Blame - src/OpenSSL/SSL.py - platform/external/python/pyopenssl

2015-08-17 19:27:20 +0200

[diff] [blame]

1

import socket

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2

from sys import platform

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

3

from functools import wraps, partial

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

4

from itertools import count, chain

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

5

from weakref import WeakValueDictionary

6

from errno import errorcode

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

7

Cory Benfield

63759dc

2015-04-12 08:57:03 -0400

[diff] [blame]

8

from six import binary_type as _binary_type

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

9

from six import integer_types as integer_types

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

10

from six import int2byte, indexbytes

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

11

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

12

from OpenSSL._util import (

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

13

UNSPECIFIED as _UNSPECIFIED,

14

exception_from_error_queue as _exception_from_error_queue,

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

15

ffi as _ffi,

16

lib as _lib,

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

17

make_assert as _make_assert,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

18

native as _native,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

19

path_string as _path_string,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

20

text_to_bytes_and_warn as _text_to_bytes_and_warn,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

21

)

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

22

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

23

from OpenSSL.crypto import (

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

24

FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

25

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

26

try:

27

_memoryview = memoryview

28

except NameError:

29

class _memoryview(object):

30

pass

31

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

try:

_buffer = buffer

except NameError:

class _buffer(object):

36

pass

37

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

38

OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER

39

SSLEAY_VERSION = _lib.SSLEAY_VERSION

40

SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS

41

SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM

42

SSLEAY_DIR = _lib.SSLEAY_DIR

43

SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

44

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

45

SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN

46

RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

SSLv2_METHOD = 1

SSLv3_METHOD = 2

SSLv23_METHOD = 3

TLSv1_METHOD = 4

Jean-Paul Calderone

56bff94

2013-11-03 11:30:43 -0500

[diff] [blame]

52

TLSv1_1_METHOD = 5

53

TLSv1_2_METHOD = 6

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

54

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

55

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2

56

OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3

57

OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

58

59

OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)

60

OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

61

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

62

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

63

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

64

OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE

Akihiro Yamazaki

e64d80c

2015-09-06 00:16:57 +0900

[diff] [blame]

65

OP_SINGLE_ECDH_USE = _lib.SSL_OP_SINGLE_ECDH_USE

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

66

OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA

67

OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG

68

OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

69

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = (

70

_lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

71

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

72

OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

73

OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

Alex Gaynor

5bb2bd1

2016-07-03 10:48:32 -0400

[diff] [blame]

74

OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

75

OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG

76

OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG

77

OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG

78

OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

79

OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE

80

OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG

81

OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1

82

OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2

83

OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

84

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = (

85

_lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

86

)

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

87

OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

88

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

89

OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU

90

OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE

Alex Gaynor

5bb2bd1

2016-07-03 10:48:32 -0400

[diff] [blame]

91

OP_NO_TICKET = _lib.SSL_OP_NO_TICKET

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

92

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

93

OP_ALL = _lib.SSL_OP_ALL

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

94

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

95

VERIFY_PEER = _lib.SSL_VERIFY_PEER

96

VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

97

VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE

98

VERIFY_NONE = _lib.SSL_VERIFY_NONE

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

99

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

100

SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF

101

SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT

102

SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER

103

SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH

104

SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR

105

SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

106

SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE

107

SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

d39a3f6

2013-03-04 12:23:51 -0800

[diff] [blame]

108

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

109

SSL_ST_CONNECT = _lib.SSL_ST_CONNECT

110

SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT

111

SSL_ST_MASK = _lib.SSL_ST_MASK

Alex Gaynor

5af32d0

2016-09-24 01:52:21 -0400

[diff] [blame^]

112

if _lib.Cryptography_HAS_SSL_ST:

113

SSL_ST_INIT = _lib.SSL_ST_INIT

114

SSL_ST_BEFORE = _lib.SSL_ST_BEFORE

115

SSL_ST_OK = _lib.SSL_ST_OK

116

SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

117

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

118

SSL_CB_LOOP = _lib.SSL_CB_LOOP

119

SSL_CB_EXIT = _lib.SSL_CB_EXIT

120

SSL_CB_READ = _lib.SSL_CB_READ

121

SSL_CB_WRITE = _lib.SSL_CB_WRITE

122

SSL_CB_ALERT = _lib.SSL_CB_ALERT

123

SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT

124

SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT

125

SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP

126

SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT

127

SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP

128

SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT

129

SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START

130

SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

131

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

132

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

133

class Error(Exception):

Jean-Paul Calderone

511cde0

2013-12-29 10:31:13 -0500

[diff] [blame]

134

"""

135

An error occurred in an `OpenSSL.SSL` API.

136

"""

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

137

138

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

139

_raise_current_error = partial(_exception_from_error_queue, Error)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

140

_openssl_assert = _make_assert(Error)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

141

142

143

class WantReadError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

147

class WantWriteError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

151

class WantX509LookupError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

155

class ZeroReturnError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

159

class SysCallError(Error):

pass

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

163

class _CallbackExceptionHelper(object):

164

"""

165

A base class for wrapper classes that allow for intelligent exception

166

handling in OpenSSL callbacks.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

167

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

168

:ivar list _problems: Any exceptions that occurred while executing in a

169

context where they could not be raised in the normal way. Typically

170

this is because OpenSSL has called into some Python code and requires a

171

return value. The exceptions are saved to be raised later when it is

172

possible to do so.

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

173

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

174

Jean-Paul Calderone

09540d7

2015-03-22 19:37:20 -0400

[diff] [blame]

175

def __init__(self):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

176

self._problems = []

177

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

178

def raise_if_problem(self):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

179

"""

180

Raise an exception from the OpenSSL error queue or that was previously

181

captured whe running a callback.

182

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

183

if self._problems:

184

try:

185

_raise_current_error()

186

except Error:

187

pass

188

raise self._problems.pop(0)

189

190

191

class _VerifyHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

192

"""

193

Wrap a callback such that it can be used as a certificate verification

194

callback.

195

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

196

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

197

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

198

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

199

200

@wraps(callback)

201

def wrapper(ok, store_ctx):

202

cert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

203

cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)

204

error_number = _lib.X509_STORE_CTX_get_error(store_ctx)

205

error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

206

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

207

index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()

208

ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)

209

connection = Connection._reverse_mapping[ssl]

210

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

211

try:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

212

result = callback(

213

connection, cert, error_number, error_depth, ok

214

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

215

except Exception as e:

216

self._problems.append(e)

217

return 0

218

else:

219

if result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

220

_lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

return 1

else:

return 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

225

self.callback = _ffi.callback(

226

"int (*)(int, X509_STORE_CTX *)", wrapper)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

227

228

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

229

class _NpnAdvertiseHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

230

"""

231

Wrap a callback such that it can be used as an NPN advertisement callback.

232

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

233

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

234

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

235

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

236

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

237

@wraps(callback)

238

def wrapper(ssl, out, outlen, arg):

239

try:

240

conn = Connection._reverse_mapping[ssl]

241

protos = callback(conn)

242

243

# Join the protocols into a Python bytestring, length-prefixing

244

# each element.

245

protostr = b''.join(

246

chain.from_iterable((int2byte(len(p)), p) for p in protos)

247

)

248

249

# Save our callback arguments on the connection object. This is

250

# done to make sure that they don't get freed before OpenSSL

251

# uses them. Then, return them appropriately in the output

252

# parameters.

253

conn._npn_advertise_callback_args = [

254

_ffi.new("unsigned int *", len(protostr)),

255

_ffi.new("unsigned char[]", protostr),

256

]

257

outlen[0] = conn._npn_advertise_callback_args[0][0]

258

out[0] = conn._npn_advertise_callback_args[1]

259

return 0

260

except Exception as e:

261

self._problems.append(e)

262

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

263

264

self.callback = _ffi.callback(

265

"int (*)(SSL *, const unsigned char **, unsigned int *, void *)",

wrapper

)

class _NpnSelectHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

271

"""

272

Wrap a callback such that it can be used as an NPN selection callback.

273

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

274

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

275

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

276

_CallbackExceptionHelper.__init__(self)

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

277

278

@wraps(callback)

279

def wrapper(ssl, out, outlen, in_, inlen, arg):

280

try:

281

conn = Connection._reverse_mapping[ssl]

282

283

# The string passed to us is actually made up of multiple

284

# length-prefixed bytestrings. We need to split that into a

285

# list.

286

instr = _ffi.buffer(in_, inlen)[:]

287

protolist = []

288

while instr:

289

l = indexbytes(instr, 0)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

290

proto = instr[1:l + 1]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

291

protolist.append(proto)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

292

instr = instr[l + 1:]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

293

294

# Call the callback

295

outstr = callback(conn, protolist)

296

297

# Save our callback arguments on the connection object. This is

298

# done to make sure that they don't get freed before OpenSSL

299

# uses them. Then, return them appropriately in the output

300

# parameters.

301

conn._npn_select_callback_args = [

302

_ffi.new("unsigned char *", len(outstr)),

303

_ffi.new("unsigned char[]", outstr),

304

]

305

outlen[0] = conn._npn_select_callback_args[0][0]

306

out[0] = conn._npn_select_callback_args[1]

307

return 0

308

except Exception as e:

309

self._problems.append(e)

310

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

311

312

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

313

("int (*)(SSL *, unsigned char **, unsigned char *, "

314

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

315

wrapper

316

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

317

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

318

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

319

class _ALPNSelectHelper(_CallbackExceptionHelper):

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

320

"""

321

Wrap a callback such that it can be used as an ALPN selection callback.

322

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

323

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

324

def __init__(self, callback):

325

_CallbackExceptionHelper.__init__(self)

326

327

@wraps(callback)

328

def wrapper(ssl, out, outlen, in_, inlen, arg):

329

try:

330

conn = Connection._reverse_mapping[ssl]

331

332

# The string passed to us is made up of multiple

333

# length-prefixed bytestrings. We need to split that into a

334

# list.

335

instr = _ffi.buffer(in_, inlen)[:]

336

protolist = []

337

while instr:

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

338

encoded_len = indexbytes(instr, 0)

339

proto = instr[1:encoded_len + 1]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

340

protolist.append(proto)

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

341

instr = instr[encoded_len + 1:]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

342

343

# Call the callback

344

outstr = callback(conn, protolist)

345

346

if not isinstance(outstr, _binary_type):

347

raise TypeError("ALPN callback must return a bytestring.")

348

349

# Save our callback arguments on the connection object to make

350

# sure that they don't get freed before OpenSSL can use them.

351

# Then, return them in the appropriate output parameters.

352

conn._alpn_select_callback_args = [

353

_ffi.new("unsigned char *", len(outstr)),

354

_ffi.new("unsigned char[]", outstr),

355

]

356

outlen[0] = conn._alpn_select_callback_args[0][0]

357

out[0] = conn._alpn_select_callback_args[1]

358

return 0

359

except Exception as e:

360

self._problems.append(e)

361

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

362

363

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

364

("int (*)(SSL *, unsigned char **, unsigned char *, "

365

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

wrapper

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

370

def _asFileDescriptor(obj):

371

fd = None

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

372

if not isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

373

meth = getattr(obj, "fileno", None)

374

if meth is not None:

375

obj = meth()

376

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

377

if isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

378

fd = obj

379

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

380

if not isinstance(fd, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

381

raise TypeError("argument must be an int, or have a fileno() method.")

382

elif fd < 0:

383

raise ValueError(

384

"file descriptor cannot be a negative integer (%i)" % (fd,))

return fd

Jean-Paul Calderone

2013-03-04 12:23:51 -0800

[diff] [blame]

389

def SSLeay_version(type):

390

"""

391

Return a string describing the version of OpenSSL in use.

392

393

:param type: One of the SSLEAY_ constants defined in this module.

394

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

395

return _ffi.string(_lib.SSLeay_version(type))

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

396

397

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

398

def _make_requires(flag, error):

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

399

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

400

Builds a decorator that ensures that functions that rely on OpenSSL

401

functions that are not present in this build raise NotImplementedError,

402

rather than AttributeError coming out of cryptography.

403

404

:param flag: A cryptography flag that guards the functions, e.g.

405

``Cryptography_HAS_NEXTPROTONEG``.

406

:param error: The string to be used in the exception if the flag is false.

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

407

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

408

def _requires_decorator(func):

409

if not flag:

410

@wraps(func)

411

def explode(*args, **kwargs):

412

raise NotImplementedError(error)

413

return explode

414

else:

415

return func

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

416

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

417

return _requires_decorator

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

418

419

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

420

_requires_npn = _make_requires(

421

_lib.Cryptography_HAS_NEXTPROTONEG, "NPN not available"

422

)

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

423

424

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

425

_requires_alpn = _make_requires(

426

_lib.Cryptography_HAS_ALPN, "ALPN not available"

427

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

428

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

429

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

430

_requires_sni = _make_requires(

431

_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"

432

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

433

434

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

435

class Session(object):

pass

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

439

class Context(object):

440

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

441

:class:`OpenSSL.SSL.Context` instances define the parameters for setting

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

442

up new SSL connections.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

443

"""

444

_methods = {

Andrew Dunham

ec84a0a

2014-02-24 12:41:37 -0800

[diff] [blame]

445

SSLv2_METHOD: "SSLv2_method",

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

446

SSLv3_METHOD: "SSLv3_method",

447

SSLv23_METHOD: "SSLv23_method",

448

TLSv1_METHOD: "TLSv1_method",

449

TLSv1_1_METHOD: "TLSv1_1_method",

450

TLSv1_2_METHOD: "TLSv1_2_method",

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

451

}

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

452

_methods = dict(

453

(identifier, getattr(_lib, name))

454

for (identifier, name) in _methods.items()

455

if getattr(_lib, name, None) is not None)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

456

457

def __init__(self, method):

458

"""

459

:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or

460

TLSv1_METHOD.

461

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

462

if not isinstance(method, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

463

raise TypeError("method must be an integer")

464

465

try:

466

method_func = self._methods[method]

467

except KeyError:

468

raise ValueError("No such protocol")

469

470

method_obj = method_func()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

471

_openssl_assert(method_obj != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

472

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

473

context = _lib.SSL_CTX_new(method_obj)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

474

_openssl_assert(context != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

475

context = _ffi.gc(context, _lib.SSL_CTX_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

476

477

self._context = context

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

478

self._passphrase_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

479

self._passphrase_callback = None

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

480

self._passphrase_userdata = None

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

481

self._verify_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

482

self._verify_callback = None

483

self._info_callback = None

484

self._tlsext_servername_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

485

self._app_data = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

486

self._npn_advertise_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

487

self._npn_advertise_callback = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

488

self._npn_select_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

489

self._npn_select_callback = None

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

490

self._alpn_select_helper = None

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

491

self._alpn_select_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

492

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

493

# SSL_CTX_set_app_data(self->ctx, self);

494

# SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |

495

# SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

496

# SSL_MODE_AUTO_RETRY);

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

497

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

498

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

499

def load_verify_locations(self, cafile, capath=None):

500

"""

501

Let SSL know where we can find trusted certificates for the certificate

502

chain

503

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

504

:param cafile: In which file we can find the certificates (``bytes`` or

505

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

506

:param capath: In which directory we can find the certificates

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

507

(``bytes`` or ``unicode``).

508

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

509

:return: None

510

"""

511

if cafile is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

512

cafile = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

513

else:

514

cafile = _path_string(cafile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

515

516

if capath is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

517

capath = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

518

else:

519

capath = _path_string(capath)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

520

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

521

load_result = _lib.SSL_CTX_load_verify_locations(

522

self._context, cafile, capath

523

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

524

if not load_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

525

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

526

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

527

def _wrap_callback(self, callback):

528

@wraps(callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

529

def wrapper(size, verify, userdata):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

530

return callback(size, verify, self._passphrase_userdata)

531

return _PassphraseHelper(

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

532

FILETYPE_PEM, wrapper, more_args=True, truncate=True)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

533

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

534

def set_passwd_cb(self, callback, userdata=None):

535

"""

536

Set the passphrase callback

537

538

:param callback: The Python callback to use

539

:param userdata: (optional) A Python object which will be given as

540

argument to the callback

541

:return: None

542

"""

543

if not callable(callback):

544

raise TypeError("callback must be callable")

545

546

self._passphrase_helper = self._wrap_callback(callback)

547

self._passphrase_callback = self._passphrase_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

548

_lib.SSL_CTX_set_default_passwd_cb(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

549

self._context, self._passphrase_callback)

550

self._passphrase_userdata = userdata

551

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

552

def set_default_verify_paths(self):

553

"""

554

Use the platform-specific CA certificate locations

555

556

:return: None

557

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

558

set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

559

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

560

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

561

def use_certificate_chain_file(self, certfile):

562

"""

563

Load a certificate chain from a file

564

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

565

:param certfile: The name of the certificate chain file (``bytes`` or

566

``unicode``).

567

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

568

:return: None

569

"""

Jean-Paul Calderone

aac43a3

2015-04-12 09:51:21 -0400

[diff] [blame]

570

certfile = _path_string(certfile)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

571

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

572

result = _lib.SSL_CTX_use_certificate_chain_file(

573

self._context, certfile

574

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

575

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

576

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

577

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

578

def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

579

"""

580

Load a certificate from a file

581

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

582

:param certfile: The name of the certificate file (``bytes`` or

583

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

584

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

585

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

586

:return: None

587

"""

Jean-Paul Calderone

d57a7b6

2015-04-12 09:57:36 -0400

[diff] [blame]

588

certfile = _path_string(certfile)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

589

if not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

590

raise TypeError("filetype must be an integer")

591

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

592

use_result = _lib.SSL_CTX_use_certificate_file(

593

self._context, certfile, filetype

594

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

596

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

597

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

598

def use_certificate(self, cert):

599

"""

600

Load a certificate from a X509 object

601

602

:param cert: The X509 object

603

:return: None

604

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

605

if not isinstance(cert, X509):

606

raise TypeError("cert must be an X509 instance")

607

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

608

use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

609

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

610

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

611

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

612

def add_extra_chain_cert(self, certobj):

613

"""

614

Add certificate to chain

615

616

:param certobj: The X509 certificate object to add to the chain

617

:return: None

618

"""

619

if not isinstance(certobj, X509):

620

raise TypeError("certobj must be an X509 instance")

621

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

622

copy = _lib.X509_dup(certobj._x509)

623

add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

624

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

625

# TODO: This is untested.

626

_lib.X509_free(copy)

627

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

628

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

629

def _raise_passphrase_exception(self):

630

if self._passphrase_helper is None:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

631

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

exception = self._passphrase_helper.raise_if_problem(Error)

633

if exception is not None:

634

raise exception

635

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

636

def use_privatekey_file(self, keyfile, filetype=_UNSPECIFIED):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

637

"""

638

Load a private key from a file

639

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

640

:param keyfile: The name of the key file (``bytes`` or ``unicode``)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

641

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

642

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

643

:return: None

644

"""

Jean-Paul Calderone

69a4e5b

2015-04-12 10:04:28 -0400

[diff] [blame]

645

keyfile = _path_string(keyfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

646

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

647

if filetype is _UNSPECIFIED:

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

648

filetype = FILETYPE_PEM

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

649

elif not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

650

raise TypeError("filetype must be an integer")

651

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

652

use_result = _lib.SSL_CTX_use_PrivateKey_file(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

653

self._context, keyfile, filetype)

654

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

655

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

656

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

657

def use_privatekey(self, pkey):

658

"""

659

Load a private key from a PKey object

660

661

:param pkey: The PKey object

662

:return: None

663

"""

664

if not isinstance(pkey, PKey):

665

raise TypeError("pkey must be a PKey instance")

666

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

667

use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

668

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

669

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

670

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

671

def check_privatekey(self):

672

"""

673

Check that the private key and certificate match up

674

675

:return: None (raises an exception if something's wrong)

676

"""

Jean-Paul Calderone

a034492

2014-12-11 14:02:31 -0500

[diff] [blame]

677

if not _lib.SSL_CTX_check_private_key(self._context):

678

_raise_current_error()

679

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

680

def load_client_ca(self, cafile):

681

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

682

Load the trusted certificates that will be sent to the client. Does

683

not actually imply any of the certificates are trusted; that must be

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

684

configured separately.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

685

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

686

:param bytes cafile: The path to a certificates file in PEM format.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

687

:return: None

688

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

689

ca_list = _lib.SSL_load_client_CA_file(

690

_text_to_bytes_and_warn("cafile", cafile)

691

)

692

_openssl_assert(ca_list != _ffi.NULL)

693

# SSL_CTX_set_client_CA_list doesn't return anything.

694

_lib.SSL_CTX_set_client_CA_list(self._context, ca_list)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

695

696

def set_session_id(self, buf):

697

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

698

Set the session id to *buf* within which a session can be reused for

699

this Context object. This is needed when doing session resumption,

700

because there is no way for a stored session to know which Context

701

object it is associated with.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

702

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

703

:param bytes buf: The session id.

704

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

705

:returns: None

706

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

707

buf = _text_to_bytes_and_warn("buf", buf)

708

_openssl_assert(

709

_lib.SSL_CTX_set_session_id_context(

self._context,

buf,

len(buf),

) == 1

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

715

716

def set_session_cache_mode(self, mode):

717

"""

718

Enable/disable session caching and specify the mode used.

719

720

:param mode: One or more of the SESS_CACHE_* flags (combine using

721

bitwise or)

722

:returns: The previously set caching mode.

723

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

724

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

725

raise TypeError("mode must be an integer")

726

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

727

return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

728

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

729

def get_session_cache_mode(self):

730

"""

731

:returns: The currently used cache mode.

732

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

733

return _lib.SSL_CTX_get_session_cache_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

734

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

735

def set_verify(self, mode, callback):

736

"""

737

Set the verify mode and verify callback

738

739

:param mode: The verify mode, this is either VERIFY_NONE or

740

VERIFY_PEER combined with possible other flags

741

:param callback: The Python callback to use

742

:return: None

743

744

See SSL_CTX_set_verify(3SSL) for further details.

745

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

746

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

747

raise TypeError("mode must be an integer")

748

749

if not callable(callback):

750

raise TypeError("callback must be callable")

751

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

752

self._verify_helper = _VerifyHelper(callback)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

753

self._verify_callback = self._verify_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

754

_lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

755

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

756

def set_verify_depth(self, depth):

"""

Set the verify depth

:param depth: An integer specifying the verify depth

761

:return: None

762

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

763

if not isinstance(depth, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

764

raise TypeError("depth must be an integer")

765

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

766

_lib.SSL_CTX_set_verify_depth(self._context, depth)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

767

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

768

def get_verify_mode(self):

"""

Get the verify mode

:return: The verify mode

773

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

774

return _lib.SSL_CTX_get_verify_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

775

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

776

def get_verify_depth(self):

"""

Get the verify depth

:return: The verify depth

781

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

782

return _lib.SSL_CTX_get_verify_depth(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

783

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

784

def load_tmp_dh(self, dhfile):

785

"""

786

Load parameters for Ephemeral Diffie-Hellman

787

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

788

:param dhfile: The file to load EDH parameters from (``bytes`` or

789

``unicode``).

790

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

791

:return: None

792

"""

Jean-Paul Calderone

9e1c1dd

2015-04-12 10:13:13 -0400

[diff] [blame]

793

dhfile = _path_string(dhfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

794

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

795

bio = _lib.BIO_new_file(dhfile, b"r")

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

796

if bio == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

797

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

798

bio = _ffi.gc(bio, _lib.BIO_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

799

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

800

dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)

801

dh = _ffi.gc(dh, _lib.DH_free)

802

_lib.SSL_CTX_set_tmp_dh(self._context, dh)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

803

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

804

def set_tmp_ecdh(self, curve):

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

805

"""

Andy Lutomirski

76a6133

2014-03-12 15:02:56 -0700

[diff] [blame]

806

Select a curve to use for ECDHE key exchange.

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

807

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

808

:param curve: A curve object to use as returned by either

809

:py:meth:`OpenSSL.crypto.get_elliptic_curve` or

810

:py:meth:`OpenSSL.crypto.get_elliptic_curves`.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

811

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

812

:return: None

813

"""

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

814

_lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

815

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

816

def set_cipher_list(self, cipher_list):

817

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

818

Set the list of ciphers to be used in this context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

819

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

820

See the OpenSSL manual for more information (e.g.

821

:manpage:`ciphers(1)`).

822

823

:param bytes cipher_list: An OpenSSL cipher string.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

824

:return: None

825

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

826

cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

827

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

828

if not isinstance(cipher_list, bytes):

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

829

raise TypeError("cipher_list must be a byte string.")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

830

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

831

_openssl_assert(

Hynek Schlawack

22a4b66

2016-03-11 14:59:39 +0100

[diff] [blame]

832

_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

833

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

834

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

835

def set_client_ca_list(self, certificate_authorities):

836

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

837

Set the list of preferred client certificate signers for this server

838

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

839

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

840

This list of certificate authorities will be sent to the client when

841

the server requests a client certificate.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

842

843

:param certificate_authorities: a sequence of X509Names.

844

:return: None

845

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

846

name_stack = _lib.sk_X509_NAME_new_null()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

847

_openssl_assert(name_stack != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

848

849

try:

850

for ca_name in certificate_authorities:

851

if not isinstance(ca_name, X509Name):

852

raise TypeError(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

853

"client CAs must be X509Name objects, not %s "

854

"objects" % (

855

type(ca_name).__name__,

856

)

857

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

858

copy = _lib.X509_NAME_dup(ca_name._name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

859

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

860

push_result = _lib.sk_X509_NAME_push(name_stack, copy)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

861

if not push_result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

862

_lib.X509_NAME_free(copy)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

863

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

864

except:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

865

_lib.sk_X509_NAME_free(name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

866

raise

867

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

868

_lib.SSL_CTX_set_client_CA_list(self._context, name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

869

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

870

def add_client_ca(self, certificate_authority):

871

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

872

Add the CA certificate to the list of preferred signers for this

873

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

874

875

The list of certificate authorities will be sent to the client when the

876

server requests a client certificate.

877

878

:param certificate_authority: certificate authority's X509 certificate.

879

:return: None

880

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

881

if not isinstance(certificate_authority, X509):

882

raise TypeError("certificate_authority must be an X509 instance")

883

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

884

add_result = _lib.SSL_CTX_add_client_CA(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

885

self._context, certificate_authority._x509)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

886

_openssl_assert(add_result == 1)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

887

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

888

def set_timeout(self, timeout):

"""

Set session timeout

:param timeout: The timeout in seconds

893

:return: The previous session timeout

894

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

895

if not isinstance(timeout, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

896

raise TypeError("timeout must be an integer")

897

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

898

return _lib.SSL_CTX_set_timeout(self._context, timeout)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

899

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

900

def get_timeout(self):

901

"""

902

Get the session timeout

903

904

:return: The session timeout

905

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

906

return _lib.SSL_CTX_get_timeout(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

907

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

908

def set_info_callback(self, callback):

909

"""

910

Set the info callback

911

912

:param callback: The Python callback to use

913

:return: None

914

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

915

@wraps(callback)

916

def wrapper(ssl, where, return_code):

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

917

callback(Connection._reverse_mapping[ssl], where, return_code)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

918

self._info_callback = _ffi.callback(

919

"void (*)(const SSL *, int, int)", wrapper)

920

_lib.SSL_CTX_set_info_callback(self._context, self._info_callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

921

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

922

def get_app_data(self):

923

"""

924

Get the application data (supplied via set_app_data())

925

926

:return: The application data

927

"""

928

return self._app_data

929

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

930

def set_app_data(self, data):

931

"""

932

Set the application data (will be returned from get_app_data())

933

934

:param data: Any Python object

935

:return: None

936

"""

937

self._app_data = data

938

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

939

def get_cert_store(self):

940

"""

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

941

Get the certificate store for the context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

942

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

943

:return: A X509Store object or None if it does not have one.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

944

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

945

store = _lib.SSL_CTX_get_cert_store(self._context)

946

if store == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

947

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

948

return None

949

950

pystore = X509Store.__new__(X509Store)

951

pystore._store = store

952

return pystore

953

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

954

def set_options(self, options):

955

"""

956

Add options. Options set before are not cleared!

957

958

:param options: The options to add.

959

:return: The new option bitmask.

960

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

961

if not isinstance(options, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

962

raise TypeError("options must be an integer")

963

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

964

return _lib.SSL_CTX_set_options(self._context, options)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

965

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

966

def set_mode(self, mode):

967

"""

968

Add modes via bitmask. Modes set before are not cleared!

969

970

:param mode: The mode to add.

971

:return: The new mode bitmask.

972

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

973

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

974

raise TypeError("mode must be an integer")

975

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

976

return _lib.SSL_CTX_set_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

977

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

978

@_requires_sni

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

979

def set_tlsext_servername_callback(self, callback):

980

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

981

Specify a callback function to be called when clients specify a server

982

name.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

983

984

:param callback: The callback function. It will be invoked with one

985

argument, the Connection instance.

986

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

987

@wraps(callback)

988

def wrapper(ssl, alert, arg):

989

callback(Connection._reverse_mapping[ssl])

990

return 0

991

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

992

self._tlsext_servername_callback = _ffi.callback(

993

"int (*)(const SSL *, int *, void *)", wrapper)

994

_lib.SSL_CTX_set_tlsext_servername_callback(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

995

self._context, self._tlsext_servername_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

996

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

997

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

998

def set_npn_advertise_callback(self, callback):

999

"""

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1000

Specify a callback function that will be called when offering `Next

1001

Protocol Negotiation

1002

<https://technotes.googlecode.com/git/nextprotoneg.html>`_ as a server.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1003

1004

:param callback: The callback function. It will be invoked with one

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1005

argument, the Connection instance. It should return a list of

1006

bytestrings representing the advertised protocols, like

1007

``[b'http/1.1', b'spdy/2']``.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1008

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1009

self._npn_advertise_helper = _NpnAdvertiseHelper(callback)

1010

self._npn_advertise_callback = self._npn_advertise_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1011

_lib.SSL_CTX_set_next_protos_advertised_cb(

1012

self._context, self._npn_advertise_callback, _ffi.NULL)

1013

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1014

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1015

def set_npn_select_callback(self, callback):

1016

"""

1017

Specify a callback function that will be called when a server offers

1018

Next Protocol Negotiation options.

1019

1020

:param callback: The callback function. It will be invoked with two

1021

arguments: the Connection, and a list of offered protocols as

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1022

bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return

1023

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1024

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1025

self._npn_select_helper = _NpnSelectHelper(callback)

1026

self._npn_select_callback = self._npn_select_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1027

_lib.SSL_CTX_set_next_proto_select_cb(

1028

self._context, self._npn_select_callback, _ffi.NULL)

1029

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1030

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1031

def set_alpn_protos(self, protos):

1032

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1033

Specify the clients ALPN protocol list.

1034

1035

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1036

1037

:param protos: A list of the protocols to be offered to the server.

1038

This list should be a Python list of bytestrings representing the

1039

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1040

"""

1041

# Take the list of protocols and join them together, prefixing them

1042

# with their lengths.

1043

protostr = b''.join(

1044

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1045

)

1046

1047

# Build a C string from the list. We don't need to save this off

1048

# because OpenSSL immediately copies the data out.

1049

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

e871af5

2015-04-11 17:57:50 -0400

[diff] [blame]

1050

input_str_len = _ffi.cast("unsigned", len(protostr))

1051

_lib.SSL_CTX_set_alpn_protos(self._context, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1052

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1053

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1054

def set_alpn_select_callback(self, callback):

1055

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1056

Set the callback to handle ALPN protocol choice.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1057

1058

:param callback: The callback function. It will be invoked with two

1059

arguments: the Connection, and a list of offered protocols as

1060

bytestrings, e.g ``[b'http/1.1', b'spdy/2']``. It should return

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1061

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1062

"""

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

1063

self._alpn_select_helper = _ALPNSelectHelper(callback)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1064

self._alpn_select_callback = self._alpn_select_helper.callback

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1065

_lib.SSL_CTX_set_alpn_select_cb(

1066

self._context, self._alpn_select_callback, _ffi.NULL)

1067

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1068

ContextType = Context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1069

1070

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1071

class Connection(object):

1072

"""

1073

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1074

_reverse_mapping = WeakValueDictionary()

1075

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1076

def __init__(self, context, socket=None):

1077

"""

1078

Create a new Connection object, using the given OpenSSL.SSL.Context

1079

instance and socket.

1080

1081

:param context: An SSL Context to use for this connection

1082

:param socket: The socket to use for transport layer

1083

"""

1084

if not isinstance(context, Context):

1085

raise TypeError("context must be a Context instance")

1086

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1087

ssl = _lib.SSL_new(context._context)

1088

self._ssl = _ffi.gc(ssl, _lib.SSL_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1089

self._context = context

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

1090

self._app_data = None

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1091

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1092

# References to strings used for Next Protocol Negotiation. OpenSSL's

1093

# header files suggest that these might get copied at some point, but

1094

# doesn't specify when, so we store them here to make sure they don't

1095

# get freed before OpenSSL uses them.

1096

self._npn_advertise_callback_args = None

1097

self._npn_select_callback_args = None

1098

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1099

# References to strings used for Application Layer Protocol

1100

# Negotiation. These strings get copied at some point but it's well

1101

# after the callback returns, so we have to hang them somewhere to

1102

# avoid them getting freed.

1103

self._alpn_select_callback_args = None

1104

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1105

self._reverse_mapping[self._ssl] = self

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1106

1107

if socket is None:

1108

self._socket = None

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1109

# Don't set up any gc for these, SSL_free will take care of them.

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1110

self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1111

_openssl_assert(self._into_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1112

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1113

self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())

1114

_openssl_assert(self._from_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1115

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1116

_lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1117

else:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1118

self._into_ssl = None

1119

self._from_ssl = None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1120

self._socket = socket

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1121

set_result = _lib.SSL_set_fd(

1122

self._ssl, _asFileDescriptor(self._socket))

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

1123

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1124

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1125

def __getattr__(self, name):

1126

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1127

Look up attributes on the wrapped socket object if they are not found

1128

on the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1129

"""

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1130

if self._socket is None:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1131

raise AttributeError("'%s' object has no attribute '%s'" % (

1132

self.__class__.__name__, name

1133

))

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1134

else:

1135

return getattr(self._socket, name)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1136

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1137

def _raise_ssl_error(self, ssl, result):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1138

if self._context._verify_helper is not None:

1139

self._context._verify_helper.raise_if_problem()

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1140

if self._context._npn_advertise_helper is not None:

1141

self._context._npn_advertise_helper.raise_if_problem()

1142

if self._context._npn_select_helper is not None:

1143

self._context._npn_select_helper.raise_if_problem()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1144

if self._context._alpn_select_helper is not None:

1145

self._context._alpn_select_helper.raise_if_problem()

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1146

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1147

error = _lib.SSL_get_error(ssl, result)

1148

if error == _lib.SSL_ERROR_WANT_READ:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1149

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1150

elif error == _lib.SSL_ERROR_WANT_WRITE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1151

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1152

elif error == _lib.SSL_ERROR_ZERO_RETURN:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1153

raise ZeroReturnError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1154

elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1155

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1156

raise WantX509LookupError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1157

elif error == _lib.SSL_ERROR_SYSCALL:

1158

if _lib.ERR_peek_error() == 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1159

if result < 0:

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

1160

if platform == "win32":

1161

errno = _ffi.getwinerror()[0]

1162

else:

1163

errno = _ffi.errno

Alex Gaynor

5af32d0

2016-09-24 01:52:21 -0400

[diff] [blame^]

1164

1165

if errno != 0:

1166

raise SysCallError(errno, errorcode.get(errno))

1167

raise SysCallError(-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1168

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1169

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1170

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1171

elif error == _lib.SSL_ERROR_NONE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1172

pass

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1173

else:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1174

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1175

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1176

def get_context(self):

1177

"""

1178

Get session context

1179

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1180

return self._context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1181

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1182

def set_context(self, context):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1183

"""

1184

Switch this connection to a new session context

1185

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1186

:param context: A :py:class:`Context` instance giving the new session

1187

context to use.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1188

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1189

if not isinstance(context, Context):

1190

raise TypeError("context must be a Context instance")

1191

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1192

_lib.SSL_set_SSL_CTX(self._ssl, context._context)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1193

self._context = context

1194

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1195

@_requires_sni

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1196

def get_servername(self):

1197

"""

1198

Retrieve the servername extension value if provided in the client hello

1199

message, or None if there wasn't one.

1200

1201

:return: A byte string giving the server name or :py:data:`None`.

1202

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1203

name = _lib.SSL_get_servername(

1204

self._ssl, _lib.TLSEXT_NAMETYPE_host_name

1205

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1206

if name == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1207

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1208

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1209

return _ffi.string(name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1210

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1211

@_requires_sni

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1212

def set_tlsext_host_name(self, name):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1213

"""

1214

Set the value of the servername extension to send in the client hello.

1215

1216

:param name: A byte string giving the name.

1217

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1218

if not isinstance(name, bytes):

1219

raise TypeError("name must be a byte string")

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1220

elif b"\0" in name:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1221

raise TypeError("name must not contain NUL byte")

1222

1223

# XXX I guess this can fail sometimes?

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1224

_lib.SSL_set_tlsext_host_name(self._ssl, name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1225

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1226

def pending(self):

1227

"""

1228

Get the number of bytes that can be safely read from the connection

1229

1230

:return: The number of bytes available in the receive buffer.

1231

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1232

return _lib.SSL_pending(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1233

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1234

def send(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1235

"""

1236

Send data on the connection. NOTE: If you get one of the WantRead,

1237

WantWrite or WantX509Lookup exceptions on this, you have to call the

1238

method again with the SAME buffer.

1239

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1240

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1241

:param flags: (optional) Included for compatibility with the socket

1242

API, the value is ignored

1243

:return: The number of bytes written

1244

"""

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1245

# Backward compatibility

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1246

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1247

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1248

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1249

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1250

if isinstance(buf, _buffer):

1251

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1252

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1253

raise TypeError("data must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1254

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1255

result = _lib.SSL_write(self._ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1256

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return result

write = send

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1260

def sendall(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1261

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1262

Send "all" data on the connection. This calls send() repeatedly until

1263

all data is sent. If an error occurs, it's impossible to tell how much

1264

data has been sent.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1265

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1266

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1267

:param flags: (optional) Included for compatibility with the socket

1268

API, the value is ignored

1269

:return: The number of bytes written

1270

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1271

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1272

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1273

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1274

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1275

if isinstance(buf, _buffer):

1276

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1277

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1278

raise TypeError("buf must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1279

1280

left_to_send = len(buf)

1281

total_sent = 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1282

data = _ffi.new("char[]", buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1283

1284

while left_to_send:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1285

result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1286

self._raise_ssl_error(self._ssl, result)

1287

total_sent += result

1288

left_to_send -= result

1289

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1290

def recv(self, bufsiz, flags=None):

1291

"""

Alex Gaynor

67fc8c9

2016-05-27 08:27:19 -0400

[diff] [blame]

1292

Receive data on the connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1293

1294

:param bufsiz: The maximum number of bytes to read

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1295

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1296

all other flags are ignored.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1297

:return: The string read from the Connection

1298

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1299

buf = _ffi.new("char[]", bufsiz)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1300

if flags is not None and flags & socket.MSG_PEEK:

1301

result = _lib.SSL_peek(self._ssl, buf, bufsiz)

1302

else:

1303

result = _lib.SSL_read(self._ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1304

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1305

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1306

read = recv

1307

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1308

def recv_into(self, buffer, nbytes=None, flags=None):

1309

"""

1310

Receive data on the connection and store the data into a buffer rather

1311

than creating a new string.

1312

1313

:param buffer: The buffer to copy into.

1314

:param nbytes: (optional) The maximum number of bytes to read into the

1315

buffer. If not present, defaults to the size of the buffer. If

1316

larger than the size of the buffer, is reduced to the size of the

1317

buffer.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1318

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1319

all other flags are ignored.

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1320

:return: The number of bytes read into the buffer.

"""

if nbytes is None:

nbytes = len(buffer)

else:

nbytes = min(nbytes, len(buffer))

1326

1327

# We need to create a temporary buffer. This is annoying, it would be

1328

# better if we could pass memoryviews straight into the SSL_read call,

1329

# but right now we can't. Revisit this if CFFI gets that ability.

1330

buf = _ffi.new("char[]", nbytes)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1331

if flags is not None and flags & socket.MSG_PEEK:

1332

result = _lib.SSL_peek(self._ssl, buf, nbytes)

1333

else:

1334

result = _lib.SSL_read(self._ssl, buf, nbytes)

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1335

self._raise_ssl_error(self._ssl, result)

1336

1337

# This strange line is all to avoid a memory copy. The buffer protocol

1338

# should allow us to assign a CFFI buffer to the LHS of this line, but

1339

# on CPython 3.3+ that segfaults. As a workaround, we can temporarily

1340

# wrap it in a memoryview, except on Python 2.6 which doesn't have a

1341

# memoryview type.

1342

try:

1343

buffer[:result] = memoryview(_ffi.buffer(buf, result))

1344

except NameError:

1345

buffer[:result] = _ffi.buffer(buf, result)

return result

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1349

def _handle_bio_errors(self, bio, result):

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1350

if _lib.BIO_should_retry(bio):

1351

if _lib.BIO_should_read(bio):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1352

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1353

elif _lib.BIO_should_write(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1354

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1355

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1356

elif _lib.BIO_should_io_special(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1357

# TODO: This is untested. I think io_special means the socket

1358

# BIO has a not-yet connected socket.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1359

raise ValueError("BIO_should_io_special")

1360

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1361

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1362

raise ValueError("unknown bio failure")

1363

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1364

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1365

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1366

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1367

def bio_read(self, bufsiz):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1368

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1369

When using non-socket connections this function reads the "dirty" data

1370

that would have traveled away on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1371

1372

:param bufsiz: The maximum number of bytes to read

1373

:return: The string read.

1374

"""

Jean-Paul Calderone

97e041d

2013-03-05 21:03:12 -0800

[diff] [blame]

1375

if self._from_ssl is None:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1376

raise TypeError("Connection sock was not None")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1377

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1378

if not isinstance(bufsiz, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1379

raise TypeError("bufsiz must be an integer")

1380

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1381

buf = _ffi.new("char[]", bufsiz)

1382

result = _lib.BIO_read(self._from_ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1383

if result <= 0:

1384

self._handle_bio_errors(self._from_ssl, result)

1385

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1386

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1387

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1388

def bio_write(self, buf):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1389

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1390

When using non-socket connections this function sends "dirty" data that

1391

would have traveled in on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1392

1393

:param buf: The string to put into the memory BIO.

1394

:return: The number of bytes written

1395

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1396

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1397

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1398

if self._into_ssl is None:

1399

raise TypeError("Connection sock was not None")

1400

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1401

result = _lib.BIO_write(self._into_ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1402

if result <= 0:

1403

self._handle_bio_errors(self._into_ssl, result)

1404

return result

1405

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1406

def renegotiate(self):

1407

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1408

Renegotiate the session.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1409

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1410

:return: True if the renegotiation can be started, False otherwise

1411

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1412

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1413

if not self.renegotiate_pending():

1414

_openssl_assert(_lib.SSL_renegotiate(self._ssl) == 1)

1415

return True

1416

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1417

1418

def do_handshake(self):

1419

"""

1420

Perform an SSL handshake (usually called after renegotiate() or one of

1421

set_*_state()). This can raise the same exceptions as send and recv.

1422

1423

:return: None.

1424

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1425

result = _lib.SSL_do_handshake(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1426

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1427

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1428

def renegotiate_pending(self):

1429

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1430

Check if there's a renegotiation in progress, it will return False once

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1431

a renegotiation is finished.

1432

1433

:return: Whether there's a renegotiation in progress

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1434

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1435

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1436

return _lib.SSL_renegotiate_pending(self._ssl) == 1

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1437

1438

def total_renegotiations(self):

1439

"""

1440

Find out the total number of renegotiations.

1441

1442

:return: The number of renegotiations.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1443

:rtype: int

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1444

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1445

return _lib.SSL_total_renegotiations(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1446

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1447

def connect(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1448

"""

1449

Connect to remote host and set up client-side SSL

1450

1451

:param addr: A remote address

1452

:return: What the socket's connect method returns

1453

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1454

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1455

return self._socket.connect(addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1456

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1457

def connect_ex(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1458

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1459

Connect to remote host and set up client-side SSL. Note that if the

1460

socket's connect_ex method doesn't return 0, SSL won't be initialized.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1461

1462

:param addr: A remove address

1463

:return: What the socket's connect_ex method returns

1464

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1465

connect_ex = self._socket.connect_ex

1466

self.set_connect_state()

1467

return connect_ex(addr)

1468

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1469

def accept(self):

1470

"""

1471

Accept incoming connection and set up SSL on it

1472

1473

:return: A (conn,addr) pair where conn is a Connection and addr is an

1474

address

1475

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1476

client, addr = self._socket.accept()

1477

conn = Connection(self._context, client)

1478

conn.set_accept_state()

1479

return (conn, addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1480

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1481

def bio_shutdown(self):

1482

"""

1483

When using non-socket connections this function signals end of

1484

data on the input for this connection.

1485

1486

:return: None

1487

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1488

if self._from_ssl is None:

1489

raise TypeError("Connection sock was not None")

1490

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1491

_lib.BIO_set_mem_eof_return(self._into_ssl, 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1492

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

def shutdown(self):

"""

Send closure alert

:return: True if the shutdown completed successfully (i.e. both sides

1498

have sent closure alerts), false otherwise (i.e. you have to

1499

wait for a ZeroReturnError on a recv() method call

1500

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1501

result = _lib.SSL_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1502

if result < 0:

Paul Aurich

bff1d1a

2015-01-08 08:36:53 -0800

[diff] [blame]

1503

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1504

elif result > 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1505

return True

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

else:

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1509

def get_cipher_list(self):

1510

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1511

Retrieve the list of ciphers used by the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1512

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1513

:return: A list of native cipher strings.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1514

"""

1515

ciphers = []

1516

for i in count():

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1517

result = _lib.SSL_get_cipher_list(self._ssl, i)

1518

if result == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1519

break

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1520

ciphers.append(_native(_ffi.string(result)))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1521

return ciphers

1522

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1523

def get_client_ca_list(self):

1524

"""

1525

Get CAs whose certificates are suggested for client authentication.

1526

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1527

:return: If this is a server connection, a list of X509Names

1528

representing the acceptable CAs as set by

1529

:py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or

1530

:py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client

1531

connection, the list of such X509Names sent by the server, or an

1532

empty list if that has not yet happened.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1533

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1534

ca_names = _lib.SSL_get_client_CA_list(self._ssl)

1535

if ca_names == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1536

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1537

return []

1538

1539

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1540

for i in range(_lib.sk_X509_NAME_num(ca_names)):

1541

name = _lib.sk_X509_NAME_value(ca_names, i)

1542

copy = _lib.X509_NAME_dup(name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1543

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1544

1545

pyname = X509Name.__new__(X509Name)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1546

pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1547

result.append(pyname)

1548

return result

1549

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1550

def makefile(self):

1551

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1552

The makefile() method is not implemented, since there is no dup

1553

semantics for SSL connections

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1554

Jean-Paul Calderone

6749ec2

2014-04-17 16:30:21 -0400

[diff] [blame]

1555

:raise: NotImplementedError

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1556

"""

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

1557

raise NotImplementedError(

1558

"Cannot make file object of OpenSSL.SSL.Connection")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1559

1560

def get_app_data(self):

"""

Get application data

:return: The application data

1565

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1566

return self._app_data

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1567

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1568

def set_app_data(self, data):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set application data

:param data - The application data

1573

:return: None

1574

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1575

self._app_data = data

1576

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1577

def get_shutdown(self):

"""

Get shutdown state

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1581

:return: The shutdown state, a bitvector of SENT_SHUTDOWN,

1582

RECEIVED_SHUTDOWN.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1583

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1584

return _lib.SSL_get_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1585

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1586

def set_shutdown(self, state):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set shutdown state

:param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.

1591

:return: None

1592

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

1593

if not isinstance(state, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1594

raise TypeError("state must be an integer")

1595

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1596

_lib.SSL_set_shutdown(self._ssl, state)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1597

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1598

def get_state_string(self):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1599

"""

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1600

Retrieve a verbose string detailing the state of the Connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1601

1602

:return: A string representing the state

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1603

:rtype: bytes

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1604

"""

kjav

c704a2e

2015-09-07 12:12:27 +0100

[diff] [blame]

1605

return _ffi.string(_lib.SSL_state_string_long(self._ssl))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1606

1607

def server_random(self):

1608

"""

1609

Get a copy of the server hello nonce.

1610

1611

:return: A string representing the state

1612

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1613

session = _lib.SSL_get_session(self._ssl)

1614

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1615

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1616

length = _lib.SSL_get_server_random(self._ssl, _ffi.NULL, 0)

1617

assert length > 0

Paul Kehrer

9f9113a

2016-09-20 20:10:25 -0500

[diff] [blame]

1618

outp = _ffi.new("unsigned char[]", length)

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1619

_lib.SSL_get_server_random(self._ssl, outp, length)

1620

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1621

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1622

def client_random(self):

1623

"""

1624

Get a copy of the client hello nonce.

1625

1626

:return: A string representing the state

1627

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1628

session = _lib.SSL_get_session(self._ssl)

1629

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1630

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1631

1632

length = _lib.SSL_get_client_random(self._ssl, _ffi.NULL, 0)

1633

assert length > 0

Paul Kehrer

9f9113a

2016-09-20 20:10:25 -0500

[diff] [blame]

1634

outp = _ffi.new("unsigned char[]", length)

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1635

_lib.SSL_get_client_random(self._ssl, outp, length)

1636

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1637

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1638

def master_key(self):

1639

"""

1640

Get a copy of the master key.

1641

1642

:return: A string representing the state

1643

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1644

session = _lib.SSL_get_session(self._ssl)

1645

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1646

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1647

1648

length = _lib.SSL_SESSION_get_master_key(session, _ffi.NULL, 0)

1649

assert length > 0

Paul Kehrer

9f9113a

2016-09-20 20:10:25 -0500

[diff] [blame]

1650

outp = _ffi.new("unsigned char[]", length)

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1651

_lib.SSL_SESSION_get_master_key(session, outp, length)

1652

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1653

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1654

def sock_shutdown(self, *args, **kwargs):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

See shutdown(2)

:return: What the socket's shutdown() method returns

1659

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1660

return self._socket.shutdown(*args, **kwargs)

1661

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1662

def get_peer_certificate(self):

1663

"""

1664

Retrieve the other side's certificate (if any)

1665

1666

:return: The peer's certificate

1667

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1668

cert = _lib.SSL_get_peer_certificate(self._ssl)

1669

if cert != _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1670

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1671

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return pycert

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1675

def get_peer_cert_chain(self):

1676

"""

1677

Retrieve the other side's certificate (if any)

1678

1679

:return: A list of X509 instances giving the peer's certificate chain,

1680

or None if it does not have one.

1681

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1682

cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)

1683

if cert_stack == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1684

return None

1685

1686

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1687

for i in range(_lib.sk_X509_num(cert_stack)):

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1688

# TODO could incref instead of dup here

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1689

cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1690

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1691

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1692

result.append(pycert)

1693

return result

1694

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1695

def want_read(self):

1696

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1697

Checks if more data has to be read from the transport layer to complete

1698

an operation.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1699

1700

:return: True iff more data has to be read

1701

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1702

return _lib.SSL_want_read(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1703

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1704

def want_write(self):

1705

"""

1706

Checks if there is data to write to the transport layer to complete an

1707

operation.

1708

1709

:return: True iff there is data to write

1710

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1711

return _lib.SSL_want_write(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1712

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1713

def set_accept_state(self):

1714

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1715

Set the connection to work in server mode. The handshake will be

1716

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1717

1718

:return: None

1719

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1720

_lib.SSL_set_accept_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1721

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1722

def set_connect_state(self):

1723

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1724

Set the connection to work in client mode. The handshake will be

1725

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1726

1727

:return: None

1728

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1729

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1730

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1731

def get_session(self):

1732

"""

1733

Returns the Session currently used.

1734

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1735

@return: An instance of :py:class:`OpenSSL.SSL.Session` or

1736

:py:obj:`None` if no session exists.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1737

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1738

session = _lib.SSL_get1_session(self._ssl)

1739

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1740

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1741

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1742

pysession = Session.__new__(Session)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1743

pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1744

return pysession

1745

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1746

def set_session(self, session):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1747

"""

1748

Set the session to be used when the TLS/SSL connection is established.

1749

1750

:param session: A Session instance representing the session to use.

1751

:returns: None

1752

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1753

if not isinstance(session, Session):

1754

raise TypeError("session must be a Session instance")

1755

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1756

result = _lib.SSL_set_session(self._ssl, session._session)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1757

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1758

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1759

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1760

def _get_finished_message(self, function):

1761

"""

1762

Helper to implement :py:meth:`get_finished` and

1763

:py:meth:`get_peer_finished`.

1764

1765

:param function: Either :py:data:`SSL_get_finished`: or

1766

:py:data:`SSL_get_peer_finished`.

1767

1768

:return: :py:data:`None` if the desired message has not yet been

1769

received, otherwise the contents of the message.

1770

:rtype: :py:class:`bytes` or :py:class:`NoneType`

1771

"""

Jean-Paul Calderone

01af904

2014-03-30 11:40:42 -0400

[diff] [blame]

1772

# The OpenSSL documentation says nothing about what might happen if the

1773

# count argument given is zero. Specifically, it doesn't say whether

1774

# the output buffer may be NULL in that case or not. Inspection of the

1775

# implementation reveals that it calls memcpy() unconditionally.

1776

# Section 7.1.4, paragraph 1 of the C standard suggests that

1777

# memcpy(NULL, source, 0) is not guaranteed to produce defined (let

1778

# alone desirable) behavior (though it probably does on just about

1779

# every implementation...)

1780

#

1781

# Allocate a tiny buffer to pass in (instead of just passing NULL as

1782

# one might expect) for the initial call so as to be safe against this

1783

# potentially undefined behavior.

1784

empty = _ffi.new("char[]", 0)

1785

size = function(self._ssl, empty, 0)

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1786

if size == 0:

1787

# No Finished message so far.

1788

return None

1789

1790

buf = _ffi.new("char[]", size)

1791

function(self._ssl, buf, size)

1792

return _ffi.buffer(buf, size)[:]

1793

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1794

def get_finished(self):

1795

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1796

Obtain the latest `handshake finished` message sent to the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1797

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1798

:return: The contents of the message or :py:obj:`None` if the TLS

1799

handshake has not yet completed.

1800

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1801

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1802

return self._get_finished_message(_lib.SSL_get_finished)

1803

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1804

def get_peer_finished(self):

1805

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1806

Obtain the latest `handshake finished` message received from the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1807

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1808

:return: The contents of the message or :py:obj:`None` if the TLS

1809

handshake has not yet completed.

1810

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1811

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1812

return self._get_finished_message(_lib.SSL_get_peer_finished)

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1813

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1814

def get_cipher_name(self):

1815

"""

1816

Obtain the name of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1817

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1818

:returns: The name of the currently used cipher or :py:obj:`None`

1819

if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1820

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1821

"""

1822

cipher = _lib.SSL_get_current_cipher(self._ssl)

1823

if cipher == _ffi.NULL:

1824

return None

1825

else:

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1826

name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))

1827

return name.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1828

1829

def get_cipher_bits(self):

1830

"""

1831

Obtain the number of secret bits of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1832

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1833

:returns: The number of secret bits of the currently used cipher

1834

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1835

:rtype: :py:class:`int` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1836

"""

1837

cipher = _lib.SSL_get_current_cipher(self._ssl)

1838

if cipher == _ffi.NULL:

1839

return None

1840

else:

1841

return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)

1842

1843

def get_cipher_version(self):

1844

"""

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1845

Obtain the protocol version of the currently used cipher.

1846

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1847

:returns: The protocol name of the currently used cipher

1848

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1849

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1850

"""

1851

cipher = _lib.SSL_get_current_cipher(self._ssl)

1852

if cipher == _ffi.NULL:

1853

return None

1854

else:

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

1855

version = _ffi.string(_lib.SSL_CIPHER_get_version(cipher))

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1856

return version.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1857

Jim Shaver

abff188

2015-05-27 09:15:55 -0400

[diff] [blame]

1858

def get_protocol_version_name(self):

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1859

"""

1860

Obtain the protocol version of the current connection.

1861

1862

:returns: The TLS version of the current connection, for example

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1863

the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown``

Jim Shaver

b5b6b0e

2015-05-28 16:47:36 -0400

[diff] [blame]

1864

for connections that were not successfully established.

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1865

:rtype: :py:class:`unicode`

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1866

"""

Jim Shaver

d1c896e

2015-05-27 17:50:21 -0400

[diff] [blame]

1867

version = _ffi.string(_lib.SSL_get_version(self._ssl))

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1868

return version.decode("utf-8")

Jim Shaver

b296792

2015-04-26 23:58:52 -0400

[diff] [blame]

1869

Jim Shaver

208438c

2015-05-28 09:52:38 -0400

[diff] [blame]

1870

def get_protocol_version(self):

1871

"""

1872

Obtain the protocol version of the current connection.

1873

1874

:returns: The TLS version of the current connection, for example

1875

the value for TLS 1 would be 0x769.

1876

:rtype: :py:class:`int`

1877

"""

1878

version = _lib.SSL_version(self._ssl)

1879

return version

1880

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1881

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1882

def get_next_proto_negotiated(self):

1883

"""

1884

Get the protocol that was negotiated by NPN.

1885

"""

1886

data = _ffi.new("unsigned char **")

1887

data_len = _ffi.new("unsigned int *")

1888

1889

_lib.SSL_get0_next_proto_negotiated(self._ssl, data, data_len)

1890

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

1891

return _ffi.buffer(data[0], data_len[0])[:]

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1892

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1893

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1894

def set_alpn_protos(self, protos):

1895

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1896

Specify the client's ALPN protocol list.

1897

1898

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1899

1900

:param protos: A list of the protocols to be offered to the server.

1901

This list should be a Python list of bytestrings representing the

1902

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1903

"""

1904

# Take the list of protocols and join them together, prefixing them

1905

# with their lengths.

1906

protostr = b''.join(

1907

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1908

)

1909

1910

# Build a C string from the list. We don't need to save this off

1911

# because OpenSSL immediately copies the data out.

1912

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

9c1979a

2015-04-12 08:51:52 -0400

[diff] [blame]

1913

input_str_len = _ffi.cast("unsigned", len(protostr))

1914

_lib.SSL_set_alpn_protos(self._ssl, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1915

Maximilian Hils

66ded6a

2015-08-26 06:02:03 +0200

[diff] [blame]

1916

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1917

def get_alpn_proto_negotiated(self):

Cory Benfield

222f30e

2015-04-13 18:10:21 -0400

[diff] [blame]

1918

"""

1919

Get the protocol that was negotiated by ALPN.

1920

"""

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1921

data = _ffi.new("unsigned char **")

1922

data_len = _ffi.new("unsigned int *")

1923

1924

_lib.SSL_get0_alpn_selected(self._ssl, data, data_len)

1925

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

if not data_len:

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1929

return _ffi.buffer(data[0], data_len[0])[:]

1930

1931

Jean-Paul Calderone