Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 1e9312e7c307a25ad6e5df5baccd3c942a7567dd / . / OpenSSL / ssl / context.c
blob: a0b9a72404a8c57ecd433ca1a7c7bd8fc8109345 [file] [log] [blame]
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1/*
2 * context.c
3 *
4 * Copyright (C) AB Strakt 2001, All rights reserved
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -0400[diff] [blame]5 * Copyright (C) Jean-Paul Calderone 2008, All rights reserved
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]6 *
7 * SSL Context objects and their methods.
8 * See the file RATIONALE for a short explanation of why this module was written.
9 *
10 * Reviewed 2001-07-23
11 */
12#include <Python.h>
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -0500[diff] [blame]13
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]14#if PY_VERSION_HEX >= 0x02050000
15# define PYARG_PARSETUPLE_FORMAT const char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]16# define PYOBJECT_GETATTRSTRING_TYPE const char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]17#else
18# define PYARG_PARSETUPLE_FORMAT char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]19# define PYOBJECT_GETATTRSTRING_TYPE char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]20#endif
21
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -0500[diff] [blame]22#ifndef MS_WINDOWS
23# include <sys/socket.h>
24# include <netinet/in.h>
25# if !(defined(__BEOS__) || defined(__CYGWIN__))
26# include <netinet/tcp.h>
27# endif
28#else
29# include <winsock.h>
30# include <wincrypt.h>
31#endif
32
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]33#define SSL_MODULE
34#include "ssl.h"
35
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]36/*
37 * CALLBACKS
38 *
39 * Callbacks work like this: We provide a "global" callback in C which
40 * transforms the arguments into a Python argument tuple and calls the
41 * corresponding Python callback, and then parsing the return value back into
42 * things the C function can return.
43 *
44 * Three caveats:
45 * + How do we find the Context object where the Python callbacks are stored?
46 * + What about multithreading and execution frames?
47 * + What about Python callbacks that raise exceptions?
48 *
49 * The solution to the first issue is trivial if the callback provides
50 * "userdata" functionality. Since the only callbacks that don't provide
51 * userdata do provide a pointer to an SSL structure, we can associate an SSL
52 * object and a Connection one-to-one via the SSL_set/get_app_data()
53 * functions.
54 *
55 * The solution to the other issue is to rewrite the Py_BEGIN_ALLOW_THREADS
56 * macro allowing it (or rather a new macro) to specify where to save the
57 * thread state (in our case, as a member of the Connection/Context object) so
58 * we can retrieve it again before calling the Python callback.
59 */
60
61/*
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]62 * Globally defined passphrase callback. This is called from OpenSSL
63 * internally. The GIL will not be held when this function is invoked. It
64 * must not be held when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]65 *
66 * Arguments: buf - Buffer to store the returned passphrase in
67 * maxlen - Maximum length of the passphrase
68 * verify - If true, the passphrase callback should ask for a
69 * password twice and verify they're equal. If false, only
70 * ask once.
71 * arg - User data, always a Context object
72 * Returns: The length of the password if successful, 0 otherwise
73 */
74static int
75global_passphrase_callback(char *buf, int maxlen, int verify, void *arg)
76{
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]77 /*
78 * Initialize len here because we're always going to return it, and we
79 * might jump to the return before it gets initialized in any other way.
80 */
81 int len = 0;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]82 char *str;
83 PyObject *argv, *ret = NULL;
84 ssl_ContextObj *ctx = (ssl_ContextObj *)arg;
85
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]86 /*
87 * GIL isn't held yet. First things first - acquire it, or any Python API
88 * we invoke might segfault or blow up the sun. The reverse will be done
89 * before returning.
90 */
91 MY_END_ALLOW_THREADS(ctx->tstate);
92
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]93 /* The Python callback is called with a (maxlen,verify,userdata) tuple */
94 argv = Py_BuildValue("(iiO)", maxlen, verify, ctx->passphrase_userdata);
95
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]96 /*
97 * XXX Didn't check argv to see if it was NULL. -exarkun
98 */
99 ret = PyEval_CallObject(ctx->passphrase_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]100 Py_DECREF(argv);
101
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]102 if (ret == NULL) {
103 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]104 * The callback raised an exception. It will be raised by whatever
105 * Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]106 */
107 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]108 }
109
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]110 if (!PyObject_IsTrue(ret)) {
111 /*
112 * Returned "", or None, or something. Treat it as no passphrase.
113 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]114 Py_DECREF(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]115 goto out;
116 }
117
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]118 if (!PyBytes_Check(ret)) {
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]119 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]120 * XXX Returned something that wasn't a string. This is bogus. We'll
121 * return 0 and OpenSSL will treat it as an error, resulting in an
122 * exception from whatever Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]123 */
124 Py_DECREF(ret);
125 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]126 }
127
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]128 len = PyBytes_Size(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]129 if (len > maxlen) {
130 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]131 * Returned more than we said they were allowed to return. Just
132 * truncate it. Might be better to raise an exception,
133 * instead. -exarkun
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]134 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]135 len = maxlen;
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]136 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]137
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]138 str = PyBytes_AsString(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]139 strncpy(buf, str, len);
140 Py_XDECREF(ret);
141
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]142 out:
143 /*
144 * This function is returning into OpenSSL. Release the GIL again.
145 */
146 MY_BEGIN_ALLOW_THREADS(ctx->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]147 return len;
148}
149
150/*
151 * Globally defined verify callback
152 *
153 * Arguments: ok - True everything is OK "so far", false otherwise
154 * x509_ctx - Contains the certificate being checked, the current
155 * error number and depth, and the Connection we're
156 * dealing with
157 * Returns: True if everything is okay, false otherwise
158 */
159static int
160global_verify_callback(int ok, X509_STORE_CTX *x509_ctx)
161{
162 PyObject *argv, *ret;
163 SSL *ssl;
164 ssl_ConnectionObj *conn;
165 crypto_X509Obj *cert;
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]166 int errnum, errdepth, c_ret;
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]167
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]168 // Get Connection object to check thread state
169 ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx);
170 conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]171
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400[diff] [blame]172 MY_END_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]173
Jean-Paul Calderone1e9312e2010-10-31 21:26:18 -0400[diff] [blame^]174 cert = new_x509(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]175 errnum = X509_STORE_CTX_get_error(x509_ctx);
176 errdepth = X509_STORE_CTX_get_error_depth(x509_ctx);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]177
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]178 argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert,
179 errnum, errdepth, ok);
180 Py_DECREF(cert);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]181 ret = PyEval_CallObject(conn->context->verify_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]182 Py_DECREF(argv);
183
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]184 if (ret != NULL && PyObject_IsTrue(ret)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]185 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]186 Py_DECREF(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]187 c_ret = 1;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]188 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]189 c_ret = 0;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]190 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]191
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400[diff] [blame]192 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]193 return c_ret;
194}
195
196/*
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]197 * Globally defined info callback. This is called from OpenSSL internally.
198 * The GIL will not be held when this function is invoked. It must not be held
199 * when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]200 *
201 * Arguments: ssl - The Connection
202 * where - The part of the SSL code that called us
203 * _ret - The return code of the SSL function that called us
204 * Returns: None
205 */
206static void
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]207global_info_callback(const SSL *ssl, int where, int _ret)
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]208{
209 ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
210 PyObject *argv, *ret;
211
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]212 /*
213 * GIL isn't held yet. First things first - acquire it, or any Python API
214 * we invoke might segfault or blow up the sun. The reverse will be done
215 * before returning.
216 */
217 MY_END_ALLOW_THREADS(conn->tstate);
218
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]219 argv = Py_BuildValue("(Oii)", (PyObject *)conn, where, _ret);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]220 ret = PyEval_CallObject(conn->context->info_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]221 Py_DECREF(argv);
222
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]223 if (ret == NULL) {
224 /*
225 * XXX - This should be reported somehow. -exarkun
226 */
227 PyErr_Clear();
228 } else {
229 Py_DECREF(ret);
230 }
231
232 /*
233 * This function is returning into OpenSSL. Release the GIL again.
234 */
235 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]236 return;
237}
238
239
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]240static char ssl_Context_doc[] = "\n\
241Context(method) -> Context instance\n\
242\n\
243OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
244connections.\n\
245\n\
246@param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or\n\
247 TLSv1_METHOD.\n\
248";
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]249
250static char ssl_Context_load_verify_locations_doc[] = "\n\
251Let SSL know where we can find trusted certificates for the certificate\n\
252chain\n\
253\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]254@param cafile: In which file we can find the certificates\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]255@param capath: In which directory we can find the certificates\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]256@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]257";
258static PyObject *
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]259ssl_Context_load_verify_locations(ssl_ContextObj *self, PyObject *args) {
260 char *cafile = NULL;
261 char *capath = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]262
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]263 if (!PyArg_ParseTuple(args, "z|z:load_verify_locations", &cafile, &capath)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]264 return NULL;
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]265 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]266
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]267 if (!SSL_CTX_load_verify_locations(self->ctx, cafile, capath))
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]268 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]269 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]270 return NULL;
271 }
272 else
273 {
274 Py_INCREF(Py_None);
275 return Py_None;
276 }
277}
278
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]279static char ssl_Context_set_default_verify_paths_doc[] = "\n\
280Use the platform-specific CA certificate locations\n\
281\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]282@return: None\n\
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]283";
284static PyObject *
285ssl_Context_set_default_verify_paths(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400[diff] [blame]286 if (!PyArg_ParseTuple(args, ":set_default_verify_paths")) {
287 return NULL;
288 }
289
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400[diff] [blame]290 /*
291 * XXX Error handling for SSL_CTX_set_default_verify_paths is untested.
292 * -exarkun
293 */
294 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]295 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400[diff] [blame]296 return NULL;
297 }
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]298 Py_INCREF(Py_None);
299 return Py_None;
300};
301
302
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]303static char ssl_Context_set_passwd_cb_doc[] = "\n\
304Set the passphrase callback\n\
305\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]306@param callback: The Python callback to use\n\
307@param userdata: (optional) A Python object which will be given as\n\
308 argument to the callback\n\
309@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]310";
311static PyObject *
312ssl_Context_set_passwd_cb(ssl_ContextObj *self, PyObject *args)
313{
314 PyObject *callback = NULL, *userdata = Py_None;
315
316 if (!PyArg_ParseTuple(args, "O|O:set_passwd_cb", &callback, &userdata))
317 return NULL;
318
319 if (!PyCallable_Check(callback))
320 {
321 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
322 return NULL;
323 }
324
325 Py_DECREF(self->passphrase_callback);
326 Py_INCREF(callback);
327 self->passphrase_callback = callback;
328 SSL_CTX_set_default_passwd_cb(self->ctx, global_passphrase_callback);
329
330 Py_DECREF(self->passphrase_userdata);
331 Py_INCREF(userdata);
332 self->passphrase_userdata = userdata;
333 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, (void *)self);
334
335 Py_INCREF(Py_None);
336 return Py_None;
337}
338
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]339static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]340type_modified_error(const char *name) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]341 PyErr_Format(PyExc_RuntimeError,
342 "OpenSSL.crypto's '%s' attribute has been modified",
343 name);
344 return NULL;
345}
346
347static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]348import_crypto_type(const char *name, size_t objsize) {
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]349 PyObject *module, *type, *name_attr;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]350 PyTypeObject *res;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]351 int right_name;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]352
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]353 module = PyImport_ImportModule("OpenSSL.crypto");
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]354 if (module == NULL) {
355 return NULL;
356 }
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]357 type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]358 Py_DECREF(module);
359 if (type == NULL) {
360 return NULL;
361 }
362 if (!(PyType_Check(type))) {
363 Py_DECREF(type);
364 return type_modified_error(name);
365 }
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]366 name_attr = PyObject_GetAttrString(type, "__name__");
367 if (name_attr == NULL) {
368 Py_DECREF(type);
369 return NULL;
370 }
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400[diff] [blame]371
372#ifdef PY3
373 {
374 PyObject* asciiname = PyUnicode_AsASCIIString(name_attr);
375 Py_DECREF(name_attr);
376 name_attr = asciiname;
377 }
378#endif
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400[diff] [blame]379 right_name = (PyBytes_CheckExact(name_attr) &&
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400[diff] [blame]380 strcmp(name, PyBytes_AsString(name_attr)) == 0);
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]381 Py_DECREF(name_attr);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]382 res = (PyTypeObject *)type;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]383 if (!right_name || res->tp_basicsize != objsize) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]384 Py_DECREF(type);
385 return type_modified_error(name);
386 }
387 return res;
388}
389
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]390static crypto_X509Obj *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]391parse_certificate_argument(const char* format, PyObject* args) {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]392 static PyTypeObject *crypto_X509_type = NULL;
393 crypto_X509Obj *cert;
394
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]395 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]396 crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]397 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]398 return NULL;
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]399 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]400 }
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]401 if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]402 crypto_X509_type, &cert)) {
403 return NULL;
404 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]405 return cert;
406}
407
408static char ssl_Context_add_extra_chain_cert_doc[] = "\n\
409Add certificate to chain\n\
410\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]411@param certobj: The X509 certificate object to add to the chain\n\
412@return: None\n\
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]413";
414
415static PyObject *
416ssl_Context_add_extra_chain_cert(ssl_ContextObj *self, PyObject *args)
417{
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]418 X509* cert_original;
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]419 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]420 "O!:add_extra_chain_cert", args);
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]421 if (cert == NULL)
422 {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]423 return NULL;
424 }
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]425 if (!(cert_original = X509_dup(cert->x509)))
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]426 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]427 /* exception_from_error_queue(ssl_Error); */
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]428 PyErr_SetString(PyExc_RuntimeError, "X509_dup failed");
429 return NULL;
430 }
431 if (!SSL_CTX_add_extra_chain_cert(self->ctx, cert_original))
432 {
433 X509_free(cert_original);
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]434 exception_from_error_queue(ssl_Error);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]435 return NULL;
436 }
437 else
438 {
439 Py_INCREF(Py_None);
440 return Py_None;
441 }
442}
443
444
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]445static char ssl_Context_use_certificate_chain_file_doc[] = "\n\
446Load a certificate chain from a file\n\
447\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]448@param certfile: The name of the certificate chain file\n\
449@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]450";
451static PyObject *
452ssl_Context_use_certificate_chain_file(ssl_ContextObj *self, PyObject *args)
453{
454 char *certfile;
455
456 if (!PyArg_ParseTuple(args, "s:use_certificate_chain_file", &certfile))
457 return NULL;
458
459 if (!SSL_CTX_use_certificate_chain_file(self->ctx, certfile))
460 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]461 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]462 return NULL;
463 }
464 else
465 {
466 Py_INCREF(Py_None);
467 return Py_None;
468 }
469}
470
471
472static char ssl_Context_use_certificate_file_doc[] = "\n\
473Load a certificate from a file\n\
474\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]475@param certfile: The name of the certificate file\n\
476@param filetype: (optional) The encoding of the file, default is PEM\n\
477@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]478";
479static PyObject *
480ssl_Context_use_certificate_file(ssl_ContextObj *self, PyObject *args)
481{
482 char *certfile;
483 int filetype = SSL_FILETYPE_PEM;
484
485 if (!PyArg_ParseTuple(args, "s|i:use_certificate_file", &certfile, &filetype))
486 return NULL;
487
488 if (!SSL_CTX_use_certificate_file(self->ctx, certfile, filetype))
489 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]490 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]491 return NULL;
492 }
493 else
494 {
495 Py_INCREF(Py_None);
496 return Py_None;
497 }
498}
499
500static char ssl_Context_use_certificate_doc[] = "\n\
501Load a certificate from a X509 object\n\
502\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]503@param cert: The X509 object\n\
504@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]505";
506static PyObject *
507ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args)
508{
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]509 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]510 "O!:use_certificate", args);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]511 if (cert == NULL) {
512 return NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]513 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]514
515 if (!SSL_CTX_use_certificate(self->ctx, cert->x509))
516 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]517 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]518 return NULL;
519 }
520 else
521 {
522 Py_INCREF(Py_None);
523 return Py_None;
524 }
525}
526
527static char ssl_Context_use_privatekey_file_doc[] = "\n\
528Load a private key from a file\n\
529\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]530@param keyfile: The name of the key file\n\
531@param filetype: (optional) The encoding of the file, default is PEM\n\
532@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]533";
534static PyObject *
535ssl_Context_use_privatekey_file(ssl_ContextObj *self, PyObject *args)
536{
537 char *keyfile;
538 int filetype = SSL_FILETYPE_PEM, ret;
539
540 if (!PyArg_ParseTuple(args, "s|i:use_privatekey_file", &keyfile, &filetype))
541 return NULL;
542
543 MY_BEGIN_ALLOW_THREADS(self->tstate);
544 ret = SSL_CTX_use_PrivateKey_file(self->ctx, keyfile, filetype);
545 MY_END_ALLOW_THREADS(self->tstate);
546
547 if (PyErr_Occurred())
548 {
549 flush_error_queue();
550 return NULL;
551 }
552
553 if (!ret)
554 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]555 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]556 return NULL;
557 }
558 else
559 {
560 Py_INCREF(Py_None);
561 return Py_None;
562 }
563}
564
565static char ssl_Context_use_privatekey_doc[] = "\n\
566Load a private key from a PKey object\n\
567\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]568@param pkey: The PKey object\n\
569@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]570";
571static PyObject *
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]572ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]573 static PyTypeObject *crypto_PKey_type = NULL;
574 crypto_PKeyObj *pkey;
575
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]576 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]577 crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]578 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]579 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]580 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]581 }
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]582 if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]583 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]584 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]585
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]586 if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]587 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]588 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]589 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]590 Py_INCREF(Py_None);
591 return Py_None;
592 }
593}
594
595static char ssl_Context_check_privatekey_doc[] = "\n\
596Check that the private key and certificate match up\n\
597\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]598@return: None (raises an exception if something's wrong)\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]599";
600static PyObject *
601ssl_Context_check_privatekey(ssl_ContextObj *self, PyObject *args)
602{
603 if (!PyArg_ParseTuple(args, ":check_privatekey"))
604 return NULL;
605
606 if (!SSL_CTX_check_private_key(self->ctx))
607 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]608 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]609 return NULL;
610 }
611 else
612 {
613 Py_INCREF(Py_None);
614 return Py_None;
615 }
616}
617
618static char ssl_Context_load_client_ca_doc[] = "\n\
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -0400[diff] [blame]619Load the trusted certificates that will be sent to the client (basically\n \
620telling the client \"These are the guys I trust\"). Does not actually\n\
621imply any of the certificates are trusted; that must be configured\n\
622separately.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]623\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]624@param cafile: The name of the certificates file\n\
625@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]626";
627static PyObject *
628ssl_Context_load_client_ca(ssl_ContextObj *self, PyObject *args)
629{
630 char *cafile;
631
632 if (!PyArg_ParseTuple(args, "s:load_client_ca", &cafile))
633 return NULL;
634
635 SSL_CTX_set_client_CA_list(self->ctx, SSL_load_client_CA_file(cafile));
636
637 Py_INCREF(Py_None);
638 return Py_None;
639}
640
641static char ssl_Context_set_session_id_doc[] = "\n\
642Set the session identifier, this is needed if you want to do session\n\
643resumption (which, ironically, isn't implemented yet)\n\
644\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]645@param buf: A Python object that can be safely converted to a string\n\
646@returns: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]647";
648static PyObject *
649ssl_Context_set_session_id(ssl_ContextObj *self, PyObject *args)
650{
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]651 unsigned char *buf;
652 unsigned int len;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]653
654 if (!PyArg_ParseTuple(args, "s#:set_session_id", &buf, &len))
655 return NULL;
656
657 if (!SSL_CTX_set_session_id_context(self->ctx, buf, len))
658 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]659 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]660 return NULL;
661 }
662 else
663 {
664 Py_INCREF(Py_None);
665 return Py_None;
666 }
667}
668
669static char ssl_Context_set_verify_doc[] = "\n\
670Set the verify mode and verify callback\n\
671\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]672@param mode: The verify mode, this is either VERIFY_NONE or\n\
673 VERIFY_PEER combined with possible other flags\n\
674@param callback: The Python callback to use\n\
675@return: None\n\
Jean-Paul Calderone24aedf42008-03-06 22:01:16 -0500[diff] [blame]676\n\
677See SSL_CTX_set_verify(3SSL) for further details.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]678";
679static PyObject *
680ssl_Context_set_verify(ssl_ContextObj *self, PyObject *args)
681{
682 int mode;
683 PyObject *callback = NULL;
684
685 if (!PyArg_ParseTuple(args, "iO:set_verify", &mode, &callback))
686 return NULL;
687
688 if (!PyCallable_Check(callback))
689 {
690 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
691 return NULL;
692 }
693
694 Py_DECREF(self->verify_callback);
695 Py_INCREF(callback);
696 self->verify_callback = callback;
697 SSL_CTX_set_verify(self->ctx, mode, global_verify_callback);
698
699 Py_INCREF(Py_None);
700 return Py_None;
701}
702
703static char ssl_Context_set_verify_depth_doc[] = "\n\
704Set the verify depth\n\
705\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]706@param depth: An integer specifying the verify depth\n\
707@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]708";
709static PyObject *
710ssl_Context_set_verify_depth(ssl_ContextObj *self, PyObject *args)
711{
712 int depth;
713
714 if (!PyArg_ParseTuple(args, "i:set_verify_depth", &depth))
715 return NULL;
716
717 SSL_CTX_set_verify_depth(self->ctx, depth);
718 Py_INCREF(Py_None);
719 return Py_None;
720}
721
722static char ssl_Context_get_verify_mode_doc[] = "\n\
723Get the verify mode\n\
724\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]725@return: The verify mode\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]726";
727static PyObject *
728ssl_Context_get_verify_mode(ssl_ContextObj *self, PyObject *args)
729{
730 int mode;
731
732 if (!PyArg_ParseTuple(args, ":get_verify_mode"))
733 return NULL;
734
735 mode = SSL_CTX_get_verify_mode(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]736 return PyLong_FromLong((long)mode);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]737}
738
739static char ssl_Context_get_verify_depth_doc[] = "\n\
740Get the verify depth\n\
741\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]742@return: The verify depth\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]743";
744static PyObject *
745ssl_Context_get_verify_depth(ssl_ContextObj *self, PyObject *args)
746{
747 int depth;
748
749 if (!PyArg_ParseTuple(args, ":get_verify_depth"))
750 return NULL;
751
752 depth = SSL_CTX_get_verify_depth(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]753 return PyLong_FromLong((long)depth);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]754}
755
756static char ssl_Context_load_tmp_dh_doc[] = "\n\
757Load parameters for Ephemeral Diffie-Hellman\n\
758\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]759@param dhfile: The file to load EDH parameters from\n\
760@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]761";
762static PyObject *
763ssl_Context_load_tmp_dh(ssl_ContextObj *self, PyObject *args)
764{
765 char *dhfile;
766 BIO *bio;
767 DH *dh;
768
769 if (!PyArg_ParseTuple(args, "s:load_tmp_dh", &dhfile))
770 return NULL;
771
772 bio = BIO_new_file(dhfile, "r");
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -0400[diff] [blame]773 if (bio == NULL) {
774 exception_from_error_queue(ssl_Error);
775 return NULL;
776 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]777
778 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
779 SSL_CTX_set_tmp_dh(self->ctx, dh);
780 DH_free(dh);
781 BIO_free(bio);
782
783 Py_INCREF(Py_None);
784 return Py_None;
785}
786
787static char ssl_Context_set_cipher_list_doc[] = "\n\
788Change the cipher list\n\
789\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]790@param cipher_list: A cipher list, see ciphers(1)\n\
791@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]792";
793static PyObject *
794ssl_Context_set_cipher_list(ssl_ContextObj *self, PyObject *args)
795{
796 char *cipher_list;
797
798 if (!PyArg_ParseTuple(args, "s:set_cipher_list", &cipher_list))
799 return NULL;
800
801 if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list))
802 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]803 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]804 return NULL;
805 }
806 else
807 {
808 Py_INCREF(Py_None);
809 return Py_None;
810 }
811}
812
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]813static char ssl_Context_set_client_ca_list_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]814Set the list of preferred client certificate signers for this server context.\n\
815\n\
816This list of certificate authorities will be sent to the client when the\n\
817server requests a client certificate.\n\
818\n\
819@param certificate_authorities: a sequence of X509Names.\n\
820@return: None\n\
821";
822
823static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]824ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]825{
826 static PyTypeObject *X509NameType;
827 PyObject *sequence, *tuple, *item;
828 crypto_X509NameObj *name;
829 X509_NAME *sslname;
830 STACK_OF(X509_NAME) *CANames;
831 Py_ssize_t length;
832 int i;
833
834 if (X509NameType == NULL) {
835 X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
836 if (X509NameType == NULL) {
837 return NULL;
838 }
839 }
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]840 if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) {
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]841 return NULL;
842 }
843 tuple = PySequence_Tuple(sequence);
844 if (tuple == NULL) {
845 return NULL;
846 }
847 length = PyTuple_Size(tuple);
848 if (length >= INT_MAX) {
849 PyErr_SetString(PyExc_ValueError, "client CA list is too long");
850 Py_DECREF(tuple);
851 return NULL;
852 }
853 CANames = sk_X509_NAME_new_null();
854 if (CANames == NULL) {
855 Py_DECREF(tuple);
856 exception_from_error_queue(ssl_Error);
857 return NULL;
858 }
859 for (i = 0; i < length; i++) {
860 item = PyTuple_GetItem(tuple, i);
861 if (item->ob_type != X509NameType) {
862 PyErr_Format(PyExc_TypeError,
863 "client CAs must be X509Name objects, not %s objects",
864 item->ob_type->tp_name);
865 sk_X509_NAME_free(CANames);
866 Py_DECREF(tuple);
867 return NULL;
868 }
869 name = (crypto_X509NameObj *)item;
870 sslname = X509_NAME_dup(name->x509_name);
871 if (sslname == NULL) {
872 sk_X509_NAME_free(CANames);
873 Py_DECREF(tuple);
874 exception_from_error_queue(ssl_Error);
875 return NULL;
876 }
877 if (!sk_X509_NAME_push(CANames, sslname)) {
878 X509_NAME_free(sslname);
879 sk_X509_NAME_free(CANames);
880 Py_DECREF(tuple);
881 exception_from_error_queue(ssl_Error);
882 return NULL;
883 }
884 }
885 Py_DECREF(tuple);
886 SSL_CTX_set_client_CA_list(self->ctx, CANames);
887 Py_INCREF(Py_None);
888 return Py_None;
889}
890
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]891static char ssl_Context_add_client_ca_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]892Add the CA certificate to the list of preferred signers for this context.\n\
893\n\
894The list of certificate authorities will be sent to the client when the\n\
895server requests a client certificate.\n\
896\n\
897@param certificate_authority: certificate authority's X509 certificate.\n\
898@return: None\n\
899";
900
901static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]902ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]903{
904 crypto_X509Obj *cert;
905
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]906 cert = parse_certificate_argument("O!:add_client_ca", args);
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]907 if (cert == NULL) {
908 return NULL;
909 }
910 if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
911 exception_from_error_queue(ssl_Error);
912 return NULL;
913 }
914 Py_INCREF(Py_None);
915 return Py_None;
916}
917
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]918static char ssl_Context_set_timeout_doc[] = "\n\
919Set session timeout\n\
920\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]921@param timeout: The timeout in seconds\n\
922@return: The previous session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]923";
924static PyObject *
925ssl_Context_set_timeout(ssl_ContextObj *self, PyObject *args)
926{
927 long t, ret;
928
929 if (!PyArg_ParseTuple(args, "l:set_timeout", &t))
930 return NULL;
931
932 ret = SSL_CTX_set_timeout(self->ctx, t);
933 return PyLong_FromLong(ret);
934}
935
936static char ssl_Context_get_timeout_doc[] = "\n\
937Get the session timeout\n\
938\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]939@return: The session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]940";
941static PyObject *
942ssl_Context_get_timeout(ssl_ContextObj *self, PyObject *args)
943{
944 long ret;
945
946 if (!PyArg_ParseTuple(args, ":get_timeout"))
947 return NULL;
948
949 ret = SSL_CTX_get_timeout(self->ctx);
950 return PyLong_FromLong(ret);
951}
952
953static char ssl_Context_set_info_callback_doc[] = "\n\
954Set the info callback\n\
955\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]956@param callback: The Python callback to use\n\
957@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]958";
959static PyObject *
960ssl_Context_set_info_callback(ssl_ContextObj *self, PyObject *args)
961{
962 PyObject *callback;
963
964 if (!PyArg_ParseTuple(args, "O:set_info_callback", &callback))
965 return NULL;
966
967 if (!PyCallable_Check(callback))
968 {
969 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
970 return NULL;
971 }
972
973 Py_DECREF(self->info_callback);
974 Py_INCREF(callback);
975 self->info_callback = callback;
976 SSL_CTX_set_info_callback(self->ctx, global_info_callback);
977
978 Py_INCREF(Py_None);
979 return Py_None;
980}
981
982static char ssl_Context_get_app_data_doc[] = "\n\
983Get the application data (supplied via set_app_data())\n\
984\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]985@return: The application data\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]986";
987static PyObject *
988ssl_Context_get_app_data(ssl_ContextObj *self, PyObject *args)
989{
990 if (!PyArg_ParseTuple(args, ":get_app_data"))
991 return NULL;
992
993 Py_INCREF(self->app_data);
994 return self->app_data;
995}
996
997static char ssl_Context_set_app_data_doc[] = "\n\
998Set the application data (will be returned from get_app_data())\n\
999\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1000@param data: Any Python object\n\
1001@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1002";
1003static PyObject *
1004ssl_Context_set_app_data(ssl_ContextObj *self, PyObject *args)
1005{
1006 PyObject *data;
1007
1008 if (!PyArg_ParseTuple(args, "O:set_app_data", &data))
1009 return NULL;
1010
1011 Py_DECREF(self->app_data);
1012 Py_INCREF(data);
1013 self->app_data = data;
1014
1015 Py_INCREF(Py_None);
1016 return Py_None;
1017}
1018
1019static char ssl_Context_get_cert_store_doc[] = "\n\
1020Get the certificate store for the context\n\
1021\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1022@return: A X509Store object\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1023";
1024static PyObject *
1025ssl_Context_get_cert_store(ssl_ContextObj *self, PyObject *args)
1026{
1027 X509_STORE *store;
1028
1029 if (!PyArg_ParseTuple(args, ":get_cert_store"))
1030 return NULL;
1031
1032 if ((store = SSL_CTX_get_cert_store(self->ctx)) == NULL)
1033 {
1034 Py_INCREF(Py_None);
1035 return Py_None;
1036 }
1037 else
1038 {
Jean-Paul Calderone1e9312e2010-10-31 21:26:18 -0400[diff] [blame^]1039 return (PyObject *)new_x509store(store, 0);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1040 }
1041}
1042
1043static char ssl_Context_set_options_doc[] = "\n\
1044Add options. Options set before are not cleared!\n\
1045\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1046@param options: The options to add.\n\
1047@return: The new option bitmask.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1048";
1049static PyObject *
1050ssl_Context_set_options(ssl_ContextObj *self, PyObject *args)
1051{
1052 long options;
1053
1054 if (!PyArg_ParseTuple(args, "l:set_options", &options))
1055 return NULL;
1056
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]1057 return PyLong_FromLong(SSL_CTX_set_options(self->ctx, options));
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1058}
1059
1060
1061/*
1062 * Member methods in the Context object
1063 * ADD_METHOD(name) expands to a correct PyMethodDef declaration
1064 * { 'name', (PyCFunction)ssl_Context_name, METH_VARARGS }
1065 * for convenience
1066 * ADD_ALIAS(name,real) creates an "alias" of the ssl_Context_real
1067 * function with the name 'name'
1068 */
1069#define ADD_METHOD(name) { #name, (PyCFunction)ssl_Context_##name, METH_VARARGS, ssl_Context_##name##_doc }
1070static PyMethodDef ssl_Context_methods[] = {
1071 ADD_METHOD(load_verify_locations),
1072 ADD_METHOD(set_passwd_cb),
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]1073 ADD_METHOD(set_default_verify_paths),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1074 ADD_METHOD(use_certificate_chain_file),
1075 ADD_METHOD(use_certificate_file),
1076 ADD_METHOD(use_certificate),
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]1077 ADD_METHOD(add_extra_chain_cert),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1078 ADD_METHOD(use_privatekey_file),
1079 ADD_METHOD(use_privatekey),
1080 ADD_METHOD(check_privatekey),
1081 ADD_METHOD(load_client_ca),
1082 ADD_METHOD(set_session_id),
1083 ADD_METHOD(set_verify),
1084 ADD_METHOD(set_verify_depth),
1085 ADD_METHOD(get_verify_mode),
1086 ADD_METHOD(get_verify_depth),
1087 ADD_METHOD(load_tmp_dh),
1088 ADD_METHOD(set_cipher_list),
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]1089 ADD_METHOD(set_client_ca_list),
1090 ADD_METHOD(add_client_ca),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1091 ADD_METHOD(set_timeout),
1092 ADD_METHOD(get_timeout),
1093 ADD_METHOD(set_info_callback),
1094 ADD_METHOD(get_app_data),
1095 ADD_METHOD(set_app_data),
1096 ADD_METHOD(get_cert_store),
1097 ADD_METHOD(set_options),
1098 { NULL, NULL }
1099};
1100#undef ADD_METHOD
1101
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1102/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1103 * Despite the name which might suggest otherwise, this is not the tp_init for
1104 * the Context type. It's just the common initialization code shared by the
1105 * two _{Nn}ew functions below.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1106 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1107static ssl_ContextObj*
1108ssl_Context_init(ssl_ContextObj *self, int i_method) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1109 SSL_METHOD *method;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1110
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1111 switch (i_method) {
1112 case ssl_SSLv2_METHOD:
1113 method = SSLv2_method();
1114 break;
1115 case ssl_SSLv23_METHOD:
1116 method = SSLv23_method();
1117 break;
1118 case ssl_SSLv3_METHOD:
1119 method = SSLv3_method();
1120 break;
1121 case ssl_TLSv1_METHOD:
1122 method = TLSv1_method();
1123 break;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1124 default:
1125 PyErr_SetString(PyExc_ValueError, "No such protocol");
1126 return NULL;
1127 }
1128
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1129 self->ctx = SSL_CTX_new(method);
1130 Py_INCREF(Py_None);
1131 self->passphrase_callback = Py_None;
1132 Py_INCREF(Py_None);
1133 self->verify_callback = Py_None;
1134 Py_INCREF(Py_None);
1135 self->info_callback = Py_None;
1136
1137 Py_INCREF(Py_None);
1138 self->passphrase_userdata = Py_None;
1139
1140 Py_INCREF(Py_None);
1141 self->app_data = Py_None;
1142
1143 /* Some initialization that's required to operate smoothly in Python */
1144 SSL_CTX_set_app_data(self->ctx, self);
1145 SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
1146 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1147 SSL_MODE_AUTO_RETRY);
1148
1149 self->tstate = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1150
1151 return self;
1152}
1153
1154/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1155 * This one is exposed in the CObject API. I want to deprecate it.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1156 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1157ssl_ContextObj*
1158ssl_Context_New(int i_method) {
1159 ssl_ContextObj *self;
1160
1161 self = PyObject_GC_New(ssl_ContextObj, &ssl_Context_Type);
1162 if (self == NULL) {
1163 return (ssl_ContextObj *)PyErr_NoMemory();
1164 }
1165 self = ssl_Context_init(self, i_method);
1166 PyObject_GC_Track((PyObject *)self);
1167 return self;
1168}
1169
1170
1171/*
1172 * This one is the tp_new of the Context type. It's great.
1173 */
1174static PyObject*
1175ssl_Context_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
1176 int i_method;
1177 ssl_ContextObj *self;
1178 static char *kwlist[] = {"method", NULL};
1179
1180 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i:Context", kwlist, &i_method)) {
1181 return NULL;
1182 }
1183
1184 self = (ssl_ContextObj *)subtype->tp_alloc(subtype, 1);
1185 if (self == NULL) {
1186 return NULL;
1187 }
1188
1189 return (PyObject *)ssl_Context_init(self, i_method);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1190}
1191
1192/*
1193 * Call the visitproc on all contained objects.
1194 *
1195 * Arguments: self - The Context object
1196 * visit - Function to call
1197 * arg - Extra argument to visit
1198 * Returns: 0 if all goes well, otherwise the return code from the first
1199 * call that gave non-zero result.
1200 */
1201static int
1202ssl_Context_traverse(ssl_ContextObj *self, visitproc visit, void *arg)
1203{
1204 int ret = 0;
1205
1206 if (ret == 0 && self->passphrase_callback != NULL)
1207 ret = visit((PyObject *)self->passphrase_callback, arg);
1208 if (ret == 0 && self->passphrase_userdata != NULL)
1209 ret = visit((PyObject *)self->passphrase_userdata, arg);
1210 if (ret == 0 && self->verify_callback != NULL)
1211 ret = visit((PyObject *)self->verify_callback, arg);
1212 if (ret == 0 && self->info_callback != NULL)
1213 ret = visit((PyObject *)self->info_callback, arg);
1214 if (ret == 0 && self->app_data != NULL)
1215 ret = visit(self->app_data, arg);
1216 return ret;
1217}
1218
1219/*
1220 * Decref all contained objects and zero the pointers.
1221 *
1222 * Arguments: self - The Context object
1223 * Returns: Always 0.
1224 */
1225static int
1226ssl_Context_clear(ssl_ContextObj *self)
1227{
1228 Py_XDECREF(self->passphrase_callback);
1229 self->passphrase_callback = NULL;
1230 Py_XDECREF(self->passphrase_userdata);
1231 self->passphrase_userdata = NULL;
1232 Py_XDECREF(self->verify_callback);
1233 self->verify_callback = NULL;
1234 Py_XDECREF(self->info_callback);
1235 self->info_callback = NULL;
1236 Py_XDECREF(self->app_data);
1237 self->app_data = NULL;
1238 return 0;
1239}
1240
1241/*
1242 * Deallocate the memory used by the Context object
1243 *
1244 * Arguments: self - The Context object
1245 * Returns: None
1246 */
1247static void
1248ssl_Context_dealloc(ssl_ContextObj *self)
1249{
1250 PyObject_GC_UnTrack((PyObject *)self);
1251 SSL_CTX_free(self->ctx);
1252 ssl_Context_clear(self);
1253 PyObject_GC_Del(self);
1254}
1255
1256
1257PyTypeObject ssl_Context_Type = {
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400[diff] [blame]1258 PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1259 "OpenSSL.SSL.Context",
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1260 sizeof(ssl_ContextObj),
1261 0,
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1262 (destructor)ssl_Context_dealloc, /* tp_dealloc */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1263 NULL, /* print */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1264 NULL, /* tp_getattr */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1265 NULL, /* setattr */
1266 NULL, /* compare */
1267 NULL, /* repr */
1268 NULL, /* as_number */
1269 NULL, /* as_sequence */
1270 NULL, /* as_mapping */
1271 NULL, /* hash */
1272 NULL, /* call */
1273 NULL, /* str */
1274 NULL, /* getattro */
1275 NULL, /* setattro */
1276 NULL, /* as_buffer */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1277 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC | Py_TPFLAGS_BASETYPE, /* tp_flags */
1278 ssl_Context_doc, /* tp_doc */
1279 (traverseproc)ssl_Context_traverse, /* tp_traverse */
1280 (inquiry)ssl_Context_clear, /* tp_clear */
1281 NULL, /* tp_richcompare */
1282 0, /* tp_weaklistoffset */
1283 NULL, /* tp_iter */
1284 NULL, /* tp_iternext */
1285 ssl_Context_methods, /* tp_methods */
1286 NULL, /* tp_members */
1287 NULL, /* tp_getset */
1288 NULL, /* tp_base */
1289 NULL, /* tp_dict */
1290 NULL, /* tp_descr_get */
1291 NULL, /* tp_descr_set */
1292 0, /* tp_dictoffset */
1293 NULL, /* tp_init */
1294 NULL, /* tp_alloc */
1295 ssl_Context_new, /* tp_new */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1296};
1297
1298
1299/*
1300 * Initialize the Context part of the SSL sub module
1301 *
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1302 * Arguments: dict - The OpenSSL.SSL module
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1303 * Returns: 1 for success, 0 otherwise
1304 */
1305int
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1306init_ssl_context(PyObject *module) {
1307
1308 if (PyType_Ready(&ssl_Context_Type) < 0) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1309 return 0;
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1310 }
1311
1312 if (PyModule_AddObject(module, "Context", (PyObject *)&ssl_Context_Type) < 0) {
1313 return 0;
1314 }
1315
1316 if (PyModule_AddObject(module, "ContextType", (PyObject *)&ssl_Context_Type) < 0) {
1317 return 0;
1318 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1319
1320 return 1;
1321}
1322