Nathaniel J. Smith
65ece7ca23
bpo-30594: Fixed refcounting in newPySSLSocket ( #1992 )
...
If you pass a server_hostname= that fails IDNA decoding to SSLContext.wrap_socket or SSLContext.wrap_bio, then the SSLContext object had a spurious Py_DECREF called on it, eventually leading to segfaults.
2017-06-08 09:30:43 +03:00
Alex Gaynor
b87c0dfe90
Simplify X.509 extension handling code ( #1855 )
...
* Simplify X.509 extension handling code
The previous implementation had grown organically over time, as OpenSSL's API evolved.
* Delete even more code
2017-06-06 07:53:11 -04:00
Christian Heimes
66dc33b682
bpo-29334: Fix ssl.getpeercert for auto-handshake ( #1769 )
...
Drop handshake_done and peer_cert members from PySSLSocket struct. The
peer certificate can be acquired from *SSL directly.
SSL_get_peer_certificate() does not trigger any network activity.
Instead of manually tracking the handshake state, simply use
SSL_is_init_finished().
In combination these changes fix auto-handshake for non-blocking
MemoryBIO connections.
Signed-off-by: Christian Heimes <christian@python.org>
2017-05-23 16:02:02 -07:00
Serhiy Storchaka
55fe1ae970
bpo-30022: Get rid of using EnvironmentError and IOError (except test… ( #1051 )
2017-04-16 10:46:38 +03:00
Olivier Vielpeau
2849cc34a8
bpo-29738: Fix memory leak in _get_crl_dp (GH-526)
...
* Remove conditional on free of `dps`, since `dps` is now allocated for
all versions of OpenSSL
* Remove call to `x509_check_ca` since it was only used to cache
the `crldp` field of the certificate
CRL_DIST_POINTS_free is available in all supported versions of OpenSSL
(recent 0.9.8+) and LibreSSL.
2017-04-14 18:06:07 -07:00
Serhiy Storchaka
aefa7ebf0f
bpo-6532: Make the thread id an unsigned integer. ( #781 )
...
* bpo-6532: Make the thread id an unsigned integer.
From C API side the type of results of PyThread_start_new_thread() and
PyThread_get_thread_ident(), the id parameter of
PyThreadState_SetAsyncExc(), and the thread_id field of PyThreadState
changed from "long" to "unsigned long".
* Restore a check in thread_get_ident().
2017-03-23 14:48:39 +01:00
Donald Stufft
8ae264ce6d
bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-395)
2017-03-02 11:45:29 -05:00
Serhiy Storchaka
228b12edcc
Issue #28999 : Use Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE wherever
...
possible. Patch is written with Coccinelle.
2017-01-23 09:47:21 +02:00
Victor Stinner
f17c3de263
Use _PyObject_CallNoArg()
...
Replace:
PyObject_CallFunctionObjArgs(callable, NULL)
with:
_PyObject_CallNoArg(callable)
2016-12-06 18:46:19 +01:00
Victor Stinner
de4ae3d486
Backed out changeset b9c9691c72c5
...
Issue #28858 : The change b9c9691c72c5 introduced a regression. It seems like
_PyObject_CallArg1() uses more stack memory than
PyObject_CallFunctionObjArgs().
2016-12-04 22:59:09 +01:00
Victor Stinner
27580c1fb5
Replace PyObject_CallFunctionObjArgs() with fastcall
...
* PyObject_CallFunctionObjArgs(func, NULL) => _PyObject_CallNoArg(func)
* PyObject_CallFunctionObjArgs(func, arg, NULL) => _PyObject_CallArg1(func, arg)
PyObject_CallFunctionObjArgs() allocates 40 bytes on the C stack and requires
extra work to "parse" C arguments to build a C array of PyObject*.
_PyObject_CallNoArg() and _PyObject_CallArg1() are simpler and don't allocate
memory on the C stack.
This change is part of the fastcall project. The change on listsort() is
related to the issue #23507 .
2016-12-01 14:43:22 +01:00
Christian Heimes
1a63b9f288
Typo
2016-09-24 12:07:21 +02:00
Christian Heimes
a5d0765990
Finish GC code for SSLSession and increase test coverage
2016-09-24 10:48:05 +02:00
Christian Heimes
f6365e3816
Issue #28188 : Use PyMem_Calloc() to get rid of a type-limits warning and an extra memset() call in _ssl.c.
2016-09-13 20:48:13 +02:00
Victor Stinner
410b9887e1
Issue #27866 : Fix refleak in cipher_to_dict()
2016-09-12 12:00:23 +02:00
Christian Heimes
5fe668c672
Issue #28085 : Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext
2016-09-12 00:01:11 +02:00
Christian Heimes
99a6570295
Issue #19500 : Add client-side SSL session resumption to the ssl module.
2016-09-10 23:44:53 +02:00
Christian Heimes
358cfd426c
Issue 28043: SSLContext has improved default settings
...
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes
fe3c9c1ee9
Issue #27691 : Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
2016-09-06 23:27:06 +02:00
Christian Heimes
1c03abd026
Issue #27691 : Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
2016-09-06 23:25:35 +02:00
Christian Heimes
0061bf5892
Issue #26470 : Use short name rather than name for compression name to fix #27958 .
2016-09-06 01:14:34 +02:00
Christian Heimes
281e5f8839
Issue #26470 : Use short name rather than name for compression name to fix #27958 .
2016-09-06 01:10:39 +02:00
Christian Heimes
25bfcd5d9e
Issue #27866 : Add SSLContext.get_ciphers() method to get a list of all enabled ciphers.
2016-09-06 00:04:45 +02:00
Christian Heimes
01113faef9
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:23:24 +02:00
Christian Heimes
598894ff48
Issue #26470 : Port ssl and hashlib module to OpenSSL 1.1.0.
2016-09-05 23:19:05 +02:00
Benjamin Peterson
a853c479ee
merge 3.5 ( #27773 )
2016-08-15 21:56:11 -07:00
Benjamin Peterson
81b9ecd2a3
fix corner cases in the management of server_hostname ( closes #27773 )
2016-08-15 21:55:37 -07:00
Victor Stinner
d3afb62b8f
Merge 3.5 (INVALID_SOCKET)
2016-07-22 17:47:09 +02:00
Victor Stinner
524714eeda
socket: use INVALID_SOCKET
...
* Replace "fd = -1" with "fd = INVALID_SOCKET"
* Replace "fd < 0" with "fd == INVALID_SOCKET": SOCKET_T is unsigned on Windows
Bug found by Pavel Belikov ("Fragment N1"):
http://www.viva64.com/en/b/0414/#ID0ECDAE
2016-07-22 17:43:59 +02:00
Martin Panter
7386268ffd
Issue #23804 : Merge SSL recv() fix from 3.5
2016-07-11 01:32:09 +00:00
Martin Panter
bed7f1a512
Issue #23804 : Fix SSL zero-length recv() calls to not block and raise EOF
2016-07-11 00:17:13 +00:00
Serhiy Storchaka
2954f83999
- Issue #27332 : Fixed the type of the first argument of module-level functions
...
generated by Argument Clinic. Patch by Petr Viktorin.
2016-07-07 18:20:03 +03:00
Serhiy Storchaka
1a2b24f02d
Issue #27332 : Fixed the type of the first argument of module-level functions
...
generated by Argument Clinic. Patch by Petr Viktorin.
2016-07-07 17:35:15 +03:00
Benjamin Peterson
50600a78cb
merge 3.5 ( #24557 )
2016-07-06 23:58:16 -07:00
Benjamin Peterson
b8a2f51ceb
assume egd unless OPENSSL_NO_EGD is defined—remove configure check ( closes #24557 )
2016-07-06 23:55:15 -07:00
Berker Peksag
2c164b738d
Fix unused variable 'libver' warning in Modules/_ssl.c
...
It can be seen on various buildbots like 3.x.cea-indiana-amd64
and 3.x.murray-snowleopard:
/export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver'
/Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
2016-04-14 16:49:21 +03:00
Berker Peksag
dfcb041195
Fix unused variable 'libver' warning in Modules/_ssl.c
...
It can be seen on various buildbots like 3.x.cea-indiana-amd64
and 3.x.murray-snowleopard:
/export/home/buildbot/64bits/3.x.cea-indiana-amd64/build/Modules/_ssl.c:2227: warning: unused variable 'libver'
/Users/buildbot/buildarea/3.x.murray-snowleopard/build/Modules/_ssl.c:2227: warning: unused variable ‘libver’
2016-04-14 16:48:48 +03:00
Serhiy Storchaka
f01e408c16
Issue #26200 : Added Py_SETREF and replaced Py_XSETREF with Py_SETREF
...
in places where Py_DECREF was used.
2016-04-10 18:12:01 +03:00
Serhiy Storchaka
57a01d3a0e
Issue #26200 : Added Py_SETREF and replaced Py_XSETREF with Py_SETREF
...
in places where Py_DECREF was used.
2016-04-10 18:05:40 +03:00
Serhiy Storchaka
ec39756960
Issue #22570 : Renamed Py_SETREF to Py_XSETREF.
2016-04-06 09:50:03 +03:00
Serhiy Storchaka
48842714b9
Issue #22570 : Renamed Py_SETREF to Py_XSETREF.
2016-04-06 09:45:48 +03:00
Martin Panter
afd465d497
Issue #26644 : Merge SSL negative read fix from 3.5
2016-03-27 10:40:22 +00:00
Martin Panter
5503d4731e
Issue #26644 : Raise ValueError for negative SSLSocket.recv() and read()
2016-03-27 05:35:19 +00:00
Benjamin Peterson
4a180a693f
merge 3.5 ( closes #25939 )
2016-02-17 22:18:35 -08:00
Benjamin Peterson
1378f7ca68
merge 3.4 ( closes #25939 )
2016-02-17 22:18:20 -08:00
Benjamin Peterson
9491272751
open the cert store readonly
...
Patch from Chi Hsuan Yen.
2016-02-17 22:13:19 -08:00
Benjamin Peterson
5db60aa84e
merge 3.5 ( closes #25672 )
2016-01-07 21:38:51 -08:00
Benjamin Peterson
3b1a8b3bbe
enable SSL_MODE_RELEASE_BUFFERS
...
Patch by Cory Benfield.
2016-01-07 21:37:37 -08:00
Serhiy Storchaka
ef1585eb9a
Issue #25923 : Added more const qualifiers to signatures of static and private functions.
2015-12-25 20:01:53 +02:00
Serhiy Storchaka
5a57ade58e
Issue #20440 : Massive replacing unsafe attribute setting code with special
...
macro Py_SETREF.
2015-12-24 10:35:59 +02:00
Benjamin Peterson
fcc2e71e99
merge 3.4 ( #25578 )
2015-11-14 15:14:42 -08:00
Benjamin Peterson
025a1fd990
rm trailing ws
2015-11-14 15:12:38 -08:00
Benjamin Peterson
f0c9038a36
fix possible memory leak in _get_aia_uri ( closes #25578 )
2015-11-14 15:12:18 -08:00
Benjamin Peterson
2463001a15
merge 3.4 ( #25569 )
2015-11-14 00:11:09 -08:00
Benjamin Peterson
806fb25405
fix build with older openssl ( #25569 )
2015-11-14 00:09:22 -08:00
Benjamin Peterson
45bde5d2ee
merge 3.4 ( #25530 )
2015-11-11 22:45:22 -08:00
Benjamin Peterson
a9dcdabccb
always set OP_NO_SSLv3 by default ( closes #25530 )
2015-11-11 22:38:41 -08:00
Benjamin Peterson
86429bd174
merge 3.5 ( #25569 )
2015-11-11 22:14:08 -08:00
Benjamin Peterson
eda06c8f5e
fix memory leak in _get_crl_dp ( closes #25569 )
...
Patch started by Stéphane Wirtel.
2015-11-11 22:07:38 -08:00
Serhiy Storchaka
f51d715845
Issue #25523 : Further a-to-an corrections new in 3.5.
2015-11-02 14:40:41 +02:00
Serhiy Storchaka
a84f6c3dd3
Issue #25523 : Merge a-to-an corrections from 3.4.
2015-11-02 14:39:05 +02:00
Serhiy Storchaka
d65c9496da
Issue #25523 : Further a-to-an corrections.
2015-11-02 14:10:23 +02:00
Benjamin Peterson
d330822c12
detect alpn by feature flag not openssl version ( closes #23329 )
2015-09-27 00:09:02 -07:00
Benjamin Peterson
d113c967b4
improve style of the convert macro ( #24655 )
...
Patch by Brian Cain.
2015-07-18 10:59:13 -07:00
Benjamin Peterson
0544cf0eb9
merge 3.4 ( #24655 )
2015-07-18 11:00:00 -07:00
Larry Hastings
dbfdc380df
Issue #24001 : Argument Clinic converters now use accept={type}
...
instead of types={'type'} to specify the types the converter accepts.
2015-05-04 06:59:46 -07:00
Serhiy Storchaka
4b7b82f133
Issue #20179 : Converted the _ssl module to Argument Clinic.
2015-05-03 16:14:08 +03:00
Victor Stinner
146907081c
Issue #23853 : Methods of SSL socket don't reset the socket timeout anymore each
...
time bytes are received or sent. The socket timeout is now the maximum total
duration of the method.
This change fixes a denial of service if the application is regularly
interrupted by a signal and the signal handler does not raise an exception.
2015-04-06 22:46:13 +02:00
Benjamin Peterson
7d71c97ec3
merge 3.4 ( #23875 )
2015-04-06 13:06:21 -04:00
Benjamin Peterson
43b842775f
remove extra arguments in arg parsing format codes ( closes #23875 )
2015-04-06 13:05:22 -04:00
Victor Stinner
4e3cfa46dc
Issue #23853 : Cleanup _ssl.c
...
* Rename check_socket_and_wait_for_timeout() to PySSL_select()
* PySSL_select() is now clearly split between poll() and select()
* Add empty lines for readability
2015-04-02 21:28:28 +02:00
Victor Stinner
869e1778c0
Issue #22117 : Replace usage of _PyTime_ROUND_UP with _PyTime_ROUND_CEILING
...
All these functions only accept positive timeouts, so this change has no effect
in practice.
2015-03-30 03:49:14 +02:00
Victor Stinner
ea9c0dd2c2
Issue #22117 : Fix usage of _PyTime_AsTimeval()
...
Add _PyTime_AsTimeval_noraise() function. Call it when it's not possible (or
not useful) to raise a Python exception on overflow.
2015-03-30 02:51:13 +02:00
Victor Stinner
e245231fab
Issue #22117 : Fix ssl to use _PyTime_t API on sock_timeout
...
I didn't notice that the ssl module uses private attributes of socket objects.
2015-03-28 03:00:46 +01:00
Serhiy Storchaka
8490f5acfe
Issue #23001 : Few functions in modules mmap, ossaudiodev, socket, ssl, and
...
codecs, that accepted only read-only bytes-like object now accept writable
bytes-like object too.
2015-03-20 09:00:36 +02:00
Victor Stinner
e42ccd2bfd
Issue #23694 : Enhance _Py_fopen(), it now raises an exception on error
...
* If fopen() fails, OSError is raised with the original filename object.
* The GIL is now released while calling fopen()
2015-03-18 01:39:23 +01:00
Benjamin Peterson
de8eca4638
merge 3.4
2015-03-04 22:50:25 -05:00
Benjamin Peterson
990fcaac3c
expose X509_V_FLAG_TRUSTED_FIRST
2015-03-04 22:49:41 -05:00
Benjamin Peterson
b64ae7bf2d
merge 3.4 ( #23476 )
2015-03-04 22:11:48 -05:00
Benjamin Peterson
fdb1971587
enable X509_V_FLAG_TRUSTED_FIRST when possible ( closes #23476 )
2015-03-04 22:11:12 -05:00
Antoine Pitrou
0bfd0a4048
Issue #23576 : Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed.
2015-03-04 20:54:57 +01:00
Antoine Pitrou
f7f3b0a14a
Issue #23576 : Avoid stalling in SSL reads when EOF has been reached in the SSL layer but the underlying connection hasn't been closed.
2015-03-04 20:51:55 +01:00
Serhiy Storchaka
4d0d982985
Issue #23446 : Use PyMem_New instead of PyMem_Malloc to avoid possible integer
...
overflows. Added few missed PyErr_NoMemory().
2015-02-16 13:33:32 +02:00
Serhiy Storchaka
1a1ff29659
Issue #23446 : Use PyMem_New instead of PyMem_Malloc to avoid possible integer
...
overflows. Added few missed PyErr_NoMemory().
2015-02-16 13:28:22 +02:00
Benjamin Peterson
c54de47759
ifdef our way to compatibility with old openssl ( closes #23335 )
2015-01-28 12:06:39 -05:00
Benjamin Peterson
07f0515667
disable ALPN on LibreSSL, which has a large version number, but not ALPN support ( closes #23329 )
2015-01-27 11:10:18 -05:00
Benjamin Peterson
8861502e07
prefer server alpn ordering over the client's
2015-01-23 17:30:26 -05:00
Benjamin Peterson
cca2732a82
add support for ALPN ( closes #20188 )
2015-01-23 16:35:37 -05:00
Benjamin Peterson
baf7c1e546
use SSL_get_session
2015-01-07 11:32:00 -06:00
Benjamin Peterson
4cb17812d9
expose the client's cipher suites from the handshake ( closes #23186 )
2015-01-07 11:14:26 -06:00
Victor Stinner
fcfed19913
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation. Patch written
by Bernard Spil.
2015-01-06 13:54:58 +01:00
Antoine Pitrou
5e8430d02c
Issue #23143 : Remove compatibility with OpenSSLs older than 0.9.8.
...
(the last 0.9.7 release was in 2007)
2015-01-03 23:17:23 +01:00
Benjamin Peterson
e32467cf6a
allow ssl module to compile if openssl doesn't support SSL 3 ( closes #22935 )
...
Patch by Kurt Roeckx.
2014-12-05 21:59:35 -05:00
Benjamin Peterson
7243b574e5
don't require OpenSSL SNI to pass hostname to ssl functions ( #22921 )
...
Patch by Donald Stufft.
2014-11-23 17:04:34 -06:00
Benjamin Peterson
22293df016
merge 3.4 ( #22935 )
2014-12-05 22:11:33 -05:00
Victor Stinner
beeb512fe1
Issue #21356 : Make ssl.RAND_egd() optional to support LibreSSL. The
...
availability of the function is checked during the compilation.
Patch written by Bernard Spil.
2014-11-28 13:28:25 +01:00
Benjamin Peterson
f9284ae8ed
merge 3.4 ( #22921 )
2014-11-23 17:06:39 -06:00
Antoine Pitrou
b1fdf47ff5
Issue #21965 : Add support for in-memory SSL to the ssl module.
...
Patch by Geert Jansen.
2014-10-05 20:41:53 +02:00
Antoine Pitrou
47e40429fb
Issue #20421 : Add a .version() method to SSL sockets exposing the actual protocol version in use.
2014-09-04 21:00:10 +02:00
Victor Stinner
e03de09ff2
(Merge 3.4) Issue #21781 , _ssl: Fix asn1obj2py() on Windows 64-bit, "s#" format
...
requires size to be a Py_ssize_t, not an int. _ssl.c is now "Py_ssize_t clean".
2014-07-07 21:52:49 +02:00