Merge pull request #11 from cconlon/05.23.2019

danielinux · web-flow · commit c5c9b5319680 · 2019-09-26T17:54:29.000+02:00
Python3 fixes, feature detection, ssl module compatibility fixes
diff --git a/setup.py b/setup.py
@@ -23,7 +23,6 @@
 
 import os
 import sys
-import pip
 from setuptools import setup
 from setuptools.command.build_ext import build_ext
 
@@ -34,6 +33,7 @@
 
 import wolfssl
 from wolfssl._build_wolfssl import build_wolfssl
+from wolfssl._build_wolfssl import wolfssl_inc_path, wolfssl_lib_path
 
 
 # long_description
@@ -44,6 +44,26 @@
     long_description = long_description.replace(".. include:: LICENSING.rst\n",
                                                 licensing_file.read())
 
+def verify_wolfssl_config():
+    # verify wolfSSL library has been configured correctly, so that cffi
+    # binding work correctly.
+
+    # open <wolfssl/options.h> header to parse for #define's
+    # This will throw a FileNotFoundError if not able to find options.h
+    optionsHeaderPath = wolfssl_inc_path() + "/wolfssl/options.h"
+    optionsHeader = open(optionsHeaderPath, 'r')
+    optionsHeaderStr = optionsHeader.read()
+    optionsHeader.close()
+
+    # require HAVE_SNI (--enable-sni) in native lib
+    if '#define HAVE_SNI' not in optionsHeaderStr:
+        raise RuntimeError("wolfSSL needs to be compiled with --enable-sni")
+
+    # require OPENSSL_EXTRA (--enable-opensslextra) in native lib
+    if '#define OPENSSL_EXTRA' not in optionsHeaderStr:
+        raise RuntimeError("wolfSSL needs to be compiled with "
+            "--enable-opensslextra")
+
 class cffiBuilder(build_ext, object):
 
     def build_extension(self, ext):
@@ -55,6 +75,8 @@ def build_extension(self, ext):
         if os.environ.get("USE_LOCAL_WOLFSSL") is None:
             build_wolfssl(wolfssl.__wolfssl_version__)
 
+        verify_wolfssl_config()
+
         super(cffiBuilder, self).build_extension(ext)
 
 setup(
@@ -71,6 +93,7 @@ def build_extension(self, ext):
     package_dir={"":package_dir},
 
     zip_safe=False,
+    cffi_modules=["./src/wolfssl/_build_ffi.py:ffi"],
 
     keywords="wolfssl, wolfcrypt, security, cryptography",
     classifiers=[
@@ -87,7 +110,6 @@ def build_extension(self, ext):
     ],
 
     setup_requires=["cffi"],
-    cffi_modules=["./src/wolfssl/_build_ffi.py:ffi"],
     install_requires=["cffi"],
     test_suite="tests",
     tests_require=["tox", "pytest"],
diff --git a/src/wolfssl/__init__.py b/src/wolfssl/__init__.py
@@ -249,8 +249,9 @@ def set_ciphers(self, ciphers):
         be selected (because compile-time options or other configuration
         forbids use of all the specified ciphers), an SSLError will be raised.
         """
+        cipherBytes = t2b(ciphers)
         ret = _lib.wolfSSL_CTX_set_cipher_list(self.native_object,
-                                               t2b(ciphers))
+                                               _ffi.new("char[]", cipherBytes))
 
         if ret != _SSL_SUCCESS:
             raise SSLError("Unable to set cipher list")
@@ -259,8 +260,11 @@ def use_sni(self, server_hostname):
         """
         Sets the SNI hostname, wraps native wolfSSL_CTX_UseSNI()
         """
+
+        sni = t2b(server_hostname)
+
         ret = _lib.wolfSSL_CTX_UseSNI(self.native_object, 0,
-                                      server_hostname, len(server_hostname))
+                                      sni, len(sni))
 
         if ret != _SSL_SUCCESS:
             raise SSLError("Unable to set wolfSSL CTX SNI")
@@ -355,7 +359,7 @@ def __init__(self, sock=None, keyfile=None, certfile=None,
         # set options
         self.do_handshake_on_connect = do_handshake_on_connect
         self.suppress_ragged_eofs = suppress_ragged_eofs
-        self.server_side = server_side
+        self._server_side = server_side
 
         # save socket
         self._sock = sock
@@ -421,8 +425,10 @@ def __init__(self, sock=None, keyfile=None, certfile=None,
         # match domain name / host name if set in context
         if server_hostname is not None:
             if self._context.check_hostname:
+
+                sni = _ffi.new("char[]", server_hostname.encode("utf-8"))
                 _lib.wolfSSL_check_domain_name(self.native_object,
-                                               server_hostname)
+                                               sni)
 
         if connected:
             try:
@@ -441,13 +447,22 @@ def _release_native_object(self):
             _lib.wolfSSL_free(self.native_object)
             self.native_object = _ffi.NULL
 
+    def pending(self):
+        return _lib.wolfSSL_pending(self.native_object)
+
     @property
     def context(self):
         """
         Returns the context used by this object.
         """
         return self._context
 
+    def server_side(self):
+        """
+        Returns True for server-side socket, otherwise False.
+        """
+        return self._server_side;
+
     def dup(self):
         raise NotImplementedError("Can't dup() %s instances" %
                                   self.__class__.__name__)
@@ -468,8 +483,11 @@ def use_sni(self, server_hostname):
         """
         Sets the SNI hostname, wraps native wolfSSL_UseSNI()
         """
+
+        sni = t2b(server_hostname)
+
         ret = _lib.wolfSSL_UseSNI(self.native_object, 0,
-                                  server_hostname, len(server_hostname))
+                                  sni, len(sni))
 
         if ret != _SSL_SUCCESS:
             raise SSLError("Unable to set wolfSSL SNI")
@@ -502,9 +520,17 @@ def sendall(self, data, flags=0):
         sent = 0
 
         while sent < length:
-            sent += self.write(data[sent:])
+            ret = self.write(data[sent:])
+            if (ret < 0):
+                err = _lib.wolfSSL_get_error(self.native_object, 0)
+                if err == _SSL_ERROR_WANT_WRITE:
+                    raise SSLWantWriteError()
+                else:
+                    raise SSLError("wolfSSL_write error (%d)" % err)
+
+            sent += ret
 
-        return sent
+        return None
 
     def sendto(self, data, flags_or_addr, addr=None):
         # Ensures not to send unencrypted data trying to use this method
@@ -606,7 +632,7 @@ def shutdown(self, how):
         if self.native_object != _ffi.NULL:
             _lib.wolfSSL_shutdown(self.native_object)
             self._release_native_object()
-        socket.shutdown(self._sock, how)
+        self._sock.shutdown(how)
 
     def unwrap(self):
         """
@@ -620,22 +646,20 @@ def unwrap(self):
                       sock_type=self._sock.type,
                       proto=self._sock.proto,
                       fileno=self._sock.fileno())
+
         sock.settimeout(self._sock.gettimeout())
         self._sock.detach()
 
         return sock
 
-    def close(self):
-        self._sock.close()
-
     def do_handshake(self, block=False):  # pylint: disable=unused-argument
         """
         Perform a TLS/SSL handshake.
         """
         self._check_closed("do_handshake")
         self._check_connected()
 
-        if self.server_side:
+        if self._server_side:
             ret = _lib.wolfSSL_accept(self.native_object)
         else:
             ret = _lib.wolfSSL_connect(self.native_object)
@@ -678,7 +702,7 @@ def do_handshake(self, block=False):  # pylint: disable=unused-argument
                                    (err, eStr))
 
     def _real_connect(self, addr, connect_ex):
-        if self.server_side:
+        if self._server_side:
             raise ValueError("can't connect in server-side mode")
 
         # Here we assume that the socket is client-side, and not
@@ -687,10 +711,10 @@ def _real_connect(self, addr, connect_ex):
             raise ValueError("attempt to connect already-connected SSLSocket!")
 
         if connect_ex:
-            err = socket.connect_ex(self._sock, addr)
+            err = self._sock.connect_ex(addr)
         else:
             err = 0
-            socket.connect(self._sock, addr)
+            self._sock.connect(addr)
 
         if err == 0:
             self._connected = True
@@ -719,10 +743,10 @@ def accept(self):
         containing that new connection wrapped with a server-side secure
         channel, and the address of the remote client.
         """
-        if not self.server_side:
+        if not self._server_side:
             raise ValueError("can't accept in client-side mode")
 
-        newsock, addr = socket.accept(self._sock)
+        newsock, addr = self._sock.accept()
         newsock = self.context.wrap_socket(
             newsock,
             do_handshake_on_connect=self.do_handshake_on_connect,
@@ -758,6 +782,43 @@ def getpeercert(self, binary_form=False):
         return {'subject': ((('commonName', x509.get_subject_cn()),),),
                 'subjectAltName': x509.get_altnames() }
 
+    # The following functions expose functionality of the underlying
+    # Socket object. These are also expsed through Python's ssl module
+    # API and are provided here for compatibility.
+    def close(self):
+        self._sock.close()
+
+    def fileno(self):
+        """
+        Return file descriptor of underlying socket.
+        """
+        return self._sock.fileno()
+
+    def gettimeout(self):
+        """
+        Return the socket timeout of the underlying wrapped socket
+        """
+        return self._sock.gettimeout()
+
+    def settimeout(self, timeout):
+        """
+        Set the timeout on the underlying wrapped socket
+        """
+        self._sock.settimeout(timeout)
+
+    def getpeername(self):
+        """
+        Return the remote address that the underlying socket is connected to
+        """
+        return self._sock.getpeername()
+
+    def getsockname(self):
+        """
+        Return the underlying socket's address
+        """
+        return self._sock.getsockname()
+
+
 
 def wrap_socket(sock, keyfile=None, certfile=None, server_side=False,
                 cert_reqs=CERT_NONE, ssl_version=PROTOCOL_TLS, ca_certs=None,
diff --git a/src/wolfssl/_build_ffi.py b/src/wolfssl/_build_ffi.py
@@ -114,13 +114,14 @@
     int wolfSSL_accept(void*);
     int wolfSSL_write(void*, const void*, int);
     int wolfSSL_read(void*, void*, int);
+    int wolfSSL_pending(void*);
     int wolfSSL_shutdown(void*);
     void* wolfSSL_get_peer_certificate(void*);
     int wolfSSL_UseSNI(void*, unsigned char, const void*, unsigned short);
     int wolfSSL_check_domain_name(void*, const char*);
     int wolfSSL_get_alert_history(void*, WOLFSSL_ALERT_HISTORY*);
-    char* wolfSSL_alert_type_string_long(int);
-    char* wolfSSL_alert_desc_string_long(int);
+    const char* wolfSSL_alert_type_string_long(int);
+    const char* wolfSSL_alert_desc_string_long(int);
 
     /**
      * WOLFSSL_X509 functions
@@ -132,4 +133,4 @@
 )
 
 if __name__ == "__main__":
-    ffi.compile(verbose=1)
+    ffi.compile(verbose=True)
diff --git a/src/wolfssl/exceptions.py b/src/wolfssl/exceptions.py
@@ -23,6 +23,7 @@
 # pylint: disable=missing-docstring
 
 from socket import error as socket_error
+from errno import EWOULDBLOCK
 
 
 class SSLError(socket_error):
@@ -52,6 +53,11 @@ class SSLWantReadError(SSLError):
     read or write data, but more data needs to be received on the underlying
     TCP transport before the request can be fulfilled.
     """
+    def __init__(self):
+        self.code = EWOULDBLOCK
+        self.msg = "Socket would read block"
+        self.args = (self.code, self.msg)
+
     pass
 
 
@@ -61,6 +67,11 @@ class SSLWantWriteError(SSLError):
     read or write data, but more data needs to be sent on the underlying TCP
     transport before the request can be fulfilled.
     """
+    def __init__(self):
+        self.code = EWOULDBLOCK
+        self.msg = "Socket would write block"
+        self.args = (self.code, self.msg)
+
     pass
 
 
diff --git a/src/wolfssl/utils.py b/src/wolfssl/utils.py
@@ -32,7 +32,7 @@
 
 def t2b(string):
     """
-    Converts text to bynary.
+    Converts text to binary.
     """
     if isinstance(string, _BINARY_TYPE):
         return string
