Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 9e4eeae807667e5ee5e5175f05ee3cea8e1beb7f / . / OpenSSL / ssl / context.c
blob: d6c844bba81da83eae028495843f1ebcefdf2a83 [file] [log] [blame]
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1/*
2 * context.c
3 *
4 * Copyright (C) AB Strakt 2001, All rights reserved
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -0400[diff] [blame]5 * Copyright (C) Jean-Paul Calderone 2008, All rights reserved
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]6 *
7 * SSL Context objects and their methods.
8 * See the file RATIONALE for a short explanation of why this module was written.
9 *
10 * Reviewed 2001-07-23
11 */
12#include <Python.h>
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -0500[diff] [blame]13
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]14#if PY_VERSION_HEX >= 0x02050000
15# define PYARG_PARSETUPLE_FORMAT const char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]16# define PYOBJECT_GETATTRSTRING_TYPE const char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]17#else
18# define PYARG_PARSETUPLE_FORMAT char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]19# define PYOBJECT_GETATTRSTRING_TYPE char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]20#endif
21
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -0500[diff] [blame]22#ifndef MS_WINDOWS
23# include <sys/socket.h>
24# include <netinet/in.h>
25# if !(defined(__BEOS__) || defined(__CYGWIN__))
26# include <netinet/tcp.h>
27# endif
28#else
29# include <winsock.h>
30# include <wincrypt.h>
31#endif
32
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]33#define SSL_MODULE
34#include "ssl.h"
35
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]36/*
37 * CALLBACKS
38 *
39 * Callbacks work like this: We provide a "global" callback in C which
40 * transforms the arguments into a Python argument tuple and calls the
41 * corresponding Python callback, and then parsing the return value back into
42 * things the C function can return.
43 *
44 * Three caveats:
45 * + How do we find the Context object where the Python callbacks are stored?
46 * + What about multithreading and execution frames?
47 * + What about Python callbacks that raise exceptions?
48 *
49 * The solution to the first issue is trivial if the callback provides
50 * "userdata" functionality. Since the only callbacks that don't provide
51 * userdata do provide a pointer to an SSL structure, we can associate an SSL
52 * object and a Connection one-to-one via the SSL_set/get_app_data()
53 * functions.
54 *
55 * The solution to the other issue is to rewrite the Py_BEGIN_ALLOW_THREADS
56 * macro allowing it (or rather a new macro) to specify where to save the
57 * thread state (in our case, as a member of the Connection/Context object) so
58 * we can retrieve it again before calling the Python callback.
59 */
60
61/*
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]62 * Globally defined passphrase callback. This is called from OpenSSL
63 * internally. The GIL will not be held when this function is invoked. It
64 * must not be held when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]65 *
66 * Arguments: buf - Buffer to store the returned passphrase in
67 * maxlen - Maximum length of the passphrase
68 * verify - If true, the passphrase callback should ask for a
69 * password twice and verify they're equal. If false, only
70 * ask once.
71 * arg - User data, always a Context object
72 * Returns: The length of the password if successful, 0 otherwise
73 */
74static int
75global_passphrase_callback(char *buf, int maxlen, int verify, void *arg)
76{
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]77 /*
78 * Initialize len here because we're always going to return it, and we
79 * might jump to the return before it gets initialized in any other way.
80 */
81 int len = 0;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]82 char *str;
83 PyObject *argv, *ret = NULL;
84 ssl_ContextObj *ctx = (ssl_ContextObj *)arg;
85
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]86 /*
87 * GIL isn't held yet. First things first - acquire it, or any Python API
88 * we invoke might segfault or blow up the sun. The reverse will be done
89 * before returning.
90 */
91 MY_END_ALLOW_THREADS(ctx->tstate);
92
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]93 /* The Python callback is called with a (maxlen,verify,userdata) tuple */
94 argv = Py_BuildValue("(iiO)", maxlen, verify, ctx->passphrase_userdata);
95
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]96 /*
97 * XXX Didn't check argv to see if it was NULL. -exarkun
98 */
99 ret = PyEval_CallObject(ctx->passphrase_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]100 Py_DECREF(argv);
101
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]102 if (ret == NULL) {
103 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]104 * The callback raised an exception. It will be raised by whatever
105 * Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]106 */
107 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]108 }
109
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]110 if (!PyObject_IsTrue(ret)) {
111 /*
112 * Returned "", or None, or something. Treat it as no passphrase.
113 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]114 Py_DECREF(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]115 goto out;
116 }
117
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]118 if (!PyBytes_Check(ret)) {
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]119 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]120 * XXX Returned something that wasn't a string. This is bogus. We'll
121 * return 0 and OpenSSL will treat it as an error, resulting in an
122 * exception from whatever Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]123 */
124 Py_DECREF(ret);
125 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]126 }
127
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]128 len = PyBytes_Size(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]129 if (len > maxlen) {
130 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400[diff] [blame]131 * Returned more than we said they were allowed to return. Just
132 * truncate it. Might be better to raise an exception,
133 * instead. -exarkun
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]134 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]135 len = maxlen;
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]136 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]137
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]138 str = PyBytes_AsString(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]139 strncpy(buf, str, len);
140 Py_XDECREF(ret);
141
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]142 out:
143 /*
144 * This function is returning into OpenSSL. Release the GIL again.
145 */
146 MY_BEGIN_ALLOW_THREADS(ctx->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]147 return len;
148}
149
150/*
151 * Globally defined verify callback
152 *
153 * Arguments: ok - True everything is OK "so far", false otherwise
154 * x509_ctx - Contains the certificate being checked, the current
155 * error number and depth, and the Connection we're
156 * dealing with
157 * Returns: True if everything is okay, false otherwise
158 */
159static int
160global_verify_callback(int ok, X509_STORE_CTX *x509_ctx)
161{
162 PyObject *argv, *ret;
163 SSL *ssl;
164 ssl_ConnectionObj *conn;
165 crypto_X509Obj *cert;
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]166 int errnum, errdepth, c_ret;
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]167
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]168 // Get Connection object to check thread state
169 ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx);
170 conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]171
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400[diff] [blame]172 MY_END_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]173
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]174 cert = crypto_X509_New(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
175 errnum = X509_STORE_CTX_get_error(x509_ctx);
176 errdepth = X509_STORE_CTX_get_error_depth(x509_ctx);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]177
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]178 argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert,
179 errnum, errdepth, ok);
180 Py_DECREF(cert);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]181 ret = PyEval_CallObject(conn->context->verify_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]182 Py_DECREF(argv);
183
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]184 if (ret != NULL && PyObject_IsTrue(ret)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]185 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]186 Py_DECREF(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]187 c_ret = 1;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]188 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]189 c_ret = 0;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]190 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]191
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400[diff] [blame]192 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]193 return c_ret;
194}
195
196/*
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]197 * Globally defined info callback. This is called from OpenSSL internally.
198 * The GIL will not be held when this function is invoked. It must not be held
199 * when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]200 *
201 * Arguments: ssl - The Connection
202 * where - The part of the SSL code that called us
203 * _ret - The return code of the SSL function that called us
204 * Returns: None
205 */
206static void
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]207global_info_callback(const SSL *ssl, int where, int _ret)
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]208{
209 ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
210 PyObject *argv, *ret;
211
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]212 /*
213 * GIL isn't held yet. First things first - acquire it, or any Python API
214 * we invoke might segfault or blow up the sun. The reverse will be done
215 * before returning.
216 */
217 MY_END_ALLOW_THREADS(conn->tstate);
218
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]219 argv = Py_BuildValue("(Oii)", (PyObject *)conn, where, _ret);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]220 ret = PyEval_CallObject(conn->context->info_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]221 Py_DECREF(argv);
222
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]223 if (ret == NULL) {
224 /*
225 * XXX - This should be reported somehow. -exarkun
226 */
227 PyErr_Clear();
228 } else {
229 Py_DECREF(ret);
230 }
231
232 /*
233 * This function is returning into OpenSSL. Release the GIL again.
234 */
235 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]236 return;
237}
238
239
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]240static char ssl_Context_doc[] = "\n\
241Context(method) -> Context instance\n\
242\n\
243OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
244connections.\n\
245\n\
246@param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or\n\
247 TLSv1_METHOD.\n\
248";
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]249
250static char ssl_Context_load_verify_locations_doc[] = "\n\
251Let SSL know where we can find trusted certificates for the certificate\n\
252chain\n\
253\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]254@param cafile: In which file we can find the certificates\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]255@param capath: In which directory we can find the certificates\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]256@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]257";
258static PyObject *
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]259ssl_Context_load_verify_locations(ssl_ContextObj *self, PyObject *args) {
260 char *cafile = NULL;
261 char *capath = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]262
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]263 if (!PyArg_ParseTuple(args, "z|z:load_verify_locations", &cafile, &capath)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]264 return NULL;
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]265 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]266
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]267 if (!SSL_CTX_load_verify_locations(self->ctx, cafile, capath))
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]268 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]269 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]270 return NULL;
271 }
272 else
273 {
274 Py_INCREF(Py_None);
275 return Py_None;
276 }
277}
278
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]279static char ssl_Context_set_default_verify_paths_doc[] = "\n\
280Use the platform-specific CA certificate locations\n\
281\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]282@return: None\n\
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]283";
284static PyObject *
285ssl_Context_set_default_verify_paths(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400[diff] [blame]286 if (!PyArg_ParseTuple(args, ":set_default_verify_paths")) {
287 return NULL;
288 }
289
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400[diff] [blame]290 /*
291 * XXX Error handling for SSL_CTX_set_default_verify_paths is untested.
292 * -exarkun
293 */
294 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]295 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400[diff] [blame]296 return NULL;
297 }
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]298 Py_INCREF(Py_None);
299 return Py_None;
300};
301
302
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]303static char ssl_Context_set_passwd_cb_doc[] = "\n\
304Set the passphrase callback\n\
305\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]306@param callback: The Python callback to use\n\
307@param userdata: (optional) A Python object which will be given as\n\
308 argument to the callback\n\
309@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]310";
311static PyObject *
312ssl_Context_set_passwd_cb(ssl_ContextObj *self, PyObject *args)
313{
314 PyObject *callback = NULL, *userdata = Py_None;
315
316 if (!PyArg_ParseTuple(args, "O|O:set_passwd_cb", &callback, &userdata))
317 return NULL;
318
319 if (!PyCallable_Check(callback))
320 {
321 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
322 return NULL;
323 }
324
325 Py_DECREF(self->passphrase_callback);
326 Py_INCREF(callback);
327 self->passphrase_callback = callback;
328 SSL_CTX_set_default_passwd_cb(self->ctx, global_passphrase_callback);
329
330 Py_DECREF(self->passphrase_userdata);
331 Py_INCREF(userdata);
332 self->passphrase_userdata = userdata;
333 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, (void *)self);
334
335 Py_INCREF(Py_None);
336 return Py_None;
337}
338
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]339static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]340type_modified_error(const char *name) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]341 PyErr_Format(PyExc_RuntimeError,
342 "OpenSSL.crypto's '%s' attribute has been modified",
343 name);
344 return NULL;
345}
346
347static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]348import_crypto_type(const char *name, size_t objsize) {
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]349 PyObject *module, *type, *name_attr;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]350 PyTypeObject *res;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]351 int right_name;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]352
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]353 module = PyImport_ImportModule("OpenSSL.crypto");
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]354 if (module == NULL) {
355 return NULL;
356 }
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]357 type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]358 Py_DECREF(module);
359 if (type == NULL) {
360 return NULL;
361 }
362 if (!(PyType_Check(type))) {
363 Py_DECREF(type);
364 return type_modified_error(name);
365 }
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]366 name_attr = PyObject_GetAttrString(type, "__name__");
367 if (name_attr == NULL) {
368 Py_DECREF(type);
369 return NULL;
370 }
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400[diff] [blame]371
372#ifdef PY3
373 {
374 PyObject* asciiname = PyUnicode_AsASCIIString(name_attr);
375 Py_DECREF(name_attr);
376 name_attr = asciiname;
377 }
378#endif
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400[diff] [blame^]379 right_name = (PyBytes_CheckExact(name_attr) &&
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400[diff] [blame]380 strcmp(name, PyBytes_AsString(name_attr)) == 0);
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]381 Py_DECREF(name_attr);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]382 res = (PyTypeObject *)type;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200[diff] [blame]383 if (!right_name || res->tp_basicsize != objsize) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]384 Py_DECREF(type);
385 return type_modified_error(name);
386 }
387 return res;
388}
389
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]390static crypto_X509Obj *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]391parse_certificate_argument(const char* format, PyObject* args) {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]392 static PyTypeObject *crypto_X509_type = NULL;
393 crypto_X509Obj *cert;
394
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]395 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]396 crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]397 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]398 return NULL;
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]399 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]400 }
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]401 if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400[diff] [blame]402 crypto_X509_type, &cert)) {
403 return NULL;
404 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]405 return cert;
406}
407
408static char ssl_Context_add_extra_chain_cert_doc[] = "\n\
409Add certificate to chain\n\
410\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]411@param certobj: The X509 certificate object to add to the chain\n\
412@return: None\n\
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]413";
414
415static PyObject *
416ssl_Context_add_extra_chain_cert(ssl_ContextObj *self, PyObject *args)
417{
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]418 X509* cert_original;
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]419 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]420 "O!:add_extra_chain_cert", args);
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]421 if (cert == NULL)
422 {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]423 return NULL;
424 }
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]425 if (!(cert_original = X509_dup(cert->x509)))
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]426 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]427 /* exception_from_error_queue(ssl_Error); */
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500[diff] [blame]428 PyErr_SetString(PyExc_RuntimeError, "X509_dup failed");
429 return NULL;
430 }
431 if (!SSL_CTX_add_extra_chain_cert(self->ctx, cert_original))
432 {
433 X509_free(cert_original);
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]434 exception_from_error_queue(ssl_Error);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]435 return NULL;
436 }
437 else
438 {
439 Py_INCREF(Py_None);
440 return Py_None;
441 }
442}
443
444
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]445static char ssl_Context_use_certificate_chain_file_doc[] = "\n\
446Load a certificate chain from a file\n\
447\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]448@param certfile: The name of the certificate chain file\n\
449@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]450";
451static PyObject *
452ssl_Context_use_certificate_chain_file(ssl_ContextObj *self, PyObject *args)
453{
454 char *certfile;
455
456 if (!PyArg_ParseTuple(args, "s:use_certificate_chain_file", &certfile))
457 return NULL;
458
459 if (!SSL_CTX_use_certificate_chain_file(self->ctx, certfile))
460 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]461 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]462 return NULL;
463 }
464 else
465 {
466 Py_INCREF(Py_None);
467 return Py_None;
468 }
469}
470
471
472static char ssl_Context_use_certificate_file_doc[] = "\n\
473Load a certificate from a file\n\
474\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]475@param certfile: The name of the certificate file\n\
476@param filetype: (optional) The encoding of the file, default is PEM\n\
477@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]478";
479static PyObject *
480ssl_Context_use_certificate_file(ssl_ContextObj *self, PyObject *args)
481{
482 char *certfile;
483 int filetype = SSL_FILETYPE_PEM;
484
485 if (!PyArg_ParseTuple(args, "s|i:use_certificate_file", &certfile, &filetype))
486 return NULL;
487
488 if (!SSL_CTX_use_certificate_file(self->ctx, certfile, filetype))
489 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]490 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]491 return NULL;
492 }
493 else
494 {
495 Py_INCREF(Py_None);
496 return Py_None;
497 }
498}
499
500static char ssl_Context_use_certificate_doc[] = "\n\
501Load a certificate from a X509 object\n\
502\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]503@param cert: The X509 object\n\
504@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]505";
506static PyObject *
507ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args)
508{
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]509 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]510 "O!:use_certificate", args);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]511 if (cert == NULL) {
512 return NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]513 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]514
515 if (!SSL_CTX_use_certificate(self->ctx, cert->x509))
516 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]517 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]518 return NULL;
519 }
520 else
521 {
522 Py_INCREF(Py_None);
523 return Py_None;
524 }
525}
526
527static char ssl_Context_use_privatekey_file_doc[] = "\n\
528Load a private key from a file\n\
529\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]530@param keyfile: The name of the key file\n\
531@param filetype: (optional) The encoding of the file, default is PEM\n\
532@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]533";
534static PyObject *
535ssl_Context_use_privatekey_file(ssl_ContextObj *self, PyObject *args)
536{
537 char *keyfile;
538 int filetype = SSL_FILETYPE_PEM, ret;
539
540 if (!PyArg_ParseTuple(args, "s|i:use_privatekey_file", &keyfile, &filetype))
541 return NULL;
542
543 MY_BEGIN_ALLOW_THREADS(self->tstate);
544 ret = SSL_CTX_use_PrivateKey_file(self->ctx, keyfile, filetype);
545 MY_END_ALLOW_THREADS(self->tstate);
546
547 if (PyErr_Occurred())
548 {
549 flush_error_queue();
550 return NULL;
551 }
552
553 if (!ret)
554 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]555 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]556 return NULL;
557 }
558 else
559 {
560 Py_INCREF(Py_None);
561 return Py_None;
562 }
563}
564
565static char ssl_Context_use_privatekey_doc[] = "\n\
566Load a private key from a PKey object\n\
567\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]568@param pkey: The PKey object\n\
569@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]570";
571static PyObject *
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]572ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]573 static PyTypeObject *crypto_PKey_type = NULL;
574 crypto_PKeyObj *pkey;
575
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]576 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]577 crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]578 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200[diff] [blame]579 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]580 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]581 }
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]582 if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]583 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]584 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]585
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]586 if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]587 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]588 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400[diff] [blame]589 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]590 Py_INCREF(Py_None);
591 return Py_None;
592 }
593}
594
595static char ssl_Context_check_privatekey_doc[] = "\n\
596Check that the private key and certificate match up\n\
597\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]598@return: None (raises an exception if something's wrong)\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]599";
600static PyObject *
601ssl_Context_check_privatekey(ssl_ContextObj *self, PyObject *args)
602{
603 if (!PyArg_ParseTuple(args, ":check_privatekey"))
604 return NULL;
605
606 if (!SSL_CTX_check_private_key(self->ctx))
607 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]608 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]609 return NULL;
610 }
611 else
612 {
613 Py_INCREF(Py_None);
614 return Py_None;
615 }
616}
617
618static char ssl_Context_load_client_ca_doc[] = "\n\
619Load the trusted certificates that will be sent to the client (basically\n\
620telling the client \"These are the guys I trust\")\n\
621\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]622@param cafile: The name of the certificates file\n\
623@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]624";
625static PyObject *
626ssl_Context_load_client_ca(ssl_ContextObj *self, PyObject *args)
627{
628 char *cafile;
629
630 if (!PyArg_ParseTuple(args, "s:load_client_ca", &cafile))
631 return NULL;
632
633 SSL_CTX_set_client_CA_list(self->ctx, SSL_load_client_CA_file(cafile));
634
635 Py_INCREF(Py_None);
636 return Py_None;
637}
638
639static char ssl_Context_set_session_id_doc[] = "\n\
640Set the session identifier, this is needed if you want to do session\n\
641resumption (which, ironically, isn't implemented yet)\n\
642\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]643@param buf: A Python object that can be safely converted to a string\n\
644@returns: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]645";
646static PyObject *
647ssl_Context_set_session_id(ssl_ContextObj *self, PyObject *args)
648{
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500[diff] [blame]649 unsigned char *buf;
650 unsigned int len;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]651
652 if (!PyArg_ParseTuple(args, "s#:set_session_id", &buf, &len))
653 return NULL;
654
655 if (!SSL_CTX_set_session_id_context(self->ctx, buf, len))
656 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]657 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]658 return NULL;
659 }
660 else
661 {
662 Py_INCREF(Py_None);
663 return Py_None;
664 }
665}
666
667static char ssl_Context_set_verify_doc[] = "\n\
668Set the verify mode and verify callback\n\
669\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]670@param mode: The verify mode, this is either VERIFY_NONE or\n\
671 VERIFY_PEER combined with possible other flags\n\
672@param callback: The Python callback to use\n\
673@return: None\n\
Jean-Paul Calderone24aedf42008-03-06 22:01:16 -0500[diff] [blame]674\n\
675See SSL_CTX_set_verify(3SSL) for further details.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]676";
677static PyObject *
678ssl_Context_set_verify(ssl_ContextObj *self, PyObject *args)
679{
680 int mode;
681 PyObject *callback = NULL;
682
683 if (!PyArg_ParseTuple(args, "iO:set_verify", &mode, &callback))
684 return NULL;
685
686 if (!PyCallable_Check(callback))
687 {
688 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
689 return NULL;
690 }
691
692 Py_DECREF(self->verify_callback);
693 Py_INCREF(callback);
694 self->verify_callback = callback;
695 SSL_CTX_set_verify(self->ctx, mode, global_verify_callback);
696
697 Py_INCREF(Py_None);
698 return Py_None;
699}
700
701static char ssl_Context_set_verify_depth_doc[] = "\n\
702Set the verify depth\n\
703\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]704@param depth: An integer specifying the verify depth\n\
705@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]706";
707static PyObject *
708ssl_Context_set_verify_depth(ssl_ContextObj *self, PyObject *args)
709{
710 int depth;
711
712 if (!PyArg_ParseTuple(args, "i:set_verify_depth", &depth))
713 return NULL;
714
715 SSL_CTX_set_verify_depth(self->ctx, depth);
716 Py_INCREF(Py_None);
717 return Py_None;
718}
719
720static char ssl_Context_get_verify_mode_doc[] = "\n\
721Get the verify mode\n\
722\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]723@return: The verify mode\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]724";
725static PyObject *
726ssl_Context_get_verify_mode(ssl_ContextObj *self, PyObject *args)
727{
728 int mode;
729
730 if (!PyArg_ParseTuple(args, ":get_verify_mode"))
731 return NULL;
732
733 mode = SSL_CTX_get_verify_mode(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]734 return PyLong_FromLong((long)mode);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]735}
736
737static char ssl_Context_get_verify_depth_doc[] = "\n\
738Get the verify depth\n\
739\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]740@return: The verify depth\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]741";
742static PyObject *
743ssl_Context_get_verify_depth(ssl_ContextObj *self, PyObject *args)
744{
745 int depth;
746
747 if (!PyArg_ParseTuple(args, ":get_verify_depth"))
748 return NULL;
749
750 depth = SSL_CTX_get_verify_depth(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]751 return PyLong_FromLong((long)depth);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]752}
753
754static char ssl_Context_load_tmp_dh_doc[] = "\n\
755Load parameters for Ephemeral Diffie-Hellman\n\
756\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]757@param dhfile: The file to load EDH parameters from\n\
758@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]759";
760static PyObject *
761ssl_Context_load_tmp_dh(ssl_ContextObj *self, PyObject *args)
762{
763 char *dhfile;
764 BIO *bio;
765 DH *dh;
766
767 if (!PyArg_ParseTuple(args, "s:load_tmp_dh", &dhfile))
768 return NULL;
769
770 bio = BIO_new_file(dhfile, "r");
771 if (bio == NULL)
772 return PyErr_NoMemory();
773
774 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
775 SSL_CTX_set_tmp_dh(self->ctx, dh);
776 DH_free(dh);
777 BIO_free(bio);
778
779 Py_INCREF(Py_None);
780 return Py_None;
781}
782
783static char ssl_Context_set_cipher_list_doc[] = "\n\
784Change the cipher list\n\
785\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]786@param cipher_list: A cipher list, see ciphers(1)\n\
787@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]788";
789static PyObject *
790ssl_Context_set_cipher_list(ssl_ContextObj *self, PyObject *args)
791{
792 char *cipher_list;
793
794 if (!PyArg_ParseTuple(args, "s:set_cipher_list", &cipher_list))
795 return NULL;
796
797 if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list))
798 {
Rick Deand369c932009-07-08 11:48:33 -0500[diff] [blame]799 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]800 return NULL;
801 }
802 else
803 {
804 Py_INCREF(Py_None);
805 return Py_None;
806 }
807}
808
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]809static char ssl_Context_set_client_ca_list_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]810Set the list of preferred client certificate signers for this server context.\n\
811\n\
812This list of certificate authorities will be sent to the client when the\n\
813server requests a client certificate.\n\
814\n\
815@param certificate_authorities: a sequence of X509Names.\n\
816@return: None\n\
817";
818
819static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]820ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]821{
822 static PyTypeObject *X509NameType;
823 PyObject *sequence, *tuple, *item;
824 crypto_X509NameObj *name;
825 X509_NAME *sslname;
826 STACK_OF(X509_NAME) *CANames;
827 Py_ssize_t length;
828 int i;
829
830 if (X509NameType == NULL) {
831 X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
832 if (X509NameType == NULL) {
833 return NULL;
834 }
835 }
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]836 if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) {
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]837 return NULL;
838 }
839 tuple = PySequence_Tuple(sequence);
840 if (tuple == NULL) {
841 return NULL;
842 }
843 length = PyTuple_Size(tuple);
844 if (length >= INT_MAX) {
845 PyErr_SetString(PyExc_ValueError, "client CA list is too long");
846 Py_DECREF(tuple);
847 return NULL;
848 }
849 CANames = sk_X509_NAME_new_null();
850 if (CANames == NULL) {
851 Py_DECREF(tuple);
852 exception_from_error_queue(ssl_Error);
853 return NULL;
854 }
855 for (i = 0; i < length; i++) {
856 item = PyTuple_GetItem(tuple, i);
857 if (item->ob_type != X509NameType) {
858 PyErr_Format(PyExc_TypeError,
859 "client CAs must be X509Name objects, not %s objects",
860 item->ob_type->tp_name);
861 sk_X509_NAME_free(CANames);
862 Py_DECREF(tuple);
863 return NULL;
864 }
865 name = (crypto_X509NameObj *)item;
866 sslname = X509_NAME_dup(name->x509_name);
867 if (sslname == NULL) {
868 sk_X509_NAME_free(CANames);
869 Py_DECREF(tuple);
870 exception_from_error_queue(ssl_Error);
871 return NULL;
872 }
873 if (!sk_X509_NAME_push(CANames, sslname)) {
874 X509_NAME_free(sslname);
875 sk_X509_NAME_free(CANames);
876 Py_DECREF(tuple);
877 exception_from_error_queue(ssl_Error);
878 return NULL;
879 }
880 }
881 Py_DECREF(tuple);
882 SSL_CTX_set_client_CA_list(self->ctx, CANames);
883 Py_INCREF(Py_None);
884 return Py_None;
885}
886
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]887static char ssl_Context_add_client_ca_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]888Add the CA certificate to the list of preferred signers for this context.\n\
889\n\
890The list of certificate authorities will be sent to the client when the\n\
891server requests a client certificate.\n\
892\n\
893@param certificate_authority: certificate authority's X509 certificate.\n\
894@return: None\n\
895";
896
897static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]898ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]899{
900 crypto_X509Obj *cert;
901
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]902 cert = parse_certificate_argument("O!:add_client_ca", args);
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200[diff] [blame]903 if (cert == NULL) {
904 return NULL;
905 }
906 if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
907 exception_from_error_queue(ssl_Error);
908 return NULL;
909 }
910 Py_INCREF(Py_None);
911 return Py_None;
912}
913
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]914static char ssl_Context_set_timeout_doc[] = "\n\
915Set session timeout\n\
916\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]917@param timeout: The timeout in seconds\n\
918@return: The previous session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]919";
920static PyObject *
921ssl_Context_set_timeout(ssl_ContextObj *self, PyObject *args)
922{
923 long t, ret;
924
925 if (!PyArg_ParseTuple(args, "l:set_timeout", &t))
926 return NULL;
927
928 ret = SSL_CTX_set_timeout(self->ctx, t);
929 return PyLong_FromLong(ret);
930}
931
932static char ssl_Context_get_timeout_doc[] = "\n\
933Get the session timeout\n\
934\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]935@return: The session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]936";
937static PyObject *
938ssl_Context_get_timeout(ssl_ContextObj *self, PyObject *args)
939{
940 long ret;
941
942 if (!PyArg_ParseTuple(args, ":get_timeout"))
943 return NULL;
944
945 ret = SSL_CTX_get_timeout(self->ctx);
946 return PyLong_FromLong(ret);
947}
948
949static char ssl_Context_set_info_callback_doc[] = "\n\
950Set the info callback\n\
951\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]952@param callback: The Python callback to use\n\
953@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]954";
955static PyObject *
956ssl_Context_set_info_callback(ssl_ContextObj *self, PyObject *args)
957{
958 PyObject *callback;
959
960 if (!PyArg_ParseTuple(args, "O:set_info_callback", &callback))
961 return NULL;
962
963 if (!PyCallable_Check(callback))
964 {
965 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
966 return NULL;
967 }
968
969 Py_DECREF(self->info_callback);
970 Py_INCREF(callback);
971 self->info_callback = callback;
972 SSL_CTX_set_info_callback(self->ctx, global_info_callback);
973
974 Py_INCREF(Py_None);
975 return Py_None;
976}
977
978static char ssl_Context_get_app_data_doc[] = "\n\
979Get the application data (supplied via set_app_data())\n\
980\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]981@return: The application data\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]982";
983static PyObject *
984ssl_Context_get_app_data(ssl_ContextObj *self, PyObject *args)
985{
986 if (!PyArg_ParseTuple(args, ":get_app_data"))
987 return NULL;
988
989 Py_INCREF(self->app_data);
990 return self->app_data;
991}
992
993static char ssl_Context_set_app_data_doc[] = "\n\
994Set the application data (will be returned from get_app_data())\n\
995\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]996@param data: Any Python object\n\
997@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]998";
999static PyObject *
1000ssl_Context_set_app_data(ssl_ContextObj *self, PyObject *args)
1001{
1002 PyObject *data;
1003
1004 if (!PyArg_ParseTuple(args, "O:set_app_data", &data))
1005 return NULL;
1006
1007 Py_DECREF(self->app_data);
1008 Py_INCREF(data);
1009 self->app_data = data;
1010
1011 Py_INCREF(Py_None);
1012 return Py_None;
1013}
1014
1015static char ssl_Context_get_cert_store_doc[] = "\n\
1016Get the certificate store for the context\n\
1017\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1018@return: A X509Store object\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1019";
1020static PyObject *
1021ssl_Context_get_cert_store(ssl_ContextObj *self, PyObject *args)
1022{
1023 X509_STORE *store;
1024
1025 if (!PyArg_ParseTuple(args, ":get_cert_store"))
1026 return NULL;
1027
1028 if ((store = SSL_CTX_get_cert_store(self->ctx)) == NULL)
1029 {
1030 Py_INCREF(Py_None);
1031 return Py_None;
1032 }
1033 else
1034 {
1035 return (PyObject *)crypto_X509Store_New(store, 0);
1036 }
1037}
1038
1039static char ssl_Context_set_options_doc[] = "\n\
1040Add options. Options set before are not cleared!\n\
1041\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400[diff] [blame]1042@param options: The options to add.\n\
1043@return: The new option bitmask.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1044";
1045static PyObject *
1046ssl_Context_set_options(ssl_ContextObj *self, PyObject *args)
1047{
1048 long options;
1049
1050 if (!PyArg_ParseTuple(args, "l:set_options", &options))
1051 return NULL;
1052
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400[diff] [blame]1053 return PyLong_FromLong(SSL_CTX_set_options(self->ctx, options));
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1054}
1055
1056
1057/*
1058 * Member methods in the Context object
1059 * ADD_METHOD(name) expands to a correct PyMethodDef declaration
1060 * { 'name', (PyCFunction)ssl_Context_name, METH_VARARGS }
1061 * for convenience
1062 * ADD_ALIAS(name,real) creates an "alias" of the ssl_Context_real
1063 * function with the name 'name'
1064 */
1065#define ADD_METHOD(name) { #name, (PyCFunction)ssl_Context_##name, METH_VARARGS, ssl_Context_##name##_doc }
1066static PyMethodDef ssl_Context_methods[] = {
1067 ADD_METHOD(load_verify_locations),
1068 ADD_METHOD(set_passwd_cb),
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400[diff] [blame]1069 ADD_METHOD(set_default_verify_paths),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1070 ADD_METHOD(use_certificate_chain_file),
1071 ADD_METHOD(use_certificate_file),
1072 ADD_METHOD(use_certificate),
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500[diff] [blame]1073 ADD_METHOD(add_extra_chain_cert),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1074 ADD_METHOD(use_privatekey_file),
1075 ADD_METHOD(use_privatekey),
1076 ADD_METHOD(check_privatekey),
1077 ADD_METHOD(load_client_ca),
1078 ADD_METHOD(set_session_id),
1079 ADD_METHOD(set_verify),
1080 ADD_METHOD(set_verify_depth),
1081 ADD_METHOD(get_verify_mode),
1082 ADD_METHOD(get_verify_depth),
1083 ADD_METHOD(load_tmp_dh),
1084 ADD_METHOD(set_cipher_list),
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200[diff] [blame]1085 ADD_METHOD(set_client_ca_list),
1086 ADD_METHOD(add_client_ca),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1087 ADD_METHOD(set_timeout),
1088 ADD_METHOD(get_timeout),
1089 ADD_METHOD(set_info_callback),
1090 ADD_METHOD(get_app_data),
1091 ADD_METHOD(set_app_data),
1092 ADD_METHOD(get_cert_store),
1093 ADD_METHOD(set_options),
1094 { NULL, NULL }
1095};
1096#undef ADD_METHOD
1097
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1098/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1099 * Despite the name which might suggest otherwise, this is not the tp_init for
1100 * the Context type. It's just the common initialization code shared by the
1101 * two _{Nn}ew functions below.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1102 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1103static ssl_ContextObj*
1104ssl_Context_init(ssl_ContextObj *self, int i_method) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1105 SSL_METHOD *method;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1106
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1107 switch (i_method) {
1108 case ssl_SSLv2_METHOD:
1109 method = SSLv2_method();
1110 break;
1111 case ssl_SSLv23_METHOD:
1112 method = SSLv23_method();
1113 break;
1114 case ssl_SSLv3_METHOD:
1115 method = SSLv3_method();
1116 break;
1117 case ssl_TLSv1_METHOD:
1118 method = TLSv1_method();
1119 break;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1120 default:
1121 PyErr_SetString(PyExc_ValueError, "No such protocol");
1122 return NULL;
1123 }
1124
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1125 self->ctx = SSL_CTX_new(method);
1126 Py_INCREF(Py_None);
1127 self->passphrase_callback = Py_None;
1128 Py_INCREF(Py_None);
1129 self->verify_callback = Py_None;
1130 Py_INCREF(Py_None);
1131 self->info_callback = Py_None;
1132
1133 Py_INCREF(Py_None);
1134 self->passphrase_userdata = Py_None;
1135
1136 Py_INCREF(Py_None);
1137 self->app_data = Py_None;
1138
1139 /* Some initialization that's required to operate smoothly in Python */
1140 SSL_CTX_set_app_data(self->ctx, self);
1141 SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
1142 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1143 SSL_MODE_AUTO_RETRY);
1144
1145 self->tstate = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1146
1147 return self;
1148}
1149
1150/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1151 * This one is exposed in the CObject API. I want to deprecate it.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1152 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1153ssl_ContextObj*
1154ssl_Context_New(int i_method) {
1155 ssl_ContextObj *self;
1156
1157 self = PyObject_GC_New(ssl_ContextObj, &ssl_Context_Type);
1158 if (self == NULL) {
1159 return (ssl_ContextObj *)PyErr_NoMemory();
1160 }
1161 self = ssl_Context_init(self, i_method);
1162 PyObject_GC_Track((PyObject *)self);
1163 return self;
1164}
1165
1166
1167/*
1168 * This one is the tp_new of the Context type. It's great.
1169 */
1170static PyObject*
1171ssl_Context_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
1172 int i_method;
1173 ssl_ContextObj *self;
1174 static char *kwlist[] = {"method", NULL};
1175
1176 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i:Context", kwlist, &i_method)) {
1177 return NULL;
1178 }
1179
1180 self = (ssl_ContextObj *)subtype->tp_alloc(subtype, 1);
1181 if (self == NULL) {
1182 return NULL;
1183 }
1184
1185 return (PyObject *)ssl_Context_init(self, i_method);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1186}
1187
1188/*
1189 * Call the visitproc on all contained objects.
1190 *
1191 * Arguments: self - The Context object
1192 * visit - Function to call
1193 * arg - Extra argument to visit
1194 * Returns: 0 if all goes well, otherwise the return code from the first
1195 * call that gave non-zero result.
1196 */
1197static int
1198ssl_Context_traverse(ssl_ContextObj *self, visitproc visit, void *arg)
1199{
1200 int ret = 0;
1201
1202 if (ret == 0 && self->passphrase_callback != NULL)
1203 ret = visit((PyObject *)self->passphrase_callback, arg);
1204 if (ret == 0 && self->passphrase_userdata != NULL)
1205 ret = visit((PyObject *)self->passphrase_userdata, arg);
1206 if (ret == 0 && self->verify_callback != NULL)
1207 ret = visit((PyObject *)self->verify_callback, arg);
1208 if (ret == 0 && self->info_callback != NULL)
1209 ret = visit((PyObject *)self->info_callback, arg);
1210 if (ret == 0 && self->app_data != NULL)
1211 ret = visit(self->app_data, arg);
1212 return ret;
1213}
1214
1215/*
1216 * Decref all contained objects and zero the pointers.
1217 *
1218 * Arguments: self - The Context object
1219 * Returns: Always 0.
1220 */
1221static int
1222ssl_Context_clear(ssl_ContextObj *self)
1223{
1224 Py_XDECREF(self->passphrase_callback);
1225 self->passphrase_callback = NULL;
1226 Py_XDECREF(self->passphrase_userdata);
1227 self->passphrase_userdata = NULL;
1228 Py_XDECREF(self->verify_callback);
1229 self->verify_callback = NULL;
1230 Py_XDECREF(self->info_callback);
1231 self->info_callback = NULL;
1232 Py_XDECREF(self->app_data);
1233 self->app_data = NULL;
1234 return 0;
1235}
1236
1237/*
1238 * Deallocate the memory used by the Context object
1239 *
1240 * Arguments: self - The Context object
1241 * Returns: None
1242 */
1243static void
1244ssl_Context_dealloc(ssl_ContextObj *self)
1245{
1246 PyObject_GC_UnTrack((PyObject *)self);
1247 SSL_CTX_free(self->ctx);
1248 ssl_Context_clear(self);
1249 PyObject_GC_Del(self);
1250}
1251
1252
1253PyTypeObject ssl_Context_Type = {
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400[diff] [blame]1254 PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1255 "OpenSSL.SSL.Context",
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1256 sizeof(ssl_ContextObj),
1257 0,
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1258 (destructor)ssl_Context_dealloc, /* tp_dealloc */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1259 NULL, /* print */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1260 NULL, /* tp_getattr */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1261 NULL, /* setattr */
1262 NULL, /* compare */
1263 NULL, /* repr */
1264 NULL, /* as_number */
1265 NULL, /* as_sequence */
1266 NULL, /* as_mapping */
1267 NULL, /* hash */
1268 NULL, /* call */
1269 NULL, /* str */
1270 NULL, /* getattro */
1271 NULL, /* setattro */
1272 NULL, /* as_buffer */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1273 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC | Py_TPFLAGS_BASETYPE, /* tp_flags */
1274 ssl_Context_doc, /* tp_doc */
1275 (traverseproc)ssl_Context_traverse, /* tp_traverse */
1276 (inquiry)ssl_Context_clear, /* tp_clear */
1277 NULL, /* tp_richcompare */
1278 0, /* tp_weaklistoffset */
1279 NULL, /* tp_iter */
1280 NULL, /* tp_iternext */
1281 ssl_Context_methods, /* tp_methods */
1282 NULL, /* tp_members */
1283 NULL, /* tp_getset */
1284 NULL, /* tp_base */
1285 NULL, /* tp_dict */
1286 NULL, /* tp_descr_get */
1287 NULL, /* tp_descr_set */
1288 0, /* tp_dictoffset */
1289 NULL, /* tp_init */
1290 NULL, /* tp_alloc */
1291 ssl_Context_new, /* tp_new */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1292};
1293
1294
1295/*
1296 * Initialize the Context part of the SSL sub module
1297 *
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1298 * Arguments: dict - The OpenSSL.SSL module
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1299 * Returns: 1 for success, 0 otherwise
1300 */
1301int
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1302init_ssl_context(PyObject *module) {
1303
1304 if (PyType_Ready(&ssl_Context_Type) < 0) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1305 return 0;
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400[diff] [blame]1306 }
1307
1308 if (PyModule_AddObject(module, "Context", (PyObject *)&ssl_Context_Type) < 0) {
1309 return 0;
1310 }
1311
1312 if (PyModule_AddObject(module, "ContextType", (PyObject *)&ssl_Context_Type) < 0) {
1313 return 0;
1314 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500[diff] [blame]1315
1316 return 1;
1317}
1318