blob: 73a76bbc0586f1a9e9e0d656918018dcdc9ef9c2 [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +00001/* SSL socket module
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00002
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
Thomas Wouters1b7f8912007-09-19 03:06:30 +00004 Re-worked a bit by Bill Janssen to add server-side support and
Bill Janssen6e027db2007-11-15 22:23:56 +00005 certificate decoding. Chris Stawarz contributed some non-blocking
6 patches.
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00007
Thomas Wouters1b7f8912007-09-19 03:06:30 +00008 This module is imported by ssl.py. It should *not* be used
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00009 directly.
10
Thomas Wouters1b7f8912007-09-19 03:06:30 +000011 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
Antoine Pitrou5a1c4d12010-04-23 21:11:10 +000012
13 XXX integrate several "shutdown modes" as suggested in
14 http://bugs.python.org/issue8108#msg102867 ?
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000015*/
16
17#include "Python.h"
Thomas Woutersed03b412007-08-28 21:37:11 +000018
Thomas Wouters1b7f8912007-09-19 03:06:30 +000019#ifdef WITH_THREAD
20#include "pythread.h"
21#define PySSL_BEGIN_ALLOW_THREADS { \
Antoine Pitrou30dc1a72010-05-05 16:01:14 +000022 PyThreadState *_save = NULL; \
23 if (_ssl_locks_count>0) {_save = PyEval_SaveThread();}
24#define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)};
25#define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()};
26#define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \
27 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +000028
Antoine Pitrou30dc1a72010-05-05 16:01:14 +000029#else /* no WITH_THREAD */
Thomas Wouters1b7f8912007-09-19 03:06:30 +000030
31#define PySSL_BEGIN_ALLOW_THREADS
32#define PySSL_BLOCK_THREADS
33#define PySSL_UNBLOCK_THREADS
34#define PySSL_END_ALLOW_THREADS
35
36#endif
37
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +000038enum py_ssl_error {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +000039 /* these mirror ssl.h */
40 PY_SSL_ERROR_NONE,
41 PY_SSL_ERROR_SSL,
42 PY_SSL_ERROR_WANT_READ,
43 PY_SSL_ERROR_WANT_WRITE,
44 PY_SSL_ERROR_WANT_X509_LOOKUP,
45 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
46 PY_SSL_ERROR_ZERO_RETURN,
47 PY_SSL_ERROR_WANT_CONNECT,
48 /* start of non ssl.h errorcodes */
49 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
50 PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */
51 PY_SSL_ERROR_INVALID_ERROR_CODE
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +000052};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000053
Thomas Woutersed03b412007-08-28 21:37:11 +000054enum py_ssl_server_or_client {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +000055 PY_SSL_CLIENT,
56 PY_SSL_SERVER
Thomas Woutersed03b412007-08-28 21:37:11 +000057};
58
59enum py_ssl_cert_requirements {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +000060 PY_SSL_CERT_NONE,
61 PY_SSL_CERT_OPTIONAL,
62 PY_SSL_CERT_REQUIRED
Thomas Woutersed03b412007-08-28 21:37:11 +000063};
64
65enum py_ssl_version {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +000066 PY_SSL_VERSION_SSL2,
67 PY_SSL_VERSION_SSL3,
68 PY_SSL_VERSION_SSL23,
69 PY_SSL_VERSION_TLS1
Thomas Woutersed03b412007-08-28 21:37:11 +000070};
71
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000072/* Include symbols from _socket module */
73#include "socketmodule.h"
74
Benjamin Petersonb173f782009-05-05 22:31:58 +000075static PySocketModule_APIObject PySocketModule;
76
Thomas Woutersed03b412007-08-28 21:37:11 +000077#if defined(HAVE_POLL_H)
Thomas Wouters0e3f5912006-08-11 14:57:12 +000078#include <poll.h>
79#elif defined(HAVE_SYS_POLL_H)
80#include <sys/poll.h>
81#endif
82
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000083/* Include OpenSSL header files */
84#include "openssl/rsa.h"
85#include "openssl/crypto.h"
86#include "openssl/x509.h"
Thomas Wouters1b7f8912007-09-19 03:06:30 +000087#include "openssl/x509v3.h"
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +000088#include "openssl/pem.h"
89#include "openssl/ssl.h"
90#include "openssl/err.h"
91#include "openssl/rand.h"
92
93/* SSL error object */
94static PyObject *PySSLErrorObject;
95
Thomas Wouters1b7f8912007-09-19 03:06:30 +000096#ifdef WITH_THREAD
97
98/* serves as a flag to see whether we've initialized the SSL thread support. */
99/* 0 means no, greater than 0 means yes */
100
101static unsigned int _ssl_locks_count = 0;
102
103#endif /* def WITH_THREAD */
104
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000105/* SSL socket object */
106
107#define X509_NAME_MAXLEN 256
108
109/* RAND_* APIs got added to OpenSSL in 0.9.5 */
110#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
111# define HAVE_OPENSSL_RAND 1
112#else
113# undef HAVE_OPENSSL_RAND
114#endif
115
116typedef struct {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000117 PyObject_HEAD
118 PyObject *Socket; /* weakref to socket on which we're layered */
119 SSL_CTX* ctx;
120 SSL* ssl;
121 X509* peer_cert;
122 int shutdown_seen_zero;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000123
124} PySSLObject;
125
Jeremy Hylton938ace62002-07-17 16:30:39 +0000126static PyTypeObject PySSL_Type;
127static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
128static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
Thomas Woutersed03b412007-08-28 21:37:11 +0000129static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000130 int writing);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000131static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args);
132static PyObject *PySSL_cipher(PySSLObject *self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000133
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000134#define PySSLObject_Check(v) (Py_TYPE(v) == &PySSL_Type)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000135
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000136typedef enum {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000137 SOCKET_IS_NONBLOCKING,
138 SOCKET_IS_BLOCKING,
139 SOCKET_HAS_TIMED_OUT,
140 SOCKET_HAS_BEEN_CLOSED,
141 SOCKET_TOO_LARGE_FOR_SELECT,
142 SOCKET_OPERATION_OK
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000143} timeout_state;
144
Thomas Woutersed03b412007-08-28 21:37:11 +0000145/* Wrap error strings with filename and line # */
146#define STRINGIFY1(x) #x
147#define STRINGIFY2(x) STRINGIFY1(x)
148#define ERRSTR1(x,y,z) (x ":" y ": " z)
149#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
150
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000151/* XXX It might be helpful to augment the error message generated
152 below with the name of the SSL function that generated the error.
153 I expect it's obvious most of the time.
154*/
155
156static PyObject *
Thomas Woutersed03b412007-08-28 21:37:11 +0000157PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000158{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000159 PyObject *v;
160 char buf[2048];
161 char *errstr;
162 int err;
163 enum py_ssl_error p = PY_SSL_ERROR_NONE;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000164
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000165 assert(ret <= 0);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000166
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000167 if (obj->ssl != NULL) {
168 err = SSL_get_error(obj->ssl, ret);
Thomas Woutersed03b412007-08-28 21:37:11 +0000169
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000170 switch (err) {
171 case SSL_ERROR_ZERO_RETURN:
172 errstr = "TLS/SSL connection has been closed";
173 p = PY_SSL_ERROR_ZERO_RETURN;
174 break;
175 case SSL_ERROR_WANT_READ:
176 errstr = "The operation did not complete (read)";
177 p = PY_SSL_ERROR_WANT_READ;
178 break;
179 case SSL_ERROR_WANT_WRITE:
180 p = PY_SSL_ERROR_WANT_WRITE;
181 errstr = "The operation did not complete (write)";
182 break;
183 case SSL_ERROR_WANT_X509_LOOKUP:
184 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Antoine Pitroua29b1812010-05-12 14:08:45 +0000185 errstr = "The operation did not complete (X509 lookup)";
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000186 break;
187 case SSL_ERROR_WANT_CONNECT:
188 p = PY_SSL_ERROR_WANT_CONNECT;
189 errstr = "The operation did not complete (connect)";
190 break;
191 case SSL_ERROR_SYSCALL:
192 {
193 unsigned long e = ERR_get_error();
194 if (e == 0) {
195 PySocketSockObject *s
196 = (PySocketSockObject *) PyWeakref_GetObject(obj->Socket);
197 if (ret == 0 || (((PyObject *)s) == Py_None)) {
Antoine Pitroua29b1812010-05-12 14:08:45 +0000198 p = PY_SSL_ERROR_EOF;
199 errstr = "EOF occurred in violation of protocol";
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000200 } else if (ret == -1) {
Antoine Pitroua29b1812010-05-12 14:08:45 +0000201 /* underlying BIO reported an I/O error */
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000202 Py_INCREF(s);
Antoine Pitrou321257d2010-05-16 23:18:00 +0000203 ERR_clear_error();
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000204 v = s->errorhandler();
205 Py_DECREF(s);
206 return v;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000207 } else { /* possible? */
Antoine Pitroua29b1812010-05-12 14:08:45 +0000208 p = PY_SSL_ERROR_SYSCALL;
209 errstr = "Some I/O error occurred";
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000210 }
211 } else {
212 p = PY_SSL_ERROR_SYSCALL;
213 /* XXX Protected by global interpreter lock */
214 errstr = ERR_error_string(e, NULL);
215 }
216 break;
217 }
218 case SSL_ERROR_SSL:
219 {
220 unsigned long e = ERR_get_error();
221 p = PY_SSL_ERROR_SSL;
222 if (e != 0)
223 /* XXX Protected by global interpreter lock */
224 errstr = ERR_error_string(e, NULL);
225 else { /* possible? */
Antoine Pitroua29b1812010-05-12 14:08:45 +0000226 errstr = "A failure in the SSL library occurred";
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000227 }
228 break;
229 }
230 default:
231 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
232 errstr = "Invalid error code";
233 }
234 } else {
235 errstr = ERR_error_string(ERR_peek_last_error(), NULL);
236 }
237 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
Antoine Pitrou321257d2010-05-16 23:18:00 +0000238 ERR_clear_error();
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000239 v = Py_BuildValue("(is)", p, buf);
240 if (v != NULL) {
241 PyErr_SetObject(PySSLErrorObject, v);
242 Py_DECREF(v);
243 }
244 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000245}
246
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000247static PyObject *
248_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
249
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000250 char buf[2048];
251 PyObject *v;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000252
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000253 if (errstr == NULL) {
254 errcode = ERR_peek_last_error();
255 errstr = ERR_error_string(errcode, NULL);
256 }
257 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
Antoine Pitrou321257d2010-05-16 23:18:00 +0000258 ERR_clear_error();
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000259 v = Py_BuildValue("(is)", errcode, buf);
260 if (v != NULL) {
261 PyErr_SetObject(PySSLErrorObject, v);
262 Py_DECREF(v);
263 }
264 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000265}
266
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000267static PySSLObject *
Thomas Woutersed03b412007-08-28 21:37:11 +0000268newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000269 enum py_ssl_server_or_client socket_type,
270 enum py_ssl_cert_requirements certreq,
271 enum py_ssl_version proto_version,
272 char *cacerts_file)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000273{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000274 PySSLObject *self;
275 char *errstr = NULL;
276 int ret;
277 int verification_mode;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000278
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000279 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
280 if (self == NULL)
281 return NULL;
282 self->peer_cert = NULL;
283 self->ssl = NULL;
284 self->ctx = NULL;
285 self->Socket = NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000286
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000287 /* Make sure the SSL error state is initialized */
288 (void) ERR_get_state();
289 ERR_clear_error();
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000290
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000291 if ((key_file && !cert_file) || (!key_file && cert_file)) {
292 errstr = ERRSTR("Both the key & certificate files "
293 "must be specified");
294 goto fail;
295 }
Thomas Woutersed03b412007-08-28 21:37:11 +0000296
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000297 if ((socket_type == PY_SSL_SERVER) &&
298 ((key_file == NULL) || (cert_file == NULL))) {
299 errstr = ERRSTR("Both the key & certificate files "
300 "must be specified for server-side operation");
301 goto fail;
302 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000303
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000304 PySSL_BEGIN_ALLOW_THREADS
305 if (proto_version == PY_SSL_VERSION_TLS1)
306 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
307 else if (proto_version == PY_SSL_VERSION_SSL3)
308 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
309 else if (proto_version == PY_SSL_VERSION_SSL2)
310 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
311 else if (proto_version == PY_SSL_VERSION_SSL23)
312 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
313 PySSL_END_ALLOW_THREADS
Thomas Woutersed03b412007-08-28 21:37:11 +0000314
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000315 if (self->ctx == NULL) {
316 errstr = ERRSTR("Invalid SSL protocol variant specified.");
317 goto fail;
318 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000319
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000320 if (certreq != PY_SSL_CERT_NONE) {
321 if (cacerts_file == NULL) {
322 errstr = ERRSTR("No root certificates specified for "
Antoine Pitroua29b1812010-05-12 14:08:45 +0000323 "verification of other-side certificates.");
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000324 goto fail;
325 } else {
326 PySSL_BEGIN_ALLOW_THREADS
327 ret = SSL_CTX_load_verify_locations(self->ctx,
328 cacerts_file,
329 NULL);
330 PySSL_END_ALLOW_THREADS
331 if (ret != 1) {
332 _setSSLError(NULL, 0, __FILE__, __LINE__);
333 goto fail;
334 }
335 }
336 }
337 if (key_file) {
338 PySSL_BEGIN_ALLOW_THREADS
339 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
340 SSL_FILETYPE_PEM);
341 PySSL_END_ALLOW_THREADS
342 if (ret != 1) {
343 _setSSLError(NULL, ret, __FILE__, __LINE__);
344 goto fail;
345 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000346
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000347 PySSL_BEGIN_ALLOW_THREADS
348 ret = SSL_CTX_use_certificate_chain_file(self->ctx,
349 cert_file);
350 PySSL_END_ALLOW_THREADS
351 if (ret != 1) {
352 /*
353 fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
354 ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
355 */
356 if (ERR_peek_last_error() != 0) {
357 _setSSLError(NULL, ret, __FILE__, __LINE__);
358 goto fail;
359 }
360 }
361 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000362
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000363 /* ssl compatibility */
364 SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000365
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000366 verification_mode = SSL_VERIFY_NONE;
367 if (certreq == PY_SSL_CERT_OPTIONAL)
368 verification_mode = SSL_VERIFY_PEER;
369 else if (certreq == PY_SSL_CERT_REQUIRED)
370 verification_mode = (SSL_VERIFY_PEER |
371 SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
372 SSL_CTX_set_verify(self->ctx, verification_mode,
373 NULL); /* set verify lvl */
Thomas Woutersed03b412007-08-28 21:37:11 +0000374
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000375 PySSL_BEGIN_ALLOW_THREADS
376 self->ssl = SSL_new(self->ctx); /* New ssl struct */
377 PySSL_END_ALLOW_THREADS
378 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
Antoine Pitroud59ceb52010-04-09 20:47:00 +0000379#ifdef SSL_MODE_AUTO_RETRY
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000380 SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY);
Antoine Pitroud59ceb52010-04-09 20:47:00 +0000381#endif
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000382
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000383 /* If the socket is in non-blocking mode or timeout mode, set the BIO
384 * to non-blocking mode (blocking is the default)
385 */
386 if (Sock->sock_timeout >= 0.0) {
387 /* Set both the read and write BIO's to non-blocking mode */
388 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
389 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
390 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000391
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000392 PySSL_BEGIN_ALLOW_THREADS
393 if (socket_type == PY_SSL_CLIENT)
394 SSL_set_connect_state(self->ssl);
395 else
396 SSL_set_accept_state(self->ssl);
397 PySSL_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000398
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000399 self->Socket = PyWeakref_NewRef((PyObject *) Sock, Py_None);
400 return self;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000401 fail:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000402 if (errstr)
403 PyErr_SetString(PySSLErrorObject, errstr);
404 Py_DECREF(self);
405 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000406}
407
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000408static PyObject *
Thomas Woutersed03b412007-08-28 21:37:11 +0000409PySSL_sslwrap(PyObject *self, PyObject *args)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000410{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000411 PySocketSockObject *Sock;
412 int server_side = 0;
413 int verification_mode = PY_SSL_CERT_NONE;
414 int protocol = PY_SSL_VERSION_SSL23;
415 char *key_file = NULL;
416 char *cert_file = NULL;
417 char *cacerts_file = NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000418
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000419 if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
420 PySocketModule.Sock_Type,
421 &Sock,
422 &server_side,
423 &key_file, &cert_file,
424 &verification_mode, &protocol,
425 &cacerts_file))
426 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000427
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000428 /*
429 fprintf(stderr,
430 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, "
431 "protocol %d, certs %p\n",
432 server_side, key_file, cert_file, verification_mode,
433 protocol, cacerts_file);
434 */
Thomas Woutersed03b412007-08-28 21:37:11 +0000435
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000436 return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
437 server_side, verification_mode,
438 protocol, cacerts_file);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000439}
440
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000441PyDoc_STRVAR(ssl_doc,
Thomas Woutersed03b412007-08-28 21:37:11 +0000442"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
443" cacertsfile]) -> sslobject");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000444
445/* SSL object methods */
446
Bill Janssen6e027db2007-11-15 22:23:56 +0000447static PyObject *PySSL_SSLdo_handshake(PySSLObject *self)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000448{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000449 int ret;
450 int err;
451 int sockstate, nonblocking;
452 PySocketSockObject *sock
453 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Antoine Pitrouec146182010-04-24 21:30:20 +0000454
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000455 if (((PyObject*)sock) == Py_None) {
456 _setSSLError("Underlying socket connection gone",
457 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
458 return NULL;
459 }
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000460 Py_INCREF(sock);
Antoine Pitrouec146182010-04-24 21:30:20 +0000461
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000462 /* just in case the blocking state of the socket has been changed */
463 nonblocking = (sock->sock_timeout >= 0.0);
464 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
465 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000466
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000467 /* Actually negotiate SSL connection */
468 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */
469 sockstate = 0;
470 do {
Bill Janssen6e027db2007-11-15 22:23:56 +0000471 PySSL_BEGIN_ALLOW_THREADS
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000472 ret = SSL_do_handshake(self->ssl);
473 err = SSL_get_error(self->ssl, ret);
474 PySSL_END_ALLOW_THREADS
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000475 if (PyErr_CheckSignals())
476 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000477 if (err == SSL_ERROR_WANT_READ) {
478 sockstate = check_socket_and_wait_for_timeout(sock, 0);
479 } else if (err == SSL_ERROR_WANT_WRITE) {
480 sockstate = check_socket_and_wait_for_timeout(sock, 1);
481 } else {
482 sockstate = SOCKET_OPERATION_OK;
483 }
484 if (sockstate == SOCKET_HAS_TIMED_OUT) {
485 PyErr_SetString(PySSLErrorObject,
Antoine Pitroua29b1812010-05-12 14:08:45 +0000486 ERRSTR("The handshake operation timed out"));
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000487 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000488 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
489 PyErr_SetString(PySSLErrorObject,
Antoine Pitroua29b1812010-05-12 14:08:45 +0000490 ERRSTR("Underlying socket has been closed."));
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000491 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000492 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
493 PyErr_SetString(PySSLErrorObject,
Antoine Pitroua29b1812010-05-12 14:08:45 +0000494 ERRSTR("Underlying socket too large for select()."));
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000495 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000496 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
497 break;
498 }
499 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000500 Py_DECREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000501 if (ret < 1)
502 return PySSL_SetError(self, ret, __FILE__, __LINE__);
Bill Janssen6e027db2007-11-15 22:23:56 +0000503
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000504 if (self->peer_cert)
505 X509_free (self->peer_cert);
506 PySSL_BEGIN_ALLOW_THREADS
507 self->peer_cert = SSL_get_peer_certificate(self->ssl);
508 PySSL_END_ALLOW_THREADS
509
510 Py_INCREF(Py_None);
511 return Py_None;
Antoine Pitrou94fbaac2010-06-24 22:49:57 +0000512
513error:
514 Py_DECREF(sock);
515 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000516}
517
Thomas Woutersed03b412007-08-28 21:37:11 +0000518static PyObject *
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000519_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) {
Thomas Woutersed03b412007-08-28 21:37:11 +0000520
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000521 char namebuf[X509_NAME_MAXLEN];
522 int buflen;
523 PyObject *name_obj;
524 PyObject *value_obj;
525 PyObject *attr;
526 unsigned char *valuebuf = NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000527
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000528 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
529 if (buflen < 0) {
530 _setSSLError(NULL, 0, __FILE__, __LINE__);
531 goto fail;
532 }
533 name_obj = PyUnicode_FromStringAndSize(namebuf, buflen);
534 if (name_obj == NULL)
535 goto fail;
Guido van Rossumf06628b2007-11-21 20:01:53 +0000536
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000537 buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
538 if (buflen < 0) {
539 _setSSLError(NULL, 0, __FILE__, __LINE__);
540 Py_DECREF(name_obj);
541 goto fail;
542 }
543 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
Antoine Pitroua29b1812010-05-12 14:08:45 +0000544 buflen, "strict");
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000545 OPENSSL_free(valuebuf);
546 if (value_obj == NULL) {
547 Py_DECREF(name_obj);
548 goto fail;
549 }
550 attr = PyTuple_New(2);
551 if (attr == NULL) {
552 Py_DECREF(name_obj);
553 Py_DECREF(value_obj);
554 goto fail;
555 }
556 PyTuple_SET_ITEM(attr, 0, name_obj);
557 PyTuple_SET_ITEM(attr, 1, value_obj);
558 return attr;
Thomas Woutersed03b412007-08-28 21:37:11 +0000559
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000560 fail:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000561 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000562}
563
564static PyObject *
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000565_create_tuple_for_X509_NAME (X509_NAME *xname)
Thomas Woutersed03b412007-08-28 21:37:11 +0000566{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000567 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */
568 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */
569 PyObject *rdnt;
570 PyObject *attr = NULL; /* tuple to hold an attribute */
571 int entry_count = X509_NAME_entry_count(xname);
572 X509_NAME_ENTRY *entry;
573 ASN1_OBJECT *name;
574 ASN1_STRING *value;
575 int index_counter;
576 int rdn_level = -1;
577 int retcode;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000578
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000579 dn = PyList_New(0);
580 if (dn == NULL)
581 return NULL;
582 /* now create another tuple to hold the top-level RDN */
583 rdn = PyList_New(0);
584 if (rdn == NULL)
585 goto fail0;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000586
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000587 for (index_counter = 0;
588 index_counter < entry_count;
589 index_counter++)
590 {
591 entry = X509_NAME_get_entry(xname, index_counter);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000592
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000593 /* check to see if we've gotten to a new RDN */
594 if (rdn_level >= 0) {
595 if (rdn_level != entry->set) {
596 /* yes, new RDN */
597 /* add old RDN to DN */
598 rdnt = PyList_AsTuple(rdn);
599 Py_DECREF(rdn);
600 if (rdnt == NULL)
601 goto fail0;
602 retcode = PyList_Append(dn, rdnt);
603 Py_DECREF(rdnt);
604 if (retcode < 0)
605 goto fail0;
606 /* create new RDN */
607 rdn = PyList_New(0);
608 if (rdn == NULL)
609 goto fail0;
610 }
611 }
612 rdn_level = entry->set;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000613
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000614 /* now add this attribute to the current RDN */
615 name = X509_NAME_ENTRY_get_object(entry);
616 value = X509_NAME_ENTRY_get_data(entry);
617 attr = _create_tuple_for_attribute(name, value);
618 /*
619 fprintf(stderr, "RDN level %d, attribute %s: %s\n",
620 entry->set,
621 PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
622 PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
623 */
624 if (attr == NULL)
625 goto fail1;
626 retcode = PyList_Append(rdn, attr);
627 Py_DECREF(attr);
628 if (retcode < 0)
629 goto fail1;
630 }
631 /* now, there's typically a dangling RDN */
632 if ((rdn != NULL) && (PyList_Size(rdn) > 0)) {
633 rdnt = PyList_AsTuple(rdn);
634 Py_DECREF(rdn);
635 if (rdnt == NULL)
636 goto fail0;
637 retcode = PyList_Append(dn, rdnt);
638 Py_DECREF(rdnt);
639 if (retcode < 0)
640 goto fail0;
641 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000642
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000643 /* convert list to tuple */
644 rdnt = PyList_AsTuple(dn);
645 Py_DECREF(dn);
646 if (rdnt == NULL)
647 return NULL;
648 return rdnt;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000649
650 fail1:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000651 Py_XDECREF(rdn);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000652
653 fail0:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000654 Py_XDECREF(dn);
655 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000656}
657
658static PyObject *
659_get_peer_alt_names (X509 *certificate) {
Guido van Rossumf06628b2007-11-21 20:01:53 +0000660
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000661 /* this code follows the procedure outlined in
662 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
663 function to extract the STACK_OF(GENERAL_NAME),
664 then iterates through the stack to add the
665 names. */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000666
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000667 int i, j;
668 PyObject *peer_alt_names = Py_None;
669 PyObject *v, *t;
670 X509_EXTENSION *ext = NULL;
671 GENERAL_NAMES *names = NULL;
672 GENERAL_NAME *name;
Benjamin Peterson31370952010-10-13 22:20:48 +0000673 const X509V3_EXT_METHOD *method;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000674 BIO *biobuf = NULL;
675 char buf[2048];
676 char *vptr;
677 int len;
678 /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */
Victor Stinner117ff172010-03-02 22:49:30 +0000679#if OPENSSL_VERSION_NUMBER >= 0x009060dfL
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000680 const unsigned char *p;
Victor Stinner117ff172010-03-02 22:49:30 +0000681#else
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000682 unsigned char *p;
Victor Stinner117ff172010-03-02 22:49:30 +0000683#endif
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000684
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000685 if (certificate == NULL)
686 return peer_alt_names;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000687
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000688 /* get a memory buffer */
689 biobuf = BIO_new(BIO_s_mem());
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000690
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000691 i = 0;
692 while ((i = X509_get_ext_by_NID(
693 certificate, NID_subject_alt_name, i)) >= 0) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000694
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000695 if (peer_alt_names == Py_None) {
696 peer_alt_names = PyList_New(0);
697 if (peer_alt_names == NULL)
698 goto fail;
699 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000700
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000701 /* now decode the altName */
702 ext = X509_get_ext(certificate, i);
703 if(!(method = X509V3_EXT_get(ext))) {
704 PyErr_SetString
705 (PySSLErrorObject,
706 ERRSTR("No method for internalizing subjectAltName!"));
707 goto fail;
708 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000709
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000710 p = ext->value->data;
711 if (method->it)
712 names = (GENERAL_NAMES*)
713 (ASN1_item_d2i(NULL,
714 &p,
715 ext->value->length,
716 ASN1_ITEM_ptr(method->it)));
717 else
718 names = (GENERAL_NAMES*)
719 (method->d2i(NULL,
720 &p,
721 ext->value->length));
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000722
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000723 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000724
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000725 /* get a rendering of each name in the set of names */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000726
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000727 name = sk_GENERAL_NAME_value(names, j);
728 if (name->type == GEN_DIRNAME) {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000729
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000730 /* we special-case DirName as a tuple of
731 tuples of attributes */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000732
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000733 t = PyTuple_New(2);
734 if (t == NULL) {
735 goto fail;
736 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000737
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000738 v = PyUnicode_FromString("DirName");
739 if (v == NULL) {
740 Py_DECREF(t);
741 goto fail;
742 }
743 PyTuple_SET_ITEM(t, 0, v);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000744
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000745 v = _create_tuple_for_X509_NAME (name->d.dirn);
746 if (v == NULL) {
747 Py_DECREF(t);
748 goto fail;
749 }
750 PyTuple_SET_ITEM(t, 1, v);
Guido van Rossumf06628b2007-11-21 20:01:53 +0000751
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000752 } else {
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000753
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000754 /* for everything else, we use the OpenSSL print form */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000755
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000756 (void) BIO_reset(biobuf);
757 GENERAL_NAME_print(biobuf, name);
758 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
759 if (len < 0) {
760 _setSSLError(NULL, 0, __FILE__, __LINE__);
761 goto fail;
762 }
763 vptr = strchr(buf, ':');
764 if (vptr == NULL)
765 goto fail;
766 t = PyTuple_New(2);
767 if (t == NULL)
768 goto fail;
769 v = PyUnicode_FromStringAndSize(buf, (vptr - buf));
770 if (v == NULL) {
771 Py_DECREF(t);
772 goto fail;
773 }
774 PyTuple_SET_ITEM(t, 0, v);
775 v = PyUnicode_FromStringAndSize((vptr + 1),
776 (len - (vptr - buf + 1)));
777 if (v == NULL) {
778 Py_DECREF(t);
779 goto fail;
780 }
781 PyTuple_SET_ITEM(t, 1, v);
782 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000783
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000784 /* and add that rendering to the list */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000785
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000786 if (PyList_Append(peer_alt_names, t) < 0) {
787 Py_DECREF(t);
788 goto fail;
789 }
790 Py_DECREF(t);
791 }
792 }
793 BIO_free(biobuf);
794 if (peer_alt_names != Py_None) {
795 v = PyList_AsTuple(peer_alt_names);
796 Py_DECREF(peer_alt_names);
797 return v;
798 } else {
799 return peer_alt_names;
800 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000801
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000802
803 fail:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000804 if (biobuf != NULL)
805 BIO_free(biobuf);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000806
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000807 if (peer_alt_names != Py_None) {
808 Py_XDECREF(peer_alt_names);
809 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000810
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000811 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000812}
813
814static PyObject *
815_decode_certificate (X509 *certificate, int verbose) {
816
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000817 PyObject *retval = NULL;
818 BIO *biobuf = NULL;
819 PyObject *peer;
820 PyObject *peer_alt_names = NULL;
821 PyObject *issuer;
822 PyObject *version;
823 PyObject *sn_obj;
824 ASN1_INTEGER *serialNumber;
825 char buf[2048];
826 int len;
827 ASN1_TIME *notBefore, *notAfter;
828 PyObject *pnotBefore, *pnotAfter;
Thomas Woutersed03b412007-08-28 21:37:11 +0000829
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000830 retval = PyDict_New();
831 if (retval == NULL)
832 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000833
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000834 peer = _create_tuple_for_X509_NAME(
835 X509_get_subject_name(certificate));
836 if (peer == NULL)
837 goto fail0;
838 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
839 Py_DECREF(peer);
840 goto fail0;
841 }
842 Py_DECREF(peer);
Thomas Woutersed03b412007-08-28 21:37:11 +0000843
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000844 if (verbose) {
845 issuer = _create_tuple_for_X509_NAME(
846 X509_get_issuer_name(certificate));
847 if (issuer == NULL)
848 goto fail0;
849 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
850 Py_DECREF(issuer);
851 goto fail0;
852 }
853 Py_DECREF(issuer);
Guido van Rossumf06628b2007-11-21 20:01:53 +0000854
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000855 version = PyLong_FromLong(X509_get_version(certificate) + 1);
856 if (PyDict_SetItemString(retval, "version", version) < 0) {
857 Py_DECREF(version);
858 goto fail0;
859 }
860 Py_DECREF(version);
861 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000862
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000863 /* get a memory buffer */
864 biobuf = BIO_new(BIO_s_mem());
Guido van Rossumf06628b2007-11-21 20:01:53 +0000865
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000866 if (verbose) {
Thomas Woutersed03b412007-08-28 21:37:11 +0000867
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000868 (void) BIO_reset(biobuf);
869 serialNumber = X509_get_serialNumber(certificate);
870 /* should not exceed 20 octets, 160 bits, so buf is big enough */
871 i2a_ASN1_INTEGER(biobuf, serialNumber);
872 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
873 if (len < 0) {
874 _setSSLError(NULL, 0, __FILE__, __LINE__);
875 goto fail1;
876 }
877 sn_obj = PyUnicode_FromStringAndSize(buf, len);
878 if (sn_obj == NULL)
879 goto fail1;
880 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
881 Py_DECREF(sn_obj);
882 goto fail1;
883 }
884 Py_DECREF(sn_obj);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000885
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000886 (void) BIO_reset(biobuf);
887 notBefore = X509_get_notBefore(certificate);
888 ASN1_TIME_print(biobuf, notBefore);
889 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
890 if (len < 0) {
891 _setSSLError(NULL, 0, __FILE__, __LINE__);
892 goto fail1;
893 }
894 pnotBefore = PyUnicode_FromStringAndSize(buf, len);
895 if (pnotBefore == NULL)
896 goto fail1;
897 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
898 Py_DECREF(pnotBefore);
899 goto fail1;
900 }
901 Py_DECREF(pnotBefore);
902 }
Thomas Woutersed03b412007-08-28 21:37:11 +0000903
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000904 (void) BIO_reset(biobuf);
905 notAfter = X509_get_notAfter(certificate);
906 ASN1_TIME_print(biobuf, notAfter);
907 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
908 if (len < 0) {
909 _setSSLError(NULL, 0, __FILE__, __LINE__);
910 goto fail1;
911 }
912 pnotAfter = PyUnicode_FromStringAndSize(buf, len);
913 if (pnotAfter == NULL)
914 goto fail1;
915 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
916 Py_DECREF(pnotAfter);
917 goto fail1;
918 }
919 Py_DECREF(pnotAfter);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000920
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000921 /* Now look for subjectAltName */
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000922
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000923 peer_alt_names = _get_peer_alt_names(certificate);
924 if (peer_alt_names == NULL)
925 goto fail1;
926 else if (peer_alt_names != Py_None) {
927 if (PyDict_SetItemString(retval, "subjectAltName",
928 peer_alt_names) < 0) {
929 Py_DECREF(peer_alt_names);
930 goto fail1;
931 }
932 Py_DECREF(peer_alt_names);
933 }
Guido van Rossumf06628b2007-11-21 20:01:53 +0000934
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000935 BIO_free(biobuf);
936 return retval;
Thomas Woutersed03b412007-08-28 21:37:11 +0000937
938 fail1:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000939 if (biobuf != NULL)
940 BIO_free(biobuf);
Thomas Woutersed03b412007-08-28 21:37:11 +0000941 fail0:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000942 Py_XDECREF(retval);
943 return NULL;
Thomas Woutersed03b412007-08-28 21:37:11 +0000944}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000945
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000946
947static PyObject *
948PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
949
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000950 PyObject *retval = NULL;
951 char *filename = NULL;
952 X509 *x=NULL;
953 BIO *cert;
954 int verbose = 1;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000955
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000956 if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate",
957 &filename, &verbose))
958 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000959
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000960 if ((cert=BIO_new(BIO_s_file())) == NULL) {
961 PyErr_SetString(PySSLErrorObject,
962 "Can't malloc memory to read file");
963 goto fail0;
964 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000965
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000966 if (BIO_read_filename(cert,filename) <= 0) {
967 PyErr_SetString(PySSLErrorObject,
968 "Can't open file");
969 goto fail0;
970 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000971
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000972 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
973 if (x == NULL) {
974 PyErr_SetString(PySSLErrorObject,
975 "Error decoding PEM-encoded file");
976 goto fail0;
977 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000978
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000979 retval = _decode_certificate(x, verbose);
Mark Dickinson732cc9b2010-08-03 18:33:11 +0000980 X509_free(x);
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000981
982 fail0:
Guido van Rossumf06628b2007-11-21 20:01:53 +0000983
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000984 if (cert != NULL) BIO_free(cert);
985 return retval;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000986}
987
988
989static PyObject *
990PySSL_peercert(PySSLObject *self, PyObject *args)
991{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000992 PyObject *retval = NULL;
993 int len;
994 int verification;
995 PyObject *binary_mode = Py_None;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000996
Antoine Pitrou30dc1a72010-05-05 16:01:14 +0000997 if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode))
998 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000999
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001000 if (!self->peer_cert)
1001 Py_RETURN_NONE;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001002
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001003 if (PyObject_IsTrue(binary_mode)) {
1004 /* return cert in DER-encoded format */
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001005
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001006 unsigned char *bytes_buf = NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001007
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001008 bytes_buf = NULL;
1009 len = i2d_X509(self->peer_cert, &bytes_buf);
1010 if (len < 0) {
1011 PySSL_SetError(self, len, __FILE__, __LINE__);
1012 return NULL;
1013 }
1014 /* this is actually an immutable bytes sequence */
1015 retval = PyBytes_FromStringAndSize
1016 ((const char *) bytes_buf, len);
1017 OPENSSL_free(bytes_buf);
1018 return retval;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001019
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001020 } else {
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001021
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001022 verification = SSL_CTX_get_verify_mode(self->ctx);
1023 if ((verification & SSL_VERIFY_PEER) == 0)
1024 return PyDict_New();
1025 else
1026 return _decode_certificate (self->peer_cert, 0);
1027 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001028}
1029
1030PyDoc_STRVAR(PySSL_peercert_doc,
1031"peer_certificate([der=False]) -> certificate\n\
1032\n\
1033Returns the certificate for the peer. If no certificate was provided,\n\
1034returns None. If a certificate was provided, but not validated, returns\n\
1035an empty dictionary. Otherwise returns a dict containing information\n\
1036about the peer certificate.\n\
1037\n\
1038If the optional argument is True, returns a DER-encoded copy of the\n\
1039peer certificate, or None if no certificate was provided. This will\n\
1040return the certificate even if it wasn't validated.");
1041
1042static PyObject *PySSL_cipher (PySSLObject *self) {
1043
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001044 PyObject *retval, *v;
Benjamin Peterson31370952010-10-13 22:20:48 +00001045 const SSL_CIPHER *current;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001046 char *cipher_name;
1047 char *cipher_protocol;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001048
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001049 if (self->ssl == NULL)
Hirokazu Yamamoto8e63c682010-12-09 12:30:05 +00001050 Py_RETURN_NONE;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001051 current = SSL_get_current_cipher(self->ssl);
1052 if (current == NULL)
Hirokazu Yamamoto8e63c682010-12-09 12:30:05 +00001053 Py_RETURN_NONE;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001054
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001055 retval = PyTuple_New(3);
1056 if (retval == NULL)
1057 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001058
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001059 cipher_name = (char *) SSL_CIPHER_get_name(current);
1060 if (cipher_name == NULL) {
Hirokazu Yamamoto8e63c682010-12-09 12:30:05 +00001061 Py_INCREF(Py_None);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001062 PyTuple_SET_ITEM(retval, 0, Py_None);
1063 } else {
1064 v = PyUnicode_FromString(cipher_name);
1065 if (v == NULL)
1066 goto fail0;
1067 PyTuple_SET_ITEM(retval, 0, v);
1068 }
1069 cipher_protocol = SSL_CIPHER_get_version(current);
1070 if (cipher_protocol == NULL) {
Hirokazu Yamamoto8e63c682010-12-09 12:30:05 +00001071 Py_INCREF(Py_None);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001072 PyTuple_SET_ITEM(retval, 1, Py_None);
1073 } else {
1074 v = PyUnicode_FromString(cipher_protocol);
1075 if (v == NULL)
1076 goto fail0;
1077 PyTuple_SET_ITEM(retval, 1, v);
1078 }
1079 v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL));
1080 if (v == NULL)
1081 goto fail0;
1082 PyTuple_SET_ITEM(retval, 2, v);
1083 return retval;
Guido van Rossumf06628b2007-11-21 20:01:53 +00001084
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001085 fail0:
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001086 Py_DECREF(retval);
1087 return NULL;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001088}
1089
Guido van Rossume6650f92007-12-06 19:05:55 +00001090static void PySSL_dealloc(PySSLObject *self)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001091{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001092 if (self->peer_cert) /* Possible not to have one? */
1093 X509_free (self->peer_cert);
1094 if (self->ssl)
1095 SSL_free(self->ssl);
1096 if (self->ctx)
1097 SSL_CTX_free(self->ctx);
1098 Py_XDECREF(self->Socket);
1099 PyObject_Del(self);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001100}
1101
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001102/* If the socket has a timeout, do a select()/poll() on the socket.
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001103 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001104 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001105 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001106
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001107static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +00001108check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001109{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001110 fd_set fds;
1111 struct timeval tv;
1112 int rc;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001113
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001114 /* Nothing to do unless we're in timeout mode (not non-blocking) */
1115 if (s->sock_timeout < 0.0)
1116 return SOCKET_IS_BLOCKING;
1117 else if (s->sock_timeout == 0.0)
1118 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001119
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001120 /* Guard against closed socket */
1121 if (s->sock_fd < 0)
1122 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001123
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001124 /* Prefer poll, if available, since you can poll() any fd
1125 * which can't be done with select(). */
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001126#ifdef HAVE_POLL
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001127 {
1128 struct pollfd pollfd;
1129 int timeout;
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001130
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001131 pollfd.fd = s->sock_fd;
1132 pollfd.events = writing ? POLLOUT : POLLIN;
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001133
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001134 /* s->sock_timeout is in seconds, timeout in ms */
1135 timeout = (int)(s->sock_timeout * 1000 + 0.5);
1136 PySSL_BEGIN_ALLOW_THREADS
1137 rc = poll(&pollfd, 1, timeout);
1138 PySSL_END_ALLOW_THREADS
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001139
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001140 goto normal_return;
1141 }
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001142#endif
1143
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001144 /* Guard against socket too large for select*/
Martin v. Löwisf84d1b92006-02-11 09:27:05 +00001145#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001146 if (s->sock_fd >= FD_SETSIZE)
1147 return SOCKET_TOO_LARGE_FOR_SELECT;
Martin v. Löwisf84d1b92006-02-11 09:27:05 +00001148#endif
Neal Norwitz082b2df2006-02-07 07:04:46 +00001149
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001150 /* Construct the arguments to select */
1151 tv.tv_sec = (int)s->sock_timeout;
1152 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
1153 FD_ZERO(&fds);
1154 FD_SET(s->sock_fd, &fds);
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001155
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001156 /* See if the socket is ready */
1157 PySSL_BEGIN_ALLOW_THREADS
1158 if (writing)
1159 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
1160 else
1161 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
1162 PySSL_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001163
Bill Janssen6e027db2007-11-15 22:23:56 +00001164#ifdef HAVE_POLL
Thomas Wouters0e3f5912006-08-11 14:57:12 +00001165normal_return:
Bill Janssen6e027db2007-11-15 22:23:56 +00001166#endif
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001167 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1168 (when we are able to write or when there's something to read) */
1169 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +00001170}
1171
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001172static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
1173{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001174 char *data;
1175 int len;
1176 int count;
1177 int sockstate;
1178 int err;
1179 int nonblocking;
1180 PySocketSockObject *sock
1181 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen54cc54c2007-12-14 22:08:56 +00001182
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001183 if (((PyObject*)sock) == Py_None) {
1184 _setSSLError("Underlying socket connection gone",
1185 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1186 return NULL;
1187 }
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001188 Py_INCREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001189
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001190 if (!PyArg_ParseTuple(args, "y#:write", &data, &count)) {
1191 Py_DECREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001192 return NULL;
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001193 }
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001194
1195 /* just in case the blocking state of the socket has been changed */
1196 nonblocking = (sock->sock_timeout >= 0.0);
1197 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1198 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1199
1200 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1201 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1202 PyErr_SetString(PySSLErrorObject,
1203 "The write operation timed out");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001204 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001205 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1206 PyErr_SetString(PySSLErrorObject,
1207 "Underlying socket has been closed.");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001208 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001209 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1210 PyErr_SetString(PySSLErrorObject,
1211 "Underlying socket too large for select().");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001212 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001213 }
1214 do {
1215 err = 0;
1216 PySSL_BEGIN_ALLOW_THREADS
1217 len = SSL_write(self->ssl, data, count);
1218 err = SSL_get_error(self->ssl, len);
1219 PySSL_END_ALLOW_THREADS
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001220 if (PyErr_CheckSignals())
1221 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001222 if (err == SSL_ERROR_WANT_READ) {
Antoine Pitroua29b1812010-05-12 14:08:45 +00001223 sockstate = check_socket_and_wait_for_timeout(sock, 0);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001224 } else if (err == SSL_ERROR_WANT_WRITE) {
Antoine Pitroua29b1812010-05-12 14:08:45 +00001225 sockstate = check_socket_and_wait_for_timeout(sock, 1);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001226 } else {
1227 sockstate = SOCKET_OPERATION_OK;
1228 }
1229 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1230 PyErr_SetString(PySSLErrorObject,
1231 "The write operation timed out");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001232 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001233 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1234 PyErr_SetString(PySSLErrorObject,
1235 "Underlying socket has been closed.");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001236 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001237 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1238 break;
1239 }
1240 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001241
1242 Py_DECREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001243 if (len > 0)
1244 return PyLong_FromLong(len);
1245 else
1246 return PySSL_SetError(self, len, __FILE__, __LINE__);
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001247
1248error:
1249 Py_DECREF(sock);
1250 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001251}
1252
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001253PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001254"write(s) -> len\n\
1255\n\
1256Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001257of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001258
Bill Janssen6e027db2007-11-15 22:23:56 +00001259static PyObject *PySSL_SSLpending(PySSLObject *self)
1260{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001261 int count = 0;
Bill Janssen6e027db2007-11-15 22:23:56 +00001262
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001263 PySSL_BEGIN_ALLOW_THREADS
1264 count = SSL_pending(self->ssl);
1265 PySSL_END_ALLOW_THREADS
1266 if (count < 0)
1267 return PySSL_SetError(self, count, __FILE__, __LINE__);
1268 else
1269 return PyLong_FromLong(count);
Bill Janssen6e027db2007-11-15 22:23:56 +00001270}
1271
1272PyDoc_STRVAR(PySSL_SSLpending_doc,
1273"pending() -> count\n\
1274\n\
1275Returns the number of already decrypted bytes available for read,\n\
1276pending on the connection.\n");
1277
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001278static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
1279{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001280 PyObject *dest = NULL;
1281 Py_buffer buf;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001282 char *mem;
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001283 int len, count;
1284 int buf_passed = 0;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001285 int sockstate;
1286 int err;
1287 int nonblocking;
1288 PySocketSockObject *sock
1289 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen54cc54c2007-12-14 22:08:56 +00001290
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001291 if (((PyObject*)sock) == Py_None) {
1292 _setSSLError("Underlying socket connection gone",
1293 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1294 return NULL;
1295 }
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001296 Py_INCREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001297
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001298 buf.obj = NULL;
1299 buf.buf = NULL;
1300 if (!PyArg_ParseTuple(args, "i|w*:read", &len, &buf))
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001301 goto error;
1302
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001303 if ((buf.buf == NULL) && (buf.obj == NULL)) {
1304 dest = PyBytes_FromStringAndSize(NULL, len);
1305 if (dest == NULL)
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001306 goto error;
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001307 mem = PyBytes_AS_STRING(dest);
1308 }
1309 else {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001310 buf_passed = 1;
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001311 mem = buf.buf;
1312 if (len <= 0 || len > buf.len) {
1313 len = (int) buf.len;
1314 if (buf.len != len) {
1315 PyErr_SetString(PyExc_OverflowError,
1316 "maximum length can't fit in a C 'int'");
1317 goto error;
1318 }
1319 }
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001320 }
1321
1322 /* just in case the blocking state of the socket has been changed */
1323 nonblocking = (sock->sock_timeout >= 0.0);
1324 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1325 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1326
1327 /* first check if there are bytes ready to be read */
1328 PySSL_BEGIN_ALLOW_THREADS
1329 count = SSL_pending(self->ssl);
1330 PySSL_END_ALLOW_THREADS
1331
1332 if (!count) {
1333 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1334 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1335 PyErr_SetString(PySSLErrorObject,
1336 "The read operation timed out");
1337 goto error;
1338 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1339 PyErr_SetString(PySSLErrorObject,
Antoine Pitroua29b1812010-05-12 14:08:45 +00001340 "Underlying socket too large for select().");
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001341 goto error;
1342 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1343 count = 0;
1344 goto done;
Bill Janssen54cc54c2007-12-14 22:08:56 +00001345 }
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001346 }
1347 do {
1348 err = 0;
1349 PySSL_BEGIN_ALLOW_THREADS
1350 count = SSL_read(self->ssl, mem, len);
1351 err = SSL_get_error(self->ssl, count);
1352 PySSL_END_ALLOW_THREADS
1353 if (PyErr_CheckSignals())
1354 goto error;
1355 if (err == SSL_ERROR_WANT_READ) {
Antoine Pitroua29b1812010-05-12 14:08:45 +00001356 sockstate = check_socket_and_wait_for_timeout(sock, 0);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001357 } else if (err == SSL_ERROR_WANT_WRITE) {
Antoine Pitroua29b1812010-05-12 14:08:45 +00001358 sockstate = check_socket_and_wait_for_timeout(sock, 1);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001359 } else if ((err == SSL_ERROR_ZERO_RETURN) &&
1360 (SSL_get_shutdown(self->ssl) ==
1361 SSL_RECEIVED_SHUTDOWN))
1362 {
1363 count = 0;
1364 goto done;
1365 } else {
1366 sockstate = SOCKET_OPERATION_OK;
1367 }
1368 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1369 PyErr_SetString(PySSLErrorObject,
1370 "The read operation timed out");
1371 goto error;
1372 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
1373 break;
1374 }
1375 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
1376 if (count <= 0) {
1377 PySSL_SetError(self, count, __FILE__, __LINE__);
1378 goto error;
1379 }
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001380
1381done:
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001382 Py_DECREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001383 if (!buf_passed) {
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001384 _PyBytes_Resize(&dest, count);
1385 return dest;
1386 }
1387 else {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001388 PyBuffer_Release(&buf);
1389 return PyLong_FromLong(count);
1390 }
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001391
1392error:
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001393 Py_DECREF(sock);
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001394 if (!buf_passed)
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001395 Py_XDECREF(dest);
Antoine Pitrou10c4c232010-09-03 18:39:47 +00001396 else
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001397 PyBuffer_Release(&buf);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001398 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001399}
1400
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001401PyDoc_STRVAR(PySSL_SSLread_doc,
Bill Janssen6e027db2007-11-15 22:23:56 +00001402"read([len]) -> string\n\
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001403\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001404Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001405
Bill Janssen40a0f662008-08-12 16:56:25 +00001406static PyObject *PySSL_SSLshutdown(PySSLObject *self)
1407{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001408 int err, ssl_err, sockstate, nonblocking;
1409 int zeros = 0;
1410 PySocketSockObject *sock
1411 = (PySocketSockObject *) PyWeakref_GetObject(self->Socket);
Bill Janssen40a0f662008-08-12 16:56:25 +00001412
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001413 /* Guard against closed socket */
1414 if ((((PyObject*)sock) == Py_None) || (sock->sock_fd < 0)) {
1415 _setSSLError("Underlying socket connection gone",
1416 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1417 return NULL;
1418 }
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001419 Py_INCREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001420
1421 /* Just in case the blocking state of the socket has been changed */
1422 nonblocking = (sock->sock_timeout >= 0.0);
1423 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1424 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1425
1426 while (1) {
1427 PySSL_BEGIN_ALLOW_THREADS
1428 /* Disable read-ahead so that unwrap can work correctly.
1429 * Otherwise OpenSSL might read in too much data,
1430 * eating clear text data that happens to be
1431 * transmitted after the SSL shutdown.
1432 * Should be safe to call repeatedly everytime this
1433 * function is used and the shutdown_seen_zero != 0
1434 * condition is met.
1435 */
1436 if (self->shutdown_seen_zero)
1437 SSL_set_read_ahead(self->ssl, 0);
1438 err = SSL_shutdown(self->ssl);
1439 PySSL_END_ALLOW_THREADS
1440 /* If err == 1, a secure shutdown with SSL_shutdown() is complete */
1441 if (err > 0)
1442 break;
1443 if (err == 0) {
1444 /* Don't loop endlessly; instead preserve legacy
1445 behaviour of trying SSL_shutdown() only twice.
1446 This looks necessary for OpenSSL < 0.9.8m */
1447 if (++zeros > 1)
1448 break;
1449 /* Shutdown was sent, now try receiving */
1450 self->shutdown_seen_zero = 1;
1451 continue;
Bill Janssen40a0f662008-08-12 16:56:25 +00001452 }
1453
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001454 /* Possibly retry shutdown until timeout or failure */
1455 ssl_err = SSL_get_error(self->ssl, err);
1456 if (ssl_err == SSL_ERROR_WANT_READ)
1457 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1458 else if (ssl_err == SSL_ERROR_WANT_WRITE)
1459 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1460 else
1461 break;
1462 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1463 if (ssl_err == SSL_ERROR_WANT_READ)
1464 PyErr_SetString(PySSLErrorObject,
1465 "The read operation timed out");
1466 else
1467 PyErr_SetString(PySSLErrorObject,
1468 "The write operation timed out");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001469 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001470 }
1471 else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1472 PyErr_SetString(PySSLErrorObject,
1473 "Underlying socket too large for select().");
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001474 goto error;
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001475 }
1476 else if (sockstate != SOCKET_OPERATION_OK)
1477 /* Retain the SSL error code */
1478 break;
1479 }
Antoine Pitrou5a1c4d12010-04-23 21:11:10 +00001480
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001481 if (err < 0) {
1482 Py_DECREF(sock);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001483 return PySSL_SetError(self, err, __FILE__, __LINE__);
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001484 }
Antoine Pitrou94fbaac2010-06-24 22:49:57 +00001485 else
1486 /* It's already INCREF'ed */
1487 return (PyObject *) sock;
1488
1489error:
1490 Py_DECREF(sock);
1491 return NULL;
Bill Janssen40a0f662008-08-12 16:56:25 +00001492}
1493
1494PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1495"shutdown(s) -> socket\n\
1496\n\
1497Does the SSL shutdown handshake with the remote end, and returns\n\
1498the underlying socket object.");
1499
1500
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001501static PyMethodDef PySSLMethods[] = {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001502 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
1503 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
1504 PySSL_SSLwrite_doc},
1505 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
1506 PySSL_SSLread_doc},
1507 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
1508 PySSL_SSLpending_doc},
1509 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
1510 PySSL_peercert_doc},
1511 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
1512 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
1513 PySSL_SSLshutdown_doc},
1514 {NULL, NULL}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001515};
1516
Jeremy Hylton938ace62002-07-17 16:30:39 +00001517static PyTypeObject PySSL_Type = {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001518 PyVarObject_HEAD_INIT(NULL, 0)
1519 "ssl.SSLContext", /*tp_name*/
1520 sizeof(PySSLObject), /*tp_basicsize*/
1521 0, /*tp_itemsize*/
1522 /* methods */
1523 (destructor)PySSL_dealloc, /*tp_dealloc*/
1524 0, /*tp_print*/
1525 0, /*tp_getattr*/
1526 0, /*tp_setattr*/
1527 0, /*tp_reserved*/
1528 0, /*tp_repr*/
1529 0, /*tp_as_number*/
1530 0, /*tp_as_sequence*/
1531 0, /*tp_as_mapping*/
1532 0, /*tp_hash*/
1533 0, /*tp_call*/
1534 0, /*tp_str*/
1535 0, /*tp_getattro*/
1536 0, /*tp_setattro*/
1537 0, /*tp_as_buffer*/
1538 Py_TPFLAGS_DEFAULT, /*tp_flags*/
1539 0, /*tp_doc*/
1540 0, /*tp_traverse*/
1541 0, /*tp_clear*/
1542 0, /*tp_richcompare*/
1543 0, /*tp_weaklistoffset*/
1544 0, /*tp_iter*/
1545 0, /*tp_iternext*/
1546 PySSLMethods, /*tp_methods*/
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001547};
1548
1549#ifdef HAVE_OPENSSL_RAND
1550
1551/* helper routines for seeding the SSL PRNG */
1552static PyObject *
1553PySSL_RAND_add(PyObject *self, PyObject *args)
1554{
1555 char *buf;
1556 int len;
1557 double entropy;
1558
1559 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
Antoine Pitroua29b1812010-05-12 14:08:45 +00001560 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001561 RAND_add(buf, len, entropy);
1562 Py_INCREF(Py_None);
1563 return Py_None;
1564}
1565
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001566PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001567"RAND_add(string, entropy)\n\
1568\n\
1569Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001570bound on the entropy contained in string. See RFC 1750.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001571
1572static PyObject *
1573PySSL_RAND_status(PyObject *self)
1574{
Christian Heimes217cfd12007-12-02 14:31:20 +00001575 return PyLong_FromLong(RAND_status());
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001576}
1577
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001578PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001579"RAND_status() -> 0 or 1\n\
1580\n\
Bill Janssen6e027db2007-11-15 22:23:56 +00001581Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
1582It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
1583using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001584
1585static PyObject *
1586PySSL_RAND_egd(PyObject *self, PyObject *arg)
1587{
1588 int bytes;
1589
Bill Janssen6e027db2007-11-15 22:23:56 +00001590 if (!PyUnicode_Check(arg))
Antoine Pitroua29b1812010-05-12 14:08:45 +00001591 return PyErr_Format(PyExc_TypeError,
1592 "RAND_egd() expected string, found %s",
1593 Py_TYPE(arg)->tp_name);
Marc-André Lemburg4cc0f242008-08-07 18:54:33 +00001594 bytes = RAND_egd(_PyUnicode_AsString(arg));
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001595 if (bytes == -1) {
Antoine Pitroua29b1812010-05-12 14:08:45 +00001596 PyErr_SetString(PySSLErrorObject,
1597 "EGD connection failed or EGD did not return "
1598 "enough data to seed the PRNG");
1599 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001600 }
Christian Heimes217cfd12007-12-02 14:31:20 +00001601 return PyLong_FromLong(bytes);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001602}
1603
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001604PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001605"RAND_egd(path) -> bytes\n\
1606\n\
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001607Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
1608Returns number of bytes read. Raises SSLError if connection to EGD\n\
1609fails or if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001610
1611#endif
1612
Bill Janssen40a0f662008-08-12 16:56:25 +00001613
1614
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001615/* List of functions exported by this module. */
1616
1617static PyMethodDef PySSL_methods[] = {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001618 {"sslwrap", PySSL_sslwrap,
1619 METH_VARARGS, ssl_doc},
1620 {"_test_decode_cert", PySSL_test_decode_certificate,
1621 METH_VARARGS},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001622#ifdef HAVE_OPENSSL_RAND
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001623 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
1624 PySSL_RAND_add_doc},
1625 {"RAND_egd", PySSL_RAND_egd, METH_O,
1626 PySSL_RAND_egd_doc},
1627 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
1628 PySSL_RAND_status_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001629#endif
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001630 {NULL, NULL} /* Sentinel */
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001631};
1632
1633
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001634#ifdef WITH_THREAD
1635
1636/* an implementation of OpenSSL threading operations in terms
1637 of the Python C thread library */
1638
1639static PyThread_type_lock *_ssl_locks = NULL;
1640
1641static unsigned long _ssl_thread_id_function (void) {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001642 return PyThread_get_thread_ident();
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001643}
1644
Bill Janssen6e027db2007-11-15 22:23:56 +00001645static void _ssl_thread_locking_function
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001646 (int mode, int n, const char *file, int line) {
1647 /* this function is needed to perform locking on shared data
1648 structures. (Note that OpenSSL uses a number of global data
1649 structures that will be implicitly shared whenever multiple
1650 threads use OpenSSL.) Multi-threaded applications will
1651 crash at random if it is not set.
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001652
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001653 locking_function() must be able to handle up to
1654 CRYPTO_num_locks() different mutex locks. It sets the n-th
1655 lock if mode & CRYPTO_LOCK, and releases it otherwise.
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001656
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001657 file and line are the file number of the function setting the
1658 lock. They can be useful for debugging.
1659 */
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001660
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001661 if ((_ssl_locks == NULL) ||
1662 (n < 0) || ((unsigned)n >= _ssl_locks_count))
1663 return;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001664
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001665 if (mode & CRYPTO_LOCK) {
1666 PyThread_acquire_lock(_ssl_locks[n], 1);
1667 } else {
1668 PyThread_release_lock(_ssl_locks[n]);
1669 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001670}
1671
1672static int _setup_ssl_threads(void) {
1673
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001674 unsigned int i;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001675
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001676 if (_ssl_locks == NULL) {
1677 _ssl_locks_count = CRYPTO_num_locks();
1678 _ssl_locks = (PyThread_type_lock *)
1679 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
1680 if (_ssl_locks == NULL)
1681 return 0;
1682 memset(_ssl_locks, 0,
1683 sizeof(PyThread_type_lock) * _ssl_locks_count);
1684 for (i = 0; i < _ssl_locks_count; i++) {
1685 _ssl_locks[i] = PyThread_allocate_lock();
1686 if (_ssl_locks[i] == NULL) {
1687 unsigned int j;
1688 for (j = 0; j < i; j++) {
1689 PyThread_free_lock(_ssl_locks[j]);
1690 }
1691 free(_ssl_locks);
1692 return 0;
1693 }
1694 }
1695 CRYPTO_set_locking_callback(_ssl_thread_locking_function);
1696 CRYPTO_set_id_callback(_ssl_thread_id_function);
1697 }
1698 return 1;
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001699}
1700
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001701#endif /* def HAVE_THREAD */
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001702
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001703PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001704"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +00001705for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001706
Martin v. Löwis1a214512008-06-11 05:26:20 +00001707
1708static struct PyModuleDef _sslmodule = {
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001709 PyModuleDef_HEAD_INIT,
1710 "_ssl",
1711 module_doc,
1712 -1,
1713 PySSL_methods,
1714 NULL,
1715 NULL,
1716 NULL,
1717 NULL
Martin v. Löwis1a214512008-06-11 05:26:20 +00001718};
1719
Mark Hammondfe51c6d2002-08-02 02:27:13 +00001720PyMODINIT_FUNC
Martin v. Löwis1a214512008-06-11 05:26:20 +00001721PyInit__ssl(void)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001722{
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001723 PyObject *m, *d;
1724 PySocketModule_APIObject *socket_api;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001725
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001726 if (PyType_Ready(&PySSL_Type) < 0)
1727 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001728
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001729 m = PyModule_Create(&_sslmodule);
1730 if (m == NULL)
1731 return NULL;
1732 d = PyModule_GetDict(m);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001733
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001734 /* Load _socket module and its C API */
1735 socket_api = PySocketModule_ImportModuleAndAPI();
1736 if (!socket_api)
1737 return NULL;
1738 PySocketModule = *socket_api;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001739
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001740 /* Init OpenSSL */
1741 SSL_load_error_strings();
1742 SSL_library_init();
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001743#ifdef WITH_THREAD
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001744 /* note that this will start threading if not already started */
1745 if (!_setup_ssl_threads()) {
1746 return NULL;
1747 }
Thomas Wouters1b7f8912007-09-19 03:06:30 +00001748#endif
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001749 OpenSSL_add_all_algorithms();
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001750
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001751 /* Add symbols to module dict */
1752 PySSLErrorObject = PyErr_NewException("ssl.SSLError",
1753 PySocketModule.error,
1754 NULL);
1755 if (PySSLErrorObject == NULL)
1756 return NULL;
1757 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0)
1758 return NULL;
1759 if (PyDict_SetItemString(d, "SSLType",
1760 (PyObject *)&PySSL_Type) != 0)
1761 return NULL;
1762 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
1763 PY_SSL_ERROR_ZERO_RETURN);
1764 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
1765 PY_SSL_ERROR_WANT_READ);
1766 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
1767 PY_SSL_ERROR_WANT_WRITE);
1768 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
1769 PY_SSL_ERROR_WANT_X509_LOOKUP);
1770 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
1771 PY_SSL_ERROR_SYSCALL);
1772 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
1773 PY_SSL_ERROR_SSL);
1774 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
1775 PY_SSL_ERROR_WANT_CONNECT);
1776 /* non ssl.h errorcodes */
1777 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
1778 PY_SSL_ERROR_EOF);
1779 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
1780 PY_SSL_ERROR_INVALID_ERROR_CODE);
1781 /* cert requirements */
1782 PyModule_AddIntConstant(m, "CERT_NONE",
1783 PY_SSL_CERT_NONE);
1784 PyModule_AddIntConstant(m, "CERT_OPTIONAL",
1785 PY_SSL_CERT_OPTIONAL);
1786 PyModule_AddIntConstant(m, "CERT_REQUIRED",
1787 PY_SSL_CERT_REQUIRED);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +00001788
Antoine Pitrou30dc1a72010-05-05 16:01:14 +00001789 /* protocol versions */
1790 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
1791 PY_SSL_VERSION_SSL2);
1792 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
1793 PY_SSL_VERSION_SSL3);
1794 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
1795 PY_SSL_VERSION_SSL23);
1796 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
1797 PY_SSL_VERSION_TLS1);
1798 return m;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +00001799}