Blame - src/OpenSSL/SSL.py - platform/external/python/pyopenssl

2015-08-17 19:27:20 +0200

[diff] [blame]

1

import socket

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2

from sys import platform

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

3

from functools import wraps, partial

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

4

from itertools import count, chain

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

5

from weakref import WeakValueDictionary

6

from errno import errorcode

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

7

Cory Benfield

63759dc

2015-04-12 08:57:03 -0400

[diff] [blame]

8

from six import binary_type as _binary_type

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

9

from six import integer_types as integer_types

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

10

from six import int2byte, indexbytes

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

11

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

12

from OpenSSL._util import (

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

13

UNSPECIFIED as _UNSPECIFIED,

14

exception_from_error_queue as _exception_from_error_queue,

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

15

ffi as _ffi,

16

lib as _lib,

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

17

make_assert as _make_assert,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

18

native as _native,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

19

path_string as _path_string,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

20

text_to_bytes_and_warn as _text_to_bytes_and_warn,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

21

)

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

22

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

23

from OpenSSL.crypto import (

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

24

FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

25

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

26

try:

27

_memoryview = memoryview

28

except NameError:

29

class _memoryview(object):

30

pass

31

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

try:

_buffer = buffer

except NameError:

class _buffer(object):

36

pass

37

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

38

OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER

39

SSLEAY_VERSION = _lib.SSLEAY_VERSION

40

SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS

41

SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM

42

SSLEAY_DIR = _lib.SSLEAY_DIR

43

SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

44

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

45

SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN

46

RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

SSLv2_METHOD = 1

SSLv3_METHOD = 2

SSLv23_METHOD = 3

TLSv1_METHOD = 4

Jean-Paul Calderone

56bff94

2013-11-03 11:30:43 -0500

[diff] [blame]

52

TLSv1_1_METHOD = 5

53

TLSv1_2_METHOD = 6

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

54

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

55

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2

56

OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3

57

OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

58

59

OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)

60

OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

61

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

62

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

63

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

64

OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE

Akihiro Yamazaki

e64d80c

2015-09-06 00:16:57 +0900

[diff] [blame]

65

OP_SINGLE_ECDH_USE = _lib.SSL_OP_SINGLE_ECDH_USE

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

66

OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA

67

OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG

68

OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

69

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = (

70

_lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

71

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

72

OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

73

OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

Alex Gaynor

5bb2bd1

2016-07-03 10:48:32 -0400

[diff] [blame^]

74

OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

75

OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG

76

OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG

77

OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG

78

OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

79

OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE

80

OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG

81

OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1

82

OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2

83

OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

84

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = (

85

_lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

86

)

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

87

OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

88

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

89

OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU

90

OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE

Alex Gaynor

5bb2bd1

2016-07-03 10:48:32 -0400

[diff] [blame^]

91

OP_NO_TICKET = _lib.SSL_OP_NO_TICKET

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

92

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

93

OP_ALL = _lib.SSL_OP_ALL

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

94

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

95

VERIFY_PEER = _lib.SSL_VERIFY_PEER

96

VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

97

VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE

98

VERIFY_NONE = _lib.SSL_VERIFY_NONE

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

99

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

100

SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF

101

SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT

102

SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER

103

SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH

104

SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR

105

SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

106

SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE

107

SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

d39a3f6

2013-03-04 12:23:51 -0800

[diff] [blame]

108

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

109

SSL_ST_CONNECT = _lib.SSL_ST_CONNECT

110

SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT

111

SSL_ST_MASK = _lib.SSL_ST_MASK

112

SSL_ST_INIT = _lib.SSL_ST_INIT

113

SSL_ST_BEFORE = _lib.SSL_ST_BEFORE

114

SSL_ST_OK = _lib.SSL_ST_OK

115

SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

116

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

117

SSL_CB_LOOP = _lib.SSL_CB_LOOP

118

SSL_CB_EXIT = _lib.SSL_CB_EXIT

119

SSL_CB_READ = _lib.SSL_CB_READ

120

SSL_CB_WRITE = _lib.SSL_CB_WRITE

121

SSL_CB_ALERT = _lib.SSL_CB_ALERT

122

SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT

123

SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT

124

SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP

125

SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT

126

SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP

127

SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT

128

SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START

129

SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

130

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

131

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

132

class Error(Exception):

Jean-Paul Calderone

511cde0

2013-12-29 10:31:13 -0500

[diff] [blame]

133

"""

134

An error occurred in an `OpenSSL.SSL` API.

135

"""

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

136

137

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

138

_raise_current_error = partial(_exception_from_error_queue, Error)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

139

_openssl_assert = _make_assert(Error)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

140

141

142

class WantReadError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

146

class WantWriteError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

150

class WantX509LookupError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

154

class ZeroReturnError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

158

class SysCallError(Error):

pass

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

162

class _CallbackExceptionHelper(object):

163

"""

164

A base class for wrapper classes that allow for intelligent exception

165

handling in OpenSSL callbacks.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

166

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

167

:ivar list _problems: Any exceptions that occurred while executing in a

168

context where they could not be raised in the normal way. Typically

169

this is because OpenSSL has called into some Python code and requires a

170

return value. The exceptions are saved to be raised later when it is

171

possible to do so.

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

172

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

173

Jean-Paul Calderone

09540d7

2015-03-22 19:37:20 -0400

[diff] [blame]

174

def __init__(self):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

175

self._problems = []

176

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

177

def raise_if_problem(self):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

178

"""

179

Raise an exception from the OpenSSL error queue or that was previously

180

captured whe running a callback.

181

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

182

if self._problems:

183

try:

184

_raise_current_error()

185

except Error:

186

pass

187

raise self._problems.pop(0)

188

189

190

class _VerifyHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

191

"""

192

Wrap a callback such that it can be used as a certificate verification

193

callback.

194

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

195

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

196

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

197

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

198

199

@wraps(callback)

200

def wrapper(ok, store_ctx):

201

cert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

202

cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)

203

error_number = _lib.X509_STORE_CTX_get_error(store_ctx)

204

error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

205

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

206

index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()

207

ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)

208

connection = Connection._reverse_mapping[ssl]

209

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

210

try:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

211

result = callback(

212

connection, cert, error_number, error_depth, ok

213

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

214

except Exception as e:

215

self._problems.append(e)

216

return 0

217

else:

218

if result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

219

_lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

return 1

else:

return 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

224

self.callback = _ffi.callback(

225

"int (*)(int, X509_STORE_CTX *)", wrapper)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

226

227

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

228

class _NpnAdvertiseHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

229

"""

230

Wrap a callback such that it can be used as an NPN advertisement callback.

231

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

232

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

233

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

234

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

235

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

236

@wraps(callback)

237

def wrapper(ssl, out, outlen, arg):

238

try:

239

conn = Connection._reverse_mapping[ssl]

240

protos = callback(conn)

241

242

# Join the protocols into a Python bytestring, length-prefixing

243

# each element.

244

protostr = b''.join(

245

chain.from_iterable((int2byte(len(p)), p) for p in protos)

246

)

247

248

# Save our callback arguments on the connection object. This is

249

# done to make sure that they don't get freed before OpenSSL

250

# uses them. Then, return them appropriately in the output

251

# parameters.

252

conn._npn_advertise_callback_args = [

253

_ffi.new("unsigned int *", len(protostr)),

254

_ffi.new("unsigned char[]", protostr),

255

]

256

outlen[0] = conn._npn_advertise_callback_args[0][0]

257

out[0] = conn._npn_advertise_callback_args[1]

258

return 0

259

except Exception as e:

260

self._problems.append(e)

261

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

262

263

self.callback = _ffi.callback(

264

"int (*)(SSL *, const unsigned char **, unsigned int *, void *)",

wrapper

)

class _NpnSelectHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

270

"""

271

Wrap a callback such that it can be used as an NPN selection callback.

272

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

273

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

274

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

275

_CallbackExceptionHelper.__init__(self)

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

276

277

@wraps(callback)

278

def wrapper(ssl, out, outlen, in_, inlen, arg):

279

try:

280

conn = Connection._reverse_mapping[ssl]

281

282

# The string passed to us is actually made up of multiple

283

# length-prefixed bytestrings. We need to split that into a

284

# list.

285

instr = _ffi.buffer(in_, inlen)[:]

286

protolist = []

287

while instr:

288

l = indexbytes(instr, 0)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

289

proto = instr[1:l + 1]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

290

protolist.append(proto)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

291

instr = instr[l + 1:]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

292

293

# Call the callback

294

outstr = callback(conn, protolist)

295

296

# Save our callback arguments on the connection object. This is

297

# done to make sure that they don't get freed before OpenSSL

298

# uses them. Then, return them appropriately in the output

299

# parameters.

300

conn._npn_select_callback_args = [

301

_ffi.new("unsigned char *", len(outstr)),

302

_ffi.new("unsigned char[]", outstr),

303

]

304

outlen[0] = conn._npn_select_callback_args[0][0]

305

out[0] = conn._npn_select_callback_args[1]

306

return 0

307

except Exception as e:

308

self._problems.append(e)

309

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

310

311

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

312

("int (*)(SSL *, unsigned char **, unsigned char *, "

313

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

314

wrapper

315

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

316

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

317

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

318

class _ALPNSelectHelper(_CallbackExceptionHelper):

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

319

"""

320

Wrap a callback such that it can be used as an ALPN selection callback.

321

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

322

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

323

def __init__(self, callback):

324

_CallbackExceptionHelper.__init__(self)

325

326

@wraps(callback)

327

def wrapper(ssl, out, outlen, in_, inlen, arg):

328

try:

329

conn = Connection._reverse_mapping[ssl]

330

331

# The string passed to us is made up of multiple

332

# length-prefixed bytestrings. We need to split that into a

333

# list.

334

instr = _ffi.buffer(in_, inlen)[:]

335

protolist = []

336

while instr:

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

337

encoded_len = indexbytes(instr, 0)

338

proto = instr[1:encoded_len + 1]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

339

protolist.append(proto)

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

340

instr = instr[encoded_len + 1:]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

341

342

# Call the callback

343

outstr = callback(conn, protolist)

344

345

if not isinstance(outstr, _binary_type):

346

raise TypeError("ALPN callback must return a bytestring.")

347

348

# Save our callback arguments on the connection object to make

349

# sure that they don't get freed before OpenSSL can use them.

350

# Then, return them in the appropriate output parameters.

351

conn._alpn_select_callback_args = [

352

_ffi.new("unsigned char *", len(outstr)),

353

_ffi.new("unsigned char[]", outstr),

354

]

355

outlen[0] = conn._alpn_select_callback_args[0][0]

356

out[0] = conn._alpn_select_callback_args[1]

357

return 0

358

except Exception as e:

359

self._problems.append(e)

360

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

361

362

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

363

("int (*)(SSL *, unsigned char **, unsigned char *, "

364

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

wrapper

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

369

def _asFileDescriptor(obj):

370

fd = None

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

371

if not isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

372

meth = getattr(obj, "fileno", None)

373

if meth is not None:

374

obj = meth()

375

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

376

if isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

377

fd = obj

378

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

379

if not isinstance(fd, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

380

raise TypeError("argument must be an int, or have a fileno() method.")

381

elif fd < 0:

382

raise ValueError(

383

"file descriptor cannot be a negative integer (%i)" % (fd,))

return fd

Jean-Paul Calderone

2013-03-04 12:23:51 -0800

[diff] [blame]

388

def SSLeay_version(type):

389

"""

390

Return a string describing the version of OpenSSL in use.

391

392

:param type: One of the SSLEAY_ constants defined in this module.

393

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

394

return _ffi.string(_lib.SSLeay_version(type))

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

395

396

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

397

def _make_requires(flag, error):

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

398

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

399

Builds a decorator that ensures that functions that rely on OpenSSL

400

functions that are not present in this build raise NotImplementedError,

401

rather than AttributeError coming out of cryptography.

402

403

:param flag: A cryptography flag that guards the functions, e.g.

404

``Cryptography_HAS_NEXTPROTONEG``.

405

:param error: The string to be used in the exception if the flag is false.

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

406

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

407

def _requires_decorator(func):

408

if not flag:

409

@wraps(func)

410

def explode(*args, **kwargs):

411

raise NotImplementedError(error)

412

return explode

413

else:

414

return func

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

415

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

416

return _requires_decorator

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

417

418

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

419

_requires_npn = _make_requires(

420

_lib.Cryptography_HAS_NEXTPROTONEG, "NPN not available"

421

)

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

422

423

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

424

_requires_alpn = _make_requires(

425

_lib.Cryptography_HAS_ALPN, "ALPN not available"

426

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

427

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

428

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

429

_requires_sni = _make_requires(

430

_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"

431

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

432

433

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

434

class Session(object):

pass

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

438

class Context(object):

439

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

440

:class:`OpenSSL.SSL.Context` instances define the parameters for setting

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

441

up new SSL connections.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

442

"""

443

_methods = {

Andrew Dunham

ec84a0a

2014-02-24 12:41:37 -0800

[diff] [blame]

444

SSLv2_METHOD: "SSLv2_method",

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

445

SSLv3_METHOD: "SSLv3_method",

446

SSLv23_METHOD: "SSLv23_method",

447

TLSv1_METHOD: "TLSv1_method",

448

TLSv1_1_METHOD: "TLSv1_1_method",

449

TLSv1_2_METHOD: "TLSv1_2_method",

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

450

}

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

451

_methods = dict(

452

(identifier, getattr(_lib, name))

453

for (identifier, name) in _methods.items()

454

if getattr(_lib, name, None) is not None)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

455

456

def __init__(self, method):

457

"""

458

:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or

459

TLSv1_METHOD.

460

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

461

if not isinstance(method, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

462

raise TypeError("method must be an integer")

463

464

try:

465

method_func = self._methods[method]

466

except KeyError:

467

raise ValueError("No such protocol")

468

469

method_obj = method_func()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

470

_openssl_assert(method_obj != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

471

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

472

context = _lib.SSL_CTX_new(method_obj)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

473

_openssl_assert(context != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

474

context = _ffi.gc(context, _lib.SSL_CTX_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

475

476

self._context = context

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

477

self._passphrase_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

478

self._passphrase_callback = None

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

479

self._passphrase_userdata = None

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

480

self._verify_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

481

self._verify_callback = None

482

self._info_callback = None

483

self._tlsext_servername_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

484

self._app_data = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

485

self._npn_advertise_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

486

self._npn_advertise_callback = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

487

self._npn_select_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

488

self._npn_select_callback = None

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

489

self._alpn_select_helper = None

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

490

self._alpn_select_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

491

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

492

# SSL_CTX_set_app_data(self->ctx, self);

493

# SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |

494

# SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

495

# SSL_MODE_AUTO_RETRY);

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

496

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

497

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

498

def load_verify_locations(self, cafile, capath=None):

499

"""

500

Let SSL know where we can find trusted certificates for the certificate

501

chain

502

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

503

:param cafile: In which file we can find the certificates (``bytes`` or

504

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

505

:param capath: In which directory we can find the certificates

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

506

(``bytes`` or ``unicode``).

507

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

508

:return: None

509

"""

510

if cafile is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

511

cafile = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

512

else:

513

cafile = _path_string(cafile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

514

515

if capath is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

516

capath = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

517

else:

518

capath = _path_string(capath)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

519

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

520

load_result = _lib.SSL_CTX_load_verify_locations(

521

self._context, cafile, capath

522

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

523

if not load_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

524

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

525

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

526

def _wrap_callback(self, callback):

527

@wraps(callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

528

def wrapper(size, verify, userdata):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

529

return callback(size, verify, self._passphrase_userdata)

530

return _PassphraseHelper(

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

531

FILETYPE_PEM, wrapper, more_args=True, truncate=True)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

532

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

533

def set_passwd_cb(self, callback, userdata=None):

534

"""

535

Set the passphrase callback

536

537

:param callback: The Python callback to use

538

:param userdata: (optional) A Python object which will be given as

539

argument to the callback

540

:return: None

541

"""

542

if not callable(callback):

543

raise TypeError("callback must be callable")

544

545

self._passphrase_helper = self._wrap_callback(callback)

546

self._passphrase_callback = self._passphrase_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

547

_lib.SSL_CTX_set_default_passwd_cb(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

548

self._context, self._passphrase_callback)

549

self._passphrase_userdata = userdata

550

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

551

def set_default_verify_paths(self):

552

"""

553

Use the platform-specific CA certificate locations

554

555

:return: None

556

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

557

set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

558

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

559

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

560

def use_certificate_chain_file(self, certfile):

561

"""

562

Load a certificate chain from a file

563

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

564

:param certfile: The name of the certificate chain file (``bytes`` or

565

``unicode``).

566

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

567

:return: None

568

"""

Jean-Paul Calderone

aac43a3

2015-04-12 09:51:21 -0400

[diff] [blame]

569

certfile = _path_string(certfile)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

570

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

571

result = _lib.SSL_CTX_use_certificate_chain_file(

572

self._context, certfile

573

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

574

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

575

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

576

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

577

def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

578

"""

579

Load a certificate from a file

580

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

581

:param certfile: The name of the certificate file (``bytes`` or

582

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

583

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

584

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

585

:return: None

586

"""

Jean-Paul Calderone

d57a7b6

2015-04-12 09:57:36 -0400

[diff] [blame]

587

certfile = _path_string(certfile)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

588

if not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

589

raise TypeError("filetype must be an integer")

590

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

591

use_result = _lib.SSL_CTX_use_certificate_file(

592

self._context, certfile, filetype

593

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

594

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

595

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

596

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

597

def use_certificate(self, cert):

598

"""

599

Load a certificate from a X509 object

600

601

:param cert: The X509 object

602

:return: None

603

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

604

if not isinstance(cert, X509):

605

raise TypeError("cert must be an X509 instance")

606

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

607

use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

608

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

609

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

610

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

611

def add_extra_chain_cert(self, certobj):

612

"""

613

Add certificate to chain

614

615

:param certobj: The X509 certificate object to add to the chain

616

:return: None

617

"""

618

if not isinstance(certobj, X509):

619

raise TypeError("certobj must be an X509 instance")

620

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

621

copy = _lib.X509_dup(certobj._x509)

622

add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

623

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

624

# TODO: This is untested.

625

_lib.X509_free(copy)

626

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

627

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

628

def _raise_passphrase_exception(self):

629

if self._passphrase_helper is None:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

630

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

631

exception = self._passphrase_helper.raise_if_problem(Error)

632

if exception is not None:

633

raise exception

634

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

635

def use_privatekey_file(self, keyfile, filetype=_UNSPECIFIED):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

636

"""

637

Load a private key from a file

638

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

639

:param keyfile: The name of the key file (``bytes`` or ``unicode``)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

640

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

641

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

642

:return: None

643

"""

Jean-Paul Calderone

69a4e5b

2015-04-12 10:04:28 -0400

[diff] [blame]

644

keyfile = _path_string(keyfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

645

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

646

if filetype is _UNSPECIFIED:

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

647

filetype = FILETYPE_PEM

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

648

elif not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

649

raise TypeError("filetype must be an integer")

650

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

651

use_result = _lib.SSL_CTX_use_PrivateKey_file(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

652

self._context, keyfile, filetype)

653

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

654

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

655

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

656

def use_privatekey(self, pkey):

657

"""

658

Load a private key from a PKey object

659

660

:param pkey: The PKey object

661

:return: None

662

"""

663

if not isinstance(pkey, PKey):

664

raise TypeError("pkey must be a PKey instance")

665

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

666

use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

667

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

668

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

669

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

670

def check_privatekey(self):

671

"""

672

Check that the private key and certificate match up

673

674

:return: None (raises an exception if something's wrong)

675

"""

Jean-Paul Calderone

a034492

2014-12-11 14:02:31 -0500

[diff] [blame]

676

if not _lib.SSL_CTX_check_private_key(self._context):

677

_raise_current_error()

678

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

679

def load_client_ca(self, cafile):

680

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

681

Load the trusted certificates that will be sent to the client. Does

682

not actually imply any of the certificates are trusted; that must be

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

683

configured separately.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

684

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

685

:param bytes cafile: The path to a certificates file in PEM format.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

686

:return: None

687

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

688

ca_list = _lib.SSL_load_client_CA_file(

689

_text_to_bytes_and_warn("cafile", cafile)

690

)

691

_openssl_assert(ca_list != _ffi.NULL)

692

# SSL_CTX_set_client_CA_list doesn't return anything.

693

_lib.SSL_CTX_set_client_CA_list(self._context, ca_list)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

694

695

def set_session_id(self, buf):

696

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

697

Set the session id to *buf* within which a session can be reused for

698

this Context object. This is needed when doing session resumption,

699

because there is no way for a stored session to know which Context

700

object it is associated with.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

701

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

702

:param bytes buf: The session id.

703

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

704

:returns: None

705

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

706

buf = _text_to_bytes_and_warn("buf", buf)

707

_openssl_assert(

708

_lib.SSL_CTX_set_session_id_context(

self._context,

buf,

len(buf),

) == 1

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

714

715

def set_session_cache_mode(self, mode):

716

"""

717

Enable/disable session caching and specify the mode used.

718

719

:param mode: One or more of the SESS_CACHE_* flags (combine using

720

bitwise or)

721

:returns: The previously set caching mode.

722

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

723

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

724

raise TypeError("mode must be an integer")

725

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

726

return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

727

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

728

def get_session_cache_mode(self):

729

"""

730

:returns: The currently used cache mode.

731

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

732

return _lib.SSL_CTX_get_session_cache_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

733

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

734

def set_verify(self, mode, callback):

735

"""

736

Set the verify mode and verify callback

737

738

:param mode: The verify mode, this is either VERIFY_NONE or

739

VERIFY_PEER combined with possible other flags

740

:param callback: The Python callback to use

741

:return: None

742

743

See SSL_CTX_set_verify(3SSL) for further details.

744

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

745

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

746

raise TypeError("mode must be an integer")

747

748

if not callable(callback):

749

raise TypeError("callback must be callable")

750

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

751

self._verify_helper = _VerifyHelper(callback)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

752

self._verify_callback = self._verify_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

753

_lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

754

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

755

def set_verify_depth(self, depth):

"""

Set the verify depth

:param depth: An integer specifying the verify depth

760

:return: None

761

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

762

if not isinstance(depth, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

763

raise TypeError("depth must be an integer")

764

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

765

_lib.SSL_CTX_set_verify_depth(self._context, depth)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

766

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

767

def get_verify_mode(self):

"""

Get the verify mode

:return: The verify mode

772

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

773

return _lib.SSL_CTX_get_verify_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

774

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

775

def get_verify_depth(self):

"""

Get the verify depth

:return: The verify depth

780

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

781

return _lib.SSL_CTX_get_verify_depth(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

782

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

783

def load_tmp_dh(self, dhfile):

784

"""

785

Load parameters for Ephemeral Diffie-Hellman

786

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

787

:param dhfile: The file to load EDH parameters from (``bytes`` or

788

``unicode``).

789

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

790

:return: None

791

"""

Jean-Paul Calderone

9e1c1dd

2015-04-12 10:13:13 -0400

[diff] [blame]

792

dhfile = _path_string(dhfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

793

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

794

bio = _lib.BIO_new_file(dhfile, b"r")

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

795

if bio == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

796

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

797

bio = _ffi.gc(bio, _lib.BIO_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

798

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

799

dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)

800

dh = _ffi.gc(dh, _lib.DH_free)

801

_lib.SSL_CTX_set_tmp_dh(self._context, dh)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

802

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

803

def set_tmp_ecdh(self, curve):

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

804

"""

Andy Lutomirski

76a6133

2014-03-12 15:02:56 -0700

[diff] [blame]

805

Select a curve to use for ECDHE key exchange.

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

806

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

807

:param curve: A curve object to use as returned by either

808

:py:meth:`OpenSSL.crypto.get_elliptic_curve` or

809

:py:meth:`OpenSSL.crypto.get_elliptic_curves`.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

810

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

811

:return: None

812

"""

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

813

_lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

814

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

815

def set_cipher_list(self, cipher_list):

816

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

817

Set the list of ciphers to be used in this context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

818

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

819

See the OpenSSL manual for more information (e.g.

820

:manpage:`ciphers(1)`).

821

822

:param bytes cipher_list: An OpenSSL cipher string.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

823

:return: None

824

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

825

cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

826

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

827

if not isinstance(cipher_list, bytes):

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

828

raise TypeError("cipher_list must be a byte string.")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

829

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

830

_openssl_assert(

Hynek Schlawack

22a4b66

2016-03-11 14:59:39 +0100

[diff] [blame]

831

_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

832

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

833

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

834

def set_client_ca_list(self, certificate_authorities):

835

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

836

Set the list of preferred client certificate signers for this server

837

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

838

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

839

This list of certificate authorities will be sent to the client when

840

the server requests a client certificate.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

841

842

:param certificate_authorities: a sequence of X509Names.

843

:return: None

844

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

845

name_stack = _lib.sk_X509_NAME_new_null()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

846

_openssl_assert(name_stack != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

847

848

try:

849

for ca_name in certificate_authorities:

850

if not isinstance(ca_name, X509Name):

851

raise TypeError(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

852

"client CAs must be X509Name objects, not %s "

853

"objects" % (

854

type(ca_name).__name__,

855

)

856

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

857

copy = _lib.X509_NAME_dup(ca_name._name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

858

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

859

push_result = _lib.sk_X509_NAME_push(name_stack, copy)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

860

if not push_result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

861

_lib.X509_NAME_free(copy)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

862

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

863

except:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

864

_lib.sk_X509_NAME_free(name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

865

raise

866

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

867

_lib.SSL_CTX_set_client_CA_list(self._context, name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

868

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

869

def add_client_ca(self, certificate_authority):

870

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

871

Add the CA certificate to the list of preferred signers for this

872

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

873

874

The list of certificate authorities will be sent to the client when the

875

server requests a client certificate.

876

877

:param certificate_authority: certificate authority's X509 certificate.

878

:return: None

879

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

880

if not isinstance(certificate_authority, X509):

881

raise TypeError("certificate_authority must be an X509 instance")

882

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

883

add_result = _lib.SSL_CTX_add_client_CA(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

884

self._context, certificate_authority._x509)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

885

_openssl_assert(add_result == 1)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

886

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

887

def set_timeout(self, timeout):

"""

Set session timeout

:param timeout: The timeout in seconds

892

:return: The previous session timeout

893

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

894

if not isinstance(timeout, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

895

raise TypeError("timeout must be an integer")

896

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

897

return _lib.SSL_CTX_set_timeout(self._context, timeout)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

898

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

899

def get_timeout(self):

900

"""

901

Get the session timeout

902

903

:return: The session timeout

904

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

905

return _lib.SSL_CTX_get_timeout(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

906

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

907

def set_info_callback(self, callback):

908

"""

909

Set the info callback

910

911

:param callback: The Python callback to use

912

:return: None

913

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

914

@wraps(callback)

915

def wrapper(ssl, where, return_code):

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

916

callback(Connection._reverse_mapping[ssl], where, return_code)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

917

self._info_callback = _ffi.callback(

918

"void (*)(const SSL *, int, int)", wrapper)

919

_lib.SSL_CTX_set_info_callback(self._context, self._info_callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

920

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

921

def get_app_data(self):

922

"""

923

Get the application data (supplied via set_app_data())

924

925

:return: The application data

926

"""

927

return self._app_data

928

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

929

def set_app_data(self, data):

930

"""

931

Set the application data (will be returned from get_app_data())

932

933

:param data: Any Python object

934

:return: None

935

"""

936

self._app_data = data

937

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

938

def get_cert_store(self):

939

"""

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

940

Get the certificate store for the context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

941

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

942

:return: A X509Store object or None if it does not have one.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

943

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

944

store = _lib.SSL_CTX_get_cert_store(self._context)

945

if store == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

946

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

947

return None

948

949

pystore = X509Store.__new__(X509Store)

950

pystore._store = store

951

return pystore

952

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

953

def set_options(self, options):

954

"""

955

Add options. Options set before are not cleared!

956

957

:param options: The options to add.

958

:return: The new option bitmask.

959

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

960

if not isinstance(options, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

961

raise TypeError("options must be an integer")

962

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

963

return _lib.SSL_CTX_set_options(self._context, options)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

964

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

965

def set_mode(self, mode):

966

"""

967

Add modes via bitmask. Modes set before are not cleared!

968

969

:param mode: The mode to add.

970

:return: The new mode bitmask.

971

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

972

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

973

raise TypeError("mode must be an integer")

974

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

975

return _lib.SSL_CTX_set_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

976

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

977

@_requires_sni

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

978

def set_tlsext_servername_callback(self, callback):

979

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

980

Specify a callback function to be called when clients specify a server

981

name.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

982

983

:param callback: The callback function. It will be invoked with one

984

argument, the Connection instance.

985

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

986

@wraps(callback)

987

def wrapper(ssl, alert, arg):

988

callback(Connection._reverse_mapping[ssl])

989

return 0

990

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

991

self._tlsext_servername_callback = _ffi.callback(

992

"int (*)(const SSL *, int *, void *)", wrapper)

993

_lib.SSL_CTX_set_tlsext_servername_callback(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

994

self._context, self._tlsext_servername_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

995

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

996

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

997

def set_npn_advertise_callback(self, callback):

998

"""

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

999

Specify a callback function that will be called when offering `Next

1000

Protocol Negotiation

1001

<https://technotes.googlecode.com/git/nextprotoneg.html>`_ as a server.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1002

1003

:param callback: The callback function. It will be invoked with one

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1004

argument, the Connection instance. It should return a list of

1005

bytestrings representing the advertised protocols, like

1006

``[b'http/1.1', b'spdy/2']``.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1007

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1008

self._npn_advertise_helper = _NpnAdvertiseHelper(callback)

1009

self._npn_advertise_callback = self._npn_advertise_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1010

_lib.SSL_CTX_set_next_protos_advertised_cb(

1011

self._context, self._npn_advertise_callback, _ffi.NULL)

1012

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1013

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1014

def set_npn_select_callback(self, callback):

1015

"""

1016

Specify a callback function that will be called when a server offers

1017

Next Protocol Negotiation options.

1018

1019

:param callback: The callback function. It will be invoked with two

1020

arguments: the Connection, and a list of offered protocols as

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1021

bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return

1022

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1023

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1024

self._npn_select_helper = _NpnSelectHelper(callback)

1025

self._npn_select_callback = self._npn_select_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1026

_lib.SSL_CTX_set_next_proto_select_cb(

1027

self._context, self._npn_select_callback, _ffi.NULL)

1028

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1029

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1030

def set_alpn_protos(self, protos):

1031

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1032

Specify the clients ALPN protocol list.

1033

1034

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1035

1036

:param protos: A list of the protocols to be offered to the server.

1037

This list should be a Python list of bytestrings representing the

1038

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1039

"""

1040

# Take the list of protocols and join them together, prefixing them

1041

# with their lengths.

1042

protostr = b''.join(

1043

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1044

)

1045

1046

# Build a C string from the list. We don't need to save this off

1047

# because OpenSSL immediately copies the data out.

1048

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

e871af5

2015-04-11 17:57:50 -0400

[diff] [blame]

1049

input_str_len = _ffi.cast("unsigned", len(protostr))

1050

_lib.SSL_CTX_set_alpn_protos(self._context, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1051

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1052

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1053

def set_alpn_select_callback(self, callback):

1054

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1055

Set the callback to handle ALPN protocol choice.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1056

1057

:param callback: The callback function. It will be invoked with two

1058

arguments: the Connection, and a list of offered protocols as

1059

bytestrings, e.g ``[b'http/1.1', b'spdy/2']``. It should return

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1060

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1061

"""

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

1062

self._alpn_select_helper = _ALPNSelectHelper(callback)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1063

self._alpn_select_callback = self._alpn_select_helper.callback

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1064

_lib.SSL_CTX_set_alpn_select_cb(

1065

self._context, self._alpn_select_callback, _ffi.NULL)

1066

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1067

ContextType = Context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1068

1069

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1070

class Connection(object):

1071

"""

1072

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1073

_reverse_mapping = WeakValueDictionary()

1074

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1075

def __init__(self, context, socket=None):

1076

"""

1077

Create a new Connection object, using the given OpenSSL.SSL.Context

1078

instance and socket.

1079

1080

:param context: An SSL Context to use for this connection

1081

:param socket: The socket to use for transport layer

1082

"""

1083

if not isinstance(context, Context):

1084

raise TypeError("context must be a Context instance")

1085

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1086

ssl = _lib.SSL_new(context._context)

1087

self._ssl = _ffi.gc(ssl, _lib.SSL_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1088

self._context = context

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

1089

self._app_data = None

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1090

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1091

# References to strings used for Next Protocol Negotiation. OpenSSL's

1092

# header files suggest that these might get copied at some point, but

1093

# doesn't specify when, so we store them here to make sure they don't

1094

# get freed before OpenSSL uses them.

1095

self._npn_advertise_callback_args = None

1096

self._npn_select_callback_args = None

1097

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1098

# References to strings used for Application Layer Protocol

1099

# Negotiation. These strings get copied at some point but it's well

1100

# after the callback returns, so we have to hang them somewhere to

1101

# avoid them getting freed.

1102

self._alpn_select_callback_args = None

1103

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1104

self._reverse_mapping[self._ssl] = self

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1105

1106

if socket is None:

1107

self._socket = None

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1108

# Don't set up any gc for these, SSL_free will take care of them.

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1109

self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1110

_openssl_assert(self._into_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1111

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1112

self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())

1113

_openssl_assert(self._from_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1114

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1115

_lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1116

else:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1117

self._into_ssl = None

1118

self._from_ssl = None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1119

self._socket = socket

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1120

set_result = _lib.SSL_set_fd(

1121

self._ssl, _asFileDescriptor(self._socket))

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

1122

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1123

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1124

def __getattr__(self, name):

1125

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1126

Look up attributes on the wrapped socket object if they are not found

1127

on the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1128

"""

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1129

if self._socket is None:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1130

raise AttributeError("'%s' object has no attribute '%s'" % (

1131

self.__class__.__name__, name

1132

))

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1133

else:

1134

return getattr(self._socket, name)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1135

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1136

def _raise_ssl_error(self, ssl, result):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1137

if self._context._verify_helper is not None:

1138

self._context._verify_helper.raise_if_problem()

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1139

if self._context._npn_advertise_helper is not None:

1140

self._context._npn_advertise_helper.raise_if_problem()

1141

if self._context._npn_select_helper is not None:

1142

self._context._npn_select_helper.raise_if_problem()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1143

if self._context._alpn_select_helper is not None:

1144

self._context._alpn_select_helper.raise_if_problem()

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1145

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1146

error = _lib.SSL_get_error(ssl, result)

1147

if error == _lib.SSL_ERROR_WANT_READ:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1148

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1149

elif error == _lib.SSL_ERROR_WANT_WRITE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1150

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1151

elif error == _lib.SSL_ERROR_ZERO_RETURN:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1152

raise ZeroReturnError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1153

elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1154

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1155

raise WantX509LookupError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1156

elif error == _lib.SSL_ERROR_SYSCALL:

1157

if _lib.ERR_peek_error() == 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1158

if result < 0:

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

1159

if platform == "win32":

1160

errno = _ffi.getwinerror()[0]

1161

else:

1162

errno = _ffi.errno

Glyph

3afdba8

2015-04-14 17:30:53 -0400

[diff] [blame]

1163

raise SysCallError(errno, errorcode.get(errno))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1164

else:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1165

raise SysCallError(-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1166

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1167

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1168

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1169

elif error == _lib.SSL_ERROR_NONE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1170

pass

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1171

else:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1172

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1173

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1174

def get_context(self):

1175

"""

1176

Get session context

1177

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1178

return self._context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1179

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1180

def set_context(self, context):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1181

"""

1182

Switch this connection to a new session context

1183

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1184

:param context: A :py:class:`Context` instance giving the new session

1185

context to use.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1186

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1187

if not isinstance(context, Context):

1188

raise TypeError("context must be a Context instance")

1189

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1190

_lib.SSL_set_SSL_CTX(self._ssl, context._context)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1191

self._context = context

1192

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1193

@_requires_sni

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1194

def get_servername(self):

1195

"""

1196

Retrieve the servername extension value if provided in the client hello

1197

message, or None if there wasn't one.

1198

1199

:return: A byte string giving the server name or :py:data:`None`.

1200

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1201

name = _lib.SSL_get_servername(

1202

self._ssl, _lib.TLSEXT_NAMETYPE_host_name

1203

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1204

if name == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1205

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1206

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1207

return _ffi.string(name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1208

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1209

@_requires_sni

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1210

def set_tlsext_host_name(self, name):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1211

"""

1212

Set the value of the servername extension to send in the client hello.

1213

1214

:param name: A byte string giving the name.

1215

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1216

if not isinstance(name, bytes):

1217

raise TypeError("name must be a byte string")

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1218

elif b"\0" in name:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1219

raise TypeError("name must not contain NUL byte")

1220

1221

# XXX I guess this can fail sometimes?

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1222

_lib.SSL_set_tlsext_host_name(self._ssl, name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1223

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1224

def pending(self):

1225

"""

1226

Get the number of bytes that can be safely read from the connection

1227

1228

:return: The number of bytes available in the receive buffer.

1229

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1230

return _lib.SSL_pending(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1231

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1232

def send(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1233

"""

1234

Send data on the connection. NOTE: If you get one of the WantRead,

1235

WantWrite or WantX509Lookup exceptions on this, you have to call the

1236

method again with the SAME buffer.

1237

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1238

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1239

:param flags: (optional) Included for compatibility with the socket

1240

API, the value is ignored

1241

:return: The number of bytes written

1242

"""

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1243

# Backward compatibility

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1244

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1245

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1246

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1247

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1248

if isinstance(buf, _buffer):

1249

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1250

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1251

raise TypeError("data must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1252

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1253

result = _lib.SSL_write(self._ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1254

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return result

write = send

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1258

def sendall(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1259

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1260

Send "all" data on the connection. This calls send() repeatedly until

1261

all data is sent. If an error occurs, it's impossible to tell how much

1262

data has been sent.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1263

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1264

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1265

:param flags: (optional) Included for compatibility with the socket

1266

API, the value is ignored

1267

:return: The number of bytes written

1268

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1269

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1270

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1271

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1272

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1273

if isinstance(buf, _buffer):

1274

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1275

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1276

raise TypeError("buf must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1277

1278

left_to_send = len(buf)

1279

total_sent = 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1280

data = _ffi.new("char[]", buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1281

1282

while left_to_send:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1283

result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1284

self._raise_ssl_error(self._ssl, result)

1285

total_sent += result

1286

left_to_send -= result

1287

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1288

def recv(self, bufsiz, flags=None):

1289

"""

Alex Gaynor

67fc8c9

2016-05-27 08:27:19 -0400

[diff] [blame]

1290

Receive data on the connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1291

1292

:param bufsiz: The maximum number of bytes to read

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1293

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1294

all other flags are ignored.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1295

:return: The string read from the Connection

1296

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1297

buf = _ffi.new("char[]", bufsiz)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1298

if flags is not None and flags & socket.MSG_PEEK:

1299

result = _lib.SSL_peek(self._ssl, buf, bufsiz)

1300

else:

1301

result = _lib.SSL_read(self._ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1302

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1303

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1304

read = recv

1305

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1306

def recv_into(self, buffer, nbytes=None, flags=None):

1307

"""

1308

Receive data on the connection and store the data into a buffer rather

1309

than creating a new string.

1310

1311

:param buffer: The buffer to copy into.

1312

:param nbytes: (optional) The maximum number of bytes to read into the

1313

buffer. If not present, defaults to the size of the buffer. If

1314

larger than the size of the buffer, is reduced to the size of the

1315

buffer.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1316

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1317

all other flags are ignored.

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1318

:return: The number of bytes read into the buffer.

"""

if nbytes is None:

nbytes = len(buffer)

else:

nbytes = min(nbytes, len(buffer))

1324

1325

# We need to create a temporary buffer. This is annoying, it would be

1326

# better if we could pass memoryviews straight into the SSL_read call,

1327

# but right now we can't. Revisit this if CFFI gets that ability.

1328

buf = _ffi.new("char[]", nbytes)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1329

if flags is not None and flags & socket.MSG_PEEK:

1330

result = _lib.SSL_peek(self._ssl, buf, nbytes)

1331

else:

1332

result = _lib.SSL_read(self._ssl, buf, nbytes)

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1333

self._raise_ssl_error(self._ssl, result)

1334

1335

# This strange line is all to avoid a memory copy. The buffer protocol

1336

# should allow us to assign a CFFI buffer to the LHS of this line, but

1337

# on CPython 3.3+ that segfaults. As a workaround, we can temporarily

1338

# wrap it in a memoryview, except on Python 2.6 which doesn't have a

1339

# memoryview type.

1340

try:

1341

buffer[:result] = memoryview(_ffi.buffer(buf, result))

1342

except NameError:

1343

buffer[:result] = _ffi.buffer(buf, result)

return result

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1347

def _handle_bio_errors(self, bio, result):

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1348

if _lib.BIO_should_retry(bio):

1349

if _lib.BIO_should_read(bio):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1350

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1351

elif _lib.BIO_should_write(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1352

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1353

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1354

elif _lib.BIO_should_io_special(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1355

# TODO: This is untested. I think io_special means the socket

1356

# BIO has a not-yet connected socket.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1357

raise ValueError("BIO_should_io_special")

1358

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1359

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1360

raise ValueError("unknown bio failure")

1361

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1362

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1363

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1364

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1365

def bio_read(self, bufsiz):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1366

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1367

When using non-socket connections this function reads the "dirty" data

1368

that would have traveled away on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1369

1370

:param bufsiz: The maximum number of bytes to read

1371

:return: The string read.

1372

"""

Jean-Paul Calderone

97e041d

2013-03-05 21:03:12 -0800

[diff] [blame]

1373

if self._from_ssl is None:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1374

raise TypeError("Connection sock was not None")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1375

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1376

if not isinstance(bufsiz, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1377

raise TypeError("bufsiz must be an integer")

1378

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1379

buf = _ffi.new("char[]", bufsiz)

1380

result = _lib.BIO_read(self._from_ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1381

if result <= 0:

1382

self._handle_bio_errors(self._from_ssl, result)

1383

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1384

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1385

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1386

def bio_write(self, buf):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1387

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1388

When using non-socket connections this function sends "dirty" data that

1389

would have traveled in on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1390

1391

:param buf: The string to put into the memory BIO.

1392

:return: The number of bytes written

1393

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1394

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1395

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1396

if self._into_ssl is None:

1397

raise TypeError("Connection sock was not None")

1398

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1399

result = _lib.BIO_write(self._into_ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1400

if result <= 0:

1401

self._handle_bio_errors(self._into_ssl, result)

1402

return result

1403

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1404

def renegotiate(self):

1405

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1406

Renegotiate the session.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1407

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1408

:return: True if the renegotiation can be started, False otherwise

1409

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1410

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1411

if not self.renegotiate_pending():

1412

_openssl_assert(_lib.SSL_renegotiate(self._ssl) == 1)

1413

return True

1414

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1415

1416

def do_handshake(self):

1417

"""

1418

Perform an SSL handshake (usually called after renegotiate() or one of

1419

set_*_state()). This can raise the same exceptions as send and recv.

1420

1421

:return: None.

1422

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1423

result = _lib.SSL_do_handshake(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1424

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1425

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1426

def renegotiate_pending(self):

1427

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1428

Check if there's a renegotiation in progress, it will return False once

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1429

a renegotiation is finished.

1430

1431

:return: Whether there's a renegotiation in progress

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1432

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1433

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1434

return _lib.SSL_renegotiate_pending(self._ssl) == 1

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1435

1436

def total_renegotiations(self):

1437

"""

1438

Find out the total number of renegotiations.

1439

1440

:return: The number of renegotiations.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1441

:rtype: int

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1442

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1443

return _lib.SSL_total_renegotiations(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1444

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1445

def connect(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1446

"""

1447

Connect to remote host and set up client-side SSL

1448

1449

:param addr: A remote address

1450

:return: What the socket's connect method returns

1451

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1452

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1453

return self._socket.connect(addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1454

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1455

def connect_ex(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1456

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1457

Connect to remote host and set up client-side SSL. Note that if the

1458

socket's connect_ex method doesn't return 0, SSL won't be initialized.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1459

1460

:param addr: A remove address

1461

:return: What the socket's connect_ex method returns

1462

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1463

connect_ex = self._socket.connect_ex

1464

self.set_connect_state()

1465

return connect_ex(addr)

1466

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1467

def accept(self):

1468

"""

1469

Accept incoming connection and set up SSL on it

1470

1471

:return: A (conn,addr) pair where conn is a Connection and addr is an

1472

address

1473

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1474

client, addr = self._socket.accept()

1475

conn = Connection(self._context, client)

1476

conn.set_accept_state()

1477

return (conn, addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1478

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1479

def bio_shutdown(self):

1480

"""

1481

When using non-socket connections this function signals end of

1482

data on the input for this connection.

1483

1484

:return: None

1485

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1486

if self._from_ssl is None:

1487

raise TypeError("Connection sock was not None")

1488

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1489

_lib.BIO_set_mem_eof_return(self._into_ssl, 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1490

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

def shutdown(self):

"""

Send closure alert

:return: True if the shutdown completed successfully (i.e. both sides

1496

have sent closure alerts), false otherwise (i.e. you have to

1497

wait for a ZeroReturnError on a recv() method call

1498

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1499

result = _lib.SSL_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1500

if result < 0:

Paul Aurich

bff1d1a

2015-01-08 08:36:53 -0800

[diff] [blame]

1501

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1502

elif result > 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1503

return True

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

else:

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1507

def get_cipher_list(self):

1508

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1509

Retrieve the list of ciphers used by the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1510

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1511

:return: A list of native cipher strings.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1512

"""

1513

ciphers = []

1514

for i in count():

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1515

result = _lib.SSL_get_cipher_list(self._ssl, i)

1516

if result == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1517

break

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1518

ciphers.append(_native(_ffi.string(result)))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1519

return ciphers

1520

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1521

def get_client_ca_list(self):

1522

"""

1523

Get CAs whose certificates are suggested for client authentication.

1524

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1525

:return: If this is a server connection, a list of X509Names

1526

representing the acceptable CAs as set by

1527

:py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or

1528

:py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client

1529

connection, the list of such X509Names sent by the server, or an

1530

empty list if that has not yet happened.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1531

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1532

ca_names = _lib.SSL_get_client_CA_list(self._ssl)

1533

if ca_names == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1534

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1535

return []

1536

1537

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1538

for i in range(_lib.sk_X509_NAME_num(ca_names)):

1539

name = _lib.sk_X509_NAME_value(ca_names, i)

1540

copy = _lib.X509_NAME_dup(name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1541

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1542

1543

pyname = X509Name.__new__(X509Name)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1544

pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1545

result.append(pyname)

1546

return result

1547

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1548

def makefile(self):

1549

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1550

The makefile() method is not implemented, since there is no dup

1551

semantics for SSL connections

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1552

Jean-Paul Calderone

6749ec2

2014-04-17 16:30:21 -0400

[diff] [blame]

1553

:raise: NotImplementedError

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1554

"""

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

1555

raise NotImplementedError(

1556

"Cannot make file object of OpenSSL.SSL.Connection")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1557

1558

def get_app_data(self):

"""

Get application data

:return: The application data

1563

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1564

return self._app_data

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1565

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1566

def set_app_data(self, data):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set application data

:param data - The application data

1571

:return: None

1572

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1573

self._app_data = data

1574

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1575

def get_shutdown(self):

"""

Get shutdown state

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1579

:return: The shutdown state, a bitvector of SENT_SHUTDOWN,

1580

RECEIVED_SHUTDOWN.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1581

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1582

return _lib.SSL_get_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1583

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1584

def set_shutdown(self, state):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set shutdown state

:param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.

1589

:return: None

1590

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

1591

if not isinstance(state, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1592

raise TypeError("state must be an integer")

1593

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1594

_lib.SSL_set_shutdown(self._ssl, state)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1595

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1596

def get_state_string(self):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1597

"""

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1598

Retrieve a verbose string detailing the state of the Connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1599

1600

:return: A string representing the state

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1601

:rtype: bytes

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1602

"""

kjav

c704a2e

2015-09-07 12:12:27 +0100

[diff] [blame]

1603

return _ffi.string(_lib.SSL_state_string_long(self._ssl))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1604

1605

def server_random(self):

1606

"""

1607

Get a copy of the server hello nonce.

1608

1609

:return: A string representing the state

1610

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1611

session = _lib.SSL_get_session(self._ssl)

1612

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1613

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1614

length = _lib.SSL_get_server_random(self._ssl, _ffi.NULL, 0)

1615

assert length > 0

1616

outp = _ffi.new("char[]", length)

1617

_lib.SSL_get_server_random(self._ssl, outp, length)

1618

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1619

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1620

def client_random(self):

1621

"""

1622

Get a copy of the client hello nonce.

1623

1624

:return: A string representing the state

1625

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1626

session = _lib.SSL_get_session(self._ssl)

1627

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1628

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1629

1630

length = _lib.SSL_get_client_random(self._ssl, _ffi.NULL, 0)

1631

assert length > 0

1632

outp = _ffi.new("char[]", length)

1633

_lib.SSL_get_client_random(self._ssl, outp, length)

1634

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1635

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1636

def master_key(self):

1637

"""

1638

Get a copy of the master key.

1639

1640

:return: A string representing the state

1641

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1642

session = _lib.SSL_get_session(self._ssl)

1643

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1644

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1645

1646

length = _lib.SSL_SESSION_get_master_key(session, _ffi.NULL, 0)

1647

assert length > 0

1648

outp = _ffi.new("char[]", length)

1649

_lib.SSL_SESSION_get_master_key(session, outp, length)

1650

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1651

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1652

def sock_shutdown(self, *args, **kwargs):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

See shutdown(2)

:return: What the socket's shutdown() method returns

1657

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1658

return self._socket.shutdown(*args, **kwargs)

1659

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1660

def get_peer_certificate(self):

1661

"""

1662

Retrieve the other side's certificate (if any)

1663

1664

:return: The peer's certificate

1665

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1666

cert = _lib.SSL_get_peer_certificate(self._ssl)

1667

if cert != _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1668

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1669

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return pycert

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1673

def get_peer_cert_chain(self):

1674

"""

1675

Retrieve the other side's certificate (if any)

1676

1677

:return: A list of X509 instances giving the peer's certificate chain,

1678

or None if it does not have one.

1679

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1680

cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)

1681

if cert_stack == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1682

return None

1683

1684

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1685

for i in range(_lib.sk_X509_num(cert_stack)):

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1686

# TODO could incref instead of dup here

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1687

cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1688

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1689

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1690

result.append(pycert)

1691

return result

1692

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1693

def want_read(self):

1694

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1695

Checks if more data has to be read from the transport layer to complete

1696

an operation.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1697

1698

:return: True iff more data has to be read

1699

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1700

return _lib.SSL_want_read(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1701

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1702

def want_write(self):

1703

"""

1704

Checks if there is data to write to the transport layer to complete an

1705

operation.

1706

1707

:return: True iff there is data to write

1708

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1709

return _lib.SSL_want_write(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1710

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1711

def set_accept_state(self):

1712

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1713

Set the connection to work in server mode. The handshake will be

1714

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1715

1716

:return: None

1717

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1718

_lib.SSL_set_accept_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1719

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1720

def set_connect_state(self):

1721

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1722

Set the connection to work in client mode. The handshake will be

1723

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1724

1725

:return: None

1726

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1727

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1728

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1729

def get_session(self):

1730

"""

1731

Returns the Session currently used.

1732

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1733

@return: An instance of :py:class:`OpenSSL.SSL.Session` or

1734

:py:obj:`None` if no session exists.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1735

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1736

session = _lib.SSL_get1_session(self._ssl)

1737

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1738

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1739

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1740

pysession = Session.__new__(Session)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1741

pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1742

return pysession

1743

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1744

def set_session(self, session):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1745

"""

1746

Set the session to be used when the TLS/SSL connection is established.

1747

1748

:param session: A Session instance representing the session to use.

1749

:returns: None

1750

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1751

if not isinstance(session, Session):

1752

raise TypeError("session must be a Session instance")

1753

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1754

result = _lib.SSL_set_session(self._ssl, session._session)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1755

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1756

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1757

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1758

def _get_finished_message(self, function):

1759

"""

1760

Helper to implement :py:meth:`get_finished` and

1761

:py:meth:`get_peer_finished`.

1762

1763

:param function: Either :py:data:`SSL_get_finished`: or

1764

:py:data:`SSL_get_peer_finished`.

1765

1766

:return: :py:data:`None` if the desired message has not yet been

1767

received, otherwise the contents of the message.

1768

:rtype: :py:class:`bytes` or :py:class:`NoneType`

1769

"""

Jean-Paul Calderone

01af904

2014-03-30 11:40:42 -0400

[diff] [blame]

1770

# The OpenSSL documentation says nothing about what might happen if the

1771

# count argument given is zero. Specifically, it doesn't say whether

1772

# the output buffer may be NULL in that case or not. Inspection of the

1773

# implementation reveals that it calls memcpy() unconditionally.

1774

# Section 7.1.4, paragraph 1 of the C standard suggests that

1775

# memcpy(NULL, source, 0) is not guaranteed to produce defined (let

1776

# alone desirable) behavior (though it probably does on just about

1777

# every implementation...)

1778

#

1779

# Allocate a tiny buffer to pass in (instead of just passing NULL as

1780

# one might expect) for the initial call so as to be safe against this

1781

# potentially undefined behavior.

1782

empty = _ffi.new("char[]", 0)

1783

size = function(self._ssl, empty, 0)

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1784

if size == 0:

1785

# No Finished message so far.

1786

return None

1787

1788

buf = _ffi.new("char[]", size)

1789

function(self._ssl, buf, size)

1790

return _ffi.buffer(buf, size)[:]

1791

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1792

def get_finished(self):

1793

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1794

Obtain the latest `handshake finished` message sent to the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1795

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1796

:return: The contents of the message or :py:obj:`None` if the TLS

1797

handshake has not yet completed.

1798

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1799

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1800

return self._get_finished_message(_lib.SSL_get_finished)

1801

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1802

def get_peer_finished(self):

1803

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1804

Obtain the latest `handshake finished` message received from the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1805

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1806

:return: The contents of the message or :py:obj:`None` if the TLS

1807

handshake has not yet completed.

1808

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1809

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1810

return self._get_finished_message(_lib.SSL_get_peer_finished)

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1811

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1812

def get_cipher_name(self):

1813

"""

1814

Obtain the name of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1815

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1816

:returns: The name of the currently used cipher or :py:obj:`None`

1817

if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1818

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1819

"""

1820

cipher = _lib.SSL_get_current_cipher(self._ssl)

1821

if cipher == _ffi.NULL:

1822

return None

1823

else:

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1824

name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))

1825

return name.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1826

1827

def get_cipher_bits(self):

1828

"""

1829

Obtain the number of secret bits of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1830

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1831

:returns: The number of secret bits of the currently used cipher

1832

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1833

:rtype: :py:class:`int` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1834

"""

1835

cipher = _lib.SSL_get_current_cipher(self._ssl)

1836

if cipher == _ffi.NULL:

1837

return None

1838

else:

1839

return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)

1840

1841

def get_cipher_version(self):

1842

"""

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1843

Obtain the protocol version of the currently used cipher.

1844

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1845

:returns: The protocol name of the currently used cipher

1846

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1847

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1848

"""

1849

cipher = _lib.SSL_get_current_cipher(self._ssl)

1850

if cipher == _ffi.NULL:

1851

return None

1852

else:

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

1853

version = _ffi.string(_lib.SSL_CIPHER_get_version(cipher))

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1854

return version.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1855

Jim Shaver

abff188

2015-05-27 09:15:55 -0400

[diff] [blame]

1856

def get_protocol_version_name(self):

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1857

"""

1858

Obtain the protocol version of the current connection.

1859

1860

:returns: The TLS version of the current connection, for example

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1861

the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown``

Jim Shaver

b5b6b0e

2015-05-28 16:47:36 -0400

[diff] [blame]

1862

for connections that were not successfully established.

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1863

:rtype: :py:class:`unicode`

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1864

"""

Jim Shaver

d1c896e

2015-05-27 17:50:21 -0400

[diff] [blame]

1865

version = _ffi.string(_lib.SSL_get_version(self._ssl))

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1866

return version.decode("utf-8")

Jim Shaver

b296792

2015-04-26 23:58:52 -0400

[diff] [blame]

1867

Jim Shaver

208438c

2015-05-28 09:52:38 -0400

[diff] [blame]

1868

def get_protocol_version(self):

1869

"""

1870

Obtain the protocol version of the current connection.

1871

1872

:returns: The TLS version of the current connection, for example

1873

the value for TLS 1 would be 0x769.

1874

:rtype: :py:class:`int`

1875

"""

1876

version = _lib.SSL_version(self._ssl)

1877

return version

1878

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1879

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1880

def get_next_proto_negotiated(self):

1881

"""

1882

Get the protocol that was negotiated by NPN.

1883

"""

1884

data = _ffi.new("unsigned char **")

1885

data_len = _ffi.new("unsigned int *")

1886

1887

_lib.SSL_get0_next_proto_negotiated(self._ssl, data, data_len)

1888

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

1889

return _ffi.buffer(data[0], data_len[0])[:]

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1890

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1891

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1892

def set_alpn_protos(self, protos):

1893

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1894

Specify the client's ALPN protocol list.

1895

1896

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1897

1898

:param protos: A list of the protocols to be offered to the server.

1899

This list should be a Python list of bytestrings representing the

1900

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1901

"""

1902

# Take the list of protocols and join them together, prefixing them

1903

# with their lengths.

1904

protostr = b''.join(

1905

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1906

)

1907

1908

# Build a C string from the list. We don't need to save this off

1909

# because OpenSSL immediately copies the data out.

1910

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

9c1979a

2015-04-12 08:51:52 -0400

[diff] [blame]

1911

input_str_len = _ffi.cast("unsigned", len(protostr))

1912

_lib.SSL_set_alpn_protos(self._ssl, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1913

Maximilian Hils

66ded6a

2015-08-26 06:02:03 +0200

[diff] [blame]

1914

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1915

def get_alpn_proto_negotiated(self):

Cory Benfield

222f30e

2015-04-13 18:10:21 -0400

[diff] [blame]

1916

"""

1917

Get the protocol that was negotiated by ALPN.

1918

"""

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1919

data = _ffi.new("unsigned char **")

1920

data_len = _ffi.new("unsigned int *")

1921

1922

_lib.SSL_get0_alpn_selected(self._ssl, data, data_len)

1923

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

if not data_len:

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1927

return _ffi.buffer(data[0], data_len[0])[:]

1928

1929

Jean-Paul Calderone