|
1 /* SSL socket module |
|
2 |
|
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs. |
|
4 Re-worked a bit by Bill Janssen to add server-side support and |
|
5 certificate decoding. Chris Stawarz contributed some non-blocking |
|
6 patches. |
|
7 |
|
8 This module is imported by ssl.py. It should *not* be used |
|
9 directly. |
|
10 |
|
11 XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE? |
|
12 |
|
13 XXX what about SSL_MODE_AUTO_RETRY? |
|
14 */ |
|
15 |
|
16 #include "Python.h" |
|
17 |
|
18 #ifdef WITH_THREAD |
|
19 #include "pythread.h" |
|
20 #define PySSL_BEGIN_ALLOW_THREADS { \ |
|
21 PyThreadState *_save = NULL; \ |
|
22 if (_ssl_locks_count>0) {_save = PyEval_SaveThread();} |
|
23 #define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)}; |
|
24 #define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()}; |
|
25 #define PySSL_END_ALLOW_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save);} \ |
|
26 } |
|
27 |
|
28 #else /* no WITH_THREAD */ |
|
29 |
|
30 #define PySSL_BEGIN_ALLOW_THREADS |
|
31 #define PySSL_BLOCK_THREADS |
|
32 #define PySSL_UNBLOCK_THREADS |
|
33 #define PySSL_END_ALLOW_THREADS |
|
34 |
|
35 #endif |
|
36 |
|
37 enum py_ssl_error { |
|
38 /* these mirror ssl.h */ |
|
39 PY_SSL_ERROR_NONE, |
|
40 PY_SSL_ERROR_SSL, |
|
41 PY_SSL_ERROR_WANT_READ, |
|
42 PY_SSL_ERROR_WANT_WRITE, |
|
43 PY_SSL_ERROR_WANT_X509_LOOKUP, |
|
44 PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */ |
|
45 PY_SSL_ERROR_ZERO_RETURN, |
|
46 PY_SSL_ERROR_WANT_CONNECT, |
|
47 /* start of non ssl.h errorcodes */ |
|
48 PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */ |
|
49 PY_SSL_ERROR_INVALID_ERROR_CODE |
|
50 }; |
|
51 |
|
52 enum py_ssl_server_or_client { |
|
53 PY_SSL_CLIENT, |
|
54 PY_SSL_SERVER |
|
55 }; |
|
56 |
|
57 enum py_ssl_cert_requirements { |
|
58 PY_SSL_CERT_NONE, |
|
59 PY_SSL_CERT_OPTIONAL, |
|
60 PY_SSL_CERT_REQUIRED |
|
61 }; |
|
62 |
|
63 enum py_ssl_version { |
|
64 PY_SSL_VERSION_SSL2, |
|
65 PY_SSL_VERSION_SSL3, |
|
66 PY_SSL_VERSION_SSL23, |
|
67 PY_SSL_VERSION_TLS1, |
|
68 }; |
|
69 |
|
70 /* Include symbols from _socket module */ |
|
71 #include "socketmodule.h" |
|
72 |
|
73 #if defined(HAVE_POLL_H) |
|
74 #include <poll.h> |
|
75 #elif defined(HAVE_SYS_POLL_H) |
|
76 #include <sys/poll.h> |
|
77 #endif |
|
78 |
|
79 /* Include OpenSSL header files */ |
|
80 #include "openssl/rsa.h" |
|
81 #include "openssl/crypto.h" |
|
82 #include "openssl/x509.h" |
|
83 #include "openssl/x509v3.h" |
|
84 #include "openssl/pem.h" |
|
85 #include "openssl/ssl.h" |
|
86 #include "openssl/err.h" |
|
87 #include "openssl/rand.h" |
|
88 |
|
89 /* SSL error object */ |
|
90 static PyObject *PySSLErrorObject; |
|
91 |
|
92 #ifdef WITH_THREAD |
|
93 |
|
94 /* serves as a flag to see whether we've initialized the SSL thread support. */ |
|
95 /* 0 means no, greater than 0 means yes */ |
|
96 |
|
97 static unsigned int _ssl_locks_count = 0; |
|
98 |
|
99 #endif /* def WITH_THREAD */ |
|
100 |
|
101 /* SSL socket object */ |
|
102 |
|
103 #define X509_NAME_MAXLEN 256 |
|
104 |
|
105 /* RAND_* APIs got added to OpenSSL in 0.9.5 */ |
|
106 #if OPENSSL_VERSION_NUMBER >= 0x0090500fL |
|
107 # define HAVE_OPENSSL_RAND 1 |
|
108 #else |
|
109 # undef HAVE_OPENSSL_RAND |
|
110 #endif |
|
111 |
|
112 typedef struct { |
|
113 PyObject_HEAD |
|
114 PySocketSockObject *Socket; /* Socket on which we're layered */ |
|
115 SSL_CTX* ctx; |
|
116 SSL* ssl; |
|
117 X509* peer_cert; |
|
118 char server[X509_NAME_MAXLEN]; |
|
119 char issuer[X509_NAME_MAXLEN]; |
|
120 |
|
121 } PySSLObject; |
|
122 |
|
123 static PyTypeObject PySSL_Type; |
|
124 static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args); |
|
125 static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args); |
|
126 static int check_socket_and_wait_for_timeout(PySocketSockObject *s, |
|
127 int writing); |
|
128 static PyObject *PySSL_peercert(PySSLObject *self, PyObject *args); |
|
129 static PyObject *PySSL_cipher(PySSLObject *self); |
|
130 |
|
131 #define PySSLObject_Check(v) (Py_TYPE(v) == &PySSL_Type) |
|
132 |
|
133 typedef enum { |
|
134 SOCKET_IS_NONBLOCKING, |
|
135 SOCKET_IS_BLOCKING, |
|
136 SOCKET_HAS_TIMED_OUT, |
|
137 SOCKET_HAS_BEEN_CLOSED, |
|
138 SOCKET_TOO_LARGE_FOR_SELECT, |
|
139 SOCKET_OPERATION_OK |
|
140 } timeout_state; |
|
141 |
|
142 /* Wrap error strings with filename and line # */ |
|
143 #define STRINGIFY1(x) #x |
|
144 #define STRINGIFY2(x) STRINGIFY1(x) |
|
145 #define ERRSTR1(x,y,z) (x ":" y ": " z) |
|
146 #define ERRSTR(x) ERRSTR1("_ssl.c", STRINGIFY2(__LINE__), x) |
|
147 |
|
148 /* XXX It might be helpful to augment the error message generated |
|
149 below with the name of the SSL function that generated the error. |
|
150 I expect it's obvious most of the time. |
|
151 */ |
|
152 |
|
153 static PyObject * |
|
154 PySSL_SetError(PySSLObject *obj, int ret, char *filename, int lineno) |
|
155 { |
|
156 PyObject *v; |
|
157 char buf[2048]; |
|
158 char *errstr; |
|
159 int err; |
|
160 enum py_ssl_error p = PY_SSL_ERROR_NONE; |
|
161 |
|
162 assert(ret <= 0); |
|
163 |
|
164 if (obj->ssl != NULL) { |
|
165 err = SSL_get_error(obj->ssl, ret); |
|
166 |
|
167 switch (err) { |
|
168 case SSL_ERROR_ZERO_RETURN: |
|
169 errstr = "TLS/SSL connection has been closed"; |
|
170 p = PY_SSL_ERROR_ZERO_RETURN; |
|
171 break; |
|
172 case SSL_ERROR_WANT_READ: |
|
173 errstr = "The operation did not complete (read)"; |
|
174 p = PY_SSL_ERROR_WANT_READ; |
|
175 break; |
|
176 case SSL_ERROR_WANT_WRITE: |
|
177 p = PY_SSL_ERROR_WANT_WRITE; |
|
178 errstr = "The operation did not complete (write)"; |
|
179 break; |
|
180 case SSL_ERROR_WANT_X509_LOOKUP: |
|
181 p = PY_SSL_ERROR_WANT_X509_LOOKUP; |
|
182 errstr = |
|
183 "The operation did not complete (X509 lookup)"; |
|
184 break; |
|
185 case SSL_ERROR_WANT_CONNECT: |
|
186 p = PY_SSL_ERROR_WANT_CONNECT; |
|
187 errstr = "The operation did not complete (connect)"; |
|
188 break; |
|
189 case SSL_ERROR_SYSCALL: |
|
190 { |
|
191 unsigned long e = ERR_get_error(); |
|
192 if (e == 0) { |
|
193 if (ret == 0 || !obj->Socket) { |
|
194 p = PY_SSL_ERROR_EOF; |
|
195 errstr = |
|
196 "EOF occurred in violation of protocol"; |
|
197 } else if (ret == -1) { |
|
198 /* underlying BIO reported an I/O error */ |
|
199 return obj->Socket->errorhandler(); |
|
200 } else { /* possible? */ |
|
201 p = PY_SSL_ERROR_SYSCALL; |
|
202 errstr = "Some I/O error occurred"; |
|
203 } |
|
204 } else { |
|
205 p = PY_SSL_ERROR_SYSCALL; |
|
206 /* XXX Protected by global interpreter lock */ |
|
207 errstr = ERR_error_string(e, NULL); |
|
208 } |
|
209 break; |
|
210 } |
|
211 case SSL_ERROR_SSL: |
|
212 { |
|
213 unsigned long e = ERR_get_error(); |
|
214 p = PY_SSL_ERROR_SSL; |
|
215 if (e != 0) |
|
216 /* XXX Protected by global interpreter lock */ |
|
217 errstr = ERR_error_string(e, NULL); |
|
218 else { /* possible? */ |
|
219 errstr = |
|
220 "A failure in the SSL library occurred"; |
|
221 } |
|
222 break; |
|
223 } |
|
224 default: |
|
225 p = PY_SSL_ERROR_INVALID_ERROR_CODE; |
|
226 errstr = "Invalid error code"; |
|
227 } |
|
228 } else { |
|
229 errstr = ERR_error_string(ERR_peek_last_error(), NULL); |
|
230 } |
|
231 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); |
|
232 v = Py_BuildValue("(is)", p, buf); |
|
233 if (v != NULL) { |
|
234 PyErr_SetObject(PySSLErrorObject, v); |
|
235 Py_DECREF(v); |
|
236 } |
|
237 return NULL; |
|
238 } |
|
239 |
|
240 static PyObject * |
|
241 _setSSLError (char *errstr, int errcode, char *filename, int lineno) { |
|
242 |
|
243 char buf[2048]; |
|
244 PyObject *v; |
|
245 |
|
246 if (errstr == NULL) { |
|
247 errcode = ERR_peek_last_error(); |
|
248 errstr = ERR_error_string(errcode, NULL); |
|
249 } |
|
250 PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr); |
|
251 v = Py_BuildValue("(is)", errcode, buf); |
|
252 if (v != NULL) { |
|
253 PyErr_SetObject(PySSLErrorObject, v); |
|
254 Py_DECREF(v); |
|
255 } |
|
256 return NULL; |
|
257 } |
|
258 |
|
259 static PySSLObject * |
|
260 newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, |
|
261 enum py_ssl_server_or_client socket_type, |
|
262 enum py_ssl_cert_requirements certreq, |
|
263 enum py_ssl_version proto_version, |
|
264 char *cacerts_file) |
|
265 { |
|
266 PySSLObject *self; |
|
267 char *errstr = NULL; |
|
268 int ret; |
|
269 int verification_mode; |
|
270 |
|
271 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ |
|
272 if (self == NULL) |
|
273 return NULL; |
|
274 memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN); |
|
275 memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN); |
|
276 self->peer_cert = NULL; |
|
277 self->ssl = NULL; |
|
278 self->ctx = NULL; |
|
279 self->Socket = NULL; |
|
280 |
|
281 /* Make sure the SSL error state is initialized */ |
|
282 (void) ERR_get_state(); |
|
283 ERR_clear_error(); |
|
284 |
|
285 if ((key_file && !cert_file) || (!key_file && cert_file)) { |
|
286 errstr = ERRSTR("Both the key & certificate files " |
|
287 "must be specified"); |
|
288 goto fail; |
|
289 } |
|
290 |
|
291 if ((socket_type == PY_SSL_SERVER) && |
|
292 ((key_file == NULL) || (cert_file == NULL))) { |
|
293 errstr = ERRSTR("Both the key & certificate files " |
|
294 "must be specified for server-side operation"); |
|
295 goto fail; |
|
296 } |
|
297 |
|
298 PySSL_BEGIN_ALLOW_THREADS |
|
299 if (proto_version == PY_SSL_VERSION_TLS1) |
|
300 self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */ |
|
301 else if (proto_version == PY_SSL_VERSION_SSL3) |
|
302 self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */ |
|
303 else if (proto_version == PY_SSL_VERSION_SSL2) |
|
304 self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */ |
|
305 else if (proto_version == PY_SSL_VERSION_SSL23) |
|
306 self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ |
|
307 PySSL_END_ALLOW_THREADS |
|
308 |
|
309 if (self->ctx == NULL) { |
|
310 errstr = ERRSTR("Invalid SSL protocol variant specified."); |
|
311 goto fail; |
|
312 } |
|
313 |
|
314 if (certreq != PY_SSL_CERT_NONE) { |
|
315 if (cacerts_file == NULL) { |
|
316 errstr = ERRSTR("No root certificates specified for " |
|
317 "verification of other-side certificates."); |
|
318 goto fail; |
|
319 } else { |
|
320 PySSL_BEGIN_ALLOW_THREADS |
|
321 ret = SSL_CTX_load_verify_locations(self->ctx, |
|
322 cacerts_file, |
|
323 NULL); |
|
324 PySSL_END_ALLOW_THREADS |
|
325 if (ret != 1) { |
|
326 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
327 goto fail; |
|
328 } |
|
329 } |
|
330 } |
|
331 if (key_file) { |
|
332 PySSL_BEGIN_ALLOW_THREADS |
|
333 ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file, |
|
334 SSL_FILETYPE_PEM); |
|
335 PySSL_END_ALLOW_THREADS |
|
336 if (ret != 1) { |
|
337 _setSSLError(NULL, ret, __FILE__, __LINE__); |
|
338 goto fail; |
|
339 } |
|
340 |
|
341 PySSL_BEGIN_ALLOW_THREADS |
|
342 ret = SSL_CTX_use_certificate_chain_file(self->ctx, |
|
343 cert_file); |
|
344 PySSL_END_ALLOW_THREADS |
|
345 if (ret != 1) { |
|
346 /* |
|
347 fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n", |
|
348 ret, ERR_peek_error(), ERR_peek_last_error(), cert_file); |
|
349 */ |
|
350 if (ERR_peek_last_error() != 0) { |
|
351 _setSSLError(NULL, ret, __FILE__, __LINE__); |
|
352 goto fail; |
|
353 } |
|
354 } |
|
355 } |
|
356 |
|
357 /* ssl compatibility */ |
|
358 SSL_CTX_set_options(self->ctx, SSL_OP_ALL); |
|
359 |
|
360 verification_mode = SSL_VERIFY_NONE; |
|
361 if (certreq == PY_SSL_CERT_OPTIONAL) |
|
362 verification_mode = SSL_VERIFY_PEER; |
|
363 else if (certreq == PY_SSL_CERT_REQUIRED) |
|
364 verification_mode = (SSL_VERIFY_PEER | |
|
365 SSL_VERIFY_FAIL_IF_NO_PEER_CERT); |
|
366 SSL_CTX_set_verify(self->ctx, verification_mode, |
|
367 NULL); /* set verify lvl */ |
|
368 |
|
369 PySSL_BEGIN_ALLOW_THREADS |
|
370 self->ssl = SSL_new(self->ctx); /* New ssl struct */ |
|
371 PySSL_END_ALLOW_THREADS |
|
372 SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */ |
|
373 |
|
374 /* If the socket is in non-blocking mode or timeout mode, set the BIO |
|
375 * to non-blocking mode (blocking is the default) |
|
376 */ |
|
377 if (Sock->sock_timeout >= 0.0) { |
|
378 /* Set both the read and write BIO's to non-blocking mode */ |
|
379 BIO_set_nbio(SSL_get_rbio(self->ssl), 1); |
|
380 BIO_set_nbio(SSL_get_wbio(self->ssl), 1); |
|
381 } |
|
382 |
|
383 PySSL_BEGIN_ALLOW_THREADS |
|
384 if (socket_type == PY_SSL_CLIENT) |
|
385 SSL_set_connect_state(self->ssl); |
|
386 else |
|
387 SSL_set_accept_state(self->ssl); |
|
388 PySSL_END_ALLOW_THREADS |
|
389 |
|
390 self->Socket = Sock; |
|
391 Py_INCREF(self->Socket); |
|
392 return self; |
|
393 fail: |
|
394 if (errstr) |
|
395 PyErr_SetString(PySSLErrorObject, errstr); |
|
396 Py_DECREF(self); |
|
397 return NULL; |
|
398 } |
|
399 |
|
400 static PyObject * |
|
401 PySSL_sslwrap(PyObject *self, PyObject *args) |
|
402 { |
|
403 PySocketSockObject *Sock; |
|
404 int server_side = 0; |
|
405 int verification_mode = PY_SSL_CERT_NONE; |
|
406 int protocol = PY_SSL_VERSION_SSL23; |
|
407 char *key_file = NULL; |
|
408 char *cert_file = NULL; |
|
409 char *cacerts_file = NULL; |
|
410 |
|
411 if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap", |
|
412 PySocketModule.Sock_Type, |
|
413 &Sock, |
|
414 &server_side, |
|
415 &key_file, &cert_file, |
|
416 &verification_mode, &protocol, |
|
417 &cacerts_file)) |
|
418 return NULL; |
|
419 |
|
420 /* |
|
421 fprintf(stderr, |
|
422 "server_side is %d, keyfile %p, certfile %p, verify_mode %d, " |
|
423 "protocol %d, certs %p\n", |
|
424 server_side, key_file, cert_file, verification_mode, |
|
425 protocol, cacerts_file); |
|
426 */ |
|
427 |
|
428 return (PyObject *) newPySSLObject(Sock, key_file, cert_file, |
|
429 server_side, verification_mode, |
|
430 protocol, cacerts_file); |
|
431 } |
|
432 |
|
433 PyDoc_STRVAR(ssl_doc, |
|
434 "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n" |
|
435 " cacertsfile]) -> sslobject"); |
|
436 |
|
437 /* SSL object methods */ |
|
438 |
|
439 static PyObject *PySSL_SSLdo_handshake(PySSLObject *self) |
|
440 { |
|
441 int ret; |
|
442 int err; |
|
443 int sockstate; |
|
444 |
|
445 /* Actually negotiate SSL connection */ |
|
446 /* XXX If SSL_do_handshake() returns 0, it's also a failure. */ |
|
447 sockstate = 0; |
|
448 do { |
|
449 PySSL_BEGIN_ALLOW_THREADS |
|
450 ret = SSL_do_handshake(self->ssl); |
|
451 err = SSL_get_error(self->ssl, ret); |
|
452 PySSL_END_ALLOW_THREADS |
|
453 if(PyErr_CheckSignals()) { |
|
454 return NULL; |
|
455 } |
|
456 if (err == SSL_ERROR_WANT_READ) { |
|
457 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); |
|
458 } else if (err == SSL_ERROR_WANT_WRITE) { |
|
459 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); |
|
460 } else { |
|
461 sockstate = SOCKET_OPERATION_OK; |
|
462 } |
|
463 if (sockstate == SOCKET_HAS_TIMED_OUT) { |
|
464 PyErr_SetString(PySSLErrorObject, |
|
465 ERRSTR("The handshake operation timed out")); |
|
466 return NULL; |
|
467 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
|
468 PyErr_SetString(PySSLErrorObject, |
|
469 ERRSTR("Underlying socket has been closed.")); |
|
470 return NULL; |
|
471 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
|
472 PyErr_SetString(PySSLErrorObject, |
|
473 ERRSTR("Underlying socket too large for select().")); |
|
474 return NULL; |
|
475 } else if (sockstate == SOCKET_IS_NONBLOCKING) { |
|
476 break; |
|
477 } |
|
478 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); |
|
479 if (ret < 1) |
|
480 return PySSL_SetError(self, ret, __FILE__, __LINE__); |
|
481 self->ssl->debug = 1; |
|
482 |
|
483 if (self->peer_cert) |
|
484 X509_free (self->peer_cert); |
|
485 PySSL_BEGIN_ALLOW_THREADS |
|
486 if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) { |
|
487 X509_NAME_oneline(X509_get_subject_name(self->peer_cert), |
|
488 self->server, X509_NAME_MAXLEN); |
|
489 X509_NAME_oneline(X509_get_issuer_name(self->peer_cert), |
|
490 self->issuer, X509_NAME_MAXLEN); |
|
491 } |
|
492 PySSL_END_ALLOW_THREADS |
|
493 |
|
494 Py_INCREF(Py_None); |
|
495 return Py_None; |
|
496 } |
|
497 |
|
498 static PyObject * |
|
499 PySSL_server(PySSLObject *self) |
|
500 { |
|
501 return PyString_FromString(self->server); |
|
502 } |
|
503 |
|
504 static PyObject * |
|
505 PySSL_issuer(PySSLObject *self) |
|
506 { |
|
507 return PyString_FromString(self->issuer); |
|
508 } |
|
509 |
|
510 static PyObject * |
|
511 _create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) { |
|
512 |
|
513 char namebuf[X509_NAME_MAXLEN]; |
|
514 int buflen; |
|
515 PyObject *name_obj; |
|
516 PyObject *value_obj; |
|
517 PyObject *attr; |
|
518 unsigned char *valuebuf = NULL; |
|
519 |
|
520 buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0); |
|
521 if (buflen < 0) { |
|
522 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
523 goto fail; |
|
524 } |
|
525 name_obj = PyString_FromStringAndSize(namebuf, buflen); |
|
526 if (name_obj == NULL) |
|
527 goto fail; |
|
528 |
|
529 buflen = ASN1_STRING_to_UTF8(&valuebuf, value); |
|
530 if (buflen < 0) { |
|
531 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
532 Py_DECREF(name_obj); |
|
533 goto fail; |
|
534 } |
|
535 value_obj = PyUnicode_DecodeUTF8((char *) valuebuf, |
|
536 buflen, "strict"); |
|
537 OPENSSL_free(valuebuf); |
|
538 if (value_obj == NULL) { |
|
539 Py_DECREF(name_obj); |
|
540 goto fail; |
|
541 } |
|
542 attr = PyTuple_New(2); |
|
543 if (attr == NULL) { |
|
544 Py_DECREF(name_obj); |
|
545 Py_DECREF(value_obj); |
|
546 goto fail; |
|
547 } |
|
548 PyTuple_SET_ITEM(attr, 0, name_obj); |
|
549 PyTuple_SET_ITEM(attr, 1, value_obj); |
|
550 return attr; |
|
551 |
|
552 fail: |
|
553 return NULL; |
|
554 } |
|
555 |
|
556 static PyObject * |
|
557 _create_tuple_for_X509_NAME (X509_NAME *xname) |
|
558 { |
|
559 PyObject *dn = NULL; /* tuple which represents the "distinguished name" */ |
|
560 PyObject *rdn = NULL; /* tuple to hold a "relative distinguished name" */ |
|
561 PyObject *rdnt; |
|
562 PyObject *attr = NULL; /* tuple to hold an attribute */ |
|
563 int entry_count = X509_NAME_entry_count(xname); |
|
564 X509_NAME_ENTRY *entry; |
|
565 ASN1_OBJECT *name; |
|
566 ASN1_STRING *value; |
|
567 int index_counter; |
|
568 int rdn_level = -1; |
|
569 int retcode; |
|
570 |
|
571 dn = PyList_New(0); |
|
572 if (dn == NULL) |
|
573 return NULL; |
|
574 /* now create another tuple to hold the top-level RDN */ |
|
575 rdn = PyList_New(0); |
|
576 if (rdn == NULL) |
|
577 goto fail0; |
|
578 |
|
579 for (index_counter = 0; |
|
580 index_counter < entry_count; |
|
581 index_counter++) |
|
582 { |
|
583 entry = X509_NAME_get_entry(xname, index_counter); |
|
584 |
|
585 /* check to see if we've gotten to a new RDN */ |
|
586 if (rdn_level >= 0) { |
|
587 if (rdn_level != entry->set) { |
|
588 /* yes, new RDN */ |
|
589 /* add old RDN to DN */ |
|
590 rdnt = PyList_AsTuple(rdn); |
|
591 Py_DECREF(rdn); |
|
592 if (rdnt == NULL) |
|
593 goto fail0; |
|
594 retcode = PyList_Append(dn, rdnt); |
|
595 Py_DECREF(rdnt); |
|
596 if (retcode < 0) |
|
597 goto fail0; |
|
598 /* create new RDN */ |
|
599 rdn = PyList_New(0); |
|
600 if (rdn == NULL) |
|
601 goto fail0; |
|
602 } |
|
603 } |
|
604 rdn_level = entry->set; |
|
605 |
|
606 /* now add this attribute to the current RDN */ |
|
607 name = X509_NAME_ENTRY_get_object(entry); |
|
608 value = X509_NAME_ENTRY_get_data(entry); |
|
609 attr = _create_tuple_for_attribute(name, value); |
|
610 /* |
|
611 fprintf(stderr, "RDN level %d, attribute %s: %s\n", |
|
612 entry->set, |
|
613 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 0)), |
|
614 PyString_AS_STRING(PyTuple_GET_ITEM(attr, 1))); |
|
615 */ |
|
616 if (attr == NULL) |
|
617 goto fail1; |
|
618 retcode = PyList_Append(rdn, attr); |
|
619 Py_DECREF(attr); |
|
620 if (retcode < 0) |
|
621 goto fail1; |
|
622 } |
|
623 /* now, there's typically a dangling RDN */ |
|
624 if ((rdn != NULL) && (PyList_Size(rdn) > 0)) { |
|
625 rdnt = PyList_AsTuple(rdn); |
|
626 Py_DECREF(rdn); |
|
627 if (rdnt == NULL) |
|
628 goto fail0; |
|
629 retcode = PyList_Append(dn, rdnt); |
|
630 Py_DECREF(rdnt); |
|
631 if (retcode < 0) |
|
632 goto fail0; |
|
633 } |
|
634 |
|
635 /* convert list to tuple */ |
|
636 rdnt = PyList_AsTuple(dn); |
|
637 Py_DECREF(dn); |
|
638 if (rdnt == NULL) |
|
639 return NULL; |
|
640 return rdnt; |
|
641 |
|
642 fail1: |
|
643 Py_XDECREF(rdn); |
|
644 |
|
645 fail0: |
|
646 Py_XDECREF(dn); |
|
647 return NULL; |
|
648 } |
|
649 |
|
650 static PyObject * |
|
651 _get_peer_alt_names (X509 *certificate) { |
|
652 |
|
653 /* this code follows the procedure outlined in |
|
654 OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print() |
|
655 function to extract the STACK_OF(GENERAL_NAME), |
|
656 then iterates through the stack to add the |
|
657 names. */ |
|
658 |
|
659 int i, j; |
|
660 PyObject *peer_alt_names = Py_None; |
|
661 PyObject *v, *t; |
|
662 X509_EXTENSION *ext = NULL; |
|
663 GENERAL_NAMES *names = NULL; |
|
664 GENERAL_NAME *name; |
|
665 X509V3_EXT_METHOD *method; |
|
666 BIO *biobuf = NULL; |
|
667 char buf[2048]; |
|
668 char *vptr; |
|
669 int len; |
|
670 const unsigned char *p; |
|
671 |
|
672 if (certificate == NULL) |
|
673 return peer_alt_names; |
|
674 |
|
675 /* get a memory buffer */ |
|
676 biobuf = BIO_new(BIO_s_mem()); |
|
677 |
|
678 i = 0; |
|
679 while ((i = X509_get_ext_by_NID( |
|
680 certificate, NID_subject_alt_name, i)) >= 0) { |
|
681 |
|
682 if (peer_alt_names == Py_None) { |
|
683 peer_alt_names = PyList_New(0); |
|
684 if (peer_alt_names == NULL) |
|
685 goto fail; |
|
686 } |
|
687 |
|
688 /* now decode the altName */ |
|
689 ext = X509_get_ext(certificate, i); |
|
690 if(!(method = X509V3_EXT_get(ext))) { |
|
691 PyErr_SetString(PySSLErrorObject, |
|
692 ERRSTR("No method for internalizing subjectAltName!")); |
|
693 goto fail; |
|
694 } |
|
695 |
|
696 p = ext->value->data; |
|
697 if (method->it) |
|
698 names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, |
|
699 &p, |
|
700 ext->value->length, |
|
701 ASN1_ITEM_ptr(method->it))); |
|
702 else |
|
703 names = (GENERAL_NAMES*) (method->d2i(NULL, |
|
704 &p, |
|
705 ext->value->length)); |
|
706 |
|
707 for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { |
|
708 |
|
709 /* get a rendering of each name in the set of names */ |
|
710 |
|
711 name = sk_GENERAL_NAME_value(names, j); |
|
712 if (name->type == GEN_DIRNAME) { |
|
713 |
|
714 /* we special-case DirName as a tuple of tuples of attributes */ |
|
715 |
|
716 t = PyTuple_New(2); |
|
717 if (t == NULL) { |
|
718 goto fail; |
|
719 } |
|
720 |
|
721 v = PyString_FromString("DirName"); |
|
722 if (v == NULL) { |
|
723 Py_DECREF(t); |
|
724 goto fail; |
|
725 } |
|
726 PyTuple_SET_ITEM(t, 0, v); |
|
727 |
|
728 v = _create_tuple_for_X509_NAME (name->d.dirn); |
|
729 if (v == NULL) { |
|
730 Py_DECREF(t); |
|
731 goto fail; |
|
732 } |
|
733 PyTuple_SET_ITEM(t, 1, v); |
|
734 |
|
735 } else { |
|
736 |
|
737 /* for everything else, we use the OpenSSL print form */ |
|
738 |
|
739 (void) BIO_reset(biobuf); |
|
740 GENERAL_NAME_print(biobuf, name); |
|
741 len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
|
742 if (len < 0) { |
|
743 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
744 goto fail; |
|
745 } |
|
746 vptr = strchr(buf, ':'); |
|
747 if (vptr == NULL) |
|
748 goto fail; |
|
749 t = PyTuple_New(2); |
|
750 if (t == NULL) |
|
751 goto fail; |
|
752 v = PyString_FromStringAndSize(buf, (vptr - buf)); |
|
753 if (v == NULL) { |
|
754 Py_DECREF(t); |
|
755 goto fail; |
|
756 } |
|
757 PyTuple_SET_ITEM(t, 0, v); |
|
758 v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1))); |
|
759 if (v == NULL) { |
|
760 Py_DECREF(t); |
|
761 goto fail; |
|
762 } |
|
763 PyTuple_SET_ITEM(t, 1, v); |
|
764 } |
|
765 |
|
766 /* and add that rendering to the list */ |
|
767 |
|
768 if (PyList_Append(peer_alt_names, t) < 0) { |
|
769 Py_DECREF(t); |
|
770 goto fail; |
|
771 } |
|
772 Py_DECREF(t); |
|
773 } |
|
774 } |
|
775 BIO_free(biobuf); |
|
776 if (peer_alt_names != Py_None) { |
|
777 v = PyList_AsTuple(peer_alt_names); |
|
778 Py_DECREF(peer_alt_names); |
|
779 return v; |
|
780 } else { |
|
781 return peer_alt_names; |
|
782 } |
|
783 |
|
784 |
|
785 fail: |
|
786 if (biobuf != NULL) |
|
787 BIO_free(biobuf); |
|
788 |
|
789 if (peer_alt_names != Py_None) { |
|
790 Py_XDECREF(peer_alt_names); |
|
791 } |
|
792 |
|
793 return NULL; |
|
794 } |
|
795 |
|
796 static PyObject * |
|
797 _decode_certificate (X509 *certificate, int verbose) { |
|
798 |
|
799 PyObject *retval = NULL; |
|
800 BIO *biobuf = NULL; |
|
801 PyObject *peer; |
|
802 PyObject *peer_alt_names = NULL; |
|
803 PyObject *issuer; |
|
804 PyObject *version; |
|
805 PyObject *sn_obj; |
|
806 ASN1_INTEGER *serialNumber; |
|
807 char buf[2048]; |
|
808 int len; |
|
809 ASN1_TIME *notBefore, *notAfter; |
|
810 PyObject *pnotBefore, *pnotAfter; |
|
811 |
|
812 retval = PyDict_New(); |
|
813 if (retval == NULL) |
|
814 return NULL; |
|
815 |
|
816 peer = _create_tuple_for_X509_NAME( |
|
817 X509_get_subject_name(certificate)); |
|
818 if (peer == NULL) |
|
819 goto fail0; |
|
820 if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) { |
|
821 Py_DECREF(peer); |
|
822 goto fail0; |
|
823 } |
|
824 Py_DECREF(peer); |
|
825 |
|
826 if (verbose) { |
|
827 issuer = _create_tuple_for_X509_NAME( |
|
828 X509_get_issuer_name(certificate)); |
|
829 if (issuer == NULL) |
|
830 goto fail0; |
|
831 if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) { |
|
832 Py_DECREF(issuer); |
|
833 goto fail0; |
|
834 } |
|
835 Py_DECREF(issuer); |
|
836 |
|
837 version = PyInt_FromLong(X509_get_version(certificate) + 1); |
|
838 if (PyDict_SetItemString(retval, "version", version) < 0) { |
|
839 Py_DECREF(version); |
|
840 goto fail0; |
|
841 } |
|
842 Py_DECREF(version); |
|
843 } |
|
844 |
|
845 /* get a memory buffer */ |
|
846 biobuf = BIO_new(BIO_s_mem()); |
|
847 |
|
848 if (verbose) { |
|
849 |
|
850 (void) BIO_reset(biobuf); |
|
851 serialNumber = X509_get_serialNumber(certificate); |
|
852 /* should not exceed 20 octets, 160 bits, so buf is big enough */ |
|
853 i2a_ASN1_INTEGER(biobuf, serialNumber); |
|
854 len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
|
855 if (len < 0) { |
|
856 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
857 goto fail1; |
|
858 } |
|
859 sn_obj = PyString_FromStringAndSize(buf, len); |
|
860 if (sn_obj == NULL) |
|
861 goto fail1; |
|
862 if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) { |
|
863 Py_DECREF(sn_obj); |
|
864 goto fail1; |
|
865 } |
|
866 Py_DECREF(sn_obj); |
|
867 |
|
868 (void) BIO_reset(biobuf); |
|
869 notBefore = X509_get_notBefore(certificate); |
|
870 ASN1_TIME_print(biobuf, notBefore); |
|
871 len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
|
872 if (len < 0) { |
|
873 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
874 goto fail1; |
|
875 } |
|
876 pnotBefore = PyString_FromStringAndSize(buf, len); |
|
877 if (pnotBefore == NULL) |
|
878 goto fail1; |
|
879 if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) { |
|
880 Py_DECREF(pnotBefore); |
|
881 goto fail1; |
|
882 } |
|
883 Py_DECREF(pnotBefore); |
|
884 } |
|
885 |
|
886 (void) BIO_reset(biobuf); |
|
887 notAfter = X509_get_notAfter(certificate); |
|
888 ASN1_TIME_print(biobuf, notAfter); |
|
889 len = BIO_gets(biobuf, buf, sizeof(buf)-1); |
|
890 if (len < 0) { |
|
891 _setSSLError(NULL, 0, __FILE__, __LINE__); |
|
892 goto fail1; |
|
893 } |
|
894 pnotAfter = PyString_FromStringAndSize(buf, len); |
|
895 if (pnotAfter == NULL) |
|
896 goto fail1; |
|
897 if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) { |
|
898 Py_DECREF(pnotAfter); |
|
899 goto fail1; |
|
900 } |
|
901 Py_DECREF(pnotAfter); |
|
902 |
|
903 /* Now look for subjectAltName */ |
|
904 |
|
905 peer_alt_names = _get_peer_alt_names(certificate); |
|
906 if (peer_alt_names == NULL) |
|
907 goto fail1; |
|
908 else if (peer_alt_names != Py_None) { |
|
909 if (PyDict_SetItemString(retval, "subjectAltName", |
|
910 peer_alt_names) < 0) { |
|
911 Py_DECREF(peer_alt_names); |
|
912 goto fail1; |
|
913 } |
|
914 Py_DECREF(peer_alt_names); |
|
915 } |
|
916 |
|
917 BIO_free(biobuf); |
|
918 return retval; |
|
919 |
|
920 fail1: |
|
921 if (biobuf != NULL) |
|
922 BIO_free(biobuf); |
|
923 fail0: |
|
924 Py_XDECREF(retval); |
|
925 return NULL; |
|
926 } |
|
927 |
|
928 |
|
929 static PyObject * |
|
930 PySSL_test_decode_certificate (PyObject *mod, PyObject *args) { |
|
931 |
|
932 PyObject *retval = NULL; |
|
933 char *filename = NULL; |
|
934 X509 *x=NULL; |
|
935 BIO *cert; |
|
936 int verbose = 1; |
|
937 |
|
938 if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose)) |
|
939 return NULL; |
|
940 |
|
941 if ((cert=BIO_new(BIO_s_file())) == NULL) { |
|
942 PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file"); |
|
943 goto fail0; |
|
944 } |
|
945 |
|
946 if (BIO_read_filename(cert,filename) <= 0) { |
|
947 PyErr_SetString(PySSLErrorObject, "Can't open file"); |
|
948 goto fail0; |
|
949 } |
|
950 |
|
951 x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); |
|
952 if (x == NULL) { |
|
953 PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file"); |
|
954 goto fail0; |
|
955 } |
|
956 |
|
957 retval = _decode_certificate(x, verbose); |
|
958 |
|
959 fail0: |
|
960 |
|
961 if (cert != NULL) BIO_free(cert); |
|
962 return retval; |
|
963 } |
|
964 |
|
965 |
|
966 static PyObject * |
|
967 PySSL_peercert(PySSLObject *self, PyObject *args) |
|
968 { |
|
969 PyObject *retval = NULL; |
|
970 int len; |
|
971 int verification; |
|
972 PyObject *binary_mode = Py_None; |
|
973 |
|
974 if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode)) |
|
975 return NULL; |
|
976 |
|
977 if (!self->peer_cert) |
|
978 Py_RETURN_NONE; |
|
979 |
|
980 if (PyObject_IsTrue(binary_mode)) { |
|
981 /* return cert in DER-encoded format */ |
|
982 |
|
983 unsigned char *bytes_buf = NULL; |
|
984 |
|
985 bytes_buf = NULL; |
|
986 len = i2d_X509(self->peer_cert, &bytes_buf); |
|
987 if (len < 0) { |
|
988 PySSL_SetError(self, len, __FILE__, __LINE__); |
|
989 return NULL; |
|
990 } |
|
991 retval = PyString_FromStringAndSize((const char *) bytes_buf, len); |
|
992 OPENSSL_free(bytes_buf); |
|
993 return retval; |
|
994 |
|
995 } else { |
|
996 |
|
997 verification = SSL_CTX_get_verify_mode(self->ctx); |
|
998 if ((verification & SSL_VERIFY_PEER) == 0) |
|
999 return PyDict_New(); |
|
1000 else |
|
1001 return _decode_certificate (self->peer_cert, 0); |
|
1002 } |
|
1003 } |
|
1004 |
|
1005 PyDoc_STRVAR(PySSL_peercert_doc, |
|
1006 "peer_certificate([der=False]) -> certificate\n\ |
|
1007 \n\ |
|
1008 Returns the certificate for the peer. If no certificate was provided,\n\ |
|
1009 returns None. If a certificate was provided, but not validated, returns\n\ |
|
1010 an empty dictionary. Otherwise returns a dict containing information\n\ |
|
1011 about the peer certificate.\n\ |
|
1012 \n\ |
|
1013 If the optional argument is True, returns a DER-encoded copy of the\n\ |
|
1014 peer certificate, or None if no certificate was provided. This will\n\ |
|
1015 return the certificate even if it wasn't validated."); |
|
1016 |
|
1017 static PyObject *PySSL_cipher (PySSLObject *self) { |
|
1018 |
|
1019 PyObject *retval, *v; |
|
1020 SSL_CIPHER *current; |
|
1021 char *cipher_name; |
|
1022 char *cipher_protocol; |
|
1023 |
|
1024 if (self->ssl == NULL) |
|
1025 return Py_None; |
|
1026 current = SSL_get_current_cipher(self->ssl); |
|
1027 if (current == NULL) |
|
1028 return Py_None; |
|
1029 |
|
1030 retval = PyTuple_New(3); |
|
1031 if (retval == NULL) |
|
1032 return NULL; |
|
1033 |
|
1034 cipher_name = (char *) SSL_CIPHER_get_name(current); |
|
1035 if (cipher_name == NULL) { |
|
1036 PyTuple_SET_ITEM(retval, 0, Py_None); |
|
1037 } else { |
|
1038 v = PyString_FromString(cipher_name); |
|
1039 if (v == NULL) |
|
1040 goto fail0; |
|
1041 PyTuple_SET_ITEM(retval, 0, v); |
|
1042 } |
|
1043 cipher_protocol = SSL_CIPHER_get_version(current); |
|
1044 if (cipher_protocol == NULL) { |
|
1045 PyTuple_SET_ITEM(retval, 1, Py_None); |
|
1046 } else { |
|
1047 v = PyString_FromString(cipher_protocol); |
|
1048 if (v == NULL) |
|
1049 goto fail0; |
|
1050 PyTuple_SET_ITEM(retval, 1, v); |
|
1051 } |
|
1052 v = PyInt_FromLong(SSL_CIPHER_get_bits(current, NULL)); |
|
1053 if (v == NULL) |
|
1054 goto fail0; |
|
1055 PyTuple_SET_ITEM(retval, 2, v); |
|
1056 return retval; |
|
1057 |
|
1058 fail0: |
|
1059 Py_DECREF(retval); |
|
1060 return NULL; |
|
1061 } |
|
1062 |
|
1063 static void PySSL_dealloc(PySSLObject *self) |
|
1064 { |
|
1065 if (self->peer_cert) /* Possible not to have one? */ |
|
1066 X509_free (self->peer_cert); |
|
1067 if (self->ssl) |
|
1068 SSL_free(self->ssl); |
|
1069 if (self->ctx) |
|
1070 SSL_CTX_free(self->ctx); |
|
1071 Py_XDECREF(self->Socket); |
|
1072 PyObject_Del(self); |
|
1073 } |
|
1074 |
|
1075 /* If the socket has a timeout, do a select()/poll() on the socket. |
|
1076 The argument writing indicates the direction. |
|
1077 Returns one of the possibilities in the timeout_state enum (above). |
|
1078 */ |
|
1079 |
|
1080 static int |
|
1081 check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing) |
|
1082 { |
|
1083 fd_set fds; |
|
1084 struct timeval tv; |
|
1085 int rc; |
|
1086 |
|
1087 /* Nothing to do unless we're in timeout mode (not non-blocking) */ |
|
1088 if (s->sock_timeout < 0.0) |
|
1089 return SOCKET_IS_BLOCKING; |
|
1090 else if (s->sock_timeout == 0.0) |
|
1091 return SOCKET_IS_NONBLOCKING; |
|
1092 |
|
1093 /* Guard against closed socket */ |
|
1094 if (s->sock_fd < 0) |
|
1095 return SOCKET_HAS_BEEN_CLOSED; |
|
1096 |
|
1097 /* Prefer poll, if available, since you can poll() any fd |
|
1098 * which can't be done with select(). */ |
|
1099 #ifdef HAVE_POLL |
|
1100 { |
|
1101 struct pollfd pollfd; |
|
1102 int timeout; |
|
1103 |
|
1104 pollfd.fd = s->sock_fd; |
|
1105 pollfd.events = writing ? POLLOUT : POLLIN; |
|
1106 |
|
1107 /* s->sock_timeout is in seconds, timeout in ms */ |
|
1108 timeout = (int)(s->sock_timeout * 1000 + 0.5); |
|
1109 PySSL_BEGIN_ALLOW_THREADS |
|
1110 rc = poll(&pollfd, 1, timeout); |
|
1111 PySSL_END_ALLOW_THREADS |
|
1112 |
|
1113 goto normal_return; |
|
1114 } |
|
1115 #endif |
|
1116 |
|
1117 /* Guard against socket too large for select*/ |
|
1118 #ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE |
|
1119 if (s->sock_fd >= FD_SETSIZE) |
|
1120 return SOCKET_TOO_LARGE_FOR_SELECT; |
|
1121 #endif |
|
1122 |
|
1123 /* Construct the arguments to select */ |
|
1124 tv.tv_sec = (int)s->sock_timeout; |
|
1125 tv.tv_usec = (int)((s->sock_timeout - tv.tv_sec) * 1e6); |
|
1126 FD_ZERO(&fds); |
|
1127 FD_SET(s->sock_fd, &fds); |
|
1128 |
|
1129 /* See if the socket is ready */ |
|
1130 PySSL_BEGIN_ALLOW_THREADS |
|
1131 if (writing) |
|
1132 rc = select(s->sock_fd+1, NULL, &fds, NULL, &tv); |
|
1133 else |
|
1134 rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv); |
|
1135 PySSL_END_ALLOW_THREADS |
|
1136 |
|
1137 #ifdef HAVE_POLL |
|
1138 normal_return: |
|
1139 #endif |
|
1140 /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise |
|
1141 (when we are able to write or when there's something to read) */ |
|
1142 return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK; |
|
1143 } |
|
1144 |
|
1145 static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args) |
|
1146 { |
|
1147 char *data; |
|
1148 int len; |
|
1149 int count; |
|
1150 int sockstate; |
|
1151 int err; |
|
1152 int nonblocking; |
|
1153 |
|
1154 if (!PyArg_ParseTuple(args, "s#:write", &data, &count)) |
|
1155 return NULL; |
|
1156 |
|
1157 /* just in case the blocking state of the socket has been changed */ |
|
1158 nonblocking = (self->Socket->sock_timeout >= 0.0); |
|
1159 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); |
|
1160 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); |
|
1161 |
|
1162 sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); |
|
1163 if (sockstate == SOCKET_HAS_TIMED_OUT) { |
|
1164 PyErr_SetString(PySSLErrorObject, |
|
1165 "The write operation timed out"); |
|
1166 return NULL; |
|
1167 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
|
1168 PyErr_SetString(PySSLErrorObject, |
|
1169 "Underlying socket has been closed."); |
|
1170 return NULL; |
|
1171 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
|
1172 PyErr_SetString(PySSLErrorObject, |
|
1173 "Underlying socket too large for select()."); |
|
1174 return NULL; |
|
1175 } |
|
1176 do { |
|
1177 err = 0; |
|
1178 PySSL_BEGIN_ALLOW_THREADS |
|
1179 len = SSL_write(self->ssl, data, count); |
|
1180 err = SSL_get_error(self->ssl, len); |
|
1181 PySSL_END_ALLOW_THREADS |
|
1182 if(PyErr_CheckSignals()) { |
|
1183 return NULL; |
|
1184 } |
|
1185 if (err == SSL_ERROR_WANT_READ) { |
|
1186 sockstate = |
|
1187 check_socket_and_wait_for_timeout(self->Socket, 0); |
|
1188 } else if (err == SSL_ERROR_WANT_WRITE) { |
|
1189 sockstate = |
|
1190 check_socket_and_wait_for_timeout(self->Socket, 1); |
|
1191 } else { |
|
1192 sockstate = SOCKET_OPERATION_OK; |
|
1193 } |
|
1194 if (sockstate == SOCKET_HAS_TIMED_OUT) { |
|
1195 PyErr_SetString(PySSLErrorObject, |
|
1196 "The write operation timed out"); |
|
1197 return NULL; |
|
1198 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
|
1199 PyErr_SetString(PySSLErrorObject, |
|
1200 "Underlying socket has been closed."); |
|
1201 return NULL; |
|
1202 } else if (sockstate == SOCKET_IS_NONBLOCKING) { |
|
1203 break; |
|
1204 } |
|
1205 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); |
|
1206 if (len > 0) |
|
1207 return PyInt_FromLong(len); |
|
1208 else |
|
1209 return PySSL_SetError(self, len, __FILE__, __LINE__); |
|
1210 } |
|
1211 |
|
1212 PyDoc_STRVAR(PySSL_SSLwrite_doc, |
|
1213 "write(s) -> len\n\ |
|
1214 \n\ |
|
1215 Writes the string s into the SSL object. Returns the number\n\ |
|
1216 of bytes written."); |
|
1217 |
|
1218 static PyObject *PySSL_SSLpending(PySSLObject *self) |
|
1219 { |
|
1220 int count = 0; |
|
1221 |
|
1222 PySSL_BEGIN_ALLOW_THREADS |
|
1223 count = SSL_pending(self->ssl); |
|
1224 PySSL_END_ALLOW_THREADS |
|
1225 if (count < 0) |
|
1226 return PySSL_SetError(self, count, __FILE__, __LINE__); |
|
1227 else |
|
1228 return PyInt_FromLong(count); |
|
1229 } |
|
1230 |
|
1231 PyDoc_STRVAR(PySSL_SSLpending_doc, |
|
1232 "pending() -> count\n\ |
|
1233 \n\ |
|
1234 Returns the number of already decrypted bytes available for read,\n\ |
|
1235 pending on the connection.\n"); |
|
1236 |
|
1237 static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args) |
|
1238 { |
|
1239 PyObject *buf; |
|
1240 int count = 0; |
|
1241 int len = 1024; |
|
1242 int sockstate; |
|
1243 int err; |
|
1244 int nonblocking; |
|
1245 |
|
1246 if (!PyArg_ParseTuple(args, "|i:read", &len)) |
|
1247 return NULL; |
|
1248 |
|
1249 if (!(buf = PyString_FromStringAndSize((char *) 0, len))) |
|
1250 return NULL; |
|
1251 |
|
1252 /* just in case the blocking state of the socket has been changed */ |
|
1253 nonblocking = (self->Socket->sock_timeout >= 0.0); |
|
1254 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); |
|
1255 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); |
|
1256 |
|
1257 /* first check if there are bytes ready to be read */ |
|
1258 PySSL_BEGIN_ALLOW_THREADS |
|
1259 count = SSL_pending(self->ssl); |
|
1260 PySSL_END_ALLOW_THREADS |
|
1261 |
|
1262 if (!count) { |
|
1263 sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); |
|
1264 if (sockstate == SOCKET_HAS_TIMED_OUT) { |
|
1265 PyErr_SetString(PySSLErrorObject, |
|
1266 "The read operation timed out"); |
|
1267 Py_DECREF(buf); |
|
1268 return NULL; |
|
1269 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { |
|
1270 PyErr_SetString(PySSLErrorObject, |
|
1271 "Underlying socket too large for select()."); |
|
1272 Py_DECREF(buf); |
|
1273 return NULL; |
|
1274 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { |
|
1275 if (SSL_get_shutdown(self->ssl) != |
|
1276 SSL_RECEIVED_SHUTDOWN) |
|
1277 { |
|
1278 Py_DECREF(buf); |
|
1279 PyErr_SetString(PySSLErrorObject, |
|
1280 "Socket closed without SSL shutdown handshake"); |
|
1281 return NULL; |
|
1282 } else { |
|
1283 /* should contain a zero-length string */ |
|
1284 _PyString_Resize(&buf, 0); |
|
1285 return buf; |
|
1286 } |
|
1287 } |
|
1288 } |
|
1289 do { |
|
1290 err = 0; |
|
1291 PySSL_BEGIN_ALLOW_THREADS |
|
1292 count = SSL_read(self->ssl, PyString_AsString(buf), len); |
|
1293 err = SSL_get_error(self->ssl, count); |
|
1294 PySSL_END_ALLOW_THREADS |
|
1295 if(PyErr_CheckSignals()) { |
|
1296 Py_DECREF(buf); |
|
1297 return NULL; |
|
1298 } |
|
1299 if (err == SSL_ERROR_WANT_READ) { |
|
1300 sockstate = |
|
1301 check_socket_and_wait_for_timeout(self->Socket, 0); |
|
1302 } else if (err == SSL_ERROR_WANT_WRITE) { |
|
1303 sockstate = |
|
1304 check_socket_and_wait_for_timeout(self->Socket, 1); |
|
1305 } else if ((err == SSL_ERROR_ZERO_RETURN) && |
|
1306 (SSL_get_shutdown(self->ssl) == |
|
1307 SSL_RECEIVED_SHUTDOWN)) |
|
1308 { |
|
1309 _PyString_Resize(&buf, 0); |
|
1310 return buf; |
|
1311 } else { |
|
1312 sockstate = SOCKET_OPERATION_OK; |
|
1313 } |
|
1314 if (sockstate == SOCKET_HAS_TIMED_OUT) { |
|
1315 PyErr_SetString(PySSLErrorObject, |
|
1316 "The read operation timed out"); |
|
1317 Py_DECREF(buf); |
|
1318 return NULL; |
|
1319 } else if (sockstate == SOCKET_IS_NONBLOCKING) { |
|
1320 break; |
|
1321 } |
|
1322 } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); |
|
1323 if (count <= 0) { |
|
1324 Py_DECREF(buf); |
|
1325 return PySSL_SetError(self, count, __FILE__, __LINE__); |
|
1326 } |
|
1327 if (count != len) |
|
1328 _PyString_Resize(&buf, count); |
|
1329 return buf; |
|
1330 } |
|
1331 |
|
1332 PyDoc_STRVAR(PySSL_SSLread_doc, |
|
1333 "read([len]) -> string\n\ |
|
1334 \n\ |
|
1335 Read up to len bytes from the SSL socket."); |
|
1336 |
|
1337 static PyObject *PySSL_SSLshutdown(PySSLObject *self) |
|
1338 { |
|
1339 int err; |
|
1340 |
|
1341 /* Guard against closed socket */ |
|
1342 if (self->Socket->sock_fd < 0) { |
|
1343 PyErr_SetString(PySSLErrorObject, |
|
1344 "Underlying socket has been closed."); |
|
1345 return NULL; |
|
1346 } |
|
1347 |
|
1348 PySSL_BEGIN_ALLOW_THREADS |
|
1349 err = SSL_shutdown(self->ssl); |
|
1350 if (err == 0) { |
|
1351 /* we need to call it again to finish the shutdown */ |
|
1352 err = SSL_shutdown(self->ssl); |
|
1353 } |
|
1354 PySSL_END_ALLOW_THREADS |
|
1355 |
|
1356 if (err < 0) |
|
1357 return PySSL_SetError(self, err, __FILE__, __LINE__); |
|
1358 else { |
|
1359 Py_INCREF(self->Socket); |
|
1360 return (PyObject *) (self->Socket); |
|
1361 } |
|
1362 } |
|
1363 |
|
1364 PyDoc_STRVAR(PySSL_SSLshutdown_doc, |
|
1365 "shutdown(s) -> socket\n\ |
|
1366 \n\ |
|
1367 Does the SSL shutdown handshake with the remote end, and returns\n\ |
|
1368 the underlying socket object."); |
|
1369 |
|
1370 static PyMethodDef PySSLMethods[] = { |
|
1371 {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS}, |
|
1372 {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS, |
|
1373 PySSL_SSLwrite_doc}, |
|
1374 {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS, |
|
1375 PySSL_SSLread_doc}, |
|
1376 {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS, |
|
1377 PySSL_SSLpending_doc}, |
|
1378 {"server", (PyCFunction)PySSL_server, METH_NOARGS}, |
|
1379 {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS}, |
|
1380 {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS, |
|
1381 PySSL_peercert_doc}, |
|
1382 {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS}, |
|
1383 {"shutdown", (PyCFunction)PySSL_SSLshutdown, METH_NOARGS, |
|
1384 PySSL_SSLshutdown_doc}, |
|
1385 {NULL, NULL} |
|
1386 }; |
|
1387 |
|
1388 static PyObject *PySSL_getattr(PySSLObject *self, char *name) |
|
1389 { |
|
1390 return Py_FindMethod(PySSLMethods, (PyObject *)self, name); |
|
1391 } |
|
1392 |
|
1393 static PyTypeObject PySSL_Type = { |
|
1394 PyVarObject_HEAD_INIT(NULL, 0) |
|
1395 "ssl.SSLContext", /*tp_name*/ |
|
1396 sizeof(PySSLObject), /*tp_basicsize*/ |
|
1397 0, /*tp_itemsize*/ |
|
1398 /* methods */ |
|
1399 (destructor)PySSL_dealloc, /*tp_dealloc*/ |
|
1400 0, /*tp_print*/ |
|
1401 (getattrfunc)PySSL_getattr, /*tp_getattr*/ |
|
1402 0, /*tp_setattr*/ |
|
1403 0, /*tp_compare*/ |
|
1404 0, /*tp_repr*/ |
|
1405 0, /*tp_as_number*/ |
|
1406 0, /*tp_as_sequence*/ |
|
1407 0, /*tp_as_mapping*/ |
|
1408 0, /*tp_hash*/ |
|
1409 }; |
|
1410 |
|
1411 #ifdef HAVE_OPENSSL_RAND |
|
1412 |
|
1413 /* helper routines for seeding the SSL PRNG */ |
|
1414 static PyObject * |
|
1415 PySSL_RAND_add(PyObject *self, PyObject *args) |
|
1416 { |
|
1417 char *buf; |
|
1418 int len; |
|
1419 double entropy; |
|
1420 |
|
1421 if (!PyArg_ParseTuple(args, "s#d:RAND_add", &buf, &len, &entropy)) |
|
1422 return NULL; |
|
1423 RAND_add(buf, len, entropy); |
|
1424 Py_INCREF(Py_None); |
|
1425 return Py_None; |
|
1426 } |
|
1427 |
|
1428 PyDoc_STRVAR(PySSL_RAND_add_doc, |
|
1429 "RAND_add(string, entropy)\n\ |
|
1430 \n\ |
|
1431 Mix string into the OpenSSL PRNG state. entropy (a float) is a lower\n\ |
|
1432 bound on the entropy contained in string. See RFC 1750."); |
|
1433 |
|
1434 static PyObject * |
|
1435 PySSL_RAND_status(PyObject *self) |
|
1436 { |
|
1437 return PyInt_FromLong(RAND_status()); |
|
1438 } |
|
1439 |
|
1440 PyDoc_STRVAR(PySSL_RAND_status_doc, |
|
1441 "RAND_status() -> 0 or 1\n\ |
|
1442 \n\ |
|
1443 Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\ |
|
1444 It is necessary to seed the PRNG with RAND_add() on some platforms before\n\ |
|
1445 using the ssl() function."); |
|
1446 |
|
1447 static PyObject * |
|
1448 PySSL_RAND_egd(PyObject *self, PyObject *arg) |
|
1449 { |
|
1450 int bytes; |
|
1451 |
|
1452 if (!PyString_Check(arg)) |
|
1453 return PyErr_Format(PyExc_TypeError, |
|
1454 "RAND_egd() expected string, found %s", |
|
1455 Py_TYPE(arg)->tp_name); |
|
1456 bytes = RAND_egd(PyString_AS_STRING(arg)); |
|
1457 if (bytes == -1) { |
|
1458 PyErr_SetString(PySSLErrorObject, |
|
1459 "EGD connection failed or EGD did not return " |
|
1460 "enough data to seed the PRNG"); |
|
1461 return NULL; |
|
1462 } |
|
1463 return PyInt_FromLong(bytes); |
|
1464 } |
|
1465 |
|
1466 PyDoc_STRVAR(PySSL_RAND_egd_doc, |
|
1467 "RAND_egd(path) -> bytes\n\ |
|
1468 \n\ |
|
1469 Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\ |
|
1470 Returns number of bytes read. Raises SSLError if connection to EGD\n\ |
|
1471 fails or if it does provide enough data to seed PRNG."); |
|
1472 |
|
1473 #endif |
|
1474 |
|
1475 /* List of functions exported by this module. */ |
|
1476 |
|
1477 static PyMethodDef PySSL_methods[] = { |
|
1478 {"sslwrap", PySSL_sslwrap, |
|
1479 METH_VARARGS, ssl_doc}, |
|
1480 {"_test_decode_cert", PySSL_test_decode_certificate, |
|
1481 METH_VARARGS}, |
|
1482 #ifdef HAVE_OPENSSL_RAND |
|
1483 {"RAND_add", PySSL_RAND_add, METH_VARARGS, |
|
1484 PySSL_RAND_add_doc}, |
|
1485 {"RAND_egd", PySSL_RAND_egd, METH_O, |
|
1486 PySSL_RAND_egd_doc}, |
|
1487 {"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS, |
|
1488 PySSL_RAND_status_doc}, |
|
1489 #endif |
|
1490 {NULL, NULL} /* Sentinel */ |
|
1491 }; |
|
1492 |
|
1493 |
|
1494 #ifdef WITH_THREAD |
|
1495 |
|
1496 /* an implementation of OpenSSL threading operations in terms |
|
1497 of the Python C thread library */ |
|
1498 |
|
1499 static PyThread_type_lock *_ssl_locks = NULL; |
|
1500 |
|
1501 static unsigned long _ssl_thread_id_function (void) { |
|
1502 return PyThread_get_thread_ident(); |
|
1503 } |
|
1504 |
|
1505 static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) { |
|
1506 /* this function is needed to perform locking on shared data |
|
1507 structures. (Note that OpenSSL uses a number of global data |
|
1508 structures that will be implicitly shared whenever multiple threads |
|
1509 use OpenSSL.) Multi-threaded applications will crash at random if |
|
1510 it is not set. |
|
1511 |
|
1512 locking_function() must be able to handle up to CRYPTO_num_locks() |
|
1513 different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and |
|
1514 releases it otherwise. |
|
1515 |
|
1516 file and line are the file number of the function setting the |
|
1517 lock. They can be useful for debugging. |
|
1518 */ |
|
1519 |
|
1520 if ((_ssl_locks == NULL) || |
|
1521 (n < 0) || ((unsigned)n >= _ssl_locks_count)) |
|
1522 return; |
|
1523 |
|
1524 if (mode & CRYPTO_LOCK) { |
|
1525 PyThread_acquire_lock(_ssl_locks[n], 1); |
|
1526 } else { |
|
1527 PyThread_release_lock(_ssl_locks[n]); |
|
1528 } |
|
1529 } |
|
1530 |
|
1531 static int _setup_ssl_threads(void) { |
|
1532 |
|
1533 unsigned int i; |
|
1534 |
|
1535 if (_ssl_locks == NULL) { |
|
1536 _ssl_locks_count = CRYPTO_num_locks(); |
|
1537 _ssl_locks = (PyThread_type_lock *) |
|
1538 malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); |
|
1539 if (_ssl_locks == NULL) |
|
1540 return 0; |
|
1541 memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count); |
|
1542 for (i = 0; i < _ssl_locks_count; i++) { |
|
1543 _ssl_locks[i] = PyThread_allocate_lock(); |
|
1544 if (_ssl_locks[i] == NULL) { |
|
1545 int j; |
|
1546 for (j = 0; j < i; j++) { |
|
1547 PyThread_free_lock(_ssl_locks[j]); |
|
1548 } |
|
1549 free(_ssl_locks); |
|
1550 return 0; |
|
1551 } |
|
1552 } |
|
1553 CRYPTO_set_locking_callback(_ssl_thread_locking_function); |
|
1554 CRYPTO_set_id_callback(_ssl_thread_id_function); |
|
1555 } |
|
1556 return 1; |
|
1557 } |
|
1558 |
|
1559 #endif /* def HAVE_THREAD */ |
|
1560 |
|
1561 PyDoc_STRVAR(module_doc, |
|
1562 "Implementation module for SSL socket operations. See the socket module\n\ |
|
1563 for documentation."); |
|
1564 |
|
1565 PyMODINIT_FUNC |
|
1566 init_ssl(void) |
|
1567 { |
|
1568 PyObject *m, *d; |
|
1569 |
|
1570 Py_TYPE(&PySSL_Type) = &PyType_Type; |
|
1571 |
|
1572 m = Py_InitModule3("_ssl", PySSL_methods, module_doc); |
|
1573 if (m == NULL) |
|
1574 return; |
|
1575 d = PyModule_GetDict(m); |
|
1576 |
|
1577 /* Load _socket module and its C API */ |
|
1578 if (PySocketModule_ImportModuleAndAPI()) |
|
1579 return; |
|
1580 |
|
1581 /* Init OpenSSL */ |
|
1582 SSL_load_error_strings(); |
|
1583 #ifdef WITH_THREAD |
|
1584 /* note that this will start threading if not already started */ |
|
1585 if (!_setup_ssl_threads()) { |
|
1586 return; |
|
1587 } |
|
1588 #endif |
|
1589 SSLeay_add_ssl_algorithms(); |
|
1590 |
|
1591 /* Add symbols to module dict */ |
|
1592 PySSLErrorObject = PyErr_NewException("ssl.SSLError", |
|
1593 PySocketModule.error, |
|
1594 NULL); |
|
1595 if (PySSLErrorObject == NULL) |
|
1596 return; |
|
1597 if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0) |
|
1598 return; |
|
1599 if (PyDict_SetItemString(d, "SSLType", |
|
1600 (PyObject *)&PySSL_Type) != 0) |
|
1601 return; |
|
1602 PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN", |
|
1603 PY_SSL_ERROR_ZERO_RETURN); |
|
1604 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ", |
|
1605 PY_SSL_ERROR_WANT_READ); |
|
1606 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE", |
|
1607 PY_SSL_ERROR_WANT_WRITE); |
|
1608 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP", |
|
1609 PY_SSL_ERROR_WANT_X509_LOOKUP); |
|
1610 PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL", |
|
1611 PY_SSL_ERROR_SYSCALL); |
|
1612 PyModule_AddIntConstant(m, "SSL_ERROR_SSL", |
|
1613 PY_SSL_ERROR_SSL); |
|
1614 PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT", |
|
1615 PY_SSL_ERROR_WANT_CONNECT); |
|
1616 /* non ssl.h errorcodes */ |
|
1617 PyModule_AddIntConstant(m, "SSL_ERROR_EOF", |
|
1618 PY_SSL_ERROR_EOF); |
|
1619 PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE", |
|
1620 PY_SSL_ERROR_INVALID_ERROR_CODE); |
|
1621 /* cert requirements */ |
|
1622 PyModule_AddIntConstant(m, "CERT_NONE", |
|
1623 PY_SSL_CERT_NONE); |
|
1624 PyModule_AddIntConstant(m, "CERT_OPTIONAL", |
|
1625 PY_SSL_CERT_OPTIONAL); |
|
1626 PyModule_AddIntConstant(m, "CERT_REQUIRED", |
|
1627 PY_SSL_CERT_REQUIRED); |
|
1628 |
|
1629 /* protocol versions */ |
|
1630 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", |
|
1631 PY_SSL_VERSION_SSL2); |
|
1632 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", |
|
1633 PY_SSL_VERSION_SSL3); |
|
1634 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", |
|
1635 PY_SSL_VERSION_SSL23); |
|
1636 PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", |
|
1637 PY_SSL_VERSION_TLS1); |
|
1638 } |