From 6a8cd11e8662473ff14cec81cae0507b27336eb2 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Wed, 2 Apr 2014 21:09:08 -0400
Subject: [PATCH 1/5] Add a test that verifies the first argument passed to the verify callback.

And make it pass.
---
 OpenSSL/SSL.py | 8 ++++++--
 OpenSSL/test/test_ssl.py | 41 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py
index fbb18f0be..40fe5a6c5 100644
--- a/OpenSSL/SSL.py
+++ b/OpenSSL/SSL.py
@@ -161,7 +161,7 @@ class SysCallError(Error):
 
 
 class _VerifyHelper(object):
-    def __init__(self, connection, callback):
+    def __init__(self, callback):
         self._problems = []
 
         @wraps(callback)
@@ -171,6 +171,10 @@ def wrapper(ok, store_ctx):
             error_number = _lib.X509_STORE_CTX_get_error(store_ctx)
             error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)
 
+            index = _lib.SSL_get_ex_data_X509_STORE_CTX_idx()
+            ssl = _lib.X509_STORE_CTX_get_ex_data(store_ctx, index)
+            connection = Connection._reverse_mapping[ssl]
+
             try:
                 result = callback(connection, cert, error_number, error_depth, ok)
             except Exception as e:
@@ -542,7 +546,7 @@ def set_verify(self, mode, callback):
         if not callable(callback):
             raise TypeError("callback must be callable")
 
-        self._verify_helper = _VerifyHelper(self, callback)
+        self._verify_helper = _VerifyHelper(callback)
         self._verify_callback = self._verify_helper.callback
 
         _lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)
diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py
index bfe3114da..369b1b642 100644
--- a/OpenSSL/test/test_ssl.py
+++ b/OpenSSL/test/test_ssl.py
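Review bot: The new `Connection._reverse_mapping[ssl]` lookup on the third added line of the `wrapper` hunk runs outside the `try` that guards `callback(...)`, so if `X509_STORE_CTX_get_ex_data` returns a NULL handle or the handle is not registered in `_reverse_mapping`, the resulting `KeyError` escapes the cffi callback instead of being caught by the `except Exception` branch that handles a failing user callback. cffi's usual treatment of an exception escaping a callback is to print the traceback and return the callback's default error value, which for a verify callback would reject the certificate, so the outcome is fail-closed but the error never reaches the caller through the helper's own reporting path. Moving the lookup inside the existing `try:` keeps the fail-closed result while routing the failure the same way as a callback error, e.g. `try:` / `connection = Connection._reverse_mapping[ssl]` / `result = callback(connection, cert, error_number, error_depth, ok)`. Whether `_reverse_mapping` holds weak references that could drop an entry while a handshake is in flight is not visible in this hunk and is worth confirming. The enclosing `wrapper` and `_VerifyHelper.__init__` start before and end after this hunk.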
@@ -277,6 +277,19 @@ def _interactInMemory(self, client_conn, server_conn):
                         write.bio_write(dirty)
 
 
+    def _handshakeInMemory(self, client_conn, server_conn):
+        client_conn.set_connect_state()
+        server_conn.set_accept_state()
+
+        for conn in [client_conn, server_conn]:
+            try:
+                conn.do_handshake()
+            except WantReadError:
+                pass
+
+        self._interactInMemory(client_conn, server_conn)
+
+
 
 class VersionTests(TestCase):
     """
@@ -981,6 +994,34 @@ def _handshake_test(self, serverContext, clientContext):
             pass
 
 
+    def test_set_verify_callback_connection_argument(self):
+        """
+        The first argument passed to the verify callback is the
+        :py:class:`Connection` instance for which verification is taking place.
+        """
+        serverContext = Context(TLSv1_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
+        serverConnection = Connection(serverContext, None)
+
+        class VerifyCallback(object):
+            def callback(self, connection, *args):
+                self.connection = connection
+                return 1
+
+        verify = VerifyCallback()
+        clientContext = Context(TLSv1_METHOD)
+        clientContext.set_verify(VERIFY_PEER, verify.callback)
+        clientConnection = Connection(clientContext, None)
+        clientConnection.set_connect_state()
+
+        self._handshakeInMemory(clientConnection, serverConnection)
+
+        self.assertIdentical(verify.connection, clientConnection)
+
+
     def test_set_verify_callback_exception(self):
         """
         If the verify callback passed to :py:obj:`Context.set_verify` raises an
From 4ca24eedfa42ddb326cb2cb3aef73e1397c7e70f Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Wed, 2 Apr 2014 21:10:57 -0400
Subject: [PATCH 2/5] ChangeLog

---
 ChangeLog | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index e36f2d2e3..86e644f7e 100644
--- a/ChangeLog
+++ b/ChangeLog
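Review bot: `test_set_verify_callback_connection_argument` errors with an `AttributeError` rather than a clean assertion failure if the verify callback is never invoked, because `VerifyCallback.connection` is only assigned inside `callback`; declaring `connection = None` as a class attribute on `VerifyCallback` makes `assertIdentical(verify.connection, clientConnection)` report the missing call as an ordinary failure. The unconditional `return 1` also deserves a one-line comment, `# Accept the untrusted self-signed server cert: this test checks the callback's first argument, not the trust decision.`, so it is not mistaken for a verification pattern worth copying. The `clientConnection.set_connect_state()` call just before `_handshakeInMemory` appears redundant, since the helper added in the first hunk sets both connection states itself.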
@@ -1,3 +1,11 @@
+2014-04-02  Jean-Paul Calderone
+
+  * OpenSSL/SSL.py: Fix a regression in which the first argument of
+    the "verify" callback was incorrectly a ``Context`` instance
+    instead of the ``Connection`` instance.
+  * OpenSSL/test/test_ssl.py: Add a test for the value passed as the
+    first argument of the "verify" callback.
+
 2014-03-30  Fedor Brunner
 
   * OpenSSL/SSL.py: Add ``get_finished``, ``get_peer_finished``
From a293f5ef8858d5bdd4a8db6c10a189953f71b491 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Mon, 5 May 2014 13:03:00 -0400
Subject: [PATCH 3/5] This depends on a new feature first introduced in cryptography 0.4.

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index f12714d5b..3d3fe04a5 100755
--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@
     maintainer_email = 'exarkun@twistedmatrix.com',
     url = 'https://github.com/pyca/pyopenssl',
     license = 'APL2',
-    install_requires=["cryptography>=0.3", "six>=1.5.2"],
+    install_requires=["cryptography>=0.4", "six>=1.5.2"],
     long_description = """\
 High-level wrapper around a subset of the OpenSSL library, includes
  * SSL.Connection objects, wrapping the methods of Python's portable
From b2b4078dc79b18d1d4a1912359f1d55c425669cd Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Tue, 6 May 2014 08:47:40 -0400
Subject: [PATCH 4/5] the minimal documentation requirements

---
 OpenSSL/test/test_ssl.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py
index b30bed48f..6409b8ee1 100644
--- a/OpenSSL/test/test_ssl.py
+++ b/OpenSSL/test/test_ssl.py
@@ -280,6 +280,10 @@ def _interactInMemory(self, client_conn, server_conn):
 
 
     def _handshakeInMemory(self, client_conn, server_conn):
+        """
+        Perform the TLS handshake between two :py:class:`Connection` instances
+        connected to each other via memory BIOs.
+        """
         client_conn.set_connect_state()
         server_conn.set_accept_state()
 
From 774230a95d8bb18819251c78d53481cf3f1850b1 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Tue, 6 May 2014 08:59:49 -0400
Subject: [PATCH 5/5] add a missing word

---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index c22aaae3c..9ad9317b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@
 2014-05-05  Jean-Paul Calderone
 
   * OpenSSL/SSL.py: Fix a regression in which the first argument of
-    the "verify" callback was incorrectly a ``Context`` instance
+    the "verify" callback was incorrectly passed a ``Context`` instance
     instead of the ``Connection`` instance.
   * OpenSSL/test/test_ssl.py: Add a test for the value passed as the
     first argument of the "verify" callback.