From b330cc3f61e9b619e83eda45935a4a6e81367e23 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Tue, 9 Oct 2018 23:09:22 +0200 Subject: [PATCH 1/7] Add support for server hostname verification --- src/OpenSSL/SSL.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 5cf39c0d9..095a27b48 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1688,6 +1688,12 @@ def set_tlsext_host_name(self, name): # XXX I guess this can fail sometimes? _lib.SSL_set_tlsext_host_name(self._ssl, name) + def set_verify_host(self, hostname): + param = _lib.SSL_get0_param(self._ssl) + _lib.X509_VERIFY_PARAM_set_hostflags(param, _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS) + if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): + raise Error("set1_host call") + def pending(self): """ Get the number of bytes that can be safely read from the SSL buffer From fa858c056fd83395bc50368dda71a90fbf0f6f42 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Wed, 10 Oct 2018 14:28:07 +0200 Subject: [PATCH 2/7] Protect new code with Cryptography_HAS_102_VERIFICATION_PARAMS --- src/OpenSSL/SSL.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 095a27b48..330d701db 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -665,6 +665,11 @@ def explode(*args, **kwargs): ) +_requires_x509_verify = _make_requires( + _lib.Cryptography_HAS_102_VERIFICATION_PARAMS, "X509 verification not available" +) + + class Session(object): """ A class representing an SSL session. A session defines certain connection @@ -1688,11 +1693,12 @@ def set_tlsext_host_name(self, name): # XXX I guess this can fail sometimes? _lib.SSL_set_tlsext_host_name(self._ssl, name) + @_requires_x509_verify def set_verify_host(self, hostname): param = _lib.SSL_get0_param(self._ssl) _lib.X509_VERIFY_PARAM_set_hostflags(param, _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS) if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): - raise Error("set1_host call") + raise Error("X509_VERIFY_PARAM_set1_host call failed") def pending(self): """ From dd473fb887193fb5ce0c3072b4ed804f6c2a58a9 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Wed, 10 Oct 2018 21:52:34 +0200 Subject: [PATCH 3/7] Use SAN only hostname verification, don't fall back to subject. Use function name set_verify_host_name. --- src/OpenSSL/SSL.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 330d701db..f908876f7 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1694,9 +1694,12 @@ def set_tlsext_host_name(self, name): _lib.SSL_set_tlsext_host_name(self._ssl, name) @_requires_x509_verify - def set_verify_host(self, hostname): + def set_verify_host_name(self, hostname): param = _lib.SSL_get0_param(self._ssl) - _lib.X509_VERIFY_PARAM_set_hostflags(param, _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS) + flags = _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; + if _lib.Cryptography_HAS_110_VERIFICATION_PARAMS: + flags |= _lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + _lib.X509_VERIFY_PARAM_set_hostflags(param, flags) if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): raise Error("X509_VERIFY_PARAM_set1_host call failed") From 872ab00d23b41d28c059b141d64329b903b74c25 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Wed, 10 Oct 2018 21:54:33 +0200 Subject: [PATCH 4/7] drop unnecessary semicolons --- src/OpenSSL/SSL.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index f908876f7..49e14e640 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1696,9 +1696,9 @@ def set_tlsext_host_name(self, name): @_requires_x509_verify def set_verify_host_name(self, hostname): param = _lib.SSL_get0_param(self._ssl) - flags = _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; + flags = _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS if _lib.Cryptography_HAS_110_VERIFICATION_PARAMS: - flags |= _lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + flags |= _lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT _lib.X509_VERIFY_PARAM_set_hostflags(param, flags) if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): raise Error("X509_VERIFY_PARAM_set1_host call failed") From 37be205dfd95331a82f85ff69b076246fda4fb98 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Fri, 12 Oct 2018 01:20:56 +0200 Subject: [PATCH 5/7] fix whitespace --- src/OpenSSL/SSL.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 49e14e640..dad326820 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1695,13 +1695,13 @@ def set_tlsext_host_name(self, name): @_requires_x509_verify def set_verify_host_name(self, hostname): - param = _lib.SSL_get0_param(self._ssl) - flags = _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS - if _lib.Cryptography_HAS_110_VERIFICATION_PARAMS: - flags |= _lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT - _lib.X509_VERIFY_PARAM_set_hostflags(param, flags) - if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): - raise Error("X509_VERIFY_PARAM_set1_host call failed") + param = _lib.SSL_get0_param(self._ssl) + flags = _lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + if _lib.Cryptography_HAS_110_VERIFICATION_PARAMS: + flags |= _lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT + _lib.X509_VERIFY_PARAM_set_hostflags(param, flags) + if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): + raise Error("X509_VERIFY_PARAM_set1_host call failed") def pending(self): """ From 571134823f1afb3a79c76546184371d28bc1226f Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Fri, 12 Oct 2018 01:26:14 +0200 Subject: [PATCH 6/7] avoid lines >= 80 chars --- src/OpenSSL/SSL.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index dad326820..4dc56dbab 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -666,7 +666,8 @@ def explode(*args, **kwargs): _requires_x509_verify = _make_requires( - _lib.Cryptography_HAS_102_VERIFICATION_PARAMS, "X509 verification not available" + _lib.Cryptography_HAS_102_VERIFICATION_PARAMS, + "X509 verification not available" ) @@ -1700,7 +1701,8 @@ def set_verify_host_name(self, hostname): if _lib.Cryptography_HAS_110_VERIFICATION_PARAMS: flags |= _lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT _lib.X509_VERIFY_PARAM_set_hostflags(param, flags) - if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, len(hostname)): + if not _lib.X509_VERIFY_PARAM_set1_host(param, hostname, + len(hostname)): raise Error("X509_VERIFY_PARAM_set1_host call failed") def pending(self): From ff6db2c74d18f17453f42e0b072dfae786ae4dbb Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Fri, 12 Oct 2018 01:32:26 +0200 Subject: [PATCH 7/7] Fix hanging indent --- src/OpenSSL/SSL.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 4dc56dbab..6117ec500 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -667,7 +667,7 @@ def explode(*args, **kwargs): _requires_x509_verify = _make_requires( _lib.Cryptography_HAS_102_VERIFICATION_PARAMS, - "X509 verification not available" + "X509 verification not available" )