Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 496f40dca9a47c0f1dfe0cd841256485708c8442 / . / OpenSSL / SSL.py
blob: 2731d64a8801a6e74172e8b4a0a964c6e31e3143 [file] [log] [blame]
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +0200[diff] [blame]1from sys import platform
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]2from functools import wraps, partial
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]3from itertools import count
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]4from weakref import WeakValueDictionary
5from errno import errorcode
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]6
Jean-Paul Calderone63eab692014-01-18 10:19:56 -0500[diff] [blame]7from six import text_type as _text_type
Konstantinos Koukopoulosc8b13ea2014-01-28 00:21:50 -0800[diff] [blame]8from six import integer_types as integer_types
Jean-Paul Calderone63eab692014-01-18 10:19:56 -0500[diff] [blame]9
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]10from OpenSSL._util import (
11 ffi as _ffi,
12 lib as _lib,
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]13 exception_from_error_queue as _exception_from_error_queue,
14 native as _native)
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]15
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]16from OpenSSL.crypto import (
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]17 FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]18
19_unspecified = object()
20
Jean-Paul Calderone8fb53182013-12-30 08:35:49 -0500[diff] [blame]21try:
22 _memoryview = memoryview
23except NameError:
24 class _memoryview(object):
25 pass
26
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]27try:
28 _buffer = buffer
29except NameError:
30 class _buffer(object):
31 pass
32
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]33OPENSSL_VERSION_NUMBER = _lib.OPENSSL_VERSION_NUMBER
34SSLEAY_VERSION = _lib.SSLEAY_VERSION
35SSLEAY_CFLAGS = _lib.SSLEAY_CFLAGS
36SSLEAY_PLATFORM = _lib.SSLEAY_PLATFORM
37SSLEAY_DIR = _lib.SSLEAY_DIR
38SSLEAY_BUILT_ON = _lib.SSLEAY_BUILT_ON
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]39
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]40SENT_SHUTDOWN = _lib.SSL_SENT_SHUTDOWN
41RECEIVED_SHUTDOWN = _lib.SSL_RECEIVED_SHUTDOWN
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]42
43SSLv2_METHOD = 1
44SSLv3_METHOD = 2
45SSLv23_METHOD = 3
46TLSv1_METHOD = 4
Jean-Paul Calderone56bff942013-11-03 11:30:43 -0500[diff] [blame]47TLSv1_1_METHOD = 5
48TLSv1_2_METHOD = 6
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]49
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]50OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
51OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
52OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1
Jean-Paul Calderonebe2bb422013-12-29 07:34:08 -0500[diff] [blame]53
54OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)
55OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]56
Jean-Paul Calderone0d7e8a12014-01-08 16:54:13 -0500[diff] [blame]57try:
58 MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS
59except AttributeError:
60 pass
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]61
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]62OP_SINGLE_DH_USE = _lib.SSL_OP_SINGLE_DH_USE
63OP_EPHEMERAL_RSA = _lib.SSL_OP_EPHEMERAL_RSA
64OP_MICROSOFT_SESS_ID_BUG = _lib.SSL_OP_MICROSOFT_SESS_ID_BUG
65OP_NETSCAPE_CHALLENGE_BUG = _lib.SSL_OP_NETSCAPE_CHALLENGE_BUG
66OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = _lib.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
67OP_SSLREF2_REUSE_CERT_TYPE_BUG = _lib.SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
68OP_MICROSOFT_BIG_SSLV3_BUFFER = _lib.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
Jean-Paul Calderone0d7e8a12014-01-08 16:54:13 -0500[diff] [blame]69try:
70 OP_MSIE_SSLV2_RSA_PADDING = _lib.SSL_OP_MSIE_SSLV2_RSA_PADDING
71except AttributeError:
72 pass
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]73OP_SSLEAY_080_CLIENT_DH_BUG = _lib.SSL_OP_SSLEAY_080_CLIENT_DH_BUG
74OP_TLS_D5_BUG = _lib.SSL_OP_TLS_D5_BUG
75OP_TLS_BLOCK_PADDING_BUG = _lib.SSL_OP_TLS_BLOCK_PADDING_BUG
76OP_DONT_INSERT_EMPTY_FRAGMENTS = _lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
77OP_CIPHER_SERVER_PREFERENCE = _lib.SSL_OP_CIPHER_SERVER_PREFERENCE
78OP_TLS_ROLLBACK_BUG = _lib.SSL_OP_TLS_ROLLBACK_BUG
79OP_PKCS1_CHECK_1 = _lib.SSL_OP_PKCS1_CHECK_1
80OP_PKCS1_CHECK_2 = _lib.SSL_OP_PKCS1_CHECK_2
81OP_NETSCAPE_CA_DN_BUG = _lib.SSL_OP_NETSCAPE_CA_DN_BUG
82OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG= _lib.SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
Jean-Paul Calderonec1780342014-01-08 16:59:03 -0500[diff] [blame]83try:
84 OP_NO_COMPRESSION = _lib.SSL_OP_NO_COMPRESSION
85except AttributeError:
86 pass
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]87
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]88OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU
89OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE
Arturo Filastò5f8c7a82014-03-09 20:01:25 +0100[diff] [blame]90try:
91 OP_NO_TICKET = _lib.SSL_OP_NO_TICKET
92except AttributeError:
93 pass
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]94
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]95OP_ALL = _lib.SSL_OP_ALL
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]96
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]97VERIFY_PEER = _lib.SSL_VERIFY_PEER
98VERIFY_FAIL_IF_NO_PEER_CERT = _lib.SSL_VERIFY_FAIL_IF_NO_PEER_CERT
99VERIFY_CLIENT_ONCE = _lib.SSL_VERIFY_CLIENT_ONCE
100VERIFY_NONE = _lib.SSL_VERIFY_NONE
Jean-Paul Calderone935d2da2013-03-04 08:11:19 -0800[diff] [blame]101
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]102SESS_CACHE_OFF = _lib.SSL_SESS_CACHE_OFF
103SESS_CACHE_CLIENT = _lib.SSL_SESS_CACHE_CLIENT
104SESS_CACHE_SERVER = _lib.SSL_SESS_CACHE_SERVER
105SESS_CACHE_BOTH = _lib.SSL_SESS_CACHE_BOTH
106SESS_CACHE_NO_AUTO_CLEAR = _lib.SSL_SESS_CACHE_NO_AUTO_CLEAR
107SESS_CACHE_NO_INTERNAL_LOOKUP = _lib.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
108SESS_CACHE_NO_INTERNAL_STORE = _lib.SSL_SESS_CACHE_NO_INTERNAL_STORE
109SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL
Jean-Paul Calderoned39a3f62013-03-04 12:23:51 -0800[diff] [blame]110
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]111SSL_ST_CONNECT = _lib.SSL_ST_CONNECT
112SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT
113SSL_ST_MASK = _lib.SSL_ST_MASK
114SSL_ST_INIT = _lib.SSL_ST_INIT
115SSL_ST_BEFORE = _lib.SSL_ST_BEFORE
116SSL_ST_OK = _lib.SSL_ST_OK
117SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]118
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]119SSL_CB_LOOP = _lib.SSL_CB_LOOP
120SSL_CB_EXIT = _lib.SSL_CB_EXIT
121SSL_CB_READ = _lib.SSL_CB_READ
122SSL_CB_WRITE = _lib.SSL_CB_WRITE
123SSL_CB_ALERT = _lib.SSL_CB_ALERT
124SSL_CB_READ_ALERT = _lib.SSL_CB_READ_ALERT
125SSL_CB_WRITE_ALERT = _lib.SSL_CB_WRITE_ALERT
126SSL_CB_ACCEPT_LOOP = _lib.SSL_CB_ACCEPT_LOOP
127SSL_CB_ACCEPT_EXIT = _lib.SSL_CB_ACCEPT_EXIT
128SSL_CB_CONNECT_LOOP = _lib.SSL_CB_CONNECT_LOOP
129SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT
130SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START
131SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]132
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]133class Error(Exception):
Jean-Paul Calderone511cde02013-12-29 10:31:13 -0500[diff] [blame]134 """
135 An error occurred in an `OpenSSL.SSL` API.
136 """
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]137
138
139
140_raise_current_error = partial(_exception_from_error_queue, Error)
141
142
143class WantReadError(Error):
144 pass
145
146
147
148class WantWriteError(Error):
149 pass
150
151
152
153class WantX509LookupError(Error):
154 pass
155
156
157
158class ZeroReturnError(Error):
159 pass
160
161
162
163class SysCallError(Error):
164 pass
165
166
167
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]168class _VerifyHelper(object):
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400[diff] [blame]169 def __init__(self, callback):
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]170 self._problems = []
171
172 @wraps(callback)
173 def wrapper(ok, store_ctx):
174 cert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]175 cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
176 error_number = _lib.X509_STORE_CTX_get_error(store_ctx)
177 error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]178
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400[diff] [blame]179 index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()
180 ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)
181 connection = Connection._reverse_mapping[ssl]
182
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]183 try:
184 result = callback(connection, cert, error_number, error_depth, ok)
185 except Exception as e:
186 self._problems.append(e)
187 return 0
188 else:
189 if result:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]190 _lib.X509_STORE_CTX_set_error(store_ctx, _lib.X509_V_OK)
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]191 return 1
192 else:
193 return 0
194
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]195 self.callback = _ffi.callback(
196 "int (*)(int, X509_STORE_CTX *)", wrapper)
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]197
198
199 def raise_if_problem(self):
200 if self._problems:
201 try:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]202 _raise_current_error()
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]203 except Error:
204 pass
205 raise self._problems.pop(0)
206
207
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]208
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]209def _asFileDescriptor(obj):
210 fd = None
Konstantinos Koukopoulosc8b13ea2014-01-28 00:21:50 -0800[diff] [blame]211 if not isinstance(obj, integer_types):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]212 meth = getattr(obj, "fileno", None)
213 if meth is not None:
214 obj = meth()
215
Konstantinos Koukopoulosc8b13ea2014-01-28 00:21:50 -0800[diff] [blame]216 if isinstance(obj, integer_types):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]217 fd = obj
218
Konstantinos Koukopoulosc8b13ea2014-01-28 00:21:50 -0800[diff] [blame]219 if not isinstance(fd, integer_types):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]220 raise TypeError("argument must be an int, or have a fileno() method.")
221 elif fd < 0:
222 raise ValueError(
223 "file descriptor cannot be a negative integer (%i)" % (fd,))
224
225 return fd
226
227
228
Jean-Paul Calderoned39a3f62013-03-04 12:23:51 -0800[diff] [blame]229def SSLeay_version(type):
230 """
231 Return a string describing the version of OpenSSL in use.
232
233 :param type: One of the SSLEAY_ constants defined in this module.
234 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]235 return _ffi.string(_lib.SSLeay_version(type))
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]236
237
238
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]239class Session(object):
240 pass
241
242
243
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]244class Context(object):
245 """
246 :py:obj:`OpenSSL.SSL.Context` instances define the parameters for setting up
247 new SSL connections.
248 """
249 _methods = {
Andrew Dunhamec84a0a2014-02-24 12:41:37 -0800[diff] [blame]250 SSLv2_METHOD: "SSLv2_method",
Jean-Paul Calderonebe2bb422013-12-29 07:34:08 -0500[diff] [blame]251 SSLv3_METHOD: "SSLv3_method",
252 SSLv23_METHOD: "SSLv23_method",
253 TLSv1_METHOD: "TLSv1_method",
254 TLSv1_1_METHOD: "TLSv1_1_method",
255 TLSv1_2_METHOD: "TLSv1_2_method",
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]256 }
Jean-Paul Calderonebe2bb422013-12-29 07:34:08 -0500[diff] [blame]257 _methods = dict(
258 (identifier, getattr(_lib, name))
259 for (identifier, name) in _methods.items()
260 if getattr(_lib, name, None) is not None)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]261
Jean-Paul Calderone63157872013-03-20 16:43:38 -0700[diff] [blame]262
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]263 def __init__(self, method):
264 """
265 :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or
266 TLSv1_METHOD.
267 """
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500[diff] [blame]268 if not isinstance(method, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]269 raise TypeError("method must be an integer")
270
271 try:
272 method_func = self._methods[method]
273 except KeyError:
274 raise ValueError("No such protocol")
275
276 method_obj = method_func()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]277 if method_obj == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]278 # TODO: This is untested.
279 _raise_current_error()
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]280
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]281 context = _lib.SSL_CTX_new(method_obj)
282 if context == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]283 # TODO: This is untested.
284 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]285 context = _ffi.gc(context, _lib.SSL_CTX_free)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]286
287 self._context = context
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]288 self._passphrase_helper = None
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]289 self._passphrase_callback = None
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]290 self._passphrase_userdata = None
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]291 self._verify_helper = None
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]292 self._verify_callback = None
293 self._info_callback = None
294 self._tlsext_servername_callback = None
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]295 self._app_data = None
296
Jean-Paul Calderone1aba4162013-03-05 18:50:00 -0800[diff] [blame]297 # SSL_CTX_set_app_data(self->ctx, self);
298 # SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
299 # SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
300 # SSL_MODE_AUTO_RETRY);
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]301 self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]302
303
304 def load_verify_locations(self, cafile, capath=None):
305 """
306 Let SSL know where we can find trusted certificates for the certificate
307 chain
308
309 :param cafile: In which file we can find the certificates
310 :param capath: In which directory we can find the certificates
311 :return: None
312 """
313 if cafile is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]314 cafile = _ffi.NULL
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]315 elif not isinstance(cafile, bytes):
316 raise TypeError("cafile must be None or a byte string")
317
318 if capath is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]319 capath = _ffi.NULL
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]320 elif not isinstance(capath, bytes):
321 raise TypeError("capath must be None or a byte string")
322
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]323 load_result = _lib.SSL_CTX_load_verify_locations(self._context, cafile, capath)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]324 if not load_result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]325 _raise_current_error()
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]326
327
328 def _wrap_callback(self, callback):
329 @wraps(callback)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]330 def wrapper(size, verify, userdata):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]331 return callback(size, verify, self._passphrase_userdata)
332 return _PassphraseHelper(
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]333 FILETYPE_PEM, wrapper, more_args=True, truncate=True)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]334
335
336 def set_passwd_cb(self, callback, userdata=None):
337 """
338 Set the passphrase callback
339
340 :param callback: The Python callback to use
341 :param userdata: (optional) A Python object which will be given as
342 argument to the callback
343 :return: None
344 """
345 if not callable(callback):
346 raise TypeError("callback must be callable")
347
348 self._passphrase_helper = self._wrap_callback(callback)
349 self._passphrase_callback = self._passphrase_helper.callback
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]350 _lib.SSL_CTX_set_default_passwd_cb(
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]351 self._context, self._passphrase_callback)
352 self._passphrase_userdata = userdata
353
354
355 def set_default_verify_paths(self):
356 """
357 Use the platform-specific CA certificate locations
358
359 :return: None
360 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]361 set_result = _lib.SSL_CTX_set_default_verify_paths(self._context)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]362 if not set_result:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]363 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]364 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]365
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]366
367 def use_certificate_chain_file(self, certfile):
368 """
369 Load a certificate chain from a file
370
371 :param certfile: The name of the certificate chain file
372 :return: None
373 """
Jean-Paul Calderoned8607982014-01-18 10:30:55 -0500[diff] [blame]374 if isinstance(certfile, _text_type):
375 # Perhaps sys.getfilesystemencoding() could be better?
376 certfile = certfile.encode("utf-8")
377
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]378 if not isinstance(certfile, bytes):
Jean-Paul Calderoned8607982014-01-18 10:30:55 -0500[diff] [blame]379 raise TypeError("certfile must be bytes or unicode")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]380
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]381 result = _lib.SSL_CTX_use_certificate_chain_file(self._context, certfile)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]382 if not result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]383 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]384
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]385
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]386 def use_certificate_file(self, certfile, filetype=FILETYPE_PEM):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]387 """
388 Load a certificate from a file
389
390 :param certfile: The name of the certificate file
391 :param filetype: (optional) The encoding of the file, default is PEM
392 :return: None
393 """
Jean-Paul Calderone684baf52014-01-18 10:31:19 -0500[diff] [blame]394 if isinstance(certfile, _text_type):
395 # Perhaps sys.getfilesystemencoding() could be better?
396 certfile = certfile.encode("utf-8")
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]397 if not isinstance(certfile, bytes):
Jean-Paul Calderone684baf52014-01-18 10:31:19 -0500[diff] [blame]398 raise TypeError("certfile must be bytes or unicode")
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500[diff] [blame]399 if not isinstance(filetype, integer_types):
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]400 raise TypeError("filetype must be an integer")
401
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]402 use_result = _lib.SSL_CTX_use_certificate_file(self._context, certfile, filetype)
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]403 if not use_result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]404 _raise_current_error()
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]405
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]406
407 def use_certificate(self, cert):
408 """
409 Load a certificate from a X509 object
410
411 :param cert: The X509 object
412 :return: None
413 """
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]414 if not isinstance(cert, X509):
415 raise TypeError("cert must be an X509 instance")
416
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]417 use_result = _lib.SSL_CTX_use_certificate(self._context, cert._x509)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]418 if not use_result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]419 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]420
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]421
422 def add_extra_chain_cert(self, certobj):
423 """
424 Add certificate to chain
425
426 :param certobj: The X509 certificate object to add to the chain
427 :return: None
428 """
429 if not isinstance(certobj, X509):
430 raise TypeError("certobj must be an X509 instance")
431
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]432 copy = _lib.X509_dup(certobj._x509)
433 add_result = _lib.SSL_CTX_add_extra_chain_cert(self._context, copy)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]434 if not add_result:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]435 # TODO: This is untested.
436 _lib.X509_free(copy)
437 _raise_current_error()
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]438
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]439
440 def _raise_passphrase_exception(self):
441 if self._passphrase_helper is None:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]442 _raise_current_error()
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]443 exception = self._passphrase_helper.raise_if_problem(Error)
444 if exception is not None:
445 raise exception
446
447
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]448 def use_privatekey_file(self, keyfile, filetype=_unspecified):
449 """
450 Load a private key from a file
451
452 :param keyfile: The name of the key file
453 :param filetype: (optional) The encoding of the file, default is PEM
454 :return: None
455 """
Jean-Paul Calderone87e525a2014-01-18 10:31:51 -0500[diff] [blame]456 if isinstance(keyfile, _text_type):
457 # Perhaps sys.getfilesystemencoding() could be better?
458 keyfile = keyfile.encode("utf-8")
459
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]460 if not isinstance(keyfile, bytes):
461 raise TypeError("keyfile must be a byte string")
462
463 if filetype is _unspecified:
464 filetype = FILETYPE_PEM
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500[diff] [blame]465 elif not isinstance(filetype, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]466 raise TypeError("filetype must be an integer")
467
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]468 use_result = _lib.SSL_CTX_use_PrivateKey_file(
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]469 self._context, keyfile, filetype)
470 if not use_result:
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]471 self._raise_passphrase_exception()
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]472
473
474 def use_privatekey(self, pkey):
475 """
476 Load a private key from a PKey object
477
478 :param pkey: The PKey object
479 :return: None
480 """
481 if not isinstance(pkey, PKey):
482 raise TypeError("pkey must be a PKey instance")
483
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]484 use_result = _lib.SSL_CTX_use_PrivateKey(self._context, pkey._pkey)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]485 if not use_result:
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800[diff] [blame]486 self._raise_passphrase_exception()
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]487
488
489 def check_privatekey(self):
490 """
491 Check that the private key and certificate match up
492
493 :return: None (raises an exception if something's wrong)
494 """
Jean-Paul Calderonea0344922014-12-11 14:02:31 -0500[diff] [blame]495 if not _lib.SSL_CTX_check_private_key(self._context):
496 _raise_current_error()
497
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]498
499 def load_client_ca(self, cafile):
500 """
501 Load the trusted certificates that will be sent to the client (basically
502 telling the client "These are the guys I trust"). Does not actually
503 imply any of the certificates are trusted; that must be configured
504 separately.
505
506 :param cafile: The name of the certificates file
507 :return: None
508 """
509
510 def set_session_id(self, buf):
511 """
512 Set the session identifier. This is needed if you want to do session
513 resumption.
514
515 :param buf: A Python object that can be safely converted to a string
516 :returns: None
517 """
518
519 def set_session_cache_mode(self, mode):
520 """
521 Enable/disable session caching and specify the mode used.
522
523 :param mode: One or more of the SESS_CACHE_* flags (combine using
524 bitwise or)
525 :returns: The previously set caching mode.
526 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]527 if not isinstance(mode, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]528 raise TypeError("mode must be an integer")
529
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]530 return _lib.SSL_CTX_set_session_cache_mode(self._context, mode)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]531
532
533 def get_session_cache_mode(self):
534 """
535 :returns: The currently used cache mode.
536 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]537 return _lib.SSL_CTX_get_session_cache_mode(self._context)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]538
539
540 def set_verify(self, mode, callback):
541 """
542 Set the verify mode and verify callback
543
544 :param mode: The verify mode, this is either VERIFY_NONE or
545 VERIFY_PEER combined with possible other flags
546 :param callback: The Python callback to use
547 :return: None
548
549 See SSL_CTX_set_verify(3SSL) for further details.
550 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]551 if not isinstance(mode, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]552 raise TypeError("mode must be an integer")
553
554 if not callable(callback):
555 raise TypeError("callback must be callable")
556
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400[diff] [blame]557 self._verify_helper = _VerifyHelper(callback)
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]558 self._verify_callback = self._verify_helper.callback
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]559 _lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]560
561
562 def set_verify_depth(self, depth):
563 """
564 Set the verify depth
565
566 :param depth: An integer specifying the verify depth
567 :return: None
568 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]569 if not isinstance(depth, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]570 raise TypeError("depth must be an integer")
571
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]572 _lib.SSL_CTX_set_verify_depth(self._context, depth)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]573
574
575 def get_verify_mode(self):
576 """
577 Get the verify mode
578
579 :return: The verify mode
580 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]581 return _lib.SSL_CTX_get_verify_mode(self._context)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]582
583
584 def get_verify_depth(self):
585 """
586 Get the verify depth
587
588 :return: The verify depth
589 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]590 return _lib.SSL_CTX_get_verify_depth(self._context)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]591
592
593 def load_tmp_dh(self, dhfile):
594 """
595 Load parameters for Ephemeral Diffie-Hellman
596
597 :param dhfile: The file to load EDH parameters from
598 :return: None
599 """
600 if not isinstance(dhfile, bytes):
601 raise TypeError("dhfile must be a byte string")
602
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]603 bio = _lib.BIO_new_file(dhfile, b"r")
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]604 if bio == _ffi.NULL:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]605 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]606 bio = _ffi.gc(bio, _lib.BIO_free)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]607
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]608 dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
609 dh = _ffi.gc(dh, _lib.DH_free)
610 _lib.SSL_CTX_set_tmp_dh(self._context, dh)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]611
612
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -0400[diff] [blame]613 def set_tmp_ecdh(self, curve):
Alex Gaynor7b8d57a2014-01-17 12:08:54 -0600[diff] [blame]614 """
Andy Lutomirski76a61332014-03-12 15:02:56 -0700[diff] [blame]615 Select a curve to use for ECDHE key exchange.
Alex Gaynor7b8d57a2014-01-17 12:08:54 -0600[diff] [blame]616
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]617 :param curve: A curve object to use as returned by either
618 :py:meth:`OpenSSL.crypto.get_elliptic_curve` or
619 :py:meth:`OpenSSL.crypto.get_elliptic_curves`.
Andy Lutomirskif05a2732014-03-13 17:22:25 -0700[diff] [blame]620
Alex Gaynor7b8d57a2014-01-17 12:08:54 -0600[diff] [blame]621 :return: None
622 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]623 _lib.SSL_CTX_set_tmp_ecdh(self._context, curve._to_EC_KEY())
Alex Gaynor7b8d57a2014-01-17 12:08:54 -0600[diff] [blame]624
625
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]626 def set_cipher_list(self, cipher_list):
627 """
628 Change the cipher list
629
630 :param cipher_list: A cipher list, see ciphers(1)
631 :return: None
632 """
Jean-Paul Calderone63eab692014-01-18 10:19:56 -0500[diff] [blame]633 if isinstance(cipher_list, _text_type):
634 cipher_list = cipher_list.encode("ascii")
635
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]636 if not isinstance(cipher_list, bytes):
Jean-Paul Calderone63eab692014-01-18 10:19:56 -0500[diff] [blame]637 raise TypeError("cipher_list must be bytes or unicode")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]638
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]639 result = _lib.SSL_CTX_set_cipher_list(self._context, cipher_list)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]640 if not result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]641 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]642
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]643
644 def set_client_ca_list(self, certificate_authorities):
645 """
646 Set the list of preferred client certificate signers for this server context.
647
648 This list of certificate authorities will be sent to the client when the
649 server requests a client certificate.
650
651 :param certificate_authorities: a sequence of X509Names.
652 :return: None
653 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]654 name_stack = _lib.sk_X509_NAME_new_null()
655 if name_stack == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]656 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]657 _raise_current_error()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]658
659 try:
660 for ca_name in certificate_authorities:
661 if not isinstance(ca_name, X509Name):
662 raise TypeError(
663 "client CAs must be X509Name objects, not %s objects" % (
664 type(ca_name).__name__,))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]665 copy = _lib.X509_NAME_dup(ca_name._name)
666 if copy == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]667 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]668 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]669 push_result = _lib.sk_X509_NAME_push(name_stack, copy)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]670 if not push_result:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]671 _lib.X509_NAME_free(copy)
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]672 _raise_current_error()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]673 except:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]674 _lib.sk_X509_NAME_free(name_stack)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]675 raise
676
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]677 _lib.SSL_CTX_set_client_CA_list(self._context, name_stack)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]678
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]679
680 def add_client_ca(self, certificate_authority):
681 """
682 Add the CA certificate to the list of preferred signers for this context.
683
684 The list of certificate authorities will be sent to the client when the
685 server requests a client certificate.
686
687 :param certificate_authority: certificate authority's X509 certificate.
688 :return: None
689 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]690 if not isinstance(certificate_authority, X509):
691 raise TypeError("certificate_authority must be an X509 instance")
692
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]693 add_result = _lib.SSL_CTX_add_client_CA(
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]694 self._context, certificate_authority._x509)
695 if not add_result:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]696 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]697 _raise_current_error()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]698
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]699
700 def set_timeout(self, timeout):
701 """
702 Set session timeout
703
704 :param timeout: The timeout in seconds
705 :return: The previous session timeout
706 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]707 if not isinstance(timeout, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]708 raise TypeError("timeout must be an integer")
709
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]710 return _lib.SSL_CTX_set_timeout(self._context, timeout)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]711
712
713 def get_timeout(self):
714 """
715 Get the session timeout
716
717 :return: The session timeout
718 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]719 return _lib.SSL_CTX_get_timeout(self._context)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]720
721
722 def set_info_callback(self, callback):
723 """
724 Set the info callback
725
726 :param callback: The Python callback to use
727 :return: None
728 """
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]729 @wraps(callback)
730 def wrapper(ssl, where, return_code):
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500[diff] [blame]731 callback(Connection._reverse_mapping[ssl], where, return_code)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]732 self._info_callback = _ffi.callback(
733 "void (*)(const SSL *, int, int)", wrapper)
734 _lib.SSL_CTX_set_info_callback(self._context, self._info_callback)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]735
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]736
737 def get_app_data(self):
738 """
739 Get the application data (supplied via set_app_data())
740
741 :return: The application data
742 """
743 return self._app_data
744
745
746 def set_app_data(self, data):
747 """
748 Set the application data (will be returned from get_app_data())
749
750 :param data: Any Python object
751 :return: None
752 """
753 self._app_data = data
754
755
756 def get_cert_store(self):
757 """
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]758 Get the certificate store for the context.
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]759
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]760 :return: A X509Store object or None if it does not have one.
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]761 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]762 store = _lib.SSL_CTX_get_cert_store(self._context)
763 if store == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]764 # TODO: This is untested.
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]765 return None
766
767 pystore = X509Store.__new__(X509Store)
768 pystore._store = store
769 return pystore
770
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]771
772 def set_options(self, options):
773 """
774 Add options. Options set before are not cleared!
775
776 :param options: The options to add.
777 :return: The new option bitmask.
778 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]779 if not isinstance(options, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]780 raise TypeError("options must be an integer")
781
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]782 return _lib.SSL_CTX_set_options(self._context, options)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]783
784
785 def set_mode(self, mode):
786 """
787 Add modes via bitmask. Modes set before are not cleared!
788
789 :param mode: The mode to add.
790 :return: The new mode bitmask.
791 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]792 if not isinstance(mode, integer_types):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]793 raise TypeError("mode must be an integer")
794
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]795 return _lib.SSL_CTX_set_mode(self._context, mode)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]796
797
798 def set_tlsext_servername_callback(self, callback):
799 """
800 Specify a callback function to be called when clients specify a server name.
801
802 :param callback: The callback function. It will be invoked with one
803 argument, the Connection instance.
804 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]805 @wraps(callback)
806 def wrapper(ssl, alert, arg):
807 callback(Connection._reverse_mapping[ssl])
808 return 0
809
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]810 self._tlsext_servername_callback = _ffi.callback(
811 "int (*)(const SSL *, int *, void *)", wrapper)
812 _lib.SSL_CTX_set_tlsext_servername_callback(
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]813 self._context, self._tlsext_servername_callback)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]814
815ContextType = Context
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]816
817
818
819class Connection(object):
820 """
821 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]822 _reverse_mapping = WeakValueDictionary()
823
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]824 def __init__(self, context, socket=None):
825 """
826 Create a new Connection object, using the given OpenSSL.SSL.Context
827 instance and socket.
828
829 :param context: An SSL Context to use for this connection
830 :param socket: The socket to use for transport layer
831 """
832 if not isinstance(context, Context):
833 raise TypeError("context must be a Context instance")
834
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]835 ssl = _lib.SSL_new(context._context)
836 self._ssl = _ffi.gc(ssl, _lib.SSL_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]837 self._context = context
838
839 self._reverse_mapping[self._ssl] = self
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]840
841 if socket is None:
842 self._socket = None
Jean-Paul Calderone73b15c22013-03-05 18:30:39 -0800[diff] [blame]843 # Don't set up any gc for these, SSL_free will take care of them.
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]844 self._into_ssl = _lib.BIO_new(_lib.BIO_s_mem())
845 self._from_ssl = _lib.BIO_new(_lib.BIO_s_mem())
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]846
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]847 if self._into_ssl == _ffi.NULL or self._from_ssl == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]848 # TODO: This is untested.
849 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]850
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]851 _lib.SSL_set_bio(self._ssl, self._into_ssl, self._from_ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]852 else:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]853 self._into_ssl = None
854 self._from_ssl = None
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]855 self._socket = socket
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]856 set_result = _lib.SSL_set_fd(self._ssl, _asFileDescriptor(self._socket))
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]857 if not set_result:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]858 # TODO: This is untested.
859 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]860
861
862 def __getattr__(self, name):
863 """
864 Look up attributes on the wrapped socket object if they are not found on
865 the Connection object.
866 """
867 return getattr(self._socket, name)
868
869
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]870 def _raise_ssl_error(self, ssl, result):
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -0800[diff] [blame]871 if self._context._verify_helper is not None:
872 self._context._verify_helper.raise_if_problem()
873
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]874 error = _lib.SSL_get_error(ssl, result)
875 if error == _lib.SSL_ERROR_WANT_READ:
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]876 raise WantReadError()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]877 elif error == _lib.SSL_ERROR_WANT_WRITE:
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]878 raise WantWriteError()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]879 elif error == _lib.SSL_ERROR_ZERO_RETURN:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]880 raise ZeroReturnError()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]881 elif error == _lib.SSL_ERROR_WANT_X509_LOOKUP:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]882 # TODO: This is untested.
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]883 raise WantX509LookupError()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]884 elif error == _lib.SSL_ERROR_SYSCALL:
885 if _lib.ERR_peek_error() == 0:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]886 if result < 0:
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +0200[diff] [blame]887 if platform == "win32":
888 errno = _ffi.getwinerror()[0]
889 else:
890 errno = _ffi.errno
891 raise SysCallError(errno, errorcode[errno])
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]892 else:
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]893 raise SysCallError(-1, "Unexpected EOF")
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]894 else:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]895 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]896 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]897 elif error == _lib.SSL_ERROR_NONE:
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]898 pass
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]899 else:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]900 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]901
902
903 def get_context(self):
904 """
905 Get session context
906 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]907 return self._context
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]908
909
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]910 def set_context(self, context):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]911 """
912 Switch this connection to a new session context
913
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]914 :param context: A :py:class:`Context` instance giving the new session
915 context to use.
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]916 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]917 if not isinstance(context, Context):
918 raise TypeError("context must be a Context instance")
919
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]920 _lib.SSL_set_SSL_CTX(self._ssl, context._context)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]921 self._context = context
922
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]923
924 def get_servername(self):
925 """
926 Retrieve the servername extension value if provided in the client hello
927 message, or None if there wasn't one.
928
929 :return: A byte string giving the server name or :py:data:`None`.
930 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]931 name = _lib.SSL_get_servername(self._ssl, _lib.TLSEXT_NAMETYPE_host_name)
932 if name == _ffi.NULL:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]933 return None
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]934
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]935 return _ffi.string(name)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]936
937
938 def set_tlsext_host_name(self, name):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]939 """
940 Set the value of the servername extension to send in the client hello.
941
942 :param name: A byte string giving the name.
943 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]944 if not isinstance(name, bytes):
945 raise TypeError("name must be a byte string")
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]946 elif b"\0" in name:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]947 raise TypeError("name must not contain NUL byte")
948
949 # XXX I guess this can fail sometimes?
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]950 _lib.SSL_set_tlsext_host_name(self._ssl, name)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]951
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]952
953 def pending(self):
954 """
955 Get the number of bytes that can be safely read from the connection
956
957 :return: The number of bytes available in the receive buffer.
958 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]959 return _lib.SSL_pending(self._ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]960
961
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]962 def send(self, buf, flags=0):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]963 """
964 Send data on the connection. NOTE: If you get one of the WantRead,
965 WantWrite or WantX509Lookup exceptions on this, you have to call the
966 method again with the SAME buffer.
967
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]968 :param buf: The string, buffer or memoryview to send
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]969 :param flags: (optional) Included for compatibility with the socket
970 API, the value is ignored
971 :return: The number of bytes written
972 """
Jean-Paul Calderone8fb53182013-12-30 08:35:49 -0500[diff] [blame]973 if isinstance(buf, _memoryview):
Jean-Paul Calderone1aba4162013-03-05 18:50:00 -0800[diff] [blame]974 buf = buf.tobytes()
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]975 if isinstance(buf, _buffer):
976 buf = str(buf)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]977 if not isinstance(buf, bytes):
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]978 raise TypeError("data must be a memoryview, buffer or byte string")
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]979
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]980 result = _lib.SSL_write(self._ssl, buf, len(buf))
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]981 self._raise_ssl_error(self._ssl, result)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]982 return result
983 write = send
984
985
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]986 def sendall(self, buf, flags=0):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]987 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]988 Send "all" data on the connection. This calls send() repeatedly until
989 all data is sent. If an error occurs, it's impossible to tell how much
990 data has been sent.
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]991
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]992 :param buf: The string, buffer or memoryview to send
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]993 :param flags: (optional) Included for compatibility with the socket
994 API, the value is ignored
995 :return: The number of bytes written
996 """
Jean-Paul Calderone8fb53182013-12-30 08:35:49 -0500[diff] [blame]997 if isinstance(buf, _memoryview):
Jean-Paul Calderone1aba4162013-03-05 18:50:00 -0800[diff] [blame]998 buf = buf.tobytes()
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]999 if isinstance(buf, _buffer):
1000 buf = str(buf)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1001 if not isinstance(buf, bytes):
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +0200[diff] [blame]1002 raise TypeError("buf must be a memoryview, buffer or byte string")
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1003
1004 left_to_send = len(buf)
1005 total_sent = 0
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1006 data = _ffi.new("char[]", buf)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1007
1008 while left_to_send:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1009 result = _lib.SSL_write(self._ssl, data + total_sent, left_to_send)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1010 self._raise_ssl_error(self._ssl, result)
1011 total_sent += result
1012 left_to_send -= result
1013
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1014
1015 def recv(self, bufsiz, flags=None):
1016 """
1017 Receive data on the connection. NOTE: If you get one of the WantRead,
1018 WantWrite or WantX509Lookup exceptions on this, you have to call the
1019 method again with the SAME buffer.
1020
1021 :param bufsiz: The maximum number of bytes to read
1022 :param flags: (optional) Included for compatibility with the socket
1023 API, the value is ignored
1024 :return: The string read from the Connection
1025 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1026 buf = _ffi.new("char[]", bufsiz)
1027 result = _lib.SSL_read(self._ssl, buf, bufsiz)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1028 self._raise_ssl_error(self._ssl, result)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1029 return _ffi.buffer(buf, result)[:]
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1030 read = recv
1031
1032
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1033 def _handle_bio_errors(self, bio, result):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1034 if _lib.BIO_should_retry(bio):
1035 if _lib.BIO_should_read(bio):
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1036 raise WantReadError()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1037 elif _lib.BIO_should_write(bio):
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]1038 # TODO: This is untested.
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]1039 raise WantWriteError()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1040 elif _lib.BIO_should_io_special(bio):
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]1041 # TODO: This is untested. I think io_special means the socket
1042 # BIO has a not-yet connected socket.
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]1043 raise ValueError("BIO_should_io_special")
1044 else:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]1045 # TODO: This is untested.
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]1046 raise ValueError("unknown bio failure")
1047 else:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]1048 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]1049 _raise_current_error()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1050
1051
1052 def bio_read(self, bufsiz):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1053 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1054 When using non-socket connections this function reads the "dirty" data
1055 that would have traveled away on the network.
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1056
1057 :param bufsiz: The maximum number of bytes to read
1058 :return: The string read.
1059 """
Jean-Paul Calderone97e041d2013-03-05 21:03:12 -0800[diff] [blame]1060 if self._from_ssl is None:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1061 raise TypeError("Connection sock was not None")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1062
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500[diff] [blame]1063 if not isinstance(bufsiz, integer_types):
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1064 raise TypeError("bufsiz must be an integer")
1065
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1066 buf = _ffi.new("char[]", bufsiz)
1067 result = _lib.BIO_read(self._from_ssl, buf, bufsiz)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1068 if result <= 0:
1069 self._handle_bio_errors(self._from_ssl, result)
1070
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1071 return _ffi.buffer(buf, result)[:]
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1072
1073
1074 def bio_write(self, buf):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1075 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1076 When using non-socket connections this function sends "dirty" data that
1077 would have traveled in on the network.
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1078
1079 :param buf: The string to put into the memory BIO.
1080 :return: The number of bytes written
1081 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1082 if self._into_ssl is None:
1083 raise TypeError("Connection sock was not None")
1084
1085 if not isinstance(buf, bytes):
1086 raise TypeError("buf must be a byte string")
1087
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1088 result = _lib.BIO_write(self._into_ssl, buf, len(buf))
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1089 if result <= 0:
1090 self._handle_bio_errors(self._into_ssl, result)
1091 return result
1092
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1093
1094 def renegotiate(self):
1095 """
1096 Renegotiate the session
1097
1098 :return: True if the renegotiation can be started, false otherwise
1099 """
1100
1101 def do_handshake(self):
1102 """
1103 Perform an SSL handshake (usually called after renegotiate() or one of
1104 set_*_state()). This can raise the same exceptions as send and recv.
1105
1106 :return: None.
1107 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1108 result = _lib.SSL_do_handshake(self._ssl)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1109 self._raise_ssl_error(self._ssl, result)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1110
1111
1112 def renegotiate_pending(self):
1113 """
1114 Check if there's a renegotiation in progress, it will return false once
1115 a renegotiation is finished.
1116
1117 :return: Whether there's a renegotiation in progress
1118 """
1119
1120 def total_renegotiations(self):
1121 """
1122 Find out the total number of renegotiations.
1123
1124 :return: The number of renegotiations.
1125 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1126 return _lib.SSL_total_renegotiations(self._ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1127
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1128
1129 def connect(self, addr):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1130 """
1131 Connect to remote host and set up client-side SSL
1132
1133 :param addr: A remote address
1134 :return: What the socket's connect method returns
1135 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1136 _lib.SSL_set_connect_state(self._ssl)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1137 return self._socket.connect(addr)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1138
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1139
1140 def connect_ex(self, addr):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1141 """
1142 Connect to remote host and set up client-side SSL. Note that if the socket's
1143 connect_ex method doesn't return 0, SSL won't be initialized.
1144
1145 :param addr: A remove address
1146 :return: What the socket's connect_ex method returns
1147 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1148 connect_ex = self._socket.connect_ex
1149 self.set_connect_state()
1150 return connect_ex(addr)
1151
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1152
1153 def accept(self):
1154 """
1155 Accept incoming connection and set up SSL on it
1156
1157 :return: A (conn,addr) pair where conn is a Connection and addr is an
1158 address
1159 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1160 client, addr = self._socket.accept()
1161 conn = Connection(self._context, client)
1162 conn.set_accept_state()
1163 return (conn, addr)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1164
1165
1166 def bio_shutdown(self):
1167 """
1168 When using non-socket connections this function signals end of
1169 data on the input for this connection.
1170
1171 :return: None
1172 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1173 if self._from_ssl is None:
1174 raise TypeError("Connection sock was not None")
1175
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1176 _lib.BIO_set_mem_eof_return(self._into_ssl, 0)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1177
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1178
1179 def shutdown(self):
1180 """
1181 Send closure alert
1182
1183 :return: True if the shutdown completed successfully (i.e. both sides
1184 have sent closure alerts), false otherwise (i.e. you have to
1185 wait for a ZeroReturnError on a recv() method call
1186 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1187 result = _lib.SSL_shutdown(self._ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1188 if result < 0:
Paul Aurichbff1d1a2015-01-08 08:36:53 -0800[diff] [blame]1189 self._raise_ssl_error(self._ssl, result)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1190 elif result > 0:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1191 return True
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1192 else:
1193 return False
1194
1195
1196 def get_cipher_list(self):
1197 """
1198 Get the session cipher list
1199
1200 :return: A list of cipher strings
1201 """
1202 ciphers = []
1203 for i in count():
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1204 result = _lib.SSL_get_cipher_list(self._ssl, i)
1205 if result == _ffi.NULL:
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1206 break
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1207 ciphers.append(_native(_ffi.string(result)))
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1208 return ciphers
1209
1210
1211 def get_client_ca_list(self):
1212 """
1213 Get CAs whose certificates are suggested for client authentication.
1214
1215 :return: If this is a server connection, a list of X509Names representing
1216 the acceptable CAs as set by :py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or
1217 :py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client connection,
1218 the list of such X509Names sent by the server, or an empty list if that
1219 has not yet happened.
1220 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1221 ca_names = _lib.SSL_get_client_CA_list(self._ssl)
1222 if ca_names == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]1223 # TODO: This is untested.
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1224 return []
1225
1226 result = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1227 for i in range(_lib.sk_X509_NAME_num(ca_names)):
1228 name = _lib.sk_X509_NAME_value(ca_names, i)
1229 copy = _lib.X509_NAME_dup(name)
1230 if copy == _ffi.NULL:
Jean-Paul Calderonea9f84ad2013-12-29 17:06:11 -0500[diff] [blame]1231 # TODO: This is untested.
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]1232 _raise_current_error()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1233
1234 pyname = X509Name.__new__(X509Name)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1235 pyname._name = _ffi.gc(copy, _lib.X509_NAME_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1236 result.append(pyname)
1237 return result
1238
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1239
1240 def makefile(self):
1241 """
1242 The makefile() method is not implemented, since there is no dup semantics
1243 for SSL connections
1244
Jean-Paul Calderone6749ec22014-04-17 16:30:21 -0400[diff] [blame]1245 :raise: NotImplementedError
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1246 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1247 raise NotImplementedError("Cannot make file object of OpenSSL.SSL.Connection")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1248
1249
1250 def get_app_data(self):
1251 """
1252 Get application data
1253
1254 :return: The application data
1255 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1256 return self._app_data
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1257
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1258
1259 def set_app_data(self, data):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1260 """
1261 Set application data
1262
1263 :param data - The application data
1264 :return: None
1265 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1266 self._app_data = data
1267
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1268
1269 def get_shutdown(self):
1270 """
1271 Get shutdown state
1272
1273 :return: The shutdown state, a bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.
1274 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1275 return _lib.SSL_get_shutdown(self._ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1276
1277
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1278 def set_shutdown(self, state):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1279 """
1280 Set shutdown state
1281
1282 :param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN.
1283 :return: None
1284 """
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500[diff] [blame]1285 if not isinstance(state, integer_types):
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1286 raise TypeError("state must be an integer")
1287
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1288 _lib.SSL_set_shutdown(self._ssl, state)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1289
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1290
1291 def state_string(self):
1292 """
1293 Get a verbose state description
1294
1295 :return: A string representing the state
1296 """
1297
1298 def server_random(self):
1299 """
1300 Get a copy of the server hello nonce.
1301
1302 :return: A string representing the state
1303 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1304 if self._ssl.session == _ffi.NULL:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1305 return None
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1306 return _ffi.buffer(
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1307 self._ssl.s3.server_random,
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1308 _lib.SSL3_RANDOM_SIZE)[:]
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1309
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1310
1311 def client_random(self):
1312 """
1313 Get a copy of the client hello nonce.
1314
1315 :return: A string representing the state
1316 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1317 if self._ssl.session == _ffi.NULL:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1318 return None
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1319 return _ffi.buffer(
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1320 self._ssl.s3.client_random,
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1321 _lib.SSL3_RANDOM_SIZE)[:]
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1322
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1323
1324 def master_key(self):
1325 """
1326 Get a copy of the master key.
1327
1328 :return: A string representing the state
1329 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1330 if self._ssl.session == _ffi.NULL:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1331 return None
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1332 return _ffi.buffer(
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1333 self._ssl.session.master_key,
1334 self._ssl.session.master_key_length)[:]
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1335
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1336
1337 def sock_shutdown(self, *args, **kwargs):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1338 """
1339 See shutdown(2)
1340
1341 :return: What the socket's shutdown() method returns
1342 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1343 return self._socket.shutdown(*args, **kwargs)
1344
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1345
1346 def get_peer_certificate(self):
1347 """
1348 Retrieve the other side's certificate (if any)
1349
1350 :return: The peer's certificate
1351 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1352 cert = _lib.SSL_get_peer_certificate(self._ssl)
1353 if cert != _ffi.NULL:
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1354 pycert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1355 pycert._x509 = _ffi.gc(cert, _lib.X509_free)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1356 return pycert
1357 return None
1358
1359
1360 def get_peer_cert_chain(self):
1361 """
1362 Retrieve the other side's certificate (if any)
1363
1364 :return: A list of X509 instances giving the peer's certificate chain,
1365 or None if it does not have one.
1366 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1367 cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)
1368 if cert_stack == _ffi.NULL:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1369 return None
1370
1371 result = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1372 for i in range(_lib.sk_X509_num(cert_stack)):
Jean-Paul Calderone73b15c22013-03-05 18:30:39 -0800[diff] [blame]1373 # TODO could incref instead of dup here
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1374 cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1375 pycert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1376 pycert._x509 = _ffi.gc(cert, _lib.X509_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1377 result.append(pycert)
1378 return result
1379
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1380
1381 def want_read(self):
1382 """
1383 Checks if more data has to be read from the transport layer to complete an
1384 operation.
1385
1386 :return: True iff more data has to be read
1387 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1388 return _lib.SSL_want_read(self._ssl)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1389
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1390
1391 def want_write(self):
1392 """
1393 Checks if there is data to write to the transport layer to complete an
1394 operation.
1395
1396 :return: True iff there is data to write
1397 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1398 return _lib.SSL_want_write(self._ssl)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1399
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1400
1401 def set_accept_state(self):
1402 """
1403 Set the connection to work in server mode. The handshake will be handled
1404 automatically by read/write.
1405
1406 :return: None
1407 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1408 _lib.SSL_set_accept_state(self._ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1409
1410
1411 def set_connect_state(self):
1412 """
1413 Set the connection to work in client mode. The handshake will be handled
1414 automatically by read/write.
1415
1416 :return: None
1417 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1418 _lib.SSL_set_connect_state(self._ssl)
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1419
1420
1421 def get_session(self):
1422 """
1423 Returns the Session currently used.
1424
1425 @return: An instance of :py:class:`OpenSSL.SSL.Session` or :py:obj:`None` if
1426 no session exists.
1427 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1428 session = _lib.SSL_get1_session(self._ssl)
1429 if session == _ffi.NULL:
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1430 return None
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1431
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1432 pysession = Session.__new__(Session)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1433 pysession._session = _ffi.gc(session, _lib.SSL_SESSION_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1434 return pysession
1435
1436
1437 def set_session(self, session):
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1438 """
1439 Set the session to be used when the TLS/SSL connection is established.
1440
1441 :param session: A Session instance representing the session to use.
1442 :returns: None
1443 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1444 if not isinstance(session, Session):
1445 raise TypeError("session must be a Session instance")
1446
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1447 result = _lib.SSL_set_session(self._ssl, session._session)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1448 if not result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]1449 _raise_current_error()
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1450
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -0400[diff] [blame]1451
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1452 def _get_finished_message(self, function):
1453 """
1454 Helper to implement :py:meth:`get_finished` and
1455 :py:meth:`get_peer_finished`.
1456
1457 :param function: Either :py:data:`SSL_get_finished`: or
1458 :py:data:`SSL_get_peer_finished`.
1459
1460 :return: :py:data:`None` if the desired message has not yet been
1461 received, otherwise the contents of the message.
1462 :rtype: :py:class:`bytes` or :py:class:`NoneType`
1463 """
Jean-Paul Calderone01af9042014-03-30 11:40:42 -0400[diff] [blame]1464 # The OpenSSL documentation says nothing about what might happen if the
1465 # count argument given is zero. Specifically, it doesn't say whether
1466 # the output buffer may be NULL in that case or not. Inspection of the
1467 # implementation reveals that it calls memcpy() unconditionally.
1468 # Section 7.1.4, paragraph 1 of the C standard suggests that
1469 # memcpy(NULL, source, 0) is not guaranteed to produce defined (let
1470 # alone desirable) behavior (though it probably does on just about
1471 # every implementation...)
1472 #
1473 # Allocate a tiny buffer to pass in (instead of just passing NULL as
1474 # one might expect) for the initial call so as to be safe against this
1475 # potentially undefined behavior.
1476 empty = _ffi.new("char[]", 0)
1477 size = function(self._ssl, empty, 0)
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1478 if size == 0:
1479 # No Finished message so far.
1480 return None
1481
1482 buf = _ffi.new("char[]", size)
1483 function(self._ssl, buf, size)
1484 return _ffi.buffer(buf, size)[:]
1485
1486
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1487 def get_finished(self):
1488 """
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1489 Obtain the latest `handshake finished` message sent to the peer.
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1490
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1491 :return: The contents of the message or :py:obj:`None` if the TLS
1492 handshake has not yet completed.
1493 :rtype: :py:class:`bytes` or :py:class:`NoneType`
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1494 """
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1495 return self._get_finished_message(_lib.SSL_get_finished)
1496
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1497
1498 def get_peer_finished(self):
1499 """
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1500 Obtain the latest `handshake finished` message received from the peer.
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1501
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1502 :return: The contents of the message or :py:obj:`None` if the TLS
1503 handshake has not yet completed.
1504 :rtype: :py:class:`bytes` or :py:class:`NoneType`
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1505 """
Jean-Paul Calderoneac209562014-03-30 11:26:32 -0400[diff] [blame]1506 return self._get_finished_message(_lib.SSL_get_peer_finished)
Fedor Brunner5747b932014-03-05 14:22:34 +0100[diff] [blame]1507
Jean-Paul Calderone7c556ef2014-03-30 10:45:00 -0400[diff] [blame]1508
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1509 def get_cipher_name(self):
1510 """
1511 Obtain the name of the currently used cipher.
Jean-Paul Calderone9e3ccd42014-03-29 18:13:36 -0400[diff] [blame]1512
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1513 :returns: The name of the currently used cipher or :py:obj:`None`
1514 if no connection has been established.
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -0400[diff] [blame]1515 :rtype: :py:class:`unicode` or :py:class:`NoneType`
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1516 """
1517 cipher = _lib.SSL_get_current_cipher(self._ssl)
1518 if cipher == _ffi.NULL:
1519 return None
1520 else:
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -0400[diff] [blame]1521 name = _ffi.string(_lib.SSL_CIPHER_get_name(cipher))
1522 return name.decode("utf-8")
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1523
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -0400[diff] [blame]1524
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1525 def get_cipher_bits(self):
1526 """
1527 Obtain the number of secret bits of the currently used cipher.
Jean-Paul Calderone9e3ccd42014-03-29 18:13:36 -0400[diff] [blame]1528
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1529 :returns: The number of secret bits of the currently used cipher
1530 or :py:obj:`None` if no connection has been established.
Jean-Paul Calderone9e3ccd42014-03-29 18:13:36 -0400[diff] [blame]1531 :rtype: :py:class:`int` or :py:class:`NoneType`
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1532 """
1533 cipher = _lib.SSL_get_current_cipher(self._ssl)
1534 if cipher == _ffi.NULL:
1535 return None
1536 else:
1537 return _lib.SSL_CIPHER_get_bits(cipher, _ffi.NULL)
1538
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -0400[diff] [blame]1539
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1540 def get_cipher_version(self):
1541 """
Jean-Paul Calderone9e3ccd42014-03-29 18:13:36 -0400[diff] [blame]1542 Obtain the protocol version of the currently used cipher.
1543
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1544 :returns: The protocol name of the currently used cipher
1545 or :py:obj:`None` if no connection has been established.
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -0400[diff] [blame]1546 :rtype: :py:class:`unicode` or :py:class:`NoneType`
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1547 """
1548 cipher = _lib.SSL_get_current_cipher(self._ssl)
1549 if cipher == _ffi.NULL:
1550 return None
1551 else:
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -0400[diff] [blame]1552 version =_ffi.string(_lib.SSL_CIPHER_get_version(cipher))
1553 return version.decode("utf-8")
Fedor Brunnerd95014a2014-03-03 17:34:41 +0100[diff] [blame]1554
1555
1556
Jean-Paul Calderone131052e2013-03-05 11:56:19 -0800[diff] [blame]1557ConnectionType = Connection
Jean-Paul Calderone11ed8e82014-01-18 10:21:50 -0500[diff] [blame]1558
Jean-Paul Calderonefab157b2014-01-18 11:21:38 -0500[diff] [blame]1559# This is similar to the initialization calls at the end of OpenSSL/crypto.py
1560# but is exercised mostly by the Context initializer.
Jean-Paul Calderone11ed8e82014-01-18 10:21:50 -0500[diff] [blame]1561_lib.SSL_library_init()