diff options
author | Benjamin Peterson <benjamin@python.org> | 2016-01-08 05:37:37 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2016-01-08 05:37:37 (GMT) |
commit | 3b1a8b3bbe2ff77975a13255c23a0f0bb4d55ebe (patch) | |
tree | 7180083bcf76296934a3630f3692803098811df4 /Modules/_ssl.c | |
parent | 03abf6dd98d083cd6db24db75d70457578d80767 (diff) | |
download | cpython-3b1a8b3bbe2ff77975a13255c23a0f0bb4d55ebe.zip cpython-3b1a8b3bbe2ff77975a13255c23a0f0bb4d55ebe.tar.gz cpython-3b1a8b3bbe2ff77975a13255c23a0f0bb4d55ebe.tar.bz2 |
enable SSL_MODE_RELEASE_BUFFERS
Patch by Cory Benfield.
Diffstat (limited to 'Modules/_ssl.c')
-rw-r--r-- | Modules/_ssl.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 8818d26..1c68000 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2219,6 +2219,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) PySSLContext *self; long options; SSL_CTX *ctx = NULL; + unsigned long libver; PySSL_BEGIN_ALLOW_THREADS if (proto_version == PY_SSL_VERSION_TLS1) @@ -2281,6 +2282,22 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) options |= SSL_OP_NO_SSLv3; SSL_CTX_set_options(self->ctx, options); +#if defined(SSL_MODE_RELEASE_BUFFERS) + /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory + usage for no cost at all. However, don't do this for OpenSSL versions + between 1.0.1 and 1.0.1h or 1.0.0 and 1.0.0m, which are affected by CVE + 2014-0198. I can't find exactly which beta fixed this CVE, so be + conservative and assume it wasn't fixed until release. We do this check + at runtime to avoid problems from the dynamic linker. + See #25672 for more on this. */ + libver = SSLeay(); + if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) && + !(libver >= 0x10000000UL && libver < 0x100000dfUL)) { + SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS); + } +#endif + + #ifndef OPENSSL_NO_ECDH /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use prime256v1 by default. This is Apache mod_ssl's initialization |