diff options
| author | Christian Heimes <christian@cheimes.de> | 2013-12-02 01:41:19 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@cheimes.de> | 2013-12-02 01:41:19 (GMT) |
| commit | 1aa9a75fbff2333fd07574e3de8710c629483258 (patch) | |
| tree | 0585216be74d60429cdeca7e3d54201dca78206e /Modules/_ssl.c | |
| parent | 6e6429a2cdad9ed9698013aca0066e23745a1132 (diff) | |
| download | cpython-1aa9a75fbff2333fd07574e3de8710c629483258.zip cpython-1aa9a75fbff2333fd07574e3de8710c629483258.tar.gz cpython-1aa9a75fbff2333fd07574e3de8710c629483258.tar.bz2 | |
Issue #19509: Add SSLContext.check_hostname to match the peer's certificate
with server_hostname on handshake.
Diffstat (limited to 'Modules/_ssl.c')
| -rw-r--r-- | Modules/_ssl.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 08627b6..6b0d67a 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -214,6 +214,7 @@ typedef struct { #ifndef OPENSSL_NO_TLSEXT PyObject *set_hostname; #endif + int check_hostname; } PySSLContext; typedef struct { @@ -2050,6 +2051,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) #ifndef OPENSSL_NO_TLSEXT self->set_hostname = NULL; #endif + /* Don't check host name by default */ + self->check_hostname = 0; /* Defaults */ SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_options(self->ctx, @@ -2231,6 +2234,12 @@ set_verify_mode(PySSLContext *self, PyObject *arg, void *c) "invalid value for verify_mode"); return -1; } + if (mode == SSL_VERIFY_NONE && self->check_hostname) { + PyErr_SetString(PyExc_ValueError, + "Cannot set verify_mode to CERT_NONE when " + "check_hostname is enabled."); + return -1; + } SSL_CTX_set_verify(self->ctx, mode, NULL); return 0; } @@ -2304,6 +2313,30 @@ set_options(PySSLContext *self, PyObject *arg, void *c) return 0; } +static PyObject * +get_check_hostname(PySSLContext *self, void *c) +{ + return PyBool_FromLong(self->check_hostname); +} + +static int +set_check_hostname(PySSLContext *self, PyObject *arg, void *c) +{ + int check_hostname; + if (!PyArg_Parse(arg, "p", &check_hostname)) + return -1; + if (check_hostname && + SSL_CTX_get_verify_mode(self->ctx) == SSL_VERIFY_NONE) { + PyErr_SetString(PyExc_ValueError, + "check_hostname needs a SSL context with either " + "CERT_OPTIONAL or CERT_REQUIRED"); + return -1; + } + self->check_hostname = check_hostname; + return 0; +} + + typedef struct { PyThreadState *thread_state; PyObject *callable; @@ -3093,6 +3126,8 @@ get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds) static PyGetSetDef context_getsetlist[] = { + {"check_hostname", (getter) get_check_hostname, + (setter) set_check_hostname, NULL}, {"options", (getter) get_options, (setter) set_options, NULL}, #ifdef HAVE_OPENSSL_VERIFY_PARAM |