Blame - src/OpenSSL/SSL.py - platform/external/python/pyopenssl

2015-08-17 19:27:20 +0200

[diff] [blame]

1

import socket

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2

from sys import platform

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

3

from functools import wraps, partial

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

4

from itertools import count, chain

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

5

from weakref import WeakValueDictionary

6

from errno import errorcode

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

7

Cory Benfield

63759dc

2015-04-12 08:57:03 -0400

[diff] [blame]

8

from six import binary_type as _binary_type

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

9

from six import integer_types as integer_types

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

10

from six import int2byte, indexbytes

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

11

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

12

from OpenSSL._util import (

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

13

UNSPECIFIED as _UNSPECIFIED,

14

exception_from_error_queue as _exception_from_error_queue,

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

15

ffi as _ffi,

16

lib as _lib,

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

17

make_assert as _make_assert,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

18

native as _native,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

19

path_string as _path_string,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

20

text_to_bytes_and_warn as _text_to_bytes_and_warn,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

21

)

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

22

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

23

from OpenSSL.crypto import (

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

24

FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

25

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

26

try:

27

_memoryview = memoryview

28

except NameError:

29

class _memoryview(object):

30

pass

31

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

try:

_buffer = buffer

except NameError:

class _buffer(object):

36

pass

37

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

38

OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER

39

SSLEAY_VERSION = _lib.SSLEAY_VERSION

40

SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS

41

SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM

42

SSLEAY_DIR = _lib.SSLEAY_DIR

43

SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

44

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

45

SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN

46

RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

SSLv2_METHOD = 1

SSLv3_METHOD = 2

SSLv23_METHOD = 3

TLSv1_METHOD = 4

Jean-Paul Calderone

56bff94

2013-11-03 11:30:43 -0500

[diff] [blame]

52

TLSv1_1_METHOD = 5

53

TLSv1_2_METHOD = 6

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

54

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

55

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2

56

OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3

57

OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

58

59

OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)

60

OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

61

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

62

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

63

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

64

OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE

Akihiro Yamazaki

e64d80c

2015-09-06 00:16:57 +0900

[diff] [blame]

65

OP_SINGLE_ECDH_USE = _lib.SSL_OP_SINGLE_ECDH_USE

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

66

OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA

67

OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG

68

OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

69

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = (

70

_lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

71

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

72

OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

73

OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

Jean-Paul Calderone

0d7e8a1

2014-01-08 16:54:13 -0500

[diff] [blame]

74

try:

75

OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING

76

except AttributeError:

77

pass

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

78

OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG

79

OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG

80

OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG

81

OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

82

OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE

83

OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG

84

OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1

85

OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2

86

OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

87

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = (

88

_lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

89

)

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

90

OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

91

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

92

OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU

93

OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE

Arturo Filastò

5f8c7a8

2014-03-09 20:01:25 +0100

[diff] [blame]

94

try:

95

OP_NO_TICKET = _lib.SSL_OP_NO_TICKET

96

except AttributeError:

97

pass

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

98

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

99

OP_ALL = _lib.SSL_OP_ALL

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

100

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

101

VERIFY_PEER = _lib.SSL_VERIFY_PEER

102

VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

103

VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE

104

VERIFY_NONE = _lib.SSL_VERIFY_NONE

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

105

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

106

SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF

107

SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT

108

SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER

109

SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH

110

SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR

111

SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

112

SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE

113

SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

d39a3f6

2013-03-04 12:23:51 -0800

[diff] [blame]

114

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

115

SSL_ST_CONNECT = _lib.SSL_ST_CONNECT

116

SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT

117

SSL_ST_MASK = _lib.SSL_ST_MASK

118

SSL_ST_INIT = _lib.SSL_ST_INIT

119

SSL_ST_BEFORE = _lib.SSL_ST_BEFORE

120

SSL_ST_OK = _lib.SSL_ST_OK

121

SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

122

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

123

SSL_CB_LOOP = _lib.SSL_CB_LOOP

124

SSL_CB_EXIT = _lib.SSL_CB_EXIT

125

SSL_CB_READ = _lib.SSL_CB_READ

126

SSL_CB_WRITE = _lib.SSL_CB_WRITE

127

SSL_CB_ALERT = _lib.SSL_CB_ALERT

128

SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT

129

SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT

130

SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP

131

SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT

132

SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP

133

SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT

134

SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START

135

SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

136

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

137

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

138

class Error(Exception):

Jean-Paul Calderone

511cde0

2013-12-29 10:31:13 -0500

[diff] [blame]

139

"""

140

An error occurred in an `OpenSSL.SSL` API.

141

"""

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

142

143

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

144

_raise_current_error = partial(_exception_from_error_queue, Error)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

145

_openssl_assert = _make_assert(Error)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

146

147

148

class WantReadError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

152

class WantWriteError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

156

class WantX509LookupError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

160

class ZeroReturnError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

164

class SysCallError(Error):

pass

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

168

class _CallbackExceptionHelper(object):

169

"""

170

A base class for wrapper classes that allow for intelligent exception

171

handling in OpenSSL callbacks.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

172

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

173

:ivar list _problems: Any exceptions that occurred while executing in a

174

context where they could not be raised in the normal way. Typically

175

this is because OpenSSL has called into some Python code and requires a

176

return value. The exceptions are saved to be raised later when it is

177

possible to do so.

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

178

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

179

Jean-Paul Calderone

09540d7

2015-03-22 19:37:20 -0400

[diff] [blame]

180

def __init__(self):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

181

self._problems = []

182

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

183

def raise_if_problem(self):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

184

"""

185

Raise an exception from the OpenSSL error queue or that was previously

186

captured whe running a callback.

187

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

188

if self._problems:

189

try:

190

_raise_current_error()

191

except Error:

192

pass

193

raise self._problems.pop(0)

194

195

196

class _VerifyHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

197

"""

198

Wrap a callback such that it can be used as a certificate verification

199

callback.

200

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

201

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

202

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

203

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

204

205

@wraps(callback)

206

def wrapper(ok, store_ctx):

207

cert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

208

cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)

209

error_number = _lib.X509_STORE_CTX_get_error(store_ctx)

210

error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

211

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

212

index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()

213

ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)

214

connection = Connection._reverse_mapping[ssl]

215

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

216

try:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

217

result = callback(

218

connection, cert, error_number, error_depth, ok

219

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

220

except Exception as e:

221

self._problems.append(e)

222

return 0

223

else:

224

if result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

225

_lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

return 1

else:

return 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

230

self.callback = _ffi.callback(

231

"int (*)(int, X509_STORE_CTX *)", wrapper)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

232

233

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

234

class _NpnAdvertiseHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

235

"""

236

Wrap a callback such that it can be used as an NPN advertisement callback.

237

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

238

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

239

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

240

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

241

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

242

@wraps(callback)

243

def wrapper(ssl, out, outlen, arg):

244

try:

245

conn = Connection._reverse_mapping[ssl]

246

protos = callback(conn)

247

248

# Join the protocols into a Python bytestring, length-prefixing

249

# each element.

250

protostr = b''.join(

251

chain.from_iterable((int2byte(len(p)), p) for p in protos)

252

)

253

254

# Save our callback arguments on the connection object. This is

255

# done to make sure that they don't get freed before OpenSSL

256

# uses them. Then, return them appropriately in the output

257

# parameters.

258

conn._npn_advertise_callback_args = [

259

_ffi.new("unsigned int *", len(protostr)),

260

_ffi.new("unsigned char[]", protostr),

261

]

262

outlen[0] = conn._npn_advertise_callback_args[0][0]

263

out[0] = conn._npn_advertise_callback_args[1]

264

return 0

265

except Exception as e:

266

self._problems.append(e)

267

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

268

269

self.callback = _ffi.callback(

270

"int (*)(SSL *, const unsigned char **, unsigned int *, void *)",

wrapper

)

class _NpnSelectHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

276

"""

277

Wrap a callback such that it can be used as an NPN selection callback.

278

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

279

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

280

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

281

_CallbackExceptionHelper.__init__(self)

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

282

283

@wraps(callback)

284

def wrapper(ssl, out, outlen, in_, inlen, arg):

285

try:

286

conn = Connection._reverse_mapping[ssl]

287

288

# The string passed to us is actually made up of multiple

289

# length-prefixed bytestrings. We need to split that into a

290

# list.

291

instr = _ffi.buffer(in_, inlen)[:]

292

protolist = []

293

while instr:

294

l = indexbytes(instr, 0)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

295

proto = instr[1:l + 1]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

296

protolist.append(proto)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

297

instr = instr[l + 1:]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

298

299

# Call the callback

300

outstr = callback(conn, protolist)

301

302

# Save our callback arguments on the connection object. This is

303

# done to make sure that they don't get freed before OpenSSL

304

# uses them. Then, return them appropriately in the output

305

# parameters.

306

conn._npn_select_callback_args = [

307

_ffi.new("unsigned char *", len(outstr)),

308

_ffi.new("unsigned char[]", outstr),

309

]

310

outlen[0] = conn._npn_select_callback_args[0][0]

311

out[0] = conn._npn_select_callback_args[1]

312

return 0

313

except Exception as e:

314

self._problems.append(e)

315

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

316

317

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

318

("int (*)(SSL *, unsigned char **, unsigned char *, "

319

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

320

wrapper

321

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

322

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

323

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

324

class _ALPNSelectHelper(_CallbackExceptionHelper):

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

325

"""

326

Wrap a callback such that it can be used as an ALPN selection callback.

327

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

328

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

329

def __init__(self, callback):

330

_CallbackExceptionHelper.__init__(self)

331

332

@wraps(callback)

333

def wrapper(ssl, out, outlen, in_, inlen, arg):

334

try:

335

conn = Connection._reverse_mapping[ssl]

336

337

# The string passed to us is made up of multiple

338

# length-prefixed bytestrings. We need to split that into a

339

# list.

340

instr = _ffi.buffer(in_, inlen)[:]

341

protolist = []

342

while instr:

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

343

encoded_len = indexbytes(instr, 0)

344

proto = instr[1:encoded_len + 1]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

345

protolist.append(proto)

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

346

instr = instr[encoded_len + 1:]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

347

348

# Call the callback

349

outstr = callback(conn, protolist)

350

351

if not isinstance(outstr, _binary_type):

352

raise TypeError("ALPN callback must return a bytestring.")

353

354

# Save our callback arguments on the connection object to make

355

# sure that they don't get freed before OpenSSL can use them.

356

# Then, return them in the appropriate output parameters.

357

conn._alpn_select_callback_args = [

358

_ffi.new("unsigned char *", len(outstr)),

359

_ffi.new("unsigned char[]", outstr),

360

]

361

outlen[0] = conn._alpn_select_callback_args[0][0]

362

out[0] = conn._alpn_select_callback_args[1]

363

return 0

364

except Exception as e:

365

self._problems.append(e)

366

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

367

368

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

369

("int (*)(SSL *, unsigned char **, unsigned char *, "

370

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

wrapper

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

375

def _asFileDescriptor(obj):

376

fd = None

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

377

if not isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

378

meth = getattr(obj, "fileno", None)

379

if meth is not None:

380

obj = meth()

381

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

382

if isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

383

fd = obj

384

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

385

if not isinstance(fd, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

386

raise TypeError("argument must be an int, or have a fileno() method.")

387

elif fd < 0:

388

raise ValueError(

389

"file descriptor cannot be a negative integer (%i)" % (fd,))

return fd

Jean-Paul Calderone

2013-03-04 12:23:51 -0800

[diff] [blame]

394

def SSLeay_version(type):

395

"""

396

Return a string describing the version of OpenSSL in use.

397

398

:param type: One of the SSLEAY_ constants defined in this module.

399

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

400

return _ffi.string(_lib.SSLeay_version(type))

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

401

402

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

403

def _make_requires(flag, error):

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

404

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

405

Builds a decorator that ensures that functions that rely on OpenSSL

406

functions that are not present in this build raise NotImplementedError,

407

rather than AttributeError coming out of cryptography.

408

409

:param flag: A cryptography flag that guards the functions, e.g.

410

``Cryptography_HAS_NEXTPROTONEG``.

411

:param error: The string to be used in the exception if the flag is false.

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

412

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

413

def _requires_decorator(func):

414

if not flag:

415

@wraps(func)

416

def explode(*args, **kwargs):

417

raise NotImplementedError(error)

418

return explode

419

else:

420

return func

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

421

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

422

return _requires_decorator

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

423

424

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

425

_requires_npn = _make_requires(

426

_lib.Cryptography_HAS_NEXTPROTONEG, "NPN not available"

427

)

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

428

429

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

430

_requires_alpn = _make_requires(

431

_lib.Cryptography_HAS_ALPN, "ALPN not available"

432

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

433

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

434

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

435

_requires_sni = _make_requires(

436

_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"

437

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

438

439

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

440

class Session(object):

pass

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

444

class Context(object):

445

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

446

:class:`OpenSSL.SSL.Context` instances define the parameters for setting

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

447

up new SSL connections.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

448

"""

449

_methods = {

Andrew Dunham

ec84a0a

2014-02-24 12:41:37 -0800

[diff] [blame]

450

SSLv2_METHOD: "SSLv2_method",

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

451

SSLv3_METHOD: "SSLv3_method",

452

SSLv23_METHOD: "SSLv23_method",

453

TLSv1_METHOD: "TLSv1_method",

454

TLSv1_1_METHOD: "TLSv1_1_method",

455

TLSv1_2_METHOD: "TLSv1_2_method",

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

456

}

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

457

_methods = dict(

458

(identifier, getattr(_lib, name))

459

for (identifier, name) in _methods.items()

460

if getattr(_lib, name, None) is not None)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

461

462

def __init__(self, method):

463

"""

464

:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or

465

TLSv1_METHOD.

466

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

467

if not isinstance(method, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

468

raise TypeError("method must be an integer")

469

470

try:

471

method_func = self._methods[method]

472

except KeyError:

473

raise ValueError("No such protocol")

474

475

method_obj = method_func()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

476

_openssl_assert(method_obj != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

477

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

478

context = _lib.SSL_CTX_new(method_obj)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

479

_openssl_assert(context != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

480

context = _ffi.gc(context, _lib.SSL_CTX_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

481

482

self._context = context

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

483

self._passphrase_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

484

self._passphrase_callback = None

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

485

self._passphrase_userdata = None

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

486

self._verify_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

487

self._verify_callback = None

488

self._info_callback = None

489

self._tlsext_servername_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

490

self._app_data = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

491

self._npn_advertise_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

492

self._npn_advertise_callback = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

493

self._npn_select_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

494

self._npn_select_callback = None

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

495

self._alpn_select_helper = None

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

496

self._alpn_select_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

497

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

498

# SSL_CTX_set_app_data(self->ctx, self);

499

# SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |

500

# SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

501

# SSL_MODE_AUTO_RETRY);

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

502

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

503

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

504

def load_verify_locations(self, cafile, capath=None):

505

"""

506

Let SSL know where we can find trusted certificates for the certificate

507

chain

508

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

509

:param cafile: In which file we can find the certificates (``bytes`` or

510

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

511

:param capath: In which directory we can find the certificates

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

512

(``bytes`` or ``unicode``).

513

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

514

:return: None

515

"""

516

if cafile is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

517

cafile = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

518

else:

519

cafile = _path_string(cafile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

520

521

if capath is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

522

capath = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

523

else:

524

capath = _path_string(capath)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

525

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

526

load_result = _lib.SSL_CTX_load_verify_locations(

527

self._context, cafile, capath

528

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

529

if not load_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

530

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

531

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

532

def _wrap_callback(self, callback):

533

@wraps(callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

534

def wrapper(size, verify, userdata):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

535

return callback(size, verify, self._passphrase_userdata)

536

return _PassphraseHelper(

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

537

FILETYPE_PEM, wrapper, more_args=True, truncate=True)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

538

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

539

def set_passwd_cb(self, callback, userdata=None):

540

"""

541

Set the passphrase callback

542

543

:param callback: The Python callback to use

544

:param userdata: (optional) A Python object which will be given as

545

argument to the callback

546

:return: None

547

"""

548

if not callable(callback):

549

raise TypeError("callback must be callable")

550

551

self._passphrase_helper = self._wrap_callback(callback)

552

self._passphrase_callback = self._passphrase_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

553

_lib.SSL_CTX_set_default_passwd_cb(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

554

self._context, self._passphrase_callback)

555

self._passphrase_userdata = userdata

556

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

557

def set_default_verify_paths(self):

558

"""

559

Use the platform-specific CA certificate locations

560

561

:return: None

562

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

563

set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame^]

564

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

565

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

566

def use_certificate_chain_file(self, certfile):

567

"""

568

Load a certificate chain from a file

569

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

570

:param certfile: The name of the certificate chain file (``bytes`` or

571

``unicode``).

572

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

573

:return: None

574

"""

Jean-Paul Calderone

aac43a3

2015-04-12 09:51:21 -0400

[diff] [blame]

575

certfile = _path_string(certfile)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

576

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

577

result = _lib.SSL_CTX_use_certificate_chain_file(

578

self._context, certfile

579

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

580

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

581

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

582

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

583

def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

584

"""

585

Load a certificate from a file

586

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

587

:param certfile: The name of the certificate file (``bytes`` or

588

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

589

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

590

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

591

:return: None

592

"""

Jean-Paul Calderone

d57a7b6

2015-04-12 09:57:36 -0400

[diff] [blame]

593

certfile = _path_string(certfile)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

594

if not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

raise TypeError("filetype must be an integer")

596

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

597

use_result = _lib.SSL_CTX_use_certificate_file(

598

self._context, certfile, filetype

599

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

600

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

601

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

602

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

603

def use_certificate(self, cert):

604

"""

605

Load a certificate from a X509 object

606

607

:param cert: The X509 object

608

:return: None

609

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

610

if not isinstance(cert, X509):

611

raise TypeError("cert must be an X509 instance")

612

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

613

use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

614

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

615

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

616

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

617

def add_extra_chain_cert(self, certobj):

618

"""

619

Add certificate to chain

620

621

:param certobj: The X509 certificate object to add to the chain

622

:return: None

623

"""

624

if not isinstance(certobj, X509):

625

raise TypeError("certobj must be an X509 instance")

626

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

627

copy = _lib.X509_dup(certobj._x509)

628

add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

629

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

630

# TODO: This is untested.

631

_lib.X509_free(copy)

632

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

633

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

634

def _raise_passphrase_exception(self):

635

if self._passphrase_helper is None:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

636

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

637

exception = self._passphrase_helper.raise_if_problem(Error)

638

if exception is not None:

639

raise exception

640

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

641

def use_privatekey_file(self, keyfile, filetype=_UNSPECIFIED):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

642

"""

643

Load a private key from a file

644

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

645

:param keyfile: The name of the key file (``bytes`` or ``unicode``)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

646

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

647

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

648

:return: None

649

"""

Jean-Paul Calderone

69a4e5b

2015-04-12 10:04:28 -0400

[diff] [blame]

650

keyfile = _path_string(keyfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

651

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

652

if filetype is _UNSPECIFIED:

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

653

filetype = FILETYPE_PEM

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

654

elif not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

655

raise TypeError("filetype must be an integer")

656

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

657

use_result = _lib.SSL_CTX_use_PrivateKey_file(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

658

self._context, keyfile, filetype)

659

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

660

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

661

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

662

def use_privatekey(self, pkey):

663

"""

664

Load a private key from a PKey object

665

666

:param pkey: The PKey object

667

:return: None

668

"""

669

if not isinstance(pkey, PKey):

670

raise TypeError("pkey must be a PKey instance")

671

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

672

use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

673

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

674

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

675

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

676

def check_privatekey(self):

677

"""

678

Check that the private key and certificate match up

679

680

:return: None (raises an exception if something's wrong)

681

"""

Jean-Paul Calderone

a034492

2014-12-11 14:02:31 -0500

[diff] [blame]

682

if not _lib.SSL_CTX_check_private_key(self._context):

683

_raise_current_error()

684

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

685

def load_client_ca(self, cafile):

686

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

687

Load the trusted certificates that will be sent to the client. Does

688

not actually imply any of the certificates are trusted; that must be

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

689

configured separately.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

690

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

691

:param bytes cafile: The path to a certificates file in PEM format.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

692

:return: None

693

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

694

ca_list = _lib.SSL_load_client_CA_file(

695

_text_to_bytes_and_warn("cafile", cafile)

696

)

697

_openssl_assert(ca_list != _ffi.NULL)

698

# SSL_CTX_set_client_CA_list doesn't return anything.

699

_lib.SSL_CTX_set_client_CA_list(self._context, ca_list)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

700

701

def set_session_id(self, buf):

702

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

703

Set the session id to *buf* within which a session can be reused for

704

this Context object. This is needed when doing session resumption,

705

because there is no way for a stored session to know which Context

706

object it is associated with.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

707

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

708

:param bytes buf: The session id.

709

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

710

:returns: None

711

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

712

buf = _text_to_bytes_and_warn("buf", buf)

713

_openssl_assert(

714

_lib.SSL_CTX_set_session_id_context(

self._context,

buf,

len(buf),

) == 1

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

720

721

def set_session_cache_mode(self, mode):

722

"""

723

Enable/disable session caching and specify the mode used.

724

725

:param mode: One or more of the SESS_CACHE_* flags (combine using

726

bitwise or)

727

:returns: The previously set caching mode.

728

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

729

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

730

raise TypeError("mode must be an integer")

731

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

732

return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

733

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

734

def get_session_cache_mode(self):

735

"""

736

:returns: The currently used cache mode.

737

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

738

return _lib.SSL_CTX_get_session_cache_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

739

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

740

def set_verify(self, mode, callback):

741

"""

742

Set the verify mode and verify callback

743

744

:param mode: The verify mode, this is either VERIFY_NONE or

745

VERIFY_PEER combined with possible other flags

746

:param callback: The Python callback to use

747

:return: None

748

749

See SSL_CTX_set_verify(3SSL) for further details.

750

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

751

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

752

raise TypeError("mode must be an integer")

753

754

if not callable(callback):

755

raise TypeError("callback must be callable")

756

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

757

self._verify_helper = _VerifyHelper(callback)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

758

self._verify_callback = self._verify_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

759

_lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

760

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

761

def set_verify_depth(self, depth):

"""

Set the verify depth

:param depth: An integer specifying the verify depth

766

:return: None

767

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

768

if not isinstance(depth, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

769

raise TypeError("depth must be an integer")

770

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

771

_lib.SSL_CTX_set_verify_depth(self._context, depth)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

772

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

773

def get_verify_mode(self):

"""

Get the verify mode

:return: The verify mode

778

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

779

return _lib.SSL_CTX_get_verify_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

780

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

781

def get_verify_depth(self):

"""

Get the verify depth

:return: The verify depth

786

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

787

return _lib.SSL_CTX_get_verify_depth(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

788

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

789

def load_tmp_dh(self, dhfile):

790

"""

791

Load parameters for Ephemeral Diffie-Hellman

792

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

793

:param dhfile: The file to load EDH parameters from (``bytes`` or

794

``unicode``).

795

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

796

:return: None

797

"""

Jean-Paul Calderone

9e1c1dd

2015-04-12 10:13:13 -0400

[diff] [blame]

798

dhfile = _path_string(dhfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

799

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

800

bio = _lib.BIO_new_file(dhfile, b"r")

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

801

if bio == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

802

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

803

bio = _ffi.gc(bio, _lib.BIO_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

804

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

805

dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)

806

dh = _ffi.gc(dh, _lib.DH_free)

807

_lib.SSL_CTX_set_tmp_dh(self._context, dh)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

808

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

809

def set_tmp_ecdh(self, curve):

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

810

"""

Andy Lutomirski

76a6133

2014-03-12 15:02:56 -0700

[diff] [blame]

811

Select a curve to use for ECDHE key exchange.

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

812

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

813

:param curve: A curve object to use as returned by either

814

:py:meth:`OpenSSL.crypto.get_elliptic_curve` or

815

:py:meth:`OpenSSL.crypto.get_elliptic_curves`.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

816

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

817

:return: None

818

"""

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

819

_lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

820

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

821

def set_cipher_list(self, cipher_list):

822

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

823

Set the list of ciphers to be used in this context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

824

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

825

See the OpenSSL manual for more information (e.g.

826

:manpage:`ciphers(1)`).

827

828

:param bytes cipher_list: An OpenSSL cipher string.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

829

:return: None

830

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

831

cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

832

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

833

if not isinstance(cipher_list, bytes):

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

834

raise TypeError("cipher_list must be a byte string.")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

835

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

836

_openssl_assert(

Hynek Schlawack

22a4b66

2016-03-11 14:59:39 +0100

[diff] [blame]

837

_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

838

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

839

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

840

def set_client_ca_list(self, certificate_authorities):

841

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

842

Set the list of preferred client certificate signers for this server

843

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

844

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

845

This list of certificate authorities will be sent to the client when

846

the server requests a client certificate.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

847

848

:param certificate_authorities: a sequence of X509Names.

849

:return: None

850

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

851

name_stack = _lib.sk_X509_NAME_new_null()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

852

_openssl_assert(name_stack != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

853

854

try:

855

for ca_name in certificate_authorities:

856

if not isinstance(ca_name, X509Name):

857

raise TypeError(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

858

"client CAs must be X509Name objects, not %s "

859

"objects" % (

860

type(ca_name).__name__,

861

)

862

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

863

copy = _lib.X509_NAME_dup(ca_name._name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

864

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

865

push_result = _lib.sk_X509_NAME_push(name_stack, copy)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

866

if not push_result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

867

_lib.X509_NAME_free(copy)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

868

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

869

except:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

870

_lib.sk_X509_NAME_free(name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

871

raise

872

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

873

_lib.SSL_CTX_set_client_CA_list(self._context, name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

874

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

875

def add_client_ca(self, certificate_authority):

876

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

877

Add the CA certificate to the list of preferred signers for this

878

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

879

880

The list of certificate authorities will be sent to the client when the

881

server requests a client certificate.

882

883

:param certificate_authority: certificate authority's X509 certificate.

884

:return: None

885

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

886

if not isinstance(certificate_authority, X509):

887

raise TypeError("certificate_authority must be an X509 instance")

888

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

889

add_result = _lib.SSL_CTX_add_client_CA(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

890

self._context, certificate_authority._x509)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame^]

891

_openssl_assert(add_result == 1)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

892

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

893

def set_timeout(self, timeout):

"""

Set session timeout

:param timeout: The timeout in seconds

898

:return: The previous session timeout

899

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

900

if not isinstance(timeout, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

901

raise TypeError("timeout must be an integer")

902

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

903

return _lib.SSL_CTX_set_timeout(self._context, timeout)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

904

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

905

def get_timeout(self):

906

"""

907

Get the session timeout

908

909

:return: The session timeout

910

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

911

return _lib.SSL_CTX_get_timeout(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

912

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

913

def set_info_callback(self, callback):

914

"""

915

Set the info callback

916

917

:param callback: The Python callback to use

918

:return: None

919

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

920

@wraps(callback)

921

def wrapper(ssl, where, return_code):

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

922

callback(Connection._reverse_mapping[ssl], where, return_code)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

923

self._info_callback = _ffi.callback(

924

"void (*)(const SSL *, int, int)", wrapper)

925

_lib.SSL_CTX_set_info_callback(self._context, self._info_callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

926

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

927

def get_app_data(self):

928

"""

929

Get the application data (supplied via set_app_data())

930

931

:return: The application data

932

"""

933

return self._app_data

934

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

935

def set_app_data(self, data):

936

"""

937

Set the application data (will be returned from get_app_data())

938

939

:param data: Any Python object

940

:return: None

941

"""

942

self._app_data = data

943

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

944

def get_cert_store(self):

945

"""

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

946

Get the certificate store for the context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

947

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

948

:return: A X509Store object or None if it does not have one.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

949

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

950

store = _lib.SSL_CTX_get_cert_store(self._context)

951

if store == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

952

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

953

return None

954

955

pystore = X509Store.__new__(X509Store)

956

pystore._store = store

957

return pystore

958

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

959

def set_options(self, options):

960

"""

961

Add options. Options set before are not cleared!

962

963

:param options: The options to add.

964

:return: The new option bitmask.

965

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

966

if not isinstance(options, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

967

raise TypeError("options must be an integer")

968

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

969

return _lib.SSL_CTX_set_options(self._context, options)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

970

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

971

def set_mode(self, mode):

972

"""

973

Add modes via bitmask. Modes set before are not cleared!

974

975

:param mode: The mode to add.

976

:return: The new mode bitmask.

977

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

978

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

979

raise TypeError("mode must be an integer")

980

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

981

return _lib.SSL_CTX_set_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

982

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

983

@_requires_sni

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

984

def set_tlsext_servername_callback(self, callback):

985

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

986

Specify a callback function to be called when clients specify a server

987

name.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

988

989

:param callback: The callback function. It will be invoked with one

990

argument, the Connection instance.

991

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

992

@wraps(callback)

993

def wrapper(ssl, alert, arg):

994

callback(Connection._reverse_mapping[ssl])

995

return 0

996

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

997

self._tlsext_servername_callback = _ffi.callback(

998

"int (*)(const SSL *, int *, void *)", wrapper)

999

_lib.SSL_CTX_set_tlsext_servername_callback(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1000

self._context, self._tlsext_servername_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1001

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1002

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1003

def set_npn_advertise_callback(self, callback):

1004

"""

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1005

Specify a callback function that will be called when offering `Next

1006

Protocol Negotiation

1007

<https://technotes.googlecode.com/git/nextprotoneg.html>`_ as a server.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1008

1009

:param callback: The callback function. It will be invoked with one

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1010

argument, the Connection instance. It should return a list of

1011

bytestrings representing the advertised protocols, like

1012

``[b'http/1.1', b'spdy/2']``.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1013

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1014

self._npn_advertise_helper = _NpnAdvertiseHelper(callback)

1015

self._npn_advertise_callback = self._npn_advertise_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1016

_lib.SSL_CTX_set_next_protos_advertised_cb(

1017

self._context, self._npn_advertise_callback, _ffi.NULL)

1018

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1019

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1020

def set_npn_select_callback(self, callback):

1021

"""

1022

Specify a callback function that will be called when a server offers

1023

Next Protocol Negotiation options.

1024

1025

:param callback: The callback function. It will be invoked with two

1026

arguments: the Connection, and a list of offered protocols as

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1027

bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return

1028

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1029

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1030

self._npn_select_helper = _NpnSelectHelper(callback)

1031

self._npn_select_callback = self._npn_select_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1032

_lib.SSL_CTX_set_next_proto_select_cb(

1033

self._context, self._npn_select_callback, _ffi.NULL)

1034

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1035

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1036

def set_alpn_protos(self, protos):

1037

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1038

Specify the clients ALPN protocol list.

1039

1040

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1041

1042

:param protos: A list of the protocols to be offered to the server.

1043

This list should be a Python list of bytestrings representing the

1044

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1045

"""

1046

# Take the list of protocols and join them together, prefixing them

1047

# with their lengths.

1048

protostr = b''.join(

1049

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1050

)

1051

1052

# Build a C string from the list. We don't need to save this off

1053

# because OpenSSL immediately copies the data out.

1054

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

e871af5

2015-04-11 17:57:50 -0400

[diff] [blame]

1055

input_str_len = _ffi.cast("unsigned", len(protostr))

1056

_lib.SSL_CTX_set_alpn_protos(self._context, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1057

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1058

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1059

def set_alpn_select_callback(self, callback):

1060

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1061

Set the callback to handle ALPN protocol choice.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1062

1063

:param callback: The callback function. It will be invoked with two

1064

arguments: the Connection, and a list of offered protocols as

1065

bytestrings, e.g ``[b'http/1.1', b'spdy/2']``. It should return

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1066

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1067

"""

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

1068

self._alpn_select_helper = _ALPNSelectHelper(callback)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1069

self._alpn_select_callback = self._alpn_select_helper.callback

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1070

_lib.SSL_CTX_set_alpn_select_cb(

1071

self._context, self._alpn_select_callback, _ffi.NULL)

1072

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1073

ContextType = Context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1074

1075

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1076

class Connection(object):

1077

"""

1078

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1079

_reverse_mapping = WeakValueDictionary()

1080

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1081

def __init__(self, context, socket=None):

1082

"""

1083

Create a new Connection object, using the given OpenSSL.SSL.Context

1084

instance and socket.

1085

1086

:param context: An SSL Context to use for this connection

1087

:param socket: The socket to use for transport layer

1088

"""

1089

if not isinstance(context, Context):

1090

raise TypeError("context must be a Context instance")

1091

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1092

ssl = _lib.SSL_new(context._context)

1093

self._ssl = _ffi.gc(ssl, _lib.SSL_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1094

self._context = context

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

1095

self._app_data = None

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1096

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1097

# References to strings used for Next Protocol Negotiation. OpenSSL's

1098

# header files suggest that these might get copied at some point, but

1099

# doesn't specify when, so we store them here to make sure they don't

1100

# get freed before OpenSSL uses them.

1101

self._npn_advertise_callback_args = None

1102

self._npn_select_callback_args = None

1103

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1104

# References to strings used for Application Layer Protocol

1105

# Negotiation. These strings get copied at some point but it's well

1106

# after the callback returns, so we have to hang them somewhere to

1107

# avoid them getting freed.

1108

self._alpn_select_callback_args = None

1109

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1110

self._reverse_mapping[self._ssl] = self

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1111

1112

if socket is None:

1113

self._socket = None

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1114

# Don't set up any gc for these, SSL_free will take care of them.

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1115

self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1116

_openssl_assert(self._into_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1117

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1118

self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())

1119

_openssl_assert(self._from_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1120

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1121

_lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1122

else:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1123

self._into_ssl = None

1124

self._from_ssl = None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1125

self._socket = socket

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1126

set_result = _lib.SSL_set_fd(

1127

self._ssl, _asFileDescriptor(self._socket))

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame^]

1128

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1129

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1130

def __getattr__(self, name):

1131

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1132

Look up attributes on the wrapped socket object if they are not found

1133

on the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1134

"""

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1135

if self._socket is None:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1136

raise AttributeError("'%s' object has no attribute '%s'" % (

1137

self.__class__.__name__, name

1138

))

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1139

else:

1140

return getattr(self._socket, name)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1141

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1142

def _raise_ssl_error(self, ssl, result):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1143

if self._context._verify_helper is not None:

1144

self._context._verify_helper.raise_if_problem()

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1145

if self._context._npn_advertise_helper is not None:

1146

self._context._npn_advertise_helper.raise_if_problem()

1147

if self._context._npn_select_helper is not None:

1148

self._context._npn_select_helper.raise_if_problem()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1149

if self._context._alpn_select_helper is not None:

1150

self._context._alpn_select_helper.raise_if_problem()

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1151

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1152

error = _lib.SSL_get_error(ssl, result)

1153

if error == _lib.SSL_ERROR_WANT_READ:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1154

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1155

elif error == _lib.SSL_ERROR_WANT_WRITE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1156

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1157

elif error == _lib.SSL_ERROR_ZERO_RETURN:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1158

raise ZeroReturnError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1159

elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1160

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1161

raise WantX509LookupError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1162

elif error == _lib.SSL_ERROR_SYSCALL:

1163

if _lib.ERR_peek_error() == 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1164

if result < 0:

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

1165

if platform == "win32":

1166

errno = _ffi.getwinerror()[0]

1167

else:

1168

errno = _ffi.errno

Glyph

3afdba8

2015-04-14 17:30:53 -0400

[diff] [blame]

1169

raise SysCallError(errno, errorcode.get(errno))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1170

else:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1171

raise SysCallError(-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1172

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1173

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1174

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1175

elif error == _lib.SSL_ERROR_NONE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1176

pass

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1177

else:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1178

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1179

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1180

def get_context(self):

1181

"""

1182

Get session context

1183

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1184

return self._context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1185

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1186

def set_context(self, context):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1187

"""

1188

Switch this connection to a new session context

1189

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1190

:param context: A :py:class:`Context` instance giving the new session

1191

context to use.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1192

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1193

if not isinstance(context, Context):

1194

raise TypeError("context must be a Context instance")

1195

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1196

_lib.SSL_set_SSL_CTX(self._ssl, context._context)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1197

self._context = context

1198

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1199

@_requires_sni

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1200

def get_servername(self):

1201

"""

1202

Retrieve the servername extension value if provided in the client hello

1203

message, or None if there wasn't one.

1204

1205

:return: A byte string giving the server name or :py:data:`None`.

1206

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1207

name = _lib.SSL_get_servername(

1208

self._ssl, _lib.TLSEXT_NAMETYPE_host_name

1209

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1210

if name == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1211

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1212

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1213

return _ffi.string(name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1214

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1215

@_requires_sni

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1216

def set_tlsext_host_name(self, name):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1217

"""

1218

Set the value of the servername extension to send in the client hello.

1219

1220

:param name: A byte string giving the name.

1221

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1222

if not isinstance(name, bytes):

1223

raise TypeError("name must be a byte string")

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1224

elif b"\0" in name:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1225

raise TypeError("name must not contain NUL byte")

1226

1227

# XXX I guess this can fail sometimes?

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1228

_lib.SSL_set_tlsext_host_name(self._ssl, name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1229

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1230

def pending(self):

1231

"""

1232

Get the number of bytes that can be safely read from the connection

1233

1234

:return: The number of bytes available in the receive buffer.

1235

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1236

return _lib.SSL_pending(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1237

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1238

def send(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1239

"""

1240

Send data on the connection. NOTE: If you get one of the WantRead,

1241

WantWrite or WantX509Lookup exceptions on this, you have to call the

1242

method again with the SAME buffer.

1243

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1244

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1245

:param flags: (optional) Included for compatibility with the socket

1246

API, the value is ignored

1247

:return: The number of bytes written

1248

"""

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1249

# Backward compatibility

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1250

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1251

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1252

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1253

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1254

if isinstance(buf, _buffer):

1255

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1256

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1257

raise TypeError("data must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1258

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1259

result = _lib.SSL_write(self._ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1260

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return result

write = send

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1264

def sendall(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1265

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1266

Send "all" data on the connection. This calls send() repeatedly until

1267

all data is sent. If an error occurs, it's impossible to tell how much

1268

data has been sent.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1269

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1270

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1271

:param flags: (optional) Included for compatibility with the socket

1272

API, the value is ignored

1273

:return: The number of bytes written

1274

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1275

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1276

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1277

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1278

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1279

if isinstance(buf, _buffer):

1280

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1281

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1282

raise TypeError("buf must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1283

1284

left_to_send = len(buf)

1285

total_sent = 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1286

data = _ffi.new("char[]", buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1287

1288

while left_to_send:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1289

result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1290

self._raise_ssl_error(self._ssl, result)

1291

total_sent += result

1292

left_to_send -= result

1293

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1294

def recv(self, bufsiz, flags=None):

1295

"""

Alex Gaynor

67fc8c9

2016-05-27 08:27:19 -0400

[diff] [blame]

1296

Receive data on the connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1297

1298

:param bufsiz: The maximum number of bytes to read

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1299

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1300

all other flags are ignored.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1301

:return: The string read from the Connection

1302

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1303

buf = _ffi.new("char[]", bufsiz)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1304

if flags is not None and flags & socket.MSG_PEEK:

1305

result = _lib.SSL_peek(self._ssl, buf, bufsiz)

1306

else:

1307

result = _lib.SSL_read(self._ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1308

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1309

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1310

read = recv

1311

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1312

def recv_into(self, buffer, nbytes=None, flags=None):

1313

"""

1314

Receive data on the connection and store the data into a buffer rather

1315

than creating a new string.

1316

1317

:param buffer: The buffer to copy into.

1318

:param nbytes: (optional) The maximum number of bytes to read into the

1319

buffer. If not present, defaults to the size of the buffer. If

1320

larger than the size of the buffer, is reduced to the size of the

1321

buffer.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1322

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1323

all other flags are ignored.

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1324

:return: The number of bytes read into the buffer.

"""

if nbytes is None:

nbytes = len(buffer)

else:

nbytes = min(nbytes, len(buffer))

1330

1331

# We need to create a temporary buffer. This is annoying, it would be

1332

# better if we could pass memoryviews straight into the SSL_read call,

1333

# but right now we can't. Revisit this if CFFI gets that ability.

1334

buf = _ffi.new("char[]", nbytes)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1335

if flags is not None and flags & socket.MSG_PEEK:

1336

result = _lib.SSL_peek(self._ssl, buf, nbytes)

1337

else:

1338

result = _lib.SSL_read(self._ssl, buf, nbytes)

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1339

self._raise_ssl_error(self._ssl, result)

1340

1341

# This strange line is all to avoid a memory copy. The buffer protocol

1342

# should allow us to assign a CFFI buffer to the LHS of this line, but

1343

# on CPython 3.3+ that segfaults. As a workaround, we can temporarily

1344

# wrap it in a memoryview, except on Python 2.6 which doesn't have a

1345

# memoryview type.

1346

try:

1347

buffer[:result] = memoryview(_ffi.buffer(buf, result))

1348

except NameError:

1349

buffer[:result] = _ffi.buffer(buf, result)

return result

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1353

def _handle_bio_errors(self, bio, result):

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1354

if _lib.BIO_should_retry(bio):

1355

if _lib.BIO_should_read(bio):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1356

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1357

elif _lib.BIO_should_write(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1358

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1359

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1360

elif _lib.BIO_should_io_special(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1361

# TODO: This is untested. I think io_special means the socket

1362

# BIO has a not-yet connected socket.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1363

raise ValueError("BIO_should_io_special")

1364

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1365

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1366

raise ValueError("unknown bio failure")

1367

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1368

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1369

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1370

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1371

def bio_read(self, bufsiz):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1372

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1373

When using non-socket connections this function reads the "dirty" data

1374

that would have traveled away on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1375

1376

:param bufsiz: The maximum number of bytes to read

1377

:return: The string read.

1378

"""

Jean-Paul Calderone

97e041d

2013-03-05 21:03:12 -0800

[diff] [blame]

1379

if self._from_ssl is None:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1380

raise TypeError("Connection sock was not None")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1381

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1382

if not isinstance(bufsiz, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1383

raise TypeError("bufsiz must be an integer")

1384

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1385

buf = _ffi.new("char[]", bufsiz)

1386

result = _lib.BIO_read(self._from_ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1387

if result <= 0:

1388

self._handle_bio_errors(self._from_ssl, result)

1389

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1390

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1391

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1392

def bio_write(self, buf):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1393

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1394

When using non-socket connections this function sends "dirty" data that

1395

would have traveled in on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1396

1397

:param buf: The string to put into the memory BIO.

1398

:return: The number of bytes written

1399

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1400

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1401

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1402

if self._into_ssl is None:

1403

raise TypeError("Connection sock was not None")

1404

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1405

result = _lib.BIO_write(self._into_ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1406

if result <= 0:

1407

self._handle_bio_errors(self._into_ssl, result)

1408

return result

1409

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1410

def renegotiate(self):

1411

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1412

Renegotiate the session.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1413

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1414

:return: True if the renegotiation can be started, False otherwise

1415

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1416

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1417

if not self.renegotiate_pending():

1418

_openssl_assert(_lib.SSL_renegotiate(self._ssl) == 1)

1419

return True

1420

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1421

1422

def do_handshake(self):

1423

"""

1424

Perform an SSL handshake (usually called after renegotiate() or one of

1425

set_*_state()). This can raise the same exceptions as send and recv.

1426

1427

:return: None.

1428

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1429

result = _lib.SSL_do_handshake(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1430

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1431

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1432

def renegotiate_pending(self):

1433

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1434

Check if there's a renegotiation in progress, it will return False once

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1435

a renegotiation is finished.

1436

1437

:return: Whether there's a renegotiation in progress

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1438

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1439

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1440

return _lib.SSL_renegotiate_pending(self._ssl) == 1

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1441

1442

def total_renegotiations(self):

1443

"""

1444

Find out the total number of renegotiations.

1445

1446

:return: The number of renegotiations.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1447

:rtype: int

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1448

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1449

return _lib.SSL_total_renegotiations(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1450

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1451

def connect(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1452

"""

1453

Connect to remote host and set up client-side SSL

1454

1455

:param addr: A remote address

1456

:return: What the socket's connect method returns

1457

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1458

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1459

return self._socket.connect(addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1460

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1461

def connect_ex(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1462

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1463

Connect to remote host and set up client-side SSL. Note that if the

1464

socket's connect_ex method doesn't return 0, SSL won't be initialized.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1465

1466

:param addr: A remove address

1467

:return: What the socket's connect_ex method returns

1468

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1469

connect_ex = self._socket.connect_ex

1470

self.set_connect_state()

1471

return connect_ex(addr)

1472

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1473

def accept(self):

1474

"""

1475

Accept incoming connection and set up SSL on it

1476

1477

:return: A (conn,addr) pair where conn is a Connection and addr is an

1478

address

1479

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1480

client, addr = self._socket.accept()

1481

conn = Connection(self._context, client)

1482

conn.set_accept_state()

1483

return (conn, addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1484

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1485

def bio_shutdown(self):

1486

"""

1487

When using non-socket connections this function signals end of

1488

data on the input for this connection.

1489

1490

:return: None

1491

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1492

if self._from_ssl is None:

1493

raise TypeError("Connection sock was not None")

1494

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1495

_lib.BIO_set_mem_eof_return(self._into_ssl, 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1496

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

def shutdown(self):

"""

Send closure alert

:return: True if the shutdown completed successfully (i.e. both sides

1502

have sent closure alerts), false otherwise (i.e. you have to

1503

wait for a ZeroReturnError on a recv() method call

1504

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1505

result = _lib.SSL_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1506

if result < 0:

Paul Aurich

bff1d1a

2015-01-08 08:36:53 -0800

[diff] [blame]

1507

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1508

elif result > 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1509

return True

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

else:

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1513

def get_cipher_list(self):

1514

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1515

Retrieve the list of ciphers used by the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1516

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1517

:return: A list of native cipher strings.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1518

"""

1519

ciphers = []

1520

for i in count():

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1521

result = _lib.SSL_get_cipher_list(self._ssl, i)

1522

if result == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1523

break

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1524

ciphers.append(_native(_ffi.string(result)))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1525

return ciphers

1526

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1527

def get_client_ca_list(self):

1528

"""

1529

Get CAs whose certificates are suggested for client authentication.

1530

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1531

:return: If this is a server connection, a list of X509Names

1532

representing the acceptable CAs as set by

1533

:py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or

1534

:py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client

1535

connection, the list of such X509Names sent by the server, or an

1536

empty list if that has not yet happened.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1537

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1538

ca_names = _lib.SSL_get_client_CA_list(self._ssl)

1539

if ca_names == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1540

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1541

return []

1542

1543

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1544

for i in range(_lib.sk_X509_NAME_num(ca_names)):

1545

name = _lib.sk_X509_NAME_value(ca_names, i)

1546

copy = _lib.X509_NAME_dup(name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1547

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1548

1549

pyname = X509Name.__new__(X509Name)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1550

pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1551

result.append(pyname)

1552

return result

1553

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1554

def makefile(self):

1555

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1556

The makefile() method is not implemented, since there is no dup

1557

semantics for SSL connections

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1558

Jean-Paul Calderone

6749ec2

2014-04-17 16:30:21 -0400

[diff] [blame]

1559

:raise: NotImplementedError

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1560

"""

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

1561

raise NotImplementedError(

1562

"Cannot make file object of OpenSSL.SSL.Connection")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1563

1564

def get_app_data(self):

"""

Get application data

:return: The application data

1569

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1570

return self._app_data

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1571

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1572

def set_app_data(self, data):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set application data

:param data - The application data

1577

:return: None

1578

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1579

self._app_data = data

1580

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1581

def get_shutdown(self):

"""

Get shutdown state

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1585

:return: The shutdown state, a bitvector of SENT_SHUTDOWN,

1586

RECEIVED_SHUTDOWN.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1587

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1588

return _lib.SSL_get_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1589

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1590

def set_shutdown(self, state):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set shutdown state

:param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.

1595

:return: None

1596

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

1597

if not isinstance(state, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1598

raise TypeError("state must be an integer")

1599

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1600

_lib.SSL_set_shutdown(self._ssl, state)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1601

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1602

def get_state_string(self):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1603

"""

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1604

Retrieve a verbose string detailing the state of the Connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1605

1606

:return: A string representing the state

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1607

:rtype: bytes

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1608

"""

kjav

c704a2e

2015-09-07 12:12:27 +0100

[diff] [blame]

1609

return _ffi.string(_lib.SSL_state_string_long(self._ssl))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1610

1611

def server_random(self):

1612

"""

1613

Get a copy of the server hello nonce.

1614

1615

:return: A string representing the state

1616

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1617

session = _lib.SSL_get_session(self._ssl)

1618

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1619

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1620

length = _lib.SSL_get_server_random(self._ssl, _ffi.NULL, 0)

1621

assert length > 0

1622

outp = _ffi.new("char[]", length)

1623

_lib.SSL_get_server_random(self._ssl, outp, length)

1624

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1625

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1626

def client_random(self):

1627

"""

1628

Get a copy of the client hello nonce.

1629

1630

:return: A string representing the state

1631

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1632

session = _lib.SSL_get_session(self._ssl)

1633

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1634

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1635

1636

length = _lib.SSL_get_client_random(self._ssl, _ffi.NULL, 0)

1637

assert length > 0

1638

outp = _ffi.new("char[]", length)

1639

_lib.SSL_get_client_random(self._ssl, outp, length)

1640

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1641

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1642

def master_key(self):

1643

"""

1644

Get a copy of the master key.

1645

1646

:return: A string representing the state

1647

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1648

session = _lib.SSL_get_session(self._ssl)

1649

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1650

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1651

1652

length = _lib.SSL_SESSION_get_master_key(session, _ffi.NULL, 0)

1653

assert length > 0

1654

outp = _ffi.new("char[]", length)

1655

_lib.SSL_SESSION_get_master_key(session, outp, length)

1656

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1657

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1658

def sock_shutdown(self, *args, **kwargs):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

See shutdown(2)

:return: What the socket's shutdown() method returns

1663

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1664

return self._socket.shutdown(*args, **kwargs)

1665

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1666

def get_peer_certificate(self):

1667

"""

1668

Retrieve the other side's certificate (if any)

1669

1670

:return: The peer's certificate

1671

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1672

cert = _lib.SSL_get_peer_certificate(self._ssl)

1673

if cert != _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1674

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1675

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return pycert

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1679

def get_peer_cert_chain(self):

1680

"""

1681

Retrieve the other side's certificate (if any)

1682

1683

:return: A list of X509 instances giving the peer's certificate chain,

1684

or None if it does not have one.

1685

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1686

cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)

1687

if cert_stack == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1688

return None

1689

1690

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1691

for i in range(_lib.sk_X509_num(cert_stack)):

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1692

# TODO could incref instead of dup here

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1693

cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1694

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1695

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1696

result.append(pycert)

1697

return result

1698

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1699

def want_read(self):

1700

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1701

Checks if more data has to be read from the transport layer to complete

1702

an operation.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1703

1704

:return: True iff more data has to be read

1705

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1706

return _lib.SSL_want_read(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1707

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1708

def want_write(self):

1709

"""

1710

Checks if there is data to write to the transport layer to complete an

1711

operation.

1712

1713

:return: True iff there is data to write

1714

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1715

return _lib.SSL_want_write(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1716

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1717

def set_accept_state(self):

1718

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1719

Set the connection to work in server mode. The handshake will be

1720

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1721

1722

:return: None

1723

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1724

_lib.SSL_set_accept_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1725

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1726

def set_connect_state(self):

1727

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1728

Set the connection to work in client mode. The handshake will be

1729

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1730

1731

:return: None

1732

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1733

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1734

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1735

def get_session(self):

1736

"""

1737

Returns the Session currently used.

1738

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1739

@return: An instance of :py:class:`OpenSSL.SSL.Session` or

1740

:py:obj:`None` if no session exists.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1741

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1742

session = _lib.SSL_get1_session(self._ssl)

1743

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1744

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1745

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1746

pysession = Session.__new__(Session)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1747

pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1748

return pysession

1749

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1750

def set_session(self, session):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1751

"""

1752

Set the session to be used when the TLS/SSL connection is established.

1753

1754

:param session: A Session instance representing the session to use.

1755

:returns: None

1756

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1757

if not isinstance(session, Session):

1758

raise TypeError("session must be a Session instance")

1759

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1760

result = _lib.SSL_set_session(self._ssl, session._session)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1761

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1762

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1763

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1764

def _get_finished_message(self, function):

1765

"""

1766

Helper to implement :py:meth:`get_finished` and

1767

:py:meth:`get_peer_finished`.

1768

1769

:param function: Either :py:data:`SSL_get_finished`: or

1770

:py:data:`SSL_get_peer_finished`.

1771

1772

:return: :py:data:`None` if the desired message has not yet been

1773

received, otherwise the contents of the message.

1774

:rtype: :py:class:`bytes` or :py:class:`NoneType`

1775

"""

Jean-Paul Calderone

01af904

2014-03-30 11:40:42 -0400

[diff] [blame]

1776

# The OpenSSL documentation says nothing about what might happen if the

1777

# count argument given is zero. Specifically, it doesn't say whether

1778

# the output buffer may be NULL in that case or not. Inspection of the

1779

# implementation reveals that it calls memcpy() unconditionally.

1780

# Section 7.1.4, paragraph 1 of the C standard suggests that

1781

# memcpy(NULL, source, 0) is not guaranteed to produce defined (let

1782

# alone desirable) behavior (though it probably does on just about

1783

# every implementation...)

1784

#

1785

# Allocate a tiny buffer to pass in (instead of just passing NULL as

1786

# one might expect) for the initial call so as to be safe against this

1787

# potentially undefined behavior.

1788

empty = _ffi.new("char[]", 0)

1789

size = function(self._ssl, empty, 0)

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1790

if size == 0:

1791

# No Finished message so far.

1792

return None

1793

1794

buf = _ffi.new("char[]", size)

1795

function(self._ssl, buf, size)

1796

return _ffi.buffer(buf, size)[:]

1797

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1798

def get_finished(self):

1799

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1800

Obtain the latest `handshake finished` message sent to the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1801

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1802

:return: The contents of the message or :py:obj:`None` if the TLS

1803

handshake has not yet completed.

1804

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1805

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1806

return self._get_finished_message(_lib.SSL_get_finished)

1807

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1808

def get_peer_finished(self):

1809

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1810

Obtain the latest `handshake finished` message received from the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1811

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1812

:return: The contents of the message or :py:obj:`None` if the TLS

1813

handshake has not yet completed.

1814

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1815

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1816

return self._get_finished_message(_lib.SSL_get_peer_finished)

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1817

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1818

def get_cipher_name(self):

1819

"""

1820

Obtain the name of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1821

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1822

:returns: The name of the currently used cipher or :py:obj:`None`

1823

if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1824

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1825

"""

1826

cipher = _lib.SSL_get_current_cipher(self._ssl)

1827

if cipher == _ffi.NULL:

1828

return None

1829

else:

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1830

name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))

1831

return name.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1832

1833

def get_cipher_bits(self):

1834

"""

1835

Obtain the number of secret bits of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1836

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1837

:returns: The number of secret bits of the currently used cipher

1838

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1839

:rtype: :py:class:`int` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1840

"""

1841

cipher = _lib.SSL_get_current_cipher(self._ssl)

1842

if cipher == _ffi.NULL:

1843

return None

1844

else:

1845

return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)

1846

1847

def get_cipher_version(self):

1848

"""

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1849

Obtain the protocol version of the currently used cipher.

1850

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1851

:returns: The protocol name of the currently used cipher

1852

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1853

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1854

"""

1855

cipher = _lib.SSL_get_current_cipher(self._ssl)

1856

if cipher == _ffi.NULL:

1857

return None

1858

else:

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

1859

version = _ffi.string(_lib.SSL_CIPHER_get_version(cipher))

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1860

return version.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1861

Jim Shaver

abff188

2015-05-27 09:15:55 -0400

[diff] [blame]

1862

def get_protocol_version_name(self):

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1863

"""

1864

Obtain the protocol version of the current connection.

1865

1866

:returns: The TLS version of the current connection, for example

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1867

the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown``

Jim Shaver

b5b6b0e

2015-05-28 16:47:36 -0400

[diff] [blame]

1868

for connections that were not successfully established.

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1869

:rtype: :py:class:`unicode`

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1870

"""

Jim Shaver

d1c896e

2015-05-27 17:50:21 -0400

[diff] [blame]

1871

version = _ffi.string(_lib.SSL_get_version(self._ssl))

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1872

return version.decode("utf-8")

Jim Shaver

b296792

2015-04-26 23:58:52 -0400

[diff] [blame]

1873

Jim Shaver

208438c

2015-05-28 09:52:38 -0400

[diff] [blame]

1874

def get_protocol_version(self):

1875

"""

1876

Obtain the protocol version of the current connection.

1877

1878

:returns: The TLS version of the current connection, for example

1879

the value for TLS 1 would be 0x769.

1880

:rtype: :py:class:`int`

1881

"""

1882

version = _lib.SSL_version(self._ssl)

1883

return version

1884

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1885

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1886

def get_next_proto_negotiated(self):

1887

"""

1888

Get the protocol that was negotiated by NPN.

1889

"""

1890

data = _ffi.new("unsigned char **")

1891

data_len = _ffi.new("unsigned int *")

1892

1893

_lib.SSL_get0_next_proto_negotiated(self._ssl, data, data_len)

1894

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

1895

return _ffi.buffer(data[0], data_len[0])[:]

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1896

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1897

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1898

def set_alpn_protos(self, protos):

1899

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1900

Specify the client's ALPN protocol list.

1901

1902

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1903

1904

:param protos: A list of the protocols to be offered to the server.

1905

This list should be a Python list of bytestrings representing the

1906

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1907

"""

1908

# Take the list of protocols and join them together, prefixing them

1909

# with their lengths.

1910

protostr = b''.join(

1911

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1912

)

1913

1914

# Build a C string from the list. We don't need to save this off

1915

# because OpenSSL immediately copies the data out.

1916

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

9c1979a

2015-04-12 08:51:52 -0400

[diff] [blame]

1917

input_str_len = _ffi.cast("unsigned", len(protostr))

1918

_lib.SSL_set_alpn_protos(self._ssl, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1919

Maximilian Hils

66ded6a

2015-08-26 06:02:03 +0200

[diff] [blame]

1920

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1921

def get_alpn_proto_negotiated(self):

Cory Benfield

222f30e

2015-04-13 18:10:21 -0400

[diff] [blame]

1922

"""

1923

Get the protocol that was negotiated by ALPN.

1924

"""

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1925

data = _ffi.new("unsigned char **")

1926

data_len = _ffi.new("unsigned int *")

1927

1928

_lib.SSL_get0_alpn_selected(self._ssl, data, data_len)

1929

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

if not data_len:

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1933

return _ffi.buffer(data[0], data_len[0])[:]

1934

1935

Jean-Paul Calderone