blob: c2bdcabec265cc45de5f217f44599c486ec62312 [file] [log] [blame]
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001/*
2 * context.c
3 *
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05004 * Copyright (C) AB Strakt
5 * Copyright (C) Jean-Paul Calderone
6 * See LICENSE for details.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05007 *
8 * SSL Context objects and their methods.
9 * See the file RATIONALE for a short explanation of why this module was written.
10 *
11 * Reviewed 2001-07-23
12 */
13#include <Python.h>
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -050014
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -050015#if PY_VERSION_HEX >= 0x02050000
16# define PYARG_PARSETUPLE_FORMAT const char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -040017# define PYOBJECT_GETATTRSTRING_TYPE const char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -050018#else
19# define PYARG_PARSETUPLE_FORMAT char
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -040020# define PYOBJECT_GETATTRSTRING_TYPE char*
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -050021#endif
22
Jean-Paul Calderone12ea9a02008-02-22 12:24:39 -050023#ifndef MS_WINDOWS
24# include <sys/socket.h>
25# include <netinet/in.h>
26# if !(defined(__BEOS__) || defined(__CYGWIN__))
27# include <netinet/tcp.h>
28# endif
29#else
30# include <winsock.h>
31# include <wincrypt.h>
32#endif
33
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050034#define SSL_MODULE
35#include "ssl.h"
36
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050037/*
38 * CALLBACKS
39 *
40 * Callbacks work like this: We provide a "global" callback in C which
41 * transforms the arguments into a Python argument tuple and calls the
42 * corresponding Python callback, and then parsing the return value back into
43 * things the C function can return.
44 *
45 * Three caveats:
46 * + How do we find the Context object where the Python callbacks are stored?
47 * + What about multithreading and execution frames?
48 * + What about Python callbacks that raise exceptions?
49 *
50 * The solution to the first issue is trivial if the callback provides
51 * "userdata" functionality. Since the only callbacks that don't provide
52 * userdata do provide a pointer to an SSL structure, we can associate an SSL
53 * object and a Connection one-to-one via the SSL_set/get_app_data()
54 * functions.
55 *
56 * The solution to the other issue is to rewrite the Py_BEGIN_ALLOW_THREADS
57 * macro allowing it (or rather a new macro) to specify where to save the
58 * thread state (in our case, as a member of the Connection/Context object) so
59 * we can retrieve it again before calling the Python callback.
60 */
61
62/*
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040063 * Globally defined passphrase callback. This is called from OpenSSL
64 * internally. The GIL will not be held when this function is invoked. It
65 * must not be held when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050066 *
67 * Arguments: buf - Buffer to store the returned passphrase in
68 * maxlen - Maximum length of the passphrase
69 * verify - If true, the passphrase callback should ask for a
70 * password twice and verify they're equal. If false, only
71 * ask once.
72 * arg - User data, always a Context object
73 * Returns: The length of the password if successful, 0 otherwise
74 */
75static int
76global_passphrase_callback(char *buf, int maxlen, int verify, void *arg)
77{
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040078 /*
79 * Initialize len here because we're always going to return it, and we
80 * might jump to the return before it gets initialized in any other way.
81 */
82 int len = 0;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -050083 char *str;
84 PyObject *argv, *ret = NULL;
85 ssl_ContextObj *ctx = (ssl_ContextObj *)arg;
86
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040087 /*
88 * GIL isn't held yet. First things first - acquire it, or any Python API
89 * we invoke might segfault or blow up the sun. The reverse will be done
90 * before returning.
91 */
92 MY_END_ALLOW_THREADS(ctx->tstate);
93
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -040094 /* The Python callback is called with a (maxlen,verify,userdata) tuple */
95 argv = Py_BuildValue("(iiO)", maxlen, verify, ctx->passphrase_userdata);
96
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -040097 /*
98 * XXX Didn't check argv to see if it was NULL. -exarkun
99 */
100 ret = PyEval_CallObject(ctx->passphrase_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500101 Py_DECREF(argv);
102
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400103 if (ret == NULL) {
104 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400105 * The callback raised an exception. It will be raised by whatever
106 * Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400107 */
108 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500109 }
110
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400111 if (!PyObject_IsTrue(ret)) {
112 /*
113 * Returned "", or None, or something. Treat it as no passphrase.
114 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500115 Py_DECREF(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400116 goto out;
117 }
118
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400119 if (!PyBytes_Check(ret)) {
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400120 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400121 * XXX Returned something that wasn't a string. This is bogus. We'll
122 * return 0 and OpenSSL will treat it as an error, resulting in an
123 * exception from whatever Python API triggered this callback.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400124 */
125 Py_DECREF(ret);
126 goto out;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500127 }
128
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400129 len = PyBytes_Size(ret);
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400130 if (len > maxlen) {
131 /*
Jean-Paul Calderonee1fc4ea2010-07-30 18:18:00 -0400132 * Returned more than we said they were allowed to return. Just
133 * truncate it. Might be better to raise an exception,
134 * instead. -exarkun
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400135 */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500136 len = maxlen;
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400137 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500138
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400139 str = PyBytes_AsString(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500140 strncpy(buf, str, len);
141 Py_XDECREF(ret);
142
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400143 out:
144 /*
145 * This function is returning into OpenSSL. Release the GIL again.
146 */
147 MY_BEGIN_ALLOW_THREADS(ctx->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500148 return len;
149}
150
151/*
152 * Globally defined verify callback
153 *
154 * Arguments: ok - True everything is OK "so far", false otherwise
155 * x509_ctx - Contains the certificate being checked, the current
156 * error number and depth, and the Connection we're
157 * dealing with
158 * Returns: True if everything is okay, false otherwise
159 */
160static int
161global_verify_callback(int ok, X509_STORE_CTX *x509_ctx)
162{
163 PyObject *argv, *ret;
164 SSL *ssl;
165 ssl_ConnectionObj *conn;
166 crypto_X509Obj *cert;
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500167 int errnum, errdepth, c_ret;
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400168
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400169 // Get Connection object to check thread state
170 ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx);
171 conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400172
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400173 MY_END_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400174
Jean-Paul Calderone1e9312e2010-10-31 21:26:18 -0400175 cert = new_x509(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500176 errnum = X509_STORE_CTX_get_error(x509_ctx);
177 errdepth = X509_STORE_CTX_get_error_depth(x509_ctx);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400178
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500179 argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert,
180 errnum, errdepth, ok);
181 Py_DECREF(cert);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400182 ret = PyEval_CallObject(conn->context->verify_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500183 Py_DECREF(argv);
184
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400185 if (ret != NULL && PyObject_IsTrue(ret)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500186 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400187 Py_DECREF(ret);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500188 c_ret = 1;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400189 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500190 c_ret = 0;
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400191 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500192
Jean-Paul Calderone26aea022008-09-21 18:47:06 -0400193 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500194 return c_ret;
195}
196
197/*
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400198 * Globally defined info callback. This is called from OpenSSL internally.
199 * The GIL will not be held when this function is invoked. It must not be held
200 * when the function returns.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500201 *
202 * Arguments: ssl - The Connection
203 * where - The part of the SSL code that called us
204 * _ret - The return code of the SSL function that called us
205 * Returns: None
206 */
207static void
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500208global_info_callback(const SSL *ssl, int where, int _ret)
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500209{
210 ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
211 PyObject *argv, *ret;
212
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400213 /*
214 * GIL isn't held yet. First things first - acquire it, or any Python API
215 * we invoke might segfault or blow up the sun. The reverse will be done
216 * before returning.
217 */
218 MY_END_ALLOW_THREADS(conn->tstate);
219
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500220 argv = Py_BuildValue("(Oii)", (PyObject *)conn, where, _ret);
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400221 ret = PyEval_CallObject(conn->context->info_callback, argv);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500222 Py_DECREF(argv);
223
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400224 if (ret == NULL) {
225 /*
226 * XXX - This should be reported somehow. -exarkun
227 */
228 PyErr_Clear();
229 } else {
230 Py_DECREF(ret);
231 }
232
233 /*
234 * This function is returning into OpenSSL. Release the GIL again.
235 */
236 MY_BEGIN_ALLOW_THREADS(conn->tstate);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500237 return;
238}
239
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400240/*
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -0400241 * Globally defined TLS extension server name callback. This is called from
242 * OpenSSL internally. The GIL will not be held when this function is invoked.
243 * It must not be held when the function returns.
244 *
245 * ssl represents the connection this callback is for
246 *
247 * alert is a pointer to the alert value which maybe will be emitted to the
248 * client if there is an error handling the client hello (which contains the
249 * server name). This is an out parameter, maybe.
250 *
251 * arg is an arbitrary pointer specified by SSL_CTX_set_tlsext_servername_arg.
252 * It will be NULL for all pyOpenSSL uses.
253 */
254static int
255global_tlsext_servername_callback(const SSL *ssl, int *alert, void *arg) {
256 int result = 0;
257 PyObject *argv, *ret;
258 ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
259
260 /*
261 * GIL isn't held yet. First things first - acquire it, or any Python API
262 * we invoke might segfault or blow up the sun. The reverse will be done
263 * before returning.
264 */
265 MY_END_ALLOW_THREADS(conn->tstate);
266
267 argv = Py_BuildValue("(O)", (PyObject *)conn);
268 ret = PyEval_CallObject(conn->context->tlsext_servername_callback, argv);
269 Py_DECREF(argv);
270 Py_DECREF(ret);
271
272 /*
273 * This function is returning into OpenSSL. Release the GIL again.
274 */
275 MY_BEGIN_ALLOW_THREADS(conn->tstate);
276 return result;
277}
278
279/*
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400280 * More recent builds of OpenSSL may have SSLv2 completely disabled.
281 */
282#ifdef OPENSSL_NO_SSL2
283#define SSLv2_METHOD_TEXT ""
284#else
285#define SSLv2_METHOD_TEXT "SSLv2_METHOD, "
286#endif
287
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500288
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400289static char ssl_Context_doc[] = "\n\
290Context(method) -> Context instance\n\
291\n\
292OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
293connections.\n\
294\n\
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400295@param method: One of " SSLv2_METHOD_TEXT "SSLv3_METHOD, SSLv23_METHOD, or\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400296 TLSv1_METHOD.\n\
297";
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500298
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400299#undef SSLv2_METHOD_TEXT
300
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500301static char ssl_Context_load_verify_locations_doc[] = "\n\
302Let SSL know where we can find trusted certificates for the certificate\n\
303chain\n\
304\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400305@param cafile: In which file we can find the certificates\n\
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -0400306@param capath: In which directory we can find the certificates\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400307@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500308";
309static PyObject *
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400310ssl_Context_load_verify_locations(ssl_ContextObj *self, PyObject *args) {
311 char *cafile = NULL;
312 char *capath = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500313
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400314 if (!PyArg_ParseTuple(args, "z|z:load_verify_locations", &cafile, &capath)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500315 return NULL;
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400316 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500317
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400318 if (!SSL_CTX_load_verify_locations(self->ctx, cafile, capath))
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500319 {
Rick Deand369c932009-07-08 11:48:33 -0500320 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500321 return NULL;
322 }
323 else
324 {
325 Py_INCREF(Py_None);
326 return Py_None;
327 }
328}
329
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400330static char ssl_Context_set_default_verify_paths_doc[] = "\n\
331Use the platform-specific CA certificate locations\n\
332\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400333@return: None\n\
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400334";
335static PyObject *
336ssl_Context_set_default_verify_paths(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400337 if (!PyArg_ParseTuple(args, ":set_default_verify_paths")) {
338 return NULL;
339 }
340
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400341 /*
342 * XXX Error handling for SSL_CTX_set_default_verify_paths is untested.
343 * -exarkun
344 */
345 if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
Rick Deand369c932009-07-08 11:48:33 -0500346 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone286b1922008-09-07 21:35:38 -0400347 return NULL;
348 }
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400349 Py_INCREF(Py_None);
350 return Py_None;
351};
352
353
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500354static char ssl_Context_set_passwd_cb_doc[] = "\n\
355Set the passphrase callback\n\
356\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400357@param callback: The Python callback to use\n\
358@param userdata: (optional) A Python object which will be given as\n\
359 argument to the callback\n\
360@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500361";
362static PyObject *
363ssl_Context_set_passwd_cb(ssl_ContextObj *self, PyObject *args)
364{
365 PyObject *callback = NULL, *userdata = Py_None;
366
367 if (!PyArg_ParseTuple(args, "O|O:set_passwd_cb", &callback, &userdata))
368 return NULL;
369
370 if (!PyCallable_Check(callback))
371 {
372 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
373 return NULL;
374 }
375
376 Py_DECREF(self->passphrase_callback);
377 Py_INCREF(callback);
378 self->passphrase_callback = callback;
379 SSL_CTX_set_default_passwd_cb(self->ctx, global_passphrase_callback);
380
381 Py_DECREF(self->passphrase_userdata);
382 Py_INCREF(userdata);
383 self->passphrase_userdata = userdata;
384 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, (void *)self);
385
386 Py_INCREF(Py_None);
387 return Py_None;
388}
389
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200390static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400391type_modified_error(const char *name) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200392 PyErr_Format(PyExc_RuntimeError,
393 "OpenSSL.crypto's '%s' attribute has been modified",
394 name);
395 return NULL;
396}
397
398static PyTypeObject *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400399import_crypto_type(const char *name, size_t objsize) {
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200400 PyObject *module, *type, *name_attr;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200401 PyTypeObject *res;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200402 int right_name;
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200403
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200404 module = PyImport_ImportModule("OpenSSL.crypto");
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200405 if (module == NULL) {
406 return NULL;
407 }
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400408 type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200409 Py_DECREF(module);
410 if (type == NULL) {
411 return NULL;
412 }
413 if (!(PyType_Check(type))) {
414 Py_DECREF(type);
415 return type_modified_error(name);
416 }
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200417 name_attr = PyObject_GetAttrString(type, "__name__");
418 if (name_attr == NULL) {
419 Py_DECREF(type);
420 return NULL;
421 }
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400422
423#ifdef PY3
424 {
425 PyObject* asciiname = PyUnicode_AsASCIIString(name_attr);
426 Py_DECREF(name_attr);
427 name_attr = asciiname;
428 }
429#endif
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400430 right_name = (PyBytes_CheckExact(name_attr) &&
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -0400431 strcmp(name, PyBytes_AsString(name_attr)) == 0);
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200432 Py_DECREF(name_attr);
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200433 res = (PyTypeObject *)type;
Ziga Seilnachtfdeadb12009-09-01 16:35:50 +0200434 if (!right_name || res->tp_basicsize != objsize) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200435 Py_DECREF(type);
436 return type_modified_error(name);
437 }
438 return res;
439}
440
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500441static crypto_X509Obj *
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400442parse_certificate_argument(const char* format, PyObject* args) {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500443 static PyTypeObject *crypto_X509_type = NULL;
444 crypto_X509Obj *cert;
445
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400446 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200447 crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400448 if (!crypto_X509_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200449 return NULL;
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400450 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500451 }
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200452 if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
Jean-Paul Calderone6e2b6852009-10-24 14:04:30 -0400453 crypto_X509_type, &cert)) {
454 return NULL;
455 }
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500456 return cert;
457}
458
459static char ssl_Context_add_extra_chain_cert_doc[] = "\n\
460Add certificate to chain\n\
461\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400462@param certobj: The X509 certificate object to add to the chain\n\
463@return: None\n\
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500464";
465
466static PyObject *
467ssl_Context_add_extra_chain_cert(ssl_ContextObj *self, PyObject *args)
468{
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500469 X509* cert_original;
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500470 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200471 "O!:add_extra_chain_cert", args);
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500472 if (cert == NULL)
473 {
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500474 return NULL;
475 }
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500476 if (!(cert_original = X509_dup(cert->x509)))
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500477 {
Rick Deand369c932009-07-08 11:48:33 -0500478 /* exception_from_error_queue(ssl_Error); */
Jean-Paul Calderone0ce98072008-02-18 23:22:29 -0500479 PyErr_SetString(PyExc_RuntimeError, "X509_dup failed");
480 return NULL;
481 }
482 if (!SSL_CTX_add_extra_chain_cert(self->ctx, cert_original))
483 {
484 X509_free(cert_original);
Rick Deand369c932009-07-08 11:48:33 -0500485 exception_from_error_queue(ssl_Error);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500486 return NULL;
487 }
488 else
489 {
490 Py_INCREF(Py_None);
491 return Py_None;
492 }
493}
494
495
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500496static char ssl_Context_use_certificate_chain_file_doc[] = "\n\
497Load a certificate chain from a file\n\
498\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400499@param certfile: The name of the certificate chain file\n\
500@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500501";
502static PyObject *
503ssl_Context_use_certificate_chain_file(ssl_ContextObj *self, PyObject *args)
504{
505 char *certfile;
506
507 if (!PyArg_ParseTuple(args, "s:use_certificate_chain_file", &certfile))
508 return NULL;
509
510 if (!SSL_CTX_use_certificate_chain_file(self->ctx, certfile))
511 {
Rick Deand369c932009-07-08 11:48:33 -0500512 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500513 return NULL;
514 }
515 else
516 {
517 Py_INCREF(Py_None);
518 return Py_None;
519 }
520}
521
522
523static char ssl_Context_use_certificate_file_doc[] = "\n\
524Load a certificate from a file\n\
525\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400526@param certfile: The name of the certificate file\n\
527@param filetype: (optional) The encoding of the file, default is PEM\n\
528@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500529";
530static PyObject *
531ssl_Context_use_certificate_file(ssl_ContextObj *self, PyObject *args)
532{
533 char *certfile;
534 int filetype = SSL_FILETYPE_PEM;
535
536 if (!PyArg_ParseTuple(args, "s|i:use_certificate_file", &certfile, &filetype))
537 return NULL;
538
539 if (!SSL_CTX_use_certificate_file(self->ctx, certfile, filetype))
540 {
Rick Deand369c932009-07-08 11:48:33 -0500541 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500542 return NULL;
543 }
544 else
545 {
546 Py_INCREF(Py_None);
547 return Py_None;
548 }
549}
550
551static char ssl_Context_use_certificate_doc[] = "\n\
552Load a certificate from a X509 object\n\
553\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400554@param cert: The X509 object\n\
555@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500556";
557static PyObject *
558ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args)
559{
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500560 crypto_X509Obj *cert = parse_certificate_argument(
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200561 "O!:use_certificate", args);
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -0500562 if (cert == NULL) {
563 return NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500564 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500565
566 if (!SSL_CTX_use_certificate(self->ctx, cert->x509))
567 {
Rick Deand369c932009-07-08 11:48:33 -0500568 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500569 return NULL;
570 }
571 else
572 {
573 Py_INCREF(Py_None);
574 return Py_None;
575 }
576}
577
578static char ssl_Context_use_privatekey_file_doc[] = "\n\
579Load a private key from a file\n\
580\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400581@param keyfile: The name of the key file\n\
582@param filetype: (optional) The encoding of the file, default is PEM\n\
583@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500584";
585static PyObject *
586ssl_Context_use_privatekey_file(ssl_ContextObj *self, PyObject *args)
587{
588 char *keyfile;
589 int filetype = SSL_FILETYPE_PEM, ret;
590
591 if (!PyArg_ParseTuple(args, "s|i:use_privatekey_file", &keyfile, &filetype))
592 return NULL;
593
594 MY_BEGIN_ALLOW_THREADS(self->tstate);
595 ret = SSL_CTX_use_PrivateKey_file(self->ctx, keyfile, filetype);
596 MY_END_ALLOW_THREADS(self->tstate);
597
598 if (PyErr_Occurred())
599 {
600 flush_error_queue();
601 return NULL;
602 }
603
604 if (!ret)
605 {
Rick Deand369c932009-07-08 11:48:33 -0500606 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500607 return NULL;
608 }
609 else
610 {
611 Py_INCREF(Py_None);
612 return Py_None;
613 }
614}
615
616static char ssl_Context_use_privatekey_doc[] = "\n\
617Load a private key from a PKey object\n\
618\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400619@param pkey: The PKey object\n\
620@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500621";
622static PyObject *
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400623ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500624 static PyTypeObject *crypto_PKey_type = NULL;
625 crypto_PKeyObj *pkey;
626
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400627 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200628 crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400629 if (!crypto_PKey_type) {
Ziga Seilnacht6079e372009-08-31 20:52:30 +0200630 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400631 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500632 }
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400633 if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500634 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400635 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500636
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400637 if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) {
Rick Deand369c932009-07-08 11:48:33 -0500638 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500639 return NULL;
Jean-Paul Calderonef606a842009-10-24 14:08:29 -0400640 } else {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500641 Py_INCREF(Py_None);
642 return Py_None;
643 }
644}
645
646static char ssl_Context_check_privatekey_doc[] = "\n\
647Check that the private key and certificate match up\n\
648\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400649@return: None (raises an exception if something's wrong)\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500650";
651static PyObject *
652ssl_Context_check_privatekey(ssl_ContextObj *self, PyObject *args)
653{
654 if (!PyArg_ParseTuple(args, ":check_privatekey"))
655 return NULL;
656
657 if (!SSL_CTX_check_private_key(self->ctx))
658 {
Rick Deand369c932009-07-08 11:48:33 -0500659 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500660 return NULL;
661 }
662 else
663 {
664 Py_INCREF(Py_None);
665 return Py_None;
666 }
667}
668
669static char ssl_Context_load_client_ca_doc[] = "\n\
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -0400670Load the trusted certificates that will be sent to the client (basically\n \
671telling the client \"These are the guys I trust\"). Does not actually\n\
672imply any of the certificates are trusted; that must be configured\n\
673separately.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500674\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400675@param cafile: The name of the certificates file\n\
676@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500677";
678static PyObject *
679ssl_Context_load_client_ca(ssl_ContextObj *self, PyObject *args)
680{
681 char *cafile;
682
683 if (!PyArg_ParseTuple(args, "s:load_client_ca", &cafile))
684 return NULL;
685
686 SSL_CTX_set_client_CA_list(self->ctx, SSL_load_client_CA_file(cafile));
687
688 Py_INCREF(Py_None);
689 return Py_None;
690}
691
692static char ssl_Context_set_session_id_doc[] = "\n\
693Set the session identifier, this is needed if you want to do session\n\
694resumption (which, ironically, isn't implemented yet)\n\
695\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400696@param buf: A Python object that can be safely converted to a string\n\
697@returns: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500698";
699static PyObject *
700ssl_Context_set_session_id(ssl_ContextObj *self, PyObject *args)
701{
Jean-Paul Calderone28ebb302008-12-29 16:25:30 -0500702 unsigned char *buf;
703 unsigned int len;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500704
705 if (!PyArg_ParseTuple(args, "s#:set_session_id", &buf, &len))
706 return NULL;
707
708 if (!SSL_CTX_set_session_id_context(self->ctx, buf, len))
709 {
Rick Deand369c932009-07-08 11:48:33 -0500710 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500711 return NULL;
712 }
713 else
714 {
715 Py_INCREF(Py_None);
716 return Py_None;
717 }
718}
719
720static char ssl_Context_set_verify_doc[] = "\n\
721Set the verify mode and verify callback\n\
722\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400723@param mode: The verify mode, this is either VERIFY_NONE or\n\
724 VERIFY_PEER combined with possible other flags\n\
725@param callback: The Python callback to use\n\
726@return: None\n\
Jean-Paul Calderone24aedf42008-03-06 22:01:16 -0500727\n\
728See SSL_CTX_set_verify(3SSL) for further details.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500729";
730static PyObject *
731ssl_Context_set_verify(ssl_ContextObj *self, PyObject *args)
732{
733 int mode;
734 PyObject *callback = NULL;
735
736 if (!PyArg_ParseTuple(args, "iO:set_verify", &mode, &callback))
737 return NULL;
738
739 if (!PyCallable_Check(callback))
740 {
741 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
742 return NULL;
743 }
744
745 Py_DECREF(self->verify_callback);
746 Py_INCREF(callback);
747 self->verify_callback = callback;
748 SSL_CTX_set_verify(self->ctx, mode, global_verify_callback);
749
750 Py_INCREF(Py_None);
751 return Py_None;
752}
753
754static char ssl_Context_set_verify_depth_doc[] = "\n\
755Set the verify depth\n\
756\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400757@param depth: An integer specifying the verify depth\n\
758@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500759";
760static PyObject *
761ssl_Context_set_verify_depth(ssl_ContextObj *self, PyObject *args)
762{
763 int depth;
764
765 if (!PyArg_ParseTuple(args, "i:set_verify_depth", &depth))
766 return NULL;
767
768 SSL_CTX_set_verify_depth(self->ctx, depth);
769 Py_INCREF(Py_None);
770 return Py_None;
771}
772
773static char ssl_Context_get_verify_mode_doc[] = "\n\
774Get the verify mode\n\
775\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400776@return: The verify mode\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500777";
778static PyObject *
779ssl_Context_get_verify_mode(ssl_ContextObj *self, PyObject *args)
780{
781 int mode;
782
783 if (!PyArg_ParseTuple(args, ":get_verify_mode"))
784 return NULL;
785
786 mode = SSL_CTX_get_verify_mode(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400787 return PyLong_FromLong((long)mode);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500788}
789
790static char ssl_Context_get_verify_depth_doc[] = "\n\
791Get the verify depth\n\
792\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400793@return: The verify depth\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500794";
795static PyObject *
796ssl_Context_get_verify_depth(ssl_ContextObj *self, PyObject *args)
797{
798 int depth;
799
800 if (!PyArg_ParseTuple(args, ":get_verify_depth"))
801 return NULL;
802
803 depth = SSL_CTX_get_verify_depth(self->ctx);
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -0400804 return PyLong_FromLong((long)depth);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500805}
806
807static char ssl_Context_load_tmp_dh_doc[] = "\n\
808Load parameters for Ephemeral Diffie-Hellman\n\
809\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400810@param dhfile: The file to load EDH parameters from\n\
811@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500812";
813static PyObject *
814ssl_Context_load_tmp_dh(ssl_ContextObj *self, PyObject *args)
815{
816 char *dhfile;
817 BIO *bio;
818 DH *dh;
819
820 if (!PyArg_ParseTuple(args, "s:load_tmp_dh", &dhfile))
821 return NULL;
822
823 bio = BIO_new_file(dhfile, "r");
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -0400824 if (bio == NULL) {
825 exception_from_error_queue(ssl_Error);
826 return NULL;
827 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500828
829 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
830 SSL_CTX_set_tmp_dh(self->ctx, dh);
831 DH_free(dh);
832 BIO_free(bio);
833
834 Py_INCREF(Py_None);
835 return Py_None;
836}
837
838static char ssl_Context_set_cipher_list_doc[] = "\n\
839Change the cipher list\n\
840\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400841@param cipher_list: A cipher list, see ciphers(1)\n\
842@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500843";
844static PyObject *
845ssl_Context_set_cipher_list(ssl_ContextObj *self, PyObject *args)
846{
847 char *cipher_list;
848
849 if (!PyArg_ParseTuple(args, "s:set_cipher_list", &cipher_list))
850 return NULL;
851
852 if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list))
853 {
Rick Deand369c932009-07-08 11:48:33 -0500854 exception_from_error_queue(ssl_Error);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500855 return NULL;
856 }
857 else
858 {
859 Py_INCREF(Py_None);
860 return Py_None;
861 }
862}
863
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200864static char ssl_Context_set_client_ca_list_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200865Set the list of preferred client certificate signers for this server context.\n\
866\n\
867This list of certificate authorities will be sent to the client when the\n\
868server requests a client certificate.\n\
869\n\
870@param certificate_authorities: a sequence of X509Names.\n\
871@return: None\n\
872";
873
874static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200875ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200876{
877 static PyTypeObject *X509NameType;
878 PyObject *sequence, *tuple, *item;
879 crypto_X509NameObj *name;
880 X509_NAME *sslname;
881 STACK_OF(X509_NAME) *CANames;
882 Py_ssize_t length;
883 int i;
884
885 if (X509NameType == NULL) {
886 X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
887 if (X509NameType == NULL) {
888 return NULL;
889 }
890 }
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200891 if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) {
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200892 return NULL;
893 }
894 tuple = PySequence_Tuple(sequence);
895 if (tuple == NULL) {
896 return NULL;
897 }
898 length = PyTuple_Size(tuple);
899 if (length >= INT_MAX) {
900 PyErr_SetString(PyExc_ValueError, "client CA list is too long");
901 Py_DECREF(tuple);
902 return NULL;
903 }
904 CANames = sk_X509_NAME_new_null();
905 if (CANames == NULL) {
906 Py_DECREF(tuple);
907 exception_from_error_queue(ssl_Error);
908 return NULL;
909 }
910 for (i = 0; i < length; i++) {
911 item = PyTuple_GetItem(tuple, i);
912 if (item->ob_type != X509NameType) {
913 PyErr_Format(PyExc_TypeError,
914 "client CAs must be X509Name objects, not %s objects",
915 item->ob_type->tp_name);
916 sk_X509_NAME_free(CANames);
917 Py_DECREF(tuple);
918 return NULL;
919 }
920 name = (crypto_X509NameObj *)item;
921 sslname = X509_NAME_dup(name->x509_name);
922 if (sslname == NULL) {
923 sk_X509_NAME_free(CANames);
924 Py_DECREF(tuple);
925 exception_from_error_queue(ssl_Error);
926 return NULL;
927 }
928 if (!sk_X509_NAME_push(CANames, sslname)) {
929 X509_NAME_free(sslname);
930 sk_X509_NAME_free(CANames);
931 Py_DECREF(tuple);
932 exception_from_error_queue(ssl_Error);
933 return NULL;
934 }
935 }
936 Py_DECREF(tuple);
937 SSL_CTX_set_client_CA_list(self->ctx, CANames);
938 Py_INCREF(Py_None);
939 return Py_None;
940}
941
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200942static char ssl_Context_add_client_ca_doc[] = "\n\
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200943Add the CA certificate to the list of preferred signers for this context.\n\
944\n\
945The list of certificate authorities will be sent to the client when the\n\
946server requests a client certificate.\n\
947\n\
948@param certificate_authority: certificate authority's X509 certificate.\n\
949@return: None\n\
950";
951
952static PyObject *
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200953ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args)
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200954{
955 crypto_X509Obj *cert;
956
Ziga Seilnachtf93bf102009-10-23 09:51:07 +0200957 cert = parse_certificate_argument("O!:add_client_ca", args);
Ziga Seilnacht679c4262009-09-01 01:32:29 +0200958 if (cert == NULL) {
959 return NULL;
960 }
961 if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
962 exception_from_error_queue(ssl_Error);
963 return NULL;
964 }
965 Py_INCREF(Py_None);
966 return Py_None;
967}
968
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500969static char ssl_Context_set_timeout_doc[] = "\n\
970Set session timeout\n\
971\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400972@param timeout: The timeout in seconds\n\
973@return: The previous session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500974";
975static PyObject *
976ssl_Context_set_timeout(ssl_ContextObj *self, PyObject *args)
977{
978 long t, ret;
979
980 if (!PyArg_ParseTuple(args, "l:set_timeout", &t))
981 return NULL;
982
983 ret = SSL_CTX_set_timeout(self->ctx, t);
984 return PyLong_FromLong(ret);
985}
986
987static char ssl_Context_get_timeout_doc[] = "\n\
988Get the session timeout\n\
989\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -0400990@return: The session timeout\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -0500991";
992static PyObject *
993ssl_Context_get_timeout(ssl_ContextObj *self, PyObject *args)
994{
995 long ret;
996
997 if (!PyArg_ParseTuple(args, ":get_timeout"))
998 return NULL;
999
1000 ret = SSL_CTX_get_timeout(self->ctx);
1001 return PyLong_FromLong(ret);
1002}
1003
1004static char ssl_Context_set_info_callback_doc[] = "\n\
1005Set the info callback\n\
1006\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001007@param callback: The Python callback to use\n\
1008@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001009";
1010static PyObject *
1011ssl_Context_set_info_callback(ssl_ContextObj *self, PyObject *args)
1012{
1013 PyObject *callback;
1014
1015 if (!PyArg_ParseTuple(args, "O:set_info_callback", &callback))
1016 return NULL;
1017
1018 if (!PyCallable_Check(callback))
1019 {
1020 PyErr_SetString(PyExc_TypeError, "expected PyCallable");
1021 return NULL;
1022 }
1023
1024 Py_DECREF(self->info_callback);
1025 Py_INCREF(callback);
1026 self->info_callback = callback;
1027 SSL_CTX_set_info_callback(self->ctx, global_info_callback);
1028
1029 Py_INCREF(Py_None);
1030 return Py_None;
1031}
1032
1033static char ssl_Context_get_app_data_doc[] = "\n\
1034Get the application data (supplied via set_app_data())\n\
1035\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001036@return: The application data\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001037";
1038static PyObject *
1039ssl_Context_get_app_data(ssl_ContextObj *self, PyObject *args)
1040{
1041 if (!PyArg_ParseTuple(args, ":get_app_data"))
1042 return NULL;
1043
1044 Py_INCREF(self->app_data);
1045 return self->app_data;
1046}
1047
1048static char ssl_Context_set_app_data_doc[] = "\n\
1049Set the application data (will be returned from get_app_data())\n\
1050\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001051@param data: Any Python object\n\
1052@return: None\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001053";
1054static PyObject *
1055ssl_Context_set_app_data(ssl_ContextObj *self, PyObject *args)
1056{
1057 PyObject *data;
1058
1059 if (!PyArg_ParseTuple(args, "O:set_app_data", &data))
1060 return NULL;
1061
1062 Py_DECREF(self->app_data);
1063 Py_INCREF(data);
1064 self->app_data = data;
1065
1066 Py_INCREF(Py_None);
1067 return Py_None;
1068}
1069
1070static char ssl_Context_get_cert_store_doc[] = "\n\
1071Get the certificate store for the context\n\
1072\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001073@return: A X509Store object\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001074";
1075static PyObject *
1076ssl_Context_get_cert_store(ssl_ContextObj *self, PyObject *args)
1077{
1078 X509_STORE *store;
1079
1080 if (!PyArg_ParseTuple(args, ":get_cert_store"))
1081 return NULL;
1082
1083 if ((store = SSL_CTX_get_cert_store(self->ctx)) == NULL)
1084 {
1085 Py_INCREF(Py_None);
1086 return Py_None;
1087 }
1088 else
1089 {
Jean-Paul Calderone1e9312e2010-10-31 21:26:18 -04001090 return (PyObject *)new_x509store(store, 0);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001091 }
1092}
1093
1094static char ssl_Context_set_options_doc[] = "\n\
1095Add options. Options set before are not cleared!\n\
1096\n\
Jean-Paul Calderone54bcc832009-05-27 14:06:48 -04001097@param options: The options to add.\n\
1098@return: The new option bitmask.\n\
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001099";
1100static PyObject *
1101ssl_Context_set_options(ssl_ContextObj *self, PyObject *args)
1102{
1103 long options;
1104
1105 if (!PyArg_ParseTuple(args, "l:set_options", &options))
1106 return NULL;
1107
Jean-Paul Calderone83dbcfd2010-08-11 20:20:57 -04001108 return PyLong_FromLong(SSL_CTX_set_options(self->ctx, options));
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001109}
1110
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001111static char ssl_Context_set_tlsext_servername_callback_doc[] = "\n\
1112Specify a callback function to be called when clients specify a server name.\n\
1113\n\
1114@param callback: The callback function. It will be invoked with one\n\
1115 argument, the Connection instance.\n\
1116\n\
1117";
1118static PyObject *
1119ssl_Context_set_tlsext_servername_callback(ssl_ContextObj *self, PyObject *args) {
1120 PyObject *callback;
1121 PyObject *old;
1122
1123 if (!PyArg_ParseTuple(args, "O:set_tlsext_servername_callback", &callback)) {
1124 return NULL;
1125 }
1126
1127 Py_INCREF(callback);
1128 old = self->tlsext_servername_callback;
1129 self->tlsext_servername_callback = callback;
1130 Py_DECREF(old);
1131
1132 SSL_CTX_set_tlsext_servername_callback(self->ctx, global_tlsext_servername_callback);
1133 SSL_CTX_set_tlsext_servername_arg(self->ctx, NULL);
1134
1135 Py_INCREF(Py_None);
1136 return Py_None;
1137}
1138
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001139
1140/*
1141 * Member methods in the Context object
1142 * ADD_METHOD(name) expands to a correct PyMethodDef declaration
1143 * { 'name', (PyCFunction)ssl_Context_name, METH_VARARGS }
1144 * for convenience
1145 * ADD_ALIAS(name,real) creates an "alias" of the ssl_Context_real
1146 * function with the name 'name'
1147 */
1148#define ADD_METHOD(name) { #name, (PyCFunction)ssl_Context_##name, METH_VARARGS, ssl_Context_##name##_doc }
1149static PyMethodDef ssl_Context_methods[] = {
1150 ADD_METHOD(load_verify_locations),
1151 ADD_METHOD(set_passwd_cb),
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001152 ADD_METHOD(set_default_verify_paths),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001153 ADD_METHOD(use_certificate_chain_file),
1154 ADD_METHOD(use_certificate_file),
1155 ADD_METHOD(use_certificate),
Jean-Paul Calderoned3ada852008-02-18 21:17:29 -05001156 ADD_METHOD(add_extra_chain_cert),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001157 ADD_METHOD(use_privatekey_file),
1158 ADD_METHOD(use_privatekey),
1159 ADD_METHOD(check_privatekey),
1160 ADD_METHOD(load_client_ca),
1161 ADD_METHOD(set_session_id),
1162 ADD_METHOD(set_verify),
1163 ADD_METHOD(set_verify_depth),
1164 ADD_METHOD(get_verify_mode),
1165 ADD_METHOD(get_verify_depth),
1166 ADD_METHOD(load_tmp_dh),
1167 ADD_METHOD(set_cipher_list),
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02001168 ADD_METHOD(set_client_ca_list),
1169 ADD_METHOD(add_client_ca),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001170 ADD_METHOD(set_timeout),
1171 ADD_METHOD(get_timeout),
1172 ADD_METHOD(set_info_callback),
1173 ADD_METHOD(get_app_data),
1174 ADD_METHOD(set_app_data),
1175 ADD_METHOD(get_cert_store),
1176 ADD_METHOD(set_options),
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001177 ADD_METHOD(set_tlsext_servername_callback),
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001178 { NULL, NULL }
1179};
1180#undef ADD_METHOD
1181
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001182/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001183 * Despite the name which might suggest otherwise, this is not the tp_init for
1184 * the Context type. It's just the common initialization code shared by the
1185 * two _{Nn}ew functions below.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001186 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001187static ssl_ContextObj*
1188ssl_Context_init(ssl_ContextObj *self, int i_method) {
Jean-Paul Calderone1c198f92011-04-14 09:46:23 -04001189#if (OPENSSL_VERSION_NUMBER >> 28) == 0x01
1190 const
1191#endif
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001192 SSL_METHOD *method;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001193
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001194 switch (i_method) {
1195 case ssl_SSLv2_METHOD:
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -04001196#ifdef OPENSSL_NO_SSL2
1197 PyErr_SetString(PyExc_ValueError, "SSLv2_METHOD not supported by this version of OpenSSL");
1198 return NULL;
1199#else
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001200 method = SSLv2_method();
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -04001201#endif
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001202 break;
1203 case ssl_SSLv23_METHOD:
1204 method = SSLv23_method();
1205 break;
1206 case ssl_SSLv3_METHOD:
1207 method = SSLv3_method();
1208 break;
1209 case ssl_TLSv1_METHOD:
1210 method = TLSv1_method();
1211 break;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001212 default:
1213 PyErr_SetString(PyExc_ValueError, "No such protocol");
1214 return NULL;
1215 }
1216
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001217 self->ctx = SSL_CTX_new(method);
1218 Py_INCREF(Py_None);
1219 self->passphrase_callback = Py_None;
1220 Py_INCREF(Py_None);
1221 self->verify_callback = Py_None;
1222 Py_INCREF(Py_None);
1223 self->info_callback = Py_None;
1224
1225 Py_INCREF(Py_None);
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001226 self->tlsext_servername_callback = Py_None;
1227
1228 Py_INCREF(Py_None);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001229 self->passphrase_userdata = Py_None;
1230
1231 Py_INCREF(Py_None);
1232 self->app_data = Py_None;
1233
1234 /* Some initialization that's required to operate smoothly in Python */
1235 SSL_CTX_set_app_data(self->ctx, self);
1236 SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
1237 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
1238 SSL_MODE_AUTO_RETRY);
1239
1240 self->tstate = NULL;
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001241
1242 return self;
1243}
1244
1245/*
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001246 * This one is exposed in the CObject API. I want to deprecate it.
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001247 */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001248ssl_ContextObj*
1249ssl_Context_New(int i_method) {
1250 ssl_ContextObj *self;
1251
1252 self = PyObject_GC_New(ssl_ContextObj, &ssl_Context_Type);
1253 if (self == NULL) {
1254 return (ssl_ContextObj *)PyErr_NoMemory();
1255 }
1256 self = ssl_Context_init(self, i_method);
1257 PyObject_GC_Track((PyObject *)self);
1258 return self;
1259}
1260
1261
1262/*
1263 * This one is the tp_new of the Context type. It's great.
1264 */
1265static PyObject*
1266ssl_Context_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
1267 int i_method;
1268 ssl_ContextObj *self;
1269 static char *kwlist[] = {"method", NULL};
1270
1271 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i:Context", kwlist, &i_method)) {
1272 return NULL;
1273 }
1274
1275 self = (ssl_ContextObj *)subtype->tp_alloc(subtype, 1);
1276 if (self == NULL) {
1277 return NULL;
1278 }
1279
1280 return (PyObject *)ssl_Context_init(self, i_method);
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001281}
1282
1283/*
1284 * Call the visitproc on all contained objects.
1285 *
1286 * Arguments: self - The Context object
1287 * visit - Function to call
1288 * arg - Extra argument to visit
1289 * Returns: 0 if all goes well, otherwise the return code from the first
1290 * call that gave non-zero result.
1291 */
1292static int
1293ssl_Context_traverse(ssl_ContextObj *self, visitproc visit, void *arg)
1294{
1295 int ret = 0;
1296
1297 if (ret == 0 && self->passphrase_callback != NULL)
1298 ret = visit((PyObject *)self->passphrase_callback, arg);
1299 if (ret == 0 && self->passphrase_userdata != NULL)
1300 ret = visit((PyObject *)self->passphrase_userdata, arg);
1301 if (ret == 0 && self->verify_callback != NULL)
1302 ret = visit((PyObject *)self->verify_callback, arg);
1303 if (ret == 0 && self->info_callback != NULL)
1304 ret = visit((PyObject *)self->info_callback, arg);
1305 if (ret == 0 && self->app_data != NULL)
1306 ret = visit(self->app_data, arg);
1307 return ret;
1308}
1309
1310/*
1311 * Decref all contained objects and zero the pointers.
1312 *
1313 * Arguments: self - The Context object
1314 * Returns: Always 0.
1315 */
1316static int
1317ssl_Context_clear(ssl_ContextObj *self)
1318{
1319 Py_XDECREF(self->passphrase_callback);
1320 self->passphrase_callback = NULL;
1321 Py_XDECREF(self->passphrase_userdata);
1322 self->passphrase_userdata = NULL;
1323 Py_XDECREF(self->verify_callback);
1324 self->verify_callback = NULL;
1325 Py_XDECREF(self->info_callback);
1326 self->info_callback = NULL;
1327 Py_XDECREF(self->app_data);
1328 self->app_data = NULL;
1329 return 0;
1330}
1331
1332/*
1333 * Deallocate the memory used by the Context object
1334 *
1335 * Arguments: self - The Context object
1336 * Returns: None
1337 */
1338static void
1339ssl_Context_dealloc(ssl_ContextObj *self)
1340{
1341 PyObject_GC_UnTrack((PyObject *)self);
1342 SSL_CTX_free(self->ctx);
1343 ssl_Context_clear(self);
1344 PyObject_GC_Del(self);
1345}
1346
1347
1348PyTypeObject ssl_Context_Type = {
Jean-Paul Calderoneb6d75252010-08-11 23:55:45 -04001349 PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001350 "OpenSSL.SSL.Context",
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001351 sizeof(ssl_ContextObj),
1352 0,
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001353 (destructor)ssl_Context_dealloc, /* tp_dealloc */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001354 NULL, /* print */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001355 NULL, /* tp_getattr */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001356 NULL, /* setattr */
1357 NULL, /* compare */
1358 NULL, /* repr */
1359 NULL, /* as_number */
1360 NULL, /* as_sequence */
1361 NULL, /* as_mapping */
1362 NULL, /* hash */
1363 NULL, /* call */
1364 NULL, /* str */
1365 NULL, /* getattro */
1366 NULL, /* setattro */
1367 NULL, /* as_buffer */
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001368 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC | Py_TPFLAGS_BASETYPE, /* tp_flags */
1369 ssl_Context_doc, /* tp_doc */
1370 (traverseproc)ssl_Context_traverse, /* tp_traverse */
1371 (inquiry)ssl_Context_clear, /* tp_clear */
1372 NULL, /* tp_richcompare */
1373 0, /* tp_weaklistoffset */
1374 NULL, /* tp_iter */
1375 NULL, /* tp_iternext */
1376 ssl_Context_methods, /* tp_methods */
1377 NULL, /* tp_members */
1378 NULL, /* tp_getset */
1379 NULL, /* tp_base */
1380 NULL, /* tp_dict */
1381 NULL, /* tp_descr_get */
1382 NULL, /* tp_descr_set */
1383 0, /* tp_dictoffset */
1384 NULL, /* tp_init */
1385 NULL, /* tp_alloc */
1386 ssl_Context_new, /* tp_new */
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001387};
1388
1389
1390/*
1391 * Initialize the Context part of the SSL sub module
1392 *
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001393 * Arguments: dict - The OpenSSL.SSL module
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001394 * Returns: 1 for success, 0 otherwise
1395 */
1396int
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001397init_ssl_context(PyObject *module) {
1398
1399 if (PyType_Ready(&ssl_Context_Type) < 0) {
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001400 return 0;
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001401 }
1402
Jean-Paul Calderone86ad7112010-05-11 16:08:45 -04001403 /* PyModule_AddObject steals a reference.
1404 */
1405 Py_INCREF((PyObject *)&ssl_Context_Type);
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001406 if (PyModule_AddObject(module, "Context", (PyObject *)&ssl_Context_Type) < 0) {
1407 return 0;
1408 }
1409
Jean-Paul Calderoneaed23582011-03-12 22:45:02 -05001410 /* PyModule_AddObject steals a reference.
1411 */
1412 Py_INCREF((PyObject *)&ssl_Context_Type);
Jean-Paul Calderone1bd11fa2009-05-27 17:09:15 -04001413 if (PyModule_AddObject(module, "ContextType", (PyObject *)&ssl_Context_Type) < 0) {
1414 return 0;
1415 }
Jean-Paul Calderone897bc252008-02-18 20:50:23 -05001416
1417 return 1;
1418}
1419