Blame - src/OpenSSL/SSL.py - platform/external/python/pyopenssl

2015-08-17 19:27:20 +0200

[diff] [blame]

1

import socket

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2

from sys import platform

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

3

from functools import wraps, partial

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

4

from itertools import count, chain

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

5

from weakref import WeakValueDictionary

6

from errno import errorcode

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

7

Cory Benfield

63759dc

2015-04-12 08:57:03 -0400

[diff] [blame]

8

from six import binary_type as _binary_type

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

9

from six import integer_types as integer_types

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

10

from six import int2byte, indexbytes

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

11

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

12

from OpenSSL._util import (

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

13

UNSPECIFIED as _UNSPECIFIED,

14

exception_from_error_queue as _exception_from_error_queue,

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

15

ffi as _ffi,

16

lib as _lib,

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

17

make_assert as _make_assert,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

18

native as _native,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

19

path_string as _path_string,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

20

text_to_bytes_and_warn as _text_to_bytes_and_warn,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

21

)

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

22

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

23

from OpenSSL.crypto import (

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

24

FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

25

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

26

try:

27

_memoryview = memoryview

28

except NameError:

29

class _memoryview(object):

30

pass

31

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

try:

_buffer = buffer

except NameError:

class _buffer(object):

36

pass

37

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

38

OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER

39

SSLEAY_VERSION = _lib.SSLEAY_VERSION

40

SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS

41

SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM

42

SSLEAY_DIR = _lib.SSLEAY_DIR

43

SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

44

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

45

SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN

46

RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

SSLv2_METHOD = 1

SSLv3_METHOD = 2

SSLv23_METHOD = 3

TLSv1_METHOD = 4

Jean-Paul Calderone

56bff94

2013-11-03 11:30:43 -0500

[diff] [blame]

52

TLSv1_1_METHOD = 5

53

TLSv1_2_METHOD = 6

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

54

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

55

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2

56

OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3

57

OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

58

59

OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)

60

OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

61

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame^]

62

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

63

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

64

OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE

Akihiro Yamazaki

e64d80c

2015-09-06 00:16:57 +0900

[diff] [blame]

65

OP_SINGLE_ECDH_USE = _lib.SSL_OP_SINGLE_ECDH_USE

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

66

OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA

67

OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG

68

OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

69

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = (

70

_lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

71

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

72

OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

73

OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

Jean-Paul Calderone

0d7e8a1

2014-01-08 16:54:13 -0500

[diff] [blame]

74

try:

75

OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING

76

except AttributeError:

77

pass

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

78

OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG

79

OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG

80

OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG

81

OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

82

OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE

83

OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG

84

OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1

85

OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2

86

OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

87

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = (

88

_lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

89

)

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame^]

90

OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

91

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

92

OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU

93

OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE

Arturo Filastò

5f8c7a8

2014-03-09 20:01:25 +0100

[diff] [blame]

94

try:

95

OP_NO_TICKET = _lib.SSL_OP_NO_TICKET

96

except AttributeError:

97

pass

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

98

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

99

OP_ALL = _lib.SSL_OP_ALL

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

100

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

101

VERIFY_PEER = _lib.SSL_VERIFY_PEER

102

VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

103

VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE

104

VERIFY_NONE = _lib.SSL_VERIFY_NONE

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

105

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

106

SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF

107

SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT

108

SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER

109

SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH

110

SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR

111

SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

112

SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE

113

SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

d39a3f6

2013-03-04 12:23:51 -0800

[diff] [blame]

114

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

115

SSL_ST_CONNECT = _lib.SSL_ST_CONNECT

116

SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT

117

SSL_ST_MASK = _lib.SSL_ST_MASK

118

SSL_ST_INIT = _lib.SSL_ST_INIT

119

SSL_ST_BEFORE = _lib.SSL_ST_BEFORE

120

SSL_ST_OK = _lib.SSL_ST_OK

121

SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

122

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

123

SSL_CB_LOOP = _lib.SSL_CB_LOOP

124

SSL_CB_EXIT = _lib.SSL_CB_EXIT

125

SSL_CB_READ = _lib.SSL_CB_READ

126

SSL_CB_WRITE = _lib.SSL_CB_WRITE

127

SSL_CB_ALERT = _lib.SSL_CB_ALERT

128

SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT

129

SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT

130

SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP

131

SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT

132

SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP

133

SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT

134

SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START

135

SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

136

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

137

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

138

class Error(Exception):

Jean-Paul Calderone

511cde0

2013-12-29 10:31:13 -0500

[diff] [blame]

139

"""

140

An error occurred in an `OpenSSL.SSL` API.

141

"""

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

142

143

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

144

_raise_current_error = partial(_exception_from_error_queue, Error)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

145

_openssl_assert = _make_assert(Error)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

146

147

148

class WantReadError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

152

class WantWriteError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

156

class WantX509LookupError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

160

class ZeroReturnError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

164

class SysCallError(Error):

pass

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

168

class _CallbackExceptionHelper(object):

169

"""

170

A base class for wrapper classes that allow for intelligent exception

171

handling in OpenSSL callbacks.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

172

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

173

:ivar list _problems: Any exceptions that occurred while executing in a

174

context where they could not be raised in the normal way. Typically

175

this is because OpenSSL has called into some Python code and requires a

176

return value. The exceptions are saved to be raised later when it is

177

possible to do so.

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

178

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

179

Jean-Paul Calderone

09540d7

2015-03-22 19:37:20 -0400

[diff] [blame]

180

def __init__(self):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

181

self._problems = []

182

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

183

def raise_if_problem(self):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

184

"""

185

Raise an exception from the OpenSSL error queue or that was previously

186

captured whe running a callback.

187

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

188

if self._problems:

189

try:

190

_raise_current_error()

191

except Error:

192

pass

193

raise self._problems.pop(0)

194

195

196

class _VerifyHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

197

"""

198

Wrap a callback such that it can be used as a certificate verification

199

callback.

200

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

201

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

202

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

203

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

204

205

@wraps(callback)

206

def wrapper(ok, store_ctx):

207

cert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

208

cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)

209

error_number = _lib.X509_STORE_CTX_get_error(store_ctx)

210

error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

211

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

212

index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()

213

ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)

214

connection = Connection._reverse_mapping[ssl]

215

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

216

try:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

217

result = callback(

218

connection, cert, error_number, error_depth, ok

219

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

220

except Exception as e:

221

self._problems.append(e)

222

return 0

223

else:

224

if result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

225

_lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

return 1

else:

return 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

230

self.callback = _ffi.callback(

231

"int (*)(int, X509_STORE_CTX *)", wrapper)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

232

233

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

234

class _NpnAdvertiseHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

235

"""

236

Wrap a callback such that it can be used as an NPN advertisement callback.

237

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

238

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

239

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

240

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

241

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

242

@wraps(callback)

243

def wrapper(ssl, out, outlen, arg):

244

try:

245

conn = Connection._reverse_mapping[ssl]

246

protos = callback(conn)

247

248

# Join the protocols into a Python bytestring, length-prefixing

249

# each element.

250

protostr = b''.join(

251

chain.from_iterable((int2byte(len(p)), p) for p in protos)

252

)

253

254

# Save our callback arguments on the connection object. This is

255

# done to make sure that they don't get freed before OpenSSL

256

# uses them. Then, return them appropriately in the output

257

# parameters.

258

conn._npn_advertise_callback_args = [

259

_ffi.new("unsigned int *", len(protostr)),

260

_ffi.new("unsigned char[]", protostr),

261

]

262

outlen[0] = conn._npn_advertise_callback_args[0][0]

263

out[0] = conn._npn_advertise_callback_args[1]

264

return 0

265

except Exception as e:

266

self._problems.append(e)

267

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

268

269

self.callback = _ffi.callback(

270

"int (*)(SSL *, const unsigned char **, unsigned int *, void *)",

wrapper

)

class _NpnSelectHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

276

"""

277

Wrap a callback such that it can be used as an NPN selection callback.

278

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

279

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

280

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

281

_CallbackExceptionHelper.__init__(self)

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

282

283

@wraps(callback)

284

def wrapper(ssl, out, outlen, in_, inlen, arg):

285

try:

286

conn = Connection._reverse_mapping[ssl]

287

288

# The string passed to us is actually made up of multiple

289

# length-prefixed bytestrings. We need to split that into a

290

# list.

291

instr = _ffi.buffer(in_, inlen)[:]

292

protolist = []

293

while instr:

294

l = indexbytes(instr, 0)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

295

proto = instr[1:l + 1]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

296

protolist.append(proto)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

297

instr = instr[l + 1:]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

298

299

# Call the callback

300

outstr = callback(conn, protolist)

301

302

# Save our callback arguments on the connection object. This is

303

# done to make sure that they don't get freed before OpenSSL

304

# uses them. Then, return them appropriately in the output

305

# parameters.

306

conn._npn_select_callback_args = [

307

_ffi.new("unsigned char *", len(outstr)),

308

_ffi.new("unsigned char[]", outstr),

309

]

310

outlen[0] = conn._npn_select_callback_args[0][0]

311

out[0] = conn._npn_select_callback_args[1]

312

return 0

313

except Exception as e:

314

self._problems.append(e)

315

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

316

317

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

318

("int (*)(SSL *, unsigned char **, unsigned char *, "

319

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

320

wrapper

321

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

322

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

323

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

324

class _ALPNSelectHelper(_CallbackExceptionHelper):

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

325

"""

326

Wrap a callback such that it can be used as an ALPN selection callback.

327

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

328

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

329

def __init__(self, callback):

330

_CallbackExceptionHelper.__init__(self)

331

332

@wraps(callback)

333

def wrapper(ssl, out, outlen, in_, inlen, arg):

334

try:

335

conn = Connection._reverse_mapping[ssl]

336

337

# The string passed to us is made up of multiple

338

# length-prefixed bytestrings. We need to split that into a

339

# list.

340

instr = _ffi.buffer(in_, inlen)[:]

341

protolist = []

342

while instr:

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

343

encoded_len = indexbytes(instr, 0)

344

proto = instr[1:encoded_len + 1]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

345

protolist.append(proto)

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

346

instr = instr[encoded_len + 1:]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

347

348

# Call the callback

349

outstr = callback(conn, protolist)

350

351

if not isinstance(outstr, _binary_type):

352

raise TypeError("ALPN callback must return a bytestring.")

353

354

# Save our callback arguments on the connection object to make

355

# sure that they don't get freed before OpenSSL can use them.

356

# Then, return them in the appropriate output parameters.

357

conn._alpn_select_callback_args = [

358

_ffi.new("unsigned char *", len(outstr)),

359

_ffi.new("unsigned char[]", outstr),

360

]

361

outlen[0] = conn._alpn_select_callback_args[0][0]

362

out[0] = conn._alpn_select_callback_args[1]

363

return 0

364

except Exception as e:

365

self._problems.append(e)

366

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

367

368

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

369

("int (*)(SSL *, unsigned char **, unsigned char *, "

370

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

wrapper

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

375

def _asFileDescriptor(obj):

376

fd = None

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

377

if not isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

378

meth = getattr(obj, "fileno", None)

379

if meth is not None:

380

obj = meth()

381

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

382

if isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

383

fd = obj

384

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

385

if not isinstance(fd, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

386

raise TypeError("argument must be an int, or have a fileno() method.")

387

elif fd < 0:

388

raise ValueError(

389

"file descriptor cannot be a negative integer (%i)" % (fd,))

return fd

Jean-Paul Calderone

2013-03-04 12:23:51 -0800

[diff] [blame]

394

def SSLeay_version(type):

395

"""

396

Return a string describing the version of OpenSSL in use.

397

398

:param type: One of the SSLEAY_ constants defined in this module.

399

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

400

return _ffi.string(_lib.SSLeay_version(type))

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

401

402

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

403

def _make_requires(flag, error):

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

404

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

405

Builds a decorator that ensures that functions that rely on OpenSSL

406

functions that are not present in this build raise NotImplementedError,

407

rather than AttributeError coming out of cryptography.

408

409

:param flag: A cryptography flag that guards the functions, e.g.

410

``Cryptography_HAS_NEXTPROTONEG``.

411

:param error: The string to be used in the exception if the flag is false.

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

412

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

413

def _requires_decorator(func):

414

if not flag:

415

@wraps(func)

416

def explode(*args, **kwargs):

417

raise NotImplementedError(error)

418

return explode

419

else:

420

return func

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

421

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

422

return _requires_decorator

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

423

424

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

425

_requires_npn = _make_requires(

426

_lib.Cryptography_HAS_NEXTPROTONEG, "NPN not available"

427

)

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

428

429

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

430

_requires_alpn = _make_requires(

431

_lib.Cryptography_HAS_ALPN, "ALPN not available"

432

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

433

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

434

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

435

_requires_sni = _make_requires(

436

_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"

437

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

438

439

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

440

class Session(object):

pass

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

444

class Context(object):

445

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

446

:class:`OpenSSL.SSL.Context` instances define the parameters for setting

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

447

up new SSL connections.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

448

"""

449

_methods = {

Andrew Dunham

ec84a0a

2014-02-24 12:41:37 -0800

[diff] [blame]

450

SSLv2_METHOD: "SSLv2_method",

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

451

SSLv3_METHOD: "SSLv3_method",

452

SSLv23_METHOD: "SSLv23_method",

453

TLSv1_METHOD: "TLSv1_method",

454

TLSv1_1_METHOD: "TLSv1_1_method",

455

TLSv1_2_METHOD: "TLSv1_2_method",

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

456

}

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

457

_methods = dict(

458

(identifier, getattr(_lib, name))

459

for (identifier, name) in _methods.items()

460

if getattr(_lib, name, None) is not None)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

461

462

def __init__(self, method):

463

"""

464

:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or

465

TLSv1_METHOD.

466

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

467

if not isinstance(method, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

468

raise TypeError("method must be an integer")

469

470

try:

471

method_func = self._methods[method]

472

except KeyError:

473

raise ValueError("No such protocol")

474

475

method_obj = method_func()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

476

if method_obj == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

477

# TODO: This is untested.

478

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

479

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

480

context = _lib.SSL_CTX_new(method_obj)

481

if context == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

482

# TODO: This is untested.

483

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

484

context = _ffi.gc(context, _lib.SSL_CTX_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

485

486

self._context = context

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

487

self._passphrase_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

488

self._passphrase_callback = None

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

489

self._passphrase_userdata = None

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

490

self._verify_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

491

self._verify_callback = None

492

self._info_callback = None

493

self._tlsext_servername_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

494

self._app_data = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

495

self._npn_advertise_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

496

self._npn_advertise_callback = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

497

self._npn_select_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

498

self._npn_select_callback = None

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

499

self._alpn_select_helper = None

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

500

self._alpn_select_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

501

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

502

# SSL_CTX_set_app_data(self->ctx, self);

503

# SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |

504

# SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

505

# SSL_MODE_AUTO_RETRY);

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

506

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

507

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

508

def load_verify_locations(self, cafile, capath=None):

509

"""

510

Let SSL know where we can find trusted certificates for the certificate

511

chain

512

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

513

:param cafile: In which file we can find the certificates (``bytes`` or

514

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

515

:param capath: In which directory we can find the certificates

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

516

(``bytes`` or ``unicode``).

517

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

518

:return: None

519

"""

520

if cafile is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

521

cafile = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

522

else:

523

cafile = _path_string(cafile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

524

525

if capath is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

526

capath = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

527

else:

528

capath = _path_string(capath)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

529

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

530

load_result = _lib.SSL_CTX_load_verify_locations(

531

self._context, cafile, capath

532

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

533

if not load_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

534

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

535

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

536

def _wrap_callback(self, callback):

537

@wraps(callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

538

def wrapper(size, verify, userdata):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

539

return callback(size, verify, self._passphrase_userdata)

540

return _PassphraseHelper(

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

541

FILETYPE_PEM, wrapper, more_args=True, truncate=True)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

542

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

543

def set_passwd_cb(self, callback, userdata=None):

544

"""

545

Set the passphrase callback

546

547

:param callback: The Python callback to use

548

:param userdata: (optional) A Python object which will be given as

549

argument to the callback

550

:return: None

551

"""

552

if not callable(callback):

553

raise TypeError("callback must be callable")

554

555

self._passphrase_helper = self._wrap_callback(callback)

556

self._passphrase_callback = self._passphrase_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

557

_lib.SSL_CTX_set_default_passwd_cb(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

558

self._context, self._passphrase_callback)

559

self._passphrase_userdata = userdata

560

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

561

def set_default_verify_paths(self):

562

"""

563

Use the platform-specific CA certificate locations

564

565

:return: None

566

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

567

set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

568

if not set_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

569

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

570

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

571

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

572

def use_certificate_chain_file(self, certfile):

573

"""

574

Load a certificate chain from a file

575

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

576

:param certfile: The name of the certificate chain file (``bytes`` or

577

``unicode``).

578

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

579

:return: None

580

"""

Jean-Paul Calderone

aac43a3

2015-04-12 09:51:21 -0400

[diff] [blame]

581

certfile = _path_string(certfile)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

582

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

583

result = _lib.SSL_CTX_use_certificate_chain_file(

584

self._context, certfile

585

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

586

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

587

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

588

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

589

def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

590

"""

591

Load a certificate from a file

592

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

593

:param certfile: The name of the certificate file (``bytes`` or

594

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

595

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

596

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

597

:return: None

598

"""

Jean-Paul Calderone

d57a7b6

2015-04-12 09:57:36 -0400

[diff] [blame]

599

certfile = _path_string(certfile)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

600

if not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

601

raise TypeError("filetype must be an integer")

602

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

603

use_result = _lib.SSL_CTX_use_certificate_file(

604

self._context, certfile, filetype

605

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

606

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

607

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

608

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

609

def use_certificate(self, cert):

610

"""

611

Load a certificate from a X509 object

612

613

:param cert: The X509 object

614

:return: None

615

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

616

if not isinstance(cert, X509):

617

raise TypeError("cert must be an X509 instance")

618

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

619

use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

620

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

621

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

622

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

623

def add_extra_chain_cert(self, certobj):

624

"""

625

Add certificate to chain

626

627

:param certobj: The X509 certificate object to add to the chain

628

:return: None

629

"""

630

if not isinstance(certobj, X509):

631

raise TypeError("certobj must be an X509 instance")

632

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

633

copy = _lib.X509_dup(certobj._x509)

634

add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

635

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

636

# TODO: This is untested.

637

_lib.X509_free(copy)

638

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

639

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

640

def _raise_passphrase_exception(self):

641

if self._passphrase_helper is None:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

642

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

643

exception = self._passphrase_helper.raise_if_problem(Error)

644

if exception is not None:

645

raise exception

646

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

647

def use_privatekey_file(self, keyfile, filetype=_UNSPECIFIED):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

648

"""

649

Load a private key from a file

650

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

651

:param keyfile: The name of the key file (``bytes`` or ``unicode``)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

652

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

653

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

654

:return: None

655

"""

Jean-Paul Calderone

69a4e5b

2015-04-12 10:04:28 -0400

[diff] [blame]

656

keyfile = _path_string(keyfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

657

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

658

if filetype is _UNSPECIFIED:

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

659

filetype = FILETYPE_PEM

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

660

elif not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

661

raise TypeError("filetype must be an integer")

662

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

663

use_result = _lib.SSL_CTX_use_PrivateKey_file(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

664

self._context, keyfile, filetype)

665

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

666

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

667

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

668

def use_privatekey(self, pkey):

669

"""

670

Load a private key from a PKey object

671

672

:param pkey: The PKey object

673

:return: None

674

"""

675

if not isinstance(pkey, PKey):

676

raise TypeError("pkey must be a PKey instance")

677

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

678

use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

679

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

680

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

681

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

682

def check_privatekey(self):

683

"""

684

Check that the private key and certificate match up

685

686

:return: None (raises an exception if something's wrong)

687

"""

Jean-Paul Calderone

a034492

2014-12-11 14:02:31 -0500

[diff] [blame]

688

if not _lib.SSL_CTX_check_private_key(self._context):

689

_raise_current_error()

690

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

691

def load_client_ca(self, cafile):

692

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

693

Load the trusted certificates that will be sent to the client. Does

694

not actually imply any of the certificates are trusted; that must be

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

695

configured separately.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

696

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

697

:param bytes cafile: The path to a certificates file in PEM format.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

698

:return: None

699

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

700

ca_list = _lib.SSL_load_client_CA_file(

701

_text_to_bytes_and_warn("cafile", cafile)

702

)

703

_openssl_assert(ca_list != _ffi.NULL)

704

# SSL_CTX_set_client_CA_list doesn't return anything.

705

_lib.SSL_CTX_set_client_CA_list(self._context, ca_list)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

706

707

def set_session_id(self, buf):

708

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

709

Set the session id to *buf* within which a session can be reused for

710

this Context object. This is needed when doing session resumption,

711

because there is no way for a stored session to know which Context

712

object it is associated with.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

713

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

714

:param bytes buf: The session id.

715

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

716

:returns: None

717

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

718

buf = _text_to_bytes_and_warn("buf", buf)

719

_openssl_assert(

720

_lib.SSL_CTX_set_session_id_context(

self._context,

buf,

len(buf),

) == 1

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

726

727

def set_session_cache_mode(self, mode):

728

"""

729

Enable/disable session caching and specify the mode used.

730

731

:param mode: One or more of the SESS_CACHE_* flags (combine using

732

bitwise or)

733

:returns: The previously set caching mode.

734

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

735

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

736

raise TypeError("mode must be an integer")

737

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

738

return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

739

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

740

def get_session_cache_mode(self):

741

"""

742

:returns: The currently used cache mode.

743

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

744

return _lib.SSL_CTX_get_session_cache_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

745

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

746

def set_verify(self, mode, callback):

747

"""

748

Set the verify mode and verify callback

749

750

:param mode: The verify mode, this is either VERIFY_NONE or

751

VERIFY_PEER combined with possible other flags

752

:param callback: The Python callback to use

753

:return: None

754

755

See SSL_CTX_set_verify(3SSL) for further details.

756

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

757

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

758

raise TypeError("mode must be an integer")

759

760

if not callable(callback):

761

raise TypeError("callback must be callable")

762

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

763

self._verify_helper = _VerifyHelper(callback)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

764

self._verify_callback = self._verify_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

765

_lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

766

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

767

def set_verify_depth(self, depth):

"""

Set the verify depth

:param depth: An integer specifying the verify depth

772

:return: None

773

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

774

if not isinstance(depth, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

775

raise TypeError("depth must be an integer")

776

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

777

_lib.SSL_CTX_set_verify_depth(self._context, depth)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

778

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

779

def get_verify_mode(self):

"""

Get the verify mode

:return: The verify mode

784

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

785

return _lib.SSL_CTX_get_verify_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

786

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

787

def get_verify_depth(self):

"""

Get the verify depth

:return: The verify depth

792

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

793

return _lib.SSL_CTX_get_verify_depth(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

794

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

795

def load_tmp_dh(self, dhfile):

796

"""

797

Load parameters for Ephemeral Diffie-Hellman

798

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

799

:param dhfile: The file to load EDH parameters from (``bytes`` or

800

``unicode``).

801

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

802

:return: None

803

"""

Jean-Paul Calderone

9e1c1dd

2015-04-12 10:13:13 -0400

[diff] [blame]

804

dhfile = _path_string(dhfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

805

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

806

bio = _lib.BIO_new_file(dhfile, b"r")

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

807

if bio == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

808

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

809

bio = _ffi.gc(bio, _lib.BIO_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

810

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

811

dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)

812

dh = _ffi.gc(dh, _lib.DH_free)

813

_lib.SSL_CTX_set_tmp_dh(self._context, dh)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

814

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

815

def set_tmp_ecdh(self, curve):

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

816

"""

Andy Lutomirski

76a6133

2014-03-12 15:02:56 -0700

[diff] [blame]

817

Select a curve to use for ECDHE key exchange.

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

818

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

819

:param curve: A curve object to use as returned by either

820

:py:meth:`OpenSSL.crypto.get_elliptic_curve` or

821

:py:meth:`OpenSSL.crypto.get_elliptic_curves`.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

822

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

823

:return: None

824

"""

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

825

_lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

826

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

827

def set_cipher_list(self, cipher_list):

828

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

829

Set the list of ciphers to be used in this context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

830

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

831

See the OpenSSL manual for more information (e.g.

832

:manpage:`ciphers(1)`).

833

834

:param bytes cipher_list: An OpenSSL cipher string.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

835

:return: None

836

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

837

cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

838

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

839

if not isinstance(cipher_list, bytes):

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

840

raise TypeError("cipher_list must be a byte string.")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

841

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

842

_openssl_assert(

Hynek Schlawack

22a4b66

2016-03-11 14:59:39 +0100

[diff] [blame]

843

_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

844

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

845

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

846

def set_client_ca_list(self, certificate_authorities):

847

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

848

Set the list of preferred client certificate signers for this server

849

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

850

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

851

This list of certificate authorities will be sent to the client when

852

the server requests a client certificate.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

853

854

:param certificate_authorities: a sequence of X509Names.

855

:return: None

856

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

857

name_stack = _lib.sk_X509_NAME_new_null()

858

if name_stack == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

859

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

860

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

861

862

try:

863

for ca_name in certificate_authorities:

864

if not isinstance(ca_name, X509Name):

865

raise TypeError(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

866

"client CAs must be X509Name objects, not %s "

867

"objects" % (

868

type(ca_name).__name__,

869

)

870

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

871

copy = _lib.X509_NAME_dup(ca_name._name)

872

if copy == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

873

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

874

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

875

push_result = _lib.sk_X509_NAME_push(name_stack, copy)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

876

if not push_result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

877

_lib.X509_NAME_free(copy)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

878

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

879

except:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

880

_lib.sk_X509_NAME_free(name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

881

raise

882

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

883

_lib.SSL_CTX_set_client_CA_list(self._context, name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

884

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

885

def add_client_ca(self, certificate_authority):

886

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

887

Add the CA certificate to the list of preferred signers for this

888

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

889

890

The list of certificate authorities will be sent to the client when the

891

server requests a client certificate.

892

893

:param certificate_authority: certificate authority's X509 certificate.

894

:return: None

895

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

896

if not isinstance(certificate_authority, X509):

897

raise TypeError("certificate_authority must be an X509 instance")

898

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

899

add_result = _lib.SSL_CTX_add_client_CA(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

900

self._context, certificate_authority._x509)

901

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

902

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

903

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

904

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

905

def set_timeout(self, timeout):

"""

Set session timeout

:param timeout: The timeout in seconds

910

:return: The previous session timeout

911

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

912

if not isinstance(timeout, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

913

raise TypeError("timeout must be an integer")

914

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

915

return _lib.SSL_CTX_set_timeout(self._context, timeout)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

916

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

917

def get_timeout(self):

918

"""

919

Get the session timeout

920

921

:return: The session timeout

922

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

923

return _lib.SSL_CTX_get_timeout(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

924

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

925

def set_info_callback(self, callback):

926

"""

927

Set the info callback

928

929

:param callback: The Python callback to use

930

:return: None

931

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

932

@wraps(callback)

933

def wrapper(ssl, where, return_code):

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

934

callback(Connection._reverse_mapping[ssl], where, return_code)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

935

self._info_callback = _ffi.callback(

936

"void (*)(const SSL *, int, int)", wrapper)

937

_lib.SSL_CTX_set_info_callback(self._context, self._info_callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

938

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

939

def get_app_data(self):

940

"""

941

Get the application data (supplied via set_app_data())

942

943

:return: The application data

944

"""

945

return self._app_data

946

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

947

def set_app_data(self, data):

948

"""

949

Set the application data (will be returned from get_app_data())

950

951

:param data: Any Python object

952

:return: None

953

"""

954

self._app_data = data

955

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

956

def get_cert_store(self):

957

"""

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

958

Get the certificate store for the context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

959

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

960

:return: A X509Store object or None if it does not have one.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

961

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

962

store = _lib.SSL_CTX_get_cert_store(self._context)

963

if store == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

964

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

965

return None

966

967

pystore = X509Store.__new__(X509Store)

968

pystore._store = store

969

return pystore

970

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

971

def set_options(self, options):

972

"""

973

Add options. Options set before are not cleared!

974

975

:param options: The options to add.

976

:return: The new option bitmask.

977

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

978

if not isinstance(options, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

979

raise TypeError("options must be an integer")

980

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

981

return _lib.SSL_CTX_set_options(self._context, options)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

982

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

983

def set_mode(self, mode):

984

"""

985

Add modes via bitmask. Modes set before are not cleared!

986

987

:param mode: The mode to add.

988

:return: The new mode bitmask.

989

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

990

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

991

raise TypeError("mode must be an integer")

992

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

993

return _lib.SSL_CTX_set_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

994

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

995

@_requires_sni

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

996

def set_tlsext_servername_callback(self, callback):

997

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

998

Specify a callback function to be called when clients specify a server

999

name.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1000

1001

:param callback: The callback function. It will be invoked with one

1002

argument, the Connection instance.

1003

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1004

@wraps(callback)

1005

def wrapper(ssl, alert, arg):

1006

callback(Connection._reverse_mapping[ssl])

1007

return 0

1008

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1009

self._tlsext_servername_callback = _ffi.callback(

1010

"int (*)(const SSL *, int *, void *)", wrapper)

1011

_lib.SSL_CTX_set_tlsext_servername_callback(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1012

self._context, self._tlsext_servername_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1013

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1014

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1015

def set_npn_advertise_callback(self, callback):

1016

"""

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1017

Specify a callback function that will be called when offering `Next

1018

Protocol Negotiation

1019

<https://technotes.googlecode.com/git/nextprotoneg.html>`_ as a server.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1020

1021

:param callback: The callback function. It will be invoked with one

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1022

argument, the Connection instance. It should return a list of

1023

bytestrings representing the advertised protocols, like

1024

``[b'http/1.1', b'spdy/2']``.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1025

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1026

self._npn_advertise_helper = _NpnAdvertiseHelper(callback)

1027

self._npn_advertise_callback = self._npn_advertise_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1028

_lib.SSL_CTX_set_next_protos_advertised_cb(

1029

self._context, self._npn_advertise_callback, _ffi.NULL)

1030

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1031

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1032

def set_npn_select_callback(self, callback):

1033

"""

1034

Specify a callback function that will be called when a server offers

1035

Next Protocol Negotiation options.

1036

1037

:param callback: The callback function. It will be invoked with two

1038

arguments: the Connection, and a list of offered protocols as

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1039

bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return

1040

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1041

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1042

self._npn_select_helper = _NpnSelectHelper(callback)

1043

self._npn_select_callback = self._npn_select_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1044

_lib.SSL_CTX_set_next_proto_select_cb(

1045

self._context, self._npn_select_callback, _ffi.NULL)

1046

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1047

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1048

def set_alpn_protos(self, protos):

1049

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1050

Specify the clients ALPN protocol list.

1051

1052

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1053

1054

:param protos: A list of the protocols to be offered to the server.

1055

This list should be a Python list of bytestrings representing the

1056

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1057

"""

1058

# Take the list of protocols and join them together, prefixing them

1059

# with their lengths.

1060

protostr = b''.join(

1061

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1062

)

1063

1064

# Build a C string from the list. We don't need to save this off

1065

# because OpenSSL immediately copies the data out.

1066

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

e871af5

2015-04-11 17:57:50 -0400

[diff] [blame]

1067

input_str_len = _ffi.cast("unsigned", len(protostr))

1068

_lib.SSL_CTX_set_alpn_protos(self._context, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1069

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1070

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1071

def set_alpn_select_callback(self, callback):

1072

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1073

Set the callback to handle ALPN protocol choice.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1074

1075

:param callback: The callback function. It will be invoked with two

1076

arguments: the Connection, and a list of offered protocols as

1077

bytestrings, e.g ``[b'http/1.1', b'spdy/2']``. It should return

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1078

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1079

"""

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

1080

self._alpn_select_helper = _ALPNSelectHelper(callback)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1081

self._alpn_select_callback = self._alpn_select_helper.callback

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1082

_lib.SSL_CTX_set_alpn_select_cb(

1083

self._context, self._alpn_select_callback, _ffi.NULL)

1084

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1085

ContextType = Context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1086

1087

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1088

class Connection(object):

1089

"""

1090

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1091

_reverse_mapping = WeakValueDictionary()

1092

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1093

def __init__(self, context, socket=None):

1094

"""

1095

Create a new Connection object, using the given OpenSSL.SSL.Context

1096

instance and socket.

1097

1098

:param context: An SSL Context to use for this connection

1099

:param socket: The socket to use for transport layer

1100

"""

1101

if not isinstance(context, Context):

1102

raise TypeError("context must be a Context instance")

1103

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1104

ssl = _lib.SSL_new(context._context)

1105

self._ssl = _ffi.gc(ssl, _lib.SSL_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1106

self._context = context

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

1107

self._app_data = None

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1108

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1109

# References to strings used for Next Protocol Negotiation. OpenSSL's

1110

# header files suggest that these might get copied at some point, but

1111

# doesn't specify when, so we store them here to make sure they don't

1112

# get freed before OpenSSL uses them.

1113

self._npn_advertise_callback_args = None

1114

self._npn_select_callback_args = None

1115

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1116

# References to strings used for Application Layer Protocol

1117

# Negotiation. These strings get copied at some point but it's well

1118

# after the callback returns, so we have to hang them somewhere to

1119

# avoid them getting freed.

1120

self._alpn_select_callback_args = None

1121

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1122

self._reverse_mapping[self._ssl] = self

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1123

1124

if socket is None:

1125

self._socket = None

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1126

# Don't set up any gc for these, SSL_free will take care of them.

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1127

self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())

1128

self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1129

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1130

if self._into_ssl == _ffi.NULL or self._from_ssl == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1131

# TODO: This is untested.

1132

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1133

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1134

_lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1135

else:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1136

self._into_ssl = None

1137

self._from_ssl = None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1138

self._socket = socket

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1139

set_result = _lib.SSL_set_fd(

1140

self._ssl, _asFileDescriptor(self._socket))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1141

if not set_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1142

# TODO: This is untested.

1143

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1144

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1145

def __getattr__(self, name):

1146

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1147

Look up attributes on the wrapped socket object if they are not found

1148

on the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1149

"""

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1150

if self._socket is None:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1151

raise AttributeError("'%s' object has no attribute '%s'" % (

1152

self.__class__.__name__, name

1153

))

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1154

else:

1155

return getattr(self._socket, name)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1156

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1157

def _raise_ssl_error(self, ssl, result):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1158

if self._context._verify_helper is not None:

1159

self._context._verify_helper.raise_if_problem()

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1160

if self._context._npn_advertise_helper is not None:

1161

self._context._npn_advertise_helper.raise_if_problem()

1162

if self._context._npn_select_helper is not None:

1163

self._context._npn_select_helper.raise_if_problem()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1164

if self._context._alpn_select_helper is not None:

1165

self._context._alpn_select_helper.raise_if_problem()

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1166

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1167

error = _lib.SSL_get_error(ssl, result)

1168

if error == _lib.SSL_ERROR_WANT_READ:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1169

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1170

elif error == _lib.SSL_ERROR_WANT_WRITE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1171

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1172

elif error == _lib.SSL_ERROR_ZERO_RETURN:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1173

raise ZeroReturnError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1174

elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1175

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1176

raise WantX509LookupError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1177

elif error == _lib.SSL_ERROR_SYSCALL:

1178

if _lib.ERR_peek_error() == 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1179

if result < 0:

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

1180

if platform == "win32":

1181

errno = _ffi.getwinerror()[0]

1182

else:

1183

errno = _ffi.errno

Glyph

3afdba8

2015-04-14 17:30:53 -0400

[diff] [blame]

1184

raise SysCallError(errno, errorcode.get(errno))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1185

else:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1186

raise SysCallError(-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1187

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1188

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1189

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1190

elif error == _lib.SSL_ERROR_NONE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1191

pass

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1192

else:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1193

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1194

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1195

def get_context(self):

1196

"""

1197

Get session context

1198

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1199

return self._context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1200

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1201

def set_context(self, context):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1202

"""

1203

Switch this connection to a new session context

1204

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1205

:param context: A :py:class:`Context` instance giving the new session

1206

context to use.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1207

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1208

if not isinstance(context, Context):

1209

raise TypeError("context must be a Context instance")

1210

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1211

_lib.SSL_set_SSL_CTX(self._ssl, context._context)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1212

self._context = context

1213

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1214

@_requires_sni

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1215

def get_servername(self):

1216

"""

1217

Retrieve the servername extension value if provided in the client hello

1218

message, or None if there wasn't one.

1219

1220

:return: A byte string giving the server name or :py:data:`None`.

1221

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1222

name = _lib.SSL_get_servername(

1223

self._ssl, _lib.TLSEXT_NAMETYPE_host_name

1224

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1225

if name == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1226

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1227

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1228

return _ffi.string(name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1229

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1230

@_requires_sni

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1231

def set_tlsext_host_name(self, name):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1232

"""

1233

Set the value of the servername extension to send in the client hello.

1234

1235

:param name: A byte string giving the name.

1236

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1237

if not isinstance(name, bytes):

1238

raise TypeError("name must be a byte string")

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1239

elif b"\0" in name:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1240

raise TypeError("name must not contain NUL byte")

1241

1242

# XXX I guess this can fail sometimes?

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1243

_lib.SSL_set_tlsext_host_name(self._ssl, name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1244

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1245

def pending(self):

1246

"""

1247

Get the number of bytes that can be safely read from the connection

1248

1249

:return: The number of bytes available in the receive buffer.

1250

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1251

return _lib.SSL_pending(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1252

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1253

def send(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1254

"""

1255

Send data on the connection. NOTE: If you get one of the WantRead,

1256

WantWrite or WantX509Lookup exceptions on this, you have to call the

1257

method again with the SAME buffer.

1258

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1259

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1260

:param flags: (optional) Included for compatibility with the socket

1261

API, the value is ignored

1262

:return: The number of bytes written

1263

"""

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1264

# Backward compatibility

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1265

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1266

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1267

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1268

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1269

if isinstance(buf, _buffer):

1270

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1271

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1272

raise TypeError("data must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1273

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1274

result = _lib.SSL_write(self._ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1275

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return result

write = send

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1279

def sendall(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1280

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1281

Send "all" data on the connection. This calls send() repeatedly until

1282

all data is sent. If an error occurs, it's impossible to tell how much

1283

data has been sent.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1284

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1285

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1286

:param flags: (optional) Included for compatibility with the socket

1287

API, the value is ignored

1288

:return: The number of bytes written

1289

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1290

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1291

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1292

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1293

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1294

if isinstance(buf, _buffer):

1295

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1296

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1297

raise TypeError("buf must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1298

1299

left_to_send = len(buf)

1300

total_sent = 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1301

data = _ffi.new("char[]", buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1302

1303

while left_to_send:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1304

result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1305

self._raise_ssl_error(self._ssl, result)

1306

total_sent += result

1307

left_to_send -= result

1308

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1309

def recv(self, bufsiz, flags=None):

1310

"""

Alex Gaynor

67fc8c9

2016-05-27 08:27:19 -0400

[diff] [blame]

1311

Receive data on the connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1312

1313

:param bufsiz: The maximum number of bytes to read

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1314

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1315

all other flags are ignored.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1316

:return: The string read from the Connection

1317

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1318

buf = _ffi.new("char[]", bufsiz)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1319

if flags is not None and flags & socket.MSG_PEEK:

1320

result = _lib.SSL_peek(self._ssl, buf, bufsiz)

1321

else:

1322

result = _lib.SSL_read(self._ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1323

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1324

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1325

read = recv

1326

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1327

def recv_into(self, buffer, nbytes=None, flags=None):

1328

"""

1329

Receive data on the connection and store the data into a buffer rather

1330

than creating a new string.

1331

1332

:param buffer: The buffer to copy into.

1333

:param nbytes: (optional) The maximum number of bytes to read into the

1334

buffer. If not present, defaults to the size of the buffer. If

1335

larger than the size of the buffer, is reduced to the size of the

1336

buffer.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1337

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1338

all other flags are ignored.

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1339

:return: The number of bytes read into the buffer.

"""

if nbytes is None:

nbytes = len(buffer)

else:

nbytes = min(nbytes, len(buffer))

1345

1346

# We need to create a temporary buffer. This is annoying, it would be

1347

# better if we could pass memoryviews straight into the SSL_read call,

1348

# but right now we can't. Revisit this if CFFI gets that ability.

1349

buf = _ffi.new("char[]", nbytes)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1350

if flags is not None and flags & socket.MSG_PEEK:

1351

result = _lib.SSL_peek(self._ssl, buf, nbytes)

1352

else:

1353

result = _lib.SSL_read(self._ssl, buf, nbytes)

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1354

self._raise_ssl_error(self._ssl, result)

1355

1356

# This strange line is all to avoid a memory copy. The buffer protocol

1357

# should allow us to assign a CFFI buffer to the LHS of this line, but

1358

# on CPython 3.3+ that segfaults. As a workaround, we can temporarily

1359

# wrap it in a memoryview, except on Python 2.6 which doesn't have a

1360

# memoryview type.

1361

try:

1362

buffer[:result] = memoryview(_ffi.buffer(buf, result))

1363

except NameError:

1364

buffer[:result] = _ffi.buffer(buf, result)

return result

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1368

def _handle_bio_errors(self, bio, result):

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1369

if _lib.BIO_should_retry(bio):

1370

if _lib.BIO_should_read(bio):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1371

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1372

elif _lib.BIO_should_write(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1373

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1374

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1375

elif _lib.BIO_should_io_special(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1376

# TODO: This is untested. I think io_special means the socket

1377

# BIO has a not-yet connected socket.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1378

raise ValueError("BIO_should_io_special")

1379

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1380

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1381

raise ValueError("unknown bio failure")

1382

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1383

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1384

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1385

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1386

def bio_read(self, bufsiz):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1387

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1388

When using non-socket connections this function reads the "dirty" data

1389

that would have traveled away on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1390

1391

:param bufsiz: The maximum number of bytes to read

1392

:return: The string read.

1393

"""

Jean-Paul Calderone

97e041d

2013-03-05 21:03:12 -0800

[diff] [blame]

1394

if self._from_ssl is None:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1395

raise TypeError("Connection sock was not None")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1396

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1397

if not isinstance(bufsiz, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1398

raise TypeError("bufsiz must be an integer")

1399

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1400

buf = _ffi.new("char[]", bufsiz)

1401

result = _lib.BIO_read(self._from_ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1402

if result <= 0:

1403

self._handle_bio_errors(self._from_ssl, result)

1404

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1405

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1406

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1407

def bio_write(self, buf):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1408

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1409

When using non-socket connections this function sends "dirty" data that

1410

would have traveled in on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1411

1412

:param buf: The string to put into the memory BIO.

1413

:return: The number of bytes written

1414

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1415

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1416

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1417

if self._into_ssl is None:

1418

raise TypeError("Connection sock was not None")

1419

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1420

result = _lib.BIO_write(self._into_ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1421

if result <= 0:

1422

self._handle_bio_errors(self._into_ssl, result)

1423

return result

1424

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1425

def renegotiate(self):

1426

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1427

Renegotiate the session.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1428

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1429

:return: True if the renegotiation can be started, False otherwise

1430

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1431

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1432

if not self.renegotiate_pending():

1433

_openssl_assert(_lib.SSL_renegotiate(self._ssl) == 1)

1434

return True

1435

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1436

1437

def do_handshake(self):

1438

"""

1439

Perform an SSL handshake (usually called after renegotiate() or one of

1440

set_*_state()). This can raise the same exceptions as send and recv.

1441

1442

:return: None.

1443

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1444

result = _lib.SSL_do_handshake(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1445

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1446

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1447

def renegotiate_pending(self):

1448

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1449

Check if there's a renegotiation in progress, it will return False once

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1450

a renegotiation is finished.

1451

1452

:return: Whether there's a renegotiation in progress

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1453

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1454

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1455

return _lib.SSL_renegotiate_pending(self._ssl) == 1

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1456

1457

def total_renegotiations(self):

1458

"""

1459

Find out the total number of renegotiations.

1460

1461

:return: The number of renegotiations.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1462

:rtype: int

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1463

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1464

return _lib.SSL_total_renegotiations(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1465

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1466

def connect(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1467

"""

1468

Connect to remote host and set up client-side SSL

1469

1470

:param addr: A remote address

1471

:return: What the socket's connect method returns

1472

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1473

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1474

return self._socket.connect(addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1475

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1476

def connect_ex(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1477

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1478

Connect to remote host and set up client-side SSL. Note that if the

1479

socket's connect_ex method doesn't return 0, SSL won't be initialized.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1480

1481

:param addr: A remove address

1482

:return: What the socket's connect_ex method returns

1483

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1484

connect_ex = self._socket.connect_ex

1485

self.set_connect_state()

1486

return connect_ex(addr)

1487

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1488

def accept(self):

1489

"""

1490

Accept incoming connection and set up SSL on it

1491

1492

:return: A (conn,addr) pair where conn is a Connection and addr is an

1493

address

1494

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1495

client, addr = self._socket.accept()

1496

conn = Connection(self._context, client)

1497

conn.set_accept_state()

1498

return (conn, addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1499

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1500

def bio_shutdown(self):

1501

"""

1502

When using non-socket connections this function signals end of

1503

data on the input for this connection.

1504

1505

:return: None

1506

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1507

if self._from_ssl is None:

1508

raise TypeError("Connection sock was not None")

1509

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1510

_lib.BIO_set_mem_eof_return(self._into_ssl, 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1511

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

def shutdown(self):

"""

Send closure alert

:return: True if the shutdown completed successfully (i.e. both sides

1517

have sent closure alerts), false otherwise (i.e. you have to

1518

wait for a ZeroReturnError on a recv() method call

1519

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1520

result = _lib.SSL_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1521

if result < 0:

Paul Aurich

bff1d1a

2015-01-08 08:36:53 -0800

[diff] [blame]

1522

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1523

elif result > 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1524

return True

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

else:

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1528

def get_cipher_list(self):

1529

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1530

Retrieve the list of ciphers used by the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1531

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1532

:return: A list of native cipher strings.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1533

"""

1534

ciphers = []

1535

for i in count():

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1536

result = _lib.SSL_get_cipher_list(self._ssl, i)

1537

if result == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1538

break

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1539

ciphers.append(_native(_ffi.string(result)))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1540

return ciphers

1541

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1542

def get_client_ca_list(self):

1543

"""

1544

Get CAs whose certificates are suggested for client authentication.

1545

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1546

:return: If this is a server connection, a list of X509Names

1547

representing the acceptable CAs as set by

1548

:py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or

1549

:py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client

1550

connection, the list of such X509Names sent by the server, or an

1551

empty list if that has not yet happened.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1552

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1553

ca_names = _lib.SSL_get_client_CA_list(self._ssl)

1554

if ca_names == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1555

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1556

return []

1557

1558

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1559

for i in range(_lib.sk_X509_NAME_num(ca_names)):

1560

name = _lib.sk_X509_NAME_value(ca_names, i)

1561

copy = _lib.X509_NAME_dup(name)

1562

if copy == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1563

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1564

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1565

1566

pyname = X509Name.__new__(X509Name)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1567

pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1568

result.append(pyname)

1569

return result

1570

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1571

def makefile(self):

1572

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1573

The makefile() method is not implemented, since there is no dup

1574

semantics for SSL connections

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1575

Jean-Paul Calderone

6749ec2

2014-04-17 16:30:21 -0400

[diff] [blame]

1576

:raise: NotImplementedError

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1577

"""

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

1578

raise NotImplementedError(

1579

"Cannot make file object of OpenSSL.SSL.Connection")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1580

1581

def get_app_data(self):

"""

Get application data

:return: The application data

1586

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1587

return self._app_data

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1588

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1589

def set_app_data(self, data):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set application data

:param data - The application data

1594

:return: None

1595

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1596

self._app_data = data

1597

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1598

def get_shutdown(self):

"""

Get shutdown state

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1602

:return: The shutdown state, a bitvector of SENT_SHUTDOWN,

1603

RECEIVED_SHUTDOWN.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1604

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1605

return _lib.SSL_get_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1606

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1607

def set_shutdown(self, state):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set shutdown state

:param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.

1612

:return: None

1613

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

1614

if not isinstance(state, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1615

raise TypeError("state must be an integer")

1616

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1617

_lib.SSL_set_shutdown(self._ssl, state)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1618

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1619

def get_state_string(self):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1620

"""

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1621

Retrieve a verbose string detailing the state of the Connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1622

1623

:return: A string representing the state

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1624

:rtype: bytes

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1625

"""

kjav

c704a2e

2015-09-07 12:12:27 +0100

[diff] [blame]

1626

return _ffi.string(_lib.SSL_state_string_long(self._ssl))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1627

1628

def server_random(self):

1629

"""

1630

Get a copy of the server hello nonce.

1631

1632

:return: A string representing the state

1633

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1634

session = _lib.SSL_get_session(self._ssl)

1635

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1636

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1637

length = _lib.SSL_get_server_random(self._ssl, _ffi.NULL, 0)

1638

assert length > 0

1639

outp = _ffi.new("char[]", length)

1640

_lib.SSL_get_server_random(self._ssl, outp, length)

1641

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1642

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1643

def client_random(self):

1644

"""

1645

Get a copy of the client hello nonce.

1646

1647

:return: A string representing the state

1648

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1649

session = _lib.SSL_get_session(self._ssl)

1650

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1651

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1652

1653

length = _lib.SSL_get_client_random(self._ssl, _ffi.NULL, 0)

1654

assert length > 0

1655

outp = _ffi.new("char[]", length)

1656

_lib.SSL_get_client_random(self._ssl, outp, length)

1657

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1658

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1659

def master_key(self):

1660

"""

1661

Get a copy of the master key.

1662

1663

:return: A string representing the state

1664

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1665

session = _lib.SSL_get_session(self._ssl)

1666

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1667

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1668

1669

length = _lib.SSL_SESSION_get_master_key(session, _ffi.NULL, 0)

1670

assert length > 0

1671

outp = _ffi.new("char[]", length)

1672

_lib.SSL_SESSION_get_master_key(session, outp, length)

1673

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1674

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1675

def sock_shutdown(self, *args, **kwargs):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

See shutdown(2)

:return: What the socket's shutdown() method returns

1680

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1681

return self._socket.shutdown(*args, **kwargs)

1682

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1683

def get_peer_certificate(self):

1684

"""

1685

Retrieve the other side's certificate (if any)

1686

1687

:return: The peer's certificate

1688

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1689

cert = _lib.SSL_get_peer_certificate(self._ssl)

1690

if cert != _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1691

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1692

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return pycert

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1696

def get_peer_cert_chain(self):

1697

"""

1698

Retrieve the other side's certificate (if any)

1699

1700

:return: A list of X509 instances giving the peer's certificate chain,

1701

or None if it does not have one.

1702

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1703

cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)

1704

if cert_stack == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1705

return None

1706

1707

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1708

for i in range(_lib.sk_X509_num(cert_stack)):

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1709

# TODO could incref instead of dup here

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1710

cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1711

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1712

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1713

result.append(pycert)

1714

return result

1715

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1716

def want_read(self):

1717

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1718

Checks if more data has to be read from the transport layer to complete

1719

an operation.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1720

1721

:return: True iff more data has to be read

1722

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1723

return _lib.SSL_want_read(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1724

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1725

def want_write(self):

1726

"""

1727

Checks if there is data to write to the transport layer to complete an

1728

operation.

1729

1730

:return: True iff there is data to write

1731

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1732

return _lib.SSL_want_write(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1733

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1734

def set_accept_state(self):

1735

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1736

Set the connection to work in server mode. The handshake will be

1737

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1738

1739

:return: None

1740

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1741

_lib.SSL_set_accept_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1742

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1743

def set_connect_state(self):

1744

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1745

Set the connection to work in client mode. The handshake will be

1746

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1747

1748

:return: None

1749

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1750

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1751

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1752

def get_session(self):

1753

"""

1754

Returns the Session currently used.

1755

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1756

@return: An instance of :py:class:`OpenSSL.SSL.Session` or

1757

:py:obj:`None` if no session exists.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1758

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1759

session = _lib.SSL_get1_session(self._ssl)

1760

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1761

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1762

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1763

pysession = Session.__new__(Session)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1764

pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1765

return pysession

1766

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1767

def set_session(self, session):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1768

"""

1769

Set the session to be used when the TLS/SSL connection is established.

1770

1771

:param session: A Session instance representing the session to use.

1772

:returns: None

1773

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1774

if not isinstance(session, Session):

1775

raise TypeError("session must be a Session instance")

1776

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1777

result = _lib.SSL_set_session(self._ssl, session._session)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1778

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1779

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1780

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1781

def _get_finished_message(self, function):

1782

"""

1783

Helper to implement :py:meth:`get_finished` and

1784

:py:meth:`get_peer_finished`.

1785

1786

:param function: Either :py:data:`SSL_get_finished`: or

1787

:py:data:`SSL_get_peer_finished`.

1788

1789

:return: :py:data:`None` if the desired message has not yet been

1790

received, otherwise the contents of the message.

1791

:rtype: :py:class:`bytes` or :py:class:`NoneType`

1792

"""

Jean-Paul Calderone

01af904

2014-03-30 11:40:42 -0400

[diff] [blame]

1793

# The OpenSSL documentation says nothing about what might happen if the

1794

# count argument given is zero. Specifically, it doesn't say whether

1795

# the output buffer may be NULL in that case or not. Inspection of the

1796

# implementation reveals that it calls memcpy() unconditionally.

1797

# Section 7.1.4, paragraph 1 of the C standard suggests that

1798

# memcpy(NULL, source, 0) is not guaranteed to produce defined (let

1799

# alone desirable) behavior (though it probably does on just about

1800

# every implementation...)

1801

#

1802

# Allocate a tiny buffer to pass in (instead of just passing NULL as

1803

# one might expect) for the initial call so as to be safe against this

1804

# potentially undefined behavior.

1805

empty = _ffi.new("char[]", 0)

1806

size = function(self._ssl, empty, 0)

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1807

if size == 0:

1808

# No Finished message so far.

1809

return None

1810

1811

buf = _ffi.new("char[]", size)

1812

function(self._ssl, buf, size)

1813

return _ffi.buffer(buf, size)[:]

1814

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1815

def get_finished(self):

1816

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1817

Obtain the latest `handshake finished` message sent to the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1818

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1819

:return: The contents of the message or :py:obj:`None` if the TLS

1820

handshake has not yet completed.

1821

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1822

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1823

return self._get_finished_message(_lib.SSL_get_finished)

1824

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1825

def get_peer_finished(self):

1826

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1827

Obtain the latest `handshake finished` message received from the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1828

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1829

:return: The contents of the message or :py:obj:`None` if the TLS

1830

handshake has not yet completed.

1831

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1832

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1833

return self._get_finished_message(_lib.SSL_get_peer_finished)

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1834

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1835

def get_cipher_name(self):

1836

"""

1837

Obtain the name of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1838

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1839

:returns: The name of the currently used cipher or :py:obj:`None`

1840

if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1841

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1842

"""

1843

cipher = _lib.SSL_get_current_cipher(self._ssl)

1844

if cipher == _ffi.NULL:

1845

return None

1846

else:

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1847

name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))

1848

return name.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1849

1850

def get_cipher_bits(self):

1851

"""

1852

Obtain the number of secret bits of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1853

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1854

:returns: The number of secret bits of the currently used cipher

1855

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1856

:rtype: :py:class:`int` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1857

"""

1858

cipher = _lib.SSL_get_current_cipher(self._ssl)

1859

if cipher == _ffi.NULL:

1860

return None

1861

else:

1862

return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)

1863

1864

def get_cipher_version(self):

1865

"""

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1866

Obtain the protocol version of the currently used cipher.

1867

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1868

:returns: The protocol name of the currently used cipher

1869

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1870

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1871

"""

1872

cipher = _lib.SSL_get_current_cipher(self._ssl)

1873

if cipher == _ffi.NULL:

1874

return None

1875

else:

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

1876

version = _ffi.string(_lib.SSL_CIPHER_get_version(cipher))

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1877

return version.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1878

Jim Shaver

abff188

2015-05-27 09:15:55 -0400

[diff] [blame]

1879

def get_protocol_version_name(self):

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1880

"""

1881

Obtain the protocol version of the current connection.

1882

1883

:returns: The TLS version of the current connection, for example

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1884

the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown``

Jim Shaver

b5b6b0e

2015-05-28 16:47:36 -0400

[diff] [blame]

1885

for connections that were not successfully established.

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1886

:rtype: :py:class:`unicode`

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1887

"""

Jim Shaver

d1c896e

2015-05-27 17:50:21 -0400

[diff] [blame]

1888

version = _ffi.string(_lib.SSL_get_version(self._ssl))

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1889

return version.decode("utf-8")

Jim Shaver

b296792

2015-04-26 23:58:52 -0400

[diff] [blame]

1890

Jim Shaver

208438c

2015-05-28 09:52:38 -0400

[diff] [blame]

1891

def get_protocol_version(self):

1892

"""

1893

Obtain the protocol version of the current connection.

1894

1895

:returns: The TLS version of the current connection, for example

1896

the value for TLS 1 would be 0x769.

1897

:rtype: :py:class:`int`

1898

"""

1899

version = _lib.SSL_version(self._ssl)

1900

return version

1901

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1902

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1903

def get_next_proto_negotiated(self):

1904

"""

1905

Get the protocol that was negotiated by NPN.

1906

"""

1907

data = _ffi.new("unsigned char **")

1908

data_len = _ffi.new("unsigned int *")

1909

1910

_lib.SSL_get0_next_proto_negotiated(self._ssl, data, data_len)

1911

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

1912

return _ffi.buffer(data[0], data_len[0])[:]

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1913

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1914

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1915

def set_alpn_protos(self, protos):

1916

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1917

Specify the client's ALPN protocol list.

1918

1919

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1920

1921

:param protos: A list of the protocols to be offered to the server.

1922

This list should be a Python list of bytestrings representing the

1923

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1924

"""

1925

# Take the list of protocols and join them together, prefixing them

1926

# with their lengths.

1927

protostr = b''.join(

1928

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1929

)

1930

1931

# Build a C string from the list. We don't need to save this off

1932

# because OpenSSL immediately copies the data out.

1933

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

9c1979a

2015-04-12 08:51:52 -0400

[diff] [blame]

1934

input_str_len = _ffi.cast("unsigned", len(protostr))

1935

_lib.SSL_set_alpn_protos(self._ssl, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1936

Maximilian Hils

66ded6a

2015-08-26 06:02:03 +0200

[diff] [blame]

1937

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1938

def get_alpn_proto_negotiated(self):

Cory Benfield

222f30e

2015-04-13 18:10:21 -0400

[diff] [blame]

1939

"""

1940

Get the protocol that was negotiated by ALPN.

1941

"""

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1942

data = _ffi.new("unsigned char **")

1943

data_len = _ffi.new("unsigned int *")

1944

1945

_lib.SSL_get0_alpn_selected(self._ssl, data, data_len)

1946

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

if not data_len:

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1950

return _ffi.buffer(data[0], data_len[0])[:]

1951

1952

Jean-Paul Calderone