[pypy-commit] pypy stdlib-2.7.9: provide SSLContext.check_hostname

bdkearns noreply at buildbot.pypy.org
Sun Dec 21 18:32:53 CET 2014


Author: Brian Kearns <bdkearns at gmail.com>
Branch: stdlib-2.7.9
Changeset: r75052:fcae7464203b
Date: 2014-12-21 12:32 -0500
http://bitbucket.org/pypy/pypy/changeset/fcae7464203b/

Log:	provide SSLContext.check_hostname

diff --git a/pypy/module/_ssl/interp_ssl.py b/pypy/module/_ssl/interp_ssl.py
--- a/pypy/module/_ssl/interp_ssl.py
+++ b/pypy/module/_ssl/interp_ssl.py
@@ -839,6 +839,7 @@
 
         self = space.allocate_instance(_SSLContext, w_subtype)
         self.ctx = ctx
+        self.check_hostname = False
         options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
         if protocol != PY_SSL_VERSION_SSL2:
             options |= SSL_OP_NO_SSLv2
@@ -894,8 +895,23 @@
         else:
             raise oefmt(space.w_ValueError,
                         "invalid value for verify_mode")
+        if mode == SSL_VERIFY_NONE and self.check_hostname:
+            raise oefmt(space.w_ValueError,
+                        "Cannot set verify_mode to CERT_NONE when "
+                        "check_hostname is enabled.")
         libssl_SSL_CTX_set_verify(self.ctx, mode, None)
 
+    def descr_get_check_hostname(self, space):
+        return space.newbool(self.check_hostname)
+
+    def descr_set_check_hostname(self, space, w_obj):
+        check_hostname = space.is_true(w_obj)
+        if check_hostname and libssl_SSL_CTX_get_verify_mode(self.ctx) == SSL_VERIFY_NONE:
+            raise oefmt(space.w_ValueError,
+                        "check_hostname needs a SSL context with either "
+                        "CERT_OPTIONAL or CERT_REQUIRED")
+        self.check_hostname = check_hostname
+
 _SSLContext.typedef = TypeDef("_SSLContext",
     __module__ = "_ssl",
     __new__ = interp2app(_SSLContext.descr_new),
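Review bot: `descr_set_check_hostname` and the guard added to the verify_mode setter have no comment stating the invariant they jointly enforce, namely that an enabled check_hostname implies verify_mode is not CERT_NONE. The flag is only stored on the context here; nothing in this hunk performs hostname matching, so enforcement presumably happens at handshake time in code outside the diff. I would say so above the setter, e.g. `# Only records the flag; hostname matching itself is expected to be done by the caller at handshake time.` and `# Invariant: check_hostname may be True only while verify_mode != CERT_NONE.` One-line docstrings on both accessors would help as well. The verify_mode setter starts above the hunk, so its earlier validation was not reviewed.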
@@ -905,6 +921,8 @@
                              _SSLContext.descr_set_options),
     verify_mode = GetSetProperty(_SSLContext.descr_get_verify_mode,
                                  _SSLContext.descr_set_verify_mode),
+    check_hostname = GetSetProperty(_SSLContext.descr_get_check_hostname,
+                                    _SSLContext.descr_set_check_hostname),
 )
 
 
diff --git a/pypy/module/_ssl/test/test_ssl.py b/pypy/module/_ssl/test/test_ssl.py
--- a/pypy/module/_ssl/test/test_ssl.py
+++ b/pypy/module/_ssl/test/test_ssl.py
@@ -120,12 +120,24 @@
         assert not s.options & _ssl.OP_NO_SSLv2
         raises(TypeError, "s.options = 2.5")
 
+        assert not s.check_hostname
+        exc = raises(ValueError, "s.check_hostname = True")
+        assert str(exc.value) == "check_hostname needs a SSL context with " \
+                                 "either CERT_OPTIONAL or CERT_REQUIRED"
+
         assert s.verify_mode == _ssl.CERT_NONE
         s.verify_mode = _ssl.CERT_REQUIRED
         assert s.verify_mode == _ssl.CERT_REQUIRED
         exc = raises(ValueError, "s.verify_mode = 1234")
         assert str(exc.value) == "invalid value for verify_mode"
 
+        s.check_hostname = True
+        assert s.check_hostname
+
+        exc = raises(ValueError, "s.verify_mode = _ssl.CERT_NONE")
+        assert str(exc.value) == "Cannot set verify_mode to CERT_NONE " \
+                                 "when check_hostname is enabled."
+
 
 class AppTestConnectedSSL:
     spaceconfig = {
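Review bot: The two rejected assignments are checked only for their error message, not for leaving the context unchanged. After the `raises(ValueError, "s.verify_mode = _ssl.CERT_NONE")` check I would add `assert s.verify_mode == _ssl.CERT_REQUIRED` and `assert s.check_hostname`, so a regression that raises but still downgrades verification is caught. The release path is also untested: `s.check_hostname = False` followed by `s.verify_mode = _ssl.CERT_NONE` should succeed and leave `s.verify_mode == _ssl.CERT_NONE`. The test method begins above the hunk, so its setup was not reviewed.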

