PageRenderTime 147ms CodeModel.GetById 7ms app.highlight 119ms RepoModel.GetById 1ms app.codeStats 1ms

/Modules/_ssl.c

http://unladen-swallow.googlecode.com/
C | 1638 lines | 1305 code | 208 blank | 125 comment | 341 complexity | 2912a1f48f5be2acd5ce6f3d16f6b558 MD5 | raw file
   1/* SSL socket module
   2
   3   SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
   4   Re-worked a bit by Bill Janssen to add server-side support and
   5   certificate decoding.  Chris Stawarz contributed some non-blocking
   6   patches.
   7
   8   This module is imported by ssl.py. It should *not* be used
   9   directly.
  10
  11   XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
  12
  13   XXX what about SSL_MODE_AUTO_RETRY?
  14*/
  15
  16#include "Python.h"
  17
  18#ifdef WITH_THREAD
  19#include "pythread.h"
  20#define PySSL_BEGIN_ALLOW_THREADS { \
  21			PyThreadState *_save = NULL;  \
  22			if (_ssl_locks_count>0) {_save = PyEval_SaveThread();}
  23#define PySSL_BLOCK_THREADS	if (_ssl_locks_count>0){PyEval_RestoreThread(_save)};
  24#define PySSL_UNBLOCK_THREADS	if (_ssl_locks_count>0){_save = PyEval_SaveThread()};
  25#define PySSL_END_ALLOW_THREADS	if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \
  26		 }
  27
  28#else	/* no WITH_THREAD */
  29
  30#define PySSL_BEGIN_ALLOW_THREADS
  31#define PySSL_BLOCK_THREADS
  32#define PySSL_UNBLOCK_THREADS
  33#define PySSL_END_ALLOW_THREADS
  34
  35#endif
  36
  37enum py_ssl_error {
  38	/* these mirror ssl.h */
  39	PY_SSL_ERROR_NONE,
  40	PY_SSL_ERROR_SSL,
  41	PY_SSL_ERROR_WANT_READ,
  42	PY_SSL_ERROR_WANT_WRITE,
  43	PY_SSL_ERROR_WANT_X509_LOOKUP,
  44	PY_SSL_ERROR_SYSCALL,     /* look at error stack/return value/errno */
  45	PY_SSL_ERROR_ZERO_RETURN,
  46	PY_SSL_ERROR_WANT_CONNECT,
  47	/* start of non ssl.h errorcodes */
  48	PY_SSL_ERROR_EOF,         /* special case of SSL_ERROR_SYSCALL */
  49	PY_SSL_ERROR_INVALID_ERROR_CODE
  50};
  51
  52enum py_ssl_server_or_client {
  53	PY_SSL_CLIENT,
  54	PY_SSL_SERVER
  55};
  56
  57enum py_ssl_cert_requirements {
  58	PY_SSL_CERT_NONE,
  59	PY_SSL_CERT_OPTIONAL,
  60	PY_SSL_CERT_REQUIRED
  61};
  62
  63enum py_ssl_version {
  64	PY_SSL_VERSION_SSL2,
  65	PY_SSL_VERSION_SSL3,
  66	PY_SSL_VERSION_SSL23,
  67	PY_SSL_VERSION_TLS1,
  68};
  69
  70/* Include symbols from _socket module */
  71#include "socketmodule.h"
  72
  73#if defined(HAVE_POLL_H)
  74#include <poll.h>
  75#elif defined(HAVE_SYS_POLL_H)
  76#include <sys/poll.h>
  77#endif
  78
  79/* Include OpenSSL header files */
  80#include "openssl/rsa.h"
  81#include "openssl/crypto.h"
  82#include "openssl/x509.h"
  83#include "openssl/x509v3.h"
  84#include "openssl/pem.h"
  85#include "openssl/ssl.h"
  86#include "openssl/err.h"
  87#include "openssl/rand.h"
  88
  89/* SSL error object */
  90static PyObject *PySSLErrorObject;
  91
  92#ifdef WITH_THREAD
  93
  94/* serves as a flag to see whether we've initialized the SSL thread support. */
  95/* 0 means no, greater than 0 means yes */
  96
  97static unsigned int _ssl_locks_count = 0;
  98
  99#endif /* def WITH_THREAD */
 100
 101/* SSL socket object */
 102
 103#define X509_NAME_MAXLEN 256
 104
 105/* RAND_* APIs got added to OpenSSL in 0.9.5 */
 106#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
 107# define HAVE_OPENSSL_RAND 1
 108#else
 109# undef HAVE_OPENSSL_RAND
 110#endif
 111
 112typedef struct {
 113	PyObject_HEAD
 114	PySocketSockObject *Socket;	/* Socket on which we're layered */
 115	SSL_CTX*	ctx;
 116	SSL*		ssl;
 117	X509*		peer_cert;
 118	char		server[X509_NAME_MAXLEN];
 119	char		issuer[X509_NAME_MAXLEN];
 120
 121} PySSLObject;
 122
 123static PyTypeObject PySSL_Type;
 124static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args);
 125static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args);
 126static int check_socket_and_wait_for_timeout(PySocketSockObject *s,
 127					     int writing);
 128static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args);
 129static PyObject *PySSL_cipher(PySSLObject *self);
 130
 131#define PySSLObject_Check(v)	(Py_TYPE(v) == &PySSL_Type)
 132
 133typedef enum {
 134	SOCKET_IS_NONBLOCKING,
 135	SOCKET_IS_BLOCKING,
 136	SOCKET_HAS_TIMED_OUT,
 137	SOCKET_HAS_BEEN_CLOSED,
 138	SOCKET_TOO_LARGE_FOR_SELECT,
 139	SOCKET_OPERATION_OK
 140} timeout_state;
 141
 142/* Wrap error strings with filename and line # */
 143#define STRINGIFY1(x) #x
 144#define STRINGIFY2(x) STRINGIFY1(x)
 145#define ERRSTR1(x,y,z) (x ":" y ": " z)
 146#define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x)
 147
 148/* XXX It might be helpful to augment the error message generated
 149   below with the name of the SSL function that generated the error.
 150   I expect it's obvious most of the time.
 151*/
 152
 153static PyObject *
 154PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno)
 155{
 156	PyObject *v;
 157	char buf[2048];
 158	char *errstr;
 159	int err;
 160	enum py_ssl_error p = PY_SSL_ERROR_NONE;
 161
 162	assert(ret <= 0);
 163
 164	if (obj->ssl != NULL) {
 165		err = SSL_get_error(obj->ssl, ret);
 166
 167		switch (err) {
 168		case SSL_ERROR_ZERO_RETURN:
 169			errstr = "TLS/SSL connection has been closed";
 170			p = PY_SSL_ERROR_ZERO_RETURN;
 171			break;
 172		case SSL_ERROR_WANT_READ:
 173			errstr = "The operation did not complete (read)";
 174			p = PY_SSL_ERROR_WANT_READ;
 175			break;
 176		case SSL_ERROR_WANT_WRITE:
 177			p = PY_SSL_ERROR_WANT_WRITE;
 178			errstr = "The operation did not complete (write)";
 179			break;
 180		case SSL_ERROR_WANT_X509_LOOKUP:
 181			p = PY_SSL_ERROR_WANT_X509_LOOKUP;
 182			errstr =
 183                            "The operation did not complete (X509 lookup)";
 184			break;
 185		case SSL_ERROR_WANT_CONNECT:
 186			p = PY_SSL_ERROR_WANT_CONNECT;
 187			errstr = "The operation did not complete (connect)";
 188			break;
 189		case SSL_ERROR_SYSCALL:
 190		{
 191			unsigned long e = ERR_get_error();
 192			if (e == 0) {
 193				if (ret == 0 || !obj->Socket) {
 194				  p = PY_SSL_ERROR_EOF;
 195				  errstr =
 196                                      "EOF occurred in violation of protocol";
 197				} else if (ret == -1) {
 198				  /* underlying BIO reported an I/O error */
 199                                  return obj->Socket->errorhandler();
 200				} else { /* possible? */
 201                                  p = PY_SSL_ERROR_SYSCALL;
 202                                  errstr = "Some I/O error occurred";
 203				}
 204			} else {
 205				p = PY_SSL_ERROR_SYSCALL;
 206				/* XXX Protected by global interpreter lock */
 207				errstr = ERR_error_string(e, NULL);
 208			}
 209			break;
 210		}
 211		case SSL_ERROR_SSL:
 212		{
 213			unsigned long e = ERR_get_error();
 214			p = PY_SSL_ERROR_SSL;
 215			if (e != 0)
 216				/* XXX Protected by global interpreter lock */
 217				errstr = ERR_error_string(e, NULL);
 218			else {	/* possible? */
 219				errstr =
 220                                    "A failure in the SSL library occurred";
 221			}
 222			break;
 223		}
 224		default:
 225			p = PY_SSL_ERROR_INVALID_ERROR_CODE;
 226			errstr = "Invalid error code";
 227		}
 228	} else {
 229		errstr = ERR_error_string(ERR_peek_last_error(), NULL);
 230	}
 231	PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
 232	v = Py_BuildValue("(is)", p, buf);
 233	if (v != NULL) {
 234		PyErr_SetObject(PySSLErrorObject, v);
 235		Py_DECREF(v);
 236	}
 237	return NULL;
 238}
 239
 240static PyObject *
 241_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
 242
 243	char buf[2048];
 244	PyObject *v;
 245
 246	if (errstr == NULL) {
 247		errcode = ERR_peek_last_error();
 248		errstr = ERR_error_string(errcode, NULL);
 249	}
 250	PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
 251	v = Py_BuildValue("(is)", errcode, buf);
 252	if (v != NULL) {
 253		PyErr_SetObject(PySSLErrorObject, v);
 254		Py_DECREF(v);
 255	}
 256	return NULL;
 257}
 258
 259static PySSLObject *
 260newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
 261	       enum py_ssl_server_or_client socket_type,
 262	       enum py_ssl_cert_requirements certreq,
 263	       enum py_ssl_version proto_version,
 264	       char *cacerts_file)
 265{
 266	PySSLObject *self;
 267	char *errstr = NULL;
 268	int ret;
 269	int verification_mode;
 270
 271	self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
 272	if (self == NULL)
 273		return NULL;
 274	memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
 275	memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
 276	self->peer_cert = NULL;
 277	self->ssl = NULL;
 278	self->ctx = NULL;
 279	self->Socket = NULL;
 280
 281	/* Make sure the SSL error state is initialized */
 282	(void) ERR_get_state();
 283	ERR_clear_error();
 284
 285	if ((key_file && !cert_file) || (!key_file && cert_file)) {
 286		errstr = ERRSTR("Both the key & certificate files "
 287                                "must be specified");
 288		goto fail;
 289	}
 290
 291	if ((socket_type == PY_SSL_SERVER) &&
 292	    ((key_file == NULL) || (cert_file == NULL))) {
 293		errstr = ERRSTR("Both the key & certificate files "
 294                                "must be specified for server-side operation");
 295		goto fail;
 296	}
 297
 298	PySSL_BEGIN_ALLOW_THREADS
 299	if (proto_version == PY_SSL_VERSION_TLS1)
 300		self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
 301	else if (proto_version == PY_SSL_VERSION_SSL3)
 302		self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
 303	else if (proto_version == PY_SSL_VERSION_SSL2)
 304		self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
 305	else if (proto_version == PY_SSL_VERSION_SSL23)
 306		self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
 307	PySSL_END_ALLOW_THREADS
 308
 309	if (self->ctx == NULL) {
 310		errstr = ERRSTR("Invalid SSL protocol variant specified.");
 311		goto fail;
 312	}
 313
 314	if (certreq != PY_SSL_CERT_NONE) {
 315		if (cacerts_file == NULL) {
 316			errstr = ERRSTR("No root certificates specified for "
 317                                  "verification of other-side certificates.");
 318			goto fail;
 319		} else {
 320			PySSL_BEGIN_ALLOW_THREADS
 321			ret = SSL_CTX_load_verify_locations(self->ctx,
 322							    cacerts_file,
 323                                                            NULL);
 324			PySSL_END_ALLOW_THREADS
 325			if (ret != 1) {
 326				_setSSLError(NULL, 0, __FILE__, __LINE__);
 327				goto fail;
 328			}
 329		}
 330	}
 331	if (key_file) {
 332		PySSL_BEGIN_ALLOW_THREADS
 333		ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
 334						  SSL_FILETYPE_PEM);
 335		PySSL_END_ALLOW_THREADS
 336		if (ret != 1) {
 337			_setSSLError(NULL, ret, __FILE__, __LINE__);
 338			goto fail;
 339		}
 340
 341		PySSL_BEGIN_ALLOW_THREADS
 342		ret = SSL_CTX_use_certificate_chain_file(self->ctx,
 343							 cert_file);
 344		PySSL_END_ALLOW_THREADS
 345		if (ret != 1) {
 346			/*
 347			fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
 348				ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
 349				*/
 350			if (ERR_peek_last_error() != 0) {
 351				_setSSLError(NULL, ret, __FILE__, __LINE__);
 352				goto fail;
 353			}
 354		}
 355	}
 356
 357        /* ssl compatibility */
 358        SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
 359
 360	verification_mode = SSL_VERIFY_NONE;
 361	if (certreq == PY_SSL_CERT_OPTIONAL)
 362		verification_mode = SSL_VERIFY_PEER;
 363	else if (certreq == PY_SSL_CERT_REQUIRED)
 364		verification_mode = (SSL_VERIFY_PEER |
 365				     SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
 366	SSL_CTX_set_verify(self->ctx, verification_mode,
 367			   NULL); /* set verify lvl */
 368
 369	PySSL_BEGIN_ALLOW_THREADS
 370	self->ssl = SSL_new(self->ctx); /* New ssl struct */
 371	PySSL_END_ALLOW_THREADS
 372	SSL_set_fd(self->ssl, Sock->sock_fd);	/* Set the socket for SSL */
 373
 374	/* If the socket is in non-blocking mode or timeout mode, set the BIO
 375	 * to non-blocking mode (blocking is the default)
 376	 */
 377	if (Sock->sock_timeout >= 0.0) {
 378		/* Set both the read and write BIO's to non-blocking mode */
 379		BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
 380		BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
 381	}
 382
 383	PySSL_BEGIN_ALLOW_THREADS
 384	if (socket_type == PY_SSL_CLIENT)
 385		SSL_set_connect_state(self->ssl);
 386	else
 387		SSL_set_accept_state(self->ssl);
 388	PySSL_END_ALLOW_THREADS
 389
 390	self->Socket = Sock;
 391	Py_INCREF(self->Socket);
 392	return self;
 393 fail:
 394	if (errstr)
 395		PyErr_SetString(PySSLErrorObject, errstr);
 396	Py_DECREF(self);
 397	return NULL;
 398}
 399
 400static PyObject *
 401PySSL_sslwrap(PyObject *self, PyObject *args)
 402{
 403	PySocketSockObject *Sock;
 404	int server_side = 0;
 405	int verification_mode = PY_SSL_CERT_NONE;
 406	int protocol = PY_SSL_VERSION_SSL23;
 407	char *key_file = NULL;
 408	char *cert_file = NULL;
 409	char *cacerts_file = NULL;
 410
 411	if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
 412			      PySocketModule.Sock_Type,
 413			      &Sock,
 414			      &server_side,
 415			      &key_file, &cert_file,
 416			      &verification_mode, &protocol,
 417			      &cacerts_file))
 418		return NULL;
 419
 420	/*
 421	fprintf(stderr,
 422		"server_side is %d, keyfile %p, certfile %p, verify_mode %d, "
 423		"protocol %d, certs %p\n",
 424		server_side, key_file, cert_file, verification_mode,
 425		protocol, cacerts_file);
 426	 */
 427
 428	return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
 429					   server_side, verification_mode,
 430					   protocol, cacerts_file);
 431}
 432
 433PyDoc_STRVAR(ssl_doc,
 434"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
 435"                              cacertsfile]) -> sslobject");
 436
 437/* SSL object methods */
 438
 439static PyObject *PySSL_SSLdo_handshake(PySSLObject *self)
 440{
 441	int ret;
 442	int err;
 443	int sockstate;
 444
 445	/* Actually negotiate SSL connection */
 446	/* XXX If SSL_do_handshake() returns 0, it's also a failure. */
 447	sockstate = 0;
 448	do {
 449		PySSL_BEGIN_ALLOW_THREADS
 450		ret = SSL_do_handshake(self->ssl);
 451		err = SSL_get_error(self->ssl, ret);
 452		PySSL_END_ALLOW_THREADS
 453		if(PyErr_CheckSignals()) {
 454			return NULL;
 455		}
 456		if (err == SSL_ERROR_WANT_READ) {
 457			sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
 458		} else if (err == SSL_ERROR_WANT_WRITE) {
 459			sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
 460		} else {
 461			sockstate = SOCKET_OPERATION_OK;
 462		}
 463		if (sockstate == SOCKET_HAS_TIMED_OUT) {
 464			PyErr_SetString(PySSLErrorObject,
 465				ERRSTR("The handshake operation timed out"));
 466			return NULL;
 467		} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
 468			PyErr_SetString(PySSLErrorObject,
 469				ERRSTR("Underlying socket has been closed."));
 470			return NULL;
 471		} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
 472			PyErr_SetString(PySSLErrorObject,
 473			  ERRSTR("Underlying socket too large for select()."));
 474			return NULL;
 475		} else if (sockstate == SOCKET_IS_NONBLOCKING) {
 476			break;
 477		}
 478	} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
 479	if (ret < 1)
 480		return PySSL_SetError(self, ret, __FILE__, __LINE__);
 481	self->ssl->debug = 1;
 482
 483	if (self->peer_cert)
 484		X509_free (self->peer_cert);
 485	PySSL_BEGIN_ALLOW_THREADS
 486	if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
 487		X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
 488				  self->server, X509_NAME_MAXLEN);
 489		X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
 490				  self->issuer, X509_NAME_MAXLEN);
 491	}
 492	PySSL_END_ALLOW_THREADS
 493
 494	Py_INCREF(Py_None);
 495	return Py_None;
 496}
 497
 498static PyObject *
 499PySSL_server(PySSLObject *self)
 500{
 501	return PyString_FromString(self->server);
 502}
 503
 504static PyObject *
 505PySSL_issuer(PySSLObject *self)
 506{
 507	return PyString_FromString(self->issuer);
 508}
 509
 510static PyObject *
 511_create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) {
 512
 513	char namebuf[X509_NAME_MAXLEN];
 514	int buflen;
 515	PyObject *name_obj;
 516	PyObject *value_obj;
 517	PyObject *attr;
 518	unsigned char *valuebuf = NULL;
 519
 520	buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
 521	if (buflen < 0) {
 522		_setSSLError(NULL, 0, __FILE__, __LINE__);
 523		goto fail;
 524	}
 525	name_obj = PyString_FromStringAndSize(namebuf, buflen);
 526	if (name_obj == NULL)
 527		goto fail;
 528	
 529	buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
 530	if (buflen < 0) {
 531		_setSSLError(NULL, 0, __FILE__, __LINE__);
 532		Py_DECREF(name_obj);
 533		goto fail;
 534	}
 535	value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
 536						 buflen, "strict");
 537	OPENSSL_free(valuebuf);
 538	if (value_obj == NULL) {
 539		Py_DECREF(name_obj);
 540		goto fail;
 541	}
 542	attr = PyTuple_New(2);
 543	if (attr == NULL) {
 544		Py_DECREF(name_obj);
 545		Py_DECREF(value_obj);
 546		goto fail;
 547	}
 548	PyTuple_SET_ITEM(attr, 0, name_obj);
 549	PyTuple_SET_ITEM(attr, 1, value_obj);
 550	return attr;
 551
 552  fail:
 553	return NULL;
 554}
 555
 556static PyObject *
 557_create_tuple_for_X509_NAME (X509_NAME *xname)
 558{
 559	PyObject *dn = NULL;    /* tuple which represents the "distinguished name" */
 560        PyObject *rdn = NULL;   /* tuple to hold a "relative distinguished name" */
 561	PyObject *rdnt;
 562        PyObject *attr = NULL;   /* tuple to hold an attribute */
 563        int entry_count = X509_NAME_entry_count(xname);
 564	X509_NAME_ENTRY *entry;
 565	ASN1_OBJECT *name;
 566	ASN1_STRING *value;
 567	int index_counter;
 568	int rdn_level = -1;
 569	int retcode;
 570
 571        dn = PyList_New(0);
 572	if (dn == NULL)
 573		return NULL;
 574        /* now create another tuple to hold the top-level RDN */
 575        rdn = PyList_New(0);
 576	if (rdn == NULL)
 577		goto fail0;
 578
 579	for (index_counter = 0;
 580	     index_counter < entry_count;
 581	     index_counter++)
 582	{
 583		entry = X509_NAME_get_entry(xname, index_counter);
 584
 585		/* check to see if we've gotten to a new RDN */
 586		if (rdn_level >= 0) {
 587			if (rdn_level != entry->set) {
 588				/* yes, new RDN */
 589				/* add old RDN to DN */
 590				rdnt = PyList_AsTuple(rdn);
 591				Py_DECREF(rdn);
 592				if (rdnt == NULL)
 593					goto fail0;
 594				retcode = PyList_Append(dn, rdnt);
 595				Py_DECREF(rdnt);
 596				if (retcode < 0)
 597					goto fail0;
 598				/* create new RDN */
 599				rdn = PyList_New(0);
 600				if (rdn == NULL)
 601					goto fail0;
 602			}
 603		}
 604		rdn_level = entry->set;
 605
 606		/* now add this attribute to the current RDN */
 607		name = X509_NAME_ENTRY_get_object(entry);
 608		value = X509_NAME_ENTRY_get_data(entry);
 609		attr = _create_tuple_for_attribute(name, value);
 610                /*
 611                fprintf(stderr, "RDN level %d, attribute %s: %s\n",
 612                        entry->set,
 613                        PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
 614                        PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1)));                        
 615                */
 616		if (attr == NULL)
 617			goto fail1;
 618                retcode = PyList_Append(rdn, attr);
 619		Py_DECREF(attr);
 620		if (retcode < 0)
 621			goto fail1;
 622	}
 623	/* now, there's typically a dangling RDN */
 624	if ((rdn != NULL) && (PyList_Size(rdn) > 0)) {
 625		rdnt = PyList_AsTuple(rdn);
 626		Py_DECREF(rdn);
 627		if (rdnt == NULL)
 628			goto fail0;
 629		retcode = PyList_Append(dn, rdnt);
 630		Py_DECREF(rdnt);
 631		if (retcode < 0)
 632			goto fail0;
 633	}
 634
 635	/* convert list to tuple */
 636	rdnt = PyList_AsTuple(dn);
 637	Py_DECREF(dn);
 638	if (rdnt == NULL)
 639		return NULL;
 640	return rdnt;
 641
 642  fail1:
 643	Py_XDECREF(rdn);
 644
 645  fail0:
 646	Py_XDECREF(dn);
 647	return NULL;
 648}
 649
 650static PyObject *
 651_get_peer_alt_names (X509 *certificate) {
 652                  
 653	/* this code follows the procedure outlined in
 654	   OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
 655	   function to extract the STACK_OF(GENERAL_NAME),
 656	   then iterates through the stack to add the
 657	   names. */
 658
 659	int i, j;
 660	PyObject *peer_alt_names = Py_None;
 661	PyObject *v, *t;
 662	X509_EXTENSION *ext = NULL;
 663	GENERAL_NAMES *names = NULL;
 664	GENERAL_NAME *name;
 665	X509V3_EXT_METHOD *method;	
 666	BIO *biobuf = NULL;
 667	char buf[2048];
 668	char *vptr;
 669	int len;
 670	const unsigned char *p;
 671
 672	if (certificate == NULL)
 673		return peer_alt_names;
 674
 675	/* get a memory buffer */
 676	biobuf = BIO_new(BIO_s_mem());
 677
 678	i = 0;
 679	while ((i = X509_get_ext_by_NID(
 680			certificate, NID_subject_alt_name, i)) >= 0) {
 681
 682		if (peer_alt_names == Py_None) {
 683                        peer_alt_names = PyList_New(0);
 684                        if (peer_alt_names == NULL)
 685				goto fail;
 686		}
 687		
 688		/* now decode the altName */
 689		ext = X509_get_ext(certificate, i);
 690		if(!(method = X509V3_EXT_get(ext))) {
 691			PyErr_SetString(PySSLErrorObject,
 692					ERRSTR("No method for internalizing subjectAltName!"));
 693			goto fail;
 694		}
 695
 696		p = ext->value->data;
 697		if (method->it)
 698			names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL,
 699								&p,
 700								ext->value->length,
 701								ASN1_ITEM_ptr(method->it)));
 702		else
 703			names = (GENERAL_NAMES*) (method->d2i(NULL,
 704							      &p,
 705							      ext->value->length));
 706
 707		for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
 708
 709			/* get a rendering of each name in the set of names */
 710
 711			name = sk_GENERAL_NAME_value(names, j);
 712			if (name->type == GEN_DIRNAME) {
 713
 714				/* we special-case DirName as a tuple of tuples of attributes */
 715
 716				t = PyTuple_New(2);
 717				if (t == NULL) {
 718					goto fail;
 719				}
 720
 721				v = PyString_FromString("DirName");
 722				if (v == NULL) {
 723					Py_DECREF(t);
 724					goto fail;
 725				}
 726				PyTuple_SET_ITEM(t, 0, v);
 727
 728				v = _create_tuple_for_X509_NAME (name->d.dirn);
 729				if (v == NULL) {
 730					Py_DECREF(t);
 731					goto fail;
 732				}
 733				PyTuple_SET_ITEM(t, 1, v);
 734				
 735			} else {
 736
 737				/* for everything else, we use the OpenSSL print form */
 738
 739				(void) BIO_reset(biobuf);
 740				GENERAL_NAME_print(biobuf, name);
 741				len = BIO_gets(biobuf, buf, sizeof(buf)-1);
 742				if (len < 0) {
 743					_setSSLError(NULL, 0, __FILE__, __LINE__);
 744					goto fail;
 745				}
 746				vptr = strchr(buf, ':');
 747				if (vptr == NULL)
 748					goto fail;
 749				t = PyTuple_New(2);
 750				if (t == NULL)
 751					goto fail;
 752				v = PyString_FromStringAndSize(buf, (vptr - buf));
 753				if (v == NULL) {
 754					Py_DECREF(t);
 755					goto fail;
 756				}
 757				PyTuple_SET_ITEM(t, 0, v);
 758				v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1)));
 759				if (v == NULL) {
 760					Py_DECREF(t);
 761					goto fail;
 762				}
 763				PyTuple_SET_ITEM(t, 1, v);
 764			}
 765
 766			/* and add that rendering to the list */
 767
 768			if (PyList_Append(peer_alt_names, t) < 0) {
 769				Py_DECREF(t);
 770				goto fail;
 771			}
 772			Py_DECREF(t);
 773		}
 774	}
 775	BIO_free(biobuf);
 776	if (peer_alt_names != Py_None) {
 777		v = PyList_AsTuple(peer_alt_names);
 778		Py_DECREF(peer_alt_names);
 779		return v;
 780	} else {
 781		return peer_alt_names;
 782	}
 783	
 784
 785  fail:
 786	if (biobuf != NULL)
 787		BIO_free(biobuf);
 788
 789	if (peer_alt_names != Py_None) {
 790		Py_XDECREF(peer_alt_names);
 791	}
 792
 793	return NULL;
 794}
 795
 796static PyObject *
 797_decode_certificate (X509 *certificate, int verbose) {
 798
 799	PyObject *retval = NULL;
 800	BIO *biobuf = NULL;
 801	PyObject *peer;
 802	PyObject *peer_alt_names = NULL;
 803	PyObject *issuer;
 804	PyObject *version;
 805	PyObject *sn_obj;
 806	ASN1_INTEGER *serialNumber;
 807	char buf[2048];
 808	int len;
 809	ASN1_TIME *notBefore, *notAfter;
 810	PyObject *pnotBefore, *pnotAfter;
 811
 812	retval = PyDict_New();
 813	if (retval == NULL)
 814		return NULL;
 815
 816	peer = _create_tuple_for_X509_NAME(
 817		X509_get_subject_name(certificate));
 818	if (peer == NULL)
 819		goto fail0;
 820	if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
 821		Py_DECREF(peer);
 822		goto fail0;
 823	}
 824	Py_DECREF(peer);
 825
 826	if (verbose) {
 827		issuer = _create_tuple_for_X509_NAME(
 828			X509_get_issuer_name(certificate));
 829		if (issuer == NULL)
 830			goto fail0;
 831		if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
 832			Py_DECREF(issuer);
 833			goto fail0;
 834		}
 835		Py_DECREF(issuer);
 836	
 837		version = PyInt_FromLong(X509_get_version(certificate) + 1);
 838		if (PyDict_SetItemString(retval, "version", version) < 0) {
 839			Py_DECREF(version);
 840			goto fail0;
 841		}
 842		Py_DECREF(version);
 843	}
 844	
 845	/* get a memory buffer */
 846	biobuf = BIO_new(BIO_s_mem());
 847	
 848	if (verbose) {
 849
 850		(void) BIO_reset(biobuf);
 851		serialNumber = X509_get_serialNumber(certificate);
 852		/* should not exceed 20 octets, 160 bits, so buf is big enough */
 853		i2a_ASN1_INTEGER(biobuf, serialNumber);
 854		len = BIO_gets(biobuf, buf, sizeof(buf)-1);
 855		if (len < 0) {
 856			_setSSLError(NULL, 0, __FILE__, __LINE__);
 857			goto fail1;
 858		}
 859		sn_obj = PyString_FromStringAndSize(buf, len);
 860		if (sn_obj == NULL)
 861			goto fail1;
 862		if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
 863			Py_DECREF(sn_obj);
 864			goto fail1;
 865		}
 866		Py_DECREF(sn_obj);
 867
 868		(void) BIO_reset(biobuf);
 869		notBefore = X509_get_notBefore(certificate);
 870		ASN1_TIME_print(biobuf, notBefore);
 871		len = BIO_gets(biobuf, buf, sizeof(buf)-1);
 872		if (len < 0) {
 873			_setSSLError(NULL, 0, __FILE__, __LINE__);
 874			goto fail1;
 875		}
 876		pnotBefore = PyString_FromStringAndSize(buf, len);
 877		if (pnotBefore == NULL)
 878			goto fail1;
 879		if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
 880			Py_DECREF(pnotBefore);
 881			goto fail1;
 882		}
 883		Py_DECREF(pnotBefore);
 884	}
 885
 886	(void) BIO_reset(biobuf);
 887	notAfter = X509_get_notAfter(certificate);
 888	ASN1_TIME_print(biobuf, notAfter);
 889	len = BIO_gets(biobuf, buf, sizeof(buf)-1);
 890	if (len < 0) {
 891		_setSSLError(NULL, 0, __FILE__, __LINE__);
 892		goto fail1;
 893	}
 894	pnotAfter = PyString_FromStringAndSize(buf, len);
 895	if (pnotAfter == NULL)
 896		goto fail1;
 897	if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
 898		Py_DECREF(pnotAfter);
 899		goto fail1;
 900	}
 901	Py_DECREF(pnotAfter);
 902
 903	/* Now look for subjectAltName */
 904
 905	peer_alt_names = _get_peer_alt_names(certificate);
 906	if (peer_alt_names == NULL)
 907		goto fail1;
 908	else if (peer_alt_names != Py_None) {
 909		if (PyDict_SetItemString(retval, "subjectAltName",
 910					 peer_alt_names) < 0) {
 911			Py_DECREF(peer_alt_names);
 912			goto fail1;
 913		}
 914		Py_DECREF(peer_alt_names);
 915	}
 916	
 917	BIO_free(biobuf);
 918	return retval;
 919
 920  fail1:
 921	if (biobuf != NULL)
 922		BIO_free(biobuf);
 923  fail0:
 924	Py_XDECREF(retval);
 925	return NULL;
 926}
 927
 928
 929static PyObject *
 930PySSL_test_decode_certificate (PyObject *mod, PyObject *args) {
 931
 932	PyObject *retval = NULL;
 933	char *filename = NULL;
 934	X509 *x=NULL;
 935	BIO *cert;
 936	int verbose = 1;
 937
 938	if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose))
 939		return NULL;
 940
 941	if ((cert=BIO_new(BIO_s_file())) == NULL) {
 942		PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file");
 943		goto fail0;
 944	}
 945
 946	if (BIO_read_filename(cert,filename) <= 0) {
 947		PyErr_SetString(PySSLErrorObject, "Can't open file");
 948		goto fail0;
 949	}
 950
 951	x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
 952	if (x == NULL) {
 953		PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file");
 954		goto fail0;
 955	}
 956
 957	retval = _decode_certificate(x, verbose);
 958
 959  fail0:
 960		
 961	if (cert != NULL) BIO_free(cert);
 962	return retval;
 963}
 964
 965
 966static PyObject *
 967PySSL_peercert(PySSLObject *self, PyObject *args)
 968{
 969	PyObject *retval = NULL;
 970	int len;
 971	int verification;
 972	PyObject *binary_mode = Py_None;
 973
 974	if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode))
 975		return NULL;
 976
 977	if (!self->peer_cert)
 978		Py_RETURN_NONE;
 979
 980	if (PyObject_IsTrue(binary_mode)) {
 981		/* return cert in DER-encoded format */
 982
 983		unsigned char *bytes_buf = NULL;
 984
 985		bytes_buf = NULL;
 986		len = i2d_X509(self->peer_cert, &bytes_buf);
 987		if (len < 0) {
 988			PySSL_SetError(self, len, __FILE__, __LINE__);
 989			return NULL;
 990		}
 991		retval = PyString_FromStringAndSize((const char *) bytes_buf, len);
 992		OPENSSL_free(bytes_buf);
 993		return retval;
 994
 995	} else {
 996
 997		verification = SSL_CTX_get_verify_mode(self->ctx);
 998		if ((verification & SSL_VERIFY_PEER) == 0)
 999			return PyDict_New();
1000		else
1001			return _decode_certificate (self->peer_cert, 0);
1002	}
1003}
1004
1005PyDoc_STRVAR(PySSL_peercert_doc,
1006"peer_certificate([der=False]) -> certificate\n\
1007\n\
1008Returns the certificate for the peer.  If no certificate was provided,\n\
1009returns None.  If a certificate was provided, but not validated, returns\n\
1010an empty dictionary.  Otherwise returns a dict containing information\n\
1011about the peer certificate.\n\
1012\n\
1013If the optional argument is True, returns a DER-encoded copy of the\n\
1014peer certificate, or None if no certificate was provided.  This will\n\
1015return the certificate even if it wasn't validated.");
1016
1017static PyObject *PySSL_cipher (PySSLObject *self) {
1018
1019	PyObject *retval, *v;
1020	SSL_CIPHER *current;
1021	char *cipher_name;
1022	char *cipher_protocol;
1023
1024	if (self->ssl == NULL)
1025		return Py_None;
1026	current = SSL_get_current_cipher(self->ssl);
1027	if (current == NULL)
1028		return Py_None;
1029
1030	retval = PyTuple_New(3);
1031	if (retval == NULL)
1032		return NULL;
1033
1034	cipher_name = (char *) SSL_CIPHER_get_name(current);
1035	if (cipher_name == NULL) {
1036		PyTuple_SET_ITEM(retval, 0, Py_None);
1037	} else {
1038		v = PyString_FromString(cipher_name);
1039		if (v == NULL)
1040			goto fail0;
1041		PyTuple_SET_ITEM(retval, 0, v);
1042	}
1043	cipher_protocol = SSL_CIPHER_get_version(current);
1044	if (cipher_protocol == NULL) {
1045		PyTuple_SET_ITEM(retval, 1, Py_None);
1046	} else {
1047		v = PyString_FromString(cipher_protocol);
1048		if (v == NULL)
1049			goto fail0;
1050		PyTuple_SET_ITEM(retval, 1, v);
1051	}
1052	v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL));
1053	if (v == NULL)
1054		goto fail0;
1055	PyTuple_SET_ITEM(retval, 2, v);
1056	return retval;
1057	
1058  fail0:
1059	Py_DECREF(retval);
1060	return NULL;
1061}
1062
1063static void PySSL_dealloc(PySSLObject *self)
1064{
1065	if (self->peer_cert)	/* Possible not to have one? */
1066		X509_free (self->peer_cert);
1067	if (self->ssl)
1068		SSL_free(self->ssl);
1069	if (self->ctx)
1070		SSL_CTX_free(self->ctx);
1071	Py_XDECREF(self->Socket);
1072	PyObject_Del(self);
1073}
1074
1075/* If the socket has a timeout, do a select()/poll() on the socket.
1076   The argument writing indicates the direction.
1077   Returns one of the possibilities in the timeout_state enum (above).
1078 */
1079
1080static int
1081check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
1082{
1083	fd_set fds;
1084	struct timeval tv;
1085	int rc;
1086
1087	/* Nothing to do unless we're in timeout mode (not non-blocking) */
1088	if (s->sock_timeout < 0.0)
1089		return SOCKET_IS_BLOCKING;
1090	else if (s->sock_timeout == 0.0)
1091		return SOCKET_IS_NONBLOCKING;
1092
1093	/* Guard against closed socket */
1094	if (s->sock_fd < 0)
1095		return SOCKET_HAS_BEEN_CLOSED;
1096
1097	/* Prefer poll, if available, since you can poll() any fd
1098	 * which can't be done with select(). */
1099#ifdef HAVE_POLL
1100	{
1101		struct pollfd pollfd;
1102		int timeout;
1103
1104		pollfd.fd = s->sock_fd;
1105		pollfd.events = writing ? POLLOUT : POLLIN;
1106
1107		/* s->sock_timeout is in seconds, timeout in ms */
1108		timeout = (int)(s->sock_timeout * 1000 + 0.5);
1109		PySSL_BEGIN_ALLOW_THREADS
1110		rc = poll(&pollfd, 1, timeout);
1111		PySSL_END_ALLOW_THREADS
1112
1113		goto normal_return;
1114	}
1115#endif
1116
1117	/* Guard against socket too large for select*/
1118#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
1119	if (s->sock_fd >= FD_SETSIZE)
1120		return SOCKET_TOO_LARGE_FOR_SELECT;
1121#endif
1122
1123	/* Construct the arguments to select */
1124	tv.tv_sec = (int)s->sock_timeout;
1125	tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6);
1126	FD_ZERO(&fds);
1127	FD_SET(s->sock_fd, &fds);
1128
1129	/* See if the socket is ready */
1130	PySSL_BEGIN_ALLOW_THREADS
1131	if (writing)
1132		rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv);
1133	else
1134		rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
1135	PySSL_END_ALLOW_THREADS
1136
1137#ifdef HAVE_POLL
1138normal_return:
1139#endif
1140	/* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1141	   (when we are able to write or when there's something to read) */
1142	return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
1143}
1144
1145static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args)
1146{
1147	char *data;
1148	int len;
1149	int count;
1150	int sockstate;
1151	int err;
1152        int nonblocking;
1153
1154	if (!PyArg_ParseTuple(args, "s#:write", &data, &count))
1155		return NULL;
1156
1157        /* just in case the blocking state of the socket has been changed */
1158	nonblocking = (self->Socket->sock_timeout >= 0.0);
1159        BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1160        BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1161
1162	sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
1163	if (sockstate == SOCKET_HAS_TIMED_OUT) {
1164		PyErr_SetString(PySSLErrorObject,
1165                                "The write operation timed out");
1166		return NULL;
1167	} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1168		PyErr_SetString(PySSLErrorObject,
1169                                "Underlying socket has been closed.");
1170		return NULL;
1171	} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1172		PyErr_SetString(PySSLErrorObject,
1173                                "Underlying socket too large for select().");
1174		return NULL;
1175	}
1176	do {
1177		err = 0;
1178		PySSL_BEGIN_ALLOW_THREADS
1179		len = SSL_write(self->ssl, data, count);
1180		err = SSL_get_error(self->ssl, len);
1181		PySSL_END_ALLOW_THREADS
1182		if(PyErr_CheckSignals()) {
1183			return NULL;
1184		}
1185		if (err == SSL_ERROR_WANT_READ) {
1186			sockstate =
1187                            check_socket_and_wait_for_timeout(self->Socket, 0);
1188		} else if (err == SSL_ERROR_WANT_WRITE) {
1189			sockstate =
1190                            check_socket_and_wait_for_timeout(self->Socket, 1);
1191		} else {
1192			sockstate = SOCKET_OPERATION_OK;
1193		}
1194		if (sockstate == SOCKET_HAS_TIMED_OUT) {
1195			PyErr_SetString(PySSLErrorObject,
1196                                        "The write operation timed out");
1197			return NULL;
1198		} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1199			PyErr_SetString(PySSLErrorObject,
1200                                        "Underlying socket has been closed.");
1201			return NULL;
1202		} else if (sockstate == SOCKET_IS_NONBLOCKING) {
1203			break;
1204		}
1205	} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
1206	if (len > 0)
1207		return PyInt_FromLong(len);
1208	else
1209		return PySSL_SetError(self, len, __FILE__, __LINE__);
1210}
1211
1212PyDoc_STRVAR(PySSL_SSLwrite_doc,
1213"write(s) -> len\n\
1214\n\
1215Writes the string s into the SSL object.  Returns the number\n\
1216of bytes written.");
1217
1218static PyObject *PySSL_SSLpending(PySSLObject *self)
1219{
1220	int count = 0;
1221
1222	PySSL_BEGIN_ALLOW_THREADS
1223	count = SSL_pending(self->ssl);
1224	PySSL_END_ALLOW_THREADS
1225	if (count < 0)
1226		return PySSL_SetError(self, count, __FILE__, __LINE__);
1227	else
1228		return PyInt_FromLong(count);
1229}
1230
1231PyDoc_STRVAR(PySSL_SSLpending_doc,
1232"pending() -> count\n\
1233\n\
1234Returns the number of already decrypted bytes available for read,\n\
1235pending on the connection.\n");
1236
1237static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
1238{
1239	PyObject *buf;
1240	int count = 0;
1241	int len = 1024;
1242	int sockstate;
1243	int err;
1244        int nonblocking;
1245
1246	if (!PyArg_ParseTuple(args, "|i:read", &len))
1247		return NULL;
1248
1249	if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
1250		return NULL;
1251
1252        /* just in case the blocking state of the socket has been changed */
1253	nonblocking = (self->Socket->sock_timeout >= 0.0);
1254        BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1255        BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1256
1257	/* first check if there are bytes ready to be read */
1258	PySSL_BEGIN_ALLOW_THREADS
1259	count = SSL_pending(self->ssl);
1260	PySSL_END_ALLOW_THREADS
1261
1262	if (!count) {
1263		sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
1264		if (sockstate == SOCKET_HAS_TIMED_OUT) {
1265			PyErr_SetString(PySSLErrorObject,
1266					"The read operation timed out");
1267			Py_DECREF(buf);
1268			return NULL;
1269		} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1270			PyErr_SetString(PySSLErrorObject,
1271				"Underlying socket too large for select().");
1272			Py_DECREF(buf);
1273			return NULL;
1274		} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1275			if (SSL_get_shutdown(self->ssl) !=
1276			    SSL_RECEIVED_SHUTDOWN)
1277			{
1278                            Py_DECREF(buf);
1279                            PyErr_SetString(PySSLErrorObject,
1280                              "Socket closed without SSL shutdown handshake");
1281				return NULL;
1282			} else {
1283				/* should contain a zero-length string */
1284				_PyString_Resize(&buf, 0);
1285				return buf;
1286			}
1287		}
1288	}
1289	do {
1290		err = 0;
1291		PySSL_BEGIN_ALLOW_THREADS
1292		count = SSL_read(self->ssl, PyString_AsString(buf), len);
1293		err = SSL_get_error(self->ssl, count);
1294		PySSL_END_ALLOW_THREADS
1295		if(PyErr_CheckSignals()) {
1296			Py_DECREF(buf);
1297			return NULL;
1298		}
1299		if (err == SSL_ERROR_WANT_READ) {
1300			sockstate =
1301			  check_socket_and_wait_for_timeout(self->Socket, 0);
1302		} else if (err == SSL_ERROR_WANT_WRITE) {
1303			sockstate =
1304			  check_socket_and_wait_for_timeout(self->Socket, 1);
1305		} else if ((err == SSL_ERROR_ZERO_RETURN) &&
1306			   (SSL_get_shutdown(self->ssl) ==
1307			    SSL_RECEIVED_SHUTDOWN))
1308		{
1309			_PyString_Resize(&buf, 0);
1310			return buf;
1311		} else {
1312			sockstate = SOCKET_OPERATION_OK;
1313		}
1314		if (sockstate == SOCKET_HAS_TIMED_OUT) {
1315			PyErr_SetString(PySSLErrorObject,
1316					"The read operation timed out");
1317			Py_DECREF(buf);
1318			return NULL;
1319		} else if (sockstate == SOCKET_IS_NONBLOCKING) {
1320			break;
1321		}
1322	} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
1323	if (count <= 0) {
1324		Py_DECREF(buf);
1325		return PySSL_SetError(self, count, __FILE__, __LINE__);
1326	}
1327	if (count != len)
1328		_PyString_Resize(&buf, count);
1329	return buf;
1330}
1331
1332PyDoc_STRVAR(PySSL_SSLread_doc,
1333"read([len]) -> string\n\
1334\n\
1335Read up to len bytes from the SSL socket.");
1336
1337static PyObject *PySSL_SSLshutdown(PySSLObject *self)
1338{
1339	int err;
1340
1341	/* Guard against closed socket */
1342	if (self->Socket->sock_fd < 0) {
1343		PyErr_SetString(PySSLErrorObject,
1344				"Underlying socket has been closed.");
1345		return NULL;
1346	}
1347
1348	PySSL_BEGIN_ALLOW_THREADS
1349	err = SSL_shutdown(self->ssl);
1350	if (err == 0) {
1351		/* we need to call it again to finish the shutdown */
1352		err = SSL_shutdown(self->ssl);
1353	}
1354	PySSL_END_ALLOW_THREADS
1355
1356	if (err < 0)
1357		return PySSL_SetError(self, err, __FILE__, __LINE__);
1358	else {
1359		Py_INCREF(self->Socket);
1360		return (PyObject *) (self->Socket);
1361	}
1362}
1363
1364PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1365"shutdown(s) -> socket\n\
1366\n\
1367Does the SSL shutdown handshake with the remote end, and returns\n\
1368the underlying socket object.");
1369
1370static PyMethodDef PySSLMethods[] = {
1371	{"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
1372	{"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
1373	 PySSL_SSLwrite_doc},
1374	{"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
1375	 PySSL_SSLread_doc},
1376	{"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
1377	 PySSL_SSLpending_doc},
1378	{"server", (PyCFunction)PySSL_server, METH_NOARGS},
1379	{"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
1380	{"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
1381	 PySSL_peercert_doc},
1382	{"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
1383	{"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
1384         PySSL_SSLshutdown_doc},
1385	{NULL, NULL}
1386};
1387
1388static PyObject *PySSL_getattr(PySSLObject *self, char *name)
1389{
1390	return Py_FindMethod(PySSLMethods, (PyObject *)self, name);
1391}
1392
1393static PyTypeObject PySSL_Type = {
1394	PyVarObject_HEAD_INIT(NULL, 0)
1395	"ssl.SSLContext",		/*tp_name*/
1396	sizeof(PySSLObject),		/*tp_basicsize*/
1397	0,				/*tp_itemsize*/
1398	/* methods */
1399	(destructor)PySSL_dealloc,	/*tp_dealloc*/
1400	0,				/*tp_print*/
1401	(getattrfunc)PySSL_getattr,	/*tp_getattr*/
1402	0,				/*tp_setattr*/
1403	0,				/*tp_compare*/
1404	0,				/*tp_repr*/
1405	0,				/*tp_as_number*/
1406	0,				/*tp_as_sequence*/
1407	0,				/*tp_as_mapping*/
1408	0,				/*tp_hash*/
1409};
1410
1411#ifdef HAVE_OPENSSL_RAND
1412
1413/* helper routines for seeding the SSL PRNG */
1414static PyObject *
1415PySSL_RAND_add(PyObject *self, PyObject *args)
1416{
1417    char *buf;
1418    int len;
1419    double entropy;
1420
1421    if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy))
1422	return NULL;
1423    RAND_add(buf, len, entropy);
1424    Py_INCREF(Py_None);
1425    return Py_None;
1426}
1427
1428PyDoc_STRVAR(PySSL_RAND_add_doc,
1429"RAND_add(string, entropy)\n\
1430\n\
1431Mix string into the OpenSSL PRNG state.  entropy (a float) is a lower\n\
1432bound on the entropy contained in string.  See RFC 1750.");
1433
1434static PyObject *
1435PySSL_RAND_status(PyObject *self)
1436{
1437    return PyInt_FromLong(RAND_status());
1438}
1439
1440PyDoc_STRVAR(PySSL_RAND_status_doc,
1441"RAND_status() -> 0 or 1\n\
1442\n\
1443Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\
1444It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
1445using the ssl() function.");
1446
1447static PyObject *
1448PySSL_RAND_egd(PyObject *self, PyObject *arg)
1449{
1450    int bytes;
1451
1452    if (!PyString_Check(arg))
1453	return PyErr_Format(PyExc_TypeError,
1454			    "RAND_egd() expected string, found %s",
1455			    Py_TYPE(arg)->tp_name);
1456    bytes = RAND_egd(PyString_AS_STRING(arg));
1457    if (bytes == -1) {
1458	PyErr_SetString(PySSLErrorObject,
1459			"EGD connection failed or EGD did not return "
1460			"enough data to seed the PRNG");
1461	return NULL;
1462    }
1463    return PyInt_FromLong(bytes);
1464}
1465
1466PyDoc_STRVAR(PySSL_RAND_egd_doc,
1467"RAND_egd(path) -> bytes\n\
1468\n\
1469Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
1470Returns number of bytes read.  Raises SSLError if connection to EGD\n\
1471fails or if it does provide enough data to seed PRNG.");
1472
1473#endif
1474
1475/* List of functions exported by this module. */
1476
1477static PyMethodDef PySSL_methods[] = {
1478	{"sslwrap",             PySSL_sslwrap,
1479         METH_VARARGS, ssl_doc},
1480	{"_test_decode_cert",	PySSL_test_decode_certificate,
1481	 METH_VARARGS},
1482#ifdef HAVE_OPENSSL_RAND
1483	{"RAND_add",            PySSL_RAND_add, METH_VARARGS,
1484	 PySSL_RAND_add_doc},
1485	{"RAND_egd",            PySSL_RAND_egd, METH_O,
1486	 PySSL_RAND_egd_doc},
1487	{"RAND_status",         (PyCFunction)PySSL_RAND_status, METH_NOARGS,
1488	 PySSL_RAND_status_doc},
1489#endif
1490	{NULL,                  NULL}            /* Sentinel */
1491};
1492
1493
1494#ifdef WITH_THREAD
1495
1496/* an implementation of OpenSSL threading operations in terms
1497   of the Python C thread library */
1498
1499static PyThread_type_lock *_ssl_locks = NULL;
1500
1501static unsigned long _ssl_thread_id_function (void) {
1502	return PyThread_get_thread_ident();
1503}
1504
1505static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) {
1506	/* this function is needed to perform locking on shared data
1507	   structures. (Note that OpenSSL uses a number of global data
1508	   structures that will be implicitly shared whenever multiple threads
1509	   use OpenSSL.) Multi-threaded applications will crash at random if
1510	   it is not set.
1511
1512	   locking_function() must be able to handle up to CRYPTO_num_locks()
1513	   different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and
1514	   releases it otherwise.
1515
1516	   file and line are the file number of the function setting the
1517	   lock. They can be useful for debugging.
1518	*/
1519
1520	if ((_ssl_locks == NULL) ||
1521	    (n < 0) || ((unsigned)n >= _ssl_locks_count))
1522		return;
1523
1524	if (mode & CRYPTO_LOCK) {
1525		PyThread_acquire_lock(_ssl_locks[n], 1);
1526	} else {
1527		PyThread_release_lock(_ssl_locks[n]);
1528	}
1529}
1530
1531static int _setup_ssl_threads(void) {
1532
1533	unsigned int i;
1534
1535	if (_ssl_locks == NULL) {
1536		_ssl_locks_count = CRYPTO_num_locks();
1537		_ssl_locks = (PyThread_type_lock *)
1538			malloc(sizeof(PyThread_type_lock) * _ssl_locks_count);
1539		if (_ssl_locks == NULL)
1540			return 0;
1541		memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count);
1542		for (i = 0;  i < _ssl_locks_count;  i++) {
1543			_ssl_locks[i] = PyThread_allocate_lock();
1544			if (_ssl_locks[i] == NULL) {
1545				unsigned int j;
1546				for (j = 0;  j < i;  j++) {
1547					PyThread_free_lock(_ssl_locks[j]);
1548				}
1549				free(_ssl_locks);
1550				return 0;
1551			}
1552		}
1553		CRYPTO_set_locking_callback(_ssl_thread_locking_function);
1554		CRYPTO_set_id_callback(_ssl_thread_id_function);
1555	}
1556	return 1;
1557}
1558
1559#endif	/* def HAVE_THREAD */
1560
1561PyDoc_STRVAR(module_doc,
1562"Implementation module for SSL socket operations.  See the socket module\n\
1563for documentation.");
1564
1565PyMODINIT_FUNC
1566init_ssl(void)
1567{
1568	PyObject *m, *d;
1569
1570	Py_TYPE(&PySSL_Type) = &PyType_Type;
1571
1572	m = Py_InitModule3("_ssl", PySSL_methods, module_doc);
1573	if (m == NULL)
1574		return;
1575	d = PyModule_GetDict(m);
1576
1577	/* Load _socket module and its C API */
1578	if (PySocketModule_ImportModuleAndAPI())
1579		return;
1580
1581	/* Init OpenSSL */
1582	SSL_load_error_strings();
1583#ifdef WITH_THREAD
1584	/* note that this will start threading if not already started */
1585	if (!_setup_ssl_threads()) {
1586		return;
1587	}
1588#endif
1589	SSLeay_add_ssl_algorithms();
1590
1591	/* Add symbols to module dict */
1592	PySSLErrorObject = PyErr_NewException("ssl.SSLError",
1593					      PySocketModule.error,
1594					      NULL);
1595	if (PySSLErrorObject == NULL)
1596		return;
1597	if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0)
1598		return;
1599	if (PyDict_SetItemString(d, "SSLType",
1600				 (PyObject *)&PySSL_Type) != 0)
1601		return;
1602	PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
1603				PY_SSL_ERROR_ZERO_RETURN);
1604	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
1605				PY_SSL_ERROR_WANT_READ);
1606	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
1607				PY_SSL_ERROR_WANT_WRITE);
1608	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
1609				PY_SSL_ERROR_WANT_X509_LOOKUP);
1610	PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
1611				PY_SSL_ERROR_SYSCALL);
1612	PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
1613				PY_SSL_ERROR_SSL);
1614	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
1615				PY_SSL_ERROR_WANT_CONNECT);
1616	/* non ssl.h errorcodes */
1617	PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
1618				PY_SSL_ERROR_EOF);
1619	PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
1620				PY_SSL_ERROR_INVALID_ERROR_CODE);
1621	/* cert requirements */
1622	PyModule_AddIntConstant(m, "CERT_NONE",
1623				PY_SSL_CERT_NONE);
1624	PyModule_AddIntConstant(m, "CERT_OPTIONAL",
1625				PY_SSL_CERT_OPTIONAL);
1626	PyModule_AddIntConstant(m, "CERT_REQUIRED",
1627				PY_SSL_CERT_REQUIRED);
1628
1629	/* protocol versions */
1630	PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
1631				PY_SSL_VERSION_SSL2);
1632	PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
1633				PY_SSL_VERSION_SSL3);
1634	PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
1635				PY_SSL_VERSION_SSL23);
1636	PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
1637				PY_SSL_VERSION_TLS1);
1638}