/Modules/_ssl.c
C | 1638 lines | 1305 code | 208 blank | 125 comment | 341 complexity | 2912a1f48f5be2acd5ce6f3d16f6b558 MD5 | raw file
1/* SSL socket module 2 3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs. 4 Re-worked a bit by Bill Janssen to add server-side support and 5 certificate decoding. Chris Stawarz contributed some non-blocking 6 patches. 7 8 This module is imported by ssl.py. It should *not* be used 9 directly. 10 11 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE? 12 13 XXX what about SSL_MODE_AUTO_RETRY? 14*/ 15 16#include "Python.h" 17 18#ifdef WITH_THREAD 19#include "pythread.h" 20#define PySSL_BEGIN_ALLOW_THREADS { \ 21 PyThreadState *_save = NULL; \ 22 if (_ssl_locks_count>0) {_save = PyEval_SaveThread();} 23#define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)}; 24#define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()}; 25#define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \ 26 } 27 28#else /* no WITH_THREAD */ 29 30#define PySSL_BEGIN_ALLOW_THREADS 31#define PySSL_BLOCK_THREADS 32#define PySSL_UNBLOCK_THREADS 33#define PySSL_END_ALLOW_THREADS 34 35#endif 36 37enum py_ssl_error { 38 /* these mirror ssl.h */ 39 PY_SSL_ERROR_NONE, 40 PY_SSL_ERROR_SSL, 41 PY_SSL_ERROR_WANT_READ, 42 PY_SSL_ERROR_WANT_WRITE, 43 PY_SSL_ERROR_WANT_X509_LOOKUP, 44 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */ 45 PY_SSL_ERROR_ZERO_RETURN, 46 PY_SSL_ERROR_WANT_CONNECT, 47 /* start of non ssl.h errorcodes */ 48 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */ 49 PY_SSL_ERROR_INVALID_ERROR_CODE 50}; 51 52enum py_ssl_server_or_client { 53 PY_SSL_CLIENT, 54 PY_SSL_SERVER 55}; 56 57enum py_ssl_cert_requirements { 58 PY_SSL_CERT_NONE, 59 PY_SSL_CERT_OPTIONAL, 60 PY_SSL_CERT_REQUIRED 61}; 62 63enum py_ssl_version { 64 PY_SSL_VERSION_SSL2, 65 PY_SSL_VERSION_SSL3, 66 PY_SSL_VERSION_SSL23, 67 PY_SSL_VERSION_TLS1, 68}; 69 70/* Include symbols from _socket module */ 71#include "socketmodule.h" 72 73#if defined(HAVE_POLL_H) 74#include <poll.h> 75#elif defined(HAVE_SYS_POLL_H) 76#include <sys/poll.h> 77#endif 78 79/* Include OpenSSL header files */ 80#include "openssl/rsa.h" 81#include "openssl/crypto.h" 82#include "openssl/x509.h" 83#include "openssl/x509v3.h" 84#include "openssl/pem.h" 85#include "openssl/ssl.h" 86#include "openssl/err.h" 87#include "openssl/rand.h" 88 89/* SSL error object */ 90static PyObject *PySSLErrorObject; 91 92#ifdef WITH_THREAD 93 94/* serves as a flag to see whether we've initialized the SSL thread support. */ 95/* 0 means no, greater than 0 means yes */ 96 97static unsigned int _ssl_locks_count = 0; 98 99#endif /* def WITH_THREAD */ 100 101/* SSL socket object */ 102 103#define X509_NAME_MAXLEN 256 104 105/* RAND_* APIs got added to OpenSSL in 0.9.5 */ 106#if OPENSSL_VERSION_NUMBER >= 0x0090500fL 107# define HAVE_OPENSSL_RAND 1 108#else 109# undef HAVE_OPENSSL_RAND 110#endif 111 112typedef struct { 113 PyObject_HEAD 114 PySocketSockObject *Socket; /* Socket on which we're layered */ 115 SSL_CTX* ctx; 116 SSL* ssl; 117 X509* peer_cert; 118 char server[X509_NAME_MAXLEN]; 119 char issuer[X509_NAME_MAXLEN]; 120 121} PySSLObject; 122 123static PyTypeObject PySSL_Type; 124static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args); 125static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args); 126static int check_socket_and_wait_for_timeout(PySocketSockObject *s, 127 int writing); 128static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args); 129static PyObject *PySSL_cipher(PySSLObject *self); 130 131#define PySSLObject_Check(v) (Py_TYPE(v) == &PySSL_Type) 132 133typedef enum { 134 SOCKET_IS_NONBLOCKING, 135 SOCKET_IS_BLOCKING, 136 SOCKET_HAS_TIMED_OUT, 137 SOCKET_HAS_BEEN_CLOSED, 138 SOCKET_TOO_LARGE_FOR_SELECT, 139 SOCKET_OPERATION_OK 140} timeout_state; 141 142/* Wrap error strings with filename and line # */ 143#define STRINGIFY1(x) #x 144#define STRINGIFY2(x) STRINGIFY1(x) 145#define ERRSTR1(x,y,z) (x ":" y ": " z) 146#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x) 147 148/* XXX It might be helpful to augment the error message generated 149 below with the name of the SSL function that generated the error. 150 I expect it's obvious most of the time. 151*/ 152 153static PyObject * 154PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno) 155{ 156 PyObject *v; 157 char buf[2048]; 158 char *errstr; 159 int err; 160 enum py_ssl_error p = PY_SSL_ERROR_NONE; 161 162 assert(ret <= 0); 163 164 if (obj->ssl != NULL) { 165 err = SSL_get_error(obj->ssl, ret); 166 167 switch (err) { 168 case SSL_ERROR_ZERO_RETURN: 169 errstr = "TLS/SSL connection has been closed"; 170 p = PY_SSL_ERROR_ZERO_RETURN; 171 break; 172 case SSL_ERROR_WANT_READ: 173 errstr = "The operation did not complete (read)"; 174 p = PY_SSL_ERROR_WANT_READ; 175 break; 176 case SSL_ERROR_WANT_WRITE: 177 p = PY_SSL_ERROR_WANT_WRITE; 178 errstr = "The operation did not complete (write)"; 179 break; 180 case SSL_ERROR_WANT_X509_LOOKUP: 181 p = PY_SSL_ERROR_WANT_X509_LOOKUP; 182 errstr = 183 "The operation did not complete (X509 lookup)"; 184 break; 185 case SSL_ERROR_WANT_CONNECT: 186 p = PY_SSL_ERROR_WANT_CONNECT; 187 errstr = "The operation did not complete (connect)"; 188 break; 189 case SSL_ERROR_SYSCALL: 190 { 191 unsigned long e = ERR_get_error(); 192 if (e == 0) { 193 if (ret == 0 || !obj->Socket) { 194 p = PY_SSL_ERROR_EOF; 195 errstr = 196 "EOF occurred in violation of protocol"; 197 } else if (ret == -1) { 198 /* underlying BIO reported an I/O error */ 199 return obj->Socket->errorhandler(); 200 } else { /* possible? */ 201 p = PY_SSL_ERROR_SYSCALL; 202 errstr = "Some I/O error occurred"; 203 } 204 } else { 205 p = PY_SSL_ERROR_SYSCALL; 206 /* XXX Protected by global interpreter lock */ 207 errstr = ERR_error_string(e, NULL); 208 } 209 break; 210 } 211 case SSL_ERROR_SSL: 212 { 213 unsigned long e = ERR_get_error(); 214 p = PY_SSL_ERROR_SSL; 215 if (e != 0) 216 /* XXX Protected by global interpreter lock */ 217 errstr = ERR_error_string(e, NULL); 218 else { /* possible? */ 219 errstr = 220 "A failure in the SSL library occurred"; 221 } 222 break; 223 } 224 default: 225 p = PY_SSL_ERROR_INVALID_ERROR_CODE; 226 errstr = "Invalid error code"; 227 } 228 } else { 229 errstr = ERR_error_string(ERR_peek_last_error(), NULL); 230 } 231 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); 232 v = Py_BuildValue("(is)", p, buf); 233 if (v != NULL) { 234 PyErr_SetObject(PySSLErrorObject, v); 235 Py_DECREF(v); 236 } 237 return NULL; 238} 239 240static PyObject * 241_setSSLError (char *errstr, int errcode, char *filename, int lineno) { 242 243 char buf[2048]; 244 PyObject *v; 245 246 if (errstr == NULL) { 247 errcode = ERR_peek_last_error(); 248 errstr = ERR_error_string(errcode, NULL); 249 } 250 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); 251 v = Py_BuildValue("(is)", errcode, buf); 252 if (v != NULL) { 253 PyErr_SetObject(PySSLErrorObject, v); 254 Py_DECREF(v); 255 } 256 return NULL; 257} 258 259static PySSLObject * 260newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, 261 enum py_ssl_server_or_client socket_type, 262 enum py_ssl_cert_requirements certreq, 263 enum py_ssl_version proto_version, 264 char *cacerts_file) 265{ 266 PySSLObject *self; 267 char *errstr = NULL; 268 int ret; 269 int verification_mode; 270 271 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ 272 if (self == NULL) 273 return NULL; 274 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN); 275 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN); 276 self->peer_cert = NULL; 277 self->ssl = NULL; 278 self->ctx = NULL; 279 self->Socket = NULL; 280 281 /* Make sure the SSL error state is initialized */ 282 (void) ERR_get_state(); 283 ERR_clear_error(); 284 285 if ((key_file && !cert_file) || (!key_file && cert_file)) { 286 errstr = ERRSTR("Both the key & certificate files " 287 "must be specified"); 288 goto fail; 289 } 290 291 if ((socket_type == PY_SSL_SERVER) && 292 ((key_file == NULL) || (cert_file == NULL))) { 293 errstr = ERRSTR("Both the key & certificate files " 294 "must be specified for server-side operation"); 295 goto fail; 296 } 297 298 PySSL_BEGIN_ALLOW_THREADS 299 if (proto_version == PY_SSL_VERSION_TLS1) 300 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */ 301 else if (proto_version == PY_SSL_VERSION_SSL3) 302 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */ 303 else if (proto_version == PY_SSL_VERSION_SSL2) 304 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */ 305 else if (proto_version == PY_SSL_VERSION_SSL23) 306 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ 307 PySSL_END_ALLOW_THREADS 308 309 if (self->ctx == NULL) { 310 errstr = ERRSTR("Invalid SSL protocol variant specified."); 311 goto fail; 312 } 313 314 if (certreq != PY_SSL_CERT_NONE) { 315 if (cacerts_file == NULL) { 316 errstr = ERRSTR("No root certificates specified for " 317 "verification of other-side certificates."); 318 goto fail; 319 } else { 320 PySSL_BEGIN_ALLOW_THREADS 321 ret = SSL_CTX_load_verify_locations(self->ctx, 322 cacerts_file, 323 NULL); 324 PySSL_END_ALLOW_THREADS 325 if (ret != 1) { 326 _setSSLError(NULL, 0, __FILE__, __LINE__); 327 goto fail; 328 } 329 } 330 } 331 if (key_file) { 332 PySSL_BEGIN_ALLOW_THREADS 333 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file, 334 SSL_FILETYPE_PEM); 335 PySSL_END_ALLOW_THREADS 336 if (ret != 1) { 337 _setSSLError(NULL, ret, __FILE__, __LINE__); 338 goto fail; 339 } 340 341 PySSL_BEGIN_ALLOW_THREADS 342 ret = SSL_CTX_use_certificate_chain_file(self->ctx, 343 cert_file); 344 PySSL_END_ALLOW_THREADS 345 if (ret != 1) { 346 /* 347 fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n", 348 ret, ERR_peek_error(), ERR_peek_last_error(), cert_file); 349 */ 350 if (ERR_peek_last_error() != 0) { 351 _setSSLError(NULL, ret, __FILE__, __LINE__); 352 goto fail; 353 } 354 } 355 } 356 357 /* ssl compatibility */ 358 SSL_CTX_set_options(self->ctx, SSL_OP_ALL); 359 360 verification_mode = SSL_VERIFY_NONE; 361 if (certreq == PY_SSL_CERT_OPTIONAL) 362 verification_mode = SSL_VERIFY_PEER; 363 else if (certreq == PY_SSL_CERT_REQUIRED) 364 verification_mode = (SSL_VERIFY_PEER | 365 SSL_VERIFY_FAIL_IF_NO_PEER_CERT); 366 SSL_CTX_set_verify(self->ctx, verification_mode, 367 NULL); /* set verify lvl */ 368 369 PySSL_BEGIN_ALLOW_THREADS 370 self->ssl = SSL_new(self->ctx); /* New ssl struct */ 371 PySSL_END_ALLOW_THREADS 372 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ 373 374 /* If the socket is in non-blocking mode or timeout mode, set the BIO 375 * to non-blocking mode (blocking is the default) 376 */ 377 if (Sock->sock_timeout >= 0.0) { 378 /* Set both the read and write BIO's to non-blocking mode */ 379 BIO_set_nbio(SSL_get_rbio(self->ssl), 1); 380 BIO_set_nbio(SSL_get_wbio(self->ssl), 1); 381 } 382 383 PySSL_BEGIN_ALLOW_THREADS 384 if (socket_type == PY_SSL_CLIENT) 385 SSL_set_connect_state(self->ssl); 386 else 387 SSL_set_accept_state(self->ssl); 388 PySSL_END_ALLOW_THREADS 389 390 self->Socket = Sock; 391 Py_INCREF(self->Socket); 392 return self; 393 fail: 394 if (errstr) 395 PyErr_SetString(PySSLErrorObject, errstr); 396 Py_DECREF(self); 397 return NULL; 398} 399 400static PyObject * 401PySSL_sslwrap(PyObject *self, PyObject *args) 402{ 403 PySocketSockObject *Sock; 404 int server_side = 0; 405 int verification_mode = PY_SSL_CERT_NONE; 406 int protocol = PY_SSL_VERSION_SSL23; 407 char *key_file = NULL; 408 char *cert_file = NULL; 409 char *cacerts_file = NULL; 410 411 if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap", 412 PySocketModule.Sock_Type, 413 &Sock, 414 &server_side, 415 &key_file, &cert_file, 416 &verification_mode, &protocol, 417 &cacerts_file)) 418 return NULL; 419 420 /* 421 fprintf(stderr, 422 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, " 423 "protocol %d, certs %p\n", 424 server_side, key_file, cert_file, verification_mode, 425 protocol, cacerts_file); 426 */ 427 428 return (PyObject *) newPySSLObject(Sock, key_file, cert_file, 429 server_side, verification_mode, 430 protocol, cacerts_file); 431} 432 433PyDoc_STRVAR(ssl_doc, 434"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n" 435" cacertsfile]) -> sslobject"); 436 437/* SSL object methods */ 438 439static PyObject *PySSL_SSLdo_handshake(PySSLObject *self) 440{ 441 int ret; 442 int err; 443 int sockstate; 444 445 /* Actually negotiate SSL connection */ 446 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */ 447 sockstate = 0; 448 do { 449 PySSL_BEGIN_ALLOW_THREADS 450 ret = SSL_do_handshake(self->ssl); 451 err = SSL_get_error(self->ssl, ret); 452 PySSL_END_ALLOW_THREADS 453 if(PyErr_CheckSignals()) { 454 return NULL; 455 } 456 if (err == SSL_ERROR_WANT_READ) { 457 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 458 } else if (err == SSL_ERROR_WANT_WRITE) { 459 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 460 } else { 461 sockstate = SOCKET_OPERATION_OK; 462 } 463 if (sockstate == SOCKET_HAS_TIMED_OUT) { 464 PyErr_SetString(PySSLErrorObject, 465 ERRSTR("The handshake operation timed out")); 466 return NULL; 467 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 468 PyErr_SetString(PySSLErrorObject, 469 ERRSTR("Underlying socket has been closed.")); 470 return NULL; 471 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 472 PyErr_SetString(PySSLErrorObject, 473 ERRSTR("Underlying socket too large for select().")); 474 return NULL; 475 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 476 break; 477 } 478 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 479 if (ret < 1) 480 return PySSL_SetError(self, ret, __FILE__, __LINE__); 481 self->ssl->debug = 1; 482 483 if (self->peer_cert) 484 X509_free (self->peer_cert); 485 PySSL_BEGIN_ALLOW_THREADS 486 if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) { 487 X509_NAME_oneline(X509_get_subject_name(self->peer_cert), 488 self->server, X509_NAME_MAXLEN); 489 X509_NAME_oneline(X509_get_issuer_name(self->peer_cert), 490 self->issuer, X509_NAME_MAXLEN); 491 } 492 PySSL_END_ALLOW_THREADS 493 494 Py_INCREF(Py_None); 495 return Py_None; 496} 497 498static PyObject * 499PySSL_server(PySSLObject *self) 500{ 501 return PyString_FromString(self->server); 502} 503 504static PyObject * 505PySSL_issuer(PySSLObject *self) 506{ 507 return PyString_FromString(self->issuer); 508} 509 510static PyObject * 511_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) { 512 513 char namebuf[X509_NAME_MAXLEN]; 514 int buflen; 515 PyObject *name_obj; 516 PyObject *value_obj; 517 PyObject *attr; 518 unsigned char *valuebuf = NULL; 519 520 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0); 521 if (buflen < 0) { 522 _setSSLError(NULL, 0, __FILE__, __LINE__); 523 goto fail; 524 } 525 name_obj = PyString_FromStringAndSize(namebuf, buflen); 526 if (name_obj == NULL) 527 goto fail; 528 529 buflen = ASN1_STRING_to_UTF8(&valuebuf, value); 530 if (buflen < 0) { 531 _setSSLError(NULL, 0, __FILE__, __LINE__); 532 Py_DECREF(name_obj); 533 goto fail; 534 } 535 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf, 536 buflen, "strict"); 537 OPENSSL_free(valuebuf); 538 if (value_obj == NULL) { 539 Py_DECREF(name_obj); 540 goto fail; 541 } 542 attr = PyTuple_New(2); 543 if (attr == NULL) { 544 Py_DECREF(name_obj); 545 Py_DECREF(value_obj); 546 goto fail; 547 } 548 PyTuple_SET_ITEM(attr, 0, name_obj); 549 PyTuple_SET_ITEM(attr, 1, value_obj); 550 return attr; 551 552 fail: 553 return NULL; 554} 555 556static PyObject * 557_create_tuple_for_X509_NAME (X509_NAME *xname) 558{ 559 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */ 560 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */ 561 PyObject *rdnt; 562 PyObject *attr = NULL; /* tuple to hold an attribute */ 563 int entry_count = X509_NAME_entry_count(xname); 564 X509_NAME_ENTRY *entry; 565 ASN1_OBJECT *name; 566 ASN1_STRING *value; 567 int index_counter; 568 int rdn_level = -1; 569 int retcode; 570 571 dn = PyList_New(0); 572 if (dn == NULL) 573 return NULL; 574 /* now create another tuple to hold the top-level RDN */ 575 rdn = PyList_New(0); 576 if (rdn == NULL) 577 goto fail0; 578 579 for (index_counter = 0; 580 index_counter < entry_count; 581 index_counter++) 582 { 583 entry = X509_NAME_get_entry(xname, index_counter); 584 585 /* check to see if we've gotten to a new RDN */ 586 if (rdn_level >= 0) { 587 if (rdn_level != entry->set) { 588 /* yes, new RDN */ 589 /* add old RDN to DN */ 590 rdnt = PyList_AsTuple(rdn); 591 Py_DECREF(rdn); 592 if (rdnt == NULL) 593 goto fail0; 594 retcode = PyList_Append(dn, rdnt); 595 Py_DECREF(rdnt); 596 if (retcode < 0) 597 goto fail0; 598 /* create new RDN */ 599 rdn = PyList_New(0); 600 if (rdn == NULL) 601 goto fail0; 602 } 603 } 604 rdn_level = entry->set; 605 606 /* now add this attribute to the current RDN */ 607 name = X509_NAME_ENTRY_get_object(entry); 608 value = X509_NAME_ENTRY_get_data(entry); 609 attr = _create_tuple_for_attribute(name, value); 610 /* 611 fprintf(stderr, "RDN level %d, attribute %s: %s\n", 612 entry->set, 613 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)), 614 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1))); 615 */ 616 if (attr == NULL) 617 goto fail1; 618 retcode = PyList_Append(rdn, attr); 619 Py_DECREF(attr); 620 if (retcode < 0) 621 goto fail1; 622 } 623 /* now, there's typically a dangling RDN */ 624 if ((rdn != NULL) && (PyList_Size(rdn) > 0)) { 625 rdnt = PyList_AsTuple(rdn); 626 Py_DECREF(rdn); 627 if (rdnt == NULL) 628 goto fail0; 629 retcode = PyList_Append(dn, rdnt); 630 Py_DECREF(rdnt); 631 if (retcode < 0) 632 goto fail0; 633 } 634 635 /* convert list to tuple */ 636 rdnt = PyList_AsTuple(dn); 637 Py_DECREF(dn); 638 if (rdnt == NULL) 639 return NULL; 640 return rdnt; 641 642 fail1: 643 Py_XDECREF(rdn); 644 645 fail0: 646 Py_XDECREF(dn); 647 return NULL; 648} 649 650static PyObject * 651_get_peer_alt_names (X509 *certificate) { 652 653 /* this code follows the procedure outlined in 654 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print() 655 function to extract the STACK_OF(GENERAL_NAME), 656 then iterates through the stack to add the 657 names. */ 658 659 int i, j; 660 PyObject *peer_alt_names = Py_None; 661 PyObject *v, *t; 662 X509_EXTENSION *ext = NULL; 663 GENERAL_NAMES *names = NULL; 664 GENERAL_NAME *name; 665 X509V3_EXT_METHOD *method; 666 BIO *biobuf = NULL; 667 char buf[2048]; 668 char *vptr; 669 int len; 670 const unsigned char *p; 671 672 if (certificate == NULL) 673 return peer_alt_names; 674 675 /* get a memory buffer */ 676 biobuf = BIO_new(BIO_s_mem()); 677 678 i = 0; 679 while ((i = X509_get_ext_by_NID( 680 certificate, NID_subject_alt_name, i)) >= 0) { 681 682 if (peer_alt_names == Py_None) { 683 peer_alt_names = PyList_New(0); 684 if (peer_alt_names == NULL) 685 goto fail; 686 } 687 688 /* now decode the altName */ 689 ext = X509_get_ext(certificate, i); 690 if(!(method = X509V3_EXT_get(ext))) { 691 PyErr_SetString(PySSLErrorObject, 692 ERRSTR("No method for internalizing subjectAltName!")); 693 goto fail; 694 } 695 696 p = ext->value->data; 697 if (method->it) 698 names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, 699 &p, 700 ext->value->length, 701 ASN1_ITEM_ptr(method->it))); 702 else 703 names = (GENERAL_NAMES*) (method->d2i(NULL, 704 &p, 705 ext->value->length)); 706 707 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { 708 709 /* get a rendering of each name in the set of names */ 710 711 name = sk_GENERAL_NAME_value(names, j); 712 if (name->type == GEN_DIRNAME) { 713 714 /* we special-case DirName as a tuple of tuples of attributes */ 715 716 t = PyTuple_New(2); 717 if (t == NULL) { 718 goto fail; 719 } 720 721 v = PyString_FromString("DirName"); 722 if (v == NULL) { 723 Py_DECREF(t); 724 goto fail; 725 } 726 PyTuple_SET_ITEM(t, 0, v); 727 728 v = _create_tuple_for_X509_NAME (name->d.dirn); 729 if (v == NULL) { 730 Py_DECREF(t); 731 goto fail; 732 } 733 PyTuple_SET_ITEM(t, 1, v); 734 735 } else { 736 737 /* for everything else, we use the OpenSSL print form */ 738 739 (void) BIO_reset(biobuf); 740 GENERAL_NAME_print(biobuf, name); 741 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 742 if (len < 0) { 743 _setSSLError(NULL, 0, __FILE__, __LINE__); 744 goto fail; 745 } 746 vptr = strchr(buf, ':'); 747 if (vptr == NULL) 748 goto fail; 749 t = PyTuple_New(2); 750 if (t == NULL) 751 goto fail; 752 v = PyString_FromStringAndSize(buf, (vptr - buf)); 753 if (v == NULL) { 754 Py_DECREF(t); 755 goto fail; 756 } 757 PyTuple_SET_ITEM(t, 0, v); 758 v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1))); 759 if (v == NULL) { 760 Py_DECREF(t); 761 goto fail; 762 } 763 PyTuple_SET_ITEM(t, 1, v); 764 } 765 766 /* and add that rendering to the list */ 767 768 if (PyList_Append(peer_alt_names, t) < 0) { 769 Py_DECREF(t); 770 goto fail; 771 } 772 Py_DECREF(t); 773 } 774 } 775 BIO_free(biobuf); 776 if (peer_alt_names != Py_None) { 777 v = PyList_AsTuple(peer_alt_names); 778 Py_DECREF(peer_alt_names); 779 return v; 780 } else { 781 return peer_alt_names; 782 } 783 784 785 fail: 786 if (biobuf != NULL) 787 BIO_free(biobuf); 788 789 if (peer_alt_names != Py_None) { 790 Py_XDECREF(peer_alt_names); 791 } 792 793 return NULL; 794} 795 796static PyObject * 797_decode_certificate (X509 *certificate, int verbose) { 798 799 PyObject *retval = NULL; 800 BIO *biobuf = NULL; 801 PyObject *peer; 802 PyObject *peer_alt_names = NULL; 803 PyObject *issuer; 804 PyObject *version; 805 PyObject *sn_obj; 806 ASN1_INTEGER *serialNumber; 807 char buf[2048]; 808 int len; 809 ASN1_TIME *notBefore, *notAfter; 810 PyObject *pnotBefore, *pnotAfter; 811 812 retval = PyDict_New(); 813 if (retval == NULL) 814 return NULL; 815 816 peer = _create_tuple_for_X509_NAME( 817 X509_get_subject_name(certificate)); 818 if (peer == NULL) 819 goto fail0; 820 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) { 821 Py_DECREF(peer); 822 goto fail0; 823 } 824 Py_DECREF(peer); 825 826 if (verbose) { 827 issuer = _create_tuple_for_X509_NAME( 828 X509_get_issuer_name(certificate)); 829 if (issuer == NULL) 830 goto fail0; 831 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) { 832 Py_DECREF(issuer); 833 goto fail0; 834 } 835 Py_DECREF(issuer); 836 837 version = PyInt_FromLong(X509_get_version(certificate) + 1); 838 if (PyDict_SetItemString(retval, "version", version) < 0) { 839 Py_DECREF(version); 840 goto fail0; 841 } 842 Py_DECREF(version); 843 } 844 845 /* get a memory buffer */ 846 biobuf = BIO_new(BIO_s_mem()); 847 848 if (verbose) { 849 850 (void) BIO_reset(biobuf); 851 serialNumber = X509_get_serialNumber(certificate); 852 /* should not exceed 20 octets, 160 bits, so buf is big enough */ 853 i2a_ASN1_INTEGER(biobuf, serialNumber); 854 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 855 if (len < 0) { 856 _setSSLError(NULL, 0, __FILE__, __LINE__); 857 goto fail1; 858 } 859 sn_obj = PyString_FromStringAndSize(buf, len); 860 if (sn_obj == NULL) 861 goto fail1; 862 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) { 863 Py_DECREF(sn_obj); 864 goto fail1; 865 } 866 Py_DECREF(sn_obj); 867 868 (void) BIO_reset(biobuf); 869 notBefore = X509_get_notBefore(certificate); 870 ASN1_TIME_print(biobuf, notBefore); 871 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 872 if (len < 0) { 873 _setSSLError(NULL, 0, __FILE__, __LINE__); 874 goto fail1; 875 } 876 pnotBefore = PyString_FromStringAndSize(buf, len); 877 if (pnotBefore == NULL) 878 goto fail1; 879 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) { 880 Py_DECREF(pnotBefore); 881 goto fail1; 882 } 883 Py_DECREF(pnotBefore); 884 } 885 886 (void) BIO_reset(biobuf); 887 notAfter = X509_get_notAfter(certificate); 888 ASN1_TIME_print(biobuf, notAfter); 889 len = BIO_gets(biobuf, buf, sizeof(buf)-1); 890 if (len < 0) { 891 _setSSLError(NULL, 0, __FILE__, __LINE__); 892 goto fail1; 893 } 894 pnotAfter = PyString_FromStringAndSize(buf, len); 895 if (pnotAfter == NULL) 896 goto fail1; 897 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) { 898 Py_DECREF(pnotAfter); 899 goto fail1; 900 } 901 Py_DECREF(pnotAfter); 902 903 /* Now look for subjectAltName */ 904 905 peer_alt_names = _get_peer_alt_names(certificate); 906 if (peer_alt_names == NULL) 907 goto fail1; 908 else if (peer_alt_names != Py_None) { 909 if (PyDict_SetItemString(retval, "subjectAltName", 910 peer_alt_names) < 0) { 911 Py_DECREF(peer_alt_names); 912 goto fail1; 913 } 914 Py_DECREF(peer_alt_names); 915 } 916 917 BIO_free(biobuf); 918 return retval; 919 920 fail1: 921 if (biobuf != NULL) 922 BIO_free(biobuf); 923 fail0: 924 Py_XDECREF(retval); 925 return NULL; 926} 927 928 929static PyObject * 930PySSL_test_decode_certificate (PyObject *mod, PyObject *args) { 931 932 PyObject *retval = NULL; 933 char *filename = NULL; 934 X509 *x=NULL; 935 BIO *cert; 936 int verbose = 1; 937 938 if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose)) 939 return NULL; 940 941 if ((cert=BIO_new(BIO_s_file())) == NULL) { 942 PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file"); 943 goto fail0; 944 } 945 946 if (BIO_read_filename(cert,filename) <= 0) { 947 PyErr_SetString(PySSLErrorObject, "Can't open file"); 948 goto fail0; 949 } 950 951 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); 952 if (x == NULL) { 953 PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file"); 954 goto fail0; 955 } 956 957 retval = _decode_certificate(x, verbose); 958 959 fail0: 960 961 if (cert != NULL) BIO_free(cert); 962 return retval; 963} 964 965 966static PyObject * 967PySSL_peercert(PySSLObject *self, PyObject *args) 968{ 969 PyObject *retval = NULL; 970 int len; 971 int verification; 972 PyObject *binary_mode = Py_None; 973 974 if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode)) 975 return NULL; 976 977 if (!self->peer_cert) 978 Py_RETURN_NONE; 979 980 if (PyObject_IsTrue(binary_mode)) { 981 /* return cert in DER-encoded format */ 982 983 unsigned char *bytes_buf = NULL; 984 985 bytes_buf = NULL; 986 len = i2d_X509(self->peer_cert, &bytes_buf); 987 if (len < 0) { 988 PySSL_SetError(self, len, __FILE__, __LINE__); 989 return NULL; 990 } 991 retval = PyString_FromStringAndSize((const char *) bytes_buf, len); 992 OPENSSL_free(bytes_buf); 993 return retval; 994 995 } else { 996 997 verification = SSL_CTX_get_verify_mode(self->ctx); 998 if ((verification & SSL_VERIFY_PEER) == 0) 999 return PyDict_New(); 1000 else 1001 return _decode_certificate (self->peer_cert, 0); 1002 } 1003} 1004 1005PyDoc_STRVAR(PySSL_peercert_doc, 1006"peer_certificate([der=False]) -> certificate\n\ 1007\n\ 1008Returns the certificate for the peer. If no certificate was provided,\n\ 1009returns None. If a certificate was provided, but not validated, returns\n\ 1010an empty dictionary. Otherwise returns a dict containing information\n\ 1011about the peer certificate.\n\ 1012\n\ 1013If the optional argument is True, returns a DER-encoded copy of the\n\ 1014peer certificate, or None if no certificate was provided. This will\n\ 1015return the certificate even if it wasn't validated."); 1016 1017static PyObject *PySSL_cipher (PySSLObject *self) { 1018 1019 PyObject *retval, *v; 1020 SSL_CIPHER *current; 1021 char *cipher_name; 1022 char *cipher_protocol; 1023 1024 if (self->ssl == NULL) 1025 return Py_None; 1026 current = SSL_get_current_cipher(self->ssl); 1027 if (current == NULL) 1028 return Py_None; 1029 1030 retval = PyTuple_New(3); 1031 if (retval == NULL) 1032 return NULL; 1033 1034 cipher_name = (char *) SSL_CIPHER_get_name(current); 1035 if (cipher_name == NULL) { 1036 PyTuple_SET_ITEM(retval, 0, Py_None); 1037 } else { 1038 v = PyString_FromString(cipher_name); 1039 if (v == NULL) 1040 goto fail0; 1041 PyTuple_SET_ITEM(retval, 0, v); 1042 } 1043 cipher_protocol = SSL_CIPHER_get_version(current); 1044 if (cipher_protocol == NULL) { 1045 PyTuple_SET_ITEM(retval, 1, Py_None); 1046 } else { 1047 v = PyString_FromString(cipher_protocol); 1048 if (v == NULL) 1049 goto fail0; 1050 PyTuple_SET_ITEM(retval, 1, v); 1051 } 1052 v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL)); 1053 if (v == NULL) 1054 goto fail0; 1055 PyTuple_SET_ITEM(retval, 2, v); 1056 return retval; 1057 1058 fail0: 1059 Py_DECREF(retval); 1060 return NULL; 1061} 1062 1063static void PySSL_dealloc(PySSLObject *self) 1064{ 1065 if (self->peer_cert) /* Possible not to have one? */ 1066 X509_free (self->peer_cert); 1067 if (self->ssl) 1068 SSL_free(self->ssl); 1069 if (self->ctx) 1070 SSL_CTX_free(self->ctx); 1071 Py_XDECREF(self->Socket); 1072 PyObject_Del(self); 1073} 1074 1075/* If the socket has a timeout, do a select()/poll() on the socket. 1076 The argument writing indicates the direction. 1077 Returns one of the possibilities in the timeout_state enum (above). 1078 */ 1079 1080static int 1081check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing) 1082{ 1083 fd_set fds; 1084 struct timeval tv; 1085 int rc; 1086 1087 /* Nothing to do unless we're in timeout mode (not non-blocking) */ 1088 if (s->sock_timeout < 0.0) 1089 return SOCKET_IS_BLOCKING; 1090 else if (s->sock_timeout == 0.0) 1091 return SOCKET_IS_NONBLOCKING; 1092 1093 /* Guard against closed socket */ 1094 if (s->sock_fd < 0) 1095 return SOCKET_HAS_BEEN_CLOSED; 1096 1097 /* Prefer poll, if available, since you can poll() any fd 1098 * which can't be done with select(). */ 1099#ifdef HAVE_POLL 1100 { 1101 struct pollfd pollfd; 1102 int timeout; 1103 1104 pollfd.fd = s->sock_fd; 1105 pollfd.events = writing ? POLLOUT : POLLIN; 1106 1107 /* s->sock_timeout is in seconds, timeout in ms */ 1108 timeout = (int)(s->sock_timeout * 1000 + 0.5); 1109 PySSL_BEGIN_ALLOW_THREADS 1110 rc = poll(&pollfd, 1, timeout); 1111 PySSL_END_ALLOW_THREADS 1112 1113 goto normal_return; 1114 } 1115#endif 1116 1117 /* Guard against socket too large for select*/ 1118#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE 1119 if (s->sock_fd >= FD_SETSIZE) 1120 return SOCKET_TOO_LARGE_FOR_SELECT; 1121#endif 1122 1123 /* Construct the arguments to select */ 1124 tv.tv_sec = (int)s->sock_timeout; 1125 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6); 1126 FD_ZERO(&fds); 1127 FD_SET(s->sock_fd, &fds); 1128 1129 /* See if the socket is ready */ 1130 PySSL_BEGIN_ALLOW_THREADS 1131 if (writing) 1132 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv); 1133 else 1134 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv); 1135 PySSL_END_ALLOW_THREADS 1136 1137#ifdef HAVE_POLL 1138normal_return: 1139#endif 1140 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise 1141 (when we are able to write or when there's something to read) */ 1142 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK; 1143} 1144 1145static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args) 1146{ 1147 char *data; 1148 int len; 1149 int count; 1150 int sockstate; 1151 int err; 1152 int nonblocking; 1153 1154 if (!PyArg_ParseTuple(args, "s#:write", &data, &count)) 1155 return NULL; 1156 1157 /* just in case the blocking state of the socket has been changed */ 1158 nonblocking = (self->Socket->sock_timeout >= 0.0); 1159 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1160 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1161 1162 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); 1163 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1164 PyErr_SetString(PySSLErrorObject, 1165 "The write operation timed out"); 1166 return NULL; 1167 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1168 PyErr_SetString(PySSLErrorObject, 1169 "Underlying socket has been closed."); 1170 return NULL; 1171 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1172 PyErr_SetString(PySSLErrorObject, 1173 "Underlying socket too large for select()."); 1174 return NULL; 1175 } 1176 do { 1177 err = 0; 1178 PySSL_BEGIN_ALLOW_THREADS 1179 len = SSL_write(self->ssl, data, count); 1180 err = SSL_get_error(self->ssl, len); 1181 PySSL_END_ALLOW_THREADS 1182 if(PyErr_CheckSignals()) { 1183 return NULL; 1184 } 1185 if (err == SSL_ERROR_WANT_READ) { 1186 sockstate = 1187 check_socket_and_wait_for_timeout(self->Socket, 0); 1188 } else if (err == SSL_ERROR_WANT_WRITE) { 1189 sockstate = 1190 check_socket_and_wait_for_timeout(self->Socket, 1); 1191 } else { 1192 sockstate = SOCKET_OPERATION_OK; 1193 } 1194 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1195 PyErr_SetString(PySSLErrorObject, 1196 "The write operation timed out"); 1197 return NULL; 1198 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1199 PyErr_SetString(PySSLErrorObject, 1200 "Underlying socket has been closed."); 1201 return NULL; 1202 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 1203 break; 1204 } 1205 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 1206 if (len > 0) 1207 return PyInt_FromLong(len); 1208 else 1209 return PySSL_SetError(self, len, __FILE__, __LINE__); 1210} 1211 1212PyDoc_STRVAR(PySSL_SSLwrite_doc, 1213"write(s) -> len\n\ 1214\n\ 1215Writes the string s into the SSL object. Returns the number\n\ 1216of bytes written."); 1217 1218static PyObject *PySSL_SSLpending(PySSLObject *self) 1219{ 1220 int count = 0; 1221 1222 PySSL_BEGIN_ALLOW_THREADS 1223 count = SSL_pending(self->ssl); 1224 PySSL_END_ALLOW_THREADS 1225 if (count < 0) 1226 return PySSL_SetError(self, count, __FILE__, __LINE__); 1227 else 1228 return PyInt_FromLong(count); 1229} 1230 1231PyDoc_STRVAR(PySSL_SSLpending_doc, 1232"pending() -> count\n\ 1233\n\ 1234Returns the number of already decrypted bytes available for read,\n\ 1235pending on the connection.\n"); 1236 1237static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args) 1238{ 1239 PyObject *buf; 1240 int count = 0; 1241 int len = 1024; 1242 int sockstate; 1243 int err; 1244 int nonblocking; 1245 1246 if (!PyArg_ParseTuple(args, "|i:read", &len)) 1247 return NULL; 1248 1249 if (!(buf = PyString_FromStringAndSize((char *) 0, len))) 1250 return NULL; 1251 1252 /* just in case the blocking state of the socket has been changed */ 1253 nonblocking = (self->Socket->sock_timeout >= 0.0); 1254 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1255 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1256 1257 /* first check if there are bytes ready to be read */ 1258 PySSL_BEGIN_ALLOW_THREADS 1259 count = SSL_pending(self->ssl); 1260 PySSL_END_ALLOW_THREADS 1261 1262 if (!count) { 1263 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); 1264 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1265 PyErr_SetString(PySSLErrorObject, 1266 "The read operation timed out"); 1267 Py_DECREF(buf); 1268 return NULL; 1269 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1270 PyErr_SetString(PySSLErrorObject, 1271 "Underlying socket too large for select()."); 1272 Py_DECREF(buf); 1273 return NULL; 1274 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1275 if (SSL_get_shutdown(self->ssl) != 1276 SSL_RECEIVED_SHUTDOWN) 1277 { 1278 Py_DECREF(buf); 1279 PyErr_SetString(PySSLErrorObject, 1280 "Socket closed without SSL shutdown handshake"); 1281 return NULL; 1282 } else { 1283 /* should contain a zero-length string */ 1284 _PyString_Resize(&buf, 0); 1285 return buf; 1286 } 1287 } 1288 } 1289 do { 1290 err = 0; 1291 PySSL_BEGIN_ALLOW_THREADS 1292 count = SSL_read(self->ssl, PyString_AsString(buf), len); 1293 err = SSL_get_error(self->ssl, count); 1294 PySSL_END_ALLOW_THREADS 1295 if(PyErr_CheckSignals()) { 1296 Py_DECREF(buf); 1297 return NULL; 1298 } 1299 if (err == SSL_ERROR_WANT_READ) { 1300 sockstate = 1301 check_socket_and_wait_for_timeout(self->Socket, 0); 1302 } else if (err == SSL_ERROR_WANT_WRITE) { 1303 sockstate = 1304 check_socket_and_wait_for_timeout(self->Socket, 1); 1305 } else if ((err == SSL_ERROR_ZERO_RETURN) && 1306 (SSL_get_shutdown(self->ssl) == 1307 SSL_RECEIVED_SHUTDOWN)) 1308 { 1309 _PyString_Resize(&buf, 0); 1310 return buf; 1311 } else { 1312 sockstate = SOCKET_OPERATION_OK; 1313 } 1314 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1315 PyErr_SetString(PySSLErrorObject, 1316 "The read operation timed out"); 1317 Py_DECREF(buf); 1318 return NULL; 1319 } else if (sockstate == SOCKET_IS_NONBLOCKING) { 1320 break; 1321 } 1322 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); 1323 if (count <= 0) { 1324 Py_DECREF(buf); 1325 return PySSL_SetError(self, count, __FILE__, __LINE__); 1326 } 1327 if (count != len) 1328 _PyString_Resize(&buf, count); 1329 return buf; 1330} 1331 1332PyDoc_STRVAR(PySSL_SSLread_doc, 1333"read([len]) -> string\n\ 1334\n\ 1335Read up to len bytes from the SSL socket."); 1336 1337static PyObject *PySSL_SSLshutdown(PySSLObject *self) 1338{ 1339 int err; 1340 1341 /* Guard against closed socket */ 1342 if (self->Socket->sock_fd < 0) { 1343 PyErr_SetString(PySSLErrorObject, 1344 "Underlying socket has been closed."); 1345 return NULL; 1346 } 1347 1348 PySSL_BEGIN_ALLOW_THREADS 1349 err = SSL_shutdown(self->ssl); 1350 if (err == 0) { 1351 /* we need to call it again to finish the shutdown */ 1352 err = SSL_shutdown(self->ssl); 1353 } 1354 PySSL_END_ALLOW_THREADS 1355 1356 if (err < 0) 1357 return PySSL_SetError(self, err, __FILE__, __LINE__); 1358 else { 1359 Py_INCREF(self->Socket); 1360 return (PyObject *) (self->Socket); 1361 } 1362} 1363 1364PyDoc_STRVAR(PySSL_SSLshutdown_doc, 1365"shutdown(s) -> socket\n\ 1366\n\ 1367Does the SSL shutdown handshake with the remote end, and returns\n\ 1368the underlying socket object."); 1369 1370static PyMethodDef PySSLMethods[] = { 1371 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS}, 1372 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS, 1373 PySSL_SSLwrite_doc}, 1374 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS, 1375 PySSL_SSLread_doc}, 1376 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS, 1377 PySSL_SSLpending_doc}, 1378 {"server", (PyCFunction)PySSL_server, METH_NOARGS}, 1379 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS}, 1380 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS, 1381 PySSL_peercert_doc}, 1382 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS}, 1383 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS, 1384 PySSL_SSLshutdown_doc}, 1385 {NULL, NULL} 1386}; 1387 1388static PyObject *PySSL_getattr(PySSLObject *self, char *name) 1389{ 1390 return Py_FindMethod(PySSLMethods, (PyObject *)self, name); 1391} 1392 1393static PyTypeObject PySSL_Type = { 1394 PyVarObject_HEAD_INIT(NULL, 0) 1395 "ssl.SSLContext", /*tp_name*/ 1396 sizeof(PySSLObject), /*tp_basicsize*/ 1397 0, /*tp_itemsize*/ 1398 /* methods */ 1399 (destructor)PySSL_dealloc, /*tp_dealloc*/ 1400 0, /*tp_print*/ 1401 (getattrfunc)PySSL_getattr, /*tp_getattr*/ 1402 0, /*tp_setattr*/ 1403 0, /*tp_compare*/ 1404 0, /*tp_repr*/ 1405 0, /*tp_as_number*/ 1406 0, /*tp_as_sequence*/ 1407 0, /*tp_as_mapping*/ 1408 0, /*tp_hash*/ 1409}; 1410 1411#ifdef HAVE_OPENSSL_RAND 1412 1413/* helper routines for seeding the SSL PRNG */ 1414static PyObject * 1415PySSL_RAND_add(PyObject *self, PyObject *args) 1416{ 1417 char *buf; 1418 int len; 1419 double entropy; 1420 1421 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy)) 1422 return NULL; 1423 RAND_add(buf, len, entropy); 1424 Py_INCREF(Py_None); 1425 return Py_None; 1426} 1427 1428PyDoc_STRVAR(PySSL_RAND_add_doc, 1429"RAND_add(string, entropy)\n\ 1430\n\ 1431Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\ 1432bound on the entropy contained in string. See RFC 1750."); 1433 1434static PyObject * 1435PySSL_RAND_status(PyObject *self) 1436{ 1437 return PyInt_FromLong(RAND_status()); 1438} 1439 1440PyDoc_STRVAR(PySSL_RAND_status_doc, 1441"RAND_status() -> 0 or 1\n\ 1442\n\ 1443Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\ 1444It is necessary to seed the PRNG with RAND_add() on some platforms before\n\ 1445using the ssl() function."); 1446 1447static PyObject * 1448PySSL_RAND_egd(PyObject *self, PyObject *arg) 1449{ 1450 int bytes; 1451 1452 if (!PyString_Check(arg)) 1453 return PyErr_Format(PyExc_TypeError, 1454 "RAND_egd() expected string, found %s", 1455 Py_TYPE(arg)->tp_name); 1456 bytes = RAND_egd(PyString_AS_STRING(arg)); 1457 if (bytes == -1) { 1458 PyErr_SetString(PySSLErrorObject, 1459 "EGD connection failed or EGD did not return " 1460 "enough data to seed the PRNG"); 1461 return NULL; 1462 } 1463 return PyInt_FromLong(bytes); 1464} 1465 1466PyDoc_STRVAR(PySSL_RAND_egd_doc, 1467"RAND_egd(path) -> bytes\n\ 1468\n\ 1469Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\ 1470Returns number of bytes read. Raises SSLError if connection to EGD\n\ 1471fails or if it does provide enough data to seed PRNG."); 1472 1473#endif 1474 1475/* List of functions exported by this module. */ 1476 1477static PyMethodDef PySSL_methods[] = { 1478 {"sslwrap", PySSL_sslwrap, 1479 METH_VARARGS, ssl_doc}, 1480 {"_test_decode_cert", PySSL_test_decode_certificate, 1481 METH_VARARGS}, 1482#ifdef HAVE_OPENSSL_RAND 1483 {"RAND_add", PySSL_RAND_add, METH_VARARGS, 1484 PySSL_RAND_add_doc}, 1485 {"RAND_egd", PySSL_RAND_egd, METH_O, 1486 PySSL_RAND_egd_doc}, 1487 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, 1488 PySSL_RAND_status_doc}, 1489#endif 1490 {NULL, NULL} /* Sentinel */ 1491}; 1492 1493 1494#ifdef WITH_THREAD 1495 1496/* an implementation of OpenSSL threading operations in terms 1497 of the Python C thread library */ 1498 1499static PyThread_type_lock *_ssl_locks = NULL; 1500 1501static unsigned long _ssl_thread_id_function (void) { 1502 return PyThread_get_thread_ident(); 1503} 1504 1505static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) { 1506 /* this function is needed to perform locking on shared data 1507 structures. (Note that OpenSSL uses a number of global data 1508 structures that will be implicitly shared whenever multiple threads 1509 use OpenSSL.) Multi-threaded applications will crash at random if 1510 it is not set. 1511 1512 locking_function() must be able to handle up to CRYPTO_num_locks() 1513 different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and 1514 releases it otherwise. 1515 1516 file and line are the file number of the function setting the 1517 lock. They can be useful for debugging. 1518 */ 1519 1520 if ((_ssl_locks == NULL) || 1521 (n < 0) || ((unsigned)n >= _ssl_locks_count)) 1522 return; 1523 1524 if (mode & CRYPTO_LOCK) { 1525 PyThread_acquire_lock(_ssl_locks[n], 1); 1526 } else { 1527 PyThread_release_lock(_ssl_locks[n]); 1528 } 1529} 1530 1531static int _setup_ssl_threads(void) { 1532 1533 unsigned int i; 1534 1535 if (_ssl_locks == NULL) { 1536 _ssl_locks_count = CRYPTO_num_locks(); 1537 _ssl_locks = (PyThread_type_lock *) 1538 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); 1539 if (_ssl_locks == NULL) 1540 return 0; 1541 memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count); 1542 for (i = 0; i < _ssl_locks_count; i++) { 1543 _ssl_locks[i] = PyThread_allocate_lock(); 1544 if (_ssl_locks[i] == NULL) { 1545 unsigned int j; 1546 for (j = 0; j < i; j++) { 1547 PyThread_free_lock(_ssl_locks[j]); 1548 } 1549 free(_ssl_locks); 1550 return 0; 1551 } 1552 } 1553 CRYPTO_set_locking_callback(_ssl_thread_locking_function); 1554 CRYPTO_set_id_callback(_ssl_thread_id_function); 1555 } 1556 return 1; 1557} 1558 1559#endif /* def HAVE_THREAD */ 1560 1561PyDoc_STRVAR(module_doc, 1562"Implementation module for SSL socket operations. See the socket module\n\ 1563for documentation."); 1564 1565PyMODINIT_FUNC 1566init_ssl(void) 1567{ 1568 PyObject *m, *d; 1569 1570 Py_TYPE(&PySSL_Type) = &PyType_Type; 1571 1572 m = Py_InitModule3("_ssl", PySSL_methods, module_doc); 1573 if (m == NULL) 1574 return; 1575 d = PyModule_GetDict(m); 1576 1577 /* Load _socket module and its C API */ 1578 if (PySocketModule_ImportModuleAndAPI()) 1579 return; 1580 1581 /* Init OpenSSL */ 1582 SSL_load_error_strings(); 1583#ifdef WITH_THREAD 1584 /* note that this will start threading if not already started */ 1585 if (!_setup_ssl_threads()) { 1586 return; 1587 } 1588#endif 1589 SSLeay_add_ssl_algorithms(); 1590 1591 /* Add symbols to module dict */ 1592 PySSLErrorObject = PyErr_NewException("ssl.SSLError", 1593 PySocketModule.error, 1594 NULL); 1595 if (PySSLErrorObject == NULL) 1596 return; 1597 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0) 1598 return; 1599 if (PyDict_SetItemString(d, "SSLType", 1600 (PyObject *)&PySSL_Type) != 0) 1601 return; 1602 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN", 1603 PY_SSL_ERROR_ZERO_RETURN); 1604 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ", 1605 PY_SSL_ERROR_WANT_READ); 1606 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE", 1607 PY_SSL_ERROR_WANT_WRITE); 1608 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP", 1609 PY_SSL_ERROR_WANT_X509_LOOKUP); 1610 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL", 1611 PY_SSL_ERROR_SYSCALL); 1612 PyModule_AddIntConstant(m, "SSL_ERROR_SSL", 1613 PY_SSL_ERROR_SSL); 1614 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT", 1615 PY_SSL_ERROR_WANT_CONNECT); 1616 /* non ssl.h errorcodes */ 1617 PyModule_AddIntConstant(m, "SSL_ERROR_EOF", 1618 PY_SSL_ERROR_EOF); 1619 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", 1620 PY_SSL_ERROR_INVALID_ERROR_CODE); 1621 /* cert requirements */ 1622 PyModule_AddIntConstant(m, "CERT_NONE", 1623 PY_SSL_CERT_NONE); 1624 PyModule_AddIntConstant(m, "CERT_OPTIONAL", 1625 PY_SSL_CERT_OPTIONAL); 1626 PyModule_AddIntConstant(m, "CERT_REQUIRED", 1627 PY_SSL_CERT_REQUIRED); 1628 1629 /* protocol versions */ 1630 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", 1631 PY_SSL_VERSION_SSL2); 1632 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", 1633 PY_SSL_VERSION_SSL3); 1634 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", 1635 PY_SSL_VERSION_SSL23); 1636 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", 1637 PY_SSL_VERSION_TLS1); 1638}