From f5ad068453cb32e03cb87e482cc28abb7c2bf89f Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Sun, 23 May 2021 00:53:40 -0700 Subject: [PATCH 01/16] Expose DTLS_METHOD and friends --- src/OpenSSL/SSL.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 59f21cecc..fda0c1988 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -45,6 +45,9 @@ "TLS_METHOD", "TLS_SERVER_METHOD", "TLS_CLIENT_METHOD", + "DTLS_METHOD", + "DTLS_SERVER_METHOD", + "DTLS_CLIENT_METHOD", "SSL3_VERSION", "TLS1_VERSION", "TLS1_1_VERSION", @@ -149,6 +152,9 @@ class _buffer(object): TLS_METHOD = 7 TLS_SERVER_METHOD = 8 TLS_CLIENT_METHOD = 9 +DTLS_METHOD = 10 +DTLS_SERVER_METHOD = 11 +DTLS_CLIENT_METHOD = 12 try: SSL3_VERSION = _lib.SSL3_VERSION @@ -628,7 +634,8 @@ class Context(object): :class:`OpenSSL.SSL.Context` instances define the parameters for setting up new SSL connections. - :param method: One of TLS_METHOD, TLS_CLIENT_METHOD, or TLS_SERVER_METHOD. + :param method: One of TLS_METHOD, TLS_CLIENT_METHOD, TLS_SERVER_METHOD, + DTLS_METHOD, DTLS_CLIENT_METHOD, or DTLS_SERVER_METHOD. SSLv23_METHOD, TLSv1_METHOD, etc. are deprecated and should not be used. """ @@ -643,6 +650,9 @@ class Context(object): TLS_METHOD: "TLS_method", TLS_SERVER_METHOD: "TLS_server_method", TLS_CLIENT_METHOD: "TLS_client_method", + DTLS_METHOD: "DTLS_method", + DTLS_SERVER_METHOD: "DTLS_server_method", + DTLS_CLIENT_METHOD: "DTLS_client_method", } _methods = dict( (identifier, getattr(_lib, name)) From 71699068ae0e8e3dc4cdb93a4bececed44b4066a Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Sun, 23 May 2021 00:53:52 -0700 Subject: [PATCH 02/16] Expose OP_NO_RENEGOTIATION --- src/OpenSSL/SSL.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index fda0c1988..5c8ce2d0d 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -83,6 +83,7 @@ "OP_NO_QUERY_MTU", "OP_COOKIE_EXCHANGE", "OP_NO_TICKET", + "OP_NO_RENEGOTIATION", "OP_ALL", "VERIFY_PEER", "VERIFY_FAIL_IF_NO_PEER_CERT", @@ -211,6 +212,7 @@ class _buffer(object): OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE OP_NO_TICKET = _lib.SSL_OP_NO_TICKET +OP_NO_RENEGOTIATION = _lib.SSL_OP_NO_RENEGOTIATION OP_ALL = _lib.SSL_OP_ALL From 7df5fa9461fe279f70489ee21c7bd85ce7a57f4b Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Sun, 23 May 2021 00:54:12 -0700 Subject: [PATCH 03/16] Expose DTLS MTU-related functions --- src/OpenSSL/SSL.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 5c8ce2d0d..9dbaa8e99 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1678,6 +1678,32 @@ def get_servername(self): return _ffi.string(name) + def set_ciphertext_mtu(self, mtu): + """ + For DTLS, set the maximum UDP payload size (*not* including IP/UDP + overhead). + + Note that you might have to set :data:`OP_NO_QUERY_MTU` to prevent + OpenSSL from spontaneously clearing this. + + :param mtu: An integer giving the maximum transmission unit. + + .. versionadded:: 21.0 + """ + _lib.SSL_set_mtu(self._ssl, mtu) + + def get_cleartext_mtu(self): + """ + For DTLS, get the maximum size of unencrypted data you can pass to + :meth:`write` without exceeding the MTU (as passed to + :meth:`set_ciphertext_mtu`). + + :return: The effective MTU as an integer. + + .. versionadded:: 21.0 + """ + return _lib.DTLS_get_data_mtu(self._ssl) + def set_tlsext_host_name(self, name): """ Set the value of the servername extension to send in the client hello. From b94109938f623d6fd8b87e31e8f7ac52883249a3 Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Sun, 23 May 2021 00:56:28 -0700 Subject: [PATCH 04/16] Expose DTLSv1_listen and associated callbacks --- src/OpenSSL/SSL.py | 88 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 9dbaa8e99..0b223ef20 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -555,6 +555,48 @@ def wrapper(ssl, cdata): self.callback = _ffi.callback("int (*)(SSL *, void *)", wrapper) +class _CookieGenerateCallbackHelper(_CallbackExceptionHelper): + def __init__(self, callback): + _CallbackExceptionHelper.__init__(self) + + @wraps(callback) + def wrapper(ssl, out, outlen): + try: + conn = Connection._reverse_mapping[ssl] + cookie = callback(conn) + out[0:len(cookie)] = cookie + outlen[0] = len(cookie) + return 1 + except Exception as e: + self._problems.append(e) + # "a zero return value can be used to abort the handshake" + return 0 + + self.callback = _ffi.callback( + "int (*)(SSL *, unsigned char *, unsigned int *)", + wrapper, + ) + + +class _CookieVerifyCallbackHelper(_CallbackExceptionHelper): + def __init__(self, callback): + _CallbackExceptionHelper.__init__(self) + + @wraps(callback) + def wrapper(ssl, c_cookie, cookie_len): + try: + conn = Connection._reverse_mapping[ssl] + return callback(conn, bytes(c_cookie[0:cookie_len])) + except Exception as e: + self._problems.append(e) + return 0 + + self.callback = _ffi.callback( + "int (*)(SSL *, unsigned char *, unsigned int)", + wrapper, + ) + + def _asFileDescriptor(obj): fd = None if not isinstance(obj, int): @@ -699,6 +741,8 @@ def __init__(self, method): self._ocsp_helper = None self._ocsp_callback = None self._ocsp_data = None + self._cookie_generate_helper = None + self._cookie_verify_helper = None self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE) @@ -1533,6 +1577,20 @@ def set_ocsp_client_callback(self, callback, data=None): helper = _OCSPClientCallbackHelper(callback) self._set_ocsp_callback(helper, data) + def set_cookie_generate_callback(self, callback): + self._cookie_generate_helper = _CookieGenerateCallbackHelper(callback) + _lib.SSL_CTX_set_cookie_generate_cb( + self._context, + self._cookie_generate_helper.callback, + ) + + def set_cookie_verify_callback(self, callback): + self._cookie_verify_helper = _CookieVerifyCallbackHelper(callback) + _lib.SSL_CTX_set_cookie_verify_cb( + self._context, + self._cookie_verify_helper.callback, + ) + class Connection(object): _reverse_mapping = WeakValueDictionary() @@ -1570,6 +1628,10 @@ def __init__(self, context, socket=None): self._verify_helper = context._verify_helper self._verify_callback = context._verify_callback + # And likewise for the cookie callbacks + self._cookie_generate_helper = context._cookie_generate_helper + self._cookie_verify_helper = context._cookie_verify_helper + self._reverse_mapping[self._ssl] = self if socket is None: @@ -1989,6 +2051,32 @@ def accept(self): conn.set_accept_state() return (conn, addr) + def DTLSv1_listen(self): + """ + Call the OpenSSL function DTLSv1_listen on this connection. See the + OpenSSL manual for more details. + + :return: None + """ + # Possible future extension: return the BIO_ADDR in some form. + bio_addr = _lib.BIO_ADDR_new() + try: + result = _lib.DTLSv1_listen(self._ssl, bio_addr) + finally: + _lib.BIO_ADDR_free(bio_addr) + # DTLSv1_listen is weird. A zero return value means 'didn't find a + # ClientHello with valid cookie, but keep trying'. So basically + # WantReadError. But it doesn't work correctly with _raise_ssl_error. + # So we raise it manually instead. + if self._cookie_generate_helper is not None: + self._cookie_generate_helper.raise_if_problem() + if self._cookie_verify_helper is not None: + self._cookie_verify_helper.raise_if_problem() + if result == 0: + raise WantReadError() + if result < 0: + self._raise_ssl_error(self._ssl, result) + def bio_shutdown(self): """ If the Connection was created with a memory BIO, this method can be From 0ff80a4e357d2b0abdc2696ec08e4718c5451a1b Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Sat, 26 Jun 2021 02:02:55 -0700 Subject: [PATCH 05/16] Add a basic DTLS test --- tests/test_ssl.py | 68 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 63 insertions(+), 5 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index ffc505d8f..d6879c18b 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -20,11 +20,14 @@ ESHUTDOWN, ) from sys import platform, getfilesystemencoding -from socket import AF_INET, AF_INET6, MSG_PEEK, SHUT_RDWR, error, socket +from socket import ( + AF_INET, AF_INET6, MSG_PEEK, SHUT_RDWR, error, socket, SOCK_DGRAM, SOCK_STREAM, +) from os import makedirs from os.path import join from weakref import ref from warnings import simplefilter +from concurrent.futures import ThreadPoolExecutor import flaky @@ -54,6 +57,7 @@ TLS1_3_VERSION, TLS1_2_VERSION, TLS1_1_VERSION, + DTLS_METHOD, ) from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN @@ -164,12 +168,12 @@ """ -def socket_any_family(): +def socket_any_family(type=SOCK_STREAM): try: - return socket(AF_INET) + return socket(AF_INET, type=type) except error as e: if e.errno == EAFNOSUPPORT: - return socket(AF_INET6) + return socket(AF_INET6, type=type) raise @@ -604,7 +608,7 @@ def test_method(self): with pytest.raises(TypeError): Context("") with pytest.raises(ValueError): - Context(10) + Context(13) def test_type(self): """ @@ -4212,3 +4216,57 @@ def client_callback(*args): # pragma: nocover with pytest.raises(TypeError): handshake_in_memory(client, server) + + +class TestDTLS(object): + def test_it_works_at_all(self): + s_ctx = Context(DTLS_METHOD) + + def generate_cookie(ssl): + return b"xyzzy" + + def verify_cookie(ssl, cookie): + return cookie == b"xyzzy" + + s_ctx.set_cookie_generate_callback(generate_cookie) + s_ctx.set_cookie_verify_callback(verify_cookie) + + s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) + s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) + + s_sock = socket_any_family(type=SOCK_DGRAM) + s_sock.bind((loopback_address(s_sock), 0)) + s = Connection(s_ctx, s_sock) + s.set_accept_state() + + c_sock = socket(s_sock.family, type=SOCK_DGRAM) + c = loopback_client_factory(c_sock, DTLS_METHOD) + + c_sock.connect(s_sock.getsockname()) + s_sock.connect(c_sock.getsockname()) + + def s_handler(): + s.DTLSv1_listen() + s.do_handshake() + s.write(b"hello") + assert s.read(100) == b"goodbye" + return "ok" + + def c_handler(): + c.do_handshake() + assert c.read(100) == b"hello" + c.write(b"goodbye") + return "ok" + + with ThreadPoolExecutor(max_workers=2) as executor: + s_fut = executor.submit(s_handler) + c_fut = executor.submit(c_handler) + + assert s_fut.result() == "ok" + assert c_fut.result() == "ok" + + # Check that the MTU set/query functions are doing *something*, at least + c.set_ciphertext_mtu(1000) + assert 500 < c.get_cleartext_mtu() < 1000 + c.set_ciphertext_mtu(500) + assert 0 < c.get_cleartext_mtu() < 500 From 0c69ee035bebb0d872e6b258f9cd7336383c2563 Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Mon, 28 Jun 2021 05:25:53 -0700 Subject: [PATCH 06/16] Cope with old versions of openssl/libressl --- src/OpenSSL/SSL.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 0b223ef20..c82f67e25 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -212,7 +212,11 @@ class _buffer(object): OP_NO_QUERY_MTU = _lib.SSL_OP_NO_QUERY_MTU OP_COOKIE_EXCHANGE = _lib.SSL_OP_COOKIE_EXCHANGE OP_NO_TICKET = _lib.SSL_OP_NO_TICKET -OP_NO_RENEGOTIATION = _lib.SSL_OP_NO_RENEGOTIATION + +try: + OP_NO_RENEGOTIATION = _lib.SSL_OP_NO_RENEGOTIATION +except AttributeError: + pass OP_ALL = _lib.SSL_OP_ALL @@ -1764,6 +1768,9 @@ def get_cleartext_mtu(self): .. versionadded:: 21.0 """ + + if not hasattr(_lib, "DTLS_get_data_mtu"): + raise NotImplementedError("requires OpenSSL 1.1.1 or better") return _lib.DTLS_get_data_mtu(self._ssl) def set_tlsext_host_name(self, name): From 862fa35312bdc8474587ad520bf1dd61d9760f5c Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Wed, 30 Jun 2021 11:43:35 -0700 Subject: [PATCH 07/16] blacken --- src/OpenSSL/SSL.py | 2 +- tests/test_ssl.py | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index c82f67e25..4dc5ded49 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -568,7 +568,7 @@ def wrapper(ssl, out, outlen): try: conn = Connection._reverse_mapping[ssl] cookie = callback(conn) - out[0:len(cookie)] = cookie + out[0 : len(cookie)] = cookie outlen[0] = len(cookie) return 1 except Exception as e: diff --git a/tests/test_ssl.py b/tests/test_ssl.py index d6879c18b..635ac14a6 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -21,7 +21,14 @@ ) from sys import platform, getfilesystemencoding from socket import ( - AF_INET, AF_INET6, MSG_PEEK, SHUT_RDWR, error, socket, SOCK_DGRAM, SOCK_STREAM, + AF_INET, + AF_INET6, + MSG_PEEK, + SHUT_RDWR, + error, + socket, + SOCK_DGRAM, + SOCK_STREAM, ) from os import makedirs from os.path import join From 689f38dd46c50abd305f114ea4f39fbd2db9aa83 Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Wed, 30 Jun 2021 11:51:41 -0700 Subject: [PATCH 08/16] Soothe flake8 --- tests/test_ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 635ac14a6..7e99802dd 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -4272,7 +4272,7 @@ def c_handler(): assert s_fut.result() == "ok" assert c_fut.result() == "ok" - # Check that the MTU set/query functions are doing *something*, at least + # Check that the MTU set/query functions are doing *something* c.set_ciphertext_mtu(1000) assert 500 < c.get_cleartext_mtu() < 1000 c.set_ciphertext_mtu(500) From ace31fe5a724d85b944a83b880d6100f1137c040 Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Wed, 30 Jun 2021 12:12:39 -0700 Subject: [PATCH 09/16] Add temporary hack to skip DTLS test on old cryptography versions --- tests/test_ssl.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 7e99802dd..1d01aa114 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -4225,6 +4225,11 @@ def client_callback(*args): # pragma: nocover handshake_in_memory(client, server) +# XX remove this skipif before merging +@pytest.mark.skipif( + not hasattr(SSL._lib, "DTLSv1_listen"), + reason="need newer cryptography", +) class TestDTLS(object): def test_it_works_at_all(self): s_ctx = Context(DTLS_METHOD) From 71eb48e5c69a78463561e143c77545ce13ae7d4f Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Thu, 30 Sep 2021 03:28:39 -0700 Subject: [PATCH 10/16] Update for cryptography v35 release --- setup.py | 2 +- tests/test_ssl.py | 5 ----- tox.ini | 2 +- 3 files changed, 2 insertions(+), 7 deletions(-) diff --git a/setup.py b/setup.py index 85c45692d..ecc23cca3 100755 --- a/setup.py +++ b/setup.py @@ -93,7 +93,7 @@ def find_meta(meta): package_dir={"": "src"}, install_requires=[ # Fix cryptographyMinimum in tox.ini when changing this! - "cryptography>=3.3", + "cryptography>=35.0", ], extras_require={ "test": ["flaky", "pretend", "pytest>=3.0.1"], diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 1d01aa114..7e99802dd 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -4225,11 +4225,6 @@ def client_callback(*args): # pragma: nocover handshake_in_memory(client, server) -# XX remove this skipif before merging -@pytest.mark.skipif( - not hasattr(SSL._lib, "DTLSv1_listen"), - reason="need newer cryptography", -) class TestDTLS(object): def test_it_works_at_all(self): s_ctx = Context(DTLS_METHOD) diff --git a/tox.ini b/tox.ini index 110b7378c..b1011e568 100644 --- a/tox.ini +++ b/tox.ini @@ -10,7 +10,7 @@ extras = deps = coverage>=4.2 cryptographyMain: git+https://github.com/pyca/cryptography.git - cryptographyMinimum: cryptography==3.3 + cryptographyMinimum: cryptography==35.0 randomorder: pytest-randomly setenv = # Do not allow the executing environment to pollute the test environment From ead0fbb58136c300d05b11ba266688dfa4659886 Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Tue, 26 Oct 2021 10:23:07 -0700 Subject: [PATCH 11/16] Add changelog entry --- CHANGELOG.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 6fb31ccf9..b27ad002c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -12,6 +12,7 @@ Backward-incompatible changes: - Drop support for Python 2.7. `#1047 `_ +- The minimum ``cryptography`` version is now 35.0. Deprecations: ^^^^^^^^^^^^^ @@ -19,6 +20,10 @@ Deprecations: Changes: ^^^^^^^^ +- Expose wrappers for some `DTLS + `_ + primitives. `#1026 `_ + 21.0.0 (2021-09-28) ------------------- From 501ab2c8f68684aa9129eecef2efd076342d613f Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Tue, 26 Oct 2021 10:23:15 -0700 Subject: [PATCH 12/16] Fix versionadded:: --- src/OpenSSL/SSL.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 4dc5ded49..4e5a632ce 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1754,7 +1754,7 @@ def set_ciphertext_mtu(self, mtu): :param mtu: An integer giving the maximum transmission unit. - .. versionadded:: 21.0 + .. versionadded:: 21.1 """ _lib.SSL_set_mtu(self._ssl, mtu) @@ -1766,7 +1766,7 @@ def get_cleartext_mtu(self): :return: The effective MTU as an integer. - .. versionadded:: 21.0 + .. versionadded:: 21.1 """ if not hasattr(_lib, "DTLS_get_data_mtu"): From 7f8b052d38a349778ccf02dd44cb980355faef5a Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Tue, 26 Oct 2021 20:39:43 -0700 Subject: [PATCH 13/16] get_cleartext_mtu doesn't exist on decrepit old openssl --- tests/test_ssl.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 7e99802dd..3338e687f 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -4274,6 +4274,12 @@ def c_handler(): # Check that the MTU set/query functions are doing *something* c.set_ciphertext_mtu(1000) - assert 500 < c.get_cleartext_mtu() < 1000 + try: + assert 500 < c.get_cleartext_mtu() < 1000 + except NotImplementedError: # OpenSSL 1.1.0 and earlier + pass c.set_ciphertext_mtu(500) - assert 0 < c.get_cleartext_mtu() < 500 + try: + assert 0 < c.get_cleartext_mtu() < 500 + except NotImplementedError: # OpenSSL 1.1.0 and earlier + pass From a601c73e6d5944baa63cf420f6b28bb48ec7642d Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Mon, 1 Nov 2021 22:01:38 -0700 Subject: [PATCH 14/16] Rewrite DTLS test to work around stupid OpenSSL misbehavior --- tests/test_ssl.py | 172 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 147 insertions(+), 25 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 3338e687f..55015c89e 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -4226,7 +4226,78 @@ def client_callback(*args): # pragma: nocover class TestDTLS(object): + # The way you would expect DTLSv1_listen to work is: + # + # - it reads packets in a loop + # - when it finds a valid ClientHello, it returns + # - now the handshake can proceed + # + # However, on older versions of OpenSSL, it did something "cleverer". The + # way it worked is: + # + # - it "peeks" into the BIO to see the next packet without consuming it + # - if *not* a valid ClientHello, then it reads the packet to consume it + # and loops around + # - if it *is* a valid ClientHello, it *leaves the packet in the BIO*, and + # returns + # - then the handshake finds the ClientHello in the BIO and reads it a + # second time. + # + # I'm not sure exactly when this switched over. The OpenSSL v1.1.1 in + # Ubuntu 18.04 has the old behavior. The OpenSSL v1.1.1 in Ubuntu 20.04 has + # the new behavior. There doesn't seem to be any mention of this change in + # the OpenSSL v1.1.1 changelog, but presumably it changed in some point + # release or another. Presumably in 2025 or so there will be only new + # OpenSSLs around we can delete this whole comment and the weird + # workaround. If anyone is still using this library by then, which seems + # both depressing and inevitable. + # + # Anyway, why do we care? The reason is that the old strategy has a + # problem: the "peek" operation is only defined on "DGRAM BIOs", which are + # a special type of object that is different from the more familiar "socket + # BIOs" and "memory BIOs". If you *don't* have a DGRAM BIO, and you try to + # peek into the BIO... then it silently degrades to a full-fledged "read" + # operation that consumes the packet. Which is a problem if your algorithm + # depends on leaving the packet in the BIO to be read again later. + # + # So on old OpenSSL, we have a problem: + # + # - we can't use a DGRAM BIO, because cryptography/pyopenssl don't wrap the + # relevant APIs, nor should they. + # + # - if we use a socket BIO, then the first time DTLSv1_listen sees an + # invalid packet (like for example... the challenge packet that *every + # DTLS handshake starts with before the real ClientHello!*), it tries to + # first "peek" it, and then "read" it. But since the first "peek" + # consumes the packet, the second "read" ends up hanging or consuming + # some unrelated packet, which is undesirable. So you can't even get to + # the handshake stage successfully. + # + # - if we use a memory BIO, then DTLSv1_listen works OK on invalid packets + # -- first the "peek" consumes them, and then it tries to "read" again to + # consume them, which fails immediately, and OpenSSL ignores the failure. + # So it works by accident. BUT, when we get a valid ClientHello, we have + # a problem: DTLSv1_listen tries to "peek" it and then leave it in the + # read BIO for do_handshake to consume. But instead "peek" consumes the + # packet, so it's not there where do_handshake is expecting it, and the + # handshake fails. + # + # Fortunately (if that's the word), we can work around the memory BIO + # problem. (Which is good, because in real life probably all our users will + # be using memory BIOs.) All we have to do is to save the valid ClientHello + # before calling DTLSv1_listen, and then after it returns we push *a second + # copy of it* of the packet memory BIO before calling do_handshake. This + # fakes out OpenSSL and makes it think the "peek" operation worked + # correctly, and we can go on with our lives. + # + # In fact, we push the second copy of the ClientHello unconditionally. On + # new versions of OpenSSL, this is unnecessary, but harmless, because the + # DTLS state machine treats it like a network hiccup that duplicated a + # packet, which DTLS is robust against. def test_it_works_at_all(self): + # arbitrary number larger than any conceivable handshake volley + LARGE_BUFFER = 65536 + s_ctx = Context(DTLS_METHOD) def generate_cookie(ssl): @@ -4237,40 +4308,91 @@ def verify_cookie(ssl, cookie): s_ctx.set_cookie_generate_callback(generate_cookie) s_ctx.set_cookie_verify_callback(verify_cookie) - s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) - - s_sock = socket_any_family(type=SOCK_DGRAM) - s_sock.bind((loopback_address(s_sock), 0)) - s = Connection(s_ctx, s_sock) + s_ctx.set_options(OP_NO_QUERY_MTU) + s = Connection(s_ctx) s.set_accept_state() - c_sock = socket(s_sock.family, type=SOCK_DGRAM) - c = loopback_client_factory(c_sock, DTLS_METHOD) + c_ctx = Context(DTLS_METHOD) + c_ctx.set_options(OP_NO_QUERY_MTU) + c = Connection(c_ctx) + c.set_connect_state() - c_sock.connect(s_sock.getsockname()) - s_sock.connect(c_sock.getsockname()) + # These are mandatory, because openssl can't guess the MTU for a memory bio and + # will produce a mysterious error if you make it try. + c.set_ciphertext_mtu(1500) + s.set_ciphertext_mtu(1500) - def s_handler(): - s.DTLSv1_listen() - s.do_handshake() - s.write(b"hello") - assert s.read(100) == b"goodbye" - return "ok" + latest_client_hello = None - def c_handler(): - c.do_handshake() - assert c.read(100) == b"hello" - c.write(b"goodbye") - return "ok" + def pump_membio(label, source, sink): + try: + chunk = source.bio_read(LARGE_BUFFER) + except WantReadError: + return False + if not chunk: + return False + # Gross hack: if this is a ClientHello, save it so we can find it + # later. See giant comment above. + try: + # if ContentType == handshake and HandshakeType == client_hello: + if chunk[0] == 22 and chunk[13] == 1: + nonlocal latest_client_hello + latest_client_hello = chunk + except IndexError: + pass + print(f"{label}: {chunk.hex()}") + sink.bio_write(chunk) + return True + + def pump(): + # Raises if there was no data to pump, to avoid infinite loops if we aren't + # making progress. + assert pump_membio("s -> c", s, c) or pump_membio("c -> s", c, s) + + c_handshaking = True + s_listening = True + s_handshaking = False + first = True + while c_handshaking or s_listening or s_handshaking: + if not first: + pump() + first = False + + if c_handshaking: + try: + c.do_handshake() + except WantReadError: + pass + else: + c_handshaking = False - with ThreadPoolExecutor(max_workers=2) as executor: - s_fut = executor.submit(s_handler) - c_fut = executor.submit(c_handler) + if s_listening: + try: + s.DTLSv1_listen() + except WantReadError: + pass + else: + s_listening = False + s_handshaking = True + # Write the duplicate ClientHello. See giant comment above. + s.bio_write(latest_client_hello) - assert s_fut.result() == "ok" - assert c_fut.result() == "ok" + if s_handshaking: + try: + s.do_handshake() + except WantReadError: + pass + else: + s_handshaking = False + + s.write(b"hello") + pump() + assert c.read(100) == b"hello" + c.write(b"goodbye") + pump() + assert s.read(100) == b"goodbye" # Check that the MTU set/query functions are doing *something* c.set_ciphertext_mtu(1000) From d24865cb6991eb81f305ebaf39859caef59c6ff9 Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Mon, 1 Nov 2021 22:08:02 -0700 Subject: [PATCH 15/16] flake8 go away --- tests/test_ssl.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 55015c89e..7b5870f18 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -27,14 +27,12 @@ SHUT_RDWR, error, socket, - SOCK_DGRAM, SOCK_STREAM, ) from os import makedirs from os.path import join from weakref import ref from warnings import simplefilter -from concurrent.futures import ThreadPoolExecutor import flaky @@ -4319,8 +4317,8 @@ def verify_cookie(ssl, cookie): c = Connection(c_ctx) c.set_connect_state() - # These are mandatory, because openssl can't guess the MTU for a memory bio and - # will produce a mysterious error if you make it try. + # These are mandatory, because openssl can't guess the MTU for a memory + # bio and will produce a mysterious error if you make it try. c.set_ciphertext_mtu(1500) s.set_ciphertext_mtu(1500) @@ -4336,7 +4334,8 @@ def pump_membio(label, source, sink): # Gross hack: if this is a ClientHello, save it so we can find it # later. See giant comment above. try: - # if ContentType == handshake and HandshakeType == client_hello: + # if ContentType == handshake and HandshakeType == + # client_hello: if chunk[0] == 22 and chunk[13] == 1: nonlocal latest_client_hello latest_client_hello = chunk @@ -4347,8 +4346,8 @@ def pump_membio(label, source, sink): return True def pump(): - # Raises if there was no data to pump, to avoid infinite loops if we aren't - # making progress. + # Raises if there was no data to pump, to avoid infinite loops if + # we aren't making progress. assert pump_membio("s -> c", s, c) or pump_membio("c -> s", c, s) c_handshaking = True From 85ad2a3e537219ea6d9e9372c7a229e3c08da7ef Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" Date: Mon, 1 Nov 2021 22:14:16 -0700 Subject: [PATCH 16/16] minor tidying --- tests/test_ssl.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 7b5870f18..3ee635940 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -27,7 +27,6 @@ SHUT_RDWR, error, socket, - SOCK_STREAM, ) from os import makedirs from os.path import join @@ -173,12 +172,12 @@ """ -def socket_any_family(type=SOCK_STREAM): +def socket_any_family(): try: - return socket(AF_INET, type=type) + return socket(AF_INET) except error as e: if e.errno == EAFNOSUPPORT: - return socket(AF_INET6, type=type) + return socket(AF_INET6) raise @@ -4329,7 +4328,9 @@ def pump_membio(label, source, sink): chunk = source.bio_read(LARGE_BUFFER) except WantReadError: return False - if not chunk: + # I'm not sure this check is needed, but I'm not sure it's *not* + # needed either: + if not chunk: # pragma: no cover return False # Gross hack: if this is a ClientHello, save it so we can find it # later. See giant comment above. @@ -4339,7 +4340,7 @@ def pump_membio(label, source, sink): if chunk[0] == 22 and chunk[13] == 1: nonlocal latest_client_hello latest_client_hello = chunk - except IndexError: + except IndexError: # pragma: no cover pass print(f"{label}: {chunk.hex()}") sink.bio_write(chunk)