Christian Heimes
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module used OpenSSL's
GENERAL_NAME_print() function to get the string representation of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
Christian Heimes
824f7f366d
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module used OpenSSL's
GENERAL_NAME_print() function to get the string representation of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
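The NUL-byte problem behind CVE-2013-4238 (the two #18709 entries above), as an added example that is not part of this commit log or of CPython's _ssl.c: a constructed DER SubjectAltName whose dNSName embeds a NUL is decoded both the way a C-string-style printer sees it (cut off at the NUL) and by honouring the ASN.1 length. The helper names (`parse_san`, `decode_c_string`, `decode_strict`, `hostname_in_san`) and the sample names under `.example` are assumptions made for this example.

```python
"""Added example (not CPython code): NUL bytes inside a subjectAltName dNSName."""
import re

# ---- minimal DER (ASN.1) helpers; enough for a SubjectAltName value --------

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value encoder used to build the constructed sample below."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes):
    """Return (tag, value, rest) for the first TLV in buf, checking bounds."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or len(buf) < 2 + nbytes:
            raise ValueError("bad long-form length")
        length, off = int.from_bytes(buf[2:2 + nbytes], "big"), 2 + nbytes
    if len(buf) < off + length:
        raise ValueError("TLV value runs past the buffer")
    return tag, buf[off:off + length], buf[off + length:]


# GeneralName context-specific tags (RFC 5280): rfc822Name [1], dNSName [2], URI [6]
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI"}


def parse_san(der: bytes) -> list:
    """SubjectAltName ::= SEQUENCE OF GeneralName -> [(kind, raw_bytes), ...].
    The raw value keeps its full ASN.1 length, NUL bytes included."""
    tag, seq, rest = read_tlv(der)
    if tag != 0x30 or rest:
        raise ValueError("SubjectAltName must be exactly one SEQUENCE")
    names = []
    while seq:
        t, v, seq = read_tlv(seq)
        kind = GENERAL_NAME_TAGS.get(t)
        if kind is not None:           # other GeneralName choices are skipped here
            names.append((kind, v))
    return names


def decode_c_string(raw: bytes) -> str:
    """The vulnerable view: a %s-style printer stops at the first NUL byte."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


IA5_HOSTNAME = re.compile(r"^[A-Za-z0-9.*-]+$")


def decode_strict(raw: bytes) -> str:
    """The fixed view: honour the ASN.1 length; a NUL or any non-hostname
    character makes the name unusable rather than silently shorter."""
    if b"\x00" in raw:
        raise ValueError("NUL byte inside dNSName")
    text = raw.decode("ascii")         # IA5String is 7-bit
    if not IA5_HOSTNAME.match(text):
        raise ValueError("non-hostname characters in dNSName")
    return text


def hostname_in_san(der: bytes, hostname: str, strict: bool) -> bool:
    """Exact (case-insensitive) match of hostname against every dNSName.
    strict=False reproduces the truncating behaviour the fix above removed."""
    for kind, raw in parse_san(der):
        if kind != "DNS":
            continue
        try:
            name = decode_strict(raw) if strict else decode_c_string(raw)
        except ValueError:
            continue                   # an undecodable name matches nothing
        if name.lower() == hostname.lower():
            return True
    return False


# Constructed sample (not from the page). An attacker who controls
# ".evil.example" obtains a certificate whose dNSName reads
# "www.good.example\0.evil.example"; a NUL-terminating consumer sees only
# the part before the NUL and accepts the certificate for www.good.example.
CRAFTED_DNSNAME = b"www.good.example\x00.evil.example"
CRAFTED_SAN = tlv(0x30, tlv(0x82, CRAFTED_DNSNAME) + tlv(0x81, b"admin@evil.example"))

if __name__ == "__main__":
    print(parse_san(CRAFTED_SAN))
    print("truncating match:", hostname_in_san(CRAFTED_SAN, "www.good.example", strict=False))
    print("strict match:    ", hostname_in_san(CRAFTED_SAN, "www.good.example", strict=True))
```

The practical check is the one `decode_strict` makes: once a name is taken with its ASN.1 length, a NUL byte has to be treated as a hard error, not as a terminator, and any hostname matcher downstream (here `hostname_in_san`, in CPython `ssl.match_hostname`) must only ever see names that passed that check.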
Christian Heimes
9bfcaa6fb3
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:35 +02:00
Christian Heimes
5962bef8aa
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:18 +02:00
Victor Stinner
11ebff2757
Issue #18203 : Replace malloc() with PyMem_Malloc() in _ssl for the password
2013-07-07 17:07:52 +02:00
Victor Stinner
b64049183c
Issue #18203 : Replace malloc() with PyMem_Malloc() in Python modules
Replace malloc() with PyMem_Malloc() when the GIL is held, or with
PyMem_RawMalloc() otherwise.
2013-07-07 16:21:41 +02:00
Victor Stinner
7e00151e1f
_ssl.c: strip trailing spaces
2013-06-25 00:44:31 +02:00
Victor Stinner
86073dc3c2
(Merge 3.3) Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if
the input string is longer than 2 gigabytes, and
ssl.SSLContext.load_cert_chain() raises a ValueError if the password is longer
than 2 gigabytes. The ssl module does not support partial write.
2013-06-25 00:43:47 +02:00
Victor Stinner
6efa965a27
Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if the input
string is longer than 2 gigabytes, and ssl.SSLContext.load_cert_chain() raises
a ValueError if the password is longer than 2 gigabytes. The ssl module does
not support partial write.
2013-06-25 00:42:31 +02:00
Victor Stinner
8cfd67cfe7
(Merge 3.3) Issue #18135 : Fix a possible integer overflow in
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
2013-06-23 15:09:26 +02:00
Victor Stinner
9ee0203057
Issue #18135 : Fix a possible integer overflow in ssl.SSLSocket.write()
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.
2013-06-23 15:08:23 +02:00
Victor Stinner
4569cd5eab
_ssl.c: strip trailing spaces
2013-06-23 14:58:43 +02:00
Christian Heimes
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
the number of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
Christian Heimes
200bb1b08c
Simplify return value of ssl.get_default_verify_paths
prefix function with PySSL_, too. Other module level functions have a prefix, too.
2013-06-14 15:14:29 +02:00
Christian Heimes
75b8426698
Fixed refleak
2013-06-10 10:47:22 +02:00
Christian Heimes
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
Christian Heimes
142ec2c014
get_default_verify_paths doesn't belong inside the ifdef block
2013-06-09 18:29:54 +02:00
Christian Heimes
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou
19fef69b75
Fix compilation under MSVC: ssl_set_mode() is a macro, and the MSVC preprocessor doesn't process #ifdef's inside a macro argument list.
(found explanation at http://www.tech-archive.net/Archive/VC/microsoft.public.vc.language/2007-05/msg00385.html )
2013-05-25 13:23:03 +02:00
Antoine Pitrou
3a65ad7f08
Issue #8240 : Set the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag on SSL sockets.
2013-05-25 13:02:32 +02:00
Antoine Pitrou
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
Antoine Pitrou
ce852cb8b9
Fix comment about the OpenSSL version in which SNI version was introduced.
2013-03-30 16:45:04 +01:00
Antoine Pitrou
edbc18e9d0
Improve set_servername_callback docstring.
2013-03-30 16:40:27 +01:00
Antoine Pitrou
a596338bb8
Fix previous fix (the cause was actually a misplaced #endif, or so it seems)
2013-03-30 16:39:00 +01:00
Antoine Pitrou
41f8c4f5e4
Further compiling fixes (issue #17581 )
2013-03-30 16:36:54 +01:00
Antoine Pitrou
912fbff105
Issue #17581 : try to fix building on old OpenSSL versions
2013-03-30 16:29:32 +01:00
Antoine Pitrou
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
Stefan Krah
20d60803d5
Issue #16982 : Fix --without-threads build failure.
2013-01-17 17:07:17 +01:00
Antoine Pitrou
1e37e9efa9
SSLContext.load_dh_params() now properly closes the input file.
2013-01-12 21:44:33 +01:00
Antoine Pitrou
457a2292ca
SSLContext.load_dh_params() now properly closes the input file.
2013-01-12 21:43:45 +01:00
Antoine Pitrou
5dd12a5978
Fix returning uninitialized variable (issue #8109 ).
Found by Christian with Coverity.
2013-01-06 15:25:36 +01:00
Antoine Pitrou
58ddc9d743
Issue #8109 : The ssl module now has support for server-side SNI, thanks to a :meth:`SSLContext.set_servername_callback` method.
Patch by Daniel Black.
2013-01-05 21:20:29 +01:00
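A server-side SNI dispatcher for the callback that #8109 above adds, written to survive the case the later crash fix covers (a client that sends no server name, so the callback receives `None`). This is an added example, not code from the commit log or from CPython; `resolve_context`, `make_sni_callback`, `build_listener` and the `.example.test` hostnames are assumptions made for it. Only the lookup logic runs here: the contexts are created without certificates, so no handshake is attempted.

```python
"""Added example (not CPython code): choosing a certificate from the SNI name."""
import ssl

UNRECOGNIZED_NAME = ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME


def new_server_context() -> ssl.SSLContext:
    """A bare server context; real use would call load_cert_chain() on it."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def resolve_context(contexts: dict, server_name, strict: bool):
    """Pure lookup, kept apart from the socket side effect so it can be tested.

    contexts maps a lowercase hostname, or a one-label wildcard such as
    "*.example.test", to the SSLContext holding that host's certificate.
    Returns (context_or_None, alert_or_None).
    """
    if server_name is None:
        # The client sent no SNI extension at all (the crash case fixed
        # above): keep whatever context the listening socket already has.
        return None, None
    name = server_name.lower().rstrip(".")
    ctx = contexts.get(name)
    if ctx is None and "." in name:
        ctx = contexts.get("*." + name.split(".", 1)[1])
    if ctx is None:
        # Unknown host: abort with unrecognized_name, or fall through to the
        # default certificate when the operator prefers a soft failure.
        return None, (UNRECOGNIZED_NAME if strict else None)
    return ctx, None


def make_sni_callback(contexts: dict, strict: bool = False):
    """Build the callable for SSLContext.sni_callback (the attribute spelling
    of set_servername_callback()). It is called with (SSLSocket, server_name,
    initial_context); returning None continues the handshake and returning an
    ALERT_DESCRIPTION_* integer aborts it with that alert."""
    def callback(sslsock, server_name, _initial_ctx):
        ctx, alert = resolve_context(contexts, server_name, strict)
        if alert is not None:
            return alert
        if ctx is not None:
            sslsock.context = ctx      # swap in this host's certificate and key
        return None
    return callback


def build_listener(contexts: dict, strict: bool = False) -> ssl.SSLContext:
    """Default server context with the SNI dispatcher installed."""
    default = new_server_context()
    default.sni_callback = make_sni_callback(contexts, strict)
    return default


if __name__ == "__main__":
    api_ctx = new_server_context()
    hosts = {"api.example.test": api_ctx, "*.example.test": api_ctx}
    listener = build_listener(hosts, strict=True)
    print(resolve_context(hosts, None, True))
    print(resolve_context(hosts, "shop.example.test", True))
    print(resolve_context(hosts, "nope.invalid", True))
```

Two points to keep: the `None` branch must exist, because without SNI the callback is still invoked, and an exception escaping the callback turns into an internal_error alert rather than a clean refusal, so unknown names are signalled with a return value instead.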
Christian Heimes
5cb31c9277
Issue #15977 : Fix memory leak in Modules/_ssl.c when the function _set_npn_protocols() is called multiple times
2012-09-20 12:42:54 +02:00
Jesus Cea
b7a2800831
MERGE: Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:08:48 +02:00
Jesus Cea
c8754a13e6
Closes #15793 : Stack corruption in ssl.RAND_egd()
2012-09-11 02:00:58 +02:00
Antoine Pitrou
721738fbee
Issue #15604 : Update uses of PyObject_IsTrue() to check for and handle errors correctly.
Patch by Serhiy Storchaka.
2012-08-15 23:20:39 +02:00
Antoine Pitrou
6f430e4963
Issue #15604 : Update uses of PyObject_IsTrue() to check for and handle errors correctly.
Patch by Serhiy Storchaka.
2012-08-15 23:18:25 +02:00
Antoine Pitrou
3b36fb1f53
Issue #14837 : SSL errors now have `library` and `reason` attributes describing precisely what happened and in which OpenSSL submodule.
The str() of a SSLError is also enhanced accordingly.
NOTE: this commit creates a reference leak. The leak seems tied to the
use of PyType_FromSpec() to create the SSLError type. The leak is on the
type object when it is instantiated:
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
35
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
36
>>> e = ssl.SSLError()
>>> sys.getrefcount(ssl.SSLError)
37
2012-06-22 21:11:52 +02:00
Antoine Pitrou
d5d17eb653
Issue #14204 : The ssl module now has support for the Next Protocol Negotiation extension, if available in the underlying OpenSSL library.
Patch by Colin Marc.
2012-03-22 00:23:03 +01:00
Antoine Pitrou
c135fa424e
Fix last remaining build issues of _ssl under old OpenSSLs. Patch by Vinay.
2012-02-19 21:22:39 +01:00
Antoine Pitrou
a9bf2ac726
Try to really fix compilation failures of the _ssl module under very old OpenSSLs.
2012-02-17 18:47:54 +01:00
Antoine Pitrou
e9fccb360f
Fix compilation when SSL_OP_SINGLE_ECDH_USE isn't defined
2012-02-17 11:53:10 +01:00
Antoine Pitrou
04d4ee4e56
Issue #13014 : Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:28:21 +01:00
Antoine Pitrou
2f5a163dfc
Issue #13014 : Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:25:27 +01:00
Antoine Pitrou
9e2e5329dc
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:53:29 +01:00
Antoine Pitrou
3f366314e8
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:50:45 +01:00
Antoine Pitrou
f2bf8a6ac5
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:48:47 +01:00
Antoine Pitrou
0e576f1f50
Issue #13626 : Add support for SSL Diffie-Hellman key exchange, through the
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.
2011-12-22 10:03:38 +01:00
Antoine Pitrou
501da61671
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
(followup to issue #13627 )
2011-12-21 09:27:41 +01:00
Antoine Pitrou
8abdb8abd8
Issue #13634 : Add support for querying and disabling SSL compression.
2011-12-20 10:13:40 +01:00
Antoine Pitrou
923df6f22a
Issue #13627 : Add support for SSL Elliptic Curve-based Diffie-Hellman
key exchange, through the SSLContext.set_ecdh_curve() method and the
ssl.OP_SINGLE_ECDH_USE option.
2011-12-19 17:16:51 +01:00
Antoine Pitrou
6db4944cc5
Issue #13635 : Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
choose the cipher based on their own preferences, rather than on the
client's.
2011-12-19 13:27:11 +01:00
Antoine Pitrou
bc53032408
Issue #13458 : Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
Patch by Robert Xiao.
2011-11-23 01:42:52 +01:00
Antoine Pitrou
116d6b98bf
Issue #13458 : Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
Patch by Robert Xiao.
2011-11-23 01:39:19 +01:00
Antoine Pitrou
41032a69c1
Issue #11183 : Add finer-grained exceptions to the ssl module, so that
you don't have to inspect the exception's attributes in the common case.
2011-10-27 23:56:55 +02:00
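The finer-grained exceptions from #11183 above and the `library`/`reason` attributes from #14837, driven through in-memory BIOs so that no network, server or certificate is needed. This is an added example, not code from the commit log or from CPython; `new_client`, `classify`, `step`, `first_step`, `alert_step` and the hand-built alert record are assumptions made for it.

```python
"""Added example (not CPython code): SSLError subclasses and library/reason."""
import ssl


def new_client(hostname: str = "example.test"):
    """A client SSLObject wired to MemoryBIO pairs. Verification is off because
    no server will ever answer; the subject is error reporting, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    obj = ctx.wrap_bio(incoming, outgoing, server_side=False, server_hostname=hostname)
    return obj, incoming, outgoing


def classify(exc: BaseException) -> dict:
    """Reduce an SSL exception to what a non-blocking caller branches on."""
    return {
        "type": type(exc).__name__,
        "want_read": isinstance(exc, ssl.SSLWantReadError),
        "want_write": isinstance(exc, ssl.SSLWantWriteError),
        "eof": isinstance(exc, ssl.SSLEOFError),
        "library": getattr(exc, "library", None),
        "reason": getattr(exc, "reason", None),
    }


def step(obj: ssl.SSLObject):
    """One handshake step: None on completion, otherwise classify()'d error."""
    try:
        obj.do_handshake()
        return None
    except ssl.SSLError as exc:
        return classify(exc)


def first_step() -> dict:
    """The client emits its ClientHello and then needs the server's reply, so
    the first call reports SSLWantReadError instead of an opaque SSLError."""
    obj, _incoming, outgoing = new_client()
    outcome = step(obj)
    outcome["client_hello_bytes"] = outgoing.pending   # ClientHello is waiting
    return outcome


# Constructed TLS record (not captured from any server): content type alert
# (0x15), record version 3.1, length 2, level fatal (2), description
# handshake_failure (40).
FATAL_HANDSHAKE_FAILURE = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])


def alert_step() -> dict:
    """Feed a fatal alert after the ClientHello: the failure now carries the
    OpenSSL submodule ('SSL') and a symbolic reason, not just an errno."""
    obj, incoming, _outgoing = new_client()
    step(obj)                          # ClientHello out, SSLWantReadError
    incoming.write(FATAL_HANDSHAKE_FAILURE)
    return step(obj)


if __name__ == "__main__":
    print(first_step())
    print(alert_step())
```

In an event loop the `want_read`/`want_write` distinction is what decides which readiness to wait for; the `library`/`reason` pair is what belongs in a log line or an alert rule, since the numeric `errno` of a generic `SSLError` says nothing about which OpenSSL routine refused.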
Antoine Pitrou
a0e0e23299
Add a docstring to SSLError
2011-10-22 23:41:52 +02:00
Antoine Pitrou
b7705b7792
Use PyExc_OSError directly instead of grabbing it from the socket module API
2011-10-22 23:37:51 +02:00
Antoine Pitrou
a02a12c517
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:22:30 +02:00
Antoine Pitrou
d8c347a8de
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:20:25 +02:00
Charles-François Natali
ac7e9e058d
Issue #12287 : Fix a stack corruption in ossaudiodev module when the FD is
greater than FD_SETSIZE.
2011-08-28 18:10:27 +02:00
Charles-François Natali
aa26b27503
Issue #12287 : Fix a stack corruption in ossaudiodev module when the FD is
greater than FD_SETSIZE.
2011-08-28 17:51:43 +02:00
Antoine Pitrou
4fd1e6a3ba
Issue #12803 : SSLContext.load_cert_chain() now accepts a password argument
to be used if the private key is encrypted. Patch by Adam Simpkins.
2011-08-25 14:39:44 +02:00
Antoine Pitrou
d649480739
Issue #12551 : Provide a get_channel_binding() method on SSL sockets so as
to get channel binding data for the current SSL session (only the
"tls-unique" channel binding is implemented). This allows the
implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS.
Patch by Jacek Konieczny.
2011-07-21 01:11:30 +02:00
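What the "tls-unique" data from `get_channel_binding()` is for, shown on the SCRAM-SHA-1-PLUS mechanism the entry names (RFC 5802). This is an added example, not code from the commit log, CPython or any SCRAM library; the user, password, nonces, salt and the two 12-byte stand-ins for the binding value are constructed, and the function names are assumptions made for it. In a real deployment each side would obtain its own value with `sock.get_channel_binding("tls-unique")` on its end of the TLS connection.

```python
"""Added example (not CPython code): tls-unique folded into SCRAM-SHA-1-PLUS."""
import base64
import hashlib
import hmac

GS2_HEADER = b"p=tls-unique,,"   # "p=" means the client requires channel binding


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi() is PBKDF2 with HMAC-SHA-1."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_store(password: bytes, salt: bytes, iterations: int) -> dict:
    """What the server keeps per user instead of the password."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt, "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


def parse_attrs(message: bytes) -> dict:
    """SCRAM messages are comma-separated "x=value" attributes."""
    return dict(part.split(b"=", 1) for part in message.split(b","))


def client_final(username, password, client_nonce, server_first, tls_unique):
    """client-final-message; c= carries base64(gs2-header || tls-unique bytes),
    so the binding becomes part of AuthMessage and hence of the proof."""
    attrs = parse_attrs(server_first)
    salt, iterations = base64.b64decode(attrs[b"s"]), int(attrs[b"i"])
    client_first_bare = b"n=" + username + b",r=" + client_nonce
    without_proof = b"c=" + base64.b64encode(GS2_HEADER + tls_unique) + b",r=" + attrs[b"r"]
    auth_message = b",".join([client_first_bare, server_first, without_proof])
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return without_proof + b",p=" + base64.b64encode(xor(client_key, client_sig))


def server_verify(store, username, client_nonce, server_first, final, tls_unique) -> bool:
    """Server side: rebuild c= from ITS OWN connection's tls-unique value."""
    attrs = parse_attrs(final)
    expected_c = base64.b64encode(GS2_HEADER + tls_unique)
    if not hmac.compare_digest(attrs[b"c"], expected_c):
        return False        # the client authenticated over a different TLS session
    without_proof = b"c=" + attrs[b"c"] + b",r=" + attrs[b"r"]
    client_first_bare = b"n=" + username + b",r=" + client_nonce
    auth_message = b",".join([client_first_bare, server_first, without_proof])
    client_sig = hmac.new(store["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = xor(base64.b64decode(attrs[b"p"]), client_sig)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), store["stored_key"])


# Constructed data (not from the page). A and B stand in for the first
# Finished message of two different TLS 1.2 sessions: the client's session
# with the server, and the second leg a TLS-terminating MITM would open.
USER, PASSWORD = b"alice", b"correct horse battery"
SALT, ITERATIONS = b"\x10" * 16, 4096
CLIENT_NONCE, SERVER_NONCE = b"fyko+d2lbbFgONRv9qkxdawL", b"3rfcNHYJY1ZVvWVs7j"
TLS_UNIQUE_A = bytes(range(12))
TLS_UNIQUE_B = bytes(range(12, 24))


def run_exchange(client_binding: bytes, server_binding: bytes,
                 password: bytes = PASSWORD) -> bool:
    """Full exchange with the binding each side believes it has."""
    store = server_store(PASSWORD, SALT, ITERATIONS)
    server_first = (b"r=" + CLIENT_NONCE + SERVER_NONCE + b",s=" + base64.b64encode(SALT)
                    + b",i=" + str(ITERATIONS).encode())
    final = client_final(USER, password, CLIENT_NONCE, server_first, client_binding)
    return server_verify(store, USER, CLIENT_NONCE, server_first, final, server_binding)


if __name__ == "__main__":
    print("same session:", run_exchange(TLS_UNIQUE_A, TLS_UNIQUE_A))
    print("relayed through a MITM:", run_exchange(TLS_UNIQUE_A, TLS_UNIQUE_B))
```

The mismatch case is the whole point of the "-PLUS" variant: a relay that terminates TLS holds two sessions with two different Finished messages, so the client's proof, which commits to its own session's value, cannot be replayed on the other leg. Two caveats: tls-unique was weakened by the triple-handshake attack (the extended master secret of RFC 7627 repairs it), and RFC 8446 defines no tls-unique for TLS 1.3, where RFC 9266's tls-exporter is the replacement; the entry above implements "tls-unique" only.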
Antoine Pitrou
7128f95bd2
Issue #12440 : When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:49:07 +02:00
Antoine Pitrou
b9ac25d1c3
Issue #12440 : When testing whether some bits in SSLContext.options can be
reset, check the version of the OpenSSL headers Python was compiled against,
rather than the runtime version of the OpenSSL library.
2011-07-08 18:47:06 +02:00
Victor Stinner
99c8b16143
Issue #12049 : Add RAND_bytes() and RAND_pseudo_bytes() functions to the ssl
module.
2011-05-24 12:05:19 +02:00
Victor Stinner
17ca323e7c
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Also optimize ssl.get_protocol_name(): speed does matter!
2011-05-10 00:48:41 +02:00
Victor Stinner
ee18b6f2fd
Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Also optimize ssl.get_protocol_name(): speed does matter!
2011-05-10 00:38:00 +02:00
Victor Stinner
3de49192aa
Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Also optimize ssl.get_protocol_name(): speed does matter!
2011-05-09 00:42:58 +02:00
Antoine Pitrou
a7caec74aa
Merge fix for issue #11746
2011-04-03 18:16:50 +02:00
Antoine Pitrou
9c25486093
Issue #11746 : Fix SSLContext.load_cert_chain() to accept elliptic curve private keys.
2011-04-03 18:15:34 +02:00
Brett Cannon
b94767ff44
Issue #8914 : fix various warnings from the Clang static analyzer v254.
2011-02-22 20:15:44 +00:00
Victor Stinner
80f75e684e
Issue #10989 : Fix a crash on SSLContext.load_verify_locations(None, True).
Patch reviewed by Antoine Pitrou, okayed by Georg Brandl.
2011-01-29 11:31:20 +00:00
Hirokazu Yamamoto
8e63c687ef
Merged revisions 87140 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r87140 | hirokazu.yamamoto | 2010-12-09 19:49:00 +0900 (Thu, 09 12 2010) | 2 lines
Should call Py_INCREF for Py_None (Modules/_ssl.c: PySSL_cipher)
........
2010-12-09 12:30:05 +00:00
Hirokazu Yamamoto
524f10359b
Should call Py_INCREF for Py_None (Modules/_ssl.c: PySSL_cipher)
2010-12-09 10:49:00 +00:00
Antoine Pitrou
c4df784514
Issue #10272 : The ssl module now raises socket.timeout instead of a generic
SSLError on socket timeouts.
2010-12-03 19:59:41 +00:00
Antoine Pitrou
664c2d1fc0
Issue #10443 : Add the SSLContext.set_default_verify_paths() method.
2010-11-17 20:29:42 +00:00
Antoine Pitrou
fb0469112f
Issue #10022 : The dictionary returned by the `getpeercert()` method
of SSL sockets now has additional items such as `issuer` and `notBefore`.
2010-11-09 20:21:19 +00:00
Antoine Pitrou
d532321f7b
Issue #5639 : Add a *server_hostname* argument to `SSLContext.wrap_socket`
in order to support the TLS SNI extension. `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
2010-10-22 18:19:07 +00:00
Benjamin Peterson
31370951c0
Merged revisions 85432 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r85432 | benjamin.peterson | 2010-10-13 17:06:39 -0500 (Wed, 13 Oct 2010) | 1 line
constify to appease compiler warnings
........
2010-10-13 22:20:48 +00:00
Benjamin Peterson
eb1410fc40
constify to appease compiler warnings
2010-10-13 22:06:39 +00:00
Antoine Pitrou
fc113eeb7d
Define a "session_id_context" at context creation. This is recommended
...
for the OpenSSL server-side session cache.
2010-10-13 12:46:13 +00:00
Gregory P. Smith
bd4dacb3f9
Fix compile on NetBSD 5.0 (or anything else using an old 0.9.9-dev OpenSSL).
2010-10-13 03:53:21 +00:00
Antoine Pitrou
b0182c8ca5
Issue #10075 : Add a session_stats() method to SSLContext objects.
2010-10-12 20:09:02 +00:00
Antoine Pitrou
10c4c23a25
Merged revisions 84464 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r84464 | antoine.pitrou | 2010-09-03 20:38:17 +0200 (Fri, 03 Sep 2010) | 3 lines
Issue #3805 : clean up implementation of the _read method in _ssl.c.
........
2010-09-03 18:39:47 +00:00
Antoine Pitrou
24e561ae04
Issue #3805 : clean up implementation of the _read method in _ssl.c.
2010-09-03 18:38:17 +00:00
Antoine Pitrou
67e8e5633e
Try to fix some buildbot failures on test_ssl
2010-09-01 20:55:41 +00:00
Giampaolo Rodolà
e0f9863a61
Issue #9693 - msg 115273: attempt to fix ssl module failures on certain OpenSSL versions by calling ERR_clear_error() before raising IOError
2010-09-01 19:28:49 +00:00
Giampaolo Rodolà
745ab3807e
Fix issue #9706: provide better error handling for various SSL operations
2010-08-29 19:25:49 +00:00
Mark Dickinson
732cc9be1e
Merged revisions 83677 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r83677 | mark.dickinson | 2010-08-03 19:31:54 +0100 (Tue, 03 Aug 2010) | 1 line
Fix memory leak in ssl module.
........
2010-08-03 18:33:11 +00:00
Mark Dickinson
ee55df5c85
Fix memory leak in ssl module.
2010-08-03 18:31:54 +00:00
Antoine Pitrou
4b261d2073
Merged revisions 82211 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
................
r82211 | antoine.pitrou | 2010-06-25 02:07:34 +0200 (Fri, 25 Jun 2010) | 10 lines
Merged revisions 82210 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r82210 | antoine.pitrou | 2010-06-25 02:03:21 +0200 (Fri, 25 Jun 2010) | 4 lines
Issue #9075 : In the ssl module, remove the setting of a `debug` flag
on an OpenSSL structure.
........
................
2010-06-25 00:13:19 +00:00
Antoine Pitrou
6186bfb735
Merged revisions 82210 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r82210 | antoine.pitrou | 2010-06-25 02:03:21 +0200 (Fri, 25 Jun 2010) | 4 lines
Issue #9075 : In the ssl module, remove the setting of a `debug` flag
on an OpenSSL structure.
........
2010-06-25 00:07:34 +00:00
Antoine Pitrou
94fbaac58d
Merged revisions 82204 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r82204 | antoine.pitrou | 2010-06-25 00:34:04 +0200 (Fri, 25 Jun 2010) | 5 lines
Issue #8682 : The ssl module now temporarily increments the reference count of
a socket object got through `PyWeakref_GetObject`, so as to avoid possible
deallocation while the object is still being used.
........
2010-06-24 22:49:57 +00:00
Antoine Pitrou
8bae4ec622
Issue #8682 : The ssl module now temporarily increments the reference count of
a socket object got through `PyWeakref_GetObject`, so as to avoid possible
deallocation while the object is still being used.
2010-06-24 22:34:04 +00:00
Antoine Pitrou
b52187710e
Issue #4870 : Add an `options` attribute to SSL contexts, as well as
several ``OP_*`` constants to the `ssl` module. This allows selectively
disabling protocol versions, when used in combination with `PROTOCOL_SSLv23`.
2010-05-21 09:56:06 +00:00
Antoine Pitrou
321257da1a
Merged revisions 81242 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
................
r81242 | antoine.pitrou | 2010-05-17 01:14:22 +0200 (Mon, 17 May 2010) | 10 lines
Merged revisions 81241 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r81241 | antoine.pitrou | 2010-05-17 01:11:46 +0200 (Mon, 17 May 2010) | 4 lines
Clear the OpenSSL error queue each time an error is signalled.
When the error queue is not emptied, strange things can happen on the next SSL call, depending on the OpenSSL version.
........
................
2010-05-16 23:18:00 +00:00
Antoine Pitrou
9d74b42aca
Merged revisions 81241 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r81241 | antoine.pitrou | 2010-05-17 01:11:46 +0200 (Mon, 17 May 2010) | 4 lines
Clear the OpenSSL error queue each time an error is signalled.
When the error queue is not emptied, strange things can happen on the next SSL call, depending on the OpenSSL version.
........
2010-05-16 23:14:22 +00:00
Victor Stinner
f9faaad801
Issue #8477 : ssl.RAND_egd() supports str with surrogates and bytes for the path
2010-05-16 21:36:37 +00:00
Victor Stinner
3800e1e961
Issue #8477 : _ssl._test_decode_cert() supports str with surrogates and bytes
for the filename
2010-05-16 21:23:48 +00:00