| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#108406)
* In preauth tests of test_ssl, explicitly break reference cycles
invoving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catchs TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
flaw (#108318)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GH-25309 enabled SSL_OP_IGNORE_UNEXPECTED_EOF by default, with a comment
that it restores OpenSSL 1.1.1 behavior, but this wasn't quite right.
That option causes OpenSSL to treat transport EOF as the same as
close_notify (i.e. SSL_ERROR_ZERO_RETURN), whereas Python actually has
distinct SSLEOFError and SSLZeroReturnError exceptions. (The latter is
usually mapped to a zero return from read.) In OpenSSL 1.1.1, the ssl
module would raise them for transport EOF and close_notify,
respectively. In OpenSSL 3.0, both act like close_notify.
Fix this by, instead, just detecting SSL_R_UNEXPECTED_EOF_WHILE_READING
and mapping that to the other exception type.
There doesn't seem to have been any unit test of this error, so fill in
the missing one. This had to be done with the BIO path because it's
actually slightly tricky to simulate a transport EOF with Python's fd
based APIs. (If you instruct the server to close the socket, it gets
confused, probably because the server's SSL object is still referencing
the now dead fd?)
(cherry picked from commit 420bbb783b43216cc897dc8914851899db37a31d)
Co-authored-by: David Benjamin <davidben@google.com>
|
| |
|
|
|
|
|
|
| |
(GH-96932) (#102919)
gh-96931: Fix incorrect results in ssl.SSLSocket.shared_ciphers (GH-96932)
(cherry picked from commit af9c34f6ef8dceb21871206eb3e4d350f6e3d3dc)
Co-authored-by: Benjamin Fogle <benfogle@gmail.com>
|
| |
|
|
|
| |
(cherry picked from commit 565403038b75eb64ea483b2757ba30769246d853)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
| |
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
| |
(cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of explicitly enumerate test classes for run_unittest()
use the unittest ability to discover tests. This also makes these
tests discoverable and runnable with unittest.
load_tests() can be used for dynamic generating tests and adding
doctests. setUpModule(), tearDownModule() and addModuleCleanup()
can be used for running code before and after all module tests.
(cherry picked from commit 40348acc180580371d25f75f46b27048e35f2435)
|
| |
|
|
|
|
|
|
| |
(GH-27380)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 11749e2dc20ad6a76e9a39e948853e89b2b4bbed)
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
| |
|
| |
* [Enum] revert enum module to 3.9
|
| |
|
|
|
|
|
|
| |
tests (GH-26905) (GH-26907)
(cherry picked from commit 22e7effad571f8e524d2f71ff55bbf2a25306753)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit b5a52eef67997246b4235b5407e52a01e822ce56)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
|
| |
|
|
|
|
|
|
|
| |
(GH-26885)
(cherry picked from commit 4f725261c6cf23d259e8fdc205e12b76ef4d2d31, fbff5387c3e1f3904420fa5a27738c6c5881305b, and 8cec740820fc875117bfa7b6bdb10202ebeb8fd5)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
Automerge-Triggered-By: GH:vstinner
|
| |
|
|
|
|
| |
`ssl.SSL_NO_TLS` should be `ssl.OP_NO_TLS`.
(cherry picked from commit c544393b89f9b3e2b1a22588fc9ae58019314879)
Co-authored-by: Joe <nigelchiang@outlook.com>
|
| |
|
|
|
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit bf527277d4e4907e32d76ca7ba667ab3149fe258)
Co-authored-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: GH:tiran
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit e26014f1c47d26d6097ff7a0f25384bfbde714a9)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
| |
Fix test_ssl.test_wrong_cert_tls13(): use suppress_ragged_eofs=False,
since read() can raise ssl.SSLEOFError on Windows.
(cherry picked from commit ea0210fa8ccca769896847f25fc6fadfe9a717bc)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
| |
Fix test_pha_required_nocert() of test_ssl: catch two more EOF cases
(when the recv() method returns an empty string).
(cherry picked from commit 320eaa7f42b413cd5e5436ec92d4dc5ba150395f)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
| |
(GH-25850)
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The internal `_ssl._SSLSocket` object now provides methods to retrieve
the peer cert chain and verified cert chain as a list of Certificate
objects. Certificate objects have methods to convert the cert to a dict,
PEM, or DER (ASN.1).
These are private APIs for now. There is a slim chance to stabilize the
approach and provide a public API for 3.10. Otherwise I'll provide a
stable API in 3.11.
Signed-off-by: Christian Heimes <christian@python.org>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Revert 73ea546, increase logging, and improve stability of test.
Handle all OSErrors in a single block. OSError also takes care of
SSLError and socket's connection errors.
Partly reverts commit fb7e750. The
threaded connection handler must not raise an unhandled exception.
|
| |
|
|
| |
Some OS do not support millisecond granularity in select(). Use 100ms
timeout and a server callback with sleep to emulate a slow server.
|
| | |
|
| |
|
|
|
|
|
| |
test_wrong_cert_tls13 sometimes fails on some Windows buildbots. Turn
failing test case into skipped test case until we have more time to
investigate.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
| |
(GH-25554)
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
add:
* `_simple_enum` decorator to transform a normal class into an enum
* `_test_simple_enum` function to compare
* `_old_convert_` to enable checking `_convert_` generated enums
`_simple_enum` takes a normal class and converts it into an enum:
@simple_enum(Enum)
class Color:
RED = 1
GREEN = 2
BLUE = 3
`_old_convert_` works much like` _convert_` does, using the original logic:
# in a test file
import socket, enum
CheckedAddressFamily = enum._old_convert_(
enum.IntEnum, 'AddressFamily', 'socket',
lambda C: C.isupper() and C.startswith('AF_'),
source=_socket,
)
`_test_simple_enum` takes a traditional enum and a simple enum and
compares the two:
# in the REPL or the same module as Color
class CheckedColor(Enum):
RED = 1
GREEN = 2
BLUE = 3
_test_simple_enum(CheckedColor, Color)
_test_simple_enum(CheckedAddressFamily, socket.AddressFamily)
Any important differences will raise a TypeError
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
| |
This reverts commit dbac8f40e81eb0a29dc833e6409a1abf47467da6.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
add:
_simple_enum decorator to transform a normal class into an enum
_test_simple_enum function to compare
_old_convert_ to enable checking _convert_ generated enums
_simple_enum takes a normal class and converts it into an enum:
@simple_enum(Enum)
class Color:
RED = 1
GREEN = 2
BLUE = 3
_old_convert_ works much like _convert_ does, using the original logic:
# in a test file
import socket, enum
CheckedAddressFamily = enum._old_convert_(
enum.IntEnum, 'AddressFamily', 'socket',
lambda C: C.isupper() and C.startswith('AF_'),
source=_socket,
)
test_simple_enum takes a traditional enum and a simple enum and
compares the two:
# in the REPL or the same module as Color
class CheckedColor(Enum):
RED = 1
GREEN = 2
BLUE = 3
_test_simple_enum(CheckedColor, Color)
_test_simple_enum(CheckedAddressFamily, socket.AddressFamily)
Any important differences will raise a TypeError
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-25455)
* ssl.OP_NO_SSLv2
* ssl.OP_NO_SSLv3
* ssl.OP_NO_TLSv1
* ssl.OP_NO_TLSv1_1
* ssl.OP_NO_TLSv1_2
* ssl.OP_NO_TLSv1_3
* ssl.PROTOCOL_SSLv2
* ssl.PROTOCOL_SSLv3
* ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
* ssl.PROTOCOL_TLS
* ssl.PROTOCOL_TLSv1
* ssl.PROTOCOL_TLSv1_1
* ssl.PROTOCOL_TLSv1_2
* ssl.TLSVersion.SSLv3
* ssl.TLSVersion.TLSv1
* ssl.TLSVersion.TLSv1_1
* ssl.wrap_socket()
* ssl.RAND_pseudo_bytes()
* ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
* ssl.SSLContext() without a protocol argument
* ssl.match_hostname()
* hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL
function will stay)
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
| |
The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex``
internally. The functions support reading and writing of data larger
than 2 GB. Writing zero-length data no longer fails with a protocol
violation error.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many servers in the cloud environment require SNI to be used during the
SSL/TLS handshake, therefore it is not possible to fetch their certificates
using the ssl.get_server_certificate interface.
This change adds an additional optional hostname argument that can be used to
set the SNI. Note that it is intentionally a separate argument instead of
using the host part of the addr tuple, because one might want to explicitly
fetch the default certificate or fetch a certificate from a specific IP
address with the specified SNI hostname. A separate argument also works better
for backwards compatibility.
Automerge-Triggered-By: GH:tiran
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests
|
| |
|
|
|
|
| |
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
| |
* Enum: streamline repr() and str(); improve docs
- repr() is now ``enum_class.member_name``
- stdlib global enums are ``module_name.member_name``
- str() is now ``member_name``
- add HOW-TO section for ``Enum``
- change main documentation to be an API reference
|
| |
|
| |
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-24957)
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.
PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
| |
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.
See:
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
| |
Exposes the `X509_V_FLAG_ALLOW_PROXY_CERTS` constant as `ssl.VERIFY_ALLOW_PROXY_CERTS` to allow for proxy certificate validation as described in: https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html
|
| |
|
|
| |
(GH-21684)
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
| |
skip test_min_max_version_mismatch when TLS 1.0 is not available
Signed-off-by: Christian Heimes <christian@python.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Add an accessor under SSLContext.security_level as a wrapper around
SSL_CTX_get_security_level, see:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html
------
This is my first time contributing, so please pull me up on all the things I missed or did incorrectly.
Automerge-Triggered-By: @tiran
|
