Blame - src/OpenSSL/SSL.py - platform/external/python/pyopenssl

2015-08-17 19:27:20 +0200

[diff] [blame]

1

import socket

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2

from sys import platform

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

3

from functools import wraps, partial

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

4

from itertools import count, chain

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

5

from weakref import WeakValueDictionary

6

from errno import errorcode

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

7

Cory Benfield

63759dc

2015-04-12 08:57:03 -0400

[diff] [blame]

8

from six import binary_type as _binary_type

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

9

from six import integer_types as integer_types

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

10

from six import int2byte, indexbytes

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

11

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

12

from OpenSSL._util import (

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

13

UNSPECIFIED as _UNSPECIFIED,

14

exception_from_error_queue as _exception_from_error_queue,

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

15

ffi as _ffi,

16

lib as _lib,

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

17

make_assert as _make_assert,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

18

native as _native,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

19

path_string as _path_string,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

20

text_to_bytes_and_warn as _text_to_bytes_and_warn,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

21

)

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

22

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

23

from OpenSSL.crypto import (

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

24

FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

25

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

26

try:

27

_memoryview = memoryview

28

except NameError:

29

class _memoryview(object):

30

pass

31

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

try:

_buffer = buffer

except NameError:

class _buffer(object):

36

pass

37

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

38

OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER

39

SSLEAY_VERSION = _lib.SSLEAY_VERSION

40

SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS

41

SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM

42

SSLEAY_DIR = _lib.SSLEAY_DIR

43

SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

44

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

45

SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN

46

RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

SSLv2_METHOD = 1

SSLv3_METHOD = 2

SSLv23_METHOD = 3

TLSv1_METHOD = 4

Jean-Paul Calderone

56bff94

2013-11-03 11:30:43 -0500

[diff] [blame]

52

TLSv1_1_METHOD = 5

53

TLSv1_2_METHOD = 6

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

54

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

55

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2

56

OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3

57

OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

58

59

OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)

60

OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

61

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

62

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

63

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

64

OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE

Akihiro Yamazaki

e64d80c

2015-09-06 00:16:57 +0900

[diff] [blame]

65

OP_SINGLE_ECDH_USE = _lib.SSL_OP_SINGLE_ECDH_USE

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

66

OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA

67

OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG

68

OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

69

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = (

70

_lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

71

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

72

OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

73

OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

Jean-Paul Calderone

0d7e8a1

2014-01-08 16:54:13 -0500

[diff] [blame]

74

try:

75

OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING

76

except AttributeError:

77

pass

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

78

OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG

79

OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG

80

OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG

81

OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

82

OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE

83

OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG

84

OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1

85

OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2

86

OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

87

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = (

88

_lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

89

)

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

90

OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

91

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

92

OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU

93

OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE

Arturo Filastò

5f8c7a8

2014-03-09 20:01:25 +0100

[diff] [blame]

94

try:

95

OP_NO_TICKET = _lib.SSL_OP_NO_TICKET

96

except AttributeError:

97

pass

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

98

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

99

OP_ALL = _lib.SSL_OP_ALL

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

100

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

101

VERIFY_PEER = _lib.SSL_VERIFY_PEER

102

VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

103

VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE

104

VERIFY_NONE = _lib.SSL_VERIFY_NONE

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

105

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

106

SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF

107

SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT

108

SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER

109

SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH

110

SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR

111

SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

112

SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE

113

SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

d39a3f6

2013-03-04 12:23:51 -0800

[diff] [blame]

114

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

115

SSL_ST_CONNECT = _lib.SSL_ST_CONNECT

116

SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT

117

SSL_ST_MASK = _lib.SSL_ST_MASK

118

SSL_ST_INIT = _lib.SSL_ST_INIT

119

SSL_ST_BEFORE = _lib.SSL_ST_BEFORE

120

SSL_ST_OK = _lib.SSL_ST_OK

121

SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

122

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

123

SSL_CB_LOOP = _lib.SSL_CB_LOOP

124

SSL_CB_EXIT = _lib.SSL_CB_EXIT

125

SSL_CB_READ = _lib.SSL_CB_READ

126

SSL_CB_WRITE = _lib.SSL_CB_WRITE

127

SSL_CB_ALERT = _lib.SSL_CB_ALERT

128

SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT

129

SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT

130

SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP

131

SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT

132

SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP

133

SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT

134

SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START

135

SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

136

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

137

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

138

class Error(Exception):

Jean-Paul Calderone

511cde0

2013-12-29 10:31:13 -0500

[diff] [blame]

139

"""

140

An error occurred in an `OpenSSL.SSL` API.

141

"""

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

142

143

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

144

_raise_current_error = partial(_exception_from_error_queue, Error)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

145

_openssl_assert = _make_assert(Error)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

146

147

148

class WantReadError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

152

class WantWriteError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

156

class WantX509LookupError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

160

class ZeroReturnError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

164

class SysCallError(Error):

pass

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

168

class _CallbackExceptionHelper(object):

169

"""

170

A base class for wrapper classes that allow for intelligent exception

171

handling in OpenSSL callbacks.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

172

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

173

:ivar list _problems: Any exceptions that occurred while executing in a

174

context where they could not be raised in the normal way. Typically

175

this is because OpenSSL has called into some Python code and requires a

176

return value. The exceptions are saved to be raised later when it is

177

possible to do so.

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

178

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

179

Jean-Paul Calderone

09540d7

2015-03-22 19:37:20 -0400

[diff] [blame]

180

def __init__(self):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

181

self._problems = []

182

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

183

def raise_if_problem(self):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

184

"""

185

Raise an exception from the OpenSSL error queue or that was previously

186

captured whe running a callback.

187

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

188

if self._problems:

189

try:

190

_raise_current_error()

191

except Error:

192

pass

193

raise self._problems.pop(0)

194

195

196

class _VerifyHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

197

"""

198

Wrap a callback such that it can be used as a certificate verification

199

callback.

200

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

201

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

202

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

203

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

204

205

@wraps(callback)

206

def wrapper(ok, store_ctx):

207

cert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

208

cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)

209

error_number = _lib.X509_STORE_CTX_get_error(store_ctx)

210

error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

211

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

212

index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()

213

ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)

214

connection = Connection._reverse_mapping[ssl]

215

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

216

try:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

217

result = callback(

218

connection, cert, error_number, error_depth, ok

219

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

220

except Exception as e:

221

self._problems.append(e)

222

return 0

223

else:

224

if result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

225

_lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

return 1

else:

return 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

230

self.callback = _ffi.callback(

231

"int (*)(int, X509_STORE_CTX *)", wrapper)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

232

233

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

234

class _NpnAdvertiseHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

235

"""

236

Wrap a callback such that it can be used as an NPN advertisement callback.

237

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

238

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

239

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

240

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

241

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

242

@wraps(callback)

243

def wrapper(ssl, out, outlen, arg):

244

try:

245

conn = Connection._reverse_mapping[ssl]

246

protos = callback(conn)

247

248

# Join the protocols into a Python bytestring, length-prefixing

249

# each element.

250

protostr = b''.join(

251

chain.from_iterable((int2byte(len(p)), p) for p in protos)

252

)

253

254

# Save our callback arguments on the connection object. This is

255

# done to make sure that they don't get freed before OpenSSL

256

# uses them. Then, return them appropriately in the output

257

# parameters.

258

conn._npn_advertise_callback_args = [

259

_ffi.new("unsigned int *", len(protostr)),

260

_ffi.new("unsigned char[]", protostr),

261

]

262

outlen[0] = conn._npn_advertise_callback_args[0][0]

263

out[0] = conn._npn_advertise_callback_args[1]

264

return 0

265

except Exception as e:

266

self._problems.append(e)

267

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

268

269

self.callback = _ffi.callback(

270

"int (*)(SSL *, const unsigned char **, unsigned int *, void *)",

wrapper

)

class _NpnSelectHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

276

"""

277

Wrap a callback such that it can be used as an NPN selection callback.

278

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

279

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

280

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

281

_CallbackExceptionHelper.__init__(self)

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

282

283

@wraps(callback)

284

def wrapper(ssl, out, outlen, in_, inlen, arg):

285

try:

286

conn = Connection._reverse_mapping[ssl]

287

288

# The string passed to us is actually made up of multiple

289

# length-prefixed bytestrings. We need to split that into a

290

# list.

291

instr = _ffi.buffer(in_, inlen)[:]

292

protolist = []

293

while instr:

294

l = indexbytes(instr, 0)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

295

proto = instr[1:l + 1]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

296

protolist.append(proto)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

297

instr = instr[l + 1:]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

298

299

# Call the callback

300

outstr = callback(conn, protolist)

301

302

# Save our callback arguments on the connection object. This is

303

# done to make sure that they don't get freed before OpenSSL

304

# uses them. Then, return them appropriately in the output

305

# parameters.

306

conn._npn_select_callback_args = [

307

_ffi.new("unsigned char *", len(outstr)),

308

_ffi.new("unsigned char[]", outstr),

309

]

310

outlen[0] = conn._npn_select_callback_args[0][0]

311

out[0] = conn._npn_select_callback_args[1]

312

return 0

313

except Exception as e:

314

self._problems.append(e)

315

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

316

317

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

318

("int (*)(SSL *, unsigned char **, unsigned char *, "

319

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

320

wrapper

321

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

322

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

323

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

324

class _ALPNSelectHelper(_CallbackExceptionHelper):

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

325

"""

326

Wrap a callback such that it can be used as an ALPN selection callback.

327

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

328

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

329

def __init__(self, callback):

330

_CallbackExceptionHelper.__init__(self)

331

332

@wraps(callback)

333

def wrapper(ssl, out, outlen, in_, inlen, arg):

334

try:

335

conn = Connection._reverse_mapping[ssl]

336

337

# The string passed to us is made up of multiple

338

# length-prefixed bytestrings. We need to split that into a

339

# list.

340

instr = _ffi.buffer(in_, inlen)[:]

341

protolist = []

342

while instr:

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

343

encoded_len = indexbytes(instr, 0)

344

proto = instr[1:encoded_len + 1]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

345

protolist.append(proto)

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

346

instr = instr[encoded_len + 1:]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

347

348

# Call the callback

349

outstr = callback(conn, protolist)

350

351

if not isinstance(outstr, _binary_type):

352

raise TypeError("ALPN callback must return a bytestring.")

353

354

# Save our callback arguments on the connection object to make

355

# sure that they don't get freed before OpenSSL can use them.

356

# Then, return them in the appropriate output parameters.

357

conn._alpn_select_callback_args = [

358

_ffi.new("unsigned char *", len(outstr)),

359

_ffi.new("unsigned char[]", outstr),

360

]

361

outlen[0] = conn._alpn_select_callback_args[0][0]

362

out[0] = conn._alpn_select_callback_args[1]

363

return 0

364

except Exception as e:

365

self._problems.append(e)

366

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

367

368

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

369

("int (*)(SSL *, unsigned char **, unsigned char *, "

370

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

wrapper

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

375

def _asFileDescriptor(obj):

376

fd = None

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

377

if not isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

378

meth = getattr(obj, "fileno", None)

379

if meth is not None:

380

obj = meth()

381

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

382

if isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

383

fd = obj

384

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

385

if not isinstance(fd, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

386

raise TypeError("argument must be an int, or have a fileno() method.")

387

elif fd < 0:

388

raise ValueError(

389

"file descriptor cannot be a negative integer (%i)" % (fd,))

return fd

Jean-Paul Calderone

2013-03-04 12:23:51 -0800

[diff] [blame]

394

def SSLeay_version(type):

395

"""

396

Return a string describing the version of OpenSSL in use.

397

398

:param type: One of the SSLEAY_ constants defined in this module.

399

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

400

return _ffi.string(_lib.SSLeay_version(type))

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

401

402

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

403

def _make_requires(flag, error):

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

404

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

405

Builds a decorator that ensures that functions that rely on OpenSSL

406

functions that are not present in this build raise NotImplementedError,

407

rather than AttributeError coming out of cryptography.

408

409

:param flag: A cryptography flag that guards the functions, e.g.

410

``Cryptography_HAS_NEXTPROTONEG``.

411

:param error: The string to be used in the exception if the flag is false.

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

412

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

413

def _requires_decorator(func):

414

if not flag:

415

@wraps(func)

416

def explode(*args, **kwargs):

417

raise NotImplementedError(error)

418

return explode

419

else:

420

return func

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

421

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

422

return _requires_decorator

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

423

424

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

425

_requires_npn = _make_requires(

426

_lib.Cryptography_HAS_NEXTPROTONEG, "NPN not available"

427

)

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

428

429

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

430

_requires_alpn = _make_requires(

431

_lib.Cryptography_HAS_ALPN, "ALPN not available"

432

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

433

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

434

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

435

_requires_sni = _make_requires(

436

_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"

437

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

438

439

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

440

class Session(object):

pass

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

444

class Context(object):

445

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

446

:class:`OpenSSL.SSL.Context` instances define the parameters for setting

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

447

up new SSL connections.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

448

"""

449

_methods = {

Andrew Dunham

ec84a0a

2014-02-24 12:41:37 -0800

[diff] [blame]

450

SSLv2_METHOD: "SSLv2_method",

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

451

SSLv3_METHOD: "SSLv3_method",

452

SSLv23_METHOD: "SSLv23_method",

453

TLSv1_METHOD: "TLSv1_method",

454

TLSv1_1_METHOD: "TLSv1_1_method",

455

TLSv1_2_METHOD: "TLSv1_2_method",

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

456

}

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

457

_methods = dict(

458

(identifier, getattr(_lib, name))

459

for (identifier, name) in _methods.items()

460

if getattr(_lib, name, None) is not None)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

461

462

def __init__(self, method):

463

"""

464

:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or

465

TLSv1_METHOD.

466

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

467

if not isinstance(method, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

468

raise TypeError("method must be an integer")

469

470

try:

471

method_func = self._methods[method]

472

except KeyError:

473

raise ValueError("No such protocol")

474

475

method_obj = method_func()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

476

_openssl_assert(method_obj != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

477

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

478

context = _lib.SSL_CTX_new(method_obj)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

479

_openssl_assert(context != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

480

context = _ffi.gc(context, _lib.SSL_CTX_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

481

482

self._context = context

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

483

self._passphrase_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

484

self._passphrase_callback = None

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

485

self._passphrase_userdata = None

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

486

self._verify_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

487

self._verify_callback = None

488

self._info_callback = None

489

self._tlsext_servername_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

490

self._app_data = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

491

self._npn_advertise_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

492

self._npn_advertise_callback = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

493

self._npn_select_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

494

self._npn_select_callback = None

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

495

self._alpn_select_helper = None

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

496

self._alpn_select_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

497

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

498

# SSL_CTX_set_app_data(self->ctx, self);

499

# SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |

500

# SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

501

# SSL_MODE_AUTO_RETRY);

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

502

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

503

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

504

def load_verify_locations(self, cafile, capath=None):

505

"""

506

Let SSL know where we can find trusted certificates for the certificate

507

chain

508

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

509

:param cafile: In which file we can find the certificates (``bytes`` or

510

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

511

:param capath: In which directory we can find the certificates

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

512

(``bytes`` or ``unicode``).

513

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

514

:return: None

515

"""

516

if cafile is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

517

cafile = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

518

else:

519

cafile = _path_string(cafile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

520

521

if capath is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

522

capath = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

523

else:

524

capath = _path_string(capath)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

525

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

526

load_result = _lib.SSL_CTX_load_verify_locations(

527

self._context, cafile, capath

528

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

529

if not load_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

530

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

531

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

532

def _wrap_callback(self, callback):

533

@wraps(callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

534

def wrapper(size, verify, userdata):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

535

return callback(size, verify, self._passphrase_userdata)

536

return _PassphraseHelper(

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

537

FILETYPE_PEM, wrapper, more_args=True, truncate=True)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

538

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

539

def set_passwd_cb(self, callback, userdata=None):

540

"""

541

Set the passphrase callback

542

543

:param callback: The Python callback to use

544

:param userdata: (optional) A Python object which will be given as

545

argument to the callback

546

:return: None

547

"""

548

if not callable(callback):

549

raise TypeError("callback must be callable")

550

551

self._passphrase_helper = self._wrap_callback(callback)

552

self._passphrase_callback = self._passphrase_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

553

_lib.SSL_CTX_set_default_passwd_cb(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

554

self._context, self._passphrase_callback)

555

self._passphrase_userdata = userdata

556

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

557

def set_default_verify_paths(self):

558

"""

559

Use the platform-specific CA certificate locations

560

561

:return: None

562

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

563

set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

564

if not set_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

565

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

566

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

567

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

568

def use_certificate_chain_file(self, certfile):

569

"""

570

Load a certificate chain from a file

571

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

572

:param certfile: The name of the certificate chain file (``bytes`` or

573

``unicode``).

574

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

575

:return: None

576

"""

Jean-Paul Calderone

aac43a3

2015-04-12 09:51:21 -0400

[diff] [blame]

577

certfile = _path_string(certfile)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

578

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

579

result = _lib.SSL_CTX_use_certificate_chain_file(

580

self._context, certfile

581

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

582

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

583

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

584

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

585

def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

586

"""

587

Load a certificate from a file

588

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

589

:param certfile: The name of the certificate file (``bytes`` or

590

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

591

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

592

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

593

:return: None

594

"""

Jean-Paul Calderone

d57a7b6

2015-04-12 09:57:36 -0400

[diff] [blame]

595

certfile = _path_string(certfile)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

596

if not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

597

raise TypeError("filetype must be an integer")

598

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

599

use_result = _lib.SSL_CTX_use_certificate_file(

600

self._context, certfile, filetype

601

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

602

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

603

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

604

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

605

def use_certificate(self, cert):

606

"""

607

Load a certificate from a X509 object

608

609

:param cert: The X509 object

610

:return: None

611

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

612

if not isinstance(cert, X509):

613

raise TypeError("cert must be an X509 instance")

614

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

615

use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

616

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

617

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

618

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

619

def add_extra_chain_cert(self, certobj):

620

"""

621

Add certificate to chain

622

623

:param certobj: The X509 certificate object to add to the chain

624

:return: None

625

"""

626

if not isinstance(certobj, X509):

627

raise TypeError("certobj must be an X509 instance")

628

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

629

copy = _lib.X509_dup(certobj._x509)

630

add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

631

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

632

# TODO: This is untested.

633

_lib.X509_free(copy)

634

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

635

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

636

def _raise_passphrase_exception(self):

637

if self._passphrase_helper is None:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

638

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

639

exception = self._passphrase_helper.raise_if_problem(Error)

640

if exception is not None:

641

raise exception

642

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

643

def use_privatekey_file(self, keyfile, filetype=_UNSPECIFIED):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

644

"""

645

Load a private key from a file

646

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

647

:param keyfile: The name of the key file (``bytes`` or ``unicode``)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

648

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

649

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

650

:return: None

651

"""

Jean-Paul Calderone

69a4e5b

2015-04-12 10:04:28 -0400

[diff] [blame]

652

keyfile = _path_string(keyfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

653

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

654

if filetype is _UNSPECIFIED:

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

655

filetype = FILETYPE_PEM

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

656

elif not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

657

raise TypeError("filetype must be an integer")

658

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

659

use_result = _lib.SSL_CTX_use_PrivateKey_file(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

660

self._context, keyfile, filetype)

661

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

662

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

663

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

664

def use_privatekey(self, pkey):

665

"""

666

Load a private key from a PKey object

667

668

:param pkey: The PKey object

669

:return: None

670

"""

671

if not isinstance(pkey, PKey):

672

raise TypeError("pkey must be a PKey instance")

673

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

674

use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

675

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

676

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

677

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

678

def check_privatekey(self):

679

"""

680

Check that the private key and certificate match up

681

682

:return: None (raises an exception if something's wrong)

683

"""

Jean-Paul Calderone

a034492

2014-12-11 14:02:31 -0500

[diff] [blame]

684

if not _lib.SSL_CTX_check_private_key(self._context):

685

_raise_current_error()

686

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

687

def load_client_ca(self, cafile):

688

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

689

Load the trusted certificates that will be sent to the client. Does

690

not actually imply any of the certificates are trusted; that must be

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

691

configured separately.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

692

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

693

:param bytes cafile: The path to a certificates file in PEM format.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

694

:return: None

695

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

696

ca_list = _lib.SSL_load_client_CA_file(

697

_text_to_bytes_and_warn("cafile", cafile)

698

)

699

_openssl_assert(ca_list != _ffi.NULL)

700

# SSL_CTX_set_client_CA_list doesn't return anything.

701

_lib.SSL_CTX_set_client_CA_list(self._context, ca_list)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

702

703

def set_session_id(self, buf):

704

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

705

Set the session id to *buf* within which a session can be reused for

706

this Context object. This is needed when doing session resumption,

707

because there is no way for a stored session to know which Context

708

object it is associated with.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

709

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

710

:param bytes buf: The session id.

711

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

712

:returns: None

713

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

714

buf = _text_to_bytes_and_warn("buf", buf)

715

_openssl_assert(

716

_lib.SSL_CTX_set_session_id_context(

self._context,

buf,

len(buf),

) == 1

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

722

723

def set_session_cache_mode(self, mode):

724

"""

725

Enable/disable session caching and specify the mode used.

726

727

:param mode: One or more of the SESS_CACHE_* flags (combine using

728

bitwise or)

729

:returns: The previously set caching mode.

730

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

731

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

732

raise TypeError("mode must be an integer")

733

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

734

return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

735

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

736

def get_session_cache_mode(self):

737

"""

738

:returns: The currently used cache mode.

739

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

740

return _lib.SSL_CTX_get_session_cache_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

741

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

742

def set_verify(self, mode, callback):

743

"""

744

Set the verify mode and verify callback

745

746

:param mode: The verify mode, this is either VERIFY_NONE or

747

VERIFY_PEER combined with possible other flags

748

:param callback: The Python callback to use

749

:return: None

750

751

See SSL_CTX_set_verify(3SSL) for further details.

752

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

753

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

754

raise TypeError("mode must be an integer")

755

756

if not callable(callback):

757

raise TypeError("callback must be callable")

758

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

759

self._verify_helper = _VerifyHelper(callback)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

760

self._verify_callback = self._verify_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

761

_lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

762

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

763

def set_verify_depth(self, depth):

"""

Set the verify depth

:param depth: An integer specifying the verify depth

768

:return: None

769

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

770

if not isinstance(depth, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

771

raise TypeError("depth must be an integer")

772

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

773

_lib.SSL_CTX_set_verify_depth(self._context, depth)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

774

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

775

def get_verify_mode(self):

"""

Get the verify mode

:return: The verify mode

780

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

781

return _lib.SSL_CTX_get_verify_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

782

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

783

def get_verify_depth(self):

"""

Get the verify depth

:return: The verify depth

788

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

789

return _lib.SSL_CTX_get_verify_depth(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

790

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

791

def load_tmp_dh(self, dhfile):

792

"""

793

Load parameters for Ephemeral Diffie-Hellman

794

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

795

:param dhfile: The file to load EDH parameters from (``bytes`` or

796

``unicode``).

797

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

798

:return: None

799

"""

Jean-Paul Calderone

9e1c1dd

2015-04-12 10:13:13 -0400

[diff] [blame]

800

dhfile = _path_string(dhfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

801

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

802

bio = _lib.BIO_new_file(dhfile, b"r")

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

803

if bio == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

804

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

805

bio = _ffi.gc(bio, _lib.BIO_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

806

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

807

dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)

808

dh = _ffi.gc(dh, _lib.DH_free)

809

_lib.SSL_CTX_set_tmp_dh(self._context, dh)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

810

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

811

def set_tmp_ecdh(self, curve):

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

812

"""

Andy Lutomirski

76a6133

2014-03-12 15:02:56 -0700

[diff] [blame]

813

Select a curve to use for ECDHE key exchange.

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

814

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

815

:param curve: A curve object to use as returned by either

816

:py:meth:`OpenSSL.crypto.get_elliptic_curve` or

817

:py:meth:`OpenSSL.crypto.get_elliptic_curves`.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

818

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

819

:return: None

820

"""

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

821

_lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

822

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

823

def set_cipher_list(self, cipher_list):

824

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

825

Set the list of ciphers to be used in this context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

826

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

827

See the OpenSSL manual for more information (e.g.

828

:manpage:`ciphers(1)`).

829

830

:param bytes cipher_list: An OpenSSL cipher string.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

831

:return: None

832

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

833

cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

834

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

835

if not isinstance(cipher_list, bytes):

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

836

raise TypeError("cipher_list must be a byte string.")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

837

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

838

_openssl_assert(

Hynek Schlawack

22a4b66

2016-03-11 14:59:39 +0100

[diff] [blame]

839

_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

840

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

841

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

842

def set_client_ca_list(self, certificate_authorities):

843

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

844

Set the list of preferred client certificate signers for this server

845

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

846

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

847

This list of certificate authorities will be sent to the client when

848

the server requests a client certificate.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

849

850

:param certificate_authorities: a sequence of X509Names.

851

:return: None

852

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

853

name_stack = _lib.sk_X509_NAME_new_null()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

854

_openssl_assert(name_stack != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

855

856

try:

857

for ca_name in certificate_authorities:

858

if not isinstance(ca_name, X509Name):

859

raise TypeError(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

860

"client CAs must be X509Name objects, not %s "

861

"objects" % (

862

type(ca_name).__name__,

863

)

864

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

865

copy = _lib.X509_NAME_dup(ca_name._name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

866

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

867

push_result = _lib.sk_X509_NAME_push(name_stack, copy)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

868

if not push_result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

869

_lib.X509_NAME_free(copy)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

870

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

871

except:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

872

_lib.sk_X509_NAME_free(name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

873

raise

874

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

875

_lib.SSL_CTX_set_client_CA_list(self._context, name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

876

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

877

def add_client_ca(self, certificate_authority):

878

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

879

Add the CA certificate to the list of preferred signers for this

880

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

881

882

The list of certificate authorities will be sent to the client when the

883

server requests a client certificate.

884

885

:param certificate_authority: certificate authority's X509 certificate.

886

:return: None

887

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

888

if not isinstance(certificate_authority, X509):

889

raise TypeError("certificate_authority must be an X509 instance")

890

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

891

add_result = _lib.SSL_CTX_add_client_CA(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

892

self._context, certificate_authority._x509)

893

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

894

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

895

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

896

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

897

def set_timeout(self, timeout):

"""

Set session timeout

:param timeout: The timeout in seconds

902

:return: The previous session timeout

903

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

904

if not isinstance(timeout, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

905

raise TypeError("timeout must be an integer")

906

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

907

return _lib.SSL_CTX_set_timeout(self._context, timeout)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

908

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

909

def get_timeout(self):

910

"""

911

Get the session timeout

912

913

:return: The session timeout

914

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

915

return _lib.SSL_CTX_get_timeout(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

916

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

917

def set_info_callback(self, callback):

918

"""

919

Set the info callback

920

921

:param callback: The Python callback to use

922

:return: None

923

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

924

@wraps(callback)

925

def wrapper(ssl, where, return_code):

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

926

callback(Connection._reverse_mapping[ssl], where, return_code)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

927

self._info_callback = _ffi.callback(

928

"void (*)(const SSL *, int, int)", wrapper)

929

_lib.SSL_CTX_set_info_callback(self._context, self._info_callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

930

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

931

def get_app_data(self):

932

"""

933

Get the application data (supplied via set_app_data())

934

935

:return: The application data

936

"""

937

return self._app_data

938

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

939

def set_app_data(self, data):

940

"""

941

Set the application data (will be returned from get_app_data())

942

943

:param data: Any Python object

944

:return: None

945

"""

946

self._app_data = data

947

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

948

def get_cert_store(self):

949

"""

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

950

Get the certificate store for the context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

951

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

952

:return: A X509Store object or None if it does not have one.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

953

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

954

store = _lib.SSL_CTX_get_cert_store(self._context)

955

if store == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

956

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

957

return None

958

959

pystore = X509Store.__new__(X509Store)

960

pystore._store = store

961

return pystore

962

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

963

def set_options(self, options):

964

"""

965

Add options. Options set before are not cleared!

966

967

:param options: The options to add.

968

:return: The new option bitmask.

969

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

970

if not isinstance(options, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

971

raise TypeError("options must be an integer")

972

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

973

return _lib.SSL_CTX_set_options(self._context, options)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

974

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

975

def set_mode(self, mode):

976

"""

977

Add modes via bitmask. Modes set before are not cleared!

978

979

:param mode: The mode to add.

980

:return: The new mode bitmask.

981

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

982

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

983

raise TypeError("mode must be an integer")

984

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

985

return _lib.SSL_CTX_set_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

986

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

987

@_requires_sni

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

988

def set_tlsext_servername_callback(self, callback):

989

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

990

Specify a callback function to be called when clients specify a server

991

name.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

992

993

:param callback: The callback function. It will be invoked with one

994

argument, the Connection instance.

995

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

996

@wraps(callback)

997

def wrapper(ssl, alert, arg):

998

callback(Connection._reverse_mapping[ssl])

999

return 0

1000

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1001

self._tlsext_servername_callback = _ffi.callback(

1002

"int (*)(const SSL *, int *, void *)", wrapper)

1003

_lib.SSL_CTX_set_tlsext_servername_callback(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1004

self._context, self._tlsext_servername_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1005

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1006

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1007

def set_npn_advertise_callback(self, callback):

1008

"""

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1009

Specify a callback function that will be called when offering `Next

1010

Protocol Negotiation

1011

<https://technotes.googlecode.com/git/nextprotoneg.html>`_ as a server.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1012

1013

:param callback: The callback function. It will be invoked with one

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1014

argument, the Connection instance. It should return a list of

1015

bytestrings representing the advertised protocols, like

1016

``[b'http/1.1', b'spdy/2']``.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1017

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1018

self._npn_advertise_helper = _NpnAdvertiseHelper(callback)

1019

self._npn_advertise_callback = self._npn_advertise_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1020

_lib.SSL_CTX_set_next_protos_advertised_cb(

1021

self._context, self._npn_advertise_callback, _ffi.NULL)

1022

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1023

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1024

def set_npn_select_callback(self, callback):

1025

"""

1026

Specify a callback function that will be called when a server offers

1027

Next Protocol Negotiation options.

1028

1029

:param callback: The callback function. It will be invoked with two

1030

arguments: the Connection, and a list of offered protocols as

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1031

bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return

1032

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1033

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1034

self._npn_select_helper = _NpnSelectHelper(callback)

1035

self._npn_select_callback = self._npn_select_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1036

_lib.SSL_CTX_set_next_proto_select_cb(

1037

self._context, self._npn_select_callback, _ffi.NULL)

1038

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1039

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1040

def set_alpn_protos(self, protos):

1041

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1042

Specify the clients ALPN protocol list.

1043

1044

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1045

1046

:param protos: A list of the protocols to be offered to the server.

1047

This list should be a Python list of bytestrings representing the

1048

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1049

"""

1050

# Take the list of protocols and join them together, prefixing them

1051

# with their lengths.

1052

protostr = b''.join(

1053

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1054

)

1055

1056

# Build a C string from the list. We don't need to save this off

1057

# because OpenSSL immediately copies the data out.

1058

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

e871af5

2015-04-11 17:57:50 -0400

[diff] [blame]

1059

input_str_len = _ffi.cast("unsigned", len(protostr))

1060

_lib.SSL_CTX_set_alpn_protos(self._context, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1061

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1062

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1063

def set_alpn_select_callback(self, callback):

1064

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1065

Set the callback to handle ALPN protocol choice.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1066

1067

:param callback: The callback function. It will be invoked with two

1068

arguments: the Connection, and a list of offered protocols as

1069

bytestrings, e.g ``[b'http/1.1', b'spdy/2']``. It should return

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1070

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1071

"""

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

1072

self._alpn_select_helper = _ALPNSelectHelper(callback)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1073

self._alpn_select_callback = self._alpn_select_helper.callback

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1074

_lib.SSL_CTX_set_alpn_select_cb(

1075

self._context, self._alpn_select_callback, _ffi.NULL)

1076

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1077

ContextType = Context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1078

1079

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1080

class Connection(object):

1081

"""

1082

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1083

_reverse_mapping = WeakValueDictionary()

1084

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1085

def __init__(self, context, socket=None):

1086

"""

1087

Create a new Connection object, using the given OpenSSL.SSL.Context

1088

instance and socket.

1089

1090

:param context: An SSL Context to use for this connection

1091

:param socket: The socket to use for transport layer

1092

"""

1093

if not isinstance(context, Context):

1094

raise TypeError("context must be a Context instance")

1095

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1096

ssl = _lib.SSL_new(context._context)

1097

self._ssl = _ffi.gc(ssl, _lib.SSL_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1098

self._context = context

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

1099

self._app_data = None

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1100

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1101

# References to strings used for Next Protocol Negotiation. OpenSSL's

1102

# header files suggest that these might get copied at some point, but

1103

# doesn't specify when, so we store them here to make sure they don't

1104

# get freed before OpenSSL uses them.

1105

self._npn_advertise_callback_args = None

1106

self._npn_select_callback_args = None

1107

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1108

# References to strings used for Application Layer Protocol

1109

# Negotiation. These strings get copied at some point but it's well

1110

# after the callback returns, so we have to hang them somewhere to

1111

# avoid them getting freed.

1112

self._alpn_select_callback_args = None

1113

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1114

self._reverse_mapping[self._ssl] = self

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1115

1116

if socket is None:

1117

self._socket = None

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1118

# Don't set up any gc for these, SSL_free will take care of them.

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1119

self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

1120

_openssl_assert(self._into_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1121

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

1122

self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())

1123

_openssl_assert(self._from_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1124

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1125

_lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1126

else:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1127

self._into_ssl = None

1128

self._from_ssl = None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1129

self._socket = socket

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1130

set_result = _lib.SSL_set_fd(

1131

self._ssl, _asFileDescriptor(self._socket))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1132

if not set_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1133

# TODO: This is untested.

1134

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1135

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1136

def __getattr__(self, name):

1137

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1138

Look up attributes on the wrapped socket object if they are not found

1139

on the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1140

"""

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1141

if self._socket is None:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1142

raise AttributeError("'%s' object has no attribute '%s'" % (

1143

self.__class__.__name__, name

1144

))

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1145

else:

1146

return getattr(self._socket, name)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1147

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1148

def _raise_ssl_error(self, ssl, result):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1149

if self._context._verify_helper is not None:

1150

self._context._verify_helper.raise_if_problem()

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1151

if self._context._npn_advertise_helper is not None:

1152

self._context._npn_advertise_helper.raise_if_problem()

1153

if self._context._npn_select_helper is not None:

1154

self._context._npn_select_helper.raise_if_problem()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1155

if self._context._alpn_select_helper is not None:

1156

self._context._alpn_select_helper.raise_if_problem()

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1157

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1158

error = _lib.SSL_get_error(ssl, result)

1159

if error == _lib.SSL_ERROR_WANT_READ:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1160

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1161

elif error == _lib.SSL_ERROR_WANT_WRITE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1162

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1163

elif error == _lib.SSL_ERROR_ZERO_RETURN:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1164

raise ZeroReturnError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1165

elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1166

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1167

raise WantX509LookupError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1168

elif error == _lib.SSL_ERROR_SYSCALL:

1169

if _lib.ERR_peek_error() == 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1170

if result < 0:

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

1171

if platform == "win32":

1172

errno = _ffi.getwinerror()[0]

1173

else:

1174

errno = _ffi.errno

Glyph

3afdba8

2015-04-14 17:30:53 -0400

[diff] [blame]

1175

raise SysCallError(errno, errorcode.get(errno))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1176

else:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1177

raise SysCallError(-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1178

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1179

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1180

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1181

elif error == _lib.SSL_ERROR_NONE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1182

pass

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1183

else:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1184

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1185

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1186

def get_context(self):

1187

"""

1188

Get session context

1189

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1190

return self._context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1191

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1192

def set_context(self, context):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1193

"""

1194

Switch this connection to a new session context

1195

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1196

:param context: A :py:class:`Context` instance giving the new session

1197

context to use.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1198

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1199

if not isinstance(context, Context):

1200

raise TypeError("context must be a Context instance")

1201

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1202

_lib.SSL_set_SSL_CTX(self._ssl, context._context)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1203

self._context = context

1204

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1205

@_requires_sni

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1206

def get_servername(self):

1207

"""

1208

Retrieve the servername extension value if provided in the client hello

1209

message, or None if there wasn't one.

1210

1211

:return: A byte string giving the server name or :py:data:`None`.

1212

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1213

name = _lib.SSL_get_servername(

1214

self._ssl, _lib.TLSEXT_NAMETYPE_host_name

1215

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1216

if name == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1217

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1218

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1219

return _ffi.string(name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1220

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1221

@_requires_sni

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1222

def set_tlsext_host_name(self, name):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1223

"""

1224

Set the value of the servername extension to send in the client hello.

1225

1226

:param name: A byte string giving the name.

1227

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1228

if not isinstance(name, bytes):

1229

raise TypeError("name must be a byte string")

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1230

elif b"\0" in name:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1231

raise TypeError("name must not contain NUL byte")

1232

1233

# XXX I guess this can fail sometimes?

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1234

_lib.SSL_set_tlsext_host_name(self._ssl, name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1235

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1236

def pending(self):

1237

"""

1238

Get the number of bytes that can be safely read from the connection

1239

1240

:return: The number of bytes available in the receive buffer.

1241

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1242

return _lib.SSL_pending(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1243

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1244

def send(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1245

"""

1246

Send data on the connection. NOTE: If you get one of the WantRead,

1247

WantWrite or WantX509Lookup exceptions on this, you have to call the

1248

method again with the SAME buffer.

1249

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1250

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1251

:param flags: (optional) Included for compatibility with the socket

1252

API, the value is ignored

1253

:return: The number of bytes written

1254

"""

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1255

# Backward compatibility

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1256

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1257

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1258

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1259

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1260

if isinstance(buf, _buffer):

1261

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1262

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1263

raise TypeError("data must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1264

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1265

result = _lib.SSL_write(self._ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1266

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return result

write = send

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1270

def sendall(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1271

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1272

Send "all" data on the connection. This calls send() repeatedly until

1273

all data is sent. If an error occurs, it's impossible to tell how much

1274

data has been sent.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1275

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1276

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1277

:param flags: (optional) Included for compatibility with the socket

1278

API, the value is ignored

1279

:return: The number of bytes written

1280

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1281

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1282

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1283

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1284

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1285

if isinstance(buf, _buffer):

1286

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1287

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1288

raise TypeError("buf must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1289

1290

left_to_send = len(buf)

1291

total_sent = 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1292

data = _ffi.new("char[]", buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1293

1294

while left_to_send:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1295

result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1296

self._raise_ssl_error(self._ssl, result)

1297

total_sent += result

1298

left_to_send -= result

1299

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1300

def recv(self, bufsiz, flags=None):

1301

"""

Alex Gaynor

67fc8c9

2016-05-27 08:27:19 -0400

[diff] [blame]

1302

Receive data on the connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1303

1304

:param bufsiz: The maximum number of bytes to read

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1305

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1306

all other flags are ignored.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1307

:return: The string read from the Connection

1308

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1309

buf = _ffi.new("char[]", bufsiz)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1310

if flags is not None and flags & socket.MSG_PEEK:

1311

result = _lib.SSL_peek(self._ssl, buf, bufsiz)

1312

else:

1313

result = _lib.SSL_read(self._ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1314

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1315

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1316

read = recv

1317

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1318

def recv_into(self, buffer, nbytes=None, flags=None):

1319

"""

1320

Receive data on the connection and store the data into a buffer rather

1321

than creating a new string.

1322

1323

:param buffer: The buffer to copy into.

1324

:param nbytes: (optional) The maximum number of bytes to read into the

1325

buffer. If not present, defaults to the size of the buffer. If

1326

larger than the size of the buffer, is reduced to the size of the

1327

buffer.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1328

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1329

all other flags are ignored.

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1330

:return: The number of bytes read into the buffer.

"""

if nbytes is None:

nbytes = len(buffer)

else:

nbytes = min(nbytes, len(buffer))

1336

1337

# We need to create a temporary buffer. This is annoying, it would be

1338

# better if we could pass memoryviews straight into the SSL_read call,

1339

# but right now we can't. Revisit this if CFFI gets that ability.

1340

buf = _ffi.new("char[]", nbytes)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1341

if flags is not None and flags & socket.MSG_PEEK:

1342

result = _lib.SSL_peek(self._ssl, buf, nbytes)

1343

else:

1344

result = _lib.SSL_read(self._ssl, buf, nbytes)

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1345

self._raise_ssl_error(self._ssl, result)

1346

1347

# This strange line is all to avoid a memory copy. The buffer protocol

1348

# should allow us to assign a CFFI buffer to the LHS of this line, but

1349

# on CPython 3.3+ that segfaults. As a workaround, we can temporarily

1350

# wrap it in a memoryview, except on Python 2.6 which doesn't have a

1351

# memoryview type.

1352

try:

1353

buffer[:result] = memoryview(_ffi.buffer(buf, result))

1354

except NameError:

1355

buffer[:result] = _ffi.buffer(buf, result)

return result

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1359

def _handle_bio_errors(self, bio, result):

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1360

if _lib.BIO_should_retry(bio):

1361

if _lib.BIO_should_read(bio):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1362

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1363

elif _lib.BIO_should_write(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1364

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1365

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1366

elif _lib.BIO_should_io_special(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1367

# TODO: This is untested. I think io_special means the socket

1368

# BIO has a not-yet connected socket.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1369

raise ValueError("BIO_should_io_special")

1370

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1371

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1372

raise ValueError("unknown bio failure")

1373

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1374

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1375

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1376

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1377

def bio_read(self, bufsiz):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1378

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1379

When using non-socket connections this function reads the "dirty" data

1380

that would have traveled away on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1381

1382

:param bufsiz: The maximum number of bytes to read

1383

:return: The string read.

1384

"""

Jean-Paul Calderone

97e041d

2013-03-05 21:03:12 -0800

[diff] [blame]

1385

if self._from_ssl is None:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1386

raise TypeError("Connection sock was not None")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1387

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1388

if not isinstance(bufsiz, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1389

raise TypeError("bufsiz must be an integer")

1390

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1391

buf = _ffi.new("char[]", bufsiz)

1392

result = _lib.BIO_read(self._from_ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1393

if result <= 0:

1394

self._handle_bio_errors(self._from_ssl, result)

1395

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1396

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1397

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1398

def bio_write(self, buf):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1399

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1400

When using non-socket connections this function sends "dirty" data that

1401

would have traveled in on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1402

1403

:param buf: The string to put into the memory BIO.

1404

:return: The number of bytes written

1405

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1406

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1407

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1408

if self._into_ssl is None:

1409

raise TypeError("Connection sock was not None")

1410

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1411

result = _lib.BIO_write(self._into_ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1412

if result <= 0:

1413

self._handle_bio_errors(self._into_ssl, result)

1414

return result

1415

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1416

def renegotiate(self):

1417

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1418

Renegotiate the session.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1419

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1420

:return: True if the renegotiation can be started, False otherwise

1421

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1422

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1423

if not self.renegotiate_pending():

1424

_openssl_assert(_lib.SSL_renegotiate(self._ssl) == 1)

1425

return True

1426

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1427

1428

def do_handshake(self):

1429

"""

1430

Perform an SSL handshake (usually called after renegotiate() or one of

1431

set_*_state()). This can raise the same exceptions as send and recv.

1432

1433

:return: None.

1434

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1435

result = _lib.SSL_do_handshake(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1436

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1437

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1438

def renegotiate_pending(self):

1439

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1440

Check if there's a renegotiation in progress, it will return False once

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1441

a renegotiation is finished.

1442

1443

:return: Whether there's a renegotiation in progress

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1444

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1445

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1446

return _lib.SSL_renegotiate_pending(self._ssl) == 1

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1447

1448

def total_renegotiations(self):

1449

"""

1450

Find out the total number of renegotiations.

1451

1452

:return: The number of renegotiations.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1453

:rtype: int

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1454

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1455

return _lib.SSL_total_renegotiations(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1456

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1457

def connect(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1458

"""

1459

Connect to remote host and set up client-side SSL

1460

1461

:param addr: A remote address

1462

:return: What the socket's connect method returns

1463

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1464

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1465

return self._socket.connect(addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1466

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1467

def connect_ex(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1468

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1469

Connect to remote host and set up client-side SSL. Note that if the

1470

socket's connect_ex method doesn't return 0, SSL won't be initialized.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1471

1472

:param addr: A remove address

1473

:return: What the socket's connect_ex method returns

1474

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1475

connect_ex = self._socket.connect_ex

1476

self.set_connect_state()

1477

return connect_ex(addr)

1478

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1479

def accept(self):

1480

"""

1481

Accept incoming connection and set up SSL on it

1482

1483

:return: A (conn,addr) pair where conn is a Connection and addr is an

1484

address

1485

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1486

client, addr = self._socket.accept()

1487

conn = Connection(self._context, client)

1488

conn.set_accept_state()

1489

return (conn, addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1490

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1491

def bio_shutdown(self):

1492

"""

1493

When using non-socket connections this function signals end of

1494

data on the input for this connection.

1495

1496

:return: None

1497

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1498

if self._from_ssl is None:

1499

raise TypeError("Connection sock was not None")

1500

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1501

_lib.BIO_set_mem_eof_return(self._into_ssl, 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1502

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

def shutdown(self):

"""

Send closure alert

:return: True if the shutdown completed successfully (i.e. both sides

1508

have sent closure alerts), false otherwise (i.e. you have to

1509

wait for a ZeroReturnError on a recv() method call

1510

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1511

result = _lib.SSL_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1512

if result < 0:

Paul Aurich

bff1d1a

2015-01-08 08:36:53 -0800

[diff] [blame]

1513

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1514

elif result > 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1515

return True

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

else:

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1519

def get_cipher_list(self):

1520

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1521

Retrieve the list of ciphers used by the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1522

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1523

:return: A list of native cipher strings.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1524

"""

1525

ciphers = []

1526

for i in count():

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1527

result = _lib.SSL_get_cipher_list(self._ssl, i)

1528

if result == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1529

break

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1530

ciphers.append(_native(_ffi.string(result)))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1531

return ciphers

1532

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1533

def get_client_ca_list(self):

1534

"""

1535

Get CAs whose certificates are suggested for client authentication.

1536

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1537

:return: If this is a server connection, a list of X509Names

1538

representing the acceptable CAs as set by

1539

:py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or

1540

:py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client

1541

connection, the list of such X509Names sent by the server, or an

1542

empty list if that has not yet happened.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1543

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1544

ca_names = _lib.SSL_get_client_CA_list(self._ssl)

1545

if ca_names == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1546

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1547

return []

1548

1549

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1550

for i in range(_lib.sk_X509_NAME_num(ca_names)):

1551

name = _lib.sk_X509_NAME_value(ca_names, i)

1552

copy = _lib.X509_NAME_dup(name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame^]

1553

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1554

1555

pyname = X509Name.__new__(X509Name)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1556

pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1557

result.append(pyname)

1558

return result

1559

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1560

def makefile(self):

1561

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1562

The makefile() method is not implemented, since there is no dup

1563

semantics for SSL connections

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1564

Jean-Paul Calderone

6749ec2

2014-04-17 16:30:21 -0400

[diff] [blame]

1565

:raise: NotImplementedError

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1566

"""

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

1567

raise NotImplementedError(

1568

"Cannot make file object of OpenSSL.SSL.Connection")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1569

1570

def get_app_data(self):

"""

Get application data

:return: The application data

1575

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1576

return self._app_data

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1577

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1578

def set_app_data(self, data):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set application data

:param data - The application data

1583

:return: None

1584

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1585

self._app_data = data

1586

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1587

def get_shutdown(self):

"""

Get shutdown state

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1591

:return: The shutdown state, a bitvector of SENT_SHUTDOWN,

1592

RECEIVED_SHUTDOWN.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1593

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1594

return _lib.SSL_get_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1595

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1596

def set_shutdown(self, state):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set shutdown state

:param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.

1601

:return: None

1602

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

1603

if not isinstance(state, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1604

raise TypeError("state must be an integer")

1605

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1606

_lib.SSL_set_shutdown(self._ssl, state)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1607

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1608

def get_state_string(self):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1609

"""

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1610

Retrieve a verbose string detailing the state of the Connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1611

1612

:return: A string representing the state

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1613

:rtype: bytes

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1614

"""

kjav

c704a2e

2015-09-07 12:12:27 +0100

[diff] [blame]

1615

return _ffi.string(_lib.SSL_state_string_long(self._ssl))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1616

1617

def server_random(self):

1618

"""

1619

Get a copy of the server hello nonce.

1620

1621

:return: A string representing the state

1622

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1623

session = _lib.SSL_get_session(self._ssl)

1624

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1625

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1626

length = _lib.SSL_get_server_random(self._ssl, _ffi.NULL, 0)

1627

assert length > 0

1628

outp = _ffi.new("char[]", length)

1629

_lib.SSL_get_server_random(self._ssl, outp, length)

1630

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1631

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1632

def client_random(self):

1633

"""

1634

Get a copy of the client hello nonce.

1635

1636

:return: A string representing the state

1637

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1638

session = _lib.SSL_get_session(self._ssl)

1639

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1640

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1641

1642

length = _lib.SSL_get_client_random(self._ssl, _ffi.NULL, 0)

1643

assert length > 0

1644

outp = _ffi.new("char[]", length)

1645

_lib.SSL_get_client_random(self._ssl, outp, length)

1646

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1647

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1648

def master_key(self):

1649

"""

1650

Get a copy of the master key.

1651

1652

:return: A string representing the state

1653

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1654

session = _lib.SSL_get_session(self._ssl)

1655

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1656

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1657

1658

length = _lib.SSL_SESSION_get_master_key(session, _ffi.NULL, 0)

1659

assert length > 0

1660

outp = _ffi.new("char[]", length)

1661

_lib.SSL_SESSION_get_master_key(session, outp, length)

1662

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1663

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1664

def sock_shutdown(self, *args, **kwargs):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

See shutdown(2)

:return: What the socket's shutdown() method returns

1669

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1670

return self._socket.shutdown(*args, **kwargs)

1671

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1672

def get_peer_certificate(self):

1673

"""

1674

Retrieve the other side's certificate (if any)

1675

1676

:return: The peer's certificate

1677

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1678

cert = _lib.SSL_get_peer_certificate(self._ssl)

1679

if cert != _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1680

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1681

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return pycert

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1685

def get_peer_cert_chain(self):

1686

"""

1687

Retrieve the other side's certificate (if any)

1688

1689

:return: A list of X509 instances giving the peer's certificate chain,

1690

or None if it does not have one.

1691

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1692

cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)

1693

if cert_stack == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1694

return None

1695

1696

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1697

for i in range(_lib.sk_X509_num(cert_stack)):

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1698

# TODO could incref instead of dup here

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1699

cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1700

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1701

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1702

result.append(pycert)

1703

return result

1704

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1705

def want_read(self):

1706

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1707

Checks if more data has to be read from the transport layer to complete

1708

an operation.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1709

1710

:return: True iff more data has to be read

1711

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1712

return _lib.SSL_want_read(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1713

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1714

def want_write(self):

1715

"""

1716

Checks if there is data to write to the transport layer to complete an

1717

operation.

1718

1719

:return: True iff there is data to write

1720

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1721

return _lib.SSL_want_write(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1722

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1723

def set_accept_state(self):

1724

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1725

Set the connection to work in server mode. The handshake will be

1726

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1727

1728

:return: None

1729

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1730

_lib.SSL_set_accept_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1731

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1732

def set_connect_state(self):

1733

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1734

Set the connection to work in client mode. The handshake will be

1735

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1736

1737

:return: None

1738

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1739

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1740

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1741

def get_session(self):

1742

"""

1743

Returns the Session currently used.

1744

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1745

@return: An instance of :py:class:`OpenSSL.SSL.Session` or

1746

:py:obj:`None` if no session exists.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1747

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1748

session = _lib.SSL_get1_session(self._ssl)

1749

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1750

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1751

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1752

pysession = Session.__new__(Session)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1753

pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1754

return pysession

1755

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1756

def set_session(self, session):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1757

"""

1758

Set the session to be used when the TLS/SSL connection is established.

1759

1760

:param session: A Session instance representing the session to use.

1761

:returns: None

1762

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1763

if not isinstance(session, Session):

1764

raise TypeError("session must be a Session instance")

1765

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1766

result = _lib.SSL_set_session(self._ssl, session._session)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1767

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1768

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1769

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1770

def _get_finished_message(self, function):

1771

"""

1772

Helper to implement :py:meth:`get_finished` and

1773

:py:meth:`get_peer_finished`.

1774

1775

:param function: Either :py:data:`SSL_get_finished`: or

1776

:py:data:`SSL_get_peer_finished`.

1777

1778

:return: :py:data:`None` if the desired message has not yet been

1779

received, otherwise the contents of the message.

1780

:rtype: :py:class:`bytes` or :py:class:`NoneType`

1781

"""

Jean-Paul Calderone

01af904

2014-03-30 11:40:42 -0400

[diff] [blame]

1782

# The OpenSSL documentation says nothing about what might happen if the

1783

# count argument given is zero. Specifically, it doesn't say whether

1784

# the output buffer may be NULL in that case or not. Inspection of the

1785

# implementation reveals that it calls memcpy() unconditionally.

1786

# Section 7.1.4, paragraph 1 of the C standard suggests that

1787

# memcpy(NULL, source, 0) is not guaranteed to produce defined (let

1788

# alone desirable) behavior (though it probably does on just about

1789

# every implementation...)

1790

#

1791

# Allocate a tiny buffer to pass in (instead of just passing NULL as

1792

# one might expect) for the initial call so as to be safe against this

1793

# potentially undefined behavior.

1794

empty = _ffi.new("char[]", 0)

1795

size = function(self._ssl, empty, 0)

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1796

if size == 0:

1797

# No Finished message so far.

1798

return None

1799

1800

buf = _ffi.new("char[]", size)

1801

function(self._ssl, buf, size)

1802

return _ffi.buffer(buf, size)[:]

1803

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1804

def get_finished(self):

1805

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1806

Obtain the latest `handshake finished` message sent to the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1807

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1808

:return: The contents of the message or :py:obj:`None` if the TLS

1809

handshake has not yet completed.

1810

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1811

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1812

return self._get_finished_message(_lib.SSL_get_finished)

1813

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1814

def get_peer_finished(self):

1815

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1816

Obtain the latest `handshake finished` message received from the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1817

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1818

:return: The contents of the message or :py:obj:`None` if the TLS

1819

handshake has not yet completed.

1820

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1821

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1822

return self._get_finished_message(_lib.SSL_get_peer_finished)

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1823

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1824

def get_cipher_name(self):

1825

"""

1826

Obtain the name of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1827

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1828

:returns: The name of the currently used cipher or :py:obj:`None`

1829

if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1830

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1831

"""

1832

cipher = _lib.SSL_get_current_cipher(self._ssl)

1833

if cipher == _ffi.NULL:

1834

return None

1835

else:

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1836

name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))

1837

return name.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1838

1839

def get_cipher_bits(self):

1840

"""

1841

Obtain the number of secret bits of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1842

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1843

:returns: The number of secret bits of the currently used cipher

1844

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1845

:rtype: :py:class:`int` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1846

"""

1847

cipher = _lib.SSL_get_current_cipher(self._ssl)

1848

if cipher == _ffi.NULL:

1849

return None

1850

else:

1851

return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)

1852

1853

def get_cipher_version(self):

1854

"""

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1855

Obtain the protocol version of the currently used cipher.

1856

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1857

:returns: The protocol name of the currently used cipher

1858

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1859

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1860

"""

1861

cipher = _lib.SSL_get_current_cipher(self._ssl)

1862

if cipher == _ffi.NULL:

1863

return None

1864

else:

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

1865

version = _ffi.string(_lib.SSL_CIPHER_get_version(cipher))

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1866

return version.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1867

Jim Shaver

abff188

2015-05-27 09:15:55 -0400

[diff] [blame]

1868

def get_protocol_version_name(self):

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1869

"""

1870

Obtain the protocol version of the current connection.

1871

1872

:returns: The TLS version of the current connection, for example

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1873

the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown``

Jim Shaver

b5b6b0e

2015-05-28 16:47:36 -0400

[diff] [blame]

1874

for connections that were not successfully established.

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1875

:rtype: :py:class:`unicode`

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1876

"""

Jim Shaver

d1c896e

2015-05-27 17:50:21 -0400

[diff] [blame]

1877

version = _ffi.string(_lib.SSL_get_version(self._ssl))

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1878

return version.decode("utf-8")

Jim Shaver

b296792

2015-04-26 23:58:52 -0400

[diff] [blame]

1879

Jim Shaver

208438c

2015-05-28 09:52:38 -0400

[diff] [blame]

1880

def get_protocol_version(self):

1881

"""

1882

Obtain the protocol version of the current connection.

1883

1884

:returns: The TLS version of the current connection, for example

1885

the value for TLS 1 would be 0x769.

1886

:rtype: :py:class:`int`

1887

"""

1888

version = _lib.SSL_version(self._ssl)

1889

return version

1890

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1891

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1892

def get_next_proto_negotiated(self):

1893

"""

1894

Get the protocol that was negotiated by NPN.

1895

"""

1896

data = _ffi.new("unsigned char **")

1897

data_len = _ffi.new("unsigned int *")

1898

1899

_lib.SSL_get0_next_proto_negotiated(self._ssl, data, data_len)

1900

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

1901

return _ffi.buffer(data[0], data_len[0])[:]

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1902

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1903

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1904

def set_alpn_protos(self, protos):

1905

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1906

Specify the client's ALPN protocol list.

1907

1908

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1909

1910

:param protos: A list of the protocols to be offered to the server.

1911

This list should be a Python list of bytestrings representing the

1912

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1913

"""

1914

# Take the list of protocols and join them together, prefixing them

1915

# with their lengths.

1916

protostr = b''.join(

1917

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1918

)

1919

1920

# Build a C string from the list. We don't need to save this off

1921

# because OpenSSL immediately copies the data out.

1922

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

9c1979a

2015-04-12 08:51:52 -0400

[diff] [blame]

1923

input_str_len = _ffi.cast("unsigned", len(protostr))

1924

_lib.SSL_set_alpn_protos(self._ssl, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1925

Maximilian Hils

66ded6a

2015-08-26 06:02:03 +0200

[diff] [blame]

1926

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1927

def get_alpn_proto_negotiated(self):

Cory Benfield

222f30e

2015-04-13 18:10:21 -0400

[diff] [blame]

1928

"""

1929

Get the protocol that was negotiated by ALPN.

1930

"""

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1931

data = _ffi.new("unsigned char **")

1932

data_len = _ffi.new("unsigned int *")

1933

1934

_lib.SSL_get0_alpn_selected(self._ssl, data, data_len)

1935

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

if not data_len:

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1939

return _ffi.buffer(data[0], data_len[0])[:]

1940

1941

Jean-Paul Calderone