diff options
author | Jean-Paul Calderone <exarkun@divmod.com> | 2010-07-27 20:37:50 -0400 |
---|---|---|
committer | Jean-Paul Calderone <exarkun@divmod.com> | 2010-07-27 20:37:50 -0400 |
commit | 024375aeee517b3290c7d9ccdca2b264912e52f3 (patch) | |
tree | 988e1ceaa97d8755e2115bf677471f46f16a5dfc /OpenSSL/ssl/context.c | |
parent | c0c64ef48cf68198b6ecf4c9bb60d664a9376709 (diff) | |
download | pyopenssl-024375aeee517b3290c7d9ccdca2b264912e52f3.tar.gz |
Move the src directory to an OpenSSL directory so it can be a package even in a source checkout; also dump the __init__.py into it
Diffstat (limited to 'OpenSSL/ssl/context.c')
-rw-r--r-- | OpenSSL/ssl/context.c | 1312 |
1 files changed, 1312 insertions, 0 deletions
diff --git a/OpenSSL/ssl/context.c b/OpenSSL/ssl/context.c new file mode 100644 index 0000000..ebaf164 --- /dev/null +++ b/OpenSSL/ssl/context.c @@ -0,0 +1,1312 @@ +/* + * context.c + * + * Copyright (C) AB Strakt 2001, All rights reserved + * Copyright (C) Jean-Paul Calderone 2008, All rights reserved + * + * SSL Context objects and their methods. + * See the file RATIONALE for a short explanation of why this module was written. + * + * Reviewed 2001-07-23 + */ +#include <Python.h> + +#if PY_VERSION_HEX >= 0x02050000 +# define PYARG_PARSETUPLE_FORMAT const char +# define PYOBJECT_GETATTRSTRING_TYPE const char* +#else +# define PYARG_PARSETUPLE_FORMAT char +# define PYOBJECT_GETATTRSTRING_TYPE char* +#endif + +#ifndef MS_WINDOWS +# include <sys/socket.h> +# include <netinet/in.h> +# if !(defined(__BEOS__) || defined(__CYGWIN__)) +# include <netinet/tcp.h> +# endif +#else +# include <winsock.h> +# include <wincrypt.h> +#endif + +#define SSL_MODULE +#include "ssl.h" + +/* + * CALLBACKS + * + * Callbacks work like this: We provide a "global" callback in C which + * transforms the arguments into a Python argument tuple and calls the + * corresponding Python callback, and then parsing the return value back into + * things the C function can return. + * + * Three caveats: + * + How do we find the Context object where the Python callbacks are stored? + * + What about multithreading and execution frames? + * + What about Python callbacks that raise exceptions? + * + * The solution to the first issue is trivial if the callback provides + * "userdata" functionality. Since the only callbacks that don't provide + * userdata do provide a pointer to an SSL structure, we can associate an SSL + * object and a Connection one-to-one via the SSL_set/get_app_data() + * functions. + * + * The solution to the other issue is to rewrite the Py_BEGIN_ALLOW_THREADS + * macro allowing it (or rather a new macro) to specify where to save the + * thread state (in our case, as a member of the Connection/Context object) so + * we can retrieve it again before calling the Python callback. + */ + +/* + * Globally defined passphrase callback. This is called from OpenSSL + * internally. The GIL will not be held when this function is invoked. It + * must not be held when the function returns. + * + * Arguments: buf - Buffer to store the returned passphrase in + * maxlen - Maximum length of the passphrase + * verify - If true, the passphrase callback should ask for a + * password twice and verify they're equal. If false, only + * ask once. + * arg - User data, always a Context object + * Returns: The length of the password if successful, 0 otherwise + */ +static int +global_passphrase_callback(char *buf, int maxlen, int verify, void *arg) +{ + /* + * Initialize len here because we're always going to return it, and we + * might jump to the return before it gets initialized in any other way. + */ + int len = 0; + char *str; + PyObject *argv, *ret = NULL; + ssl_ContextObj *ctx = (ssl_ContextObj *)arg; + + /* + * GIL isn't held yet. First things first - acquire it, or any Python API + * we invoke might segfault or blow up the sun. The reverse will be done + * before returning. + */ + MY_END_ALLOW_THREADS(ctx->tstate); + + /* The Python callback is called with a (maxlen,verify,userdata) tuple */ + argv = Py_BuildValue("(iiO)", maxlen, verify, ctx->passphrase_userdata); + + /* + * XXX Didn't check argv to see if it was NULL. -exarkun + */ + ret = PyEval_CallObject(ctx->passphrase_callback, argv); + Py_DECREF(argv); + + if (ret == NULL) { + /* + * XXX The callback raised an exception. At the very least, it should + * be printed out here. An *actual* solution would be to raise it up + * through OpenSSL. That might be a bit tricky, but it's probably + * possible. -exarkun + */ + goto out; + } + + if (!PyObject_IsTrue(ret)) { + /* + * Returned "", or None, or something. Treat it as no passphrase. + */ + Py_DECREF(ret); + goto out; + } + + if (!PyString_Check(ret)) { + /* + * XXX Returned something that wasn't a string. This is bogus. We + * should report an error or raise an exception (again, through OpenSSL + * - tricky). -exarkun + */ + Py_DECREF(ret); + goto out; + } + + len = PyString_Size(ret); + if (len > maxlen) { + /* + * XXX Returned more than we said they were allowed to return. Report + * an error or raise an exception (tricky blah blah). -exarkun + */ + len = maxlen; + } + + str = PyString_AsString(ret); + strncpy(buf, str, len); + Py_XDECREF(ret); + + out: + /* + * This function is returning into OpenSSL. Release the GIL again. + */ + MY_BEGIN_ALLOW_THREADS(ctx->tstate); + return len; +} + +/* + * Globally defined verify callback + * + * Arguments: ok - True everything is OK "so far", false otherwise + * x509_ctx - Contains the certificate being checked, the current + * error number and depth, and the Connection we're + * dealing with + * Returns: True if everything is okay, false otherwise + */ +static int +global_verify_callback(int ok, X509_STORE_CTX *x509_ctx) +{ + PyObject *argv, *ret; + SSL *ssl; + ssl_ConnectionObj *conn; + crypto_X509Obj *cert; + int errnum, errdepth, c_ret; + + // Get Connection object to check thread state + ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx); + conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl); + + MY_END_ALLOW_THREADS(conn->tstate); + + cert = crypto_X509_New(X509_STORE_CTX_get_current_cert(x509_ctx), 0); + errnum = X509_STORE_CTX_get_error(x509_ctx); + errdepth = X509_STORE_CTX_get_error_depth(x509_ctx); + + argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert, + errnum, errdepth, ok); + Py_DECREF(cert); + ret = PyEval_CallObject(conn->context->verify_callback, argv); + Py_DECREF(argv); + + if (ret != NULL && PyObject_IsTrue(ret)) { + X509_STORE_CTX_set_error(x509_ctx, X509_V_OK); + Py_DECREF(ret); + c_ret = 1; + } else { + c_ret = 0; + } + + MY_BEGIN_ALLOW_THREADS(conn->tstate); + return c_ret; +} + +/* + * Globally defined info callback. This is called from OpenSSL internally. + * The GIL will not be held when this function is invoked. It must not be held + * when the function returns. + * + * Arguments: ssl - The Connection + * where - The part of the SSL code that called us + * _ret - The return code of the SSL function that called us + * Returns: None + */ +static void +global_info_callback(const SSL *ssl, int where, int _ret) +{ + ssl_ConnectionObj *conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl); + PyObject *argv, *ret; + + /* + * GIL isn't held yet. First things first - acquire it, or any Python API + * we invoke might segfault or blow up the sun. The reverse will be done + * before returning. + */ + MY_END_ALLOW_THREADS(conn->tstate); + + argv = Py_BuildValue("(Oii)", (PyObject *)conn, where, _ret); + ret = PyEval_CallObject(conn->context->info_callback, argv); + Py_DECREF(argv); + + if (ret == NULL) { + /* + * XXX - This should be reported somehow. -exarkun + */ + PyErr_Clear(); + } else { + Py_DECREF(ret); + } + + /* + * This function is returning into OpenSSL. Release the GIL again. + */ + MY_BEGIN_ALLOW_THREADS(conn->tstate); + return; +} + + +static char ssl_Context_doc[] = "\n\ +Context(method) -> Context instance\n\ +\n\ +OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\ +connections.\n\ +\n\ +@param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or\n\ + TLSv1_METHOD.\n\ +"; + +static char ssl_Context_load_verify_locations_doc[] = "\n\ +Let SSL know where we can find trusted certificates for the certificate\n\ +chain\n\ +\n\ +@param cafile: In which file we can find the certificates\n\ +@param capath: In which directory we can find the certificates\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_load_verify_locations(ssl_ContextObj *self, PyObject *args) { + char *cafile = NULL; + char *capath = NULL; + + if (!PyArg_ParseTuple(args, "z|z:load_verify_locations", &cafile, &capath)) { + return NULL; + } + + if (!SSL_CTX_load_verify_locations(self->ctx, cafile, capath)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_set_default_verify_paths_doc[] = "\n\ +Use the platform-specific CA certificate locations\n\ +\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_set_default_verify_paths(ssl_ContextObj *self, PyObject *args) { + if (!PyArg_ParseTuple(args, ":set_default_verify_paths")) { + return NULL; + } + + /* + * XXX Error handling for SSL_CTX_set_default_verify_paths is untested. + * -exarkun + */ + if (!SSL_CTX_set_default_verify_paths(self->ctx)) { + exception_from_error_queue(ssl_Error); + return NULL; + } + Py_INCREF(Py_None); + return Py_None; +}; + + +static char ssl_Context_set_passwd_cb_doc[] = "\n\ +Set the passphrase callback\n\ +\n\ +@param callback: The Python callback to use\n\ +@param userdata: (optional) A Python object which will be given as\n\ + argument to the callback\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_set_passwd_cb(ssl_ContextObj *self, PyObject *args) +{ + PyObject *callback = NULL, *userdata = Py_None; + + if (!PyArg_ParseTuple(args, "O|O:set_passwd_cb", &callback, &userdata)) + return NULL; + + if (!PyCallable_Check(callback)) + { + PyErr_SetString(PyExc_TypeError, "expected PyCallable"); + return NULL; + } + + Py_DECREF(self->passphrase_callback); + Py_INCREF(callback); + self->passphrase_callback = callback; + SSL_CTX_set_default_passwd_cb(self->ctx, global_passphrase_callback); + + Py_DECREF(self->passphrase_userdata); + Py_INCREF(userdata); + self->passphrase_userdata = userdata; + SSL_CTX_set_default_passwd_cb_userdata(self->ctx, (void *)self); + + Py_INCREF(Py_None); + return Py_None; +} + +static PyTypeObject * +type_modified_error(const char *name) { + PyErr_Format(PyExc_RuntimeError, + "OpenSSL.crypto's '%s' attribute has been modified", + name); + return NULL; +} + +static PyTypeObject * +import_crypto_type(const char *name, size_t objsize) { + PyObject *module, *type, *name_attr; + PyTypeObject *res; + int right_name; + + module = PyImport_ImportModule("OpenSSL.crypto"); + if (module == NULL) { + return NULL; + } + type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name); + Py_DECREF(module); + if (type == NULL) { + return NULL; + } + if (!(PyType_Check(type))) { + Py_DECREF(type); + return type_modified_error(name); + } + name_attr = PyObject_GetAttrString(type, "__name__"); + if (name_attr == NULL) { + Py_DECREF(type); + return NULL; + } + right_name = (PyString_CheckExact(name_attr) && + strcmp(name, PyString_AsString(name_attr)) == 0); + Py_DECREF(name_attr); + res = (PyTypeObject *)type; + if (!right_name || res->tp_basicsize != objsize) { + Py_DECREF(type); + return type_modified_error(name); + } + return res; +} + +static crypto_X509Obj * +parse_certificate_argument(const char* format, PyObject* args) { + static PyTypeObject *crypto_X509_type = NULL; + crypto_X509Obj *cert; + + if (!crypto_X509_type) { + crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj)); + if (!crypto_X509_type) { + return NULL; + } + } + if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format, + crypto_X509_type, &cert)) { + return NULL; + } + return cert; +} + +static char ssl_Context_add_extra_chain_cert_doc[] = "\n\ +Add certificate to chain\n\ +\n\ +@param certobj: The X509 certificate object to add to the chain\n\ +@return: None\n\ +"; + +static PyObject * +ssl_Context_add_extra_chain_cert(ssl_ContextObj *self, PyObject *args) +{ + X509* cert_original; + crypto_X509Obj *cert = parse_certificate_argument( + "O!:add_extra_chain_cert", args); + if (cert == NULL) + { + return NULL; + } + if (!(cert_original = X509_dup(cert->x509))) + { + /* exception_from_error_queue(ssl_Error); */ + PyErr_SetString(PyExc_RuntimeError, "X509_dup failed"); + return NULL; + } + if (!SSL_CTX_add_extra_chain_cert(self->ctx, cert_original)) + { + X509_free(cert_original); + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + + +static char ssl_Context_use_certificate_chain_file_doc[] = "\n\ +Load a certificate chain from a file\n\ +\n\ +@param certfile: The name of the certificate chain file\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_use_certificate_chain_file(ssl_ContextObj *self, PyObject *args) +{ + char *certfile; + + if (!PyArg_ParseTuple(args, "s:use_certificate_chain_file", &certfile)) + return NULL; + + if (!SSL_CTX_use_certificate_chain_file(self->ctx, certfile)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + + +static char ssl_Context_use_certificate_file_doc[] = "\n\ +Load a certificate from a file\n\ +\n\ +@param certfile: The name of the certificate file\n\ +@param filetype: (optional) The encoding of the file, default is PEM\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_use_certificate_file(ssl_ContextObj *self, PyObject *args) +{ + char *certfile; + int filetype = SSL_FILETYPE_PEM; + + if (!PyArg_ParseTuple(args, "s|i:use_certificate_file", &certfile, &filetype)) + return NULL; + + if (!SSL_CTX_use_certificate_file(self->ctx, certfile, filetype)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_use_certificate_doc[] = "\n\ +Load a certificate from a X509 object\n\ +\n\ +@param cert: The X509 object\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args) +{ + crypto_X509Obj *cert = parse_certificate_argument( + "O!:use_certificate", args); + if (cert == NULL) { + return NULL; + } + + if (!SSL_CTX_use_certificate(self->ctx, cert->x509)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_use_privatekey_file_doc[] = "\n\ +Load a private key from a file\n\ +\n\ +@param keyfile: The name of the key file\n\ +@param filetype: (optional) The encoding of the file, default is PEM\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_use_privatekey_file(ssl_ContextObj *self, PyObject *args) +{ + char *keyfile; + int filetype = SSL_FILETYPE_PEM, ret; + + if (!PyArg_ParseTuple(args, "s|i:use_privatekey_file", &keyfile, &filetype)) + return NULL; + + MY_BEGIN_ALLOW_THREADS(self->tstate); + ret = SSL_CTX_use_PrivateKey_file(self->ctx, keyfile, filetype); + MY_END_ALLOW_THREADS(self->tstate); + + if (PyErr_Occurred()) + { + flush_error_queue(); + return NULL; + } + + if (!ret) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_use_privatekey_doc[] = "\n\ +Load a private key from a PKey object\n\ +\n\ +@param pkey: The PKey object\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) { + static PyTypeObject *crypto_PKey_type = NULL; + crypto_PKeyObj *pkey; + + if (!crypto_PKey_type) { + crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj)); + if (!crypto_PKey_type) { + return NULL; + } + } + if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) { + return NULL; + } + + if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) { + exception_from_error_queue(ssl_Error); + return NULL; + } else { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_check_privatekey_doc[] = "\n\ +Check that the private key and certificate match up\n\ +\n\ +@return: None (raises an exception if something's wrong)\n\ +"; +static PyObject * +ssl_Context_check_privatekey(ssl_ContextObj *self, PyObject *args) +{ + if (!PyArg_ParseTuple(args, ":check_privatekey")) + return NULL; + + if (!SSL_CTX_check_private_key(self->ctx)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_load_client_ca_doc[] = "\n\ +Load the trusted certificates that will be sent to the client (basically\n\ +telling the client \"These are the guys I trust\")\n\ +\n\ +@param cafile: The name of the certificates file\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_load_client_ca(ssl_ContextObj *self, PyObject *args) +{ + char *cafile; + + if (!PyArg_ParseTuple(args, "s:load_client_ca", &cafile)) + return NULL; + + SSL_CTX_set_client_CA_list(self->ctx, SSL_load_client_CA_file(cafile)); + + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_set_session_id_doc[] = "\n\ +Set the session identifier, this is needed if you want to do session\n\ +resumption (which, ironically, isn't implemented yet)\n\ +\n\ +@param buf: A Python object that can be safely converted to a string\n\ +@returns: None\n\ +"; +static PyObject * +ssl_Context_set_session_id(ssl_ContextObj *self, PyObject *args) +{ + unsigned char *buf; + unsigned int len; + + if (!PyArg_ParseTuple(args, "s#:set_session_id", &buf, &len)) + return NULL; + + if (!SSL_CTX_set_session_id_context(self->ctx, buf, len)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_set_verify_doc[] = "\n\ +Set the verify mode and verify callback\n\ +\n\ +@param mode: The verify mode, this is either VERIFY_NONE or\n\ + VERIFY_PEER combined with possible other flags\n\ +@param callback: The Python callback to use\n\ +@return: None\n\ +\n\ +See SSL_CTX_set_verify(3SSL) for further details.\n\ +"; +static PyObject * +ssl_Context_set_verify(ssl_ContextObj *self, PyObject *args) +{ + int mode; + PyObject *callback = NULL; + + if (!PyArg_ParseTuple(args, "iO:set_verify", &mode, &callback)) + return NULL; + + if (!PyCallable_Check(callback)) + { + PyErr_SetString(PyExc_TypeError, "expected PyCallable"); + return NULL; + } + + Py_DECREF(self->verify_callback); + Py_INCREF(callback); + self->verify_callback = callback; + SSL_CTX_set_verify(self->ctx, mode, global_verify_callback); + + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_set_verify_depth_doc[] = "\n\ +Set the verify depth\n\ +\n\ +@param depth: An integer specifying the verify depth\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_set_verify_depth(ssl_ContextObj *self, PyObject *args) +{ + int depth; + + if (!PyArg_ParseTuple(args, "i:set_verify_depth", &depth)) + return NULL; + + SSL_CTX_set_verify_depth(self->ctx, depth); + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_get_verify_mode_doc[] = "\n\ +Get the verify mode\n\ +\n\ +@return: The verify mode\n\ +"; +static PyObject * +ssl_Context_get_verify_mode(ssl_ContextObj *self, PyObject *args) +{ + int mode; + + if (!PyArg_ParseTuple(args, ":get_verify_mode")) + return NULL; + + mode = SSL_CTX_get_verify_mode(self->ctx); + return PyInt_FromLong((long)mode); +} + +static char ssl_Context_get_verify_depth_doc[] = "\n\ +Get the verify depth\n\ +\n\ +@return: The verify depth\n\ +"; +static PyObject * +ssl_Context_get_verify_depth(ssl_ContextObj *self, PyObject *args) +{ + int depth; + + if (!PyArg_ParseTuple(args, ":get_verify_depth")) + return NULL; + + depth = SSL_CTX_get_verify_depth(self->ctx); + return PyInt_FromLong((long)depth); +} + +static char ssl_Context_load_tmp_dh_doc[] = "\n\ +Load parameters for Ephemeral Diffie-Hellman\n\ +\n\ +@param dhfile: The file to load EDH parameters from\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_load_tmp_dh(ssl_ContextObj *self, PyObject *args) +{ + char *dhfile; + BIO *bio; + DH *dh; + + if (!PyArg_ParseTuple(args, "s:load_tmp_dh", &dhfile)) + return NULL; + + bio = BIO_new_file(dhfile, "r"); + if (bio == NULL) + return PyErr_NoMemory(); + + dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + SSL_CTX_set_tmp_dh(self->ctx, dh); + DH_free(dh); + BIO_free(bio); + + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_set_cipher_list_doc[] = "\n\ +Change the cipher list\n\ +\n\ +@param cipher_list: A cipher list, see ciphers(1)\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_set_cipher_list(ssl_ContextObj *self, PyObject *args) +{ + char *cipher_list; + + if (!PyArg_ParseTuple(args, "s:set_cipher_list", &cipher_list)) + return NULL; + + if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list)) + { + exception_from_error_queue(ssl_Error); + return NULL; + } + else + { + Py_INCREF(Py_None); + return Py_None; + } +} + +static char ssl_Context_set_client_ca_list_doc[] = "\n\ +Set the list of preferred client certificate signers for this server context.\n\ +\n\ +This list of certificate authorities will be sent to the client when the\n\ +server requests a client certificate.\n\ +\n\ +@param certificate_authorities: a sequence of X509Names.\n\ +@return: None\n\ +"; + +static PyObject * +ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args) +{ + static PyTypeObject *X509NameType; + PyObject *sequence, *tuple, *item; + crypto_X509NameObj *name; + X509_NAME *sslname; + STACK_OF(X509_NAME) *CANames; + Py_ssize_t length; + int i; + + if (X509NameType == NULL) { + X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj)); + if (X509NameType == NULL) { + return NULL; + } + } + if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) { + return NULL; + } + tuple = PySequence_Tuple(sequence); + if (tuple == NULL) { + return NULL; + } + length = PyTuple_Size(tuple); + if (length >= INT_MAX) { + PyErr_SetString(PyExc_ValueError, "client CA list is too long"); + Py_DECREF(tuple); + return NULL; + } + CANames = sk_X509_NAME_new_null(); + if (CANames == NULL) { + Py_DECREF(tuple); + exception_from_error_queue(ssl_Error); + return NULL; + } + for (i = 0; i < length; i++) { + item = PyTuple_GetItem(tuple, i); + if (item->ob_type != X509NameType) { + PyErr_Format(PyExc_TypeError, + "client CAs must be X509Name objects, not %s objects", + item->ob_type->tp_name); + sk_X509_NAME_free(CANames); + Py_DECREF(tuple); + return NULL; + } + name = (crypto_X509NameObj *)item; + sslname = X509_NAME_dup(name->x509_name); + if (sslname == NULL) { + sk_X509_NAME_free(CANames); + Py_DECREF(tuple); + exception_from_error_queue(ssl_Error); + return NULL; + } + if (!sk_X509_NAME_push(CANames, sslname)) { + X509_NAME_free(sslname); + sk_X509_NAME_free(CANames); + Py_DECREF(tuple); + exception_from_error_queue(ssl_Error); + return NULL; + } + } + Py_DECREF(tuple); + SSL_CTX_set_client_CA_list(self->ctx, CANames); + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_add_client_ca_doc[] = "\n\ +Add the CA certificate to the list of preferred signers for this context.\n\ +\n\ +The list of certificate authorities will be sent to the client when the\n\ +server requests a client certificate.\n\ +\n\ +@param certificate_authority: certificate authority's X509 certificate.\n\ +@return: None\n\ +"; + +static PyObject * +ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args) +{ + crypto_X509Obj *cert; + + cert = parse_certificate_argument("O!:add_client_ca", args); + if (cert == NULL) { + return NULL; + } + if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) { + exception_from_error_queue(ssl_Error); + return NULL; + } + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_set_timeout_doc[] = "\n\ +Set session timeout\n\ +\n\ +@param timeout: The timeout in seconds\n\ +@return: The previous session timeout\n\ +"; +static PyObject * +ssl_Context_set_timeout(ssl_ContextObj *self, PyObject *args) +{ + long t, ret; + + if (!PyArg_ParseTuple(args, "l:set_timeout", &t)) + return NULL; + + ret = SSL_CTX_set_timeout(self->ctx, t); + return PyLong_FromLong(ret); +} + +static char ssl_Context_get_timeout_doc[] = "\n\ +Get the session timeout\n\ +\n\ +@return: The session timeout\n\ +"; +static PyObject * +ssl_Context_get_timeout(ssl_ContextObj *self, PyObject *args) +{ + long ret; + + if (!PyArg_ParseTuple(args, ":get_timeout")) + return NULL; + + ret = SSL_CTX_get_timeout(self->ctx); + return PyLong_FromLong(ret); +} + +static char ssl_Context_set_info_callback_doc[] = "\n\ +Set the info callback\n\ +\n\ +@param callback: The Python callback to use\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_set_info_callback(ssl_ContextObj *self, PyObject *args) +{ + PyObject *callback; + + if (!PyArg_ParseTuple(args, "O:set_info_callback", &callback)) + return NULL; + + if (!PyCallable_Check(callback)) + { + PyErr_SetString(PyExc_TypeError, "expected PyCallable"); + return NULL; + } + + Py_DECREF(self->info_callback); + Py_INCREF(callback); + self->info_callback = callback; + SSL_CTX_set_info_callback(self->ctx, global_info_callback); + + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_get_app_data_doc[] = "\n\ +Get the application data (supplied via set_app_data())\n\ +\n\ +@return: The application data\n\ +"; +static PyObject * +ssl_Context_get_app_data(ssl_ContextObj *self, PyObject *args) +{ + if (!PyArg_ParseTuple(args, ":get_app_data")) + return NULL; + + Py_INCREF(self->app_data); + return self->app_data; +} + +static char ssl_Context_set_app_data_doc[] = "\n\ +Set the application data (will be returned from get_app_data())\n\ +\n\ +@param data: Any Python object\n\ +@return: None\n\ +"; +static PyObject * +ssl_Context_set_app_data(ssl_ContextObj *self, PyObject *args) +{ + PyObject *data; + + if (!PyArg_ParseTuple(args, "O:set_app_data", &data)) + return NULL; + + Py_DECREF(self->app_data); + Py_INCREF(data); + self->app_data = data; + + Py_INCREF(Py_None); + return Py_None; +} + +static char ssl_Context_get_cert_store_doc[] = "\n\ +Get the certificate store for the context\n\ +\n\ +@return: A X509Store object\n\ +"; +static PyObject * +ssl_Context_get_cert_store(ssl_ContextObj *self, PyObject *args) +{ + X509_STORE *store; + + if (!PyArg_ParseTuple(args, ":get_cert_store")) + return NULL; + + if ((store = SSL_CTX_get_cert_store(self->ctx)) == NULL) + { + Py_INCREF(Py_None); + return Py_None; + } + else + { + return (PyObject *)crypto_X509Store_New(store, 0); + } +} + +static char ssl_Context_set_options_doc[] = "\n\ +Add options. Options set before are not cleared!\n\ +\n\ +@param options: The options to add.\n\ +@return: The new option bitmask.\n\ +"; +static PyObject * +ssl_Context_set_options(ssl_ContextObj *self, PyObject *args) +{ + long options; + + if (!PyArg_ParseTuple(args, "l:set_options", &options)) + return NULL; + + return PyInt_FromLong(SSL_CTX_set_options(self->ctx, options)); +} + + +/* + * Member methods in the Context object + * ADD_METHOD(name) expands to a correct PyMethodDef declaration + * { 'name', (PyCFunction)ssl_Context_name, METH_VARARGS } + * for convenience + * ADD_ALIAS(name,real) creates an "alias" of the ssl_Context_real + * function with the name 'name' + */ +#define ADD_METHOD(name) { #name, (PyCFunction)ssl_Context_##name, METH_VARARGS, ssl_Context_##name##_doc } +static PyMethodDef ssl_Context_methods[] = { + ADD_METHOD(load_verify_locations), + ADD_METHOD(set_passwd_cb), + ADD_METHOD(set_default_verify_paths), + ADD_METHOD(use_certificate_chain_file), + ADD_METHOD(use_certificate_file), + ADD_METHOD(use_certificate), + ADD_METHOD(add_extra_chain_cert), + ADD_METHOD(use_privatekey_file), + ADD_METHOD(use_privatekey), + ADD_METHOD(check_privatekey), + ADD_METHOD(load_client_ca), + ADD_METHOD(set_session_id), + ADD_METHOD(set_verify), + ADD_METHOD(set_verify_depth), + ADD_METHOD(get_verify_mode), + ADD_METHOD(get_verify_depth), + ADD_METHOD(load_tmp_dh), + ADD_METHOD(set_cipher_list), + ADD_METHOD(set_client_ca_list), + ADD_METHOD(add_client_ca), + ADD_METHOD(set_timeout), + ADD_METHOD(get_timeout), + ADD_METHOD(set_info_callback), + ADD_METHOD(get_app_data), + ADD_METHOD(set_app_data), + ADD_METHOD(get_cert_store), + ADD_METHOD(set_options), + { NULL, NULL } +}; +#undef ADD_METHOD + +/* + * Despite the name which might suggest otherwise, this is not the tp_init for + * the Context type. It's just the common initialization code shared by the + * two _{Nn}ew functions below. + */ +static ssl_ContextObj* +ssl_Context_init(ssl_ContextObj *self, int i_method) { + SSL_METHOD *method; + + switch (i_method) { + case ssl_SSLv2_METHOD: + method = SSLv2_method(); + break; + case ssl_SSLv23_METHOD: + method = SSLv23_method(); + break; + case ssl_SSLv3_METHOD: + method = SSLv3_method(); + break; + case ssl_TLSv1_METHOD: + method = TLSv1_method(); + break; + default: + PyErr_SetString(PyExc_ValueError, "No such protocol"); + return NULL; + } + + self->ctx = SSL_CTX_new(method); + Py_INCREF(Py_None); + self->passphrase_callback = Py_None; + Py_INCREF(Py_None); + self->verify_callback = Py_None; + Py_INCREF(Py_None); + self->info_callback = Py_None; + + Py_INCREF(Py_None); + self->passphrase_userdata = Py_None; + + Py_INCREF(Py_None); + self->app_data = Py_None; + + /* Some initialization that's required to operate smoothly in Python */ + SSL_CTX_set_app_data(self->ctx, self); + SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_AUTO_RETRY); + + self->tstate = NULL; + + return self; +} + +/* + * This one is exposed in the CObject API. I want to deprecate it. + */ +ssl_ContextObj* +ssl_Context_New(int i_method) { + ssl_ContextObj *self; + + self = PyObject_GC_New(ssl_ContextObj, &ssl_Context_Type); + if (self == NULL) { + return (ssl_ContextObj *)PyErr_NoMemory(); + } + self = ssl_Context_init(self, i_method); + PyObject_GC_Track((PyObject *)self); + return self; +} + + +/* + * This one is the tp_new of the Context type. It's great. + */ +static PyObject* +ssl_Context_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) { + int i_method; + ssl_ContextObj *self; + static char *kwlist[] = {"method", NULL}; + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "i:Context", kwlist, &i_method)) { + return NULL; + } + + self = (ssl_ContextObj *)subtype->tp_alloc(subtype, 1); + if (self == NULL) { + return NULL; + } + + return (PyObject *)ssl_Context_init(self, i_method); +} + +/* + * Call the visitproc on all contained objects. + * + * Arguments: self - The Context object + * visit - Function to call + * arg - Extra argument to visit + * Returns: 0 if all goes well, otherwise the return code from the first + * call that gave non-zero result. + */ +static int +ssl_Context_traverse(ssl_ContextObj *self, visitproc visit, void *arg) +{ + int ret = 0; + + if (ret == 0 && self->passphrase_callback != NULL) + ret = visit((PyObject *)self->passphrase_callback, arg); + if (ret == 0 && self->passphrase_userdata != NULL) + ret = visit((PyObject *)self->passphrase_userdata, arg); + if (ret == 0 && self->verify_callback != NULL) + ret = visit((PyObject *)self->verify_callback, arg); + if (ret == 0 && self->info_callback != NULL) + ret = visit((PyObject *)self->info_callback, arg); + if (ret == 0 && self->app_data != NULL) + ret = visit(self->app_data, arg); + return ret; +} + +/* + * Decref all contained objects and zero the pointers. + * + * Arguments: self - The Context object + * Returns: Always 0. + */ +static int +ssl_Context_clear(ssl_ContextObj *self) +{ + Py_XDECREF(self->passphrase_callback); + self->passphrase_callback = NULL; + Py_XDECREF(self->passphrase_userdata); + self->passphrase_userdata = NULL; + Py_XDECREF(self->verify_callback); + self->verify_callback = NULL; + Py_XDECREF(self->info_callback); + self->info_callback = NULL; + Py_XDECREF(self->app_data); + self->app_data = NULL; + return 0; +} + +/* + * Deallocate the memory used by the Context object + * + * Arguments: self - The Context object + * Returns: None + */ +static void +ssl_Context_dealloc(ssl_ContextObj *self) +{ + PyObject_GC_UnTrack((PyObject *)self); + SSL_CTX_free(self->ctx); + ssl_Context_clear(self); + PyObject_GC_Del(self); +} + + +PyTypeObject ssl_Context_Type = { + PyObject_HEAD_INIT(NULL) + 0, + "OpenSSL.SSL.Context", + sizeof(ssl_ContextObj), + 0, + (destructor)ssl_Context_dealloc, /* tp_dealloc */ + NULL, /* print */ + NULL, /* tp_getattr */ + NULL, /* setattr */ + NULL, /* compare */ + NULL, /* repr */ + NULL, /* as_number */ + NULL, /* as_sequence */ + NULL, /* as_mapping */ + NULL, /* hash */ + NULL, /* call */ + NULL, /* str */ + NULL, /* getattro */ + NULL, /* setattro */ + NULL, /* as_buffer */ + Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC | Py_TPFLAGS_BASETYPE, /* tp_flags */ + ssl_Context_doc, /* tp_doc */ + (traverseproc)ssl_Context_traverse, /* tp_traverse */ + (inquiry)ssl_Context_clear, /* tp_clear */ + NULL, /* tp_richcompare */ + 0, /* tp_weaklistoffset */ + NULL, /* tp_iter */ + NULL, /* tp_iternext */ + ssl_Context_methods, /* tp_methods */ + NULL, /* tp_members */ + NULL, /* tp_getset */ + NULL, /* tp_base */ + NULL, /* tp_dict */ + NULL, /* tp_descr_get */ + NULL, /* tp_descr_set */ + 0, /* tp_dictoffset */ + NULL, /* tp_init */ + NULL, /* tp_alloc */ + ssl_Context_new, /* tp_new */ +}; + + +/* + * Initialize the Context part of the SSL sub module + * + * Arguments: dict - The OpenSSL.SSL module + * Returns: 1 for success, 0 otherwise + */ +int +init_ssl_context(PyObject *module) { + + if (PyType_Ready(&ssl_Context_Type) < 0) { + return 0; + } + + if (PyModule_AddObject(module, "Context", (PyObject *)&ssl_Context_Type) < 0) { + return 0; + } + + if (PyModule_AddObject(module, "ContextType", (PyObject *)&ssl_Context_Type) < 0) { + return 0; + } + + return 1; +} + |