author | Christian Heimes <christian@cheimes.de> | 2013-11-21 22:56:13 (GMT) |
---|---|---|
committer | Christian Heimes <christian@cheimes.de> | 2013-11-21 22:56:13 (GMT) |
commit | 225877917e002df4b2d87e965ddd30226aa209ec (patch) | |
tree | 490f75626736e430908c8d1550a91f91c69b7fd7 /Modules/_ssl.c | |
parent | e079eddf2117c0af2724fcd39df639ec60c07c64 (diff) | |
Issue #8813: Add SSLContext.verify_flags to change the verification flags
of the context in order to enable certificate revocation list (CRL)
checks or strict X509 rules.
Diffstat (limited to 'Modules/_ssl.c')
-rw-r--r-- | Modules/_ssl.c | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 3a72530..634eea5 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2231,6 +2231,44 @@ set_verify_mode(PySSLContext *self, PyObject *arg, void *c)
 }
 static PyObject *
+get_verify_flags(PySSLContext *self, void *c)
+{
+ X509_STORE *store;
+ unsigned long flags;
+
+ store = SSL_CTX_get_cert_store(self->ctx);
+ flags = X509_VERIFY_PARAM_get_flags(store->param);
+ return PyLong_FromUnsignedLong(flags);
+}
+
+static int
+set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
+{
+ X509_STORE *store;
+ unsigned long new_flags, flags, set, clear;
+
+ if (!PyArg_Parse(arg, "k", &new_flags))
+ return -1;
+ store = SSL_CTX_get_cert_store(self->ctx);
+ flags = X509_VERIFY_PARAM_get_flags(store->param);
+ clear = flags & ~new_flags;
+ set = ~flags & new_flags;
+ if (clear) {
+ if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return -1;
+ }
+ }
+ if (set) {
+ if (!X509_VERIFY_PARAM_set_flags(store->param, set)) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static PyObject *
 get_options(PySSLContext *self, void *c)
 {
 return PyLong_FromLong(SSL_CTX_get_options(self->ctx));
@@ -3048,6 +3086,8 @@ get_ca_certs(PySSLContext *self, PyObject *args)
 static PyGetSetDef context_getsetlist[] = {
 {"options", (getter) get_options,
 (setter) set_options, NULL},
+ {"verify_flags", (getter) get_verify_flags,
+ (setter) set_verify_flags, NULL},
 {"verify_mode", (getter) get_verify_mode,
 (setter) set_verify_mode, NULL},
 {NULL}, /* sentinel */
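Review bot: In set_verify_flags a failure of the `X509_VERIFY_PARAM_set_flags` call returns -1 after `X509_VERIFY_PARAM_clear_flags` has already succeeded, so the store is left with the old bits cleared and the new ones not applied, and a caller reading `verify_flags` afterwards sees neither the previous nor the requested value. In the OpenSSL releases this code targets both calls appear to return 1 unconditionally, so the branch is unlikely to be reached, but the error path should say so: `/* clear_flags already succeeded; a set_flags failure leaves the old bits cleared */`. Neither new function has a header comment; get_verify_flags deserves one describing where the flags live, e.g. `/* Verification flags are kept on the context's X509_STORE param, which OpenSSL merges into each chain verification; confirm for the OpenSSL version in use. */`. It is also worth noting at the setter that the CRL-check flags make verification fail rather than be skipped when no CRL has been loaded, which is the fail-closed behaviour callers should expect.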
@@ -3761,6 +3801,15 @@ PyInit__ssl(void)
 PY_SSL_CERT_OPTIONAL);
 PyModule_AddIntConstant(m, "CERT_REQUIRED",
 PY_SSL_CERT_REQUIRED);
+ /* CRL verification for verification_flags */
+ PyModule_AddIntConstant(m, "VERIFY_DEFAULT",
+ 0);
+ PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_LEAF",
+ X509_V_FLAG_CRL_CHECK);
+ PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_CHAIN",
+ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
+ X509_V_FLAG_X509_STRICT);
 #ifdef _MSC_VER
 /* Windows dwCertEncodingType */ |
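Review bot: The comment added above the new constants refers to `verification_flags`, but the attribute registered in context_getsetlist is `verify_flags`, so a reader searching for the attribute name will not find these constants; change it to `/* X509 verification flags for SSLContext.verify_flags */`. It is also worth recording next to `VERIFY_CRL_CHECK_CHAIN` that it is a composite of two OpenSSL bits, since get_verify_flags reports the raw bit mask and a caller comparing for equality against a single constant will be surprised. PyInit__ssl begins and ends outside the hunk.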