Python code coverage for Modules/_ssl.c

#	count	content
1	n/a	/* SSL socket module
2	n/a
3	n/a	SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4	n/a	Re-worked a bit by Bill Janssen to add server-side support and
5	n/a	certificate decoding. Chris Stawarz contributed some non-blocking
6	n/a	patches.
7	n/a
8	n/a	This module is imported by ssl.py. It should not be used
9	n/a	directly.
10	n/a
11	n/a	XXX should partial writes be enabled, SSL_MODE_ENABLE_PARTIAL_WRITE?
12	n/a
13	n/a	XXX integrate several "shutdown modes" as suggested in
14	n/a	http://bugs.python.org/issue8108#msg102867 ?
15	n/a	*/
16	n/a
17	n/a	#define PY_SSIZE_T_CLEAN
18	n/a
19	n/a	#include "Python.h"
20	n/a
21	n/a	#ifdef WITH_THREAD
22	n/a	#include "pythread.h"
23	n/a
24	n/a
25	n/a	#define PySSL_BEGIN_ALLOW_THREADS_S(save) \
26	n/a	do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
27	n/a	#define PySSL_END_ALLOW_THREADS_S(save) \
28	n/a	do { if (_ssl_locks_count>0) { PyEval_RestoreThread(save); } } while (0)
29	n/a	#define PySSL_BEGIN_ALLOW_THREADS { \
30	n/a	PyThreadState *_save = NULL; \
31	n/a	PySSL_BEGIN_ALLOW_THREADS_S(_save);
32	n/a	#define PySSL_BLOCK_THREADS PySSL_END_ALLOW_THREADS_S(_save);
33	n/a	#define PySSL_UNBLOCK_THREADS PySSL_BEGIN_ALLOW_THREADS_S(_save);
34	n/a	#define PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS_S(_save); }
35	n/a
36	n/a	#else /* no WITH_THREAD */
37	n/a
38	n/a	#define PySSL_BEGIN_ALLOW_THREADS_S(save)
39	n/a	#define PySSL_END_ALLOW_THREADS_S(save)
40	n/a	#define PySSL_BEGIN_ALLOW_THREADS
41	n/a	#define PySSL_BLOCK_THREADS
42	n/a	#define PySSL_UNBLOCK_THREADS
43	n/a	#define PySSL_END_ALLOW_THREADS
44	n/a
45	n/a	#endif
46	n/a
47	n/a	/* Include symbols from _socket module */
48	n/a	#include "socketmodule.h"
49	n/a
50	n/a	static PySocketModule_APIObject PySocketModule;
51	n/a
52	n/a	#if defined(HAVE_POLL_H)
53	n/a	#include <poll.h>
54	n/a	#elif defined(HAVE_SYS_POLL_H)
55	n/a	#include <sys/poll.h>
56	n/a	#endif
57	n/a
58	n/a	/* Don't warn about deprecated functions */
59	n/a	#ifdef __GNUC__
60	n/a	#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
61	n/a	#endif
62	n/a	#ifdef __clang__
63	n/a	#pragma clang diagnostic ignored "-Wdeprecated-declarations"
64	n/a	#endif
65	n/a
66	n/a	/* Include OpenSSL header files */
67	n/a	#include "openssl/rsa.h"
68	n/a	#include "openssl/crypto.h"
69	n/a	#include "openssl/x509.h"
70	n/a	#include "openssl/x509v3.h"
71	n/a	#include "openssl/pem.h"
72	n/a	#include "openssl/ssl.h"
73	n/a	#include "openssl/err.h"
74	n/a	#include "openssl/rand.h"
75	n/a	#include "openssl/bio.h"
76	n/a
77	n/a	/* SSL error object */
78	n/a	static PyObject *PySSLErrorObject;
79	n/a	static PyObject *PySSLZeroReturnErrorObject;
80	n/a	static PyObject *PySSLWantReadErrorObject;
81	n/a	static PyObject *PySSLWantWriteErrorObject;
82	n/a	static PyObject *PySSLSyscallErrorObject;
83	n/a	static PyObject *PySSLEOFErrorObject;
84	n/a
85	n/a	/* Error mappings */
86	n/a	static PyObject *err_codes_to_names;
87	n/a	static PyObject *err_names_to_codes;
88	n/a	static PyObject *lib_codes_to_names;
89	n/a
90	n/a	struct py_ssl_error_code {
91	n/a	const char *mnemonic;
92	n/a	int library, reason;
93	n/a	};
94	n/a	struct py_ssl_library_code {
95	n/a	const char *library;
96	n/a	int code;
97	n/a	};
98	n/a
99	n/a	/* Include generated data (error codes) */
100	n/a	#include "_ssl_data.h"
101	n/a
102	n/a	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
103	n/a	# define OPENSSL_VERSION_1_1 1
104	n/a	#endif
105	n/a
106	n/a	/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
107	n/a	http://www.openssl.org/news/changelog.html
108	n/a	*/
109	n/a	#if OPENSSL_VERSION_NUMBER >= 0x10001000L
110	n/a	# define HAVE_TLSv1_2 1
111	n/a	#else
112	n/a	# define HAVE_TLSv1_2 0
113	n/a	#endif
114	n/a
115	n/a	/* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
116	n/a	* This includes the SSL_set_SSL_CTX() function.
117	n/a	*/
118	n/a	#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
119	n/a	# define HAVE_SNI 1
120	n/a	#else
121	n/a	# define HAVE_SNI 0
122	n/a	#endif
123	n/a
124	n/a	#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
125	n/a	# define HAVE_ALPN
126	n/a	#endif
127	n/a
128	n/a	#ifndef INVALID_SOCKET /* MS defines this */
129	n/a	#define INVALID_SOCKET (-1)
130	n/a	#endif
131	n/a
132	n/a	#ifdef OPENSSL_VERSION_1_1
133	n/a	/* OpenSSL 1.1.0+ */
134	n/a	#ifndef OPENSSL_NO_SSL2
135	n/a	#define OPENSSL_NO_SSL2
136	n/a	#endif
137	n/a	#else /* OpenSSL < 1.1.0 */
138	n/a	#if defined(WITH_THREAD)
139	n/a	#define HAVE_OPENSSL_CRYPTO_LOCK
140	n/a	#endif
141	n/a
142	n/a	#define TLS_method SSLv23_method
143	n/a	#define TLS_client_method SSLv23_client_method
144	n/a	#define TLS_server_method SSLv23_server_method
145	n/a
146	n/a	static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
147	n/a	{
148	n/a	return ne->set;
149	n/a	}
150	n/a
151	n/a	#ifndef OPENSSL_NO_COMP
152	n/a	/* LCOV_EXCL_START */
153	n/a	static int COMP_get_type(const COMP_METHOD *meth)
154	n/a	{
155	n/a	return meth->type;
156	n/a	}
157	n/a	/* LCOV_EXCL_STOP */
158	n/a	#endif
159	n/a
160	n/a	static pem_password_cb SSL_CTX_get_default_passwd_cb(SSL_CTX ctx)
161	n/a	{
162	n/a	return ctx->default_passwd_callback;
163	n/a	}
164	n/a
165	n/a	static void SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX ctx)
166	n/a	{
167	n/a	return ctx->default_passwd_callback_userdata;
168	n/a	}
169	n/a
170	n/a	static int X509_OBJECT_get_type(X509_OBJECT *x)
171	n/a	{
172	n/a	return x->type;
173	n/a	}
174	n/a
175	n/a	static X509 X509_OBJECT_get0_X509(X509_OBJECT x)
176	n/a	{
177	n/a	return x->data.x509;
178	n/a	}
179	n/a
180	n/a	static int BIO_up_ref(BIO *b)
181	n/a	{
182	n/a	CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO);
183	n/a	return 1;
184	n/a	}
185	n/a
186	n/a	static STACK_OF(X509_OBJECT) X509_STORE_get0_objects(X509_STORE store) {
187	n/a	return store->objs;
188	n/a	}
189	n/a
190	n/a	static X509_VERIFY_PARAM X509_STORE_get0_param(X509_STORE store)
191	n/a	{
192	n/a	return store->param;
193	n/a	}
194	n/a
195	n/a	static int
196	n/a	SSL_SESSION_has_ticket(const SSL_SESSION *s)
197	n/a	{
198	n/a	return (s->tlsext_ticklen > 0) ? 1 : 0;
199	n/a	}
200	n/a
201	n/a	static unsigned long
202	n/a	SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
203	n/a	{
204	n/a	return s->tlsext_tick_lifetime_hint;
205	n/a	}
206	n/a
207	n/a	#endif /* OpenSSL < 1.1.0 or LibreSSL */
208	n/a
209	n/a
210	n/a	enum py_ssl_error {
211	n/a	/* these mirror ssl.h */
212	n/a	PY_SSL_ERROR_NONE,
213	n/a	PY_SSL_ERROR_SSL,
214	n/a	PY_SSL_ERROR_WANT_READ,
215	n/a	PY_SSL_ERROR_WANT_WRITE,
216	n/a	PY_SSL_ERROR_WANT_X509_LOOKUP,
217	n/a	PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
218	n/a	PY_SSL_ERROR_ZERO_RETURN,
219	n/a	PY_SSL_ERROR_WANT_CONNECT,
220	n/a	/* start of non ssl.h errorcodes */
221	n/a	PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
222	n/a	PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */
223	n/a	PY_SSL_ERROR_INVALID_ERROR_CODE
224	n/a	};
225	n/a
226	n/a	enum py_ssl_server_or_client {
227	n/a	PY_SSL_CLIENT,
228	n/a	PY_SSL_SERVER
229	n/a	};
230	n/a
231	n/a	enum py_ssl_cert_requirements {
232	n/a	PY_SSL_CERT_NONE,
233	n/a	PY_SSL_CERT_OPTIONAL,
234	n/a	PY_SSL_CERT_REQUIRED
235	n/a	};
236	n/a
237	n/a	enum py_ssl_version {
238	n/a	PY_SSL_VERSION_SSL2,
239	n/a	PY_SSL_VERSION_SSL3=1,
240	n/a	PY_SSL_VERSION_TLS, /* SSLv23 */
241	n/a	#if HAVE_TLSv1_2
242	n/a	PY_SSL_VERSION_TLS1,
243	n/a	PY_SSL_VERSION_TLS1_1,
244	n/a	PY_SSL_VERSION_TLS1_2,
245	n/a	#else
246	n/a	PY_SSL_VERSION_TLS1,
247	n/a	#endif
248	n/a	PY_SSL_VERSION_TLS_CLIENT=0x10,
249	n/a	PY_SSL_VERSION_TLS_SERVER,
250	n/a	};
251	n/a
252	n/a	#ifdef WITH_THREAD
253	n/a
254	n/a	/* serves as a flag to see whether we've initialized the SSL thread support. */
255	n/a	/* 0 means no, greater than 0 means yes */
256	n/a
257	n/a	static unsigned int _ssl_locks_count = 0;
258	n/a
259	n/a	#endif /* def WITH_THREAD */
260	n/a
261	n/a	/* SSL socket object */
262	n/a
263	n/a	#define X509_NAME_MAXLEN 256
264	n/a
265	n/a	/* SSL_CTX_clear_options() and SSL_clear_options() were first added in
266	n/a	* OpenSSL 0.9.8m but do not appear in some 0.9.9-dev versions such the
267	n/a	* 0.9.9 from "May 2008" that NetBSD 5.0 uses. */
268	n/a	#if OPENSSL_VERSION_NUMBER >= 0x009080dfL && OPENSSL_VERSION_NUMBER != 0x00909000L
269	n/a	# define HAVE_SSL_CTX_CLEAR_OPTIONS
270	n/a	#else
271	n/a	# undef HAVE_SSL_CTX_CLEAR_OPTIONS
272	n/a	#endif
273	n/a
274	n/a	/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
275	n/a	* older SSL, but let's be safe */
276	n/a	#define PySSL_CB_MAXLEN 128
277	n/a
278	n/a
279	n/a	typedef struct {
280	n/a	PyObject_HEAD
281	n/a	SSL_CTX *ctx;
282	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
283	n/a	unsigned char *npn_protocols;
284	n/a	int npn_protocols_len;
285	n/a	#endif
286	n/a	#ifdef HAVE_ALPN
287	n/a	unsigned char *alpn_protocols;
288	n/a	int alpn_protocols_len;
289	n/a	#endif
290	n/a	#ifndef OPENSSL_NO_TLSEXT
291	n/a	PyObject *set_hostname;
292	n/a	#endif
293	n/a	int check_hostname;
294	n/a	} PySSLContext;
295	n/a
296	n/a	typedef struct {
297	n/a	PyObject_HEAD
298	n/a	PyObject Socket; / weakref to socket on which we're layered */
299	n/a	SSL *ssl;
300	n/a	PySSLContext ctx; / weakref to SSL context */
301	n/a	X509 *peer_cert;
302	n/a	char shutdown_seen_zero;
303	n/a	char handshake_done;
304	n/a	enum py_ssl_server_or_client socket_type;
305	n/a	PyObject owner; / Python level "owner" passed to servername callback */
306	n/a	PyObject *server_hostname;
307	n/a	} PySSLSocket;
308	n/a
309	n/a	typedef struct {
310	n/a	PyObject_HEAD
311	n/a	BIO *bio;
312	n/a	int eof_written;
313	n/a	} PySSLMemoryBIO;
314	n/a
315	n/a	typedef struct {
316	n/a	PyObject_HEAD
317	n/a	SSL_SESSION *session;
318	n/a	PySSLContext *ctx;
319	n/a	} PySSLSession;
320	n/a
321	n/a	static PyTypeObject PySSLContext_Type;
322	n/a	static PyTypeObject PySSLSocket_Type;
323	n/a	static PyTypeObject PySSLMemoryBIO_Type;
324	n/a	static PyTypeObject PySSLSession_Type;
325	n/a
326	n/a	/*[clinic input]
327	n/a	module _ssl
328	n/a	class _ssl._SSLContext "PySSLContext *" "&PySSLContext_Type"
329	n/a	class _ssl._SSLSocket "PySSLSocket *" "&PySSLSocket_Type"
330	n/a	class _ssl.MemoryBIO "PySSLMemoryBIO *" "&PySSLMemoryBIO_Type"
331	n/a	class _ssl.SSLSession "PySSLSession *" "&PySSLSession_Type"
332	n/a	[clinic start generated code]*/
333	n/a	/[clinic end generated code: output=da39a3ee5e6b4b0d input=bdc67fafeeaa8109]/
334	n/a
335	n/a	#include "clinic/_ssl.c.h"
336	n/a
337	n/a	static int PySSL_select(PySocketSockObject *s, int writing, _PyTime_t timeout);
338	n/a
339	n/a
340	n/a	#define PySSLContext_Check(v) (Py_TYPE(v) == &PySSLContext_Type)
341	n/a	#define PySSLSocket_Check(v) (Py_TYPE(v) == &PySSLSocket_Type)
342	n/a	#define PySSLMemoryBIO_Check(v) (Py_TYPE(v) == &PySSLMemoryBIO_Type)
343	n/a	#define PySSLSession_Check(v) (Py_TYPE(v) == &PySSLSession_Type)
344	n/a
345	n/a	typedef enum {
346	n/a	SOCKET_IS_NONBLOCKING,
347	n/a	SOCKET_IS_BLOCKING,
348	n/a	SOCKET_HAS_TIMED_OUT,
349	n/a	SOCKET_HAS_BEEN_CLOSED,
350	n/a	SOCKET_TOO_LARGE_FOR_SELECT,
351	n/a	SOCKET_OPERATION_OK
352	n/a	} timeout_state;
353	n/a
354	n/a	/* Wrap error strings with filename and line # */
355	n/a	#define ERRSTR1(x,y,z) (x ":" y ": " z)
356	n/a	#define ERRSTR(x) ERRSTR1("_ssl.c", Py_STRINGIFY(__LINE__), x)
357	n/a
358	n/a	/* Get the socket from a PySSLSocket, if it has one */
359	n/a	#define GET_SOCKET(obj) ((obj)->Socket ? \
360	n/a	(PySocketSockObject *) PyWeakref_GetObject((obj)->Socket) : NULL)
361	n/a
362	n/a	/* If sock is NULL, use a timeout of 0 second */
363	n/a	#define GET_SOCKET_TIMEOUT(sock) \
364	n/a	((sock != NULL) ? (sock)->sock_timeout : 0)
365	n/a
366	n/a	/*
367	n/a	* SSL errors.
368	n/a	*/
369	n/a
370	n/a	PyDoc_STRVAR(SSLError_doc,
371	n/a	"An error occurred in the SSL implementation.");
372	n/a
373	n/a	PyDoc_STRVAR(SSLZeroReturnError_doc,
374	n/a	"SSL/TLS session closed cleanly.");
375	n/a
376	n/a	PyDoc_STRVAR(SSLWantReadError_doc,
377	n/a	"Non-blocking SSL socket needs to read more data\n"
378	n/a	"before the requested operation can be completed.");
379	n/a
380	n/a	PyDoc_STRVAR(SSLWantWriteError_doc,
381	n/a	"Non-blocking SSL socket needs to write more data\n"
382	n/a	"before the requested operation can be completed.");
383	n/a
384	n/a	PyDoc_STRVAR(SSLSyscallError_doc,
385	n/a	"System error when attempting SSL operation.");
386	n/a
387	n/a	PyDoc_STRVAR(SSLEOFError_doc,
388	n/a	"SSL/TLS connection terminated abruptly.");
389	n/a
390	n/a	static PyObject *
391	n/a	SSLError_str(PyOSErrorObject *self)
392	n/a	{
393	n/a	if (self->strerror != NULL && PyUnicode_Check(self->strerror)) {
394	n/a	Py_INCREF(self->strerror);
395	n/a	return self->strerror;
396	n/a	}
397	n/a	else
398	n/a	return PyObject_Str(self->args);
399	n/a	}
400	n/a
401	n/a	static PyType_Slot sslerror_type_slots[] = {
402	n/a	{Py_tp_base, NULL}, /* Filled out in module init as it's not a constant */
403	n/a	{Py_tp_doc, SSLError_doc},
404	n/a	{Py_tp_str, SSLError_str},
405	n/a	{0, 0},
406	n/a	};
407	n/a
408	n/a	static PyType_Spec sslerror_type_spec = {
409	n/a	"ssl.SSLError",
410	n/a	sizeof(PyOSErrorObject),
411	n/a	0,
412	n/a	Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_BASETYPE,
413	n/a	sslerror_type_slots
414	n/a	};
415	n/a
416	n/a	static void
417	n/a	fill_and_set_sslerror(PyObject type, int ssl_errno, const char errstr,
418	n/a	int lineno, unsigned long errcode)
419	n/a	{
420	n/a	PyObject err_value = NULL, reason_obj = NULL, *lib_obj = NULL;
421	n/a	PyObject init_value, msg, *key;
422	n/a	_Py_IDENTIFIER(reason);
423	n/a	_Py_IDENTIFIER(library);
424	n/a
425	n/a	if (errcode != 0) {
426	n/a	int lib, reason;
427	n/a
428	n/a	lib = ERR_GET_LIB(errcode);
429	n/a	reason = ERR_GET_REASON(errcode);
430	n/a	key = Py_BuildValue("ii", lib, reason);
431	n/a	if (key == NULL)
432	n/a	goto fail;
433	n/a	reason_obj = PyDict_GetItem(err_codes_to_names, key);
434	n/a	Py_DECREF(key);
435	n/a	if (reason_obj == NULL) {
436	n/a	/* XXX if reason < 100, it might reflect a library number (!!) */
437	n/a	PyErr_Clear();
438	n/a	}
439	n/a	key = PyLong_FromLong(lib);
440	n/a	if (key == NULL)
441	n/a	goto fail;
442	n/a	lib_obj = PyDict_GetItem(lib_codes_to_names, key);
443	n/a	Py_DECREF(key);
444	n/a	if (lib_obj == NULL) {
445	n/a	PyErr_Clear();
446	n/a	}
447	n/a	if (errstr == NULL)
448	n/a	errstr = ERR_reason_error_string(errcode);
449	n/a	}
450	n/a	if (errstr == NULL)
451	n/a	errstr = "unknown error";
452	n/a
453	n/a	if (reason_obj && lib_obj)
454	n/a	msg = PyUnicode_FromFormat("[%S: %S] %s (_ssl.c:%d)",
455	n/a	lib_obj, reason_obj, errstr, lineno);
456	n/a	else if (lib_obj)
457	n/a	msg = PyUnicode_FromFormat("[%S] %s (_ssl.c:%d)",
458	n/a	lib_obj, errstr, lineno);
459	n/a	else
460	n/a	msg = PyUnicode_FromFormat("%s (_ssl.c:%d)", errstr, lineno);
461	n/a	if (msg == NULL)
462	n/a	goto fail;
463	n/a
464	n/a	init_value = Py_BuildValue("iN", ssl_errno, msg);
465	n/a	if (init_value == NULL)
466	n/a	goto fail;
467	n/a
468	n/a	err_value = PyObject_CallObject(type, init_value);
469	n/a	Py_DECREF(init_value);
470	n/a	if (err_value == NULL)
471	n/a	goto fail;
472	n/a
473	n/a	if (reason_obj == NULL)
474	n/a	reason_obj = Py_None;
475	n/a	if (_PyObject_SetAttrId(err_value, &PyId_reason, reason_obj))
476	n/a	goto fail;
477	n/a	if (lib_obj == NULL)
478	n/a	lib_obj = Py_None;
479	n/a	if (_PyObject_SetAttrId(err_value, &PyId_library, lib_obj))
480	n/a	goto fail;
481	n/a	PyErr_SetObject(type, err_value);
482	n/a	fail:
483	n/a	Py_XDECREF(err_value);
484	n/a	}
485	n/a
486	n/a	static PyObject *
487	n/a	PySSL_SetError(PySSLSocket obj, int ret, const char filename, int lineno)
488	n/a	{
489	n/a	PyObject *type = PySSLErrorObject;
490	n/a	char *errstr = NULL;
491	n/a	int err;
492	n/a	enum py_ssl_error p = PY_SSL_ERROR_NONE;
493	n/a	unsigned long e = 0;
494	n/a
495	n/a	assert(ret <= 0);
496	n/a	e = ERR_peek_last_error();
497	n/a
498	n/a	if (obj->ssl != NULL) {
499	n/a	err = SSL_get_error(obj->ssl, ret);
500	n/a
501	n/a	switch (err) {
502	n/a	case SSL_ERROR_ZERO_RETURN:
503	n/a	errstr = "TLS/SSL connection has been closed (EOF)";
504	n/a	type = PySSLZeroReturnErrorObject;
505	n/a	p = PY_SSL_ERROR_ZERO_RETURN;
506	n/a	break;
507	n/a	case SSL_ERROR_WANT_READ:
508	n/a	errstr = "The operation did not complete (read)";
509	n/a	type = PySSLWantReadErrorObject;
510	n/a	p = PY_SSL_ERROR_WANT_READ;
511	n/a	break;
512	n/a	case SSL_ERROR_WANT_WRITE:
513	n/a	p = PY_SSL_ERROR_WANT_WRITE;
514	n/a	type = PySSLWantWriteErrorObject;
515	n/a	errstr = "The operation did not complete (write)";
516	n/a	break;
517	n/a	case SSL_ERROR_WANT_X509_LOOKUP:
518	n/a	p = PY_SSL_ERROR_WANT_X509_LOOKUP;
519	n/a	errstr = "The operation did not complete (X509 lookup)";
520	n/a	break;
521	n/a	case SSL_ERROR_WANT_CONNECT:
522	n/a	p = PY_SSL_ERROR_WANT_CONNECT;
523	n/a	errstr = "The operation did not complete (connect)";
524	n/a	break;
525	n/a	case SSL_ERROR_SYSCALL:
526	n/a	{
527	n/a	if (e == 0) {
528	n/a	PySocketSockObject *s = GET_SOCKET(obj);
529	n/a	if (ret == 0 \|\| (((PyObject *)s) == Py_None)) {
530	n/a	p = PY_SSL_ERROR_EOF;
531	n/a	type = PySSLEOFErrorObject;
532	n/a	errstr = "EOF occurred in violation of protocol";
533	n/a	} else if (s && ret == -1) {
534	n/a	/* underlying BIO reported an I/O error */
535	n/a	Py_INCREF(s);
536	n/a	ERR_clear_error();
537	n/a	s->errorhandler();
538	n/a	Py_DECREF(s);
539	n/a	return NULL;
540	n/a	} else { /* possible? */
541	n/a	p = PY_SSL_ERROR_SYSCALL;
542	n/a	type = PySSLSyscallErrorObject;
543	n/a	errstr = "Some I/O error occurred";
544	n/a	}
545	n/a	} else {
546	n/a	p = PY_SSL_ERROR_SYSCALL;
547	n/a	}
548	n/a	break;
549	n/a	}
550	n/a	case SSL_ERROR_SSL:
551	n/a	{
552	n/a	p = PY_SSL_ERROR_SSL;
553	n/a	if (e == 0)
554	n/a	/* possible? */
555	n/a	errstr = "A failure in the SSL library occurred";
556	n/a	break;
557	n/a	}
558	n/a	default:
559	n/a	p = PY_SSL_ERROR_INVALID_ERROR_CODE;
560	n/a	errstr = "Invalid error code";
561	n/a	}
562	n/a	}
563	n/a	fill_and_set_sslerror(type, p, errstr, lineno, e);
564	n/a	ERR_clear_error();
565	n/a	return NULL;
566	n/a	}
567	n/a
568	n/a	static PyObject *
569	n/a	_setSSLError (const char errstr, int errcode, const char filename, int lineno) {
570	n/a
571	n/a	if (errstr == NULL)
572	n/a	errcode = ERR_peek_last_error();
573	n/a	else
574	n/a	errcode = 0;
575	n/a	fill_and_set_sslerror(PySSLErrorObject, errcode, errstr, lineno, errcode);
576	n/a	ERR_clear_error();
577	n/a	return NULL;
578	n/a	}
579	n/a
580	n/a	/*
581	n/a	* SSL objects
582	n/a	*/
583	n/a
584	n/a	static PySSLSocket *
585	n/a	newPySSLSocket(PySSLContext sslctx, PySocketSockObject sock,
586	n/a	enum py_ssl_server_or_client socket_type,
587	n/a	char *server_hostname,
588	n/a	PySSLMemoryBIO inbio, PySSLMemoryBIO outbio)
589	n/a	{
590	n/a	PySSLSocket *self;
591	n/a	SSL_CTX *ctx = sslctx->ctx;
592	n/a	long mode;
593	n/a
594	n/a	self = PyObject_New(PySSLSocket, &PySSLSocket_Type);
595	n/a	if (self == NULL)
596	n/a	return NULL;
597	n/a
598	n/a	self->peer_cert = NULL;
599	n/a	self->ssl = NULL;
600	n/a	self->Socket = NULL;
601	n/a	self->ctx = sslctx;
602	n/a	self->shutdown_seen_zero = 0;
603	n/a	self->handshake_done = 0;
604	n/a	self->owner = NULL;
605	n/a	self->server_hostname = NULL;
606	n/a	if (server_hostname != NULL) {
607	n/a	PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname),
608	n/a	"idna", "strict");
609	n/a	if (hostname == NULL) {
610	n/a	Py_DECREF(self);
611	n/a	return NULL;
612	n/a	}
613	n/a	self->server_hostname = hostname;
614	n/a	}
615	n/a
616	n/a	Py_INCREF(sslctx);
617	n/a
618	n/a	/* Make sure the SSL error state is initialized */
619	n/a	(void) ERR_get_state();
620	n/a	ERR_clear_error();
621	n/a
622	n/a	PySSL_BEGIN_ALLOW_THREADS
623	n/a	self->ssl = SSL_new(ctx);
624	n/a	PySSL_END_ALLOW_THREADS
625	n/a	SSL_set_app_data(self->ssl, self);
626	n/a	if (sock) {
627	n/a	SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
628	n/a	} else {
629	n/a	/* BIOs are reference counted and SSL_set_bio borrows our reference.
630	n/a	* To prevent a double free in memory_bio_dealloc() we need to take an
631	n/a	* extra reference here. */
632	n/a	BIO_up_ref(inbio->bio);
633	n/a	BIO_up_ref(outbio->bio);
634	n/a	SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
635	n/a	}
636	n/a	mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
637	n/a	#ifdef SSL_MODE_AUTO_RETRY
638	n/a	mode \|= SSL_MODE_AUTO_RETRY;
639	n/a	#endif
640	n/a	SSL_set_mode(self->ssl, mode);
641	n/a
642	n/a	#if HAVE_SNI
643	n/a	if (server_hostname != NULL)
644	n/a	SSL_set_tlsext_host_name(self->ssl, server_hostname);
645	n/a	#endif
646	n/a
647	n/a	/* If the socket is in non-blocking mode or timeout mode, set the BIO
648	n/a	* to non-blocking mode (blocking is the default)
649	n/a	*/
650	n/a	if (sock && sock->sock_timeout >= 0) {
651	n/a	BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
652	n/a	BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
653	n/a	}
654	n/a
655	n/a	PySSL_BEGIN_ALLOW_THREADS
656	n/a	if (socket_type == PY_SSL_CLIENT)
657	n/a	SSL_set_connect_state(self->ssl);
658	n/a	else
659	n/a	SSL_set_accept_state(self->ssl);
660	n/a	PySSL_END_ALLOW_THREADS
661	n/a
662	n/a	self->socket_type = socket_type;
663	n/a	if (sock != NULL) {
664	n/a	self->Socket = PyWeakref_NewRef((PyObject *) sock, NULL);
665	n/a	if (self->Socket == NULL) {
666	n/a	Py_DECREF(self);
667	n/a	return NULL;
668	n/a	}
669	n/a	}
670	n/a	return self;
671	n/a	}
672	n/a
673	n/a	/* SSL object methods */
674	n/a
675	n/a	/*[clinic input]
676	n/a	_ssl._SSLSocket.do_handshake
677	n/a	[clinic start generated code]*/
678	n/a
679	n/a	static PyObject *
680	n/a	_ssl__SSLSocket_do_handshake_impl(PySSLSocket *self)
681	n/a	/[clinic end generated code: output=6c0898a8936548f6 input=d2d737de3df018c8]/
682	n/a	{
683	n/a	int ret;
684	n/a	int err;
685	n/a	int sockstate, nonblocking;
686	n/a	PySocketSockObject *sock = GET_SOCKET(self);
687	n/a	_PyTime_t timeout, deadline = 0;
688	n/a	int has_timeout;
689	n/a
690	n/a	if (sock) {
691	n/a	if (((PyObject*)sock) == Py_None) {
692	n/a	_setSSLError("Underlying socket connection gone",
693	n/a	PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
694	n/a	return NULL;
695	n/a	}
696	n/a	Py_INCREF(sock);
697	n/a
698	n/a	/* just in case the blocking state of the socket has been changed */
699	n/a	nonblocking = (sock->sock_timeout >= 0);
700	n/a	BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
701	n/a	BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
702	n/a	}
703	n/a
704	n/a	timeout = GET_SOCKET_TIMEOUT(sock);
705	n/a	has_timeout = (timeout > 0);
706	n/a	if (has_timeout)
707	n/a	deadline = _PyTime_GetMonotonicClock() + timeout;
708	n/a
709	n/a	/* Actually negotiate SSL connection */
710	n/a	/* XXX If SSL_do_handshake() returns 0, it's also a failure. */
711	n/a	do {
712	n/a	PySSL_BEGIN_ALLOW_THREADS
713	n/a	ret = SSL_do_handshake(self->ssl);
714	n/a	err = SSL_get_error(self->ssl, ret);
715	n/a	PySSL_END_ALLOW_THREADS
716	n/a
717	n/a	if (PyErr_CheckSignals())
718	n/a	goto error;
719	n/a
720	n/a	if (has_timeout)
721	n/a	timeout = deadline - _PyTime_GetMonotonicClock();
722	n/a
723	n/a	if (err == SSL_ERROR_WANT_READ) {
724	n/a	sockstate = PySSL_select(sock, 0, timeout);
725	n/a	} else if (err == SSL_ERROR_WANT_WRITE) {
726	n/a	sockstate = PySSL_select(sock, 1, timeout);
727	n/a	} else {
728	n/a	sockstate = SOCKET_OPERATION_OK;
729	n/a	}
730	n/a
731	n/a	if (sockstate == SOCKET_HAS_TIMED_OUT) {
732	n/a	PyErr_SetString(PySocketModule.timeout_error,
733	n/a	ERRSTR("The handshake operation timed out"));
734	n/a	goto error;
735	n/a	} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
736	n/a	PyErr_SetString(PySSLErrorObject,
737	n/a	ERRSTR("Underlying socket has been closed."));
738	n/a	goto error;
739	n/a	} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
740	n/a	PyErr_SetString(PySSLErrorObject,
741	n/a	ERRSTR("Underlying socket too large for select()."));
742	n/a	goto error;
743	n/a	} else if (sockstate == SOCKET_IS_NONBLOCKING) {
744	n/a	break;
745	n/a	}
746	n/a	} while (err == SSL_ERROR_WANT_READ \|\| err == SSL_ERROR_WANT_WRITE);
747	n/a	Py_XDECREF(sock);
748	n/a	if (ret < 1)
749	n/a	return PySSL_SetError(self, ret, __FILE__, __LINE__);
750	n/a
751	n/a	if (self->peer_cert)
752	n/a	X509_free (self->peer_cert);
753	n/a	PySSL_BEGIN_ALLOW_THREADS
754	n/a	self->peer_cert = SSL_get_peer_certificate(self->ssl);
755	n/a	PySSL_END_ALLOW_THREADS
756	n/a	self->handshake_done = 1;
757	n/a
758	n/a	Py_RETURN_NONE;
759	n/a
760	n/a	error:
761	n/a	Py_XDECREF(sock);
762	n/a	return NULL;
763	n/a	}
764	n/a
765	n/a	static PyObject *
766	n/a	_create_tuple_for_attribute (ASN1_OBJECT name, ASN1_STRING value) {
767	n/a
768	n/a	char namebuf[X509_NAME_MAXLEN];
769	n/a	int buflen;
770	n/a	PyObject *name_obj;
771	n/a	PyObject *value_obj;
772	n/a	PyObject *attr;
773	n/a	unsigned char *valuebuf = NULL;
774	n/a
775	n/a	buflen = OBJ_obj2txt(namebuf, sizeof(namebuf), name, 0);
776	n/a	if (buflen < 0) {
777	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
778	n/a	goto fail;
779	n/a	}
780	n/a	name_obj = PyUnicode_FromStringAndSize(namebuf, buflen);
781	n/a	if (name_obj == NULL)
782	n/a	goto fail;
783	n/a
784	n/a	buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
785	n/a	if (buflen < 0) {
786	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
787	n/a	Py_DECREF(name_obj);
788	n/a	goto fail;
789	n/a	}
790	n/a	value_obj = PyUnicode_DecodeUTF8((char *) valuebuf,
791	n/a	buflen, "strict");
792	n/a	OPENSSL_free(valuebuf);
793	n/a	if (value_obj == NULL) {
794	n/a	Py_DECREF(name_obj);
795	n/a	goto fail;
796	n/a	}
797	n/a	attr = PyTuple_New(2);
798	n/a	if (attr == NULL) {
799	n/a	Py_DECREF(name_obj);
800	n/a	Py_DECREF(value_obj);
801	n/a	goto fail;
802	n/a	}
803	n/a	PyTuple_SET_ITEM(attr, 0, name_obj);
804	n/a	PyTuple_SET_ITEM(attr, 1, value_obj);
805	n/a	return attr;
806	n/a
807	n/a	fail:
808	n/a	return NULL;
809	n/a	}
810	n/a
811	n/a	static PyObject *
812	n/a	_create_tuple_for_X509_NAME (X509_NAME *xname)
813	n/a	{
814	n/a	PyObject dn = NULL; / tuple which represents the "distinguished name" */
815	n/a	PyObject rdn = NULL; / tuple to hold a "relative distinguished name" */
816	n/a	PyObject *rdnt;
817	n/a	PyObject attr = NULL; / tuple to hold an attribute */
818	n/a	int entry_count = X509_NAME_entry_count(xname);
819	n/a	X509_NAME_ENTRY *entry;
820	n/a	ASN1_OBJECT *name;
821	n/a	ASN1_STRING *value;
822	n/a	int index_counter;
823	n/a	int rdn_level = -1;
824	n/a	int retcode;
825	n/a
826	n/a	dn = PyList_New(0);
827	n/a	if (dn == NULL)
828	n/a	return NULL;
829	n/a	/* now create another tuple to hold the top-level RDN */
830	n/a	rdn = PyList_New(0);
831	n/a	if (rdn == NULL)
832	n/a	goto fail0;
833	n/a
834	n/a	for (index_counter = 0;
835	n/a	index_counter < entry_count;
836	n/a	index_counter++)
837	n/a	{
838	n/a	entry = X509_NAME_get_entry(xname, index_counter);
839	n/a
840	n/a	/* check to see if we've gotten to a new RDN */
841	n/a	if (rdn_level >= 0) {
842	n/a	if (rdn_level != X509_NAME_ENTRY_set(entry)) {
843	n/a	/* yes, new RDN */
844	n/a	/* add old RDN to DN */
845	n/a	rdnt = PyList_AsTuple(rdn);
846	n/a	Py_DECREF(rdn);
847	n/a	if (rdnt == NULL)
848	n/a	goto fail0;
849	n/a	retcode = PyList_Append(dn, rdnt);
850	n/a	Py_DECREF(rdnt);
851	n/a	if (retcode < 0)
852	n/a	goto fail0;
853	n/a	/* create new RDN */
854	n/a	rdn = PyList_New(0);
855	n/a	if (rdn == NULL)
856	n/a	goto fail0;
857	n/a	}
858	n/a	}
859	n/a	rdn_level = X509_NAME_ENTRY_set(entry);
860	n/a
861	n/a	/* now add this attribute to the current RDN */
862	n/a	name = X509_NAME_ENTRY_get_object(entry);
863	n/a	value = X509_NAME_ENTRY_get_data(entry);
864	n/a	attr = _create_tuple_for_attribute(name, value);
865	n/a	/*
866	n/a	fprintf(stderr, "RDN level %d, attribute %s: %s\n",
867	n/a	entry->set,
868	n/a	PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 0)),
869	n/a	PyBytes_AS_STRING(PyTuple_GET_ITEM(attr, 1)));
870	n/a	*/
871	n/a	if (attr == NULL)
872	n/a	goto fail1;
873	n/a	retcode = PyList_Append(rdn, attr);
874	n/a	Py_DECREF(attr);
875	n/a	if (retcode < 0)
876	n/a	goto fail1;
877	n/a	}
878	n/a	/* now, there's typically a dangling RDN */
879	n/a	if (rdn != NULL) {
880	n/a	if (PyList_GET_SIZE(rdn) > 0) {
881	n/a	rdnt = PyList_AsTuple(rdn);
882	n/a	Py_DECREF(rdn);
883	n/a	if (rdnt == NULL)
884	n/a	goto fail0;
885	n/a	retcode = PyList_Append(dn, rdnt);
886	n/a	Py_DECREF(rdnt);
887	n/a	if (retcode < 0)
888	n/a	goto fail0;
889	n/a	}
890	n/a	else {
891	n/a	Py_DECREF(rdn);
892	n/a	}
893	n/a	}
894	n/a
895	n/a	/* convert list to tuple */
896	n/a	rdnt = PyList_AsTuple(dn);
897	n/a	Py_DECREF(dn);
898	n/a	if (rdnt == NULL)
899	n/a	return NULL;
900	n/a	return rdnt;
901	n/a
902	n/a	fail1:
903	n/a	Py_XDECREF(rdn);
904	n/a
905	n/a	fail0:
906	n/a	Py_XDECREF(dn);
907	n/a	return NULL;
908	n/a	}
909	n/a
910	n/a	static PyObject *
911	n/a	_get_peer_alt_names (X509 *certificate) {
912	n/a
913	n/a	/* this code follows the procedure outlined in
914	n/a	OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
915	n/a	function to extract the STACK_OF(GENERAL_NAME),
916	n/a	then iterates through the stack to add the
917	n/a	names. */
918	n/a
919	n/a	int i, j;
920	n/a	PyObject *peer_alt_names = Py_None;
921	n/a	PyObject v = NULL, t;
922	n/a	X509_EXTENSION *ext = NULL;
923	n/a	GENERAL_NAMES *names = NULL;
924	n/a	GENERAL_NAME *name;
925	n/a	const X509V3_EXT_METHOD *method;
926	n/a	BIO *biobuf = NULL;
927	n/a	char buf[2048];
928	n/a	char *vptr;
929	n/a	int len;
930	n/a	const unsigned char *p;
931	n/a
932	n/a	if (certificate == NULL)
933	n/a	return peer_alt_names;
934	n/a
935	n/a	/* get a memory buffer */
936	n/a	biobuf = BIO_new(BIO_s_mem());
937	n/a
938	n/a	i = -1;
939	n/a	while ((i = X509_get_ext_by_NID(
940	n/a	certificate, NID_subject_alt_name, i)) >= 0) {
941	n/a
942	n/a	if (peer_alt_names == Py_None) {
943	n/a	peer_alt_names = PyList_New(0);
944	n/a	if (peer_alt_names == NULL)
945	n/a	goto fail;
946	n/a	}
947	n/a
948	n/a	/* now decode the altName */
949	n/a	ext = X509_get_ext(certificate, i);
950	n/a	if(!(method = X509V3_EXT_get(ext))) {
951	n/a	PyErr_SetString
952	n/a	(PySSLErrorObject,
953	n/a	ERRSTR("No method for internalizing subjectAltName!"));
954	n/a	goto fail;
955	n/a	}
956	n/a
957	n/a	p = X509_EXTENSION_get_data(ext)->data;
958	n/a	if (method->it)
959	n/a	names = (GENERAL_NAMES*)
960	n/a	(ASN1_item_d2i(NULL,
961	n/a	&p,
962	n/a	X509_EXTENSION_get_data(ext)->length,
963	n/a	ASN1_ITEM_ptr(method->it)));
964	n/a	else
965	n/a	names = (GENERAL_NAMES*)
966	n/a	(method->d2i(NULL,
967	n/a	&p,
968	n/a	X509_EXTENSION_get_data(ext)->length));
969	n/a
970	n/a	for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
971	n/a	/* get a rendering of each name in the set of names */
972	n/a	int gntype;
973	n/a	ASN1_STRING *as = NULL;
974	n/a
975	n/a	name = sk_GENERAL_NAME_value(names, j);
976	n/a	gntype = name->type;
977	n/a	switch (gntype) {
978	n/a	case GEN_DIRNAME:
979	n/a	/* we special-case DirName as a tuple of
980	n/a	tuples of attributes */
981	n/a
982	n/a	t = PyTuple_New(2);
983	n/a	if (t == NULL) {
984	n/a	goto fail;
985	n/a	}
986	n/a
987	n/a	v = PyUnicode_FromString("DirName");
988	n/a	if (v == NULL) {
989	n/a	Py_DECREF(t);
990	n/a	goto fail;
991	n/a	}
992	n/a	PyTuple_SET_ITEM(t, 0, v);
993	n/a
994	n/a	v = _create_tuple_for_X509_NAME (name->d.dirn);
995	n/a	if (v == NULL) {
996	n/a	Py_DECREF(t);
997	n/a	goto fail;
998	n/a	}
999	n/a	PyTuple_SET_ITEM(t, 1, v);
1000	n/a	break;
1001	n/a
1002	n/a	case GEN_EMAIL:
1003	n/a	case GEN_DNS:
1004	n/a	case GEN_URI:
1005	n/a	/* GENERAL_NAME_print() doesn't handle NULL bytes in ASN1_string
1006	n/a	correctly, CVE-2013-4238 */
1007	n/a	t = PyTuple_New(2);
1008	n/a	if (t == NULL)
1009	n/a	goto fail;
1010	n/a	switch (gntype) {
1011	n/a	case GEN_EMAIL:
1012	n/a	v = PyUnicode_FromString("email");
1013	n/a	as = name->d.rfc822Name;
1014	n/a	break;
1015	n/a	case GEN_DNS:
1016	n/a	v = PyUnicode_FromString("DNS");
1017	n/a	as = name->d.dNSName;
1018	n/a	break;
1019	n/a	case GEN_URI:
1020	n/a	v = PyUnicode_FromString("URI");
1021	n/a	as = name->d.uniformResourceIdentifier;
1022	n/a	break;
1023	n/a	}
1024	n/a	if (v == NULL) {
1025	n/a	Py_DECREF(t);
1026	n/a	goto fail;
1027	n/a	}
1028	n/a	PyTuple_SET_ITEM(t, 0, v);
1029	n/a	v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as),
1030	n/a	ASN1_STRING_length(as));
1031	n/a	if (v == NULL) {
1032	n/a	Py_DECREF(t);
1033	n/a	goto fail;
1034	n/a	}
1035	n/a	PyTuple_SET_ITEM(t, 1, v);
1036	n/a	break;
1037	n/a
1038	n/a	case GEN_RID:
1039	n/a	t = PyTuple_New(2);
1040	n/a	if (t == NULL)
1041	n/a	goto fail;
1042	n/a
1043	n/a	v = PyUnicode_FromString("Registered ID");
1044	n/a	if (v == NULL) {
1045	n/a	Py_DECREF(t);
1046	n/a	goto fail;
1047	n/a	}
1048	n/a	PyTuple_SET_ITEM(t, 0, v);
1049	n/a
1050	n/a	len = i2t_ASN1_OBJECT(buf, sizeof(buf)-1, name->d.rid);
1051	n/a	if (len < 0) {
1052	n/a	Py_DECREF(t);
1053	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
1054	n/a	goto fail;
1055	n/a	} else if (len >= (int)sizeof(buf)) {
1056	n/a	v = PyUnicode_FromString("<INVALID>");
1057	n/a	} else {
1058	n/a	v = PyUnicode_FromStringAndSize(buf, len);
1059	n/a	}
1060	n/a	if (v == NULL) {
1061	n/a	Py_DECREF(t);
1062	n/a	goto fail;
1063	n/a	}
1064	n/a	PyTuple_SET_ITEM(t, 1, v);
1065	n/a	break;
1066	n/a
1067	n/a	default:
1068	n/a	/* for everything else, we use the OpenSSL print form */
1069	n/a	switch (gntype) {
1070	n/a	/* check for new general name type */
1071	n/a	case GEN_OTHERNAME:
1072	n/a	case GEN_X400:
1073	n/a	case GEN_EDIPARTY:
1074	n/a	case GEN_IPADD:
1075	n/a	case GEN_RID:
1076	n/a	break;
1077	n/a	default:
1078	n/a	if (PyErr_WarnFormat(PyExc_RuntimeWarning, 1,
1079	n/a	"Unknown general name type %d",
1080	n/a	gntype) == -1) {
1081	n/a	goto fail;
1082	n/a	}
1083	n/a	break;
1084	n/a	}
1085	n/a	(void) BIO_reset(biobuf);
1086	n/a	GENERAL_NAME_print(biobuf, name);
1087	n/a	len = BIO_gets(biobuf, buf, sizeof(buf)-1);
1088	n/a	if (len < 0) {
1089	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
1090	n/a	goto fail;
1091	n/a	}
1092	n/a	vptr = strchr(buf, ':');
1093	n/a	if (vptr == NULL) {
1094	n/a	PyErr_Format(PyExc_ValueError,
1095	n/a	"Invalid value %.200s",
1096	n/a	buf);
1097	n/a	goto fail;
1098	n/a	}
1099	n/a	t = PyTuple_New(2);
1100	n/a	if (t == NULL)
1101	n/a	goto fail;
1102	n/a	v = PyUnicode_FromStringAndSize(buf, (vptr - buf));
1103	n/a	if (v == NULL) {
1104	n/a	Py_DECREF(t);
1105	n/a	goto fail;
1106	n/a	}
1107	n/a	PyTuple_SET_ITEM(t, 0, v);
1108	n/a	v = PyUnicode_FromStringAndSize((vptr + 1),
1109	n/a	(len - (vptr - buf + 1)));
1110	n/a	if (v == NULL) {
1111	n/a	Py_DECREF(t);
1112	n/a	goto fail;
1113	n/a	}
1114	n/a	PyTuple_SET_ITEM(t, 1, v);
1115	n/a	break;
1116	n/a	}
1117	n/a
1118	n/a	/* and add that rendering to the list */
1119	n/a
1120	n/a	if (PyList_Append(peer_alt_names, t) < 0) {
1121	n/a	Py_DECREF(t);
1122	n/a	goto fail;
1123	n/a	}
1124	n/a	Py_DECREF(t);
1125	n/a	}
1126	n/a	sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1127	n/a	}
1128	n/a	BIO_free(biobuf);
1129	n/a	if (peer_alt_names != Py_None) {
1130	n/a	v = PyList_AsTuple(peer_alt_names);
1131	n/a	Py_DECREF(peer_alt_names);
1132	n/a	return v;
1133	n/a	} else {
1134	n/a	return peer_alt_names;
1135	n/a	}
1136	n/a
1137	n/a
1138	n/a	fail:
1139	n/a	if (biobuf != NULL)
1140	n/a	BIO_free(biobuf);
1141	n/a
1142	n/a	if (peer_alt_names != Py_None) {
1143	n/a	Py_XDECREF(peer_alt_names);
1144	n/a	}
1145	n/a
1146	n/a	return NULL;
1147	n/a	}
1148	n/a
1149	n/a	static PyObject *
1150	n/a	_get_aia_uri(X509 *certificate, int nid) {
1151	n/a	PyObject lst = NULL, ostr = NULL;
1152	n/a	int i, result;
1153	n/a	AUTHORITY_INFO_ACCESS *info;
1154	n/a
1155	n/a	info = X509_get_ext_d2i(certificate, NID_info_access, NULL, NULL);
1156	n/a	if (info == NULL)
1157	n/a	return Py_None;
1158	n/a	if (sk_ACCESS_DESCRIPTION_num(info) == 0) {
1159	n/a	AUTHORITY_INFO_ACCESS_free(info);
1160	n/a	return Py_None;
1161	n/a	}
1162	n/a
1163	n/a	if ((lst = PyList_New(0)) == NULL) {
1164	n/a	goto fail;
1165	n/a	}
1166	n/a
1167	n/a	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
1168	n/a	ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
1169	n/a	ASN1_IA5STRING *uri;
1170	n/a
1171	n/a	if ((OBJ_obj2nid(ad->method) != nid) \|\|
1172	n/a	(ad->location->type != GEN_URI)) {
1173	n/a	continue;
1174	n/a	}
1175	n/a	uri = ad->location->d.uniformResourceIdentifier;
1176	n/a	ostr = PyUnicode_FromStringAndSize((char *)uri->data,
1177	n/a	uri->length);
1178	n/a	if (ostr == NULL) {
1179	n/a	goto fail;
1180	n/a	}
1181	n/a	result = PyList_Append(lst, ostr);
1182	n/a	Py_DECREF(ostr);
1183	n/a	if (result < 0) {
1184	n/a	goto fail;
1185	n/a	}
1186	n/a	}
1187	n/a	AUTHORITY_INFO_ACCESS_free(info);
1188	n/a
1189	n/a	/* convert to tuple or None */
1190	n/a	if (PyList_Size(lst) == 0) {
1191	n/a	Py_DECREF(lst);
1192	n/a	return Py_None;
1193	n/a	} else {
1194	n/a	PyObject *tup;
1195	n/a	tup = PyList_AsTuple(lst);
1196	n/a	Py_DECREF(lst);
1197	n/a	return tup;
1198	n/a	}
1199	n/a
1200	n/a	fail:
1201	n/a	AUTHORITY_INFO_ACCESS_free(info);
1202	n/a	Py_XDECREF(lst);
1203	n/a	return NULL;
1204	n/a	}
1205	n/a
1206	n/a	static PyObject *
1207	n/a	_get_crl_dp(X509 *certificate) {
1208	n/a	STACK_OF(DIST_POINT) *dps;
1209	n/a	int i, j;
1210	n/a	PyObject lst, res = NULL;
1211	n/a
1212	n/a	#if OPENSSL_VERSION_NUMBER >= 0x10001000L
1213	n/a	/* Calls x509v3_cache_extensions and sets up crldp */
1214	n/a	X509_check_ca(certificate);
1215	n/a	#endif
1216	n/a	dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL);
1217	n/a
1218	n/a	if (dps == NULL)
1219	n/a	return Py_None;
1220	n/a
1221	n/a	lst = PyList_New(0);
1222	n/a	if (lst == NULL)
1223	n/a	goto done;
1224	n/a
1225	n/a	for (i=0; i < sk_DIST_POINT_num(dps); i++) {
1226	n/a	DIST_POINT *dp;
1227	n/a	STACK_OF(GENERAL_NAME) *gns;
1228	n/a
1229	n/a	dp = sk_DIST_POINT_value(dps, i);
1230	n/a	gns = dp->distpoint->name.fullname;
1231	n/a
1232	n/a	for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
1233	n/a	GENERAL_NAME *gn;
1234	n/a	ASN1_IA5STRING *uri;
1235	n/a	PyObject *ouri;
1236	n/a	int err;
1237	n/a
1238	n/a	gn = sk_GENERAL_NAME_value(gns, j);
1239	n/a	if (gn->type != GEN_URI) {
1240	n/a	continue;
1241	n/a	}
1242	n/a	uri = gn->d.uniformResourceIdentifier;
1243	n/a	ouri = PyUnicode_FromStringAndSize((char *)uri->data,
1244	n/a	uri->length);
1245	n/a	if (ouri == NULL)
1246	n/a	goto done;
1247	n/a
1248	n/a	err = PyList_Append(lst, ouri);
1249	n/a	Py_DECREF(ouri);
1250	n/a	if (err < 0)
1251	n/a	goto done;
1252	n/a	}
1253	n/a	}
1254	n/a
1255	n/a	/* Convert to tuple. */
1256	n/a	res = (PyList_GET_SIZE(lst) > 0) ? PyList_AsTuple(lst) : Py_None;
1257	n/a
1258	n/a	done:
1259	n/a	Py_XDECREF(lst);
1260	n/a	#if OPENSSL_VERSION_NUMBER < 0x10001000L
1261	n/a	sk_DIST_POINT_free(dps);
1262	n/a	#endif
1263	n/a	return res;
1264	n/a	}
1265	n/a
1266	n/a	static PyObject *
1267	n/a	_decode_certificate(X509 *certificate) {
1268	n/a
1269	n/a	PyObject *retval = NULL;
1270	n/a	BIO *biobuf = NULL;
1271	n/a	PyObject *peer;
1272	n/a	PyObject *peer_alt_names = NULL;
1273	n/a	PyObject *issuer;
1274	n/a	PyObject *version;
1275	n/a	PyObject *sn_obj;
1276	n/a	PyObject *obj;
1277	n/a	ASN1_INTEGER *serialNumber;
1278	n/a	char buf[2048];
1279	n/a	int len, result;
1280	n/a	ASN1_TIME notBefore, notAfter;
1281	n/a	PyObject pnotBefore, pnotAfter;
1282	n/a
1283	n/a	retval = PyDict_New();
1284	n/a	if (retval == NULL)
1285	n/a	return NULL;
1286	n/a
1287	n/a	peer = _create_tuple_for_X509_NAME(
1288	n/a	X509_get_subject_name(certificate));
1289	n/a	if (peer == NULL)
1290	n/a	goto fail0;
1291	n/a	if (PyDict_SetItemString(retval, (const char *) "subject", peer) < 0) {
1292	n/a	Py_DECREF(peer);
1293	n/a	goto fail0;
1294	n/a	}
1295	n/a	Py_DECREF(peer);
1296	n/a
1297	n/a	issuer = _create_tuple_for_X509_NAME(
1298	n/a	X509_get_issuer_name(certificate));
1299	n/a	if (issuer == NULL)
1300	n/a	goto fail0;
1301	n/a	if (PyDict_SetItemString(retval, (const char *)"issuer", issuer) < 0) {
1302	n/a	Py_DECREF(issuer);
1303	n/a	goto fail0;
1304	n/a	}
1305	n/a	Py_DECREF(issuer);
1306	n/a
1307	n/a	version = PyLong_FromLong(X509_get_version(certificate) + 1);
1308	n/a	if (version == NULL)
1309	n/a	goto fail0;
1310	n/a	if (PyDict_SetItemString(retval, "version", version) < 0) {
1311	n/a	Py_DECREF(version);
1312	n/a	goto fail0;
1313	n/a	}
1314	n/a	Py_DECREF(version);
1315	n/a
1316	n/a	/* get a memory buffer */
1317	n/a	biobuf = BIO_new(BIO_s_mem());
1318	n/a
1319	n/a	(void) BIO_reset(biobuf);
1320	n/a	serialNumber = X509_get_serialNumber(certificate);
1321	n/a	/* should not exceed 20 octets, 160 bits, so buf is big enough */
1322	n/a	i2a_ASN1_INTEGER(biobuf, serialNumber);
1323	n/a	len = BIO_gets(biobuf, buf, sizeof(buf)-1);
1324	n/a	if (len < 0) {
1325	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
1326	n/a	goto fail1;
1327	n/a	}
1328	n/a	sn_obj = PyUnicode_FromStringAndSize(buf, len);
1329	n/a	if (sn_obj == NULL)
1330	n/a	goto fail1;
1331	n/a	if (PyDict_SetItemString(retval, "serialNumber", sn_obj) < 0) {
1332	n/a	Py_DECREF(sn_obj);
1333	n/a	goto fail1;
1334	n/a	}
1335	n/a	Py_DECREF(sn_obj);
1336	n/a
1337	n/a	(void) BIO_reset(biobuf);
1338	n/a	notBefore = X509_get_notBefore(certificate);
1339	n/a	ASN1_TIME_print(biobuf, notBefore);
1340	n/a	len = BIO_gets(biobuf, buf, sizeof(buf)-1);
1341	n/a	if (len < 0) {
1342	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
1343	n/a	goto fail1;
1344	n/a	}
1345	n/a	pnotBefore = PyUnicode_FromStringAndSize(buf, len);
1346	n/a	if (pnotBefore == NULL)
1347	n/a	goto fail1;
1348	n/a	if (PyDict_SetItemString(retval, "notBefore", pnotBefore) < 0) {
1349	n/a	Py_DECREF(pnotBefore);
1350	n/a	goto fail1;
1351	n/a	}
1352	n/a	Py_DECREF(pnotBefore);
1353	n/a
1354	n/a	(void) BIO_reset(biobuf);
1355	n/a	notAfter = X509_get_notAfter(certificate);
1356	n/a	ASN1_TIME_print(biobuf, notAfter);
1357	n/a	len = BIO_gets(biobuf, buf, sizeof(buf)-1);
1358	n/a	if (len < 0) {
1359	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
1360	n/a	goto fail1;
1361	n/a	}
1362	n/a	pnotAfter = PyUnicode_FromStringAndSize(buf, len);
1363	n/a	if (pnotAfter == NULL)
1364	n/a	goto fail1;
1365	n/a	if (PyDict_SetItemString(retval, "notAfter", pnotAfter) < 0) {
1366	n/a	Py_DECREF(pnotAfter);
1367	n/a	goto fail1;
1368	n/a	}
1369	n/a	Py_DECREF(pnotAfter);
1370	n/a
1371	n/a	/* Now look for subjectAltName */
1372	n/a
1373	n/a	peer_alt_names = _get_peer_alt_names(certificate);
1374	n/a	if (peer_alt_names == NULL)
1375	n/a	goto fail1;
1376	n/a	else if (peer_alt_names != Py_None) {
1377	n/a	if (PyDict_SetItemString(retval, "subjectAltName",
1378	n/a	peer_alt_names) < 0) {
1379	n/a	Py_DECREF(peer_alt_names);
1380	n/a	goto fail1;
1381	n/a	}
1382	n/a	Py_DECREF(peer_alt_names);
1383	n/a	}
1384	n/a
1385	n/a	/* Authority Information Access: OCSP URIs */
1386	n/a	obj = _get_aia_uri(certificate, NID_ad_OCSP);
1387	n/a	if (obj == NULL) {
1388	n/a	goto fail1;
1389	n/a	} else if (obj != Py_None) {
1390	n/a	result = PyDict_SetItemString(retval, "OCSP", obj);
1391	n/a	Py_DECREF(obj);
1392	n/a	if (result < 0) {
1393	n/a	goto fail1;
1394	n/a	}
1395	n/a	}
1396	n/a
1397	n/a	obj = _get_aia_uri(certificate, NID_ad_ca_issuers);
1398	n/a	if (obj == NULL) {
1399	n/a	goto fail1;
1400	n/a	} else if (obj != Py_None) {
1401	n/a	result = PyDict_SetItemString(retval, "caIssuers", obj);
1402	n/a	Py_DECREF(obj);
1403	n/a	if (result < 0) {
1404	n/a	goto fail1;
1405	n/a	}
1406	n/a	}
1407	n/a
1408	n/a	/* CDP (CRL distribution points) */
1409	n/a	obj = _get_crl_dp(certificate);
1410	n/a	if (obj == NULL) {
1411	n/a	goto fail1;
1412	n/a	} else if (obj != Py_None) {
1413	n/a	result = PyDict_SetItemString(retval, "crlDistributionPoints", obj);
1414	n/a	Py_DECREF(obj);
1415	n/a	if (result < 0) {
1416	n/a	goto fail1;
1417	n/a	}
1418	n/a	}
1419	n/a
1420	n/a	BIO_free(biobuf);
1421	n/a	return retval;
1422	n/a
1423	n/a	fail1:
1424	n/a	if (biobuf != NULL)
1425	n/a	BIO_free(biobuf);
1426	n/a	fail0:
1427	n/a	Py_XDECREF(retval);
1428	n/a	return NULL;
1429	n/a	}
1430	n/a
1431	n/a	static PyObject *
1432	n/a	_certificate_to_der(X509 *certificate)
1433	n/a	{
1434	n/a	unsigned char *bytes_buf = NULL;
1435	n/a	int len;
1436	n/a	PyObject *retval;
1437	n/a
1438	n/a	bytes_buf = NULL;
1439	n/a	len = i2d_X509(certificate, &bytes_buf);
1440	n/a	if (len < 0) {
1441	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
1442	n/a	return NULL;
1443	n/a	}
1444	n/a	/* this is actually an immutable bytes sequence */
1445	n/a	retval = PyBytes_FromStringAndSize((const char *) bytes_buf, len);
1446	n/a	OPENSSL_free(bytes_buf);
1447	n/a	return retval;
1448	n/a	}
1449	n/a
1450	n/a	/*[clinic input]
1451	n/a	_ssl._test_decode_cert
1452	n/a	path: object(converter="PyUnicode_FSConverter")
1453	n/a	/
1454	n/a
1455	n/a	[clinic start generated code]*/
1456	n/a
1457	n/a	static PyObject *
1458	n/a	_ssl__test_decode_cert_impl(PyObject module, PyObject path)
1459	n/a	/[clinic end generated code: output=96becb9abb23c091 input=cdeaaf02d4346628]/
1460	n/a	{
1461	n/a	PyObject *retval = NULL;
1462	n/a	X509 *x=NULL;
1463	n/a	BIO *cert;
1464	n/a
1465	n/a	if ((cert=BIO_new(BIO_s_file())) == NULL) {
1466	n/a	PyErr_SetString(PySSLErrorObject,
1467	n/a	"Can't malloc memory to read file");
1468	n/a	goto fail0;
1469	n/a	}
1470	n/a
1471	n/a	if (BIO_read_filename(cert, PyBytes_AsString(path)) <= 0) {
1472	n/a	PyErr_SetString(PySSLErrorObject,
1473	n/a	"Can't open file");
1474	n/a	goto fail0;
1475	n/a	}
1476	n/a
1477	n/a	x = PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL);
1478	n/a	if (x == NULL) {
1479	n/a	PyErr_SetString(PySSLErrorObject,
1480	n/a	"Error decoding PEM-encoded file");
1481	n/a	goto fail0;
1482	n/a	}
1483	n/a
1484	n/a	retval = _decode_certificate(x);
1485	n/a	X509_free(x);
1486	n/a
1487	n/a	fail0:
1488	n/a	Py_DECREF(path);
1489	n/a	if (cert != NULL) BIO_free(cert);
1490	n/a	return retval;
1491	n/a	}
1492	n/a
1493	n/a
1494	n/a	/*[clinic input]
1495	n/a	_ssl._SSLSocket.peer_certificate
1496	n/a	der as binary_mode: bool = False
1497	n/a	/
1498	n/a
1499	n/a	Returns the certificate for the peer.
1500	n/a
1501	n/a	If no certificate was provided, returns None. If a certificate was
1502	n/a	provided, but not validated, returns an empty dictionary. Otherwise
1503	n/a	returns a dict containing information about the peer certificate.
1504	n/a
1505	n/a	If the optional argument is True, returns a DER-encoded copy of the
1506	n/a	peer certificate, or None if no certificate was provided. This will
1507	n/a	return the certificate even if it wasn't validated.
1508	n/a	[clinic start generated code]*/
1509	n/a
1510	n/a	static PyObject *
1511	n/a	_ssl__SSLSocket_peer_certificate_impl(PySSLSocket *self, int binary_mode)
1512	n/a	/[clinic end generated code: output=f0dc3e4d1d818a1d input=8281bd1d193db843]/
1513	n/a	{
1514	n/a	int verification;
1515	n/a
1516	n/a	if (!self->handshake_done) {
1517	n/a	PyErr_SetString(PyExc_ValueError,
1518	n/a	"handshake not done yet");
1519	n/a	return NULL;
1520	n/a	}
1521	n/a	if (!self->peer_cert)
1522	n/a	Py_RETURN_NONE;
1523	n/a
1524	n/a	if (binary_mode) {
1525	n/a	/* return cert in DER-encoded format */
1526	n/a	return _certificate_to_der(self->peer_cert);
1527	n/a	} else {
1528	n/a	verification = SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(self->ssl));
1529	n/a	if ((verification & SSL_VERIFY_PEER) == 0)
1530	n/a	return PyDict_New();
1531	n/a	else
1532	n/a	return _decode_certificate(self->peer_cert);
1533	n/a	}
1534	n/a	}
1535	n/a
1536	n/a	static PyObject *
1537	n/a	cipher_to_tuple(const SSL_CIPHER *cipher)
1538	n/a	{
1539	n/a	const char cipher_name, cipher_protocol;
1540	n/a	PyObject v, retval = PyTuple_New(3);
1541	n/a	if (retval == NULL)
1542	n/a	return NULL;
1543	n/a
1544	n/a	cipher_name = SSL_CIPHER_get_name(cipher);
1545	n/a	if (cipher_name == NULL) {
1546	n/a	Py_INCREF(Py_None);
1547	n/a	PyTuple_SET_ITEM(retval, 0, Py_None);
1548	n/a	} else {
1549	n/a	v = PyUnicode_FromString(cipher_name);
1550	n/a	if (v == NULL)
1551	n/a	goto fail;
1552	n/a	PyTuple_SET_ITEM(retval, 0, v);
1553	n/a	}
1554	n/a
1555	n/a	cipher_protocol = SSL_CIPHER_get_version(cipher);
1556	n/a	if (cipher_protocol == NULL) {
1557	n/a	Py_INCREF(Py_None);
1558	n/a	PyTuple_SET_ITEM(retval, 1, Py_None);
1559	n/a	} else {
1560	n/a	v = PyUnicode_FromString(cipher_protocol);
1561	n/a	if (v == NULL)
1562	n/a	goto fail;
1563	n/a	PyTuple_SET_ITEM(retval, 1, v);
1564	n/a	}
1565	n/a
1566	n/a	v = PyLong_FromLong(SSL_CIPHER_get_bits(cipher, NULL));
1567	n/a	if (v == NULL)
1568	n/a	goto fail;
1569	n/a	PyTuple_SET_ITEM(retval, 2, v);
1570	n/a
1571	n/a	return retval;
1572	n/a
1573	n/a	fail:
1574	n/a	Py_DECREF(retval);
1575	n/a	return NULL;
1576	n/a	}
1577	n/a
1578	n/a	#if OPENSSL_VERSION_NUMBER >= 0x10002000UL
1579	n/a	static PyObject *
1580	n/a	cipher_to_dict(const SSL_CIPHER *cipher)
1581	n/a	{
1582	n/a	const char cipher_name, cipher_protocol;
1583	n/a
1584	n/a	unsigned long cipher_id;
1585	n/a	int alg_bits, strength_bits, len;
1586	n/a	char buf[512] = {0};
1587	n/a	#if OPENSSL_VERSION_1_1
1588	n/a	int aead, nid;
1589	n/a	const char skcipher = NULL, digest = NULL, kx = NULL, auth = NULL;
1590	n/a	#endif
1591	n/a
1592	n/a	/* can be NULL */
1593	n/a	cipher_name = SSL_CIPHER_get_name(cipher);
1594	n/a	cipher_protocol = SSL_CIPHER_get_version(cipher);
1595	n/a	cipher_id = SSL_CIPHER_get_id(cipher);
1596	n/a	SSL_CIPHER_description(cipher, buf, sizeof(buf) - 1);
1597	n/a	len = strlen(buf);
1598	n/a	if (len > 1 && buf[len-1] == '\n')
1599	n/a	buf[len-1] = '\0';
1600	n/a	strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
1601	n/a
1602	n/a	#if OPENSSL_VERSION_1_1
1603	n/a	aead = SSL_CIPHER_is_aead(cipher);
1604	n/a	nid = SSL_CIPHER_get_cipher_nid(cipher);
1605	n/a	skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
1606	n/a	nid = SSL_CIPHER_get_digest_nid(cipher);
1607	n/a	digest = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
1608	n/a	nid = SSL_CIPHER_get_kx_nid(cipher);
1609	n/a	kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
1610	n/a	nid = SSL_CIPHER_get_auth_nid(cipher);
1611	n/a	auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
1612	n/a	#endif
1613	n/a
1614	n/a	return Py_BuildValue(
1615	n/a	"{sksssssssisi"
1616	n/a	#if OPENSSL_VERSION_1_1
1617	n/a	"sOssssssss"
1618	n/a	#endif
1619	n/a	"}",
1620	n/a	"id", cipher_id,
1621	n/a	"name", cipher_name,
1622	n/a	"protocol", cipher_protocol,
1623	n/a	"description", buf,
1624	n/a	"strength_bits", strength_bits,
1625	n/a	"alg_bits", alg_bits
1626	n/a	#if OPENSSL_VERSION_1_1
1627	n/a	,"aead", aead ? Py_True : Py_False,
1628	n/a	"symmetric", skcipher,
1629	n/a	"digest", digest,
1630	n/a	"kea", kx,
1631	n/a	"auth", auth
1632	n/a	#endif
1633	n/a	);
1634	n/a	}
1635	n/a	#endif
1636	n/a
1637	n/a	/*[clinic input]
1638	n/a	_ssl._SSLSocket.shared_ciphers
1639	n/a	[clinic start generated code]*/
1640	n/a
1641	n/a	static PyObject *
1642	n/a	_ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self)
1643	n/a	/[clinic end generated code: output=3d174ead2e42c4fd input=0bfe149da8fe6306]/
1644	n/a	{
1645	n/a	STACK_OF(SSL_CIPHER) *ciphers;
1646	n/a	int i;
1647	n/a	PyObject *res;
1648	n/a
1649	n/a	ciphers = SSL_get_ciphers(self->ssl);
1650	n/a	if (!ciphers)
1651	n/a	Py_RETURN_NONE;
1652	n/a	res = PyList_New(sk_SSL_CIPHER_num(ciphers));
1653	n/a	if (!res)
1654	n/a	return NULL;
1655	n/a	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1656	n/a	PyObject *tup = cipher_to_tuple(sk_SSL_CIPHER_value(ciphers, i));
1657	n/a	if (!tup) {
1658	n/a	Py_DECREF(res);
1659	n/a	return NULL;
1660	n/a	}
1661	n/a	PyList_SET_ITEM(res, i, tup);
1662	n/a	}
1663	n/a	return res;
1664	n/a	}
1665	n/a
1666	n/a	/*[clinic input]
1667	n/a	_ssl._SSLSocket.cipher
1668	n/a	[clinic start generated code]*/
1669	n/a
1670	n/a	static PyObject *
1671	n/a	_ssl__SSLSocket_cipher_impl(PySSLSocket *self)
1672	n/a	/[clinic end generated code: output=376417c16d0e5815 input=548fb0e27243796d]/
1673	n/a	{
1674	n/a	const SSL_CIPHER *current;
1675	n/a
1676	n/a	if (self->ssl == NULL)
1677	n/a	Py_RETURN_NONE;
1678	n/a	current = SSL_get_current_cipher(self->ssl);
1679	n/a	if (current == NULL)
1680	n/a	Py_RETURN_NONE;
1681	n/a	return cipher_to_tuple(current);
1682	n/a	}
1683	n/a
1684	n/a	/*[clinic input]
1685	n/a	_ssl._SSLSocket.version
1686	n/a	[clinic start generated code]*/
1687	n/a
1688	n/a	static PyObject *
1689	n/a	_ssl__SSLSocket_version_impl(PySSLSocket *self)
1690	n/a	/[clinic end generated code: output=178aed33193b2cdb input=900186a503436fd6]/
1691	n/a	{
1692	n/a	const char *version;
1693	n/a
1694	n/a	if (self->ssl == NULL)
1695	n/a	Py_RETURN_NONE;
1696	n/a	version = SSL_get_version(self->ssl);
1697	n/a	if (!strcmp(version, "unknown"))
1698	n/a	Py_RETURN_NONE;
1699	n/a	return PyUnicode_FromString(version);
1700	n/a	}
1701	n/a
1702	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
1703	n/a	/*[clinic input]
1704	n/a	_ssl._SSLSocket.selected_npn_protocol
1705	n/a	[clinic start generated code]*/
1706	n/a
1707	n/a	static PyObject *
1708	n/a	_ssl__SSLSocket_selected_npn_protocol_impl(PySSLSocket *self)
1709	n/a	/[clinic end generated code: output=b91d494cd207ecf6 input=c28fde139204b826]/
1710	n/a	{
1711	n/a	const unsigned char *out;
1712	n/a	unsigned int outlen;
1713	n/a
1714	n/a	SSL_get0_next_proto_negotiated(self->ssl,
1715	n/a	&out, &outlen);
1716	n/a
1717	n/a	if (out == NULL)
1718	n/a	Py_RETURN_NONE;
1719	n/a	return PyUnicode_FromStringAndSize((char *)out, outlen);
1720	n/a	}
1721	n/a	#endif
1722	n/a
1723	n/a	#ifdef HAVE_ALPN
1724	n/a	/*[clinic input]
1725	n/a	_ssl._SSLSocket.selected_alpn_protocol
1726	n/a	[clinic start generated code]*/
1727	n/a
1728	n/a	static PyObject *
1729	n/a	_ssl__SSLSocket_selected_alpn_protocol_impl(PySSLSocket *self)
1730	n/a	/[clinic end generated code: output=ec33688b303d250f input=442de30e35bc2913]/
1731	n/a	{
1732	n/a	const unsigned char *out;
1733	n/a	unsigned int outlen;
1734	n/a
1735	n/a	SSL_get0_alpn_selected(self->ssl, &out, &outlen);
1736	n/a
1737	n/a	if (out == NULL)
1738	n/a	Py_RETURN_NONE;
1739	n/a	return PyUnicode_FromStringAndSize((char *)out, outlen);
1740	n/a	}
1741	n/a	#endif
1742	n/a
1743	n/a	/*[clinic input]
1744	n/a	_ssl._SSLSocket.compression
1745	n/a	[clinic start generated code]*/
1746	n/a
1747	n/a	static PyObject *
1748	n/a	_ssl__SSLSocket_compression_impl(PySSLSocket *self)
1749	n/a	/[clinic end generated code: output=bd16cb1bb4646ae7 input=5d059d0a2bbc32c8]/
1750	n/a	{
1751	n/a	#ifdef OPENSSL_NO_COMP
1752	n/a	Py_RETURN_NONE;
1753	n/a	#else
1754	n/a	const COMP_METHOD *comp_method;
1755	n/a	const char *short_name;
1756	n/a
1757	n/a	if (self->ssl == NULL)
1758	n/a	Py_RETURN_NONE;
1759	n/a	comp_method = SSL_get_current_compression(self->ssl);
1760	n/a	if (comp_method == NULL \|\| COMP_get_type(comp_method) == NID_undef)
1761	n/a	Py_RETURN_NONE;
1762	n/a	short_name = OBJ_nid2sn(COMP_get_type(comp_method));
1763	n/a	if (short_name == NULL)
1764	n/a	Py_RETURN_NONE;
1765	n/a	return PyUnicode_DecodeFSDefault(short_name);
1766	n/a	#endif
1767	n/a	}
1768	n/a
1769	n/a	static PySSLContext PySSL_get_context(PySSLSocket self, void *closure) {
1770	n/a	Py_INCREF(self->ctx);
1771	n/a	return self->ctx;
1772	n/a	}
1773	n/a
1774	n/a	static int PySSL_set_context(PySSLSocket self, PyObject value,
1775	n/a	void *closure) {
1776	n/a
1777	n/a	if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
1778	n/a	#if !HAVE_SNI
1779	n/a	PyErr_SetString(PyExc_NotImplementedError, "setting a socket's "
1780	n/a	"context is not supported by your OpenSSL library");
1781	n/a	return -1;
1782	n/a	#else
1783	n/a	Py_INCREF(value);
1784	n/a	Py_SETREF(self->ctx, (PySSLContext *)value);
1785	n/a	SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
1786	n/a	#endif
1787	n/a	} else {
1788	n/a	PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
1789	n/a	return -1;
1790	n/a	}
1791	n/a
1792	n/a	return 0;
1793	n/a	}
1794	n/a
1795	n/a	PyDoc_STRVAR(PySSL_set_context_doc,
1796	n/a	"_setter_context(ctx)\n\
1797	n/a	\
1798	n/a	This changes the context associated with the SSLSocket. This is typically\n\
1799	n/a	used from within a callback function set by the set_servername_callback\n\
1800	n/a	on the SSLContext to change the certificate information associated with the\n\
1801	n/a	SSLSocket before the cryptographic exchange handshake messages\n");
1802	n/a
1803	n/a
1804	n/a	static PyObject *
1805	n/a	PySSL_get_server_side(PySSLSocket self, void c)
1806	n/a	{
1807	n/a	return PyBool_FromLong(self->socket_type == PY_SSL_SERVER);
1808	n/a	}
1809	n/a
1810	n/a	PyDoc_STRVAR(PySSL_get_server_side_doc,
1811	n/a	"Whether this is a server-side socket.");
1812	n/a
1813	n/a	static PyObject *
1814	n/a	PySSL_get_server_hostname(PySSLSocket self, void c)
1815	n/a	{
1816	n/a	if (self->server_hostname == NULL)
1817	n/a	Py_RETURN_NONE;
1818	n/a	Py_INCREF(self->server_hostname);
1819	n/a	return self->server_hostname;
1820	n/a	}
1821	n/a
1822	n/a	PyDoc_STRVAR(PySSL_get_server_hostname_doc,
1823	n/a	"The currently set server hostname (for SNI).");
1824	n/a
1825	n/a	static PyObject *
1826	n/a	PySSL_get_owner(PySSLSocket self, void c)
1827	n/a	{
1828	n/a	PyObject *owner;
1829	n/a
1830	n/a	if (self->owner == NULL)
1831	n/a	Py_RETURN_NONE;
1832	n/a
1833	n/a	owner = PyWeakref_GetObject(self->owner);
1834	n/a	Py_INCREF(owner);
1835	n/a	return owner;
1836	n/a	}
1837	n/a
1838	n/a	static int
1839	n/a	PySSL_set_owner(PySSLSocket self, PyObject value, void *c)
1840	n/a	{
1841	n/a	Py_XSETREF(self->owner, PyWeakref_NewRef(value, NULL));
1842	n/a	if (self->owner == NULL)
1843	n/a	return -1;
1844	n/a	return 0;
1845	n/a	}
1846	n/a
1847	n/a	PyDoc_STRVAR(PySSL_get_owner_doc,
1848	n/a	"The Python-level owner of this object.\
1849	n/a	Passed as \"self\" in servername callback.");
1850	n/a
1851	n/a
1852	n/a	static void PySSL_dealloc(PySSLSocket *self)
1853	n/a	{
1854	n/a	if (self->peer_cert) /* Possible not to have one? */
1855	n/a	X509_free (self->peer_cert);
1856	n/a	if (self->ssl)
1857	n/a	SSL_free(self->ssl);
1858	n/a	Py_XDECREF(self->Socket);
1859	n/a	Py_XDECREF(self->ctx);
1860	n/a	Py_XDECREF(self->server_hostname);
1861	n/a	Py_XDECREF(self->owner);
1862	n/a	PyObject_Del(self);
1863	n/a	}
1864	n/a
1865	n/a	/* If the socket has a timeout, do a select()/poll() on the socket.
1866	n/a	The argument writing indicates the direction.
1867	n/a	Returns one of the possibilities in the timeout_state enum (above).
1868	n/a	*/
1869	n/a
1870	n/a	static int
1871	n/a	PySSL_select(PySocketSockObject *s, int writing, _PyTime_t timeout)
1872	n/a	{
1873	n/a	int rc;
1874	n/a	#ifdef HAVE_POLL
1875	n/a	struct pollfd pollfd;
1876	n/a	_PyTime_t ms;
1877	n/a	#else
1878	n/a	int nfds;
1879	n/a	fd_set fds;
1880	n/a	struct timeval tv;
1881	n/a	#endif
1882	n/a
1883	n/a	/* Nothing to do unless we're in timeout mode (not non-blocking) */
1884	n/a	if ((s == NULL) \|\| (timeout == 0))
1885	n/a	return SOCKET_IS_NONBLOCKING;
1886	n/a	else if (timeout < 0) {
1887	n/a	if (s->sock_timeout > 0)
1888	n/a	return SOCKET_HAS_TIMED_OUT;
1889	n/a	else
1890	n/a	return SOCKET_IS_BLOCKING;
1891	n/a	}
1892	n/a
1893	n/a	/* Guard against closed socket */
1894	n/a	if (s->sock_fd == INVALID_SOCKET)
1895	n/a	return SOCKET_HAS_BEEN_CLOSED;
1896	n/a
1897	n/a	/* Prefer poll, if available, since you can poll() any fd
1898	n/a	* which can't be done with select(). */
1899	n/a	#ifdef HAVE_POLL
1900	n/a	pollfd.fd = s->sock_fd;
1901	n/a	pollfd.events = writing ? POLLOUT : POLLIN;
1902	n/a
1903	n/a	/* timeout is in seconds, poll() uses milliseconds */
1904	n/a	ms = (int)_PyTime_AsMilliseconds(timeout, _PyTime_ROUND_CEILING);
1905	n/a	assert(ms <= INT_MAX);
1906	n/a
1907	n/a	PySSL_BEGIN_ALLOW_THREADS
1908	n/a	rc = poll(&pollfd, 1, (int)ms);
1909	n/a	PySSL_END_ALLOW_THREADS
1910	n/a	#else
1911	n/a	/* Guard against socket too large for select*/
1912	n/a	if (!_PyIsSelectable_fd(s->sock_fd))
1913	n/a	return SOCKET_TOO_LARGE_FOR_SELECT;
1914	n/a
1915	n/a	_PyTime_AsTimeval_noraise(timeout, &tv, _PyTime_ROUND_CEILING);
1916	n/a
1917	n/a	FD_ZERO(&fds);
1918	n/a	FD_SET(s->sock_fd, &fds);
1919	n/a
1920	n/a	/* Wait until the socket becomes ready */
1921	n/a	PySSL_BEGIN_ALLOW_THREADS
1922	n/a	nfds = Py_SAFE_DOWNCAST(s->sock_fd+1, SOCKET_T, int);
1923	n/a	if (writing)
1924	n/a	rc = select(nfds, NULL, &fds, NULL, &tv);
1925	n/a	else
1926	n/a	rc = select(nfds, &fds, NULL, NULL, &tv);
1927	n/a	PySSL_END_ALLOW_THREADS
1928	n/a	#endif
1929	n/a
1930	n/a	/* Return SOCKET_TIMED_OUT on timeout, SOCKET_OPERATION_OK otherwise
1931	n/a	(when we are able to write or when there's something to read) */
1932	n/a	return rc == 0 ? SOCKET_HAS_TIMED_OUT : SOCKET_OPERATION_OK;
1933	n/a	}
1934	n/a
1935	n/a	/*[clinic input]
1936	n/a	_ssl._SSLSocket.write
1937	n/a	b: Py_buffer
1938	n/a	/
1939	n/a
1940	n/a	Writes the bytes-like object b into the SSL object.
1941	n/a
1942	n/a	Returns the number of bytes written.
1943	n/a	[clinic start generated code]*/
1944	n/a
1945	n/a	static PyObject *
1946	n/a	_ssl__SSLSocket_write_impl(PySSLSocket self, Py_buffer b)
1947	n/a	/[clinic end generated code: output=aa7a6be5527358d8 input=77262d994fe5100a]/
1948	n/a	{
1949	n/a	int len;
1950	n/a	int sockstate;
1951	n/a	int err;
1952	n/a	int nonblocking;
1953	n/a	PySocketSockObject *sock = GET_SOCKET(self);
1954	n/a	_PyTime_t timeout, deadline = 0;
1955	n/a	int has_timeout;
1956	n/a
1957	n/a	if (sock != NULL) {
1958	n/a	if (((PyObject*)sock) == Py_None) {
1959	n/a	_setSSLError("Underlying socket connection gone",
1960	n/a	PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1961	n/a	return NULL;
1962	n/a	}
1963	n/a	Py_INCREF(sock);
1964	n/a	}
1965	n/a
1966	n/a	if (b->len > INT_MAX) {
1967	n/a	PyErr_Format(PyExc_OverflowError,
1968	n/a	"string longer than %d bytes", INT_MAX);
1969	n/a	goto error;
1970	n/a	}
1971	n/a
1972	n/a	if (sock != NULL) {
1973	n/a	/* just in case the blocking state of the socket has been changed */
1974	n/a	nonblocking = (sock->sock_timeout >= 0);
1975	n/a	BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1976	n/a	BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1977	n/a	}
1978	n/a
1979	n/a	timeout = GET_SOCKET_TIMEOUT(sock);
1980	n/a	has_timeout = (timeout > 0);
1981	n/a	if (has_timeout)
1982	n/a	deadline = _PyTime_GetMonotonicClock() + timeout;
1983	n/a
1984	n/a	sockstate = PySSL_select(sock, 1, timeout);
1985	n/a	if (sockstate == SOCKET_HAS_TIMED_OUT) {
1986	n/a	PyErr_SetString(PySocketModule.timeout_error,
1987	n/a	"The write operation timed out");
1988	n/a	goto error;
1989	n/a	} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1990	n/a	PyErr_SetString(PySSLErrorObject,
1991	n/a	"Underlying socket has been closed.");
1992	n/a	goto error;
1993	n/a	} else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1994	n/a	PyErr_SetString(PySSLErrorObject,
1995	n/a	"Underlying socket too large for select().");
1996	n/a	goto error;
1997	n/a	}
1998	n/a
1999	n/a	do {
2000	n/a	PySSL_BEGIN_ALLOW_THREADS
2001	n/a	len = SSL_write(self->ssl, b->buf, (int)b->len);
2002	n/a	err = SSL_get_error(self->ssl, len);
2003	n/a	PySSL_END_ALLOW_THREADS
2004	n/a
2005	n/a	if (PyErr_CheckSignals())
2006	n/a	goto error;
2007	n/a
2008	n/a	if (has_timeout)
2009	n/a	timeout = deadline - _PyTime_GetMonotonicClock();
2010	n/a
2011	n/a	if (err == SSL_ERROR_WANT_READ) {
2012	n/a	sockstate = PySSL_select(sock, 0, timeout);
2013	n/a	} else if (err == SSL_ERROR_WANT_WRITE) {
2014	n/a	sockstate = PySSL_select(sock, 1, timeout);
2015	n/a	} else {
2016	n/a	sockstate = SOCKET_OPERATION_OK;
2017	n/a	}
2018	n/a
2019	n/a	if (sockstate == SOCKET_HAS_TIMED_OUT) {
2020	n/a	PyErr_SetString(PySocketModule.timeout_error,
2021	n/a	"The write operation timed out");
2022	n/a	goto error;
2023	n/a	} else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
2024	n/a	PyErr_SetString(PySSLErrorObject,
2025	n/a	"Underlying socket has been closed.");
2026	n/a	goto error;
2027	n/a	} else if (sockstate == SOCKET_IS_NONBLOCKING) {
2028	n/a	break;
2029	n/a	}
2030	n/a	} while (err == SSL_ERROR_WANT_READ \|\| err == SSL_ERROR_WANT_WRITE);
2031	n/a
2032	n/a	Py_XDECREF(sock);
2033	n/a	if (len > 0)
2034	n/a	return PyLong_FromLong(len);
2035	n/a	else
2036	n/a	return PySSL_SetError(self, len, __FILE__, __LINE__);
2037	n/a
2038	n/a	error:
2039	n/a	Py_XDECREF(sock);
2040	n/a	return NULL;
2041	n/a	}
2042	n/a
2043	n/a	/*[clinic input]
2044	n/a	_ssl._SSLSocket.pending
2045	n/a
2046	n/a	Returns the number of already decrypted bytes available for read, pending on the connection.
2047	n/a	[clinic start generated code]*/
2048	n/a
2049	n/a	static PyObject *
2050	n/a	_ssl__SSLSocket_pending_impl(PySSLSocket *self)
2051	n/a	/[clinic end generated code: output=983d9fecdc308a83 input=2b77487d6dfd597f]/
2052	n/a	{
2053	n/a	int count = 0;
2054	n/a
2055	n/a	PySSL_BEGIN_ALLOW_THREADS
2056	n/a	count = SSL_pending(self->ssl);
2057	n/a	PySSL_END_ALLOW_THREADS
2058	n/a	if (count < 0)
2059	n/a	return PySSL_SetError(self, count, __FILE__, __LINE__);
2060	n/a	else
2061	n/a	return PyLong_FromLong(count);
2062	n/a	}
2063	n/a
2064	n/a	/*[clinic input]
2065	n/a	_ssl._SSLSocket.read
2066	n/a	size as len: int
2067	n/a	[
2068	n/a	buffer: Py_buffer(accept={rwbuffer})
2069	n/a	]
2070	n/a	/
2071	n/a
2072	n/a	Read up to size bytes from the SSL socket.
2073	n/a	[clinic start generated code]*/
2074	n/a
2075	n/a	static PyObject *
2076	n/a	_ssl__SSLSocket_read_impl(PySSLSocket *self, int len, int group_right_1,
2077	n/a	Py_buffer *buffer)
2078	n/a	/[clinic end generated code: output=00097776cec2a0af input=ff157eb918d0905b]/
2079	n/a	{
2080	n/a	PyObject *dest = NULL;
2081	n/a	char *mem;
2082	n/a	int count;
2083	n/a	int sockstate;
2084	n/a	int err;
2085	n/a	int nonblocking;
2086	n/a	PySocketSockObject *sock = GET_SOCKET(self);
2087	n/a	_PyTime_t timeout, deadline = 0;
2088	n/a	int has_timeout;
2089	n/a
2090	n/a	if (!group_right_1 && len < 0) {
2091	n/a	PyErr_SetString(PyExc_ValueError, "size should not be negative");
2092	n/a	return NULL;
2093	n/a	}
2094	n/a
2095	n/a	if (sock != NULL) {
2096	n/a	if (((PyObject*)sock) == Py_None) {
2097	n/a	_setSSLError("Underlying socket connection gone",
2098	n/a	PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
2099	n/a	return NULL;
2100	n/a	}
2101	n/a	Py_INCREF(sock);
2102	n/a	}
2103	n/a
2104	n/a	if (!group_right_1) {
2105	n/a	dest = PyBytes_FromStringAndSize(NULL, len);
2106	n/a	if (dest == NULL)
2107	n/a	goto error;
2108	n/a	if (len == 0) {
2109	n/a	Py_XDECREF(sock);
2110	n/a	return dest;
2111	n/a	}
2112	n/a	mem = PyBytes_AS_STRING(dest);
2113	n/a	}
2114	n/a	else {
2115	n/a	mem = buffer->buf;
2116	n/a	if (len <= 0 \|\| len > buffer->len) {
2117	n/a	len = (int) buffer->len;
2118	n/a	if (buffer->len != len) {
2119	n/a	PyErr_SetString(PyExc_OverflowError,
2120	n/a	"maximum length can't fit in a C 'int'");
2121	n/a	goto error;
2122	n/a	}
2123	n/a	if (len == 0) {
2124	n/a	count = 0;
2125	n/a	goto done;
2126	n/a	}
2127	n/a	}
2128	n/a	}
2129	n/a
2130	n/a	if (sock != NULL) {
2131	n/a	/* just in case the blocking state of the socket has been changed */
2132	n/a	nonblocking = (sock->sock_timeout >= 0);
2133	n/a	BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
2134	n/a	BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
2135	n/a	}
2136	n/a
2137	n/a	timeout = GET_SOCKET_TIMEOUT(sock);
2138	n/a	has_timeout = (timeout > 0);
2139	n/a	if (has_timeout)
2140	n/a	deadline = _PyTime_GetMonotonicClock() + timeout;
2141	n/a
2142	n/a	do {
2143	n/a	PySSL_BEGIN_ALLOW_THREADS
2144	n/a	count = SSL_read(self->ssl, mem, len);
2145	n/a	err = SSL_get_error(self->ssl, count);
2146	n/a	PySSL_END_ALLOW_THREADS
2147	n/a
2148	n/a	if (PyErr_CheckSignals())
2149	n/a	goto error;
2150	n/a
2151	n/a	if (has_timeout)
2152	n/a	timeout = deadline - _PyTime_GetMonotonicClock();
2153	n/a
2154	n/a	if (err == SSL_ERROR_WANT_READ) {
2155	n/a	sockstate = PySSL_select(sock, 0, timeout);
2156	n/a	} else if (err == SSL_ERROR_WANT_WRITE) {
2157	n/a	sockstate = PySSL_select(sock, 1, timeout);
2158	n/a	} else if (err == SSL_ERROR_ZERO_RETURN &&
2159	n/a	SSL_get_shutdown(self->ssl) == SSL_RECEIVED_SHUTDOWN)
2160	n/a	{
2161	n/a	count = 0;
2162	n/a	goto done;
2163	n/a	}
2164	n/a	else
2165	n/a	sockstate = SOCKET_OPERATION_OK;
2166	n/a
2167	n/a	if (sockstate == SOCKET_HAS_TIMED_OUT) {
2168	n/a	PyErr_SetString(PySocketModule.timeout_error,
2169	n/a	"The read operation timed out");
2170	n/a	goto error;
2171	n/a	} else if (sockstate == SOCKET_IS_NONBLOCKING) {
2172	n/a	break;
2173	n/a	}
2174	n/a	} while (err == SSL_ERROR_WANT_READ \|\| err == SSL_ERROR_WANT_WRITE);
2175	n/a
2176	n/a	if (count <= 0) {
2177	n/a	PySSL_SetError(self, count, __FILE__, __LINE__);
2178	n/a	goto error;
2179	n/a	}
2180	n/a
2181	n/a	done:
2182	n/a	Py_XDECREF(sock);
2183	n/a	if (!group_right_1) {
2184	n/a	_PyBytes_Resize(&dest, count);
2185	n/a	return dest;
2186	n/a	}
2187	n/a	else {
2188	n/a	return PyLong_FromLong(count);
2189	n/a	}
2190	n/a
2191	n/a	error:
2192	n/a	Py_XDECREF(sock);
2193	n/a	if (!group_right_1)
2194	n/a	Py_XDECREF(dest);
2195	n/a	return NULL;
2196	n/a	}
2197	n/a
2198	n/a	/*[clinic input]
2199	n/a	_ssl._SSLSocket.shutdown
2200	n/a
2201	n/a	Does the SSL shutdown handshake with the remote end.
2202	n/a
2203	n/a	Returns the underlying socket object.
2204	n/a	[clinic start generated code]*/
2205	n/a
2206	n/a	static PyObject *
2207	n/a	_ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
2208	n/a	/[clinic end generated code: output=ca1aa7ed9d25ca42 input=ede2cc1a2ddf0ee4]/
2209	n/a	{
2210	n/a	int err, ssl_err, sockstate, nonblocking;
2211	n/a	int zeros = 0;
2212	n/a	PySocketSockObject *sock = GET_SOCKET(self);
2213	n/a	_PyTime_t timeout, deadline = 0;
2214	n/a	int has_timeout;
2215	n/a
2216	n/a	if (sock != NULL) {
2217	n/a	/* Guard against closed socket */
2218	n/a	if ((((PyObject*)sock) == Py_None) \|\| (sock->sock_fd == INVALID_SOCKET)) {
2219	n/a	_setSSLError("Underlying socket connection gone",
2220	n/a	PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
2221	n/a	return NULL;
2222	n/a	}
2223	n/a	Py_INCREF(sock);
2224	n/a
2225	n/a	/* Just in case the blocking state of the socket has been changed */
2226	n/a	nonblocking = (sock->sock_timeout >= 0);
2227	n/a	BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
2228	n/a	BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
2229	n/a	}
2230	n/a
2231	n/a	timeout = GET_SOCKET_TIMEOUT(sock);
2232	n/a	has_timeout = (timeout > 0);
2233	n/a	if (has_timeout)
2234	n/a	deadline = _PyTime_GetMonotonicClock() + timeout;
2235	n/a
2236	n/a	while (1) {
2237	n/a	PySSL_BEGIN_ALLOW_THREADS
2238	n/a	/* Disable read-ahead so that unwrap can work correctly.
2239	n/a	* Otherwise OpenSSL might read in too much data,
2240	n/a	* eating clear text data that happens to be
2241	n/a	* transmitted after the SSL shutdown.
2242	n/a	* Should be safe to call repeatedly every time this
2243	n/a	* function is used and the shutdown_seen_zero != 0
2244	n/a	* condition is met.
2245	n/a	*/
2246	n/a	if (self->shutdown_seen_zero)
2247	n/a	SSL_set_read_ahead(self->ssl, 0);
2248	n/a	err = SSL_shutdown(self->ssl);
2249	n/a	PySSL_END_ALLOW_THREADS
2250	n/a
2251	n/a	/* If err == 1, a secure shutdown with SSL_shutdown() is complete */
2252	n/a	if (err > 0)
2253	n/a	break;
2254	n/a	if (err == 0) {
2255	n/a	/* Don't loop endlessly; instead preserve legacy
2256	n/a	behaviour of trying SSL_shutdown() only twice.
2257	n/a	This looks necessary for OpenSSL < 0.9.8m */
2258	n/a	if (++zeros > 1)
2259	n/a	break;
2260	n/a	/* Shutdown was sent, now try receiving */
2261	n/a	self->shutdown_seen_zero = 1;
2262	n/a	continue;
2263	n/a	}
2264	n/a
2265	n/a	if (has_timeout)
2266	n/a	timeout = deadline - _PyTime_GetMonotonicClock();
2267	n/a
2268	n/a	/* Possibly retry shutdown until timeout or failure */
2269	n/a	ssl_err = SSL_get_error(self->ssl, err);
2270	n/a	if (ssl_err == SSL_ERROR_WANT_READ)
2271	n/a	sockstate = PySSL_select(sock, 0, timeout);
2272	n/a	else if (ssl_err == SSL_ERROR_WANT_WRITE)
2273	n/a	sockstate = PySSL_select(sock, 1, timeout);
2274	n/a	else
2275	n/a	break;
2276	n/a
2277	n/a	if (sockstate == SOCKET_HAS_TIMED_OUT) {
2278	n/a	if (ssl_err == SSL_ERROR_WANT_READ)
2279	n/a	PyErr_SetString(PySocketModule.timeout_error,
2280	n/a	"The read operation timed out");
2281	n/a	else
2282	n/a	PyErr_SetString(PySocketModule.timeout_error,
2283	n/a	"The write operation timed out");
2284	n/a	goto error;
2285	n/a	}
2286	n/a	else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
2287	n/a	PyErr_SetString(PySSLErrorObject,
2288	n/a	"Underlying socket too large for select().");
2289	n/a	goto error;
2290	n/a	}
2291	n/a	else if (sockstate != SOCKET_OPERATION_OK)
2292	n/a	/* Retain the SSL error code */
2293	n/a	break;
2294	n/a	}
2295	n/a
2296	n/a	if (err < 0) {
2297	n/a	Py_XDECREF(sock);
2298	n/a	return PySSL_SetError(self, err, __FILE__, __LINE__);
2299	n/a	}
2300	n/a	if (sock)
2301	n/a	/* It's already INCREF'ed */
2302	n/a	return (PyObject *) sock;
2303	n/a	else
2304	n/a	Py_RETURN_NONE;
2305	n/a
2306	n/a	error:
2307	n/a	Py_XDECREF(sock);
2308	n/a	return NULL;
2309	n/a	}
2310	n/a
2311	n/a	/*[clinic input]
2312	n/a	_ssl._SSLSocket.tls_unique_cb
2313	n/a
2314	n/a	Returns the 'tls-unique' channel binding data, as defined by RFC 5929.
2315	n/a
2316	n/a	If the TLS handshake is not yet complete, None is returned.
2317	n/a	[clinic start generated code]*/
2318	n/a
2319	n/a	static PyObject *
2320	n/a	_ssl__SSLSocket_tls_unique_cb_impl(PySSLSocket *self)
2321	n/a	/[clinic end generated code: output=f3a832d603f586af input=439525c7b3d8d34d]/
2322	n/a	{
2323	n/a	PyObject *retval = NULL;
2324	n/a	char buf[PySSL_CB_MAXLEN];
2325	n/a	size_t len;
2326	n/a
2327	n/a	if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
2328	n/a	/* if session is resumed XOR we are the client */
2329	n/a	len = SSL_get_finished(self->ssl, buf, PySSL_CB_MAXLEN);
2330	n/a	}
2331	n/a	else {
2332	n/a	/* if a new session XOR we are the server */
2333	n/a	len = SSL_get_peer_finished(self->ssl, buf, PySSL_CB_MAXLEN);
2334	n/a	}
2335	n/a
2336	n/a	/* It cannot be negative in current OpenSSL version as of July 2011 */
2337	n/a	if (len == 0)
2338	n/a	Py_RETURN_NONE;
2339	n/a
2340	n/a	retval = PyBytes_FromStringAndSize(buf, len);
2341	n/a
2342	n/a	return retval;
2343	n/a	}
2344	n/a
2345	n/a	#ifdef OPENSSL_VERSION_1_1
2346	n/a
2347	n/a	static SSL_SESSION*
2348	n/a	_ssl_session_dup(SSL_SESSION *session) {
2349	n/a	SSL_SESSION *newsession = NULL;
2350	n/a	int slen;
2351	n/a	unsigned char senc = NULL, p;
2352	n/a	const unsigned char *const_p;
2353	n/a
2354	n/a	if (session == NULL) {
2355	n/a	PyErr_SetString(PyExc_ValueError, "Invalid session");
2356	n/a	goto error;
2357	n/a	}
2358	n/a
2359	n/a	/* get length */
2360	n/a	slen = i2d_SSL_SESSION(session, NULL);
2361	n/a	if (slen == 0 \|\| slen > 0xFF00) {
2362	n/a	PyErr_SetString(PyExc_ValueError, "i2d() failed.");
2363	n/a	goto error;
2364	n/a	}
2365	n/a	if ((senc = PyMem_Malloc(slen)) == NULL) {
2366	n/a	PyErr_NoMemory();
2367	n/a	goto error;
2368	n/a	}
2369	n/a	p = senc;
2370	n/a	if (!i2d_SSL_SESSION(session, &p)) {
2371	n/a	PyErr_SetString(PyExc_ValueError, "i2d() failed.");
2372	n/a	goto error;
2373	n/a	}
2374	n/a	const_p = senc;
2375	n/a	newsession = d2i_SSL_SESSION(NULL, &const_p, slen);
2376	n/a	if (session == NULL) {
2377	n/a	goto error;
2378	n/a	}
2379	n/a	PyMem_Free(senc);
2380	n/a	return newsession;
2381	n/a	error:
2382	n/a	if (senc != NULL) {
2383	n/a	PyMem_Free(senc);
2384	n/a	}
2385	n/a	return NULL;
2386	n/a	}
2387	n/a	#endif
2388	n/a
2389	n/a	static PyObject *
2390	n/a	PySSL_get_session(PySSLSocket self, void closure) {
2391	n/a	/* get_session can return sessions from a server-side connection,
2392	n/a	* it does not check for handshake done or client socket. */
2393	n/a	PySSLSession *pysess;
2394	n/a	SSL_SESSION *session;
2395	n/a
2396	n/a	#ifdef OPENSSL_VERSION_1_1
2397	n/a	/* duplicate session as workaround for session bug in OpenSSL 1.1.0,
2398	n/a	* https://github.com/openssl/openssl/issues/1550 */
2399	n/a	session = SSL_get0_session(self->ssl); /* borrowed reference */
2400	n/a	if (session == NULL) {
2401	n/a	Py_RETURN_NONE;
2402	n/a	}
2403	n/a	if ((session = _ssl_session_dup(session)) == NULL) {
2404	n/a	return NULL;
2405	n/a	}
2406	n/a	#else
2407	n/a	session = SSL_get1_session(self->ssl);
2408	n/a	if (session == NULL) {
2409	n/a	Py_RETURN_NONE;
2410	n/a	}
2411	n/a	#endif
2412	n/a	pysess = PyObject_GC_New(PySSLSession, &PySSLSession_Type);
2413	n/a	if (pysess == NULL) {
2414	n/a	SSL_SESSION_free(session);
2415	n/a	return NULL;
2416	n/a	}
2417	n/a
2418	n/a	assert(self->ctx);
2419	n/a	pysess->ctx = self->ctx;
2420	n/a	Py_INCREF(pysess->ctx);
2421	n/a	pysess->session = session;
2422	n/a	PyObject_GC_Track(pysess);
2423	n/a	return (PyObject *)pysess;
2424	n/a	}
2425	n/a
2426	n/a	static int PySSL_set_session(PySSLSocket self, PyObject value,
2427	n/a	void *closure)
2428	n/a	{
2429	n/a	PySSLSession *pysess;
2430	n/a	#ifdef OPENSSL_VERSION_1_1
2431	n/a	SSL_SESSION *session;
2432	n/a	#endif
2433	n/a	int result;
2434	n/a
2435	n/a	if (!PySSLSession_Check(value)) {
2436	n/a	PyErr_SetString(PyExc_TypeError, "Value is not a SSLSession.");
2437	n/a	return -1;
2438	n/a	}
2439	n/a	pysess = (PySSLSession *)value;
2440	n/a
2441	n/a	if (self->ctx->ctx != pysess->ctx->ctx) {
2442	n/a	PyErr_SetString(PyExc_ValueError,
2443	n/a	"Session refers to a different SSLContext.");
2444	n/a	return -1;
2445	n/a	}
2446	n/a	if (self->socket_type != PY_SSL_CLIENT) {
2447	n/a	PyErr_SetString(PyExc_ValueError,
2448	n/a	"Cannot set session for server-side SSLSocket.");
2449	n/a	return -1;
2450	n/a	}
2451	n/a	if (self->handshake_done) {
2452	n/a	PyErr_SetString(PyExc_ValueError,
2453	n/a	"Cannot set session after handshake.");
2454	n/a	return -1;
2455	n/a	}
2456	n/a	#ifdef OPENSSL_VERSION_1_1
2457	n/a	/* duplicate session */
2458	n/a	if ((session = _ssl_session_dup(pysess->session)) == NULL) {
2459	n/a	return -1;
2460	n/a	}
2461	n/a	result = SSL_set_session(self->ssl, session);
2462	n/a	/* free duplicate, SSL_set_session() bumps ref count */
2463	n/a	SSL_SESSION_free(session);
2464	n/a	#else
2465	n/a	result = SSL_set_session(self->ssl, pysess->session);
2466	n/a	#endif
2467	n/a	if (result == 0) {
2468	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
2469	n/a	return -1;
2470	n/a	}
2471	n/a	return 0;
2472	n/a	}
2473	n/a
2474	n/a	PyDoc_STRVAR(PySSL_set_session_doc,
2475	n/a	"_setter_session(session)\n\
2476	n/a	\
2477	n/a	Get / set SSLSession.");
2478	n/a
2479	n/a	static PyObject *
2480	n/a	PySSL_get_session_reused(PySSLSocket self, void closure) {
2481	n/a	if (SSL_session_reused(self->ssl)) {
2482	n/a	Py_RETURN_TRUE;
2483	n/a	} else {
2484	n/a	Py_RETURN_FALSE;
2485	n/a	}
2486	n/a	}
2487	n/a
2488	n/a	PyDoc_STRVAR(PySSL_get_session_reused_doc,
2489	n/a	"Was the client session reused during handshake?");
2490	n/a
2491	n/a	static PyGetSetDef ssl_getsetlist[] = {
2492	n/a	{"context", (getter) PySSL_get_context,
2493	n/a	(setter) PySSL_set_context, PySSL_set_context_doc},
2494	n/a	{"server_side", (getter) PySSL_get_server_side, NULL,
2495	n/a	PySSL_get_server_side_doc},
2496	n/a	{"server_hostname", (getter) PySSL_get_server_hostname, NULL,
2497	n/a	PySSL_get_server_hostname_doc},
2498	n/a	{"owner", (getter) PySSL_get_owner, (setter) PySSL_set_owner,
2499	n/a	PySSL_get_owner_doc},
2500	n/a	{"session", (getter) PySSL_get_session,
2501	n/a	(setter) PySSL_set_session, PySSL_set_session_doc},
2502	n/a	{"session_reused", (getter) PySSL_get_session_reused, NULL,
2503	n/a	PySSL_get_session_reused_doc},
2504	n/a	{NULL}, /* sentinel */
2505	n/a	};
2506	n/a
2507	n/a	static PyMethodDef PySSLMethods[] = {
2508	n/a	_SSL__SSLSOCKET_DO_HANDSHAKE_METHODDEF
2509	n/a	_SSL__SSLSOCKET_WRITE_METHODDEF
2510	n/a	_SSL__SSLSOCKET_READ_METHODDEF
2511	n/a	_SSL__SSLSOCKET_PENDING_METHODDEF
2512	n/a	_SSL__SSLSOCKET_PEER_CERTIFICATE_METHODDEF
2513	n/a	_SSL__SSLSOCKET_CIPHER_METHODDEF
2514	n/a	_SSL__SSLSOCKET_SHARED_CIPHERS_METHODDEF
2515	n/a	_SSL__SSLSOCKET_VERSION_METHODDEF
2516	n/a	_SSL__SSLSOCKET_SELECTED_NPN_PROTOCOL_METHODDEF
2517	n/a	_SSL__SSLSOCKET_SELECTED_ALPN_PROTOCOL_METHODDEF
2518	n/a	_SSL__SSLSOCKET_COMPRESSION_METHODDEF
2519	n/a	_SSL__SSLSOCKET_SHUTDOWN_METHODDEF
2520	n/a	_SSL__SSLSOCKET_TLS_UNIQUE_CB_METHODDEF
2521	n/a	{NULL, NULL}
2522	n/a	};
2523	n/a
2524	n/a	static PyTypeObject PySSLSocket_Type = {
2525	n/a	PyVarObject_HEAD_INIT(NULL, 0)
2526	n/a	"_ssl._SSLSocket", /tp_name/
2527	n/a	sizeof(PySSLSocket), /tp_basicsize/
2528	n/a	0, /tp_itemsize/
2529	n/a	/* methods */
2530	n/a	(destructor)PySSL_dealloc, /tp_dealloc/
2531	n/a	0, /tp_print/
2532	n/a	0, /tp_getattr/
2533	n/a	0, /tp_setattr/
2534	n/a	0, /tp_reserved/
2535	n/a	0, /tp_repr/
2536	n/a	0, /tp_as_number/
2537	n/a	0, /tp_as_sequence/
2538	n/a	0, /tp_as_mapping/
2539	n/a	0, /tp_hash/
2540	n/a	0, /tp_call/
2541	n/a	0, /tp_str/
2542	n/a	0, /tp_getattro/
2543	n/a	0, /tp_setattro/
2544	n/a	0, /tp_as_buffer/
2545	n/a	Py_TPFLAGS_DEFAULT, /tp_flags/
2546	n/a	0, /tp_doc/
2547	n/a	0, /tp_traverse/
2548	n/a	0, /tp_clear/
2549	n/a	0, /tp_richcompare/
2550	n/a	0, /tp_weaklistoffset/
2551	n/a	0, /tp_iter/
2552	n/a	0, /tp_iternext/
2553	n/a	PySSLMethods, /tp_methods/
2554	n/a	0, /tp_members/
2555	n/a	ssl_getsetlist, /tp_getset/
2556	n/a	};
2557	n/a
2558	n/a
2559	n/a	/*
2560	n/a	* _SSLContext objects
2561	n/a	*/
2562	n/a
2563	n/a	static int
2564	n/a	_set_verify_mode(SSL_CTX *ctx, enum py_ssl_cert_requirements n)
2565	n/a	{
2566	n/a	int mode;
2567	n/a	int (verify_cb)(int, X509_STORE_CTX ) = NULL;
2568	n/a
2569	n/a	switch(n) {
2570	n/a	case PY_SSL_CERT_NONE:
2571	n/a	mode = SSL_VERIFY_NONE;
2572	n/a	break;
2573	n/a	case PY_SSL_CERT_OPTIONAL:
2574	n/a	mode = SSL_VERIFY_PEER;
2575	n/a	break;
2576	n/a	case PY_SSL_CERT_REQUIRED:
2577	n/a	mode = SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
2578	n/a	break;
2579	n/a	default:
2580	n/a	PyErr_SetString(PyExc_ValueError,
2581	n/a	"invalid value for verify_mode");
2582	n/a	return -1;
2583	n/a	}
2584	n/a	/* keep current verify cb */
2585	n/a	verify_cb = SSL_CTX_get_verify_callback(ctx);
2586	n/a	SSL_CTX_set_verify(ctx, mode, verify_cb);
2587	n/a	return 0;
2588	n/a	}
2589	n/a
2590	n/a	/*[clinic input]
2591	n/a	@classmethod
2592	n/a	_ssl._SSLContext.__new__
2593	n/a	protocol as proto_version: int
2594	n/a	/
2595	n/a	[clinic start generated code]*/
2596	n/a
2597	n/a	static PyObject *
2598	n/a	_ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
2599	n/a	/[clinic end generated code: output=2cf0d7a0741b6bd1 input=8d58a805b95fc534]/
2600	n/a	{
2601	n/a	PySSLContext *self;
2602	n/a	long options;
2603	n/a	SSL_CTX *ctx = NULL;
2604	n/a	int result;
2605	n/a	#if defined(SSL_MODE_RELEASE_BUFFERS)
2606	n/a	unsigned long libver;
2607	n/a	#endif
2608	n/a
2609	n/a	PySSL_BEGIN_ALLOW_THREADS
2610	n/a	if (proto_version == PY_SSL_VERSION_TLS1)
2611	n/a	ctx = SSL_CTX_new(TLSv1_method());
2612	n/a	#if HAVE_TLSv1_2
2613	n/a	else if (proto_version == PY_SSL_VERSION_TLS1_1)
2614	n/a	ctx = SSL_CTX_new(TLSv1_1_method());
2615	n/a	else if (proto_version == PY_SSL_VERSION_TLS1_2)
2616	n/a	ctx = SSL_CTX_new(TLSv1_2_method());
2617	n/a	#endif
2618	n/a	#ifndef OPENSSL_NO_SSL3
2619	n/a	else if (proto_version == PY_SSL_VERSION_SSL3)
2620	n/a	ctx = SSL_CTX_new(SSLv3_method());
2621	n/a	#endif
2622	n/a	#ifndef OPENSSL_NO_SSL2
2623	n/a	else if (proto_version == PY_SSL_VERSION_SSL2)
2624	n/a	ctx = SSL_CTX_new(SSLv2_method());
2625	n/a	#endif
2626	n/a	else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
2627	n/a	ctx = SSL_CTX_new(TLS_method());
2628	n/a	else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
2629	n/a	ctx = SSL_CTX_new(TLS_client_method());
2630	n/a	else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
2631	n/a	ctx = SSL_CTX_new(TLS_server_method());
2632	n/a	else
2633	n/a	proto_version = -1;
2634	n/a	PySSL_END_ALLOW_THREADS
2635	n/a
2636	n/a	if (proto_version == -1) {
2637	n/a	PyErr_SetString(PyExc_ValueError,
2638	n/a	"invalid protocol version");
2639	n/a	return NULL;
2640	n/a	}
2641	n/a	if (ctx == NULL) {
2642	n/a	PyErr_SetString(PySSLErrorObject,
2643	n/a	"failed to allocate SSL context");
2644	n/a	return NULL;
2645	n/a	}
2646	n/a
2647	n/a	assert(type != NULL && type->tp_alloc != NULL);
2648	n/a	self = (PySSLContext *) type->tp_alloc(type, 0);
2649	n/a	if (self == NULL) {
2650	n/a	SSL_CTX_free(ctx);
2651	n/a	return NULL;
2652	n/a	}
2653	n/a	self->ctx = ctx;
2654	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
2655	n/a	self->npn_protocols = NULL;
2656	n/a	#endif
2657	n/a	#ifdef HAVE_ALPN
2658	n/a	self->alpn_protocols = NULL;
2659	n/a	#endif
2660	n/a	#ifndef OPENSSL_NO_TLSEXT
2661	n/a	self->set_hostname = NULL;
2662	n/a	#endif
2663	n/a	/* Don't check host name by default */
2664	n/a	if (proto_version == PY_SSL_VERSION_TLS_CLIENT) {
2665	n/a	self->check_hostname = 1;
2666	n/a	if (_set_verify_mode(self->ctx, PY_SSL_CERT_REQUIRED) == -1) {
2667	n/a	Py_DECREF(self);
2668	n/a	return NULL;
2669	n/a	}
2670	n/a	} else {
2671	n/a	self->check_hostname = 0;
2672	n/a	if (_set_verify_mode(self->ctx, PY_SSL_CERT_NONE) == -1) {
2673	n/a	Py_DECREF(self);
2674	n/a	return NULL;
2675	n/a	}
2676	n/a	}
2677	n/a	/* Defaults */
2678	n/a	options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
2679	n/a	if (proto_version != PY_SSL_VERSION_SSL2)
2680	n/a	options \|= SSL_OP_NO_SSLv2;
2681	n/a	if (proto_version != PY_SSL_VERSION_SSL3)
2682	n/a	options \|= SSL_OP_NO_SSLv3;
2683	n/a	/* Minimal security flags for server and client side context.
2684	n/a	* Client sockets ignore server-side parameters. */
2685	n/a	#ifdef SSL_OP_NO_COMPRESSION
2686	n/a	options \|= SSL_OP_NO_COMPRESSION;
2687	n/a	#endif
2688	n/a	#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2689	n/a	options \|= SSL_OP_CIPHER_SERVER_PREFERENCE;
2690	n/a	#endif
2691	n/a	#ifdef SSL_OP_SINGLE_DH_USE
2692	n/a	options \|= SSL_OP_SINGLE_DH_USE;
2693	n/a	#endif
2694	n/a	#ifdef SSL_OP_SINGLE_ECDH_USE
2695	n/a	options \|= SSL_OP_SINGLE_ECDH_USE;
2696	n/a	#endif
2697	n/a	SSL_CTX_set_options(self->ctx, options);
2698	n/a
2699	n/a	/* A bare minimum cipher list without completly broken cipher suites.
2700	n/a	* It's far from perfect but gives users a better head start. */
2701	n/a	if (proto_version != PY_SSL_VERSION_SSL2) {
2702	n/a	result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5");
2703	n/a	} else {
2704	n/a	/* SSLv2 needs MD5 */
2705	n/a	result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
2706	n/a	}
2707	n/a	if (result == 0) {
2708	n/a	Py_DECREF(self);
2709	n/a	ERR_clear_error();
2710	n/a	PyErr_SetString(PySSLErrorObject,
2711	n/a	"No cipher can be selected.");
2712	n/a	return NULL;
2713	n/a	}
2714	n/a
2715	n/a	#if defined(SSL_MODE_RELEASE_BUFFERS)
2716	n/a	/* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
2717	n/a	usage for no cost at all. However, don't do this for OpenSSL versions
2718	n/a	between 1.0.1 and 1.0.1h or 1.0.0 and 1.0.0m, which are affected by CVE
2719	n/a	2014-0198. I can't find exactly which beta fixed this CVE, so be
2720	n/a	conservative and assume it wasn't fixed until release. We do this check
2721	n/a	at runtime to avoid problems from the dynamic linker.
2722	n/a	See #25672 for more on this. */
2723	n/a	libver = SSLeay();
2724	n/a	if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
2725	n/a	!(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
2726	n/a	SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
2727	n/a	}
2728	n/a	#endif
2729	n/a
2730	n/a
2731	n/a	#ifndef OPENSSL_NO_ECDH
2732	n/a	/* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
2733	n/a	prime256v1 by default. This is Apache mod_ssl's initialization
2734	n/a	policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
2735	n/a	*/
2736	n/a	#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
2737	n/a	SSL_CTX_set_ecdh_auto(self->ctx, 1);
2738	n/a	#else
2739	n/a	{
2740	n/a	EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2741	n/a	SSL_CTX_set_tmp_ecdh(self->ctx, key);
2742	n/a	EC_KEY_free(key);
2743	n/a	}
2744	n/a	#endif
2745	n/a	#endif
2746	n/a
2747	n/a	#define SID_CTX "Python"
2748	n/a	SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
2749	n/a	sizeof(SID_CTX));
2750	n/a	#undef SID_CTX
2751	n/a
2752	n/a	#ifdef X509_V_FLAG_TRUSTED_FIRST
2753	n/a	{
2754	n/a	/* Improve trust chain building when cross-signed intermediate
2755	n/a	certificates are present. See https://bugs.python.org/issue23476. */
2756	n/a	X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
2757	n/a	X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
2758	n/a	}
2759	n/a	#endif
2760	n/a
2761	n/a	return (PyObject *)self;
2762	n/a	}
2763	n/a
2764	n/a	static int
2765	n/a	context_traverse(PySSLContext self, visitproc visit, void arg)
2766	n/a	{
2767	n/a	#ifndef OPENSSL_NO_TLSEXT
2768	n/a	Py_VISIT(self->set_hostname);
2769	n/a	#endif
2770	n/a	return 0;
2771	n/a	}
2772	n/a
2773	n/a	static int
2774	n/a	context_clear(PySSLContext *self)
2775	n/a	{
2776	n/a	#ifndef OPENSSL_NO_TLSEXT
2777	n/a	Py_CLEAR(self->set_hostname);
2778	n/a	#endif
2779	n/a	return 0;
2780	n/a	}
2781	n/a
2782	n/a	static void
2783	n/a	context_dealloc(PySSLContext *self)
2784	n/a	{
2785	n/a	context_clear(self);
2786	n/a	SSL_CTX_free(self->ctx);
2787	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
2788	n/a	PyMem_FREE(self->npn_protocols);
2789	n/a	#endif
2790	n/a	#ifdef HAVE_ALPN
2791	n/a	PyMem_FREE(self->alpn_protocols);
2792	n/a	#endif
2793	n/a	Py_TYPE(self)->tp_free(self);
2794	n/a	}
2795	n/a
2796	n/a	/*[clinic input]
2797	n/a	_ssl._SSLContext.set_ciphers
2798	n/a	cipherlist: str
2799	n/a	/
2800	n/a	[clinic start generated code]*/
2801	n/a
2802	n/a	static PyObject *
2803	n/a	_ssl__SSLContext_set_ciphers_impl(PySSLContext self, const char cipherlist)
2804	n/a	/[clinic end generated code: output=3a3162f3557c0f3f input=a7ac931b9f3ca7fc]/
2805	n/a	{
2806	n/a	int ret = SSL_CTX_set_cipher_list(self->ctx, cipherlist);
2807	n/a	if (ret == 0) {
2808	n/a	/* Clearing the error queue is necessary on some OpenSSL versions,
2809	n/a	otherwise the error will be reported again when another SSL call
2810	n/a	is done. */
2811	n/a	ERR_clear_error();
2812	n/a	PyErr_SetString(PySSLErrorObject,
2813	n/a	"No cipher can be selected.");
2814	n/a	return NULL;
2815	n/a	}
2816	n/a	Py_RETURN_NONE;
2817	n/a	}
2818	n/a
2819	n/a	#if OPENSSL_VERSION_NUMBER >= 0x10002000UL
2820	n/a	/*[clinic input]
2821	n/a	_ssl._SSLContext.get_ciphers
2822	n/a	[clinic start generated code]*/
2823	n/a
2824	n/a	static PyObject *
2825	n/a	_ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
2826	n/a	/[clinic end generated code: output=a56e4d68a406dfc4 input=a2aadc9af89b79c5]/
2827	n/a	{
2828	n/a	SSL *ssl = NULL;
2829	n/a	STACK_OF(SSL_CIPHER) *sk = NULL;
2830	n/a	const SSL_CIPHER *cipher;
2831	n/a	int i=0;
2832	n/a	PyObject result = NULL, dct;
2833	n/a
2834	n/a	ssl = SSL_new(self->ctx);
2835	n/a	if (ssl == NULL) {
2836	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
2837	n/a	goto exit;
2838	n/a	}
2839	n/a	sk = SSL_get_ciphers(ssl);
2840	n/a
2841	n/a	result = PyList_New(sk_SSL_CIPHER_num(sk));
2842	n/a	if (result == NULL) {
2843	n/a	goto exit;
2844	n/a	}
2845	n/a
2846	n/a	for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
2847	n/a	cipher = sk_SSL_CIPHER_value(sk, i);
2848	n/a	dct = cipher_to_dict(cipher);
2849	n/a	if (dct == NULL) {
2850	n/a	Py_CLEAR(result);
2851	n/a	goto exit;
2852	n/a	}
2853	n/a	PyList_SET_ITEM(result, i, dct);
2854	n/a	}
2855	n/a
2856	n/a	exit:
2857	n/a	if (ssl != NULL)
2858	n/a	SSL_free(ssl);
2859	n/a	return result;
2860	n/a
2861	n/a	}
2862	n/a	#endif
2863	n/a
2864	n/a
2865	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
2866	n/a	static int
2867	n/a	do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
2868	n/a	const unsigned char *server_protocols, unsigned int server_protocols_len,
2869	n/a	const unsigned char *client_protocols, unsigned int client_protocols_len)
2870	n/a	{
2871	n/a	int ret;
2872	n/a	if (client_protocols == NULL) {
2873	n/a	client_protocols = (unsigned char *)"";
2874	n/a	client_protocols_len = 0;
2875	n/a	}
2876	n/a	if (server_protocols == NULL) {
2877	n/a	server_protocols = (unsigned char *)"";
2878	n/a	server_protocols_len = 0;
2879	n/a	}
2880	n/a
2881	n/a	ret = SSL_select_next_proto(out, outlen,
2882	n/a	server_protocols, server_protocols_len,
2883	n/a	client_protocols, client_protocols_len);
2884	n/a	if (alpn && ret != OPENSSL_NPN_NEGOTIATED)
2885	n/a	return SSL_TLSEXT_ERR_NOACK;
2886	n/a
2887	n/a	return SSL_TLSEXT_ERR_OK;
2888	n/a	}
2889	n/a
2890	n/a	/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
2891	n/a	static int
2892	n/a	_advertiseNPN_cb(SSL *s,
2893	n/a	const unsigned char *data, unsigned int len,
2894	n/a	void *args)
2895	n/a	{
2896	n/a	PySSLContext ssl_ctx = (PySSLContext ) args;
2897	n/a
2898	n/a	if (ssl_ctx->npn_protocols == NULL) {
2899	n/a	data = (unsigned char )"";
2900	n/a	*len = 0;
2901	n/a	} else {
2902	n/a	*data = ssl_ctx->npn_protocols;
2903	n/a	*len = ssl_ctx->npn_protocols_len;
2904	n/a	}
2905	n/a
2906	n/a	return SSL_TLSEXT_ERR_OK;
2907	n/a	}
2908	n/a	/* this callback gets passed to SSL_CTX_set_next_proto_select_cb */
2909	n/a	static int
2910	n/a	_selectNPN_cb(SSL *s,
2911	n/a	unsigned char *out, unsigned char outlen,
2912	n/a	const unsigned char *server, unsigned int server_len,
2913	n/a	void *args)
2914	n/a	{
2915	n/a	PySSLContext ctx = (PySSLContext )args;
2916	n/a	return do_protocol_selection(0, out, outlen, server, server_len,
2917	n/a	ctx->npn_protocols, ctx->npn_protocols_len);
2918	n/a	}
2919	n/a	#endif
2920	n/a
2921	n/a	/*[clinic input]
2922	n/a	_ssl._SSLContext._set_npn_protocols
2923	n/a	protos: Py_buffer
2924	n/a	/
2925	n/a	[clinic start generated code]*/
2926	n/a
2927	n/a	static PyObject *
2928	n/a	_ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
2929	n/a	Py_buffer *protos)
2930	n/a	/[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]/
2931	n/a	{
2932	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
2933	n/a	PyMem_Free(self->npn_protocols);
2934	n/a	self->npn_protocols = PyMem_Malloc(protos->len);
2935	n/a	if (self->npn_protocols == NULL)
2936	n/a	return PyErr_NoMemory();
2937	n/a	memcpy(self->npn_protocols, protos->buf, protos->len);
2938	n/a	self->npn_protocols_len = (int) protos->len;
2939	n/a
2940	n/a	/* set both server and client callbacks, because the context can
2941	n/a	* be used to create both types of sockets */
2942	n/a	SSL_CTX_set_next_protos_advertised_cb(self->ctx,
2943	n/a	_advertiseNPN_cb,
2944	n/a	self);
2945	n/a	SSL_CTX_set_next_proto_select_cb(self->ctx,
2946	n/a	_selectNPN_cb,
2947	n/a	self);
2948	n/a
2949	n/a	Py_RETURN_NONE;
2950	n/a	#else
2951	n/a	PyErr_SetString(PyExc_NotImplementedError,
2952	n/a	"The NPN extension requires OpenSSL 1.0.1 or later.");
2953	n/a	return NULL;
2954	n/a	#endif
2955	n/a	}
2956	n/a
2957	n/a	#ifdef HAVE_ALPN
2958	n/a	static int
2959	n/a	_selectALPN_cb(SSL *s,
2960	n/a	const unsigned char *out, unsigned char outlen,
2961	n/a	const unsigned char *client_protocols, unsigned int client_protocols_len,
2962	n/a	void *args)
2963	n/a	{
2964	n/a	PySSLContext ctx = (PySSLContext )args;
2965	n/a	return do_protocol_selection(1, (unsigned char **)out, outlen,
2966	n/a	ctx->alpn_protocols, ctx->alpn_protocols_len,
2967	n/a	client_protocols, client_protocols_len);
2968	n/a	}
2969	n/a	#endif
2970	n/a
2971	n/a	/*[clinic input]
2972	n/a	_ssl._SSLContext._set_alpn_protocols
2973	n/a	protos: Py_buffer
2974	n/a	/
2975	n/a	[clinic start generated code]*/
2976	n/a
2977	n/a	static PyObject *
2978	n/a	_ssl__SSLContext__set_alpn_protocols_impl(PySSLContext *self,
2979	n/a	Py_buffer *protos)
2980	n/a	/[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]/
2981	n/a	{
2982	n/a	#ifdef HAVE_ALPN
2983	n/a	PyMem_FREE(self->alpn_protocols);
2984	n/a	self->alpn_protocols = PyMem_Malloc(protos->len);
2985	n/a	if (!self->alpn_protocols)
2986	n/a	return PyErr_NoMemory();
2987	n/a	memcpy(self->alpn_protocols, protos->buf, protos->len);
2988	n/a	self->alpn_protocols_len = protos->len;
2989	n/a
2990	n/a	if (SSL_CTX_set_alpn_protos(self->ctx, self->alpn_protocols, self->alpn_protocols_len))
2991	n/a	return PyErr_NoMemory();
2992	n/a	SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self);
2993	n/a
2994	n/a	Py_RETURN_NONE;
2995	n/a	#else
2996	n/a	PyErr_SetString(PyExc_NotImplementedError,
2997	n/a	"The ALPN extension requires OpenSSL 1.0.2 or later.");
2998	n/a	return NULL;
2999	n/a	#endif
3000	n/a	}
3001	n/a
3002	n/a	static PyObject *
3003	n/a	get_verify_mode(PySSLContext self, void c)
3004	n/a	{
3005	n/a	switch (SSL_CTX_get_verify_mode(self->ctx)) {
3006	n/a	case SSL_VERIFY_NONE:
3007	n/a	return PyLong_FromLong(PY_SSL_CERT_NONE);
3008	n/a	case SSL_VERIFY_PEER:
3009	n/a	return PyLong_FromLong(PY_SSL_CERT_OPTIONAL);
3010	n/a	case SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
3011	n/a	return PyLong_FromLong(PY_SSL_CERT_REQUIRED);
3012	n/a	}
3013	n/a	PyErr_SetString(PySSLErrorObject,
3014	n/a	"invalid return value from SSL_CTX_get_verify_mode");
3015	n/a	return NULL;
3016	n/a	}
3017	n/a
3018	n/a	static int
3019	n/a	set_verify_mode(PySSLContext self, PyObject arg, void *c)
3020	n/a	{
3021	n/a	int n;
3022	n/a	if (!PyArg_Parse(arg, "i", &n))
3023	n/a	return -1;
3024	n/a	if (n == PY_SSL_CERT_NONE && self->check_hostname) {
3025	n/a	PyErr_SetString(PyExc_ValueError,
3026	n/a	"Cannot set verify_mode to CERT_NONE when "
3027	n/a	"check_hostname is enabled.");
3028	n/a	return -1;
3029	n/a	}
3030	n/a	return _set_verify_mode(self->ctx, n);
3031	n/a	}
3032	n/a
3033	n/a	static PyObject *
3034	n/a	get_verify_flags(PySSLContext self, void c)
3035	n/a	{
3036	n/a	X509_STORE *store;
3037	n/a	X509_VERIFY_PARAM *param;
3038	n/a	unsigned long flags;
3039	n/a
3040	n/a	store = SSL_CTX_get_cert_store(self->ctx);
3041	n/a	param = X509_STORE_get0_param(store);
3042	n/a	flags = X509_VERIFY_PARAM_get_flags(param);
3043	n/a	return PyLong_FromUnsignedLong(flags);
3044	n/a	}
3045	n/a
3046	n/a	static int
3047	n/a	set_verify_flags(PySSLContext self, PyObject arg, void *c)
3048	n/a	{
3049	n/a	X509_STORE *store;
3050	n/a	X509_VERIFY_PARAM *param;
3051	n/a	unsigned long new_flags, flags, set, clear;
3052	n/a
3053	n/a	if (!PyArg_Parse(arg, "k", &new_flags))
3054	n/a	return -1;
3055	n/a	store = SSL_CTX_get_cert_store(self->ctx);
3056	n/a	param = X509_STORE_get0_param(store);
3057	n/a	flags = X509_VERIFY_PARAM_get_flags(param);
3058	n/a	clear = flags & ~new_flags;
3059	n/a	set = ~flags & new_flags;
3060	n/a	if (clear) {
3061	n/a	if (!X509_VERIFY_PARAM_clear_flags(param, clear)) {
3062	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3063	n/a	return -1;
3064	n/a	}
3065	n/a	}
3066	n/a	if (set) {
3067	n/a	if (!X509_VERIFY_PARAM_set_flags(param, set)) {
3068	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3069	n/a	return -1;
3070	n/a	}
3071	n/a	}
3072	n/a	return 0;
3073	n/a	}
3074	n/a
3075	n/a	static PyObject *
3076	n/a	get_options(PySSLContext self, void c)
3077	n/a	{
3078	n/a	return PyLong_FromLong(SSL_CTX_get_options(self->ctx));
3079	n/a	}
3080	n/a
3081	n/a	static int
3082	n/a	set_options(PySSLContext self, PyObject arg, void *c)
3083	n/a	{
3084	n/a	long new_opts, opts, set, clear;
3085	n/a	if (!PyArg_Parse(arg, "l", &new_opts))
3086	n/a	return -1;
3087	n/a	opts = SSL_CTX_get_options(self->ctx);
3088	n/a	clear = opts & ~new_opts;
3089	n/a	set = ~opts & new_opts;
3090	n/a	if (clear) {
3091	n/a	#ifdef HAVE_SSL_CTX_CLEAR_OPTIONS
3092	n/a	SSL_CTX_clear_options(self->ctx, clear);
3093	n/a	#else
3094	n/a	PyErr_SetString(PyExc_ValueError,
3095	n/a	"can't clear options before OpenSSL 0.9.8m");
3096	n/a	return -1;
3097	n/a	#endif
3098	n/a	}
3099	n/a	if (set)
3100	n/a	SSL_CTX_set_options(self->ctx, set);
3101	n/a	return 0;
3102	n/a	}
3103	n/a
3104	n/a	static PyObject *
3105	n/a	get_check_hostname(PySSLContext self, void c)
3106	n/a	{
3107	n/a	return PyBool_FromLong(self->check_hostname);
3108	n/a	}
3109	n/a
3110	n/a	static int
3111	n/a	set_check_hostname(PySSLContext self, PyObject arg, void *c)
3112	n/a	{
3113	n/a	int check_hostname;
3114	n/a	if (!PyArg_Parse(arg, "p", &check_hostname))
3115	n/a	return -1;
3116	n/a	if (check_hostname &&
3117	n/a	SSL_CTX_get_verify_mode(self->ctx) == SSL_VERIFY_NONE) {
3118	n/a	PyErr_SetString(PyExc_ValueError,
3119	n/a	"check_hostname needs a SSL context with either "
3120	n/a	"CERT_OPTIONAL or CERT_REQUIRED");
3121	n/a	return -1;
3122	n/a	}
3123	n/a	self->check_hostname = check_hostname;
3124	n/a	return 0;
3125	n/a	}
3126	n/a
3127	n/a
3128	n/a	typedef struct {
3129	n/a	PyThreadState *thread_state;
3130	n/a	PyObject *callable;
3131	n/a	char *password;
3132	n/a	int size;
3133	n/a	int error;
3134	n/a	} _PySSLPasswordInfo;
3135	n/a
3136	n/a	static int
3137	n/a	_pwinfo_set(_PySSLPasswordInfo pw_info, PyObject password,
3138	n/a	const char *bad_type_error)
3139	n/a	{
3140	n/a	/* Set the password and size fields of a _PySSLPasswordInfo struct
3141	n/a	from a unicode, bytes, or byte array object.
3142	n/a	The password field will be dynamically allocated and must be freed
3143	n/a	by the caller */
3144	n/a	PyObject *password_bytes = NULL;
3145	n/a	const char *data = NULL;
3146	n/a	Py_ssize_t size;
3147	n/a
3148	n/a	if (PyUnicode_Check(password)) {
3149	n/a	password_bytes = PyUnicode_AsEncodedString(password, NULL, NULL);
3150	n/a	if (!password_bytes) {
3151	n/a	goto error;
3152	n/a	}
3153	n/a	data = PyBytes_AS_STRING(password_bytes);
3154	n/a	size = PyBytes_GET_SIZE(password_bytes);
3155	n/a	} else if (PyBytes_Check(password)) {
3156	n/a	data = PyBytes_AS_STRING(password);
3157	n/a	size = PyBytes_GET_SIZE(password);
3158	n/a	} else if (PyByteArray_Check(password)) {
3159	n/a	data = PyByteArray_AS_STRING(password);
3160	n/a	size = PyByteArray_GET_SIZE(password);
3161	n/a	} else {
3162	n/a	PyErr_SetString(PyExc_TypeError, bad_type_error);
3163	n/a	goto error;
3164	n/a	}
3165	n/a
3166	n/a	if (size > (Py_ssize_t)INT_MAX) {
3167	n/a	PyErr_Format(PyExc_ValueError,
3168	n/a	"password cannot be longer than %d bytes", INT_MAX);
3169	n/a	goto error;
3170	n/a	}
3171	n/a
3172	n/a	PyMem_Free(pw_info->password);
3173	n/a	pw_info->password = PyMem_Malloc(size);
3174	n/a	if (!pw_info->password) {
3175	n/a	PyErr_SetString(PyExc_MemoryError,
3176	n/a	"unable to allocate password buffer");
3177	n/a	goto error;
3178	n/a	}
3179	n/a	memcpy(pw_info->password, data, size);
3180	n/a	pw_info->size = (int)size;
3181	n/a
3182	n/a	Py_XDECREF(password_bytes);
3183	n/a	return 1;
3184	n/a
3185	n/a	error:
3186	n/a	Py_XDECREF(password_bytes);
3187	n/a	return 0;
3188	n/a	}
3189	n/a
3190	n/a	static int
3191	n/a	_password_callback(char buf, int size, int rwflag, void userdata)
3192	n/a	{
3193	n/a	_PySSLPasswordInfo pw_info = (_PySSLPasswordInfo) userdata;
3194	n/a	PyObject *fn_ret = NULL;
3195	n/a
3196	n/a	PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
3197	n/a
3198	n/a	if (pw_info->callable) {
3199	n/a	fn_ret = _PyObject_CallNoArg(pw_info->callable);
3200	n/a	if (!fn_ret) {
3201	n/a	/* TODO: It would be nice to move _ctypes_add_traceback() into the
3202	n/a	core python API, so we could use it to add a frame here */
3203	n/a	goto error;
3204	n/a	}
3205	n/a
3206	n/a	if (!_pwinfo_set(pw_info, fn_ret,
3207	n/a	"password callback must return a string")) {
3208	n/a	goto error;
3209	n/a	}
3210	n/a	Py_CLEAR(fn_ret);
3211	n/a	}
3212	n/a
3213	n/a	if (pw_info->size > size) {
3214	n/a	PyErr_Format(PyExc_ValueError,
3215	n/a	"password cannot be longer than %d bytes", size);
3216	n/a	goto error;
3217	n/a	}
3218	n/a
3219	n/a	PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
3220	n/a	memcpy(buf, pw_info->password, pw_info->size);
3221	n/a	return pw_info->size;
3222	n/a
3223	n/a	error:
3224	n/a	Py_XDECREF(fn_ret);
3225	n/a	PySSL_BEGIN_ALLOW_THREADS_S(pw_info->thread_state);
3226	n/a	pw_info->error = 1;
3227	n/a	return -1;
3228	n/a	}
3229	n/a
3230	n/a	/*[clinic input]
3231	n/a	_ssl._SSLContext.load_cert_chain
3232	n/a	certfile: object
3233	n/a	keyfile: object = NULL
3234	n/a	password: object = NULL
3235	n/a
3236	n/a	[clinic start generated code]*/
3237	n/a
3238	n/a	static PyObject *
3239	n/a	_ssl__SSLContext_load_cert_chain_impl(PySSLContext self, PyObject certfile,
3240	n/a	PyObject keyfile, PyObject password)
3241	n/a	/[clinic end generated code: output=9480bc1c380e2095 input=7cf9ac673cbee6fc]/
3242	n/a	{
3243	n/a	PyObject certfile_bytes = NULL, keyfile_bytes = NULL;
3244	n/a	pem_password_cb *orig_passwd_cb = SSL_CTX_get_default_passwd_cb(self->ctx);
3245	n/a	void *orig_passwd_userdata = SSL_CTX_get_default_passwd_cb_userdata(self->ctx);
3246	n/a	_PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
3247	n/a	int r;
3248	n/a
3249	n/a	errno = 0;
3250	n/a	ERR_clear_error();
3251	n/a	if (keyfile == Py_None)
3252	n/a	keyfile = NULL;
3253	n/a	if (!PyUnicode_FSConverter(certfile, &certfile_bytes)) {
3254	n/a	PyErr_SetString(PyExc_TypeError,
3255	n/a	"certfile should be a valid filesystem path");
3256	n/a	return NULL;
3257	n/a	}
3258	n/a	if (keyfile && !PyUnicode_FSConverter(keyfile, &keyfile_bytes)) {
3259	n/a	PyErr_SetString(PyExc_TypeError,
3260	n/a	"keyfile should be a valid filesystem path");
3261	n/a	goto error;
3262	n/a	}
3263	n/a	if (password && password != Py_None) {
3264	n/a	if (PyCallable_Check(password)) {
3265	n/a	pw_info.callable = password;
3266	n/a	} else if (!_pwinfo_set(&pw_info, password,
3267	n/a	"password should be a string or callable")) {
3268	n/a	goto error;
3269	n/a	}
3270	n/a	SSL_CTX_set_default_passwd_cb(self->ctx, _password_callback);
3271	n/a	SSL_CTX_set_default_passwd_cb_userdata(self->ctx, &pw_info);
3272	n/a	}
3273	n/a	PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
3274	n/a	r = SSL_CTX_use_certificate_chain_file(self->ctx,
3275	n/a	PyBytes_AS_STRING(certfile_bytes));
3276	n/a	PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
3277	n/a	if (r != 1) {
3278	n/a	if (pw_info.error) {
3279	n/a	ERR_clear_error();
3280	n/a	/* the password callback has already set the error information */
3281	n/a	}
3282	n/a	else if (errno != 0) {
3283	n/a	ERR_clear_error();
3284	n/a	PyErr_SetFromErrno(PyExc_IOError);
3285	n/a	}
3286	n/a	else {
3287	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3288	n/a	}
3289	n/a	goto error;
3290	n/a	}
3291	n/a	PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
3292	n/a	r = SSL_CTX_use_PrivateKey_file(self->ctx,
3293	n/a	PyBytes_AS_STRING(keyfile ? keyfile_bytes : certfile_bytes),
3294	n/a	SSL_FILETYPE_PEM);
3295	n/a	PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
3296	n/a	Py_CLEAR(keyfile_bytes);
3297	n/a	Py_CLEAR(certfile_bytes);
3298	n/a	if (r != 1) {
3299	n/a	if (pw_info.error) {
3300	n/a	ERR_clear_error();
3301	n/a	/* the password callback has already set the error information */
3302	n/a	}
3303	n/a	else if (errno != 0) {
3304	n/a	ERR_clear_error();
3305	n/a	PyErr_SetFromErrno(PyExc_IOError);
3306	n/a	}
3307	n/a	else {
3308	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3309	n/a	}
3310	n/a	goto error;
3311	n/a	}
3312	n/a	PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
3313	n/a	r = SSL_CTX_check_private_key(self->ctx);
3314	n/a	PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
3315	n/a	if (r != 1) {
3316	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3317	n/a	goto error;
3318	n/a	}
3319	n/a	SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
3320	n/a	SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
3321	n/a	PyMem_Free(pw_info.password);
3322	n/a	Py_RETURN_NONE;
3323	n/a
3324	n/a	error:
3325	n/a	SSL_CTX_set_default_passwd_cb(self->ctx, orig_passwd_cb);
3326	n/a	SSL_CTX_set_default_passwd_cb_userdata(self->ctx, orig_passwd_userdata);
3327	n/a	PyMem_Free(pw_info.password);
3328	n/a	Py_XDECREF(keyfile_bytes);
3329	n/a	Py_XDECREF(certfile_bytes);
3330	n/a	return NULL;
3331	n/a	}
3332	n/a
3333	n/a	/* internal helper function, returns -1 on error
3334	n/a	*/
3335	n/a	static int
3336	n/a	_add_ca_certs(PySSLContext self, void data, Py_ssize_t len,
3337	n/a	int filetype)
3338	n/a	{
3339	n/a	BIO *biobuf = NULL;
3340	n/a	X509_STORE *store;
3341	n/a	int retval = 0, err, loaded = 0;
3342	n/a
3343	n/a	assert(filetype == SSL_FILETYPE_ASN1 \|\| filetype == SSL_FILETYPE_PEM);
3344	n/a
3345	n/a	if (len <= 0) {
3346	n/a	PyErr_SetString(PyExc_ValueError,
3347	n/a	"Empty certificate data");
3348	n/a	return -1;
3349	n/a	} else if (len > INT_MAX) {
3350	n/a	PyErr_SetString(PyExc_OverflowError,
3351	n/a	"Certificate data is too long.");
3352	n/a	return -1;
3353	n/a	}
3354	n/a
3355	n/a	biobuf = BIO_new_mem_buf(data, (int)len);
3356	n/a	if (biobuf == NULL) {
3357	n/a	_setSSLError("Can't allocate buffer", 0, __FILE__, __LINE__);
3358	n/a	return -1;
3359	n/a	}
3360	n/a
3361	n/a	store = SSL_CTX_get_cert_store(self->ctx);
3362	n/a	assert(store != NULL);
3363	n/a
3364	n/a	while (1) {
3365	n/a	X509 *cert = NULL;
3366	n/a	int r;
3367	n/a
3368	n/a	if (filetype == SSL_FILETYPE_ASN1) {
3369	n/a	cert = d2i_X509_bio(biobuf, NULL);
3370	n/a	} else {
3371	n/a	cert = PEM_read_bio_X509(biobuf, NULL,
3372	n/a	SSL_CTX_get_default_passwd_cb(self->ctx),
3373	n/a	SSL_CTX_get_default_passwd_cb_userdata(self->ctx)
3374	n/a	);
3375	n/a	}
3376	n/a	if (cert == NULL) {
3377	n/a	break;
3378	n/a	}
3379	n/a	r = X509_STORE_add_cert(store, cert);
3380	n/a	X509_free(cert);
3381	n/a	if (!r) {
3382	n/a	err = ERR_peek_last_error();
3383	n/a	if ((ERR_GET_LIB(err) == ERR_LIB_X509) &&
3384	n/a	(ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
3385	n/a	/* cert already in hash table, not an error */
3386	n/a	ERR_clear_error();
3387	n/a	} else {
3388	n/a	break;
3389	n/a	}
3390	n/a	}
3391	n/a	loaded++;
3392	n/a	}
3393	n/a
3394	n/a	err = ERR_peek_last_error();
3395	n/a	if ((filetype == SSL_FILETYPE_ASN1) &&
3396	n/a	(loaded > 0) &&
3397	n/a	(ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
3398	n/a	(ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
3399	n/a	/* EOF ASN1 file, not an error */
3400	n/a	ERR_clear_error();
3401	n/a	retval = 0;
3402	n/a	} else if ((filetype == SSL_FILETYPE_PEM) &&
3403	n/a	(loaded > 0) &&
3404	n/a	(ERR_GET_LIB(err) == ERR_LIB_PEM) &&
3405	n/a	(ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
3406	n/a	/* EOF PEM file, not an error */
3407	n/a	ERR_clear_error();
3408	n/a	retval = 0;
3409	n/a	} else {
3410	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3411	n/a	retval = -1;
3412	n/a	}
3413	n/a
3414	n/a	BIO_free(biobuf);
3415	n/a	return retval;
3416	n/a	}
3417	n/a
3418	n/a
3419	n/a	/*[clinic input]
3420	n/a	_ssl._SSLContext.load_verify_locations
3421	n/a	cafile: object = NULL
3422	n/a	capath: object = NULL
3423	n/a	cadata: object = NULL
3424	n/a
3425	n/a	[clinic start generated code]*/
3426	n/a
3427	n/a	static PyObject *
3428	n/a	_ssl__SSLContext_load_verify_locations_impl(PySSLContext *self,
3429	n/a	PyObject *cafile,
3430	n/a	PyObject *capath,
3431	n/a	PyObject *cadata)
3432	n/a	/[clinic end generated code: output=454c7e41230ca551 input=997f1fb3a784ef88]/
3433	n/a	{
3434	n/a	PyObject cafile_bytes = NULL, capath_bytes = NULL;
3435	n/a	const char cafile_buf = NULL, capath_buf = NULL;
3436	n/a	int r = 0, ok = 1;
3437	n/a
3438	n/a	errno = 0;
3439	n/a	if (cafile == Py_None)
3440	n/a	cafile = NULL;
3441	n/a	if (capath == Py_None)
3442	n/a	capath = NULL;
3443	n/a	if (cadata == Py_None)
3444	n/a	cadata = NULL;
3445	n/a
3446	n/a	if (cafile == NULL && capath == NULL && cadata == NULL) {
3447	n/a	PyErr_SetString(PyExc_TypeError,
3448	n/a	"cafile, capath and cadata cannot be all omitted");
3449	n/a	goto error;
3450	n/a	}
3451	n/a	if (cafile && !PyUnicode_FSConverter(cafile, &cafile_bytes)) {
3452	n/a	PyErr_SetString(PyExc_TypeError,
3453	n/a	"cafile should be a valid filesystem path");
3454	n/a	goto error;
3455	n/a	}
3456	n/a	if (capath && !PyUnicode_FSConverter(capath, &capath_bytes)) {
3457	n/a	PyErr_SetString(PyExc_TypeError,
3458	n/a	"capath should be a valid filesystem path");
3459	n/a	goto error;
3460	n/a	}
3461	n/a
3462	n/a	/* validata cadata type and load cadata */
3463	n/a	if (cadata) {
3464	n/a	Py_buffer buf;
3465	n/a	PyObject *cadata_ascii = NULL;
3466	n/a
3467	n/a	if (PyObject_GetBuffer(cadata, &buf, PyBUF_SIMPLE) == 0) {
3468	n/a	if (!PyBuffer_IsContiguous(&buf, 'C') \|\| buf.ndim > 1) {
3469	n/a	PyBuffer_Release(&buf);
3470	n/a	PyErr_SetString(PyExc_TypeError,
3471	n/a	"cadata should be a contiguous buffer with "
3472	n/a	"a single dimension");
3473	n/a	goto error;
3474	n/a	}
3475	n/a	r = _add_ca_certs(self, buf.buf, buf.len, SSL_FILETYPE_ASN1);
3476	n/a	PyBuffer_Release(&buf);
3477	n/a	if (r == -1) {
3478	n/a	goto error;
3479	n/a	}
3480	n/a	} else {
3481	n/a	PyErr_Clear();
3482	n/a	cadata_ascii = PyUnicode_AsASCIIString(cadata);
3483	n/a	if (cadata_ascii == NULL) {
3484	n/a	PyErr_SetString(PyExc_TypeError,
3485	n/a	"cadata should be an ASCII string or a "
3486	n/a	"bytes-like object");
3487	n/a	goto error;
3488	n/a	}
3489	n/a	r = _add_ca_certs(self,
3490	n/a	PyBytes_AS_STRING(cadata_ascii),
3491	n/a	PyBytes_GET_SIZE(cadata_ascii),
3492	n/a	SSL_FILETYPE_PEM);
3493	n/a	Py_DECREF(cadata_ascii);
3494	n/a	if (r == -1) {
3495	n/a	goto error;
3496	n/a	}
3497	n/a	}
3498	n/a	}
3499	n/a
3500	n/a	/* load cafile or capath */
3501	n/a	if (cafile \|\| capath) {
3502	n/a	if (cafile)
3503	n/a	cafile_buf = PyBytes_AS_STRING(cafile_bytes);
3504	n/a	if (capath)
3505	n/a	capath_buf = PyBytes_AS_STRING(capath_bytes);
3506	n/a	PySSL_BEGIN_ALLOW_THREADS
3507	n/a	r = SSL_CTX_load_verify_locations(self->ctx, cafile_buf, capath_buf);
3508	n/a	PySSL_END_ALLOW_THREADS
3509	n/a	if (r != 1) {
3510	n/a	ok = 0;
3511	n/a	if (errno != 0) {
3512	n/a	ERR_clear_error();
3513	n/a	PyErr_SetFromErrno(PyExc_IOError);
3514	n/a	}
3515	n/a	else {
3516	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3517	n/a	}
3518	n/a	goto error;
3519	n/a	}
3520	n/a	}
3521	n/a	goto end;
3522	n/a
3523	n/a	error:
3524	n/a	ok = 0;
3525	n/a	end:
3526	n/a	Py_XDECREF(cafile_bytes);
3527	n/a	Py_XDECREF(capath_bytes);
3528	n/a	if (ok) {
3529	n/a	Py_RETURN_NONE;
3530	n/a	} else {
3531	n/a	return NULL;
3532	n/a	}
3533	n/a	}
3534	n/a
3535	n/a	/*[clinic input]
3536	n/a	_ssl._SSLContext.load_dh_params
3537	n/a	path as filepath: object
3538	n/a	/
3539	n/a
3540	n/a	[clinic start generated code]*/
3541	n/a
3542	n/a	static PyObject *
3543	n/a	_ssl__SSLContext_load_dh_params(PySSLContext self, PyObject filepath)
3544	n/a	/[clinic end generated code: output=1c8e57a38e055af0 input=c8871f3c796ae1d6]/
3545	n/a	{
3546	n/a	FILE *f;
3547	n/a	DH *dh;
3548	n/a
3549	n/a	f = _Py_fopen_obj(filepath, "rb");
3550	n/a	if (f == NULL)
3551	n/a	return NULL;
3552	n/a
3553	n/a	errno = 0;
3554	n/a	PySSL_BEGIN_ALLOW_THREADS
3555	n/a	dh = PEM_read_DHparams(f, NULL, NULL, NULL);
3556	n/a	fclose(f);
3557	n/a	PySSL_END_ALLOW_THREADS
3558	n/a	if (dh == NULL) {
3559	n/a	if (errno != 0) {
3560	n/a	ERR_clear_error();
3561	n/a	PyErr_SetFromErrnoWithFilenameObject(PyExc_OSError, filepath);
3562	n/a	}
3563	n/a	else {
3564	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3565	n/a	}
3566	n/a	return NULL;
3567	n/a	}
3568	n/a	if (SSL_CTX_set_tmp_dh(self->ctx, dh) == 0)
3569	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3570	n/a	DH_free(dh);
3571	n/a	Py_RETURN_NONE;
3572	n/a	}
3573	n/a
3574	n/a	/*[clinic input]
3575	n/a	_ssl._SSLContext._wrap_socket
3576	n/a	sock: object(subclass_of="PySocketModule.Sock_Type")
3577	n/a	server_side: int
3578	n/a	server_hostname as hostname_obj: object = None
3579	n/a
3580	n/a	[clinic start generated code]*/
3581	n/a
3582	n/a	static PyObject *
3583	n/a	_ssl__SSLContext__wrap_socket_impl(PySSLContext self, PyObject sock,
3584	n/a	int server_side, PyObject *hostname_obj)
3585	n/a	/[clinic end generated code: output=6973e4b60995e933 input=83859b9156ddfc63]/
3586	n/a	{
3587	n/a	char *hostname = NULL;
3588	n/a	PyObject *res;
3589	n/a
3590	n/a	/* server_hostname is either None (or absent), or to be encoded
3591	n/a	using the idna encoding. */
3592	n/a	if (hostname_obj != Py_None) {
3593	n/a	if (!PyArg_Parse(hostname_obj, "et", "idna", &hostname))
3594	n/a	return NULL;
3595	n/a	}
3596	n/a
3597	n/a	res = (PyObject ) newPySSLSocket(self, (PySocketSockObject )sock,
3598	n/a	server_side, hostname,
3599	n/a	NULL, NULL);
3600	n/a	if (hostname != NULL)
3601	n/a	PyMem_Free(hostname);
3602	n/a	return res;
3603	n/a	}
3604	n/a
3605	n/a	/*[clinic input]
3606	n/a	_ssl._SSLContext._wrap_bio
3607	n/a	incoming: object(subclass_of="&PySSLMemoryBIO_Type", type="PySSLMemoryBIO *")
3608	n/a	outgoing: object(subclass_of="&PySSLMemoryBIO_Type", type="PySSLMemoryBIO *")
3609	n/a	server_side: int
3610	n/a	server_hostname as hostname_obj: object = None
3611	n/a
3612	n/a	[clinic start generated code]*/
3613	n/a
3614	n/a	static PyObject *
3615	n/a	_ssl__SSLContext__wrap_bio_impl(PySSLContext self, PySSLMemoryBIO incoming,
3616	n/a	PySSLMemoryBIO *outgoing, int server_side,
3617	n/a	PyObject *hostname_obj)
3618	n/a	/[clinic end generated code: output=4fe4ba75ad95940d input=17725ecdac0bf220]/
3619	n/a	{
3620	n/a	char *hostname = NULL;
3621	n/a	PyObject *res;
3622	n/a
3623	n/a	/* server_hostname is either None (or absent), or to be encoded
3624	n/a	using the idna encoding. */
3625	n/a	if (hostname_obj != Py_None) {
3626	n/a	if (!PyArg_Parse(hostname_obj, "et", "idna", &hostname))
3627	n/a	return NULL;
3628	n/a	}
3629	n/a
3630	n/a	res = (PyObject *) newPySSLSocket(self, NULL, server_side, hostname,
3631	n/a	incoming, outgoing);
3632	n/a
3633	n/a	PyMem_Free(hostname);
3634	n/a	return res;
3635	n/a	}
3636	n/a
3637	n/a	/*[clinic input]
3638	n/a	_ssl._SSLContext.session_stats
3639	n/a	[clinic start generated code]*/
3640	n/a
3641	n/a	static PyObject *
3642	n/a	_ssl__SSLContext_session_stats_impl(PySSLContext *self)
3643	n/a	/[clinic end generated code: output=0d96411c42893bfb input=7e0a81fb11102c8b]/
3644	n/a	{
3645	n/a	int r;
3646	n/a	PyObject value, stats = PyDict_New();
3647	n/a	if (!stats)
3648	n/a	return NULL;
3649	n/a
3650	n/a	#define ADD_STATS(SSL_NAME, KEY_NAME) \
3651	n/a	value = PyLong_FromLong(SSL_CTX_sess_ ## SSL_NAME (self->ctx)); \
3652	n/a	if (value == NULL) \
3653	n/a	goto error; \
3654	n/a	r = PyDict_SetItemString(stats, KEY_NAME, value); \
3655	n/a	Py_DECREF(value); \
3656	n/a	if (r < 0) \
3657	n/a	goto error;
3658	n/a
3659	n/a	ADD_STATS(number, "number");
3660	n/a	ADD_STATS(connect, "connect");
3661	n/a	ADD_STATS(connect_good, "connect_good");
3662	n/a	ADD_STATS(connect_renegotiate, "connect_renegotiate");
3663	n/a	ADD_STATS(accept, "accept");
3664	n/a	ADD_STATS(accept_good, "accept_good");
3665	n/a	ADD_STATS(accept_renegotiate, "accept_renegotiate");
3666	n/a	ADD_STATS(accept, "accept");
3667	n/a	ADD_STATS(hits, "hits");
3668	n/a	ADD_STATS(misses, "misses");
3669	n/a	ADD_STATS(timeouts, "timeouts");
3670	n/a	ADD_STATS(cache_full, "cache_full");
3671	n/a
3672	n/a	#undef ADD_STATS
3673	n/a
3674	n/a	return stats;
3675	n/a
3676	n/a	error:
3677	n/a	Py_DECREF(stats);
3678	n/a	return NULL;
3679	n/a	}
3680	n/a
3681	n/a	/*[clinic input]
3682	n/a	_ssl._SSLContext.set_default_verify_paths
3683	n/a	[clinic start generated code]*/
3684	n/a
3685	n/a	static PyObject *
3686	n/a	_ssl__SSLContext_set_default_verify_paths_impl(PySSLContext *self)
3687	n/a	/[clinic end generated code: output=0bee74e6e09deaaa input=35f3408021463d74]/
3688	n/a	{
3689	n/a	if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
3690	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3691	n/a	return NULL;
3692	n/a	}
3693	n/a	Py_RETURN_NONE;
3694	n/a	}
3695	n/a
3696	n/a	#ifndef OPENSSL_NO_ECDH
3697	n/a	/*[clinic input]
3698	n/a	_ssl._SSLContext.set_ecdh_curve
3699	n/a	name: object
3700	n/a	/
3701	n/a
3702	n/a	[clinic start generated code]*/
3703	n/a
3704	n/a	static PyObject *
3705	n/a	_ssl__SSLContext_set_ecdh_curve(PySSLContext self, PyObject name)
3706	n/a	/[clinic end generated code: output=23022c196e40d7d2 input=c2bafb6f6e34726b]/
3707	n/a	{
3708	n/a	PyObject *name_bytes;
3709	n/a	int nid;
3710	n/a	EC_KEY *key;
3711	n/a
3712	n/a	if (!PyUnicode_FSConverter(name, &name_bytes))
3713	n/a	return NULL;
3714	n/a	assert(PyBytes_Check(name_bytes));
3715	n/a	nid = OBJ_sn2nid(PyBytes_AS_STRING(name_bytes));
3716	n/a	Py_DECREF(name_bytes);
3717	n/a	if (nid == 0) {
3718	n/a	PyErr_Format(PyExc_ValueError,
3719	n/a	"unknown elliptic curve name %R", name);
3720	n/a	return NULL;
3721	n/a	}
3722	n/a	key = EC_KEY_new_by_curve_name(nid);
3723	n/a	if (key == NULL) {
3724	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
3725	n/a	return NULL;
3726	n/a	}
3727	n/a	SSL_CTX_set_tmp_ecdh(self->ctx, key);
3728	n/a	EC_KEY_free(key);
3729	n/a	Py_RETURN_NONE;
3730	n/a	}
3731	n/a	#endif
3732	n/a
3733	n/a	#if HAVE_SNI && !defined(OPENSSL_NO_TLSEXT)
3734	n/a	static int
3735	n/a	_servername_callback(SSL s, int al, void *args)
3736	n/a	{
3737	n/a	int ret;
3738	n/a	PySSLContext ssl_ctx = (PySSLContext ) args;
3739	n/a	PySSLSocket *ssl;
3740	n/a	PyObject *servername_o;
3741	n/a	PyObject *servername_idna;
3742	n/a	PyObject *result;
3743	n/a	/* The high-level ssl.SSLSocket object */
3744	n/a	PyObject *ssl_socket;
3745	n/a	const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3746	n/a	#ifdef WITH_THREAD
3747	n/a	PyGILState_STATE gstate = PyGILState_Ensure();
3748	n/a	#endif
3749	n/a
3750	n/a	if (ssl_ctx->set_hostname == NULL) {
3751	n/a	/* remove race condition in this the call back while if removing the
3752	n/a	* callback is in progress */
3753	n/a	#ifdef WITH_THREAD
3754	n/a	PyGILState_Release(gstate);
3755	n/a	#endif
3756	n/a	return SSL_TLSEXT_ERR_OK;
3757	n/a	}
3758	n/a
3759	n/a	ssl = SSL_get_app_data(s);
3760	n/a	assert(PySSLSocket_Check(ssl));
3761	n/a
3762	n/a	/* The servername callback expects an argument that represents the current
3763	n/a	* SSL connection and that has a .context attribute that can be changed to
3764	n/a	* identify the requested hostname. Since the official API is the Python
3765	n/a	* level API we want to pass the callback a Python level object rather than
3766	n/a	* a _ssl.SSLSocket instance. If there's an "owner" (typically an
3767	n/a	* SSLObject) that will be passed. Otherwise if there's a socket then that
3768	n/a	* will be passed. If both do not exist only then the C-level object is
3769	n/a	* passed. */
3770	n/a	if (ssl->owner)
3771	n/a	ssl_socket = PyWeakref_GetObject(ssl->owner);
3772	n/a	else if (ssl->Socket)
3773	n/a	ssl_socket = PyWeakref_GetObject(ssl->Socket);
3774	n/a	else
3775	n/a	ssl_socket = (PyObject *) ssl;
3776	n/a
3777	n/a	Py_INCREF(ssl_socket);
3778	n/a	if (ssl_socket == Py_None)
3779	n/a	goto error;
3780	n/a
3781	n/a	if (servername == NULL) {
3782	n/a	result = PyObject_CallFunctionObjArgs(ssl_ctx->set_hostname, ssl_socket,
3783	n/a	Py_None, ssl_ctx, NULL);
3784	n/a	}
3785	n/a	else {
3786	n/a	servername_o = PyBytes_FromString(servername);
3787	n/a	if (servername_o == NULL) {
3788	n/a	PyErr_WriteUnraisable((PyObject *) ssl_ctx);
3789	n/a	goto error;
3790	n/a	}
3791	n/a	servername_idna = PyUnicode_FromEncodedObject(servername_o, "idna", NULL);
3792	n/a	if (servername_idna == NULL) {
3793	n/a	PyErr_WriteUnraisable(servername_o);
3794	n/a	Py_DECREF(servername_o);
3795	n/a	goto error;
3796	n/a	}
3797	n/a	Py_DECREF(servername_o);
3798	n/a	result = PyObject_CallFunctionObjArgs(ssl_ctx->set_hostname, ssl_socket,
3799	n/a	servername_idna, ssl_ctx, NULL);
3800	n/a	Py_DECREF(servername_idna);
3801	n/a	}
3802	n/a	Py_DECREF(ssl_socket);
3803	n/a
3804	n/a	if (result == NULL) {
3805	n/a	PyErr_WriteUnraisable(ssl_ctx->set_hostname);
3806	n/a	*al = SSL_AD_HANDSHAKE_FAILURE;
3807	n/a	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3808	n/a	}
3809	n/a	else {
3810	n/a	if (result != Py_None) {
3811	n/a	*al = (int) PyLong_AsLong(result);
3812	n/a	if (PyErr_Occurred()) {
3813	n/a	PyErr_WriteUnraisable(result);
3814	n/a	*al = SSL_AD_INTERNAL_ERROR;
3815	n/a	}
3816	n/a	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3817	n/a	}
3818	n/a	else {
3819	n/a	ret = SSL_TLSEXT_ERR_OK;
3820	n/a	}
3821	n/a	Py_DECREF(result);
3822	n/a	}
3823	n/a
3824	n/a	#ifdef WITH_THREAD
3825	n/a	PyGILState_Release(gstate);
3826	n/a	#endif
3827	n/a	return ret;
3828	n/a
3829	n/a	error:
3830	n/a	Py_DECREF(ssl_socket);
3831	n/a	*al = SSL_AD_INTERNAL_ERROR;
3832	n/a	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3833	n/a	#ifdef WITH_THREAD
3834	n/a	PyGILState_Release(gstate);
3835	n/a	#endif
3836	n/a	return ret;
3837	n/a	}
3838	n/a	#endif
3839	n/a
3840	n/a	/*[clinic input]
3841	n/a	_ssl._SSLContext.set_servername_callback
3842	n/a	method as cb: object
3843	n/a	/
3844	n/a
3845	n/a	Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.
3846	n/a
3847	n/a	If the argument is None then the callback is disabled. The method is called
3848	n/a	with the SSLSocket, the server name as a string, and the SSLContext object.
3849	n/a	See RFC 6066 for details of the SNI extension.
3850	n/a	[clinic start generated code]*/
3851	n/a
3852	n/a	static PyObject *
3853	n/a	_ssl__SSLContext_set_servername_callback(PySSLContext self, PyObject cb)
3854	n/a	/[clinic end generated code: output=3439a1b2d5d3b7ea input=a2a83620197d602b]/
3855	n/a	{
3856	n/a	#if HAVE_SNI && !defined(OPENSSL_NO_TLSEXT)
3857	n/a	Py_CLEAR(self->set_hostname);
3858	n/a	if (cb == Py_None) {
3859	n/a	SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
3860	n/a	}
3861	n/a	else {
3862	n/a	if (!PyCallable_Check(cb)) {
3863	n/a	SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
3864	n/a	PyErr_SetString(PyExc_TypeError,
3865	n/a	"not a callable object");
3866	n/a	return NULL;
3867	n/a	}
3868	n/a	Py_INCREF(cb);
3869	n/a	self->set_hostname = cb;
3870	n/a	SSL_CTX_set_tlsext_servername_callback(self->ctx, _servername_callback);
3871	n/a	SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
3872	n/a	}
3873	n/a	Py_RETURN_NONE;
3874	n/a	#else
3875	n/a	PyErr_SetString(PyExc_NotImplementedError,
3876	n/a	"The TLS extension servername callback, "
3877	n/a	"SSL_CTX_set_tlsext_servername_callback, "
3878	n/a	"is not in the current OpenSSL library.");
3879	n/a	return NULL;
3880	n/a	#endif
3881	n/a	}
3882	n/a
3883	n/a	/*[clinic input]
3884	n/a	_ssl._SSLContext.cert_store_stats
3885	n/a
3886	n/a	Returns quantities of loaded X.509 certificates.
3887	n/a
3888	n/a	X.509 certificates with a CA extension and certificate revocation lists
3889	n/a	inside the context's cert store.
3890	n/a
3891	n/a	NOTE: Certificates in a capath directory aren't loaded unless they have
3892	n/a	been used at least once.
3893	n/a	[clinic start generated code]*/
3894	n/a
3895	n/a	static PyObject *
3896	n/a	_ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
3897	n/a	/[clinic end generated code: output=5f356f4d9cca874d input=eb40dd0f6d0e40cf]/
3898	n/a	{
3899	n/a	X509_STORE *store;
3900	n/a	STACK_OF(X509_OBJECT) *objs;
3901	n/a	X509_OBJECT *obj;
3902	n/a	int x509 = 0, crl = 0, ca = 0, i;
3903	n/a
3904	n/a	store = SSL_CTX_get_cert_store(self->ctx);
3905	n/a	objs = X509_STORE_get0_objects(store);
3906	n/a	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
3907	n/a	obj = sk_X509_OBJECT_value(objs, i);
3908	n/a	switch (X509_OBJECT_get_type(obj)) {
3909	n/a	case X509_LU_X509:
3910	n/a	x509++;
3911	n/a	if (X509_check_ca(X509_OBJECT_get0_X509(obj))) {
3912	n/a	ca++;
3913	n/a	}
3914	n/a	break;
3915	n/a	case X509_LU_CRL:
3916	n/a	crl++;
3917	n/a	break;
3918	n/a	default:
3919	n/a	/* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
3920	n/a	* As far as I can tell they are internal states and never
3921	n/a	* stored in a cert store */
3922	n/a	break;
3923	n/a	}
3924	n/a	}
3925	n/a	return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
3926	n/a	"x509_ca", ca);
3927	n/a	}
3928	n/a
3929	n/a	/*[clinic input]
3930	n/a	_ssl._SSLContext.get_ca_certs
3931	n/a	binary_form: bool = False
3932	n/a
3933	n/a	Returns a list of dicts with information of loaded CA certs.
3934	n/a
3935	n/a	If the optional argument is True, returns a DER-encoded copy of the CA
3936	n/a	certificate.
3937	n/a
3938	n/a	NOTE: Certificates in a capath directory aren't loaded unless they have
3939	n/a	been used at least once.
3940	n/a	[clinic start generated code]*/
3941	n/a
3942	n/a	static PyObject *
3943	n/a	_ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
3944	n/a	/[clinic end generated code: output=0d58f148f37e2938 input=6887b5a09b7f9076]/
3945	n/a	{
3946	n/a	X509_STORE *store;
3947	n/a	STACK_OF(X509_OBJECT) *objs;
3948	n/a	PyObject ci = NULL, rlist = NULL;
3949	n/a	int i;
3950	n/a
3951	n/a	if ((rlist = PyList_New(0)) == NULL) {
3952	n/a	return NULL;
3953	n/a	}
3954	n/a
3955	n/a	store = SSL_CTX_get_cert_store(self->ctx);
3956	n/a	objs = X509_STORE_get0_objects(store);
3957	n/a	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
3958	n/a	X509_OBJECT *obj;
3959	n/a	X509 *cert;
3960	n/a
3961	n/a	obj = sk_X509_OBJECT_value(objs, i);
3962	n/a	if (X509_OBJECT_get_type(obj) != X509_LU_X509) {
3963	n/a	/* not a x509 cert */
3964	n/a	continue;
3965	n/a	}
3966	n/a	/* CA for any purpose */
3967	n/a	cert = X509_OBJECT_get0_X509(obj);
3968	n/a	if (!X509_check_ca(cert)) {
3969	n/a	continue;
3970	n/a	}
3971	n/a	if (binary_form) {
3972	n/a	ci = _certificate_to_der(cert);
3973	n/a	} else {
3974	n/a	ci = _decode_certificate(cert);
3975	n/a	}
3976	n/a	if (ci == NULL) {
3977	n/a	goto error;
3978	n/a	}
3979	n/a	if (PyList_Append(rlist, ci) == -1) {
3980	n/a	goto error;
3981	n/a	}
3982	n/a	Py_CLEAR(ci);
3983	n/a	}
3984	n/a	return rlist;
3985	n/a
3986	n/a	error:
3987	n/a	Py_XDECREF(ci);
3988	n/a	Py_XDECREF(rlist);
3989	n/a	return NULL;
3990	n/a	}
3991	n/a
3992	n/a
3993	n/a	static PyGetSetDef context_getsetlist[] = {
3994	n/a	{"check_hostname", (getter) get_check_hostname,
3995	n/a	(setter) set_check_hostname, NULL},
3996	n/a	{"options", (getter) get_options,
3997	n/a	(setter) set_options, NULL},
3998	n/a	{"verify_flags", (getter) get_verify_flags,
3999	n/a	(setter) set_verify_flags, NULL},
4000	n/a	{"verify_mode", (getter) get_verify_mode,
4001	n/a	(setter) set_verify_mode, NULL},
4002	n/a	{NULL}, /* sentinel */
4003	n/a	};
4004	n/a
4005	n/a	static struct PyMethodDef context_methods[] = {
4006	n/a	_SSL__SSLCONTEXT__WRAP_SOCKET_METHODDEF
4007	n/a	_SSL__SSLCONTEXT__WRAP_BIO_METHODDEF
4008	n/a	_SSL__SSLCONTEXT_SET_CIPHERS_METHODDEF
4009	n/a	_SSL__SSLCONTEXT__SET_ALPN_PROTOCOLS_METHODDEF
4010	n/a	_SSL__SSLCONTEXT__SET_NPN_PROTOCOLS_METHODDEF
4011	n/a	_SSL__SSLCONTEXT_LOAD_CERT_CHAIN_METHODDEF
4012	n/a	_SSL__SSLCONTEXT_LOAD_DH_PARAMS_METHODDEF
4013	n/a	_SSL__SSLCONTEXT_LOAD_VERIFY_LOCATIONS_METHODDEF
4014	n/a	_SSL__SSLCONTEXT_SESSION_STATS_METHODDEF
4015	n/a	_SSL__SSLCONTEXT_SET_DEFAULT_VERIFY_PATHS_METHODDEF
4016	n/a	_SSL__SSLCONTEXT_SET_ECDH_CURVE_METHODDEF
4017	n/a	_SSL__SSLCONTEXT_SET_SERVERNAME_CALLBACK_METHODDEF
4018	n/a	_SSL__SSLCONTEXT_CERT_STORE_STATS_METHODDEF
4019	n/a	_SSL__SSLCONTEXT_GET_CA_CERTS_METHODDEF
4020	n/a	_SSL__SSLCONTEXT_GET_CIPHERS_METHODDEF
4021	n/a	{NULL, NULL} /* sentinel */
4022	n/a	};
4023	n/a
4024	n/a	static PyTypeObject PySSLContext_Type = {
4025	n/a	PyVarObject_HEAD_INIT(NULL, 0)
4026	n/a	"_ssl._SSLContext", /tp_name/
4027	n/a	sizeof(PySSLContext), /tp_basicsize/
4028	n/a	0, /tp_itemsize/
4029	n/a	(destructor)context_dealloc, /tp_dealloc/
4030	n/a	0, /tp_print/
4031	n/a	0, /tp_getattr/
4032	n/a	0, /tp_setattr/
4033	n/a	0, /tp_reserved/
4034	n/a	0, /tp_repr/
4035	n/a	0, /tp_as_number/
4036	n/a	0, /tp_as_sequence/
4037	n/a	0, /tp_as_mapping/
4038	n/a	0, /tp_hash/
4039	n/a	0, /tp_call/
4040	n/a	0, /tp_str/
4041	n/a	0, /tp_getattro/
4042	n/a	0, /tp_setattro/
4043	n/a	0, /tp_as_buffer/
4044	n/a	Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_BASETYPE \| Py_TPFLAGS_HAVE_GC, /tp_flags/
4045	n/a	0, /tp_doc/
4046	n/a	(traverseproc) context_traverse, /tp_traverse/
4047	n/a	(inquiry) context_clear, /tp_clear/
4048	n/a	0, /tp_richcompare/
4049	n/a	0, /tp_weaklistoffset/
4050	n/a	0, /tp_iter/
4051	n/a	0, /tp_iternext/
4052	n/a	context_methods, /tp_methods/
4053	n/a	0, /tp_members/
4054	n/a	context_getsetlist, /tp_getset/
4055	n/a	0, /tp_base/
4056	n/a	0, /tp_dict/
4057	n/a	0, /tp_descr_get/
4058	n/a	0, /tp_descr_set/
4059	n/a	0, /tp_dictoffset/
4060	n/a	0, /tp_init/
4061	n/a	0, /tp_alloc/
4062	n/a	_ssl__SSLContext, /tp_new/
4063	n/a	};
4064	n/a
4065	n/a
4066	n/a	/*
4067	n/a	* MemoryBIO objects
4068	n/a	*/
4069	n/a
4070	n/a	/*[clinic input]
4071	n/a	@classmethod
4072	n/a	_ssl.MemoryBIO.__new__
4073	n/a
4074	n/a	[clinic start generated code]*/
4075	n/a
4076	n/a	static PyObject *
4077	n/a	_ssl_MemoryBIO_impl(PyTypeObject *type)
4078	n/a	/[clinic end generated code: output=8820a58db78330ac input=26d22e4909ecb1b5]/
4079	n/a	{
4080	n/a	BIO *bio;
4081	n/a	PySSLMemoryBIO *self;
4082	n/a
4083	n/a	bio = BIO_new(BIO_s_mem());
4084	n/a	if (bio == NULL) {
4085	n/a	PyErr_SetString(PySSLErrorObject,
4086	n/a	"failed to allocate BIO");
4087	n/a	return NULL;
4088	n/a	}
4089	n/a	/* Since our BIO is non-blocking an empty read() does not indicate EOF,
4090	n/a	* just that no data is currently available. The SSL routines should retry
4091	n/a	* the read, which we can achieve by calling BIO_set_retry_read(). */
4092	n/a	BIO_set_retry_read(bio);
4093	n/a	BIO_set_mem_eof_return(bio, -1);
4094	n/a
4095	n/a	assert(type != NULL && type->tp_alloc != NULL);
4096	n/a	self = (PySSLMemoryBIO *) type->tp_alloc(type, 0);
4097	n/a	if (self == NULL) {
4098	n/a	BIO_free(bio);
4099	n/a	return NULL;
4100	n/a	}
4101	n/a	self->bio = bio;
4102	n/a	self->eof_written = 0;
4103	n/a
4104	n/a	return (PyObject *) self;
4105	n/a	}
4106	n/a
4107	n/a	static void
4108	n/a	memory_bio_dealloc(PySSLMemoryBIO *self)
4109	n/a	{
4110	n/a	BIO_free(self->bio);
4111	n/a	Py_TYPE(self)->tp_free(self);
4112	n/a	}
4113	n/a
4114	n/a	static PyObject *
4115	n/a	memory_bio_get_pending(PySSLMemoryBIO self, void c)
4116	n/a	{
4117	n/a	return PyLong_FromLong(BIO_ctrl_pending(self->bio));
4118	n/a	}
4119	n/a
4120	n/a	PyDoc_STRVAR(PySSL_memory_bio_pending_doc,
4121	n/a	"The number of bytes pending in the memory BIO.");
4122	n/a
4123	n/a	static PyObject *
4124	n/a	memory_bio_get_eof(PySSLMemoryBIO self, void c)
4125	n/a	{
4126	n/a	return PyBool_FromLong((BIO_ctrl_pending(self->bio) == 0)
4127	n/a	&& self->eof_written);
4128	n/a	}
4129	n/a
4130	n/a	PyDoc_STRVAR(PySSL_memory_bio_eof_doc,
4131	n/a	"Whether the memory BIO is at EOF.");
4132	n/a
4133	n/a	/*[clinic input]
4134	n/a	_ssl.MemoryBIO.read
4135	n/a	size as len: int = -1
4136	n/a	/
4137	n/a
4138	n/a	Read up to size bytes from the memory BIO.
4139	n/a
4140	n/a	If size is not specified, read the entire buffer.
4141	n/a	If the return value is an empty bytes instance, this means either
4142	n/a	EOF or that no data is available. Use the "eof" property to
4143	n/a	distinguish between the two.
4144	n/a	[clinic start generated code]*/
4145	n/a
4146	n/a	static PyObject *
4147	n/a	_ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
4148	n/a	/[clinic end generated code: output=a657aa1e79cd01b3 input=574d7be06a902366]/
4149	n/a	{
4150	n/a	int avail, nbytes;
4151	n/a	PyObject *result;
4152	n/a
4153	n/a	avail = BIO_ctrl_pending(self->bio);
4154	n/a	if ((len < 0) \|\| (len > avail))
4155	n/a	len = avail;
4156	n/a
4157	n/a	result = PyBytes_FromStringAndSize(NULL, len);
4158	n/a	if ((result == NULL) \|\| (len == 0))
4159	n/a	return result;
4160	n/a
4161	n/a	nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
4162	n/a	/* There should never be any short reads but check anyway. */
4163	n/a	if ((nbytes < len) && (_PyBytes_Resize(&result, len) < 0)) {
4164	n/a	Py_DECREF(result);
4165	n/a	return NULL;
4166	n/a	}
4167	n/a
4168	n/a	return result;
4169	n/a	}
4170	n/a
4171	n/a	/*[clinic input]
4172	n/a	_ssl.MemoryBIO.write
4173	n/a	b: Py_buffer
4174	n/a	/
4175	n/a
4176	n/a	Writes the bytes b into the memory BIO.
4177	n/a
4178	n/a	Returns the number of bytes written.
4179	n/a	[clinic start generated code]*/
4180	n/a
4181	n/a	static PyObject *
4182	n/a	_ssl_MemoryBIO_write_impl(PySSLMemoryBIO self, Py_buffer b)
4183	n/a	/[clinic end generated code: output=156ec59110d75935 input=e45757b3e17c4808]/
4184	n/a	{
4185	n/a	int nbytes;
4186	n/a
4187	n/a	if (b->len > INT_MAX) {
4188	n/a	PyErr_Format(PyExc_OverflowError,
4189	n/a	"string longer than %d bytes", INT_MAX);
4190	n/a	return NULL;
4191	n/a	}
4192	n/a
4193	n/a	if (self->eof_written) {
4194	n/a	PyErr_SetString(PySSLErrorObject,
4195	n/a	"cannot write() after write_eof()");
4196	n/a	return NULL;
4197	n/a	}
4198	n/a
4199	n/a	nbytes = BIO_write(self->bio, b->buf, b->len);
4200	n/a	if (nbytes < 0) {
4201	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
4202	n/a	return NULL;
4203	n/a	}
4204	n/a
4205	n/a	return PyLong_FromLong(nbytes);
4206	n/a	}
4207	n/a
4208	n/a	/*[clinic input]
4209	n/a	_ssl.MemoryBIO.write_eof
4210	n/a
4211	n/a	Write an EOF marker to the memory BIO.
4212	n/a
4213	n/a	When all data has been read, the "eof" property will be True.
4214	n/a	[clinic start generated code]*/
4215	n/a
4216	n/a	static PyObject *
4217	n/a	_ssl_MemoryBIO_write_eof_impl(PySSLMemoryBIO *self)
4218	n/a	/[clinic end generated code: output=d4106276ccd1ed34 input=56a945f1d29e8bd6]/
4219	n/a	{
4220	n/a	self->eof_written = 1;
4221	n/a	/* After an EOF is written, a zero return from read() should be a real EOF
4222	n/a	* i.e. it should not be retried. Clear the SHOULD_RETRY flag. */
4223	n/a	BIO_clear_retry_flags(self->bio);
4224	n/a	BIO_set_mem_eof_return(self->bio, 0);
4225	n/a
4226	n/a	Py_RETURN_NONE;
4227	n/a	}
4228	n/a
4229	n/a	static PyGetSetDef memory_bio_getsetlist[] = {
4230	n/a	{"pending", (getter) memory_bio_get_pending, NULL,
4231	n/a	PySSL_memory_bio_pending_doc},
4232	n/a	{"eof", (getter) memory_bio_get_eof, NULL,
4233	n/a	PySSL_memory_bio_eof_doc},
4234	n/a	{NULL}, /* sentinel */
4235	n/a	};
4236	n/a
4237	n/a	static struct PyMethodDef memory_bio_methods[] = {
4238	n/a	_SSL_MEMORYBIO_READ_METHODDEF
4239	n/a	_SSL_MEMORYBIO_WRITE_METHODDEF
4240	n/a	_SSL_MEMORYBIO_WRITE_EOF_METHODDEF
4241	n/a	{NULL, NULL} /* sentinel */
4242	n/a	};
4243	n/a
4244	n/a	static PyTypeObject PySSLMemoryBIO_Type = {
4245	n/a	PyVarObject_HEAD_INIT(NULL, 0)
4246	n/a	"_ssl.MemoryBIO", /tp_name/
4247	n/a	sizeof(PySSLMemoryBIO), /tp_basicsize/
4248	n/a	0, /tp_itemsize/
4249	n/a	(destructor)memory_bio_dealloc, /tp_dealloc/
4250	n/a	0, /tp_print/
4251	n/a	0, /tp_getattr/
4252	n/a	0, /tp_setattr/
4253	n/a	0, /tp_reserved/
4254	n/a	0, /tp_repr/
4255	n/a	0, /tp_as_number/
4256	n/a	0, /tp_as_sequence/
4257	n/a	0, /tp_as_mapping/
4258	n/a	0, /tp_hash/
4259	n/a	0, /tp_call/
4260	n/a	0, /tp_str/
4261	n/a	0, /tp_getattro/
4262	n/a	0, /tp_setattro/
4263	n/a	0, /tp_as_buffer/
4264	n/a	Py_TPFLAGS_DEFAULT, /tp_flags/
4265	n/a	0, /tp_doc/
4266	n/a	0, /tp_traverse/
4267	n/a	0, /tp_clear/
4268	n/a	0, /tp_richcompare/
4269	n/a	0, /tp_weaklistoffset/
4270	n/a	0, /tp_iter/
4271	n/a	0, /tp_iternext/
4272	n/a	memory_bio_methods, /tp_methods/
4273	n/a	0, /tp_members/
4274	n/a	memory_bio_getsetlist, /tp_getset/
4275	n/a	0, /tp_base/
4276	n/a	0, /tp_dict/
4277	n/a	0, /tp_descr_get/
4278	n/a	0, /tp_descr_set/
4279	n/a	0, /tp_dictoffset/
4280	n/a	0, /tp_init/
4281	n/a	0, /tp_alloc/
4282	n/a	_ssl_MemoryBIO, /tp_new/
4283	n/a	};
4284	n/a
4285	n/a
4286	n/a	/*
4287	n/a	* SSL Session object
4288	n/a	*/
4289	n/a
4290	n/a	static void
4291	n/a	PySSLSession_dealloc(PySSLSession *self)
4292	n/a	{
4293	n/a	PyObject_GC_UnTrack(self);
4294	n/a	Py_XDECREF(self->ctx);
4295	n/a	if (self->session != NULL) {
4296	n/a	SSL_SESSION_free(self->session);
4297	n/a	}
4298	n/a	PyObject_GC_Del(self);
4299	n/a	}
4300	n/a
4301	n/a	static PyObject *
4302	n/a	PySSLSession_richcompare(PyObject left, PyObject right, int op)
4303	n/a	{
4304	n/a	int result;
4305	n/a
4306	n/a	if (left == NULL \|\| right == NULL) {
4307	n/a	PyErr_BadInternalCall();
4308	n/a	return NULL;
4309	n/a	}
4310	n/a
4311	n/a	if (!PySSLSession_Check(left) \|\| !PySSLSession_Check(right)) {
4312	n/a	Py_RETURN_NOTIMPLEMENTED;
4313	n/a	}
4314	n/a
4315	n/a	if (left == right) {
4316	n/a	result = 0;
4317	n/a	} else {
4318	n/a	const unsigned char left_id, right_id;
4319	n/a	unsigned int left_len, right_len;
4320	n/a	left_id = SSL_SESSION_get_id(((PySSLSession *)left)->session,
4321	n/a	&left_len);
4322	n/a	right_id = SSL_SESSION_get_id(((PySSLSession *)right)->session,
4323	n/a	&right_len);
4324	n/a	if (left_len == right_len) {
4325	n/a	result = memcmp(left_id, right_id, left_len);
4326	n/a	} else {
4327	n/a	result = 1;
4328	n/a	}
4329	n/a	}
4330	n/a
4331	n/a	switch (op) {
4332	n/a	case Py_EQ:
4333	n/a	if (result == 0) {
4334	n/a	Py_RETURN_TRUE;
4335	n/a	} else {
4336	n/a	Py_RETURN_FALSE;
4337	n/a	}
4338	n/a	break;
4339	n/a	case Py_NE:
4340	n/a	if (result != 0) {
4341	n/a	Py_RETURN_TRUE;
4342	n/a	} else {
4343	n/a	Py_RETURN_FALSE;
4344	n/a	}
4345	n/a	break;
4346	n/a	case Py_LT:
4347	n/a	case Py_LE:
4348	n/a	case Py_GT:
4349	n/a	case Py_GE:
4350	n/a	Py_RETURN_NOTIMPLEMENTED;
4351	n/a	break;
4352	n/a	default:
4353	n/a	PyErr_BadArgument();
4354	n/a	return NULL;
4355	n/a	}
4356	n/a	}
4357	n/a
4358	n/a	static int
4359	n/a	PySSLSession_traverse(PySSLSession self, visitproc visit, void arg)
4360	n/a	{
4361	n/a	Py_VISIT(self->ctx);
4362	n/a	return 0;
4363	n/a	}
4364	n/a
4365	n/a	static int
4366	n/a	PySSLSession_clear(PySSLSession *self)
4367	n/a	{
4368	n/a	Py_CLEAR(self->ctx);
4369	n/a	return 0;
4370	n/a	}
4371	n/a
4372	n/a
4373	n/a	static PyObject *
4374	n/a	PySSLSession_get_time(PySSLSession self, void closure) {
4375	n/a	return PyLong_FromLong(SSL_SESSION_get_time(self->session));
4376	n/a	}
4377	n/a
4378	n/a	PyDoc_STRVAR(PySSLSession_get_time_doc,
4379	n/a	"Session creation time (seconds since epoch).");
4380	n/a
4381	n/a
4382	n/a	static PyObject *
4383	n/a	PySSLSession_get_timeout(PySSLSession self, void closure) {
4384	n/a	return PyLong_FromLong(SSL_SESSION_get_timeout(self->session));
4385	n/a	}
4386	n/a
4387	n/a	PyDoc_STRVAR(PySSLSession_get_timeout_doc,
4388	n/a	"Session timeout (delta in seconds).");
4389	n/a
4390	n/a
4391	n/a	static PyObject *
4392	n/a	PySSLSession_get_ticket_lifetime_hint(PySSLSession self, void closure) {
4393	n/a	unsigned long hint = SSL_SESSION_get_ticket_lifetime_hint(self->session);
4394	n/a	return PyLong_FromUnsignedLong(hint);
4395	n/a	}
4396	n/a
4397	n/a	PyDoc_STRVAR(PySSLSession_get_ticket_lifetime_hint_doc,
4398	n/a	"Ticket life time hint.");
4399	n/a
4400	n/a
4401	n/a	static PyObject *
4402	n/a	PySSLSession_get_session_id(PySSLSession self, void closure) {
4403	n/a	const unsigned char *id;
4404	n/a	unsigned int len;
4405	n/a	id = SSL_SESSION_get_id(self->session, &len);
4406	n/a	return PyBytes_FromStringAndSize((const char *)id, len);
4407	n/a	}
4408	n/a
4409	n/a	PyDoc_STRVAR(PySSLSession_get_session_id_doc,
4410	n/a	"Session id");
4411	n/a
4412	n/a
4413	n/a	static PyObject *
4414	n/a	PySSLSession_get_has_ticket(PySSLSession self, void closure) {
4415	n/a	if (SSL_SESSION_has_ticket(self->session)) {
4416	n/a	Py_RETURN_TRUE;
4417	n/a	} else {
4418	n/a	Py_RETURN_FALSE;
4419	n/a	}
4420	n/a	}
4421	n/a
4422	n/a	PyDoc_STRVAR(PySSLSession_get_has_ticket_doc,
4423	n/a	"Does the session contain a ticket?");
4424	n/a
4425	n/a
4426	n/a	static PyGetSetDef PySSLSession_getsetlist[] = {
4427	n/a	{"has_ticket", (getter) PySSLSession_get_has_ticket, NULL,
4428	n/a	PySSLSession_get_has_ticket_doc},
4429	n/a	{"id", (getter) PySSLSession_get_session_id, NULL,
4430	n/a	PySSLSession_get_session_id_doc},
4431	n/a	{"ticket_lifetime_hint", (getter) PySSLSession_get_ticket_lifetime_hint,
4432	n/a	NULL, PySSLSession_get_ticket_lifetime_hint_doc},
4433	n/a	{"time", (getter) PySSLSession_get_time, NULL,
4434	n/a	PySSLSession_get_time_doc},
4435	n/a	{"timeout", (getter) PySSLSession_get_timeout, NULL,
4436	n/a	PySSLSession_get_timeout_doc},
4437	n/a	{NULL}, /* sentinel */
4438	n/a	};
4439	n/a
4440	n/a	static PyTypeObject PySSLSession_Type = {
4441	n/a	PyVarObject_HEAD_INIT(NULL, 0)
4442	n/a	"_ssl.Session", /tp_name/
4443	n/a	sizeof(PySSLSession), /tp_basicsize/
4444	n/a	0, /tp_itemsize/
4445	n/a	(destructor)PySSLSession_dealloc, /tp_dealloc/
4446	n/a	0, /tp_print/
4447	n/a	0, /tp_getattr/
4448	n/a	0, /tp_setattr/
4449	n/a	0, /tp_reserved/
4450	n/a	0, /tp_repr/
4451	n/a	0, /tp_as_number/
4452	n/a	0, /tp_as_sequence/
4453	n/a	0, /tp_as_mapping/
4454	n/a	0, /tp_hash/
4455	n/a	0, /tp_call/
4456	n/a	0, /tp_str/
4457	n/a	0, /tp_getattro/
4458	n/a	0, /tp_setattro/
4459	n/a	0, /tp_as_buffer/
4460	n/a	Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_HAVE_GC, /tp_flags/
4461	n/a	0, /tp_doc/
4462	n/a	(traverseproc)PySSLSession_traverse, /tp_traverse/
4463	n/a	(inquiry)PySSLSession_clear, /tp_clear/
4464	n/a	PySSLSession_richcompare, /tp_richcompare/
4465	n/a	0, /tp_weaklistoffset/
4466	n/a	0, /tp_iter/
4467	n/a	0, /tp_iternext/
4468	n/a	0, /tp_methods/
4469	n/a	0, /tp_members/
4470	n/a	PySSLSession_getsetlist, /tp_getset/
4471	n/a	};
4472	n/a
4473	n/a
4474	n/a	/* helper routines for seeding the SSL PRNG */
4475	n/a	/*[clinic input]
4476	n/a	_ssl.RAND_add
4477	n/a	string as view: Py_buffer(accept={str, buffer})
4478	n/a	entropy: double
4479	n/a	/
4480	n/a
4481	n/a	Mix string into the OpenSSL PRNG state.
4482	n/a
4483	n/a	entropy (a float) is a lower bound on the entropy contained in
4484	n/a	string. See RFC 1750.
4485	n/a	[clinic start generated code]*/
4486	n/a
4487	n/a	static PyObject *
4488	n/a	_ssl_RAND_add_impl(PyObject module, Py_buffer view, double entropy)
4489	n/a	/[clinic end generated code: output=e6dd48df9c9024e9 input=580c85e6a3a4fe29]/
4490	n/a	{
4491	n/a	const char *buf;
4492	n/a	Py_ssize_t len, written;
4493	n/a
4494	n/a	buf = (const char *)view->buf;
4495	n/a	len = view->len;
4496	n/a	do {
4497	n/a	written = Py_MIN(len, INT_MAX);
4498	n/a	RAND_add(buf, (int)written, entropy);
4499	n/a	buf += written;
4500	n/a	len -= written;
4501	n/a	} while (len);
4502	n/a	Py_RETURN_NONE;
4503	n/a	}
4504	n/a
4505	n/a	static PyObject *
4506	n/a	PySSL_RAND(int len, int pseudo)
4507	n/a	{
4508	n/a	int ok;
4509	n/a	PyObject *bytes;
4510	n/a	unsigned long err;
4511	n/a	const char *errstr;
4512	n/a	PyObject *v;
4513	n/a
4514	n/a	if (len < 0) {
4515	n/a	PyErr_SetString(PyExc_ValueError, "num must be positive");
4516	n/a	return NULL;
4517	n/a	}
4518	n/a
4519	n/a	bytes = PyBytes_FromStringAndSize(NULL, len);
4520	n/a	if (bytes == NULL)
4521	n/a	return NULL;
4522	n/a	if (pseudo) {
4523	n/a	ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
4524	n/a	if (ok == 0 \|\| ok == 1)
4525	n/a	return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
4526	n/a	}
4527	n/a	else {
4528	n/a	ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
4529	n/a	if (ok == 1)
4530	n/a	return bytes;
4531	n/a	}
4532	n/a	Py_DECREF(bytes);
4533	n/a
4534	n/a	err = ERR_get_error();
4535	n/a	errstr = ERR_reason_error_string(err);
4536	n/a	v = Py_BuildValue("(ks)", err, errstr);
4537	n/a	if (v != NULL) {
4538	n/a	PyErr_SetObject(PySSLErrorObject, v);
4539	n/a	Py_DECREF(v);
4540	n/a	}
4541	n/a	return NULL;
4542	n/a	}
4543	n/a
4544	n/a	/*[clinic input]
4545	n/a	_ssl.RAND_bytes
4546	n/a	n: int
4547	n/a	/
4548	n/a
4549	n/a	Generate n cryptographically strong pseudo-random bytes.
4550	n/a	[clinic start generated code]*/
4551	n/a
4552	n/a	static PyObject *
4553	n/a	_ssl_RAND_bytes_impl(PyObject *module, int n)
4554	n/a	/[clinic end generated code: output=977da635e4838bc7 input=678ddf2872dfebfc]/
4555	n/a	{
4556	n/a	return PySSL_RAND(n, 0);
4557	n/a	}
4558	n/a
4559	n/a	/*[clinic input]
4560	n/a	_ssl.RAND_pseudo_bytes
4561	n/a	n: int
4562	n/a	/
4563	n/a
4564	n/a	Generate n pseudo-random bytes.
4565	n/a
4566	n/a	Return a pair (bytes, is_cryptographic). is_cryptographic is True
4567	n/a	if the bytes generated are cryptographically strong.
4568	n/a	[clinic start generated code]*/
4569	n/a
4570	n/a	static PyObject *
4571	n/a	_ssl_RAND_pseudo_bytes_impl(PyObject *module, int n)
4572	n/a	/[clinic end generated code: output=b1509e937000e52d input=58312bd53f9bbdd0]/
4573	n/a	{
4574	n/a	return PySSL_RAND(n, 1);
4575	n/a	}
4576	n/a
4577	n/a	/*[clinic input]
4578	n/a	_ssl.RAND_status
4579	n/a
4580	n/a	Returns 1 if the OpenSSL PRNG has been seeded with enough data and 0 if not.
4581	n/a
4582	n/a	It is necessary to seed the PRNG with RAND_add() on some platforms before
4583	n/a	using the ssl() function.
4584	n/a	[clinic start generated code]*/
4585	n/a
4586	n/a	static PyObject *
4587	n/a	_ssl_RAND_status_impl(PyObject *module)
4588	n/a	/[clinic end generated code: output=7e0aaa2d39fdc1ad input=8a774b02d1dc81f3]/
4589	n/a	{
4590	n/a	return PyLong_FromLong(RAND_status());
4591	n/a	}
4592	n/a
4593	n/a	#ifndef OPENSSL_NO_EGD
4594	n/a	/* LCOV_EXCL_START */
4595	n/a	/*[clinic input]
4596	n/a	_ssl.RAND_egd
4597	n/a	path: object(converter="PyUnicode_FSConverter")
4598	n/a	/
4599	n/a
4600	n/a	Queries the entropy gather daemon (EGD) on the socket named by 'path'.
4601	n/a
4602	n/a	Returns number of bytes read. Raises SSLError if connection to EGD
4603	n/a	fails or if it does not provide enough data to seed PRNG.
4604	n/a	[clinic start generated code]*/
4605	n/a
4606	n/a	static PyObject *
4607	n/a	_ssl_RAND_egd_impl(PyObject module, PyObject path)
4608	n/a	/[clinic end generated code: output=02a67c7c367f52fa input=1aeb7eb948312195]/
4609	n/a	{
4610	n/a	int bytes = RAND_egd(PyBytes_AsString(path));
4611	n/a	Py_DECREF(path);
4612	n/a	if (bytes == -1) {
4613	n/a	PyErr_SetString(PySSLErrorObject,
4614	n/a	"EGD connection failed or EGD did not return "
4615	n/a	"enough data to seed the PRNG");
4616	n/a	return NULL;
4617	n/a	}
4618	n/a	return PyLong_FromLong(bytes);
4619	n/a	}
4620	n/a	/* LCOV_EXCL_STOP */
4621	n/a	#endif /* OPENSSL_NO_EGD */
4622	n/a
4623	n/a
4624	n/a
4625	n/a	/*[clinic input]
4626	n/a	_ssl.get_default_verify_paths
4627	n/a
4628	n/a	Return search paths and environment vars that are used by SSLContext's set_default_verify_paths() to load default CAs.
4629	n/a
4630	n/a	The values are 'cert_file_env', 'cert_file', 'cert_dir_env', 'cert_dir'.
4631	n/a	[clinic start generated code]*/
4632	n/a
4633	n/a	static PyObject *
4634	n/a	_ssl_get_default_verify_paths_impl(PyObject *module)
4635	n/a	/[clinic end generated code: output=e5b62a466271928b input=5210c953d98c3eb5]/
4636	n/a	{
4637	n/a	PyObject *ofile_env = NULL;
4638	n/a	PyObject *ofile = NULL;
4639	n/a	PyObject *odir_env = NULL;
4640	n/a	PyObject *odir = NULL;
4641	n/a
4642	n/a	#define CONVERT(info, target) { \
4643	n/a	const char *tmp = (info); \
4644	n/a	target = NULL; \
4645	n/a	if (!tmp) { Py_INCREF(Py_None); target = Py_None; } \
4646	n/a	else if ((target = PyUnicode_DecodeFSDefault(tmp)) == NULL) { \
4647	n/a	target = PyBytes_FromString(tmp); } \
4648	n/a	if (!target) goto error; \
4649	n/a	}
4650	n/a
4651	n/a	CONVERT(X509_get_default_cert_file_env(), ofile_env);
4652	n/a	CONVERT(X509_get_default_cert_file(), ofile);
4653	n/a	CONVERT(X509_get_default_cert_dir_env(), odir_env);
4654	n/a	CONVERT(X509_get_default_cert_dir(), odir);
4655	n/a	#undef CONVERT
4656	n/a
4657	n/a	return Py_BuildValue("NNNN", ofile_env, ofile, odir_env, odir);
4658	n/a
4659	n/a	error:
4660	n/a	Py_XDECREF(ofile_env);
4661	n/a	Py_XDECREF(ofile);
4662	n/a	Py_XDECREF(odir_env);
4663	n/a	Py_XDECREF(odir);
4664	n/a	return NULL;
4665	n/a	}
4666	n/a
4667	n/a	static PyObject*
4668	n/a	asn1obj2py(ASN1_OBJECT *obj)
4669	n/a	{
4670	n/a	int nid;
4671	n/a	const char ln, sn;
4672	n/a	char buf[100];
4673	n/a	Py_ssize_t buflen;
4674	n/a
4675	n/a	nid = OBJ_obj2nid(obj);
4676	n/a	if (nid == NID_undef) {
4677	n/a	PyErr_Format(PyExc_ValueError, "Unknown object");
4678	n/a	return NULL;
4679	n/a	}
4680	n/a	sn = OBJ_nid2sn(nid);
4681	n/a	ln = OBJ_nid2ln(nid);
4682	n/a	buflen = OBJ_obj2txt(buf, sizeof(buf), obj, 1);
4683	n/a	if (buflen < 0) {
4684	n/a	_setSSLError(NULL, 0, __FILE__, __LINE__);
4685	n/a	return NULL;
4686	n/a	}
4687	n/a	if (buflen) {
4688	n/a	return Py_BuildValue("isss#", nid, sn, ln, buf, buflen);
4689	n/a	} else {
4690	n/a	return Py_BuildValue("issO", nid, sn, ln, Py_None);
4691	n/a	}
4692	n/a	}
4693	n/a
4694	n/a	/*[clinic input]
4695	n/a	_ssl.txt2obj
4696	n/a	txt: str
4697	n/a	name: bool = False
4698	n/a
4699	n/a	Lookup NID, short name, long name and OID of an ASN1_OBJECT.
4700	n/a
4701	n/a	By default objects are looked up by OID. With name=True short and
4702	n/a	long name are also matched.
4703	n/a	[clinic start generated code]*/
4704	n/a
4705	n/a	static PyObject *
4706	n/a	_ssl_txt2obj_impl(PyObject module, const char txt, int name)
4707	n/a	/[clinic end generated code: output=c38e3991347079c1 input=1c1e7d0aa7c48602]/
4708	n/a	{
4709	n/a	PyObject *result = NULL;
4710	n/a	ASN1_OBJECT *obj;
4711	n/a
4712	n/a	obj = OBJ_txt2obj(txt, name ? 0 : 1);
4713	n/a	if (obj == NULL) {
4714	n/a	PyErr_Format(PyExc_ValueError, "unknown object '%.100s'", txt);
4715	n/a	return NULL;
4716	n/a	}
4717	n/a	result = asn1obj2py(obj);
4718	n/a	ASN1_OBJECT_free(obj);
4719	n/a	return result;
4720	n/a	}
4721	n/a
4722	n/a	/*[clinic input]
4723	n/a	_ssl.nid2obj
4724	n/a	nid: int
4725	n/a	/
4726	n/a
4727	n/a	Lookup NID, short name, long name and OID of an ASN1_OBJECT by NID.
4728	n/a	[clinic start generated code]*/
4729	n/a
4730	n/a	static PyObject *
4731	n/a	_ssl_nid2obj_impl(PyObject *module, int nid)
4732	n/a	/[clinic end generated code: output=4a98ab691cd4f84a input=51787a3bee7d8f98]/
4733	n/a	{
4734	n/a	PyObject *result = NULL;
4735	n/a	ASN1_OBJECT *obj;
4736	n/a
4737	n/a	if (nid < NID_undef) {
4738	n/a	PyErr_SetString(PyExc_ValueError, "NID must be positive.");
4739	n/a	return NULL;
4740	n/a	}
4741	n/a	obj = OBJ_nid2obj(nid);
4742	n/a	if (obj == NULL) {
4743	n/a	PyErr_Format(PyExc_ValueError, "unknown NID %i", nid);
4744	n/a	return NULL;
4745	n/a	}
4746	n/a	result = asn1obj2py(obj);
4747	n/a	ASN1_OBJECT_free(obj);
4748	n/a	return result;
4749	n/a	}
4750	n/a
4751	n/a	#ifdef _MSC_VER
4752	n/a
4753	n/a	static PyObject*
4754	n/a	certEncodingType(DWORD encodingType)
4755	n/a	{
4756	n/a	static PyObject *x509_asn = NULL;
4757	n/a	static PyObject *pkcs_7_asn = NULL;
4758	n/a
4759	n/a	if (x509_asn == NULL) {
4760	n/a	x509_asn = PyUnicode_InternFromString("x509_asn");
4761	n/a	if (x509_asn == NULL)
4762	n/a	return NULL;
4763	n/a	}
4764	n/a	if (pkcs_7_asn == NULL) {
4765	n/a	pkcs_7_asn = PyUnicode_InternFromString("pkcs_7_asn");
4766	n/a	if (pkcs_7_asn == NULL)
4767	n/a	return NULL;
4768	n/a	}
4769	n/a	switch(encodingType) {
4770	n/a	case X509_ASN_ENCODING:
4771	n/a	Py_INCREF(x509_asn);
4772	n/a	return x509_asn;
4773	n/a	case PKCS_7_ASN_ENCODING:
4774	n/a	Py_INCREF(pkcs_7_asn);
4775	n/a	return pkcs_7_asn;
4776	n/a	default:
4777	n/a	return PyLong_FromLong(encodingType);
4778	n/a	}
4779	n/a	}
4780	n/a
4781	n/a	static PyObject*
4782	n/a	parseKeyUsage(PCCERT_CONTEXT pCertCtx, DWORD flags)
4783	n/a	{
4784	n/a	CERT_ENHKEY_USAGE *usage;
4785	n/a	DWORD size, error, i;
4786	n/a	PyObject *retval;
4787	n/a
4788	n/a	if (!CertGetEnhancedKeyUsage(pCertCtx, flags, NULL, &size)) {
4789	n/a	error = GetLastError();
4790	n/a	if (error == CRYPT_E_NOT_FOUND) {
4791	n/a	Py_RETURN_TRUE;
4792	n/a	}
4793	n/a	return PyErr_SetFromWindowsErr(error);
4794	n/a	}
4795	n/a
4796	n/a	usage = (CERT_ENHKEY_USAGE*)PyMem_Malloc(size);
4797	n/a	if (usage == NULL) {
4798	n/a	return PyErr_NoMemory();
4799	n/a	}
4800	n/a
4801	n/a	/* Now get the actual enhanced usage property */
4802	n/a	if (!CertGetEnhancedKeyUsage(pCertCtx, flags, usage, &size)) {
4803	n/a	PyMem_Free(usage);
4804	n/a	error = GetLastError();
4805	n/a	if (error == CRYPT_E_NOT_FOUND) {
4806	n/a	Py_RETURN_TRUE;
4807	n/a	}
4808	n/a	return PyErr_SetFromWindowsErr(error);
4809	n/a	}
4810	n/a	retval = PySet_New(NULL);
4811	n/a	if (retval == NULL) {
4812	n/a	goto error;
4813	n/a	}
4814	n/a	for (i = 0; i < usage->cUsageIdentifier; ++i) {
4815	n/a	if (usage->rgpszUsageIdentifier[i]) {
4816	n/a	PyObject *oid;
4817	n/a	int err;
4818	n/a	oid = PyUnicode_FromString(usage->rgpszUsageIdentifier[i]);
4819	n/a	if (oid == NULL) {
4820	n/a	Py_CLEAR(retval);
4821	n/a	goto error;
4822	n/a	}
4823	n/a	err = PySet_Add(retval, oid);
4824	n/a	Py_DECREF(oid);
4825	n/a	if (err == -1) {
4826	n/a	Py_CLEAR(retval);
4827	n/a	goto error;
4828	n/a	}
4829	n/a	}
4830	n/a	}
4831	n/a	error:
4832	n/a	PyMem_Free(usage);
4833	n/a	return retval;
4834	n/a	}
4835	n/a
4836	n/a	/*[clinic input]
4837	n/a	_ssl.enum_certificates
4838	n/a	store_name: str
4839	n/a
4840	n/a	Retrieve certificates from Windows' cert store.
4841	n/a
4842	n/a	store_name may be one of 'CA', 'ROOT' or 'MY'. The system may provide
4843	n/a	more cert storages, too. The function returns a list of (bytes,
4844	n/a	encoding_type, trust) tuples. The encoding_type flag can be interpreted
4845	n/a	with X509_ASN_ENCODING or PKCS_7_ASN_ENCODING. The trust setting is either
4846	n/a	a set of OIDs or the boolean True.
4847	n/a	[clinic start generated code]*/
4848	n/a
4849	n/a	static PyObject *
4850	n/a	_ssl_enum_certificates_impl(PyObject module, const char store_name)
4851	n/a	/[clinic end generated code: output=5134dc8bb3a3c893 input=915f60d70461ea4e]/
4852	n/a	{
4853	n/a	HCERTSTORE hStore = NULL;
4854	n/a	PCCERT_CONTEXT pCertCtx = NULL;
4855	n/a	PyObject keyusage = NULL, cert = NULL, enc = NULL, tup = NULL;
4856	n/a	PyObject *result = NULL;
4857	n/a
4858	n/a	result = PyList_New(0);
4859	n/a	if (result == NULL) {
4860	n/a	return NULL;
4861	n/a	}
4862	n/a	hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, (HCRYPTPROV)NULL,
4863	n/a	CERT_STORE_READONLY_FLAG \| CERT_SYSTEM_STORE_LOCAL_MACHINE,
4864	n/a	store_name);
4865	n/a	if (hStore == NULL) {
4866	n/a	Py_DECREF(result);
4867	n/a	return PyErr_SetFromWindowsErr(GetLastError());
4868	n/a	}
4869	n/a
4870	n/a	while (pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx)) {
4871	n/a	cert = PyBytes_FromStringAndSize((const char*)pCertCtx->pbCertEncoded,
4872	n/a	pCertCtx->cbCertEncoded);
4873	n/a	if (!cert) {
4874	n/a	Py_CLEAR(result);
4875	n/a	break;
4876	n/a	}
4877	n/a	if ((enc = certEncodingType(pCertCtx->dwCertEncodingType)) == NULL) {
4878	n/a	Py_CLEAR(result);
4879	n/a	break;
4880	n/a	}
4881	n/a	keyusage = parseKeyUsage(pCertCtx, CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG);
4882	n/a	if (keyusage == Py_True) {
4883	n/a	Py_DECREF(keyusage);
4884	n/a	keyusage = parseKeyUsage(pCertCtx, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG);
4885	n/a	}
4886	n/a	if (keyusage == NULL) {
4887	n/a	Py_CLEAR(result);
4888	n/a	break;
4889	n/a	}
4890	n/a	if ((tup = PyTuple_New(3)) == NULL) {
4891	n/a	Py_CLEAR(result);
4892	n/a	break;
4893	n/a	}
4894	n/a	PyTuple_SET_ITEM(tup, 0, cert);
4895	n/a	cert = NULL;
4896	n/a	PyTuple_SET_ITEM(tup, 1, enc);
4897	n/a	enc = NULL;
4898	n/a	PyTuple_SET_ITEM(tup, 2, keyusage);
4899	n/a	keyusage = NULL;
4900	n/a	if (PyList_Append(result, tup) < 0) {
4901	n/a	Py_CLEAR(result);
4902	n/a	break;
4903	n/a	}
4904	n/a	Py_CLEAR(tup);
4905	n/a	}
4906	n/a	if (pCertCtx) {
4907	n/a	/* loop ended with an error, need to clean up context manually */
4908	n/a	CertFreeCertificateContext(pCertCtx);
4909	n/a	}
4910	n/a
4911	n/a	/* In error cases cert, enc and tup may not be NULL */
4912	n/a	Py_XDECREF(cert);
4913	n/a	Py_XDECREF(enc);
4914	n/a	Py_XDECREF(keyusage);
4915	n/a	Py_XDECREF(tup);
4916	n/a
4917	n/a	if (!CertCloseStore(hStore, 0)) {
4918	n/a	/* This error case might shadow another exception.*/
4919	n/a	Py_XDECREF(result);
4920	n/a	return PyErr_SetFromWindowsErr(GetLastError());
4921	n/a	}
4922	n/a	return result;
4923	n/a	}
4924	n/a
4925	n/a	/*[clinic input]
4926	n/a	_ssl.enum_crls
4927	n/a	store_name: str
4928	n/a
4929	n/a	Retrieve CRLs from Windows' cert store.
4930	n/a
4931	n/a	store_name may be one of 'CA', 'ROOT' or 'MY'. The system may provide
4932	n/a	more cert storages, too. The function returns a list of (bytes,
4933	n/a	encoding_type) tuples. The encoding_type flag can be interpreted with
4934	n/a	X509_ASN_ENCODING or PKCS_7_ASN_ENCODING.
4935	n/a	[clinic start generated code]*/
4936	n/a
4937	n/a	static PyObject *
4938	n/a	_ssl_enum_crls_impl(PyObject module, const char store_name)
4939	n/a	/[clinic end generated code: output=bce467f60ccd03b6 input=a1f1d7629f1c5d3d]/
4940	n/a	{
4941	n/a	HCERTSTORE hStore = NULL;
4942	n/a	PCCRL_CONTEXT pCrlCtx = NULL;
4943	n/a	PyObject crl = NULL, enc = NULL, *tup = NULL;
4944	n/a	PyObject *result = NULL;
4945	n/a
4946	n/a	result = PyList_New(0);
4947	n/a	if (result == NULL) {
4948	n/a	return NULL;
4949	n/a	}
4950	n/a	hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, (HCRYPTPROV)NULL,
4951	n/a	CERT_STORE_READONLY_FLAG \| CERT_SYSTEM_STORE_LOCAL_MACHINE,
4952	n/a	store_name);
4953	n/a	if (hStore == NULL) {
4954	n/a	Py_DECREF(result);
4955	n/a	return PyErr_SetFromWindowsErr(GetLastError());
4956	n/a	}
4957	n/a
4958	n/a	while (pCrlCtx = CertEnumCRLsInStore(hStore, pCrlCtx)) {
4959	n/a	crl = PyBytes_FromStringAndSize((const char*)pCrlCtx->pbCrlEncoded,
4960	n/a	pCrlCtx->cbCrlEncoded);
4961	n/a	if (!crl) {
4962	n/a	Py_CLEAR(result);
4963	n/a	break;
4964	n/a	}
4965	n/a	if ((enc = certEncodingType(pCrlCtx->dwCertEncodingType)) == NULL) {
4966	n/a	Py_CLEAR(result);
4967	n/a	break;
4968	n/a	}
4969	n/a	if ((tup = PyTuple_New(2)) == NULL) {
4970	n/a	Py_CLEAR(result);
4971	n/a	break;
4972	n/a	}
4973	n/a	PyTuple_SET_ITEM(tup, 0, crl);
4974	n/a	crl = NULL;
4975	n/a	PyTuple_SET_ITEM(tup, 1, enc);
4976	n/a	enc = NULL;
4977	n/a
4978	n/a	if (PyList_Append(result, tup) < 0) {
4979	n/a	Py_CLEAR(result);
4980	n/a	break;
4981	n/a	}
4982	n/a	Py_CLEAR(tup);
4983	n/a	}
4984	n/a	if (pCrlCtx) {
4985	n/a	/* loop ended with an error, need to clean up context manually */
4986	n/a	CertFreeCRLContext(pCrlCtx);
4987	n/a	}
4988	n/a
4989	n/a	/* In error cases cert, enc and tup may not be NULL */
4990	n/a	Py_XDECREF(crl);
4991	n/a	Py_XDECREF(enc);
4992	n/a	Py_XDECREF(tup);
4993	n/a
4994	n/a	if (!CertCloseStore(hStore, 0)) {
4995	n/a	/* This error case might shadow another exception.*/
4996	n/a	Py_XDECREF(result);
4997	n/a	return PyErr_SetFromWindowsErr(GetLastError());
4998	n/a	}
4999	n/a	return result;
5000	n/a	}
5001	n/a
5002	n/a	#endif /* _MSC_VER */
5003	n/a
5004	n/a	/* List of functions exported by this module. */
5005	n/a	static PyMethodDef PySSL_methods[] = {
5006	n/a	_SSL__TEST_DECODE_CERT_METHODDEF
5007	n/a	_SSL_RAND_ADD_METHODDEF
5008	n/a	_SSL_RAND_BYTES_METHODDEF
5009	n/a	_SSL_RAND_PSEUDO_BYTES_METHODDEF
5010	n/a	_SSL_RAND_EGD_METHODDEF
5011	n/a	_SSL_RAND_STATUS_METHODDEF
5012	n/a	_SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF
5013	n/a	_SSL_ENUM_CERTIFICATES_METHODDEF
5014	n/a	_SSL_ENUM_CRLS_METHODDEF
5015	n/a	_SSL_TXT2OBJ_METHODDEF
5016	n/a	_SSL_NID2OBJ_METHODDEF
5017	n/a	{NULL, NULL} /* Sentinel */
5018	n/a	};
5019	n/a
5020	n/a
5021	n/a	#ifdef HAVE_OPENSSL_CRYPTO_LOCK
5022	n/a
5023	n/a	/* an implementation of OpenSSL threading operations in terms
5024	n/a	* of the Python C thread library
5025	n/a	* Only used up to 1.0.2. OpenSSL 1.1.0+ has its own locking code.
5026	n/a	*/
5027	n/a
5028	n/a	static PyThread_type_lock *_ssl_locks = NULL;
5029	n/a
5030	n/a	#if OPENSSL_VERSION_NUMBER >= 0x10000000
5031	n/a	/* use new CRYPTO_THREADID API. */
5032	n/a	static void
5033	n/a	_ssl_threadid_callback(CRYPTO_THREADID *id)
5034	n/a	{
5035	n/a	CRYPTO_THREADID_set_numeric(id,
5036	n/a	(unsigned long)PyThread_get_thread_ident());
5037	n/a	}
5038	n/a	#else
5039	n/a	/* deprecated CRYPTO_set_id_callback() API. */
5040	n/a	static unsigned long
5041	n/a	_ssl_thread_id_function (void) {
5042	n/a	return PyThread_get_thread_ident();
5043	n/a	}
5044	n/a	#endif
5045	n/a
5046	n/a	static void _ssl_thread_locking_function
5047	n/a	(int mode, int n, const char *file, int line) {
5048	n/a	/* this function is needed to perform locking on shared data
5049	n/a	structures. (Note that OpenSSL uses a number of global data
5050	n/a	structures that will be implicitly shared whenever multiple
5051	n/a	threads use OpenSSL.) Multi-threaded applications will
5052	n/a	crash at random if it is not set.
5053	n/a
5054	n/a	locking_function() must be able to handle up to
5055	n/a	CRYPTO_num_locks() different mutex locks. It sets the n-th
5056	n/a	lock if mode & CRYPTO_LOCK, and releases it otherwise.
5057	n/a
5058	n/a	file and line are the file number of the function setting the
5059	n/a	lock. They can be useful for debugging.
5060	n/a	*/
5061	n/a
5062	n/a	if ((_ssl_locks == NULL) \|\|
5063	n/a	(n < 0) \|\| ((unsigned)n >= _ssl_locks_count))
5064	n/a	return;
5065	n/a
5066	n/a	if (mode & CRYPTO_LOCK) {
5067	n/a	PyThread_acquire_lock(_ssl_locks[n], 1);
5068	n/a	} else {
5069	n/a	PyThread_release_lock(_ssl_locks[n]);
5070	n/a	}
5071	n/a	}
5072	n/a
5073	n/a	static int _setup_ssl_threads(void) {
5074	n/a
5075	n/a	unsigned int i;
5076	n/a
5077	n/a	if (_ssl_locks == NULL) {
5078	n/a	_ssl_locks_count = CRYPTO_num_locks();
5079	n/a	_ssl_locks = PyMem_Calloc(_ssl_locks_count,
5080	n/a	sizeof(PyThread_type_lock));
5081	n/a	if (_ssl_locks == NULL) {
5082	n/a	PyErr_NoMemory();
5083	n/a	return 0;
5084	n/a	}
5085	n/a	for (i = 0; i < _ssl_locks_count; i++) {
5086	n/a	_ssl_locks[i] = PyThread_allocate_lock();
5087	n/a	if (_ssl_locks[i] == NULL) {
5088	n/a	unsigned int j;
5089	n/a	for (j = 0; j < i; j++) {
5090	n/a	PyThread_free_lock(_ssl_locks[j]);
5091	n/a	}
5092	n/a	PyMem_Free(_ssl_locks);
5093	n/a	return 0;
5094	n/a	}
5095	n/a	}
5096	n/a	CRYPTO_set_locking_callback(_ssl_thread_locking_function);
5097	n/a	#if OPENSSL_VERSION_NUMBER >= 0x10000000
5098	n/a	CRYPTO_THREADID_set_callback(_ssl_threadid_callback);
5099	n/a	#else
5100	n/a	CRYPTO_set_id_callback(_ssl_thread_id_function);
5101	n/a	#endif
5102	n/a	}
5103	n/a	return 1;
5104	n/a	}
5105	n/a
5106	n/a	#endif /* HAVE_OPENSSL_CRYPTO_LOCK for WITH_THREAD && OpenSSL < 1.1.0 */
5107	n/a
5108	n/a	PyDoc_STRVAR(module_doc,
5109	n/a	"Implementation module for SSL socket operations. See the socket module\n\
5110	n/a	for documentation.");
5111	n/a
5112	n/a
5113	n/a	static struct PyModuleDef _sslmodule = {
5114	n/a	PyModuleDef_HEAD_INIT,
5115	n/a	"_ssl",
5116	n/a	module_doc,
5117	n/a	-1,
5118	n/a	PySSL_methods,
5119	n/a	NULL,
5120	n/a	NULL,
5121	n/a	NULL,
5122	n/a	NULL
5123	n/a	};
5124	n/a
5125	n/a
5126	n/a	static void
5127	n/a	parse_openssl_version(unsigned long libver,
5128	n/a	unsigned int major, unsigned int minor,
5129	n/a	unsigned int fix, unsigned int patch,
5130	n/a	unsigned int *status)
5131	n/a	{
5132	n/a	*status = libver & 0xF;
5133	n/a	libver >>= 4;
5134	n/a	*patch = libver & 0xFF;
5135	n/a	libver >>= 8;
5136	n/a	*fix = libver & 0xFF;
5137	n/a	libver >>= 8;
5138	n/a	*minor = libver & 0xFF;
5139	n/a	libver >>= 8;
5140	n/a	*major = libver & 0xFF;
5141	n/a	}
5142	n/a
5143	n/a	PyMODINIT_FUNC
5144	n/a	PyInit__ssl(void)
5145	n/a	{
5146	n/a	PyObject m, d, *r;
5147	n/a	unsigned long libver;
5148	n/a	unsigned int major, minor, fix, patch, status;
5149	n/a	PySocketModule_APIObject *socket_api;
5150	n/a	struct py_ssl_error_code *errcode;
5151	n/a	struct py_ssl_library_code *libcode;
5152	n/a
5153	n/a	if (PyType_Ready(&PySSLContext_Type) < 0)
5154	n/a	return NULL;
5155	n/a	if (PyType_Ready(&PySSLSocket_Type) < 0)
5156	n/a	return NULL;
5157	n/a	if (PyType_Ready(&PySSLMemoryBIO_Type) < 0)
5158	n/a	return NULL;
5159	n/a	if (PyType_Ready(&PySSLSession_Type) < 0)
5160	n/a	return NULL;
5161	n/a
5162	n/a
5163	n/a	m = PyModule_Create(&_sslmodule);
5164	n/a	if (m == NULL)
5165	n/a	return NULL;
5166	n/a	d = PyModule_GetDict(m);
5167	n/a
5168	n/a	/* Load _socket module and its C API */
5169	n/a	socket_api = PySocketModule_ImportModuleAndAPI();
5170	n/a	if (!socket_api)
5171	n/a	return NULL;
5172	n/a	PySocketModule = *socket_api;
5173	n/a
5174	n/a	/* Init OpenSSL */
5175	n/a	SSL_load_error_strings();
5176	n/a	SSL_library_init();
5177	n/a	#ifdef WITH_THREAD
5178	n/a	#ifdef HAVE_OPENSSL_CRYPTO_LOCK
5179	n/a	/* note that this will start threading if not already started */
5180	n/a	if (!_setup_ssl_threads()) {
5181	n/a	return NULL;
5182	n/a	}
5183	n/a	#elif OPENSSL_VERSION_1_1 && defined(OPENSSL_THREADS)
5184	n/a	/* OpenSSL 1.1.0 builtin thread support is enabled */
5185	n/a	_ssl_locks_count++;
5186	n/a	#endif
5187	n/a	#endif /* WITH_THREAD */
5188	n/a	OpenSSL_add_all_algorithms();
5189	n/a
5190	n/a	/* Add symbols to module dict */
5191	n/a	sslerror_type_slots[0].pfunc = PyExc_OSError;
5192	n/a	PySSLErrorObject = PyType_FromSpec(&sslerror_type_spec);
5193	n/a	if (PySSLErrorObject == NULL)
5194	n/a	return NULL;
5195	n/a
5196	n/a	PySSLZeroReturnErrorObject = PyErr_NewExceptionWithDoc(
5197	n/a	"ssl.SSLZeroReturnError", SSLZeroReturnError_doc,
5198	n/a	PySSLErrorObject, NULL);
5199	n/a	PySSLWantReadErrorObject = PyErr_NewExceptionWithDoc(
5200	n/a	"ssl.SSLWantReadError", SSLWantReadError_doc,
5201	n/a	PySSLErrorObject, NULL);
5202	n/a	PySSLWantWriteErrorObject = PyErr_NewExceptionWithDoc(
5203	n/a	"ssl.SSLWantWriteError", SSLWantWriteError_doc,
5204	n/a	PySSLErrorObject, NULL);
5205	n/a	PySSLSyscallErrorObject = PyErr_NewExceptionWithDoc(
5206	n/a	"ssl.SSLSyscallError", SSLSyscallError_doc,
5207	n/a	PySSLErrorObject, NULL);
5208	n/a	PySSLEOFErrorObject = PyErr_NewExceptionWithDoc(
5209	n/a	"ssl.SSLEOFError", SSLEOFError_doc,
5210	n/a	PySSLErrorObject, NULL);
5211	n/a	if (PySSLZeroReturnErrorObject == NULL
5212	n/a	\|\| PySSLWantReadErrorObject == NULL
5213	n/a	\|\| PySSLWantWriteErrorObject == NULL
5214	n/a	\|\| PySSLSyscallErrorObject == NULL
5215	n/a	\|\| PySSLEOFErrorObject == NULL)
5216	n/a	return NULL;
5217	n/a	if (PyDict_SetItemString(d, "SSLError", PySSLErrorObject) != 0
5218	n/a	\|\| PyDict_SetItemString(d, "SSLZeroReturnError", PySSLZeroReturnErrorObject) != 0
5219	n/a	\|\| PyDict_SetItemString(d, "SSLWantReadError", PySSLWantReadErrorObject) != 0
5220	n/a	\|\| PyDict_SetItemString(d, "SSLWantWriteError", PySSLWantWriteErrorObject) != 0
5221	n/a	\|\| PyDict_SetItemString(d, "SSLSyscallError", PySSLSyscallErrorObject) != 0
5222	n/a	\|\| PyDict_SetItemString(d, "SSLEOFError", PySSLEOFErrorObject) != 0)
5223	n/a	return NULL;
5224	n/a	if (PyDict_SetItemString(d, "_SSLContext",
5225	n/a	(PyObject *)&PySSLContext_Type) != 0)
5226	n/a	return NULL;
5227	n/a	if (PyDict_SetItemString(d, "_SSLSocket",
5228	n/a	(PyObject *)&PySSLSocket_Type) != 0)
5229	n/a	return NULL;
5230	n/a	if (PyDict_SetItemString(d, "MemoryBIO",
5231	n/a	(PyObject *)&PySSLMemoryBIO_Type) != 0)
5232	n/a	return NULL;
5233	n/a	if (PyDict_SetItemString(d, "SSLSession",
5234	n/a	(PyObject *)&PySSLSession_Type) != 0)
5235	n/a	return NULL;
5236	n/a
5237	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
5238	n/a	PY_SSL_ERROR_ZERO_RETURN);
5239	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
5240	n/a	PY_SSL_ERROR_WANT_READ);
5241	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
5242	n/a	PY_SSL_ERROR_WANT_WRITE);
5243	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
5244	n/a	PY_SSL_ERROR_WANT_X509_LOOKUP);
5245	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
5246	n/a	PY_SSL_ERROR_SYSCALL);
5247	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
5248	n/a	PY_SSL_ERROR_SSL);
5249	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
5250	n/a	PY_SSL_ERROR_WANT_CONNECT);
5251	n/a	/* non ssl.h errorcodes */
5252	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
5253	n/a	PY_SSL_ERROR_EOF);
5254	n/a	PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
5255	n/a	PY_SSL_ERROR_INVALID_ERROR_CODE);
5256	n/a	/* cert requirements */
5257	n/a	PyModule_AddIntConstant(m, "CERT_NONE",
5258	n/a	PY_SSL_CERT_NONE);
5259	n/a	PyModule_AddIntConstant(m, "CERT_OPTIONAL",
5260	n/a	PY_SSL_CERT_OPTIONAL);
5261	n/a	PyModule_AddIntConstant(m, "CERT_REQUIRED",
5262	n/a	PY_SSL_CERT_REQUIRED);
5263	n/a	/* CRL verification for verification_flags */
5264	n/a	PyModule_AddIntConstant(m, "VERIFY_DEFAULT",
5265	n/a	0);
5266	n/a	PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_LEAF",
5267	n/a	X509_V_FLAG_CRL_CHECK);
5268	n/a	PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_CHAIN",
5269	n/a	X509_V_FLAG_CRL_CHECK\|X509_V_FLAG_CRL_CHECK_ALL);
5270	n/a	PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
5271	n/a	X509_V_FLAG_X509_STRICT);
5272	n/a	#ifdef X509_V_FLAG_TRUSTED_FIRST
5273	n/a	PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
5274	n/a	X509_V_FLAG_TRUSTED_FIRST);
5275	n/a	#endif
5276	n/a
5277	n/a	/* Alert Descriptions from ssl.h */
5278	n/a	/* note RESERVED constants no longer intended for use have been removed */
5279	n/a	/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */
5280	n/a
5281	n/a	#define ADD_AD_CONSTANT(s) \
5282	n/a	PyModule_AddIntConstant(m, "ALERT_DESCRIPTION_"#s, \
5283	n/a	SSL_AD_##s)
5284	n/a
5285	n/a	ADD_AD_CONSTANT(CLOSE_NOTIFY);
5286	n/a	ADD_AD_CONSTANT(UNEXPECTED_MESSAGE);
5287	n/a	ADD_AD_CONSTANT(BAD_RECORD_MAC);
5288	n/a	ADD_AD_CONSTANT(RECORD_OVERFLOW);
5289	n/a	ADD_AD_CONSTANT(DECOMPRESSION_FAILURE);
5290	n/a	ADD_AD_CONSTANT(HANDSHAKE_FAILURE);
5291	n/a	ADD_AD_CONSTANT(BAD_CERTIFICATE);
5292	n/a	ADD_AD_CONSTANT(UNSUPPORTED_CERTIFICATE);
5293	n/a	ADD_AD_CONSTANT(CERTIFICATE_REVOKED);
5294	n/a	ADD_AD_CONSTANT(CERTIFICATE_EXPIRED);
5295	n/a	ADD_AD_CONSTANT(CERTIFICATE_UNKNOWN);
5296	n/a	ADD_AD_CONSTANT(ILLEGAL_PARAMETER);
5297	n/a	ADD_AD_CONSTANT(UNKNOWN_CA);
5298	n/a	ADD_AD_CONSTANT(ACCESS_DENIED);
5299	n/a	ADD_AD_CONSTANT(DECODE_ERROR);
5300	n/a	ADD_AD_CONSTANT(DECRYPT_ERROR);
5301	n/a	ADD_AD_CONSTANT(PROTOCOL_VERSION);
5302	n/a	ADD_AD_CONSTANT(INSUFFICIENT_SECURITY);
5303	n/a	ADD_AD_CONSTANT(INTERNAL_ERROR);
5304	n/a	ADD_AD_CONSTANT(USER_CANCELLED);
5305	n/a	ADD_AD_CONSTANT(NO_RENEGOTIATION);
5306	n/a	/* Not all constants are in old OpenSSL versions */
5307	n/a	#ifdef SSL_AD_UNSUPPORTED_EXTENSION
5308	n/a	ADD_AD_CONSTANT(UNSUPPORTED_EXTENSION);
5309	n/a	#endif
5310	n/a	#ifdef SSL_AD_CERTIFICATE_UNOBTAINABLE
5311	n/a	ADD_AD_CONSTANT(CERTIFICATE_UNOBTAINABLE);
5312	n/a	#endif
5313	n/a	#ifdef SSL_AD_UNRECOGNIZED_NAME
5314	n/a	ADD_AD_CONSTANT(UNRECOGNIZED_NAME);
5315	n/a	#endif
5316	n/a	#ifdef SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
5317	n/a	ADD_AD_CONSTANT(BAD_CERTIFICATE_STATUS_RESPONSE);
5318	n/a	#endif
5319	n/a	#ifdef SSL_AD_BAD_CERTIFICATE_HASH_VALUE
5320	n/a	ADD_AD_CONSTANT(BAD_CERTIFICATE_HASH_VALUE);
5321	n/a	#endif
5322	n/a	#ifdef SSL_AD_UNKNOWN_PSK_IDENTITY
5323	n/a	ADD_AD_CONSTANT(UNKNOWN_PSK_IDENTITY);
5324	n/a	#endif
5325	n/a
5326	n/a	#undef ADD_AD_CONSTANT
5327	n/a
5328	n/a	/* protocol versions */
5329	n/a	#ifndef OPENSSL_NO_SSL2
5330	n/a	PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
5331	n/a	PY_SSL_VERSION_SSL2);
5332	n/a	#endif
5333	n/a	#ifndef OPENSSL_NO_SSL3
5334	n/a	PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
5335	n/a	PY_SSL_VERSION_SSL3);
5336	n/a	#endif
5337	n/a	PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
5338	n/a	PY_SSL_VERSION_TLS);
5339	n/a	PyModule_AddIntConstant(m, "PROTOCOL_TLS",
5340	n/a	PY_SSL_VERSION_TLS);
5341	n/a	PyModule_AddIntConstant(m, "PROTOCOL_TLS_CLIENT",
5342	n/a	PY_SSL_VERSION_TLS_CLIENT);
5343	n/a	PyModule_AddIntConstant(m, "PROTOCOL_TLS_SERVER",
5344	n/a	PY_SSL_VERSION_TLS_SERVER);
5345	n/a	PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
5346	n/a	PY_SSL_VERSION_TLS1);
5347	n/a	#if HAVE_TLSv1_2
5348	n/a	PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_1",
5349	n/a	PY_SSL_VERSION_TLS1_1);
5350	n/a	PyModule_AddIntConstant(m, "PROTOCOL_TLSv1_2",
5351	n/a	PY_SSL_VERSION_TLS1_2);
5352	n/a	#endif
5353	n/a
5354	n/a	/* protocol options */
5355	n/a	PyModule_AddIntConstant(m, "OP_ALL",
5356	n/a	SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
5357	n/a	PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
5358	n/a	PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
5359	n/a	PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
5360	n/a	#if HAVE_TLSv1_2
5361	n/a	PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
5362	n/a	PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
5363	n/a	#endif
5364	n/a	PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
5365	n/a	SSL_OP_CIPHER_SERVER_PREFERENCE);
5366	n/a	PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
5367	n/a	PyModule_AddIntConstant(m, "OP_NO_TICKET", SSL_OP_NO_TICKET);
5368	n/a	#ifdef SSL_OP_SINGLE_ECDH_USE
5369	n/a	PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
5370	n/a	#endif
5371	n/a	#ifdef SSL_OP_NO_COMPRESSION
5372	n/a	PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
5373	n/a	SSL_OP_NO_COMPRESSION);
5374	n/a	#endif
5375	n/a
5376	n/a	#if HAVE_SNI
5377	n/a	r = Py_True;
5378	n/a	#else
5379	n/a	r = Py_False;
5380	n/a	#endif
5381	n/a	Py_INCREF(r);
5382	n/a	PyModule_AddObject(m, "HAS_SNI", r);
5383	n/a
5384	n/a	r = Py_True;
5385	n/a	Py_INCREF(r);
5386	n/a	PyModule_AddObject(m, "HAS_TLS_UNIQUE", r);
5387	n/a
5388	n/a	#ifdef OPENSSL_NO_ECDH
5389	n/a	r = Py_False;
5390	n/a	#else
5391	n/a	r = Py_True;
5392	n/a	#endif
5393	n/a	Py_INCREF(r);
5394	n/a	PyModule_AddObject(m, "HAS_ECDH", r);
5395	n/a
5396	n/a	#ifdef OPENSSL_NPN_NEGOTIATED
5397	n/a	r = Py_True;
5398	n/a	#else
5399	n/a	r = Py_False;
5400	n/a	#endif
5401	n/a	Py_INCREF(r);
5402	n/a	PyModule_AddObject(m, "HAS_NPN", r);
5403	n/a
5404	n/a	#ifdef HAVE_ALPN
5405	n/a	r = Py_True;
5406	n/a	#else
5407	n/a	r = Py_False;
5408	n/a	#endif
5409	n/a	Py_INCREF(r);
5410	n/a	PyModule_AddObject(m, "HAS_ALPN", r);
5411	n/a
5412	n/a	/* Mappings for error codes */
5413	n/a	err_codes_to_names = PyDict_New();
5414	n/a	err_names_to_codes = PyDict_New();
5415	n/a	if (err_codes_to_names == NULL \|\| err_names_to_codes == NULL)
5416	n/a	return NULL;
5417	n/a	errcode = error_codes;
5418	n/a	while (errcode->mnemonic != NULL) {
5419	n/a	PyObject mnemo, key;
5420	n/a	mnemo = PyUnicode_FromString(errcode->mnemonic);
5421	n/a	key = Py_BuildValue("ii", errcode->library, errcode->reason);
5422	n/a	if (mnemo == NULL \|\| key == NULL)
5423	n/a	return NULL;
5424	n/a	if (PyDict_SetItem(err_codes_to_names, key, mnemo))
5425	n/a	return NULL;
5426	n/a	if (PyDict_SetItem(err_names_to_codes, mnemo, key))
5427	n/a	return NULL;
5428	n/a	Py_DECREF(key);
5429	n/a	Py_DECREF(mnemo);
5430	n/a	errcode++;
5431	n/a	}
5432	n/a	if (PyModule_AddObject(m, "err_codes_to_names", err_codes_to_names))
5433	n/a	return NULL;
5434	n/a	if (PyModule_AddObject(m, "err_names_to_codes", err_names_to_codes))
5435	n/a	return NULL;
5436	n/a
5437	n/a	lib_codes_to_names = PyDict_New();
5438	n/a	if (lib_codes_to_names == NULL)
5439	n/a	return NULL;
5440	n/a	libcode = library_codes;
5441	n/a	while (libcode->library != NULL) {
5442	n/a	PyObject mnemo, key;
5443	n/a	key = PyLong_FromLong(libcode->code);
5444	n/a	mnemo = PyUnicode_FromString(libcode->library);
5445	n/a	if (key == NULL \|\| mnemo == NULL)
5446	n/a	return NULL;
5447	n/a	if (PyDict_SetItem(lib_codes_to_names, key, mnemo))
5448	n/a	return NULL;
5449	n/a	Py_DECREF(key);
5450	n/a	Py_DECREF(mnemo);
5451	n/a	libcode++;
5452	n/a	}
5453	n/a	if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names))
5454	n/a	return NULL;
5455	n/a
5456	n/a	/* OpenSSL version */
5457	n/a	/* SSLeay() gives us the version of the library linked against,
5458	n/a	which could be different from the headers version.
5459	n/a	*/
5460	n/a	libver = SSLeay();
5461	n/a	r = PyLong_FromUnsignedLong(libver);
5462	n/a	if (r == NULL)
5463	n/a	return NULL;
5464	n/a	if (PyModule_AddObject(m, "OPENSSL_VERSION_NUMBER", r))
5465	n/a	return NULL;
5466	n/a	parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
5467	n/a	r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
5468	n/a	if (r == NULL \|\| PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
5469	n/a	return NULL;
5470	n/a	r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
5471	n/a	if (r == NULL \|\| PyModule_AddObject(m, "OPENSSL_VERSION", r))
5472	n/a	return NULL;
5473	n/a
5474	n/a	libver = OPENSSL_VERSION_NUMBER;
5475	n/a	parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
5476	n/a	r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
5477	n/a	if (r == NULL \|\| PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
5478	n/a	return NULL;
5479	n/a
5480	n/a	return m;
5481	n/a	}