Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(158475)

Delta Between Two Patch Sets: Modules/_ssl.c

Issue 23001: Accept mutable bytes-like objects
Left Patch Set: Created 5 years ago
Right Patch Set: Created 4 years, 8 months ago
Left:
Right:
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
Left: Side by side diff | Download
Right: Side by side diff | Download
« Modules/fcntlmodule.c ('K') | « Modules/socketmodule.c ('k') | no next file » | no next file with change/comment »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
LEFTRIGHT
1 /* SSL socket module 1 /* SSL socket module
2 2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs. 3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4 Re-worked a bit by Bill Janssen to add server-side support and 4 Re-worked a bit by Bill Janssen to add server-side support and
5 certificate decoding. Chris Stawarz contributed some non-blocking 5 certificate decoding. Chris Stawarz contributed some non-blocking
6 patches. 6 patches.
7 7
8 This module is imported by ssl.py. It should *not* be used 8 This module is imported by ssl.py. It should *not* be used
9 directly. 9 directly.
10 10
(...skipping 89 matching lines...) Expand 10 before | Expand all | Expand 10 after
100 # define HAVE_TLSv1_2 0 100 # define HAVE_TLSv1_2 0
101 #endif 101 #endif
102 102
103 /* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f 103 /* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
104 * This includes the SSL_set_SSL_CTX() function. 104 * This includes the SSL_set_SSL_CTX() function.
105 */ 105 */
106 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 106 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
107 # define HAVE_SNI 1 107 # define HAVE_SNI 1
108 #else 108 #else
109 # define HAVE_SNI 0 109 # define HAVE_SNI 0
110 #endif
111
112 /* ALPN added in OpenSSL 1.0.2 */
113 #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1000200fL & & !defined(OPENSSL_NO_TLSEXT)
114 # define HAVE_ALPN
110 #endif 115 #endif
111 116
112 enum py_ssl_error { 117 enum py_ssl_error {
113 /* these mirror ssl.h */ 118 /* these mirror ssl.h */
114 PY_SSL_ERROR_NONE, 119 PY_SSL_ERROR_NONE,
115 PY_SSL_ERROR_SSL, 120 PY_SSL_ERROR_SSL,
116 PY_SSL_ERROR_WANT_READ, 121 PY_SSL_ERROR_WANT_READ,
117 PY_SSL_ERROR_WANT_WRITE, 122 PY_SSL_ERROR_WANT_WRITE,
118 PY_SSL_ERROR_WANT_X509_LOOKUP, 123 PY_SSL_ERROR_WANT_X509_LOOKUP,
119 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */ 124 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
155 /* 0 means no, greater than 0 means yes */ 160 /* 0 means no, greater than 0 means yes */
156 161
157 static unsigned int _ssl_locks_count = 0; 162 static unsigned int _ssl_locks_count = 0;
158 163
159 #endif /* def WITH_THREAD */ 164 #endif /* def WITH_THREAD */
160 165
161 /* SSL socket object */ 166 /* SSL socket object */
162 167
163 #define X509_NAME_MAXLEN 256 168 #define X509_NAME_MAXLEN 256
164 169
165 /* RAND_* APIs got added to OpenSSL in 0.9.5 */
166 #if OPENSSL_VERSION_NUMBER >= 0x0090500fL
167 # define HAVE_OPENSSL_RAND 1
168 #else
169 # undef HAVE_OPENSSL_RAND
170 #endif
171
172 /* SSL_CTX_clear_options() and SSL_clear_options() were first added in 170 /* SSL_CTX_clear_options() and SSL_clear_options() were first added in
173 * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the 171 * OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the
174 * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */ 172 * 0.9.9 from "May 2008" that NetBSD 5.0 uses. */
175 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x0090900 0L 173 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x0090900 0L
176 # define HAVE_SSL_CTX_CLEAR_OPTIONS 174 # define HAVE_SSL_CTX_CLEAR_OPTIONS
177 #else 175 #else
178 # undef HAVE_SSL_CTX_CLEAR_OPTIONS 176 # undef HAVE_SSL_CTX_CLEAR_OPTIONS
179 #endif 177 #endif
180 178
181 /* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for 179 /* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
182 * older SSL, but let's be safe */ 180 * older SSL, but let's be safe */
183 #define PySSL_CB_MAXLEN 128 181 #define PySSL_CB_MAXLEN 128
184 182
185 /* SSL_get_finished got added to OpenSSL in 0.9.5 */
186 #if OPENSSL_VERSION_NUMBER >= 0x0090500fL
187 # define HAVE_OPENSSL_FINISHED 1
188 #else
189 # define HAVE_OPENSSL_FINISHED 0
190 #endif
191
192 /* ECDH support got added to OpenSSL in 0.9.8 */
193 #if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_ECDH)
194 # define OPENSSL_NO_ECDH
195 #endif
196
197 /* compression support got added to OpenSSL in 0.9.8 */
198 #if OPENSSL_VERSION_NUMBER < 0x0090800fL && !defined(OPENSSL_NO_COMP)
199 # define OPENSSL_NO_COMP
200 #endif
201
202 /* X509_VERIFY_PARAM got added to OpenSSL in 0.9.8 */
203 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
204 # define HAVE_OPENSSL_VERIFY_PARAM
205 #endif
206
207 183
208 typedef struct { 184 typedef struct {
209 PyObject_HEAD 185 PyObject_HEAD
210 SSL_CTX *ctx; 186 SSL_CTX *ctx;
211 #ifdef OPENSSL_NPN_NEGOTIATED 187 #ifdef OPENSSL_NPN_NEGOTIATED
212 char *npn_protocols; 188 unsigned char *npn_protocols;
213 int npn_protocols_len; 189 int npn_protocols_len;
190 #endif
191 #ifdef HAVE_ALPN
192 unsigned char *alpn_protocols;
193 int alpn_protocols_len;
214 #endif 194 #endif
215 #ifndef OPENSSL_NO_TLSEXT 195 #ifndef OPENSSL_NO_TLSEXT
216 PyObject *set_hostname; 196 PyObject *set_hostname;
217 #endif 197 #endif
218 int check_hostname; 198 int check_hostname;
219 } PySSLContext; 199 } PySSLContext;
220 200
221 typedef struct { 201 typedef struct {
222 PyObject_HEAD 202 PyObject_HEAD
223 PyObject *Socket; /* weakref to socket on which we're layered */ 203 PyObject *Socket; /* weakref to socket on which we're layered */
(...skipping 586 matching lines...) Expand 10 before | Expand all | Expand 10 after
810 PyObject *peer_alt_names = Py_None; 790 PyObject *peer_alt_names = Py_None;
811 PyObject *v = NULL, *t; 791 PyObject *v = NULL, *t;
812 X509_EXTENSION *ext = NULL; 792 X509_EXTENSION *ext = NULL;
813 GENERAL_NAMES *names = NULL; 793 GENERAL_NAMES *names = NULL;
814 GENERAL_NAME *name; 794 GENERAL_NAME *name;
815 const X509V3_EXT_METHOD *method; 795 const X509V3_EXT_METHOD *method;
816 BIO *biobuf = NULL; 796 BIO *biobuf = NULL;
817 char buf[2048]; 797 char buf[2048];
818 char *vptr; 798 char *vptr;
819 int len; 799 int len;
820 /* Issue #2973: ASN1_item_d2i() API changed in OpenSSL 0.9.6m */
821 #if OPENSSL_VERSION_NUMBER >= 0x009060dfL
822 const unsigned char *p; 800 const unsigned char *p;
823 #else
824 unsigned char *p;
825 #endif
826 801
827 if (certificate == NULL) 802 if (certificate == NULL)
828 return peer_alt_names; 803 return peer_alt_names;
829 804
830 /* get a memory buffer */ 805 /* get a memory buffer */
831 biobuf = BIO_new(BIO_s_mem()); 806 biobuf = BIO_new(BIO_s_mem());
832 807
833 i = -1; 808 i = -1;
834 while ((i = X509_get_ext_by_NID( 809 while ((i = X509_get_ext_by_NID(
835 certificate, NID_subject_alt_name, i)) >= 0) { 810 certificate, NID_subject_alt_name, i)) >= 0) {
(...skipping 551 matching lines...) Expand 10 before | Expand all | Expand 10 after
1387 \n\ 1362 \n\
1388 Returns the certificate for the peer. If no certificate was provided,\n\ 1363 Returns the certificate for the peer. If no certificate was provided,\n\
1389 returns None. If a certificate was provided, but not validated, returns\n\ 1364 returns None. If a certificate was provided, but not validated, returns\n\
1390 an empty dictionary. Otherwise returns a dict containing information\n\ 1365 an empty dictionary. Otherwise returns a dict containing information\n\
1391 about the peer certificate.\n\ 1366 about the peer certificate.\n\
1392 \n\ 1367 \n\
1393 If the optional argument is True, returns a DER-encoded copy of the\n\ 1368 If the optional argument is True, returns a DER-encoded copy of the\n\
1394 peer certificate, or None if no certificate was provided. This will\n\ 1369 peer certificate, or None if no certificate was provided. This will\n\
1395 return the certificate even if it wasn't validated."); 1370 return the certificate even if it wasn't validated.");
1396 1371
1397 static PyObject *PySSL_cipher (PySSLSocket *self) { 1372 static PyObject *
1398 1373 cipher_to_tuple(const SSL_CIPHER *cipher)
1399 PyObject *retval, *v; 1374 {
1400 const SSL_CIPHER *current; 1375 const char *cipher_name, *cipher_protocol;
1401 char *cipher_name; 1376 PyObject *v, *retval = PyTuple_New(3);
1402 char *cipher_protocol;
1403
1404 if (self->ssl == NULL)
1405 Py_RETURN_NONE;
1406 current = SSL_get_current_cipher(self->ssl);
1407 if (current == NULL)
1408 Py_RETURN_NONE;
1409
1410 retval = PyTuple_New(3);
1411 if (retval == NULL) 1377 if (retval == NULL)
1412 return NULL; 1378 return NULL;
1413 1379
1414 cipher_name = (char *) SSL_CIPHER_get_name(current); 1380 cipher_name = SSL_CIPHER_get_name(cipher);
1415 if (cipher_name == NULL) { 1381 if (cipher_name == NULL) {
1416 Py_INCREF(Py_None); 1382 Py_INCREF(Py_None);
1417 PyTuple_SET_ITEM(retval, 0, Py_None); 1383 PyTuple_SET_ITEM(retval, 0, Py_None);
1418 } else { 1384 } else {
1419 v = PyUnicode_FromString(cipher_name); 1385 v = PyUnicode_FromString(cipher_name);
1420 if (v == NULL) 1386 if (v == NULL)
1421 goto fail0; 1387 goto fail;
1422 PyTuple_SET_ITEM(retval, 0, v); 1388 PyTuple_SET_ITEM(retval, 0, v);
1423 } 1389 }
1424 cipher_protocol = (char *) SSL_CIPHER_get_version(current); 1390
1391 cipher_protocol = SSL_CIPHER_get_version(cipher);
1425 if (cipher_protocol == NULL) { 1392 if (cipher_protocol == NULL) {
1426 Py_INCREF(Py_None); 1393 Py_INCREF(Py_None);
1427 PyTuple_SET_ITEM(retval, 1, Py_None); 1394 PyTuple_SET_ITEM(retval, 1, Py_None);
1428 } else { 1395 } else {
1429 v = PyUnicode_FromString(cipher_protocol); 1396 v = PyUnicode_FromString(cipher_protocol);
1430 if (v == NULL) 1397 if (v == NULL)
1431 goto fail0; 1398 goto fail;
1432 PyTuple_SET_ITEM(retval, 1, v); 1399 PyTuple_SET_ITEM(retval, 1, v);
1433 } 1400 }
1434 v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL)); 1401
1402 v = PyLong_FromLong(SSL_CIPHER_get_bits(cipher, NULL));
1435 if (v == NULL) 1403 if (v == NULL)
1436 goto fail0; 1404 goto fail;
1437 PyTuple_SET_ITEM(retval, 2, v); 1405 PyTuple_SET_ITEM(retval, 2, v);
1406
1438 return retval; 1407 return retval;
1439 1408
1440 fail0: 1409 fail:
1441 Py_DECREF(retval); 1410 Py_DECREF(retval);
1442 return NULL; 1411 return NULL;
1412 }
1413
1414 static PyObject *PySSL_shared_ciphers(PySSLSocket *self)
1415 {
1416 SSL_SESSION *sess = SSL_get_session(self->ssl);
1417 STACK_OF(SSL_CIPHER) *ciphers;
1418 int i;
1419 PyObject *res;
1420
1421 if (!sess || !sess->ciphers)
1422 Py_RETURN_NONE;
1423 ciphers = sess->ciphers;
1424 res = PyList_New(sk_SSL_CIPHER_num(ciphers));
1425 if (!res)
1426 return NULL;
1427 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1428 PyObject *tup = cipher_to_tuple(sk_SSL_CIPHER_value(ciphers, i));
1429 if (!tup) {
1430 Py_DECREF(res);
1431 return NULL;
1432 }
1433 PyList_SET_ITEM(res, i, tup);
1434 }
1435 return res;
1436 }
1437
1438 static PyObject *PySSL_cipher (PySSLSocket *self)
1439 {
1440 const SSL_CIPHER *current;
1441
1442 if (self->ssl == NULL)
1443 Py_RETURN_NONE;
1444 current = SSL_get_current_cipher(self->ssl);
1445 if (current == NULL)
1446 Py_RETURN_NONE;
1447 return cipher_to_tuple(current);
1443 } 1448 }
1444 1449
1445 static PyObject *PySSL_version(PySSLSocket *self) 1450 static PyObject *PySSL_version(PySSLSocket *self)
1446 { 1451 {
1447 const char *version; 1452 const char *version;
1448 1453
1449 if (self->ssl == NULL) 1454 if (self->ssl == NULL)
1450 Py_RETURN_NONE; 1455 Py_RETURN_NONE;
1451 version = SSL_get_version(self->ssl); 1456 version = SSL_get_version(self->ssl);
1452 if (!strcmp(version, "unknown")) 1457 if (!strcmp(version, "unknown"))
1453 Py_RETURN_NONE; 1458 Py_RETURN_NONE;
1454 return PyUnicode_FromString(version); 1459 return PyUnicode_FromString(version);
1455 } 1460 }
1456 1461
1457 #ifdef OPENSSL_NPN_NEGOTIATED 1462 #ifdef OPENSSL_NPN_NEGOTIATED
1458 static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) { 1463 static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
1459 const unsigned char *out; 1464 const unsigned char *out;
1460 unsigned int outlen; 1465 unsigned int outlen;
1461 1466
1462 SSL_get0_next_proto_negotiated(self->ssl, 1467 SSL_get0_next_proto_negotiated(self->ssl,
1463 &out, &outlen); 1468 &out, &outlen);
1464 1469
1465 if (out == NULL) 1470 if (out == NULL)
1466 Py_RETURN_NONE; 1471 Py_RETURN_NONE;
1467 return PyUnicode_FromStringAndSize((char *) out, outlen); 1472 return PyUnicode_FromStringAndSize((char *)out, outlen);
1473 }
1474 #endif
1475
1476 #ifdef HAVE_ALPN
1477 static PyObject *PySSL_selected_alpn_protocol(PySSLSocket *self) {
1478 const unsigned char *out;
1479 unsigned int outlen;
1480
1481 SSL_get0_alpn_selected(self->ssl, &out, &outlen);
1482
1483 if (out == NULL)
1484 Py_RETURN_NONE;
1485 return PyUnicode_FromStringAndSize((char *)out, outlen);
1468 } 1486 }
1469 #endif 1487 #endif
1470 1488
1471 static PyObject *PySSL_compression(PySSLSocket *self) { 1489 static PyObject *PySSL_compression(PySSLSocket *self) {
1472 #ifdef OPENSSL_NO_COMP 1490 #ifdef OPENSSL_NO_COMP
1473 Py_RETURN_NONE; 1491 Py_RETURN_NONE;
1474 #else 1492 #else
1475 const COMP_METHOD *comp_method; 1493 const COMP_METHOD *comp_method;
1476 const char *short_name; 1494 const char *short_name;
1477 1495
(...skipping 338 matching lines...) Expand 10 before | Expand all | Expand 10 after
1816 } 1834 }
1817 } 1835 }
1818 1836
1819 if (sock != NULL) { 1837 if (sock != NULL) {
1820 /* just in case the blocking state of the socket has been changed */ 1838 /* just in case the blocking state of the socket has been changed */
1821 nonblocking = (sock->sock_timeout >= 0.0); 1839 nonblocking = (sock->sock_timeout >= 0.0);
1822 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1840 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1823 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1841 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1824 } 1842 }
1825 1843
1826 /* first check if there are bytes ready to be read */
1827 PySSL_BEGIN_ALLOW_THREADS
1828 count = SSL_pending(self->ssl);
1829 PySSL_END_ALLOW_THREADS
1830
1831 if (!count) {
1832 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1833 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1834 PyErr_SetString(PySocketModule.timeout_error,
1835 "The read operation timed out");
1836 goto error;
1837 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1838 PyErr_SetString(PySSLErrorObject,
1839 "Underlying socket too large for select().");
1840 goto error;
1841 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1842 count = 0;
1843 goto done;
1844 }
1845 }
1846 do { 1844 do {
1847 PySSL_BEGIN_ALLOW_THREADS 1845 PySSL_BEGIN_ALLOW_THREADS
1848 count = SSL_read(self->ssl, mem, len); 1846 count = SSL_read(self->ssl, mem, len);
1849 err = SSL_get_error(self->ssl, count); 1847 err = SSL_get_error(self->ssl, count);
1850 PySSL_END_ALLOW_THREADS 1848 PySSL_END_ALLOW_THREADS
1851 if (PyErr_CheckSignals()) 1849 if (PyErr_CheckSignals())
1852 goto error; 1850 goto error;
1853 if (err == SSL_ERROR_WANT_READ) { 1851 if (err == SSL_ERROR_WANT_READ) {
1854 sockstate = check_socket_and_wait_for_timeout(sock, 0); 1852 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1855 } else if (err == SSL_ERROR_WANT_WRITE) { 1853 } else if (err == SSL_ERROR_WANT_WRITE) {
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after
1991 Py_XDECREF(sock); 1989 Py_XDECREF(sock);
1992 return NULL; 1990 return NULL;
1993 } 1991 }
1994 1992
1995 PyDoc_STRVAR(PySSL_SSLshutdown_doc, 1993 PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1996 "shutdown(s) -> socket\n\ 1994 "shutdown(s) -> socket\n\
1997 \n\ 1995 \n\
1998 Does the SSL shutdown handshake with the remote end, and returns\n\ 1996 Does the SSL shutdown handshake with the remote end, and returns\n\
1999 the underlying socket object."); 1997 the underlying socket object.");
2000 1998
2001 #if HAVE_OPENSSL_FINISHED
2002 static PyObject * 1999 static PyObject *
2003 PySSL_tls_unique_cb(PySSLSocket *self) 2000 PySSL_tls_unique_cb(PySSLSocket *self)
2004 { 2001 {
2005 PyObject *retval = NULL; 2002 PyObject *retval = NULL;
2006 char buf[PySSL_CB_MAXLEN]; 2003 char buf[PySSL_CB_MAXLEN];
2007 size_t len; 2004 size_t len;
2008 2005
2009 if (SSL_session_reused(self->ssl) ^ !self->socket_type) { 2006 if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
2010 /* if session is resumed XOR we are the client */ 2007 /* if session is resumed XOR we are the client */
2011 len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN); 2008 len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN);
(...skipping 11 matching lines...) Expand all
2023 2020
2024 return retval; 2021 return retval;
2025 } 2022 }
2026 2023
2027 PyDoc_STRVAR(PySSL_tls_unique_cb_doc, 2024 PyDoc_STRVAR(PySSL_tls_unique_cb_doc,
2028 "tls_unique_cb() -> bytes\n\ 2025 "tls_unique_cb() -> bytes\n\
2029 \n\ 2026 \n\
2030 Returns the 'tls-unique' channel binding data, as defined by RFC 5929.\n\ 2027 Returns the 'tls-unique' channel binding data, as defined by RFC 5929.\n\
2031 \n\ 2028 \n\
2032 If the TLS handshake is not yet complete, None is returned"); 2029 If the TLS handshake is not yet complete, None is returned");
2033
2034 #endif /* HAVE_OPENSSL_FINISHED */
2035 2030
2036 static PyGetSetDef ssl_getsetlist[] = { 2031 static PyGetSetDef ssl_getsetlist[] = {
2037 {"context", (getter) PySSL_get_context, 2032 {"context", (getter) PySSL_get_context,
2038 (setter) PySSL_set_context, PySSL_set_context_doc}, 2033 (setter) PySSL_set_context, PySSL_set_context_doc},
2039 {"server_side", (getter) PySSL_get_server_side, NULL, 2034 {"server_side", (getter) PySSL_get_server_side, NULL,
2040 PySSL_get_server_side_doc}, 2035 PySSL_get_server_side_doc},
2041 {"server_hostname", (getter) PySSL_get_server_hostname, NULL, 2036 {"server_hostname", (getter) PySSL_get_server_hostname, NULL,
2042 PySSL_get_server_hostname_doc}, 2037 PySSL_get_server_hostname_doc},
2043 {"owner", (getter) PySSL_get_owner, (setter) PySSL_set_owner, 2038 {"owner", (getter) PySSL_get_owner, (setter) PySSL_set_owner,
2044 PySSL_get_owner_doc}, 2039 PySSL_get_owner_doc},
2045 {NULL}, /* sentinel */ 2040 {NULL}, /* sentinel */
2046 }; 2041 };
2047 2042
2048 static PyMethodDef PySSLMethods[] = { 2043 static PyMethodDef PySSLMethods[] = {
2049 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS}, 2044 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
2050 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS, 2045 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
2051 PySSL_SSLwrite_doc}, 2046 PySSL_SSLwrite_doc},
2052 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS, 2047 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
2053 PySSL_SSLread_doc}, 2048 PySSL_SSLread_doc},
2054 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS, 2049 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
2055 PySSL_SSLpending_doc}, 2050 PySSL_SSLpending_doc},
2056 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS, 2051 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
2057 PySSL_peercert_doc}, 2052 PySSL_peercert_doc},
2058 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS}, 2053 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
2054 {"shared_ciphers", (PyCFunction)PySSL_shared_ciphers, METH_NOARGS},
2059 {"version", (PyCFunction)PySSL_version, METH_NOARGS}, 2055 {"version", (PyCFunction)PySSL_version, METH_NOARGS},
2060 #ifdef OPENSSL_NPN_NEGOTIATED 2056 #ifdef OPENSSL_NPN_NEGOTIATED
2061 {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOA RGS}, 2057 {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOA RGS},
2062 #endif 2058 #endif
2059 #ifdef HAVE_ALPN
2060 {"selected_alpn_protocol", (PyCFunction)PySSL_selected_alpn_protocol, METH_N OARGS},
2061 #endif
2063 {"compression", (PyCFunction)PySSL_compression, METH_NOARGS}, 2062 {"compression", (PyCFunction)PySSL_compression, METH_NOARGS},
2064 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS, 2063 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
2065 PySSL_SSLshutdown_doc}, 2064 PySSL_SSLshutdown_doc},
2066 #if HAVE_OPENSSL_FINISHED
2067 {"tls_unique_cb", (PyCFunction)PySSL_tls_unique_cb, METH_NOARGS, 2065 {"tls_unique_cb", (PyCFunction)PySSL_tls_unique_cb, METH_NOARGS,
2068 PySSL_tls_unique_cb_doc}, 2066 PySSL_tls_unique_cb_doc},
2069 #endif
2070 {NULL, NULL} 2067 {NULL, NULL}
2071 }; 2068 };
2072 2069
2073 static PyTypeObject PySSLSocket_Type = { 2070 static PyTypeObject PySSLSocket_Type = {
2074 PyVarObject_HEAD_INIT(NULL, 0) 2071 PyVarObject_HEAD_INIT(NULL, 0)
2075 "_ssl._SSLSocket", /*tp_name*/ 2072 "_ssl._SSLSocket", /*tp_name*/
2076 sizeof(PySSLSocket), /*tp_basicsize*/ 2073 sizeof(PySSLSocket), /*tp_basicsize*/
2077 0, /*tp_itemsize*/ 2074 0, /*tp_itemsize*/
2078 /* methods */ 2075 /* methods */
2079 (destructor)PySSL_dealloc, /*tp_dealloc*/ 2076 (destructor)PySSL_dealloc, /*tp_dealloc*/
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
2125 2122
2126 PySSL_BEGIN_ALLOW_THREADS 2123 PySSL_BEGIN_ALLOW_THREADS
2127 if (proto_version == PY_SSL_VERSION_TLS1) 2124 if (proto_version == PY_SSL_VERSION_TLS1)
2128 ctx = SSL_CTX_new(TLSv1_method()); 2125 ctx = SSL_CTX_new(TLSv1_method());
2129 #if HAVE_TLSv1_2 2126 #if HAVE_TLSv1_2
2130 else if (proto_version == PY_SSL_VERSION_TLS1_1) 2127 else if (proto_version == PY_SSL_VERSION_TLS1_1)
2131 ctx = SSL_CTX_new(TLSv1_1_method()); 2128 ctx = SSL_CTX_new(TLSv1_1_method());
2132 else if (proto_version == PY_SSL_VERSION_TLS1_2) 2129 else if (proto_version == PY_SSL_VERSION_TLS1_2)
2133 ctx = SSL_CTX_new(TLSv1_2_method()); 2130 ctx = SSL_CTX_new(TLSv1_2_method());
2134 #endif 2131 #endif
2132 #ifndef OPENSSL_NO_SSL3
2135 else if (proto_version == PY_SSL_VERSION_SSL3) 2133 else if (proto_version == PY_SSL_VERSION_SSL3)
2136 ctx = SSL_CTX_new(SSLv3_method()); 2134 ctx = SSL_CTX_new(SSLv3_method());
2135 #endif
2137 #ifndef OPENSSL_NO_SSL2 2136 #ifndef OPENSSL_NO_SSL2
2138 else if (proto_version == PY_SSL_VERSION_SSL2) 2137 else if (proto_version == PY_SSL_VERSION_SSL2)
2139 ctx = SSL_CTX_new(SSLv2_method()); 2138 ctx = SSL_CTX_new(SSLv2_method());
2140 #endif 2139 #endif
2141 else if (proto_version == PY_SSL_VERSION_SSL23) 2140 else if (proto_version == PY_SSL_VERSION_SSL23)
2142 ctx = SSL_CTX_new(SSLv23_method()); 2141 ctx = SSL_CTX_new(SSLv23_method());
2143 else 2142 else
2144 proto_version = -1; 2143 proto_version = -1;
2145 PySSL_END_ALLOW_THREADS 2144 PySSL_END_ALLOW_THREADS
2146 2145
(...skipping 10 matching lines...) Expand all
2157 2156
2158 assert(type != NULL && type->tp_alloc != NULL); 2157 assert(type != NULL && type->tp_alloc != NULL);
2159 self = (PySSLContext *) type->tp_alloc(type, 0); 2158 self = (PySSLContext *) type->tp_alloc(type, 0);
2160 if (self == NULL) { 2159 if (self == NULL) {
2161 SSL_CTX_free(ctx); 2160 SSL_CTX_free(ctx);
2162 return NULL; 2161 return NULL;
2163 } 2162 }
2164 self->ctx = ctx; 2163 self->ctx = ctx;
2165 #ifdef OPENSSL_NPN_NEGOTIATED 2164 #ifdef OPENSSL_NPN_NEGOTIATED
2166 self->npn_protocols = NULL; 2165 self->npn_protocols = NULL;
2166 #endif
2167 #ifdef HAVE_ALPN
2168 self->alpn_protocols = NULL;
2167 #endif 2169 #endif
2168 #ifndef OPENSSL_NO_TLSEXT 2170 #ifndef OPENSSL_NO_TLSEXT
2169 self->set_hostname = NULL; 2171 self->set_hostname = NULL;
2170 #endif 2172 #endif
2171 /* Don't check host name by default */ 2173 /* Don't check host name by default */
2172 self->check_hostname = 0; 2174 self->check_hostname = 0;
2173 /* Defaults */ 2175 /* Defaults */
2174 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); 2176 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
2175 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; 2177 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
2176 if (proto_version != PY_SSL_VERSION_SSL2) 2178 if (proto_version != PY_SSL_VERSION_SSL2)
(...skipping 13 matching lines...) Expand all
2190 EC_KEY_free(key); 2192 EC_KEY_free(key);
2191 } 2193 }
2192 #endif 2194 #endif
2193 #endif 2195 #endif
2194 2196
2195 #define SID_CTX "Python" 2197 #define SID_CTX "Python"
2196 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, 2198 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
2197 sizeof(SID_CTX)); 2199 sizeof(SID_CTX));
2198 #undef SID_CTX 2200 #undef SID_CTX
2199 2201
2202 #ifdef X509_V_FLAG_TRUSTED_FIRST
2203 {
2204 /* Improve trust chain building when cross-signed intermediate
2205 certificates are present. See https://bugs.python.org/issue23476. */
2206 X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
2207 X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
2208 }
2209 #endif
2210
2200 return (PyObject *)self; 2211 return (PyObject *)self;
2201 } 2212 }
2202 2213
2203 static int 2214 static int
2204 context_traverse(PySSLContext *self, visitproc visit, void *arg) 2215 context_traverse(PySSLContext *self, visitproc visit, void *arg)
2205 { 2216 {
2206 #ifndef OPENSSL_NO_TLSEXT 2217 #ifndef OPENSSL_NO_TLSEXT
2207 Py_VISIT(self->set_hostname); 2218 Py_VISIT(self->set_hostname);
2208 #endif 2219 #endif
2209 return 0; 2220 return 0;
2210 } 2221 }
2211 2222
2212 static int 2223 static int
2213 context_clear(PySSLContext *self) 2224 context_clear(PySSLContext *self)
2214 { 2225 {
2215 #ifndef OPENSSL_NO_TLSEXT 2226 #ifndef OPENSSL_NO_TLSEXT
2216 Py_CLEAR(self->set_hostname); 2227 Py_CLEAR(self->set_hostname);
2217 #endif 2228 #endif
2218 return 0; 2229 return 0;
2219 } 2230 }
2220 2231
2221 static void 2232 static void
2222 context_dealloc(PySSLContext *self) 2233 context_dealloc(PySSLContext *self)
2223 { 2234 {
2224 context_clear(self); 2235 context_clear(self);
2225 SSL_CTX_free(self->ctx); 2236 SSL_CTX_free(self->ctx);
2226 #ifdef OPENSSL_NPN_NEGOTIATED 2237 #ifdef OPENSSL_NPN_NEGOTIATED
2227 PyMem_Free(self->npn_protocols); 2238 PyMem_FREE(self->npn_protocols);
2239 #endif
2240 #ifdef HAVE_ALPN
2241 PyMem_FREE(self->alpn_protocols);
2228 #endif 2242 #endif
2229 Py_TYPE(self)->tp_free(self); 2243 Py_TYPE(self)->tp_free(self);
2230 } 2244 }
2231 2245
2232 static PyObject * 2246 static PyObject *
2233 set_ciphers(PySSLContext *self, PyObject *args) 2247 set_ciphers(PySSLContext *self, PyObject *args)
2234 { 2248 {
2235 int ret; 2249 int ret;
2236 const char *cipherlist; 2250 const char *cipherlist;
2237 2251
2238 if (!PyArg_ParseTuple(args, "s:set_ciphers", &cipherlist)) 2252 if (!PyArg_ParseTuple(args, "s:set_ciphers", &cipherlist))
2239 return NULL; 2253 return NULL;
2240 ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist); 2254 ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist);
2241 if (ret == 0) { 2255 if (ret == 0) {
2242 /* Clearing the error queue is necessary on some OpenSSL versions, 2256 /* Clearing the error queue is necessary on some OpenSSL versions,
2243 otherwise the error will be reported again when another SSL call 2257 otherwise the error will be reported again when another SSL call
2244 is done. */ 2258 is done. */
2245 ERR_clear_error(); 2259 ERR_clear_error();
2246 PyErr_SetString(PySSLErrorObject, 2260 PyErr_SetString(PySSLErrorObject,
2247 "No cipher can be selected."); 2261 "No cipher can be selected.");
2248 return NULL; 2262 return NULL;
2249 } 2263 }
2250 Py_RETURN_NONE; 2264 Py_RETURN_NONE;
2251 } 2265 }
2252 2266
2253 #ifdef OPENSSL_NPN_NEGOTIATED 2267 #ifdef OPENSSL_NPN_NEGOTIATED
2268 static int
2269 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
2270 const unsigned char *server_protocols, unsigned int server _protocols_len,
2271 const unsigned char *client_protocols, unsigned int client _protocols_len)
2272 {
2273 int ret;
2274 if (client_protocols == NULL) {
2275 client_protocols = (unsigned char *)"";
2276 client_protocols_len = 0;
2277 }
2278 if (server_protocols == NULL) {
2279 server_protocols = (unsigned char *)"";
2280 server_protocols_len = 0;
2281 }
2282
2283 ret = SSL_select_next_proto(out, outlen,
2284 server_protocols, server_protocols_len,
2285 client_protocols, client_protocols_len);
2286 if (alpn && ret != OPENSSL_NPN_NEGOTIATED)
2287 return SSL_TLSEXT_ERR_NOACK;
2288
2289 return SSL_TLSEXT_ERR_OK;
2290 }
2291
2254 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ 2292 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
2255 static int 2293 static int
2256 _advertiseNPN_cb(SSL *s, 2294 _advertiseNPN_cb(SSL *s,
2257 const unsigned char **data, unsigned int *len, 2295 const unsigned char **data, unsigned int *len,
2258 void *args) 2296 void *args)
2259 { 2297 {
2260 PySSLContext *ssl_ctx = (PySSLContext *) args; 2298 PySSLContext *ssl_ctx = (PySSLContext *) args;
2261 2299
2262 if (ssl_ctx->npn_protocols == NULL) { 2300 if (ssl_ctx->npn_protocols == NULL) {
2263 *data = (unsigned char *) ""; 2301 *data = (unsigned char *)"";
2264 *len = 0; 2302 *len = 0;
2265 } else { 2303 } else {
2266 *data = (unsigned char *) ssl_ctx->npn_protocols; 2304 *data = ssl_ctx->npn_protocols;
2267 *len = ssl_ctx->npn_protocols_len; 2305 *len = ssl_ctx->npn_protocols_len;
2268 } 2306 }
2269 2307
2270 return SSL_TLSEXT_ERR_OK; 2308 return SSL_TLSEXT_ERR_OK;
2271 } 2309 }
2272 /* this callback gets passed to SSL_CTX_set_next_proto_select_cb */ 2310 /* this callback gets passed to SSL_CTX_set_next_proto_select_cb */
2273 static int 2311 static int
2274 _selectNPN_cb(SSL *s, 2312 _selectNPN_cb(SSL *s,
2275 unsigned char **out, unsigned char *outlen, 2313 unsigned char **out, unsigned char *outlen,
2276 const unsigned char *server, unsigned int server_len, 2314 const unsigned char *server, unsigned int server_len,
2277 void *args) 2315 void *args)
2278 { 2316 {
2279 PySSLContext *ssl_ctx = (PySSLContext *) args; 2317 PySSLContext *ctx = (PySSLContext *)args;
2280 2318 return do_protocol_selection(0, out, outlen, server, server_len,
2281 unsigned char *client = (unsigned char *) ssl_ctx->npn_protocols; 2319 ctx->npn_protocols, ctx->npn_protocols_len);
2282 int client_len;
2283
2284 if (client == NULL) {
2285 client = (unsigned char *) "";
2286 client_len = 0;
2287 } else {
2288 client_len = ssl_ctx->npn_protocols_len;
2289 }
2290
2291 SSL_select_next_proto(out, outlen,
2292 server, server_len,
2293 client, client_len);
2294
2295 return SSL_TLSEXT_ERR_OK;
2296 } 2320 }
2297 #endif 2321 #endif
2298 2322
2299 static PyObject * 2323 static PyObject *
2300 _set_npn_protocols(PySSLContext *self, PyObject *args) 2324 _set_npn_protocols(PySSLContext *self, PyObject *args)
2301 { 2325 {
2302 #ifdef OPENSSL_NPN_NEGOTIATED 2326 #ifdef OPENSSL_NPN_NEGOTIATED
2303 Py_buffer protos; 2327 Py_buffer protos;
2304 2328
2305 if (!PyArg_ParseTuple(args, "y*:set_npn_protocols", &protos)) 2329 if (!PyArg_ParseTuple(args, "y*:set_npn_protocols", &protos))
(...skipping 18 matching lines...) Expand all
2324 self); 2348 self);
2325 SSL_CTX_set_next_proto_select_cb(self->ctx, 2349 SSL_CTX_set_next_proto_select_cb(self->ctx,
2326 _selectNPN_cb, 2350 _selectNPN_cb,
2327 self); 2351 self);
2328 2352
2329 PyBuffer_Release(&protos); 2353 PyBuffer_Release(&protos);
2330 Py_RETURN_NONE; 2354 Py_RETURN_NONE;
2331 #else 2355 #else
2332 PyErr_SetString(PyExc_NotImplementedError, 2356 PyErr_SetString(PyExc_NotImplementedError,
2333 "The NPN extension requires OpenSSL 1.0.1 or later."); 2357 "The NPN extension requires OpenSSL 1.0.1 or later.");
2358 return NULL;
2359 #endif
2360 }
2361
2362 #ifdef HAVE_ALPN
2363 static int
2364 _selectALPN_cb(SSL *s,
2365 const unsigned char **out, unsigned char *outlen,
2366 const unsigned char *client_protocols, unsigned int client_protoco ls_len,
2367 void *args)
2368 {
2369 PySSLContext *ctx = (PySSLContext *)args;
2370 return do_protocol_selection(1, (unsigned char **)out, outlen,
2371 ctx->alpn_protocols, ctx->alpn_protocols_len,
2372 client_protocols, client_protocols_len);
2373 }
2374 #endif
2375
2376 static PyObject *
2377 _set_alpn_protocols(PySSLContext *self, PyObject *args)
2378 {
2379 #ifdef HAVE_ALPN
2380 Py_buffer protos;
2381
2382 if (!PyArg_ParseTuple(args, "y*:set_npn_protocols", &protos))
2383 return NULL;
2384
2385 PyMem_FREE(self->alpn_protocols);
2386 self->alpn_protocols = PyMem_Malloc(protos.len);
2387 if (!self->alpn_protocols)
2388 return PyErr_NoMemory();
2389 memcpy(self->alpn_protocols, protos.buf, protos.len);
2390 self->alpn_protocols_len = protos.len;
2391 PyBuffer_Release(&protos);
2392
2393 if (SSL_CTX_set_alpn_protos(self->ctx, self->alpn_protocols, self->alpn_prot ocols_len))
2394 return PyErr_NoMemory();
2395 SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self);
2396
2397 PyBuffer_Release(&protos);
2398 Py_RETURN_NONE;
2399 #else
2400 PyErr_SetString(PyExc_NotImplementedError,
2401 "The ALPN extension requires OpenSSL 1.0.2 or later.");
2334 return NULL; 2402 return NULL;
2335 #endif 2403 #endif
2336 } 2404 }
2337 2405
2338 static PyObject * 2406 static PyObject *
2339 get_verify_mode(PySSLContext *self, void *c) 2407 get_verify_mode(PySSLContext *self, void *c)
2340 { 2408 {
2341 switch (SSL_CTX_get_verify_mode(self->ctx)) { 2409 switch (SSL_CTX_get_verify_mode(self->ctx)) {
2342 case SSL_VERIFY_NONE: 2410 case SSL_VERIFY_NONE:
2343 return PyLong_FromLong(PY_SSL_CERT_NONE); 2411 return PyLong_FromLong(PY_SSL_CERT_NONE);
(...skipping 27 matching lines...) Expand all
2371 if (mode == SSL_VERIFY_NONE && self->check_hostname) { 2439 if (mode == SSL_VERIFY_NONE && self->check_hostname) {
2372 PyErr_SetString(PyExc_ValueError, 2440 PyErr_SetString(PyExc_ValueError,
2373 "Cannot set verify_mode to CERT_NONE when " 2441 "Cannot set verify_mode to CERT_NONE when "
2374 "check_hostname is enabled."); 2442 "check_hostname is enabled.");
2375 return -1; 2443 return -1;
2376 } 2444 }
2377 SSL_CTX_set_verify(self->ctx, mode, NULL); 2445 SSL_CTX_set_verify(self->ctx, mode, NULL);
2378 return 0; 2446 return 0;
2379 } 2447 }
2380 2448
2381 #ifdef HAVE_OPENSSL_VERIFY_PARAM
2382 static PyObject * 2449 static PyObject *
2383 get_verify_flags(PySSLContext *self, void *c) 2450 get_verify_flags(PySSLContext *self, void *c)
2384 { 2451 {
2385 X509_STORE *store; 2452 X509_STORE *store;
2386 unsigned long flags; 2453 unsigned long flags;
2387 2454
2388 store = SSL_CTX_get_cert_store(self->ctx); 2455 store = SSL_CTX_get_cert_store(self->ctx);
2389 flags = X509_VERIFY_PARAM_get_flags(store->param); 2456 flags = X509_VERIFY_PARAM_get_flags(store->param);
2390 return PyLong_FromUnsignedLong(flags); 2457 return PyLong_FromUnsignedLong(flags);
2391 } 2458 }
(...skipping 17 matching lines...) Expand all
2409 } 2476 }
2410 } 2477 }
2411 if (set) { 2478 if (set) {
2412 if (!X509_VERIFY_PARAM_set_flags(store->param, set)) { 2479 if (!X509_VERIFY_PARAM_set_flags(store->param, set)) {
2413 _setSSLError(NULL, 0, __FILE__, __LINE__); 2480 _setSSLError(NULL, 0, __FILE__, __LINE__);
2414 return -1; 2481 return -1;
2415 } 2482 }
2416 } 2483 }
2417 return 0; 2484 return 0;
2418 } 2485 }
2419 #endif
2420 2486
2421 static PyObject * 2487 static PyObject *
2422 get_options(PySSLContext *self, void *c) 2488 get_options(PySSLContext *self, void *c)
2423 { 2489 {
2424 return PyLong_FromLong(SSL_CTX_get_options(self->ctx)); 2490 return PyLong_FromLong(SSL_CTX_get_options(self->ctx));
2425 } 2491 }
2426 2492
2427 static int 2493 static int
2428 set_options(PySSLContext *self, PyObject *arg, void *c) 2494 set_options(PySSLContext *self, PyObject *arg, void *c)
2429 { 2495 {
(...skipping 438 matching lines...) Expand 10 before | Expand all | Expand 10 after
2868 } 2934 }
2869 } 2935 }
2870 2936
2871 static PyObject * 2937 static PyObject *
2872 load_dh_params(PySSLContext *self, PyObject *filepath) 2938 load_dh_params(PySSLContext *self, PyObject *filepath)
2873 { 2939 {
2874 FILE *f; 2940 FILE *f;
2875 DH *dh; 2941 DH *dh;
2876 2942
2877 f = _Py_fopen_obj(filepath, "rb"); 2943 f = _Py_fopen_obj(filepath, "rb");
2878 if (f == NULL) { 2944 if (f == NULL)
2879 if (!PyErr_Occurred()) 2945 return NULL;
2880 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath); 2946
2881 return NULL;
2882 }
2883 errno = 0; 2947 errno = 0;
2884 PySSL_BEGIN_ALLOW_THREADS 2948 PySSL_BEGIN_ALLOW_THREADS
2885 dh = PEM_read_DHparams(f, NULL, NULL, NULL); 2949 dh = PEM_read_DHparams(f, NULL, NULL, NULL);
2886 fclose(f); 2950 fclose(f);
2887 PySSL_END_ALLOW_THREADS 2951 PySSL_END_ALLOW_THREADS
2888 if (dh == NULL) { 2952 if (dh == NULL) {
2889 if (errno != 0) { 2953 if (errno != 0) {
2890 ERR_clear_error(); 2954 ERR_clear_error();
2891 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath); 2955 PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
2892 } 2956 }
(...skipping 401 matching lines...) Expand 10 before | Expand all | Expand 10 after
3294 Py_XDECREF(rlist); 3358 Py_XDECREF(rlist);
3295 return NULL; 3359 return NULL;
3296 } 3360 }
3297 3361
3298 3362
3299 static PyGetSetDef context_getsetlist[] = { 3363 static PyGetSetDef context_getsetlist[] = {
3300 {"check_hostname", (getter) get_check_hostname, 3364 {"check_hostname", (getter) get_check_hostname,
3301 (setter) set_check_hostname, NULL}, 3365 (setter) set_check_hostname, NULL},
3302 {"options", (getter) get_options, 3366 {"options", (getter) get_options,
3303 (setter) set_options, NULL}, 3367 (setter) set_options, NULL},
3304 #ifdef HAVE_OPENSSL_VERIFY_PARAM
3305 {"verify_flags", (getter) get_verify_flags, 3368 {"verify_flags", (getter) get_verify_flags,
3306 (setter) set_verify_flags, NULL}, 3369 (setter) set_verify_flags, NULL},
3307 #endif
3308 {"verify_mode", (getter) get_verify_mode, 3370 {"verify_mode", (getter) get_verify_mode,
3309 (setter) set_verify_mode, NULL}, 3371 (setter) set_verify_mode, NULL},
3310 {NULL}, /* sentinel */ 3372 {NULL}, /* sentinel */
3311 }; 3373 };
3312 3374
3313 static struct PyMethodDef context_methods[] = { 3375 static struct PyMethodDef context_methods[] = {
3314 {"_wrap_socket", (PyCFunction) context_wrap_socket, 3376 {"_wrap_socket", (PyCFunction) context_wrap_socket,
3315 METH_VARARGS | METH_KEYWORDS, NULL}, 3377 METH_VARARGS | METH_KEYWORDS, NULL},
3316 {"_wrap_bio", (PyCFunction) context_wrap_bio, 3378 {"_wrap_bio", (PyCFunction) context_wrap_bio,
3317 METH_VARARGS | METH_KEYWORDS, NULL}, 3379 METH_VARARGS | METH_KEYWORDS, NULL},
3318 {"set_ciphers", (PyCFunction) set_ciphers, 3380 {"set_ciphers", (PyCFunction) set_ciphers,
3319 METH_VARARGS, NULL}, 3381 METH_VARARGS, NULL},
3382 {"_set_alpn_protocols", (PyCFunction) _set_alpn_protocols,
3383 METH_VARARGS, NULL},
3320 {"_set_npn_protocols", (PyCFunction) _set_npn_protocols, 3384 {"_set_npn_protocols", (PyCFunction) _set_npn_protocols,
3321 METH_VARARGS, NULL}, 3385 METH_VARARGS, NULL},
3322 {"load_cert_chain", (PyCFunction) load_cert_chain, 3386 {"load_cert_chain", (PyCFunction) load_cert_chain,
3323 METH_VARARGS | METH_KEYWORDS, NULL}, 3387 METH_VARARGS | METH_KEYWORDS, NULL},
3324 {"load_dh_params", (PyCFunction) load_dh_params, 3388 {"load_dh_params", (PyCFunction) load_dh_params,
3325 METH_O, NULL}, 3389 METH_O, NULL},
3326 {"load_verify_locations", (PyCFunction) load_verify_locations, 3390 {"load_verify_locations", (PyCFunction) load_verify_locations,
3327 METH_VARARGS | METH_KEYWORDS, NULL}, 3391 METH_VARARGS | METH_KEYWORDS, NULL},
3328 {"session_stats", (PyCFunction) session_stats, 3392 {"session_stats", (PyCFunction) session_stats,
3329 METH_NOARGS, NULL}, 3393 METH_NOARGS, NULL},
(...skipping 267 matching lines...) Expand 10 before | Expand all | Expand 10 after
3597 0, /*tp_dict*/ 3661 0, /*tp_dict*/
3598 0, /*tp_descr_get*/ 3662 0, /*tp_descr_get*/
3599 0, /*tp_descr_set*/ 3663 0, /*tp_descr_set*/
3600 0, /*tp_dictoffset*/ 3664 0, /*tp_dictoffset*/
3601 0, /*tp_init*/ 3665 0, /*tp_init*/
3602 0, /*tp_alloc*/ 3666 0, /*tp_alloc*/
3603 memory_bio_new, /*tp_new*/ 3667 memory_bio_new, /*tp_new*/
3604 }; 3668 };
3605 3669
3606 3670
3607 #ifdef HAVE_OPENSSL_RAND
3608
3609 /* helper routines for seeding the SSL PRNG */ 3671 /* helper routines for seeding the SSL PRNG */
3610 static PyObject * 3672 static PyObject *
3611 PySSL_RAND_add(PyObject *self, PyObject *args) 3673 PySSL_RAND_add(PyObject *self, PyObject *args)
3612 { 3674 {
3613 Py_buffer view; 3675 Py_buffer view;
3614 const char *buf; 3676 const char *buf;
3615 Py_ssize_t len, written; 3677 Py_ssize_t len, written;
3616 double entropy; 3678 double entropy;
3617 3679
3618 if (!PyArg_ParseTuple(args, "s*d:RAND_add", &view, &entropy)) 3680 if (!PyArg_ParseTuple(args, "s*d:RAND_add", &view, &entropy))
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after
3739 return PyLong_FromLong(bytes); 3801 return PyLong_FromLong(bytes);
3740 } 3802 }
3741 3803
3742 PyDoc_STRVAR(PySSL_RAND_egd_doc, 3804 PyDoc_STRVAR(PySSL_RAND_egd_doc,
3743 "RAND_egd(path) -> bytes\n\ 3805 "RAND_egd(path) -> bytes\n\
3744 \n\ 3806 \n\
3745 Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\ 3807 Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
3746 Returns number of bytes read. Raises SSLError if connection to EGD\n\ 3808 Returns number of bytes read. Raises SSLError if connection to EGD\n\
3747 fails or if it does not provide enough data to seed PRNG."); 3809 fails or if it does not provide enough data to seed PRNG.");
3748 #endif /* HAVE_RAND_EGD */ 3810 #endif /* HAVE_RAND_EGD */
3749
3750 #endif /* HAVE_OPENSSL_RAND */
3751 3811
3752 3812
3753 PyDoc_STRVAR(PySSL_get_default_verify_paths_doc, 3813 PyDoc_STRVAR(PySSL_get_default_verify_paths_doc,
3754 "get_default_verify_paths() -> tuple\n\ 3814 "get_default_verify_paths() -> tuple\n\
3755 \n\ 3815 \n\
3756 Return search paths and environment vars that are used by SSLContext's\n\ 3816 Return search paths and environment vars that are used by SSLContext's\n\
3757 set_default_verify_paths() to load default CAs. The values are\n\ 3817 set_default_verify_paths() to load default CAs. The values are\n\
3758 'cert_file_env', 'cert_file', 'cert_dir_env', 'cert_dir'."); 3818 'cert_file_env', 'cert_file', 'cert_dir_env', 'cert_dir'.");
3759 3819
3760 static PyObject * 3820 static PyObject *
(...skipping 366 matching lines...) Expand 10 before | Expand all | Expand 10 after
4127 return result; 4187 return result;
4128 } 4188 }
4129 4189
4130 #endif /* _MSC_VER */ 4190 #endif /* _MSC_VER */
4131 4191
4132 /* List of functions exported by this module. */ 4192 /* List of functions exported by this module. */
4133 4193
4134 static PyMethodDef PySSL_methods[] = { 4194 static PyMethodDef PySSL_methods[] = {
4135 {"_test_decode_cert", PySSL_test_decode_certificate, 4195 {"_test_decode_cert", PySSL_test_decode_certificate,
4136 METH_VARARGS}, 4196 METH_VARARGS},
4137 #ifdef HAVE_OPENSSL_RAND
4138 {"RAND_add", PySSL_RAND_add, METH_VARARGS, 4197 {"RAND_add", PySSL_RAND_add, METH_VARARGS,
4139 PySSL_RAND_add_doc}, 4198 PySSL_RAND_add_doc},
4140 {"RAND_bytes", PySSL_RAND_bytes, METH_VARARGS, 4199 {"RAND_bytes", PySSL_RAND_bytes, METH_VARARGS,
4141 PySSL_RAND_bytes_doc}, 4200 PySSL_RAND_bytes_doc},
4142 {"RAND_pseudo_bytes", PySSL_RAND_pseudo_bytes, METH_VARARGS, 4201 {"RAND_pseudo_bytes", PySSL_RAND_pseudo_bytes, METH_VARARGS,
4143 PySSL_RAND_pseudo_bytes_doc}, 4202 PySSL_RAND_pseudo_bytes_doc},
4144 #ifdef HAVE_RAND_EGD 4203 #ifdef HAVE_RAND_EGD
4145 {"RAND_egd", PySSL_RAND_egd, METH_VARARGS, 4204 {"RAND_egd", PySSL_RAND_egd, METH_VARARGS,
4146 PySSL_RAND_egd_doc}, 4205 PySSL_RAND_egd_doc},
4147 #endif 4206 #endif
4148 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, 4207 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
4149 PySSL_RAND_status_doc}, 4208 PySSL_RAND_status_doc},
4150 #endif
4151 {"get_default_verify_paths", (PyCFunction)PySSL_get_default_verify_paths, 4209 {"get_default_verify_paths", (PyCFunction)PySSL_get_default_verify_paths,
4152 METH_NOARGS, PySSL_get_default_verify_paths_doc}, 4210 METH_NOARGS, PySSL_get_default_verify_paths_doc},
4153 #ifdef _MSC_VER 4211 #ifdef _MSC_VER
4154 {"enum_certificates", (PyCFunction)PySSL_enum_certificates, 4212 {"enum_certificates", (PyCFunction)PySSL_enum_certificates,
4155 METH_VARARGS | METH_KEYWORDS, PySSL_enum_certificates_doc}, 4213 METH_VARARGS | METH_KEYWORDS, PySSL_enum_certificates_doc},
4156 {"enum_crls", (PyCFunction)PySSL_enum_crls, 4214 {"enum_crls", (PyCFunction)PySSL_enum_crls,
4157 METH_VARARGS | METH_KEYWORDS, PySSL_enum_crls_doc}, 4215 METH_VARARGS | METH_KEYWORDS, PySSL_enum_crls_doc},
4158 #endif 4216 #endif
4159 {"txt2obj", (PyCFunction)PySSL_txt2obj, 4217 {"txt2obj", (PyCFunction)PySSL_txt2obj,
4160 METH_VARARGS | METH_KEYWORDS, PySSL_txt2obj_doc}, 4218 METH_VARARGS | METH_KEYWORDS, PySSL_txt2obj_doc},
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
4213 PyThread_release_lock(_ssl_locks[n]); 4271 PyThread_release_lock(_ssl_locks[n]);
4214 } 4272 }
4215 } 4273 }
4216 4274
4217 static int _setup_ssl_threads(void) { 4275 static int _setup_ssl_threads(void) {
4218 4276
4219 unsigned int i; 4277 unsigned int i;
4220 4278
4221 if (_ssl_locks == NULL) { 4279 if (_ssl_locks == NULL) {
4222 _ssl_locks_count = CRYPTO_num_locks(); 4280 _ssl_locks_count = CRYPTO_num_locks();
4223 _ssl_locks = (PyThread_type_lock *) 4281 _ssl_locks = PyMem_New(PyThread_type_lock, _ssl_locks_count);
4224 PyMem_Malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); 4282 if (_ssl_locks == NULL) {
4225 if (_ssl_locks == NULL) 4283 PyErr_NoMemory();
4226 return 0; 4284 return 0;
4285 }
4227 memset(_ssl_locks, 0, 4286 memset(_ssl_locks, 0,
4228 sizeof(PyThread_type_lock) * _ssl_locks_count); 4287 sizeof(PyThread_type_lock) * _ssl_locks_count);
4229 for (i = 0; i < _ssl_locks_count; i++) { 4288 for (i = 0; i < _ssl_locks_count; i++) {
4230 _ssl_locks[i] = PyThread_allocate_lock(); 4289 _ssl_locks[i] = PyThread_allocate_lock();
4231 if (_ssl_locks[i] == NULL) { 4290 if (_ssl_locks[i] == NULL) {
4232 unsigned int j; 4291 unsigned int j;
4233 for (j = 0; j < i; j++) { 4292 for (j = 0; j < i; j++) {
4234 PyThread_free_lock(_ssl_locks[j]); 4293 PyThread_free_lock(_ssl_locks[j]);
4235 } 4294 }
4236 PyMem_Free(_ssl_locks); 4295 PyMem_Free(_ssl_locks);
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after
4394 PY_SSL_CERT_REQUIRED); 4453 PY_SSL_CERT_REQUIRED);
4395 /* CRL verification for verification_flags */ 4454 /* CRL verification for verification_flags */
4396 PyModule_AddIntConstant(m, "VERIFY_DEFAULT", 4455 PyModule_AddIntConstant(m, "VERIFY_DEFAULT",
4397 0); 4456 0);
4398 PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_LEAF", 4457 PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_LEAF",
4399 X509_V_FLAG_CRL_CHECK); 4458 X509_V_FLAG_CRL_CHECK);
4400 PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_CHAIN", 4459 PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_CHAIN",
4401 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); 4460 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
4402 PyModule_AddIntConstant(m, "VERIFY_X509_STRICT", 4461 PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
4403 X509_V_FLAG_X509_STRICT); 4462 X509_V_FLAG_X509_STRICT);
4463 #ifdef X509_V_FLAG_TRUSTED_FIRST
4464 PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
4465 X509_V_FLAG_TRUSTED_FIRST);
4466 #endif
4404 4467
4405 /* Alert Descriptions from ssl.h */ 4468 /* Alert Descriptions from ssl.h */
4406 /* note RESERVED constants no longer intended for use have been removed */ 4469 /* note RESERVED constants no longer intended for use have been removed */
4407 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-par ameters-6 */ 4470 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-par ameters-6 */
4408 4471
4409 #define ADD_AD_CONSTANT(s) \ 4472 #define ADD_AD_CONSTANT(s) \
4410 PyModule_AddIntConstant(m, "ALERT_DESCRIPTION_"#s, \ 4473 PyModule_AddIntConstant(m, "ALERT_DESCRIPTION_"#s, \
4411 SSL_AD_##s) 4474 SSL_AD_##s)
4412 4475
4413 ADD_AD_CONSTANT(CLOSE_NOTIFY); 4476 ADD_AD_CONSTANT(CLOSE_NOTIFY);
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
4451 ADD_AD_CONSTANT(UNKNOWN_PSK_IDENTITY); 4514 ADD_AD_CONSTANT(UNKNOWN_PSK_IDENTITY);
4452 #endif 4515 #endif
4453 4516
4454 #undef ADD_AD_CONSTANT 4517 #undef ADD_AD_CONSTANT
4455 4518
4456 /* protocol versions */ 4519 /* protocol versions */
4457 #ifndef OPENSSL_NO_SSL2 4520 #ifndef OPENSSL_NO_SSL2
4458 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", 4521 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
4459 PY_SSL_VERSION_SSL2); 4522 PY_SSL_VERSION_SSL2);
4460 #endif 4523 #endif
4524 #ifndef OPENSSL_NO_SSL3
4461 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", 4525 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
4462 PY_SSL_VERSION_SSL3); 4526 PY_SSL_VERSION_SSL3);
4527 #endif
4463 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", 4528 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
4464 PY_SSL_VERSION_SSL23); 4529 PY_SSL_VERSION_SSL23);
4465 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", 4530 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
4466 PY_SSL_VERSION_TLS1); 4531 PY_SSL_VERSION_TLS1);
4467 #if HAVE_TLSv1_2 4532 #if HAVE_TLSv1_2
4468 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_1", 4533 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_1",
4469 PY_SSL_VERSION_TLS1_1); 4534 PY_SSL_VERSION_TLS1_1);
4470 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_2", 4535 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_2",
4471 PY_SSL_VERSION_TLS1_2); 4536 PY_SSL_VERSION_TLS1_2);
4472 #endif 4537 #endif
(...skipping 20 matching lines...) Expand all
4493 #endif 4558 #endif
4494 4559
4495 #if HAVE_SNI 4560 #if HAVE_SNI
4496 r = Py_True; 4561 r = Py_True;
4497 #else 4562 #else
4498 r = Py_False; 4563 r = Py_False;
4499 #endif 4564 #endif
4500 Py_INCREF(r); 4565 Py_INCREF(r);
4501 PyModule_AddObject(m, "HAS_SNI", r); 4566 PyModule_AddObject(m, "HAS_SNI", r);
4502 4567
4503 #if HAVE_OPENSSL_FINISHED
4504 r = Py_True; 4568 r = Py_True;
4505 #else
4506 r = Py_False;
4507 #endif
4508 Py_INCREF(r); 4569 Py_INCREF(r);
4509 PyModule_AddObject(m, "HAS_TLS_UNIQUE", r); 4570 PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
4510 4571
4511 #ifdef OPENSSL_NO_ECDH 4572 #ifdef OPENSSL_NO_ECDH
4512 r = Py_False; 4573 r = Py_False;
4513 #else 4574 #else
4514 r = Py_True; 4575 r = Py_True;
4515 #endif 4576 #endif
4516 Py_INCREF(r); 4577 Py_INCREF(r);
4517 PyModule_AddObject(m, "HAS_ECDH", r); 4578 PyModule_AddObject(m, "HAS_ECDH", r);
4518 4579
4519 #ifdef OPENSSL_NPN_NEGOTIATED 4580 #ifdef OPENSSL_NPN_NEGOTIATED
4520 r = Py_True; 4581 r = Py_True;
4521 #else 4582 #else
4522 r = Py_False; 4583 r = Py_False;
4523 #endif 4584 #endif
4524 Py_INCREF(r); 4585 Py_INCREF(r);
4525 PyModule_AddObject(m, "HAS_NPN", r); 4586 PyModule_AddObject(m, "HAS_NPN", r);
4587
4588 #ifdef HAVE_ALPN
4589 r = Py_True;
4590 #else
4591 r = Py_False;
4592 #endif
4593 Py_INCREF(r);
4594 PyModule_AddObject(m, "HAS_ALPN", r);
4526 4595
4527 /* Mappings for error codes */ 4596 /* Mappings for error codes */
4528 err_codes_to_names = PyDict_New(); 4597 err_codes_to_names = PyDict_New();
4529 err_names_to_codes = PyDict_New(); 4598 err_names_to_codes = PyDict_New();
4530 if (err_codes_to_names == NULL || err_names_to_codes == NULL) 4599 if (err_codes_to_names == NULL || err_names_to_codes == NULL)
4531 return NULL; 4600 return NULL;
4532 errcode = error_codes; 4601 errcode = error_codes;
4533 while (errcode->mnemonic != NULL) { 4602 while (errcode->mnemonic != NULL) {
4534 PyObject *mnemo, *key; 4603 PyObject *mnemo, *key;
4535 mnemo = PyUnicode_FromString(errcode->mnemonic); 4604 mnemo = PyUnicode_FromString(errcode->mnemonic);
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after
4587 return NULL; 4656 return NULL;
4588 4657
4589 libver = OPENSSL_VERSION_NUMBER; 4658 libver = OPENSSL_VERSION_NUMBER;
4590 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status); 4659 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
4591 r = Py_BuildValue("IIIII", major, minor, fix, patch, status); 4660 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
4592 if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r)) 4661 if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
4593 return NULL; 4662 return NULL;
4594 4663
4595 return m; 4664 return m;
4596 } 4665 }
LEFTRIGHT

RSS Feeds Recent Issues | This issue
This is Rietveld 894c83f36cb7+