Changeset 391 for python/trunk/Modules/_ssl.c
- Timestamp:
- Mar 19, 2014, 11:31:01 PM (11 years ago)
- Location:
- python/trunk
- Files:
-
- 2 edited
-
. (modified) (1 prop)
-
Modules/_ssl.c (modified) (27 diffs)
Legend:
- Unmodified
- Added
- Removed
-
python/trunk
-
Property svn:mergeinfo
set to
/python/vendor/Python-2.7.6 merged eligible /python/vendor/current merged eligible
-
Property svn:mergeinfo
set to
-
python/trunk/Modules/_ssl.c
r2 r391 11 11 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE? 12 12 13 XXX what about SSL_MODE_AUTO_RETRY? 13 XXX integrate several "shutdown modes" as suggested in 14 http://bugs.python.org/issue8108#msg102867 ? 14 15 */ 15 16 … … 18 19 #ifdef WITH_THREAD 19 20 #include "pythread.h" 21 22 20 23 #define PySSL_BEGIN_ALLOW_THREADS { \ 21 22 23 #define PySSL_BLOCK_THREADS 24 #define PySSL_UNBLOCK_THREADS 25 #define PySSL_END_ALLOW_THREADS 26 27 28 #else 24 PyThreadState *_save = NULL; \ 25 if (_ssl_locks_count>0) {_save = PyEval_SaveThread();} 26 #define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)}; 27 #define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()}; 28 #define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \ 29 } 30 31 #else /* no WITH_THREAD */ 29 32 30 33 #define PySSL_BEGIN_ALLOW_THREADS … … 36 39 37 40 enum py_ssl_error { 38 39 40 41 42 43 44 45 46 47 48 49 41 /* these mirror ssl.h */ 42 PY_SSL_ERROR_NONE, 43 PY_SSL_ERROR_SSL, 44 PY_SSL_ERROR_WANT_READ, 45 PY_SSL_ERROR_WANT_WRITE, 46 PY_SSL_ERROR_WANT_X509_LOOKUP, 47 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */ 48 PY_SSL_ERROR_ZERO_RETURN, 49 PY_SSL_ERROR_WANT_CONNECT, 50 /* start of non ssl.h errorcodes */ 51 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */ 52 PY_SSL_ERROR_INVALID_ERROR_CODE 50 53 }; 51 54 52 55 enum py_ssl_server_or_client { 53 54 56 PY_SSL_CLIENT, 57 PY_SSL_SERVER 55 58 }; 56 59 57 60 enum py_ssl_cert_requirements { 58 59 60 61 PY_SSL_CERT_NONE, 62 PY_SSL_CERT_OPTIONAL, 63 PY_SSL_CERT_REQUIRED 61 64 }; 62 65 63 66 enum py_ssl_version { 64 PY_SSL_VERSION_SSL2, 65 PY_SSL_VERSION_SSL3, 66 PY_SSL_VERSION_SSL23, 67 PY_SSL_VERSION_TLS1, 67 #ifndef OPENSSL_NO_SSL2 68 PY_SSL_VERSION_SSL2, 69 #endif 70 PY_SSL_VERSION_SSL3=1, 71 PY_SSL_VERSION_SSL23, 72 PY_SSL_VERSION_TLS1 68 73 }; 69 74 … … 111 116 112 117 typedef struct { 113 PyObject_HEAD 114 PySocketSockObject *Socket; /* Socket on which we're layered */ 115 SSL_CTX* ctx; 116 SSL* ssl; 117 X509* peer_cert; 118 char server[X509_NAME_MAXLEN]; 119 char issuer[X509_NAME_MAXLEN]; 118 PyObject_HEAD 119 PySocketSockObject *Socket; /* Socket on which we're layered */ 120 SSL_CTX* ctx; 121 SSL* ssl; 122 X509* peer_cert; 123 char server[X509_NAME_MAXLEN]; 124 char issuer[X509_NAME_MAXLEN]; 125 int shutdown_seen_zero; 120 126 121 127 } PySSLObject; … … 125 131 static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args); 126 132 static int check_socket_and_wait_for_timeout(PySocketSockObject *s, 127 133 int writing); 128 134 static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args); 129 135 static PyObject *PySSL_cipher(PySSLObject *self); 130 136 131 #define PySSLObject_Check(v) 137 #define PySSLObject_Check(v) (Py_TYPE(v) == &PySSL_Type) 132 138 133 139 typedef enum { 134 135 136 137 138 139 140 SOCKET_IS_NONBLOCKING, 141 SOCKET_IS_BLOCKING, 142 SOCKET_HAS_TIMED_OUT, 143 SOCKET_HAS_BEEN_CLOSED, 144 SOCKET_TOO_LARGE_FOR_SELECT, 145 SOCKET_OPERATION_OK 140 146 } timeout_state; 141 147 … … 154 160 PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno) 155 161 { 156 PyObject *v; 157 char buf[2048]; 158 char *errstr; 159 int err; 160 enum py_ssl_error p = PY_SSL_ERROR_NONE; 161 162 assert(ret <= 0); 163 164 if (obj->ssl != NULL) { 165 err = SSL_get_error(obj->ssl, ret); 166 167 switch (err) { 168 case SSL_ERROR_ZERO_RETURN: 169 errstr = "TLS/SSL connection has been closed"; 170 p = PY_SSL_ERROR_ZERO_RETURN; 171 break; 172 case SSL_ERROR_WANT_READ: 173 errstr = "The operation did not complete (read)"; 174 p = PY_SSL_ERROR_WANT_READ; 175 break; 176 case SSL_ERROR_WANT_WRITE: 177 p = PY_SSL_ERROR_WANT_WRITE; 178 errstr = "The operation did not complete (write)"; 179 break; 180 case SSL_ERROR_WANT_X509_LOOKUP: 181 p = PY_SSL_ERROR_WANT_X509_LOOKUP; 182 errstr = 183 "The operation did not complete (X509 lookup)"; 184 break; 185 case SSL_ERROR_WANT_CONNECT: 186 p = PY_SSL_ERROR_WANT_CONNECT; 187 errstr = "The operation did not complete (connect)"; 188 break; 189 case SSL_ERROR_SYSCALL: 190 { 191 unsigned long e = ERR_get_error(); 192 if (e == 0) { 193 if (ret == 0 || !obj->Socket) { 194 p = PY_SSL_ERROR_EOF; 195 errstr = 196 "EOF occurred in violation of protocol"; 197 } else if (ret == -1) { 198 /* underlying BIO reported an I/O error */ 199 return obj->Socket->errorhandler(); 200 } else { /* possible? */ 201 p = PY_SSL_ERROR_SYSCALL; 202 errstr = "Some I/O error occurred"; 203 } 204 } else { 205 p = PY_SSL_ERROR_SYSCALL; 206 /* XXX Protected by global interpreter lock */ 207 errstr = ERR_error_string(e, NULL); 208 } 209 break; 210 } 211 case SSL_ERROR_SSL: 212 { 213 unsigned long e = ERR_get_error(); 214 p = PY_SSL_ERROR_SSL; 215 if (e != 0) 216 /* XXX Protected by global interpreter lock */ 217 errstr = ERR_error_string(e, NULL); 218 else { /* possible? */ 219 errstr = 220 "A failure in the SSL library occurred"; 221 } 222 break; 223 } 224 default: 225 p = PY_SSL_ERROR_INVALID_ERROR_CODE; 226 errstr = "Invalid error code"; 227 } 228 } else { 229 errstr = ERR_error_string(ERR_peek_last_error(), NULL); 230 } 231 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); 232 v = Py_BuildValue("(is)", p, buf); 233 if (v != NULL) { 234 PyErr_SetObject(PySSLErrorObject, v); 235 Py_DECREF(v); 236 } 237 return NULL; 162 PyObject *v; 163 char buf[2048]; 164 char *errstr; 165 int err; 166 enum py_ssl_error p = PY_SSL_ERROR_NONE; 167 168 assert(ret <= 0); 169 170 if (obj->ssl != NULL) { 171 err = SSL_get_error(obj->ssl, ret); 172 173 switch (err) { 174 case SSL_ERROR_ZERO_RETURN: 175 errstr = "TLS/SSL connection has been closed"; 176 p = PY_SSL_ERROR_ZERO_RETURN; 177 break; 178 case SSL_ERROR_WANT_READ: 179 errstr = "The operation did not complete (read)"; 180 p = PY_SSL_ERROR_WANT_READ; 181 break; 182 case SSL_ERROR_WANT_WRITE: 183 p = PY_SSL_ERROR_WANT_WRITE; 184 errstr = "The operation did not complete (write)"; 185 break; 186 case SSL_ERROR_WANT_X509_LOOKUP: 187 p = PY_SSL_ERROR_WANT_X509_LOOKUP; 188 errstr = "The operation did not complete (X509 lookup)"; 189 break; 190 case SSL_ERROR_WANT_CONNECT: 191 p = PY_SSL_ERROR_WANT_CONNECT; 192 errstr = "The operation did not complete (connect)"; 193 break; 194 case SSL_ERROR_SYSCALL: 195 { 196 unsigned long e = ERR_get_error(); 197 if (e == 0) { 198 if (ret == 0 || !obj->Socket) { 199 p = PY_SSL_ERROR_EOF; 200 errstr = "EOF occurred in violation of protocol"; 201 } else if (ret == -1) { 202 /* underlying BIO reported an I/O error */ 203 ERR_clear_error(); 204 return obj->Socket->errorhandler(); 205 } else { /* possible? */ 206 p = PY_SSL_ERROR_SYSCALL; 207 errstr = "Some I/O error occurred"; 208 } 209 } else { 210 p = PY_SSL_ERROR_SYSCALL; 211 /* XXX Protected by global interpreter lock */ 212 errstr = ERR_error_string(e, NULL); 213 } 214 break; 215 } 216 case SSL_ERROR_SSL: 217 { 218 unsigned long e = ERR_get_error(); 219 p = PY_SSL_ERROR_SSL; 220 if (e != 0) 221 /* XXX Protected by global interpreter lock */ 222 errstr = ERR_error_string(e, NULL); 223 else { /* possible? */ 224 errstr = "A failure in the SSL library occurred"; 225 } 226 break; 227 } 228 default: 229 p = PY_SSL_ERROR_INVALID_ERROR_CODE; 230 errstr = "Invalid error code"; 231 } 232 } else { 233 errstr = ERR_error_string(ERR_peek_last_error(), NULL); 234 } 235 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); 236 ERR_clear_error(); 237 v = Py_BuildValue("(is)", p, buf); 238 if (v != NULL) { 239 PyErr_SetObject(PySSLErrorObject, v); 240 Py_DECREF(v); 241 } 242 return NULL; 238 243 } 239 244 … … 241 246 _setSSLError (char *errstr, int errcode, char *filename, int lineno) { 242 247 243 char buf[2048]; 244 PyObject *v; 245 246 if (errstr == NULL) { 247 errcode = ERR_peek_last_error(); 248 errstr = ERR_error_string(errcode, NULL); 249 } 250 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); 251 v = Py_BuildValue("(is)", errcode, buf); 252 if (v != NULL) { 253 PyErr_SetObject(PySSLErrorObject, v); 254 Py_DECREF(v); 255 } 256 return NULL; 248 char buf[2048]; 249 PyObject *v; 250 251 if (errstr == NULL) { 252 errcode = ERR_peek_last_error(); 253 errstr = ERR_error_string(errcode, NULL); 254 } 255 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); 256 ERR_clear_error(); 257 v = Py_BuildValue("(is)", errcode, buf); 258 if (v != NULL) { 259 PyErr_SetObject(PySSLErrorObject, v); 260 Py_DECREF(v); 261 } 262 return NULL; 257 263 } 258 264 259 265 static PySSLObject * 260 266 newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, 261 enum py_ssl_server_or_client socket_type, 262 enum py_ssl_cert_requirements certreq, 263 enum py_ssl_version proto_version, 264 char *cacerts_file) 265 { 266 PySSLObject *self; 267 char *errstr = NULL; 268 int ret; 269 int verification_mode; 270 271 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ 272 if (self == NULL) 273 return NULL; 274 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN); 275 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN); 276 self->peer_cert = NULL; 277 self->ssl = NULL; 278 self->ctx = NULL; 279 self->Socket = NULL; 280 281 /* Make sure the SSL error state is initialized */ 282 (void) ERR_get_state(); 283 ERR_clear_error(); 284 285 if ((key_file && !cert_file) || (!key_file && cert_file)) { 286 errstr = ERRSTR("Both the key & certificate files " 287 "must be specified"); 288 goto fail; 289 } 290 291 if ((socket_type == PY_SSL_SERVER) && 292 ((key_file == NULL) || (cert_file == NULL))) { 293 errstr = ERRSTR("Both the key & certificate files " 294 "must be specified for server-side operation"); 295 goto fail; 296 } 297 298 PySSL_BEGIN_ALLOW_THREADS 299 if (proto_version == PY_SSL_VERSION_TLS1) 300 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */ 301 else if (proto_version == PY_SSL_VERSION_SSL3) 302 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */ 303 else if (proto_version == PY_SSL_VERSION_SSL2) 304 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */ 305 else if (proto_version == PY_SSL_VERSION_SSL23) 306 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ 307 PySSL_END_ALLOW_THREADS 308 309 if (self->ctx == NULL) { 310 errstr = ERRSTR("Invalid SSL protocol variant specified."); 311 goto fail; 312 } 313 314 if (certreq != PY_SSL_CERT_NONE) { 315 if (cacerts_file == NULL) { 316 errstr = ERRSTR("No root certificates specified for " 317 "verification of other-side certificates."); 318 goto fail; 319 } else { 320 PySSL_BEGIN_ALLOW_THREADS 321 ret = SSL_CTX_load_verify_locations(self->ctx, 322 cacerts_file, 323 NULL); 324 PySSL_END_ALLOW_THREADS 325 if (ret != 1) { 326 _setSSLError(NULL, 0, __FILE__, __LINE__); 327 goto fail; 328 } 329 } 330 } 331 if (key_file) { 332 PySSL_BEGIN_ALLOW_THREADS 333 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file, 334 SSL_FILETYPE_PEM); 335 PySSL_END_ALLOW_THREADS 336 if (ret != 1) { 337 _setSSLError(NULL, ret, __FILE__, __LINE__); 338 goto fail; 339 } 340 341 PySSL_BEGIN_ALLOW_THREADS 342 ret = SSL_CTX_use_certificate_chain_file(self->ctx, 343 cert_file); 344 PySSL_END_ALLOW_THREADS 345 if (ret != 1) { 346 /* 347 fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n", 348 ret, ERR_peek_error(), ERR_peek_last_error(), cert_file); 349 */ 350 if (ERR_peek_last_error() != 0) { 351 _setSSLError(NULL, ret, __FILE__, __LINE__); 352 goto fail; 353 } 354 } 355 } 356 357 /* ssl compatibility */ 358 SSL_CTX_set_options(self->ctx, SSL_OP_ALL); 359 360 verification_mode = SSL_VERIFY_NONE; 361 if (certreq == PY_SSL_CERT_OPTIONAL) 362 verification_mode = SSL_VERIFY_PEER; 363 else if (certreq == PY_SSL_CERT_REQUIRED) 364 verification_mode = (SSL_VERIFY_PEER | 365 SSL_VERIFY_FAIL_IF_NO_PEER_CERT); 366 SSL_CTX_set_verify(self->ctx, verification_mode, 367 NULL); /* set verify lvl */ 368 369 PySSL_BEGIN_ALLOW_THREADS 370 self->ssl = SSL_new(self->ctx); /* New ssl struct */ 371 PySSL_END_ALLOW_THREADS 372 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ 373 374 /* If the socket is in non-blocking mode or timeout mode, set the BIO 375 * to non-blocking mode (blocking is the default) 376 */ 377 if (Sock->sock_timeout >= 0.0) { 378 /* Set both the read and write BIO's to non-blocking mode */ 379 BIO_set_nbio(SSL_get_rbio(self->ssl), 1); 380 BIO_set_nbio(SSL_get_wbio(self->ssl), 1); 381 } 382 383 PySSL_BEGIN_ALLOW_THREADS 384 if (socket_type == PY_SSL_CLIENT) 385 SSL_set_connect_state(self->ssl); 386 else 387 SSL_set_accept_state(self->ssl); 388 PySSL_END_ALLOW_THREADS 389 390 self->Socket = Sock; 391 Py_INCREF(self->Socket); 392 return self; 267 enum py_ssl_server_or_client socket_type, 268 enum py_ssl_cert_requirements certreq, 269 enum py_ssl_version proto_version, 270 char *cacerts_file, char *ciphers) 271 { 272 PySSLObject *self; 273 char *errstr = NULL; 274 int ret; 275 int verification_mode; 276 277 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ 278 if (self == NULL) 279 return NULL; 280 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN); 281 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN); 282 self->peer_cert = NULL; 283 self->ssl = NULL; 284 self->ctx = NULL; 285 self->Socket = NULL; 286 self->shutdown_seen_zero = 0; 287 288 /* Make sure the SSL error state is initialized */ 289 (void) ERR_get_state(); 290 ERR_clear_error(); 291 292 if ((key_file && !cert_file) || (!key_file && cert_file)) { 293 errstr = ERRSTR("Both the key & certificate files " 294 "must be specified"); 295 goto fail; 296 } 297 298 if ((socket_type == PY_SSL_SERVER) && 299 ((key_file == NULL) || (cert_file == NULL))) { 300 errstr = ERRSTR("Both the key & certificate files " 301 "must be specified for server-side operation"); 302 goto fail; 303 } 304 305 PySSL_BEGIN_ALLOW_THREADS 306 if (proto_version == PY_SSL_VERSION_TLS1) 307 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */ 308 else if (proto_version == PY_SSL_VERSION_SSL3) 309 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */ 310 #ifndef OPENSSL_NO_SSL2 311 else if (proto_version == PY_SSL_VERSION_SSL2) 312 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */ 313 #endif 314 else if (proto_version == PY_SSL_VERSION_SSL23) 315 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ 316 PySSL_END_ALLOW_THREADS 317 318 if (self->ctx == NULL) { 319 errstr = ERRSTR("Invalid SSL protocol variant specified."); 320 goto fail; 321 } 322 323 if (ciphers != NULL) { 324 ret = SSL_CTX_set_cipher_list(self->ctx, ciphers); 325 if (ret == 0) { 326 errstr = ERRSTR("No cipher can be selected."); 327 goto fail; 328 } 329 } 330 331 if (certreq != PY_SSL_CERT_NONE) { 332 if (cacerts_file == NULL) { 333 errstr = ERRSTR("No root certificates specified for " 334 "verification of other-side certificates."); 335 goto fail; 336 } else { 337 PySSL_BEGIN_ALLOW_THREADS 338 ret = SSL_CTX_load_verify_locations(self->ctx, 339 cacerts_file, 340 NULL); 341 PySSL_END_ALLOW_THREADS 342 if (ret != 1) { 343 _setSSLError(NULL, 0, __FILE__, __LINE__); 344 goto fail; 345 } 346 } 347 } 348 if (key_file) { 349 PySSL_BEGIN_ALLOW_THREADS 350 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file, 351 SSL_FILETYPE_PEM); 352 PySSL_END_ALLOW_THREADS 353 if (ret != 1) { 354 _setSSLError(NULL, ret, __FILE__, __LINE__); 355 goto fail; 356 } 357 358 PySSL_BEGIN_ALLOW_THREADS 359 ret = SSL_CTX_use_certificate_chain_file(self->ctx, 360 cert_file); 361 PySSL_END_ALLOW_THREADS 362 if (ret != 1) { 363 /* 364 fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n", 365 ret, ERR_peek_error(), ERR_peek_last_error(), cert_file); 366 */ 367 if (ERR_peek_last_error() != 0) { 368 _setSSLError(NULL, ret, __FILE__, __LINE__); 369 goto fail; 370 } 371 } 372 } 373 374 /* ssl compatibility */ 375 SSL_CTX_set_options(self->ctx, 376 SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); 377 378 verification_mode = SSL_VERIFY_NONE; 379 if (certreq == PY_SSL_CERT_OPTIONAL) 380 verification_mode = SSL_VERIFY_PEER; 381 else if (certreq == PY_SSL_CERT_REQUIRED) 382 verification_mode = (SSL_VERIFY_PEER | 383 SSL_VERIFY_FAIL_IF_NO_PEER_CERT); 384 SSL_CTX_set_verify(self->ctx, verification_mode, 385 NULL); /* set verify lvl */ 386 387 PySSL_BEGIN_ALLOW_THREADS 388 self->ssl = SSL_new(self->ctx); /* New ssl struct */ 389 PySSL_END_ALLOW_THREADS 390 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ 391 #ifdef SSL_MODE_AUTO_RETRY 392 SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY); 393 #endif 394 395 /* If the socket is in non-blocking mode or timeout mode, set the BIO 396 * to non-blocking mode (blocking is the default) 397 */ 398 if (Sock->sock_timeout >= 0.0) { 399 /* Set both the read and write BIO's to non-blocking mode */ 400 BIO_set_nbio(SSL_get_rbio(self->ssl), 1); 401 BIO_set_nbio(SSL_get_wbio(self->ssl), 1); 402 } 403 404 PySSL_BEGIN_ALLOW_THREADS 405 if (socket_type == PY_SSL_CLIENT) 406 SSL_set_connect_state(self->ssl); 407 else 408 SSL_set_accept_state(self->ssl); 409 PySSL_END_ALLOW_THREADS 410 411 self->Socket = Sock; 412 Py_INCREF(self->Socket); 413 return self; 393 414 fail: 394 395 396 397 415 if (errstr) 416 PyErr_SetString(PySSLErrorObject, errstr); 417 Py_DECREF(self); 418 return NULL; 398 419 } 399 420 … … 401 422 PySSL_sslwrap(PyObject *self, PyObject *args) 402 423 { 403 PySocketSockObject *Sock; 404 int server_side = 0; 405 int verification_mode = PY_SSL_CERT_NONE; 406 int protocol = PY_SSL_VERSION_SSL23; 407 char *key_file = NULL; 408 char *cert_file = NULL; 409 char *cacerts_file = NULL; 410 411 if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap", 412 PySocketModule.Sock_Type, 413 &Sock, 414 &server_side, 415 &key_file, &cert_file, 416 &verification_mode, &protocol, 417 &cacerts_file)) 418 return NULL; 419 420 /* 421 fprintf(stderr, 422 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, " 423 "protocol %d, certs %p\n", 424 server_side, key_file, cert_file, verification_mode, 425 protocol, cacerts_file); 426 */ 427 428 return (PyObject *) newPySSLObject(Sock, key_file, cert_file, 429 server_side, verification_mode, 430 protocol, cacerts_file); 424 PySocketSockObject *Sock; 425 int server_side = 0; 426 int verification_mode = PY_SSL_CERT_NONE; 427 int protocol = PY_SSL_VERSION_SSL23; 428 char *key_file = NULL; 429 char *cert_file = NULL; 430 char *cacerts_file = NULL; 431 char *ciphers = NULL; 432 433 if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap", 434 PySocketModule.Sock_Type, 435 &Sock, 436 &server_side, 437 &key_file, &cert_file, 438 &verification_mode, &protocol, 439 &cacerts_file, &ciphers)) 440 return NULL; 441 442 /* 443 fprintf(stderr, 444 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, " 445 "protocol %d, certs %p\n", 446 server_side, key_file, cert_file, verification_mode, 447 protocol, cacerts_file); 448 */ 449 450 return (PyObject *) newPySSLObject(Sock, key_file, cert_file, 451 server_side, verification_mode, 452 protocol, cacerts_file, 453 ciphers); 431 454 } 432 455 433 456 PyDoc_STRVAR(ssl_doc, 434 457 "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n" 435 " cacertsfile ]) -> sslobject");458 " cacertsfile, ciphers]) -> sslobject"); 436 459 437 460 /* SSL object methods */ … … 439 462 static PyObject *PySSL_SSLdo_handshake(PySSLObject *self) 440 463 { 441 int ret; 442 int err; 443 int sockstate; 444 445 /* Actually negotiate SSL connection */ 446 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */ 447 sockstate = 0; 448 do { 449 PySSL_BEGIN_ALLOW_THREADS 450 ret = SSL_do_handshake(self->ssl); 451 err = SSL_get_error(self->ssl, ret); 452 PySSL_END_ALLOW_THREADS 453 if(PyErr_CheckSignals()) { 454 return NULL; 455 } 456 if (err == SSL_ERROR_WANT_READ) { 457 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 458 } else if (err == SSL_ERROR_WANT_WRITE) { 459 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 460 } else { 461 sockstate = SOCKET_OPERATION_OK; 462 } 463 if (sockstate == SOCKET_HAS_TIMED_OUT) { 464 PyErr_SetString(PySSLErrorObject, 465 ERRSTR("The handshake operation timed out")); 466 return NULL; 467 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 468 PyErr_SetString(PySSLErrorObject, 469 ERRSTR("Underlying socket has been closed.")); 470 return NULL; 471 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 472 PyErr_SetString(PySSLErrorObject, 473 ERRSTR("Underlying socket too large for select().")); 474 return NULL; 475 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 476 break; 477 } 478 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 479 if (ret < 1) 480 return PySSL_SetError(self, ret, __FILE__, __LINE__); 481 self->ssl->debug = 1; 482 483 if (self->peer_cert) 484 X509_free (self->peer_cert); 485 PySSL_BEGIN_ALLOW_THREADS 486 if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) { 487 X509_NAME_oneline(X509_get_subject_name(self->peer_cert), 488 self->server, X509_NAME_MAXLEN); 489 X509_NAME_oneline(X509_get_issuer_name(self->peer_cert), 490 self->issuer, X509_NAME_MAXLEN); 491 } 492 PySSL_END_ALLOW_THREADS 493 494 Py_INCREF(Py_None); 495 return Py_None; 464 int ret; 465 int err; 466 int sockstate, nonblocking; 467 468 /* just in case the blocking state of the socket has been changed */ 469 nonblocking = (self->Socket->sock_timeout >= 0.0); 470 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 471 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 472 473 /* Actually negotiate SSL connection */ 474 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */ 475 do { 476 PySSL_BEGIN_ALLOW_THREADS 477 ret = SSL_do_handshake(self->ssl); 478 err = SSL_get_error(self->ssl, ret); 479 PySSL_END_ALLOW_THREADS 480 if(PyErr_CheckSignals()) { 481 return NULL; 482 } 483 if (err == SSL_ERROR_WANT_READ) { 484 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 485 } else if (err == SSL_ERROR_WANT_WRITE) { 486 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 487 } else { 488 sockstate = SOCKET_OPERATION_OK; 489 } 490 if (sockstate == SOCKET_HAS_TIMED_OUT) { 491 PyErr_SetString(PySSLErrorObject, 492 ERRSTR("The handshake operation timed out")); 493 return NULL; 494 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 495 PyErr_SetString(PySSLErrorObject, 496 ERRSTR("Underlying socket has been closed.")); 497 return NULL; 498 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 499 PyErr_SetString(PySSLErrorObject, 500 ERRSTR("Underlying socket too large for select().")); 501 return NULL; 502 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 503 break; 504 } 505 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 506 if (ret < 1) 507 return PySSL_SetError(self, ret, __FILE__, __LINE__); 508 509 if (self->peer_cert) 510 X509_free (self->peer_cert); 511 PySSL_BEGIN_ALLOW_THREADS 512 if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) { 513 X509_NAME_oneline(X509_get_subject_name(self->peer_cert), 514 self->server, X509_NAME_MAXLEN); 515 X509_NAME_oneline(X509_get_issuer_name(self->peer_cert), 516 self->issuer, X509_NAME_MAXLEN); 517 } 518 PySSL_END_ALLOW_THREADS 519 520 Py_INCREF(Py_None); 521 return Py_None; 496 522 } 497 523 … … 499 525 PySSL_server(PySSLObject *self) 500 526 { 501 527 return PyString_FromString(self->server); 502 528 } 503 529 … … 505 531 PySSL_issuer(PySSLObject *self) 506 532 { 507 533 return PyString_FromString(self->issuer); 508 534 } 509 535 … … 511 537 _create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) { 512 538 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 539 char namebuf[X509_NAME_MAXLEN]; 540 int buflen; 541 PyObject *name_obj; 542 PyObject *value_obj; 543 PyObject *attr; 544 unsigned char *valuebuf = NULL; 545 546 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0); 547 if (buflen < 0) { 548 _setSSLError(NULL, 0, __FILE__, __LINE__); 549 goto fail; 550 } 551 name_obj = PyString_FromStringAndSize(namebuf, buflen); 552 if (name_obj == NULL) 553 goto fail; 554 555 buflen = ASN1_STRING_to_UTF8(&valuebuf, value); 556 if (buflen < 0) { 557 _setSSLError(NULL, 0, __FILE__, __LINE__); 558 Py_DECREF(name_obj); 559 goto fail; 560 } 561 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf, 562 buflen, "strict"); 563 OPENSSL_free(valuebuf); 564 if (value_obj == NULL) { 565 Py_DECREF(name_obj); 566 goto fail; 567 } 568 attr = PyTuple_New(2); 569 if (attr == NULL) { 570 Py_DECREF(name_obj); 571 Py_DECREF(value_obj); 572 goto fail; 573 } 574 PyTuple_SET_ITEM(attr, 0, name_obj); 575 PyTuple_SET_ITEM(attr, 1, value_obj); 576 return attr; 551 577 552 578 fail: 553 579 return NULL; 554 580 } 555 581 … … 557 583 _create_tuple_for_X509_NAME (X509_NAME *xname) 558 584 { 559 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */ 560 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */ 561 PyObject *rdnt; 562 PyObject *attr = NULL; /* tuple to hold an attribute */ 563 int entry_count = X509_NAME_entry_count(xname); 564 X509_NAME_ENTRY *entry; 565 ASN1_OBJECT *name; 566 ASN1_STRING *value; 567 int index_counter; 568 int rdn_level = -1; 569 int retcode; 570 571 dn = PyList_New(0); 572 if (dn == NULL) 573 return NULL; 574 /* now create another tuple to hold the top-level RDN */ 575 rdn = PyList_New(0); 576 if (rdn == NULL) 577 goto fail0; 578 579 for (index_counter = 0; 580 index_counter < entry_count; 581 index_counter++) 582 { 583 entry = X509_NAME_get_entry(xname, index_counter); 584 585 /* check to see if we've gotten to a new RDN */ 586 if (rdn_level >= 0) { 587 if (rdn_level != entry->set) { 588 /* yes, new RDN */ 589 /* add old RDN to DN */ 590 rdnt = PyList_AsTuple(rdn); 591 Py_DECREF(rdn); 592 if (rdnt == NULL) 593 goto fail0; 594 retcode = PyList_Append(dn, rdnt); 595 Py_DECREF(rdnt); 596 if (retcode < 0) 597 goto fail0; 598 /* create new RDN */ 599 rdn = PyList_New(0); 600 if (rdn == NULL) 601 goto fail0; 602 } 603 } 604 rdn_level = entry->set; 605 606 /* now add this attribute to the current RDN */ 607 name = X509_NAME_ENTRY_get_object(entry); 608 value = X509_NAME_ENTRY_get_data(entry); 609 attr = _create_tuple_for_attribute(name, value); 610 /* 611 fprintf(stderr, "RDN level %d, attribute %s: %s\n", 612 entry->set, 613 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)), 614 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1))); 615 */ 616 if (attr == NULL) 617 goto fail1; 618 retcode = PyList_Append(rdn, attr); 619 Py_DECREF(attr); 620 if (retcode < 0) 621 goto fail1; 622 } 623 /* now, there's typically a dangling RDN */ 624 if ((rdn != NULL) && (PyList_Size(rdn) > 0)) { 625 rdnt = PyList_AsTuple(rdn); 626 Py_DECREF(rdn); 627 if (rdnt == NULL) 628 goto fail0; 629 retcode = PyList_Append(dn, rdnt); 630 Py_DECREF(rdnt); 631 if (retcode < 0) 632 goto fail0; 633 } 634 635 /* convert list to tuple */ 636 rdnt = PyList_AsTuple(dn); 637 Py_DECREF(dn); 638 if (rdnt == NULL) 639 return NULL; 640 return rdnt; 585 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */ 586 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */ 587 PyObject *rdnt; 588 PyObject *attr = NULL; /* tuple to hold an attribute */ 589 int entry_count = X509_NAME_entry_count(xname); 590 X509_NAME_ENTRY *entry; 591 ASN1_OBJECT *name; 592 ASN1_STRING *value; 593 int index_counter; 594 int rdn_level = -1; 595 int retcode; 596 597 dn = PyList_New(0); 598 if (dn == NULL) 599 return NULL; 600 /* now create another tuple to hold the top-level RDN */ 601 rdn = PyList_New(0); 602 if (rdn == NULL) 603 goto fail0; 604 605 for (index_counter = 0; 606 index_counter < entry_count; 607 index_counter++) 608 { 609 entry = X509_NAME_get_entry(xname, index_counter); 610 611 /* check to see if we've gotten to a new RDN */ 612 if (rdn_level >= 0) { 613 if (rdn_level != entry->set) { 614 /* yes, new RDN */ 615 /* add old RDN to DN */ 616 rdnt = PyList_AsTuple(rdn); 617 Py_DECREF(rdn); 618 if (rdnt == NULL) 619 goto fail0; 620 retcode = PyList_Append(dn, rdnt); 621 Py_DECREF(rdnt); 622 if (retcode < 0) 623 goto fail0; 624 /* create new RDN */ 625 rdn = PyList_New(0); 626 if (rdn == NULL) 627 goto fail0; 628 } 629 } 630 rdn_level = entry->set; 631 632 /* now add this attribute to the current RDN */ 633 name = X509_NAME_ENTRY_get_object(entry); 634 value = X509_NAME_ENTRY_get_data(entry); 635 attr = _create_tuple_for_attribute(name, value); 636 /* 637 fprintf(stderr, "RDN level %d, attribute %s: %s\n", 638 entry->set, 639 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)), 640 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1))); 641 */ 642 if (attr == NULL) 643 goto fail1; 644 retcode = PyList_Append(rdn, attr); 645 Py_DECREF(attr); 646 if (retcode < 0) 647 goto fail1; 648 } 649 /* now, there's typically a dangling RDN */ 650 if (rdn != NULL) { 651 if (PyList_GET_SIZE(rdn) > 0) { 652 rdnt = PyList_AsTuple(rdn); 653 Py_DECREF(rdn); 654 if (rdnt == NULL) 655 goto fail0; 656 retcode = PyList_Append(dn, rdnt); 657 Py_DECREF(rdnt); 658 if (retcode < 0) 659 goto fail0; 660 } 661 else { 662 Py_DECREF(rdn); 663 } 664 } 665 666 /* convert list to tuple */ 667 rdnt = PyList_AsTuple(dn); 668 Py_DECREF(dn); 669 if (rdnt == NULL) 670 return NULL; 671 return rdnt; 641 672 642 673 fail1: 643 674 Py_XDECREF(rdn); 644 675 645 676 fail0: 646 647 677 Py_XDECREF(dn); 678 return NULL; 648 679 } 649 680 650 681 static PyObject * 651 682 _get_peer_alt_names (X509 *certificate) { 652 653 /* this code follows the procedure outlined in 654 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print() 655 function to extract the STACK_OF(GENERAL_NAME), 656 then iterates through the stack to add the 657 names. */ 658 659 int i, j; 660 PyObject *peer_alt_names = Py_None; 661 PyObject *v, *t; 662 X509_EXTENSION *ext = NULL; 663 GENERAL_NAMES *names = NULL; 664 GENERAL_NAME *name; 665 X509V3_EXT_METHOD *method; 666 BIO *biobuf = NULL; 667 char buf[2048]; 668 char *vptr; 669 int len; 670 const unsigned char *p; 671 672 if (certificate == NULL) 673 return peer_alt_names; 674 675 /* get a memory buffer */ 676 biobuf = BIO_new(BIO_s_mem()); 677 678 i = 0; 679 while ((i = X509_get_ext_by_NID( 680 certificate, NID_subject_alt_name, i)) >= 0) { 681 682 if (peer_alt_names == Py_None) { 683 peer_alt_names = PyList_New(0); 684 if (peer_alt_names == NULL) 685 goto fail; 686 } 687 688 /* now decode the altName */ 689 ext = X509_get_ext(certificate, i); 690 if(!(method = X509V3_EXT_get(ext))) { 691 PyErr_SetString(PySSLErrorObject, 692 ERRSTR("No method for internalizing subjectAltName!")); 693 goto fail; 694 } 695 696 p = ext->value->data; 697 if (method->it) 698 names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, 699 &p, 700 ext->value->length, 701 ASN1_ITEM_ptr(method->it))); 702 else 703 names = (GENERAL_NAMES*) (method->d2i(NULL, 704 &p, 705 ext->value->length)); 706 707 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { 708 709 /* get a rendering of each name in the set of names */ 710 711 name = sk_GENERAL_NAME_value(names, j); 712 if (name->type == GEN_DIRNAME) { 713 714 /* we special-case DirName as a tuple of tuples of attributes */ 715 716 t = PyTuple_New(2); 717 if (t == NULL) { 718 goto fail; 719 } 720 721 v = PyString_FromString("DirName"); 722 if (v == NULL) { 723 Py_DECREF(t); 724 goto fail; 725 } 726 PyTuple_SET_ITEM(t, 0, v); 727 728 v = _create_tuple_for_X509_NAME (name->d.dirn); 729 if (v == NULL) { 730 Py_DECREF(t); 731 goto fail; 732 } 733 PyTuple_SET_ITEM(t, 1, v); 734 735 } else { 736 737 /* for everything else, we use the OpenSSL print form */ 738 739 (void) BIO_reset(biobuf); 740 GENERAL_NAME_print(biobuf, name); 741 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 742 if (len < 0) { 743 _setSSLError(NULL, 0, __FILE__, __LINE__); 744 goto fail; 745 } 746 vptr = strchr(buf, ':'); 747 if (vptr == NULL) 748 goto fail; 749 t = PyTuple_New(2); 750 if (t == NULL) 751 goto fail; 752 v = PyString_FromStringAndSize(buf, (vptr - buf)); 753 if (v == NULL) { 754 Py_DECREF(t); 755 goto fail; 756 } 757 PyTuple_SET_ITEM(t, 0, v); 758 v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1))); 759 if (v == NULL) { 760 Py_DECREF(t); 761 goto fail; 762 } 763 PyTuple_SET_ITEM(t, 1, v); 764 } 765 766 /* and add that rendering to the list */ 767 768 if (PyList_Append(peer_alt_names, t) < 0) { 769 Py_DECREF(t); 770 goto fail; 771 } 772 Py_DECREF(t); 773 } 774 } 775 BIO_free(biobuf); 776 if (peer_alt_names != Py_None) { 777 v = PyList_AsTuple(peer_alt_names); 778 Py_DECREF(peer_alt_names); 779 return v; 780 } else { 781 return peer_alt_names; 782 } 783 683 684 /* this code follows the procedure outlined in 685 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print() 686 function to extract the STACK_OF(GENERAL_NAME), 687 then iterates through the stack to add the 688 names. */ 689 690 int i, j; 691 PyObject *peer_alt_names = Py_None; 692 PyObject *v = NULL, *t; 693 X509_EXTENSION *ext = NULL; 694 GENERAL_NAMES *names = NULL; 695 GENERAL_NAME *name; 696 const X509V3_EXT_METHOD *method; 697 BIO *biobuf = NULL; 698 char buf[2048]; 699 char *vptr; 700 int len; 701 /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */ 702 #if OPENSSL_VERSION_NUMBER >= 0x009060dfL 703 const unsigned char *p; 704 #else 705 unsigned char *p; 706 #endif 707 708 if (certificate == NULL) 709 return peer_alt_names; 710 711 /* get a memory buffer */ 712 biobuf = BIO_new(BIO_s_mem()); 713 714 i = -1; 715 while ((i = X509_get_ext_by_NID( 716 certificate, NID_subject_alt_name, i)) >= 0) { 717 718 if (peer_alt_names == Py_None) { 719 peer_alt_names = PyList_New(0); 720 if (peer_alt_names == NULL) 721 goto fail; 722 } 723 724 /* now decode the altName */ 725 ext = X509_get_ext(certificate, i); 726 if(!(method = X509V3_EXT_get(ext))) { 727 PyErr_SetString(PySSLErrorObject, 728 ERRSTR("No method for internalizing subjectAltName!")); 729 goto fail; 730 } 731 732 p = ext->value->data; 733 if (method->it) 734 names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, 735 &p, 736 ext->value->length, 737 ASN1_ITEM_ptr(method->it))); 738 else 739 names = (GENERAL_NAMES*) (method->d2i(NULL, 740 &p, 741 ext->value->length)); 742 743 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { 744 /* get a rendering of each name in the set of names */ 745 int gntype; 746 ASN1_STRING *as = NULL; 747 748 name = sk_GENERAL_NAME_value(names, j); 749 gntype = name->type; 750 switch (gntype) { 751 case GEN_DIRNAME: 752 /* we special-case DirName as a tuple of 753 tuples of attributes */ 754 755 t = PyTuple_New(2); 756 if (t == NULL) { 757 goto fail; 758 } 759 760 v = PyString_FromString("DirName"); 761 if (v == NULL) { 762 Py_DECREF(t); 763 goto fail; 764 } 765 PyTuple_SET_ITEM(t, 0, v); 766 767 v = _create_tuple_for_X509_NAME (name->d.dirn); 768 if (v == NULL) { 769 Py_DECREF(t); 770 goto fail; 771 } 772 PyTuple_SET_ITEM(t, 1, v); 773 break; 774 775 case GEN_EMAIL: 776 case GEN_DNS: 777 case GEN_URI: 778 /* GENERAL_NAME_print() doesn't handle NULL bytes in ASN1_string 779 correctly, CVE-2013-4238 */ 780 t = PyTuple_New(2); 781 if (t == NULL) 782 goto fail; 783 switch (gntype) { 784 case GEN_EMAIL: 785 v = PyString_FromString("email"); 786 as = name->d.rfc822Name; 787 break; 788 case GEN_DNS: 789 v = PyString_FromString("DNS"); 790 as = name->d.dNSName; 791 break; 792 case GEN_URI: 793 v = PyString_FromString("URI"); 794 as = name->d.uniformResourceIdentifier; 795 break; 796 } 797 if (v == NULL) { 798 Py_DECREF(t); 799 goto fail; 800 } 801 PyTuple_SET_ITEM(t, 0, v); 802 v = PyString_FromStringAndSize((char *)ASN1_STRING_data(as), 803 ASN1_STRING_length(as)); 804 if (v == NULL) { 805 Py_DECREF(t); 806 goto fail; 807 } 808 PyTuple_SET_ITEM(t, 1, v); 809 break; 810 811 default: 812 /* for everything else, we use the OpenSSL print form */ 813 switch (gntype) { 814 /* check for new general name type */ 815 case GEN_OTHERNAME: 816 case GEN_X400: 817 case GEN_EDIPARTY: 818 case GEN_IPADD: 819 case GEN_RID: 820 break; 821 default: 822 if (PyErr_Warn(PyExc_RuntimeWarning, 823 "Unknown general name type") == -1) { 824 goto fail; 825 } 826 break; 827 } 828 (void) BIO_reset(biobuf); 829 GENERAL_NAME_print(biobuf, name); 830 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 831 if (len < 0) { 832 _setSSLError(NULL, 0, __FILE__, __LINE__); 833 goto fail; 834 } 835 vptr = strchr(buf, ':'); 836 if (vptr == NULL) 837 goto fail; 838 t = PyTuple_New(2); 839 if (t == NULL) 840 goto fail; 841 v = PyString_FromStringAndSize(buf, (vptr - buf)); 842 if (v == NULL) { 843 Py_DECREF(t); 844 goto fail; 845 } 846 PyTuple_SET_ITEM(t, 0, v); 847 v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1))); 848 if (v == NULL) { 849 Py_DECREF(t); 850 goto fail; 851 } 852 PyTuple_SET_ITEM(t, 1, v); 853 break; 854 } 855 856 /* and add that rendering to the list */ 857 858 if (PyList_Append(peer_alt_names, t) < 0) { 859 Py_DECREF(t); 860 goto fail; 861 } 862 Py_DECREF(t); 863 } 864 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); 865 } 866 BIO_free(biobuf); 867 if (peer_alt_names != Py_None) { 868 v = PyList_AsTuple(peer_alt_names); 869 Py_DECREF(peer_alt_names); 870 return v; 871 } else { 872 return peer_alt_names; 873 } 874 784 875 785 876 fail: 786 787 788 789 790 791 792 793 877 if (biobuf != NULL) 878 BIO_free(biobuf); 879 880 if (peer_alt_names != Py_None) { 881 Py_XDECREF(peer_alt_names); 882 } 883 884 return NULL; 794 885 } 795 886 … … 797 888 _decode_certificate (X509 *certificate, int verbose) { 798 889 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 890 PyObject *retval = NULL; 891 BIO *biobuf = NULL; 892 PyObject *peer; 893 PyObject *peer_alt_names = NULL; 894 PyObject *issuer; 895 PyObject *version; 896 PyObject *sn_obj; 897 ASN1_INTEGER *serialNumber; 898 char buf[2048]; 899 int len; 900 ASN1_TIME *notBefore, *notAfter; 901 PyObject *pnotBefore, *pnotAfter; 902 903 retval = PyDict_New(); 904 if (retval == NULL) 905 return NULL; 906 907 peer = _create_tuple_for_X509_NAME( 908 X509_get_subject_name(certificate)); 909 if (peer == NULL) 910 goto fail0; 911 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) { 912 Py_DECREF(peer); 913 goto fail0; 914 } 915 Py_DECREF(peer); 916 917 if (verbose) { 918 issuer = _create_tuple_for_X509_NAME( 919 X509_get_issuer_name(certificate)); 920 if (issuer == NULL) 921 goto fail0; 922 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) { 923 Py_DECREF(issuer); 924 goto fail0; 925 } 926 Py_DECREF(issuer); 927 928 version = PyInt_FromLong(X509_get_version(certificate) + 1); 929 if (PyDict_SetItemString(retval, "version", version) < 0) { 930 Py_DECREF(version); 931 goto fail0; 932 } 933 Py_DECREF(version); 934 } 935 936 /* get a memory buffer */ 937 biobuf = BIO_new(BIO_s_mem()); 938 939 if (verbose) { 940 941 (void) BIO_reset(biobuf); 942 serialNumber = X509_get_serialNumber(certificate); 943 /* should not exceed 20 octets, 160 bits, so buf is big enough */ 944 i2a_ASN1_INTEGER(biobuf, serialNumber); 945 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 946 if (len < 0) { 947 _setSSLError(NULL, 0, __FILE__, __LINE__); 948 goto fail1; 949 } 950 sn_obj = PyString_FromStringAndSize(buf, len); 951 if (sn_obj == NULL) 952 goto fail1; 953 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) { 954 Py_DECREF(sn_obj); 955 goto fail1; 956 } 957 Py_DECREF(sn_obj); 958 959 (void) BIO_reset(biobuf); 960 notBefore = X509_get_notBefore(certificate); 961 ASN1_TIME_print(biobuf, notBefore); 962 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 963 if (len < 0) { 964 _setSSLError(NULL, 0, __FILE__, __LINE__); 965 goto fail1; 966 } 967 pnotBefore = PyString_FromStringAndSize(buf, len); 968 if (pnotBefore == NULL) 969 goto fail1; 970 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) { 971 Py_DECREF(pnotBefore); 972 goto fail1; 973 } 974 Py_DECREF(pnotBefore); 975 } 976 977 (void) BIO_reset(biobuf); 978 notAfter = X509_get_notAfter(certificate); 979 ASN1_TIME_print(biobuf, notAfter); 980 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 981 if (len < 0) { 982 _setSSLError(NULL, 0, __FILE__, __LINE__); 983 goto fail1; 984 } 985 pnotAfter = PyString_FromStringAndSize(buf, len); 986 if (pnotAfter == NULL) 987 goto fail1; 988 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) { 989 Py_DECREF(pnotAfter); 990 goto fail1; 991 } 992 Py_DECREF(pnotAfter); 993 994 /* Now look for subjectAltName */ 995 996 peer_alt_names = _get_peer_alt_names(certificate); 997 if (peer_alt_names == NULL) 998 goto fail1; 999 else if (peer_alt_names != Py_None) { 1000 if (PyDict_SetItemString(retval, "subjectAltName", 1001 peer_alt_names) < 0) { 1002 Py_DECREF(peer_alt_names); 1003 goto fail1; 1004 } 1005 Py_DECREF(peer_alt_names); 1006 } 1007 1008 BIO_free(biobuf); 1009 return retval; 919 1010 920 1011 fail1: 921 922 1012 if (biobuf != NULL) 1013 BIO_free(biobuf); 923 1014 fail0: 924 925 1015 Py_XDECREF(retval); 1016 return NULL; 926 1017 } 927 1018 … … 930 1021 PySSL_test_decode_certificate (PyObject *mod, PyObject *args) { 931 1022 932 PyObject *retval = NULL; 933 char *filename = NULL; 934 X509 *x=NULL; 935 BIO *cert; 936 int verbose = 1; 937 938 if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose)) 939 return NULL; 940 941 if ((cert=BIO_new(BIO_s_file())) == NULL) { 942 PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file"); 943 goto fail0; 944 } 945 946 if (BIO_read_filename(cert,filename) <= 0) { 947 PyErr_SetString(PySSLErrorObject, "Can't open file"); 948 goto fail0; 949 } 950 951 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); 952 if (x == NULL) { 953 PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file"); 954 goto fail0; 955 } 956 957 retval = _decode_certificate(x, verbose); 1023 PyObject *retval = NULL; 1024 char *filename = NULL; 1025 X509 *x=NULL; 1026 BIO *cert; 1027 int verbose = 1; 1028 1029 if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose)) 1030 return NULL; 1031 1032 if ((cert=BIO_new(BIO_s_file())) == NULL) { 1033 PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file"); 1034 goto fail0; 1035 } 1036 1037 if (BIO_read_filename(cert,filename) <= 0) { 1038 PyErr_SetString(PySSLErrorObject, "Can't open file"); 1039 goto fail0; 1040 } 1041 1042 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); 1043 if (x == NULL) { 1044 PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file"); 1045 goto fail0; 1046 } 1047 1048 retval = _decode_certificate(x, verbose); 1049 X509_free(x); 958 1050 959 1051 fail0: 960 961 962 1052 1053 if (cert != NULL) BIO_free(cert); 1054 return retval; 963 1055 } 964 1056 … … 967 1059 PySSL_peercert(PySSLObject *self, PyObject *args) 968 1060 { 969 PyObject *retval = NULL; 970 int len; 971 int verification; 972 PyObject *binary_mode = Py_None; 973 974 if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode)) 975 return NULL; 976 977 if (!self->peer_cert) 978 Py_RETURN_NONE; 979 980 if (PyObject_IsTrue(binary_mode)) { 981 /* return cert in DER-encoded format */ 982 983 unsigned char *bytes_buf = NULL; 984 985 bytes_buf = NULL; 986 len = i2d_X509(self->peer_cert, &bytes_buf); 987 if (len < 0) { 988 PySSL_SetError(self, len, __FILE__, __LINE__); 989 return NULL; 990 } 991 retval = PyString_FromStringAndSize((const char *) bytes_buf, len); 992 OPENSSL_free(bytes_buf); 993 return retval; 994 995 } else { 996 997 verification = SSL_CTX_get_verify_mode(self->ctx); 998 if ((verification & SSL_VERIFY_PEER) == 0) 999 return PyDict_New(); 1000 else 1001 return _decode_certificate (self->peer_cert, 0); 1002 } 1061 PyObject *retval = NULL; 1062 int len; 1063 int verification; 1064 PyObject *binary_mode = Py_None; 1065 int b; 1066 1067 if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode)) 1068 return NULL; 1069 1070 if (!self->peer_cert) 1071 Py_RETURN_NONE; 1072 1073 b = PyObject_IsTrue(binary_mode); 1074 if (b < 0) 1075 return NULL; 1076 if (b) { 1077 /* return cert in DER-encoded format */ 1078 1079 unsigned char *bytes_buf = NULL; 1080 1081 bytes_buf = NULL; 1082 len = i2d_X509(self->peer_cert, &bytes_buf); 1083 if (len < 0) { 1084 PySSL_SetError(self, len, __FILE__, __LINE__); 1085 return NULL; 1086 } 1087 retval = PyString_FromStringAndSize((const char *) bytes_buf, len); 1088 OPENSSL_free(bytes_buf); 1089 return retval; 1090 1091 } else { 1092 1093 verification = SSL_CTX_get_verify_mode(self->ctx); 1094 if ((verification & SSL_VERIFY_PEER) == 0) 1095 return PyDict_New(); 1096 else 1097 return _decode_certificate (self->peer_cert, 0); 1098 } 1003 1099 } 1004 1100 … … 1017 1113 static PyObject *PySSL_cipher (PySSLObject *self) { 1018 1114 1019 PyObject *retval, *v; 1020 SSL_CIPHER *current; 1021 char *cipher_name; 1022 char *cipher_protocol; 1023 1024 if (self->ssl == NULL) 1025 return Py_None; 1026 current = SSL_get_current_cipher(self->ssl); 1027 if (current == NULL) 1028 return Py_None; 1029 1030 retval = PyTuple_New(3); 1031 if (retval == NULL) 1032 return NULL; 1033 1034 cipher_name = (char *) SSL_CIPHER_get_name(current); 1035 if (cipher_name == NULL) { 1036 PyTuple_SET_ITEM(retval, 0, Py_None); 1037 } else { 1038 v = PyString_FromString(cipher_name); 1039 if (v == NULL) 1040 goto fail0; 1041 PyTuple_SET_ITEM(retval, 0, v); 1042 } 1043 cipher_protocol = SSL_CIPHER_get_version(current); 1044 if (cipher_protocol == NULL) { 1045 PyTuple_SET_ITEM(retval, 1, Py_None); 1046 } else { 1047 v = PyString_FromString(cipher_protocol); 1048 if (v == NULL) 1049 goto fail0; 1050 PyTuple_SET_ITEM(retval, 1, v); 1051 } 1052 v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL)); 1053 if (v == NULL) 1054 goto fail0; 1055 PyTuple_SET_ITEM(retval, 2, v); 1056 return retval; 1057 1115 PyObject *retval, *v; 1116 const SSL_CIPHER *current; 1117 char *cipher_name; 1118 char *cipher_protocol; 1119 1120 if (self->ssl == NULL) 1121 Py_RETURN_NONE; 1122 current = SSL_get_current_cipher(self->ssl); 1123 if (current == NULL) 1124 Py_RETURN_NONE; 1125 1126 retval = PyTuple_New(3); 1127 if (retval == NULL) 1128 return NULL; 1129 1130 cipher_name = (char *) SSL_CIPHER_get_name(current); 1131 if (cipher_name == NULL) { 1132 Py_INCREF(Py_None); 1133 PyTuple_SET_ITEM(retval, 0, Py_None); 1134 } else { 1135 v = PyString_FromString(cipher_name); 1136 if (v == NULL) 1137 goto fail0; 1138 PyTuple_SET_ITEM(retval, 0, v); 1139 } 1140 cipher_protocol = SSL_CIPHER_get_version(current); 1141 if (cipher_protocol == NULL) { 1142 Py_INCREF(Py_None); 1143 PyTuple_SET_ITEM(retval, 1, Py_None); 1144 } else { 1145 v = PyString_FromString(cipher_protocol); 1146 if (v == NULL) 1147 goto fail0; 1148 PyTuple_SET_ITEM(retval, 1, v); 1149 } 1150 v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL)); 1151 if (v == NULL) 1152 goto fail0; 1153 PyTuple_SET_ITEM(retval, 2, v); 1154 return retval; 1155 1058 1156 fail0: 1059 1060 1157 Py_DECREF(retval); 1158 return NULL; 1061 1159 } 1062 1160 1063 1161 static void PySSL_dealloc(PySSLObject *self) 1064 1162 { 1065 if (self->peer_cert)/* Possible not to have one? */1066 1067 1068 1069 1070 1071 1072 1163 if (self->peer_cert) /* Possible not to have one? */ 1164 X509_free (self->peer_cert); 1165 if (self->ssl) 1166 SSL_free(self->ssl); 1167 if (self->ctx) 1168 SSL_CTX_free(self->ctx); 1169 Py_XDECREF(self->Socket); 1170 PyObject_Del(self); 1073 1171 } 1074 1172 … … 1081 1179 check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing) 1082 1180 { 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1181 fd_set fds; 1182 struct timeval tv; 1183 int rc; 1184 1185 /* Nothing to do unless we're in timeout mode (not non-blocking) */ 1186 if (s->sock_timeout < 0.0) 1187 return SOCKET_IS_BLOCKING; 1188 else if (s->sock_timeout == 0.0) 1189 return SOCKET_IS_NONBLOCKING; 1190 1191 /* Guard against closed socket */ 1192 if (s->sock_fd < 0) 1193 return SOCKET_HAS_BEEN_CLOSED; 1194 1195 /* Prefer poll, if available, since you can poll() any fd 1196 * which can't be done with select(). */ 1099 1197 #ifdef HAVE_POLL 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1198 { 1199 struct pollfd pollfd; 1200 int timeout; 1201 1202 pollfd.fd = s->sock_fd; 1203 pollfd.events = writing ? POLLOUT : POLLIN; 1204 1205 /* s->sock_timeout is in seconds, timeout in ms */ 1206 timeout = (int)(s->sock_timeout * 1000 + 0.5); 1207 PySSL_BEGIN_ALLOW_THREADS 1208 rc = poll(&pollfd, 1, timeout); 1209 PySSL_END_ALLOW_THREADS 1210 1211 goto normal_return; 1212 } 1115 1213 #endif 1116 1214 1117 /* Guard against socket too large for select*/ 1118 #ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE 1119 if (s->sock_fd >= FD_SETSIZE) 1120 return SOCKET_TOO_LARGE_FOR_SELECT; 1121 #endif 1122 1123 /* Construct the arguments to select */ 1124 tv.tv_sec = (int)s->sock_timeout; 1125 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6); 1126 FD_ZERO(&fds); 1127 FD_SET(s->sock_fd, &fds); 1128 1129 /* See if the socket is ready */ 1130 PySSL_BEGIN_ALLOW_THREADS 1131 if (writing) 1132 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv); 1133 else 1134 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv); 1135 PySSL_END_ALLOW_THREADS 1215 /* Guard against socket too large for select*/ 1216 if (!_PyIsSelectable_fd(s->sock_fd)) 1217 return SOCKET_TOO_LARGE_FOR_SELECT; 1218 1219 /* Construct the arguments to select */ 1220 tv.tv_sec = (int)s->sock_timeout; 1221 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6); 1222 FD_ZERO(&fds); 1223 FD_SET(s->sock_fd, &fds); 1224 1225 /* See if the socket is ready */ 1226 PySSL_BEGIN_ALLOW_THREADS 1227 if (writing) 1228 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv); 1229 else 1230 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv); 1231 PySSL_END_ALLOW_THREADS 1136 1232 1137 1233 #ifdef HAVE_POLL 1138 1234 normal_return: 1139 1235 #endif 1140 1141 1142 1236 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise 1237 (when we are able to write or when there's something to read) */ 1238 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK; 1143 1239 } 1144 1240 1145 1241 static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args) 1146 1242 { 1147 char *data; 1148 int len; 1149 int count; 1150 int sockstate; 1151 int err; 1152 int nonblocking; 1153 1154 if (!PyArg_ParseTuple(args, "s#:write", &data, &count)) 1155 return NULL; 1156 1157 /* just in case the blocking state of the socket has been changed */ 1158 nonblocking = (self->Socket->sock_timeout >= 0.0); 1159 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1160 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1161 1162 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 1163 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1164 PyErr_SetString(PySSLErrorObject, 1165 "The write operation timed out"); 1166 return NULL; 1167 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1168 PyErr_SetString(PySSLErrorObject, 1169 "Underlying socket has been closed."); 1170 return NULL; 1171 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1172 PyErr_SetString(PySSLErrorObject, 1173 "Underlying socket too large for select()."); 1174 return NULL; 1175 } 1176 do { 1177 err = 0; 1178 PySSL_BEGIN_ALLOW_THREADS 1179 len = SSL_write(self->ssl, data, count); 1180 err = SSL_get_error(self->ssl, len); 1181 PySSL_END_ALLOW_THREADS 1182 if(PyErr_CheckSignals()) { 1183 return NULL; 1184 } 1185 if (err == SSL_ERROR_WANT_READ) { 1186 sockstate = 1187 check_socket_and_wait_for_timeout(self->Socket, 0); 1188 } else if (err == SSL_ERROR_WANT_WRITE) { 1189 sockstate = 1190 check_socket_and_wait_for_timeout(self->Socket, 1); 1191 } else { 1192 sockstate = SOCKET_OPERATION_OK; 1193 } 1194 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1195 PyErr_SetString(PySSLErrorObject, 1196 "The write operation timed out"); 1197 return NULL; 1198 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1199 PyErr_SetString(PySSLErrorObject, 1200 "Underlying socket has been closed."); 1201 return NULL; 1202 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 1203 break; 1204 } 1205 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 1206 if (len > 0) 1207 return PyInt_FromLong(len); 1208 else 1209 return PySSL_SetError(self, len, __FILE__, __LINE__); 1243 Py_buffer buf; 1244 int len; 1245 int sockstate; 1246 int err; 1247 int nonblocking; 1248 1249 if (!PyArg_ParseTuple(args, "s*:write", &buf)) 1250 return NULL; 1251 1252 if (buf.len > INT_MAX) { 1253 PyErr_Format(PyExc_OverflowError, 1254 "string longer than %d bytes", INT_MAX); 1255 goto error; 1256 } 1257 1258 /* just in case the blocking state of the socket has been changed */ 1259 nonblocking = (self->Socket->sock_timeout >= 0.0); 1260 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1261 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1262 1263 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 1264 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1265 PyErr_SetString(PySSLErrorObject, 1266 "The write operation timed out"); 1267 goto error; 1268 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1269 PyErr_SetString(PySSLErrorObject, 1270 "Underlying socket has been closed."); 1271 goto error; 1272 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1273 PyErr_SetString(PySSLErrorObject, 1274 "Underlying socket too large for select()."); 1275 goto error; 1276 } 1277 do { 1278 PySSL_BEGIN_ALLOW_THREADS 1279 len = SSL_write(self->ssl, buf.buf, (int)buf.len); 1280 err = SSL_get_error(self->ssl, len); 1281 PySSL_END_ALLOW_THREADS 1282 if (PyErr_CheckSignals()) { 1283 goto error; 1284 } 1285 if (err == SSL_ERROR_WANT_READ) { 1286 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 1287 } else if (err == SSL_ERROR_WANT_WRITE) { 1288 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 1289 } else { 1290 sockstate = SOCKET_OPERATION_OK; 1291 } 1292 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1293 PyErr_SetString(PySSLErrorObject, 1294 "The write operation timed out"); 1295 goto error; 1296 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1297 PyErr_SetString(PySSLErrorObject, 1298 "Underlying socket has been closed."); 1299 goto error; 1300 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 1301 break; 1302 } 1303 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 1304 1305 PyBuffer_Release(&buf); 1306 if (len > 0) 1307 return PyInt_FromLong(len); 1308 else 1309 return PySSL_SetError(self, len, __FILE__, __LINE__); 1310 1311 error: 1312 PyBuffer_Release(&buf); 1313 return NULL; 1210 1314 } 1211 1315 … … 1218 1322 static PyObject *PySSL_SSLpending(PySSLObject *self) 1219 1323 { 1220 1221 1222 1223 1224 1225 1226 1227 1228 1324 int count = 0; 1325 1326 PySSL_BEGIN_ALLOW_THREADS 1327 count = SSL_pending(self->ssl); 1328 PySSL_END_ALLOW_THREADS 1329 if (count < 0) 1330 return PySSL_SetError(self, count, __FILE__, __LINE__); 1331 else 1332 return PyInt_FromLong(count); 1229 1333 } 1230 1334 … … 1237 1341 static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args) 1238 1342 { 1239 PyObject *buf; 1240 int count = 0; 1241 int len = 1024; 1242 int sockstate; 1243 int err; 1244 int nonblocking; 1245 1246 if (!PyArg_ParseTuple(args, "|i:read", &len)) 1247 return NULL; 1248 1249 if (!(buf = PyString_FromStringAndSize((char *) 0, len))) 1250 return NULL; 1251 1252 /* just in case the blocking state of the socket has been changed */ 1253 nonblocking = (self->Socket->sock_timeout >= 0.0); 1254 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1255 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1256 1257 /* first check if there are bytes ready to be read */ 1258 PySSL_BEGIN_ALLOW_THREADS 1259 count = SSL_pending(self->ssl); 1260 PySSL_END_ALLOW_THREADS 1261 1262 if (!count) { 1263 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 1264 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1265 PyErr_SetString(PySSLErrorObject, 1266 "The read operation timed out"); 1267 Py_DECREF(buf); 1268 return NULL; 1269 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1270 PyErr_SetString(PySSLErrorObject, 1271 "Underlying socket too large for select()."); 1272 Py_DECREF(buf); 1273 return NULL; 1274 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1275 if (SSL_get_shutdown(self->ssl) != 1276 SSL_RECEIVED_SHUTDOWN) 1277 { 1278 Py_DECREF(buf); 1279 PyErr_SetString(PySSLErrorObject, 1280 "Socket closed without SSL shutdown handshake"); 1281 return NULL; 1282 } else { 1283 /* should contain a zero-length string */ 1284 _PyString_Resize(&buf, 0); 1285 return buf; 1286 } 1287 } 1288 } 1289 do { 1290 err = 0; 1291 PySSL_BEGIN_ALLOW_THREADS 1292 count = SSL_read(self->ssl, PyString_AsString(buf), len); 1293 err = SSL_get_error(self->ssl, count); 1294 PySSL_END_ALLOW_THREADS 1295 if(PyErr_CheckSignals()) { 1296 Py_DECREF(buf); 1297 return NULL; 1298 } 1299 if (err == SSL_ERROR_WANT_READ) { 1300 sockstate = 1301 check_socket_and_wait_for_timeout(self->Socket, 0); 1302 } else if (err == SSL_ERROR_WANT_WRITE) { 1303 sockstate = 1304 check_socket_and_wait_for_timeout(self->Socket, 1); 1305 } else if ((err == SSL_ERROR_ZERO_RETURN) && 1306 (SSL_get_shutdown(self->ssl) == 1307 SSL_RECEIVED_SHUTDOWN)) 1308 { 1309 _PyString_Resize(&buf, 0); 1310 return buf; 1311 } else { 1312 sockstate = SOCKET_OPERATION_OK; 1313 } 1314 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1315 PyErr_SetString(PySSLErrorObject, 1316 "The read operation timed out"); 1317 Py_DECREF(buf); 1318 return NULL; 1319 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 1320 break; 1321 } 1322 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 1323 if (count <= 0) { 1324 Py_DECREF(buf); 1325 return PySSL_SetError(self, count, __FILE__, __LINE__); 1326 } 1327 if (count != len) 1328 _PyString_Resize(&buf, count); 1329 return buf; 1343 PyObject *buf; 1344 int count = 0; 1345 int len = 1024; 1346 int sockstate; 1347 int err; 1348 int nonblocking; 1349 1350 if (!PyArg_ParseTuple(args, "|i:read", &len)) 1351 return NULL; 1352 1353 if (!(buf = PyString_FromStringAndSize((char *) 0, len))) 1354 return NULL; 1355 1356 /* just in case the blocking state of the socket has been changed */ 1357 nonblocking = (self->Socket->sock_timeout >= 0.0); 1358 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1359 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1360 1361 /* first check if there are bytes ready to be read */ 1362 PySSL_BEGIN_ALLOW_THREADS 1363 count = SSL_pending(self->ssl); 1364 PySSL_END_ALLOW_THREADS 1365 1366 if (!count) { 1367 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 1368 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1369 PyErr_SetString(PySSLErrorObject, 1370 "The read operation timed out"); 1371 Py_DECREF(buf); 1372 return NULL; 1373 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1374 PyErr_SetString(PySSLErrorObject, 1375 "Underlying socket too large for select()."); 1376 Py_DECREF(buf); 1377 return NULL; 1378 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1379 if (SSL_get_shutdown(self->ssl) != 1380 SSL_RECEIVED_SHUTDOWN) 1381 { 1382 Py_DECREF(buf); 1383 PyErr_SetString(PySSLErrorObject, 1384 "Socket closed without SSL shutdown handshake"); 1385 return NULL; 1386 } else { 1387 /* should contain a zero-length string */ 1388 _PyString_Resize(&buf, 0); 1389 return buf; 1390 } 1391 } 1392 } 1393 do { 1394 PySSL_BEGIN_ALLOW_THREADS 1395 count = SSL_read(self->ssl, PyString_AsString(buf), len); 1396 err = SSL_get_error(self->ssl, count); 1397 PySSL_END_ALLOW_THREADS 1398 if(PyErr_CheckSignals()) { 1399 Py_DECREF(buf); 1400 return NULL; 1401 } 1402 if (err == SSL_ERROR_WANT_READ) { 1403 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 1404 } else if (err == SSL_ERROR_WANT_WRITE) { 1405 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 1406 } else if ((err == SSL_ERROR_ZERO_RETURN) && 1407 (SSL_get_shutdown(self->ssl) == 1408 SSL_RECEIVED_SHUTDOWN)) 1409 { 1410 _PyString_Resize(&buf, 0); 1411 return buf; 1412 } else { 1413 sockstate = SOCKET_OPERATION_OK; 1414 } 1415 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1416 PyErr_SetString(PySSLErrorObject, 1417 "The read operation timed out"); 1418 Py_DECREF(buf); 1419 return NULL; 1420 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 1421 break; 1422 } 1423 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 1424 if (count <= 0) { 1425 Py_DECREF(buf); 1426 return PySSL_SetError(self, count, __FILE__, __LINE__); 1427 } 1428 if (count != len) 1429 _PyString_Resize(&buf, count); 1430 return buf; 1330 1431 } 1331 1432 … … 1337 1438 static PyObject *PySSL_SSLshutdown(PySSLObject *self) 1338 1439 { 1339 int err; 1340 1341 /* Guard against closed socket */ 1342 if (self->Socket->sock_fd < 0) { 1343 PyErr_SetString(PySSLErrorObject, 1344 "Underlying socket has been closed."); 1345 return NULL; 1346 } 1347 1348 PySSL_BEGIN_ALLOW_THREADS 1349 err = SSL_shutdown(self->ssl); 1350 if (err == 0) { 1351 /* we need to call it again to finish the shutdown */ 1352 err = SSL_shutdown(self->ssl); 1353 } 1354 PySSL_END_ALLOW_THREADS 1355 1356 if (err < 0) 1357 return PySSL_SetError(self, err, __FILE__, __LINE__); 1358 else { 1359 Py_INCREF(self->Socket); 1360 return (PyObject *) (self->Socket); 1361 } 1440 int err, ssl_err, sockstate, nonblocking; 1441 int zeros = 0; 1442 1443 /* Guard against closed socket */ 1444 if (self->Socket->sock_fd < 0) { 1445 PyErr_SetString(PySSLErrorObject, 1446 "Underlying socket has been closed."); 1447 return NULL; 1448 } 1449 1450 /* Just in case the blocking state of the socket has been changed */ 1451 nonblocking = (self->Socket->sock_timeout >= 0.0); 1452 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1453 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1454 1455 while (1) { 1456 PySSL_BEGIN_ALLOW_THREADS 1457 /* Disable read-ahead so that unwrap can work correctly. 1458 * Otherwise OpenSSL might read in too much data, 1459 * eating clear text data that happens to be 1460 * transmitted after the SSL shutdown. 1461 * Should be safe to call repeatedly every time this 1462 * function is used and the shutdown_seen_zero != 0 1463 * condition is met. 1464 */ 1465 if (self->shutdown_seen_zero) 1466 SSL_set_read_ahead(self->ssl, 0); 1467 err = SSL_shutdown(self->ssl); 1468 PySSL_END_ALLOW_THREADS 1469 /* If err == 1, a secure shutdown with SSL_shutdown() is complete */ 1470 if (err > 0) 1471 break; 1472 if (err == 0) { 1473 /* Don't loop endlessly; instead preserve legacy 1474 behaviour of trying SSL_shutdown() only twice. 1475 This looks necessary for OpenSSL < 0.9.8m */ 1476 if (++zeros > 1) 1477 break; 1478 /* Shutdown was sent, now try receiving */ 1479 self->shutdown_seen_zero = 1; 1480 continue; 1481 } 1482 1483 /* Possibly retry shutdown until timeout or failure */ 1484 ssl_err = SSL_get_error(self->ssl, err); 1485 if (ssl_err == SSL_ERROR_WANT_READ) 1486 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 1487 else if (ssl_err == SSL_ERROR_WANT_WRITE) 1488 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 1489 else 1490 break; 1491 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1492 if (ssl_err == SSL_ERROR_WANT_READ) 1493 PyErr_SetString(PySSLErrorObject, 1494 "The read operation timed out"); 1495 else 1496 PyErr_SetString(PySSLErrorObject, 1497 "The write operation timed out"); 1498 return NULL; 1499 } 1500 else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1501 PyErr_SetString(PySSLErrorObject, 1502 "Underlying socket too large for select()."); 1503 return NULL; 1504 } 1505 else if (sockstate != SOCKET_OPERATION_OK) 1506 /* Retain the SSL error code */ 1507 break; 1508 } 1509 1510 if (err < 0) 1511 return PySSL_SetError(self, err, __FILE__, __LINE__); 1512 else { 1513 Py_INCREF(self->Socket); 1514 return (PyObject *) (self->Socket); 1515 } 1362 1516 } 1363 1517 … … 1369 1523 1370 1524 static PyMethodDef PySSLMethods[] = { 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1525 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS}, 1526 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS, 1527 PySSL_SSLwrite_doc}, 1528 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS, 1529 PySSL_SSLread_doc}, 1530 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS, 1531 PySSL_SSLpending_doc}, 1532 {"server", (PyCFunction)PySSL_server, METH_NOARGS}, 1533 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS}, 1534 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS, 1535 PySSL_peercert_doc}, 1536 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS}, 1537 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS, 1538 PySSL_SSLshutdown_doc}, 1539 {NULL, NULL} 1386 1540 }; 1387 1541 1388 1542 static PyObject *PySSL_getattr(PySSLObject *self, char *name) 1389 1543 { 1390 1544 return Py_FindMethod(PySSLMethods, (PyObject *)self, name); 1391 1545 } 1392 1546 1393 1547 static PyTypeObject PySSL_Type = { 1394 1395 "ssl.SSLContext",/*tp_name*/1396 sizeof(PySSLObject),/*tp_basicsize*/1397 0,/*tp_itemsize*/1398 1399 (destructor)PySSL_dealloc,/*tp_dealloc*/1400 0,/*tp_print*/1401 (getattrfunc)PySSL_getattr,/*tp_getattr*/1402 0,/*tp_setattr*/1403 0,/*tp_compare*/1404 0,/*tp_repr*/1405 0,/*tp_as_number*/1406 0,/*tp_as_sequence*/1407 0,/*tp_as_mapping*/1408 0,/*tp_hash*/1548 PyVarObject_HEAD_INIT(NULL, 0) 1549 "ssl.SSLContext", /*tp_name*/ 1550 sizeof(PySSLObject), /*tp_basicsize*/ 1551 0, /*tp_itemsize*/ 1552 /* methods */ 1553 (destructor)PySSL_dealloc, /*tp_dealloc*/ 1554 0, /*tp_print*/ 1555 (getattrfunc)PySSL_getattr, /*tp_getattr*/ 1556 0, /*tp_setattr*/ 1557 0, /*tp_compare*/ 1558 0, /*tp_repr*/ 1559 0, /*tp_as_number*/ 1560 0, /*tp_as_sequence*/ 1561 0, /*tp_as_mapping*/ 1562 0, /*tp_hash*/ 1409 1563 }; 1410 1564 … … 1420 1574 1421 1575 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy)) 1422 1576 return NULL; 1423 1577 RAND_add(buf, len, entropy); 1424 1578 Py_INCREF(Py_None); … … 1451 1605 1452 1606 if (!PyString_Check(arg)) 1453 1454 1455 1607 return PyErr_Format(PyExc_TypeError, 1608 "RAND_egd() expected string, found %s", 1609 Py_TYPE(arg)->tp_name); 1456 1610 bytes = RAND_egd(PyString_AS_STRING(arg)); 1457 1611 if (bytes == -1) { 1458 1459 1460 1461 1612 PyErr_SetString(PySSLErrorObject, 1613 "EGD connection failed or EGD did not return " 1614 "enough data to seed the PRNG"); 1615 return NULL; 1462 1616 } 1463 1617 return PyInt_FromLong(bytes); … … 1469 1623 Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\ 1470 1624 Returns number of bytes read. Raises SSLError if connection to EGD\n\ 1471 fails or if it does provide enough data to seed PRNG."); 1472 1625 fails or if it does not provide enough data to seed PRNG."); 1626 1627 #endif /* HAVE_OPENSSL_RAND */ 1628 1629 1630 /* List of functions exported by this module. */ 1631 1632 static PyMethodDef PySSL_methods[] = { 1633 {"sslwrap", PySSL_sslwrap, 1634 METH_VARARGS, ssl_doc}, 1635 {"_test_decode_cert", PySSL_test_decode_certificate, 1636 METH_VARARGS}, 1637 #ifdef HAVE_OPENSSL_RAND 1638 {"RAND_add", PySSL_RAND_add, METH_VARARGS, 1639 PySSL_RAND_add_doc}, 1640 {"RAND_egd", PySSL_RAND_egd, METH_O, 1641 PySSL_RAND_egd_doc}, 1642 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, 1643 PySSL_RAND_status_doc}, 1473 1644 #endif 1474 1475 /* List of functions exported by this module. */ 1476 1477 static PyMethodDef PySSL_methods[] = { 1478 {"sslwrap", PySSL_sslwrap, 1479 METH_VARARGS, ssl_doc}, 1480 {"_test_decode_cert", PySSL_test_decode_certificate, 1481 METH_VARARGS}, 1482 #ifdef HAVE_OPENSSL_RAND 1483 {"RAND_add", PySSL_RAND_add, METH_VARARGS, 1484 PySSL_RAND_add_doc}, 1485 {"RAND_egd", PySSL_RAND_egd, METH_O, 1486 PySSL_RAND_egd_doc}, 1487 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, 1488 PySSL_RAND_status_doc}, 1489 #endif 1490 {NULL, NULL} /* Sentinel */ 1645 {NULL, NULL} /* Sentinel */ 1491 1646 }; 1492 1647 … … 1499 1654 static PyThread_type_lock *_ssl_locks = NULL; 1500 1655 1501 static unsigned long _ssl_thread_id_function (void) { 1502 return PyThread_get_thread_ident(); 1503 } 1656 #if OPENSSL_VERSION_NUMBER >= 0x10000000 1657 /* use new CRYPTO_THREADID API. */ 1658 static void 1659 _ssl_threadid_callback(CRYPTO_THREADID *id) 1660 { 1661 CRYPTO_THREADID_set_numeric(id, 1662 (unsigned long)PyThread_get_thread_ident()); 1663 } 1664 #else 1665 /* deprecated CRYPTO_set_id_callback() API. */ 1666 static unsigned long 1667 _ssl_thread_id_function (void) { 1668 return PyThread_get_thread_ident(); 1669 } 1670 #endif 1504 1671 1505 1672 static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) { 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1673 /* this function is needed to perform locking on shared data 1674 structures. (Note that OpenSSL uses a number of global data 1675 structures that will be implicitly shared whenever multiple threads 1676 use OpenSSL.) Multi-threaded applications will crash at random if 1677 it is not set. 1678 1679 locking_function() must be able to handle up to CRYPTO_num_locks() 1680 different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and 1681 releases it otherwise. 1682 1683 file and line are the file number of the function setting the 1684 lock. They can be useful for debugging. 1685 */ 1686 1687 if ((_ssl_locks == NULL) || 1688 (n < 0) || ((unsigned)n >= _ssl_locks_count)) 1689 return; 1690 1691 if (mode & CRYPTO_LOCK) { 1692 PyThread_acquire_lock(_ssl_locks[n], 1); 1693 } else { 1694 PyThread_release_lock(_ssl_locks[n]); 1695 } 1529 1696 } 1530 1697 1531 1698 static int _setup_ssl_threads(void) { 1532 1699 1533 unsigned int i; 1534 1535 if (_ssl_locks == NULL) { 1536 _ssl_locks_count = CRYPTO_num_locks(); 1537 _ssl_locks = (PyThread_type_lock *) 1538 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); 1539 if (_ssl_locks == NULL) 1540 return 0; 1541 memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count); 1542 for (i = 0; i < _ssl_locks_count; i++) { 1543 _ssl_locks[i] = PyThread_allocate_lock(); 1544 if (_ssl_locks[i] == NULL) { 1545 unsigned int j; 1546 for (j = 0; j < i; j++) { 1547 PyThread_free_lock(_ssl_locks[j]); 1548 } 1549 free(_ssl_locks); 1550 return 0; 1551 } 1552 } 1553 CRYPTO_set_locking_callback(_ssl_thread_locking_function); 1554 CRYPTO_set_id_callback(_ssl_thread_id_function); 1555 } 1556 return 1; 1557 } 1558 1559 #endif /* def HAVE_THREAD */ 1700 unsigned int i; 1701 1702 if (_ssl_locks == NULL) { 1703 _ssl_locks_count = CRYPTO_num_locks(); 1704 _ssl_locks = (PyThread_type_lock *) 1705 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); 1706 if (_ssl_locks == NULL) 1707 return 0; 1708 memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count); 1709 for (i = 0; i < _ssl_locks_count; i++) { 1710 _ssl_locks[i] = PyThread_allocate_lock(); 1711 if (_ssl_locks[i] == NULL) { 1712 unsigned int j; 1713 for (j = 0; j < i; j++) { 1714 PyThread_free_lock(_ssl_locks[j]); 1715 } 1716 free(_ssl_locks); 1717 return 0; 1718 } 1719 } 1720 CRYPTO_set_locking_callback(_ssl_thread_locking_function); 1721 #if OPENSSL_VERSION_NUMBER >= 0x10000000 1722 CRYPTO_THREADID_set_callback(_ssl_threadid_callback); 1723 #else 1724 CRYPTO_set_id_callback(_ssl_thread_id_function); 1725 #endif 1726 } 1727 return 1; 1728 } 1729 1730 #endif /* def HAVE_THREAD */ 1560 1731 1561 1732 PyDoc_STRVAR(module_doc, … … 1566 1737 init_ssl(void) 1567 1738 { 1568 PyObject *m, *d; 1569 1570 Py_TYPE(&PySSL_Type) = &PyType_Type; 1571 1572 m = Py_InitModule3("_ssl", PySSL_methods, module_doc); 1573 if (m == NULL) 1574 return; 1575 d = PyModule_GetDict(m); 1576 1577 /* Load _socket module and its C API */ 1578 if (PySocketModule_ImportModuleAndAPI()) 1579 return; 1580 1581 /* Init OpenSSL */ 1582 SSL_load_error_strings(); 1739 PyObject *m, *d, *r; 1740 unsigned long libver; 1741 unsigned int major, minor, fix, patch, status; 1742 1743 Py_TYPE(&PySSL_Type) = &PyType_Type; 1744 1745 m = Py_InitModule3("_ssl", PySSL_methods, module_doc); 1746 if (m == NULL) 1747 return; 1748 d = PyModule_GetDict(m); 1749 1750 /* Load _socket module and its C API */ 1751 if (PySocketModule_ImportModuleAndAPI()) 1752 return; 1753 1754 /* Init OpenSSL */ 1755 SSL_load_error_strings(); 1756 SSL_library_init(); 1583 1757 #ifdef WITH_THREAD 1584 1585 1586 1587 1758 /* note that this will start threading if not already started */ 1759 if (!_setup_ssl_threads()) { 1760 return; 1761 } 1588 1762 #endif 1589 SSLeay_add_ssl_algorithms(); 1590 1591 /* Add symbols to module dict */ 1592 PySSLErrorObject = PyErr_NewException("ssl.SSLError", 1593 PySocketModule.error, 1594 NULL); 1595 if (PySSLErrorObject == NULL) 1596 return; 1597 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0) 1598 return; 1599 if (PyDict_SetItemString(d, "SSLType", 1600 (PyObject *)&PySSL_Type) != 0) 1601 return; 1602 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN", 1603 PY_SSL_ERROR_ZERO_RETURN); 1604 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ", 1605 PY_SSL_ERROR_WANT_READ); 1606 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE", 1607 PY_SSL_ERROR_WANT_WRITE); 1608 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP", 1609 PY_SSL_ERROR_WANT_X509_LOOKUP); 1610 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL", 1611 PY_SSL_ERROR_SYSCALL); 1612 PyModule_AddIntConstant(m, "SSL_ERROR_SSL", 1613 PY_SSL_ERROR_SSL); 1614 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT", 1615 PY_SSL_ERROR_WANT_CONNECT); 1616 /* non ssl.h errorcodes */ 1617 PyModule_AddIntConstant(m, "SSL_ERROR_EOF", 1618 PY_SSL_ERROR_EOF); 1619 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", 1620 PY_SSL_ERROR_INVALID_ERROR_CODE); 1621 /* cert requirements */ 1622 PyModule_AddIntConstant(m, "CERT_NONE", 1623 PY_SSL_CERT_NONE); 1624 PyModule_AddIntConstant(m, "CERT_OPTIONAL", 1625 PY_SSL_CERT_OPTIONAL); 1626 PyModule_AddIntConstant(m, "CERT_REQUIRED", 1627 PY_SSL_CERT_REQUIRED); 1628 1629 /* protocol versions */ 1630 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", 1631 PY_SSL_VERSION_SSL2); 1632 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", 1633 PY_SSL_VERSION_SSL3); 1634 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", 1635 PY_SSL_VERSION_SSL23); 1636 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", 1637 PY_SSL_VERSION_TLS1); 1638 } 1763 OpenSSL_add_all_algorithms(); 1764 1765 /* Add symbols to module dict */ 1766 PySSLErrorObject = PyErr_NewException("ssl.SSLError", 1767 PySocketModule.error, 1768 NULL); 1769 if (PySSLErrorObject == NULL) 1770 return; 1771 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0) 1772 return; 1773 if (PyDict_SetItemString(d, "SSLType", 1774 (PyObject *)&PySSL_Type) != 0) 1775 return; 1776 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN", 1777 PY_SSL_ERROR_ZERO_RETURN); 1778 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ", 1779 PY_SSL_ERROR_WANT_READ); 1780 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE", 1781 PY_SSL_ERROR_WANT_WRITE); 1782 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP", 1783 PY_SSL_ERROR_WANT_X509_LOOKUP); 1784 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL", 1785 PY_SSL_ERROR_SYSCALL); 1786 PyModule_AddIntConstant(m, "SSL_ERROR_SSL", 1787 PY_SSL_ERROR_SSL); 1788 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT", 1789 PY_SSL_ERROR_WANT_CONNECT); 1790 /* non ssl.h errorcodes */ 1791 PyModule_AddIntConstant(m, "SSL_ERROR_EOF", 1792 PY_SSL_ERROR_EOF); 1793 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", 1794 PY_SSL_ERROR_INVALID_ERROR_CODE); 1795 /* cert requirements */ 1796 PyModule_AddIntConstant(m, "CERT_NONE", 1797 PY_SSL_CERT_NONE); 1798 PyModule_AddIntConstant(m, "CERT_OPTIONAL", 1799 PY_SSL_CERT_OPTIONAL); 1800 PyModule_AddIntConstant(m, "CERT_REQUIRED", 1801 PY_SSL_CERT_REQUIRED); 1802 1803 /* protocol versions */ 1804 #ifndef OPENSSL_NO_SSL2 1805 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", 1806 PY_SSL_VERSION_SSL2); 1807 #endif 1808 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", 1809 PY_SSL_VERSION_SSL3); 1810 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", 1811 PY_SSL_VERSION_SSL23); 1812 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", 1813 PY_SSL_VERSION_TLS1); 1814 1815 /* OpenSSL version */ 1816 /* SSLeay() gives us the version of the library linked against, 1817 which could be different from the headers version. 1818 */ 1819 libver = SSLeay(); 1820 r = PyLong_FromUnsignedLong(libver); 1821 if (r == NULL) 1822 return; 1823 if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r)) 1824 return; 1825 status = libver & 0xF; 1826 libver >>= 4; 1827 patch = libver & 0xFF; 1828 libver >>= 8; 1829 fix = libver & 0xFF; 1830 libver >>= 8; 1831 minor = libver & 0xFF; 1832 libver >>= 8; 1833 major = libver & 0xFF; 1834 r = Py_BuildValue("IIIII", major, minor, fix, patch, status); 1835 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r)) 1836 return; 1837 r = PyString_FromString(SSLeay_version(SSLEAY_VERSION)); 1838 if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r)) 1839 return; 1840 1841 }
Note:
See TracChangeset
for help on using the changeset viewer.
