Skip to content

Commit 73fc958

Browse files
mhilsmhils
committed
add Connection.set_verify, fix #255 
1 parent d184fbb commit 73fc958

File tree

5 files changed

+79
-2
lines changed

5 files changed

+79
-2
lines changed

CHANGELOG.rst

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ Deprecations:
2020
Changes:
2121
^^^^^^^^
2222

23+
- Add ``OpenSSL.SSL.Connection.set_verify`` and ``OpenSSL.SSL.Connection.get_verify_mode``
24+
to override the context object's verification flags.
25+
`#1073 <https://github.com/pyca/pyopenssl/pull/1073>`_
2326
- Expose wrappers for some `DTLS
2427
<https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>`_
2528
primitives. `#1026 <https://github.com/pyca/pyopenssl/pull/1026>`_

setup.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,7 @@ def find_meta(meta):
9393
package_dir={"": "src"},
9494
install_requires=[
9595
# Fix cryptographyMinimum in tox.ini when changing this!
96-
"cryptography>=35.0",
96+
"cryptography>=37.0",
9797
],
9898
extras_require={
9999
"test": ["flaky", "pretend", "pytest>=3.0.1"],

src/OpenSSL/SSL.py

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1736,6 +1736,35 @@ def get_servername(self):
17361736

17371737
return _ffi.string(name)
17381738

1739+
def set_verify(self, mode, callback=None):
1740+
"""
1741+
Override the Context object's verification flags for this specific
1742+
connection. See :py:meth:`Context.set_verify` for details.
1743+
"""
1744+
if not isinstance(mode, int):
1745+
raise TypeError("mode must be an integer")
1746+
1747+
if callback is None:
1748+
self._verify_helper = None
1749+
self._verify_callback = None
1750+
_lib.SSL_set_verify(self._ssl, mode, _ffi.NULL)
1751+
else:
1752+
if not callable(callback):
1753+
raise TypeError("callback must be callable")
1754+
1755+
self._verify_helper = _VerifyHelper(callback)
1756+
self._verify_callback = self._verify_helper.callback
1757+
_lib.SSL_set_verify(self._ssl, mode, self._verify_callback)
1758+
1759+
def get_verify_mode(self):
1760+
"""
1761+
Retrieve the Connection object's verify mode, as set by
1762+
:meth:`set_verify`.
1763+
1764+
:return: The verify mode
1765+
"""
1766+
return _lib.SSL_get_verify_mode(self._ssl)
1767+
17391768
def set_ciphertext_mtu(self, mtu):
17401769
"""
17411770
For DTLS, set the maximum UDP payload size (*not* including IP/UDP

tests/test_ssl.py

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2629,6 +2629,51 @@ def test_get_verified_chain_unconnected(self):
26292629
server = Connection(ctx, None)
26302630
assert None is server.get_verified_chain()
26312631

2632+
def test_set_verify_overrides_context(self):
2633+
context = Context(SSLv23_METHOD)
2634+
context.set_verify(VERIFY_PEER)
2635+
conn = Connection(context, None)
2636+
conn.set_verify(VERIFY_NONE)
2637+
2638+
assert context.get_verify_mode() == VERIFY_PEER
2639+
assert conn.get_verify_mode() == VERIFY_NONE
2640+
2641+
with pytest.raises(TypeError):
2642+
conn.set_verify(None)
2643+
2644+
with pytest.raises(TypeError):
2645+
conn.set_verify(VERIFY_PEER, "not a callable")
2646+
2647+
def test_set_verify_callback_reference(self):
2648+
"""
2649+
The callback for certificate verification should only be forgotten if the context and all connections
2650+
created by it do not use it anymore.
2651+
"""
2652+
def callback(conn, cert, errnum, depth, ok): # pragma: no cover
2653+
return ok
2654+
2655+
tracker = ref(callback)
2656+
2657+
context = Context(SSLv23_METHOD)
2658+
context.set_verify(VERIFY_PEER, callback)
2659+
del callback
2660+
2661+
conn = Connection(context, None)
2662+
context.set_verify(VERIFY_NONE)
2663+
2664+
collect()
2665+
collect()
2666+
assert tracker()
2667+
2668+
conn.set_verify(VERIFY_PEER, lambda conn, cert, errnum, depth, ok: ok)
2669+
collect()
2670+
collect()
2671+
callback = tracker()
2672+
if callback is not None: # pragma: nocover
2673+
referrers = get_referrers(callback)
2674+
if len(referrers) > 1:
2675+
pytest.fail("Some references remain: %r" % (referrers,))
2676+
26322677
def test_get_session_unconnected(self):
26332678
"""
26342679
`Connection.get_session` returns `None` when used with an object

tox.ini

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ extras =
1010
deps =
1111
coverage>=4.2
1212
cryptographyMain: git+https://github.com/pyca/cryptography.git
13-
cryptographyMinimum: cryptography==35.0
13+
cryptographyMinimum: cryptography==37.0
1414
randomorder: pytest-randomly
1515
setenv =
1616
# Do not allow the executing environment to pollute the test environment

0 commit comments

Comments
 (0)