Commit Graph

60 Commits

Author SHA1 Message Date
Antoine Pitrou d358e0554b Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. 2012-01-27 09:42:45 +01:00
Mark Dickinson c1ef2fa45f Merged revisions 83680,83685 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/release27-maint

................
  r83680 | mark.dickinson | 2010-08-03 19:34:53 +0100 (Tue, 03 Aug 2010) | 9 lines

  Merged revisions 83677 via svnmerge from
  svn+ssh://pythondev@svn.python.org/python/branches/py3k

  ........
    r83677 | mark.dickinson | 2010-08-03 19:31:54 +0100 (Tue, 03 Aug 2010) | 1 line

    Fix memory leak in ssl module.
  ........
................
  r83685 | mark.dickinson | 2010-08-03 19:46:28 +0100 (Tue, 03 Aug 2010) | 9 lines

  Merged revisions 83683 via svnmerge from
  svn+ssh://pythondev@svn.python.org/python/branches/py3k

  ........
    r83683 | mark.dickinson | 2010-08-03 19:44:16 +0100 (Tue, 03 Aug 2010) | 1 line

    Misc/NEWS entry for r83677.
  ........
................
2010-08-03 18:50:32 +00:00
Antoine Pitrou b4f0e644bc Merged revisions 82210 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r82210 | antoine.pitrou | 2010-06-25 02:03:21 +0200 (ven., 25 juin 2010) | 4 lines

  Issue #9075: In the ssl module, remove the setting of a `debug` flag
  on an OpenSSL structure.
........
2010-06-25 00:09:05 +00:00
Antoine Pitrou b6e3e3ab92 Merged revisions 81241 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r81241 | antoine.pitrou | 2010-05-17 01:11:46 +0200 (lun., 17 mai 2010) | 4 lines

  Clear the OpenSSL error queue each time an error is signalled.
  When the error queue is not emptied, strange things can happen on the next SSL call, depending on the OpenSSL version.
........
2010-05-16 23:14:34 +00:00
Antoine Pitrou 96125cf170 Merged revisions 81115 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r81115 | antoine.pitrou | 2010-05-12 16:02:34 +0200 (mer., 12 mai 2010) | 3 lines

  Improve _ssl.c formatting
........
2010-05-12 14:05:34 +00:00
Antoine Pitrou 7fd622afd7 Merged revisions 80789 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80789 | antoine.pitrou | 2010-05-05 17:53:45 +0200 (mer., 05 mai 2010) | 3 lines

  Untabify Modules/_ssl.c
........
2010-05-05 15:59:19 +00:00
Antoine Pitrou bcc17e7223 Merged revisions 80540 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80540 | antoine.pitrou | 2010-04-27 21:09:59 +0200 (mar., 27 avril 2010) | 4 lines

  Issue #8549: Fix compiling the _ssl extension under AIX.  Patch by
  Sridhar Ratnakumar.
........
2010-04-27 19:13:23 +00:00
Antoine Pitrou c689d96044 Merged revisions 80451-80452 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80451 | antoine.pitrou | 2010-04-24 21:57:01 +0200 (sam., 24 avril 2010) | 4 lines

  The do_handshake() method of SSL objects now adjusts the blocking mode of
  the SSL structure if necessary (as other methods already do).
........
  r80452 | antoine.pitrou | 2010-04-24 22:04:58 +0200 (sam., 24 avril 2010) | 4 lines

  Issue #5103: SSL handshake would ignore the socket timeout and block
  indefinitely if the other end didn't respond.
........
2010-04-24 20:13:37 +00:00
Antoine Pitrou 07072168fb Merged revisions 80392 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80392 | antoine.pitrou | 2010-04-23 01:33:02 +0200 (ven., 23 avril 2010) | 9 lines

  Issue #8108: Fix the unwrap() method of SSL objects when the socket has
  a non-infinite timeout.  Also make that method friendlier with applications
  wanting to continue using the socket in clear-text mode, by disabling
  OpenSSL's internal readahead.  Thanks to Darryl Miles for guidance.

  Issue #8108: test_ftplib's non-blocking SSL server now has proper handling
  of SSL shutdowns.
........
2010-04-23 21:07:58 +00:00
Antoine Pitrou 878602a284 Merged revisions 80314-80315 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r80314 | antoine.pitrou | 2010-04-21 21:28:03 +0200 (mer., 21 avril 2010) | 5 lines

  Issue #8484: Load all ciphers and digest algorithms when initializing
  the _ssl extension, such that verification of some SSL certificates
  doesn't fail because of an "unknown algorithm".
........
  r80315 | antoine.pitrou | 2010-04-21 21:36:23 +0200 (mer., 21 avril 2010) | 3 lines

  Forgot to add the sample certificate (followup to r80314)
........
2010-04-21 19:41:28 +00:00
Antoine Pitrou 206685be96 Merged revisions 79910 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r79910 | antoine.pitrou | 2010-04-09 22:38:39 +0200 (ven., 09 avril 2010) | 4 lines

  SSL_MODE_AUTO_RETRY has been added in OpenSSL 0.9.6.  Fix compilation
  with earlier versions.
........
2010-04-09 20:44:09 +00:00
Antoine Pitrou cfd6200db5 Merged revisions 79448 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r79448 | antoine.pitrou | 2010-03-26 20:27:16 +0100 (ven., 26 mars 2010) | 6 lines

  Issue #8222: Enable the SSL_MODE_AUTO_RETRY flag on SSL sockets, so that blocking
  reads and writes are always retried by OpenSSL itself.

  (this is a followup to issue #3890)
........
2010-03-26 19:33:53 +00:00
Barry Warsaw 3c67d6ae54 Reverting r78597. This is not a critical fix and we're in rc mode. 2010-03-03 12:34:43 +00:00
Victor Stinner 8898b24bf9 Merged revisions 78596 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r78596 | victor.stinner | 2010-03-02 23:44:42 +0100 (mar., 02 mars 2010) | 4 lines

  Issue #2973: Fix gcc warning on the 2nd argument of ASN1_item_d2i() and
  method->d2i(): OpenSSL API changed in OpenSSL 0.9.6m. Patch written by Daniel
  Black.
........
2010-03-02 22:46:25 +00:00
Raymond Hettinger 8fb67e038e Fix signed/unsigned mismatch. 2009-01-26 16:55:41 +00:00
Bill Janssen 934b16d0c2 various SSL fixes; issues 1251, 3162, 3212 2008-06-28 22:19:33 +00:00
Gregory P. Smith dd96db63f6 This reverts r63675 based on the discussion in this thread:
http://mail.python.org/pipermail/python-dev/2008-June/079988.html

Python 2.6 should stick with PyString_* in its codebase.  The PyBytes_* names
in the spirit of 3.0 are available via a #define only.  See the email thread.
2008-06-09 04:58:54 +00:00
Christian Heimes 593daf545b Renamed PyString to PyBytes 2008-05-26 12:51:38 +00:00
Neal Norwitz 5802bb2319 Fix compiler warnings 2008-03-27 05:03:11 +00:00
Neal Norwitz e9057ff1a9 Initialize variable to prevent warning on some platform/config. 2008-01-27 17:10:35 +00:00
Christian Heimes e93237dfcc #1629: Renamed Py_Size, Py_Type and Py_Refcnt to Py_SIZE, Py_TYPE and Py_REFCNT. Macros for b/w compatibility are available. 2007-12-19 02:37:44 +00:00
Christian Heimes a63f268351 Fixed warning in ssl module 2007-12-14 04:38:13 +00:00
Bill Janssen 296a59d3be Add support for asyncore server-side SSL support. This requires
adding the 'makefile' method to ssl.SSLSocket, and importing the
requisite fakefile class from socket.py, and making the appropriate
changes to it to make it use the SSL connection.

Added sample HTTPS server to test_ssl.py, and test that uses it.

Change SSL tests to use https://svn.python.org/, instead of
www.sf.net and pop.gmail.com.

Added utility function to ssl module, get_server_certificate,
to wrap up the several things to be done to pull a certificate
from a remote server.
2007-09-16 22:06:00 +00:00
Bill Janssen 98d19dafd9 More work on SSL support.
* Much expanded test suite:

  All protocols tested against all other protocols.
  All protocols tested with all certificate options.
  Tests for bad key and bad cert.
  Test of STARTTLS functionality.
  Test of RAND_* functions.

* Fixes for threading/malloc bug.

* Issue 1065 fixed:

  sslsocket class renamed to SSLSocket.
  sslerror class renamed to SSLError.
  Function "wrap_socket" now used to wrap an existing socket.

* Issue 1583946 finally fixed:

  Support for subjectAltName added.
  Subject name now returned as proper DN list of RDNs.

* SSLError exported from socket as "sslerror".

* RAND_* functions properly exported from ssl.py.

* Documentation improved:

  Example of how to create a self-signed certificate.
  Better indexing.
2007-09-10 21:51:02 +00:00
Bill Janssen ffe576dc78 SSL certificate distinguished names should be represented by tuples 2007-09-05 00:46:27 +00:00
Guido van Rossum 780b80dc08 > Some of the code sets the error string in this directly before
> returning NULL, and other pieces of the code call PySSL_SetError,
> which creates the error string.  I think some of the places which set
> the string directly probably shouldn't; instead, they should call
> PySSL_SetError to cons up the error name directly from the err code.
> However, PySSL_SetError only works after the construction of an ssl
> object, which means it can't be used there...  I'll take a longer look
> at it and see if there's a reasonable fix.

Here's a patch which addresses this.  It also fixes the indentation in
PySSL_SetError, bringing it into line with PEP 7, fixes a compile warning
about one of the OpenSSL macros, and makes the namespace a bit more
consistent.  I've tested it on FC 7 and OS X 10.4.

% ./python ./Lib/test/regrtest.py -R :1: -u all test_ssl
test_ssl
beginning 6 repetitions
123456
......
1 test OK.
[29244 refs]
%

[GvR: slightly edited to enforce 79-char line length, even if it required
 violating the style guide.]
2007-08-27 18:42:23 +00:00
Neal Norwitz dc988119b5 Fix a few more variables to try to get this to compile with Visual Studio. 2007-08-25 16:58:09 +00:00
Neal Norwitz 049da9e1cf Try to get this to build with Visual Studio by moving all the variable
declarations to the beginning of a scope.
2007-08-25 16:41:36 +00:00
Guido van Rossum 4f2c3ddca4 Server-side SSL and certificate validation, by Bill Janssen.
While cleaning up Bill's C style, I may have cleaned up some code
he didn't touch as well (in _ssl.c).
2007-08-25 15:08:43 +00:00
Martin v. Löwis 6819210b9e PEP 3123: Provide forward compatibility with Python 3.0, while keeping
backwards compatibility. Add Py_Refcnt, Py_Type, Py_Size, and
PyVarObject_HEAD_INIT.
2007-07-21 06:55:02 +00:00
Martin v. Löwis a811c38d8e Fix various minor errors in passing arguments to
PyArg_ParseTuple.
2006-10-19 11:00:37 +00:00
Anthony Baxter 93ab5fa191 #1494314: Fix a regression with high-numbered sockets in 2.4.3. This
means that select() on sockets > FD_SETSIZE (typically 1024) work again.
The patch makes sockets use poll() internally where available.
2006-07-11 02:04:09 +00:00
Neal Norwitz 38e3b7d2d3 Don't mask a no memory error with a less meaningful one as discussed on python-checkins 2006-05-11 07:51:59 +00:00
Neal Norwitz c6a989ac3a Fix problems found by Coverity.
longobject.c: also fix an ssize_t problem
  <a> could have been NULL, so hoist the size calc to not use <a>.

_ssl.c: under fail: self is DECREF'd, but it would have been NULL.

_elementtree.c: delete self if there was an error.

_csv.c: I'm not sure if lineterminator could have been anything other than
a string.  However, other string method calls are checked, so check this
one too.
2006-05-10 06:57:58 +00:00
Neal Norwitz c859b5c04e Remove unused field 2006-04-17 01:49:28 +00:00
Georg Brandl 43f08a85e4 Patch #1380952: fix SSL objects timing out on consecutive read()s 2006-03-31 18:01:16 +00:00
Neal Norwitz 389cea8efc Try to improve name based on discussion on python-checkins with Jim Jewett 2006-02-13 00:35:21 +00:00
Martin v. Löwis f84d1b9375 Introduce Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE.
Proposed by Tim Peters.
2006-02-11 09:27:05 +00:00
Neal Norwitz 082b2df33f Bug #876637, prevent stack corruption when socket descriptor
is larger than FD_SETSIZE.

This can only be acheived with ulimit -n SOME_NUMBER_BIGGER_THAN_FD_SETSIZE
which is typically only available to root.  Since this wouldn't normally
be run in a test (ie, run as root), it doesn't seem too worthwhile to
add a normal test.  The bug report has one version of a test.  I've
written another.  Not sure what the best thing to do is.

Do the check before calling internal_select() because we can't set
an error in between Py_BEGIN_ALLOW_THREADS and Py_END_ALLOW_THREADS.
This seemed the clearest solution, ie handle before calling internal_select()
rather than inside.  Plus there is at least one place outside
of internal_select() that needed to be handled.

Will backport.
2006-02-07 07:04:46 +00:00
Neal Norwitz 19cbcad20e Fix indentation (whitespace only). 2006-02-07 06:59:20 +00:00
Neal Norwitz 1ac754fa10 Check return result from Py_InitModule*(). This API can fail.
Probably should be backported.
2006-01-19 06:09:39 +00:00
Michael W. Hudson 5910d81c97 Add a missing decref -- PyErr_SetObject increfs the 'object'! 2004-08-04 14:59:00 +00:00
Andrew M. Kuchling 27d3dda7f1 [Patch #909007] Enable a bunch of safe bug workarounds in OpenSSL, for compatibility with various broken SSL implementations out there. 2004-07-10 21:36:55 +00:00
Andrew M. Kuchling 9c3efe3ec6 [Patch #945642] Fix non-blocking SSL sockets, which blocked on reads/writes in Python 2.3.
(It turns out that the Debian unstable packaging of Python 2.3.4 includes this patch.)
Patch by Tino Lange.
2004-07-10 21:15:17 +00:00
Brett Cannon 06c34798df Make socket.sslerror a subclass of socket.error .
Added socket.error to the socket module's C API.
2004-03-23 23:16:54 +00:00
Martin v. Löwis 405a7952fd Patch #803998: Correctly check for error in SSL_write. 2003-10-27 14:24:37 +00:00
Walter Dörwald f0dfc7ac5c Fix a bunch of typos in documentation, docstrings and comments.
(From SF patch #810751)
2003-10-20 14:01:56 +00:00
Neal Norwitz a9002f824b Fix SF #754870, SSL crash interpreter when remote side closes during connect
Also fix a memory leak.
2003-06-30 03:25:20 +00:00
Martin v. Löwis afec8e3bde Patch #751916: Check for signals, fix some refcounting errors. 2003-06-28 07:40:23 +00:00
Neal Norwitz 529baf2b57 Fix compiler warning 2003-02-02 17:08:33 +00:00