Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 416f4a1d5cfd3c76736ebd68f33c4f76af27568b^! / .
commit416f4a1d5cfd3c76736ebd68f33c4f76af27568b[log] [tgz]
authorFedor Brunner <fedor.brunner@azet.sk>Fri Mar 28 13:18:38 2014 +0100
committerFedor Brunner <fedor.brunner@azet.sk>Fri Mar 28 13:18:38 2014 +0100
tree40322a66f62148cc6d1f5cea8ed46db73390d202
parent5747b93d4c6eee7551fcff5e879c3e281f052036 [diff]
Added dependency for cryptography>=0.3.
Test split into multiple methods.
Added changelog entry.

If you use these methods to
implement TLS channel binding (RFC 5929) disable session
resumption because triple handshake attacks against TLS.
https://www.ietf.org/mail-archive/web/tls/current/msg11337.html
https://secure-resumption.com/tlsauth.pdf

diff --git a/ChangeLog b/ChangeLog
index 873c1c4..c37fa8a 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,3 +1,12 @@
+2014-03-28  Fedor Brunner  <fedor.brunner@azet.sk>
+
+	* OpenSSL/ssl.py: Add ``get_finished``, ``get_peer_finished``
+	  methods to ``Connection``. If you use these methods to
+	  implement TLS channel binding (RFC 5929) disable session
+	  resumption because triple handshake attacks against TLS.
+	  <https://www.ietf.org/mail-archive/web/tls/current/msg11337.html>
+	  <https://secure-resumption.com/tlsauth.pdf>
+
 2014-03-02  Stephen Holsapple  <sholsapp@gmail.com>
 
 	* OpenSSL/crypto.py: Add ``get_extensions`` method to ``X509Req``.

diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py
index e4d2d3b..41d764d 100644
--- a/OpenSSL/SSL.py
+++ b/OpenSSL/SSL.py

@@ -1421,7 +1421,10 @@
         """
         Obtain latest Finished message that we sent.
 
-        :return: A string representing the Finished message
+        :return: The Finished message or :py:obj:`None` if the TLS handshake
+            is not completed.
+        :rtype: :py:data:`bytes`
+
         """
         # The size of Finished message is 12 bytes in TLS,
         # 36 bytes in SSL protocol, but let's be safe with
@@ -1438,7 +1441,10 @@
         """
         Obtain latest Finished message that we expected from peer.
 
-        :return: A string representing the Finished message
+        :return: The Finished message or :py:obj:`None` if the TLS handshake
+            is not completed.
+        :rtype: :py:data:`bytes`
+
         """
         # Same buffer size as in get_finished
         bufsiz = 128

diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py
index 8861972..5af8d86 100644
--- a/OpenSSL/test/test_ssl.py
+++ b/OpenSSL/test/test_ssl.py

@@ -1932,25 +1932,61 @@
 
     # XXX want_read
 
-    def test_finished(self):
+    def test_get_finished_before_connect(self):
         """
-        :py:obj:`Connection.get_finished` and :py:obj:`Connection.get_peer_finished`
-        methods return the TLS Finished messages. Finished messages are send
-        during TLS handshake. Before handshake :py:obj:`Connection.get_finished` and
-        :py:obj:`Connection.get_peer_finished` return None.
+        :py:obj:`Connection.get_finished` returns  :py:obj:`None`
+            before TLS handshake is completed.
         """
 
         ctx = Context(TLSv1_METHOD)
         connection = Connection(ctx, None)
         self.assertEqual(connection.get_finished(), None)
+
+    def test_get_peer_finished_before_connect(self):
+        """
+        :py:obj:`Connection.get_peer_finished` returns  :py:obj:`None`
+            before TLS handshake is completed.
+        """
+
+        ctx = Context(TLSv1_METHOD)
+        connection = Connection(ctx, None)
         self.assertEqual(connection.get_peer_finished(), None)
 
+    def test_get_finished(self):
+        """
+        :py:obj:`Connection.get_finished` method returns the TLS Finished
+            message send from client, or server. Finished messages are send
+            during TLS handshake.
+        """
+
         server, client = self._loopback()
 
         self.assertNotEqual(server.get_finished(), None)
         self.assertTrue(len(server.get_finished()) > 0)
+
+    def test_get_peer_finished(self):
+        """
+        :py:obj:`Connection.get_peer_finished` method returns the TLS Finished
+            message received from client, or server. Finished messages are send
+            during TLS handshake.
+        """
+
+        server, client = self._loopback()
+
+        self.assertNotEqual(server.get_peer_finished(), None)
         self.assertTrue(len(server.get_peer_finished()) > 0)
 
+    def test_tls_finished_message_symmetry(self):
+        """
+        The TLS Finished message send by server muss be the TLS Finished message
+        received by client.
+
+        The TLS Finished message send by client muss be the TLS Finished message
+        received by server.
+        """
+
+        server, client = self._loopback()
+
         self.assertEqual(server.get_finished(), client.get_peer_finished())
         self.assertEqual(client.get_finished(), server.get_peer_finished())
 

diff --git a/doc/api/ssl.rst b/doc/api/ssl.rst
index b506757..df21a1d 100644
--- a/doc/api/ssl.rst
+++ b/doc/api/ssl.rst

@@ -765,6 +765,19 @@
 
     .. versionadded:: 0.14
 
+.. py:method:: Connection.get_finished()
+
+    Obtain latest TLS Finished message that we sent, or :py:obj:`None` if
+    handshake is not completed.
+
+    .. versionadded:: 0.15
+
+.. py:method:: Connection.get_peer_finished()
+
+    Obtain latest TLS Finished message that we expected from peer, or
+    :py:obj:`None` if handshake is not completed.
+
+    .. versionadded:: 0.15
 
 .. Rubric:: Footnotes
 

diff --git a/setup.py b/setup.py
index 058ad7b..f12714d 100755
--- a/setup.py
+++ b/setup.py

@@ -34,7 +34,7 @@
       maintainer_email = 'exarkun@twistedmatrix.com',
       url = 'https://github.com/pyca/pyopenssl',
       license = 'APL2',
-      install_requires=["cryptography>=0.2.1", "six>=1.5.2"],
+      install_requires=["cryptography>=0.3", "six>=1.5.2"],
       long_description = """\
 High-level wrapper around a subset of the OpenSSL library, includes
  * SSL.Connection objects, wrapping the methods of Python's portable