diff options
author | Fedor Brunner <fedor.brunner@azet.sk> | 2014-03-28 13:18:38 +0100 |
---|---|---|
committer | Fedor Brunner <fedor.brunner@azet.sk> | 2014-03-28 13:18:38 +0100 |
commit | 416f4a1d5cfd3c76736ebd68f33c4f76af27568b (patch) | |
tree | 40322a66f62148cc6d1f5cea8ed46db73390d202 | |
parent | 5747b93d4c6eee7551fcff5e879c3e281f052036 (diff) | |
download | pyopenssl-416f4a1d5cfd3c76736ebd68f33c4f76af27568b.tar.gz |
Added dependency for cryptography>=0.3.
Test split into multiple methods.
Added changelog entry.
If you use these methods to
implement TLS channel binding (RFC 5929) disable session
resumption because triple handshake attacks against TLS.
https://www.ietf.org/mail-archive/web/tls/current/msg11337.html
https://secure-resumption.com/tlsauth.pdf
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | OpenSSL/SSL.py | 10 | ||||
-rw-r--r-- | OpenSSL/test/test_ssl.py | 46 | ||||
-rw-r--r-- | doc/api/ssl.rst | 13 | ||||
-rwxr-xr-x | setup.py | 2 |
5 files changed, 72 insertions, 8 deletions
@@ -1,3 +1,12 @@ +2014-03-28 Fedor Brunner <fedor.brunner@azet.sk> + + * OpenSSL/ssl.py: Add ``get_finished``, ``get_peer_finished`` + methods to ``Connection``. If you use these methods to + implement TLS channel binding (RFC 5929) disable session + resumption because triple handshake attacks against TLS. + <https://www.ietf.org/mail-archive/web/tls/current/msg11337.html> + <https://secure-resumption.com/tlsauth.pdf> + 2014-03-02 Stephen Holsapple <sholsapp@gmail.com> * OpenSSL/crypto.py: Add ``get_extensions`` method to ``X509Req``. diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py index e4d2d3b..41d764d 100644 --- a/OpenSSL/SSL.py +++ b/OpenSSL/SSL.py @@ -1421,7 +1421,10 @@ class Connection(object): """ Obtain latest Finished message that we sent. - :return: A string representing the Finished message + :return: The Finished message or :py:obj:`None` if the TLS handshake + is not completed. + :rtype: :py:data:`bytes` + """ # The size of Finished message is 12 bytes in TLS, # 36 bytes in SSL protocol, but let's be safe with @@ -1438,7 +1441,10 @@ class Connection(object): """ Obtain latest Finished message that we expected from peer. - :return: A string representing the Finished message + :return: The Finished message or :py:obj:`None` if the TLS handshake + is not completed. + :rtype: :py:data:`bytes` + """ # Same buffer size as in get_finished bufsiz = 128 diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py index 8861972..5af8d86 100644 --- a/OpenSSL/test/test_ssl.py +++ b/OpenSSL/test/test_ssl.py @@ -1932,25 +1932,61 @@ class ConnectionTests(TestCase, _LoopbackMixin): # XXX want_read - def test_finished(self): + def test_get_finished_before_connect(self): """ - :py:obj:`Connection.get_finished` and :py:obj:`Connection.get_peer_finished` - methods return the TLS Finished messages. Finished messages are send - during TLS handshake. Before handshake :py:obj:`Connection.get_finished` and - :py:obj:`Connection.get_peer_finished` return None. + :py:obj:`Connection.get_finished` returns :py:obj:`None` + before TLS handshake is completed. """ ctx = Context(TLSv1_METHOD) connection = Connection(ctx, None) self.assertEqual(connection.get_finished(), None) + + def test_get_peer_finished_before_connect(self): + """ + :py:obj:`Connection.get_peer_finished` returns :py:obj:`None` + before TLS handshake is completed. + """ + + ctx = Context(TLSv1_METHOD) + connection = Connection(ctx, None) self.assertEqual(connection.get_peer_finished(), None) + def test_get_finished(self): + """ + :py:obj:`Connection.get_finished` method returns the TLS Finished + message send from client, or server. Finished messages are send + during TLS handshake. + """ + server, client = self._loopback() self.assertNotEqual(server.get_finished(), None) self.assertTrue(len(server.get_finished()) > 0) + + def test_get_peer_finished(self): + """ + :py:obj:`Connection.get_peer_finished` method returns the TLS Finished + message received from client, or server. Finished messages are send + during TLS handshake. + """ + + server, client = self._loopback() + + self.assertNotEqual(server.get_peer_finished(), None) self.assertTrue(len(server.get_peer_finished()) > 0) + def test_tls_finished_message_symmetry(self): + """ + The TLS Finished message send by server muss be the TLS Finished message + received by client. + + The TLS Finished message send by client muss be the TLS Finished message + received by server. + """ + + server, client = self._loopback() + self.assertEqual(server.get_finished(), client.get_peer_finished()) self.assertEqual(client.get_finished(), server.get_peer_finished()) diff --git a/doc/api/ssl.rst b/doc/api/ssl.rst index b506757..df21a1d 100644 --- a/doc/api/ssl.rst +++ b/doc/api/ssl.rst @@ -765,6 +765,19 @@ Connection objects have the following methods: .. versionadded:: 0.14 +.. py:method:: Connection.get_finished() + + Obtain latest TLS Finished message that we sent, or :py:obj:`None` if + handshake is not completed. + + .. versionadded:: 0.15 + +.. py:method:: Connection.get_peer_finished() + + Obtain latest TLS Finished message that we expected from peer, or + :py:obj:`None` if handshake is not completed. + + .. versionadded:: 0.15 .. Rubric:: Footnotes @@ -34,7 +34,7 @@ setup(name='pyOpenSSL', version=__version__, maintainer_email = 'exarkun@twistedmatrix.com', url = 'https://github.com/pyca/pyopenssl', license = 'APL2', - install_requires=["cryptography>=0.2.1", "six>=1.5.2"], + install_requires=["cryptography>=0.3", "six>=1.5.2"], long_description = """\ High-level wrapper around a subset of the OpenSSL library, includes * SSL.Connection objects, wrapping the methods of Python's portable |