Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 6ace478989f75732ff81e57d1938f2baa074a80f / . / OpenSSL / ssl / context.c
blob: ef599617e92f3c3356744e69033dd3c3019cf3f2 [file] [log] [blame]
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1/*
2 * context.c
3 *
4 * Copyright (C) AB Strakt 2001, All rights reserved
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -0400[diff] [blame]5 * Copyright (C) Jean-Paul Calderone 2008, All rights reserved
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]6 *
7 * SSL Context objects and their methods.
8 * See the file RATIONALE for a short explanation of why this module was written.
9 *
10 * Reviewed 2001-07-23
11 */
12#include <Python.h>
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -0500[diff] [blame]13
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]14#if PY_VERSION_HEX >= 0x02050000
15# define PYARG_PARSETUPLE_FORMAT const char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]16# define PYOBJECT_GETATTRSTRING_TYPE const char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]17#else
18# define PYARG_PARSETUPLE_FORMAT char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]19# define PYOBJECT_GETATTRSTRING_TYPE char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]20#endif
21
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -0500[diff] [blame]22#ifndef MS_WINDOWS
23# include <sys/socket.h>
24# include <netinet/in.h>
25# if !(defined(__BEOS__) || defined(__CYGWIN__))
26# include <netinet/tcp.h>
27# endif
28#else
29# include <winsock.h>
30# include <wincrypt.h>
31#endif
32
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]33#define SSL_MODULE
34#include "ssl.h"
35
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]36/*
37 * CALLBACKS
38 *
39 * Callbacks work like this: We provide a "global" callback in C which
40 * transforms the arguments into a Python argument tuple and calls the
41 * corresponding Python callback, and then parsing the return value back into
42 * things the C function can return.
43 *
44 * Three caveats:
45 * + How do we find the Context object where the Python callbacks are stored?
46 * + What about multithreading and execution frames?
47 * + What about Python callbacks that raise exceptions?
48 *
49 * The solution to the first issue is trivial if the callback provides
50 * "userdata" functionality. Since the only callbacks that don't provide
51 * userdata do provide a pointer to an SSL structure, we can associate an SSL
52 * object and a Connection one-to-one via the SSL_set/get_app_data()
53 * functions.
54 *
55 * The solution to the other issue is to rewrite the Py_BEGIN_ALLOW_THREADS
56 * macro allowing it (or rather a new macro) to specify where to save the
57 * thread state (in our case, as a member of the Connection/Context object) so
58 * we can retrieve it again before calling the Python callback.
59 */
60
61/*
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]62 * Globally defined passphrase callback. This is called from OpenSSL
63 * internally. The GIL will not be held when this function is invoked. It
64 * must not be held when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]65 *
66 * Arguments: buf - Buffer to store the returned passphrase in
67 * maxlen - Maximum length of the passphrase
68 * verify - If true, the passphrase callback should ask for a
69 * password twice and verify they're equal. If false, only
70 * ask once.
71 * arg - User data, always a Context object
72 * Returns: The length of the password if successful, 0 otherwise
73 */
74static int
75global_passphrase_callback(char *buf, int maxlen, int verify, void *arg)
76{
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]77 /*
78 * Initialize len here because we're always going to return it, and we
79 * might jump to the return before it gets initialized in any other way.
80 */
81 int len = 0;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]82 char *str;
83 PyObject *argv, *ret = NULL;
84 ssl_ContextObj *ctx = (ssl_ContextObj *)arg;
85
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]86 /*
87 * GIL isn't held yet. First things first - acquire it, or any Python API
88 * we invoke might segfault or blow up the sun. The reverse will be done
89 * before returning.
90 */
91 MY_END_ALLOW_THREADS(ctx->tstate);
92
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]93 /* The Python callback is called with a (maxlen,verify,userdata) tuple */
94 argv = Py_BuildValue("(iiO)", maxlen, verify, ctx->passphrase_userdata);
95
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]96 /*
97 * XXX Didn't check argv to see if it was NULL. -exarkun
98 */
99 ret = PyEval_CallObject(ctx->passphrase_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]100 Py_DECREF(argv);
101
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]102 if (ret == NULL) {
103 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]104 * The callback raised an exception. It will be raised by whatever
105 * Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]106 */
107 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]108 }
109
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]110 if (!PyObject_IsTrue(ret)) {
111 /*
112 * Returned "", or None, or something. Treat it as no passphrase.
113 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]114 Py_DECREF(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]115 goto out;
116 }
117
118 if (!PyString_Check(ret)) {
119 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]120 * XXX Returned something that wasn't a string. This is bogus. We'll
121 * return 0 and OpenSSL will treat it as an error, resulting in an
122 * exception from whatever Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]123 */
124 Py_DECREF(ret);
125 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]126 }
127
128 len = PyString_Size(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]129 if (len > maxlen) {
130 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]131 * Returned more than we said they were allowed to return. Just
132 * truncate it. Might be better to raise an exception,
133 * instead. -exarkun
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]134 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]135 len = maxlen;
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]136 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]137
138 str = PyString_AsString(ret);
139 strncpy(buf, str, len);
140 Py_XDECREF(ret);
141
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]142 out:
143 /*
144 * This function is returning into OpenSSL. Release the GIL again.
145 */
146 MY_BEGIN_ALLOW_THREADS(ctx->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]147 return len;
148}
149
150/*
151 * Globally defined verify callback
152 *
153 * Arguments: ok - True everything is OK "so far", false otherwise
154 * x509_ctx - Contains the certificate being checked, the current
155 * error number and depth, and the Connection we're
156 * dealing with
157 * Returns: True if everything is okay, false otherwise
158 */
159static int
160global_verify_callback(int ok, X509_STORE_CTX *x509_ctx)
161{
162 PyObject *argv, *ret;
163 SSL *ssl;
164 ssl_ConnectionObj *conn;
165 crypto_X509Obj *cert;
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]166 int errnum, errdepth, c_ret;
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]167
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]168 // Get Connection object to check thread state
169 ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx);
170 conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]171
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400[diff] [blame]172 MY_END_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]173
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]174 cert = crypto_X509_New(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
175 errnum = X509_STORE_CTX_get_error(x509_ctx);
176 errdepth = X509_STORE_CTX_get_error_depth(x509_ctx);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]177
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]178 argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert,
179 errnum, errdepth, ok);
180 Py_DECREF(cert);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]181 ret = PyEval_CallObject(conn->context->verify_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]182 Py_DECREF(argv);
183
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]184 if (ret != NULL && PyObject_IsTrue(ret)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]185 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]186 Py_DECREF(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]187 c_ret = 1;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]188 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]189 c_ret = 0;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]190 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]191
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400[diff] [blame]192 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]193 return c_ret;
194}
195
196/*
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]197 * Globally defined info callback. This is called from OpenSSL internally.
198 * The GIL will not be held when this function is invoked. It must not be held
199 * when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]200 *
201 * Arguments: ssl - The Connection
202 * where - The part of the SSL code that called us
203 * _ret - The return code of the SSL function that called us
204 * Returns: None
205 */
206static void
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]207global_info_callback(const SSL *ssl, int where, int _ret)
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]208{
209 ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
210 PyObject *argv, *ret;
211
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]212 /*
213 * GIL isn't held yet. First things first - acquire it, or any Python API
214 * we invoke might segfault or blow up the sun. The reverse will be done
215 * before returning.
216 */
217 MY_END_ALLOW_THREADS(conn->tstate);
218
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]219 argv = Py_BuildValue("(Oii)", (PyObject *)conn, where, _ret);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]220 ret = PyEval_CallObject(conn->context->info_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]221 Py_DECREF(argv);
222
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]223 if (ret == NULL) {
224 /*
225 * XXX - This should be reported somehow. -exarkun
226 */
227 PyErr_Clear();
228 } else {
229 Py_DECREF(ret);
230 }
231
232 /*
233 * This function is returning into OpenSSL. Release the GIL again.
234 */
235 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]236 return;
237}
238
239
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]240static char ssl_Context_doc[] = "\n\
241Context(method) -> Context instance\n\
242\n\
243OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
244connections.\n\
245\n\
246@param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or\n\
247 TLSv1_METHOD.\n\
248";
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]249
250static char ssl_Context_load_verify_locations_doc[] = "\n\
251Let SSL know where we can find trusted certificates for the certificate\n\
252chain\n\
253\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]254@param cafile: In which file we can find the certificates\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]255@param capath: In which directory we can find the certificates\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]256@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]257";
258static PyObject *
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]259ssl_Context_load_verify_locations(ssl_ContextObj *self, PyObject *args) {
260 char *cafile = NULL;
261 char *capath = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]262
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]263 if (!PyArg_ParseTuple(args, "z|z:load_verify_locations", &cafile, &capath)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]264 return NULL;
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]265 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]266
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]267 if (!SSL_CTX_load_verify_locations(self->ctx, cafile, capath))
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]268 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]269 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]270 return NULL;
271 }
272 else
273 {
274 Py_INCREF(Py_None);
275 return Py_None;
276 }
277}
278
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]279static char ssl_Context_set_default_verify_paths_doc[] = "\n\
280Use the platform-specific CA certificate locations\n\
281\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]282@return: None\n\
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]283";
284static PyObject *
285ssl_Context_set_default_verify_paths(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400[diff] [blame]286 if (!PyArg_ParseTuple(args, ":set_default_verify_paths")) {
287 return NULL;
288 }
289
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400[diff] [blame]290 /*
291 * XXX Error handling for SSL_CTX_set_default_verify_paths is untested.
292 * -exarkun
293 */
294 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]295 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400[diff] [blame]296 return NULL;
297 }
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]298 Py_INCREF(Py_None);
299 return Py_None;
300};
301
302
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]303static char ssl_Context_set_passwd_cb_doc[] = "\n\
304Set the passphrase callback\n\
305\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]306@param callback: The Python callback to use\n\
307@param userdata: (optional) A Python object which will be given as\n\
308 argument to the callback\n\
309@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]310";
311static PyObject *
312ssl_Context_set_passwd_cb(ssl_ContextObj *self, PyObject *args)
313{
314 PyObject *callback = NULL, *userdata = Py_None;
315
316 if (!PyArg_ParseTuple(args, "O|O:set_passwd_cb", &callback, &userdata))
317 return NULL;
318
319 if (!PyCallable_Check(callback))
320 {
321 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
322 return NULL;
323 }
324
325 Py_DECREF(self->passphrase_callback);
326 Py_INCREF(callback);
327 self->passphrase_callback = callback;
328 SSL_CTX_set_default_passwd_cb(self->ctx, global_passphrase_callback);
329
330 Py_DECREF(self->passphrase_userdata);
331 Py_INCREF(userdata);
332 self->passphrase_userdata = userdata;
333 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, (void *)self);
334
335 Py_INCREF(Py_None);
336 return Py_None;
337}
338
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]339static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]340type_modified_error(const char *name) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]341 PyErr_Format(PyExc_RuntimeError,
342 "OpenSSL.crypto's '%s' attribute has been modified",
343 name);
344 return NULL;
345}
346
347static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]348import_crypto_type(const char *name, size_t objsize) {
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]349 PyObject *module, *type, *name_attr;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]350 PyTypeObject *res;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]351 int right_name;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]352
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]353 module = PyImport_ImportModule("OpenSSL.crypto");
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]354 if (module == NULL) {
355 return NULL;
356 }
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]357 type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]358 Py_DECREF(module);
359 if (type == NULL) {
360 return NULL;
361 }
362 if (!(PyType_Check(type))) {
363 Py_DECREF(type);
364 return type_modified_error(name);
365 }
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]366 name_attr = PyObject_GetAttrString(type, "__name__");
367 if (name_attr == NULL) {
368 Py_DECREF(type);
369 return NULL;
370 }
371 right_name = (PyString_CheckExact(name_attr) &&
372 strcmp(name, PyString_AsString(name_attr)) == 0);
373 Py_DECREF(name_attr);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]374 res = (PyTypeObject *)type;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]375 if (!right_name || res->tp_basicsize != objsize) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]376 Py_DECREF(type);
377 return type_modified_error(name);
378 }
379 return res;
380}
381
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]382static crypto_X509Obj *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]383parse_certificate_argument(const char* format, PyObject* args) {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]384 static PyTypeObject *crypto_X509_type = NULL;
385 crypto_X509Obj *cert;
386
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]387 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]388 crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]389 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]390 return NULL;
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]391 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]392 }
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]393 if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]394 crypto_X509_type, &cert)) {
395 return NULL;
396 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]397 return cert;
398}
399
400static char ssl_Context_add_extra_chain_cert_doc[] = "\n\
401Add certificate to chain\n\
402\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]403@param certobj: The X509 certificate object to add to the chain\n\
404@return: None\n\
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]405";
406
407static PyObject *
408ssl_Context_add_extra_chain_cert(ssl_ContextObj *self, PyObject *args)
409{
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]410 X509* cert_original;
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]411 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]412 "O!:add_extra_chain_cert", args);
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]413 if (cert == NULL)
414 {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]415 return NULL;
416 }
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]417 if (!(cert_original = X509_dup(cert->x509)))
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]418 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]419 /* exception_from_error_queue(ssl_Error); */
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]420 PyErr_SetString(PyExc_RuntimeError, "X509_dup failed");
421 return NULL;
422 }
423 if (!SSL_CTX_add_extra_chain_cert(self->ctx, cert_original))
424 {
425 X509_free(cert_original);
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]426 exception_from_error_queue(ssl_Error);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]427 return NULL;
428 }
429 else
430 {
431 Py_INCREF(Py_None);
432 return Py_None;
433 }
434}
435
436
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]437static char ssl_Context_use_certificate_chain_file_doc[] = "\n\
438Load a certificate chain from a file\n\
439\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]440@param certfile: The name of the certificate chain file\n\
441@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]442";
443static PyObject *
444ssl_Context_use_certificate_chain_file(ssl_ContextObj *self, PyObject *args)
445{
446 char *certfile;
447
448 if (!PyArg_ParseTuple(args, "s:use_certificate_chain_file", &certfile))
449 return NULL;
450
451 if (!SSL_CTX_use_certificate_chain_file(self->ctx, certfile))
452 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]453 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]454 return NULL;
455 }
456 else
457 {
458 Py_INCREF(Py_None);
459 return Py_None;
460 }
461}
462
463
464static char ssl_Context_use_certificate_file_doc[] = "\n\
465Load a certificate from a file\n\
466\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]467@param certfile: The name of the certificate file\n\
468@param filetype: (optional) The encoding of the file, default is PEM\n\
469@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]470";
471static PyObject *
472ssl_Context_use_certificate_file(ssl_ContextObj *self, PyObject *args)
473{
474 char *certfile;
475 int filetype = SSL_FILETYPE_PEM;
476
477 if (!PyArg_ParseTuple(args, "s|i:use_certificate_file", &certfile, &filetype))
478 return NULL;
479
480 if (!SSL_CTX_use_certificate_file(self->ctx, certfile, filetype))
481 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]482 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]483 return NULL;
484 }
485 else
486 {
487 Py_INCREF(Py_None);
488 return Py_None;
489 }
490}
491
492static char ssl_Context_use_certificate_doc[] = "\n\
493Load a certificate from a X509 object\n\
494\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]495@param cert: The X509 object\n\
496@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]497";
498static PyObject *
499ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args)
500{
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]501 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]502 "O!:use_certificate", args);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]503 if (cert == NULL) {
504 return NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]505 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]506
507 if (!SSL_CTX_use_certificate(self->ctx, cert->x509))
508 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]509 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]510 return NULL;
511 }
512 else
513 {
514 Py_INCREF(Py_None);
515 return Py_None;
516 }
517}
518
519static char ssl_Context_use_privatekey_file_doc[] = "\n\
520Load a private key from a file\n\
521\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]522@param keyfile: The name of the key file\n\
523@param filetype: (optional) The encoding of the file, default is PEM\n\
524@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]525";
526static PyObject *
527ssl_Context_use_privatekey_file(ssl_ContextObj *self, PyObject *args)
528{
529 char *keyfile;
530 int filetype = SSL_FILETYPE_PEM, ret;
531
532 if (!PyArg_ParseTuple(args, "s|i:use_privatekey_file", &keyfile, &filetype))
533 return NULL;
534
535 MY_BEGIN_ALLOW_THREADS(self->tstate);
536 ret = SSL_CTX_use_PrivateKey_file(self->ctx, keyfile, filetype);
537 MY_END_ALLOW_THREADS(self->tstate);
538
539 if (PyErr_Occurred())
540 {
541 flush_error_queue();
542 return NULL;
543 }
544
545 if (!ret)
546 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]547 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]548 return NULL;
549 }
550 else
551 {
552 Py_INCREF(Py_None);
553 return Py_None;
554 }
555}
556
557static char ssl_Context_use_privatekey_doc[] = "\n\
558Load a private key from a PKey object\n\
559\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]560@param pkey: The PKey object\n\
561@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]562";
563static PyObject *
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]564ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]565 static PyTypeObject *crypto_PKey_type = NULL;
566 crypto_PKeyObj *pkey;
567
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]568 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]569 crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]570 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]571 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]572 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]573 }
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]574 if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]575 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]576 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]577
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]578 if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]579 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]580 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]581 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]582 Py_INCREF(Py_None);
583 return Py_None;
584 }
585}
586
587static char ssl_Context_check_privatekey_doc[] = "\n\
588Check that the private key and certificate match up\n\
589\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]590@return: None (raises an exception if something's wrong)\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]591";
592static PyObject *
593ssl_Context_check_privatekey(ssl_ContextObj *self, PyObject *args)
594{
595 if (!PyArg_ParseTuple(args, ":check_privatekey"))
596 return NULL;
597
598 if (!SSL_CTX_check_private_key(self->ctx))
599 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]600 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]601 return NULL;
602 }
603 else
604 {
605 Py_INCREF(Py_None);
606 return Py_None;
607 }
608}
609
610static char ssl_Context_load_client_ca_doc[] = "\n\
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -0400[diff] [blame]611Load the trusted certificates that will be sent to the client (basically\n \
612telling the client \"These are the guys I trust\"). Does not actually\n\
613imply any of the certificates are trusted; that must be configured\n\
614separately.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]615\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]616@param cafile: The name of the certificates file\n\
617@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]618";
619static PyObject *
620ssl_Context_load_client_ca(ssl_ContextObj *self, PyObject *args)
621{
622 char *cafile;
623
624 if (!PyArg_ParseTuple(args, "s:load_client_ca", &cafile))
625 return NULL;
626
627 SSL_CTX_set_client_CA_list(self->ctx, SSL_load_client_CA_file(cafile));
628
629 Py_INCREF(Py_None);
630 return Py_None;
631}
632
633static char ssl_Context_set_session_id_doc[] = "\n\
634Set the session identifier, this is needed if you want to do session\n\
635resumption (which, ironically, isn't implemented yet)\n\
636\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]637@param buf: A Python object that can be safely converted to a string\n\
638@returns: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]639";
640static PyObject *
641ssl_Context_set_session_id(ssl_ContextObj *self, PyObject *args)
642{
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]643 unsigned char *buf;
644 unsigned int len;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]645
646 if (!PyArg_ParseTuple(args, "s#:set_session_id", &buf, &len))
647 return NULL;
648
649 if (!SSL_CTX_set_session_id_context(self->ctx, buf, len))
650 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]651 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]652 return NULL;
653 }
654 else
655 {
656 Py_INCREF(Py_None);
657 return Py_None;
658 }
659}
660
661static char ssl_Context_set_verify_doc[] = "\n\
662Set the verify mode and verify callback\n\
663\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]664@param mode: The verify mode, this is either VERIFY_NONE or\n\
665 VERIFY_PEER combined with possible other flags\n\
666@param callback: The Python callback to use\n\
667@return: None\n\
Jean-Paul Calderone24aedf42008-03-06 22:01:16 -0500[diff] [blame]668\n\
669See SSL_CTX_set_verify(3SSL) for further details.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]670";
671static PyObject *
672ssl_Context_set_verify(ssl_ContextObj *self, PyObject *args)
673{
674 int mode;
675 PyObject *callback = NULL;
676
677 if (!PyArg_ParseTuple(args, "iO:set_verify", &mode, &callback))
678 return NULL;
679
680 if (!PyCallable_Check(callback))
681 {
682 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
683 return NULL;
684 }
685
686 Py_DECREF(self->verify_callback);
687 Py_INCREF(callback);
688 self->verify_callback = callback;
689 SSL_CTX_set_verify(self->ctx, mode, global_verify_callback);
690
691 Py_INCREF(Py_None);
692 return Py_None;
693}
694
695static char ssl_Context_set_verify_depth_doc[] = "\n\
696Set the verify depth\n\
697\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]698@param depth: An integer specifying the verify depth\n\
699@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]700";
701static PyObject *
702ssl_Context_set_verify_depth(ssl_ContextObj *self, PyObject *args)
703{
704 int depth;
705
706 if (!PyArg_ParseTuple(args, "i:set_verify_depth", &depth))
707 return NULL;
708
709 SSL_CTX_set_verify_depth(self->ctx, depth);
710 Py_INCREF(Py_None);
711 return Py_None;
712}
713
714static char ssl_Context_get_verify_mode_doc[] = "\n\
715Get the verify mode\n\
716\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]717@return: The verify mode\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]718";
719static PyObject *
720ssl_Context_get_verify_mode(ssl_ContextObj *self, PyObject *args)
721{
722 int mode;
723
724 if (!PyArg_ParseTuple(args, ":get_verify_mode"))
725 return NULL;
726
727 mode = SSL_CTX_get_verify_mode(self->ctx);
728 return PyInt_FromLong((long)mode);
729}
730
731static char ssl_Context_get_verify_depth_doc[] = "\n\
732Get the verify depth\n\
733\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]734@return: The verify depth\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]735";
736static PyObject *
737ssl_Context_get_verify_depth(ssl_ContextObj *self, PyObject *args)
738{
739 int depth;
740
741 if (!PyArg_ParseTuple(args, ":get_verify_depth"))
742 return NULL;
743
744 depth = SSL_CTX_get_verify_depth(self->ctx);
745 return PyInt_FromLong((long)depth);
746}
747
748static char ssl_Context_load_tmp_dh_doc[] = "\n\
749Load parameters for Ephemeral Diffie-Hellman\n\
750\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]751@param dhfile: The file to load EDH parameters from\n\
752@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]753";
754static PyObject *
755ssl_Context_load_tmp_dh(ssl_ContextObj *self, PyObject *args)
756{
757 char *dhfile;
758 BIO *bio;
759 DH *dh;
760
761 if (!PyArg_ParseTuple(args, "s:load_tmp_dh", &dhfile))
762 return NULL;
763
764 bio = BIO_new_file(dhfile, "r");
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -0400[diff] [blame^]765 if (bio == NULL) {
766 exception_from_error_queue(ssl_Error);
767 return NULL;
768 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]769
770 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
771 SSL_CTX_set_tmp_dh(self->ctx, dh);
772 DH_free(dh);
773 BIO_free(bio);
774
775 Py_INCREF(Py_None);
776 return Py_None;
777}
778
779static char ssl_Context_set_cipher_list_doc[] = "\n\
780Change the cipher list\n\
781\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]782@param cipher_list: A cipher list, see ciphers(1)\n\
783@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]784";
785static PyObject *
786ssl_Context_set_cipher_list(ssl_ContextObj *self, PyObject *args)
787{
788 char *cipher_list;
789
790 if (!PyArg_ParseTuple(args, "s:set_cipher_list", &cipher_list))
791 return NULL;
792
793 if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list))
794 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]795 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]796 return NULL;
797 }
798 else
799 {
800 Py_INCREF(Py_None);
801 return Py_None;
802 }
803}
804
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]805static char ssl_Context_set_client_ca_list_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]806Set the list of preferred client certificate signers for this server context.\n\
807\n\
808This list of certificate authorities will be sent to the client when the\n\
809server requests a client certificate.\n\
810\n\
811@param certificate_authorities: a sequence of X509Names.\n\
812@return: None\n\
813";
814
815static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]816ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]817{
818 static PyTypeObject *X509NameType;
819 PyObject *sequence, *tuple, *item;
820 crypto_X509NameObj *name;
821 X509_NAME *sslname;
822 STACK_OF(X509_NAME) *CANames;
823 Py_ssize_t length;
824 int i;
825
826 if (X509NameType == NULL) {
827 X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
828 if (X509NameType == NULL) {
829 return NULL;
830 }
831 }
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]832 if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) {
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]833 return NULL;
834 }
835 tuple = PySequence_Tuple(sequence);
836 if (tuple == NULL) {
837 return NULL;
838 }
839 length = PyTuple_Size(tuple);
840 if (length >= INT_MAX) {
841 PyErr_SetString(PyExc_ValueError, "client CA list is too long");
842 Py_DECREF(tuple);
843 return NULL;
844 }
845 CANames = sk_X509_NAME_new_null();
846 if (CANames == NULL) {
847 Py_DECREF(tuple);
848 exception_from_error_queue(ssl_Error);
849 return NULL;
850 }
851 for (i = 0; i < length; i++) {
852 item = PyTuple_GetItem(tuple, i);
853 if (item->ob_type != X509NameType) {
854 PyErr_Format(PyExc_TypeError,
855 "client CAs must be X509Name objects, not %s objects",
856 item->ob_type->tp_name);
857 sk_X509_NAME_free(CANames);
858 Py_DECREF(tuple);
859 return NULL;
860 }
861 name = (crypto_X509NameObj *)item;
862 sslname = X509_NAME_dup(name->x509_name);
863 if (sslname == NULL) {
864 sk_X509_NAME_free(CANames);
865 Py_DECREF(tuple);
866 exception_from_error_queue(ssl_Error);
867 return NULL;
868 }
869 if (!sk_X509_NAME_push(CANames, sslname)) {
870 X509_NAME_free(sslname);
871 sk_X509_NAME_free(CANames);
872 Py_DECREF(tuple);
873 exception_from_error_queue(ssl_Error);
874 return NULL;
875 }
876 }
877 Py_DECREF(tuple);
878 SSL_CTX_set_client_CA_list(self->ctx, CANames);
879 Py_INCREF(Py_None);
880 return Py_None;
881}
882
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]883static char ssl_Context_add_client_ca_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]884Add the CA certificate to the list of preferred signers for this context.\n\
885\n\
886The list of certificate authorities will be sent to the client when the\n\
887server requests a client certificate.\n\
888\n\
889@param certificate_authority: certificate authority's X509 certificate.\n\
890@return: None\n\
891";
892
893static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]894ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]895{
896 crypto_X509Obj *cert;
897
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]898 cert = parse_certificate_argument("O!:add_client_ca", args);
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]899 if (cert == NULL) {
900 return NULL;
901 }
902 if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
903 exception_from_error_queue(ssl_Error);
904 return NULL;
905 }
906 Py_INCREF(Py_None);
907 return Py_None;
908}
909
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]910static char ssl_Context_set_timeout_doc[] = "\n\
911Set session timeout\n\
912\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]913@param timeout: The timeout in seconds\n\
914@return: The previous session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]915";
916static PyObject *
917ssl_Context_set_timeout(ssl_ContextObj *self, PyObject *args)
918{
919 long t, ret;
920
921 if (!PyArg_ParseTuple(args, "l:set_timeout", &t))
922 return NULL;
923
924 ret = SSL_CTX_set_timeout(self->ctx, t);
925 return PyLong_FromLong(ret);
926}
927
928static char ssl_Context_get_timeout_doc[] = "\n\
929Get the session timeout\n\
930\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]931@return: The session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]932";
933static PyObject *
934ssl_Context_get_timeout(ssl_ContextObj *self, PyObject *args)
935{
936 long ret;
937
938 if (!PyArg_ParseTuple(args, ":get_timeout"))
939 return NULL;
940
941 ret = SSL_CTX_get_timeout(self->ctx);
942 return PyLong_FromLong(ret);
943}
944
945static char ssl_Context_set_info_callback_doc[] = "\n\
946Set the info callback\n\
947\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]948@param callback: The Python callback to use\n\
949@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]950";
951static PyObject *
952ssl_Context_set_info_callback(ssl_ContextObj *self, PyObject *args)
953{
954 PyObject *callback;
955
956 if (!PyArg_ParseTuple(args, "O:set_info_callback", &callback))
957 return NULL;
958
959 if (!PyCallable_Check(callback))
960 {
961 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
962 return NULL;
963 }
964
965 Py_DECREF(self->info_callback);
966 Py_INCREF(callback);
967 self->info_callback = callback;
968 SSL_CTX_set_info_callback(self->ctx, global_info_callback);
969
970 Py_INCREF(Py_None);
971 return Py_None;
972}
973
974static char ssl_Context_get_app_data_doc[] = "\n\
975Get the application data (supplied via set_app_data())\n\
976\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]977@return: The application data\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]978";
979static PyObject *
980ssl_Context_get_app_data(ssl_ContextObj *self, PyObject *args)
981{
982 if (!PyArg_ParseTuple(args, ":get_app_data"))
983 return NULL;
984
985 Py_INCREF(self->app_data);
986 return self->app_data;
987}
988
989static char ssl_Context_set_app_data_doc[] = "\n\
990Set the application data (will be returned from get_app_data())\n\
991\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]992@param data: Any Python object\n\
993@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]994";
995static PyObject *
996ssl_Context_set_app_data(ssl_ContextObj *self, PyObject *args)
997{
998 PyObject *data;
999
1000 if (!PyArg_ParseTuple(args, "O:set_app_data", &data))
1001 return NULL;
1002
1003 Py_DECREF(self->app_data);
1004 Py_INCREF(data);
1005 self->app_data = data;
1006
1007 Py_INCREF(Py_None);
1008 return Py_None;
1009}
1010
1011static char ssl_Context_get_cert_store_doc[] = "\n\
1012Get the certificate store for the context\n\
1013\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1014@return: A X509Store object\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1015";
1016static PyObject *
1017ssl_Context_get_cert_store(ssl_ContextObj *self, PyObject *args)
1018{
1019 X509_STORE *store;
1020
1021 if (!PyArg_ParseTuple(args, ":get_cert_store"))
1022 return NULL;
1023
1024 if ((store = SSL_CTX_get_cert_store(self->ctx)) == NULL)
1025 {
1026 Py_INCREF(Py_None);
1027 return Py_None;
1028 }
1029 else
1030 {
1031 return (PyObject *)crypto_X509Store_New(store, 0);
1032 }
1033}
1034
1035static char ssl_Context_set_options_doc[] = "\n\
1036Add options. Options set before are not cleared!\n\
1037\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1038@param options: The options to add.\n\
1039@return: The new option bitmask.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1040";
1041static PyObject *
1042ssl_Context_set_options(ssl_ContextObj *self, PyObject *args)
1043{
1044 long options;
1045
1046 if (!PyArg_ParseTuple(args, "l:set_options", &options))
1047 return NULL;
1048
1049 return PyInt_FromLong(SSL_CTX_set_options(self->ctx, options));
1050}
1051
1052
1053/*
1054 * Member methods in the Context object
1055 * ADD_METHOD(name) expands to a correct PyMethodDef declaration
1056 * { 'name', (PyCFunction)ssl_Context_name, METH_VARARGS }
1057 * for convenience
1058 * ADD_ALIAS(name,real) creates an "alias" of the ssl_Context_real
1059 * function with the name 'name'
1060 */
1061#define ADD_METHOD(name) { #name, (PyCFunction)ssl_Context_##name, METH_VARARGS, ssl_Context_##name##_doc }
1062static PyMethodDef ssl_Context_methods[] = {
1063 ADD_METHOD(load_verify_locations),
1064 ADD_METHOD(set_passwd_cb),
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]1065 ADD_METHOD(set_default_verify_paths),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1066 ADD_METHOD(use_certificate_chain_file),
1067 ADD_METHOD(use_certificate_file),
1068 ADD_METHOD(use_certificate),
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]1069 ADD_METHOD(add_extra_chain_cert),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1070 ADD_METHOD(use_privatekey_file),
1071 ADD_METHOD(use_privatekey),
1072 ADD_METHOD(check_privatekey),
1073 ADD_METHOD(load_client_ca),
1074 ADD_METHOD(set_session_id),
1075 ADD_METHOD(set_verify),
1076 ADD_METHOD(set_verify_depth),
1077 ADD_METHOD(get_verify_mode),
1078 ADD_METHOD(get_verify_depth),
1079 ADD_METHOD(load_tmp_dh),
1080 ADD_METHOD(set_cipher_list),
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]1081 ADD_METHOD(set_client_ca_list),
1082 ADD_METHOD(add_client_ca),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1083 ADD_METHOD(set_timeout),
1084 ADD_METHOD(get_timeout),
1085 ADD_METHOD(set_info_callback),
1086 ADD_METHOD(get_app_data),
1087 ADD_METHOD(set_app_data),
1088 ADD_METHOD(get_cert_store),
1089 ADD_METHOD(set_options),
1090 { NULL, NULL }
1091};
1092#undef ADD_METHOD
1093
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1094/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1095 * Despite the name which might suggest otherwise, this is not the tp_init for
1096 * the Context type. It's just the common initialization code shared by the
1097 * two _{Nn}ew functions below.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1098 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1099static ssl_ContextObj*
1100ssl_Context_init(ssl_ContextObj *self, int i_method) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1101 SSL_METHOD *method;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1102
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1103 switch (i_method) {
1104 case ssl_SSLv2_METHOD:
1105 method = SSLv2_method();
1106 break;
1107 case ssl_SSLv23_METHOD:
1108 method = SSLv23_method();
1109 break;
1110 case ssl_SSLv3_METHOD:
1111 method = SSLv3_method();
1112 break;
1113 case ssl_TLSv1_METHOD:
1114 method = TLSv1_method();
1115 break;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1116 default:
1117 PyErr_SetString(PyExc_ValueError, "No such protocol");
1118 return NULL;
1119 }
1120
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1121 self->ctx = SSL_CTX_new(method);
1122 Py_INCREF(Py_None);
1123 self->passphrase_callback = Py_None;
1124 Py_INCREF(Py_None);
1125 self->verify_callback = Py_None;
1126 Py_INCREF(Py_None);
1127 self->info_callback = Py_None;
1128
1129 Py_INCREF(Py_None);
1130 self->passphrase_userdata = Py_None;
1131
1132 Py_INCREF(Py_None);
1133 self->app_data = Py_None;
1134
1135 /* Some initialization that's required to operate smoothly in Python */
1136 SSL_CTX_set_app_data(self->ctx, self);
1137 SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
1138 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1139 SSL_MODE_AUTO_RETRY);
1140
1141 self->tstate = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1142
1143 return self;
1144}
1145
1146/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1147 * This one is exposed in the CObject API. I want to deprecate it.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1148 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1149ssl_ContextObj*
1150ssl_Context_New(int i_method) {
1151 ssl_ContextObj *self;
1152
1153 self = PyObject_GC_New(ssl_ContextObj, &ssl_Context_Type);
1154 if (self == NULL) {
1155 return (ssl_ContextObj *)PyErr_NoMemory();
1156 }
1157 self = ssl_Context_init(self, i_method);
1158 PyObject_GC_Track((PyObject *)self);
1159 return self;
1160}
1161
1162
1163/*
1164 * This one is the tp_new of the Context type. It's great.
1165 */
1166static PyObject*
1167ssl_Context_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
1168 int i_method;
1169 ssl_ContextObj *self;
1170 static char *kwlist[] = {"method", NULL};
1171
1172 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i:Context", kwlist, &i_method)) {
1173 return NULL;
1174 }
1175
1176 self = (ssl_ContextObj *)subtype->tp_alloc(subtype, 1);
1177 if (self == NULL) {
1178 return NULL;
1179 }
1180
1181 return (PyObject *)ssl_Context_init(self, i_method);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1182}
1183
1184/*
1185 * Call the visitproc on all contained objects.
1186 *
1187 * Arguments: self - The Context object
1188 * visit - Function to call
1189 * arg - Extra argument to visit
1190 * Returns: 0 if all goes well, otherwise the return code from the first
1191 * call that gave non-zero result.
1192 */
1193static int
1194ssl_Context_traverse(ssl_ContextObj *self, visitproc visit, void *arg)
1195{
1196 int ret = 0;
1197
1198 if (ret == 0 && self->passphrase_callback != NULL)
1199 ret = visit((PyObject *)self->passphrase_callback, arg);
1200 if (ret == 0 && self->passphrase_userdata != NULL)
1201 ret = visit((PyObject *)self->passphrase_userdata, arg);
1202 if (ret == 0 && self->verify_callback != NULL)
1203 ret = visit((PyObject *)self->verify_callback, arg);
1204 if (ret == 0 && self->info_callback != NULL)
1205 ret = visit((PyObject *)self->info_callback, arg);
1206 if (ret == 0 && self->app_data != NULL)
1207 ret = visit(self->app_data, arg);
1208 return ret;
1209}
1210
1211/*
1212 * Decref all contained objects and zero the pointers.
1213 *
1214 * Arguments: self - The Context object
1215 * Returns: Always 0.
1216 */
1217static int
1218ssl_Context_clear(ssl_ContextObj *self)
1219{
1220 Py_XDECREF(self->passphrase_callback);
1221 self->passphrase_callback = NULL;
1222 Py_XDECREF(self->passphrase_userdata);
1223 self->passphrase_userdata = NULL;
1224 Py_XDECREF(self->verify_callback);
1225 self->verify_callback = NULL;
1226 Py_XDECREF(self->info_callback);
1227 self->info_callback = NULL;
1228 Py_XDECREF(self->app_data);
1229 self->app_data = NULL;
1230 return 0;
1231}
1232
1233/*
1234 * Deallocate the memory used by the Context object
1235 *
1236 * Arguments: self - The Context object
1237 * Returns: None
1238 */
1239static void
1240ssl_Context_dealloc(ssl_ContextObj *self)
1241{
1242 PyObject_GC_UnTrack((PyObject *)self);
1243 SSL_CTX_free(self->ctx);
1244 ssl_Context_clear(self);
1245 PyObject_GC_Del(self);
1246}
1247
1248
1249PyTypeObject ssl_Context_Type = {
1250 PyObject_HEAD_INIT(NULL)
1251 0,
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1252 "OpenSSL.SSL.Context",
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1253 sizeof(ssl_ContextObj),
1254 0,
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1255 (destructor)ssl_Context_dealloc, /* tp_dealloc */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1256 NULL, /* print */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1257 NULL, /* tp_getattr */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1258 NULL, /* setattr */
1259 NULL, /* compare */
1260 NULL, /* repr */
1261 NULL, /* as_number */
1262 NULL, /* as_sequence */
1263 NULL, /* as_mapping */
1264 NULL, /* hash */
1265 NULL, /* call */
1266 NULL, /* str */
1267 NULL, /* getattro */
1268 NULL, /* setattro */
1269 NULL, /* as_buffer */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1270 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC | Py_TPFLAGS_BASETYPE, /* tp_flags */
1271 ssl_Context_doc, /* tp_doc */
1272 (traverseproc)ssl_Context_traverse, /* tp_traverse */
1273 (inquiry)ssl_Context_clear, /* tp_clear */
1274 NULL, /* tp_richcompare */
1275 0, /* tp_weaklistoffset */
1276 NULL, /* tp_iter */
1277 NULL, /* tp_iternext */
1278 ssl_Context_methods, /* tp_methods */
1279 NULL, /* tp_members */
1280 NULL, /* tp_getset */
1281 NULL, /* tp_base */
1282 NULL, /* tp_dict */
1283 NULL, /* tp_descr_get */
1284 NULL, /* tp_descr_set */
1285 0, /* tp_dictoffset */
1286 NULL, /* tp_init */
1287 NULL, /* tp_alloc */
1288 ssl_Context_new, /* tp_new */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1289};
1290
1291
1292/*
1293 * Initialize the Context part of the SSL sub module
1294 *
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1295 * Arguments: dict - The OpenSSL.SSL module
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1296 * Returns: 1 for success, 0 otherwise
1297 */
1298int
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1299init_ssl_context(PyObject *module) {
1300
1301 if (PyType_Ready(&ssl_Context_Type) < 0) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1302 return 0;
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1303 }
1304
1305 if (PyModule_AddObject(module, "Context", (PyObject *)&ssl_Context_Type) < 0) {
1306 return 0;
1307 }
1308
1309 if (PyModule_AddObject(module, "ContextType", (PyObject *)&ssl_Context_Type) < 0) {
1310 return 0;
1311 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1312
1313 return 1;
1314}
1315