From 6e027dba9339887feeb947fa409e18a6f44e210b Mon Sep 17 00:00:00 2001 From: Bill Janssen Date: Thu, 15 Nov 2007 22:23:56 +0000 Subject: [PATCH] get SSL support to work again --- Lib/ssl.py | 461 ++++++++++++++++--------------------------- Lib/test/test_ssl.py | 317 +++++++++++++++-------------- Modules/_ssl.c | 328 ++++++++++++++++++------------ 3 files changed, 536 insertions(+), 570 deletions(-) diff --git a/Lib/ssl.py b/Lib/ssl.py index 9a120f25814..92855c15e73 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -1,8 +1,6 @@ # Wrapper module for _ssl, providing some additional facilities # implemented in Python. Written by Bill Janssen. -raise ImportError("ssl.py is temporarily out of order") - """\ This module provides some more Pythonic support for SSL. @@ -76,9 +74,11 @@ from _ssl import \ SSL_ERROR_EOF, \ SSL_ERROR_INVALID_ERROR_CODE -from socket import socket +from socket import socket, AF_INET, SOCK_STREAM, error from socket import getnameinfo as _getnameinfo +from socket import error as socket_error import base64 # for DER-to-PEM translation +_can_dup_socket = hasattr(socket, "dup") class SSLSocket (socket): @@ -86,10 +86,38 @@ class SSLSocket (socket): the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.""" - def __init__(self, sock, keyfile=None, certfile=None, + def __init__(self, sock=None, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, - ssl_version=PROTOCOL_SSLv23, ca_certs=None): - socket.__init__(self, _sock=sock._sock) + ssl_version=PROTOCOL_SSLv23, ca_certs=None, + do_handshake_on_connect=True, + family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, + suppress_ragged_eofs=True): + + self._base = None + + if sock is not None: + # copied this code from socket.accept() + fd = sock.fileno() + nfd = fd + if _can_dup_socket: + nfd = os.dup(fd) + try: + wrapper = socket.__init__(self, family=sock.family, type=sock.type, proto=sock.proto, fileno=nfd) + except: + if nfd != fd: + os.close(nfd) + else: + if fd != nfd: + sock.close() + sock = None + + elif fileno is not None: + socket.__init__(self, fileno=fileno) + else: + socket.__init__(self, family=family, type=type, proto=proto) + + self._closed = False + if certfile and not keyfile: keyfile = certfile # see if it's connected @@ -100,27 +128,52 @@ class SSLSocket (socket): self._sslobj = None else: # yes, create the SSL object - self._sslobj = _ssl.sslwrap(self._sock, server_side, - keyfile, certfile, - cert_reqs, ssl_version, ca_certs) + try: + self._sslobj = _ssl.sslwrap(self, server_side, + keyfile, certfile, + cert_reqs, ssl_version, ca_certs) + if do_handshake_on_connect: + self.do_handshake() + except socket_error as x: + self.close() + raise x + + self._base = sock self.keyfile = keyfile self.certfile = certfile self.cert_reqs = cert_reqs self.ssl_version = ssl_version self.ca_certs = ca_certs + self.do_handshake_on_connect = do_handshake_on_connect + self.suppress_ragged_eofs = suppress_ragged_eofs - def read(self, len=1024): + def _checkClosed(self, msg=None): + # raise an exception here if you wish to check for spurious closes + pass + + def read(self, len=1024, buffer=None): """Read up to LEN bytes and return them. Return zero-length string on EOF.""" - return self._sslobj.read(len) + self._checkClosed() + try: + if buffer: + return self._sslobj.read(buffer, len) + else: + return self._sslobj.read(len) + except SSLError as x: + if x.args[0] == SSL_ERROR_EOF and self.suppress_ragged_eofs: + return b'' + else: + raise def write(self, data): """Write DATA to the underlying SSL channel. Returns number of bytes of DATA actually transmitted.""" + self._checkClosed() return self._sslobj.write(data) def getpeercert(self, binary_form=False): @@ -130,26 +183,42 @@ class SSLSocket (socket): Return None if no certificate was provided, {} if a certificate was provided, but not validated.""" + self._checkClosed() return self._sslobj.peer_certificate(binary_form) def cipher (self): + self._checkClosed() if not self._sslobj: return None else: return self._sslobj.cipher() def send (self, data, flags=0): + + self._checkClosed() if self._sslobj: if flags != 0: raise ValueError( "non-zero flags not allowed in calls to send() on %s" % self.__class__) - return self._sslobj.write(data) + while True: + try: + v = self._sslobj.write(data) + except SSLError as x: + if x.args[0] == SSL_ERROR_WANT_READ: + return 0 + elif x.args[0] == SSL_ERROR_WANT_WRITE: + return 0 + else: + raise + else: + return v else: return socket.send(self, data, flags) def send_to (self, data, addr, flags=0): + self._checkClosed() if self._sslobj: raise ValueError("send_to not allowed on instances of %s" % self.__class__) @@ -157,39 +226,95 @@ class SSLSocket (socket): return socket.send_to(self, data, addr, flags) def sendall (self, data, flags=0): + self._checkClosed() if self._sslobj: - if flags != 0: - raise ValueError( - "non-zero flags not allowed in calls to sendall() on %s" % - self.__class__) - return self._sslobj.write(data) + amount = len(data) + count = 0 + while (count < amount): + v = self.send(data[count:]) + count += v + return amount else: return socket.sendall(self, data, flags) def recv (self, buflen=1024, flags=0): + self._checkClosed() if self._sslobj: if flags != 0: raise ValueError( - "non-zero flags not allowed in calls to sendall() on %s" % + "non-zero flags not allowed in calls to recv_into() on %s" % self.__class__) - return self._sslobj.read(data, buflen) + while True: + try: + return self.read(buflen) + except SSLError as x: + if x.args[0] == SSL_ERROR_WANT_READ: + continue + else: + raise x else: return socket.recv(self, buflen, flags) + def recv_into (self, buffer, nbytes=None, flags=0): + self._checkClosed() + if buffer and (nbytes is None): + nbytes = len(buffer) + elif nbytes is None: + nbytes = 1024 + if self._sslobj: + if flags != 0: + raise ValueError( + "non-zero flags not allowed in calls to recv_into() on %s" % + self.__class__) + while True: + try: + v = self.read(nbytes, buffer) + sys.stdout.flush() + return v + except SSLError as x: + if x.args[0] == SSL_ERROR_WANT_READ: + continue + else: + raise x + else: + return socket.recv_into(self, buffer, nbytes, flags) + def recv_from (self, addr, buflen=1024, flags=0): + self._checkClosed() if self._sslobj: raise ValueError("recv_from not allowed on instances of %s" % self.__class__) else: return socket.recv_from(self, addr, buflen, flags) - def shutdown(self, how): + def pending (self): + self._checkClosed() + if self._sslobj: + return self._sslobj.pending() + else: + return 0 + + def shutdown (self, how): + self._checkClosed() self._sslobj = None socket.shutdown(self, how) - def close(self): + def _real_close (self): self._sslobj = None - socket.close(self) + # self._closed = True + if self._base: + self._base.close() + socket._real_close(self) + + def do_handshake (self): + + """Perform a TLS/SSL handshake.""" + + try: + self._sslobj.do_handshake() + except: + self._sslobj = None + raise def connect(self, addr): @@ -201,9 +326,11 @@ class SSLSocket (socket): if self._sslobj: raise ValueError("attempt to connect already-connected SSLSocket!") socket.connect(self, addr) - self._sslobj = _ssl.sslwrap(self._sock, False, self.keyfile, self.certfile, + self._sslobj = _ssl.sslwrap(self, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs) + if self.do_handshake_on_connect: + self.do_handshake() def accept(self): @@ -212,260 +339,24 @@ class SSLSocket (socket): SSL channel, and the address of the remote client.""" newsock, addr = socket.accept(self) - return (SSLSocket(newsock, True, self.keyfile, self.certfile, - self.cert_reqs, self.ssl_version, - self.ca_certs), addr) - - - def makefile(self, mode='r', bufsize=-1): - - """Ouch. Need to make and return a file-like object that - works with the SSL connection.""" - - if self._sslobj: - return SSLFileStream(self._sslobj, mode, bufsize) - else: - return socket.makefile(self, mode, bufsize) - - -class SSLFileStream: - - """A class to simulate a file stream on top of a socket. - Most of this is just lifted from the socket module, and - adjusted to work with an SSL stream instead of a socket.""" - - - default_bufsize = 8192 - name = "" - - __slots__ = ["mode", "bufsize", "softspace", - # "closed" is a property, see below - "_sslobj", "_rbufsize", "_wbufsize", "_rbuf", "_wbuf", - "_close", "_fileno"] - - def __init__(self, sslobj, mode='rb', bufsize=-1, close=False): - self._sslobj = sslobj - self.mode = mode # Not actually used in this version - if bufsize < 0: - bufsize = self.default_bufsize - self.bufsize = bufsize - self.softspace = False - if bufsize == 0: - self._rbufsize = 1 - elif bufsize == 1: - self._rbufsize = self.default_bufsize - else: - self._rbufsize = bufsize - self._wbufsize = bufsize - self._rbuf = "" # A string - self._wbuf = [] # A list of strings - self._close = close - self._fileno = -1 - - def _getclosed(self): - return self._sslobj is None - closed = property(_getclosed, doc="True if the file is closed") - - def fileno(self): - return self._fileno - - def close(self): - try: - if self._sslobj: - self.flush() - finally: - if self._close and self._sslobj: - self._sslobj.close() - self._sslobj = None - - def __del__(self): - try: - self.close() - except: - # close() may fail if __init__ didn't complete - pass - - def flush(self): - if self._wbuf: - buffer = "".join(self._wbuf) - self._wbuf = [] - count = 0 - while (count < len(buffer)): - written = self._sslobj.write(buffer) - count += written - buffer = buffer[written:] - - def write(self, data): - data = str(data) # XXX Should really reject non-string non-buffers - if not data: - return - self._wbuf.append(data) - if (self._wbufsize == 0 or - self._wbufsize == 1 and '\n' in data or - self._get_wbuf_len() >= self._wbufsize): - self.flush() - - def writelines(self, list): - # XXX We could do better here for very long lists - # XXX Should really reject non-string non-buffers - self._wbuf.extend(filter(None, map(str, list))) - if (self._wbufsize <= 1 or - self._get_wbuf_len() >= self._wbufsize): - self.flush() - - def _get_wbuf_len(self): - buf_len = 0 - for x in self._wbuf: - buf_len += len(x) - return buf_len - - def read(self, size=-1): - data = self._rbuf - if size < 0: - # Read until EOF - buffers = [] - if data: - buffers.append(data) - self._rbuf = "" - if self._rbufsize <= 1: - recv_size = self.default_bufsize - else: - recv_size = self._rbufsize - while True: - data = self._sslobj.read(recv_size) - if not data: - break - buffers.append(data) - return "".join(buffers) - else: - # Read until size bytes or EOF seen, whichever comes first - buf_len = len(data) - if buf_len >= size: - self._rbuf = data[size:] - return data[:size] - buffers = [] - if data: - buffers.append(data) - self._rbuf = "" - while True: - left = size - buf_len - recv_size = max(self._rbufsize, left) - data = self._sslobj.read(recv_size) - if not data: - break - buffers.append(data) - n = len(data) - if n >= left: - self._rbuf = data[left:] - buffers[-1] = data[:left] - break - buf_len += n - return "".join(buffers) - - def readline(self, size=-1): - data = self._rbuf - if size < 0: - # Read until \n or EOF, whichever comes first - if self._rbufsize <= 1: - # Speed up unbuffered case - assert data == "" - buffers = [] - while data != "\n": - data = self._sslobj.read(1) - if not data: - break - buffers.append(data) - return "".join(buffers) - nl = data.find('\n') - if nl >= 0: - nl += 1 - self._rbuf = data[nl:] - return data[:nl] - buffers = [] - if data: - buffers.append(data) - self._rbuf = "" - while True: - data = self._sslobj.read(self._rbufsize) - if not data: - break - buffers.append(data) - nl = data.find('\n') - if nl >= 0: - nl += 1 - self._rbuf = data[nl:] - buffers[-1] = data[:nl] - break - return "".join(buffers) - else: - # Read until size bytes or \n or EOF seen, whichever comes first - nl = data.find('\n', 0, size) - if nl >= 0: - nl += 1 - self._rbuf = data[nl:] - return data[:nl] - buf_len = len(data) - if buf_len >= size: - self._rbuf = data[size:] - return data[:size] - buffers = [] - if data: - buffers.append(data) - self._rbuf = "" - while True: - data = self._sslobj.read(self._rbufsize) - if not data: - break - buffers.append(data) - left = size - buf_len - nl = data.find('\n', 0, left) - if nl >= 0: - nl += 1 - self._rbuf = data[nl:] - buffers[-1] = data[:nl] - break - n = len(data) - if n >= left: - self._rbuf = data[left:] - buffers[-1] = data[:left] - break - buf_len += n - return "".join(buffers) - - def readlines(self, sizehint=0): - total = 0 - list = [] - while True: - line = self.readline() - if not line: - break - list.append(line) - total += len(line) - if sizehint and total >= sizehint: - break - return list - - # Iterator protocols - - def __iter__(self): - return self - - def next(self): - line = self.readline() - if not line: - raise StopIteration - return line - - + return (SSLSocket(sock=newsock, + keyfile=self.keyfile, certfile=self.certfile, + server_side=True, + cert_reqs=self.cert_reqs, ssl_version=self.ssl_version, + ca_certs=self.ca_certs, + do_handshake_on_connect=self.do_handshake_on_connect), + addr) def wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, - ssl_version=PROTOCOL_SSLv23, ca_certs=None): + ssl_version=PROTOCOL_SSLv23, ca_certs=None, + do_handshake_on_connect=True): - return SSLSocket(sock, keyfile=keyfile, certfile=certfile, + return SSLSocket(sock=sock, keyfile=keyfile, certfile=certfile, server_side=server_side, cert_reqs=cert_reqs, - ssl_version=ssl_version, ca_certs=ca_certs) + ssl_version=ssl_version, ca_certs=ca_certs, + do_handshake_on_connect=do_handshake_on_connect) # some utility functions @@ -486,16 +377,10 @@ def DER_cert_to_PEM_cert(der_cert_bytes): """Takes a certificate in binary DER format and returns the PEM version of it as a string.""" - if hasattr(base64, 'standard_b64encode'): - # preferred because older API gets line-length wrong - f = base64.standard_b64encode(der_cert_bytes) - return (PEM_HEADER + '\n' + - textwrap.fill(f, 64) + - PEM_FOOTER + '\n') - else: - return (PEM_HEADER + '\n' + - base64.encodestring(der_cert_bytes) + - PEM_FOOTER + '\n') + f = str(base64.standard_b64encode(der_cert_bytes), 'ASCII', 'strict') + return (PEM_HEADER + '\n' + + textwrap.fill(f, 64) + '\n' + + PEM_FOOTER + '\n') def PEM_cert_to_DER_cert(pem_cert_string): @@ -509,7 +394,7 @@ def PEM_cert_to_DER_cert(pem_cert_string): raise ValueError("Invalid PEM encoding; must end with %s" % PEM_FOOTER) d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] - return base64.decodestring(d) + return base64.decodestring(d.encode('ASCII', 'strict')) def get_server_certificate (addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None): @@ -541,15 +426,3 @@ def get_protocol_name (protocol_code): return "SSLv3" else: return "" - - -# a replacement for the old socket.ssl function - -def sslwrap_simple (sock, keyfile=None, certfile=None): - - """A replacement for the old socket.ssl function. Designed - for compability with Python 2.5 and earlier. Will disappear in - Python 3.0.""" - - return _ssl.sslwrap(sock._sock, 0, keyfile, certfile, CERT_NONE, - PROTOCOL_SSLv23, None) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 81c9c7a4da7..18df3f4422d 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4,6 +4,7 @@ import sys import unittest from test import test_support import socket +import select import errno import subprocess import time @@ -36,27 +37,6 @@ def handle_error(prefix): class BasicTests(unittest.TestCase): - def testSSLconnect(self): - import os - s = ssl.wrap_socket(socket.socket(socket.AF_INET), - cert_reqs=ssl.CERT_NONE) - s.connect(("svn.python.org", 443)) - c = s.getpeercert() - if c: - raise test_support.TestFailed("Peer cert %s shouldn't be here!") - s.close() - - # this should fail because we have no verification certs - s = ssl.wrap_socket(socket.socket(socket.AF_INET), - cert_reqs=ssl.CERT_REQUIRED) - try: - s.connect(("svn.python.org", 443)) - except ssl.SSLError: - pass - finally: - s.close() - - def testCrucialConstants(self): ssl.PROTOCOL_SSLv2 ssl.PROTOCOL_SSLv23 @@ -97,11 +77,31 @@ class BasicTests(unittest.TestCase): if (d1 != d2): raise test_support.TestFailed("PEM-to-DER or DER-to-PEM translation failed") +class NetworkedTests(unittest.TestCase): -class NetworkTests(unittest.TestCase): + def testFetchServerCert(self): + + pem = ssl.get_server_certificate(("svn.python.org", 443)) + if not pem: + raise test_support.TestFailed("No server certificate on svn.python.org:443!") + + try: + pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE) + except ssl.SSLError as x: + #should fail + if test_support.verbose: + sys.stdout.write("%s\n" % x) + else: + raise test_support.TestFailed("Got server certificate %s for svn.python.org!" % pem) + + pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT) + if not pem: + raise test_support.TestFailed("No server certificate on svn.python.org:443!") + if test_support.verbose: + sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem) def testConnect(self): - import os + s = ssl.wrap_socket(socket.socket(socket.AF_INET), cert_reqs=ssl.CERT_NONE) s.connect(("svn.python.org", 443)) @@ -131,25 +131,29 @@ class NetworkTests(unittest.TestCase): finally: s.close() - def testFetchServerCert(self): - - pem = ssl.get_server_certificate(("svn.python.org", 443)) - if not pem: - raise test_support.TestFailed("No server certificate on svn.python.org:443!") - - try: - pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE) - except ssl.SSLError: - #should fail - pass - else: - raise test_support.TestFailed("Got server certificate %s for svn.python.org!" % pem) - - pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT) - if not pem: - raise test_support.TestFailed("No server certificate on svn.python.org:443!") + def testNonBlockingHandshake(self): + s = socket.socket(socket.AF_INET) + s.connect(("svn.python.org", 443)) + s.setblocking(False) + s = ssl.wrap_socket(s, + cert_reqs=ssl.CERT_NONE, + do_handshake_on_connect=False) + count = 0 + while True: + try: + count += 1 + s.do_handshake() + break + except ssl.SSLError as err: + if err.args[0] == ssl.SSL_ERROR_WANT_READ: + select.select([s], [], []) + elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE: + select.select([], [s], []) + else: + raise + s.close() if test_support.verbose: - sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem) + sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count) try: @@ -168,10 +172,11 @@ else: with and without the SSL wrapper around the socket connection, so that we can test the STARTTLS functionality.""" - def __init__(self, server, connsock): + def __init__(self, server, connsock, addr): self.server = server self.running = False self.sock = connsock + self.addr = addr self.sock.setblocking(1) self.sslconn = None threading.Thread.__init__(self) @@ -186,8 +191,7 @@ else: cert_reqs=self.server.certreqs) except: if self.server.chatty: - handle_error("\n server: bad connection attempt from " + - str(self.sock.getpeername()) + ":\n") + handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n") if not self.server.expect_bad_connects: # here, we want to stop the server, because this shouldn't # happen in the context of our test case @@ -195,6 +199,7 @@ else: # normally, we'd just stop here, but for the test # harness, we want to stop the server self.server.stop() + self.close() return False else: @@ -236,19 +241,21 @@ else: while self.running: try: msg = self.read() + amsg = (msg and str(msg, 'ASCII', 'strict')) or '' if not msg: # eof, so quit this handler self.running = False self.close() - elif msg.strip() == 'over': + elif amsg.strip() == 'over': if test_support.verbose and self.server.connectionchatty: sys.stdout.write(" server: client closed connection\n") self.close() return - elif self.server.starttls_server and msg.strip() == 'STARTTLS': + elif (self.server.starttls_server and + amsg.strip() == 'STARTTLS'): if test_support.verbose and self.server.connectionchatty: sys.stdout.write(" server: read STARTTLS from client, sending OK...\n") - self.write("OK\n") + self.write("OK\n".encode("ASCII", "strict")) if not self.wrap_conn(): return else: @@ -257,8 +264,8 @@ else: ctype = (self.sslconn and "encrypted") or "unencrypted" sys.stdout.write(" server: read %s (%s), sending back %s (%s)...\n" % (repr(msg), ctype, repr(msg.lower()), ctype)) - self.write(msg.lower()) - except ssl.SSLError: + self.write(amsg.lower().encode('ASCII', 'strict')) + except socket.error: if self.server.chatty: handle_error("Test server failure:\n") self.close() @@ -311,8 +318,8 @@ else: newconn, connaddr = self.sock.accept() if test_support.verbose and self.chatty: sys.stdout.write(' server: new connection from ' - + str(connaddr) + '\n') - handler = self.ConnectionHandler(self, newconn) + + repr(connaddr) + '\n') + handler = self.ConnectionHandler(self, newconn, connaddr) handler.start() except socket.timeout: pass @@ -321,11 +328,10 @@ else: except: if self.chatty: handle_error("Test server failure:\n") + self.sock.close() def stop (self): self.active = False - self.sock.close() - class AsyncoreHTTPSServer(threading.Thread): @@ -339,6 +345,12 @@ else: self.active = False self.allow_reuse_address = True + def __str__(self): + return ('<%s %s:%s>' % + (self.__class__.__name__, + self.server_name, + self.server_port)) + def get_request (self): # override this to wrap socket with SSL sock, addr = self.socket.accept() @@ -415,8 +427,8 @@ else: # we override this to suppress logging unless "verbose" if test_support.verbose: - sys.stdout.write(" server (%s, %d, %s):\n [%s] %s\n" % - (self.server.server_name, + sys.stdout.write(" server (%s:%d %s):\n [%s] %s\n" % + (self.server.server_address, self.server.server_port, self.request.cipher(), self.log_date_time_string(), @@ -433,9 +445,7 @@ else: self.setDaemon(True) def __str__(self): - return '<%s %s:%d>' % (self.__class__.__name__, - self.server.server_name, - self.server.server_port) + return "<%s %s>" % (self.__class__.__name__, self.server) def start (self, flag=None): self.flag = flag @@ -456,7 +466,8 @@ else: def badCertTest (certfile): server = ThreadedEchoServer(TESTPORT, CERTFILE, certreqs=ssl.CERT_REQUIRED, - cacerts=CERTFILE, chatty=False) + cacerts=CERTFILE, chatty=False, + connectionchatty=False) flag = threading.Event() server.start(flag) # wait for it to start @@ -470,7 +481,7 @@ else: s.connect(('127.0.0.1', TESTPORT)) except ssl.SSLError as x: if test_support.verbose: - sys.stdout.write("\nSSLError is %s\n" % x[1]) + sys.stdout.write("\nSSLError is %s\n" % x) else: raise test_support.TestFailed( "Use of invalid cert should have failed!") @@ -479,15 +490,16 @@ else: server.join() def serverParamsTest (certfile, protocol, certreqs, cacertsfile, - client_certfile, client_protocol=None, indata="FOO\n", - chatty=True, connectionchatty=False): + client_certfile, client_protocol=None, + indata="FOO\n", + chatty=False, connectionchatty=False): server = ThreadedEchoServer(TESTPORT, certfile, certreqs=certreqs, ssl_version=protocol, cacerts=cacertsfile, chatty=chatty, - connectionchatty=connectionchatty) + connectionchatty=False) flag = threading.Event() server.start(flag) # wait for it to start @@ -496,37 +508,37 @@ else: if client_protocol is None: client_protocol = protocol try: - try: - s = ssl.wrap_socket(socket.socket(), - certfile=client_certfile, - ca_certs=cacertsfile, - cert_reqs=certreqs, - ssl_version=client_protocol) - s.connect(('127.0.0.1', TESTPORT)) - except ssl.SSLError as x: - raise test_support.TestFailed("Unexpected SSL error: " + str(x)) - except Exception as x: - raise test_support.TestFailed("Unexpected exception: " + str(x)) - else: - if connectionchatty: - if test_support.verbose: - sys.stdout.write( - " client: sending %s...\n" % (repr(indata))) - s.write(indata) - outdata = s.read() - if connectionchatty: - if test_support.verbose: - sys.stdout.write(" client: read %s\n" % repr(outdata)) - if outdata != indata.lower(): - raise test_support.TestFailed( - "bad data <<%s>> (%d) received; expected <<%s>> (%d)\n" - % (outdata[:min(len(outdata),20)], len(outdata), - indata[:min(len(indata),20)].lower(), len(indata))) - s.write("over\n") - if connectionchatty: - if test_support.verbose: - sys.stdout.write(" client: closing connection.\n") - s.close() + s = ssl.wrap_socket(socket.socket(), + certfile=client_certfile, + ca_certs=cacertsfile, + cert_reqs=certreqs, + ssl_version=client_protocol) + s.connect(('127.0.0.1', TESTPORT)) + except ssl.SSLError as x: + raise test_support.TestFailed("Unexpected SSL error: " + str(x)) + except Exception as x: + raise test_support.TestFailed("Unexpected exception: " + str(x)) + else: + if connectionchatty: + if test_support.verbose: + sys.stdout.write( + " client: sending %s...\n" % (repr(indata))) + s.write(indata.encode('ASCII', 'strict')) + outdata = s.read() + if connectionchatty: + if test_support.verbose: + sys.stdout.write(" client: read %s\n" % repr(outdata)) + outdata = str(outdata, 'ASCII', 'strict') + if outdata != indata.lower(): + raise test_support.TestFailed( + "bad data <<%s>> (%d) received; expected <<%s>> (%d)\n" + % (repr(outdata[:min(len(outdata),20)]), len(outdata), + repr(indata[:min(len(indata),20)].lower()), len(indata))) + s.write("over\n".encode("ASCII", "strict")) + if connectionchatty: + if test_support.verbose: + sys.stdout.write(" client: closing connection.\n") + s.close() finally: server.stop() server.join() @@ -553,7 +565,8 @@ else: certtype)) try: serverParamsTest(CERTFILE, server_protocol, certsreqs, - CERTFILE, CERTFILE, client_protocol, chatty=False) + CERTFILE, CERTFILE, client_protocol, + chatty=False, connectionchatty=False) except test_support.TestFailed: if expectedToWork: raise @@ -565,47 +578,7 @@ else: ssl.get_protocol_name(server_protocol))) - class ConnectedTests(unittest.TestCase): - - def testRudeShutdown(self): - - listener_ready = threading.Event() - listener_gone = threading.Event() - - # `listener` runs in a thread. It opens a socket listening on - # PORT, and sits in an accept() until the main thread connects. - # Then it rudely closes the socket, and sets Event `listener_gone` - # to let the main thread know the socket is gone. - def listener(): - s = socket.socket() - if hasattr(socket, 'SO_REUSEADDR'): - s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - if hasattr(socket, 'SO_REUSEPORT'): - s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) - s.bind(('127.0.0.1', TESTPORT)) - s.listen(5) - listener_ready.set() - s.accept() - s = None # reclaim the socket object, which also closes it - listener_gone.set() - - def connector(): - listener_ready.wait() - s = socket.socket() - s.connect(('127.0.0.1', TESTPORT)) - listener_gone.wait() - try: - ssl_sock = ssl.wrap_socket(s) - except socket.sslerror: - pass - else: - raise test_support.TestFailed( - 'connecting to closed SSL socket should have failed') - - t = threading.Thread(target=listener) - t.start() - connector() - t.join() + class ThreadedTests(unittest.TestCase): def testEcho (self): @@ -656,7 +629,7 @@ else: if test_support.verbose: sys.stdout.write(pprint.pformat(cert) + '\n') sys.stdout.write("Connection cipher is " + str(cipher) + '.\n') - if not cert.has_key('subject'): + if 'subject' not in cert: raise test_support.TestFailed( "No subject field in certificate: %s." % pprint.pformat(cert)) @@ -680,6 +653,46 @@ else: badCertTest(os.path.join(os.path.dirname(__file__) or os.curdir, "badkey.pem")) + def testRudeShutdown(self): + + listener_ready = threading.Event() + listener_gone = threading.Event() + + # `listener` runs in a thread. It opens a socket listening on + # PORT, and sits in an accept() until the main thread connects. + # Then it rudely closes the socket, and sets Event `listener_gone` + # to let the main thread know the socket is gone. + def listener(): + s = socket.socket() + if hasattr(socket, 'SO_REUSEADDR'): + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + if hasattr(socket, 'SO_REUSEPORT'): + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) + s.bind(('127.0.0.1', TESTPORT)) + s.listen(5) + listener_ready.set() + s.accept() + s = None # reclaim the socket object, which also closes it + listener_gone.set() + + def connector(): + listener_ready.wait() + s = socket.socket() + s.connect(('127.0.0.1', TESTPORT)) + listener_gone.wait() + try: + ssl_sock = ssl.wrap_socket(s) + except IOError: + pass + else: + raise test_support.TestFailed( + 'connecting to closed SSL socket should have failed') + + t = threading.Thread(target=listener) + t.start() + connector() + t.join() + def testProtocolSSL2(self): if test_support.verbose: sys.stdout.write("\n") @@ -759,39 +772,47 @@ else: if test_support.verbose: sys.stdout.write("\n") for indata in msgs: + msg = indata.encode('ASCII', 'replace') if test_support.verbose: sys.stdout.write( - " client: sending %s...\n" % repr(indata)) + " client: sending %s...\n" % repr(msg)) if wrapped: - conn.write(indata) + conn.write(msg) outdata = conn.read() else: - s.send(indata) + s.send(msg) outdata = s.recv(1024) if (indata == "STARTTLS" and - outdata.strip().lower().startswith("ok")): + str(outdata, 'ASCII', 'replace').strip().lower().startswith("ok")): if test_support.verbose: + msg = str(outdata, 'ASCII', 'replace') sys.stdout.write( " client: read %s from server, starting TLS...\n" - % repr(outdata)) + % repr(msg)) conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1) wrapped = True else: if test_support.verbose: + msg = str(outdata, 'ASCII', 'replace') sys.stdout.write( - " client: read %s from server\n" % repr(outdata)) + " client: read %s from server\n" % repr(msg)) if test_support.verbose: sys.stdout.write(" client: closing connection.\n") if wrapped: - conn.write("over\n") + conn.write("over\n".encode("ASCII", "strict")) else: s.send("over\n") + if wrapped: + conn.close() + else: s.close() finally: server.stop() server.join() + class AsyncoreTests(unittest.TestCase): + def testAsyncore(self): server = AsyncoreHTTPSServer(TESTPORT, CERTFILE) @@ -824,6 +845,8 @@ else: raise test_support.TestFailed(msg) else: if not (d1 == d2): + print("d1 is", len(d1), repr(d1)) + print("d2 is", len(d2), repr(d2)) raise test_support.TestFailed( "Couldn't fetch data from HTTPS server") finally: @@ -863,6 +886,7 @@ def test_main(verbose=False): if (not os.path.exists(CERTFILE) or not os.path.exists(SVN_PYTHON_ORG_ROOT_CERT)): raise test_support.TestFailed("Can't read certificate files!") + TESTPORT = findtestsocket(10025, 12000) if not TESTPORT: raise test_support.TestFailed("Can't find open port to test servers on!") @@ -870,12 +894,13 @@ def test_main(verbose=False): tests = [BasicTests] if test_support.is_resource_enabled('network'): - tests.append(NetworkTests) + tests.append(NetworkedTests) if _have_threads: thread_info = test_support.threading_setup() if thread_info and test_support.is_resource_enabled('network'): - tests.append(ConnectedTests) + tests.append(ThreadedTests) + tests.append(AsyncoreTests) test_support.run_unittest(*tests) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index b680c411bec..64f4578f746 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2,14 +2,15 @@ SSL support based on patches by Brian E Gallew and Laszlo Kovacs. Re-worked a bit by Bill Janssen to add server-side support and - certificate decoding. + certificate decoding. Chris Stawarz contributed some non-blocking + patches. This module is imported by ssl.py. It should *not* be used directly. XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE? - XXX what about SSL_MODE_AUTO_RETRY + XXX what about SSL_MODE_AUTO_RETRY? */ #include "Python.h" @@ -17,7 +18,7 @@ #ifdef WITH_THREAD #include "pythread.h" #define PySSL_BEGIN_ALLOW_THREADS { \ - PyThreadState *_save; \ + PyThreadState *_save = NULL; \ if (_ssl_locks_count>0) {_save = PyEval_SaveThread();} #define PySSL_BLOCK_THREADS if (_ssl_locks_count>0){PyEval_RestoreThread(_save)}; #define PySSL_UNBLOCK_THREADS if (_ssl_locks_count>0){_save = PyEval_SaveThread()}; @@ -114,8 +115,6 @@ typedef struct { SSL_CTX* ctx; SSL* ssl; X509* peer_cert; - char server[X509_NAME_MAXLEN]; - char issuer[X509_NAME_MAXLEN]; } PySSLObject; @@ -265,15 +264,11 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, PySSLObject *self; char *errstr = NULL; int ret; - int err; - int sockstate; int verification_mode; self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ if (self == NULL) return NULL; - memset(self->server, '\0', sizeof(char) * X509_NAME_MAXLEN); - memset(self->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN); self->peer_cert = NULL; self->ssl = NULL; self->ctx = NULL; @@ -388,57 +383,6 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, SSL_set_accept_state(self->ssl); PySSL_END_ALLOW_THREADS - /* Actually negotiate SSL connection */ - /* XXX If SSL_connect() returns 0, it's also a failure. */ - sockstate = 0; - do { - PySSL_BEGIN_ALLOW_THREADS - if (socket_type == PY_SSL_CLIENT) - ret = SSL_connect(self->ssl); - else - ret = SSL_accept(self->ssl); - err = SSL_get_error(self->ssl, ret); - PySSL_END_ALLOW_THREADS - if(PyErr_CheckSignals()) { - goto fail; - } - if (err == SSL_ERROR_WANT_READ) { - sockstate = check_socket_and_wait_for_timeout(Sock, 0); - } else if (err == SSL_ERROR_WANT_WRITE) { - sockstate = check_socket_and_wait_for_timeout(Sock, 1); - } else { - sockstate = SOCKET_OPERATION_OK; - } - if (sockstate == SOCKET_HAS_TIMED_OUT) { - PyErr_SetString(PySSLErrorObject, - ERRSTR("The connect operation timed out")); - goto fail; - } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { - PyErr_SetString(PySSLErrorObject, - ERRSTR("Underlying socket has been closed.")); - goto fail; - } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { - PyErr_SetString(PySSLErrorObject, - ERRSTR("Underlying socket too large for select().")); - goto fail; - } else if (sockstate == SOCKET_IS_NONBLOCKING) { - break; - } - } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); - if (ret < 1) { - PySSL_SetError(self, ret, __FILE__, __LINE__); - goto fail; - } - self->ssl->debug = 1; - - PySSL_BEGIN_ALLOW_THREADS - if ((self->peer_cert = SSL_get_peer_certificate(self->ssl))) { - X509_NAME_oneline(X509_get_subject_name(self->peer_cert), - self->server, X509_NAME_MAXLEN); - X509_NAME_oneline(X509_get_issuer_name(self->peer_cert), - self->issuer, X509_NAME_MAXLEN); - } - PySSL_END_ALLOW_THREADS self->Socket = Sock; Py_INCREF(self->Socket); return self; @@ -488,16 +432,58 @@ PyDoc_STRVAR(ssl_doc, /* SSL object methods */ -static PyObject * -PySSL_server(PySSLObject *self) +static PyObject *PySSL_SSLdo_handshake(PySSLObject *self) { - return PyUnicode_FromString(self->server); -} + int ret; + int err; + int sockstate; -static PyObject * -PySSL_issuer(PySSLObject *self) -{ - return PyUnicode_FromString(self->issuer); + /* Actually negotiate SSL connection */ + /* XXX If SSL_do_handshake() returns 0, it's also a failure. */ + sockstate = 0; + do { + PySSL_BEGIN_ALLOW_THREADS + ret = SSL_do_handshake(self->ssl); + err = SSL_get_error(self->ssl, ret); + PySSL_END_ALLOW_THREADS + if(PyErr_CheckSignals()) { + return NULL; + } + if (err == SSL_ERROR_WANT_READ) { + sockstate = check_socket_and_wait_for_timeout(self->Socket, 0); + } else if (err == SSL_ERROR_WANT_WRITE) { + sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); + } else { + sockstate = SOCKET_OPERATION_OK; + } + if (sockstate == SOCKET_HAS_TIMED_OUT) { + PyErr_SetString(PySSLErrorObject, + ERRSTR("The handshake operation timed out")); + return NULL; + } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { + PyErr_SetString(PySSLErrorObject, + ERRSTR("Underlying socket has been closed.")); + return NULL; + } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { + PyErr_SetString(PySSLErrorObject, + ERRSTR("Underlying socket too large for select().")); + return NULL; + } else if (sockstate == SOCKET_IS_NONBLOCKING) { + break; + } + } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); + if (ret < 1) + return PySSL_SetError(self, ret, __FILE__, __LINE__); + self->ssl->debug = 1; + + if (self->peer_cert) + X509_free (self->peer_cert); + PySSL_BEGIN_ALLOW_THREADS + self->peer_cert = SSL_get_peer_certificate(self->ssl); + PySSL_END_ALLOW_THREADS + + Py_INCREF(Py_None); + return Py_None; } static PyObject * @@ -515,7 +501,7 @@ _create_tuple_for_attribute (ASN1_OBJECT *name, ASN1_STRING *value) { _setSSLError(NULL, 0, __FILE__, __LINE__); goto fail; } - name_obj = PyString_FromStringAndSize(namebuf, buflen); + name_obj = PyUnicode_FromStringAndSize(namebuf, buflen); if (name_obj == NULL) goto fail; @@ -681,21 +667,24 @@ _get_peer_alt_names (X509 *certificate) { /* now decode the altName */ ext = X509_get_ext(certificate, i); if(!(method = X509V3_EXT_get(ext))) { - PyErr_SetString(PySSLErrorObject, - ERRSTR("No method for internalizing subjectAltName!")); + PyErr_SetString + (PySSLErrorObject, + ERRSTR("No method for internalizing subjectAltName!")); goto fail; } p = ext->value->data; if(method->it) - names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, - &p, - ext->value->length, - ASN1_ITEM_ptr(method->it))); + names = (GENERAL_NAMES*) + (ASN1_item_d2i(NULL, + &p, + ext->value->length, + ASN1_ITEM_ptr(method->it))); else - names = (GENERAL_NAMES*) (method->d2i(NULL, - &p, - ext->value->length)); + names = (GENERAL_NAMES*) + (method->d2i(NULL, + &p, + ext->value->length)); for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { @@ -704,14 +693,15 @@ _get_peer_alt_names (X509 *certificate) { name = sk_GENERAL_NAME_value(names, j); if (name->type == GEN_DIRNAME) { - /* we special-case DirName as a tuple of tuples of attributes */ + /* we special-case DirName as a tuple of + tuples of attributes */ t = PyTuple_New(2); if (t == NULL) { goto fail; } - v = PyString_FromString("DirName"); + v = PyUnicode_FromString("DirName"); if (v == NULL) { Py_DECREF(t); goto fail; @@ -742,13 +732,14 @@ _get_peer_alt_names (X509 *certificate) { t = PyTuple_New(2); if (t == NULL) goto fail; - v = PyString_FromStringAndSize(buf, (vptr - buf)); + v = PyUnicode_FromStringAndSize(buf, (vptr - buf)); if (v == NULL) { Py_DECREF(t); goto fail; } PyTuple_SET_ITEM(t, 0, v); - v = PyString_FromStringAndSize((vptr + 1), (len - (vptr - buf + 1))); + v = PyUnicode_FromStringAndSize((vptr + 1), + (len - (vptr - buf + 1))); if (v == NULL) { Py_DECREF(t); goto fail; @@ -849,7 +840,7 @@ _decode_certificate (X509 *certificate, int verbose) { _setSSLError(NULL, 0, __FILE__, __LINE__); goto fail1; } - sn_obj = PyString_FromStringAndSize(buf, len); + sn_obj = PyUnicode_FromStringAndSize(buf, len); if (sn_obj == NULL) goto fail1; if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) { @@ -866,7 +857,7 @@ _decode_certificate (X509 *certificate, int verbose) { _setSSLError(NULL, 0, __FILE__, __LINE__); goto fail1; } - pnotBefore = PyString_FromStringAndSize(buf, len); + pnotBefore = PyUnicode_FromStringAndSize(buf, len); if (pnotBefore == NULL) goto fail1; if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) { @@ -884,7 +875,7 @@ _decode_certificate (X509 *certificate, int verbose) { _setSSLError(NULL, 0, __FILE__, __LINE__); goto fail1; } - pnotAfter = PyString_FromStringAndSize(buf, len); + pnotAfter = PyUnicode_FromStringAndSize(buf, len); if (pnotAfter == NULL) goto fail1; if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) { @@ -928,22 +919,26 @@ PySSL_test_decode_certificate (PyObject *mod, PyObject *args) { BIO *cert; int verbose = 1; - if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", &filename, &verbose)) + if (!PyArg_ParseTuple(args, "s|i:test_decode_certificate", + &filename, &verbose)) return NULL; if ((cert=BIO_new(BIO_s_file())) == NULL) { - PyErr_SetString(PySSLErrorObject, "Can't malloc memory to read file"); + PyErr_SetString(PySSLErrorObject, + "Can't malloc memory to read file"); goto fail0; } if (BIO_read_filename(cert,filename) <= 0) { - PyErr_SetString(PySSLErrorObject, "Can't open file"); + PyErr_SetString(PySSLErrorObject, + "Can't open file"); goto fail0; } x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); if (x == NULL) { - PyErr_SetString(PySSLErrorObject, "Error decoding PEM-encoded file"); + PyErr_SetString(PySSLErrorObject, + "Error decoding PEM-encoded file"); goto fail0; } @@ -981,7 +976,9 @@ PySSL_peercert(PySSLObject *self, PyObject *args) PySSL_SetError(self, len, __FILE__, __LINE__); return NULL; } - retval = PyString_FromStringAndSize((const char *) bytes_buf, len); + /* this is actually an immutable bytes sequence */ + retval = PyBytes_FromStringAndSize + ((const char *) bytes_buf, len); OPENSSL_free(bytes_buf); return retval; @@ -1028,7 +1025,7 @@ static PyObject *PySSL_cipher (PySSLObject *self) { if (cipher_name == NULL) { PyTuple_SET_ITEM(retval, 0, Py_None); } else { - v = PyString_FromString(cipher_name); + v = PyUnicode_FromString(cipher_name); if (v == NULL) goto fail0; PyTuple_SET_ITEM(retval, 0, v); @@ -1037,7 +1034,7 @@ static PyObject *PySSL_cipher (PySSLObject *self) { if (cipher_protocol == NULL) { PyTuple_SET_ITEM(retval, 1, Py_None); } else { - v = PyString_FromString(cipher_protocol); + v = PyUnicode_FromString(cipher_protocol); if (v == NULL) goto fail0; PyTuple_SET_ITEM(retval, 1, v); @@ -1127,7 +1124,9 @@ check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing) rc = select(s->sock_fd+1, &fds, NULL, NULL, &tv); PySSL_END_ALLOW_THREADS +#ifdef HAVE_POLL normal_return: +#endif /* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise (when we are able to write or when there's something to read) */ return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK; @@ -1140,10 +1139,16 @@ static PyObject *PySSL_SSLwrite(PySSLObject *self, PyObject *args) int count; int sockstate; int err; + int nonblocking; - if (!PyArg_ParseTuple(args, "s#:write", &data, &count)) + if (!PyArg_ParseTuple(args, "y#:write", &data, &count)) return NULL; + /* just in case the blocking state of the socket has been changed */ + nonblocking = (self->Socket->sock_timeout >= 0.0); + BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); + BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); + sockstate = check_socket_and_wait_for_timeout(self->Socket, 1); if (sockstate == SOCKET_HAS_TIMED_OUT) { PyErr_SetString(PySSLErrorObject, @@ -1200,19 +1205,58 @@ PyDoc_STRVAR(PySSL_SSLwrite_doc, Writes the string s into the SSL object. Returns the number\n\ of bytes written."); +static PyObject *PySSL_SSLpending(PySSLObject *self) +{ + int count = 0; + + PySSL_BEGIN_ALLOW_THREADS + count = SSL_pending(self->ssl); + PySSL_END_ALLOW_THREADS + if (count < 0) + return PySSL_SetError(self, count, __FILE__, __LINE__); + else + return PyInt_FromLong(count); +} + +PyDoc_STRVAR(PySSL_SSLpending_doc, +"pending() -> count\n\ +\n\ +Returns the number of already decrypted bytes available for read,\n\ +pending on the connection.\n"); + static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args) { - PyObject *buf; - int count = 0; + PyObject *buf = NULL; + int buf_passed = 0; + int count = -1; int len = 1024; int sockstate; int err; + int nonblocking; - if (!PyArg_ParseTuple(args, "|i:read", &len)) + if (!PyArg_ParseTuple(args, "|Oi:read", &buf, &count)) return NULL; - if (!(buf = PyBytes_FromStringAndSize((char *) 0, len))) - return NULL; + if ((buf == NULL) || (buf == Py_None)) { + if (!(buf = PyBytes_FromStringAndSize((char *) 0, len))) + return NULL; + } else if (PyInt_Check(buf)) { + len = PyInt_AS_LONG(buf); + if (!(buf = PyBytes_FromStringAndSize((char *) 0, len))) + return NULL; + } else { + if (!PyBytes_Check(buf)) + return NULL; + len = PyBytes_Size(buf); + if ((count > 0) && (count <= len)) + len = count; + buf_passed = 1; + } + + /* just in case the blocking state of the socket has been changed */ + nonblocking = (self->Socket->sock_timeout >= 0.0); + BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); + BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); /* first check if there are bytes ready to be read */ PySSL_BEGIN_ALLOW_THREADS @@ -1224,27 +1268,38 @@ static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args) if (sockstate == SOCKET_HAS_TIMED_OUT) { PyErr_SetString(PySSLErrorObject, "The read operation timed out"); - Py_DECREF(buf); + if (!buf_passed) { + Py_DECREF(buf); + } return NULL; } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { PyErr_SetString(PySSLErrorObject, "Underlying socket too large for select()."); + if (!buf_passed) { + Py_DECREF(buf); + } Py_DECREF(buf); return NULL; } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { /* should contain a zero-length string */ - _PyString_Resize(&buf, 0); - return buf; + if (!buf_passed) { + PyBytes_Resize(buf, 0); + return buf; + } else { + return PyInt_FromLong(0); + } } } do { err = 0; PySSL_BEGIN_ALLOW_THREADS - count = SSL_read(self->ssl, PyBytes_AS_STRING(buf), len); + count = SSL_read(self->ssl, PyBytes_AsString(buf), len); err = SSL_get_error(self->ssl, count); PySSL_END_ALLOW_THREADS if(PyErr_CheckSignals()) { - Py_DECREF(buf); + if (!buf_passed) { + Py_DECREF(buf); + } return NULL; } if (err == SSL_ERROR_WANT_READ) { @@ -1257,44 +1312,55 @@ static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args) (SSL_get_shutdown(self->ssl) == SSL_RECEIVED_SHUTDOWN)) { - _PyString_Resize(&buf, 0); - return buf; + if (!buf_passed) { + PyBytes_Resize(buf, 0); + return buf; + } else { + return PyInt_FromLong(0); + } } else { sockstate = SOCKET_OPERATION_OK; } if (sockstate == SOCKET_HAS_TIMED_OUT) { PyErr_SetString(PySSLErrorObject, "The read operation timed out"); - Py_DECREF(buf); + if (!buf_passed) { + Py_DECREF(buf); + } return NULL; } else if (sockstate == SOCKET_IS_NONBLOCKING) { break; } } while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); if (count <= 0) { - Py_DECREF(buf); + if (!buf_passed) { + Py_DECREF(buf); + } return PySSL_SetError(self, count, __FILE__, __LINE__); } - if (count != len) - if (PyBytes_Resize(buf, count) < 0) { - Py_DECREF(buf); - return NULL; - } - return buf; + if (!buf_passed) { + if (count != len) { + PyBytes_Resize(buf, count); + } + return buf; + } else { + return PyInt_FromLong(count); + } } PyDoc_STRVAR(PySSL_SSLread_doc, -"read([len]) -> bytes\n\ +"read([len]) -> string\n\ \n\ Read up to len bytes from the SSL socket."); static PyMethodDef PySSLMethods[] = { + {"do_handshake", (PyCFunction)PySSL_SSLdo_handshake, METH_NOARGS}, {"write", (PyCFunction)PySSL_SSLwrite, METH_VARARGS, PySSL_SSLwrite_doc}, {"read", (PyCFunction)PySSL_SSLread, METH_VARARGS, PySSL_SSLread_doc}, - {"server", (PyCFunction)PySSL_server, METH_NOARGS}, - {"issuer", (PyCFunction)PySSL_issuer, METH_NOARGS}, + {"pending", (PyCFunction)PySSL_SSLpending, METH_NOARGS, + PySSL_SSLpending_doc}, {"peer_certificate", (PyCFunction)PySSL_peercert, METH_VARARGS, PySSL_peercert_doc}, {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS}, @@ -1350,26 +1416,26 @@ bound on the entropy contained in string. See RFC 1750."); static PyObject * PySSL_RAND_status(PyObject *self) { - return PyBool_FromLong(RAND_status()); + return PyInt_FromLong(RAND_status()); } PyDoc_STRVAR(PySSL_RAND_status_doc, "RAND_status() -> 0 or 1\n\ \n\ -Returns True if the OpenSSL PRNG has been seeded with enough data and\n\ -False if not. It is necessary to seed the PRNG with RAND_add()\n\ -on some platforms before using the ssl() function."); +Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.\n\ +It is necessary to seed the PRNG with RAND_add() on some platforms before\n\ +using the ssl() function."); static PyObject * PySSL_RAND_egd(PyObject *self, PyObject *arg) { int bytes; - if (!PyString_Check(arg)) + if (!PyUnicode_Check(arg)) return PyErr_Format(PyExc_TypeError, "RAND_egd() expected string, found %s", Py_Type(arg)->tp_name); - bytes = RAND_egd(PyString_AS_STRING(arg)); + bytes = RAND_egd(PyUnicode_AsString(arg)); if (bytes == -1) { PyErr_SetString(PySSLErrorObject, "EGD connection failed or EGD did not return " @@ -1418,16 +1484,17 @@ static unsigned long _ssl_thread_id_function (void) { return PyThread_get_thread_ident(); } -static void _ssl_thread_locking_function (int mode, int n, const char *file, int line) { +static void _ssl_thread_locking_function + (int mode, int n, const char *file, int line) { /* this function is needed to perform locking on shared data structures. (Note that OpenSSL uses a number of global data - structures that will be implicitly shared whenever multiple threads - use OpenSSL.) Multi-threaded applications will crash at random if - it is not set. + structures that will be implicitly shared whenever multiple + threads use OpenSSL.) Multi-threaded applications will + crash at random if it is not set. - locking_function() must be able to handle up to CRYPTO_num_locks() - different mutex locks. It sets the n-th lock if mode & CRYPTO_LOCK, and - releases it otherwise. + locking_function() must be able to handle up to + CRYPTO_num_locks() different mutex locks. It sets the n-th + lock if mode & CRYPTO_LOCK, and releases it otherwise. file and line are the file number of the function setting the lock. They can be useful for debugging. @@ -1454,7 +1521,8 @@ static int _setup_ssl_threads(void) { malloc(sizeof(PyThread_type_lock) * _ssl_locks_count); if (_ssl_locks == NULL) return 0; - memset(_ssl_locks, 0, sizeof(PyThread_type_lock) * _ssl_locks_count); + memset(_ssl_locks, 0, + sizeof(PyThread_type_lock) * _ssl_locks_count); for (i = 0; i < _ssl_locks_count; i++) { _ssl_locks[i] = PyThread_allocate_lock(); if (_ssl_locks[i] == NULL) {