blob: 16268d8f913880ca06ddb0ccba8975d8e56eb627 [file] [log] [blame]
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001/*
2 * context.c
3 *
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05004 * Copyright (C) AB Strakt
5 * Copyright (C) Jean-Paul Calderone
6 * See LICENSE for details.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05007 *
8 * SSL Context objects and their methods.
9 * See the file RATIONALE for a short explanation of why this module was written.
10 *
11 * Reviewed 2001-07-23
12 */
13#include <Python.h>
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -050014
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -050015#if PY_VERSION_HEX >= 0x02050000
16# define PYARG_PARSETUPLE_FORMAT const char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -040017# define PYOBJECT_GETATTRSTRING_TYPE const char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -050018#else
19# define PYARG_PARSETUPLE_FORMAT char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -040020# define PYOBJECT_GETATTRSTRING_TYPE char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -050021#endif
22
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -050023#ifndef MS_WINDOWS
24# include <sys/socket.h>
25# include <netinet/in.h>
26# if !(defined(__BEOS__) || defined(__CYGWIN__))
27# include <netinet/tcp.h>
28# endif
29#else
30# include <winsock.h>
31# include <wincrypt.h>
32#endif
33
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050034#define SSL_MODULE
35#include "ssl.h"
36
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050037/*
38 * CALLBACKS
39 *
40 * Callbacks work like this: We provide a "global" callback in C which
41 * transforms the arguments into a Python argument tuple and calls the
42 * corresponding Python callback, and then parsing the return value back into
43 * things the C function can return.
44 *
45 * Three caveats:
46 * + How do we find the Context object where the Python callbacks are stored?
47 * + What about multithreading and execution frames?
48 * + What about Python callbacks that raise exceptions?
49 *
50 * The solution to the first issue is trivial if the callback provides
51 * "userdata" functionality. Since the only callbacks that don't provide
52 * userdata do provide a pointer to an SSL structure, we can associate an SSL
53 * object and a Connection one-to-one via the SSL_set/get_app_data()
54 * functions.
55 *
56 * The solution to the other issue is to rewrite the Py_BEGIN_ALLOW_THREADS
57 * macro allowing it (or rather a new macro) to specify where to save the
58 * thread state (in our case, as a member of the Connection/Context object) so
59 * we can retrieve it again before calling the Python callback.
60 */
61
62/*
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040063 * Globally defined passphrase callback. This is called from OpenSSL
64 * internally. The GIL will not be held when this function is invoked. It
65 * must not be held when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050066 *
67 * Arguments: buf - Buffer to store the returned passphrase in
68 * maxlen - Maximum length of the passphrase
69 * verify - If true, the passphrase callback should ask for a
70 * password twice and verify they're equal. If false, only
71 * ask once.
72 * arg - User data, always a Context object
73 * Returns: The length of the password if successful, 0 otherwise
74 */
75static int
76global_passphrase_callback(char *buf, int maxlen, int verify, void *arg)
77{
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040078 /*
79 * Initialize len here because we're always going to return it, and we
80 * might jump to the return before it gets initialized in any other way.
81 */
82 int len = 0;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050083 char *str;
84 PyObject *argv, *ret = NULL;
85 ssl_ContextObj *ctx = (ssl_ContextObj *)arg;
86
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040087 /*
88 * GIL isn't held yet. First things first - acquire it, or any Python API
89 * we invoke might segfault or blow up the sun. The reverse will be done
90 * before returning.
91 */
92 MY_END_ALLOW_THREADS(ctx->tstate);
93
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -040094 /* The Python callback is called with a (maxlen,verify,userdata) tuple */
95 argv = Py_BuildValue("(iiO)", maxlen, verify, ctx->passphrase_userdata);
96
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040097 /*
98 * XXX Didn't check argv to see if it was NULL. -exarkun
99 */
100 ret = PyEval_CallObject(ctx->passphrase_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500101 Py_DECREF(argv);
102
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400103 if (ret == NULL) {
104 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400105 * The callback raised an exception. It will be raised by whatever
106 * Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400107 */
108 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500109 }
110
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400111 if (!PyObject_IsTrue(ret)) {
112 /*
113 * Returned "", or None, or something. Treat it as no passphrase.
114 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500115 Py_DECREF(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400116 goto out;
117 }
118
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400119 if (!PyBytes_Check(ret)) {
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400120 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400121 * XXX Returned something that wasn't a string. This is bogus. We'll
122 * return 0 and OpenSSL will treat it as an error, resulting in an
123 * exception from whatever Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400124 */
125 Py_DECREF(ret);
126 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500127 }
128
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400129 len = PyBytes_Size(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400130 if (len > maxlen) {
131 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400132 * Returned more than we said they were allowed to return. Just
133 * truncate it. Might be better to raise an exception,
134 * instead. -exarkun
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400135 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500136 len = maxlen;
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400137 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500138
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400139 str = PyBytes_AsString(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500140 strncpy(buf, str, len);
141 Py_XDECREF(ret);
142
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400143 out:
144 /*
145 * This function is returning into OpenSSL. Release the GIL again.
146 */
147 MY_BEGIN_ALLOW_THREADS(ctx->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500148 return len;
149}
150
151/*
152 * Globally defined verify callback
153 *
154 * Arguments: ok - True everything is OK "so far", false otherwise
155 * x509_ctx - Contains the certificate being checked, the current
156 * error number and depth, and the Connection we're
157 * dealing with
158 * Returns: True if everything is okay, false otherwise
159 */
160static int
161global_verify_callback(int ok, X509_STORE_CTX *x509_ctx)
162{
163 PyObject *argv, *ret;
164 SSL *ssl;
165 ssl_ConnectionObj *conn;
166 crypto_X509Obj *cert;
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500167 int errnum, errdepth, c_ret;
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400168
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400169 // Get Connection object to check thread state
170 ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx);
171 conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400172
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400173 MY_END_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400174
Jean-Paul Calderone1e9312e2010-10-31 21:26:18 -0400175 cert = new_x509(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500176 errnum = X509_STORE_CTX_get_error(x509_ctx);
177 errdepth = X509_STORE_CTX_get_error_depth(x509_ctx);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400178
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500179 argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert,
180 errnum, errdepth, ok);
181 Py_DECREF(cert);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400182 ret = PyEval_CallObject(conn->context->verify_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500183 Py_DECREF(argv);
184
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400185 if (ret != NULL && PyObject_IsTrue(ret)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500186 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400187 Py_DECREF(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500188 c_ret = 1;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400189 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500190 c_ret = 0;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400191 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500192
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400193 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500194 return c_ret;
195}
196
197/*
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400198 * Globally defined info callback. This is called from OpenSSL internally.
199 * The GIL will not be held when this function is invoked. It must not be held
200 * when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500201 *
202 * Arguments: ssl - The Connection
203 * where - The part of the SSL code that called us
204 * _ret - The return code of the SSL function that called us
205 * Returns: None
206 */
207static void
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500208global_info_callback(const SSL *ssl, int where, int _ret)
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500209{
210 ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
211 PyObject *argv, *ret;
212
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400213 /*
214 * GIL isn't held yet. First things first - acquire it, or any Python API
215 * we invoke might segfault or blow up the sun. The reverse will be done
216 * before returning.
217 */
218 MY_END_ALLOW_THREADS(conn->tstate);
219
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500220 argv = Py_BuildValue("(Oii)", (PyObject *)conn, where, _ret);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400221 ret = PyEval_CallObject(conn->context->info_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500222 Py_DECREF(argv);
223
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400224 if (ret == NULL) {
225 /*
226 * XXX - This should be reported somehow. -exarkun
227 */
228 PyErr_Clear();
229 } else {
230 Py_DECREF(ret);
231 }
232
233 /*
234 * This function is returning into OpenSSL. Release the GIL again.
235 */
236 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500237 return;
238}
239
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400240/*
241 * More recent builds of OpenSSL may have SSLv2 completely disabled.
242 */
243#ifdef OPENSSL_NO_SSL2
244#define SSLv2_METHOD_TEXT ""
245#else
246#define SSLv2_METHOD_TEXT "SSLv2_METHOD, "
247#endif
248
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500249
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400250static char ssl_Context_doc[] = "\n\
251Context(method) -> Context instance\n\
252\n\
253OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
254connections.\n\
255\n\
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400256@param method: One of " SSLv2_METHOD_TEXT "SSLv3_METHOD, SSLv23_METHOD, or\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400257 TLSv1_METHOD.\n\
258";
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500259
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400260#undef SSLv2_METHOD_TEXT
261
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500262static char ssl_Context_load_verify_locations_doc[] = "\n\
263Let SSL know where we can find trusted certificates for the certificate\n\
264chain\n\
265\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400266@param cafile: In which file we can find the certificates\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400267@param capath: In which directory we can find the certificates\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400268@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500269";
270static PyObject *
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400271ssl_Context_load_verify_locations(ssl_ContextObj *self, PyObject *args) {
272 char *cafile = NULL;
273 char *capath = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500274
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400275 if (!PyArg_ParseTuple(args, "z|z:load_verify_locations", &cafile, &capath)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500276 return NULL;
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400277 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500278
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400279 if (!SSL_CTX_load_verify_locations(self->ctx, cafile, capath))
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500280 {
Rick Deand369c932009-07-08 11:48:33 -0500281 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500282 return NULL;
283 }
284 else
285 {
286 Py_INCREF(Py_None);
287 return Py_None;
288 }
289}
290
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400291static char ssl_Context_set_default_verify_paths_doc[] = "\n\
292Use the platform-specific CA certificate locations\n\
293\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400294@return: None\n\
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400295";
296static PyObject *
297ssl_Context_set_default_verify_paths(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400298 if (!PyArg_ParseTuple(args, ":set_default_verify_paths")) {
299 return NULL;
300 }
301
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400302 /*
303 * XXX Error handling for SSL_CTX_set_default_verify_paths is untested.
304 * -exarkun
305 */
306 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
Rick Deand369c932009-07-08 11:48:33 -0500307 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400308 return NULL;
309 }
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400310 Py_INCREF(Py_None);
311 return Py_None;
312};
313
314
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500315static char ssl_Context_set_passwd_cb_doc[] = "\n\
316Set the passphrase callback\n\
317\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400318@param callback: The Python callback to use\n\
319@param userdata: (optional) A Python object which will be given as\n\
320 argument to the callback\n\
321@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500322";
323static PyObject *
324ssl_Context_set_passwd_cb(ssl_ContextObj *self, PyObject *args)
325{
326 PyObject *callback = NULL, *userdata = Py_None;
327
328 if (!PyArg_ParseTuple(args, "O|O:set_passwd_cb", &callback, &userdata))
329 return NULL;
330
331 if (!PyCallable_Check(callback))
332 {
333 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
334 return NULL;
335 }
336
337 Py_DECREF(self->passphrase_callback);
338 Py_INCREF(callback);
339 self->passphrase_callback = callback;
340 SSL_CTX_set_default_passwd_cb(self->ctx, global_passphrase_callback);
341
342 Py_DECREF(self->passphrase_userdata);
343 Py_INCREF(userdata);
344 self->passphrase_userdata = userdata;
345 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, (void *)self);
346
347 Py_INCREF(Py_None);
348 return Py_None;
349}
350
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200351static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400352type_modified_error(const char *name) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200353 PyErr_Format(PyExc_RuntimeError,
354 "OpenSSL.crypto's '%s' attribute has been modified",
355 name);
356 return NULL;
357}
358
359static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400360import_crypto_type(const char *name, size_t objsize) {
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200361 PyObject *module, *type, *name_attr;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200362 PyTypeObject *res;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200363 int right_name;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200364
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200365 module = PyImport_ImportModule("OpenSSL.crypto");
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200366 if (module == NULL) {
367 return NULL;
368 }
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400369 type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200370 Py_DECREF(module);
371 if (type == NULL) {
372 return NULL;
373 }
374 if (!(PyType_Check(type))) {
375 Py_DECREF(type);
376 return type_modified_error(name);
377 }
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200378 name_attr = PyObject_GetAttrString(type, "__name__");
379 if (name_attr == NULL) {
380 Py_DECREF(type);
381 return NULL;
382 }
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400383
384#ifdef PY3
385 {
386 PyObject* asciiname = PyUnicode_AsASCIIString(name_attr);
387 Py_DECREF(name_attr);
388 name_attr = asciiname;
389 }
390#endif
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400391 right_name = (PyBytes_CheckExact(name_attr) &&
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400392 strcmp(name, PyBytes_AsString(name_attr)) == 0);
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200393 Py_DECREF(name_attr);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200394 res = (PyTypeObject *)type;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200395 if (!right_name || res->tp_basicsize != objsize) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200396 Py_DECREF(type);
397 return type_modified_error(name);
398 }
399 return res;
400}
401
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500402static crypto_X509Obj *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400403parse_certificate_argument(const char* format, PyObject* args) {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500404 static PyTypeObject *crypto_X509_type = NULL;
405 crypto_X509Obj *cert;
406
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400407 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200408 crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400409 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200410 return NULL;
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400411 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500412 }
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200413 if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400414 crypto_X509_type, &cert)) {
415 return NULL;
416 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500417 return cert;
418}
419
420static char ssl_Context_add_extra_chain_cert_doc[] = "\n\
421Add certificate to chain\n\
422\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400423@param certobj: The X509 certificate object to add to the chain\n\
424@return: None\n\
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500425";
426
427static PyObject *
428ssl_Context_add_extra_chain_cert(ssl_ContextObj *self, PyObject *args)
429{
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500430 X509* cert_original;
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500431 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200432 "O!:add_extra_chain_cert", args);
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500433 if (cert == NULL)
434 {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500435 return NULL;
436 }
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500437 if (!(cert_original = X509_dup(cert->x509)))
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500438 {
Rick Deand369c932009-07-08 11:48:33 -0500439 /* exception_from_error_queue(ssl_Error); */
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500440 PyErr_SetString(PyExc_RuntimeError, "X509_dup failed");
441 return NULL;
442 }
443 if (!SSL_CTX_add_extra_chain_cert(self->ctx, cert_original))
444 {
445 X509_free(cert_original);
Rick Deand369c932009-07-08 11:48:33 -0500446 exception_from_error_queue(ssl_Error);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500447 return NULL;
448 }
449 else
450 {
451 Py_INCREF(Py_None);
452 return Py_None;
453 }
454}
455
456
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500457static char ssl_Context_use_certificate_chain_file_doc[] = "\n\
458Load a certificate chain from a file\n\
459\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400460@param certfile: The name of the certificate chain file\n\
461@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500462";
463static PyObject *
464ssl_Context_use_certificate_chain_file(ssl_ContextObj *self, PyObject *args)
465{
466 char *certfile;
467
468 if (!PyArg_ParseTuple(args, "s:use_certificate_chain_file", &certfile))
469 return NULL;
470
471 if (!SSL_CTX_use_certificate_chain_file(self->ctx, certfile))
472 {
Rick Deand369c932009-07-08 11:48:33 -0500473 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500474 return NULL;
475 }
476 else
477 {
478 Py_INCREF(Py_None);
479 return Py_None;
480 }
481}
482
483
484static char ssl_Context_use_certificate_file_doc[] = "\n\
485Load a certificate from a file\n\
486\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400487@param certfile: The name of the certificate file\n\
488@param filetype: (optional) The encoding of the file, default is PEM\n\
489@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500490";
491static PyObject *
492ssl_Context_use_certificate_file(ssl_ContextObj *self, PyObject *args)
493{
494 char *certfile;
495 int filetype = SSL_FILETYPE_PEM;
496
497 if (!PyArg_ParseTuple(args, "s|i:use_certificate_file", &certfile, &filetype))
498 return NULL;
499
500 if (!SSL_CTX_use_certificate_file(self->ctx, certfile, filetype))
501 {
Rick Deand369c932009-07-08 11:48:33 -0500502 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500503 return NULL;
504 }
505 else
506 {
507 Py_INCREF(Py_None);
508 return Py_None;
509 }
510}
511
512static char ssl_Context_use_certificate_doc[] = "\n\
513Load a certificate from a X509 object\n\
514\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400515@param cert: The X509 object\n\
516@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500517";
518static PyObject *
519ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args)
520{
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500521 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200522 "O!:use_certificate", args);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500523 if (cert == NULL) {
524 return NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500525 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500526
527 if (!SSL_CTX_use_certificate(self->ctx, cert->x509))
528 {
Rick Deand369c932009-07-08 11:48:33 -0500529 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500530 return NULL;
531 }
532 else
533 {
534 Py_INCREF(Py_None);
535 return Py_None;
536 }
537}
538
539static char ssl_Context_use_privatekey_file_doc[] = "\n\
540Load a private key from a file\n\
541\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400542@param keyfile: The name of the key file\n\
543@param filetype: (optional) The encoding of the file, default is PEM\n\
544@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500545";
546static PyObject *
547ssl_Context_use_privatekey_file(ssl_ContextObj *self, PyObject *args)
548{
549 char *keyfile;
550 int filetype = SSL_FILETYPE_PEM, ret;
551
552 if (!PyArg_ParseTuple(args, "s|i:use_privatekey_file", &keyfile, &filetype))
553 return NULL;
554
555 MY_BEGIN_ALLOW_THREADS(self->tstate);
556 ret = SSL_CTX_use_PrivateKey_file(self->ctx, keyfile, filetype);
557 MY_END_ALLOW_THREADS(self->tstate);
558
559 if (PyErr_Occurred())
560 {
561 flush_error_queue();
562 return NULL;
563 }
564
565 if (!ret)
566 {
Rick Deand369c932009-07-08 11:48:33 -0500567 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500568 return NULL;
569 }
570 else
571 {
572 Py_INCREF(Py_None);
573 return Py_None;
574 }
575}
576
577static char ssl_Context_use_privatekey_doc[] = "\n\
578Load a private key from a PKey object\n\
579\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400580@param pkey: The PKey object\n\
581@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500582";
583static PyObject *
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400584ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500585 static PyTypeObject *crypto_PKey_type = NULL;
586 crypto_PKeyObj *pkey;
587
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400588 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200589 crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400590 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200591 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400592 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500593 }
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400594 if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500595 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400596 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500597
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400598 if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) {
Rick Deand369c932009-07-08 11:48:33 -0500599 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500600 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400601 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500602 Py_INCREF(Py_None);
603 return Py_None;
604 }
605}
606
607static char ssl_Context_check_privatekey_doc[] = "\n\
608Check that the private key and certificate match up\n\
609\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400610@return: None (raises an exception if something's wrong)\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500611";
612static PyObject *
613ssl_Context_check_privatekey(ssl_ContextObj *self, PyObject *args)
614{
615 if (!PyArg_ParseTuple(args, ":check_privatekey"))
616 return NULL;
617
618 if (!SSL_CTX_check_private_key(self->ctx))
619 {
Rick Deand369c932009-07-08 11:48:33 -0500620 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500621 return NULL;
622 }
623 else
624 {
625 Py_INCREF(Py_None);
626 return Py_None;
627 }
628}
629
630static char ssl_Context_load_client_ca_doc[] = "\n\
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -0400631Load the trusted certificates that will be sent to the client (basically\n \
632telling the client \"These are the guys I trust\"). Does not actually\n\
633imply any of the certificates are trusted; that must be configured\n\
634separately.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500635\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400636@param cafile: The name of the certificates file\n\
637@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500638";
639static PyObject *
640ssl_Context_load_client_ca(ssl_ContextObj *self, PyObject *args)
641{
642 char *cafile;
643
644 if (!PyArg_ParseTuple(args, "s:load_client_ca", &cafile))
645 return NULL;
646
647 SSL_CTX_set_client_CA_list(self->ctx, SSL_load_client_CA_file(cafile));
648
649 Py_INCREF(Py_None);
650 return Py_None;
651}
652
653static char ssl_Context_set_session_id_doc[] = "\n\
654Set the session identifier, this is needed if you want to do session\n\
655resumption (which, ironically, isn't implemented yet)\n\
656\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400657@param buf: A Python object that can be safely converted to a string\n\
658@returns: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500659";
660static PyObject *
661ssl_Context_set_session_id(ssl_ContextObj *self, PyObject *args)
662{
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500663 unsigned char *buf;
664 unsigned int len;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500665
666 if (!PyArg_ParseTuple(args, "s#:set_session_id", &buf, &len))
667 return NULL;
668
669 if (!SSL_CTX_set_session_id_context(self->ctx, buf, len))
670 {
Rick Deand369c932009-07-08 11:48:33 -0500671 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500672 return NULL;
673 }
674 else
675 {
676 Py_INCREF(Py_None);
677 return Py_None;
678 }
679}
680
681static char ssl_Context_set_verify_doc[] = "\n\
682Set the verify mode and verify callback\n\
683\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400684@param mode: The verify mode, this is either VERIFY_NONE or\n\
685 VERIFY_PEER combined with possible other flags\n\
686@param callback: The Python callback to use\n\
687@return: None\n\
Jean-Paul Calderone24aedf42008-03-06 22:01:16 -0500688\n\
689See SSL_CTX_set_verify(3SSL) for further details.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500690";
691static PyObject *
692ssl_Context_set_verify(ssl_ContextObj *self, PyObject *args)
693{
694 int mode;
695 PyObject *callback = NULL;
696
697 if (!PyArg_ParseTuple(args, "iO:set_verify", &mode, &callback))
698 return NULL;
699
700 if (!PyCallable_Check(callback))
701 {
702 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
703 return NULL;
704 }
705
706 Py_DECREF(self->verify_callback);
707 Py_INCREF(callback);
708 self->verify_callback = callback;
709 SSL_CTX_set_verify(self->ctx, mode, global_verify_callback);
710
711 Py_INCREF(Py_None);
712 return Py_None;
713}
714
715static char ssl_Context_set_verify_depth_doc[] = "\n\
716Set the verify depth\n\
717\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400718@param depth: An integer specifying the verify depth\n\
719@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500720";
721static PyObject *
722ssl_Context_set_verify_depth(ssl_ContextObj *self, PyObject *args)
723{
724 int depth;
725
726 if (!PyArg_ParseTuple(args, "i:set_verify_depth", &depth))
727 return NULL;
728
729 SSL_CTX_set_verify_depth(self->ctx, depth);
730 Py_INCREF(Py_None);
731 return Py_None;
732}
733
734static char ssl_Context_get_verify_mode_doc[] = "\n\
735Get the verify mode\n\
736\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400737@return: The verify mode\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500738";
739static PyObject *
740ssl_Context_get_verify_mode(ssl_ContextObj *self, PyObject *args)
741{
742 int mode;
743
744 if (!PyArg_ParseTuple(args, ":get_verify_mode"))
745 return NULL;
746
747 mode = SSL_CTX_get_verify_mode(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400748 return PyLong_FromLong((long)mode);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500749}
750
751static char ssl_Context_get_verify_depth_doc[] = "\n\
752Get the verify depth\n\
753\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400754@return: The verify depth\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500755";
756static PyObject *
757ssl_Context_get_verify_depth(ssl_ContextObj *self, PyObject *args)
758{
759 int depth;
760
761 if (!PyArg_ParseTuple(args, ":get_verify_depth"))
762 return NULL;
763
764 depth = SSL_CTX_get_verify_depth(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400765 return PyLong_FromLong((long)depth);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500766}
767
768static char ssl_Context_load_tmp_dh_doc[] = "\n\
769Load parameters for Ephemeral Diffie-Hellman\n\
770\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400771@param dhfile: The file to load EDH parameters from\n\
772@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500773";
774static PyObject *
775ssl_Context_load_tmp_dh(ssl_ContextObj *self, PyObject *args)
776{
777 char *dhfile;
778 BIO *bio;
779 DH *dh;
780
781 if (!PyArg_ParseTuple(args, "s:load_tmp_dh", &dhfile))
782 return NULL;
783
784 bio = BIO_new_file(dhfile, "r");
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -0400785 if (bio == NULL) {
786 exception_from_error_queue(ssl_Error);
787 return NULL;
788 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500789
790 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
791 SSL_CTX_set_tmp_dh(self->ctx, dh);
792 DH_free(dh);
793 BIO_free(bio);
794
795 Py_INCREF(Py_None);
796 return Py_None;
797}
798
799static char ssl_Context_set_cipher_list_doc[] = "\n\
800Change the cipher list\n\
801\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400802@param cipher_list: A cipher list, see ciphers(1)\n\
803@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500804";
805static PyObject *
806ssl_Context_set_cipher_list(ssl_ContextObj *self, PyObject *args)
807{
808 char *cipher_list;
809
810 if (!PyArg_ParseTuple(args, "s:set_cipher_list", &cipher_list))
811 return NULL;
812
813 if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list))
814 {
Rick Deand369c932009-07-08 11:48:33 -0500815 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500816 return NULL;
817 }
818 else
819 {
820 Py_INCREF(Py_None);
821 return Py_None;
822 }
823}
824
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200825static char ssl_Context_set_client_ca_list_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200826Set the list of preferred client certificate signers for this server context.\n\
827\n\
828This list of certificate authorities will be sent to the client when the\n\
829server requests a client certificate.\n\
830\n\
831@param certificate_authorities: a sequence of X509Names.\n\
832@return: None\n\
833";
834
835static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200836ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200837{
838 static PyTypeObject *X509NameType;
839 PyObject *sequence, *tuple, *item;
840 crypto_X509NameObj *name;
841 X509_NAME *sslname;
842 STACK_OF(X509_NAME) *CANames;
843 Py_ssize_t length;
844 int i;
845
846 if (X509NameType == NULL) {
847 X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
848 if (X509NameType == NULL) {
849 return NULL;
850 }
851 }
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200852 if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) {
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200853 return NULL;
854 }
855 tuple = PySequence_Tuple(sequence);
856 if (tuple == NULL) {
857 return NULL;
858 }
859 length = PyTuple_Size(tuple);
860 if (length >= INT_MAX) {
861 PyErr_SetString(PyExc_ValueError, "client CA list is too long");
862 Py_DECREF(tuple);
863 return NULL;
864 }
865 CANames = sk_X509_NAME_new_null();
866 if (CANames == NULL) {
867 Py_DECREF(tuple);
868 exception_from_error_queue(ssl_Error);
869 return NULL;
870 }
871 for (i = 0; i < length; i++) {
872 item = PyTuple_GetItem(tuple, i);
873 if (item->ob_type != X509NameType) {
874 PyErr_Format(PyExc_TypeError,
875 "client CAs must be X509Name objects, not %s objects",
876 item->ob_type->tp_name);
877 sk_X509_NAME_free(CANames);
878 Py_DECREF(tuple);
879 return NULL;
880 }
881 name = (crypto_X509NameObj *)item;
882 sslname = X509_NAME_dup(name->x509_name);
883 if (sslname == NULL) {
884 sk_X509_NAME_free(CANames);
885 Py_DECREF(tuple);
886 exception_from_error_queue(ssl_Error);
887 return NULL;
888 }
889 if (!sk_X509_NAME_push(CANames, sslname)) {
890 X509_NAME_free(sslname);
891 sk_X509_NAME_free(CANames);
892 Py_DECREF(tuple);
893 exception_from_error_queue(ssl_Error);
894 return NULL;
895 }
896 }
897 Py_DECREF(tuple);
898 SSL_CTX_set_client_CA_list(self->ctx, CANames);
899 Py_INCREF(Py_None);
900 return Py_None;
901}
902
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200903static char ssl_Context_add_client_ca_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200904Add the CA certificate to the list of preferred signers for this context.\n\
905\n\
906The list of certificate authorities will be sent to the client when the\n\
907server requests a client certificate.\n\
908\n\
909@param certificate_authority: certificate authority's X509 certificate.\n\
910@return: None\n\
911";
912
913static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200914ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200915{
916 crypto_X509Obj *cert;
917
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200918 cert = parse_certificate_argument("O!:add_client_ca", args);
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200919 if (cert == NULL) {
920 return NULL;
921 }
922 if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
923 exception_from_error_queue(ssl_Error);
924 return NULL;
925 }
926 Py_INCREF(Py_None);
927 return Py_None;
928}
929
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500930static char ssl_Context_set_timeout_doc[] = "\n\
931Set session timeout\n\
932\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400933@param timeout: The timeout in seconds\n\
934@return: The previous session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500935";
936static PyObject *
937ssl_Context_set_timeout(ssl_ContextObj *self, PyObject *args)
938{
939 long t, ret;
940
941 if (!PyArg_ParseTuple(args, "l:set_timeout", &t))
942 return NULL;
943
944 ret = SSL_CTX_set_timeout(self->ctx, t);
945 return PyLong_FromLong(ret);
946}
947
948static char ssl_Context_get_timeout_doc[] = "\n\
949Get the session timeout\n\
950\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400951@return: The session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500952";
953static PyObject *
954ssl_Context_get_timeout(ssl_ContextObj *self, PyObject *args)
955{
956 long ret;
957
958 if (!PyArg_ParseTuple(args, ":get_timeout"))
959 return NULL;
960
961 ret = SSL_CTX_get_timeout(self->ctx);
962 return PyLong_FromLong(ret);
963}
964
965static char ssl_Context_set_info_callback_doc[] = "\n\
966Set the info callback\n\
967\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400968@param callback: The Python callback to use\n\
969@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500970";
971static PyObject *
972ssl_Context_set_info_callback(ssl_ContextObj *self, PyObject *args)
973{
974 PyObject *callback;
975
976 if (!PyArg_ParseTuple(args, "O:set_info_callback", &callback))
977 return NULL;
978
979 if (!PyCallable_Check(callback))
980 {
981 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
982 return NULL;
983 }
984
985 Py_DECREF(self->info_callback);
986 Py_INCREF(callback);
987 self->info_callback = callback;
988 SSL_CTX_set_info_callback(self->ctx, global_info_callback);
989
990 Py_INCREF(Py_None);
991 return Py_None;
992}
993
994static char ssl_Context_get_app_data_doc[] = "\n\
995Get the application data (supplied via set_app_data())\n\
996\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400997@return: The application data\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500998";
999static PyObject *
1000ssl_Context_get_app_data(ssl_ContextObj *self, PyObject *args)
1001{
1002 if (!PyArg_ParseTuple(args, ":get_app_data"))
1003 return NULL;
1004
1005 Py_INCREF(self->app_data);
1006 return self->app_data;
1007}
1008
1009static char ssl_Context_set_app_data_doc[] = "\n\
1010Set the application data (will be returned from get_app_data())\n\
1011\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001012@param data: Any Python object\n\
1013@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001014";
1015static PyObject *
1016ssl_Context_set_app_data(ssl_ContextObj *self, PyObject *args)
1017{
1018 PyObject *data;
1019
1020 if (!PyArg_ParseTuple(args, "O:set_app_data", &data))
1021 return NULL;
1022
1023 Py_DECREF(self->app_data);
1024 Py_INCREF(data);
1025 self->app_data = data;
1026
1027 Py_INCREF(Py_None);
1028 return Py_None;
1029}
1030
1031static char ssl_Context_get_cert_store_doc[] = "\n\
1032Get the certificate store for the context\n\
1033\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001034@return: A X509Store object\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001035";
1036static PyObject *
1037ssl_Context_get_cert_store(ssl_ContextObj *self, PyObject *args)
1038{
1039 X509_STORE *store;
1040
1041 if (!PyArg_ParseTuple(args, ":get_cert_store"))
1042 return NULL;
1043
1044 if ((store = SSL_CTX_get_cert_store(self->ctx)) == NULL)
1045 {
1046 Py_INCREF(Py_None);
1047 return Py_None;
1048 }
1049 else
1050 {
Jean-Paul Calderone1e9312e2010-10-31 21:26:18 -04001051 return (PyObject *)new_x509store(store, 0);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001052 }
1053}
1054
1055static char ssl_Context_set_options_doc[] = "\n\
1056Add options. Options set before are not cleared!\n\
1057\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001058@param options: The options to add.\n\
1059@return: The new option bitmask.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001060";
1061static PyObject *
1062ssl_Context_set_options(ssl_ContextObj *self, PyObject *args)
1063{
1064 long options;
1065
1066 if (!PyArg_ParseTuple(args, "l:set_options", &options))
1067 return NULL;
1068
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -04001069 return PyLong_FromLong(SSL_CTX_set_options(self->ctx, options));
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001070}
1071
1072
1073/*
1074 * Member methods in the Context object
1075 * ADD_METHOD(name) expands to a correct PyMethodDef declaration
1076 * { 'name', (PyCFunction)ssl_Context_name, METH_VARARGS }
1077 * for convenience
1078 * ADD_ALIAS(name,real) creates an "alias" of the ssl_Context_real
1079 * function with the name 'name'
1080 */
1081#define ADD_METHOD(name) { #name, (PyCFunction)ssl_Context_##name, METH_VARARGS, ssl_Context_##name##_doc }
1082static PyMethodDef ssl_Context_methods[] = {
1083 ADD_METHOD(load_verify_locations),
1084 ADD_METHOD(set_passwd_cb),
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001085 ADD_METHOD(set_default_verify_paths),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001086 ADD_METHOD(use_certificate_chain_file),
1087 ADD_METHOD(use_certificate_file),
1088 ADD_METHOD(use_certificate),
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -05001089 ADD_METHOD(add_extra_chain_cert),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001090 ADD_METHOD(use_privatekey_file),
1091 ADD_METHOD(use_privatekey),
1092 ADD_METHOD(check_privatekey),
1093 ADD_METHOD(load_client_ca),
1094 ADD_METHOD(set_session_id),
1095 ADD_METHOD(set_verify),
1096 ADD_METHOD(set_verify_depth),
1097 ADD_METHOD(get_verify_mode),
1098 ADD_METHOD(get_verify_depth),
1099 ADD_METHOD(load_tmp_dh),
1100 ADD_METHOD(set_cipher_list),
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02001101 ADD_METHOD(set_client_ca_list),
1102 ADD_METHOD(add_client_ca),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001103 ADD_METHOD(set_timeout),
1104 ADD_METHOD(get_timeout),
1105 ADD_METHOD(set_info_callback),
1106 ADD_METHOD(get_app_data),
1107 ADD_METHOD(set_app_data),
1108 ADD_METHOD(get_cert_store),
1109 ADD_METHOD(set_options),
1110 { NULL, NULL }
1111};
1112#undef ADD_METHOD
1113
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001114/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001115 * Despite the name which might suggest otherwise, this is not the tp_init for
1116 * the Context type. It's just the common initialization code shared by the
1117 * two _{Nn}ew functions below.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001118 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001119static ssl_ContextObj*
1120ssl_Context_init(ssl_ContextObj *self, int i_method) {
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -04001121 const SSL_METHOD *method;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001122
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001123 switch (i_method) {
1124 case ssl_SSLv2_METHOD:
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -04001125#ifdef OPENSSL_NO_SSL2
1126 PyErr_SetString(PyExc_ValueError, "SSLv2_METHOD not supported by this version of OpenSSL");
1127 return NULL;
1128#else
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001129 method = SSLv2_method();
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -04001130#endif
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001131 break;
1132 case ssl_SSLv23_METHOD:
1133 method = SSLv23_method();
1134 break;
1135 case ssl_SSLv3_METHOD:
1136 method = SSLv3_method();
1137 break;
1138 case ssl_TLSv1_METHOD:
1139 method = TLSv1_method();
1140 break;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001141 default:
1142 PyErr_SetString(PyExc_ValueError, "No such protocol");
1143 return NULL;
1144 }
1145
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001146 self->ctx = SSL_CTX_new(method);
1147 Py_INCREF(Py_None);
1148 self->passphrase_callback = Py_None;
1149 Py_INCREF(Py_None);
1150 self->verify_callback = Py_None;
1151 Py_INCREF(Py_None);
1152 self->info_callback = Py_None;
1153
1154 Py_INCREF(Py_None);
1155 self->passphrase_userdata = Py_None;
1156
1157 Py_INCREF(Py_None);
1158 self->app_data = Py_None;
1159
1160 /* Some initialization that's required to operate smoothly in Python */
1161 SSL_CTX_set_app_data(self->ctx, self);
1162 SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
1163 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1164 SSL_MODE_AUTO_RETRY);
1165
1166 self->tstate = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001167
1168 return self;
1169}
1170
1171/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001172 * This one is exposed in the CObject API. I want to deprecate it.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001173 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001174ssl_ContextObj*
1175ssl_Context_New(int i_method) {
1176 ssl_ContextObj *self;
1177
1178 self = PyObject_GC_New(ssl_ContextObj, &ssl_Context_Type);
1179 if (self == NULL) {
1180 return (ssl_ContextObj *)PyErr_NoMemory();
1181 }
1182 self = ssl_Context_init(self, i_method);
1183 PyObject_GC_Track((PyObject *)self);
1184 return self;
1185}
1186
1187
1188/*
1189 * This one is the tp_new of the Context type. It's great.
1190 */
1191static PyObject*
1192ssl_Context_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
1193 int i_method;
1194 ssl_ContextObj *self;
1195 static char *kwlist[] = {"method", NULL};
1196
1197 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i:Context", kwlist, &i_method)) {
1198 return NULL;
1199 }
1200
1201 self = (ssl_ContextObj *)subtype->tp_alloc(subtype, 1);
1202 if (self == NULL) {
1203 return NULL;
1204 }
1205
1206 return (PyObject *)ssl_Context_init(self, i_method);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001207}
1208
1209/*
1210 * Call the visitproc on all contained objects.
1211 *
1212 * Arguments: self - The Context object
1213 * visit - Function to call
1214 * arg - Extra argument to visit
1215 * Returns: 0 if all goes well, otherwise the return code from the first
1216 * call that gave non-zero result.
1217 */
1218static int
1219ssl_Context_traverse(ssl_ContextObj *self, visitproc visit, void *arg)
1220{
1221 int ret = 0;
1222
1223 if (ret == 0 && self->passphrase_callback != NULL)
1224 ret = visit((PyObject *)self->passphrase_callback, arg);
1225 if (ret == 0 && self->passphrase_userdata != NULL)
1226 ret = visit((PyObject *)self->passphrase_userdata, arg);
1227 if (ret == 0 && self->verify_callback != NULL)
1228 ret = visit((PyObject *)self->verify_callback, arg);
1229 if (ret == 0 && self->info_callback != NULL)
1230 ret = visit((PyObject *)self->info_callback, arg);
1231 if (ret == 0 && self->app_data != NULL)
1232 ret = visit(self->app_data, arg);
1233 return ret;
1234}
1235
1236/*
1237 * Decref all contained objects and zero the pointers.
1238 *
1239 * Arguments: self - The Context object
1240 * Returns: Always 0.
1241 */
1242static int
1243ssl_Context_clear(ssl_ContextObj *self)
1244{
1245 Py_XDECREF(self->passphrase_callback);
1246 self->passphrase_callback = NULL;
1247 Py_XDECREF(self->passphrase_userdata);
1248 self->passphrase_userdata = NULL;
1249 Py_XDECREF(self->verify_callback);
1250 self->verify_callback = NULL;
1251 Py_XDECREF(self->info_callback);
1252 self->info_callback = NULL;
1253 Py_XDECREF(self->app_data);
1254 self->app_data = NULL;
1255 return 0;
1256}
1257
1258/*
1259 * Deallocate the memory used by the Context object
1260 *
1261 * Arguments: self - The Context object
1262 * Returns: None
1263 */
1264static void
1265ssl_Context_dealloc(ssl_ContextObj *self)
1266{
1267 PyObject_GC_UnTrack((PyObject *)self);
1268 SSL_CTX_free(self->ctx);
1269 ssl_Context_clear(self);
1270 PyObject_GC_Del(self);
1271}
1272
1273
1274PyTypeObject ssl_Context_Type = {
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -04001275 PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001276 "OpenSSL.SSL.Context",
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001277 sizeof(ssl_ContextObj),
1278 0,
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001279 (destructor)ssl_Context_dealloc, /* tp_dealloc */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001280 NULL, /* print */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001281 NULL, /* tp_getattr */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001282 NULL, /* setattr */
1283 NULL, /* compare */
1284 NULL, /* repr */
1285 NULL, /* as_number */
1286 NULL, /* as_sequence */
1287 NULL, /* as_mapping */
1288 NULL, /* hash */
1289 NULL, /* call */
1290 NULL, /* str */
1291 NULL, /* getattro */
1292 NULL, /* setattro */
1293 NULL, /* as_buffer */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001294 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC | Py_TPFLAGS_BASETYPE, /* tp_flags */
1295 ssl_Context_doc, /* tp_doc */
1296 (traverseproc)ssl_Context_traverse, /* tp_traverse */
1297 (inquiry)ssl_Context_clear, /* tp_clear */
1298 NULL, /* tp_richcompare */
1299 0, /* tp_weaklistoffset */
1300 NULL, /* tp_iter */
1301 NULL, /* tp_iternext */
1302 ssl_Context_methods, /* tp_methods */
1303 NULL, /* tp_members */
1304 NULL, /* tp_getset */
1305 NULL, /* tp_base */
1306 NULL, /* tp_dict */
1307 NULL, /* tp_descr_get */
1308 NULL, /* tp_descr_set */
1309 0, /* tp_dictoffset */
1310 NULL, /* tp_init */
1311 NULL, /* tp_alloc */
1312 ssl_Context_new, /* tp_new */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001313};
1314
1315
1316/*
1317 * Initialize the Context part of the SSL sub module
1318 *
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001319 * Arguments: dict - The OpenSSL.SSL module
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001320 * Returns: 1 for success, 0 otherwise
1321 */
1322int
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001323init_ssl_context(PyObject *module) {
1324
1325 if (PyType_Ready(&ssl_Context_Type) < 0) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001326 return 0;
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001327 }
1328
1329 if (PyModule_AddObject(module, "Context", (PyObject *)&ssl_Context_Type) < 0) {
1330 return 0;
1331 }
1332
1333 if (PyModule_AddObject(module, "ContextType", (PyObject *)&ssl_Context_Type) < 0) {
1334 return 0;
1335 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001336
1337 return 1;
1338}
1339