Lines Matching +full:enable +full:- +full:weak +full:- +full:ssl +full:- +full:ciphers
1 /* SSL socket module
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4 Re-worked a bit by Bill Janssen to add server-side support and
5 certificate decoding. Chris Stawarz contributed some non-blocking
8 This module is imported by ssl.py. It should *not* be used
60 #include "openssl/ssl.h"
67 # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
87 * Don't be fooled - this is horribly ugly code. The only reasonable
96 /* If ucrtbase.dll is not loaded but the SSL DLLs are, we likely in _PySSLFixErrno()
140 #define INVALID_SOCKET (-1)
143 /* OpenSSL 1.1 does not have SSL 2.0 */
161 * ECDH+*: enable ephemeral elliptic curve Diffie-Hellman
162 * DHE+*: fallback to ephemeral finite field Diffie-Hellman
164 * !aNULL:!eNULL: really no NULL ciphers
166 * !SHA1: no weak SHA1 MAC
169 * Based on Hynek's excellent blog post (update 2021-02-11)
170 * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
185 /* these mirror ssl.h */
194 /* start of non ssl.h errorcodes */
223 PY_PROTO_MINIMUM_SUPPORTED = -2,
233 PY_PROTO_MAXIMUM_SUPPORTED = -1,
268 /* SSL socket object */
273 /* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
274 * older SSL, but let's be safe */
301 int ssl; /* last seen error from SSL */ member
311 SSL *ssl; member
312 PySSLContext *ctx; /* weakref to SSL context */
318 /* Some SSL callbacks don't have error reporting. Callback wrappers
339 static inline _PySSLError _PySSL_errno(int failed, const SSL *ssl, int retcode) in _PySSL_errno() argument
348 err.ssl = SSL_get_error(ssl, retcode); in _PySSL_errno()
355 class _ssl._SSLContext "PySSLContext *" "get_state_type(type)->PySSLContext_Type"
356 class _ssl._SSLSocket "PySSLSocket *" "get_state_type(type)->PySSLSocket_Type"
357 class _ssl.MemoryBIO "PySSLMemoryBIO *" "get_state_type(type)->PySSLMemoryBIO_Type"
358 class _ssl.SSLSession "PySSLSession *" "get_state_type(type)->PySSLSession_Type"
383 #define GET_SOCKET(obj) ((obj)->Socket ? \
384 (PySocketSockObject *) PyWeakref_GetObject((obj)->Socket) : NULL)
388 ((sock != NULL) ? (sock)->sock_timeout : 0)
393 * SSL errors.
397 "An error occurred in the SSL implementation.");
403 "SSL/TLS session closed cleanly.");
406 "Non-blocking SSL socket needs to read more data\n"
410 "Non-blocking SSL socket needs to write more data\n"
414 "System error when attempting SSL operation.");
417 "SSL/TLS connection terminated abruptly.");
422 if (self->strerror != NULL && PyUnicode_Check(self->strerror)) { in SSLError_str()
423 Py_INCREF(self->strerror); in SSLError_str()
424 return self->strerror; in SSLError_str()
427 return PyObject_Str(self->args); in SSLError_str()
437 .name = "ssl.SSLError",
464 reason_obj = PyDict_GetItemWithError(state->err_codes_to_names, key); in fill_and_set_sslerror()
472 lib_obj = PyDict_GetItemWithError(state->lib_codes_to_names, key); in fill_and_set_sslerror()
484 if ((sslsock != NULL) && (type == state->PySSLCertVerificationErrorObject)) { in fill_and_set_sslerror()
488 verify_code = SSL_get_verify_result(sslsock->ssl); in fill_and_set_sslerror()
498 sslsock->server_hostname in fill_and_set_sslerror()
504 sslsock->server_hostname in fill_and_set_sslerror()
556 if ((sslsock != NULL) && (type == state->PySSLCertVerificationErrorObject)) { in fill_and_set_sslerror()
574 if (sslsock->exc_type == NULL) in PySSL_ChainExceptions()
577 _PyErr_ChainExceptions(sslsock->exc_type, sslsock->exc_value, sslsock->exc_tb); in PySSL_ChainExceptions()
578 sslsock->exc_type = NULL; in PySSL_ChainExceptions()
579 sslsock->exc_value = NULL; in PySSL_ChainExceptions()
580 sslsock->exc_tb = NULL; in PySSL_ChainExceptions()
581 return -1; in PySSL_ChainExceptions()
596 type = state->PySSLErrorObject; in PySSL_SetError()
601 if (sslsock->ssl != NULL) { in PySSL_SetError()
602 err = sslsock->err; in PySSL_SetError()
604 switch (err.ssl) { in PySSL_SetError()
606 errstr = "TLS/SSL connection has been closed (EOF)"; in PySSL_SetError()
607 type = state->PySSLZeroReturnErrorObject; in PySSL_SetError()
612 type = state->PySSLWantReadErrorObject; in PySSL_SetError()
617 type = state->PySSLWantWriteErrorObject; in PySSL_SetError()
634 type = state->PySSLEOFErrorObject; in PySSL_SetError()
636 } else if (s && ret == -1) { in PySSL_SetError()
650 type = state->PySSLEOFErrorObject; in PySSL_SetError()
655 type = state->PySSLSyscallErrorObject; in PySSL_SetError()
668 errstr = "A failure in the SSL library occurred"; in PySSL_SetError()
672 type = state->PySSLCertVerificationErrorObject; in PySSL_SetError()
694 fill_and_set_sslerror(state, NULL, state->PySSLErrorObject, errcode, errstr, lineno, errcode); in _setSSLError()
707 if (_ssl_deprecated((name), (stacklevel)) == -1) return (ret)
710 * SSL objects
716 int retval = -1; in _ssl_configure_hostname()
725 * matched by a certificate valid for any sub-domain of name. in _ssl_configure_hostname()
746 self->server_hostname = hostname; in _ssl_configure_hostname()
748 /* Only send SNI extension for non-IP hostnames */ in _ssl_configure_hostname()
750 if (!SSL_set_tlsext_host_name(self->ssl, server_hostname)) { in _ssl_configure_hostname()
755 if (self->ctx->check_hostname) { in _ssl_configure_hostname()
756 X509_VERIFY_PARAM *param = SSL_get0_param(self->ssl); in _ssl_configure_hostname()
787 SSL_CTX *ctx = sslctx->ctx; in newPySSLSocket()
791 (sslctx->protocol == PY_SSL_VERSION_TLS_CLIENT)) { in newPySSLSocket()
798 (sslctx->protocol == PY_SSL_VERSION_TLS_SERVER)) { in newPySSLSocket()
806 get_state_ctx(sslctx)->PySSLSocket_Type); in newPySSLSocket()
810 self->ssl = NULL; in newPySSLSocket()
811 self->Socket = NULL; in newPySSLSocket()
812 self->ctx = sslctx; in newPySSLSocket()
814 self->shutdown_seen_zero = 0; in newPySSLSocket()
815 self->owner = NULL; in newPySSLSocket()
816 self->server_hostname = NULL; in newPySSLSocket()
817 self->err = err; in newPySSLSocket()
818 self->exc_type = NULL; in newPySSLSocket()
819 self->exc_value = NULL; in newPySSLSocket()
820 self->exc_tb = NULL; in newPySSLSocket()
822 /* Make sure the SSL error state is initialized */ in newPySSLSocket()
826 self->ssl = SSL_new(ctx); in newPySSLSocket()
828 if (self->ssl == NULL) { in newPySSLSocket()
835 X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl); in newPySSLSocket()
836 X509_VERIFY_PARAM_set_hostflags(ssl_params, sslctx->hostflags); in newPySSLSocket()
838 SSL_set_app_data(self->ssl, self); in newPySSLSocket()
840 SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int)); in newPySSLSocket()
845 BIO_up_ref(inbio->bio); in newPySSLSocket()
846 BIO_up_ref(outbio->bio); in newPySSLSocket()
847 SSL_set_bio(self->ssl, inbio->bio, outbio->bio); in newPySSLSocket()
849 SSL_set_mode(self->ssl, in newPySSLSocket()
853 if (sslctx->post_handshake_auth == 1) { in newPySSLSocket()
855 /* bpo-37428: OpenSSL does not ignore SSL_VERIFY_POST_HANDSHAKE. in newPySSLSocket()
858 int mode = SSL_get_verify_mode(self->ssl); in newPySSLSocket()
861 verify_cb = SSL_get_verify_callback(self->ssl); in newPySSLSocket()
863 SSL_set_verify(self->ssl, mode, verify_cb); in newPySSLSocket()
867 SSL_set_post_handshake_auth(self->ssl, 1); in newPySSLSocket()
878 /* If the socket is in non-blocking mode or timeout mode, set the BIO in newPySSLSocket()
879 * to non-blocking mode (blocking is the default) in newPySSLSocket()
881 if (sock && sock->sock_timeout >= 0) { in newPySSLSocket()
882 BIO_set_nbio(SSL_get_rbio(self->ssl), 1); in newPySSLSocket()
883 BIO_set_nbio(SSL_get_wbio(self->ssl), 1); in newPySSLSocket()
888 SSL_set_connect_state(self->ssl); in newPySSLSocket()
890 SSL_set_accept_state(self->ssl); in newPySSLSocket()
893 self->socket_type = socket_type; in newPySSLSocket()
895 self->Socket = PyWeakref_NewRef((PyObject *) sock, NULL); in newPySSLSocket()
896 if (self->Socket == NULL) { in newPySSLSocket()
902 if (PySSL_set_owner(self, owner, NULL) == -1) { in newPySSLSocket()
908 if (PySSL_set_session(self, session, NULL) == -1) { in newPySSLSocket()
918 /* SSL object methods */
945 nonblocking = (sock->sock_timeout >= 0); in _ssl__SSLSocket_do_handshake_impl()
946 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); in _ssl__SSLSocket_do_handshake_impl()
947 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); in _ssl__SSLSocket_do_handshake_impl()
955 /* Actually negotiate SSL connection */ in _ssl__SSLSocket_do_handshake_impl()
959 ret = SSL_do_handshake(self->ssl); in _ssl__SSLSocket_do_handshake_impl()
960 err = _PySSL_errno(ret < 1, self->ssl, ret); in _ssl__SSLSocket_do_handshake_impl()
962 self->err = err; in _ssl__SSLSocket_do_handshake_impl()
968 timeout = deadline - _PyTime_GetMonotonicClock(); in _ssl__SSLSocket_do_handshake_impl()
970 if (err.ssl == SSL_ERROR_WANT_READ) { in _ssl__SSLSocket_do_handshake_impl()
972 } else if (err.ssl == SSL_ERROR_WANT_WRITE) { in _ssl__SSLSocket_do_handshake_impl()
983 PyErr_SetString(get_state_sock(self)->PySSLErrorObject, in _ssl__SSLSocket_do_handshake_impl()
987 PyErr_SetString(get_state_sock(self)->PySSLErrorObject, in _ssl__SSLSocket_do_handshake_impl()
993 } while (err.ssl == SSL_ERROR_WANT_READ || in _ssl__SSLSocket_do_handshake_impl()
994 err.ssl == SSL_ERROR_WANT_WRITE); in _ssl__SSLSocket_do_handshake_impl()
1021 if (buflen > X509_NAME_MAXLEN - 1) { in _asn1obj2py()
1081 int rdn_level = -1; in _create_tuple_for_X509_NAME()
1087 /* now create another tuple to hold the top-level RDN */ in _create_tuple_for_X509_NAME()
1125 entry->set, in _create_tuple_for_X509_NAME()
1193 PyErr_SetString(state->PySSLErrorObject, "failed to allocate BIO"); in _get_peer_alt_names()
1212 gntype = name->type; in _get_peer_alt_names()
1215 /* we special-case DirName as a tuple of in _get_peer_alt_names()
1230 v = _create_tuple_for_X509_NAME(state, name->d.dirn); in _get_peer_alt_names()
1242 correctly, CVE-2013-4238 */ in _get_peer_alt_names()
1249 as = name->d.rfc822Name; in _get_peer_alt_names()
1253 as = name->d.dNSName; in _get_peer_alt_names()
1257 as = name->d.uniformResourceIdentifier; in _get_peer_alt_names()
1286 len = i2t_ASN1_OBJECT(buf, sizeof(buf)-1, name->d.rid); in _get_peer_alt_names()
1318 if (name->d.ip->length == 4) { in _get_peer_alt_names()
1319 unsigned char *p = name->d.ip->data; in _get_peer_alt_names()
1324 } else if (name->d.ip->length == 16) { in _get_peer_alt_names()
1326 unsigned char *p = name->d.ip->data; in _get_peer_alt_names()
1363 gntype) == -1) { in _get_peer_alt_names()
1370 len = BIO_gets(biobuf, buf, sizeof(buf)-1); in _get_peer_alt_names()
1385 v = PyUnicode_FromStringAndSize(buf, (vptr - buf)); in _get_peer_alt_names()
1392 (len - (vptr - buf + 1))); in _get_peer_alt_names()
1454 if ((OBJ_obj2nid(ad->method) != nid) || in _get_aia_uri()
1455 (ad->location->type != GEN_URI)) { in _get_aia_uri()
1458 uri = ad->location->d.uniformResourceIdentifier; in _get_aia_uri()
1459 ostr = PyUnicode_FromStringAndSize((char *)uri->data, in _get_aia_uri()
1460 uri->length); in _get_aia_uri()
1509 if (dp->distpoint == NULL) { in _get_crl_dp()
1510 /* Ignore empty DP value, CVE-2019-5010 */ in _get_crl_dp()
1513 gns = dp->distpoint->name.fullname; in _get_crl_dp()
1522 if (gn->type != GEN_URI) { in _get_crl_dp()
1525 uri = gn->d.uniformResourceIdentifier; in _get_crl_dp()
1526 ouri = PyUnicode_FromStringAndSize((char *)uri->data, in _get_crl_dp()
1527 uri->length); in _get_crl_dp()
1602 PyErr_SetString(state->PySSLErrorObject, "failed to allocate BIO"); in _decode_certificate()
1610 len = BIO_gets(biobuf, buf, sizeof(buf)-1); in _decode_certificate()
1627 len = BIO_gets(biobuf, buf, sizeof(buf)-1); in _decode_certificate()
1644 len = BIO_gets(biobuf, buf, sizeof(buf)-1); in _decode_certificate()
1757 PyErr_SetString(state->PySSLErrorObject, in _ssl__test_decode_cert_impl()
1763 PyErr_SetString(state->PySSLErrorObject, in _ssl__test_decode_cert_impl()
1770 PyErr_SetString(state->PySSLErrorObject, in _ssl__test_decode_cert_impl()
1771 "Error decoding PEM-encoded file"); in _ssl__test_decode_cert_impl()
1796 If the optional argument is True, returns a DER-encoded copy of the
1809 if (!SSL_is_init_finished(self->ssl)) { in _ssl__SSLSocket_getpeercert_impl()
1814 peer_cert = SSL_get_peer_certificate(self->ssl); in _ssl__SSLSocket_getpeercert_impl()
1819 /* return cert in DER-encoded format */ in _ssl__SSLSocket_getpeercert_impl()
1822 verification = SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(self->ssl)); in _ssl__SSLSocket_getpeercert_impl()
1842 STACK_OF(X509) *chain = SSL_get0_verified_chain(self->ssl); in _ssl__SSLSocket_get_verified_chain_impl()
1846 return _PySSL_CertificateFromX509Stack(self->ctx->state, chain, 1); in _ssl__SSLSocket_get_verified_chain_impl()
1860 /* TODO: include SSL_get_peer_certificate() for server-side sockets */ in _ssl__SSLSocket_get_unverified_chain_impl()
1861 STACK_OF(X509) *chain = SSL_get_peer_cert_chain(self->ssl); in _ssl__SSLSocket_get_unverified_chain_impl()
1865 retval = _PySSL_CertificateFromX509Stack(self->ctx->state, chain, 1); in _ssl__SSLSocket_get_unverified_chain_impl()
1870 if (self->socket_type == PY_SSL_SERVER) { in _ssl__SSLSocket_get_unverified_chain_impl()
1872 X509 *peer = SSL_get_peer_certificate(self->ssl); in _ssl__SSLSocket_get_unverified_chain_impl()
1879 peerobj = _PySSL_CertificateFromX509(self->ctx->state, peer, 0); in _ssl__SSLSocket_get_unverified_chain_impl()
1953 SSL_CIPHER_description(cipher, buf, sizeof(buf) - 1); in cipher_to_dict()
1956 if (len > 1 && buf[len-1] == '\n') in cipher_to_dict()
1957 buf[len-1] = '\0'; in cipher_to_dict()
1996 STACK_OF(SSL_CIPHER) *ciphers; in _ssl__SSLSocket_shared_ciphers_impl()
2000 ciphers = SSL_get_ciphers(self->ssl); in _ssl__SSLSocket_shared_ciphers_impl()
2001 if (!ciphers) in _ssl__SSLSocket_shared_ciphers_impl()
2003 res = PyList_New(sk_SSL_CIPHER_num(ciphers)); in _ssl__SSLSocket_shared_ciphers_impl()
2006 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { in _ssl__SSLSocket_shared_ciphers_impl()
2007 PyObject *tup = cipher_to_tuple(sk_SSL_CIPHER_value(ciphers, i)); in _ssl__SSLSocket_shared_ciphers_impl()
2027 if (self->ssl == NULL) in _ssl__SSLSocket_cipher_impl()
2029 current = SSL_get_current_cipher(self->ssl); in _ssl__SSLSocket_cipher_impl()
2045 if (self->ssl == NULL) in _ssl__SSLSocket_version_impl()
2047 if (!SSL_is_init_finished(self->ssl)) { in _ssl__SSLSocket_version_impl()
2051 version = SSL_get_version(self->ssl); in _ssl__SSLSocket_version_impl()
2068 SSL_get0_alpn_selected(self->ssl, &out, &outlen); in _ssl__SSLSocket_selected_alpn_protocol_impl()
2089 if (self->ssl == NULL) in _ssl__SSLSocket_compression_impl()
2091 comp_method = SSL_get_current_compression(self->ssl); in _ssl__SSLSocket_compression_impl()
2102 Py_INCREF(self->ctx); in PySSL_get_context()
2103 return self->ctx; in PySSL_get_context()
2109 if (PyObject_TypeCheck(value, self->ctx->state->PySSLContext_Type)) { in PySSL_set_context()
2111 Py_SETREF(self->ctx, (PySSLContext *)value); in PySSL_set_context()
2112 SSL_set_SSL_CTX(self->ssl, self->ctx->ctx); in PySSL_set_context()
2113 /* Set SSL* internal msg_callback to state of new context's state */ in PySSL_set_context()
2115 self->ssl, in PySSL_set_context()
2116 self->ctx->msg_cb ? _PySSL_msg_callback : NULL in PySSL_set_context()
2120 return -1; in PySSL_set_context()
2138 return PyBool_FromLong(self->socket_type == PY_SSL_SERVER); in PySSL_get_server_side()
2142 "Whether this is a server-side socket.");
2147 if (self->server_hostname == NULL) in PySSL_get_server_hostname()
2149 Py_INCREF(self->server_hostname); in PySSL_get_server_hostname()
2150 return self->server_hostname; in PySSL_get_server_hostname()
2161 if (self->owner == NULL) in PySSL_get_owner()
2164 owner = PyWeakref_GetObject(self->owner); in PySSL_get_owner()
2172 Py_XSETREF(self->owner, PyWeakref_NewRef(value, NULL)); in PySSL_set_owner()
2173 if (self->owner == NULL) in PySSL_set_owner()
2174 return -1; in PySSL_set_owner()
2179 "The Python-level owner of this object.\
2185 Py_VISIT(self->exc_type); in PySSL_traverse()
2186 Py_VISIT(self->exc_value); in PySSL_traverse()
2187 Py_VISIT(self->exc_tb); in PySSL_traverse()
2195 Py_CLEAR(self->exc_type); in PySSL_clear()
2196 Py_CLEAR(self->exc_value); in PySSL_clear()
2197 Py_CLEAR(self->exc_tb); in PySSL_clear()
2206 if (self->ssl) { in PySSL_dealloc()
2207 SSL_free(self->ssl); in PySSL_dealloc()
2209 Py_XDECREF(self->Socket); in PySSL_dealloc()
2210 Py_XDECREF(self->ctx); in PySSL_dealloc()
2211 Py_XDECREF(self->server_hostname); in PySSL_dealloc()
2212 Py_XDECREF(self->owner); in PySSL_dealloc()
2235 /* Nothing to do unless we're in timeout mode (not non-blocking) */ in PySSL_select()
2239 if (s->sock_timeout > 0) in PySSL_select()
2246 if (s->sock_fd == INVALID_SOCKET) in PySSL_select()
2252 pollfd.fd = s->sock_fd; in PySSL_select()
2264 if (!_PyIsSelectable_fd(s->sock_fd)) in PySSL_select()
2270 FD_SET(s->sock_fd, &fds); in PySSL_select()
2274 nfds = Py_SAFE_DOWNCAST(s->sock_fd+1, SOCKET_T, int); in PySSL_select()
2292 Writes the bytes-like object b into the SSL object.
2322 nonblocking = (sock->sock_timeout >= 0); in _ssl__SSLSocket_write_impl()
2323 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); in _ssl__SSLSocket_write_impl()
2324 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); in _ssl__SSLSocket_write_impl()
2338 PyErr_SetString(get_state_sock(self)->PySSLErrorObject, in _ssl__SSLSocket_write_impl()
2342 PyErr_SetString(get_state_sock(self)->PySSLErrorObject, in _ssl__SSLSocket_write_impl()
2349 retval = SSL_write_ex(self->ssl, b->buf, (size_t)b->len, &count); in _ssl__SSLSocket_write_impl()
2350 err = _PySSL_errno(retval == 0, self->ssl, retval); in _ssl__SSLSocket_write_impl()
2352 self->err = err; in _ssl__SSLSocket_write_impl()
2358 timeout = deadline - _PyTime_GetMonotonicClock(); in _ssl__SSLSocket_write_impl()
2360 if (err.ssl == SSL_ERROR_WANT_READ) { in _ssl__SSLSocket_write_impl()
2362 } else if (err.ssl == SSL_ERROR_WANT_WRITE) { in _ssl__SSLSocket_write_impl()
2373 PyErr_SetString(get_state_sock(self)->PySSLErrorObject, in _ssl__SSLSocket_write_impl()
2379 } while (err.ssl == SSL_ERROR_WANT_READ || in _ssl__SSLSocket_write_impl()
2380 err.ssl == SSL_ERROR_WANT_WRITE); in _ssl__SSLSocket_write_impl()
2408 count = SSL_pending(self->ssl); in _ssl__SSLSocket_pending_impl()
2409 err = _PySSL_errno(count < 0, self->ssl, count); in _ssl__SSLSocket_pending_impl()
2411 self->err = err; in _ssl__SSLSocket_pending_impl()
2427 Read up to size bytes from the SSL socket.
2472 mem = buffer->buf; in _ssl__SSLSocket_read_impl()
2473 if (len <= 0 || len > buffer->len) { in _ssl__SSLSocket_read_impl()
2474 len = (int) buffer->len; in _ssl__SSLSocket_read_impl()
2475 if (buffer->len != len) { in _ssl__SSLSocket_read_impl()
2489 nonblocking = (sock->sock_timeout >= 0); in _ssl__SSLSocket_read_impl()
2490 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); in _ssl__SSLSocket_read_impl()
2491 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); in _ssl__SSLSocket_read_impl()
2501 retval = SSL_read_ex(self->ssl, mem, (size_t)len, &count); in _ssl__SSLSocket_read_impl()
2502 err = _PySSL_errno(retval == 0, self->ssl, retval); in _ssl__SSLSocket_read_impl()
2504 self->err = err; in _ssl__SSLSocket_read_impl()
2510 timeout = deadline - _PyTime_GetMonotonicClock(); in _ssl__SSLSocket_read_impl()
2512 if (err.ssl == SSL_ERROR_WANT_READ) { in _ssl__SSLSocket_read_impl()
2514 } else if (err.ssl == SSL_ERROR_WANT_WRITE) { in _ssl__SSLSocket_read_impl()
2516 } else if (err.ssl == SSL_ERROR_ZERO_RETURN && in _ssl__SSLSocket_read_impl()
2517 SSL_get_shutdown(self->ssl) == SSL_RECEIVED_SHUTDOWN) in _ssl__SSLSocket_read_impl()
2532 } while (err.ssl == SSL_ERROR_WANT_READ || in _ssl__SSLSocket_read_impl()
2533 err.ssl == SSL_ERROR_WANT_WRITE); in _ssl__SSLSocket_read_impl()
2539 if (self->exc_type != NULL) in _ssl__SSLSocket_read_impl()
2563 Does the SSL shutdown handshake with the remote end.
2579 if ((((PyObject*)sock) == Py_None) || (sock->sock_fd == INVALID_SOCKET)) { in _ssl__SSLSocket_shutdown_impl()
2588 nonblocking = (sock->sock_timeout >= 0); in _ssl__SSLSocket_shutdown_impl()
2589 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); in _ssl__SSLSocket_shutdown_impl()
2590 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); in _ssl__SSLSocket_shutdown_impl()
2600 /* Disable read-ahead so that unwrap can work correctly. in _ssl__SSLSocket_shutdown_impl()
2603 * transmitted after the SSL shutdown. in _ssl__SSLSocket_shutdown_impl()
2608 if (self->shutdown_seen_zero) in _ssl__SSLSocket_shutdown_impl()
2609 SSL_set_read_ahead(self->ssl, 0); in _ssl__SSLSocket_shutdown_impl()
2610 ret = SSL_shutdown(self->ssl); in _ssl__SSLSocket_shutdown_impl()
2611 err = _PySSL_errno(ret < 0, self->ssl, ret); in _ssl__SSLSocket_shutdown_impl()
2613 self->err = err; in _ssl__SSLSocket_shutdown_impl()
2625 self->shutdown_seen_zero = 1; in _ssl__SSLSocket_shutdown_impl()
2630 timeout = deadline - _PyTime_GetMonotonicClock(); in _ssl__SSLSocket_shutdown_impl()
2633 if (err.ssl == SSL_ERROR_WANT_READ) in _ssl__SSLSocket_shutdown_impl()
2635 else if (err.ssl == SSL_ERROR_WANT_WRITE) in _ssl__SSLSocket_shutdown_impl()
2641 if (err.ssl == SSL_ERROR_WANT_READ) in _ssl__SSLSocket_shutdown_impl()
2650 PyErr_SetString(get_state_sock(self)->PySSLErrorObject, in _ssl__SSLSocket_shutdown_impl()
2655 /* Retain the SSL error code */ in _ssl__SSLSocket_shutdown_impl()
2663 if (self->exc_type != NULL) in _ssl__SSLSocket_shutdown_impl()
2679 cb_type: str = "tls-unique"
2685 Only 'tls-unique' channel binding data from RFC 5929 is supported.
2696 if (strcmp(cb_type, "tls-unique") == 0) { in _ssl__SSLSocket_get_channel_binding_impl()
2697 if (SSL_session_reused(self->ssl) ^ !self->socket_type) { in _ssl__SSLSocket_get_channel_binding_impl()
2699 len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN); in _ssl__SSLSocket_get_channel_binding_impl()
2703 len = SSL_get_peer_finished(self->ssl, buf, PySSL_CB_MAXLEN); in _ssl__SSLSocket_get_channel_binding_impl()
2725 Initiate TLS 1.3 post-handshake authentication
2733 int err = SSL_verify_client_post_handshake(self->ssl); in _ssl__SSLSocket_verify_client_post_handshake_impl()
2740 "Post-handshake auth is not supported by your " in _ssl__SSLSocket_verify_client_post_handshake_impl()
2789 /* get_session can return sessions from a server-side connection, in PySSL_get_session()
2796 session = SSL_get0_session(self->ssl); /* borrowed reference */ in PySSL_get_session()
2803 session = SSL_get1_session(self->ssl); in PySSL_get_session()
2807 pysess = PyObject_GC_New(PySSLSession, self->ctx->state->PySSLSession_Type); in PySSL_get_session()
2813 assert(self->ctx); in PySSL_get_session()
2814 pysess->ctx = self->ctx; in PySSL_get_session()
2815 Py_INCREF(pysess->ctx); in PySSL_get_session()
2816 pysess->session = session; in PySSL_get_session()
2828 if (!Py_IS_TYPE(value, get_state_sock(self)->PySSLSession_Type)) { in PySSL_set_session()
2830 return -1; in PySSL_set_session()
2834 if (self->ctx->ctx != pysess->ctx->ctx) { in PySSL_set_session()
2837 return -1; in PySSL_set_session()
2839 if (self->socket_type != PY_SSL_CLIENT) { in PySSL_set_session()
2841 "Cannot set session for server-side SSLSocket."); in PySSL_set_session()
2842 return -1; in PySSL_set_session()
2844 if (SSL_is_init_finished(self->ssl)) { in PySSL_set_session()
2847 return -1; in PySSL_set_session()
2850 if ((session = _ssl_session_dup(pysess->session)) == NULL) { in PySSL_set_session()
2851 return -1; in PySSL_set_session()
2853 result = SSL_set_session(self->ssl, session); in PySSL_set_session()
2858 return -1; in PySSL_set_session()
2870 if (SSL_session_reused(self->ssl)) { in PySSL_get_session_reused()
2955 return -1; in _set_verify_mode()
2958 /* bpo-37428: newPySSLSocket() sets SSL_VERIFY_POST_HANDSHAKE flag for in _set_verify_mode()
2962 verify_cb = SSL_CTX_get_verify_callback(self->ctx); in _set_verify_mode()
2963 SSL_CTX_set_verify(self->ctx, mode, verify_cb); in _set_verify_mode()
2997 PY_SSL_DEPRECATED("ssl.PROTOCOL_SSLv3 is deprecated", 2, NULL); in _ssl__SSLContext_impl()
3005 PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1 is deprecated", 2, NULL); in _ssl__SSLContext_impl()
3013 PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1_1 is deprecated", 2, NULL); in _ssl__SSLContext_impl()
3021 PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1_2 is deprecated", 2, NULL); in _ssl__SSLContext_impl()
3026 PY_SSL_DEPRECATED("ssl.PROTOCOL_TLS is deprecated", 2, NULL); in _ssl__SSLContext_impl()
3055 assert(type != NULL && type->tp_alloc != NULL); in _ssl__SSLContext_impl()
3056 self = (PySSLContext *) type->tp_alloc(type, 0); in _ssl__SSLContext_impl()
3061 self->ctx = ctx; in _ssl__SSLContext_impl()
3062 self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; in _ssl__SSLContext_impl()
3063 self->protocol = proto_version; in _ssl__SSLContext_impl()
3064 self->msg_cb = NULL; in _ssl__SSLContext_impl()
3065 self->keylog_filename = NULL; in _ssl__SSLContext_impl()
3066 self->keylog_bio = NULL; in _ssl__SSLContext_impl()
3067 self->alpn_protocols = NULL; in _ssl__SSLContext_impl()
3068 self->set_sni_cb = NULL; in _ssl__SSLContext_impl()
3069 self->state = get_ssl_state(module); in _ssl__SSLContext_impl()
3073 self->check_hostname = 1; in _ssl__SSLContext_impl()
3074 if (_set_verify_mode(self, PY_SSL_CERT_REQUIRED) == -1) { in _ssl__SSLContext_impl()
3079 self->check_hostname = 0; in _ssl__SSLContext_impl()
3080 if (_set_verify_mode(self, PY_SSL_CERT_NONE) == -1) { in _ssl__SSLContext_impl()
3092 * Client sockets ignore server-side parameters. */ in _ssl__SSLContext_impl()
3109 SSL_CTX_set_options(self->ctx, options); in _ssl__SSLContext_impl()
3127 PyErr_SetString(get_state_ctx(self)->PySSLErrorObject, in _ssl__SSLContext_impl()
3151 SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS); in _ssl__SSLContext_impl()
3154 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, in _ssl__SSLContext_impl()
3158 params = SSL_CTX_get0_param(self->ctx); in _ssl__SSLContext_impl()
3159 /* Improve trust chain building when cross-signed intermediate in _ssl__SSLContext_impl()
3162 X509_VERIFY_PARAM_set_hostflags(params, self->hostflags); in _ssl__SSLContext_impl()
3165 self->post_handshake_auth = 0; in _ssl__SSLContext_impl()
3166 SSL_CTX_set_post_handshake_auth(self->ctx, self->post_handshake_auth); in _ssl__SSLContext_impl()
3179 Py_VISIT(self->set_sni_cb); in context_traverse()
3180 Py_VISIT(self->msg_cb); in context_traverse()
3188 Py_CLEAR(self->set_sni_cb); in context_clear()
3189 Py_CLEAR(self->msg_cb); in context_clear()
3190 Py_CLEAR(self->keylog_filename); in context_clear()
3191 if (self->keylog_bio != NULL) { in context_clear()
3193 BIO_free_all(self->keylog_bio); in context_clear()
3195 self->keylog_bio = NULL; in context_clear()
3204 /* bpo-31095: UnTrack is needed before calling any callbacks */ in context_dealloc()
3207 SSL_CTX_free(self->ctx); in context_dealloc()
3208 PyMem_FREE(self->alpn_protocols); in context_dealloc()
3209 Py_TYPE(self)->tp_free(self); in context_dealloc()
3223 int ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist); in _ssl__SSLContext_set_ciphers_impl()
3226 otherwise the error will be reported again when another SSL call in _ssl__SSLContext_set_ciphers_impl()
3229 PyErr_SetString(get_state_ctx(self)->PySSLErrorObject, in _ssl__SSLContext_set_ciphers_impl()
3244 SSL *ssl = NULL; in _ssl__SSLContext_get_ciphers_impl() local
3250 ssl = SSL_new(self->ctx); in _ssl__SSLContext_get_ciphers_impl()
3251 if (ssl == NULL) { in _ssl__SSLContext_get_ciphers_impl()
3255 sk = SSL_get_ciphers(ssl); in _ssl__SSLContext_get_ciphers_impl()
3273 if (ssl != NULL) in _ssl__SSLContext_get_ciphers_impl()
3274 SSL_free(ssl); in _ssl__SSLContext_get_ciphers_impl()
3305 _selectALPN_cb(SSL *s, in _selectALPN_cb()
3312 ctx->alpn_protocols, ctx->alpn_protocols_len, in _selectALPN_cb()
3327 if ((size_t)protos->len > UINT_MAX) { in _ssl__SSLContext__set_alpn_protocols_impl()
3333 PyMem_Free(self->alpn_protocols); in _ssl__SSLContext__set_alpn_protocols_impl()
3334 self->alpn_protocols = PyMem_Malloc(protos->len); in _ssl__SSLContext__set_alpn_protocols_impl()
3335 if (!self->alpn_protocols) in _ssl__SSLContext__set_alpn_protocols_impl()
3337 memcpy(self->alpn_protocols, protos->buf, protos->len); in _ssl__SSLContext__set_alpn_protocols_impl()
3338 self->alpn_protocols_len = (unsigned int)protos->len; in _ssl__SSLContext__set_alpn_protocols_impl()
3340 if (SSL_CTX_set_alpn_protos(self->ctx, self->alpn_protocols, self->alpn_protocols_len)) in _ssl__SSLContext__set_alpn_protocols_impl()
3342 SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self); in _ssl__SSLContext__set_alpn_protocols_impl()
3353 switch (SSL_CTX_get_verify_mode(self->ctx) & mask) { in get_verify_mode()
3361 PyErr_SetString(get_state_ctx(self)->PySSLErrorObject, in get_verify_mode()
3371 return -1; in set_verify_mode()
3372 if (n == PY_SSL_CERT_NONE && self->check_hostname) { in set_verify_mode()
3376 return -1; in set_verify_mode()
3387 param = SSL_CTX_get0_param(self->ctx); in get_verify_flags()
3399 return -1; in set_verify_flags()
3400 param = SSL_CTX_get0_param(self->ctx); in set_verify_flags()
3407 return -1; in set_verify_flags()
3413 return -1; in set_verify_flags()
3427 return -1; in set_min_max_proto_version()
3430 return -1; in set_min_max_proto_version()
3433 switch(self->protocol) { in set_min_max_proto_version()
3444 return -1; in set_min_max_proto_version()
3450 PY_SSL_DEPRECATED("ssl.TLSVersion.SSLv3 is deprecated", 2, -1); in set_min_max_proto_version()
3453 PY_SSL_DEPRECATED("ssl.TLSVersion.TLSv1 is deprecated", 2, -1); in set_min_max_proto_version()
3456 PY_SSL_DEPRECATED("ssl.TLSVersion.TLSv1_1 is deprecated", 2, -1); in set_min_max_proto_version()
3466 "Unsupported TLS/SSL version 0x%x", v); in set_min_max_proto_version()
3467 return -1; in set_min_max_proto_version()
3482 result = SSL_CTX_set_min_proto_version(self->ctx, v); in set_min_max_proto_version()
3496 result = SSL_CTX_set_max_proto_version(self->ctx, v); in set_min_max_proto_version()
3501 return -1; in set_min_max_proto_version()
3509 int v = SSL_CTX_ctrl(self->ctx, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL); in get_minimum_version()
3525 int v = SSL_CTX_ctrl(self->ctx, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL); in get_maximum_version()
3542 return PyLong_FromSize_t(SSL_CTX_get_num_tickets(self->ctx)); in get_num_tickets()
3550 return -1; in set_num_tickets()
3552 PyErr_SetString(PyExc_ValueError, "value must be non-negative"); in set_num_tickets()
3553 return -1; in set_num_tickets()
3555 if (self->protocol != PY_SSL_VERSION_TLS_SERVER) { in set_num_tickets()
3558 return -1; in set_num_tickets()
3560 if (SSL_CTX_set_num_tickets(self->ctx, num) != 1) { in set_num_tickets()
3562 return -1; in set_num_tickets()
3574 return PyLong_FromLong(SSL_CTX_get_security_level(self->ctx)); in get_security_level()
3581 return PyLong_FromLong(SSL_CTX_get_options(self->ctx)); in get_options()
3594 return -1; in set_options()
3595 opts = SSL_CTX_get_options(self->ctx); in set_options()
3600 if (_ssl_deprecated("ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are " in set_options()
3602 return -1; in set_options()
3606 SSL_CTX_clear_options(self->ctx, clear); in set_options()
3609 SSL_CTX_set_options(self->ctx, set); in set_options()
3616 return PyLong_FromUnsignedLong(self->hostflags); in get_host_flags()
3626 return -1; in set_host_flags()
3628 param = SSL_CTX_get0_param(self->ctx); in set_host_flags()
3629 self->hostflags = new_flags; in set_host_flags()
3637 return PyBool_FromLong(self->check_hostname); in get_check_hostname()
3645 return -1; in set_check_hostname()
3647 SSL_CTX_get_verify_mode(self->ctx) == SSL_VERIFY_NONE) { in set_check_hostname()
3649 if (_set_verify_mode(self, PY_SSL_CERT_REQUIRED) == -1) { in set_check_hostname()
3650 return -1; in set_check_hostname()
3653 self->check_hostname = check_hostname; in set_check_hostname()
3660 return PyBool_FromLong(self->post_handshake_auth); in get_post_handshake_auth()
3671 return -1; in set_post_handshake_auth()
3675 if (pha == -1) { in set_post_handshake_auth()
3676 return -1; in set_post_handshake_auth()
3678 self->post_handshake_auth = pha; in set_post_handshake_auth()
3680 /* bpo-37428: newPySSLSocket() sets SSL_VERIFY_POST_HANDSHAKE flag for in set_post_handshake_auth()
3689 return PyLong_FromLong(self->protocol); in get_protocol()
3736 PyMem_Free(pw_info->password); in _pwinfo_set()
3737 pw_info->password = PyMem_Malloc(size); in _pwinfo_set()
3738 if (!pw_info->password) { in _pwinfo_set()
3743 memcpy(pw_info->password, data, size); in _pwinfo_set()
3744 pw_info->size = (int)size; in _pwinfo_set()
3760 PySSL_END_ALLOW_THREADS_S(pw_info->thread_state); in _password_callback()
3762 if (pw_info->error) { in _password_callback()
3763 /* already failed previously. OpenSSL 3.0.0-alpha14 invokes the in _password_callback()
3769 if (pw_info->callable) { in _password_callback()
3770 fn_ret = _PyObject_CallNoArg(pw_info->callable); in _password_callback()
3784 if (pw_info->size > size) { in _password_callback()
3790 PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state); in _password_callback()
3791 memcpy(buf, pw_info->password, pw_info->size); in _password_callback()
3792 return pw_info->size; in _password_callback()
3796 PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state); in _password_callback()
3797 pw_info->error = 1; in _password_callback()
3798 return -1; in _password_callback()
3815 pem_password_cb *orig_passwd_cb = SSL_CTX_get_default_passwd_cb(self->ctx); in _ssl__SSLContext_load_cert_chain_impl()
3816 void *orig_passwd_userdata = SSL_CTX_get_default_passwd_cb_userdata(self->ctx); in _ssl__SSLContext_load_cert_chain_impl()
3845 SSL_CTX_set_default_passwd_cb(self->ctx, _password_callback); in _ssl__SSLContext_load_cert_chain_impl()
3846 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, &pw_info); in _ssl__SSLContext_load_cert_chain_impl()
3849 r = SSL_CTX_use_certificate_chain_file(self->ctx, in _ssl__SSLContext_load_cert_chain_impl()
3867 r = SSL_CTX_use_PrivateKey_file(self->ctx, in _ssl__SSLContext_load_cert_chain_impl()
3888 r = SSL_CTX_check_private_key(self->ctx); in _ssl__SSLContext_load_cert_chain_impl()
3894 SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb); in _ssl__SSLContext_load_cert_chain_impl()
3895 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata); in _ssl__SSLContext_load_cert_chain_impl()
3900 SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb); in _ssl__SSLContext_load_cert_chain_impl()
3901 SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata); in _ssl__SSLContext_load_cert_chain_impl()
3908 /* internal helper function, returns -1 on error
3916 int retval = -1, err, loaded = 0; in _add_ca_certs()
3923 return -1; in _add_ca_certs()
3927 return -1; in _add_ca_certs()
3933 return -1; in _add_ca_certs()
3936 store = SSL_CTX_get_cert_store(self->ctx); in _add_ca_certs()
3947 SSL_CTX_get_default_passwd_cb(self->ctx), in _add_ca_certs()
3948 SSL_CTX_get_default_passwd_cb_userdata(self->ctx) in _add_ca_certs()
3978 retval = -1; in _add_ca_certs()
3993 retval = -1; in _add_ca_certs()
4065 if (r == -1) { in _ssl__SSLContext_load_verify_locations_impl()
4083 if (r == -1) { in _ssl__SSLContext_load_verify_locations_impl()
4091 "bytes-like object"); in _ssl__SSLContext_load_verify_locations_impl()
4103 r = SSL_CTX_load_verify_locations(self->ctx, cafile_buf, capath_buf); in _ssl__SSLContext_load_verify_locations_impl()
4163 if (!SSL_CTX_set_tmp_dh(self->ctx, dh)) { in _ssl__SSLContext_load_dh_params()
4173 sock: object(subclass_of="get_state_ctx(self)->Sock_Type")
4192 as IDN A-label (ASCII str) without NULL bytes. */ in _ssl__SSLContext__wrap_socket_impl()
4209 … incoming: object(subclass_of="get_state_ctx(self)->PySSLMemoryBIO_Type", type="PySSLMemoryBIO *")
4210 … outgoing: object(subclass_of="get_state_ctx(self)->PySSLMemoryBIO_Type", type="PySSLMemoryBIO *")
4230 as IDN A-label (ASCII str) without NULL bytes. */ in _ssl__SSLContext__wrap_bio_impl()
4258 value = PyLong_FromLong(SSL_CTX_sess_ ## SSL_NAME (self->ctx)); \ in _ssl__SSLContext_session_stats_impl()
4296 if (!SSL_CTX_set_default_verify_paths(self->ctx)) { in _ssl__SSLContext_set_default_verify_paths_impl()
4333 SSL_CTX_set_tmp_ecdh(self->ctx, key); in _ssl__SSLContext_set_ecdh_curve()
4339 _servername_callback(SSL *s, int *al, void *args) in _servername_callback()
4343 PySSLSocket *ssl; in _servername_callback() local
4345 /* The high-level ssl.SSLSocket object */ in _servername_callback()
4350 if (sslctx->set_sni_cb == NULL) { in _servername_callback()
4357 ssl = SSL_get_app_data(s); in _servername_callback()
4358 assert(Py_IS_TYPE(ssl, get_state_ctx(sslctx)->PySSLSocket_Type)); in _servername_callback()
4361 * SSL connection and that has a .context attribute that can be changed to in _servername_callback()
4366 * will be passed. If both do not exist only then the C-level object is in _servername_callback()
4368 if (ssl->owner) in _servername_callback()
4369 ssl_socket = PyWeakref_GetObject(ssl->owner); in _servername_callback()
4370 else if (ssl->Socket) in _servername_callback()
4371 ssl_socket = PyWeakref_GetObject(ssl->Socket); in _servername_callback()
4373 ssl_socket = (PyObject *) ssl; in _servername_callback()
4380 result = PyObject_CallFunctionObjArgs(sslctx->set_sni_cb, ssl_socket, in _servername_callback()
4392 /* server_hostname was encoded to an A-label by our caller; put it in _servername_callback()
4393 * back into a str object, but still as an A-label (bpo-28414) in _servername_callback()
4403 sslctx->set_sni_cb, ssl_socket, servername_str, in _servername_callback()
4410 PyErr_WriteUnraisable(sslctx->set_sni_cb); in _servername_callback()
4445 PyObject *cb = self->set_sni_cb; in get_sni_callback()
4456 if (self->protocol == PY_SSL_VERSION_TLS_CLIENT) { in set_sni_callback()
4459 return -1; in set_sni_callback()
4461 Py_CLEAR(self->set_sni_cb); in set_sni_callback()
4463 SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL); in set_sni_callback()
4467 SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL); in set_sni_callback()
4470 return -1; in set_sni_callback()
4473 self->set_sni_cb = arg; in set_sni_callback()
4474 SSL_CTX_set_tlsext_servername_callback(self->ctx, _servername_callback); in set_sni_callback()
4475 SSL_CTX_set_tlsext_servername_arg(self->ctx, self); in set_sni_callback()
4481 "Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI…
4508 store = SSL_CTX_get_cert_store(self->ctx); in _ssl__SSLContext_cert_store_stats_impl()
4539 If the optional argument is True, returns a DER-encoded copy of the CA
4559 store = SSL_CTX_get_cert_store(self->ctx); in _ssl__SSLContext_get_ca_certs_impl()
4583 if (PyList_Append(rlist, ci) == -1) { in _ssl__SSLContext_get_ca_certs_impl()
4694 /* Since our BIO is non-blocking an empty read() does not indicate EOF, in _ssl_MemoryBIO_impl()
4695 * just that no data is currently available. The SSL routines should retry in _ssl_MemoryBIO_impl()
4698 BIO_set_mem_eof_return(bio, -1); in _ssl_MemoryBIO_impl()
4700 assert(type != NULL && type->tp_alloc != NULL); in _ssl_MemoryBIO_impl()
4701 self = (PySSLMemoryBIO *) type->tp_alloc(type, 0); in _ssl_MemoryBIO_impl()
4706 self->bio = bio; in _ssl_MemoryBIO_impl()
4707 self->eof_written = 0; in _ssl_MemoryBIO_impl()
4724 BIO_free(self->bio); in memory_bio_dealloc()
4725 Py_TYPE(self)->tp_free(self); in memory_bio_dealloc()
4732 return PyLong_FromSize_t(BIO_ctrl_pending(self->bio)); in memory_bio_get_pending()
4741 return PyBool_FromLong((BIO_ctrl_pending(self->bio) == 0) in memory_bio_get_eof()
4742 && self->eof_written); in memory_bio_get_eof()
4750 size as len: int = -1
4768 avail = (int)Py_MIN(BIO_ctrl_pending(self->bio), INT_MAX); in _ssl_MemoryBIO_read_impl()
4776 nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len); in _ssl_MemoryBIO_read_impl()
4808 if (b->len > INT_MAX) { in _ssl_MemoryBIO_write_impl()
4814 if (self->eof_written) { in _ssl_MemoryBIO_write_impl()
4818 PyErr_SetString(get_ssl_state(module)->PySSLErrorObject, in _ssl_MemoryBIO_write_impl()
4823 nbytes = BIO_write(self->bio, b->buf, (int)b->len); in _ssl_MemoryBIO_write_impl()
4845 self->eof_written = 1; in _ssl_MemoryBIO_write_eof_impl()
4848 BIO_clear_retry_flags(self->bio); in _ssl_MemoryBIO_write_eof_impl()
4849 BIO_set_mem_eof_return(self->bio, 0); in _ssl_MemoryBIO_write_eof_impl()
4887 * SSL Session object
4894 /* bpo-31095: UnTrack is needed before calling any callbacks */ in PySSLSession_dealloc()
4896 Py_XDECREF(self->ctx); in PySSLSession_dealloc()
4897 if (self->session != NULL) { in PySSLSession_dealloc()
4898 SSL_SESSION_free(self->session); in PySSLSession_dealloc()
4908 PyTypeObject *sesstype = ((PySSLSession*)left)->ctx->state->PySSLSession_Type; in PySSLSession_richcompare()
4924 left_id = SSL_SESSION_get_id(((PySSLSession *)left)->session, in PySSLSession_richcompare()
4926 right_id = SSL_SESSION_get_id(((PySSLSession *)right)->session, in PySSLSession_richcompare()
4965 Py_VISIT(self->ctx); in PySSLSession_traverse()
4973 Py_CLEAR(self->ctx); in PySSLSession_clear()
4980 return PyLong_FromLong(SSL_SESSION_get_time(self->session)); in PySSLSession_get_time()
4989 return PyLong_FromLong(SSL_SESSION_get_timeout(self->session)); in PySSLSession_get_timeout()
4998 unsigned long hint = SSL_SESSION_get_ticket_lifetime_hint(self->session); in PySSLSession_get_ticket_lifetime_hint()
5010 id = SSL_SESSION_get_id(self->session, &len); in PySSLSession_get_session_id()
5020 if (SSL_SESSION_has_ticket(self->session)) { in PySSLSession_get_has_ticket()
5063 /* helper routines for seeding the SSL PRNG */
5083 buf = (const char *)view->buf; in _ssl_RAND_add_impl()
5084 len = view->len; in _ssl_RAND_add_impl()
5089 len -= written; in _ssl_RAND_add_impl()
5127 PyErr_SetObject(get_ssl_state(module)->PySSLErrorObject, v); in PySSL_RAND()
5138 Generate n cryptographically strong pseudo-random bytes.
5153 Generate n pseudo-random bytes.
5163 PY_SSL_DEPRECATED("ssl.RAND_pseudo_bytes() is deprecated", 1, NULL); in _ssl_RAND_pseudo_bytes_impl()
5173 using the ssl() function.
5361 for (i = 0; i < usage->cUsageIdentifier; ++i) { in parseKeyUsage()
5362 if (usage->rgpszUsageIdentifier[i]) { in parseKeyUsage()
5365 oid = PyUnicode_FromString(usage->rgpszUsageIdentifier[i]); in parseKeyUsage()
5372 if (err == -1) { in parseKeyUsage()
5465 cert = PyBytes_FromStringAndSize((const char*)pCertCtx->pbCertEncoded, in _ssl_enum_certificates_impl()
5466 pCertCtx->cbCertEncoded); in _ssl_enum_certificates_impl()
5471 if ((enc = certEncodingType(pCertCtx->dwCertEncodingType)) == NULL) { in _ssl_enum_certificates_impl()
5494 if (PySet_Add(result, tup) == -1) { in _ssl_enum_certificates_impl()
5563 crl = PyBytes_FromStringAndSize((const char*)pCrlCtx->pbCrlEncoded, in _ssl_enum_crls_impl()
5564 pCrlCtx->cbCrlEncoded); in _ssl_enum_crls_impl()
5569 if ((enc = certEncodingType(pCrlCtx->dwCertEncodingType)) == NULL) { in _ssl_enum_crls_impl()
5582 if (PySet_Add(result, tup) == -1) { in _ssl_enum_crls_impl()
5636 "Implementation module for SSL socket operations. See the socket module\n\
5647 (exc) = PyErr_NewExceptionWithDoc("ssl." name, (doc), (base), NULL); \ in sslmodule_init_exceptions()
5652 state->PySSLErrorObject = PyType_FromSpecWithBases( in sslmodule_init_exceptions()
5654 if (state->PySSLErrorObject == NULL) { in sslmodule_init_exceptions()
5657 if (PyModule_AddObjectRef(module, "SSLError", state->PySSLErrorObject) < 0) { in sslmodule_init_exceptions()
5661 /* ssl.CertificateError used to be a subclass of ValueError */ in sslmodule_init_exceptions()
5662 bases = PyTuple_Pack(2, state->PySSLErrorObject, PyExc_ValueError); in sslmodule_init_exceptions()
5667 state->PySSLCertVerificationErrorObject, in sslmodule_init_exceptions()
5675 state->PySSLZeroReturnErrorObject, in sslmodule_init_exceptions()
5678 state->PySSLErrorObject in sslmodule_init_exceptions()
5682 state->PySSLWantWriteErrorObject, in sslmodule_init_exceptions()
5685 state->PySSLErrorObject in sslmodule_init_exceptions()
5689 state->PySSLWantReadErrorObject, in sslmodule_init_exceptions()
5692 state->PySSLErrorObject in sslmodule_init_exceptions()
5696 state->PySSLSyscallErrorObject, in sslmodule_init_exceptions()
5699 state->PySSLErrorObject in sslmodule_init_exceptions()
5703 state->PySSLEOFErrorObject, in sslmodule_init_exceptions()
5706 state->PySSLErrorObject in sslmodule_init_exceptions()
5713 return -1; in sslmodule_init_exceptions()
5722 if ((sockmod == NULL) || (sockmod->Sock_Type == NULL)) { in sslmodule_init_socketapi()
5723 return -1; in sslmodule_init_socketapi()
5725 state->Sock_Type = sockmod->Sock_Type; in sslmodule_init_socketapi()
5726 Py_INCREF(state->Sock_Type); in sslmodule_init_socketapi()
5751 /* non ssl.h errorcodes */ in sslmodule_init_constants()
5782 /* Alert Descriptions from ssl.h */ in sslmodule_init_constants()
5784 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */ in sslmodule_init_constants()
5995 state->err_codes_to_names = PyDict_New(); in sslmodule_init_errorcodes()
5996 if (state->err_codes_to_names == NULL) in sslmodule_init_errorcodes()
5997 return -1; in sslmodule_init_errorcodes()
5998 state->err_names_to_codes = PyDict_New(); in sslmodule_init_errorcodes()
5999 if (state->err_names_to_codes == NULL) in sslmodule_init_errorcodes()
6000 return -1; in sslmodule_init_errorcodes()
6001 state->lib_codes_to_names = PyDict_New(); in sslmodule_init_errorcodes()
6002 if (state->lib_codes_to_names == NULL) in sslmodule_init_errorcodes()
6003 return -1; in sslmodule_init_errorcodes()
6006 while (errcode->mnemonic != NULL) { in sslmodule_init_errorcodes()
6008 mnemo = PyUnicode_FromString(errcode->mnemonic); in sslmodule_init_errorcodes()
6009 key = Py_BuildValue("ii", errcode->library, errcode->reason); in sslmodule_init_errorcodes()
6011 return -1; in sslmodule_init_errorcodes()
6012 if (PyDict_SetItem(state->err_codes_to_names, key, mnemo)) in sslmodule_init_errorcodes()
6013 return -1; in sslmodule_init_errorcodes()
6014 if (PyDict_SetItem(state->err_names_to_codes, mnemo, key)) in sslmodule_init_errorcodes()
6015 return -1; in sslmodule_init_errorcodes()
6022 while (libcode->library != NULL) { in sslmodule_init_errorcodes()
6024 key = PyLong_FromLong(libcode->code); in sslmodule_init_errorcodes()
6025 mnemo = PyUnicode_FromString(libcode->library); in sslmodule_init_errorcodes()
6027 return -1; in sslmodule_init_errorcodes()
6028 if (PyDict_SetItem(state->lib_codes_to_names, key, mnemo)) in sslmodule_init_errorcodes()
6029 return -1; in sslmodule_init_errorcodes()
6035 if (PyModule_AddObjectRef(module, "err_codes_to_names", state->err_codes_to_names)) in sslmodule_init_errorcodes()
6036 return -1; in sslmodule_init_errorcodes()
6037 if (PyModule_AddObjectRef(module, "err_names_to_codes", state->err_names_to_codes)) in sslmodule_init_errorcodes()
6038 return -1; in sslmodule_init_errorcodes()
6039 if (PyModule_AddObjectRef(module, "lib_codes_to_names", state->lib_codes_to_names)) in sslmodule_init_errorcodes()
6040 return -1; in sslmodule_init_errorcodes()
6076 return -1; in sslmodule_init_versioninfo()
6081 return -1; in sslmodule_init_versioninfo()
6085 return -1; in sslmodule_init_versioninfo()
6091 return -1; in sslmodule_init_versioninfo()
6101 state->PySSLContext_Type = (PyTypeObject *)PyType_FromModuleAndSpec( in sslmodule_init_types()
6104 if (state->PySSLContext_Type == NULL) in sslmodule_init_types()
6105 return -1; in sslmodule_init_types()
6107 state->PySSLSocket_Type = (PyTypeObject *)PyType_FromModuleAndSpec( in sslmodule_init_types()
6110 if (state->PySSLSocket_Type == NULL) in sslmodule_init_types()
6111 return -1; in sslmodule_init_types()
6113 state->PySSLMemoryBIO_Type = (PyTypeObject *)PyType_FromModuleAndSpec( in sslmodule_init_types()
6116 if (state->PySSLMemoryBIO_Type == NULL) in sslmodule_init_types()
6117 return -1; in sslmodule_init_types()
6119 state->PySSLSession_Type = (PyTypeObject *)PyType_FromModuleAndSpec( in sslmodule_init_types()
6122 if (state->PySSLSession_Type == NULL) in sslmodule_init_types()
6123 return -1; in sslmodule_init_types()
6125 state->PySSLCertificate_Type = (PyTypeObject *)PyType_FromModuleAndSpec( in sslmodule_init_types()
6128 if (state->PySSLCertificate_Type == NULL) in sslmodule_init_types()
6129 return -1; in sslmodule_init_types()
6131 if (PyModule_AddType(module, state->PySSLContext_Type)) in sslmodule_init_types()
6132 return -1; in sslmodule_init_types()
6133 if (PyModule_AddType(module, state->PySSLSocket_Type)) in sslmodule_init_types()
6134 return -1; in sslmodule_init_types()
6135 if (PyModule_AddType(module, state->PySSLMemoryBIO_Type)) in sslmodule_init_types()
6136 return -1; in sslmodule_init_types()
6137 if (PyModule_AddType(module, state->PySSLSession_Type)) in sslmodule_init_types()
6138 return -1; in sslmodule_init_types()
6139 if (PyModule_AddType(module, state->PySSLCertificate_Type)) in sslmodule_init_types()
6140 return -1; in sslmodule_init_types()
6159 Py_VISIT(state->PySSLContext_Type); in sslmodule_traverse()
6160 Py_VISIT(state->PySSLSocket_Type); in sslmodule_traverse()
6161 Py_VISIT(state->PySSLMemoryBIO_Type); in sslmodule_traverse()
6162 Py_VISIT(state->PySSLSession_Type); in sslmodule_traverse()
6163 Py_VISIT(state->PySSLCertificate_Type); in sslmodule_traverse()
6164 Py_VISIT(state->PySSLErrorObject); in sslmodule_traverse()
6165 Py_VISIT(state->PySSLCertVerificationErrorObject); in sslmodule_traverse()
6166 Py_VISIT(state->PySSLZeroReturnErrorObject); in sslmodule_traverse()
6167 Py_VISIT(state->PySSLWantReadErrorObject); in sslmodule_traverse()
6168 Py_VISIT(state->PySSLWantWriteErrorObject); in sslmodule_traverse()
6169 Py_VISIT(state->PySSLSyscallErrorObject); in sslmodule_traverse()
6170 Py_VISIT(state->PySSLEOFErrorObject); in sslmodule_traverse()
6171 Py_VISIT(state->err_codes_to_names); in sslmodule_traverse()
6172 Py_VISIT(state->err_names_to_codes); in sslmodule_traverse()
6173 Py_VISIT(state->lib_codes_to_names); in sslmodule_traverse()
6174 Py_VISIT(state->Sock_Type); in sslmodule_traverse()
6184 Py_CLEAR(state->PySSLContext_Type); in sslmodule_clear()
6185 Py_CLEAR(state->PySSLSocket_Type); in sslmodule_clear()
6186 Py_CLEAR(state->PySSLMemoryBIO_Type); in sslmodule_clear()
6187 Py_CLEAR(state->PySSLSession_Type); in sslmodule_clear()
6188 Py_CLEAR(state->PySSLCertificate_Type); in sslmodule_clear()
6189 Py_CLEAR(state->PySSLErrorObject); in sslmodule_clear()
6190 Py_CLEAR(state->PySSLCertVerificationErrorObject); in sslmodule_clear()
6191 Py_CLEAR(state->PySSLZeroReturnErrorObject); in sslmodule_clear()
6192 Py_CLEAR(state->PySSLWantReadErrorObject); in sslmodule_clear()
6193 Py_CLEAR(state->PySSLWantWriteErrorObject); in sslmodule_clear()
6194 Py_CLEAR(state->PySSLSyscallErrorObject); in sslmodule_clear()
6195 Py_CLEAR(state->PySSLEOFErrorObject); in sslmodule_clear()
6196 Py_CLEAR(state->err_codes_to_names); in sslmodule_clear()
6197 Py_CLEAR(state->err_names_to_codes); in sslmodule_clear()
6198 Py_CLEAR(state->lib_codes_to_names); in sslmodule_clear()
6199 Py_CLEAR(state->Sock_Type); in sslmodule_clear()