use.  Typically, the server chooses a particular protocol version, and the

   use.  Typically, the server chooses a particular protocol version, and the

   client must adapt to the server's choice.  Most of the versions are not

   client must adapt to the server's choice.  Most of the versions are not

   interoperable with the other versions.  If not specified, the default is

   interoperable with the other versions.  If not specified, the default is

   versions.

   versions.

   Here's a table showing which versions in a client (down the side) can connect

   Here's a table showing which versions in a client (down the side) can connect

     .. table::

     .. table::

       ========================  =========  =========  ==========  =========  ===========  ===========

       ========================  =========  =========  ==========  =========  ===========  ===========

       ------------------------  ---------  ---------  ----------  ---------  -----------  -----------

       ------------------------  ---------  ---------  ----------  ---------  -----------  -----------

        *SSLv2*                    yes        no         yes         no         no         no

        *SSLv2*                    yes        no         yes         no         no         no

        *SSLv3*                    no         yes        yes         no         no         no

        *SSLv3*                    no         yes        yes         no         no         no

        *TLSv1*                    no         no         yes         yes        no         no

        *TLSv1*                    no         no         yes         yes        no         no

        *TLSv1.1*                  no         no         yes         no         yes        no

        *TLSv1.1*                  no         no         yes         no         yes        no

        *TLSv1.2*                  no         no         yes         no         no         yes

        *TLSv1.2*                  no         no         yes         no         no         yes

   :const:`None`, this function can choose to trust the system's default

   :const:`None`, this function can choose to trust the system's default

   CA certificates instead.

   CA certificates instead.

   :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and

   :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and

   without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH`

   without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH`

   as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED`

   as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED`

   .. versionadded:: 3.3

   .. versionadded:: 3.3

.. function:: RAND_status()

.. function:: RAND_status()

   Return ``True`` if the SSL pseudo-random number generator has been seeded

   Return ``True`` if the SSL pseudo-random number generator has been seeded

   See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources

   See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources

   of entropy-gathering daemons.

   of entropy-gathering daemons.

.. function:: RAND_add(bytes, entropy)

.. function:: RAND_add(bytes, entropy)

   Mix the given *bytes* into the SSL pseudo-random number generator.  The

   Mix the given *bytes* into the SSL pseudo-random number generator.  The

     >>> time.ctime(ssl.cert_time_to_seconds("May  9 00:00:00 2007 GMT"))

     >>> time.ctime(ssl.cert_time_to_seconds("May  9 00:00:00 2007 GMT"))

     'Wed May  9 00:00:00 2007'

     'Wed May  9 00:00:00 2007'

   Given the address ``addr`` of an SSL-protected server, as a (*hostname*,

   Given the address ``addr`` of an SSL-protected server, as a (*hostname*,

   *port-number*) pair, fetches the server's certificate, and returns it as a

   *port-number*) pair, fetches the server's certificate, and returns it as a

   .. versionchanged:: 3.3

   .. versionchanged:: 3.3

      This function is now IPv6-compatible.

      This function is now IPv6-compatible.

.. function:: DER_cert_to_PEM_cert(DER_cert_bytes)

.. function:: DER_cert_to_PEM_cert(DER_cert_bytes)

   Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded

   Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded

   * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,

   * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,

   * :attr:`openssl_capath` - hard coded path to a capath directory

   * :attr:`openssl_capath` - hard coded path to a capath directory

   .. versionadded:: 3.4

   .. versionadded:: 3.4

.. function:: enum_certificates(store_name)

.. function:: enum_certificates(store_name)

   .. versionadded:: 3.4.4

   .. versionadded:: 3.4.4

   Selects the highest protocol version that both the client and server support.

   Selects the highest protocol version that both the client and server support.

   Despite the name, this option can select "TLS" protocols as well as "SSL".

   Despite the name, this option can select "TLS" protocols as well as "SSL".

.. data:: PROTOCOL_SSLv2

.. data:: PROTOCOL_SSLv2

   Selects SSL version 2 as the channel encryption protocol.

   Selects SSL version 2 as the channel encryption protocol.

      SSL version 2 is insecure.  Its use is highly discouraged.

      SSL version 2 is insecure.  Its use is highly discouraged.

.. data:: PROTOCOL_SSLv3

.. data:: PROTOCOL_SSLv3

   Selects SSL version 3 as the channel encryption protocol.

   Selects SSL version 3 as the channel encryption protocol.

      SSL version 3 is insecure.  Its use is highly discouraged.

      SSL version 3 is insecure.  Its use is highly discouraged.

.. data:: PROTOCOL_TLSv1

.. data:: PROTOCOL_TLSv1

   Selects TLS version 1.0 as the channel encryption protocol.

   Selects TLS version 1.0 as the channel encryption protocol.

.. data:: PROTOCOL_TLSv1_1

.. data:: PROTOCOL_TLSv1_1

   Selects TLS version 1.1 as the channel encryption protocol.

   Selects TLS version 1.1 as the channel encryption protocol.

   .. versionadded:: 3.4

   .. versionadded:: 3.4

.. data:: PROTOCOL_TLSv1_2

.. data:: PROTOCOL_TLSv1_2

   Selects TLS version 1.2 as the channel encryption protocol. This is the

   Selects TLS version 1.2 as the channel encryption protocol. This is the

   .. versionadded:: 3.4

   .. versionadded:: 3.4

.. data:: OP_ALL

.. data:: OP_ALL

   Enables workarounds for various bugs present in other SSL implementations.

   Enables workarounds for various bugs present in other SSL implementations.

.. data:: OP_NO_SSLv2

.. data:: OP_NO_SSLv2

   Prevents an SSLv2 connection.  This option is only applicable in

   Prevents an SSLv2 connection.  This option is only applicable in

   choosing SSLv2 as the protocol version.

   choosing SSLv2 as the protocol version.

   .. versionadded:: 3.2

   .. versionadded:: 3.2

.. data:: OP_NO_SSLv3

.. data:: OP_NO_SSLv3

   Prevents an SSLv3 connection.  This option is only applicable in

   Prevents an SSLv3 connection.  This option is only applicable in

   choosing SSLv3 as the protocol version.

   choosing SSLv3 as the protocol version.

   .. versionadded:: 3.2

   .. versionadded:: 3.2

.. data:: OP_NO_TLSv1

.. data:: OP_NO_TLSv1

   Prevents a TLSv1 connection.  This option is only applicable in

   Prevents a TLSv1 connection.  This option is only applicable in

   choosing TLSv1 as the protocol version.

   choosing TLSv1 as the protocol version.

   .. versionadded:: 3.2

   .. versionadded:: 3.2

.. data:: OP_NO_TLSv1_1

.. data:: OP_NO_TLSv1_1

   Prevents a TLSv1.1 connection. This option is only applicable in conjunction

   Prevents a TLSv1.1 connection. This option is only applicable in conjunction

   the protocol version. Available only with openssl version 1.0.1+.

   the protocol version. Available only with openssl version 1.0.1+.

   .. versionadded:: 3.4

   .. versionadded:: 3.4

.. data:: OP_NO_TLSv1_2

.. data:: OP_NO_TLSv1_2

   Prevents a TLSv1.2 connection. This option is only applicable in conjunction

   Prevents a TLSv1.2 connection. This option is only applicable in conjunction

   the protocol version. Available only with openssl version 1.0.1+.

   the protocol version. Available only with openssl version 1.0.1+.

   .. versionadded:: 3.4

   .. versionadded:: 3.4

It also manages a cache of SSL sessions for server-side sockets, in order

It also manages a cache of SSL sessions for server-side sockets, in order

to speed up repeated connections from the same clients.

to speed up repeated connections from the same clients.

   of the ``PROTOCOL_*`` constants defined in this module.

   of the ``PROTOCOL_*`` constants defined in this module.

   .. seealso::

   .. seealso::

      :func:`create_default_context` lets the :mod:`ssl` module choose

      :func:`create_default_context` lets the :mod:`ssl` module choose

      security settings for a given purpose.

      security settings for a given purpose.

:class:`SSLContext` objects have the following methods and attributes:

:class:`SSLContext` objects have the following methods and attributes:

a context from scratch (but beware that you might not get the settings

a context from scratch (but beware that you might not get the settings

right)::

right)::

   >>> context.verify_mode = ssl.CERT_REQUIRED

   >>> context.verify_mode = ssl.CERT_REQUIRED

   >>> context.check_hostname = True

   >>> context.check_hostname = True

   >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")

   >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")

SSL versions 2 and 3 are considered insecure and are therefore dangerous to

SSL versions 2 and 3 are considered insecure and are therefore dangerous to

use.  If you want maximum compatibility between clients and servers, it is

use.  If you want maximum compatibility between clients and servers, it is

disable SSLv2 and SSLv3 explicitly using the :data:`SSLContext.options`

disable SSLv2 and SSLv3 explicitly using the :data:`SSLContext.options`

attribute::

attribute::

   context.options |= ssl.OP_NO_SSLv2

   context.options |= ssl.OP_NO_SSLv2

   context.options |= ssl.OP_NO_SSLv3

   context.options |= ssl.OP_NO_SSLv3

supported by your system) connections.

supported by your system) connections.

Cipher selection

Cipher selection

PROTOCOL_SSLv2

PROTOCOL_SSLv2

PROTOCOL_SSLv3

PROTOCOL_SSLv3

PROTOCOL_SSLv23

PROTOCOL_SSLv23

PROTOCOL_TLSv1

PROTOCOL_TLSv1

PROTOCOL_TLSv1_1

PROTOCOL_TLSv1_1

PROTOCOL_TLSv1_2

PROTOCOL_TLSv1_2

import sys

import sys

import os

import os

from collections import namedtuple

from collections import namedtuple

import _ssl             # if we can't import it, let the error propagate

import _ssl             # if we can't import it, let the error propagate

from _ssl import _OPENSSL_API_VERSION

from _ssl import _OPENSSL_API_VERSION

try:

try:

    _SSLv2_IF_EXISTS = PROTOCOL_SSLv2

    _SSLv2_IF_EXISTS = PROTOCOL_SSLv2

    _SSLv2_IF_EXISTS = None

    _SSLv2_IF_EXISTS = None

if sys.platform == "win32":

if sys.platform == "win32":

    from _ssl import enum_certificates, enum_crls

    from _ssl import enum_certificates, enum_crls

    __slots__ = ('protocol', '__weakref__')

    __slots__ = ('protocol', '__weakref__')

    _windows_cert_stores = ("CA", "ROOT")

    _windows_cert_stores = ("CA", "ROOT")

        self = _SSLContext.__new__(cls, protocol)

        self = _SSLContext.__new__(cls, protocol)

        if protocol != _SSLv2_IF_EXISTS:

        if protocol != _SSLv2_IF_EXISTS:

            self.set_ciphers(_DEFAULT_CIPHERS)

            self.set_ciphers(_DEFAULT_CIPHERS)

        return self

        return self

        self.protocol = protocol

        self.protocol = protocol

    def wrap_socket(self, sock, server_side=False,

    def wrap_socket(self, sock, server_side=False,

    if not isinstance(purpose, _ASN1Object):

    if not isinstance(purpose, _ASN1Object):

        raise TypeError(purpose)

        raise TypeError(purpose)

    # SSLv2 considered harmful.

    # SSLv2 considered harmful.

    context.options |= OP_NO_SSLv2

    context.options |= OP_NO_SSLv2

        context.load_default_certs(purpose)

        context.load_default_certs(purpose)

    return context

    return context

                           check_hostname=False, purpose=Purpose.SERVER_AUTH,

                           check_hostname=False, purpose=Purpose.SERVER_AUTH,

                           certfile=None, keyfile=None,

                           certfile=None, keyfile=None,

                           cafile=None, capath=None, cadata=None):

                           cafile=None, capath=None, cadata=None):

    def __init__(self, sock=None, keyfile=None, certfile=None,

    def __init__(self, sock=None, keyfile=None, certfile=None,

                 server_side=False, cert_reqs=CERT_NONE,

                 server_side=False, cert_reqs=CERT_NONE,

                 do_handshake_on_connect=True,

                 do_handshake_on_connect=True,

                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,

                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,

                 suppress_ragged_eofs=True, npn_protocols=None, ciphers=None,

                 suppress_ragged_eofs=True, npn_protocols=None, ciphers=None,

def wrap_socket(sock, keyfile=None, certfile=None,

def wrap_socket(sock, keyfile=None, certfile=None,

                server_side=False, cert_reqs=CERT_NONE,

                server_side=False, cert_reqs=CERT_NONE,

                do_handshake_on_connect=True,

                do_handshake_on_connect=True,

                suppress_ragged_eofs=True,

                suppress_ragged_eofs=True,

                ciphers=None):

                ciphers=None):

    d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]

    d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]

    return base64.decodebytes(d.encode('ASCII', 'strict'))

    return base64.decodebytes(d.encode('ASCII', 'strict'))

    """Retrieve the certificate from the server at the specified address,

    """Retrieve the certificate from the server at the specified address,

    and return it as a PEM-encoded string.

    and return it as a PEM-encoded string.

    If 'ca_certs' is specified, validate the server cert against it.

    If 'ca_certs' is specified, validate the server cert against it.

PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)

PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)

HOST = support.HOST

HOST = support.HOST

def data_file(*name):

def data_file(*name):

    return os.path.join(os.path.dirname(__file__), *name)

    return os.path.join(os.path.dirname(__file__), *name)

        self.assertIn(ssl.HAS_SNI, {True, False})

        self.assertIn(ssl.HAS_SNI, {True, False})

        self.assertIn(ssl.HAS_ECDH, {True, False})

        self.assertIn(ssl.HAS_ECDH, {True, False})

    def test_random(self):

    def test_random(self):

        v = ssl.RAND_status()

        v = ssl.RAND_status()

        if support.verbose:

        if support.verbose:

        self.assertGreaterEqual(status, 0)

        self.assertGreaterEqual(status, 0)

        self.assertLessEqual(status, 15)

        self.assertLessEqual(status, 15)

        # Version string as returned by {Open,Libre}SSL, the format might change

        # Version string as returned by {Open,Libre}SSL, the format might change

        else:

        else:

            self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),

            self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),

                            (s, t))

                            (s, t))

    def test_constructor(self):

    def test_constructor(self):

        for protocol in PROTOCOLS:

        for protocol in PROTOCOLS:

            ssl.SSLContext(protocol)

            ssl.SSLContext(protocol)

        self.assertRaises(ValueError, ssl.SSLContext, -1)

        self.assertRaises(ValueError, ssl.SSLContext, -1)

        self.assertRaises(ValueError, ssl.SSLContext, 42)

        self.assertRaises(ValueError, ssl.SSLContext, 42)

    def test_options(self):

    def test_options(self):

        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value

        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value

        ctx.options |= ssl.OP_NO_TLSv1

        ctx.options |= ssl.OP_NO_TLSv1

        if can_clear_options():

        if can_clear_options():

            ctx.options = 0

            ctx.options = 0

            # Ubuntu has OP_NO_SSLv3 forced on by default

            # Ubuntu has OP_NO_SSLv3 forced on by default

            self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)

            self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)

        self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')

        self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')

    @unittest.skipIf(sys.platform == "win32", "not-Windows specific")

    @unittest.skipIf(sys.platform == "win32", "not-Windows specific")

    def test_load_default_certs_env(self):

    def test_load_default_certs_env(self):

        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

        with support.EnvironmentVarGuard() as env:

        with support.EnvironmentVarGuard() as env:

                self.assertIs(ss.context, ctx2)

                self.assertIs(ss.context, ctx2)

                self.assertIs(ss._sslobj.context, ctx2)

                self.assertIs(ss._sslobj.context, ctx2)

try:

try:

    import threading

    import threading

except ImportError:

except ImportError:

                        s.connect((HOST, server.port))

                        s.connect((HOST, server.port))

            self.assertIn("no shared cipher", str(server.conn_errors[0]))

            self.assertIn("no shared cipher", str(server.conn_errors[0]))

        @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")

        @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")

        def test_default_ecdh_curve(self):

        def test_default_ecdh_curve(self):

            # Issue #21015: elliptic curve-based Diffie Hellman key exchange

            # Issue #21015: elliptic curve-based Diffie Hellman key exchange

            self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')

            self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')

            self.assertIn("TypeError", stderr.getvalue())

            self.assertIn("TypeError", stderr.getvalue())

        def test_read_write_after_close_raises_valuerror(self):

        def test_read_write_after_close_raises_valuerror(self):

            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

            context.verify_mode = ssl.CERT_REQUIRED

            context.verify_mode = ssl.CERT_REQUIRED

/* EVP is the preferred interface to hashing in OpenSSL */

/* EVP is the preferred interface to hashing in OpenSSL */

#include <openssl/evp.h>

#include <openssl/evp.h>

/* We use the object interface to discover what hashes OpenSSL supports. */

/* We use the object interface to discover what hashes OpenSSL supports. */

#include <openssl/objects.h>

#include <openssl/objects.h>

#include "openssl/err.h"

#include "openssl/err.h"

#define HASH_OBJ_CONSTRUCTOR 0

#define HASH_OBJ_CONSTRUCTOR 0

#endif

#endif

#endif

#endif

typedef struct {

typedef struct {

    PyObject_HEAD

    PyObject_HEAD

    PyObject            *name;  /* name of this hash algorithm */

    PyObject            *name;  /* name of this hash algorithm */

#ifdef WITH_THREAD

#ifdef WITH_THREAD

    PyThread_type_lock   lock;  /* OpenSSL context lock */

    PyThread_type_lock   lock;  /* OpenSSL context lock */

#endif

#endif

#define DEFINE_CONSTS_FOR_NEW(Name)  \

#define DEFINE_CONSTS_FOR_NEW(Name)  \

    static PyObject *CONST_ ## Name ## _name_obj = NULL; \

    static PyObject *CONST_ ## Name ## _name_obj = NULL; \

    static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL;

    static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL;

DEFINE_CONSTS_FOR_NEW(md5)

DEFINE_CONSTS_FOR_NEW(md5)

#endif

#endif

static EVPobject *

static EVPobject *

newEVPobject(PyObject *name)

newEVPobject(PyObject *name)

{

{

    EVPobject *retval = (EVPobject *)PyObject_New(EVPobject, &EVPtype);

    EVPobject *retval = (EVPobject *)PyObject_New(EVPobject, &EVPtype);

    /* save the name for .name to return */

    /* save the name for .name to return */

#ifdef WITH_THREAD

#ifdef WITH_THREAD

#endif

#endif

    return retval;

    return retval;

}

}

            process = MUNCH_SIZE;

            process = MUNCH_SIZE;

        else

        else

            process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int);

            process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int);

        len -= process;

        len -= process;

        cp += process;

        cp += process;

    }

    }

    if (self->lock != NULL)

    if (self->lock != NULL)

        PyThread_free_lock(self->lock);

        PyThread_free_lock(self->lock);

#endif

#endif

    Py_XDECREF(self->name);

    Py_XDECREF(self->name);

    PyObject_Del(self);

    PyObject_Del(self);

}

}

{

{

    ENTER_HASHLIB(self);

    ENTER_HASHLIB(self);

    LEAVE_HASHLIB(self);

    LEAVE_HASHLIB(self);

}

}

/* External methods for a hash object */

/* External methods for a hash object */

    if ( (newobj = newEVPobject(self->name))==NULL)

    if ( (newobj = newEVPobject(self->name))==NULL)

        return NULL;

        return NULL;

    return (PyObject *)newobj;

    return (PyObject *)newobj;

}

}

EVP_digest(EVPobject *self, PyObject *unused)

EVP_digest(EVPobject *self, PyObject *unused)

{

{

    unsigned char digest[EVP_MAX_MD_SIZE];

    unsigned char digest[EVP_MAX_MD_SIZE];

    PyObject *retval;

    PyObject *retval;

    unsigned int digest_size;

    unsigned int digest_size;

    retval = PyBytes_FromStringAndSize((const char *)digest, digest_size);

    retval = PyBytes_FromStringAndSize((const char *)digest, digest_size);

    return retval;

    return retval;

}

}

EVP_hexdigest(EVPobject *self, PyObject *unused)

EVP_hexdigest(EVPobject *self, PyObject *unused)

{

{

    unsigned char digest[EVP_MAX_MD_SIZE];

    unsigned char digest[EVP_MAX_MD_SIZE];

    PyObject *retval;

    PyObject *retval;

    char *hex_digest;

    char *hex_digest;

    unsigned int i, j, digest_size;

    unsigned int i, j, digest_size;

    /* Get the raw (binary) digest value */

    /* Get the raw (binary) digest value */

    /* Allocate a new buffer */

    /* Allocate a new buffer */

    hex_digest = PyMem_Malloc(digest_size * 2 + 1);

    hex_digest = PyMem_Malloc(digest_size * 2 + 1);

EVP_get_block_size(EVPobject *self, void *closure)

EVP_get_block_size(EVPobject *self, void *closure)

{

{

    long block_size;

    long block_size;

    return PyLong_FromLong(block_size);

    return PyLong_FromLong(block_size);

}

}

EVP_get_digest_size(EVPobject *self, void *closure)

EVP_get_digest_size(EVPobject *self, void *closure)

{

{

    long size;

    long size;

    return PyLong_FromLong(size);

    return PyLong_FromLong(size);

}

}

            PyBuffer_Release(&view);

            PyBuffer_Release(&view);

        return -1;

        return -1;

    }

    }

    self->name = name_obj;

    self->name = name_obj;

    Py_INCREF(self->name);

    Py_INCREF(self->name);

        return NULL;

        return NULL;

    if (initial_ctx) {

    if (initial_ctx) {

    } else {

    } else {

    }

    }

    if (cp && len) {

    if (cp && len) {

#define PY_PBKDF2_HMAC 1

#define PY_PBKDF2_HMAC 1

/* Improved implementation of PKCS5_PBKDF2_HMAC()

/* Improved implementation of PKCS5_PBKDF2_HMAC()

 *

 *

 * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of

 * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of

    HMAC_CTX_cleanup(&hctx_tpl);

    HMAC_CTX_cleanup(&hctx_tpl);

    return 1;

    return 1;

}

}

PyDoc_STRVAR(pbkdf2_hmac__doc__,

PyDoc_STRVAR(pbkdf2_hmac__doc__,

"pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\

"pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\

    key = PyBytes_AS_STRING(key_obj);

    key = PyBytes_AS_STRING(key_obj);

    Py_BEGIN_ALLOW_THREADS

    Py_BEGIN_ALLOW_THREADS

    retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len,

    retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len,

                                    (unsigned char *)salt.buf, (int)salt.len,

                                    (unsigned char *)salt.buf, (int)salt.len,

                                    iterations, digest, dklen,

                                    iterations, digest, dklen,

                                    (unsigned char *)key);

                                    (unsigned char *)key);

    Py_END_ALLOW_THREADS

    Py_END_ALLOW_THREADS

    if (!retval) {

    if (!retval) {

    if (CONST_ ## NAME ## _name_obj == NULL) { \

    if (CONST_ ## NAME ## _name_obj == NULL) { \

        CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \

        CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \

        if (EVP_get_digestbyname(#NAME)) { \

        if (EVP_get_digestbyname(#NAME)) { \

            EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \

            EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \

        } \

        } \

    } \

    } \

#include <sys/poll.h>

#include <sys/poll.h>

#endif

#endif

/* Include OpenSSL header files */

/* Include OpenSSL header files */

#include "openssl/rsa.h"

#include "openssl/rsa.h"

#include "openssl/crypto.h"

#include "openssl/crypto.h"

/* Include generated data (error codes) */

/* Include generated data (error codes) */

#include "_ssl_data.h"

#include "_ssl_data.h"

/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1

/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1

    http://www.openssl.org/news/changelog.html

    http://www.openssl.org/news/changelog.html

 */

 */

# define HAVE_SNI 0

# define HAVE_SNI 0

#endif

#endif

enum py_ssl_error {

enum py_ssl_error {

    /* these mirror ssl.h */

    /* these mirror ssl.h */

    PY_SSL_ERROR_NONE,

    PY_SSL_ERROR_NONE,

enum py_ssl_version {

enum py_ssl_version {

    PY_SSL_VERSION_SSL2,

    PY_SSL_VERSION_SSL2,

    PY_SSL_VERSION_SSL3=1,

    PY_SSL_VERSION_SSL3=1,

#if HAVE_TLSv1_2

#if HAVE_TLSv1_2

    PY_SSL_VERSION_TLS1,

    PY_SSL_VERSION_TLS1,

    PY_SSL_VERSION_TLS1_1,

    PY_SSL_VERSION_TLS1_1,

    PySSL_BEGIN_ALLOW_THREADS

    PySSL_BEGIN_ALLOW_THREADS

    self->ssl = SSL_new(ctx);

    self->ssl = SSL_new(ctx);

    PySSL_END_ALLOW_THREADS

    PySSL_END_ALLOW_THREADS

    SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));

    SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));

    mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;

    mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;

#ifdef SSL_MODE_AUTO_RETRY

#ifdef SSL_MODE_AUTO_RETRY

        /* check to see if we've gotten to a new RDN */

        /* check to see if we've gotten to a new RDN */

        if (rdn_level >= 0) {

        if (rdn_level >= 0) {

                /* yes, new RDN */

                /* yes, new RDN */

                /* add old RDN to DN */

                /* add old RDN to DN */

                rdnt = PyList_AsTuple(rdn);

                rdnt = PyList_AsTuple(rdn);

                    goto fail0;

                    goto fail0;

            }

            }

        }

        }

        /* now add this attribute to the current RDN */

        /* now add this attribute to the current RDN */

        name = X509_NAME_ENTRY_get_object(entry);

        name = X509_NAME_ENTRY_get_object(entry);

            goto fail;

            goto fail;

        }

        }

        if (method->it)

        if (method->it)

            names = (GENERAL_NAMES*)

            names = (GENERAL_NAMES*)

              (ASN1_item_d2i(NULL,

              (ASN1_item_d2i(NULL,

                             &p,

                             &p,

                             ASN1_ITEM_ptr(method->it)));

                             ASN1_ITEM_ptr(method->it)));

        else

        else

            names = (GENERAL_NAMES*)

            names = (GENERAL_NAMES*)

              (method->d2i(NULL,

              (method->d2i(NULL,

                           &p,

                           &p,

        for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {

        for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {

            /* get a rendering of each name in the set of names */

            /* get a rendering of each name in the set of names */

    int i, j;

    int i, j;

    PyObject *lst, *res = NULL;

    PyObject *lst, *res = NULL;

    /* Calls x509v3_cache_extensions and sets up crldp */

    /* Calls x509v3_cache_extensions and sets up crldp */

    X509_check_ca(certificate);

    X509_check_ca(certificate);

#endif

#endif

    if (dps == NULL)

    if (dps == NULL)

        return Py_None;

        return Py_None;

    return NULL;

    return NULL;

}

}

#ifdef OPENSSL_NPN_NEGOTIATED

#ifdef OPENSSL_NPN_NEGOTIATED

static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {

static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {

    const unsigned char *out;

    const unsigned char *out;

    if (self->ssl == NULL)

    if (self->ssl == NULL)

        Py_RETURN_NONE;

        Py_RETURN_NONE;

    comp_method = SSL_get_current_compression(self->ssl);

    comp_method = SSL_get_current_compression(self->ssl);

        Py_RETURN_NONE;

        Py_RETURN_NONE;

    if (short_name == NULL)

    if (short_name == NULL)

        Py_RETURN_NONE;

        Py_RETURN_NONE;

    return PyUnicode_DecodeFSDefault(short_name);

    return PyUnicode_DecodeFSDefault(short_name);

{

{

    char *kwlist[] = {"protocol", NULL};

    char *kwlist[] = {"protocol", NULL};

    PySSLContext *self;

    PySSLContext *self;

    long options;

    long options;

    SSL_CTX *ctx = NULL;

    SSL_CTX *ctx = NULL;

    else if (proto_version == PY_SSL_VERSION_SSL2)

    else if (proto_version == PY_SSL_VERSION_SSL2)

        ctx = SSL_CTX_new(SSLv2_method());

        ctx = SSL_CTX_new(SSLv2_method());

#endif

#endif

    else

    else

        proto_version = -1;

        proto_version = -1;

    PySSL_END_ALLOW_THREADS

    PySSL_END_ALLOW_THREADS

#ifndef OPENSSL_NO_ECDH

#ifndef OPENSSL_NO_ECDH

    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use

    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use

       prime256v1 by default.  This is Apache mod_ssl's initialization

       prime256v1 by default.  This is Apache mod_ssl's initialization

    SSL_CTX_set_ecdh_auto(self->ctx, 1);

    SSL_CTX_set_ecdh_auto(self->ctx, 1);

#else

#else

    {

    {

get_verify_flags(PySSLContext *self, void *c)

get_verify_flags(PySSLContext *self, void *c)

{

{

    X509_STORE *store;

    X509_STORE *store;

    unsigned long flags;

    unsigned long flags;

    store = SSL_CTX_get_cert_store(self->ctx);

    store = SSL_CTX_get_cert_store(self->ctx);

    return PyLong_FromUnsignedLong(flags);

    return PyLong_FromUnsignedLong(flags);

}

}

set_verify_flags(PySSLContext *self, PyObject *arg, void *c)

set_verify_flags(PySSLContext *self, PyObject *arg, void *c)

{

{

    X509_STORE *store;

    X509_STORE *store;

    unsigned long new_flags, flags, set, clear;

    unsigned long new_flags, flags, set, clear;

    if (!PyArg_Parse(arg, "k", &new_flags))

    if (!PyArg_Parse(arg, "k", &new_flags))

        return -1;

        return -1;

    store = SSL_CTX_get_cert_store(self->ctx);

    store = SSL_CTX_get_cert_store(self->ctx);

    clear = flags & ~new_flags;

    clear = flags & ~new_flags;

    set = ~flags & new_flags;

    set = ~flags & new_flags;

    if (clear) {

    if (clear) {

            _setSSLError(NULL, 0, __FILE__, __LINE__);

            _setSSLError(NULL, 0, __FILE__, __LINE__);

            return -1;

            return -1;

        }

        }

    }

    }

    if (set) {

    if (set) {

            _setSSLError(NULL, 0, __FILE__, __LINE__);

            _setSSLError(NULL, 0, __FILE__, __LINE__);

            return -1;

            return -1;

        }

        }

    char *kwlist[] = {"certfile", "keyfile", "password", NULL};

    char *kwlist[] = {"certfile", "keyfile", "password", NULL};

    PyObject *certfile, *keyfile = NULL, *password = NULL;

    PyObject *certfile, *keyfile = NULL, *password = NULL;

    PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;

    PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;

    _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };

    _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };

    int r;

    int r;

            cert = d2i_X509_bio(biobuf, NULL);

            cert = d2i_X509_bio(biobuf, NULL);

        } else {

        } else {

            cert = PEM_read_bio_X509(biobuf, NULL,

            cert = PEM_read_bio_X509(biobuf, NULL,

        }

        }

        if (cert == NULL) {

        if (cert == NULL) {

            break;

            break;

cert_store_stats(PySSLContext *self)

cert_store_stats(PySSLContext *self)

{

{

    X509_STORE *store;

    X509_STORE *store;

    X509_OBJECT *obj;

    X509_OBJECT *obj;

    store = SSL_CTX_get_cert_store(self->ctx);

    store = SSL_CTX_get_cert_store(self->ctx);

            case X509_LU_X509:

            case X509_LU_X509:

                x509++;

                x509++;

                    ca++;

                    ca++;

                }

                }

                break;

                break;

            case X509_LU_CRL:

            case X509_LU_CRL:

                crl++;

                crl++;

                break;

                break;

            default:

            default:

                /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.

                /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.

                 * As far as I can tell they are internal states and never

                 * As far as I can tell they are internal states and never

{

{

    char *kwlist[] = {"binary_form", NULL};

    char *kwlist[] = {"binary_form", NULL};

    X509_STORE *store;

    X509_STORE *store;

    PyObject *ci = NULL, *rlist = NULL;

    PyObject *ci = NULL, *rlist = NULL;

    int i;

    int i;

    int binary_mode = 0;

    int binary_mode = 0;

    }

    }

    store = SSL_CTX_get_cert_store(self->ctx);

    store = SSL_CTX_get_cert_store(self->ctx);

        X509_OBJECT *obj;

        X509_OBJECT *obj;

        X509 *cert;

        X509 *cert;

            /* not a x509 cert */

            /* not a x509 cert */

            continue;

            continue;

        }

        }

        /* CA for any purpose */

        /* CA for any purpose */

        if (!X509_check_ca(cert)) {

        if (!X509_check_ca(cert)) {

            continue;

            continue;

        }

        }

};

};

/* an implementation of OpenSSL threading operations in terms

/* an implementation of OpenSSL threading operations in terms

static PyThread_type_lock *_ssl_locks = NULL;

static PyThread_type_lock *_ssl_locks = NULL;

    return 1;

    return 1;

}

}

PyDoc_STRVAR(module_doc,

PyDoc_STRVAR(module_doc,

"Implementation module for SSL socket operations.  See the socket module\n\

"Implementation module for SSL socket operations.  See the socket module\n\

    SSL_load_error_strings();

    SSL_load_error_strings();

    SSL_library_init();

    SSL_library_init();

#ifdef WITH_THREAD

#ifdef WITH_THREAD

    /* note that this will start threading if not already started */

    /* note that this will start threading if not already started */

    if (!_setup_ssl_threads()) {

    if (!_setup_ssl_threads()) {

        return NULL;

        return NULL;

    }

    }

#endif

#endif

    OpenSSL_add_all_algorithms();

    OpenSSL_add_all_algorithms();

    /* Add symbols to module dict */

    /* Add symbols to module dict */

                            PY_SSL_VERSION_SSL3);

                            PY_SSL_VERSION_SSL3);

#endif

#endif

    PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",

    PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",

    PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",

    PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",

                            PY_SSL_VERSION_TLS1);

                            PY_SSL_VERSION_TLS1);

#if HAVE_TLSv1_2

#if HAVE_TLSv1_2