Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity
116,725 Commits 6 Branches 593 Tags 2.8 GiB
Commit Graph

465 Commits

Author SHA1 Message Date
Christian Heimes fe3c9c1ee9 Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. 2016-09-06 23:27:06 +02:00
Christian Heimes 1c03abd026 Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. 2016-09-06 23:25:35 +02:00
Christian Heimes 0061bf5892 Issue #26470: Use short name rather than name for compression name to fix #27958. 2016-09-06 01:14:34 +02:00
Christian Heimes 281e5f8839 Issue #26470: Use short name rather than name for compression name to fix #27958. 2016-09-06 01:10:39 +02:00
Christian Heimes 25bfcd5d9e Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers. 2016-09-06 00:04:45 +02:00
Christian Heimes 01113faef9 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:23:24 +02:00
Christian Heimes 598894ff48 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:19:05 +02:00
Benjamin Peterson a853c479ee merge 3.5 (#27773) 2016-08-15 21:56:11 -07:00
Benjamin Peterson 81b9ecd2a3 fix corner cases in the management of server_hostname (closes #27773) 2016-08-15 21:55:37 -07:00
Victor Stinner d3afb62b8f Merge 3.5 (INVALID_SOCKET) 2016-07-22 17:47:09 +02:00
Victor Stinner 524714eeda socket: use INVALID_SOCKET 
* Replace "fd = -1" with "fd = INVALID_SOCKET"
* Replace "fd < 0" with "fd == INVALID_SOCKET": SOCKET_T is unsigned on Windows

Bug found by Pavel Belikov ("Fragment N1"):
http://www.viva64.com/en/b/0414/#ID0ECDAE
 2016-07-22 17:43:59 +02:00
Martin Panter 7386268ffd Issue #23804: Merge SSL recv() fix from 3.5 2016-07-11 01:32:09 +00:00
Martin Panter bed7f1a512 Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF 2016-07-11 00:17:13 +00:00
Serhiy Storchaka 2954f83999 - Issue #27332: Fixed the type of the first argument of module-level functions 
generated by Argument Clinic.  Patch by Petr Viktorin.
 2016-07-07 18:20:03 +03:00
Serhiy Storchaka 1a2b24f02d Issue #27332: Fixed the type of the first argument of module-level functions 
generated by Argument Clinic.  Patch by Petr Viktorin.
 2016-07-07 17:35:15 +03:00
Benjamin Peterson 50600a78cb merge 3.5 (#24557) 2016-07-06 23:58:16 -07:00
Benjamin Peterson b8a2f51ceb assume egd unless OPENSSL_NO_EGD is defined—remove configure check (closes #24557) 2016-07-06 23:55:15 -07:00
Berker Peksag 2c164b738d Fix unused variable 'libver' warning in Modules/_ssl.c 
It can be seen on various buildbots like 3.x.cea-indiana-amd64
and 3.x.murray-snowleopard:

/export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver'

/Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
 2016-04-14 16:49:21 +03:00
Berker Peksag dfcb041195 Fix unused variable 'libver' warning in Modules/_ssl.c 
It can be seen on various buildbots like 3.x.cea-indiana-amd64
and 3.x.murray-snowleopard:

/export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver'

/Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
 2016-04-14 16:48:48 +03:00
Serhiy Storchaka f01e408c16 Issue #26200: Added Py_SETREF and replaced Py_XSETREF with Py_SETREF 
in places where Py_DECREF was used.
 2016-04-10 18:12:01 +03:00
Serhiy Storchaka 57a01d3a0e Issue #26200: Added Py_SETREF and replaced Py_XSETREF with Py_SETREF 
in places where Py_DECREF was used.
 2016-04-10 18:05:40 +03:00
Serhiy Storchaka ec39756960 Issue #22570: Renamed Py_SETREF to Py_XSETREF. 2016-04-06 09:50:03 +03:00
Serhiy Storchaka 48842714b9 Issue #22570: Renamed Py_SETREF to Py_XSETREF. 2016-04-06 09:45:48 +03:00
Martin Panter afd465d497 Issue #26644: Merge SSL negative read fix from 3.5 2016-03-27 10:40:22 +00:00
Martin Panter 5503d4731e Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() 2016-03-27 05:35:19 +00:00
Benjamin Peterson 4a180a693f merge 3.5 (closes #25939) 2016-02-17 22:18:35 -08:00
Benjamin Peterson 1378f7ca68 merge 3.4 (closes #25939) 2016-02-17 22:18:20 -08:00
Benjamin Peterson 9491272751 open the cert store readonly 
Patch from Chi Hsuan Yen.
 2016-02-17 22:13:19 -08:00
Benjamin Peterson 5db60aa84e merge 3.5 (closes #25672) 2016-01-07 21:38:51 -08:00
Benjamin Peterson 3b1a8b3bbe enable SSL_MODE_RELEASE_BUFFERS 
Patch by Cory Benfield.
 2016-01-07 21:37:37 -08:00
Serhiy Storchaka ef1585eb9a Issue #25923: Added more const qualifiers to signatures of static and private functions. 2015-12-25 20:01:53 +02:00
Serhiy Storchaka 5a57ade58e Issue #20440: Massive replacing unsafe attribute setting code with special 
macro Py_SETREF.
 2015-12-24 10:35:59 +02:00
Benjamin Peterson fcc2e71e99 merge 3.4 (#25578) 2015-11-14 15:14:42 -08:00
Benjamin Peterson 025a1fd990 rm trailing ws 2015-11-14 15:12:38 -08:00
Benjamin Peterson f0c9038a36 fix possible memory lea k in _get_aia_uri (closes #25578) 2015-11-14 15:12:18 -08:00
Benjamin Peterson 2463001a15 merge 3.4 (#25569) 2015-11-14 00:11:09 -08:00
Benjamin Peterson 806fb25405 fix build with older openssl (#25569) 2015-11-14 00:09:22 -08:00
Benjamin Peterson 45bde5d2ee merge 3.4 (#25530) 2015-11-11 22:45:22 -08:00
Benjamin Peterson a9dcdabccb always set OP_NO_SSLv3 by default (closes #25530) 2015-11-11 22:38:41 -08:00
Benjamin Peterson 86429bd174 merge 3.5 (#25569) 2015-11-11 22:14:08 -08:00
Benjamin Peterson eda06c8f5e fix memory leak in _get_crl_dp (closes #25569) 
Patch started by Stéphane Wirtel.
 2015-11-11 22:07:38 -08:00
Serhiy Storchaka f51d715845 Issue #25523: Further a-to-an corrections new in 3.5. 2015-11-02 14:40:41 +02:00
Serhiy Storchaka a84f6c3dd3 Issue #25523: Merge a-to-an corrections from 3.4. 2015-11-02 14:39:05 +02:00
Serhiy Storchaka d65c9496da Issue #25523: Further a-to-an corrections. 2015-11-02 14:10:23 +02:00
Benjamin Peterson d330822c12 detect alpn by feature flag not openssl version (closes #23329) 2015-09-27 00:09:02 -07:00
Benjamin Peterson d113c967b4 improve style of the convert macro (#24655) 
Patch by Brian Cain.
 2015-07-18 10:59:13 -07:00
Benjamin Peterson 0544cf0eb9 merge 3.4 (#24655) 2015-07-18 11:00:00 -07:00
Larry Hastings dbfdc380df Issue #24001: Argument Clinic converters now use accept={type} 
instead of types={'type'} to specify the types the converter accepts.
 2015-05-04 06:59:46 -07:00
Serhiy Storchaka 4b7b82f133 Issue #20179: Converted the _ssl module to Argument Clinic. 2015-05-03 16:14:08 +03:00
Victor Stinner 146907081c Issue #23853: Methods of SSL socket don't reset the socket timeout anymore each 
time bytes are received or sent. The socket timeout is now the maximum total
duration of the method.

This change fixes a denial of service if the application is regulary
interrupted by a signal and the signal handler does not raise an exception.
 2015-04-06 22:46:13 +02:00
Benjamin Peterson 7d71c97ec3 merge 3.4 (#23875) 2015-04-06 13:06:21 -04:00
Benjamin Peterson 43b842775f remove extra arguments in arg parsing format codes (closes #23875) 2015-04-06 13:05:22 -04:00
Victor Stinner 4e3cfa46dc Issue #23853: Cleanup _ssl.c 
* Rename check_socket_and_wait_for_timeout() to PySSL_select()
* PySSL_select() is now clearly splitted betwen poll() and select()
* Add empty lines for readability
 2015-04-02 21:28:28 +02:00
Victor Stinner 869e1778c0 Issue #22117: Replace usage of _PyTime_ROUND_UP with _PyTime_ROUND_CEILING 
All these functions only accept positive timeouts, so this change has no effect
in practice.
 2015-03-30 03:49:14 +02:00
Victor Stinner ea9c0dd2c2 Issue #22117: Fix usage of _PyTime_AsTimeval() 
Add _PyTime_AsTimeval_noraise() function. Call it when it's not possible (or
not useful) to raise a Python exception on overflow.
 2015-03-30 02:51:13 +02:00
Victor Stinner e245231fab Issue #22117: Fix ssl to use _PyTime_t API on sock_timeout 
I didn't notice that the ssl module uses private attributes of socket objects.
 2015-03-28 03:00:46 +01:00
Serhiy Storchaka 8490f5acfe Issue #23001: Few functions in modules mmap, ossaudiodev, socket, ssl, and 
codecs, that accepted only read-only bytes-like object now accept writable
bytes-like object too.
 2015-03-20 09:00:36 +02:00
Victor Stinner e42ccd2bfd Issue #23694: Enhance _Py_fopen(), it now raises an exception on error 
* If fopen() fails, OSError is raised with the original filename object.
* The GIL is now released while calling fopen()
 2015-03-18 01:39:23 +01:00
Benjamin Peterson de8eca4638 merge 3.4 2015-03-04 22:50:25 -05:00
Benjamin Peterson 990fcaac3c expose X509_V_FLAG_TRUSTED_FIRST 2015-03-04 22:49:41 -05:00
Benjamin Peterson b64ae7bf2d merge 3.4 (#23476) 2015-03-04 22:11:48 -05:00
Benjamin Peterson fdb1971587 enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476) 2015-03-04 22:11:12 -05:00
Antoine Pitrou 0bfd0a4048 Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed. 2015-03-04 20:54:57 +01:00
Antoine Pitrou f7f3b0a14a Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed. 2015-03-04 20:51:55 +01:00
Serhiy Storchaka 4d0d982985 Issue #23446: Use PyMem_New instead of PyMem_Malloc to avoid possible integer 
overflows.  Added few missed PyErr_NoMemory().
 2015-02-16 13:33:32 +02:00
Serhiy Storchaka 1a1ff29659 Issue #23446: Use PyMem_New instead of PyMem_Malloc to avoid possible integer 
overflows.  Added few missed PyErr_NoMemory().
 2015-02-16 13:28:22 +02:00
Benjamin Peterson c54de47759 ifdef our way to compatibility with old openssl (closes #23335) 2015-01-28 12:06:39 -05:00
Benjamin Peterson 07f0515667 disable ALPN on LibreSSL, which has a large version number, but not ALPN support (closes #23329) 2015-01-27 11:10:18 -05:00
Benjamin Peterson 8861502e07 prefer server alpn ordering over the client's 2015-01-23 17:30:26 -05:00
Benjamin Peterson cca2732a82 add support for ALPN (closes #20188) 2015-01-23 16:35:37 -05:00
Benjamin Peterson baf7c1e546 use SSL_get_session 2015-01-07 11:32:00 -06:00
Benjamin Peterson 4cb17812d9 expose the client's cipher suites from the handshake (closes #23186) 2015-01-07 11:14:26 -06:00
Victor Stinner fcfed19913 Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The 
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
 2015-01-06 13:54:58 +01:00
Antoine Pitrou 5e8430d02c Issue #23143: Remove compatibility with OpenSSLs older than 0.9.8. 
(the last 0.9.7 release was in 2007)
 2015-01-03 23:17:23 +01:00
Benjamin Peterson e32467cf6a allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935) 
Patch by Kurt Roeckx.
 2014-12-05 21:59:35 -05:00
Benjamin Peterson 7243b574e5 don't require OpenSSL SNI to pass hostname to ssl functions (#22921) 
Patch by Donald Stufft.
 2014-11-23 17:04:34 -06:00
Benjamin Peterson 22293df016 merge 3.4 (#22935) 2014-12-05 22:11:33 -05:00
Victor Stinner beeb512fe1 Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The 
availability of the function is checked during the compilation.

Patch written by Bernard Spil.
 2014-11-28 13:28:25 +01:00
Benjamin Peterson f9284ae8ed merge 3.4 (#22921) 2014-11-23 17:06:39 -06:00
Antoine Pitrou b1fdf47ff5 Issue #21965: Add support for in-memory SSL to the ssl module. 
Patch by Geert Jansen.
 2014-10-05 20:41:53 +02:00
Antoine Pitrou 47e40429fb Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use. 2014-09-04 21:00:10 +02:00
Victor Stinner e03de09ff2 (Merge 3.4) Issue #21781, _ssl: Fix asn1obj2py() on Windows 64-bit, "s#" format 
requires size to be a Py_ssize_t, not an int. _ssl.c is now "Py_ssize_t clean".
 2014-07-07 21:52:49 +02:00
Victor Stinner cd75298611 Issue #21781, _ssl: Fix asn1obj2py() on Windows 64-bit, "s#" format requires 
size to be a Py_ssize_t, not an int. _ssl.c is now "Py_ssize_t clean".
 2014-07-07 21:52:29 +02:00
Victor Stinner 7f084064e8 (Merge 3.4) Issue #21781: Make the ssl module "ssize_t clean" for parsing 
parameters.  ssl.RAND_add() now supports strings longer than 2 GB.
 2014-07-01 16:39:23 +02:00
Victor Stinner 2e57b4e488 Issue #21781: Make the ssl module "ssize_t clean" for parsing parameters. 
ssl.RAND_add() now supports strings longer than 2 GB.
 2014-07-01 16:37:17 +02:00
Victor Stinner 45e8e2f218 Issue #21490: Add new C macros: Py_ABS() and Py_STRINGIFY() 
Keep _Py_STRINGIZE() in PC/pyconfig.h to not introduce a dependency between
pyconfig.h and pymacros.h.
 2014-05-14 17:24:35 +02:00
Antoine Pitrou 0bebbc33fa Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1". 
(should also fix a buildbot failure introduced by #20995)
 2014-03-22 18:13:50 +01:00
Gregory P. Smith 83fed26953 avoid a compiler warning about assigning const char * to char *. 2014-01-17 12:09:05 -08:00
Gregory P. Smith f34890937b avoid a compiler warning about assigning const char * to char *. 2014-01-17 12:08:49 -08:00
Antoine Pitrou 78ace81c93 Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. 2014-01-09 20:09:03 +01:00
Antoine Pitrou 2f7c31678a Remove conditional: it is useless at this point (OpenSSL headers are not yet included) 2014-01-09 20:07:41 +01:00
Antoine Pitrou cd3d7cabef Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. 2014-01-09 20:02:20 +01:00
Victor Stinner 36e96b8716 (Merge 3.3) Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now 
raise a ValueError if num is negative (instead of raising a SystemError).
 2013-12-19 16:47:25 +01:00
Victor Stinner 1e81a399a2 Issue #20025: ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a 
ValueError if num is negative (instead of raising a SystemError).
 2013-12-19 16:47:04 +01:00
Christian Heimes 1aa9a75fbf Issue #19509: Add SSLContext.check_hostname to match the peer's certificate 
with server_hostname on handshake.
 2013-12-02 02:41:19 +01:00
Christian Heimes 470fba1f9f SNI was added in OpenSSL 0.9.8f [11 Oct 2007], too 2013-11-28 15:12:15 +01:00
Christian Heimes 2427b50fdd Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+ 
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
 2013-11-23 11:24:32 +01:00
Christian Heimes 5398e1a56e Issue #19448: report name / NID in exception message of ASN1Object 2013-11-22 16:20:53 +01:00
Christian Heimes f22e8e5426 Issue #18147: Add missing documentation for SSLContext.get_ca_certs(). 
Also change the argument name to the same name as getpeercert()
 2013-11-22 02:22:51 +01:00
Christian Heimes 44109d7de7 Issue #17134: Finalize interface to Windows' certificate store. Cert and 
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
 2013-11-22 01:51:30 +01:00
Christian Heimes 1dbf61fa46 downcast len to int. The code has already checked that len < INT_MAX 2013-11-22 00:34:18 +01:00
Christian Heimes 18fc7be80d lst might be NULL here 
CID 1130752:  Dereference after null check  (FORWARD_NULL)
 2013-11-21 23:57:49 +01:00
Christian Heimes 225877917e Issue #8813: Add SSLContext.verify_flags to change the verification flags 
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
 2013-11-21 23:56:13 +01:00
Christian Heimes 949ec14209 Issue #19682: Fix compatibility issue with old version of OpenSSL that 
was introduced by Issue #18379.
 2013-11-21 16:26:51 +01:00
Christian Heimes bd3a7f90b5 Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP 
and CRL distribution points.
 2013-11-21 03:40:15 +01:00
Christian Heimes efff7060f8 Issue #18138: Implement cadata argument of SSLContext.load_verify_location() 
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
 2013-11-21 03:35:02 +01:00
Christian Heimes b08ff7dcb4 Safely downcast SOCKET_T to int in _ssl module 2013-11-18 10:04:07 +01:00
Christian Heimes a6bc95aa02 Issue #19448: Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name. 2013-11-17 19:59:14 +01:00
Victor Stinner a9eb38f02a Issue #19437: Fix newPySSLSocket(), handle PyWeakref_NewRef() failure 2013-10-31 16:35:38 +01:00
Victor Stinner ba9be477b0 Issue #19437: Fix fill_and_set_sslerror() of _ssl, handle Py_BuildValue() 
failure

Don't call PyObject_CallObject() with NULL parameters and an exception set.
 2013-10-31 15:00:24 +01:00
Christian Heimes ee0bac66b2 Issue #19227 / Issue #18747: Remove pthread_atfork() handler to remove OpenSSL re-seeding 
It is causing trouble like e.g. hanging processes.
 2013-10-29 21:11:55 +01:00
Christian Heimes fb6b44e830 Issue #19227 / Issue #18747: Remove pthread_atfork() handler to remove OpenSSL re-seeding 
It is causing trouble like e.g. hanging processes.
 2013-10-29 20:50:01 +01:00
Georg Brandl 81be27d53e Issue #19227: Try to fix deadlocks caused by re-seeding then OpenSSL 
pseudo-random number generator on fork().
 2013-10-27 07:56:11 +01:00
Georg Brandl fb404f528a #19227: merge with 3.3 2013-10-27 07:57:42 +01:00
Antoine Pitrou b2201e1aa6 Properly initialize all fields of a SSL object after allocation. 2013-09-29 19:53:45 +02:00
Antoine Pitrou 860aee75b8 Properly initialize all fields of a SSL object after allocation. 2013-09-29 19:52:45 +02:00
Antoine Pitrou 20b85557f2 Issue #19095: SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done. 2013-09-29 19:50:53 +02:00
Christian Heimes 2d7aba3db1 Issue #18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case 2013-09-05 16:04:50 +02:00
Christian Heimes 60bf2fc25b Issue #18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case 2013-09-05 16:04:35 +02:00
Victor Stinner daf455554b Issue #18571: Implementation of the PEP 446: file descriptors and file handles 
are now created non-inheritable; add functions os.get/set_inheritable(),
os.get/set_handle_inheritable() and socket.socket.get/set_inheritable().
 2013-08-28 00:53:59 +02:00
Christian Heimes cfa47962c2 Issue #18747: Fix spelling errors in my commit message and comments, 
thanks to Vajrasky Kok for proof-reading.
 2013-08-25 14:19:29 +02:00
Christian Heimes 61636e7105 Issue #18747: Fix spelling errors in my commit message and comments, 
thanks to Vajrasky Kok for proof-reading.
 2013-08-25 14:19:16 +02:00
Richard Oudkerk cabbde9e1e Fix compiler warning on Windows. 2013-08-24 23:46:27 +01:00
Christian Heimes f54c24628b Issue #18747: Use a parent atfork handler instead of a child atfork handler. 
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
 2013-08-22 13:19:56 +02:00
Christian Heimes 80c5de93f9 Issue #18747: Use a parent atfork handler instead of a child atfork handler. 
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
 2013-08-22 13:19:48 +02:00
Christian Heimes 6acbe2aaa3 Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork. 
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
 2013-08-21 13:26:34 +02:00
Christian Heimes f77b4b20e9 Issue #18747: Re-seed OpenSSL's pseudo-random number generator after fork. 
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
 2013-08-21 13:26:05 +02:00
Christian Heimes 85532eb212 Issue #18777: The ssl module now uses the new CRYPTO_THREADID API of 
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
 2013-08-19 17:36:39 +02:00
Christian Heimes 4d98ca9ff6 Issue #18777: The ssl module now uses the new CRYPTO_THREADID API of 
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
 2013-08-19 17:36:29 +02:00
Christian Heimes f920a1c1f1 Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok. 2013-08-17 17:25:27 +02:00
Christian Heimes 3c2593b2bb Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok. 2013-08-17 17:25:18 +02:00
Christian Heimes 9b5907cbd5 Issue #18768: coding style nitpick. Thanks to Vajrasky Kok 2013-08-17 17:19:03 +02:00
Christian Heimes 474afdda60 Issue #18768: coding style nitpick. Thanks to Vajrasky Kok 2013-08-17 17:18:56 +02:00
Ezio Melotti a7e7497d88 #18466: merge with 3.3. 2013-08-17 16:58:13 +03:00
Ezio Melotti 85a8629d21 #18466: fix more typos. Patch by Févry Thibault. 2013-08-17 16:57:41 +03:00
Christian Heimes e06d47c70c Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes 
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
 2013-08-17 00:58:00 +02:00
Christian Heimes 824f7f366d Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes 
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
 2013-08-17 00:54:47 +02:00
Christian Heimes 9bfcaa6fb3 Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if 
X509_get_version() grows beyond our small int cache.
CID 1058279
 2013-07-26 15:51:35 +02:00
Christian Heimes 5962bef8aa Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if 
X509_get_version() grows beyond our small int cache.
CID 1058279
 2013-07-26 15:51:18 +02:00
Victor Stinner 11ebff2757 Issue #18203: Replace malloc() with PyMem_Malloc() in _ssl for the password 2013-07-07 17:07:52 +02:00
Victor Stinner b64049183c Issue #18203: Replace malloc() with PyMem_Malloc() in Python modules 
Replace malloc() with PyMem_Malloc() when the GIL is held, or with
PyMem_RawMalloc() otherwise.
 2013-07-07 16:21:41 +02:00
Victor Stinner 7e00151e1f _ssl.c: strip trailing spaces 2013-06-25 00:44:31 +02:00
Victor Stinner 86073dc3c2 (Merge 3.3) Issue #18135: ssl.SSLSocket.write() now raises an OverflowError if 
the input string in longer than 2 gigabytes, and
ssl.SSLContext.load_cert_chain() raises a ValueError if the password is longer
than 2 gigabytes. The ssl module does not support partial write.
 2013-06-25 00:43:47 +02:00
Victor Stinner 6efa965a27 Issue #18135: ssl.SSLSocket.write() now raises an OverflowError if the input 
string in longer than 2 gigabytes, and ssl.SSLContext.load_cert_chain() raises
a ValueError if the password is longer than 2 gigabytes. The ssl module does
not support partial write.
 2013-06-25 00:42:31 +02:00
Victor Stinner 8cfd67cfe7 (Merge 3.3) Issue #18135: Fix a possible integer overflow in 
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
 2013-06-23 15:09:26 +02:00
Victor Stinner 9ee0203057 Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write() 
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.
 2013-06-23 15:08:23 +02:00
Victor Stinner 4569cd5eab _ssl.c: strip trailing spaces 2013-06-23 14:58:43 +02:00
Christian Heimes 9a5395ae2b Issue #18147: Add diagnostic functions to ssl.SSLContext(). 
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
 2013-06-17 15:44:12 +02:00
Christian Heimes 200bb1b08c Simplify return value of ssl.get_default_verify_paths 
prefix function with PySSL_, too. Other module level functions have a prefix, too.
 2013-06-14 15:14:29 +02:00
Christian Heimes 75b8426698 fixd refleak 2013-06-10 10:47:22 +02:00
Christian Heimes 46bebee25f Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store. 2013-06-09 19:03:31 +02:00
Christian Heimes 142ec2c014 get_default_verify_paths doesn't belong inside the ifdef block 2013-06-09 18:29:54 +02:00
Christian Heimes 6d7ad13a45 Issue #18143: Implement ssl.get_default_verify_paths() in order to debug 
the default locations for cafile and capath.
 2013-06-09 18:02:55 +02:00
Antoine Pitrou 19fef69b75 Fix compilation under MSVC: ssl_set_mode() is a macro, and the MSVC preprocessor doesn't process #ifdef's inside a macro argument list. 
(found explanation at http://www.tech-archive.net/Archive/VC/microsoft.public.vc.language/2007-05/msg00385.html)
 2013-05-25 13:23:03 +02:00
Antoine Pitrou 3a65ad7f08 Issue #8240: Set the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag on SSL sockets. 2013-05-25 13:02:32 +02:00
Antoine Pitrou 50b24d0d7c Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name. 
Patch by Kazuhiro Yoshida.
(originally issue #8109)
 2013-04-11 20:48:42 +02:00
Antoine Pitrou ce852cb8b9 Fix comment about the OpenSSL version in which SNI version was introduced. 2013-03-30 16:45:04 +01:00
Antoine Pitrou edbc18e9d0 Improve set_servername_callback docstring. 2013-03-30 16:40:27 +01:00
Antoine Pitrou a596338bb8 Fix previous fix (the cause was actually a misplaced #endif, or so it seems) 2013-03-30 16:39:00 +01:00
Antoine Pitrou 41f8c4f5e4 Further compiling fixes (issue #17581) 2013-03-30 16:36:54 +01:00
Antoine Pitrou 912fbff105 Issue #17581: try to fix building on old OpenSSL versions 2013-03-30 16:29:32 +01:00
Antoine Pitrou 2463e5fee4 Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù. 2013-03-28 22:24:43 +01:00
Stefan Krah 20d60803d5 Issue #16982: Fix --without-threads build failure. 2013-01-17 17:07:17 +01:00
Antoine Pitrou 1e37e9efa9 SSLContext.load_dh_params() now properly closes the input file. 2013-01-12 21:44:33 +01:00
Antoine Pitrou 457a2292ca SSLContext.load_dh_params() now properly closes the input file. 2013-01-12 21:43:45 +01:00
Antoine Pitrou 5dd12a5978 Fix returning uninitialized variable (issue #8109). 
Found by Christian with Coverity.
 2013-01-06 15:25:36 +01:00
Antoine Pitrou 58ddc9d743 Issue #8109: The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method. 
Patch by Daniel Black.
 2013-01-05 21:20:29 +01:00
Christian Heimes 5cb31c9277 Issue #15977: Fix memory leak in Modules/_ssl.c when the function _set_npn_protocols() is called multiple times 2012-09-20 12:42:54 +02:00
Jesus Cea b7a2800831 MERGE: Closes #15793: Stack corruption in ssl.RAND_egd() 2012-09-11 02:08:48 +02:00
Jesus Cea c8754a13e6 Closes #15793: Stack corruption in ssl.RAND_egd() 2012-09-11 02:00:58 +02:00
Antoine Pitrou 721738fbee Issue #15604: Update uses of PyObject_IsTrue() to check for and handle errors correctly. 
Patch by Serhiy Storchaka.
 2012-08-15 23:20:39 +02:00
Antoine Pitrou 6f430e4963 Issue #15604: Update uses of PyObject_IsTrue() to check for and handle errors correctly. 
Patch by Serhiy Storchaka.
 2012-08-15 23:18:25 +02:00
Antoine Pitrou 3b36fb1f53 Issue #14837: SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule. 
The str() of a SSLError is also enhanced accordingly.

NOTE: this commit creates a reference leak.  The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type.  The leak is on the
type object when it is instantiated:

>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
 2012-06-22 21:11:52 +02:00
Antoine Pitrou d5d17eb653 Issue #14204: The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library. 
Patch by Colin Marc.
 2012-03-22 00:23:03 +01:00
Antoine Pitrou c135fa424e Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay. 2012-02-19 21:22:39 +01:00
Antoine Pitrou a9bf2ac726 Try to really fix compilation failures of the _ssl module under very old OpenSSLs. 2012-02-17 18:47:54 +01:00
Antoine Pitrou e9fccb360f Fix compilation when SSL_OP_SINGLE_ECDH_USE isn't defined 2012-02-17 11:53:10 +01:00
Antoine Pitrou 04d4ee4e56 Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert(). 2012-02-15 22:28:21 +01:00
Antoine Pitrou 2f5a163dfc Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert(). 2012-02-15 22:25:27 +01:00
Antoine Pitrou 9e2e5329dc Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:53:29 +01:00
Antoine Pitrou 3f366314e8 Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:50:45 +01:00
Antoine Pitrou f2bf8a6ac5 Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:48:47 +01:00
Antoine Pitrou 0e576f1f50 Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the 
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
 2011-12-22 10:03:38 +01:00
Antoine Pitrou 501da61671 Fix ssl module compilation if ECDH support was disabled in the OpenSSL build. 
(followup to issue #13627)
 2011-12-21 09:27:41 +01:00
Antoine Pitrou 8abdb8abd8 Issue #13634: Add support for querying and disabling SSL compression. 2011-12-20 10:13:40 +01:00
Antoine Pitrou 923df6f22a Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman 
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
 2011-12-19 17:16:51 +01:00
Antoine Pitrou 6db4944cc5 Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers 
choose the cipher based on their own preferences, rather than on the
client's.
 2011-12-19 13:27:11 +01:00
Antoine Pitrou bc53032408 Issue #13458: Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName. 
Patch by Robert Xiao.
 2011-11-23 01:42:52 +01:00
Antoine Pitrou 116d6b98bf Issue #13458: Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName. 
Patch by Robert Xiao.
 2011-11-23 01:39:19 +01:00
Antoine Pitrou 41032a69c1 Issue #11183: Add finer-grained exceptions to the ssl module, so that 
you don't have to inspect the exception's attributes in the common case.
 2011-10-27 23:56:55 +02:00
Antoine Pitrou a0e0e23299 Add a docstring to SSLError 2011-10-22 23:41:52 +02:00
Antoine Pitrou b7705b7792 Use PyExc_OSError directly instead of grabbing it from the socket module API 2011-10-22 23:37:51 +02:00
Antoine Pitrou a02a12c517 Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:22:30 +02:00
Antoine Pitrou d8c347a8de Issue #13034: When decoding some SSL certificates, the subjectAltName extension could be unreported. 2011-10-01 19:20:25 +02:00
Charles-François Natali ac7e9e058d Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is 
greater than FD_SETSIZE.
 2011-08-28 18:10:27 +02:00
Charles-François Natali aa26b27503 Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is 
greater than FD_SETSIZE.
 2011-08-28 17:51:43 +02:00
Antoine Pitrou 4fd1e6a3ba Issue #12803: SSLContext.load_cert_chain() now accepts a password argument 
to be used if the private key is encrypted.  Patch by Adam Simpkins.
 2011-08-25 14:39:44 +02:00
Antoine Pitrou d649480739 Issue #12551: Provide a get_channel_binding() method on SSL sockets so as 
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented).  This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.

Patch by Jacek Konieczny.
 2011-07-21 01:11:30 +02:00
Antoine Pitrou 7128f95bd2 Issue #12440: When testing whether some bits in SSLContext.options can be 
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
 2011-07-08 18:49:07 +02:00
Antoine Pitrou b9ac25d1c3 Issue #12440: When testing whether some bits in SSLContext.options can be 
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
 2011-07-08 18:47:06 +02:00