Get constants from OpenSSL directly.

Itamar Turner-Trauring 2022-03-28 11:27:32 -04:00
parent ae8a7eff43
commit 4e58748c4a


@ -26,6 +26,7 @@ import treq
from treq.client import HTTPClient from treq.client import HTTPClient
from treq.testing import StubTreq from treq.testing import StubTreq
from OpenSSL import SSL from OpenSSL import SSL
from cryptography.hazmat.bindings.openssl.binding import Binding
from .http_common import ( from .http_common import (
swissnum_auth_header, swissnum_auth_header,
@ -37,6 +38,8 @@ from .http_common import (
from .common import si_b2a from .common import si_b2a
from ..util.hashutil import timing_safe_compare from ..util.hashutil import timing_safe_compare
_OPENSSL = Binding().lib
def _encode_si(si): # type: (bytes) -> str def _encode_si(si): # type: (bytes) -> str
"""Encode the storage index into Unicode string.""" """Encode the storage index into Unicode string."""
@ -88,8 +91,8 @@ class _TLSContextFactory(CertificateOptions):
def getContext(self) -> SSL.Context: def getContext(self) -> SSL.Context:
def always_validate(conn, cert, errno, depth, preverify_ok): def always_validate(conn, cert, errno, depth, preverify_ok):
# This function is called to validate the certificate received by # This function is called to validate the certificate received by
# the other end. OpenSSL calls it multiple times, each time it # the other end. OpenSSL calls it multiple times, for each errno
# see something funny, to ask if it should proceed. # for each certificate.
# We do not care about certificate authorities or revocation # We do not care about certificate authorities or revocation
# lists, we just want to know that the certificate has a valid # lists, we just want to know that the certificate has a valid
@ -97,15 +100,12 @@ class _TLSContextFactory(CertificateOptions):
# self-signed. We need to protect against forged signatures, but # self-signed. We need to protect against forged signatures, but
# not the usual TLS concerns about invalid CAs or revoked # not the usual TLS concerns about invalid CAs or revoked
# certificates. # certificates.
# these constants are from openssl-0.9.7g/crypto/x509/x509_vfy.h
# and do not appear to be exposed by pyopenssl. Ick.
things_are_ok = ( things_are_ok = (
0, # X509_V_OK _OPENSSL.X509_V_OK,
9, # X509_V_ERR_CERT_NOT_YET_VALID _OPENSSL.X509_V_ERR_CERT_NOT_YET_VALID,
10, # X509_V_ERR_CERT_HAS_EXPIRED _OPENSSL.X509_V_ERR_CERT_HAS_EXPIRED,
18, # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT _OPENSSL.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
19, # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN _OPENSSL.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
) )
# TODO can we do this once instead of multiple times? # TODO can we do this once instead of multiple times?
if errno in things_are_ok and timing_safe_compare( if errno in things_are_ok and timing_safe_compare(
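Review bot: `things_are_ok` is still built inside `always_validate`, so the five `_OPENSSL.X509_V_*` lookups run on every verify callback, and a name missing from the binding would only surface once a TLS handshake reaches this code rather than at import. `cryptography.hazmat.bindings` is a low-level interface, so it is worth confirming that these names are present in every cryptography version the project supports. Building the set once at module level, directly under `_OPENSSL = Binding().lib`, as a frozenset named something like `_TOLERATED_VERIFY_CODES`, and testing `errno in _TOLERATED_VERIFY_CODES` here, would make a missing constant fail at import and keep the list of tolerated verification errors in one place for review. A short comment there should say that expiry and self-signed errors are accepted only because the certificate is pinned by hash. The body of `always_validate` continues past the end of this hunk, so the hash comparison itself is not covered by this note.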