From 7b8d57a7b806b7af9c5650e8152357d5a5755ca7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 17 Jan 2014 12:08:54 -0600 Subject: [PATCH 1/6] Expose support for using ecdhe with SSL connections --- OpenSSL/SSL.py | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py index 8da25e2e0..d960eb36e 100644 --- a/OpenSSL/SSL.py +++ b/OpenSSL/SSL.py @@ -119,6 +119,15 @@ class _memoryview(object): SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE +NID_X9_62_prime192v1 = _lib.NID_X9_62_prime192v1 +NID_X9_62_prime192v2 = _lib.NID_X9_62_prime192v2 +NID_X9_62_prime192v3 = _lib.NID_X9_62_prime192v3 +NID_X9_62_prime239v1 = _lib.NID_X9_62_prime239v1 +NID_X9_62_prime239v2 = _lib.NID_X9_62_prime239v2 +NID_X9_62_prime239v3 = _lib.NID_X9_62_prime239v3 +NID_X9_62_prime256v1 = _lib.NID_X9_62_prime256v1 + + class Error(Exception): """ An error occurred in an `OpenSSL.SSL` API. @@ -581,6 +590,26 @@ def load_tmp_dh(self, dhfile): _lib.SSL_CTX_set_tmp_dh(self._context, dh) + def set_tmp_ecdh_by_curve_name(self, curve_name): + """ + Configure this connection to people to use Elliptical Curve + Diffie-Hellman key exchanges. + + :param curve_name: One of the named curve constsants. + :return: None + """ + if _lib.Cryptography_HAS_EC: + ecdh = _lib.EC_KEY_new_by_curve_name(curve_name) + if ecdh == _ffi.NULL: + raise ValueError( + "OpenSSL could not load the requested elliptic curve" + ) + _lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh) + _lib.EC_KEY_free(ecdh) + else: + raise ValueError("OpenSSL is compiled without ECDH support") + + def set_cipher_list(self, cipher_list): """ Change the cipher list From a683fc0b8fabb4d763c77d7d04d8bf87799c9ca3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 17 Jan 2014 12:45:56 -0600 Subject: [PATCH 2/6] Corrected a typo --- OpenSSL/SSL.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py index d960eb36e..325b82568 100644 --- a/OpenSSL/SSL.py +++ b/OpenSSL/SSL.py @@ -595,7 +595,7 @@ def set_tmp_ecdh_by_curve_name(self, curve_name): Configure this connection to people to use Elliptical Curve Diffie-Hellman key exchanges. - :param curve_name: One of the named curve constsants. + :param curve_name: One of the named curve constants. :return: None """ if _lib.Cryptography_HAS_EC: From 12dc084f3a4e087d240e8393d9dc529240b12e44 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 17 Jan 2014 12:51:31 -0600 Subject: [PATCH 3/6] Added tests --- OpenSSL/SSL.py | 2 ++ OpenSSL/test/test_ssl.py | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py index 325b82568..e80ea3c49 100644 --- a/OpenSSL/SSL.py +++ b/OpenSSL/SSL.py @@ -127,6 +127,8 @@ class _memoryview(object): NID_X9_62_prime239v3 = _lib.NID_X9_62_prime239v3 NID_X9_62_prime256v1 = _lib.NID_X9_62_prime256v1 +OPENSSL_NO_EC = not _lib.Cryptography_HAS_EC + class Error(Exception): """ diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py index 95cb538b4..c884148e7 100644 --- a/OpenSSL/test/test_ssl.py +++ b/OpenSSL/test/test_ssl.py @@ -33,6 +33,7 @@ SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH, SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP, SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL) +from OpenSSL.SSL import NID_X9_62_prime256v1, OPENSSL_NO_EC from OpenSSL.SSL import ( Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError) @@ -1057,6 +1058,17 @@ def test_load_tmp_dh(self): # XXX What should I assert here? -exarkun + if not OPENSSL_NO_EC: + def test_set_tmp_ecdh_by_curve_name(self): + """ + :py:obj:`Context.set_tmp_ecdh_by_curve_name` sets the Eliptical + Curve for Diffie-Hellman by the named curve. + """ + context = Context(TLSv1_METHOD) + context.set_tmp_ecdh_by_curve_name(NID_X9_62_prime256v1) + # XXX What should I assert here? -alex + + def test_set_cipher_list(self): """ :py:obj:`Context.set_cipher_list` accepts a :py:obj:`str` naming the ciphers which From 2c04e86b244055f4f3c9e05eb5cb1e1be787db77 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 17 Jan 2014 12:52:29 -0600 Subject: [PATCH 4/6] Added a gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..539da7411 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.py[co] From 807853c55afd447e821c30232801a72c88a048b4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 17 Jan 2014 13:03:27 -0600 Subject: [PATCH 5/6] Use the internal name --- OpenSSL/SSL.py | 2 +- OpenSSL/test/test_ssl.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py index e80ea3c49..62ce6c1c4 100644 --- a/OpenSSL/SSL.py +++ b/OpenSSL/SSL.py @@ -127,7 +127,7 @@ class _memoryview(object): NID_X9_62_prime239v3 = _lib.NID_X9_62_prime239v3 NID_X9_62_prime256v1 = _lib.NID_X9_62_prime256v1 -OPENSSL_NO_EC = not _lib.Cryptography_HAS_EC +_Cryptography_HAS_EC = _lib.Cryptography_HAS_EC class Error(Exception): diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py index c884148e7..5e08e9ba4 100644 --- a/OpenSSL/test/test_ssl.py +++ b/OpenSSL/test/test_ssl.py @@ -33,7 +33,7 @@ SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH, SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP, SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL) -from OpenSSL.SSL import NID_X9_62_prime256v1, OPENSSL_NO_EC +from OpenSSL.SSL import NID_X9_62_prime256v1, _Cryptography_HAS_EC from OpenSSL.SSL import ( Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError) @@ -1058,7 +1058,7 @@ def test_load_tmp_dh(self): # XXX What should I assert here? -exarkun - if not OPENSSL_NO_EC: + if _Cryptography_HAS_EC: def test_set_tmp_ecdh_by_curve_name(self): """ :py:obj:`Context.set_tmp_ecdh_by_curve_name` sets the Eliptical From d5419e2a78be9d39ddd3983c38fa7e0ec3b23265 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 19 Jan 2014 21:03:36 -0600 Subject: [PATCH 6/6] Added documentation --- doc/api/ssl.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/api/ssl.rst b/doc/api/ssl.rst index b506757d3..76fb0ad06 100644 --- a/doc/api/ssl.rst +++ b/doc/api/ssl.rst @@ -116,6 +116,18 @@ Context, Connection. .. versionadded:: 0.14 +.. py:data:: NID_X9_62_prime192v1 + NID_X9_62_prime192v2 + NID_X9_62_prime192v3 + NID_X9_62_prime239v1 + NID_X9_62_prime239v2 + NID_X9_62_prime239v3 + NID_X9_62_prime256v1 + + Constants used with :py:meth:`Context.set_tmp_ecdh_by_curve_name` to + specify which elliptical curve should be used. + + .. py:data:: OPENSSL_VERSION_NUMBER An integer giving the version number of the OpenSSL library used to build this @@ -322,6 +334,16 @@ Context objects have the following methods: Load parameters for Ephemeral Diffie-Hellman from *dhfile*. +.. py:method:: Context.set_tmp_ecdh_by_curve_name(curve_name) + + Configure this connection to people to use Elliptical Curve Diffie-Hellman + key exchanges. + + ``curve_name`` should be one of the named curve constants, such as + :py:data:`NID_X9_62_prime256v1`. + + Raises a ``ValueError`` if the linked OpenSSL was not compiled with + elliptical curve support, or the specified curve is not available. .. py:method:: Context.set_app_data(data)