3 changes: 2 additions & 1 deletion .gitignore
@@ -1,3 +1,4 @@
*.py[co]
build
dist
*.egg-info
*.egg-info
31 changes: 31 additions & 0 deletions OpenSSL/SSL.py
Expand Up @@ -122,6 +122,17 @@ class _memoryview(object):
SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE


NID_X9_62_prime192v1 = _lib.NID_X9_62_prime192v1
NID_X9_62_prime192v2 = _lib.NID_X9_62_prime192v2
NID_X9_62_prime192v3 = _lib.NID_X9_62_prime192v3
NID_X9_62_prime239v1 = _lib.NID_X9_62_prime239v1
NID_X9_62_prime239v2 = _lib.NID_X9_62_prime239v2
NID_X9_62_prime239v3 = _lib.NID_X9_62_prime239v3
NID_X9_62_prime256v1 = _lib.NID_X9_62_prime256v1

_Cryptography_HAS_EC = _lib.Cryptography_HAS_EC


class Error(Exception):
"""
An error occurred in an `OpenSSL.SSL` API.
Expand Down Expand Up @@ -594,6 +605,26 @@ def load_tmp_dh(self, dhfile):
_lib.SSL_CTX_set_tmp_dh(self._context, dh)


def set_tmp_ecdh_by_curve_name(self, curve_name):
Member


I think that the idiom thus far in pyOpenSSL is to wrap the kind of stateful object that a ... EC_KEY* (what SSL_CTX_set_tmp_ecdh takes) is in a thin object and unwrap it as necessary when going down to OpenSSL.

What do you think about an ... EllipticalCurveKey class that wraps this EC_KEY* and changing this method so that it is merely a wrapper around SSL_CTX_set_tmp_ecdh? EllipticalCurveKey.new_by_curve_name(nid) might be the way the other half of this functionality is accessed.

Just thinking out loud here, let me know if this sounds dumb.

"""
Configure this connection to people to use Elliptical Curve
Diffie-Hellman key exchanges.

:param curve_name: One of the named curve constants.
:return: None
Contributor


`None`

I think?

Member Author


None of the other places uses backticks.

On Fri, Jan 17, 2014 at 12:11 PM, Hynek Schlawack
notifications@github.com wrote:

In OpenSSL/SSL.py:

@@ -581,6 +590,26 @@ def load_tmp_dh(self, dhfile):
_lib.SSL_CTX_set_tmp_dh(self._context, dh)

  • def set_tmp_ecdh_by_curve_name(
    self, curve_name):
  •    """
    
  •    Configure this connection to people to use Elliptical Curve
    
  •    Diffie-Hellman key exchanges.
    
  •    :param curve_name: One of the named curve constsants.
    
  •    :return: None
    

None

I think?


Reply to this email directly or view it on GitHubhttps://github.com//pull/9/files#r8974448
.

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

"""
if _lib.Cryptography_HAS_EC:
ecdh = _lib.EC_KEY_new_by_curve_name(curve_name)
if ecdh == _ffi.NULL:
raise ValueError(
"OpenSSL could not load the requested elliptic curve"
)
_lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh)
_lib.EC_KEY_free(ecdh)
else:
raise ValueError("OpenSSL is compiled without ECDH support")


def set_cipher_list(self, cipher_list):
"""
Change the cipher list
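Review bot: The result of `SSL_CTX_set_tmp_ecdh` is discarded in `set_tmp_ecdh_by_curve_name`, although it returns 0 when OpenSSL cannot duplicate the key or generate a key pair from it, so such a failure leaves the context silently without ephemeral ECDH and only surfaces later as failed handshakes; I would check it, freeing our copy on both paths, as in the lines below. The docstring should also warn that in OpenSSL 1.0.x the key generated here is reused for every connection unless the context has `SSL_OP_SINGLE_ECDH_USE` set (presumably exposed by pyOpenSSL as `OP_SINGLE_ECDH_USE` — worth confirming), since callers reaching for this method generally expect forward secrecy. The exported constants deserve a second look too: as far as I can tell prime192v2, prime192v3 and the three prime239 curves are not TLS NamedCurve values (RFC 4492), so selecting them yields a context whose ECDHE handshakes cannot succeed, prime192v1 is below current strength recommendations, and the commonly wanted `NID_secp384r1`/`NID_secp521r1` are missing. Finally, the method's docstring has a stray "to people" and describes a context, not a connection; I would write it as `Configure this context to use Elliptic Curve Diffie-Hellman key exchanges.`
```python
            # … unchanged: EC_KEY_new_by_curve_name and the NULL check …
            # SSL_CTX_set_tmp_ecdh copies the key, so our copy is freed on
            # every path; a 0 return means the context did not take the curve.
            ok = _lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh)
            _lib.EC_KEY_free(ecdh)
            if not ok:
                raise ValueError(
                    "OpenSSL could not set the requested elliptic curve"
                )
```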
12 changes: 12 additions & 0 deletions OpenSSL/test/test_ssl.py
Expand Up @@ -35,6 +35,7 @@
SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,
SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,
SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)
from OpenSSL.SSL import NID_X9_62_prime256v1, _Cryptography_HAS_EC

from OpenSSL.SSL import (
Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)
Expand Down Expand Up @@ -1172,6 +1173,17 @@ def test_load_tmp_dh(self):
# XXX What should I assert here? -exarkun


if _Cryptography_HAS_EC:
def test_set_tmp_ecdh_by_curve_name(self):
"""
:py:obj:`Context.set_tmp_ecdh_by_curve_name` sets the Eliptical
Curve for Diffie-Hellman by the named curve.
"""
context = Context(TLSv1_METHOD)
context.set_tmp_ecdh_by_curve_name(NID_X9_62_prime256v1)
# XXX What should I assert here? -alex
Member


Something about the cipher that is used by a connection established using this context? With this you should be able to get something that starts with ECDH- and without it you should not be able to?



def test_set_cipher_list_bytes(self):
"""
:py:obj:`Context.set_cipher_list` accepts a :py:obj:`bytes` naming the
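Review bot: Guarding `test_set_tmp_ecdh_by_curve_name` with `if _Cryptography_HAS_EC:` in the class body makes the test disappear without trace on a build without EC support, so a broken `Cryptography_HAS_EC` detection or a build regression is never reported; defining the method unconditionally and marking it skipped when EC is absent (this file's `TestCase` may already support a `.skip` attribute — worth checking) keeps it visible in the run. The error paths of the new method are also untested: `self.assertRaises(ValueError, context.set_tmp_ecdh_by_curve_name, 0)` would pin the NULL check for an NID no curve is registered under, and the EC-less branch could assert the `ValueError` it raises. The new import at the top of the section also pulls the private `_Cryptography_HAS_EC` into the test module; if the skip route is taken, a public feature flag would be the cleaner dependency.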
22 changes: 22 additions & 0 deletions doc/api/ssl.rst
Expand Up @@ -116,6 +116,18 @@ Context, Connection.
.. versionadded:: 0.14


.. py:data:: NID_X9_62_prime192v1
NID_X9_62_prime192v2
NID_X9_62_prime192v3
NID_X9_62_prime239v1
NID_X9_62_prime239v2
NID_X9_62_prime239v3
NID_X9_62_prime256v1

Constants used with :py:meth:`Context.set_tmp_ecdh_by_curve_name` to
specify which elliptical curve should be used.


.. py:data:: OPENSSL_VERSION_NUMBER

An integer giving the version number of the OpenSSL library used to build this
Expand Down Expand Up @@ -322,6 +334,16 @@ Context objects have the following methods:

Load parameters for Ephemeral Diffie-Hellman from *dhfile*.

.. py:method:: Context.set_tmp_ecdh_by_curve_name(curve_name)

Configure this connection to people to use Elliptical Curve Diffie-Hellman
key exchanges.

``curve_name`` should be one of the named curve constants, such as
:py:data:`NID_X9_62_prime256v1`.

Raises a ``ValueError`` if the linked OpenSSL was not compiled with
elliptical curve support, or the specified curve is not available.

.. py:method:: Context.set_app_data(data)
