tls: Split context into context and buffer

Author: Synss

ChangeLog

@@ -1,5 +1,9 @@
 [next]
 
+* tls: Context and TLSWrappedBuffer are now entirely separated.
+** The contexts are now picklable.
+** The contexts do not support TLSWrappedBuffer API anymore.
+* tls: TLSSession currently *unsupported*!
 * Update wheels to mbedtls 2.28.0 (current LTS).
 
 [1.7.0] - 2022-03-23

README.rst

@@ -504,22 +504,6 @@ Content-Type: text/html
 <p>Successful connection.</p>
 <BLANKLINE>
 
-Now, it is possible to cache the session before closing the client side
-
->>> from mbedtls.tls import TLSSession
->>> session = TLSSession()
->>> session.save(tls_cli.context)
-
-and resume it later
-
->>> other_cli = session.resume(
-...     tls.TLSConfiguration(
-...         trust_store=trust_store,
-...         validate_certificates=True,
-...     )
-... )
-...
-
 The last step is to stop the extra process and close the sockets.
 
 >>> tls_cli.close()

src/mbedtls/_tls.pxd

@@ -450,8 +450,12 @@ cdef struct _C_Buffers:
 
 
 cdef class _BaseContext:
-    cdef mbedtls_ssl_context _ctx
     cdef _BaseConfiguration _conf
+
+
+cdef class MbedTLSBuffer:
+    cdef _BaseContext _context
+    cdef mbedtls_ssl_context _ctx
     cdef _C_Buffers _c_buffers
     cpdef set_bio(self, _rb.RingBuffer input, _rb.RingBuffer output)
     # DTLS only:

src/mbedtls/_tls.pyx

@@ -1096,23 +1096,6 @@ cdef class TLSSession:
     def __repr__(self):
         return "%s()" % type(self).__name__
 
-    def save(self, _BaseContext context not None):
-        # Client only
-        try:
-            _exc.check_error(
-                _tls.mbedtls_ssl_get_session(&context._ctx, &self._ctx)
-            )
-        except _exc.TLSError as exc:
-            raise ValueError(context) from exc
-
-    def resume(self, _BaseConfiguration configuration not None):
-        # Client only
-        cdef _BaseContext client = _BaseContext(configuration)
-        _exc.check_error(
-            _tls.mbedtls_ssl_set_session(&client._ctx, &self._ctx)
-        )
-        return client
-
 
 cdef class _BaseContext:
     # _pep543._BaseContext
@@ -1130,9 +1113,30 @@ cdef class _BaseContext:
                 Purpose.CLIENT_AUTH: _tls.MBEDTLS_SSL_IS_CLIENT,
                 Purpose.SERVER_AUTH: _tls.MBEDTLS_SSL_IS_SERVER,
             }[self._purpose])
-        _exc.check_error(_tls.mbedtls_ssl_setup(&self._ctx, &self._conf._ctx))
 
-    def __cinit__(self):
+    def __eq__(self, other):
+        if not isinstance(other, type(self)):
+            return False
+        if not type(self) is type(other):
+            return False
+        return self.configuration == other.configuration
+
+    @property
+    def configuration(self):
+        # PEP 543
+        return self._conf
+
+    @property
+    def _purpose(self) -> Purpose:
+        raise NotImplementedError
+
+
+cdef class MbedTLSBuffer:
+    def __init__(self, _BaseContext context):
+        self._context = context
+        _exc.check_error(_tls.mbedtls_ssl_setup(&self._ctx, &self._context._conf._ctx))
+
+    def __cinit__(self, _BaseContext context):
         """Initialize an `ssl_context`."""
         _tls.mbedtls_ssl_init(&self._ctx)
         _tls.mbedtls_ssl_set_timer_cb(
@@ -1158,24 +1162,16 @@ cdef class _BaseContext:
     def __getstate__(self):
         raise TypeError(f"cannot pickle {self.__class__.__name__!r} object")
 
-    def __repr__(self):
-        return "%s(%r)" % (type(self).__name__, self._conf)
-
     @property
-    def configuration(self):
-        # PEP 543
-        return self._conf
-
-    @property
-    def _purpose(self) -> Purpose:
-        raise NotImplementedError
+    def context(self):
+        return self._context
 
     @property
     def _verified(self):
         return _tls.mbedtls_ssl_get_verify_result(&self._ctx) == 0
 
     @property
-    def _hostname(self):
+    def _server_hostname(self):
         # Client side
         if self._ctx.hostname is NULL:
             return None
@@ -1298,11 +1294,11 @@ cdef class _BaseContext:
         return cipher[0]
 
     @property
-    def _state(self):
+    def _handshake_state(self):
         return HandshakeStep(self._ctx.state)
 
     def do_handshake(self):
-        if self._state is HandshakeStep.HANDSHAKE_OVER:
+        if self._handshake_state is HandshakeStep.HANDSHAKE_OVER:
             raise ValueError("handshake already over")
         self._handle_handshake_response(_tls.mbedtls_ssl_handshake_step(&self._ctx))
 

src/mbedtls/tls.py

@@ -19,6 +19,7 @@
     DTLSVersion,
     HandshakeStep,
     HelloVerifyRequest,
+    MbedTLSBuffer,
     NextProtocol,
     Purpose,
     RaggedEOF,
@@ -149,8 +150,7 @@ def wrap_socket(self, socket, server_hostname):
     def wrap_buffers(self, server_hostname):
         """Create an in-memory stream for TLS."""
         # PEP 543
-        self._set_hostname(server_hostname)
-        return TLSWrappedBuffer(self)
+        return TLSWrappedBuffer(self, server_hostname)
 
 
 class ServerContext(_BaseContext):
@@ -172,11 +172,12 @@ def wrap_buffers(self):
 
 class TLSWrappedBuffer:
     # _pep543.TLSWrappedBuffer
-    def __init__(self, context):
+    def __init__(self, context, server_hostname=None):
         self._output_buffer = _rb.RingBuffer(TLS_BUFFER_CAPACITY)
         self._input_buffer = _rb.RingBuffer(TLS_BUFFER_CAPACITY)
-        context.set_bio(self._output_buffer, self._input_buffer)
-        self._context = context
+        self._tlsbuf = MbedTLSBuffer(context)
+        self._tlsbuf.set_bio(self._output_buffer, self._input_buffer)
+        self._tlsbuf._set_hostname(server_hostname)
 
     def __repr__(self):
         return "%s(%r)" % (type(self).__name__, self.context)
@@ -185,6 +186,14 @@ def __getstate__(self):
         # We could make this pickable by copying the buffers.
         raise TypeError(f"cannot pickle {self.__class__.__name__!r} object")
 
+    @property
+    def _server_hostname(self):
+        return self._tlsbuf._server_hostname
+
+    @property
+    def _handshake_state(self):
+        return self._tlsbuf._handshake_state
+
     def read(self, amt):
         # PEP 543
         if amt <= 0:
@@ -198,39 +207,42 @@ def read(self, amt):
 
     def readinto(self, buffer, amt):
         # PEP 543
-        return self.context.readinto(buffer, amt)
+        return self._tlsbuf.readinto(buffer, amt)
 
     def write(self, buffer):
         # PEP 543
-        amt = self.context.write(buffer)
+        amt = self._tlsbuf.write(buffer)
         assert amt == len(buffer)
         return len(self._output_buffer)
 
     def do_handshake(self):
         # PEP 543
-        self.context.do_handshake()
+        self._tlsbuf.do_handshake()
+
+    def setcookieparam(self, param):
+        self._tlsbuf.setcookieparam(param)
 
     def cipher(self):
         # PEP 543
-        return self.context.cipher()
+        return self._tlsbuf.cipher()
 
     def negotiated_protocol(self):
         # PEP 543
-        return self.context.negotiated_protocol()
+        return self._tlsbuf.negotiated_protocol()
 
     @property
     def context(self):
         # PEP 543
         """The ``Context`` object this buffer is tied to."""
-        return self._context
+        return self._tlsbuf.context
 
     def negotiated_tls_version(self):
         # PEP 543
-        return self.context.negotiated_tls_version()
+        return self._tlsbuf.negotiated_tls_version()
 
     def shutdown(self):
         # PEP 543
-        self.context.shutdown()
+        self._tlsbuf.shutdown()
 
     def receive_from_network(self, data):
         # PEP 543
@@ -311,7 +323,7 @@ def bind(self, address):
 
     def close(self):
         self._closed = True
-        self.context.shutdown()
+        self._buffer.shutdown()
         self._socket.close()
 
     def connect(self, address):
@@ -414,15 +426,16 @@ def setsockopt(self, level, optname, value):
 
     def shutdown(self, how):
         self._buffer.shutdown()
-        self._context.shutdown()
         self._socket.shutdown(how)
 
     # PEP 543 adds the following methods.
 
     def do_handshake(self):
-        while self.context._state is not HandshakeStep.HANDSHAKE_OVER:
+        while (
+            self._buffer._handshake_state is not HandshakeStep.HANDSHAKE_OVER
+        ):
             try:
-                self.context.do_handshake()
+                self._buffer.do_handshake()
                 amt = self._socket.send(self._buffer.peek_outgoing(1024))
                 self._buffer.consume_outgoing(amt)
             except WantReadError:
@@ -433,22 +446,21 @@ def do_handshake(self):
                 self._buffer.receive_from_network(data)
 
     def setcookieparam(self, param):
-        self.context.setcookieparam(param)
+        self._buffer.setcookieparam(param)
 
     def cipher(self):
-        return self.context.cipher()
+        return self._buffer.cipher()
 
     def negotiated_protocol(self):
-        return self.context.negotiated_protocol()
+        return self._buffer.negotiated_protocol()
 
     @property
     def context(self):
-        return self._context
+        return self._buffer.context
 
     def negotiated_tls_version(self):
-        return self.context.negotiated_tls_version()
+        return self._buffer.negotiated_tls_version()
 
     def unwrap(self):
         self._buffer.shutdown()
-        self.context.shutdown()
         return self._socket