Commit Graph

23 Commits

Author SHA1 Message Date
Christian Heimes 2756ef3165 [3.7] bpo-34670: Add TLS 1.3 post handshake auth (GH-9460) (GH-9505)
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.

Signed-off-by: Christian Heimes <christian@python.org>q

https://bugs.python.org/issue34670.
(cherry picked from commit 9fb051f032)

Co-authored-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue34670
2018-09-23 00:22:52 -07:00
Miss Islington (bot) 961774184e [3.7] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (GH-5876) (#5880)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 29eab55309)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-25 13:18:43 +01:00
Miss Islington (bot) 01d9c23e47 [3.7] bpo-30622: Improve NPN support detection (GH-5859) (#5860)
The ssl module now detects missing NPN support in LibreSSL.

Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-24 23:04:27 +01:00
Miss Islington (bot) 8fa8478dde [3.7] bpo-24334: Cleanup SSLSocket (GH-5252) (#5857)
* The SSLSocket is no longer implemented on top of SSLObject to
  avoid an extra level of indirection.
* Owner and session are now handled in the internal constructor.
* _ssl._SSLSocket now uses the same method names as SSLSocket and
  SSLObject.
* Channel binding type check is now handled in C code. Channel binding
  is always available.

The patch also changes the signature of SSLObject.__init__(). In my
opinion it's fine. A SSLObject is not a user-constructable object.
SSLContext.wrap_bio() is the only valid factory.
(cherry picked from commit 141c5e8c24)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-24 21:51:56 +01:00
Miss Islington (bot) 1c37e27719 [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128) (GH-5843)
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.

After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4)

Co-authored-by: Christian Heimes <christian@python.org>
2018-02-23 19:18:28 -08:00
Serhiy Storchaka a5552f023e
bpo-32240: Add the const qualifier to declarations of PyObject* array arguments. (#4746) 2017-12-15 13:11:11 +02:00
Zachary Ware af64aff9f7 Regen Moduls/clinic/_ssl.c.h (GH-3320)
Broken in GH-2079
2017-09-04 15:45:18 -07:00
Melvyn Sopacua b2d096bd2a bpo-30622: Change NPN detection: (#2079)
* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	#if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	#	define OPENSSL_NPN_UNSUPPORTED 0
	#	define OPENSSL_NPN_NEGOTIATED 1
	#	define OPENSSL_NPN_NO_OVERLAP 2
	#endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7
2017-09-04 23:35:15 +02:00
Serhiy Storchaka 6969eaf468 bpo-29464: Rename METH_FASTCALL to METH_FASTCALL|METH_KEYWORDS and make (#1955)
the bare METH_FASTCALL be used for functions with positional-only
parameters.
2017-07-03 21:20:15 +03:00
Serhiy Storchaka 5f31d5cf6e Regenerate Argument Clinic code for bpo-19180. (#2073) 2017-06-10 13:13:51 +03:00
Sylvain 7445381c60 bpo-30600: Fix error messages (condition order in Argument Clinic) (#2051)
The function '_PyArg_ParseStack()' and
'_PyArg_UnpackStack' were failing (with error
"XXX() takes Y argument (Z given)") before
the function '_PyArg_NoStackKeywords()' was called.
Thus, the latter did not raise its more meaningful
error : "XXX() takes no keyword arguments".
2017-06-10 07:51:48 +03:00
Chandan Kumar 63c2c8ac17 bpo-19180: Updated references for RFC 1750, RFC 3280 & RFC 4366 (GH-148)
* RFC 1750 has been been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
2017-06-09 19:43:58 +10:00
Victor Stinner 259f0e4437 Run Argument Clinic: METH_VARARGS=>METH_FASTCALL
Issue #29286. Run Argument Clinic to get the new faster METH_FASTCALL calling
convention for functions using only positional arguments.
2017-01-17 01:35:17 +01:00
Victor Stinner 3e1fad6913 Rename _PyArg_ParseStack to _PyArg_ParseStackAndKeywords
Issue #29286.
2017-01-17 01:29:01 +01:00
Victor Stinner 37e4ef7b17 Issue #27810: Rerun Argument Clinic on all modules 2016-09-09 20:00:13 -07:00
Christian Heimes 25bfcd5d9e Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers. 2016-09-06 00:04:45 +02:00
Serhiy Storchaka 9171a8b4ce Issue #27574: Decreased an overhead of parsing keyword arguments in functions
implemented with using Argument Clinic.
2016-08-14 10:52:18 +03:00
Serhiy Storchaka 2954f83999 - Issue #27332: Fixed the type of the first argument of module-level functions
generated by Argument Clinic.  Patch by Petr Viktorin.
2016-07-07 18:20:03 +03:00
Serhiy Storchaka 1a2b24f02d Issue #27332: Fixed the type of the first argument of module-level functions
generated by Argument Clinic.  Patch by Petr Viktorin.
2016-07-07 17:35:15 +03:00
Benjamin Peterson 50600a78cb merge 3.5 (#24557) 2016-07-06 23:58:16 -07:00
Benjamin Peterson b8a2f51ceb assume egd unless OPENSSL_NO_EGD is defined—remove configure check (closes #24557) 2016-07-06 23:55:15 -07:00
Serhiy Storchaka 5dee6551e2 Issue #26305: Argument Clinic now uses braces in C code as required by PEP 7. 2016-06-09 16:16:06 +03:00
Serhiy Storchaka 4b7b82f133 Issue #20179: Converted the _ssl module to Argument Clinic. 2015-05-03 16:14:08 +03:00