enable SSL_MODE_RELEASE_BUFFERS

Patch by Cory Benfield.
Benjamin Peterson 2016-01-07 21:37:37 -08:00
parent 03abf6dd98
commit 3b1a8b3bbe
2 changed files with 20 additions and 0 deletions


@ -41,6 +41,9 @@ Core and Builtins
Library
-------
- Issue #25672: In the ssl module, enable the SSL_MODE_RELEASE_BUFFERS mode
option if it is safe to do so.
- Issue #22570: Add 'path' attribute to pathlib.Path objects,
returning the same as str(), to make it more similar to DirEntry.
Library code can now write getattr(p, 'path', p) to get the path as


@ -2219,6 +2219,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
PySSLContext *self;
long options;
SSL_CTX *ctx = NULL;
unsigned long libver;
PySSL_BEGIN_ALLOW_THREADS
if (proto_version == PY_SSL_VERSION_TLS1)
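Review bot: The new `unsigned long libver;` declaration is unconditional, but the only use this commit adds is inside the `#if defined(SSL_MODE_RELEASE_BUFFERS)` block of the second hunk, so a build against an OpenSSL that lacks the macro gets an unused-variable warning for it. Keeping declaration and use under the same guard avoids that, for example by declaring it at the point of use inside the `#if` block: `unsigned long libver = SSLeay();`. The body of _ssl__SSLContext_impl continues outside the hunk, and the second hunk is cut off at the end of the page, so I cannot see whether libver has any other reader.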
@ -2281,6 +2282,22 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
options |= SSL_OP_NO_SSLv3;
SSL_CTX_set_options(self->ctx, options);
#if defined(SSL_MODE_RELEASE_BUFFERS)
/* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
usage for no cost at all. However, don't do this for OpenSSL versions
between 1.0.1 and 1.0.1h or 1.0.0 and 1.0.0m, which are affected by CVE
2014-0198. I can't find exactly which beta fixed this CVE, so be
conservative and assume it wasn't fixed until release. We do this check
at runtime to avoid problems from the dynamic linker.
See #25672 for more on this. */
libver = SSLeay();
if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
!(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
}
#endif
#ifndef OPENSSL_NO_ECDH
/* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
prime256v1 by default. This is Apache mod_ssl's initialization