Christian Heimes
ff5be6e810
bpo-32598: Use autoconf to detect usable OpenSSL ( #5242 )
...
Add https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
to auto-detect compiler flags, linker flags and libraries to compile
OpenSSL extensions. The M4 macro uses pkg-config and falls back to
manual detection.
Add autoconf magic to detect usable X509_VERIFY_PARAM_set1_host()
and related functions.
Refactor setup.py to use new config vars to compile _ssl and _hashlib
modules.
Signed-off-by: Christian Heimes <christian@python.org>
2018-01-20 13:19:21 +01:00
Semen Zhydenko
1295e11d39
completly -> completely ( #3999 ) (closes bpo-31788)
2017-10-15 12:28:31 -07:00
Christian Heimes
e82c034496
bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED ( #3531 )
...
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:29:57 +02:00
Victor Stinner
5a61559fb0
_ssl_: Fix compiler warning ( #3559 )
...
Cast Py_buffer.len (Py_ssize_t, signed) to size_t (unsigned) to
prevent the following warning:
Modules/_ssl.c:3089:21: warning: comparison between signed and
unsigned integer expressions [-Wsign-compare]
2017-09-14 10:10:30 +02:00
Steve Dower
e6eb48c10d
bpo-31400: Improve SSL error handling on Windows ( #3463 )
...
* bpo-31392: Improve SSL error handling on Windows
* Remove unnecessary Windows mention in NEWS
2017-09-08 15:16:15 -07:00
Christian Heimes
0915360b9e
bpo-28182: restore backwards compatibility ( #3464 )
...
b3ad0e5
broke backwards compatibility with OpenSSL < 1.0.2.
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 14:47:58 -07:00
Christian Heimes
b3ad0e5127
bpo-28182: Expose OpenSSL verification results ( #3412 )
...
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.
Original patch by Chi Hsuan Yen
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 12:00:19 -07:00
Christian Heimes
cb5b68abde
bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 ( #1363 )
...
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 18:07:00 -07:00
Christian Heimes
17c9ac927b
bpo-28958: Improve SSLContext error reporting. ( #3414 )
...
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 14:14:00 -07:00
Antoine Pitrou
a6a4dc816d
bpo-31370: Remove support for threads-less builds ( #3385 )
...
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
2017-09-07 18:56:24 +02:00
Christian Heimes
6877111648
bpo-29781: Fix SSLObject.version before handshake ( #3364 )
...
SSLObject.version() now correctly returns None when handshake over BIO has
not been performed yet.
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 21:55:40 -07:00
Christian Heimes
c941e6238a
bpo-30102: Call OPENSSL_add_all_algorithms_noconf ( #3112 )
...
The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on
OpenSSL < 1.1.0. The function detects CPU features and enables optimizations
on some CPU architectures such as POWER8. Patch is based on research from
Gustavo Serra Scalet.
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 15:47:11 +02:00
Serhiy Storchaka
e503ca5288
bpo-30502: Fix handling of long oids in ssl. ( #2909 )
2017-09-05 00:28:53 +02:00
Melvyn Sopacua
b2d096bd2a
bpo-30622: Change NPN detection: ( #2079 )
...
* Change NPN detection:
Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
* Refine NPN guard:
- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way
This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.
Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:
#if defined(OPENSSL_NO_NEXTPROTONEG) && \
!defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif
[1] https://github.com/openssl/openssl/commit/68b33cc5c7
2017-09-04 23:35:15 +02:00
INADA Naoki
a6296d34a4
bpo-31095: fix potential crash during GC (GH-2974)
2017-08-24 14:55:17 +09:00
Segev Finer
5cff637979
bpo-9566: Fixed _ssl module warnings ( #2495 )
...
* bpo-9566: Fixed some _ssl warnings
* bpo-9566: _ssl: Fixup the fixes and also fix the remainings warnings
* Add a comment about the downcast
2017-07-26 15:19:17 -07:00
Steve Dower
68d663cf85
[bpo-30916] Pre-build OpenSSL and Tcl/Tk for Windows ( #2688 )
...
Updates ssl and tkinter projects to use pre-built externals
2017-07-17 11:15:48 +02:00
Serhiy Storchaka
5f31d5cf6e
Regenerate Argument Clinic code for bpo-19180. ( #2073 )
2017-06-10 13:13:51 +03:00
Chandan Kumar
63c2c8ac17
bpo-19180: Updated references for RFC 1750, RFC 3280 & RFC 4366 (GH-148)
...
* RFC 1750 has been been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
2017-06-09 19:43:58 +10:00
Nathaniel J. Smith
65ece7ca23
bpo-30594: Fixed refcounting in newPySSLSocket ( #1992 )
...
If pass a server_hostname= that fails IDNA decoding to SSLContext.wrap_socket or SSLContext.wrap_bio, then the SSLContext object had a spurious Py_DECREF called on it, eventually leading to segfaults.
2017-06-08 09:30:43 +03:00
Alex Gaynor
b87c0dfe90
Simplify X.509 extension handling code ( #1855 )
...
* Simplify X.509 extension handling code
The previous implementation had grown organically over time, as OpenSSL's API evolved.
* Delete even more code
2017-06-06 07:53:11 -04:00
Christian Heimes
66dc33b682
bpo-29334: Fix ssl.getpeercert for auto-handshake ( #1769 )
...
Drop handshake_done and peer_cert members from PySSLSocket struct. The
peer certificate can be acquired from *SSL directly.
SSL_get_peer_certificate() does not trigger any network activity.
Instead of manually tracking the handshake state, simply use
SSL_is_init_finished().
In combination these changes fix auto-handshake for non-blocking
MemoryBIO connections.
Signed-off-by: Christian Heimes <christian@python.org>
2017-05-23 16:02:02 -07:00
Serhiy Storchaka
55fe1ae970
bpo-30022: Get rid of using EnvironmentError and IOError (except test… ( #1051 )
2017-04-16 10:46:38 +03:00
Olivier Vielpeau
2849cc34a8
bpo-29738: Fix memory leak in _get_crl_dp (GH-526)
...
* Remove conditional on free of `dps`, since `dps` is now allocated for
all versions of OpenSSL
* Remove call to `x509_check_ca` since it was only used to cache
the `crldp` field of the certificate
CRL_DIST_POINTS_free is available in all supported versions of OpenSSL
(recent 0.9.8+) and LibreSSL.
2017-04-14 18:06:07 -07:00
Serhiy Storchaka
aefa7ebf0f
bpo-6532: Make the thread id an unsigned integer. ( #781 )
...
* bpo-6532: Make the thread id an unsigned integer.
From C API side the type of results of PyThread_start_new_thread() and
PyThread_get_thread_ident(), the id parameter of
PyThreadState_SetAsyncExc(), and the thread_id field of PyThreadState
changed from "long" to "unsigned long".
* Restore a check in thread_get_ident().
2017-03-23 14:48:39 +01:00
Donald Stufft
8ae264ce6d
bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-395)
2017-03-02 11:45:29 -05:00
Serhiy Storchaka
228b12edcc
Issue #28999 : Use Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE wherever
...
possible. Patch is writen with Coccinelle.
2017-01-23 09:47:21 +02:00
Victor Stinner
f17c3de263
Use _PyObject_CallNoArg()
...
Replace:
PyObject_CallFunctionObjArgs(callable, NULL)
with:
_PyObject_CallNoArg(callable)
2016-12-06 18:46:19 +01:00
Victor Stinner
de4ae3d486
Backed out changeset b9c9691c72c5
...
Issue #28858 : The change b9c9691c72c5 introduced a regression. It seems like
_PyObject_CallArg1() uses more stack memory than
PyObject_CallFunctionObjArgs().
2016-12-04 22:59:09 +01:00
Victor Stinner
27580c1fb5
Replace PyObject_CallFunctionObjArgs() with fastcall
...
* PyObject_CallFunctionObjArgs(func, NULL) => _PyObject_CallNoArg(func)
* PyObject_CallFunctionObjArgs(func, arg, NULL) => _PyObject_CallArg1(func, arg)
PyObject_CallFunctionObjArgs() allocates 40 bytes on the C stack and requires
extra work to "parse" C arguments to build a C array of PyObject*.
_PyObject_CallNoArg() and _PyObject_CallArg1() are simpler and don't allocate
memory on the C stack.
This change is part of the fastcall project. The change on listsort() is
related to the issue #23507 .
2016-12-01 14:43:22 +01:00
Christian Heimes
1a63b9f288
Typo
2016-09-24 12:07:21 +02:00
Christian Heimes
a5d0765990
Finish GC code for SSLSession and increase test coverage
2016-09-24 10:48:05 +02:00
Christian Heimes
f6365e3816
Issue #28188 : Use PyMem_Calloc() to get rid of a type-limits warning and an extra memset() call in _ssl.c.
2016-09-13 20:48:13 +02:00
Victor Stinner
410b9887e1
Issue #27866 : Fix refleak in cipher_to_dict()
2016-09-12 12:00:23 +02:00
Christian Heimes
5fe668c672
Issue #28085 : Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext
2016-09-12 00:01:11 +02:00
Christian Heimes
99a6570295
Issue #19500 : Add client-side SSL session resumption to the ssl module.
2016-09-10 23:44:53 +02:00
Christian Heimes
358cfd426c
Issue 28043: SSLContext has improved default settings
...
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes
fe3c9c1ee9
Issue #27691 : Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
2016-09-06 23:27:06 +02:00
Christian Heimes
1c03abd026
Issue #27691 : Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
2016-09-06 23:25:35 +02:00
Christian Heimes
0061bf5892
Issue #26470 : Use short name rather than name for compression name to fix #27958 .
2016-09-06 01:14:34 +02:00
Christian Heimes
281e5f8839
Issue #26470 : Use short name rather than name for compression name to fix #27958 .
2016-09-06 01:10:39 +02:00
Christian Heimes
25bfcd5d9e
Issue #27866 : Add SSLContext.get_ciphers() method to get a list of all enabled ciphers.
2016-09-06 00:04:45 +02:00
Christian Heimes
01113faef9
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:23:24 +02:00
Christian Heimes
598894ff48
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:19:05 +02:00
Benjamin Peterson
a853c479ee
merge 3.5 ( #27773 )
2016-08-15 21:56:11 -07:00
Benjamin Peterson
81b9ecd2a3
fix corner cases in the management of server_hostname ( closes #27773 )
2016-08-15 21:55:37 -07:00
Victor Stinner
d3afb62b8f
Merge 3.5 (INVALID_SOCKET)
2016-07-22 17:47:09 +02:00
Victor Stinner
524714eeda
socket: use INVALID_SOCKET
...
* Replace "fd = -1" with "fd = INVALID_SOCKET"
* Replace "fd < 0" with "fd == INVALID_SOCKET": SOCKET_T is unsigned on Windows
Bug found by Pavel Belikov ("Fragment N1"):
http://www.viva64.com/en/b/0414/#ID0ECDAE
2016-07-22 17:43:59 +02:00
Martin Panter
7386268ffd
Issue #23804 : Merge SSL recv() fix from 3.5
2016-07-11 01:32:09 +00:00
Martin Panter
bed7f1a512
Issue #23804 : Fix SSL zero-length recv() calls to not block and raise EOF
2016-07-11 00:17:13 +00:00
Serhiy Storchaka
2954f83999
- Issue #27332 : Fixed the type of the first argument of module-level functions
...
generated by Argument Clinic. Patch by Petr Viktorin.
2016-07-07 18:20:03 +03:00
Serhiy Storchaka
1a2b24f02d
Issue #27332 : Fixed the type of the first argument of module-level functions
...
generated by Argument Clinic. Patch by Petr Viktorin.
2016-07-07 17:35:15 +03:00
Benjamin Peterson
50600a78cb
merge 3.5 ( #24557 )
2016-07-06 23:58:16 -07:00
Benjamin Peterson
b8a2f51ceb
assume egd unless OPENSSL_NO_EGD is defined—remove configure check ( closes #24557 )
2016-07-06 23:55:15 -07:00
Berker Peksag
2c164b738d
Fix unused variable 'libver' warning in Modules/_ssl.c
...
It can be seen on various buildbots like 3.x.cea-indiana-amd64
and 3.x.murray-snowleopard:
/export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver'
/Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
2016-04-14 16:49:21 +03:00
Berker Peksag
dfcb041195
Fix unused variable 'libver' warning in Modules/_ssl.c
...
It can be seen on various buildbots like 3.x.cea-indiana-amd64
and 3.x.murray-snowleopard:
/export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver'
/Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
2016-04-14 16:48:48 +03:00
Serhiy Storchaka
f01e408c16
Issue #26200 : Added Py_SETREF and replaced Py_XSETREF with Py_SETREF
...
in places where Py_DECREF was used.
2016-04-10 18:12:01 +03:00
Serhiy Storchaka
57a01d3a0e
Issue #26200 : Added Py_SETREF and replaced Py_XSETREF with Py_SETREF
...
in places where Py_DECREF was used.
2016-04-10 18:05:40 +03:00
Serhiy Storchaka
ec39756960
Issue #22570 : Renamed Py_SETREF to Py_XSETREF.
2016-04-06 09:50:03 +03:00
Serhiy Storchaka
48842714b9
Issue #22570 : Renamed Py_SETREF to Py_XSETREF.
2016-04-06 09:45:48 +03:00
Martin Panter
afd465d497
Issue #26644 : Merge SSL negative read fix from 3.5
2016-03-27 10:40:22 +00:00
Martin Panter
5503d4731e
Issue #26644 : Raise ValueError for negative SSLSocket.recv() and read()
2016-03-27 05:35:19 +00:00
Benjamin Peterson
4a180a693f
merge 3.5 ( closes #25939 )
2016-02-17 22:18:35 -08:00
Benjamin Peterson
1378f7ca68
merge 3.4 ( closes #25939 )
2016-02-17 22:18:20 -08:00
Benjamin Peterson
9491272751
open the cert store readonly
...
Patch from Chi Hsuan Yen.
2016-02-17 22:13:19 -08:00
Benjamin Peterson
5db60aa84e
merge 3.5 ( closes #25672 )
2016-01-07 21:38:51 -08:00
Benjamin Peterson
3b1a8b3bbe
enable SSL_MODE_RELEASE_BUFFERS
...
Patch by Cory Benfield.
2016-01-07 21:37:37 -08:00
Serhiy Storchaka
ef1585eb9a
Issue #25923 : Added more const qualifiers to signatures of static and private functions.
2015-12-25 20:01:53 +02:00
Serhiy Storchaka
5a57ade58e
Issue #20440 : Massive replacing unsafe attribute setting code with special
...
macro Py_SETREF.
2015-12-24 10:35:59 +02:00
Benjamin Peterson
fcc2e71e99
merge 3.4 ( #25578 )
2015-11-14 15:14:42 -08:00
Benjamin Peterson
025a1fd990
rm trailing ws
2015-11-14 15:12:38 -08:00
Benjamin Peterson
f0c9038a36
fix possible memory lea k in _get_aia_uri ( closes #25578 )
2015-11-14 15:12:18 -08:00
Benjamin Peterson
2463001a15
merge 3.4 ( #25569 )
2015-11-14 00:11:09 -08:00
Benjamin Peterson
806fb25405
fix build with older openssl ( #25569 )
2015-11-14 00:09:22 -08:00
Benjamin Peterson
45bde5d2ee
merge 3.4 ( #25530 )
2015-11-11 22:45:22 -08:00
Benjamin Peterson
a9dcdabccb
always set OP_NO_SSLv3 by default ( closes #25530 )
2015-11-11 22:38:41 -08:00
Benjamin Peterson
86429bd174
merge 3.5 ( #25569 )
2015-11-11 22:14:08 -08:00
Benjamin Peterson
eda06c8f5e
fix memory leak in _get_crl_dp ( closes #25569 )
...
Patch started by Stéphane Wirtel.
2015-11-11 22:07:38 -08:00
Serhiy Storchaka
f51d715845
Issue #25523 : Further a-to-an corrections new in 3.5.
2015-11-02 14:40:41 +02:00
Serhiy Storchaka
a84f6c3dd3
Issue #25523 : Merge a-to-an corrections from 3.4.
2015-11-02 14:39:05 +02:00
Serhiy Storchaka
d65c9496da
Issue #25523 : Further a-to-an corrections.
2015-11-02 14:10:23 +02:00
Benjamin Peterson
d330822c12
detect alpn by feature flag not openssl version ( closes #23329 )
2015-09-27 00:09:02 -07:00
Benjamin Peterson
d113c967b4
improve style of the convert macro ( #24655 )
...
Patch by Brian Cain.
2015-07-18 10:59:13 -07:00
Benjamin Peterson
0544cf0eb9
merge 3.4 ( #24655 )
2015-07-18 11:00:00 -07:00
Larry Hastings
dbfdc380df
Issue #24001 : Argument Clinic converters now use accept={type}
...
instead of types={'type'} to specify the types the converter accepts.
2015-05-04 06:59:46 -07:00
Serhiy Storchaka
4b7b82f133
Issue #20179 : Converted the _ssl module to Argument Clinic.
2015-05-03 16:14:08 +03:00
Victor Stinner
146907081c
Issue #23853 : Methods of SSL socket don't reset the socket timeout anymore each
...
time bytes are received or sent. The socket timeout is now the maximum total
duration of the method.
This change fixes a denial of service if the application is regulary
interrupted by a signal and the signal handler does not raise an exception.
2015-04-06 22:46:13 +02:00
Benjamin Peterson
7d71c97ec3
merge 3.4 ( #23875 )
2015-04-06 13:06:21 -04:00
Benjamin Peterson
43b842775f
remove extra arguments in arg parsing format codes ( closes #23875 )
2015-04-06 13:05:22 -04:00
Victor Stinner
4e3cfa46dc
Issue #23853 : Cleanup _ssl.c
...
* Rename check_socket_and_wait_for_timeout() to PySSL_select()
* PySSL_select() is now clearly splitted betwen poll() and select()
* Add empty lines for readability
2015-04-02 21:28:28 +02:00
Victor Stinner
869e1778c0
Issue #22117 : Replace usage of _PyTime_ROUND_UP with _PyTime_ROUND_CEILING
...
All these functions only accept positive timeouts, so this change has no effect
in practice.
2015-03-30 03:49:14 +02:00
Victor Stinner
ea9c0dd2c2
Issue #22117 : Fix usage of _PyTime_AsTimeval()
...
Add _PyTime_AsTimeval_noraise() function. Call it when it's not possible (or
not useful) to raise a Python exception on overflow.
2015-03-30 02:51:13 +02:00
Victor Stinner
e245231fab
Issue #22117 : Fix ssl to use _PyTime_t API on sock_timeout
...
I didn't notice that the ssl module uses private attributes of socket objects.
2015-03-28 03:00:46 +01:00
Serhiy Storchaka
8490f5acfe
Issue #23001 : Few functions in modules mmap, ossaudiodev, socket, ssl, and
...
codecs, that accepted only read-only bytes-like object now accept writable
bytes-like object too.
2015-03-20 09:00:36 +02:00
Victor Stinner
e42ccd2bfd
Issue #23694 : Enhance _Py_fopen(), it now raises an exception on error
...
* If fopen() fails, OSError is raised with the original filename object.
* The GIL is now released while calling fopen()
2015-03-18 01:39:23 +01:00
Benjamin Peterson
de8eca4638
merge 3.4
2015-03-04 22:50:25 -05:00
Benjamin Peterson
990fcaac3c
expose X509_V_FLAG_TRUSTED_FIRST
2015-03-04 22:49:41 -05:00
Benjamin Peterson
b64ae7bf2d
merge 3.4 ( #23476 )
2015-03-04 22:11:48 -05:00
Benjamin Peterson
fdb1971587
enable X509_V_FLAG_TRUSTED_FIRST when possible ( closes #23476 )
2015-03-04 22:11:12 -05:00
Antoine Pitrou
0bfd0a4048
Issue #23576 : Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed.
2015-03-04 20:54:57 +01:00
Antoine Pitrou
f7f3b0a14a
Issue #23576 : Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed.
2015-03-04 20:51:55 +01:00
Serhiy Storchaka
4d0d982985
Issue #23446 : Use PyMem_New instead of PyMem_Malloc to avoid possible integer
...
overflows. Added few missed PyErr_NoMemory().
2015-02-16 13:33:32 +02:00
Serhiy Storchaka
1a1ff29659
Issue #23446 : Use PyMem_New instead of PyMem_Malloc to avoid possible integer
...
overflows. Added few missed PyErr_NoMemory().
2015-02-16 13:28:22 +02:00
Benjamin Peterson
c54de47759
ifdef our way to compatibility with old openssl ( closes #23335 )
2015-01-28 12:06:39 -05:00
Benjamin Peterson
07f0515667
disable ALPN on LibreSSL, which has a large version number, but not ALPN support ( closes #23329 )
2015-01-27 11:10:18 -05:00
Benjamin Peterson
8861502e07
prefer server alpn ordering over the client's
2015-01-23 17:30:26 -05:00
Benjamin Peterson
cca2732a82
add support for ALPN ( closes #20188 )
2015-01-23 16:35:37 -05:00
Benjamin Peterson
baf7c1e546
use SSL_get_session
2015-01-07 11:32:00 -06:00
Benjamin Peterson
4cb17812d9
expose the client's cipher suites from the handshake ( closes #23186 )
2015-01-07 11:14:26 -06:00
Victor Stinner
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
Antoine Pitrou
5e8430d02c
Issue #23143 : Remove compatibility with OpenSSLs older than 0.9.8.
...
(the last 0.9.7 release was in 2007)
2015-01-03 23:17:23 +01:00
Benjamin Peterson
e32467cf6a
allow ssl module to compile if openssl doesn't support SSL 3 ( closes #22935 )
...
Patch by Kurt Roeckx.
2014-12-05 21:59:35 -05:00
Benjamin Peterson
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Benjamin Peterson
22293df016
merge 3.4 ( #22935 )
2014-12-05 22:11:33 -05:00
Victor Stinner
beeb512fe1
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation.
Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
Benjamin Peterson
f9284ae8ed
merge 3.4 ( #22921 )
2014-11-23 17:06:39 -06:00
Antoine Pitrou
b1fdf47ff5
Issue #21965 : Add support for in-memory SSL to the ssl module.
...
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Victor Stinner
e03de09ff2
(Merge 3.4) Issue #21781 , _ssl: Fix asn1obj2py() on Windows 64-bit, "s#" format
...
requires size to be a Py_ssize_t, not an int. _ssl.c is now "Py_ssize_t clean".
2014-07-07 21:52:49 +02:00
Victor Stinner
cd75298611
Issue #21781 , _ssl: Fix asn1obj2py() on Windows 64-bit, "s#" format requires
...
size to be a Py_ssize_t, not an int. _ssl.c is now "Py_ssize_t clean".
2014-07-07 21:52:29 +02:00
Victor Stinner
7f084064e8
(Merge 3.4) Issue #21781 : Make the ssl module "ssize_t clean" for parsing
...
parameters. ssl.RAND_add() now supports strings longer than 2 GB.
2014-07-01 16:39:23 +02:00
Victor Stinner
2e57b4e488
Issue #21781 : Make the ssl module "ssize_t clean" for parsing parameters.
...
ssl.RAND_add() now supports strings longer than 2 GB.
2014-07-01 16:37:17 +02:00
Victor Stinner
45e8e2f218
Issue #21490 : Add new C macros: Py_ABS() and Py_STRINGIFY()
...
Keep _Py_STRINGIZE() in PC/pyconfig.h to not introduce a dependency between
pyconfig.h and pymacros.h.
2014-05-14 17:24:35 +02:00
Antoine Pitrou
0bebbc33fa
Issue #21015 : SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
...
(should also fix a buildbot failure introduced by #20995 )
2014-03-22 18:13:50 +01:00
Gregory P. Smith
83fed26953
avoid a compiler warning about assigning const char * to char *.
2014-01-17 12:09:05 -08:00
Gregory P. Smith
f34890937b
avoid a compiler warning about assigning const char * to char *.
2014-01-17 12:08:49 -08:00
Antoine Pitrou
78ace81c93
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:09:03 +01:00
Antoine Pitrou
2f7c31678a
Remove conditional: it is useless at this point (OpenSSL headers are not yet included)
2014-01-09 20:07:41 +01:00
Antoine Pitrou
cd3d7cabef
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 20:02:20 +01:00
Victor Stinner
36e96b8716
(Merge 3.3) Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now
...
raise a ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:25 +01:00
Victor Stinner
1e81a399a2
Issue #20025 : ssl.RAND_bytes() and ssl.RAND_pseudo_bytes() now raise a
...
ValueError if num is negative (instead of raising a SystemError).
2013-12-19 16:47:04 +01:00
Christian Heimes
1aa9a75fbf
Issue #19509 : Add SSLContext.check_hostname to match the peer's certificate
...
with server_hostname on handshake.
2013-12-02 02:41:19 +01:00
Christian Heimes
470fba1f9f
SNI was added in OpenSSL 0.9.8f [11 Oct 2007], too
2013-11-28 15:12:15 +01:00
Christian Heimes
2427b50fdd
Issue #8813 : X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
...
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
2013-11-23 11:24:32 +01:00
Christian Heimes
5398e1a56e
Issue #19448 : report name / NID in exception message of ASN1Object
2013-11-22 16:20:53 +01:00
Christian Heimes
f22e8e5426
Issue #18147 : Add missing documentation for SSLContext.get_ca_certs().
...
Also change the argument name to the same name as getpeercert()
2013-11-22 02:22:51 +01:00
Christian Heimes
44109d7de7
Issue #17134 : Finalize interface to Windows' certificate store. Cert and
...
CRL enumeration are now two functions. enum_certificates() also returns
purpose flags as set of OIDs.
2013-11-22 01:51:30 +01:00
Christian Heimes
1dbf61fa46
downcast len to int. The code has already checked that len < INT_MAX
2013-11-22 00:34:18 +01:00
Christian Heimes
18fc7be80d
lst might be NULL here
...
CID 1130752: Dereference after null check (FORWARD_NULL)
2013-11-21 23:57:49 +01:00
Christian Heimes
225877917e
Issue #8813 : Add SSLContext.verify_flags to change the verification flags
...
of the context in order to enable certification revocation list (CRL)
checks or strict X509 rules.
2013-11-21 23:56:13 +01:00
Christian Heimes
949ec14209
Issue #19682 : Fix compatibility issue with old version of OpenSSL that
...
was introduced by Issue #18379 .
2013-11-21 16:26:51 +01:00
Christian Heimes
bd3a7f90b5
Issue #18379 : SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
...
and CRL distribution points.
2013-11-21 03:40:15 +01:00
Christian Heimes
efff7060f8
Issue #18138 : Implement cadata argument of SSLContext.load_verify_location()
...
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
2013-11-21 03:35:02 +01:00
Christian Heimes
b08ff7dcb4
Safely downcast SOCKET_T to int in _ssl module
2013-11-18 10:04:07 +01:00
Christian Heimes
a6bc95aa02
Issue #19448 : Add private API to SSL module to lookup ASN.1 objects by OID, NID, short name and long name.
2013-11-17 19:59:14 +01:00
Victor Stinner
a9eb38f02a
Issue #19437 : Fix newPySSLSocket(), handle PyWeakref_NewRef() failure
2013-10-31 16:35:38 +01:00
Victor Stinner
ba9be477b0
Issue #19437 : Fix fill_and_set_sslerror() of _ssl, handle Py_BuildValue()
...
failure
Don't call PyObject_CallObject() with NULL parameters and an exception set.
2013-10-31 15:00:24 +01:00
Christian Heimes
ee0bac66b2
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 21:11:55 +01:00
Christian Heimes
fb6b44e830
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
...
It is causing trouble like e.g. hanging processes.
2013-10-29 20:50:01 +01:00
Georg Brandl
81be27d53e
Issue #19227 : Try to fix deadlocks caused by re-seeding then OpenSSL
...
pseudo-random number generator on fork().
2013-10-27 07:56:11 +01:00
Georg Brandl
fb404f528a
#19227 : merge with 3.3
2013-10-27 07:57:42 +01:00
Antoine Pitrou
b2201e1aa6
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:53:45 +02:00
Antoine Pitrou
860aee75b8
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:52:45 +02:00
Antoine Pitrou
20b85557f2
Issue #19095 : SSLSocket.getpeercert() now raises ValueError when the SSL handshake hasn't been done.
2013-09-29 19:50:53 +02:00
Christian Heimes
2d7aba3db1
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:50 +02:00
Christian Heimes
60bf2fc25b
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:35 +02:00
Victor Stinner
daf455554b
Issue #18571 : Implementation of the PEP 446: file descriptors and file handles
...
are now created non-inheritable; add functions os.get/set_inheritable(),
os.get/set_handle_inheritable() and socket.socket.get/set_inheritable().
2013-08-28 00:53:59 +02:00
Christian Heimes
cfa47962c2
Issue #18747 : Fix spelling errors in my commit message and comments,
...
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:29 +02:00
Christian Heimes
61636e7105
Issue #18747 : Fix spelling errors in my commit message and comments,
...
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:16 +02:00
Richard Oudkerk
cabbde9e1e
Fix compiler warning on Windows.
2013-08-24 23:46:27 +01:00
Christian Heimes
f54c24628b
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
...
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:56 +02:00
Christian Heimes
80c5de93f9
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
...
fork() is suppose to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:48 +02:00
Christian Heimes
6acbe2aaa3
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:34 +02:00
Christian Heimes
f77b4b20e9
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
...
A pthread_atfork() child handler is used to seeded the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
Christian Heimes
85532eb212
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
...
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:39 +02:00
Christian Heimes
4d98ca9ff6
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
...
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:29 +02:00
Christian Heimes
f920a1c1f1
Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok.
2013-08-17 17:25:27 +02:00
Christian Heimes
3c2593b2bb
Issue 18768: Correct doc string of RAND_edg(). Patch by Vajrasky Kok.
2013-08-17 17:25:18 +02:00
Christian Heimes
9b5907cbd5
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:19:03 +02:00
Christian Heimes
474afdda60
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:18:56 +02:00
Ezio Melotti
a7e7497d88
#18466 : merge with 3.3.
2013-08-17 16:58:13 +03:00
Ezio Melotti
85a8629d21
#18466 : fix more typos. Patch by Févry Thibault.
2013-08-17 16:57:41 +03:00
Christian Heimes
e06d47c70c
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:58:00 +02:00
Christian Heimes
824f7f366d
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
...
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string represention of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
Christian Heimes
9bfcaa6fb3
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
...
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:35 +02:00
Christian Heimes
5962bef8aa
Check return value of PyLong_FromLong(X509_get_version()). It might be NULL if
...
X509_get_version() grows beyond our small int cache.
CID 1058279
2013-07-26 15:51:18 +02:00
Victor Stinner
11ebff2757
Issue #18203 : Replace malloc() with PyMem_Malloc() in _ssl for the password
2013-07-07 17:07:52 +02:00
Victor Stinner
b64049183c
Issue #18203 : Replace malloc() with PyMem_Malloc() in Python modules
...
Replace malloc() with PyMem_Malloc() when the GIL is held, or with
PyMem_RawMalloc() otherwise.
2013-07-07 16:21:41 +02:00
Victor Stinner
7e00151e1f
_ssl.c: strip trailing spaces
2013-06-25 00:44:31 +02:00
Victor Stinner
86073dc3c2
(Merge 3.3) Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if
...
the input string in longer than 2 gigabytes, and
ssl.SSLContext.load_cert_chain() raises a ValueError if the password is longer
than 2 gigabytes. The ssl module does not support partial write.
2013-06-25 00:43:47 +02:00
Victor Stinner
6efa965a27
Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if the input
...
string in longer than 2 gigabytes, and ssl.SSLContext.load_cert_chain() raises
a ValueError if the password is longer than 2 gigabytes. The ssl module does
not support partial write.
2013-06-25 00:42:31 +02:00
Victor Stinner
8cfd67cfe7
(Merge 3.3) Issue #18135 : Fix a possible integer overflow in
...
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
2013-06-23 15:09:26 +02:00
Victor Stinner
9ee0203057
Issue #18135 : Fix a possible integer overflow in ssl.SSLSocket.write()
...
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.
2013-06-23 15:08:23 +02:00
Victor Stinner
4569cd5eab
_ssl.c: strip trailing spaces
2013-06-23 14:58:43 +02:00
Christian Heimes
9a5395ae2b
Issue #18147 : Add diagnostic functions to ssl.SSLContext().
...
get_ca_list() lists all loaded CA certificates and cert_store_stats() returns
amount of loaded X.509 certs, X.509 CA certs and CRLs.
2013-06-17 15:44:12 +02:00
Christian Heimes
200bb1b08c
Simplify return value of ssl.get_default_verify_paths
...
prefix function with PySSL_, too. Other module level functions have a prefix, too.
2013-06-14 15:14:29 +02:00
Christian Heimes
75b8426698
fixd refleak
2013-06-10 10:47:22 +02:00
Christian Heimes
46bebee25f
Issue #17134 : Add ssl.enum_cert_store() as interface to Windows' cert store.
2013-06-09 19:03:31 +02:00
Christian Heimes
142ec2c014
get_default_verify_paths doesn't belong inside the ifdef block
2013-06-09 18:29:54 +02:00
Christian Heimes
6d7ad13a45
Issue #18143 : Implement ssl.get_default_verify_paths() in order to debug
...
the default locations for cafile and capath.
2013-06-09 18:02:55 +02:00
Antoine Pitrou
19fef69b75
Fix compilation under MSVC: ssl_set_mode() is a macro, and the MSVC preprocessor doesn't process #ifdef's inside a macro argument list.
...
(found explanation at http://www.tech-archive.net/Archive/VC/microsoft.public.vc.language/2007-05/msg00385.html )
2013-05-25 13:23:03 +02:00
Antoine Pitrou
3a65ad7f08
Issue #8240 : Set the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag on SSL sockets.
2013-05-25 13:02:32 +02:00
Antoine Pitrou
50b24d0d7c
Fix a crash when setting a servername callback on a SSL server socket and the client doesn't send a server name.
...
Patch by Kazuhiro Yoshida.
(originally issue #8109 )
2013-04-11 20:48:42 +02:00
Antoine Pitrou
ce852cb8b9
Fix comment about the OpenSSL version in which SNI version was introduced.
2013-03-30 16:45:04 +01:00
Antoine Pitrou
edbc18e9d0
Improve set_servername_callback docstring.
2013-03-30 16:40:27 +01:00
Antoine Pitrou
a596338bb8
Fix previous fix (the cause was actually a misplaced #endif, or so it seems)
2013-03-30 16:39:00 +01:00
Antoine Pitrou
41f8c4f5e4
Further compiling fixes (issue #17581 )
2013-03-30 16:36:54 +01:00
Antoine Pitrou
912fbff105
Issue #17581 : try to fix building on old OpenSSL versions
2013-03-30 16:29:32 +01:00
Antoine Pitrou
2463e5fee4
Issue #16692 : The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
2013-03-28 22:24:43 +01:00
Stefan Krah
20d60803d5
Issue #16982 : Fix --without-threads build failure.
2013-01-17 17:07:17 +01:00