3
3
SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4
4
Re-worked a bit by Bill Janssen to add server-side support and
5
certificate decoding. Chris Stawarz contributed some non-blocking
7
8
This module is imported by ssl.py. It should *not* be used
10
11
XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
12
XXX what about SSL_MODE_AUTO_RETRY
13
XXX what about SSL_MODE_AUTO_RETRY?
15
16
#include "Python.h"
388
387
SSL_set_accept_state(self->ssl);
389
388
PySSL_END_ALLOW_THREADS
391
/* Actually negotiate SSL connection */
392
/* XXX If SSL_connect() returns 0, it's also a failure. */
395
PySSL_BEGIN_ALLOW_THREADS
396
if (socket_type == PY_SSL_CLIENT)
397
ret = SSL_connect(self->ssl);
399
ret = SSL_accept(self->ssl);
400
err = SSL_get_error(self->ssl, ret);
401
PySSL_END_ALLOW_THREADS
402
if(PyErr_CheckSignals()) {
405
if (err == SSL_ERROR_WANT_READ) {
406
sockstate = check_socket_and_wait_for_timeout(Sock, 0);
407
} else if (err == SSL_ERROR_WANT_WRITE) {
408
sockstate = check_socket_and_wait_for_timeout(Sock, 1);
410
sockstate = SOCKET_OPERATION_OK;
412
if (sockstate == SOCKET_HAS_TIMED_OUT) {
413
PyErr_SetString(PySSLErrorObject,
414
ERRSTR("The connect operation timed out"));
416
} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
417
PyErr_SetString(PySSLErrorObject,
418
ERRSTR("Underlying socket has been closed."));
420
} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
421
PyErr_SetString(PySSLErrorObject,
422
ERRSTR("Underlying socket too large for select()."));
424
} else if (sockstate == SOCKET_IS_NONBLOCKING) {
427
} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
429
PySSL_SetError(self, ret, __FILE__, __LINE__);
432
self->ssl->debug = 1;
434
PySSL_BEGIN_ALLOW_THREADS
435
if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
436
X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
437
self->server, X509_NAME_MAXLEN);
438
X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
439
self->issuer, X509_NAME_MAXLEN);
441
PySSL_END_ALLOW_THREADS
442
390
self->Socket = Sock;
443
391
Py_INCREF(self->Socket);
489
437
/* SSL object methods */
439
static PyObject *PySSL_SSLdo_handshake(PySSLObject *self)
445
/* Actually negotiate SSL connection */
446
/* XXX If SSL_do_handshake() returns 0, it's also a failure. */
449
PySSL_BEGIN_ALLOW_THREADS
450
ret = SSL_do_handshake(self->ssl);
451
err = SSL_get_error(self->ssl, ret);
452
PySSL_END_ALLOW_THREADS
453
if(PyErr_CheckSignals()) {
456
if (err == SSL_ERROR_WANT_READ) {
457
sockstate = check_socket_and_wait_for_timeout(self->Socket, 0);
458
} else if (err == SSL_ERROR_WANT_WRITE) {
459
sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
461
sockstate = SOCKET_OPERATION_OK;
463
if (sockstate == SOCKET_HAS_TIMED_OUT) {
464
PyErr_SetString(PySSLErrorObject,
465
ERRSTR("The handshake operation timed out"));
467
} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
468
PyErr_SetString(PySSLErrorObject,
469
ERRSTR("Underlying socket has been closed."));
471
} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
472
PyErr_SetString(PySSLErrorObject,
473
ERRSTR("Underlying socket too large for select()."));
475
} else if (sockstate == SOCKET_IS_NONBLOCKING) {
478
} while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
480
return PySSL_SetError(self, ret, __FILE__, __LINE__);
481
self->ssl->debug = 1;
484
X509_free (self->peer_cert);
485
PySSL_BEGIN_ALLOW_THREADS
486
if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) {
487
X509_NAME_oneline(X509_get_subject_name(self->peer_cert),
488
self->server, X509_NAME_MAXLEN);
489
X509_NAME_oneline(X509_get_issuer_name(self->peer_cert),
490
self->issuer, X509_NAME_MAXLEN);
492
PySSL_END_ALLOW_THREADS
491
498
static PyObject *
492
499
PySSL_server(PySSLObject *self)
1127
1134
rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv);
1128
1135
PySSL_END_ALLOW_THREADS
1131
1140
/* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1132
1141
(when we are able to write or when there's something to read) */
1133
1142
return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
1144
1154
if (!PyArg_ParseTuple(args, "s#:write", &data, &count))
1157
/* just in case the blocking state of the socket has been changed */
1158
nonblocking = (self->Socket->sock_timeout >= 0.0);
1159
BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1160
BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1147
1162
sockstate = check_socket_and_wait_for_timeout(self->Socket, 1);
1148
1163
if (sockstate == SOCKET_HAS_TIMED_OUT) {
1149
1164
PyErr_SetString(PySSLErrorObject,
1200
1215
Writes the string s into the SSL object. Returns the number\n\
1201
1216
of bytes written.");
1218
static PyObject *PySSL_SSLpending(PySSLObject *self)
1222
PySSL_BEGIN_ALLOW_THREADS
1223
count = SSL_pending(self->ssl);
1224
PySSL_END_ALLOW_THREADS
1226
return PySSL_SetError(self, count, __FILE__, __LINE__);
1228
return PyInt_FromLong(count);
1231
PyDoc_STRVAR(PySSL_SSLpending_doc,
1232
"pending() -> count\n\
1234
Returns the number of already decrypted bytes available for read,\n\
1235
pending on the connection.\n");
1203
1237
static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
1214
1249
if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
1252
/* just in case the blocking state of the socket has been changed */
1253
nonblocking = (self->Socket->sock_timeout >= 0.0);
1254
BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1255
BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1217
1257
/* first check if there are bytes ready to be read */
1218
1258
PySSL_BEGIN_ALLOW_THREADS
1219
1259
count = SSL_pending(self->ssl);
1232
1272
Py_DECREF(buf);
1234
1274
} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1235
/* should contain a zero-length string */
1236
_PyString_Resize(&buf, 0);
1275
if (SSL_get_shutdown(self->ssl) !=
1276
SSL_RECEIVED_SHUTDOWN)
1279
PyErr_SetString(PySSLErrorObject,
1280
"Socket closed without SSL shutdown handshake");
1283
/* should contain a zero-length string */
1284
_PyString_Resize(&buf, 0);
1286
1335
Read up to len bytes from the SSL socket.");
1337
static PyObject *PySSL_SSLshutdown(PySSLObject *self)
1341
/* Guard against closed socket */
1342
if (self->Socket->sock_fd < 0) {
1343
PyErr_SetString(PySSLErrorObject,
1344
"Underlying socket has been closed.");
1348
PySSL_BEGIN_ALLOW_THREADS
1349
err = SSL_shutdown(self->ssl);
1351
/* we need to call it again to finish the shutdown */
1352
err = SSL_shutdown(self->ssl);
1354
PySSL_END_ALLOW_THREADS
1357
return PySSL_SetError(self, err, __FILE__, __LINE__);
1359
Py_INCREF(self->Socket);
1360
return (PyObject *) (self->Socket);
1364
PyDoc_STRVAR(PySSL_SSLshutdown_doc,
1365
"shutdown(s) -> socket\n\
1367
Does the SSL shutdown handshake with the remote end, and returns\n\
1368
the underlying socket object.");
1288
1370
static PyMethodDef PySSLMethods[] = {
1371
{"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS},
1289
1372
{"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS,
1290
1373
PySSL_SSLwrite_doc},
1291
1374
{"read", (PyCFunction)PySSL_SSLread, METH_VARARGS,
1292
1375
PySSL_SSLread_doc},
1376
{"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS,
1377
PySSL_SSLpending_doc},
1293
1378
{"server", (PyCFunction)PySSL_server, METH_NOARGS},
1294
1379
{"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS},
1295
1380
{"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS,
1296
1381
PySSL_peercert_doc},
1297
1382
{"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
1383
{"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS,
1384
PySSL_SSLshutdown_doc},