Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / ba8c5653cc9d2777f8becacad122801a388d6cff / . / Modules / _ssl.c
blob: 4d6c38cc3b12d463ac38dec6557d0f722029e5b7 [file] [log] [blame]
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]1/* SSL socket module
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4
5 This module is imported by socket.py. It should *not* be used
6 directly.
7
8*/
9
10#include "Python.h"
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]11
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]12enum py_ssl_error {
13 /* these mirror ssl.h */
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]14 PY_SSL_ERROR_NONE,
15 PY_SSL_ERROR_SSL,
16 PY_SSL_ERROR_WANT_READ,
17 PY_SSL_ERROR_WANT_WRITE,
18 PY_SSL_ERROR_WANT_X509_LOOKUP,
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]19 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]20 PY_SSL_ERROR_ZERO_RETURN,
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]21 PY_SSL_ERROR_WANT_CONNECT,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]22 /* start of non ssl.h errorcodes */
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]23 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
24 PY_SSL_ERROR_INVALID_ERROR_CODE
25};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]26
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]27enum py_ssl_server_or_client {
28 PY_SSL_CLIENT,
29 PY_SSL_SERVER
30};
31
32enum py_ssl_cert_requirements {
33 PY_SSL_CERT_NONE,
34 PY_SSL_CERT_OPTIONAL,
35 PY_SSL_CERT_REQUIRED
36};
37
38enum py_ssl_version {
39 PY_SSL_VERSION_SSL2,
40 PY_SSL_VERSION_SSL3,
41 PY_SSL_VERSION_SSL23,
42 PY_SSL_VERSION_TLS1,
43};
44
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]45/* Include symbols from _socket module */
46#include "socketmodule.h"
47
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]48#if defined(HAVE_POLL_H)
Anthony Baxter93ab5fa2006-07-11 02:04:09 +0000[diff] [blame]49#include <poll.h>
50#elif defined(HAVE_SYS_POLL_H)
51#include <sys/poll.h>
52#endif
53
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]54/* Include OpenSSL header files */
55#include "openssl/rsa.h"
56#include "openssl/crypto.h"
57#include "openssl/x509.h"
58#include "openssl/pem.h"
59#include "openssl/ssl.h"
60#include "openssl/err.h"
61#include "openssl/rand.h"
62
63/* SSL error object */
64static PyObject *PySSLErrorObject;
65
66/* SSL socket object */
67
68#define X509_NAME_MAXLEN 256
69
70/* RAND_* APIs got added to OpenSSL in 0.9.5 */
71#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
72# define HAVE_OPENSSL_RAND 1
73#else
74# undef HAVE_OPENSSL_RAND
75#endif
76
77typedef struct {
78 PyObject_HEAD
79 PySocketSockObject *Socket; /* Socket on which we're layered */
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]80 SSL_CTX* ctx;
81 SSL* ssl;
82 X509* peer_cert;
83 char server[X509_NAME_MAXLEN];
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]84 char issuer[X509_NAME_MAXLEN];
85
86} PySSLObject;
87
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]88static PyTypeObject PySSL_Type;
89static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
90static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]91static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]92 int writing);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]93static PyObject *PySSL_peercert(PySSLObject *self);
94
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]95
Martin v. Löwis68192102007-07-21 06:55:02 +0000[diff] [blame]96#define PySSLObject_Check(v) (Py_Type(v) == &PySSL_Type)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]97
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]98typedef enum {
99 SOCKET_IS_NONBLOCKING,
100 SOCKET_IS_BLOCKING,
101 SOCKET_HAS_TIMED_OUT,
102 SOCKET_HAS_BEEN_CLOSED,
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]103 SOCKET_TOO_LARGE_FOR_SELECT,
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]104 SOCKET_OPERATION_OK
105} timeout_state;
106
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]107/* Wrap error strings with filename and line # */
108#define STRINGIFY1(x) #x
109#define STRINGIFY2(x) STRINGIFY1(x)
110#define ERRSTR1(x,y,z) (x ":" y ": " z)
111#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
112
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]113/* XXX It might be helpful to augment the error message generated
114 below with the name of the SSL function that generated the error.
115 I expect it's obvious most of the time.
116*/
117
118static PyObject *
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]119PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]120{
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]121 PyObject *v;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]122 char buf[2048];
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]123 char *errstr;
124 int err;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]125 enum py_ssl_error p;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]126
127 assert(ret <= 0);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]128
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]129 err = SSL_get_error(obj->ssl, ret);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]130
131 switch (err) {
132 case SSL_ERROR_ZERO_RETURN:
133 errstr = "TLS/SSL connection has been closed";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]134 p = PY_SSL_ERROR_ZERO_RETURN;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]135 break;
136 case SSL_ERROR_WANT_READ:
137 errstr = "The operation did not complete (read)";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]138 p = PY_SSL_ERROR_WANT_READ;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]139 break;
140 case SSL_ERROR_WANT_WRITE:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]141 p = PY_SSL_ERROR_WANT_WRITE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]142 errstr = "The operation did not complete (write)";
143 break;
144 case SSL_ERROR_WANT_X509_LOOKUP:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]145 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]146 errstr = "The operation did not complete (X509 lookup)";
147 break;
148 case SSL_ERROR_WANT_CONNECT:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]149 p = PY_SSL_ERROR_WANT_CONNECT;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]150 errstr = "The operation did not complete (connect)";
151 break;
152 case SSL_ERROR_SYSCALL:
153 {
154 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]155 if (e == 0) {
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]156 if (ret == 0 || !obj->Socket) {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]157 p = PY_SSL_ERROR_EOF;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]158 errstr = "EOF occurred in violation of protocol";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]159 } else if (ret == -1) {
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]160 /* the underlying BIO reported an I/O error */
161 return obj->Socket->errorhandler();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]162 } else { /* possible? */
163 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]164 errstr = "Some I/O error occurred";
165 }
166 } else {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]167 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]168 /* XXX Protected by global interpreter lock */
169 errstr = ERR_error_string(e, NULL);
170 }
171 break;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]172 }
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]173 case SSL_ERROR_SSL:
174 {
175 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]176 p = PY_SSL_ERROR_SSL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]177 if (e != 0)
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]178 /* XXX Protected by global interpreter lock */
179 errstr = ERR_error_string(e, NULL);
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]180 else { /* possible? */
181 errstr = "A failure in the SSL library occurred";
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]182 }
183 break;
184 }
185 default:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]186 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]187 errstr = "Invalid error code";
188 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]189
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]190 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
191 v = Py_BuildValue("(is)", p, buf);
192 if (v != NULL) {
193 PyErr_SetObject(PySSLErrorObject, v);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]194 Py_DECREF(v);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]195 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]196 return NULL;
197}
198
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]199static PySSLObject *
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]200newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
201 enum py_ssl_server_or_client socket_type,
202 enum py_ssl_cert_requirements certreq,
203 enum py_ssl_version proto_version,
204 char *cacerts_file)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]205{
206 PySSLObject *self;
207 char *errstr = NULL;
208 int ret;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]209 int err;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]210 int sockstate;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]211 int verification_mode;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]212
213 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
Neal Norwitz38e3b7d2006-05-11 07:51:59 +0000[diff] [blame]214 if (self == NULL)
Neal Norwitzc6a989a2006-05-10 06:57:58 +0000[diff] [blame]215 return NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]216 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
217 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]218 self->peer_cert = NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]219 self->ssl = NULL;
220 self->ctx = NULL;
221 self->Socket = NULL;
222
223 if ((key_file && !cert_file) || (!key_file && cert_file)) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]224 errstr = ERRSTR("Both the key & certificate files must be specified");
225 goto fail;
226 }
227
228 if ((socket_type == PY_SSL_SERVER) &&
229 ((key_file == NULL) || (cert_file == NULL))) {
230 errstr = ERRSTR("Both the key & certificate files must be specified for server-side operation");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]231 goto fail;
232 }
233
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]234 Py_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]235 if (proto_version == PY_SSL_VERSION_TLS1)
236 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
237 else if (proto_version == PY_SSL_VERSION_SSL3)
238 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
239 else if (proto_version == PY_SSL_VERSION_SSL2)
240 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
241 else
242 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]243 Py_END_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]244
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]245 if (self->ctx == NULL) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]246 errstr = ERRSTR("Invalid SSL protocol variant specified.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]247 goto fail;
248 }
249
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]250 if (certreq != PY_SSL_CERT_NONE) {
251 if (cacerts_file == NULL) {
252 errstr = ERRSTR("No root certificates specified for verification of other-side certificates.");
253 goto fail;
254 } else {
255 Py_BEGIN_ALLOW_THREADS
256 ret = SSL_CTX_load_verify_locations(self->ctx,
257 cacerts_file, NULL);
258 Py_END_ALLOW_THREADS
259 if (ret < 1) {
260 errstr = ERRSTR("SSL_CTX_load_verify_locations");
261 goto fail;
262 }
263 }
264 }
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]265 if (key_file) {
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]266 Py_BEGIN_ALLOW_THREADS
267 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]268 SSL_FILETYPE_PEM);
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]269 Py_END_ALLOW_THREADS
270 if (ret < 1) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]271 errstr = ERRSTR("SSL_CTX_use_PrivateKey_file error");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]272 goto fail;
273 }
274
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]275 Py_BEGIN_ALLOW_THREADS
276 ret = SSL_CTX_use_certificate_chain_file(self->ctx,
277 cert_file);
278 Py_END_ALLOW_THREADS
279 if (ret < 1) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]280 errstr = ERRSTR("SSL_CTX_use_certificate_chain_file error") ;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]281 goto fail;
282 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]283 SSL_CTX_set_options(self->ctx, SSL_OP_ALL); /* ssl compatibility */
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]284 }
285
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]286 verification_mode = SSL_VERIFY_NONE;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]287 if (certreq == PY_SSL_CERT_OPTIONAL)
288 verification_mode = SSL_VERIFY_PEER;
289 else if (certreq == PY_SSL_CERT_REQUIRED)
290 verification_mode = (SSL_VERIFY_PEER |
291 SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
292 SSL_CTX_set_verify(self->ctx, verification_mode,
293 NULL); /* set verify lvl */
294
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]295 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]296 self->ssl = SSL_new(self->ctx); /* New ssl struct */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]297 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]298 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]299
Walter Dörwaldf0dfc7a2003-10-20 14:01:56 +0000[diff] [blame]300 /* If the socket is in non-blocking mode or timeout mode, set the BIO
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]301 * to non-blocking mode (blocking is the default)
302 */
303 if (Sock->sock_timeout >= 0.0) {
304 /* Set both the read and write BIO's to non-blocking mode */
305 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
306 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
307 }
308
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]309 Py_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]310 if (socket_type == PY_SSL_CLIENT)
311 SSL_set_connect_state(self->ssl);
312 else
313 SSL_set_accept_state(self->ssl);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]314 Py_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]315
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]316 /* Actually negotiate SSL connection */
317 /* XXX If SSL_connect() returns 0, it's also a failure. */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]318 sockstate = 0;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]319 do {
320 Py_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]321 if (socket_type == PY_SSL_CLIENT)
322 ret = SSL_connect(self->ssl);
323 else
324 ret = SSL_accept(self->ssl);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]325 err = SSL_get_error(self->ssl, ret);
326 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]327 if(PyErr_CheckSignals()) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]328 goto fail;
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]329 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]330 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]331 sockstate = check_socket_and_wait_for_timeout(Sock, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]332 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]333 sockstate = check_socket_and_wait_for_timeout(Sock, 1);
334 } else {
335 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]336 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]337 if (sockstate == SOCKET_HAS_TIMED_OUT) {
338 PyErr_SetString(PySSLErrorObject,
339 ERRSTR("The connect operation timed out"));
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]340 goto fail;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]341 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]342 PyErr_SetString(PySSLErrorObject,
343 ERRSTR("Underlying socket has been closed."));
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]344 goto fail;
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]345 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]346 PyErr_SetString(PySSLErrorObject,
347 ERRSTR("Underlying socket too large for select()."));
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]348 goto fail;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]349 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
350 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]351 }
352 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]353 if (ret < 1) {
354 PySSL_SetError(self, ret, __FILE__, __LINE__);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]355 goto fail;
356 }
357 self->ssl->debug = 1;
358
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]359 Py_BEGIN_ALLOW_THREADS
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]360 if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
361 X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]362 self->server, X509_NAME_MAXLEN);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]363 X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]364 self->issuer, X509_NAME_MAXLEN);
365 }
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]366 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]367 self->Socket = Sock;
368 Py_INCREF(self->Socket);
369 return self;
370 fail:
371 if (errstr)
372 PyErr_SetString(PySSLErrorObject, errstr);
373 Py_DECREF(self);
374 return NULL;
375}
376
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]377static PyObject *
378PySocket_ssl(PyObject *self, PyObject *args)
379{
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]380 PySocketSockObject *Sock;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]381 int server_side = 0;
382 int verification_mode = PY_SSL_CERT_NONE;
383 int protocol = PY_SSL_VERSION_SSL23;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]384 char *key_file = NULL;
385 char *cert_file = NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]386 char *cacerts_file = NULL;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]387
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]388 if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]389 PySocketModule.Sock_Type,
Martin v. Löwisa811c382006-10-19 11:00:37 +0000[diff] [blame]390 &Sock,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]391 &server_side,
392 &key_file, &cert_file,
393 &verification_mode, &protocol,
394 &cacerts_file))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]395 return NULL;
396
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]397 /*
398 fprintf(stderr,
399 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, "
400 "protocol %d, certs %p\n",
401 server_side, key_file, cert_file, verification_mode,
402 protocol, cacerts_file);
403 */
404
405 return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
406 server_side, verification_mode,
407 protocol, cacerts_file);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]408}
409
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]410PyDoc_STRVAR(ssl_doc,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]411"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
412" cacertsfile]) -> sslobject");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]413
414/* SSL object methods */
415
416static PyObject *
417PySSL_server(PySSLObject *self)
418{
419 return PyString_FromString(self->server);
420}
421
422static PyObject *
423PySSL_issuer(PySSLObject *self)
424{
425 return PyString_FromString(self->issuer);
426}
427
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]428static PyObject *
429_create_dict_for_X509_NAME (X509_NAME *xname)
430{
431 PyObject *pd = PyDict_New();
432 int index_counter;
433
434 for (index_counter = 0;
435 index_counter < X509_NAME_entry_count(xname);
436 index_counter++)
437 {
438 char namebuf[X509_NAME_MAXLEN];
439 int buflen;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]440 PyObject *name_obj;
441 ASN1_STRING *value;
442 PyObject *value_obj;
Neal Norwitzdc988112007-08-25 16:58:09 +0000[diff] [blame]443 unsigned char *valuebuf = NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]444
445 X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname,
446 index_counter);
447
448 ASN1_OBJECT *name = X509_NAME_ENTRY_get_object(entry);
449 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
450 if (buflen < 0)
451 goto fail0;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]452 name_obj = PyString_FromStringAndSize(namebuf, buflen);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]453 if (name_obj == NULL)
454 goto fail0;
455
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]456 value = X509_NAME_ENTRY_get_data(entry);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]457 buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
458 if (buflen < 0) {
459 Py_DECREF(name_obj);
460 goto fail0;
461 }
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]462 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
463 buflen, "strict");
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]464 OPENSSL_free(valuebuf);
465 if (value_obj == NULL) {
466 Py_DECREF(name_obj);
467 goto fail0;
468 }
469 if (PyDict_SetItem(pd, name_obj, value_obj) < 0) {
470 Py_DECREF(name_obj);
471 Py_DECREF(value_obj);
472 goto fail0;
473 }
474 Py_DECREF(name_obj);
475 Py_DECREF(value_obj);
476 }
477 return pd;
478
479 fail0:
480 Py_XDECREF(pd);
481 return NULL;
482}
483
484static PyObject *
485PySSL_peercert(PySSLObject *self)
486{
487 PyObject *retval = NULL;
488 BIO *biobuf = NULL;
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]489 PyObject *peer;
490 PyObject *issuer;
491 PyObject *version;
492 char buf[2048];
493 int len;
494 ASN1_TIME *notBefore, *notAfter;
495 PyObject *pnotBefore, *pnotAfter;
Neal Norwitzdc988112007-08-25 16:58:09 +0000[diff] [blame]496 int verification;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]497
498 if (!self->peer_cert)
499 Py_RETURN_NONE;
500
501 retval = PyDict_New();
502 if (retval == NULL)
503 return NULL;
504
Neal Norwitzdc988112007-08-25 16:58:09 +0000[diff] [blame]505 verification = SSL_CTX_get_verify_mode(self->ctx);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]506 if ((verification & SSL_VERIFY_PEER) == 0)
507 return retval;
508
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]509 peer = _create_dict_for_X509_NAME(
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]510 X509_get_subject_name(self->peer_cert));
511 if (peer == NULL)
512 goto fail0;
513 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
514 Py_DECREF(peer);
515 goto fail0;
516 }
517 Py_DECREF(peer);
518
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]519 issuer = _create_dict_for_X509_NAME(
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]520 X509_get_issuer_name(self->peer_cert));
521 if (issuer == NULL)
522 goto fail0;
523 if (PyDict_SetItemString(retval, (const char *) "issuer", issuer) < 0) {
524 Py_DECREF(issuer);
525 goto fail0;
526 }
527 Py_DECREF(issuer);
528
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]529 version = PyInt_FromLong(X509_get_version(self->peer_cert));
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]530 if (PyDict_SetItemString(retval, "version", version) < 0) {
531 Py_DECREF(version);
532 goto fail0;
533 }
534 Py_DECREF(version);
535
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]536 /* get a memory buffer */
537 biobuf = BIO_new(BIO_s_mem());
538
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]539 notBefore = X509_get_notBefore(self->peer_cert);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]540 ASN1_TIME_print(biobuf, notBefore);
541 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]542 pnotBefore = PyString_FromStringAndSize(buf, len);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]543 if (pnotBefore == NULL)
544 goto fail1;
545 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
546 Py_DECREF(pnotBefore);
547 goto fail1;
548 }
549 Py_DECREF(pnotBefore);
550
551 BIO_reset(biobuf);
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]552 notAfter = X509_get_notAfter(self->peer_cert);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]553 ASN1_TIME_print(biobuf, notAfter);
554 len = BIO_gets(biobuf, buf, sizeof(buf)-1);
555 BIO_free(biobuf);
Neal Norwitz049da9e2007-08-25 16:41:36 +0000[diff] [blame]556 pnotAfter = PyString_FromStringAndSize(buf, len);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]557 if (pnotAfter == NULL)
558 goto fail0;
559 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
560 Py_DECREF(pnotAfter);
561 goto fail0;
562 }
563 Py_DECREF(pnotAfter);
564 return retval;
565
566 fail1:
567 if (biobuf != NULL)
568 BIO_free(biobuf);
569 fail0:
570 Py_XDECREF(retval);
571 return NULL;
572}
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]573
574static void PySSL_dealloc(PySSLObject *self)
575{
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]576 if (self->peer_cert) /* Possible not to have one? */
577 X509_free (self->peer_cert);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]578 if (self->ssl)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]579 SSL_free(self->ssl);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]580 if (self->ctx)
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]581 SSL_CTX_free(self->ctx);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]582 Py_XDECREF(self->Socket);
583 PyObject_Del(self);
584}
585
Anthony Baxter93ab5fa2006-07-11 02:04:09 +0000[diff] [blame]586/* If the socket has a timeout, do a select()/poll() on the socket.
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]587 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]588 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]589 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]590
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]591static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]592check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]593{
594 fd_set fds;
595 struct timeval tv;
596 int rc;
597
598 /* Nothing to do unless we're in timeout mode (not non-blocking) */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]599 if (s->sock_timeout < 0.0)
600 return SOCKET_IS_BLOCKING;
601 else if (s->sock_timeout == 0.0)
602 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]603
604 /* Guard against closed socket */
605 if (s->sock_fd < 0)
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]606 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]607
Anthony Baxter93ab5fa2006-07-11 02:04:09 +0000[diff] [blame]608 /* Prefer poll, if available, since you can poll() any fd
609 * which can't be done with select(). */
610#ifdef HAVE_POLL
611 {
612 struct pollfd pollfd;
613 int timeout;
614
615 pollfd.fd = s->sock_fd;
616 pollfd.events = writing ? POLLOUT : POLLIN;
617
618 /* s->sock_timeout is in seconds, timeout in ms */
619 timeout = (int)(s->sock_timeout * 1000 + 0.5);
620 Py_BEGIN_ALLOW_THREADS
621 rc = poll(&pollfd, 1, timeout);
622 Py_END_ALLOW_THREADS
623
624 goto normal_return;
625 }
626#endif
627
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]628 /* Guard against socket too large for select*/
Martin v. Löwisf84d1b92006-02-11 09:27:05 +0000[diff] [blame]629#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]630 if (s->sock_fd >= FD_SETSIZE)
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]631 return SOCKET_TOO_LARGE_FOR_SELECT;
Martin v. Löwisf84d1b92006-02-11 09:27:05 +0000[diff] [blame]632#endif
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]633
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]634 /* Construct the arguments to select */
635 tv.tv_sec = (int)s->sock_timeout;
636 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
637 FD_ZERO(&fds);
638 FD_SET(s->sock_fd, &fds);
639
640 /* See if the socket is ready */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]641 Py_BEGIN_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]642 if (writing)
643 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
644 else
645 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]646 Py_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]647
Anthony Baxter93ab5fa2006-07-11 02:04:09 +0000[diff] [blame]648normal_return:
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]649 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
650 (when we are able to write or when there's something to read) */
651 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]652}
653
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]654static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
655{
656 char *data;
657 int len;
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]658 int count;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]659 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]660 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]661
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]662 if (!PyArg_ParseTuple(args, "s#:write", &data, &count))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]663 return NULL;
664
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]665 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
666 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]667 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
668 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]669 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
670 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
671 return NULL;
Neal Norwitz389cea82006-02-13 00:35:21 +0000[diff] [blame]672 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Neal Norwitz082b2df2006-02-07 07:04:46 +0000[diff] [blame]673 PyErr_SetString(PySSLErrorObject, "Underlying socket too large for select().");
674 return NULL;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]675 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]676 do {
677 err = 0;
678 Py_BEGIN_ALLOW_THREADS
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]679 len = SSL_write(self->ssl, data, count);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]680 err = SSL_get_error(self->ssl, len);
681 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]682 if(PyErr_CheckSignals()) {
683 return NULL;
684 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]685 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]686 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]687 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]688 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
689 } else {
690 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]691 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]692 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]693 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
694 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]695 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
696 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
697 return NULL;
698 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
699 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]700 }
701 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]702 if (len > 0)
703 return PyInt_FromLong(len);
704 else
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]705 return PySSL_SetError(self, len, __FILE__, __LINE__);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]706}
707
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]708PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]709"write(s) -> len\n\
710\n\
711Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]712of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]713
714static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
715{
716 PyObject *buf;
717 int count = 0;
718 int len = 1024;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]719 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]720 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]721
722 if (!PyArg_ParseTuple(args, "|i:read", &len))
723 return NULL;
724
725 if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
726 return NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]727
Georg Brandl43f08a82006-03-31 18:01:16 +0000[diff] [blame]728 /* first check if there are bytes ready to be read */
729 Py_BEGIN_ALLOW_THREADS
730 count = SSL_pending(self->ssl);
731 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]732
Georg Brandl43f08a82006-03-31 18:01:16 +0000[diff] [blame]733 if (!count) {
734 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
735 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]736 PyErr_SetString(PySSLErrorObject,
737 "The read operation timed out");
Georg Brandl43f08a82006-03-31 18:01:16 +0000[diff] [blame]738 Py_DECREF(buf);
739 return NULL;
740 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]741 PyErr_SetString(PySSLErrorObject,
742 "Underlying socket too large for select().");
743 Py_DECREF(buf);
Georg Brandl43f08a82006-03-31 18:01:16 +0000[diff] [blame]744 return NULL;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]745 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
746 if (SSL_get_shutdown(self->ssl) !=
747 SSL_RECEIVED_SHUTDOWN)
748 {
749 Py_DECREF(buf);
750 PyErr_SetString(PySSLErrorObject,
751 "Socket closed without SSL shutdown handshake");
752 return NULL;
753 } else {
754 /* should contain a zero-length string */
755 _PyString_Resize(&buf, 0);
756 return buf;
757 }
Georg Brandl43f08a82006-03-31 18:01:16 +0000[diff] [blame]758 }
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]759 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]760 do {
761 err = 0;
762 Py_BEGIN_ALLOW_THREADS
763 count = SSL_read(self->ssl, PyString_AsString(buf), len);
764 err = SSL_get_error(self->ssl, count);
765 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]766 if(PyErr_CheckSignals()) {
767 Py_DECREF(buf);
768 return NULL;
769 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]770 if (err == SSL_ERROR_WANT_READ) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]771 sockstate =
772 check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]773 } else if (err == SSL_ERROR_WANT_WRITE) {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]774 sockstate =
775 check_socket_and_wait_for_timeout(self->Socket, 1);
776 } else if ((err == SSL_ERROR_ZERO_RETURN) &&
777 (SSL_get_shutdown(self->ssl) ==
778 SSL_RECEIVED_SHUTDOWN))
779 {
780 _PyString_Resize(&buf, 0);
781 return buf;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]782 } else {
783 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]784 }
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]785 if (sockstate == SOCKET_HAS_TIMED_OUT) {
786 PyErr_SetString(PySSLErrorObject,
787 "The read operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]788 Py_DECREF(buf);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]789 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]790 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
791 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]792 }
793 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]794 if (count <= 0) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]795 Py_DECREF(buf);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]796 return PySSL_SetError(self, count, __FILE__, __LINE__);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]797 }
Tim Peters5de98422002-04-27 18:44:32 +0000[diff] [blame]798 if (count != len)
799 _PyString_Resize(&buf, count);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]800 return buf;
801}
802
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]803PyDoc_STRVAR(PySSL_SSLread_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]804"read([len]) -> string\n\
805\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]806Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]807
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]808static PyObject *PySSL_SSLshutdown(PySSLObject *self, PyObject *args)
809{
810 int err;
811
812 /* Guard against closed socket */
813 if (self->Socket->sock_fd < 0) {
814 PyErr_SetString(PySSLErrorObject,
815 "Underlying socket has been closed.");
816 return NULL;
817 }
818
819 Py_BEGIN_ALLOW_THREADS
820 err = SSL_shutdown(self->ssl);
821 if (err == 0) {
822 /* we need to call it again to finish the shutdown */
823 err = SSL_shutdown(self->ssl);
824 }
825 Py_END_ALLOW_THREADS
826
827 if (err < 0)
828 return PySSL_SetError(self, err, __FILE__, __LINE__);
829 else {
830 Py_INCREF(self->Socket);
831 return (PyObject *) (self->Socket);
832 }
833}
834
835PyDoc_STRVAR(PySSL_SSLshutdown_doc,
836"shutdown(s) -> socket\n\
837\n\
838Does the SSL shutdown handshake with the remote end, and returns\n\
839the underlying socket object.");
840
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]841static PyMethodDef PySSLMethods[] = {
842 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]843 PySSL_SSLwrite_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]844 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]845 PySSL_SSLread_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]846 {"server", (PyCFunction)PySSL_server, METH_NOARGS},
847 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]848 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_NOARGS},
849 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS, PySSL_SSLshutdown_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]850 {NULL, NULL}
851};
852
853static PyObject *PySSL_getattr(PySSLObject *self, char *name)
854{
855 return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
856}
857
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]858static PyTypeObject PySSL_Type = {
Martin v. Löwis68192102007-07-21 06:55:02 +0000[diff] [blame]859 PyVarObject_HEAD_INIT(NULL, 0)
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]860 "socket.SSL", /*tp_name*/
861 sizeof(PySSLObject), /*tp_basicsize*/
862 0, /*tp_itemsize*/
863 /* methods */
864 (destructor)PySSL_dealloc, /*tp_dealloc*/
865 0, /*tp_print*/
866 (getattrfunc)PySSL_getattr, /*tp_getattr*/
867 0, /*tp_setattr*/
868 0, /*tp_compare*/
869 0, /*tp_repr*/
870 0, /*tp_as_number*/
871 0, /*tp_as_sequence*/
872 0, /*tp_as_mapping*/
873 0, /*tp_hash*/
874};
875
876#ifdef HAVE_OPENSSL_RAND
877
878/* helper routines for seeding the SSL PRNG */
879static PyObject *
880PySSL_RAND_add(PyObject *self, PyObject *args)
881{
882 char *buf;
883 int len;
884 double entropy;
885
886 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
887 return NULL;
888 RAND_add(buf, len, entropy);
889 Py_INCREF(Py_None);
890 return Py_None;
891}
892
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]893PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]894"RAND_add(string, entropy)\n\
895\n\
896Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]897bound on the entropy contained in string.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]898
899static PyObject *
900PySSL_RAND_status(PyObject *self)
901{
902 return PyInt_FromLong(RAND_status());
903}
904
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]905PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]906"RAND_status() -> 0 or 1\n\
907\n\
908Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
909It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]910using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]911
912static PyObject *
913PySSL_RAND_egd(PyObject *self, PyObject *arg)
914{
915 int bytes;
916
917 if (!PyString_Check(arg))
918 return PyErr_Format(PyExc_TypeError,
919 "RAND_egd() expected string, found %s",
Martin v. Löwis68192102007-07-21 06:55:02 +0000[diff] [blame]920 Py_Type(arg)->tp_name);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]921 bytes = RAND_egd(PyString_AS_STRING(arg));
922 if (bytes == -1) {
923 PyErr_SetString(PySSLErrorObject,
924 "EGD connection failed or EGD did not return "
925 "enough data to seed the PRNG");
926 return NULL;
927 }
928 return PyInt_FromLong(bytes);
929}
930
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]931PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]932"RAND_egd(path) -> bytes\n\
933\n\
934Queries the entropy gather daemon (EGD) on socket path. Returns number\n\
935of bytes read. Raises socket.sslerror if connection to EGD fails or\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]936if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]937
938#endif
939
940/* List of functions exported by this module. */
941
942static PyMethodDef PySSL_methods[] = {
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]943 {"sslwrap", PySocket_ssl,
944 METH_VARARGS, ssl_doc},
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]945#ifdef HAVE_OPENSSL_RAND
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]946 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]947 PySSL_RAND_add_doc},
948 {"RAND_egd", PySSL_RAND_egd, METH_O,
949 PySSL_RAND_egd_doc},
950 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
951 PySSL_RAND_status_doc},
952#endif
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]953 {NULL, NULL} /* Sentinel */
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]954};
955
956
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]957PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]958"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]959for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]960
Mark Hammondfe51c6d2002-08-02 02:27:13 +0000[diff] [blame]961PyMODINIT_FUNC
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]962init_ssl(void)
963{
964 PyObject *m, *d;
965
Martin v. Löwis68192102007-07-21 06:55:02 +0000[diff] [blame]966 Py_Type(&PySSL_Type) = &PyType_Type;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]967
968 m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
Neal Norwitz1ac754f2006-01-19 06:09:39 +0000[diff] [blame]969 if (m == NULL)
970 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]971 d = PyModule_GetDict(m);
972
973 /* Load _socket module and its C API */
974 if (PySocketModule_ImportModuleAndAPI())
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]975 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]976
977 /* Init OpenSSL */
978 SSL_load_error_strings();
979 SSLeay_add_ssl_algorithms();
980
981 /* Add symbols to module dict */
Brett Cannon06c34792004-03-23 23:16:54 +0000[diff] [blame]982 PySSLErrorObject = PyErr_NewException("socket.sslerror",
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]983 PySocketModule.error,
984 NULL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]985 if (PySSLErrorObject == NULL)
986 return;
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]987 if (PyDict_SetItemString(d, "sslerror", PySSLErrorObject) != 0)
988 return;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]989 if (PyDict_SetItemString(d, "SSLType",
990 (PyObject *)&PySSL_Type) != 0)
991 return;
992 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]993 PY_SSL_ERROR_ZERO_RETURN);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]994 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]995 PY_SSL_ERROR_WANT_READ);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]996 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]997 PY_SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]998 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]999 PY_SSL_ERROR_WANT_X509_LOOKUP);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1000 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]1001 PY_SSL_ERROR_SYSCALL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1002 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]1003 PY_SSL_ERROR_SSL);
1004 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
1005 PY_SSL_ERROR_WANT_CONNECT);
1006 /* non ssl.h errorcodes */
1007 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
1008 PY_SSL_ERROR_EOF);
1009 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
1010 PY_SSL_ERROR_INVALID_ERROR_CODE);
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]1011 /* cert requirements */
1012 PyModule_AddIntConstant(m, "CERT_NONE",
1013 PY_SSL_CERT_NONE);
1014 PyModule_AddIntConstant(m, "CERT_OPTIONAL",
1015 PY_SSL_CERT_OPTIONAL);
1016 PyModule_AddIntConstant(m, "CERT_REQUIRED",
1017 PY_SSL_CERT_REQUIRED);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]1018
Guido van Rossum4f2c3dd2007-08-25 15:08:43 +0000[diff] [blame]1019 /* protocol versions */
1020 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
1021 PY_SSL_VERSION_SSL2);
1022 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
1023 PY_SSL_VERSION_SSL3);
1024 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
1025 PY_SSL_VERSION_SSL23);
1026 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
1027 PY_SSL_VERSION_TLS1);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1028}