL_ERROR_WANT_X509_LOOKUP:
376 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]377 errstr = "The operation did not complete (X509 lookup)";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]378 break;
379 case SSL_ERROR_WANT_CONNECT:
380 p = PY_SSL_ERROR_WANT_CONNECT;
381 errstr = "The operation did not complete (connect)";
382 break;
383 case SSL_ERROR_SYSCALL:
384 {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]385 if (e == 0) {
386 PySocketSockObject *s
387 = (PySocketSockObject *) PyWeakref_GetObject(obj->Socket);
388 if (ret == 0 || (((PyObject *)s) == Py_None)) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]389 p = PY_SSL_ERROR_EOF;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]390 type = PySSLEOFErrorObject;
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]391 errstr = "EOF occurred in violation of protocol";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]392 } else if (ret == -1) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]393 /* underlying BIO reported an I/O error */
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]394 Py_INCREF(s);
Antoine Pitrou9d74b422010-05-16 23:14:22 +0000[diff] [blame]395 ERR_clear_error();
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]396 s->errorhandler();
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]397 Py_DECREF(s);
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]398 return NULL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]399 } else { /* possible? */
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]400 p = PY_SSL_ERROR_SYSCALL;
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]401 type = PySSLSyscallErrorObject;
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]402 errstr = "Some I/O error occurred";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]403 }
404 } else {
405 p = PY_SSL_ERROR_SYSCALL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]406 }
407 break;
408 }
409 case SSL_ERROR_SSL:
410 {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]411 p = PY_SSL_ERROR_SSL;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]412 if (e == 0)
413 /* possible? */
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]414 errstr = "A failure in the SSL library occurred";
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]415 break;
416 }
417 default:
418 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
419 errstr = "Invalid error code";
420 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]421 }
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]422 fill_and_set_sslerror(type, p, errstr, lineno, e);
Antoine Pitrou9d74b422010-05-16 23:14:22 +0000[diff] [blame]423 ERR_clear_error();
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]424 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]425}
426
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]427static PyObject *
428_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
429
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]430 if (errstr == NULL)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]431 errcode = ERR_peek_last_error();
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]432 else
433 errcode = 0;
434 fill_and_set_sslerror(PySSLErrorObject, errcode, errstr, lineno, errcode);
Antoine Pitrou9d74b422010-05-16 23:14:22 +0000[diff] [blame]435 ERR_clear_error();
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]436 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]437}
438
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]439/*
440 * SSL objects
441 */
442
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]443static PySSLSocket *
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]444newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]445 enum py_ssl_server_or_client socket_type,
446 char *server_hostname)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]447{
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]448 PySSLSocket *self;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]449 SSL_CTX *ctx = sslctx->ctx;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]450
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]451 self = PyObject_New(PySSLSocket, &PySSLSocket_Type);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]452 if (self == NULL)
453 return NULL;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]454
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]455 self->peer_cert = NULL;
456 self->ssl = NULL;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]457 self->Socket = NULL;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]458 self->ctx = sslctx;
459 Py_INCREF(sslctx);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]460
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]461 /* Make sure the SSL error state is initialized */
462 (void) ERR_get_state();
463 ERR_clear_error();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]464
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]465 PySSL_BEGIN_ALLOW_THREADS
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]466 self->ssl = SSL_new(ctx);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]467 PySSL_END_ALLOW_THREADS
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]468 SSL_set_app_data(self->ssl,self);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]469 SSL_set_fd(self->ssl, sock->sock_fd);
Antoine Pitrou0ae7b582010-04-09 20:42:09 +0000[diff] [blame]470#ifdef SSL_MODE_AUTO_RETRY
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]471 SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY);
Antoine Pitrou0ae7b582010-04-09 20:42:09 +0000[diff] [blame]472#endif
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]473
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]474#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
475 if (server_hostname != NULL)
476 SSL_set_tlsext_host_name(self->ssl, server_hostname);
477#endif
478
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]479 /* If the socket is in non-blocking mode or timeout mode, set the BIO
480 * to non-blocking mode (blocking is the default)
481 */
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]482 if (sock->sock_timeout >= 0.0) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]483 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
484 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
485 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]486
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]487 PySSL_BEGIN_ALLOW_THREADS
488 if (socket_type == PY_SSL_CLIENT)
489 SSL_set_connect_state(self->ssl);
490 else
491 SSL_set_accept_state(self->ssl);
492 PySSL_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]493
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]494 self->socket_type = socket_type;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]495 self->Socket = PyWeakref_NewRef((PyObject *) sock, NULL);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]496 return self;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]497}
498
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]499/* SSL object methods */
500
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]501static PyObject *PySSL_SSLdo_handshake(PySSLSocket *self)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]502{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]503 int ret;
504 int err;
505 int sockstate, nonblocking;
506 PySocketSockObject *sock
507 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]508
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]509 if (((PyObject*)sock) == Py_None) {
510 _setSSLError("Underlying socket connection gone",
511 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
512 return NULL;
513 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]514 Py_INCREF(sock);
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]515
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]516 /* just in case the blocking state of the socket has been changed */
517 nonblocking = (sock->sock_timeout >= 0.0);
518 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
519 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]520
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]521 /* Actually negotiate SSL connection */
522 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]523 do {
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]524 PySSL_BEGIN_ALLOW_THREADS
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]525 ret = SSL_do_handshake(self->ssl);
526 err = SSL_get_error(self->ssl, ret);
527 PySSL_END_ALLOW_THREADS
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]528 if (PyErr_CheckSignals())
529 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]530 if (err == SSL_ERROR_WANT_READ) {
531 sockstate = check_socket_and_wait_for_timeout(sock, 0);
532 } else if (err == SSL_ERROR_WANT_WRITE) {
533 sockstate = check_socket_and_wait_for_timeout(sock, 1);
534 } else {
535 sockstate = SOCKET_OPERATION_OK;
536 }
537 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]538 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]539 ERRSTR("The handshake operation timed out"));
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]540 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]541 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
542 PyErr_SetString(PySSLErrorObject,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]543 ERRSTR("Underlying socket has been closed."));
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]544 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]545 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
546 PyErr_SetString(PySSLErrorObject,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]547 ERRSTR("Underlying socket too large for select()."));
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]548 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]549 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
550 break;
551 }
552 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]553 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]554 if (ret < 1)
555 return PySSL_SetError(self, ret, __FILE__, __LINE__);
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]556
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]557 if (self->peer_cert)
558 X509_free (self->peer_cert);
559 PySSL_BEGIN_ALLOW_THREADS
560 self->peer_cert = SSL_get_peer_certificate(self->ssl);
561 PySSL_END_ALLOW_THREADS
562
563 Py_INCREF(Py_None);
564 return Py_None;
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]565
566error:
567 Py_DECREF(sock);
568 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]569}
570
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]571static PyObject *
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]572_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) {
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]573
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]574 char namebuf[X509_NAME_MAXLEN];
575 int buflen;
576 PyObject *name_obj;
577 PyObject *value_obj;
578 PyObject *attr;
579 unsigned char *valuebuf = NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]580
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]581 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
582 if (buflen < 0) {
583 _setSSLError(NULL, 0, __FILE__, __LINE__);
584 goto fail;
585 }
586 name_obj = PyUnicode_FromStringAndSize(namebuf, buflen);
587 if (name_obj == NULL)
588 goto fail;
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]589
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]590 buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
591 if (buflen < 0) {
592 _setSSLError(NULL, 0, __FILE__, __LINE__);
593 Py_DECREF(name_obj);
594 goto fail;
595 }
596 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]597 buflen, "strict");
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]598 OPENSSL_free(valuebuf);
599 if (value_obj == NULL) {
600 Py_DECREF(name_obj);
601 goto fail;
602 }
603 attr = PyTuple_New(2);
604 if (attr == NULL) {
605 Py_DECREF(name_obj);
606 Py_DECREF(value_obj);
607 goto fail;
608 }
609 PyTuple_SET_ITEM(attr, 0, name_obj);
610 PyTuple_SET_ITEM(attr, 1, value_obj);
611 return attr;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]612
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]613 fail:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]614 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]615}
616
617static PyObject *
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]618_create_tuple_for_X509_NAME (X509_NAME *xname)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]619{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]620 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */
621 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */
622 PyObject *rdnt;
623 PyObject *attr = NULL; /* tuple to hold an attribute */
624 int entry_count = X509_NAME_entry_count(xname);
625 X509_NAME_ENTRY *entry;
626 ASN1_OBJECT *name;
627 ASN1_STRING *value;
628 int index_counter;
629 int rdn_level = -1;
630 int retcode;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]631
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]632 dn = PyList_New(0);
633 if (dn == NULL)
634 return NULL;
635 /* now create another tuple to hold the top-level RDN */
636 rdn = PyList_New(0);
637 if (rdn == NULL)
638 goto fail0;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]639
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]640 for (index_counter = 0;
641 index_counter < entry_count;
642 index_counter++)
643 {
644 entry = X509_NAME_get_entry(xname, index_counter);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]645
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]646 /* check to see if we've gotten to a new RDN */
647 if (rdn_level >= 0) {
648 if (rdn_level != entry->set) {
649 /* yes, new RDN */
650 /* add old RDN to DN */
651 rdnt = PyList_AsTuple(rdn);
652 Py_DECREF(rdn);
653 if (rdnt == NULL)
654 goto fail0;
655 retcode = PyList_Append(dn, rdnt);
656 Py_DECREF(rdnt);
657 if (retcode < 0)
658 goto fail0;
659 /* create new RDN */
660 rdn = PyList_New(0);
661 if (rdn == NULL)
662 goto fail0;
663 }
664 }
665 rdn_level = entry->set;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]666
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]667 /* now add this attribute to the current RDN */
668 name = X509_NAME_ENTRY_get_object(entry);
669 value = X509_NAME_ENTRY_get_data(entry);
670 attr = _create_tuple_for_attribute(name, value);
671 /*
672 fprintf(stderr, "RDN level %d, attribute %s: %s\n",
673 entry->set,
674 PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
675 PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
676 */
677 if (attr == NULL)
678 goto fail1;
679 retcode = PyList_Append(rdn, attr);
680 Py_DECREF(attr);
681 if (retcode < 0)
682 goto fail1;
683 }
684 /* now, there's typically a dangling RDN */
Antoine Pitrou2f5a1632012-02-15 22:25:27 +0100[diff] [blame]685 if (rdn != NULL) {
686 if (PyList_GET_SIZE(rdn) > 0) {
687 rdnt = PyList_AsTuple(rdn);
688 Py_DECREF(rdn);
689 if (rdnt == NULL)
690 goto fail0;
691 retcode = PyList_Append(dn, rdnt);
692 Py_DECREF(rdnt);
693 if (retcode < 0)
694 goto fail0;
695 }
696 else {
697 Py_DECREF(rdn);
698 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]699 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]700
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]701 /* convert list to tuple */
702 rdnt = PyList_AsTuple(dn);
703 Py_DECREF(dn);
704 if (rdnt == NULL)
705 return NULL;
706 return rdnt;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]707
708 fail1:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]709 Py_XDECREF(rdn);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]710
711 fail0:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]712 Py_XDECREF(dn);
713 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]714}
715
716static PyObject *
717_get_peer_alt_names (X509 *certificate) {
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]718
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]719 /* this code follows the procedure outlined in
720 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
721 function to extract the STACK_OF(GENERAL_NAME),
722 then iterates through the stack to add the
723 names. */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]724
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]725 int i, j;
726 PyObject *peer_alt_names = Py_None;
727 PyObject *v, *t;
728 X509_EXTENSION *ext = NULL;
729 GENERAL_NAMES *names = NULL;
730 GENERAL_NAME *name;
Benjamin Petersoneb1410f2010-10-13 22:06:39 +0000[diff] [blame]731 const X509V3_EXT_METHOD *method;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]732 BIO *biobuf = NULL;
733 char buf[2048];
734 char *vptr;
735 int len;
736 /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */
Victor Stinner7124a412010-03-02 22:48:17 +0000[diff] [blame]737#if OPENSSL_VERSION_NUMBER >= 0x009060dfL
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]738 const unsigned char *p;
Victor Stinner7124a412010-03-02 22:48:17 +0000[diff] [blame]739#else
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]740 unsigned char *p;
Victor Stinner7124a412010-03-02 22:48:17 +0000[diff] [blame]741#endif
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]742
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]743 if (certificate == NULL)
744 return peer_alt_names;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]745
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]746 /* get a memory buffer */
747 biobuf = BIO_new(BIO_s_mem());
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]748
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]749 i = -1;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]750 while ((i = X509_get_ext_by_NID(
751 certificate, NID_subject_alt_name, i)) >= 0) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]752
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]753 if (peer_alt_names == Py_None) {
754 peer_alt_names = PyList_New(0);
755 if (peer_alt_names == NULL)
756 goto fail;
757 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]758
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]759 /* now decode the altName */
760 ext = X509_get_ext(certificate, i);
761 if(!(method = X509V3_EXT_get(ext))) {
762 PyErr_SetString
763 (PySSLErrorObject,
764 ERRSTR("No method for internalizing subjectAltName!"));
765 goto fail;
766 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]767
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]768 p = ext->value->data;
769 if (method->it)
770 names = (GENERAL_NAMES*)
771 (ASN1_item_d2i(NULL,
772 &p,
773 ext->value->length,
774 ASN1_ITEM_ptr(method->it)));
775 else
776 names = (GENERAL_NAMES*)
777 (method->d2i(NULL,
778 &p,
779 ext->value->length));
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]780
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]781 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]782
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]783 /* get a rendering of each name in the set of names */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]784
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]785 name = sk_GENERAL_NAME_value(names, j);
786 if (name->type == GEN_DIRNAME) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]787
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]788 /* we special-case DirName as a tuple of
789 tuples of attributes */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]790
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]791 t = PyTuple_New(2);
792 if (t == NULL) {
793 goto fail;
794 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]795
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]796 v = PyUnicode_FromString("DirName");
797 if (v == NULL) {
798 Py_DECREF(t);
799 goto fail;
800 }
801 PyTuple_SET_ITEM(t, 0, v);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]802
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]803 v = _create_tuple_for_X509_NAME (name->d.dirn);
804 if (v == NULL) {
805 Py_DECREF(t);
806 goto fail;
807 }
808 PyTuple_SET_ITEM(t, 1, v);
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]809
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]810 } else {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]811
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]812 /* for everything else, we use the OpenSSL print form */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]813
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]814 (void) BIO_reset(biobuf);
815 GENERAL_NAME_print(biobuf, name);
816 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
817 if (len < 0) {
818 _setSSLError(NULL, 0, __FILE__, __LINE__);
819 goto fail;
820 }
821 vptr = strchr(buf, ':');
822 if (vptr == NULL)
823 goto fail;
824 t = PyTuple_New(2);
825 if (t == NULL)
826 goto fail;
827 v = PyUnicode_FromStringAndSize(buf, (vptr - buf));
828 if (v == NULL) {
829 Py_DECREF(t);
830 goto fail;
831 }
832 PyTuple_SET_ITEM(t, 0, v);
833 v = PyUnicode_FromStringAndSize((vptr + 1),
834 (len - (vptr - buf + 1)));
835 if (v == NULL) {
836 Py_DECREF(t);
837 goto fail;
838 }
839 PyTuple_SET_ITEM(t, 1, v);
840 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]841
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]842 /* and add that rendering to the list */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]843
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]844 if (PyList_Append(peer_alt_names, t) < 0) {
845 Py_DECREF(t);
846 goto fail;
847 }
848 Py_DECREF(t);
849 }
Antoine Pitrou116d6b92011-11-23 01:39:19 +0100[diff] [blame]850 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]851 }
852 BIO_free(biobuf);
853 if (peer_alt_names != Py_None) {
854 v = PyList_AsTuple(peer_alt_names);
855 Py_DECREF(peer_alt_names);
856 return v;
857 } else {
858 return peer_alt_names;
859 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]860
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]861
862 fail:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]863 if (biobuf != NULL)
864 BIO_free(biobuf);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]865
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]866 if (peer_alt_names != Py_None) {
867 Py_XDECREF(peer_alt_names);
868 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]869
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]870 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]871}
872
873static PyObject *
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]874_decode_certificate(X509 *certificate) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]875
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]876 PyObject *retval = NULL;
877 BIO *biobuf = NULL;
878 PyObject *peer;
879 PyObject *peer_alt_names = NULL;
880 PyObject *issuer;
881 PyObject *version;
882 PyObject *sn_obj;
883 ASN1_INTEGER *serialNumber;
884 char buf[2048];
885 int len;
886 ASN1_TIME *notBefore, *notAfter;
887 PyObject *pnotBefore, *pnotAfter;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]888
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]889 retval = PyDict_New();
890 if (retval == NULL)
891 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]892
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]893 peer = _create_tuple_for_X509_NAME(
894 X509_get_subject_name(certificate));
895 if (peer == NULL)
896 goto fail0;
897 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
898 Py_DECREF(peer);
899 goto fail0;
900 }
901 Py_DECREF(peer);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]902
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]903 issuer = _create_tuple_for_X509_NAME(
904 X509_get_issuer_name(certificate));
905 if (issuer == NULL)
906 goto fail0;
907 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]908 Py_DECREF(issuer);
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]909 goto fail0;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]910 }
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]911 Py_DECREF(issuer);
912
913 version = PyLong_FromLong(X509_get_version(certificate) + 1);
914 if (PyDict_SetItemString(retval, "version", version) < 0) {
915 Py_DECREF(version);
916 goto fail0;
917 }
918 Py_DECREF(version);
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]919
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]920 /* get a memory buffer */
921 biobuf = BIO_new(BIO_s_mem());
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]922
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]923 (void) BIO_reset(biobuf);
924 serialNumber = X509_get_serialNumber(certificate);
925 /* should not exceed 20 octets, 160 bits, so buf is big enough */
926 i2a_ASN1_INTEGER(biobuf, serialNumber);
927 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
928 if (len < 0) {
929 _setSSLError(NULL, 0, __FILE__, __LINE__);
930 goto fail1;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]931 }
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]932 sn_obj = PyUnicode_FromStringAndSize(buf, len);
933 if (sn_obj == NULL)
934 goto fail1;
935 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
936 Py_DECREF(sn_obj);
937 goto fail1;
938 }
939 Py_DECREF(sn_obj);
940
941 (void) BIO_reset(biobuf);
942 notBefore = X509_get_notBefore(certificate);
943 ASN1_TIME_print(biobuf, notBefore);
944 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
945 if (len < 0) {
946 _setSSLError(NULL, 0, __FILE__, __LINE__);
947 goto fail1;
948 }
949 pnotBefore = PyUnicode_FromStringAndSize(buf, len);
950 if (pnotBefore == NULL)
951 goto fail1;
952 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
953 Py_DECREF(pnotBefore);
954 goto fail1;
955 }
956 Py_DECREF(pnotBefore);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]957
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]958 (void) BIO_reset(biobuf);
959 notAfter = X509_get_notAfter(certificate);
960 ASN1_TIME_print(biobuf, notAfter);
961 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
962 if (len < 0) {
963 _setSSLError(NULL, 0, __FILE__, __LINE__);
964 goto fail1;
965 }
966 pnotAfter = PyUnicode_FromStringAndSize(buf, len);
967 if (pnotAfter == NULL)
968 goto fail1;
969 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
970 Py_DECREF(pnotAfter);
971 goto fail1;
972 }
973 Py_DECREF(pnotAfter);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]974
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]975 /* Now look for subjectAltName */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]976
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]977 peer_alt_names = _get_peer_alt_names(certificate);
978 if (peer_alt_names == NULL)
979 goto fail1;
980 else if (peer_alt_names != Py_None) {
981 if (PyDict_SetItemString(retval, "subjectAltName",
982 peer_alt_names) < 0) {
983 Py_DECREF(peer_alt_names);
984 goto fail1;
985 }
986 Py_DECREF(peer_alt_names);
987 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]988
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]989 BIO_free(biobuf);
990 return retval;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]991
992 fail1:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]993 if (biobuf != NULL)
994 BIO_free(biobuf);
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]995 fail0:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]996 Py_XDECREF(retval);
997 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]998}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]999
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1000
1001static PyObject *
1002PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
1003
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1004 PyObject *retval = NULL;
Victor Stinner3800e1e2010-05-16 21:23:48 +0000[diff] [blame]1005 PyObject *filename;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1006 X509 *x=NULL;
1007 BIO *cert;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1008
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1009 if (!PyArg_ParseTuple(args, "O&:test_decode_certificate",
1010 PyUnicode_FSConverter, &filename))
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1011 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1012
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1013 if ((cert=BIO_new(BIO_s_file())) == NULL) {
1014 PyErr_SetString(PySSLErrorObject,
1015 "Can't malloc memory to read file");
1016 goto fail0;
1017 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1018
Victor Stinner3800e1e2010-05-16 21:23:48 +0000[diff] [blame]1019 if (BIO_read_filename(cert, PyBytes_AsString(filename)) <= 0) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1020 PyErr_SetString(PySSLErrorObject,
1021 "Can't open file");
1022 goto fail0;
1023 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1024
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1025 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
1026 if (x == NULL) {
1027 PyErr_SetString(PySSLErrorObject,
1028 "Error decoding PEM-encoded file");
1029 goto fail0;
1030 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1031
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1032 retval = _decode_certificate(x);
Mark Dickinsonee55df52010-08-03 18:31:54 +0000[diff] [blame]1033 X509_free(x);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1034
1035 fail0:
Victor Stinner3800e1e2010-05-16 21:23:48 +0000[diff] [blame]1036 Py_DECREF(filename);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1037 if (cert != NULL) BIO_free(cert);
1038 return retval;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1039}
1040
1041
1042static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1043PySSL_peercert(PySSLSocket *self, PyObject *args)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1044{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1045 PyObject *retval = NULL;
1046 int len;
1047 int verification;
Antoine Pitrou721738f2012-08-15 23:20:39 +0200[diff] [blame]1048 int binary_mode = 0;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1049
Antoine Pitrou721738f2012-08-15 23:20:39 +0200[diff] [blame]1050 if (!PyArg_ParseTuple(args, "|p:peer_certificate", &binary_mode))
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1051 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1052
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1053 if (!self->peer_cert)
1054 Py_RETURN_NONE;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1055
Antoine Pitrou721738f2012-08-15 23:20:39 +0200[diff] [blame]1056 if (binary_mode) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1057 /* return cert in DER-encoded format */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1058
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1059 unsigned char *bytes_buf = NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1060
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1061 bytes_buf = NULL;
1062 len = i2d_X509(self->peer_cert, &bytes_buf);
1063 if (len < 0) {
1064 PySSL_SetError(self, len, __FILE__, __LINE__);
1065 return NULL;
1066 }
1067 /* this is actually an immutable bytes sequence */
1068 retval = PyBytes_FromStringAndSize
1069 ((const char *) bytes_buf, len);
1070 OPENSSL_free(bytes_buf);
1071 return retval;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1072
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1073 } else {
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1074 verification = SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(self->ssl));
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1075 if ((verification & SSL_VERIFY_PEER) == 0)
1076 return PyDict_New();
1077 else
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1078 return _decode_certificate(self->peer_cert);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1079 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1080}
1081
1082PyDoc_STRVAR(PySSL_peercert_doc,
1083"peer_certificate([der=False]) -> certificate\n\
1084\n\
1085Returns the certificate for the peer. If no certificate was provided,\n\
1086returns None. If a certificate was provided, but not validated, returns\n\
1087an empty dictionary. Otherwise returns a dict containing information\n\
1088about the peer certificate.\n\
1089\n\
1090If the optional argument is True, returns a DER-encoded copy of the\n\
1091peer certificate, or None if no certificate was provided. This will\n\
1092return the certificate even if it wasn't validated.");
1093
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1094static PyObject *PySSL_cipher (PySSLSocket *self) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1095
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1096 PyObject *retval, *v;
Benjamin Petersoneb1410f2010-10-13 22:06:39 +0000[diff] [blame]1097 const SSL_CIPHER *current;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1098 char *cipher_name;
1099 char *cipher_protocol;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1100
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1101 if (self->ssl == NULL)
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1102 Py_RETURN_NONE;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1103 current = SSL_get_current_cipher(self->ssl);
1104 if (current == NULL)
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1105 Py_RETURN_NONE;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1106
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1107 retval = PyTuple_New(3);
1108 if (retval == NULL)
1109 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1110
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1111 cipher_name = (char *) SSL_CIPHER_get_name(current);
1112 if (cipher_name == NULL) {
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1113 Py_INCREF(Py_None);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1114 PyTuple_SET_ITEM(retval, 0, Py_None);
1115 } else {
1116 v = PyUnicode_FromString(cipher_name);
1117 if (v == NULL)
1118 goto fail0;
1119 PyTuple_SET_ITEM(retval, 0, v);
1120 }
1121 cipher_protocol = SSL_CIPHER_get_version(current);
1122 if (cipher_protocol == NULL) {
Hirokazu Yamamoto524f1032010-12-09 10:49:00 +0000[diff] [blame]1123 Py_INCREF(Py_None);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1124 PyTuple_SET_ITEM(retval, 1, Py_None);
1125 } else {
1126 v = PyUnicode_FromString(cipher_protocol);
1127 if (v == NULL)
1128 goto fail0;
1129 PyTuple_SET_ITEM(retval, 1, v);
1130 }
1131 v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL));
1132 if (v == NULL)
1133 goto fail0;
1134 PyTuple_SET_ITEM(retval, 2, v);
1135 return retval;
Guido van Rossumf06628b2007-11-21 20:01:53 +0000[diff] [blame]1136
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1137 fail0:
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1138 Py_DECREF(retval);
1139 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1140}
1141
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1142#ifdef OPENSSL_NPN_NEGOTIATED
1143static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
1144 const unsigned char *out;
1145 unsigned int outlen;
1146
1147 SSL_get0_next_proto_negotiated(self->ssl,
1148 &out, &outlen);
1149
1150 if (out == NULL)
1151 Py_RETURN_NONE;
1152 return PyUnicode_FromStringAndSize((char *) out, outlen);
1153}
1154#endif
1155
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]1156static PyObject *PySSL_compression(PySSLSocket *self) {
1157#ifdef OPENSSL_NO_COMP
1158 Py_RETURN_NONE;
1159#else
1160 const COMP_METHOD *comp_method;
1161 const char *short_name;
1162
1163 if (self->ssl == NULL)
1164 Py_RETURN_NONE;
1165 comp_method = SSL_get_current_compression(self->ssl);
1166 if (comp_method == NULL || comp_method->type == NID_undef)
1167 Py_RETURN_NONE;
1168 short_name = OBJ_nid2sn(comp_method->type);
1169 if (short_name == NULL)
1170 Py_RETURN_NONE;
1171 return PyUnicode_DecodeFSDefault(short_name);
1172#endif
1173}
1174
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1175static PySSLContext *PySSL_get_context(PySSLSocket *self, void *closure) {
1176 Py_INCREF(self->ctx);
1177 return self->ctx;
1178}
1179
1180static int PySSL_set_context(PySSLSocket *self, PyObject *value,
1181 void *closure) {
1182
1183 if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
1184
1185 Py_INCREF(value);
1186 Py_DECREF(self->ctx);
1187 self->ctx = (PySSLContext *) value;
1188 SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
1189 } else {
1190 PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
1191 return -1;
1192 }
1193
1194 return 0;
1195}
1196
1197PyDoc_STRVAR(PySSL_set_context_doc,
1198"_setter_context(ctx)\n\
1199\
1200This changes the context associated with the SSLSocket. This is typically\n\
1201used from within a callback function set by the set_servername_callback\n\
1202on the SSLContext to change the certificate information associated with the\n\
1203SSLSocket before the cryptographic exchange handshake messages\n");
1204
1205
1206
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1207static void PySSL_dealloc(PySSLSocket *self)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1208{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1209 if (self->peer_cert) /* Possible not to have one? */
1210 X509_free (self->peer_cert);
1211 if (self->ssl)
1212 SSL_free(self->ssl);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1213 Py_XDECREF(self->Socket);
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1214 Py_XDECREF(self->ctx);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1215 PyObject_Del(self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1216}
1217
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1218/* If the socket has a timeout, do a select()/poll() on the socket.
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1219 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]1220 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1221 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]1222
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1223static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]1224check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1225{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1226 fd_set fds;
1227 struct timeval tv;
1228 int rc;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1229
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1230 /* Nothing to do unless we're in timeout mode (not non-blocking) */
1231 if (s->sock_timeout < 0.0)
1232 return SOCKET_IS_BLOCKING;
1233 else if (s->sock_timeout == 0.0)
1234 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1235
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1236 /* Guard against closed socket */
1237 if (s->sock_fd < 0)
1238 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1239
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1240 /* Prefer poll, if available, since you can poll() any fd
1241 * which can't be done with select(). */
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1242#ifdef HAVE_POLL
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1243 {
1244 struct pollfd pollfd;
1245 int timeout;
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1246
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1247 pollfd.fd = s->sock_fd;
1248 pollfd.events = writing ? POLLOUT : POLLIN;
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1249
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1250 /* s->sock_timeout is in seconds, timeout in ms */
1251 timeout = (int)(s->sock_timeout * 1000 + 0.5);
1252 PySSL_BEGIN_ALLOW_THREADS
1253 rc = poll(&pollfd, 1, timeout);
1254 PySSL_END_ALLOW_THREADS
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1255
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1256 goto normal_return;
1257 }
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1258#endif
1259
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1260 /* Guard against socket too large for select*/
Charles-François Nataliaa26b272011-08-28 17:51:43 +0200[diff] [blame]1261 if (!_PyIsSelectable_fd(s->sock_fd))
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1262 return SOCKET_TOO_LARGE_FOR_SELECT;
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]1263
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1264 /* Construct the arguments to select */
1265 tv.tv_sec = (int)s->sock_timeout;
1266 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
1267 FD_ZERO(&fds);
1268 FD_SET(s->sock_fd, &fds);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1269
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1270 /* See if the socket is ready */
1271 PySSL_BEGIN_ALLOW_THREADS
1272 if (writing)
1273 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
1274 else
1275 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
1276 PySSL_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1277
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1278#ifdef HAVE_POLL
Thomas Wouters0e3f5912006-08-11 14:57:12 +0000[diff] [blame]1279normal_return:
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1280#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1281 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1282 (when we are able to write or when there's something to read) */
1283 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]1284}
1285
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1286static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1287{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1288 Py_buffer buf;
1289 int len;
1290 int sockstate;
1291 int err;
1292 int nonblocking;
1293 PySocketSockObject *sock
1294 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1295
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1296 if (((PyObject*)sock) == Py_None) {
1297 _setSSLError("Underlying socket connection gone",
1298 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1299 return NULL;
1300 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1301 Py_INCREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1302
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1303 if (!PyArg_ParseTuple(args, "y*:write", &buf)) {
1304 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1305 return NULL;
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1306 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1307
1308 /* just in case the blocking state of the socket has been changed */
1309 nonblocking = (sock->sock_timeout >= 0.0);
1310 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1311 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1312
1313 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1314 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1315 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1316 "The write operation timed out");
1317 goto error;
1318 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1319 PyErr_SetString(PySSLErrorObject,
1320 "Underlying socket has been closed.");
1321 goto error;
1322 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1323 PyErr_SetString(PySSLErrorObject,
1324 "Underlying socket too large for select().");
1325 goto error;
1326 }
1327 do {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1328 PySSL_BEGIN_ALLOW_THREADS
1329 len = SSL_write(self->ssl, buf.buf, buf.len);
1330 err = SSL_get_error(self->ssl, len);
1331 PySSL_END_ALLOW_THREADS
1332 if (PyErr_CheckSignals()) {
1333 goto error;
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1334 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1335 if (err == SSL_ERROR_WANT_READ) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1336 sockstate = check_socket_and_wait_for_timeout(sock, 0);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1337 } else if (err == SSL_ERROR_WANT_WRITE) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1338 sockstate = check_socket_and_wait_for_timeout(sock, 1);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1339 } else {
1340 sockstate = SOCKET_OPERATION_OK;
1341 }
1342 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1343 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1344 "The write operation timed out");
1345 goto error;
1346 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1347 PyErr_SetString(PySSLErrorObject,
1348 "Underlying socket has been closed.");
1349 goto error;
1350 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1351 break;
1352 }
1353 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1354
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1355 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1356 PyBuffer_Release(&buf);
1357 if (len > 0)
1358 return PyLong_FromLong(len);
1359 else
1360 return PySSL_SetError(self, len, __FILE__, __LINE__);
Antoine Pitrou7d7aede2009-11-25 18:55:32 +0000[diff] [blame]1361
1362error:
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1363 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1364 PyBuffer_Release(&buf);
1365 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1366}
1367
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1368PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1369"write(s) -> len\n\
1370\n\
1371Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1372of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1373
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1374static PyObject *PySSL_SSLpending(PySSLSocket *self)
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1375{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1376 int count = 0;
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1377
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1378 PySSL_BEGIN_ALLOW_THREADS
1379 count = SSL_pending(self->ssl);
1380 PySSL_END_ALLOW_THREADS
1381 if (count < 0)
1382 return PySSL_SetError(self, count, __FILE__, __LINE__);
1383 else
1384 return PyLong_FromLong(count);
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1385}
1386
1387PyDoc_STRVAR(PySSL_SSLpending_doc,
1388"pending() -> count\n\
1389\n\
1390Returns the number of already decrypted bytes available for read,\n\
1391pending on the connection.\n");
1392
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1393static PyObject *PySSL_SSLread(PySSLSocket *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1394{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1395 PyObject *dest = NULL;
1396 Py_buffer buf;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1397 char *mem;
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1398 int len, count;
1399 int buf_passed = 0;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1400 int sockstate;
1401 int err;
1402 int nonblocking;
1403 PySocketSockObject *sock
1404 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1405
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1406 if (((PyObject*)sock) == Py_None) {
1407 _setSSLError("Underlying socket connection gone",
1408 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1409 return NULL;
1410 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1411 Py_INCREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1412
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1413 buf.obj = NULL;
1414 buf.buf = NULL;
1415 if (!PyArg_ParseTuple(args, "i|w*:read", &len, &buf))
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1416 goto error;
1417
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1418 if ((buf.buf == NULL) && (buf.obj == NULL)) {
1419 dest = PyBytes_FromStringAndSize(NULL, len);
1420 if (dest == NULL)
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1421 goto error;
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1422 mem = PyBytes_AS_STRING(dest);
1423 }
1424 else {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1425 buf_passed = 1;
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1426 mem = buf.buf;
1427 if (len <= 0 || len > buf.len) {
1428 len = (int) buf.len;
1429 if (buf.len != len) {
1430 PyErr_SetString(PyExc_OverflowError,
1431 "maximum length can't fit in a C 'int'");
1432 goto error;
1433 }
1434 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1435 }
1436
1437 /* just in case the blocking state of the socket has been changed */
1438 nonblocking = (sock->sock_timeout >= 0.0);
1439 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1440 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1441
1442 /* first check if there are bytes ready to be read */
1443 PySSL_BEGIN_ALLOW_THREADS
1444 count = SSL_pending(self->ssl);
1445 PySSL_END_ALLOW_THREADS
1446
1447 if (!count) {
1448 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1449 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1450 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1451 "The read operation timed out");
1452 goto error;
1453 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1454 PyErr_SetString(PySSLErrorObject,
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1455 "Underlying socket too large for select().");
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1456 goto error;
1457 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1458 count = 0;
1459 goto done;
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1460 }
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1461 }
1462 do {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1463 PySSL_BEGIN_ALLOW_THREADS
1464 count = SSL_read(self->ssl, mem, len);
1465 err = SSL_get_error(self->ssl, count);
1466 PySSL_END_ALLOW_THREADS
1467 if (PyErr_CheckSignals())
1468 goto error;
1469 if (err == SSL_ERROR_WANT_READ) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1470 sockstate = check_socket_and_wait_for_timeout(sock, 0);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1471 } else if (err == SSL_ERROR_WANT_WRITE) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]1472 sockstate = check_socket_and_wait_for_timeout(sock, 1);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1473 } else if ((err == SSL_ERROR_ZERO_RETURN) &&
1474 (SSL_get_shutdown(self->ssl) ==
1475 SSL_RECEIVED_SHUTDOWN))
1476 {
1477 count = 0;
1478 goto done;
1479 } else {
1480 sockstate = SOCKET_OPERATION_OK;
1481 }
1482 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1483 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1484 "The read operation timed out");
1485 goto error;
1486 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1487 break;
1488 }
1489 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
1490 if (count <= 0) {
1491 PySSL_SetError(self, count, __FILE__, __LINE__);
1492 goto error;
1493 }
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1494
1495done:
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1496 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1497 if (!buf_passed) {
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1498 _PyBytes_Resize(&dest, count);
1499 return dest;
1500 }
1501 else {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1502 PyBuffer_Release(&buf);
1503 return PyLong_FromLong(count);
1504 }
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1505
1506error:
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1507 Py_DECREF(sock);
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1508 if (!buf_passed)
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1509 Py_XDECREF(dest);
Antoine Pitrou24e561a2010-09-03 18:38:17 +0000[diff] [blame]1510 else
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1511 PyBuffer_Release(&buf);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1512 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1513}
1514
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1515PyDoc_STRVAR(PySSL_SSLread_doc,
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1516"read([len]) -> string\n\
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1517\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]1518Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1519
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1520static PyObject *PySSL_SSLshutdown(PySSLSocket *self)
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1521{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1522 int err, ssl_err, sockstate, nonblocking;
1523 int zeros = 0;
1524 PySocketSockObject *sock
1525 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1526
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1527 /* Guard against closed socket */
1528 if ((((PyObject*)sock) == Py_None) || (sock->sock_fd < 0)) {
1529 _setSSLError("Underlying socket connection gone",
1530 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1531 return NULL;
1532 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1533 Py_INCREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1534
1535 /* Just in case the blocking state of the socket has been changed */
1536 nonblocking = (sock->sock_timeout >= 0.0);
1537 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1538 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1539
1540 while (1) {
1541 PySSL_BEGIN_ALLOW_THREADS
1542 /* Disable read-ahead so that unwrap can work correctly.
1543 * Otherwise OpenSSL might read in too much data,
1544 * eating clear text data that happens to be
1545 * transmitted after the SSL shutdown.
1546 * Should be safe to call repeatedly everytime this
1547 * function is used and the shutdown_seen_zero != 0
1548 * condition is met.
1549 */
1550 if (self->shutdown_seen_zero)
1551 SSL_set_read_ahead(self->ssl, 0);
1552 err = SSL_shutdown(self->ssl);
1553 PySSL_END_ALLOW_THREADS
1554 /* If err == 1, a secure shutdown with SSL_shutdown() is complete */
1555 if (err > 0)
1556 break;
1557 if (err == 0) {
1558 /* Don't loop endlessly; instead preserve legacy
1559 behaviour of trying SSL_shutdown() only twice.
1560 This looks necessary for OpenSSL < 0.9.8m */
1561 if (++zeros > 1)
1562 break;
1563 /* Shutdown was sent, now try receiving */
1564 self->shutdown_seen_zero = 1;
1565 continue;
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1566 }
1567
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1568 /* Possibly retry shutdown until timeout or failure */
1569 ssl_err = SSL_get_error(self->ssl, err);
1570 if (ssl_err == SSL_ERROR_WANT_READ)
1571 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1572 else if (ssl_err == SSL_ERROR_WANT_WRITE)
1573 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1574 else
1575 break;
1576 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1577 if (ssl_err == SSL_ERROR_WANT_READ)
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1578 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1579 "The read operation timed out");
1580 else
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1581 PyErr_SetString(PySocketModule.timeout_error,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1582 "The write operation timed out");
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1583 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1584 }
1585 else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1586 PyErr_SetString(PySSLErrorObject,
1587 "Underlying socket too large for select().");
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1588 goto error;
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1589 }
1590 else if (sockstate != SOCKET_OPERATION_OK)
1591 /* Retain the SSL error code */
1592 break;
1593 }
Antoine Pitrou2c4f98b2010-04-23 00:16:21 +0000[diff] [blame]1594
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1595 if (err < 0) {
1596 Py_DECREF(sock);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1597 return PySSL_SetError(self, err, __FILE__, __LINE__);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1598 }
Antoine Pitrou8bae4ec2010-06-24 22:34:04 +0000[diff] [blame]1599 else
1600 /* It's already INCREF'ed */
1601 return (PyObject *) sock;
1602
1603error:
1604 Py_DECREF(sock);
1605 return NULL;
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1606}
1607
1608PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1609"shutdown(s) -> socket\n\
1610\n\
1611Does the SSL shutdown handshake with the remote end, and returns\n\
1612the underlying socket object.");
1613
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]1614#if HAVE_OPENSSL_FINISHED
1615static PyObject *
1616PySSL_tls_unique_cb(PySSLSocket *self)
1617{
1618 PyObject *retval = NULL;
1619 char buf[PySSL_CB_MAXLEN];
1620 int len;
1621
1622 if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
1623 /* if session is resumed XOR we are the client */
1624 len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN);
1625 }
1626 else {
1627 /* if a new session XOR we are the server */
1628 len = SSL_get_peer_finished(self->ssl, buf, PySSL_CB_MAXLEN);
1629 }
1630
1631 /* It cannot be negative in current OpenSSL version as of July 2011 */
1632 assert(len >= 0);
1633 if (len == 0)
1634 Py_RETURN_NONE;
1635
1636 retval = PyBytes_FromStringAndSize(buf, len);
1637
1638 return retval;
1639}
1640
1641PyDoc_STRVAR(PySSL_tls_unique_cb_doc,
1642"tls_unique_cb() -> bytes\n\
1643\n\
1644Returns the 'tls-unique' channel binding data, as defined by RFC 5929.\n\
1645\n\
1646If the TLS handshake is not yet complete, None is returned");
1647
1648#endif /* HAVE_OPENSSL_FINISHED */
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1649
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1650static PyGetSetDef ssl_getsetlist[] = {
1651 {"context", (getter) PySSL_get_context,
1652 (setter) PySSL_set_context, PySSL_set_context_doc},
1653 {NULL}, /* sentinel */
1654};
1655
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1656static PyMethodDef PySSLMethods[] = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1657 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
1658 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
1659 PySSL_SSLwrite_doc},
1660 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
1661 PySSL_SSLread_doc},
1662 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
1663 PySSL_SSLpending_doc},
1664 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
1665 PySSL_peercert_doc},
1666 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1667#ifdef OPENSSL_NPN_NEGOTIATED
1668 {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
1669#endif
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]1670 {"compression", (PyCFunction)PySSL_compression, METH_NOARGS},
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1671 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
1672 PySSL_SSLshutdown_doc},
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]1673#if HAVE_OPENSSL_FINISHED
1674 {"tls_unique_cb", (PyCFunction)PySSL_tls_unique_cb, METH_NOARGS,
1675 PySSL_tls_unique_cb_doc},
1676#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1677 {NULL, NULL}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1678};
1679
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1680static PyTypeObject PySSLSocket_Type = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1681 PyVarObject_HEAD_INIT(NULL, 0)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1682 "_ssl._SSLSocket", /*tp_name*/
1683 sizeof(PySSLSocket), /*tp_basicsize*/
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]1684 0, /*tp_itemsize*/
1685 /* methods */
1686 (destructor)PySSL_dealloc, /*tp_dealloc*/
1687 0, /*tp_print*/
1688 0, /*tp_getattr*/
1689 0, /*tp_setattr*/
1690 0, /*tp_reserved*/
1691 0, /*tp_repr*/
1692 0, /*tp_as_number*/
1693 0, /*tp_as_sequence*/
1694 0, /*tp_as_mapping*/
1695 0, /*tp_hash*/
1696 0, /*tp_call*/
1697 0, /*tp_str*/
1698 0, /*tp_getattro*/
1699 0, /*tp_setattro*/
1700 0, /*tp_as_buffer*/
1701 Py_TPFLAGS_DEFAULT, /*tp_flags*/
1702 0, /*tp_doc*/
1703 0, /*tp_traverse*/
1704 0, /*tp_clear*/
1705 0, /*tp_richcompare*/
1706 0, /*tp_weaklistoffset*/
1707 0, /*tp_iter*/
1708 0, /*tp_iternext*/
1709 PySSLMethods, /*tp_methods*/
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1710 0, /*tp_members*/
1711 ssl_getsetlist, /*tp_getset*/
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1712};
1713
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1714
1715/*
1716 * _SSLContext objects
1717 */
1718
1719static PyObject *
1720context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
1721{
1722 char *kwlist[] = {"protocol", NULL};
1723 PySSLContext *self;
1724 int proto_version = PY_SSL_VERSION_SSL23;
1725 SSL_CTX *ctx = NULL;
1726
1727 if (!PyArg_ParseTupleAndKeywords(
1728 args, kwds, "i:_SSLContext", kwlist,
1729 &proto_version))
1730 return NULL;
1731
1732 PySSL_BEGIN_ALLOW_THREADS
1733 if (proto_version == PY_SSL_VERSION_TLS1)
1734 ctx = SSL_CTX_new(TLSv1_method());
1735 else if (proto_version == PY_SSL_VERSION_SSL3)
1736 ctx = SSL_CTX_new(SSLv3_method());
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]1737#ifndef OPENSSL_NO_SSL2
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1738 else if (proto_version == PY_SSL_VERSION_SSL2)
1739 ctx = SSL_CTX_new(SSLv2_method());
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]1740#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1741 else if (proto_version == PY_SSL_VERSION_SSL23)
1742 ctx = SSL_CTX_new(SSLv23_method());
1743 else
1744 proto_version = -1;
1745 PySSL_END_ALLOW_THREADS
1746
1747 if (proto_version == -1) {
1748 PyErr_SetString(PyExc_ValueError,
1749 "invalid protocol version");
1750 return NULL;
1751 }
1752 if (ctx == NULL) {
1753 PyErr_SetString(PySSLErrorObject,
1754 "failed to allocate SSL context");
1755 return NULL;
1756 }
1757
1758 assert(type != NULL && type->tp_alloc != NULL);
1759 self = (PySSLContext *) type->tp_alloc(type, 0);
1760 if (self == NULL) {
1761 SSL_CTX_free(ctx);
1762 return NULL;
1763 }
1764 self->ctx = ctx;
Christian Heimes5cb31c92012-09-20 12:42:54 +0200[diff] [blame]1765#ifdef OPENSSL_NPN_NEGOTIATED
1766 self->npn_protocols = NULL;
1767#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1768#ifndef OPENSSL_NO_TLSEXT
1769 self->set_hostname = NULL;
1770#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1771 /* Defaults */
1772 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
Antoine Pitrou3f366312012-01-27 09:50:45 +0100[diff] [blame]1773 SSL_CTX_set_options(self->ctx,
1774 SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1775
Antoine Pitroufc113ee2010-10-13 12:46:13 +0000[diff] [blame]1776#define SID_CTX "Python"
1777 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
1778 sizeof(SID_CTX));
1779#undef SID_CTX
1780
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1781 return (PyObject *)self;
1782}
1783
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1784static int
1785context_traverse(PySSLContext *self, visitproc visit, void *arg)
1786{
1787#ifndef OPENSSL_NO_TLSEXT
1788 Py_VISIT(self->set_hostname);
1789#endif
1790 return 0;
1791}
1792
1793static int
1794context_clear(PySSLContext *self)
1795{
1796#ifndef OPENSSL_NO_TLSEXT
1797 Py_CLEAR(self->set_hostname);
1798#endif
1799 return 0;
1800}
1801
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1802static void
1803context_dealloc(PySSLContext *self)
1804{
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1805 context_clear(self);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1806 SSL_CTX_free(self->ctx);
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1807#ifdef OPENSSL_NPN_NEGOTIATED
1808 PyMem_Free(self->npn_protocols);
1809#endif
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1810 Py_TYPE(self)->tp_free(self);
1811}
1812
1813static PyObject *
1814set_ciphers(PySSLContext *self, PyObject *args)
1815{
1816 int ret;
1817 const char *cipherlist;
1818
1819 if (!PyArg_ParseTuple(args, "s:set_ciphers", &cipherlist))
1820 return NULL;
1821 ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist);
1822 if (ret == 0) {
Antoine Pitrou65ec8ae2010-05-16 19:56:32 +0000[diff] [blame]1823 /* Clearing the error queue is necessary on some OpenSSL versions,
1824 otherwise the error will be reported again when another SSL call
1825 is done. */
1826 ERR_clear_error();
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1827 PyErr_SetString(PySSLErrorObject,
1828 "No cipher can be selected.");
1829 return NULL;
1830 }
1831 Py_RETURN_NONE;
1832}
1833
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1834#ifdef OPENSSL_NPN_NEGOTIATED
1835/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
1836static int
1837_advertiseNPN_cb(SSL *s,
1838 const unsigned char **data, unsigned int *len,
1839 void *args)
1840{
1841 PySSLContext *ssl_ctx = (PySSLContext *) args;
1842
1843 if (ssl_ctx->npn_protocols == NULL) {
1844 *data = (unsigned char *) "";
1845 *len = 0;
1846 } else {
1847 *data = (unsigned char *) ssl_ctx->npn_protocols;
1848 *len = ssl_ctx->npn_protocols_len;
1849 }
1850
1851 return SSL_TLSEXT_ERR_OK;
1852}
1853/* this callback gets passed to SSL_CTX_set_next_proto_select_cb */
1854static int
1855_selectNPN_cb(SSL *s,
1856 unsigned char **out, unsigned char *outlen,
1857 const unsigned char *server, unsigned int server_len,
1858 void *args)
1859{
1860 PySSLContext *ssl_ctx = (PySSLContext *) args;
1861
1862 unsigned char *client = (unsigned char *) ssl_ctx->npn_protocols;
1863 int client_len;
1864
1865 if (client == NULL) {
1866 client = (unsigned char *) "";
1867 client_len = 0;
1868 } else {
1869 client_len = ssl_ctx->npn_protocols_len;
1870 }
1871
1872 SSL_select_next_proto(out, outlen,
1873 server, server_len,
1874 client, client_len);
1875
1876 return SSL_TLSEXT_ERR_OK;
1877}
1878#endif
1879
1880static PyObject *
1881_set_npn_protocols(PySSLContext *self, PyObject *args)
1882{
1883#ifdef OPENSSL_NPN_NEGOTIATED
1884 Py_buffer protos;
1885
1886 if (!PyArg_ParseTuple(args, "y*:set_npn_protocols", &protos))
1887 return NULL;
1888
Christian Heimes5cb31c92012-09-20 12:42:54 +0200[diff] [blame]1889 if (self->npn_protocols != NULL) {
1890 PyMem_Free(self->npn_protocols);
1891 }
1892
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1893 self->npn_protocols = PyMem_Malloc(protos.len);
1894 if (self->npn_protocols == NULL) {
1895 PyBuffer_Release(&protos);
1896 return PyErr_NoMemory();
1897 }
1898 memcpy(self->npn_protocols, protos.buf, protos.len);
1899 self->npn_protocols_len = (int) protos.len;
1900
1901 /* set both server and client callbacks, because the context can
1902 * be used to create both types of sockets */
1903 SSL_CTX_set_next_protos_advertised_cb(self->ctx,
1904 _advertiseNPN_cb,
1905 self);
1906 SSL_CTX_set_next_proto_select_cb(self->ctx,
1907 _selectNPN_cb,
1908 self);
1909
1910 PyBuffer_Release(&protos);
1911 Py_RETURN_NONE;
1912#else
1913 PyErr_SetString(PyExc_NotImplementedError,
1914 "The NPN extension requires OpenSSL 1.0.1 or later.");
1915 return NULL;
1916#endif
1917}
1918
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1919static PyObject *
1920get_verify_mode(PySSLContext *self, void *c)
1921{
1922 switch (SSL_CTX_get_verify_mode(self->ctx)) {
1923 case SSL_VERIFY_NONE:
1924 return PyLong_FromLong(PY_SSL_CERT_NONE);
1925 case SSL_VERIFY_PEER:
1926 return PyLong_FromLong(PY_SSL_CERT_OPTIONAL);
1927 case SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
1928 return PyLong_FromLong(PY_SSL_CERT_REQUIRED);
1929 }
1930 PyErr_SetString(PySSLErrorObject,
1931 "invalid return value from SSL_CTX_get_verify_mode");
1932 return NULL;
1933}
1934
1935static int
1936set_verify_mode(PySSLContext *self, PyObject *arg, void *c)
1937{
1938 int n, mode;
1939 if (!PyArg_Parse(arg, "i", &n))
1940 return -1;
1941 if (n == PY_SSL_CERT_NONE)
1942 mode = SSL_VERIFY_NONE;
1943 else if (n == PY_SSL_CERT_OPTIONAL)
1944 mode = SSL_VERIFY_PEER;
1945 else if (n == PY_SSL_CERT_REQUIRED)
1946 mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1947 else {
1948 PyErr_SetString(PyExc_ValueError,
1949 "invalid value for verify_mode");
1950 return -1;
1951 }
1952 SSL_CTX_set_verify(self->ctx, mode, NULL);
1953 return 0;
1954}
1955
1956static PyObject *
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1957get_options(PySSLContext *self, void *c)
1958{
1959 return PyLong_FromLong(SSL_CTX_get_options(self->ctx));
1960}
1961
1962static int
1963set_options(PySSLContext *self, PyObject *arg, void *c)
1964{
1965 long new_opts, opts, set, clear;
1966 if (!PyArg_Parse(arg, "l", &new_opts))
1967 return -1;
1968 opts = SSL_CTX_get_options(self->ctx);
1969 clear = opts & ~new_opts;
1970 set = ~opts & new_opts;
1971 if (clear) {
1972#ifdef HAVE_SSL_CTX_CLEAR_OPTIONS
1973 SSL_CTX_clear_options(self->ctx, clear);
1974#else
1975 PyErr_SetString(PyExc_ValueError,
1976 "can't clear options before OpenSSL 0.9.8m");
1977 return -1;
1978#endif
1979 }
1980 if (set)
1981 SSL_CTX_set_options(self->ctx, set);
1982 return 0;
1983}
1984
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1985typedef struct {
1986 PyThreadState *thread_state;
1987 PyObject *callable;
1988 char *password;
1989 Py_ssize_t size;
1990 int error;
1991} _PySSLPasswordInfo;
1992
1993static int
1994_pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password,
1995 const char *bad_type_error)
1996{
1997 /* Set the password and size fields of a _PySSLPasswordInfo struct
1998 from a unicode, bytes, or byte array object.
1999 The password field will be dynamically allocated and must be freed
2000 by the caller */
2001 PyObject *password_bytes = NULL;
2002 const char *data = NULL;
2003 Py_ssize_t size;
2004
2005 if (PyUnicode_Check(password)) {
2006 password_bytes = PyUnicode_AsEncodedString(password, NULL, NULL);
2007 if (!password_bytes) {
2008 goto error;
2009 }
2010 data = PyBytes_AS_STRING(password_bytes);
2011 size = PyBytes_GET_SIZE(password_bytes);
2012 } else if (PyBytes_Check(password)) {
2013 data = PyBytes_AS_STRING(password);
2014 size = PyBytes_GET_SIZE(password);
2015 } else if (PyByteArray_Check(password)) {
2016 data = PyByteArray_AS_STRING(password);
2017 size = PyByteArray_GET_SIZE(password);
2018 } else {
2019 PyErr_SetString(PyExc_TypeError, bad_type_error);
2020 goto error;
2021 }
2022
2023 free(pw_info->password);
2024 pw_info->password = malloc(size);
2025 if (!pw_info->password) {
2026 PyErr_SetString(PyExc_MemoryError,
2027 "unable to allocate password buffer");
2028 goto error;
2029 }
2030 memcpy(pw_info->password, data, size);
2031 pw_info->size = size;
2032
2033 Py_XDECREF(password_bytes);
2034 return 1;
2035
2036error:
2037 Py_XDECREF(password_bytes);
2038 return 0;
2039}
2040
2041static int
2042_password_callback(char *buf, int size, int rwflag, void *userdata)
2043{
2044 _PySSLPasswordInfo *pw_info = (_PySSLPasswordInfo*) userdata;
2045 PyObject *fn_ret = NULL;
2046
2047 PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
2048
2049 if (pw_info->callable) {
2050 fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL);
2051 if (!fn_ret) {
2052 /* TODO: It would be nice to move _ctypes_add_traceback() into the
2053 core python API, so we could use it to add a frame here */
2054 goto error;
2055 }
2056
2057 if (!_pwinfo_set(pw_info, fn_ret,
2058 "password callback must return a string")) {
2059 goto error;
2060 }
2061 Py_CLEAR(fn_ret);
2062 }
2063
2064 if (pw_info->size > size) {
2065 PyErr_Format(PyExc_ValueError,
2066 "password cannot be longer than %d bytes", size);
2067 goto error;
2068 }
2069
2070 PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
2071 memcpy(buf, pw_info->password, pw_info->size);
2072 return pw_info->size;
2073
2074error:
2075 Py_XDECREF(fn_ret);
2076 PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
2077 pw_info->error = 1;
2078 return -1;
2079}
2080
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2081static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2082load_cert_chain(PySSLContext *self, PyObject *args, PyObject *kwds)
2083{
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2084 char *kwlist[] = {"certfile", "keyfile", "password", NULL};
2085 PyObject *certfile, *keyfile = NULL, *password = NULL;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2086 PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2087 pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback;
2088 void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata;
2089 _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2090 int r;
2091
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2092 errno = 0;
Antoine Pitrou67e8e562010-09-01 20:55:41 +0000[diff] [blame]2093 ERR_clear_error();
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2094 if (!PyArg_ParseTupleAndKeywords(args, kwds,
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2095 "O|OO:load_cert_chain", kwlist,
2096 &certfile, &keyfile, &password))
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2097 return NULL;
2098 if (keyfile == Py_None)
2099 keyfile = NULL;
2100 if (!PyUnicode_FSConverter(certfile, &certfile_bytes)) {
2101 PyErr_SetString(PyExc_TypeError,
2102 "certfile should be a valid filesystem path");
2103 return NULL;
2104 }
2105 if (keyfile && !PyUnicode_FSConverter(keyfile, &keyfile_bytes)) {
2106 PyErr_SetString(PyExc_TypeError,
2107 "keyfile should be a valid filesystem path");
2108 goto error;
2109 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2110 if (password && password != Py_None) {
2111 if (PyCallable_Check(password)) {
2112 pw_info.callable = password;
2113 } else if (!_pwinfo_set(&pw_info, password,
2114 "password should be a string or callable")) {
2115 goto error;
2116 }
2117 SSL_CTX_set_default_passwd_cb(self->ctx, _password_callback);
2118 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, &pw_info);
2119 }
2120 PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2121 r = SSL_CTX_use_certificate_chain_file(self->ctx,
2122 PyBytes_AS_STRING(certfile_bytes));
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2123 PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2124 if (r != 1) {
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2125 if (pw_info.error) {
2126 ERR_clear_error();
2127 /* the password callback has already set the error information */
2128 }
2129 else if (errno != 0) {
Giampaolo Rodolàe0f98632010-09-01 19:28:49 +0000[diff] [blame]2130 ERR_clear_error();
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2131 PyErr_SetFromErrno(PyExc_IOError);
2132 }
2133 else {
2134 _setSSLError(NULL, 0, __FILE__, __LINE__);
2135 }
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2136 goto error;
2137 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2138 PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou9c254862011-04-03 18:15:34 +0200[diff] [blame]2139 r = SSL_CTX_use_PrivateKey_file(self->ctx,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2140 PyBytes_AS_STRING(keyfile ? keyfile_bytes : certfile_bytes),
2141 SSL_FILETYPE_PEM);
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2142 PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
2143 Py_CLEAR(keyfile_bytes);
2144 Py_CLEAR(certfile_bytes);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2145 if (r != 1) {
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2146 if (pw_info.error) {
2147 ERR_clear_error();
2148 /* the password callback has already set the error information */
2149 }
2150 else if (errno != 0) {
Giampaolo Rodolàe0f98632010-09-01 19:28:49 +0000[diff] [blame]2151 ERR_clear_error();
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2152 PyErr_SetFromErrno(PyExc_IOError);
2153 }
2154 else {
2155 _setSSLError(NULL, 0, __FILE__, __LINE__);
2156 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2157 goto error;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2158 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2159 PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2160 r = SSL_CTX_check_private_key(self->ctx);
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2161 PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2162 if (r != 1) {
2163 _setSSLError(NULL, 0, __FILE__, __LINE__);
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2164 goto error;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2165 }
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2166 SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
2167 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
2168 free(pw_info.password);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2169 Py_RETURN_NONE;
2170
2171error:
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]2172 SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
2173 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
2174 free(pw_info.password);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2175 Py_XDECREF(keyfile_bytes);
2176 Py_XDECREF(certfile_bytes);
2177 return NULL;
2178}
2179
2180static PyObject *
2181load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds)
2182{
2183 char *kwlist[] = {"cafile", "capath", NULL};
2184 PyObject *cafile = NULL, *capath = NULL;
2185 PyObject *cafile_bytes = NULL, *capath_bytes = NULL;
2186 const char *cafile_buf = NULL, *capath_buf = NULL;
2187 int r;
2188
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2189 errno = 0;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2190 if (!PyArg_ParseTupleAndKeywords(args, kwds,
2191 "|OO:load_verify_locations", kwlist,
2192 &cafile, &capath))
2193 return NULL;
2194 if (cafile == Py_None)
2195 cafile = NULL;
2196 if (capath == Py_None)
2197 capath = NULL;
2198 if (cafile == NULL && capath == NULL) {
2199 PyErr_SetString(PyExc_TypeError,
2200 "cafile and capath cannot be both omitted");
2201 return NULL;
2202 }
2203 if (cafile && !PyUnicode_FSConverter(cafile, &cafile_bytes)) {
2204 PyErr_SetString(PyExc_TypeError,
2205 "cafile should be a valid filesystem path");
2206 return NULL;
2207 }
2208 if (capath && !PyUnicode_FSConverter(capath, &capath_bytes)) {
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]2209 Py_XDECREF(cafile_bytes);
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2210 PyErr_SetString(PyExc_TypeError,
2211 "capath should be a valid filesystem path");
2212 return NULL;
2213 }
2214 if (cafile)
2215 cafile_buf = PyBytes_AS_STRING(cafile_bytes);
2216 if (capath)
2217 capath_buf = PyBytes_AS_STRING(capath_bytes);
2218 PySSL_BEGIN_ALLOW_THREADS
2219 r = SSL_CTX_load_verify_locations(self->ctx, cafile_buf, capath_buf);
2220 PySSL_END_ALLOW_THREADS
2221 Py_XDECREF(cafile_bytes);
2222 Py_XDECREF(capath_bytes);
2223 if (r != 1) {
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2224 if (errno != 0) {
Giampaolo Rodolàe0f98632010-09-01 19:28:49 +0000[diff] [blame]2225 ERR_clear_error();
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]2226 PyErr_SetFromErrno(PyExc_IOError);
2227 }
2228 else {
2229 _setSSLError(NULL, 0, __FILE__, __LINE__);
2230 }
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2231 return NULL;
2232 }
2233 Py_RETURN_NONE;
2234}
2235
2236static PyObject *
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]2237load_dh_params(PySSLContext *self, PyObject *filepath)
2238{
2239 FILE *f;
2240 DH *dh;
2241
2242 f = _Py_fopen(filepath, "rb");
2243 if (f == NULL) {
2244 if (!PyErr_Occurred())
2245 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
2246 return NULL;
2247 }
2248 errno = 0;
2249 PySSL_BEGIN_ALLOW_THREADS
2250 dh = PEM_read_DHparams(f, NULL, NULL, NULL);
2251 PySSL_END_ALLOW_THREADS
2252 if (dh == NULL) {
2253 if (errno != 0) {
2254 ERR_clear_error();
2255 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
2256 }
2257 else {
2258 _setSSLError(NULL, 0, __FILE__, __LINE__);
2259 }
2260 return NULL;
2261 }
2262 if (SSL_CTX_set_tmp_dh(self->ctx, dh) == 0)
2263 _setSSLError(NULL, 0, __FILE__, __LINE__);
2264 DH_free(dh);
2265 Py_RETURN_NONE;
2266}
2267
2268static PyObject *
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2269context_wrap_socket(PySSLContext *self, PyObject *args, PyObject *kwds)
2270{
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2271 char *kwlist[] = {"sock", "server_side", "server_hostname", NULL};
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2272 PySocketSockObject *sock;
2273 int server_side = 0;
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2274 char *hostname = NULL;
2275 PyObject *hostname_obj, *res;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2276
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2277 /* server_hostname is either None (or absent), or to be encoded
2278 using the idna encoding. */
2279 if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!i|O!:_wrap_socket", kwlist,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2280 PySocketModule.Sock_Type,
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2281 &sock, &server_side,
2282 Py_TYPE(Py_None), &hostname_obj)) {
2283 PyErr_Clear();
2284 if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!iet:_wrap_socket", kwlist,
2285 PySocketModule.Sock_Type,
2286 &sock, &server_side,
2287 "idna", &hostname))
2288 return NULL;
2289#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
2290 PyMem_Free(hostname);
2291 PyErr_SetString(PyExc_ValueError, "server_hostname is not supported "
2292 "by your OpenSSL library");
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2293 return NULL;
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2294#endif
2295 }
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2296
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2297 res = (PyObject *) newPySSLSocket(self, sock, server_side,
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2298 hostname);
2299 if (hostname != NULL)
2300 PyMem_Free(hostname);
2301 return res;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2302}
2303
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]2304static PyObject *
2305session_stats(PySSLContext *self, PyObject *unused)
2306{
2307 int r;
2308 PyObject *value, *stats = PyDict_New();
2309 if (!stats)
2310 return NULL;
2311
2312#define ADD_STATS(SSL_NAME, KEY_NAME) \
2313 value = PyLong_FromLong(SSL_CTX_sess_ ## SSL_NAME (self->ctx)); \
2314 if (value == NULL) \
2315 goto error; \
2316 r = PyDict_SetItemString(stats, KEY_NAME, value); \
2317 Py_DECREF(value); \
2318 if (r < 0) \
2319 goto error;
2320
2321 ADD_STATS(number, "number");
2322 ADD_STATS(connect, "connect");
2323 ADD_STATS(connect_good, "connect_good");
2324 ADD_STATS(connect_renegotiate, "connect_renegotiate");
2325 ADD_STATS(accept, "accept");
2326 ADD_STATS(accept_good, "accept_good");
2327 ADD_STATS(accept_renegotiate, "accept_renegotiate");
2328 ADD_STATS(accept, "accept");
2329 ADD_STATS(hits, "hits");
2330 ADD_STATS(misses, "misses");
2331 ADD_STATS(timeouts, "timeouts");
2332 ADD_STATS(cache_full, "cache_full");
2333
2334#undef ADD_STATS
2335
2336 return stats;
2337
2338error:
2339 Py_DECREF(stats);
2340 return NULL;
2341}
2342
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]2343static PyObject *
2344set_default_verify_paths(PySSLContext *self, PyObject *unused)
2345{
2346 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
2347 _setSSLError(NULL, 0, __FILE__, __LINE__);
2348 return NULL;
2349 }
2350 Py_RETURN_NONE;
2351}
2352
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2353#ifndef OPENSSL_NO_ECDH
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]2354static PyObject *
2355set_ecdh_curve(PySSLContext *self, PyObject *name)
2356{
2357 PyObject *name_bytes;
2358 int nid;
2359 EC_KEY *key;
2360
2361 if (!PyUnicode_FSConverter(name, &name_bytes))
2362 return NULL;
2363 assert(PyBytes_Check(name_bytes));
2364 nid = OBJ_sn2nid(PyBytes_AS_STRING(name_bytes));
2365 Py_DECREF(name_bytes);
2366 if (nid == 0) {
2367 PyErr_Format(PyExc_ValueError,
2368 "unknown elliptic curve name %R", name);
2369 return NULL;
2370 }
2371 key = EC_KEY_new_by_curve_name(nid);
2372 if (key == NULL) {
2373 _setSSLError(NULL, 0, __FILE__, __LINE__);
2374 return NULL;
2375 }
2376 SSL_CTX_set_tmp_ecdh(self->ctx, key);
2377 EC_KEY_free(key);
2378 Py_RETURN_NONE;
2379}
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2380#endif
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]2381
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2382#ifndef OPENSSL_NO_TLSEXT
2383static int
2384_servername_callback(SSL *s, int *al, void *args)
2385{
2386 int ret;
2387 PySSLContext *ssl_ctx = (PySSLContext *) args;
2388 PySSLSocket *ssl;
2389 PyObject *servername_o;
2390 PyObject *servername_idna;
2391 PyObject *result;
2392 /* The high-level ssl.SSLSocket object */
2393 PyObject *ssl_socket;
2394 PyGILState_STATE gstate;
2395 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2396
2397 gstate = PyGILState_Ensure();
2398
2399 if (ssl_ctx->set_hostname == NULL) {
2400 /* remove race condition in this the call back while if removing the
2401 * callback is in progress */
2402 PyGILState_Release(gstate);
Antoine Pitrou5dd12a52013-01-06 15:25:36 +0100[diff] [blame^]2403 return SSL_TLSEXT_ERR_OK;
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2404 }
2405
2406 ssl = SSL_get_app_data(s);
2407 assert(PySSLSocket_Check(ssl));
2408 ssl_socket = PyWeakref_GetObject(ssl->Socket);
2409 Py_INCREF(ssl_socket);
2410 if (ssl_socket == Py_None) {
2411 goto error;
2412 }
2413
2414 servername_o = PyBytes_FromString(servername);
2415 if (servername_o == NULL) {
2416 PyErr_WriteUnraisable((PyObject *) ssl_ctx);
2417 goto error;
2418 }
2419 servername_idna = PyUnicode_FromEncodedObject(servername_o, "idna", NULL);
2420 if (servername_idna == NULL) {
2421 PyErr_WriteUnraisable(servername_o);
2422 Py_DECREF(servername_o);
2423 goto error;
2424 }
2425 Py_DECREF(servername_o);
2426 result = PyObject_CallFunctionObjArgs(ssl_ctx->set_hostname, ssl_socket,
2427 servername_idna, ssl_ctx, NULL);
2428 Py_DECREF(ssl_socket);
2429 Py_DECREF(servername_idna);
2430
2431 if (result == NULL) {
2432 PyErr_WriteUnraisable(ssl_ctx->set_hostname);
2433 *al = SSL_AD_HANDSHAKE_FAILURE;
2434 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2435 }
2436 else {
2437 if (result != Py_None) {
2438 *al = (int) PyLong_AsLong(result);
2439 if (PyErr_Occurred()) {
2440 PyErr_WriteUnraisable(result);
2441 *al = SSL_AD_INTERNAL_ERROR;
2442 }
2443 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2444 }
2445 else {
2446 ret = SSL_TLSEXT_ERR_OK;
2447 }
2448 Py_DECREF(result);
2449 }
2450
2451 PyGILState_Release(gstate);
2452 return ret;
2453
2454error:
2455 Py_DECREF(ssl_socket);
2456 *al = SSL_AD_INTERNAL_ERROR;
2457 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2458 PyGILState_Release(gstate);
2459 return ret;
2460}
2461
2462PyDoc_STRVAR(PySSL_set_servername_callback_doc,
2463"set_servername_callback(method)\n\
2464\
2465This sets a callback that will be called when a server name is provided by\n\
2466the SSL/TLS client in the SNI extension.\n\
2467\
2468If the argument is None then the callback is disabled. The method is called\n\
2469with the SSLSocket, the server name as a string, and the SSLContext object.\n\
2470See RFC 6066 for details of the SNI");
2471#endif
2472
2473static PyObject *
2474set_servername_callback(PySSLContext *self, PyObject *args)
2475{
2476#ifndef OPENSSL_NO_TLSEXT
2477 PyObject *cb;
2478
2479 if (!PyArg_ParseTuple(args, "O", &cb))
2480 return NULL;
2481
2482 Py_CLEAR(self->set_hostname);
2483 if (cb == Py_None) {
2484 SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
2485 }
2486 else {
2487 if (!PyCallable_Check(cb)) {
2488 SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
2489 PyErr_SetString(PyExc_TypeError,
2490 "not a callable object");
2491 return NULL;
2492 }
2493 Py_INCREF(cb);
2494 self->set_hostname = cb;
2495 SSL_CTX_set_tlsext_servername_callback(self->ctx, _servername_callback);
2496 SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
2497 }
2498 Py_RETURN_NONE;
2499#else
2500 PyErr_SetString(PyExc_NotImplementedError,
2501 "The TLS extension servername callback, "
2502 "SSL_CTX_set_tlsext_servername_callback, "
2503 "is not in the current OpenSSL library.");
2504#endif
2505}
2506
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2507static PyGetSetDef context_getsetlist[] = {
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2508 {"options", (getter) get_options,
2509 (setter) set_options, NULL},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2510 {"verify_mode", (getter) get_verify_mode,
2511 (setter) set_verify_mode, NULL},
2512 {NULL}, /* sentinel */
2513};
2514
2515static struct PyMethodDef context_methods[] = {
2516 {"_wrap_socket", (PyCFunction) context_wrap_socket,
2517 METH_VARARGS | METH_KEYWORDS, NULL},
2518 {"set_ciphers", (PyCFunction) set_ciphers,
2519 METH_VARARGS, NULL},
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]2520 {"_set_npn_protocols", (PyCFunction) _set_npn_protocols,
2521 METH_VARARGS, NULL},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2522 {"load_cert_chain", (PyCFunction) load_cert_chain,
2523 METH_VARARGS | METH_KEYWORDS, NULL},
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]2524 {"load_dh_params", (PyCFunction) load_dh_params,
2525 METH_O, NULL},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2526 {"load_verify_locations", (PyCFunction) load_verify_locations,
2527 METH_VARARGS | METH_KEYWORDS, NULL},
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]2528 {"session_stats", (PyCFunction) session_stats,
2529 METH_NOARGS, NULL},
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]2530 {"set_default_verify_paths", (PyCFunction) set_default_verify_paths,
2531 METH_NOARGS, NULL},
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2532#ifndef OPENSSL_NO_ECDH
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]2533 {"set_ecdh_curve", (PyCFunction) set_ecdh_curve,
2534 METH_O, NULL},
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]2535#endif
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2536 {"set_servername_callback", (PyCFunction) set_servername_callback,
2537 METH_VARARGS, PySSL_set_servername_callback_doc},
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2538 {NULL, NULL} /* sentinel */
2539};
2540
2541static PyTypeObject PySSLContext_Type = {
2542 PyVarObject_HEAD_INIT(NULL, 0)
2543 "_ssl._SSLContext", /*tp_name*/
2544 sizeof(PySSLContext), /*tp_basicsize*/
2545 0, /*tp_itemsize*/
2546 (destructor)context_dealloc, /*tp_dealloc*/
2547 0, /*tp_print*/
2548 0, /*tp_getattr*/
2549 0, /*tp_setattr*/
2550 0, /*tp_reserved*/
2551 0, /*tp_repr*/
2552 0, /*tp_as_number*/
2553 0, /*tp_as_sequence*/
2554 0, /*tp_as_mapping*/
2555 0, /*tp_hash*/
2556 0, /*tp_call*/
2557 0, /*tp_str*/
2558 0, /*tp_getattro*/
2559 0, /*tp_setattro*/
2560 0, /*tp_as_buffer*/
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2561 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC, /*tp_flags*/
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2562 0, /*tp_doc*/
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2563 (traverseproc) context_traverse, /*tp_traverse*/
2564 (inquiry) context_clear, /*tp_clear*/
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2565 0, /*tp_richcompare*/
2566 0, /*tp_weaklistoffset*/
2567 0, /*tp_iter*/
2568 0, /*tp_iternext*/
2569 context_methods, /*tp_methods*/
2570 0, /*tp_members*/
2571 context_getsetlist, /*tp_getset*/
2572 0, /*tp_base*/
2573 0, /*tp_dict*/
2574 0, /*tp_descr_get*/
2575 0, /*tp_descr_set*/
2576 0, /*tp_dictoffset*/
2577 0, /*tp_init*/
2578 0, /*tp_alloc*/
2579 context_new, /*tp_new*/
2580};
2581
2582
2583
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2584#ifdef HAVE_OPENSSL_RAND
2585
2586/* helper routines for seeding the SSL PRNG */
2587static PyObject *
2588PySSL_RAND_add(PyObject *self, PyObject *args)
2589{
2590 char *buf;
2591 int len;
2592 double entropy;
2593
2594 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]2595 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2596 RAND_add(buf, len, entropy);
2597 Py_INCREF(Py_None);
2598 return Py_None;
2599}
2600
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2601PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2602"RAND_add(string, entropy)\n\
2603\n\
2604Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2605bound on the entropy contained in string. See RFC 1750.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2606
2607static PyObject *
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]2608PySSL_RAND(int len, int pseudo)
2609{
2610 int ok;
2611 PyObject *bytes;
2612 unsigned long err;
2613 const char *errstr;
2614 PyObject *v;
2615
2616 bytes = PyBytes_FromStringAndSize(NULL, len);
2617 if (bytes == NULL)
2618 return NULL;
2619 if (pseudo) {
2620 ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
2621 if (ok == 0 || ok == 1)
2622 return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
2623 }
2624 else {
2625 ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
2626 if (ok == 1)
2627 return bytes;
2628 }
2629 Py_DECREF(bytes);
2630
2631 err = ERR_get_error();
2632 errstr = ERR_reason_error_string(err);
2633 v = Py_BuildValue("(ks)", err, errstr);
2634 if (v != NULL) {
2635 PyErr_SetObject(PySSLErrorObject, v);
2636 Py_DECREF(v);
2637 }
2638 return NULL;
2639}
2640
2641static PyObject *
2642PySSL_RAND_bytes(PyObject *self, PyObject *args)
2643{
2644 int len;
2645 if (!PyArg_ParseTuple(args, "i:RAND_bytes", &len))
2646 return NULL;
2647 return PySSL_RAND(len, 0);
2648}
2649
2650PyDoc_STRVAR(PySSL_RAND_bytes_doc,
2651"RAND_bytes(n) -> bytes\n\
2652\n\
2653Generate n cryptographically strong pseudo-random bytes.");
2654
2655static PyObject *
2656PySSL_RAND_pseudo_bytes(PyObject *self, PyObject *args)
2657{
2658 int len;
2659 if (!PyArg_ParseTuple(args, "i:RAND_pseudo_bytes", &len))
2660 return NULL;
2661 return PySSL_RAND(len, 1);
2662}
2663
2664PyDoc_STRVAR(PySSL_RAND_pseudo_bytes_doc,
2665"RAND_pseudo_bytes(n) -> (bytes, is_cryptographic)\n\
2666\n\
2667Generate n pseudo-random bytes. is_cryptographic is True if the bytes\
2668generated are cryptographically strong.");
2669
2670static PyObject *
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2671PySSL_RAND_status(PyObject *self)
2672{
Christian Heimes217cfd12007-12-02 14:31:20 +0000[diff] [blame]2673 return PyLong_FromLong(RAND_status());
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2674}
2675
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2676PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2677"RAND_status() -> 0 or 1\n\
2678\n\
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]2679Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
2680It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
2681using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2682
2683static PyObject *
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2684PySSL_RAND_egd(PyObject *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2685{
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2686 PyObject *path;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2687 int bytes;
2688
Jesus Ceac8754a12012-09-11 02:00:58 +0200[diff] [blame]2689 if (!PyArg_ParseTuple(args, "O&:RAND_egd",
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2690 PyUnicode_FSConverter, &path))
2691 return NULL;
2692
2693 bytes = RAND_egd(PyBytes_AsString(path));
2694 Py_DECREF(path);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2695 if (bytes == -1) {
Antoine Pitrou525807b2010-05-12 14:05:24 +0000[diff] [blame]2696 PyErr_SetString(PySSLErrorObject,
2697 "EGD connection failed or EGD did not return "
2698 "enough data to seed the PRNG");
2699 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2700 }
Christian Heimes217cfd12007-12-02 14:31:20 +0000[diff] [blame]2701 return PyLong_FromLong(bytes);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2702}
2703
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2704PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2705"RAND_egd(path) -> bytes\n\
2706\n\
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2707Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
2708Returns number of bytes read. Raises SSLError if connection to EGD\n\
2709fails or if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2710
2711#endif
2712
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]2713
2714
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2715/* List of functions exported by this module. */
2716
2717static PyMethodDef PySSL_methods[] = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2718 {"_test_decode_cert", PySSL_test_decode_certificate,
2719 METH_VARARGS},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2720#ifdef HAVE_OPENSSL_RAND
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2721 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
2722 PySSL_RAND_add_doc},
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]2723 {"RAND_bytes", PySSL_RAND_bytes, METH_VARARGS,
2724 PySSL_RAND_bytes_doc},
2725 {"RAND_pseudo_bytes", PySSL_RAND_pseudo_bytes, METH_VARARGS,
2726 PySSL_RAND_pseudo_bytes_doc},
Victor Stinnerf9faaad2010-05-16 21:36:37 +0000[diff] [blame]2727 {"RAND_egd", PySSL_RAND_egd, METH_VARARGS,
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2728 PySSL_RAND_egd_doc},
2729 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
2730 PySSL_RAND_status_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2731#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2732 {NULL, NULL} /* Sentinel */
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2733};
2734
2735
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2736#ifdef WITH_THREAD
2737
2738/* an implementation of OpenSSL threading operations in terms
2739 of the Python C thread library */
2740
2741static PyThread_type_lock *_ssl_locks = NULL;
2742
2743static unsigned long _ssl_thread_id_function (void) {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2744 return PyThread_get_thread_ident();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2745}
2746
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]2747static void _ssl_thread_locking_function
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2748 (int mode, int n, const char *file, int line) {
2749 /* this function is needed to perform locking on shared data
2750 structures. (Note that OpenSSL uses a number of global data
2751 structures that will be implicitly shared whenever multiple
2752 threads use OpenSSL.) Multi-threaded applications will
2753 crash at random if it is not set.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2754
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2755 locking_function() must be able to handle up to
2756 CRYPTO_num_locks() different mutex locks. It sets the n-th
2757 lock if mode & CRYPTO_LOCK, and releases it otherwise.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2758
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2759 file and line are the file number of the function setting the
2760 lock. They can be useful for debugging.
2761 */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2762
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2763 if ((_ssl_locks == NULL) ||
2764 (n < 0) || ((unsigned)n >= _ssl_locks_count))
2765 return;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2766
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2767 if (mode & CRYPTO_LOCK) {
2768 PyThread_acquire_lock(_ssl_locks[n], 1);
2769 } else {
2770 PyThread_release_lock(_ssl_locks[n]);
2771 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2772}
2773
2774static int _setup_ssl_threads(void) {
2775
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2776 unsigned int i;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2777
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2778 if (_ssl_locks == NULL) {
2779 _ssl_locks_count = CRYPTO_num_locks();
2780 _ssl_locks = (PyThread_type_lock *)
2781 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
2782 if (_ssl_locks == NULL)
2783 return 0;
2784 memset(_ssl_locks, 0,
2785 sizeof(PyThread_type_lock) * _ssl_locks_count);
2786 for (i = 0; i < _ssl_locks_count; i++) {
2787 _ssl_locks[i] = PyThread_allocate_lock();
2788 if (_ssl_locks[i] == NULL) {
2789 unsigned int j;
2790 for (j = 0; j < i; j++) {
2791 PyThread_free_lock(_ssl_locks[j]);
2792 }
2793 free(_ssl_locks);
2794 return 0;
2795 }
2796 }
2797 CRYPTO_set_locking_callback(_ssl_thread_locking_function);
2798 CRYPTO_set_id_callback(_ssl_thread_id_function);
2799 }
2800 return 1;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2801}
2802
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2803#endif /* def HAVE_THREAD */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2804
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2805PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2806"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]2807for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2808
Martin v. Löwis1a214512008-06-11 05:26:20 +0000[diff] [blame]2809
2810static struct PyModuleDef _sslmodule = {
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2811 PyModuleDef_HEAD_INIT,
2812 "_ssl",
2813 module_doc,
2814 -1,
2815 PySSL_methods,
2816 NULL,
2817 NULL,
2818 NULL,
2819 NULL
Martin v. Löwis1a214512008-06-11 05:26:20 +0000[diff] [blame]2820};
2821
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]2822
2823static void
2824parse_openssl_version(unsigned long libver,
2825 unsigned int *major, unsigned int *minor,
2826 unsigned int *fix, unsigned int *patch,
2827 unsigned int *status)
2828{
2829 *status = libver & 0xF;
2830 libver >>= 4;
2831 *patch = libver & 0xFF;
2832 libver >>= 8;
2833 *fix = libver & 0xFF;
2834 libver >>= 8;
2835 *minor = libver & 0xFF;
2836 libver >>= 8;
2837 *major = libver & 0xFF;
2838}
2839
Mark Hammondfe51c6d2002-08-02 02:27:13 +0000[diff] [blame]2840PyMODINIT_FUNC
Martin v. Löwis1a214512008-06-11 05:26:20 +0000[diff] [blame]2841PyInit__ssl(void)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2842{
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2843 PyObject *m, *d, *r;
2844 unsigned long libver;
2845 unsigned int major, minor, fix, patch, status;
2846 PySocketModule_APIObject *socket_api;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]2847 struct py_ssl_error_code *errcode;
2848 struct py_ssl_library_code *libcode;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2849
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2850 if (PyType_Ready(&PySSLContext_Type) < 0)
2851 return NULL;
2852 if (PyType_Ready(&PySSLSocket_Type) < 0)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2853 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2854
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2855 m = PyModule_Create(&_sslmodule);
2856 if (m == NULL)
2857 return NULL;
2858 d = PyModule_GetDict(m);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2859
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2860 /* Load _socket module and its C API */
2861 socket_api = PySocketModule_ImportModuleAndAPI();
2862 if (!socket_api)
2863 return NULL;
2864 PySocketModule = *socket_api;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2865
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2866 /* Init OpenSSL */
2867 SSL_load_error_strings();
2868 SSL_library_init();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2869#ifdef WITH_THREAD
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2870 /* note that this will start threading if not already started */
2871 if (!_setup_ssl_threads()) {
2872 return NULL;
2873 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2874#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2875 OpenSSL_add_all_algorithms();
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2876
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2877 /* Add symbols to module dict */
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]2878 sslerror_type_slots[0].pfunc = PyExc_OSError;
2879 PySSLErrorObject = PyType_FromSpec(&sslerror_type_spec);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2880 if (PySSLErrorObject == NULL)
2881 return NULL;
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]2882
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]2883 PySSLZeroReturnErrorObject = PyErr_NewExceptionWithDoc(
2884 "ssl.SSLZeroReturnError", SSLZeroReturnError_doc,
2885 PySSLErrorObject, NULL);
2886 PySSLWantReadErrorObject = PyErr_NewExceptionWithDoc(
2887 "ssl.SSLWantReadError", SSLWantReadError_doc,
2888 PySSLErrorObject, NULL);
2889 PySSLWantWriteErrorObject = PyErr_NewExceptionWithDoc(
2890 "ssl.SSLWantWriteError", SSLWantWriteError_doc,
2891 PySSLErrorObject, NULL);
2892 PySSLSyscallErrorObject = PyErr_NewExceptionWithDoc(
2893 "ssl.SSLSyscallError", SSLSyscallError_doc,
2894 PySSLErrorObject, NULL);
2895 PySSLEOFErrorObject = PyErr_NewExceptionWithDoc(
2896 "ssl.SSLEOFError", SSLEOFError_doc,
2897 PySSLErrorObject, NULL);
2898 if (PySSLZeroReturnErrorObject == NULL
2899 || PySSLWantReadErrorObject == NULL
2900 || PySSLWantWriteErrorObject == NULL
2901 || PySSLSyscallErrorObject == NULL
2902 || PySSLEOFErrorObject == NULL)
2903 return NULL;
2904 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0
2905 || PyDict_SetItemString(d, "SSLZeroReturnError", PySSLZeroReturnErrorObject) != 0
2906 || PyDict_SetItemString(d, "SSLWantReadError", PySSLWantReadErrorObject) != 0
2907 || PyDict_SetItemString(d, "SSLWantWriteError", PySSLWantWriteErrorObject) != 0
2908 || PyDict_SetItemString(d, "SSLSyscallError", PySSLSyscallErrorObject) != 0
2909 || PyDict_SetItemString(d, "SSLEOFError", PySSLEOFErrorObject) != 0)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2910 return NULL;
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2911 if (PyDict_SetItemString(d, "_SSLContext",
2912 (PyObject *)&PySSLContext_Type) != 0)
2913 return NULL;
2914 if (PyDict_SetItemString(d, "_SSLSocket",
2915 (PyObject *)&PySSLSocket_Type) != 0)
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2916 return NULL;
2917 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
2918 PY_SSL_ERROR_ZERO_RETURN);
2919 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
2920 PY_SSL_ERROR_WANT_READ);
2921 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
2922 PY_SSL_ERROR_WANT_WRITE);
2923 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
2924 PY_SSL_ERROR_WANT_X509_LOOKUP);
2925 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
2926 PY_SSL_ERROR_SYSCALL);
2927 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
2928 PY_SSL_ERROR_SSL);
2929 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
2930 PY_SSL_ERROR_WANT_CONNECT);
2931 /* non ssl.h errorcodes */
2932 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
2933 PY_SSL_ERROR_EOF);
2934 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
2935 PY_SSL_ERROR_INVALID_ERROR_CODE);
2936 /* cert requirements */
2937 PyModule_AddIntConstant(m, "CERT_NONE",
2938 PY_SSL_CERT_NONE);
2939 PyModule_AddIntConstant(m, "CERT_OPTIONAL",
2940 PY_SSL_CERT_OPTIONAL);
2941 PyModule_AddIntConstant(m, "CERT_REQUIRED",
2942 PY_SSL_CERT_REQUIRED);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]2943
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2944 /* Alert Descriptions from ssl.h */
2945 /* note RESERVED constants no longer intended for use have been removed */
2946 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */
2947
2948#define ADD_AD_CONSTANT(s) \
2949 PyModule_AddIntConstant(m, "ALERT_DESCRIPTION_"#s, \
2950 SSL_AD_##s)
2951
2952 ADD_AD_CONSTANT(CLOSE_NOTIFY);
2953 ADD_AD_CONSTANT(UNEXPECTED_MESSAGE);
2954 ADD_AD_CONSTANT(BAD_RECORD_MAC);
2955 ADD_AD_CONSTANT(RECORD_OVERFLOW);
2956 ADD_AD_CONSTANT(DECOMPRESSION_FAILURE);
2957 ADD_AD_CONSTANT(HANDSHAKE_FAILURE);
2958 ADD_AD_CONSTANT(BAD_CERTIFICATE);
2959 ADD_AD_CONSTANT(UNSUPPORTED_CERTIFICATE);
2960 ADD_AD_CONSTANT(CERTIFICATE_REVOKED);
2961 ADD_AD_CONSTANT(CERTIFICATE_EXPIRED);
2962 ADD_AD_CONSTANT(CERTIFICATE_UNKNOWN);
2963 ADD_AD_CONSTANT(ILLEGAL_PARAMETER);
2964 ADD_AD_CONSTANT(UNKNOWN_CA);
2965 ADD_AD_CONSTANT(ACCESS_DENIED);
2966 ADD_AD_CONSTANT(DECODE_ERROR);
2967 ADD_AD_CONSTANT(DECRYPT_ERROR);
2968 ADD_AD_CONSTANT(PROTOCOL_VERSION);
2969 ADD_AD_CONSTANT(INSUFFICIENT_SECURITY);
2970 ADD_AD_CONSTANT(INTERNAL_ERROR);
2971 ADD_AD_CONSTANT(USER_CANCELLED);
2972 ADD_AD_CONSTANT(NO_RENEGOTIATION);
2973 ADD_AD_CONSTANT(UNSUPPORTED_EXTENSION);
2974 ADD_AD_CONSTANT(CERTIFICATE_UNOBTAINABLE);
2975 ADD_AD_CONSTANT(UNRECOGNIZED_NAME);
2976 /* Not all constants are in old OpenSSL versions */
2977#ifdef SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
2978 ADD_AD_CONSTANT(BAD_CERTIFICATE_STATUS_RESPONSE);
2979#endif
2980#ifdef SSL_AD_BAD_CERTIFICATE_HASH_VALUE
2981 ADD_AD_CONSTANT(BAD_CERTIFICATE_HASH_VALUE);
2982#endif
2983#ifdef SSL_AD_UNKNOWN_PSK_IDENTITY
2984 ADD_AD_CONSTANT(UNKNOWN_PSK_IDENTITY);
2985#endif
2986
2987#undef ADD_AD_CONSTANT
2988
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2989 /* protocol versions */
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2990#ifndef OPENSSL_NO_SSL2
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2991 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
2992 PY_SSL_VERSION_SSL2);
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2993#endif
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]2994 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
2995 PY_SSL_VERSION_SSL3);
2996 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
2997 PY_SSL_VERSION_SSL23);
2998 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
2999 PY_SSL_VERSION_TLS1);
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]3000
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]3001 /* protocol options */
Antoine Pitrou3f366312012-01-27 09:50:45 +0100[diff] [blame]3002 PyModule_AddIntConstant(m, "OP_ALL",
3003 SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]3004 PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
3005 PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
3006 PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]3007 PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
3008 SSL_OP_CIPHER_SERVER_PREFERENCE);
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3009 PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
Antoine Pitroue9fccb32012-02-17 11:53:10 +0100[diff] [blame]3010#ifdef SSL_OP_SINGLE_ECDH_USE
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]3011 PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
Antoine Pitroue9fccb32012-02-17 11:53:10 +0100[diff] [blame]3012#endif
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3013#ifdef SSL_OP_NO_COMPRESSION
3014 PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
3015 SSL_OP_NO_COMPRESSION);
3016#endif
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]3017
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]3018#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
3019 r = Py_True;
3020#else
3021 r = Py_False;
3022#endif
3023 Py_INCREF(r);
3024 PyModule_AddObject(m, "HAS_SNI", r);
3025
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3026#if HAVE_OPENSSL_FINISHED
3027 r = Py_True;
3028#else
3029 r = Py_False;
3030#endif
3031 Py_INCREF(r);
3032 PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
3033
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]3034#ifdef OPENSSL_NO_ECDH
3035 r = Py_False;
3036#else
3037 r = Py_True;
3038#endif
3039 Py_INCREF(r);
3040 PyModule_AddObject(m, "HAS_ECDH", r);
3041
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]3042#ifdef OPENSSL_NPN_NEGOTIATED
3043 r = Py_True;
3044#else
3045 r = Py_False;
3046#endif
3047 Py_INCREF(r);
3048 PyModule_AddObject(m, "HAS_NPN", r);
3049
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]3050 /* Mappings for error codes */
3051 err_codes_to_names = PyDict_New();
3052 err_names_to_codes = PyDict_New();
3053 if (err_codes_to_names == NULL || err_names_to_codes == NULL)
3054 return NULL;
3055 errcode = error_codes;
3056 while (errcode->mnemonic != NULL) {
3057 PyObject *mnemo, *key;
3058 mnemo = PyUnicode_FromString(errcode->mnemonic);
3059 key = Py_BuildValue("ii", errcode->library, errcode->reason);
3060 if (mnemo == NULL || key == NULL)
3061 return NULL;
3062 if (PyDict_SetItem(err_codes_to_names, key, mnemo))
3063 return NULL;
3064 if (PyDict_SetItem(err_names_to_codes, mnemo, key))
3065 return NULL;
3066 Py_DECREF(key);
3067 Py_DECREF(mnemo);
3068 errcode++;
3069 }
3070 if (PyModule_AddObject(m, "err_codes_to_names", err_codes_to_names))
3071 return NULL;
3072 if (PyModule_AddObject(m, "err_names_to_codes", err_names_to_codes))
3073 return NULL;
3074
3075 lib_codes_to_names = PyDict_New();
3076 if (lib_codes_to_names == NULL)
3077 return NULL;
3078 libcode = library_codes;
3079 while (libcode->library != NULL) {
3080 PyObject *mnemo, *key;
3081 key = PyLong_FromLong(libcode->code);
3082 mnemo = PyUnicode_FromString(libcode->library);
3083 if (key == NULL || mnemo == NULL)
3084 return NULL;
3085 if (PyDict_SetItem(lib_codes_to_names, key, mnemo))
3086 return NULL;
3087 Py_DECREF(key);
3088 Py_DECREF(mnemo);
3089 libcode++;
3090 }
3091 if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names))
3092 return NULL;
3093
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3094 /* OpenSSL version */
3095 /* SSLeay() gives us the version of the library linked against,
3096 which could be different from the headers version.
3097 */
3098 libver = SSLeay();
3099 r = PyLong_FromUnsignedLong(libver);
3100 if (r == NULL)
3101 return NULL;
3102 if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r))
3103 return NULL;
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]3104 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3105 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
3106 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
3107 return NULL;
3108 r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
3109 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
3110 return NULL;
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]3111
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]3112 libver = OPENSSL_VERSION_NUMBER;
3113 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
3114 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
3115 if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
3116 return NULL;
3117
Antoine Pitroucbb82eb2010-05-05 15:57:33 +0000[diff] [blame]3118 return m;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]3119}