tlslite.tlsrecordlayer module

Helper class for TLSConnection.

class tlslite.tlsrecordlayer.TLSRecordLayer(sock)[source]

Bases: object

This class handles data transmission for a TLS connection.

Its only subclass is TLSConnection. We’ve separated the code in this class from TLSConnection to make things more readable.

Variables:

sock (socket.socket) – The underlying socket object.
session (Session) – The session corresponding to this connection. Due to TLS session resumption, multiple connections can correspond to the same underlying session.
~.version (tuple) – The TLS version being used for this connection. (3,0) means SSL 3.0, and (3,1) means TLS 1.0.
closed (bool) – If this connection is closed.
resumed (bool) – If this connection is based on a resumed session.
allegedSrpUsername (str or None) – This is set to the SRP username asserted by the client, whether the handshake succeeded or not. If the handshake fails, this can be inspected to determine if a guessing attack is in progress against a particular user account.
closeSocket (bool) –
If the socket should be closed when the connection is closed, defaults to True (writable).

If you set this to True, TLS Lite will assume the responsibility of closing the socket when the TLS Connection is shutdown (either through an error or through the user calling close()). The default is False.
ignoreAbruptClose (bool) –
If an abrupt close of the socket should raise an error (writable).

If you set this to True, TLS Lite will not raise a TLSAbruptCloseError exception if the underlying socket is unexpectedly closed. Such an unexpected closure could be caused by an attacker. However, it also occurs with some incorrect TLS implementations.

You should set this to True only if you’re not worried about an attacker truncating the connection, and only if necessary to avoid spurious errors. The default is False.
~.encryptThenMAC (bool) – Whether the connection uses the encrypt-then-MAC construct for CBC cipher suites, will be False also if connection uses RC4 or AEAD.
recordSize (int) – maximum size of data to be sent in a single record layer message. Note that after encryption is established (generally after handshake protocol has finished) the actual amount of data written to network socket will be larger because of the record layer header, padding or encryption overhead. It can be set to low value (so that there is no fragmentation on Ethernet, IP and TCP level) at the beginning of connection to reduce latency and set to protocol max (2**14) to maximise throughput after sending the first few kiB of data. If negotiated, record_size_limit extension may limit it though, causing reading of the variable to return lower value that was initially set. See also: HandshakeSettings.record_size_limit.
tickets (list of bytearray) – list of session tickets received from server, oldest first.
client_cert_required (bool) – Set to True to make the post-handshake authentication fail when client doesn’t provide a certificate in response

__init__(sock)[source]

clearReadBuffer()[source]

clearWriteBuffer()[source]

close()[source]

Close the TLS connection.

This function will block until it has exchanged close_notify alerts with the other party. After doing so, it will shut down the TLS connection. Further attempts to read through this connection will return “”. Further attempts to write through this connection will raise ValueError.

If makefile() has been called on this connection, the connection will be not be closed until the connection object and all file objects have been closed.

Even if an exception is raised, the connection will have been closed.

Raises:

socket.error – If a socket error occurs.
tlslite.errors.TLSAbruptCloseError – If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert – If a TLS alert is signalled.

closeAsync()[source]

Start a close operation on the TLS connection.

This function returns a generator which behaves similarly to close(). Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or will raise StopIteration if the close operation has completed.

Return type:: iterable
Returns:: A generator; see above for details.

property encryptThenMAC: Whether the connection uses Encrypt Then MAC (RFC 7366)

fileno()[source]: Not implement in TLS Lite.

getCipherImplementation()[source]

Get the name of the cipher implementation used with this connection.

Return type:: str
Returns:: The name of the cipher implementation used with this connection. Either ‘python’, ‘openssl’, or ‘pycrypto’.

getCipherName()[source]

Get the name of the cipher used with this connection.

Return type:: str
Returns:: The name of the cipher used with this connection. Either ‘aes128’, ‘aes256’, ‘rc4’, or ‘3des’.

getVersionName()[source]

Get the name of this TLS version.

Return type:: str
Returns:: The name of the TLS version used with this connection. Either None, ‘SSL 3.0’, ‘TLS 1.0’, ‘TLS 1.1’, ‘TLS 1.2’ or ‘TLS 1.3’.

getpeername()[source]: Return the remote address to which the socket is connected (socket emulation).

getsockname()[source]: Return the socket’s own address (socket emulation).

gettimeout()[source]: Return the timeout associated with socket operations (socket emulation).

makefile(mode='r', bufsize=-1)[source]

Create a file object for the TLS connection (socket emulation).

Return type:: socket._fileobject

read(max=None, min=1)[source]

Read some data from the TLS connection.

This function will block until at least ‘min’ bytes are available (or the connection is closed).

If an exception is raised, the connection will have been automatically closed.

Parameters:

max (int) – The maximum number of bytes to return.
min (int) – The minimum number of bytes to return

Return type:

str

Returns:

A string of no more than ‘max’ bytes, and no fewer than ‘min’ (unless the connection has been closed, in which case fewer than ‘min’ bytes may be returned).

Raises:

socket.error – If a socket error occurs.
tlslite.errors.TLSAbruptCloseError – If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert – If a TLS alert is signalled.

readAsync(max=None, min=1)[source]

Start a read operation on the TLS connection.

This function returns a generator which behaves similarly to read(). Successive invocations of the generator will return 0 if it is waiting to read from the socket, 1 if it is waiting to write to the socket, or a string if the read operation has completed.

Return type:: iterable
Returns:: A generator; see above for details.

property recordSize: Maximum size of the records that will be sent out.

recv(bufsize)[source]

Get some data from the TLS connection (socket emulation).

Raises:

socket.error – If a socket error occurs.
tlslite.errors.TLSAbruptCloseError – If the socket is closed without a preceding alert.
tlslite.errors.TLSAlert – If a TLS alert is signalled.

recv_into(b)[source]

send(s)[source]

Send data to the TLS connection (socket emulation).

Raises:: socket.error – If a socket error occurs.

send_heartbeat_request(payload, padding_length)[source]

Synchronous version of write_heartbeat function.

Parameters:

payload (bytes) – Payload, that we want send in request and get at response.
padding_length (int) – Length of padding.

Raises:

socket.error – If a socket error occurs.

send_keyupdate_request(message_type)[source]

Send a KeyUpdate message.

Parameters:: payload (int) – Type of KeyUpdate message.
Raises:: socket.error – If a socket error occurs.

sendall(s)[source]

Send data to the TLS connection (socket emulation).

Raises:: socket.error – If a socket error occurs.

setsockopt(level, optname, value)[source]: Set the value of the given socket option (socket emulation).

settimeout(value)[source]: Set a timeout on blocking socket operations (socket emulation).

shutdown(how)[source]: Shutdown the underlying socket.

unread(b)[source]: Add bytes to the front of the socket read buffer for future reading. Be careful using this in the context of select(…): if you unread the last data from a socket, that won’t wake up selected waiters, and those waiters may hang forever.

property version: Get the SSL protocol version of connection

write(s)[source]

Write some data to the TLS connection.

This function will block until all the data has been sent.

If an exception is raised, the connection will have been automatically closed.

Parameters:: s (str) – The data to transmit to the other party.
Raises:: socket.error – If a socket error occurs.

writeAsync(s)[source]

Start a write operation on the TLS connection.

This function returns a generator which behaves similarly to write(). Successive invocations of the generator will return 1 if it is waiting to write to the socket, or will raise StopIteration if the write operation has completed.

Return type:: iterable
Returns:: A generator; see above for details.

write_heartbeat(payload, padding_length)[source]

Start a write operation of heartbeat_request.

Parameters:

payload (bytes) – Payload, that we want send in request and get at response.
padding_length (int) – Length of padding.

Raises:

socket.error – If a socket error occurs.

tlslite.tlsrecordlayer.bytes_to_int(bytes, byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes: Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.
byteorder: The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use `sys.byteorder’ as the byte order value. Default is to use ‘big’.
signed: Indicates whether two’s complement is used to represent the integer.