Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / c75f11222c0a6c6fb2856c613a27df0a49c0695a / . / Modules / _ssl.c
blob: 906a72ac8a1e7f0ae139e455ed5be8bdc44ffcd6 [file] [log] [blame]
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]1/* SSL socket module
2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4
5 This module is imported by socket.py. It should *not* be used
6 directly.
7
8*/
9
10#include "Python.h"
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]11enum py_ssl_error {
12 /* these mirror ssl.h */
13 PY_SSL_ERROR_NONE,
14 PY_SSL_ERROR_SSL,
15 PY_SSL_ERROR_WANT_READ,
16 PY_SSL_ERROR_WANT_WRITE,
17 PY_SSL_ERROR_WANT_X509_LOOKUP,
18 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
19 PY_SSL_ERROR_ZERO_RETURN,
20 PY_SSL_ERROR_WANT_CONNECT,
21 /* start of non ssl.h errorcodes */
22 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
23 PY_SSL_ERROR_INVALID_ERROR_CODE
24};
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]25
26/* Include symbols from _socket module */
27#include "socketmodule.h"
28
29/* Include OpenSSL header files */
30#include "openssl/rsa.h"
31#include "openssl/crypto.h"
32#include "openssl/x509.h"
33#include "openssl/pem.h"
34#include "openssl/ssl.h"
35#include "openssl/err.h"
36#include "openssl/rand.h"
37
38/* SSL error object */
39static PyObject *PySSLErrorObject;
40
41/* SSL socket object */
42
43#define X509_NAME_MAXLEN 256
44
45/* RAND_* APIs got added to OpenSSL in 0.9.5 */
46#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
47# define HAVE_OPENSSL_RAND 1
48#else
49# undef HAVE_OPENSSL_RAND
50#endif
51
52typedef struct {
53 PyObject_HEAD
54 PySocketSockObject *Socket; /* Socket on which we're layered */
55 SSL_CTX* ctx;
56 SSL* ssl;
57 X509* server_cert;
58 BIO* sbio;
59 char server[X509_NAME_MAXLEN];
60 char issuer[X509_NAME_MAXLEN];
61
62} PySSLObject;
63
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]64static PyTypeObject PySSL_Type;
65static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
66static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]67static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
68 int writing);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]69
70#define PySSLObject_Check(v) ((v)->ob_type == &PySSL_Type)
71
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]72typedef enum {
73 SOCKET_IS_NONBLOCKING,
74 SOCKET_IS_BLOCKING,
75 SOCKET_HAS_TIMED_OUT,
76 SOCKET_HAS_BEEN_CLOSED,
77 SOCKET_OPERATION_OK
78} timeout_state;
79
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]80/* XXX It might be helpful to augment the error message generated
81 below with the name of the SSL function that generated the error.
82 I expect it's obvious most of the time.
83*/
84
85static PyObject *
86PySSL_SetError(PySSLObject *obj, int ret)
87{
88 PyObject *v, *n, *s;
89 char *errstr;
90 int err;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]91 enum py_ssl_error p;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]92
93 assert(ret <= 0);
94
95 err = SSL_get_error(obj->ssl, ret);
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]96
97 switch (err) {
98 case SSL_ERROR_ZERO_RETURN:
99 errstr = "TLS/SSL connection has been closed";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]100 p = PY_SSL_ERROR_ZERO_RETURN;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]101 break;
102 case SSL_ERROR_WANT_READ:
103 errstr = "The operation did not complete (read)";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]104 p = PY_SSL_ERROR_WANT_READ;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]105 break;
106 case SSL_ERROR_WANT_WRITE:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]107 p = PY_SSL_ERROR_WANT_WRITE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]108 errstr = "The operation did not complete (write)";
109 break;
110 case SSL_ERROR_WANT_X509_LOOKUP:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]111 p = PY_SSL_ERROR_WANT_X509_LOOKUP;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]112 errstr = "The operation did not complete (X509 lookup)";
113 break;
114 case SSL_ERROR_WANT_CONNECT:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]115 p = PY_SSL_ERROR_WANT_CONNECT;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]116 errstr = "The operation did not complete (connect)";
117 break;
118 case SSL_ERROR_SYSCALL:
119 {
120 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]121 if (e == 0) {
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]122 if (ret == 0 || !obj->Socket) {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]123 p = PY_SSL_ERROR_EOF;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]124 errstr = "EOF occurred in violation of protocol";
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]125 } else if (ret == -1) {
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]126 /* the underlying BIO reported an I/O error */
127 return obj->Socket->errorhandler();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]128 } else { /* possible? */
129 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]130 errstr = "Some I/O error occurred";
131 }
132 } else {
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]133 p = PY_SSL_ERROR_SYSCALL;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]134 /* XXX Protected by global interpreter lock */
135 errstr = ERR_error_string(e, NULL);
136 }
137 break;
138 }
139 case SSL_ERROR_SSL:
140 {
141 unsigned long e = ERR_get_error();
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]142 p = PY_SSL_ERROR_SSL;
143 if (e != 0)
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]144 /* XXX Protected by global interpreter lock */
145 errstr = ERR_error_string(e, NULL);
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]146 else { /* possible? */
147 errstr = "A failure in the SSL library occurred";
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]148 }
149 break;
150 }
151 default:
Jeremy Hylton4e547302002-07-02 18:25:00 +0000[diff] [blame]152 p = PY_SSL_ERROR_INVALID_ERROR_CODE;
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]153 errstr = "Invalid error code";
154 }
155 n = PyInt_FromLong((long) p);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]156 if (n == NULL)
157 return NULL;
158 v = PyTuple_New(2);
159 if (v == NULL) {
160 Py_DECREF(n);
161 return NULL;
162 }
163
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]164 s = PyString_FromString(errstr);
165 if (s == NULL) {
166 Py_DECREF(v);
167 Py_DECREF(n);
168 }
169 PyTuple_SET_ITEM(v, 0, n);
170 PyTuple_SET_ITEM(v, 1, s);
171 PyErr_SetObject(PySSLErrorObject, v);
172 return NULL;
173}
174
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]175static PySSLObject *
176newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file)
177{
178 PySSLObject *self;
179 char *errstr = NULL;
180 int ret;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]181 int err;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]182 int sockstate;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]183
184 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
185 if (self == NULL){
186 errstr = "newPySSLObject error";
187 goto fail;
188 }
189 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
190 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
191 self->server_cert = NULL;
192 self->ssl = NULL;
193 self->ctx = NULL;
194 self->Socket = NULL;
195
196 if ((key_file && !cert_file) || (!key_file && cert_file)) {
197 errstr = "Both the key & certificate files must be specified";
198 goto fail;
199 }
200
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]201 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]202 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]203 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]204 if (self->ctx == NULL) {
205 errstr = "SSL_CTX_new error";
206 goto fail;
207 }
208
209 if (key_file) {
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]210 Py_BEGIN_ALLOW_THREADS
211 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
212 SSL_FILETYPE_PEM);
213 Py_END_ALLOW_THREADS
214 if (ret < 1) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]215 errstr = "SSL_CTX_use_PrivateKey_file error";
216 goto fail;
217 }
218
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]219 Py_BEGIN_ALLOW_THREADS
220 ret = SSL_CTX_use_certificate_chain_file(self->ctx,
221 cert_file);
222 Py_END_ALLOW_THREADS
Andrew M. Kuchling27d3dda2004-07-10 21:36:55 +0000[diff] [blame]223 SSL_CTX_set_options(self->ctx, SSL_OP_ALL); /* ssl compatibility */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]224 if (ret < 1) {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]225 errstr = "SSL_CTX_use_certificate_chain_file error";
226 goto fail;
227 }
228 }
229
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]230 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]231 SSL_CTX_set_verify(self->ctx,
232 SSL_VERIFY_NONE, NULL); /* set verify lvl */
233 self->ssl = SSL_new(self->ctx); /* New ssl struct */
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]234 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]235 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]236
Walter Dörwaldf0dfc7a2003-10-20 14:01:56 +0000[diff] [blame]237 /* If the socket is in non-blocking mode or timeout mode, set the BIO
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]238 * to non-blocking mode (blocking is the default)
239 */
240 if (Sock->sock_timeout >= 0.0) {
241 /* Set both the read and write BIO's to non-blocking mode */
242 BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
243 BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
244 }
245
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]246 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]247 SSL_set_connect_state(self->ssl);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]248 Py_END_ALLOW_THREADS
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]249
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]250 /* Actually negotiate SSL connection */
251 /* XXX If SSL_connect() returns 0, it's also a failure. */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]252 sockstate = 0;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]253 do {
254 Py_BEGIN_ALLOW_THREADS
255 ret = SSL_connect(self->ssl);
256 err = SSL_get_error(self->ssl, ret);
257 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]258 if(PyErr_CheckSignals()) {
259 goto fail;
260 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]261 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]262 sockstate = check_socket_and_wait_for_timeout(Sock, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]263 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]264 sockstate = check_socket_and_wait_for_timeout(Sock, 1);
265 } else {
266 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]267 }
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]268 if (sockstate == SOCKET_HAS_TIMED_OUT) {
269 PyErr_SetString(PySSLErrorObject, "The connect operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]270 goto fail;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]271 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
272 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
273 goto fail;
274 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
275 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]276 }
277 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]278 if (ret <= 0) {
279 PySSL_SetError(self, ret);
280 goto fail;
281 }
282 self->ssl->debug = 1;
283
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]284 Py_BEGIN_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]285 if ((self->server_cert = SSL_get_peer_certificate(self->ssl))) {
286 X509_NAME_oneline(X509_get_subject_name(self->server_cert),
287 self->server, X509_NAME_MAXLEN);
288 X509_NAME_oneline(X509_get_issuer_name(self->server_cert),
289 self->issuer, X509_NAME_MAXLEN);
290 }
Martin v. Löwis09c35f72002-07-28 09:57:45 +0000[diff] [blame]291 Py_END_ALLOW_THREADS
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]292 self->Socket = Sock;
293 Py_INCREF(self->Socket);
294 return self;
295 fail:
296 if (errstr)
297 PyErr_SetString(PySSLErrorObject, errstr);
298 Py_DECREF(self);
299 return NULL;
300}
301
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]302static PyObject *
303PySocket_ssl(PyObject *self, PyObject *args)
304{
305 PySSLObject *rv;
306 PySocketSockObject *Sock;
307 char *key_file = NULL;
308 char *cert_file = NULL;
309
310 if (!PyArg_ParseTuple(args, "O!|zz:ssl",
311 PySocketModule.Sock_Type,
312 (PyObject*)&Sock,
313 &key_file, &cert_file))
314 return NULL;
315
316 rv = newPySSLObject(Sock, key_file, cert_file);
317 if (rv == NULL)
318 return NULL;
319 return (PyObject *)rv;
320}
321
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]322PyDoc_STRVAR(ssl_doc,
323"ssl(socket, [keyfile, certfile]) -> sslobject");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]324
325/* SSL object methods */
326
327static PyObject *
328PySSL_server(PySSLObject *self)
329{
330 return PyString_FromString(self->server);
331}
332
333static PyObject *
334PySSL_issuer(PySSLObject *self)
335{
336 return PyString_FromString(self->issuer);
337}
338
339
340static void PySSL_dealloc(PySSLObject *self)
341{
342 if (self->server_cert) /* Possible not to have one? */
343 X509_free (self->server_cert);
344 if (self->ssl)
345 SSL_free(self->ssl);
346 if (self->ctx)
347 SSL_CTX_free(self->ctx);
348 Py_XDECREF(self->Socket);
349 PyObject_Del(self);
350}
351
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]352/* If the socket has a timeout, do a select() on the socket.
353 The argument writing indicates the direction.
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]354 Returns one of the possibilities in the timeout_state enum (above).
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]355 */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]356
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]357static int
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]358check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]359{
360 fd_set fds;
361 struct timeval tv;
362 int rc;
363
364 /* Nothing to do unless we're in timeout mode (not non-blocking) */
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]365 if (s->sock_timeout < 0.0)
366 return SOCKET_IS_BLOCKING;
367 else if (s->sock_timeout == 0.0)
368 return SOCKET_IS_NONBLOCKING;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]369
370 /* Guard against closed socket */
371 if (s->sock_fd < 0)
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]372 return SOCKET_HAS_BEEN_CLOSED;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]373
374 /* Construct the arguments to select */
375 tv.tv_sec = (int)s->sock_timeout;
376 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
377 FD_ZERO(&fds);
378 FD_SET(s->sock_fd, &fds);
379
380 /* See if the socket is ready */
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]381 Py_BEGIN_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]382 if (writing)
383 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
384 else
385 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]386 Py_END_ALLOW_THREADS
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]387
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]388 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
389 (when we are able to write or when there's something to read) */
390 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]391}
392
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]393static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
394{
395 char *data;
396 int len;
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]397 int count;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]398 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]399 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]400
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]401 if (!PyArg_ParseTuple(args, "s#:write", &data, &count))
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]402 return NULL;
403
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]404 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
405 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]406 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
407 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]408 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
409 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
410 return NULL;
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]411 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]412 do {
413 err = 0;
414 Py_BEGIN_ALLOW_THREADS
Martin v. Löwis405a7952003-10-27 14:24:37 +0000[diff] [blame]415 len = SSL_write(self->ssl, data, count);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]416 err = SSL_get_error(self->ssl, len);
417 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]418 if(PyErr_CheckSignals()) {
419 return NULL;
420 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]421 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]422 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]423 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]424 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
425 } else {
426 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]427 }
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]428 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]429 PyErr_SetString(PySSLErrorObject, "The write operation timed out");
430 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]431 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
432 PyErr_SetString(PySSLErrorObject, "Underlying socket has been closed.");
433 return NULL;
434 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
435 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]436 }
437 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]438 if (len > 0)
439 return PyInt_FromLong(len);
440 else
441 return PySSL_SetError(self, len);
442}
443
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]444PyDoc_STRVAR(PySSL_SSLwrite_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]445"write(s) -> len\n\
446\n\
447Writes the string s into the SSL object. Returns the number\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]448of bytes written.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]449
450static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
451{
452 PyObject *buf;
453 int count = 0;
454 int len = 1024;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]455 int sockstate;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]456 int err;
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]457
458 if (!PyArg_ParseTuple(args, "|i:read", &len))
459 return NULL;
460
461 if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
462 return NULL;
463
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]464 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
465 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]466 PyErr_SetString(PySSLErrorObject, "The read operation timed out");
Neal Norwitza9002f82003-06-30 03:25:20 +0000[diff] [blame]467 Py_DECREF(buf);
Guido van Rossum99d4abf2003-01-27 22:22:50 +0000[diff] [blame]468 return NULL;
469 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]470 do {
471 err = 0;
472 Py_BEGIN_ALLOW_THREADS
473 count = SSL_read(self->ssl, PyString_AsString(buf), len);
474 err = SSL_get_error(self->ssl, count);
475 Py_END_ALLOW_THREADS
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]476 if(PyErr_CheckSignals()) {
477 Py_DECREF(buf);
478 return NULL;
479 }
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]480 if (err == SSL_ERROR_WANT_READ) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]481 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]482 } else if (err == SSL_ERROR_WANT_WRITE) {
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]483 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
484 } else {
485 sockstate = SOCKET_OPERATION_OK;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]486 }
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]487 if (sockstate == SOCKET_HAS_TIMED_OUT) {
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]488 PyErr_SetString(PySSLErrorObject, "The read operation timed out");
Martin v. Löwisafec8e32003-06-28 07:40:23 +0000[diff] [blame]489 Py_DECREF(buf);
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]490 return NULL;
Andrew M. Kuchling9c3efe32004-07-10 21:15:17 +0000[diff] [blame]491 } else if (sockstate == SOCKET_IS_NONBLOCKING) {
492 break;
Guido van Rossum4f707ac2003-01-31 18:13:18 +0000[diff] [blame]493 }
494 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]495 if (count <= 0) {
496 Py_DECREF(buf);
497 return PySSL_SetError(self, count);
498 }
Tim Peters5de98422002-04-27 18:44:32 +0000[diff] [blame]499 if (count != len)
500 _PyString_Resize(&buf, count);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]501 return buf;
502}
503
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]504PyDoc_STRVAR(PySSL_SSLread_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]505"read([len]) -> string\n\
506\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]507Read up to len bytes from the SSL socket.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]508
509static PyMethodDef PySSLMethods[] = {
510 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
511 PySSL_SSLwrite_doc},
512 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
513 PySSL_SSLread_doc},
514 {"server", (PyCFunction)PySSL_server, METH_NOARGS},
515 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
516 {NULL, NULL}
517};
518
519static PyObject *PySSL_getattr(PySSLObject *self, char *name)
520{
521 return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
522}
523
Jeremy Hylton938ace62002-07-17 16:30:39 +0000[diff] [blame]524static PyTypeObject PySSL_Type = {
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]525 PyObject_HEAD_INIT(NULL)
526 0, /*ob_size*/
527 "socket.SSL", /*tp_name*/
528 sizeof(PySSLObject), /*tp_basicsize*/
529 0, /*tp_itemsize*/
530 /* methods */
531 (destructor)PySSL_dealloc, /*tp_dealloc*/
532 0, /*tp_print*/
533 (getattrfunc)PySSL_getattr, /*tp_getattr*/
534 0, /*tp_setattr*/
535 0, /*tp_compare*/
536 0, /*tp_repr*/
537 0, /*tp_as_number*/
538 0, /*tp_as_sequence*/
539 0, /*tp_as_mapping*/
540 0, /*tp_hash*/
541};
542
543#ifdef HAVE_OPENSSL_RAND
544
545/* helper routines for seeding the SSL PRNG */
546static PyObject *
547PySSL_RAND_add(PyObject *self, PyObject *args)
548{
549 char *buf;
550 int len;
551 double entropy;
552
553 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
554 return NULL;
555 RAND_add(buf, len, entropy);
556 Py_INCREF(Py_None);
557 return Py_None;
558}
559
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]560PyDoc_STRVAR(PySSL_RAND_add_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]561"RAND_add(string, entropy)\n\
562\n\
563Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]564bound on the entropy contained in string.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]565
566static PyObject *
567PySSL_RAND_status(PyObject *self)
568{
569 return PyInt_FromLong(RAND_status());
570}
571
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]572PyDoc_STRVAR(PySSL_RAND_status_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]573"RAND_status() -> 0 or 1\n\
574\n\
575Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
576It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]577using the ssl() function.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]578
579static PyObject *
580PySSL_RAND_egd(PyObject *self, PyObject *arg)
581{
582 int bytes;
583
584 if (!PyString_Check(arg))
585 return PyErr_Format(PyExc_TypeError,
586 "RAND_egd() expected string, found %s",
587 arg->ob_type->tp_name);
588 bytes = RAND_egd(PyString_AS_STRING(arg));
589 if (bytes == -1) {
590 PyErr_SetString(PySSLErrorObject,
591 "EGD connection failed or EGD did not return "
592 "enough data to seed the PRNG");
593 return NULL;
594 }
595 return PyInt_FromLong(bytes);
596}
597
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]598PyDoc_STRVAR(PySSL_RAND_egd_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]599"RAND_egd(path) -> bytes\n\
600\n\
601Queries the entropy gather daemon (EGD) on socket path. Returns number\n\
602of bytes read. Raises socket.sslerror if connection to EGD fails or\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]603if it does provide enough data to seed PRNG.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]604
605#endif
606
607/* List of functions exported by this module. */
608
609static PyMethodDef PySSL_methods[] = {
610 {"ssl", PySocket_ssl,
611 METH_VARARGS, ssl_doc},
612#ifdef HAVE_OPENSSL_RAND
613 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
614 PySSL_RAND_add_doc},
615 {"RAND_egd", PySSL_RAND_egd, METH_O,
616 PySSL_RAND_egd_doc},
617 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
618 PySSL_RAND_status_doc},
619#endif
620 {NULL, NULL} /* Sentinel */
621};
622
623
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]624PyDoc_STRVAR(module_doc,
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]625"Implementation module for SSL socket operations. See the socket module\n\
Martin v. Löwis14f8b4c2002-06-13 20:33:02 +0000[diff] [blame]626for documentation.");
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]627
Mark Hammondfe51c6d2002-08-02 02:27:13 +0000[diff] [blame]628PyMODINIT_FUNC
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]629init_ssl(void)
630{
631 PyObject *m, *d;
632
633 PySSL_Type.ob_type = &PyType_Type;
634
635 m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
636 d = PyModule_GetDict(m);
637
638 /* Load _socket module and its C API */
639 if (PySocketModule_ImportModuleAndAPI())
640 return;
641
642 /* Init OpenSSL */
643 SSL_load_error_strings();
644 SSLeay_add_ssl_algorithms();
645
646 /* Add symbols to module dict */
Brett Cannon06c34792004-03-23 23:16:54 +0000[diff] [blame]647 PySSLErrorObject = PyErr_NewException("socket.sslerror",
648 PySocketModule.error,
649 NULL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]650 if (PySSLErrorObject == NULL)
651 return;
652 PyDict_SetItemString(d, "sslerror", PySSLErrorObject);
653 if (PyDict_SetItemString(d, "SSLType",
654 (PyObject *)&PySSL_Type) != 0)
655 return;
656 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]657 PY_SSL_ERROR_ZERO_RETURN);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]658 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]659 PY_SSL_ERROR_WANT_READ);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]660 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]661 PY_SSL_ERROR_WANT_WRITE);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]662 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]663 PY_SSL_ERROR_WANT_X509_LOOKUP);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]664 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]665 PY_SSL_ERROR_SYSCALL);
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]666 PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
Martin v. Löwis6af3e2d2002-04-20 07:47:40 +0000[diff] [blame]667 PY_SSL_ERROR_SSL);
668 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
669 PY_SSL_ERROR_WANT_CONNECT);
670 /* non ssl.h errorcodes */
671 PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
672 PY_SSL_ERROR_EOF);
673 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
674 PY_SSL_ERROR_INVALID_ERROR_CODE);
675
Marc-André Lemburga5d2b4c2002-02-16 18:23:30 +0000[diff] [blame]676}