Blame - src/OpenSSL/SSL.py - platform/external/python/pyopenssl

2015-08-17 19:27:20 +0200

[diff] [blame]

1

import socket

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2

from sys import platform

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

3

from functools import wraps, partial

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

4

from itertools import count, chain

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

5

from weakref import WeakValueDictionary

6

from errno import errorcode

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

7

Cory Benfield

63759dc

2015-04-12 08:57:03 -0400

[diff] [blame]

8

from six import binary_type as _binary_type

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

9

from six import integer_types as integer_types

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

10

from six import int2byte, indexbytes

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

11

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

12

from OpenSSL._util import (

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

13

UNSPECIFIED as _UNSPECIFIED,

14

exception_from_error_queue as _exception_from_error_queue,

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

15

ffi as _ffi,

16

lib as _lib,

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

17

make_assert as _make_assert,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

18

native as _native,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

19

path_string as _path_string,

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

20

text_to_bytes_and_warn as _text_to_bytes_and_warn,

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

21

)

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

22

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

23

from OpenSSL.crypto import (

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

24

FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

25

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

26

try:

27

_memoryview = memoryview

28

except NameError:

29

class _memoryview(object):

30

pass

31

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

try:

_buffer = buffer

except NameError:

class _buffer(object):

36

pass

37

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

38

OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER

39

SSLEAY_VERSION = _lib.SSLEAY_VERSION

40

SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS

41

SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM

42

SSLEAY_DIR = _lib.SSLEAY_DIR

43

SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

44

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

45

SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN

46

RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

SSLv2_METHOD = 1

SSLv3_METHOD = 2

SSLv23_METHOD = 3

TLSv1_METHOD = 4

Jean-Paul Calderone

56bff94

2013-11-03 11:30:43 -0500

[diff] [blame]

52

TLSv1_1_METHOD = 5

53

TLSv1_2_METHOD = 6

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

54

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

55

OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2

56

OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3

57

OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

58

59

OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)

60

OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

61

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

62

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

63

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

64

OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE

Akihiro Yamazaki

e64d80c

2015-09-06 00:16:57 +0900

[diff] [blame]

65

OP_SINGLE_ECDH_USE = _lib.SSL_OP_SINGLE_ECDH_USE

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

66

OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA

67

OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG

68

OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

69

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = (

70

_lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

71

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

72

OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

73

OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

Alex Gaynor

5bb2bd1

2016-07-03 10:48:32 -0400

[diff] [blame]

74

OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

75

OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG

76

OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG

77

OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG

78

OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

79

OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE

80

OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG

81

OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1

82

OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2

83

OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

84

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = (

85

_lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

86

)

Alex Gaynor

bf01287

2016-06-04 13:18:39 -0700

[diff] [blame]

87

OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

88

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

89

OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU

90

OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE

Alex Gaynor

5bb2bd1

2016-07-03 10:48:32 -0400

[diff] [blame]

91

OP_NO_TICKET = _lib.SSL_OP_NO_TICKET

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

92

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

93

OP_ALL = _lib.SSL_OP_ALL

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

94

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

95

VERIFY_PEER = _lib.SSL_VERIFY_PEER

96

VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT

97

VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE

98

VERIFY_NONE = _lib.SSL_VERIFY_NONE

Jean-Paul Calderone

2013-03-04 08:11:19 -0800

[diff] [blame]

99

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

100

SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF

101

SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT

102

SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER

103

SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH

104

SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR

105

SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

106

SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE

107

SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

d39a3f6

2013-03-04 12:23:51 -0800

[diff] [blame]

108

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

109

SSL_ST_CONNECT = _lib.SSL_ST_CONNECT

110

SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT

111

SSL_ST_MASK = _lib.SSL_ST_MASK

Alex Gaynor

5af32d0

2016-09-24 01:52:21 -0400

[diff] [blame]

112

if _lib.Cryptography_HAS_SSL_ST:

113

SSL_ST_INIT = _lib.SSL_ST_INIT

114

SSL_ST_BEFORE = _lib.SSL_ST_BEFORE

115

SSL_ST_OK = _lib.SSL_ST_OK

116

SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

117

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

118

SSL_CB_LOOP = _lib.SSL_CB_LOOP

119

SSL_CB_EXIT = _lib.SSL_CB_EXIT

120

SSL_CB_READ = _lib.SSL_CB_READ

121

SSL_CB_WRITE = _lib.SSL_CB_WRITE

122

SSL_CB_ALERT = _lib.SSL_CB_ALERT

123

SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT

124

SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT

125

SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP

126

SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT

127

SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP

128

SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT

129

SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START

130

SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

131

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

132

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

133

class Error(Exception):

Jean-Paul Calderone

511cde0

2013-12-29 10:31:13 -0500

[diff] [blame]

134

"""

135

An error occurred in an `OpenSSL.SSL` API.

136

"""

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

137

138

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

139

_raise_current_error = partial(_exception_from_error_queue, Error)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

140

_openssl_assert = _make_assert(Error)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

141

142

143

class WantReadError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

147

class WantWriteError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

151

class WantX509LookupError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

155

class ZeroReturnError(Error):

pass

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

159

class SysCallError(Error):

pass

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

163

class _CallbackExceptionHelper(object):

164

"""

165

A base class for wrapper classes that allow for intelligent exception

166

handling in OpenSSL callbacks.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

167

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

168

:ivar list _problems: Any exceptions that occurred while executing in a

169

context where they could not be raised in the normal way. Typically

170

this is because OpenSSL has called into some Python code and requires a

171

return value. The exceptions are saved to be raised later when it is

172

possible to do so.

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

173

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

174

Jean-Paul Calderone

09540d7

2015-03-22 19:37:20 -0400

[diff] [blame]

175

def __init__(self):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

176

self._problems = []

177

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

178

def raise_if_problem(self):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

179

"""

180

Raise an exception from the OpenSSL error queue or that was previously

181

captured whe running a callback.

182

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

183

if self._problems:

184

try:

185

_raise_current_error()

186

except Error:

187

pass

188

raise self._problems.pop(0)

189

190

191

class _VerifyHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

192

"""

193

Wrap a callback such that it can be used as a certificate verification

194

callback.

195

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

196

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

197

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

198

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

199

200

@wraps(callback)

201

def wrapper(ok, store_ctx):

202

cert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

203

cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)

204

error_number = _lib.X509_STORE_CTX_get_error(store_ctx)

205

error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

206

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

207

index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()

208

ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)

209

connection = Connection._reverse_mapping[ssl]

210

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

211

try:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

212

result = callback(

213

connection, cert, error_number, error_depth, ok

214

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

215

except Exception as e:

216

self._problems.append(e)

217

return 0

218

else:

219

if result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

220

_lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

return 1

else:

return 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

225

self.callback = _ffi.callback(

226

"int (*)(int, X509_STORE_CTX *)", wrapper)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

227

228

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

229

class _NpnAdvertiseHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

230

"""

231

Wrap a callback such that it can be used as an NPN advertisement callback.

232

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

233

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

234

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

235

_CallbackExceptionHelper.__init__(self)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

236

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

237

@wraps(callback)

238

def wrapper(ssl, out, outlen, arg):

239

try:

240

conn = Connection._reverse_mapping[ssl]

241

protos = callback(conn)

242

243

# Join the protocols into a Python bytestring, length-prefixing

244

# each element.

245

protostr = b''.join(

246

chain.from_iterable((int2byte(len(p)), p) for p in protos)

247

)

248

249

# Save our callback arguments on the connection object. This is

250

# done to make sure that they don't get freed before OpenSSL

251

# uses them. Then, return them appropriately in the output

252

# parameters.

253

conn._npn_advertise_callback_args = [

254

_ffi.new("unsigned int *", len(protostr)),

255

_ffi.new("unsigned char[]", protostr),

256

]

257

outlen[0] = conn._npn_advertise_callback_args[0][0]

258

out[0] = conn._npn_advertise_callback_args[1]

259

return 0

260

except Exception as e:

261

self._problems.append(e)

262

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

263

264

self.callback = _ffi.callback(

265

"int (*)(SSL *, const unsigned char **, unsigned int *, void *)",

wrapper

)

class _NpnSelectHelper(_CallbackExceptionHelper):

Jean-Paul Calderone

2015-03-22 19:37:11 -0400

[diff] [blame]

271

"""

272

Wrap a callback such that it can be used as an NPN selection callback.

273

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

274

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

275

def __init__(self, callback):

Jean-Paul Calderone

837f403

2015-03-22 17:38:28 -0400

[diff] [blame]

276

_CallbackExceptionHelper.__init__(self)

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

277

278

@wraps(callback)

279

def wrapper(ssl, out, outlen, in_, inlen, arg):

280

try:

281

conn = Connection._reverse_mapping[ssl]

282

283

# The string passed to us is actually made up of multiple

284

# length-prefixed bytestrings. We need to split that into a

285

# list.

286

instr = _ffi.buffer(in_, inlen)[:]

287

protolist = []

288

while instr:

289

l = indexbytes(instr, 0)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

290

proto = instr[1:l + 1]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

291

protolist.append(proto)

Alex Gaynor

ca87ff6

2015-09-04 23:31:03 -0400

[diff] [blame]

292

instr = instr[l + 1:]

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

293

294

# Call the callback

295

outstr = callback(conn, protolist)

296

297

# Save our callback arguments on the connection object. This is

298

# done to make sure that they don't get freed before OpenSSL

299

# uses them. Then, return them appropriately in the output

300

# parameters.

301

conn._npn_select_callback_args = [

302

_ffi.new("unsigned char *", len(outstr)),

303

_ffi.new("unsigned char[]", outstr),

304

]

305

outlen[0] = conn._npn_select_callback_args[0][0]

306

out[0] = conn._npn_select_callback_args[1]

307

return 0

308

except Exception as e:

309

self._problems.append(e)

310

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

311

312

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

313

("int (*)(SSL *, unsigned char **, unsigned char *, "

314

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

315

wrapper

316

)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

317

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

318

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

319

class _ALPNSelectHelper(_CallbackExceptionHelper):

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

320

"""

321

Wrap a callback such that it can be used as an ALPN selection callback.

322

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

323

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

324

def __init__(self, callback):

325

_CallbackExceptionHelper.__init__(self)

326

327

@wraps(callback)

328

def wrapper(ssl, out, outlen, in_, inlen, arg):

329

try:

330

conn = Connection._reverse_mapping[ssl]

331

332

# The string passed to us is made up of multiple

333

# length-prefixed bytestrings. We need to split that into a

334

# list.

335

instr = _ffi.buffer(in_, inlen)[:]

336

protolist = []

337

while instr:

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

338

encoded_len = indexbytes(instr, 0)

339

proto = instr[1:encoded_len + 1]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

340

protolist.append(proto)

Cory Benfield

93134db

2015-04-13 17:22:13 -0400

[diff] [blame]

341

instr = instr[encoded_len + 1:]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

342

343

# Call the callback

344

outstr = callback(conn, protolist)

345

346

if not isinstance(outstr, _binary_type):

347

raise TypeError("ALPN callback must return a bytestring.")

348

349

# Save our callback arguments on the connection object to make

350

# sure that they don't get freed before OpenSSL can use them.

351

# Then, return them in the appropriate output parameters.

352

conn._alpn_select_callback_args = [

353

_ffi.new("unsigned char *", len(outstr)),

354

_ffi.new("unsigned char[]", outstr),

355

]

356

outlen[0] = conn._alpn_select_callback_args[0][0]

357

out[0] = conn._alpn_select_callback_args[1]

358

return 0

359

except Exception as e:

360

self._problems.append(e)

361

return 2 # SSL_TLSEXT_ERR_ALERT_FATAL

362

363

self.callback = _ffi.callback(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

364

("int (*)(SSL *, unsigned char **, unsigned char *, "

365

"const unsigned char *, unsigned int, void *)"),

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

wrapper

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

370

def _asFileDescriptor(obj):

371

fd = None

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

372

if not isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

373

meth = getattr(obj, "fileno", None)

374

if meth is not None:

375

obj = meth()

376

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

377

if isinstance(obj, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

378

fd = obj

379

Konstantinos Koukopoulos

2014-01-28 00:21:50 -0800

[diff] [blame]

380

if not isinstance(fd, integer_types):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

381

raise TypeError("argument must be an int, or have a fileno() method.")

382

elif fd < 0:

383

raise ValueError(

384

"file descriptor cannot be a negative integer (%i)" % (fd,))

return fd

Jean-Paul Calderone

2013-03-04 12:23:51 -0800

[diff] [blame]

389

def SSLeay_version(type):

390

"""

391

Return a string describing the version of OpenSSL in use.

392

393

:param type: One of the SSLEAY_ constants defined in this module.

394

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

395

return _ffi.string(_lib.SSLeay_version(type))

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

396

397

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

398

def _make_requires(flag, error):

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

399

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

400

Builds a decorator that ensures that functions that rely on OpenSSL

401

functions that are not present in this build raise NotImplementedError,

402

rather than AttributeError coming out of cryptography.

403

404

:param flag: A cryptography flag that guards the functions, e.g.

405

``Cryptography_HAS_NEXTPROTONEG``.

406

:param error: The string to be used in the exception if the flag is false.

Cory Benfield

a876cef

2015-04-13 17:29:12 -0400

[diff] [blame]

407

"""

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

408

def _requires_decorator(func):

409

if not flag:

410

@wraps(func)

411

def explode(*args, **kwargs):

412

raise NotImplementedError(error)

413

return explode

414

else:

415

return func

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

416

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

417

return _requires_decorator

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

418

419

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

420

_requires_npn = _make_requires(

421

_lib.Cryptography_HAS_NEXTPROTONEG, "NPN not available"

422

)

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

423

424

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

425

_requires_alpn = _make_requires(

426

_lib.Cryptography_HAS_ALPN, "ALPN not available"

427

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

428

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

429

Cory Benfield

2016-03-29 15:32:48 +0100

[diff] [blame]

430

_requires_sni = _make_requires(

431

_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"

432

)

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

433

434

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

435

class Session(object):

pass

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

439

class Context(object):

440

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

441

:class:`OpenSSL.SSL.Context` instances define the parameters for setting

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

442

up new SSL connections.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

443

"""

444

_methods = {

Andrew Dunham

ec84a0a

2014-02-24 12:41:37 -0800

[diff] [blame]

445

SSLv2_METHOD: "SSLv2_method",

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

446

SSLv3_METHOD: "SSLv3_method",

447

SSLv23_METHOD: "SSLv23_method",

448

TLSv1_METHOD: "TLSv1_method",

449

TLSv1_1_METHOD: "TLSv1_1_method",

450

TLSv1_2_METHOD: "TLSv1_2_method",

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

451

}

Jean-Paul Calderone

be2bb42

2013-12-29 07:34:08 -0500

[diff] [blame]

452

_methods = dict(

453

(identifier, getattr(_lib, name))

454

for (identifier, name) in _methods.items()

455

if getattr(_lib, name, None) is not None)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

456

457

def __init__(self, method):

458

"""

459

:param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or

460

TLSv1_METHOD.

461

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

462

if not isinstance(method, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

463

raise TypeError("method must be an integer")

464

465

try:

466

method_func = self._methods[method]

467

except KeyError:

468

raise ValueError("No such protocol")

469

470

method_obj = method_func()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

471

_openssl_assert(method_obj != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

472

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

473

context = _lib.SSL_CTX_new(method_obj)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

474

_openssl_assert(context != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

475

context = _ffi.gc(context, _lib.SSL_CTX_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

476

477

self._context = context

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

478

self._passphrase_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

479

self._passphrase_callback = None

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

480

self._passphrase_userdata = None

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

481

self._verify_helper = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

482

self._verify_callback = None

483

self._info_callback = None

484

self._tlsext_servername_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

485

self._app_data = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

486

self._npn_advertise_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

487

self._npn_advertise_callback = None

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

488

self._npn_select_helper = None

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

489

self._npn_select_callback = None

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

490

self._alpn_select_helper = None

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

491

self._alpn_select_callback = None

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

492

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

493

# SSL_CTX_set_app_data(self->ctx, self);

494

# SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |

495

# SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

496

# SSL_MODE_AUTO_RETRY);

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

497

self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

498

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

499

def load_verify_locations(self, cafile, capath=None):

500

"""

501

Let SSL know where we can find trusted certificates for the certificate

502

chain

503

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

504

:param cafile: In which file we can find the certificates (``bytes`` or

505

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

506

:param capath: In which directory we can find the certificates

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

507

(``bytes`` or ``unicode``).

508

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

509

:return: None

510

"""

511

if cafile is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

512

cafile = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

513

else:

514

cafile = _path_string(cafile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

515

516

if capath is None:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

517

capath = _ffi.NULL

Jean-Paul Calderone

2015-04-12 09:31:03 -0400

[diff] [blame]

518

else:

519

capath = _path_string(capath)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

520

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

521

load_result = _lib.SSL_CTX_load_verify_locations(

522

self._context, cafile, capath

523

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

524

if not load_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

525

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

526

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

527

def _wrap_callback(self, callback):

528

@wraps(callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

529

def wrapper(size, verify, userdata):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

530

return callback(size, verify, self._passphrase_userdata)

531

return _PassphraseHelper(

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

532

FILETYPE_PEM, wrapper, more_args=True, truncate=True)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

533

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

534

def set_passwd_cb(self, callback, userdata=None):

535

"""

536

Set the passphrase callback

537

538

:param callback: The Python callback to use

539

:param userdata: (optional) A Python object which will be given as

540

argument to the callback

541

:return: None

542

"""

543

if not callable(callback):

544

raise TypeError("callback must be callable")

545

546

self._passphrase_helper = self._wrap_callback(callback)

547

self._passphrase_callback = self._passphrase_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

548

_lib.SSL_CTX_set_default_passwd_cb(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

549

self._context, self._passphrase_callback)

550

self._passphrase_userdata = userdata

551

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

552

def set_default_verify_paths(self):

553

"""

554

Use the platform-specific CA certificate locations

555

556

:return: None

557

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

558

set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

559

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

560

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

561

def use_certificate_chain_file(self, certfile):

562

"""

563

Load a certificate chain from a file

564

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

565

:param certfile: The name of the certificate chain file (``bytes`` or

566

``unicode``).

567

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

568

:return: None

569

"""

Jean-Paul Calderone

aac43a3

2015-04-12 09:51:21 -0400

[diff] [blame]

570

certfile = _path_string(certfile)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

571

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

572

result = _lib.SSL_CTX_use_certificate_chain_file(

573

self._context, certfile

574

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

575

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

576

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

577

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

578

def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

579

"""

580

Load a certificate from a file

581

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

582

:param certfile: The name of the certificate file (``bytes`` or

583

``unicode``).

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

584

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

585

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

586

:return: None

587

"""

Jean-Paul Calderone

d57a7b6

2015-04-12 09:57:36 -0400

[diff] [blame]

588

certfile = _path_string(certfile)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

589

if not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

590

raise TypeError("filetype must be an integer")

591

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

592

use_result = _lib.SSL_CTX_use_certificate_file(

593

self._context, certfile, filetype

594

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

596

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

597

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

598

def use_certificate(self, cert):

599

"""

600

Load a certificate from a X509 object

601

602

:param cert: The X509 object

603

:return: None

604

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

605

if not isinstance(cert, X509):

606

raise TypeError("cert must be an X509 instance")

607

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

608

use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

609

if not use_result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

610

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

611

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

612

def add_extra_chain_cert(self, certobj):

613

"""

614

Add certificate to chain

615

616

:param certobj: The X509 certificate object to add to the chain

617

:return: None

618

"""

619

if not isinstance(certobj, X509):

620

raise TypeError("certobj must be an X509 instance")

621

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

622

copy = _lib.X509_dup(certobj._x509)

623

add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

624

if not add_result:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

625

# TODO: This is untested.

626

_lib.X509_free(copy)

627

_raise_current_error()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

628

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

629

def _raise_passphrase_exception(self):

630

if self._passphrase_helper is None:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

631

_raise_current_error()

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

exception = self._passphrase_helper.raise_if_problem(Error)

633

if exception is not None:

634

raise exception

635

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

636

def use_privatekey_file(self, keyfile, filetype=_UNSPECIFIED):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

637

"""

638

Load a private key from a file

639

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

640

:param keyfile: The name of the key file (``bytes`` or ``unicode``)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

641

:param filetype: (optional) The encoding of the file, default is PEM

Jean-Paul Calderone

2015-04-13 10:10:06 -0400

[diff] [blame]

642

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

643

:return: None

644

"""

Jean-Paul Calderone

69a4e5b

2015-04-12 10:04:28 -0400

[diff] [blame]

645

keyfile = _path_string(keyfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

646

Jean-Paul Calderone

00f84eb

2015-04-13 12:47:21 -0400

[diff] [blame]

647

if filetype is _UNSPECIFIED:

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

648

filetype = FILETYPE_PEM

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

649

elif not isinstance(filetype, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

650

raise TypeError("filetype must be an integer")

651

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

652

use_result = _lib.SSL_CTX_use_PrivateKey_file(

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

653

self._context, keyfile, filetype)

654

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

655

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

656

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

657

def use_privatekey(self, pkey):

658

"""

659

Load a private key from a PKey object

660

661

:param pkey: The PKey object

662

:return: None

663

"""

664

if not isinstance(pkey, PKey):

665

raise TypeError("pkey must be a PKey instance")

666

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

667

use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

668

if not use_result:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

669

self._raise_passphrase_exception()

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

670

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

671

def check_privatekey(self):

672

"""

673

Check that the private key and certificate match up

674

675

:return: None (raises an exception if something's wrong)

676

"""

Jean-Paul Calderone

a034492

2014-12-11 14:02:31 -0500

[diff] [blame]

677

if not _lib.SSL_CTX_check_private_key(self._context):

678

_raise_current_error()

679

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

680

def load_client_ca(self, cafile):

681

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

682

Load the trusted certificates that will be sent to the client. Does

683

not actually imply any of the certificates are trusted; that must be

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

684

configured separately.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

685

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

686

:param bytes cafile: The path to a certificates file in PEM format.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

687

:return: None

688

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

689

ca_list = _lib.SSL_load_client_CA_file(

690

_text_to_bytes_and_warn("cafile", cafile)

691

)

692

_openssl_assert(ca_list != _ffi.NULL)

693

# SSL_CTX_set_client_CA_list doesn't return anything.

694

_lib.SSL_CTX_set_client_CA_list(self._context, ca_list)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

695

696

def set_session_id(self, buf):

697

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

698

Set the session id to *buf* within which a session can be reused for

699

this Context object. This is needed when doing session resumption,

700

because there is no way for a stored session to know which Context

701

object it is associated with.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

702

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

703

:param bytes buf: The session id.

704

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

705

:returns: None

706

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

707

buf = _text_to_bytes_and_warn("buf", buf)

708

_openssl_assert(

709

_lib.SSL_CTX_set_session_id_context(

self._context,

buf,

len(buf),

) == 1

)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

715

716

def set_session_cache_mode(self, mode):

717

"""

718

Enable/disable session caching and specify the mode used.

719

720

:param mode: One or more of the SESS_CACHE_* flags (combine using

721

bitwise or)

722

:returns: The previously set caching mode.

723

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

724

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

725

raise TypeError("mode must be an integer")

726

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

727

return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

728

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

729

def get_session_cache_mode(self):

730

"""

731

:returns: The currently used cache mode.

732

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

733

return _lib.SSL_CTX_get_session_cache_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

734

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

735

def set_verify(self, mode, callback):

736

"""

737

Set the verify mode and verify callback

738

739

:param mode: The verify mode, this is either VERIFY_NONE or

740

VERIFY_PEER combined with possible other flags

741

:param callback: The Python callback to use

742

:return: None

743

744

See SSL_CTX_set_verify(3SSL) for further details.

745

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

746

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

747

raise TypeError("mode must be an integer")

748

749

if not callable(callback):

750

raise TypeError("callback must be callable")

751

Jean-Paul Calderone

6a8cd11

2014-04-02 21:09:08 -0400

[diff] [blame]

752

self._verify_helper = _VerifyHelper(callback)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

753

self._verify_callback = self._verify_helper.callback

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

754

_lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

755

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

756

def set_verify_depth(self, depth):

"""

Set the verify depth

:param depth: An integer specifying the verify depth

761

:return: None

762

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

763

if not isinstance(depth, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

764

raise TypeError("depth must be an integer")

765

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

766

_lib.SSL_CTX_set_verify_depth(self._context, depth)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

767

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

768

def get_verify_mode(self):

"""

Get the verify mode

:return: The verify mode

773

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

774

return _lib.SSL_CTX_get_verify_mode(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

775

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

776

def get_verify_depth(self):

"""

Get the verify depth

:return: The verify depth

781

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

782

return _lib.SSL_CTX_get_verify_depth(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

783

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

784

def load_tmp_dh(self, dhfile):

785

"""

786

Load parameters for Ephemeral Diffie-Hellman

787

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

788

:param dhfile: The file to load EDH parameters from (``bytes`` or

789

``unicode``).

790

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

791

:return: None

792

"""

Jean-Paul Calderone

9e1c1dd

2015-04-12 10:13:13 -0400

[diff] [blame]

793

dhfile = _path_string(dhfile)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

794

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

795

bio = _lib.BIO_new_file(dhfile, b"r")

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

796

if bio == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

797

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

798

bio = _ffi.gc(bio, _lib.BIO_free)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

799

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

800

dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)

801

dh = _ffi.gc(dh, _lib.DH_free)

802

_lib.SSL_CTX_set_tmp_dh(self._context, dh)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

803

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

804

def set_tmp_ecdh(self, curve):

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

805

"""

Andy Lutomirski

76a6133

2014-03-12 15:02:56 -0700

[diff] [blame]

806

Select a curve to use for ECDHE key exchange.

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

807

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

808

:param curve: A curve object to use as returned by either

809

:py:meth:`OpenSSL.crypto.get_elliptic_curve` or

810

:py:meth:`OpenSSL.crypto.get_elliptic_curves`.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

811

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

812

:return: None

813

"""

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

814

_lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())

Alex Gaynor

2014-01-17 12:08:54 -0600

[diff] [blame]

815

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

816

def set_cipher_list(self, cipher_list):

817

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

818

Set the list of ciphers to be used in this context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

819

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

820

See the OpenSSL manual for more information (e.g.

821

:manpage:`ciphers(1)`).

822

823

:param bytes cipher_list: An OpenSSL cipher string.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

824

:return: None

825

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

826

cipher_list = _text_to_bytes_and_warn("cipher_list", cipher_list)

Jean-Paul Calderone

63eab69

2014-01-18 10:19:56 -0500

[diff] [blame]

827

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

828

if not isinstance(cipher_list, bytes):

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

829

raise TypeError("cipher_list must be a byte string.")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

830

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

831

_openssl_assert(

Hynek Schlawack

22a4b66

2016-03-11 14:59:39 +0100

[diff] [blame]

832

_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

833

)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

834

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

835

def set_client_ca_list(self, certificate_authorities):

836

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

837

Set the list of preferred client certificate signers for this server

838

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

839

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

840

This list of certificate authorities will be sent to the client when

841

the server requests a client certificate.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

842

843

:param certificate_authorities: a sequence of X509Names.

844

:return: None

845

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

846

name_stack = _lib.sk_X509_NAME_new_null()

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

847

_openssl_assert(name_stack != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

848

849

try:

850

for ca_name in certificate_authorities:

851

if not isinstance(ca_name, X509Name):

852

raise TypeError(

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

853

"client CAs must be X509Name objects, not %s "

854

"objects" % (

855

type(ca_name).__name__,

856

)

857

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

858

copy = _lib.X509_NAME_dup(ca_name._name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

859

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

860

push_result = _lib.sk_X509_NAME_push(name_stack, copy)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

861

if not push_result:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

862

_lib.X509_NAME_free(copy)

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

863

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

864

except:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

865

_lib.sk_X509_NAME_free(name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

866

raise

867

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

868

_lib.SSL_CTX_set_client_CA_list(self._context, name_stack)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

869

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

870

def add_client_ca(self, certificate_authority):

871

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

872

Add the CA certificate to the list of preferred signers for this

873

context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

874

875

The list of certificate authorities will be sent to the client when the

876

server requests a client certificate.

877

878

:param certificate_authority: certificate authority's X509 certificate.

879

:return: None

880

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

881

if not isinstance(certificate_authority, X509):

882

raise TypeError("certificate_authority must be an X509 instance")

883

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

884

add_result = _lib.SSL_CTX_add_client_CA(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

885

self._context, certificate_authority._x509)

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

886

_openssl_assert(add_result == 1)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

887

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

888

def set_timeout(self, timeout):

"""

Set session timeout

:param timeout: The timeout in seconds

893

:return: The previous session timeout

894

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

895

if not isinstance(timeout, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

896

raise TypeError("timeout must be an integer")

897

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

898

return _lib.SSL_CTX_set_timeout(self._context, timeout)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

899

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

900

def get_timeout(self):

901

"""

902

Get the session timeout

903

904

:return: The session timeout

905

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

906

return _lib.SSL_CTX_get_timeout(self._context)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

907

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

908

def set_info_callback(self, callback):

909

"""

910

Set the info callback

911

912

:param callback: The Python callback to use

913

:return: None

914

"""

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

915

@wraps(callback)

916

def wrapper(ssl, where, return_code):

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

917

callback(Connection._reverse_mapping[ssl], where, return_code)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

918

self._info_callback = _ffi.callback(

919

"void (*)(const SSL *, int, int)", wrapper)

920

_lib.SSL_CTX_set_info_callback(self._context, self._info_callback)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

921

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

922

def get_app_data(self):

923

"""

924

Get the application data (supplied via set_app_data())

925

926

:return: The application data

927

"""

928

return self._app_data

929

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

930

def set_app_data(self, data):

931

"""

932

Set the application data (will be returned from get_app_data())

933

934

:param data: Any Python object

935

:return: None

936

"""

937

self._app_data = data

938

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

939

def get_cert_store(self):

940

"""

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

941

Get the certificate store for the context.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

942

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

943

:return: A X509Store object or None if it does not have one.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

944

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

945

store = _lib.SSL_CTX_get_cert_store(self._context)

946

if store == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

947

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

948

return None

949

950

pystore = X509Store.__new__(X509Store)

951

pystore._store = store

952

return pystore

953

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

954

def set_options(self, options):

955

"""

956

Add options. Options set before are not cleared!

957

958

:param options: The options to add.

959

:return: The new option bitmask.

960

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

961

if not isinstance(options, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

962

raise TypeError("options must be an integer")

963

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

964

return _lib.SSL_CTX_set_options(self._context, options)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

965

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

966

def set_mode(self, mode):

967

"""

968

Add modes via bitmask. Modes set before are not cleared!

969

970

:param mode: The mode to add.

971

:return: The new mode bitmask.

972

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

973

if not isinstance(mode, integer_types):

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

974

raise TypeError("mode must be an integer")

975

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

976

return _lib.SSL_CTX_set_mode(self._context, mode)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

977

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

978

@_requires_sni

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

979

def set_tlsext_servername_callback(self, callback):

980

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

981

Specify a callback function to be called when clients specify a server

982

name.

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

983

984

:param callback: The callback function. It will be invoked with one

985

argument, the Connection instance.

986

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

987

@wraps(callback)

988

def wrapper(ssl, alert, arg):

989

callback(Connection._reverse_mapping[ssl])

990

return 0

991

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

992

self._tlsext_servername_callback = _ffi.callback(

993

"int (*)(const SSL *, int *, void *)", wrapper)

994

_lib.SSL_CTX_set_tlsext_servername_callback(

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

995

self._context, self._tlsext_servername_callback)

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

996

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

997

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

998

def set_npn_advertise_callback(self, callback):

999

"""

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1000

Specify a callback function that will be called when offering `Next

1001

Protocol Negotiation

1002

<https://technotes.googlecode.com/git/nextprotoneg.html>`_ as a server.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1003

1004

:param callback: The callback function. It will be invoked with one

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1005

argument, the Connection instance. It should return a list of

1006

bytestrings representing the advertised protocols, like

1007

``[b'http/1.1', b'spdy/2']``.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1008

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1009

self._npn_advertise_helper = _NpnAdvertiseHelper(callback)

1010

self._npn_advertise_callback = self._npn_advertise_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1011

_lib.SSL_CTX_set_next_protos_advertised_cb(

1012

self._context, self._npn_advertise_callback, _ffi.NULL)

1013

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1014

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1015

def set_npn_select_callback(self, callback):

1016

"""

1017

Specify a callback function that will be called when a server offers

1018

Next Protocol Negotiation options.

1019

1020

:param callback: The callback function. It will be invoked with two

1021

arguments: the Connection, and a list of offered protocols as

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1022

bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return

1023

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1024

"""

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1025

self._npn_select_helper = _NpnSelectHelper(callback)

1026

self._npn_select_callback = self._npn_select_helper.callback

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1027

_lib.SSL_CTX_set_next_proto_select_cb(

1028

self._context, self._npn_select_callback, _ffi.NULL)

1029

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1030

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1031

def set_alpn_protos(self, protos):

1032

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1033

Specify the clients ALPN protocol list.

1034

1035

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1036

1037

:param protos: A list of the protocols to be offered to the server.

1038

This list should be a Python list of bytestrings representing the

1039

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1040

"""

1041

# Take the list of protocols and join them together, prefixing them

1042

# with their lengths.

1043

protostr = b''.join(

1044

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1045

)

1046

1047

# Build a C string from the list. We don't need to save this off

1048

# because OpenSSL immediately copies the data out.

1049

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

e871af5

2015-04-11 17:57:50 -0400

[diff] [blame]

1050

input_str_len = _ffi.cast("unsigned", len(protostr))

1051

_lib.SSL_CTX_set_alpn_protos(self._context, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1052

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1053

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1054

def set_alpn_select_callback(self, callback):

1055

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1056

Set the callback to handle ALPN protocol choice.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1057

1058

:param callback: The callback function. It will be invoked with two

1059

arguments: the Connection, and a list of offered protocols as

1060

bytestrings, e.g ``[b'http/1.1', b'spdy/2']``. It should return

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1061

one of those bytestrings, the chosen protocol.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1062

"""

Cory Benfield

9da5ffb

2015-04-13 17:20:14 -0400

[diff] [blame]

1063

self._alpn_select_helper = _ALPNSelectHelper(callback)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1064

self._alpn_select_callback = self._alpn_select_helper.callback

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1065

_lib.SSL_CTX_set_alpn_select_cb(

1066

self._context, self._alpn_select_callback, _ffi.NULL)

1067

Alex Chan

c607706

2016-11-18 13:53:39 +0000

[diff] [blame^]

1068

Jean-Paul Calderone

2013-03-05 07:57:57 -0800

[diff] [blame]

1069

ContextType = Context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1070

1071

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1072

class Connection(object):

1073

"""

1074

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1075

_reverse_mapping = WeakValueDictionary()

1076

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1077

def __init__(self, context, socket=None):

1078

"""

1079

Create a new Connection object, using the given OpenSSL.SSL.Context

1080

instance and socket.

1081

1082

:param context: An SSL Context to use for this connection

1083

:param socket: The socket to use for transport layer

1084

"""

1085

if not isinstance(context, Context):

1086

raise TypeError("context must be a Context instance")

1087

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1088

ssl = _lib.SSL_new(context._context)

1089

self._ssl = _ffi.gc(ssl, _lib.SSL_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1090

self._context = context

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

1091

self._app_data = None

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1092

Cory Benfield

2014-05-10 09:48:55 +0100

[diff] [blame]

1093

# References to strings used for Next Protocol Negotiation. OpenSSL's

1094

# header files suggest that these might get copied at some point, but

1095

# doesn't specify when, so we store them here to make sure they don't

1096

# get freed before OpenSSL uses them.

1097

self._npn_advertise_callback_args = None

1098

self._npn_select_callback_args = None

1099

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1100

# References to strings used for Application Layer Protocol

1101

# Negotiation. These strings get copied at some point but it's well

1102

# after the callback returns, so we have to hang them somewhere to

1103

# avoid them getting freed.

1104

self._alpn_select_callback_args = None

1105

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1106

self._reverse_mapping[self._ssl] = self

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1107

1108

if socket is None:

1109

self._socket = None

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1110

# Don't set up any gc for these, SSL_free will take care of them.

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1111

self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1112

_openssl_assert(self._into_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1113

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1114

self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())

1115

_openssl_assert(self._from_ssl != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1116

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1117

_lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1118

else:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1119

self._into_ssl = None

1120

self._from_ssl = None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1121

self._socket = socket

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1122

set_result = _lib.SSL_set_fd(

1123

self._ssl, _asFileDescriptor(self._socket))

Alex Gaynor

09f19f5

2016-07-03 09:54:09 -0400

[diff] [blame]

1124

_openssl_assert(set_result == 1)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1125

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1126

def __getattr__(self, name):

1127

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1128

Look up attributes on the wrapped socket object if they are not found

1129

on the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1130

"""

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1131

if self._socket is None:

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1132

raise AttributeError("'%s' object has no attribute '%s'" % (

1133

self.__class__.__name__, name

1134

))

kjav

0b66fa1

2015-09-02 11:51:26 +0100

[diff] [blame]

1135

else:

1136

return getattr(self._socket, name)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1137

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1138

def _raise_ssl_error(self, ssl, result):

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1139

if self._context._verify_helper is not None:

1140

self._context._verify_helper.raise_if_problem()

Cory Benfield

2015-03-22 09:05:28 +0000

[diff] [blame]

1141

if self._context._npn_advertise_helper is not None:

1142

self._context._npn_advertise_helper.raise_if_problem()

1143

if self._context._npn_select_helper is not None:

1144

self._context._npn_select_helper.raise_if_problem()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1145

if self._context._alpn_select_helper is not None:

1146

self._context._alpn_select_helper.raise_if_problem()

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1147

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1148

error = _lib.SSL_get_error(ssl, result)

1149

if error == _lib.SSL_ERROR_WANT_READ:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1150

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1151

elif error == _lib.SSL_ERROR_WANT_WRITE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1152

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1153

elif error == _lib.SSL_ERROR_ZERO_RETURN:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1154

raise ZeroReturnError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1155

elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1156

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1157

raise WantX509LookupError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1158

elif error == _lib.SSL_ERROR_SYSCALL:

1159

if _lib.ERR_peek_error() == 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1160

if result < 0:

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

1161

if platform == "win32":

1162

errno = _ffi.getwinerror()[0]

1163

else:

1164

errno = _ffi.errno

Alex Gaynor

5af32d0

2016-09-24 01:52:21 -0400

[diff] [blame]

1165

1166

if errno != 0:

1167

raise SysCallError(errno, errorcode.get(errno))

1168

raise SysCallError(-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1169

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1170

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1171

_raise_current_error()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1172

elif error == _lib.SSL_ERROR_NONE:

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1173

pass

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1174

else:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1175

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1176

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1177

def get_context(self):

1178

"""

1179

Get session context

1180

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1181

return self._context

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1182

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1183

def set_context(self, context):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1184

"""

1185

Switch this connection to a new session context

1186

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1187

:param context: A :py:class:`Context` instance giving the new session

1188

context to use.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1189

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1190

if not isinstance(context, Context):

1191

raise TypeError("context must be a Context instance")

1192

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1193

_lib.SSL_set_SSL_CTX(self._ssl, context._context)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1194

self._context = context

1195

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1196

@_requires_sni

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1197

def get_servername(self):

1198

"""

1199

Retrieve the servername extension value if provided in the client hello

1200

message, or None if there wasn't one.

1201

1202

:return: A byte string giving the server name or :py:data:`None`.

1203

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1204

name = _lib.SSL_get_servername(

1205

self._ssl, _lib.TLSEXT_NAMETYPE_host_name

1206

)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1207

if name == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1208

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1209

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1210

return _ffi.string(name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1211

Cory Benfield

2016-03-29 11:21:04 +0100

[diff] [blame]

1212

@_requires_sni

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1213

def set_tlsext_host_name(self, name):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1214

"""

1215

Set the value of the servername extension to send in the client hello.

1216

1217

:param name: A byte string giving the name.

1218

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1219

if not isinstance(name, bytes):

1220

raise TypeError("name must be a byte string")

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1221

elif b"\0" in name:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1222

raise TypeError("name must not contain NUL byte")

1223

1224

# XXX I guess this can fail sometimes?

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1225

_lib.SSL_set_tlsext_host_name(self._ssl, name)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1226

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1227

def pending(self):

1228

"""

1229

Get the number of bytes that can be safely read from the connection

1230

1231

:return: The number of bytes available in the receive buffer.

1232

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1233

return _lib.SSL_pending(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1234

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1235

def send(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1236

"""

1237

Send data on the connection. NOTE: If you get one of the WantRead,

1238

WantWrite or WantX509Lookup exceptions on this, you have to call the

1239

method again with the SAME buffer.

1240

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1241

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1242

:param flags: (optional) Included for compatibility with the socket

1243

API, the value is ignored

1244

:return: The number of bytes written

1245

"""

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1246

# Backward compatibility

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1247

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1248

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1249

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1250

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1251

if isinstance(buf, _buffer):

1252

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1253

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1254

raise TypeError("data must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1255

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1256

result = _lib.SSL_write(self._ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1257

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return result

write = send

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1261

def sendall(self, buf, flags=0):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1262

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1263

Send "all" data on the connection. This calls send() repeatedly until

1264

all data is sent. If an error occurs, it's impossible to tell how much

1265

data has been sent.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1266

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1267

:param buf: The string, buffer or memoryview to send

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1268

:param flags: (optional) Included for compatibility with the socket

1269

API, the value is ignored

1270

:return: The number of bytes written

1271

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1272

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1273

Jean-Paul Calderone

8fb5318

2013-12-30 08:35:49 -0500

[diff] [blame]

1274

if isinstance(buf, _memoryview):

Jean-Paul Calderone

1aba416

2013-03-05 18:50:00 -0800

[diff] [blame]

1275

buf = buf.tobytes()

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1276

if isinstance(buf, _buffer):

1277

buf = str(buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1278

if not isinstance(buf, bytes):

Markus Unterwaditzer

2014-04-19 12:27:11 +0200

[diff] [blame]

1279

raise TypeError("buf must be a memoryview, buffer or byte string")

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1280

1281

left_to_send = len(buf)

1282

total_sent = 0

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1283

data = _ffi.new("char[]", buf)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1284

1285

while left_to_send:

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1286

result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1287

self._raise_ssl_error(self._ssl, result)

1288

total_sent += result

1289

left_to_send -= result

1290

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1291

def recv(self, bufsiz, flags=None):

1292

"""

Alex Gaynor

67fc8c9

2016-05-27 08:27:19 -0400

[diff] [blame]

1293

Receive data on the connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1294

1295

:param bufsiz: The maximum number of bytes to read

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1296

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1297

all other flags are ignored.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1298

:return: The string read from the Connection

1299

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1300

buf = _ffi.new("char[]", bufsiz)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1301

if flags is not None and flags & socket.MSG_PEEK:

1302

result = _lib.SSL_peek(self._ssl, buf, bufsiz)

1303

else:

1304

result = _lib.SSL_read(self._ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1305

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1306

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1307

read = recv

1308

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1309

def recv_into(self, buffer, nbytes=None, flags=None):

1310

"""

1311

Receive data on the connection and store the data into a buffer rather

1312

than creating a new string.

1313

1314

:param buffer: The buffer to copy into.

1315

:param nbytes: (optional) The maximum number of bytes to read into the

1316

buffer. If not present, defaults to the size of the buffer. If

1317

larger than the size of the buffer, is reduced to the size of the

1318

buffer.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1319

:param flags: (optional) The only supported flag is ``MSG_PEEK``,

1320

all other flags are ignored.

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1321

:return: The number of bytes read into the buffer.

"""

if nbytes is None:

nbytes = len(buffer)

else:

nbytes = min(nbytes, len(buffer))

1327

1328

# We need to create a temporary buffer. This is annoying, it would be

1329

# better if we could pass memoryviews straight into the SSL_read call,

1330

# but right now we can't. Revisit this if CFFI gets that ability.

1331

buf = _ffi.new("char[]", nbytes)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

1332

if flags is not None and flags & socket.MSG_PEEK:

1333

result = _lib.SSL_peek(self._ssl, buf, nbytes)

1334

else:

1335

result = _lib.SSL_read(self._ssl, buf, nbytes)

Cory Benfield

62d1033

2014-06-15 10:03:41 +0100

[diff] [blame]

1336

self._raise_ssl_error(self._ssl, result)

1337

1338

# This strange line is all to avoid a memory copy. The buffer protocol

1339

# should allow us to assign a CFFI buffer to the LHS of this line, but

1340

# on CPython 3.3+ that segfaults. As a workaround, we can temporarily

1341

# wrap it in a memoryview, except on Python 2.6 which doesn't have a

1342

# memoryview type.

1343

try:

1344

buffer[:result] = memoryview(_ffi.buffer(buf, result))

1345

except NameError:

1346

buffer[:result] = _ffi.buffer(buf, result)

return result

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1350

def _handle_bio_errors(self, bio, result):

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1351

if _lib.BIO_should_retry(bio):

1352

if _lib.BIO_should_read(bio):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1353

raise WantReadError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1354

elif _lib.BIO_should_write(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1355

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1356

raise WantWriteError()

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1357

elif _lib.BIO_should_io_special(bio):

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1358

# TODO: This is untested. I think io_special means the socket

1359

# BIO has a not-yet connected socket.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1360

raise ValueError("BIO_should_io_special")

1361

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1362

# TODO: This is untested.

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

1363

raise ValueError("unknown bio failure")

1364

else:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1365

# TODO: This is untested.

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1366

_raise_current_error()

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1367

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1368

def bio_read(self, bufsiz):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1369

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1370

When using non-socket connections this function reads the "dirty" data

1371

that would have traveled away on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1372

1373

:param bufsiz: The maximum number of bytes to read

1374

:return: The string read.

1375

"""

Jean-Paul Calderone

97e041d

2013-03-05 21:03:12 -0800

[diff] [blame]

1376

if self._from_ssl is None:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1377

raise TypeError("Connection sock was not None")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1378

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1379

if not isinstance(bufsiz, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1380

raise TypeError("bufsiz must be an integer")

1381

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1382

buf = _ffi.new("char[]", bufsiz)

1383

result = _lib.BIO_read(self._from_ssl, buf, bufsiz)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1384

if result <= 0:

1385

self._handle_bio_errors(self._from_ssl, result)

1386

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1387

return _ffi.buffer(buf, result)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1388

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1389

def bio_write(self, buf):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1390

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1391

When using non-socket connections this function sends "dirty" data that

1392

would have traveled in on the network.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1393

1394

:param buf: The string to put into the memory BIO.

1395

:return: The number of bytes written

1396

"""

Jean-Paul Calderone

39a8d59

2015-04-13 20:49:50 -0400

[diff] [blame]

1397

buf = _text_to_bytes_and_warn("buf", buf)

Abraham Martin

2015-02-04 10:18:10 +0000

[diff] [blame]

1398

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1399

if self._into_ssl is None:

1400

raise TypeError("Connection sock was not None")

1401

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1402

result = _lib.BIO_write(self._into_ssl, buf, len(buf))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1403

if result <= 0:

1404

self._handle_bio_errors(self._into_ssl, result)

1405

return result

1406

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1407

def renegotiate(self):

1408

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1409

Renegotiate the session.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1410

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1411

:return: True if the renegotiation can be started, False otherwise

1412

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1413

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1414

if not self.renegotiate_pending():

1415

_openssl_assert(_lib.SSL_renegotiate(self._ssl) == 1)

1416

return True

1417

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1418

1419

def do_handshake(self):

1420

"""

1421

Perform an SSL handshake (usually called after renegotiate() or one of

1422

set_*_state()). This can raise the same exceptions as send and recv.

1423

1424

:return: None.

1425

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1426

result = _lib.SSL_do_handshake(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1427

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1428

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1429

def renegotiate_pending(self):

1430

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1431

Check if there's a renegotiation in progress, it will return False once

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1432

a renegotiation is finished.

1433

1434

:return: Whether there's a renegotiation in progress

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1435

:rtype: bool

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1436

"""

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1437

return _lib.SSL_renegotiate_pending(self._ssl) == 1

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1438

1439

def total_renegotiations(self):

1440

"""

1441

Find out the total number of renegotiations.

1442

1443

:return: The number of renegotiations.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1444

:rtype: int

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1445

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1446

return _lib.SSL_total_renegotiations(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1447

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1448

def connect(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1449

"""

1450

Connect to remote host and set up client-side SSL

1451

1452

:param addr: A remote address

1453

:return: What the socket's connect method returns

1454

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1455

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1456

return self._socket.connect(addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1457

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1458

def connect_ex(self, addr):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1459

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1460

Connect to remote host and set up client-side SSL. Note that if the

1461

socket's connect_ex method doesn't return 0, SSL won't be initialized.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1462

1463

:param addr: A remove address

1464

:return: What the socket's connect_ex method returns

1465

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1466

connect_ex = self._socket.connect_ex

1467

self.set_connect_state()

1468

return connect_ex(addr)

1469

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1470

def accept(self):

1471

"""

1472

Accept incoming connection and set up SSL on it

1473

1474

:return: A (conn,addr) pair where conn is a Connection and addr is an

1475

address

1476

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1477

client, addr = self._socket.accept()

1478

conn = Connection(self._context, client)

1479

conn.set_accept_state()

1480

return (conn, addr)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1481

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1482

def bio_shutdown(self):

1483

"""

1484

When using non-socket connections this function signals end of

1485

data on the input for this connection.

1486

1487

:return: None

1488

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1489

if self._from_ssl is None:

1490

raise TypeError("Connection sock was not None")

1491

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1492

_lib.BIO_set_mem_eof_return(self._into_ssl, 0)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1493

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

def shutdown(self):

"""

Send closure alert

:return: True if the shutdown completed successfully (i.e. both sides

1499

have sent closure alerts), false otherwise (i.e. you have to

1500

wait for a ZeroReturnError on a recv() method call

1501

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1502

result = _lib.SSL_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1503

if result < 0:

Paul Aurich

bff1d1a

2015-01-08 08:36:53 -0800

[diff] [blame]

1504

self._raise_ssl_error(self._ssl, result)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1505

elif result > 0:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1506

return True

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

else:

return False

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1510

def get_cipher_list(self):

1511

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1512

Retrieve the list of ciphers used by the Connection object.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1513

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

1514

:return: A list of native cipher strings.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1515

"""

1516

ciphers = []

1517

for i in count():

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1518

result = _lib.SSL_get_cipher_list(self._ssl, i)

1519

if result == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1520

break

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1521

ciphers.append(_native(_ffi.string(result)))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1522

return ciphers

1523

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1524

def get_client_ca_list(self):

1525

"""

1526

Get CAs whose certificates are suggested for client authentication.

1527

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1528

:return: If this is a server connection, a list of X509Names

1529

representing the acceptable CAs as set by

1530

:py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or

1531

:py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client

1532

connection, the list of such X509Names sent by the server, or an

1533

empty list if that has not yet happened.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1534

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1535

ca_names = _lib.SSL_get_client_CA_list(self._ssl)

1536

if ca_names == _ffi.NULL:

Jean-Paul Calderone

2013-12-29 17:06:11 -0500

[diff] [blame]

1537

# TODO: This is untested.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1538

return []

1539

1540

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1541

for i in range(_lib.sk_X509_NAME_num(ca_names)):

1542

name = _lib.sk_X509_NAME_value(ca_names, i)

1543

copy = _lib.X509_NAME_dup(name)

Alex Gaynor

2016-06-04 18:16:01 -0700

[diff] [blame]

1544

_openssl_assert(copy != _ffi.NULL)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1545

1546

pyname = X509Name.__new__(X509Name)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1547

pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1548

result.append(pyname)

1549

return result

1550

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1551

def makefile(self):

1552

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1553

The makefile() method is not implemented, since there is no dup

1554

semantics for SSL connections

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1555

Jean-Paul Calderone

6749ec2

2014-04-17 16:30:21 -0400

[diff] [blame]

1556

:raise: NotImplementedError

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1557

"""

Alex Gaynor

8328495

2015-09-05 10:43:30 -0400

[diff] [blame]

1558

raise NotImplementedError(

1559

"Cannot make file object of OpenSSL.SSL.Connection")

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1560

1561

def get_app_data(self):

"""

Get application data

:return: The application data

1566

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1567

return self._app_data

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1568

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1569

def set_app_data(self, data):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set application data

:param data - The application data

1574

:return: None

1575

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1576

self._app_data = data

1577

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1578

def get_shutdown(self):

"""

Get shutdown state

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1582

:return: The shutdown state, a bitvector of SENT_SHUTDOWN,

1583

RECEIVED_SHUTDOWN.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1584

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1585

return _lib.SSL_get_shutdown(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1586

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1587

def set_shutdown(self, state):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

Set shutdown state

:param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.

1592

:return: None

1593

"""

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

1594

if not isinstance(state, integer_types):

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1595

raise TypeError("state must be an integer")

1596

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1597

_lib.SSL_set_shutdown(self._ssl, state)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1598

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1599

def get_state_string(self):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1600

"""

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1601

Retrieve a verbose string detailing the state of the Connection.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1602

1603

:return: A string representing the state

Hynek Schlawack

ea94f2b

2016-03-13 16:17:53 +0100

[diff] [blame]

1604

:rtype: bytes

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1605

"""

kjav

c704a2e

2015-09-07 12:12:27 +0100

[diff] [blame]

1606

return _ffi.string(_lib.SSL_state_string_long(self._ssl))

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1607

1608

def server_random(self):

1609

"""

1610

Get a copy of the server hello nonce.

1611

1612

:return: A string representing the state

1613

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1614

session = _lib.SSL_get_session(self._ssl)

1615

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1616

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1617

length = _lib.SSL_get_server_random(self._ssl, _ffi.NULL, 0)

1618

assert length > 0

Paul Kehrer

9f9113a

2016-09-20 20:10:25 -0500

[diff] [blame]

1619

outp = _ffi.new("unsigned char[]", length)

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1620

_lib.SSL_get_server_random(self._ssl, outp, length)

1621

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1622

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1623

def client_random(self):

1624

"""

1625

Get a copy of the client hello nonce.

1626

1627

:return: A string representing the state

1628

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1629

session = _lib.SSL_get_session(self._ssl)

1630

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1631

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1632

1633

length = _lib.SSL_get_client_random(self._ssl, _ffi.NULL, 0)

1634

assert length > 0

Paul Kehrer

9f9113a

2016-09-20 20:10:25 -0500

[diff] [blame]

1635

outp = _ffi.new("unsigned char[]", length)

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1636

_lib.SSL_get_client_random(self._ssl, outp, length)

1637

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1638

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1639

def master_key(self):

1640

"""

1641

Get a copy of the master key.

1642

1643

:return: A string representing the state

1644

"""

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1645

session = _lib.SSL_get_session(self._ssl)

1646

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1647

return None

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1648

1649

length = _lib.SSL_SESSION_get_master_key(session, _ffi.NULL, 0)

1650

assert length > 0

Paul Kehrer

9f9113a

2016-09-20 20:10:25 -0500

[diff] [blame]

1651

outp = _ffi.new("unsigned char[]", length)

Alex Gaynor

2016-06-01 20:13:09 -0700

[diff] [blame]

1652

_lib.SSL_SESSION_get_master_key(session, outp, length)

1653

return _ffi.buffer(outp, length)[:]

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1654

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1655

def sock_shutdown(self, *args, **kwargs):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

"""

See shutdown(2)

:return: What the socket's shutdown() method returns

1660

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1661

return self._socket.shutdown(*args, **kwargs)

1662

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1663

def get_peer_certificate(self):

1664

"""

1665

Retrieve the other side's certificate (if any)

1666

1667

:return: The peer's certificate

1668

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1669

cert = _lib.SSL_get_peer_certificate(self._ssl)

1670

if cert != _ffi.NULL:

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1671

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1672

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

return pycert

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1676

def get_peer_cert_chain(self):

1677

"""

1678

Retrieve the other side's certificate (if any)

1679

1680

:return: A list of X509 instances giving the peer's certificate chain,

1681

or None if it does not have one.

1682

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1683

cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)

1684

if cert_stack == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1685

return None

1686

1687

result = []

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1688

for i in range(_lib.sk_X509_num(cert_stack)):

Jean-Paul Calderone

73b15c2

2013-03-05 18:30:39 -0800

[diff] [blame]

1689

# TODO could incref instead of dup here

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1690

cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1691

pycert = X509.__new__(X509)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1692

pycert._x509 = _ffi.gc(cert, _lib.X509_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1693

result.append(pycert)

1694

return result

1695

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1696

def want_read(self):

1697

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1698

Checks if more data has to be read from the transport layer to complete

1699

an operation.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1700

1701

:return: True iff more data has to be read

1702

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1703

return _lib.SSL_want_read(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1704

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1705

def want_write(self):

1706

"""

1707

Checks if there is data to write to the transport layer to complete an

1708

operation.

1709

1710

:return: True iff there is data to write

1711

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1712

return _lib.SSL_want_write(self._ssl)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1713

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1714

def set_accept_state(self):

1715

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1716

Set the connection to work in server mode. The handshake will be

1717

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1718

1719

:return: None

1720

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1721

_lib.SSL_set_accept_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1722

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1723

def set_connect_state(self):

1724

"""

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1725

Set the connection to work in client mode. The handshake will be

1726

handled automatically by read/write.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1727

1728

:return: None

1729

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1730

_lib.SSL_set_connect_state(self._ssl)

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1731

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1732

def get_session(self):

1733

"""

1734

Returns the Session currently used.

1735

Alex Gaynor

2015-09-05 14:37:34 -0400

[diff] [blame]

1736

@return: An instance of :py:class:`OpenSSL.SSL.Session` or

1737

:py:obj:`None` if no session exists.

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1738

"""

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1739

session = _lib.SSL_get1_session(self._ssl)

1740

if session == _ffi.NULL:

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1741

return None

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1742

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1743

pysession = Session.__new__(Session)

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1744

pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1745

return pysession

1746

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1747

def set_session(self, session):

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1748

"""

1749

Set the session to be used when the TLS/SSL connection is established.

1750

1751

:param session: A Session instance representing the session to use.

1752

:returns: None

1753

"""

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1754

if not isinstance(session, Session):

1755

raise TypeError("session must be a Session instance")

1756

Jean-Paul Calderone

2013-12-28 18:04:00 -0500

[diff] [blame]

1757

result = _lib.SSL_set_session(self._ssl, session._session)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1758

if not result:

Jean-Paul Calderone

2013-12-29 10:25:59 -0500

[diff] [blame]

1759

_raise_current_error()

Jean-Paul Calderone

2013-03-05 11:56:19 -0800

[diff] [blame]

1760

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1761

def _get_finished_message(self, function):

1762

"""

1763

Helper to implement :py:meth:`get_finished` and

1764

:py:meth:`get_peer_finished`.

1765

1766

:param function: Either :py:data:`SSL_get_finished`: or

1767

:py:data:`SSL_get_peer_finished`.

1768

1769

:return: :py:data:`None` if the desired message has not yet been

1770

received, otherwise the contents of the message.

1771

:rtype: :py:class:`bytes` or :py:class:`NoneType`

1772

"""

Jean-Paul Calderone

01af904

2014-03-30 11:40:42 -0400

[diff] [blame]

1773

# The OpenSSL documentation says nothing about what might happen if the

1774

# count argument given is zero. Specifically, it doesn't say whether

1775

# the output buffer may be NULL in that case or not. Inspection of the

1776

# implementation reveals that it calls memcpy() unconditionally.

1777

# Section 7.1.4, paragraph 1 of the C standard suggests that

1778

# memcpy(NULL, source, 0) is not guaranteed to produce defined (let

1779

# alone desirable) behavior (though it probably does on just about

1780

# every implementation...)

1781

#

1782

# Allocate a tiny buffer to pass in (instead of just passing NULL as

1783

# one might expect) for the initial call so as to be safe against this

1784

# potentially undefined behavior.

1785

empty = _ffi.new("char[]", 0)

1786

size = function(self._ssl, empty, 0)

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1787

if size == 0:

1788

# No Finished message so far.

1789

return None

1790

1791

buf = _ffi.new("char[]", size)

1792

function(self._ssl, buf, size)

1793

return _ffi.buffer(buf, size)[:]

1794

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1795

def get_finished(self):

1796

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1797

Obtain the latest `handshake finished` message sent to the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1798

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1799

:return: The contents of the message or :py:obj:`None` if the TLS

1800

handshake has not yet completed.

1801

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1802

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1803

return self._get_finished_message(_lib.SSL_get_finished)

1804

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1805

def get_peer_finished(self):

1806

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1807

Obtain the latest `handshake finished` message received from the peer.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1808

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1809

:return: The contents of the message or :py:obj:`None` if the TLS

1810

handshake has not yet completed.

1811

:rtype: :py:class:`bytes` or :py:class:`NoneType`

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1812

"""

Jean-Paul Calderone

2014-03-30 11:26:32 -0400

[diff] [blame]

1813

return self._get_finished_message(_lib.SSL_get_peer_finished)

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

1814

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1815

def get_cipher_name(self):

1816

"""

1817

Obtain the name of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1818

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1819

:returns: The name of the currently used cipher or :py:obj:`None`

1820

if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1821

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1822

"""

1823

cipher = _lib.SSL_get_current_cipher(self._ssl)

1824

if cipher == _ffi.NULL:

1825

return None

1826

else:

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1827

name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))

1828

return name.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1829

1830

def get_cipher_bits(self):

1831

"""

1832

Obtain the number of secret bits of the currently used cipher.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1833

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1834

:returns: The number of secret bits of the currently used cipher

1835

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1836

:rtype: :py:class:`int` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1837

"""

1838

cipher = _lib.SSL_get_current_cipher(self._ssl)

1839

if cipher == _ffi.NULL:

1840

return None

1841

else:

1842

return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)

1843

1844

def get_cipher_version(self):

1845

"""

Jean-Paul Calderone

2014-03-29 18:13:36 -0400

[diff] [blame]

1846

Obtain the protocol version of the currently used cipher.

1847

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1848

:returns: The protocol name of the currently used cipher

1849

or :py:obj:`None` if no connection has been established.

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1850

:rtype: :py:class:`unicode` or :py:class:`NoneType`

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1851

"""

1852

cipher = _lib.SSL_get_current_cipher(self._ssl)

1853

if cipher == _ffi.NULL:

1854

return None

1855

else:

Alex Gaynor

c488981

2015-09-04 08:43:17 -0400

[diff] [blame]

1856

version = _ffi.string(_lib.SSL_CIPHER_get_version(cipher))

Jean-Paul Calderone

2014-03-30 10:34:17 -0400

[diff] [blame]

1857

return version.decode("utf-8")

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1858

Jim Shaver

abff188

2015-05-27 09:15:55 -0400

[diff] [blame]

1859

def get_protocol_version_name(self):

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1860

"""

1861

Obtain the protocol version of the current connection.

1862

1863

:returns: The TLS version of the current connection, for example

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1864

the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown``

Jim Shaver

b5b6b0e

2015-05-28 16:47:36 -0400

[diff] [blame]

1865

for connections that were not successfully established.

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1866

:rtype: :py:class:`unicode`

Jim Shaver

ba65e66

2015-04-26 12:23:40 -0400

[diff] [blame]

1867

"""

Jim Shaver

d1c896e

2015-05-27 17:50:21 -0400

[diff] [blame]

1868

version = _ffi.string(_lib.SSL_get_version(self._ssl))

Jim Shaver

58d2573

2015-05-28 11:52:32 -0400

[diff] [blame]

1869

return version.decode("utf-8")

Jim Shaver

b296792

2015-04-26 23:58:52 -0400

[diff] [blame]

1870

Jim Shaver

208438c

2015-05-28 09:52:38 -0400

[diff] [blame]

1871

def get_protocol_version(self):

1872

"""

1873

Obtain the protocol version of the current connection.

1874

1875

:returns: The TLS version of the current connection, for example

1876

the value for TLS 1 would be 0x769.

1877

:rtype: :py:class:`int`

1878

"""

1879

version = _lib.SSL_version(self._ssl)

1880

return version

1881

Cory Benfield

2015-04-13 17:12:42 -0400

[diff] [blame]

1882

@_requires_npn

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1883

def get_next_proto_negotiated(self):

1884

"""

1885

Get the protocol that was negotiated by NPN.

1886

"""

1887

data = _ffi.new("unsigned char **")

1888

data_len = _ffi.new("unsigned int *")

1889

1890

_lib.SSL_get0_next_proto_negotiated(self._ssl, data, data_len)

1891

Cory Benfield

cd010f6

2014-05-15 19:00:27 +0100

[diff] [blame]

1892

return _ffi.buffer(data[0], data_len[0])[:]

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

1893

Cory Benfield

2015-04-13 17:18:25 -0400

[diff] [blame]

1894

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1895

def set_alpn_protos(self, protos):

1896

"""

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

1897

Specify the client's ALPN protocol list.

1898

1899

These protocols are offered to the server during protocol negotiation.

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1900

1901

:param protos: A list of the protocols to be offered to the server.

1902

This list should be a Python list of bytestrings representing the

1903

protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.

1904

"""

1905

# Take the list of protocols and join them together, prefixing them

1906

# with their lengths.

1907

protostr = b''.join(

1908

chain.from_iterable((int2byte(len(p)), p) for p in protos)

1909

)

1910

1911

# Build a C string from the list. We don't need to save this off

1912

# because OpenSSL immediately copies the data out.

1913

input_str = _ffi.new("unsigned char[]", protostr)

Cory Benfield

9c1979a

2015-04-12 08:51:52 -0400

[diff] [blame]

1914

input_str_len = _ffi.cast("unsigned", len(protostr))

1915

_lib.SSL_set_alpn_protos(self._ssl, input_str, input_str_len)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1916

Maximilian Hils

66ded6a

2015-08-26 06:02:03 +0200

[diff] [blame]

1917

@_requires_alpn

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1918

def get_alpn_proto_negotiated(self):

Cory Benfield

222f30e

2015-04-13 18:10:21 -0400

[diff] [blame]

1919

"""

1920

Get the protocol that was negotiated by ALPN.

1921

"""

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1922

data = _ffi.new("unsigned char **")

1923

data_len = _ffi.new("unsigned int *")

1924

1925

_lib.SSL_get0_alpn_selected(self._ssl, data, data_len)

1926

Cory Benfield

2015-04-11 17:33:48 -0400

[diff] [blame]

if not data_len:

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1930

return _ffi.buffer(data[0], data_len[0])[:]

1931

1932

Jean-Paul Calderone