Make msg_callback a private debug function

tiran · tiran · commit 9bbf7a463411 · 2019-05-31T11:25:10.000+02:00
The msg_callback and related enums are now private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes &lt;christian@python.org&gt;
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
@@ -1064,27 +1064,6 @@ Constants
 
    SSL 3.0 to TLS 1.3.
 
-.. class:: TLSContentType
-
-   :class:`enum.IntEnum` collection of SSL and TLS content types from
-   :rfc:`8443`, section B.1.
-
-   .. versionadded:: 3.8
-
-.. class:: TLSMessageType
-
-   :class:`enum.IntEnum` collection of SSL and TLS message types from
-   :rfc:`8443`, section B.3.
-
-   .. versionadded:: 3.8
-
-.. class:: TLSAlertType
-
-   :class:`enum.IntEnum` collection of SSL and TLS alert types from
-   :rfc:`8443`, section B.2.
-
-   .. versionadded:: 3.8
-
 
 SSL Sockets
 -----------
@@ -1936,7 +1915,7 @@ to speed up repeated connections from the same clients.
    Write TLS keys to a keylog file, whenever key material is generated or
    received. The keylog file is designed for debugging purposes only. The
    file format is specified by NSS and used by many traffic analyzers such
-   as Wireshark. The log file is opened in append-only mode. Writes a
+   as Wireshark. The log file is opened in append-only mode. Writes are
    synchronized between threads, but not between processes.
 
    .. versionadded:: 3.8
@@ -1980,78 +1959,6 @@ to speed up repeated connections from the same clients.
 
    .. versionadded:: 3.7
 
-.. attribute:: SSLContext.msg_callback
-
-   The message callback provides a debugging hook to analyze TLS connections.
-   The callback is called for any TLS protocol message (header, handshake,
-   alert, and more), but not for application data. Due to technical
-   limitations, the callback can't be used to filter traffic or to abort a
-   connection. Any exception raised in the callback is delayed until the
-   handshake, read, or write operation has been performed.
-
-   Example::
-
-       def msg_cb(conn, direction, version, content_type, msg_type, data):
-          print(f"{direction:5} {version._name_:7} {content_type._name_:18} "
-                f"{msg_type._name_:20} {len(data):4}")
-
-       ctx = ssl.create_default_context()
-       ctx.msg_callback = msg_cb
-       host = 'tls13.crypto.mozilla.org'
-       with ctx.wrap_socket(socket.socket(), server_hostname=host) as s:
-           s.connect((host, 443))
-           s.sendall(b'HEAD / HTTP/1.1\r\n')
-           s.sendall(b'Host: %s\r\n\r\n' % host)
-           s.recv(4096)
-           s.unwrap()
-
-   Output::
-
-        write TLSv1   HEADER             HANDSHAKE               5
-        write TLSv1_3 HANDSHAKE          CLIENT_HELLO          512
-        read  TLSv1_2 HEADER             HANDSHAKE               5
-        read  TLSv1_3 HANDSHAKE          SERVER_HELLO          122
-        read  TLSv1_2 HEADER             CHANGE_CIPHER_SPEC      5
-        read  TLSv1_2 HEADER             APPLICATION_DATA        5
-        read  TLSv1_3 INNER_CONTENT_TYPE CERTIFICATE_STATUS      1
-        read  TLSv1_3 HANDSHAKE          ENCRYPTED_EXTENSIONS    6
-        read  TLSv1_3 HANDSHAKE          CERTIFICATE          3226
-        read  TLSv1_3 HANDSHAKE          CERTIFICATE_VERIFY     79
-        read  TLSv1_3 HANDSHAKE          FINISHED               52
-        write TLSv1_2 HEADER             CHANGE_CIPHER_SPEC      5
-        write TLSv1_3 CHANGE_CIPHER_SPEC CHANGE_CIPHER_SPEC      1
-        write TLSv1_2 HEADER             APPLICATION_DATA        5
-        write TLSv1_3 INNER_CONTENT_TYPE CERTIFICATE_STATUS      1
-        write TLSv1_3 HANDSHAKE          FINISHED               52
-        write TLSv1_2 HEADER             APPLICATION_DATA        5
-        write TLSv1_3 INNER_CONTENT_TYPE SUPPLEMENTAL_DATA       1
-        write TLSv1_2 HEADER             APPLICATION_DATA        5
-        write TLSv1_3 INNER_CONTENT_TYPE SUPPLEMENTAL_DATA       1
-        read  TLSv1_2 HEADER             APPLICATION_DATA        5
-        read  TLSv1_3 INNER_CONTENT_TYPE CERTIFICATE_STATUS      1
-        read  TLSv1_3 HANDSHAKE          NEWSESSION_TICKET     238
-        read  TLSv1_3 HANDSHAKE          NEWSESSION_TICKET     238
-
-
-   conn
-     :class:`SSLSocket` or :class:`SSLObject` instance
-   direction
-     ``read`` or ``write``
-   version
-     :class:`TLSVersion` enum member or int for unknown version. For a
-     frame header, it's the header version.
-   content_type
-     :class:`TLSContentType` enum member or int for unsupported content type.
-   msg_type
-     Either a :class:`TLSContentType` enum number for a header message,
-     a :class:`TLSAlertType` enum member for an alert message,
-     a :class:`TLSMessageType` enum member for other messages, or int for
-     unsupported message types.
-   data
-     Raw, decrypted message content as bytes
-
-   .. versionadded:: 3.8
-
 .. attribute:: SSLContext.options
 
    An integer representing the set of SSL options enabled on this context.
diff --git a/Lib/ssl.py b/Lib/ssl.py
@@ -165,7 +165,7 @@ class TLSVersion(_IntEnum):
     MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
 
 
-class TLSContentType(_IntEnum):
+class _TLSContentType(_IntEnum):
     """Content types (record layer)
 
     See RFC 8446, section B.1
@@ -179,7 +179,7 @@ class TLSContentType(_IntEnum):
     INNER_CONTENT_TYPE = 0x101
 
 
-class TLSAlertType(_IntEnum):
+class _TLSAlertType(_IntEnum):
     """Alert types for TLSContentType.ALERT messages
 
     See RFC 8466, section B.2
@@ -220,7 +220,7 @@ class TLSAlertType(_IntEnum):
     NO_APPLICATION_PROTOCOL = 120
 
 
-class TLSMessageType(_IntEnum):
+class _TLSMessageType(_IntEnum):
     """Message types (handshake protocol)
 
     See RFC 8446, section B.3
@@ -608,13 +608,48 @@ def hostname_checks_common_name(self):
             return True
 
     @property
-    def msg_callback(self):
-        return super().msg_callback.user_function
+    def _msg_callback(self):
+        """TLS message callback
+
+        The message callback provides a debugging hook to analyze TLS
+        connections. The callback is called for any TLS protocol message
+        (header, handshake, alert, and more), but not for application data.
+        Due to technical  limitations, the callback can't be used to filter
+        traffic or to abort a connection. Any exception raised in the
+        callback is delayed until the handshake, read, or write operation
+        has been performed.
+
+        def msg_cb(conn, direction, version, content_type, msg_type, data):
+            pass
+
+        conn
+            :class:`SSLSocket` or :class:`SSLObject` instance
+        direction
+            ``read`` or ``write``
+        version
+            :class:`TLSVersion` enum member or int for unknown version. For a
+            frame header, it's the header version.
+        content_type
+            :class:`_TLSContentType` enum member or int for unsupported
+            content type.
+        msg_type
+            Either a :class:`_TLSContentType` enum number for a header
+            message, a :class:`_TLSAlertType` enum member for an alert
+            message, a :class:`_TLSMessageType` enum member for other
+            messages, or int for unsupported message types.
+        data
+            Raw, decrypted message content as bytes
+        """
+        inner = super()._msg_callback
+        if inner is not None:
+            return inner.user_function
+        else:
+            return None
 
-    @msg_callback.setter
-    def msg_callback(self, callback):
+    @_msg_callback.setter
+    def _msg_callback(self, callback):
         if callback is None:
-            super(SSLContext, SSLContext).msg_callback.__set__(self, None)
+            super(SSLContext, SSLContext)._msg_callback.__set__(self, None)
             return
 
         if not hasattr(callback, '__call__'):
@@ -627,16 +662,16 @@ def inner(conn, direction, version, content_type, msg_type, data):
                 pass
 
             try:
-                content_type = TLSContentType(content_type)
+                content_type = _TLSContentType(content_type)
             except TypeError:
                 pass
 
-            if content_type == TLSContentType.HEADER:
-                msg_enum = TLSContentType
-            elif content_type == TLSContentType.ALERT:
-                msg_enum = TLSAlertType
+            if content_type == _TLSContentType.HEADER:
+                msg_enum = _TLSContentType
+            elif content_type == _TLSContentType.ALERT:
+                msg_enum = _TLSAlertType
             else:
-                msg_enum = TLSMessageType
+                msg_enum = _TLSMessageType
             try:
                 msg_type = msg_enum(msg_type)
             except TypeError:
@@ -647,7 +682,7 @@ def inner(conn, direction, version, content_type, msg_type, data):
 
         inner.user_function = callback
 
-        super(SSLContext, SSLContext).msg_callback.__set__(self, inner)
+        super(SSLContext, SSLContext)._msg_callback.__set__(self, inner)
 
     @property
     def protocol(self):
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -26,7 +26,7 @@
 
 ssl = support.import_module("ssl")
 
-from ssl import TLSVersion, TLSContentType, TLSMessageType, TLSAlertType
+from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
 
 PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
 HOST = support.HOST
@@ -4493,6 +4493,18 @@ def test_keylog_env(self):
             ctx = ssl._create_stdlib_context()
             self.assertEqual(ctx.keylog_filename, support.TESTFN)
 
+    def test_msg_callback(self):
+        client_context, server_context, hostname = testing_context()
+
+        def msg_cb(conn, direction, version, content_type, msg_type, data):
+            pass
+
+        self.assertIs(client_context._msg_callback, None)
+        client_context._msg_callback = msg_cb
+        self.assertIs(client_context._msg_callback, msg_cb)
+        with self.assertRaises(TypeError):
+            client_context._msg_callback = object()
+
     def test_msg_callback_tls12(self):
         client_context, server_context, hostname = testing_context()
         client_context.options |= ssl.OP_NO_TLSv1_3
@@ -4505,7 +4517,7 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
             self.assertIn(direction, {'read', 'write'})
             msg.append((direction, version, content_type, msg_type))
 
-        client_context.msg_callback = msg_cb
+        client_context._msg_callback = msg_cb
 
         server = ThreadedEchoServer(context=server_context, chatty=False)
         with server:
@@ -4514,48 +4526,48 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
                 s.connect((HOST, server.port))
 
         self.assertEqual(msg, [
-            ("write", TLSVersion.TLSv1, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.CLIENT_HELLO),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.SERVER_HELLO),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.CERTIFICATE),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.SERVER_KEY_EXCHANGE),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.SERVER_DONE),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.CLIENT_KEY_EXCHANGE),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.FINISHED),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.CHANGE_CIPHER_SPEC,
-             TLSMessageType.CHANGE_CIPHER_SPEC),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("write", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.FINISHED),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.NEWSESSION_TICKET),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.FINISHED),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HEADER,
-             TLSMessageType.CERTIFICATE_STATUS),
-            ("read", TLSVersion.TLSv1_2, TLSContentType.HANDSHAKE,
-             TLSMessageType.FINISHED),
+            ("write", TLSVersion.TLSv1, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.CLIENT_HELLO),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.SERVER_HELLO),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.CERTIFICATE),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.SERVER_KEY_EXCHANGE),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.SERVER_DONE),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.CLIENT_KEY_EXCHANGE),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.FINISHED),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
+             _TLSMessageType.CHANGE_CIPHER_SPEC),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("write", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.FINISHED),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.NEWSESSION_TICKET),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.FINISHED),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
+             _TLSMessageType.CERTIFICATE_STATUS),
+            ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
+             _TLSMessageType.FINISHED),
         ])
 
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -4650,8 +4650,8 @@ static PyGetSetDef context_getsetlist[] = {
     {"keylog_filename", (getter) _PySSLContext_get_keylog_filename,
                         (setter) _PySSLContext_set_keylog_filename, NULL},
 #endif
-    {"msg_callback", (getter) _PySSLContext_get_msg_callback,
-                     (setter) _PySSLContext_set_msg_callback, NULL},
+    {"_msg_callback", (getter) _PySSLContext_get_msg_callback,
+                      (setter) _PySSLContext_set_msg_callback, NULL},
     {"sni_callback", (getter) get_sni_callback,
                      (setter) set_sni_callback, PySSLContext_sni_callback_doc},
     {"options", (getter) get_options,
