summaryrefslogtreecommitdiffstats
path: root/Modules/_ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* Fix typo in a comment in Modules/_ssl.c: s/validata/validate/ (GH-27993) ↵Miss Islington (bot)2021-08-271-1/+1
| | | | | | | (GH-27998) (cherry picked from commit 28db1f61f20352c02e4ae1518e5aeb6505df3045) Co-authored-by: Adam Dangoor <adamdangoor@gmail.com>
* [3.9] bpo-43920: Make load_verify_locations(cadata) error message consistent ↵Christian Heimes2021-04-231-7/+16
| | | | | | | | (GH-25554) (GH-25555) Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit b9ad88be0304136c3fe5959c65a5d2c75490cd80) Co-authored-by: Christian Heimes <christian@python.org>
* [3.9] bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899) ↵Christian Heimes2021-04-171-0/+5
| | | | | | | | | | | (GH-25451) Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit b467d9a24011992242c95d9157d3455f8a84466b) Co-authored-by: Christian Heimes <christian@python.org>
* [3.9] bpo-43799: OpenSSL 3.0.0: declare OPENSSL_API_COMPAT 1.1.1 (GH-25329) ↵Miss Islington (bot)2021-04-131-19/+14
| | | | | | | | | | | (GH-25382) Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit a4833883c9b81b6b272cc7c5b67fa1658b65304c) Co-authored-by: Christian Heimes <christian@python.org> Automerge-Triggered-By: GH:tiran
* [3.9] bpo-43788: Generate version specific _ssl_data.h (GH-25300) (GH-25310)Christian Heimes2021-04-091-0/+6
| | | | | (cherry picked from commit 150af7543214e1541fa582374502ac1cd70e8eb4) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)Miss Islington (bot)2021-04-091-0/+8
| | | | | | Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-43789: OpenSSL 3.0.0 Don't call passwd callback again in error case ↵Miss Islington (bot)2021-04-091-0/+7
| | | | | | | (GH-25303) (cherry picked from commit d3b73f32ef7c693a6ae8c54eb0e62df3b5315caf) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-43577: Fix deadlock with SSLContext._msg_callback and sni_callback ↵Miss Islington (bot)2021-03-211-0/+5
| | | | | | | | | | | | | | | (GH-24957) OpenSSL copies the internal message callback from SSL_CTX->msg_callback to SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback to use the callback value of the new context. PySSL_set_context() now resets the callback and _PySSL_msg_callback() resets thread state in error path. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 77cde5042a2f1eae489c11a67540afaf43cd5cdf) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-42144: Add a missing "goto error;" in the _ssl module (GH-22959)Miss Skeleton (bot)2020-10-251-0/+1
| | | | | (cherry picked from commit c32f2976b8f4034724c3270397aa16f38daf470f) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* bpo-31122: ssl.wrap_socket() now raises ssl.SSLEOFError rather than OSError ↵Miss Islington (bot)2020-08-151-4/+5
| | | | | | | | | | when peer closes connection during TLS negotiation (GH-18772) [bpo-31122](): ssl.wrap_socket() now raises ssl.SSLEOFError rather than OSError when peer closes connection during TLS negotiation Reproducer: http://tiny.cc/f4ztnz (tiny url because some bot keeps renaming b.p.o.-nnn as bpo links) (cherry picked from commit 495bd035662fda29639f9d52bb6baebea31d72fa) Co-authored-by: Dima Tisnek <dimaqq@gmail.com>
* bpo-41252: Fix incorrect refcounting in _ssl.c's _servername_callback() ↵Miss Islington (bot)2020-07-091-1/+2
| | | | | | | (GH-21407) (cherry picked from commit ee96f32ca24779656d3c8736d26671fc3689f0a3) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* closes bpo-41235: Fix the error handling in SSLContext.load_dh_params() ↵Miss Islington (bot)2020-07-081-2/+4
| | | | | | | (GH-21385) (cherry picked from commit aebc0495572c5bb85d2bd97d27cf93ab038b5a6a) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)Miss Islington (bot)2020-06-011-11/+45
| | | | | | | | | | | | Fix :mod:`ssl`` code to be compatible with OpenSSL 1.1.x builds that use ``no-deprecated`` and ``--api=1.1.0``. Note: Tests assume full OpenSSL API and fail with limited API. Signed-off-by: Christian Heimes <christian@python.org> Co-authored-by: Mark Wright <gienah@gentoo.org> (cherry picked from commit a871f692b4a2e6c7d45579693e787edc0af1a02c) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862)Christian Heimes2020-05-161-34/+27
| | | | | | | | | | | OpenSSL can be build without support for TLS 1.0 and 1.1. The ssl module now correctly adheres to OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 flags. Also update multissltest to test with latest OpenSSL and LibreSSL releases. Signed-off-by: Christian Heimes <christian@python.org> Automerge-Triggered-By: @tiran
* bpo-40515: Require OPENSSL_THREADS (GH-19953)Christian Heimes2020-05-151-1/+5
| | | | | | | The ``ssl`` and ``hashlib`` modules now actively check that OpenSSL is build with thread support. Python 3.7.0 made thread support mandatory and no longer works safely with a no-thread builds. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40268: Remove explicit pythread.h includes (#19529)Victor Stinner2020-04-151-2/+0
| | | | Remove explicit pythread.h includes: it is always included by Python.h.
* bpo-39943: Add the const qualifier to pointers on non-mutable PyBytes data. ↵Serhiy Storchaka2020-04-121-1/+1
| | | | (GH-19472)
* bpo-39573: Clean up modules and headers to use Py_IS_TYPE() function (GH-18521)Dong-hee Na2020-02-171-3/+3
|
* bpo-39272: Remove dead assignment from ↵Alex Henrie2020-01-091-1/+0
| | | | _ssl__SSLContext_load_verify_locations_impl (GH-17916)
* bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190)Christian Heimes2019-12-071-1/+48
| | | | | | | | | | test_openssl_version now accepts version 3.0.0. getpeercert() no longer returns IPv6 addresses with a trailing new line. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38820
* bpo-37206: Unrepresentable default values no longer represented as None. ↵Serhiy Storchaka2019-09-141-8/+8
| | | | | | | (GH-13933) In ArgumentClinic, value "NULL" should now be used only for unrepresentable default values (like in the optional third parameter of getattr). "None" should be used if None is accepted as argument and passing None has the same effect as not passing the argument at all.
* bpo-35941: Fix performance regression in new code (GH-12610)Christian Heimes2019-09-091-28/+27
| | | | | | | | Accumulate certificates in a set instead of doing a costly list contain operation. A Windows cert store can easily contain over hundred certificates. The old code would result in way over 5,000 comparison operations Signed-off-by: Christian Heimes <christian@python.org>
* bpo-37702: Fix SSL's certificate-store leak on Windows (GH-15632)neonene2019-09-091-0/+1
| | | | | ssl_collect_certificates function in _ssl.c has a memory leak. Calling CertOpenStore() and CertAddStoreToCollection(), a store's refcnt gets incremented by 2. But CertCloseStore() is called only once and the refcnt leaves 1.
* Replace usage of the obscure PEM_read_bio_X509_AUX with the more standard ↵Alex Gaynor2019-08-151-1/+1
| | | | | | | PEM_read_bio_X509 (GH-15303) X509_AUX is an odd, note widely used, OpenSSL extension to the X509 file format. This function doesn't actually use any of the extra metadata that it parses, so just use the standard API. Automerge-Triggered-By: @tiran
* bpo-37648: Fixed minor inconsistency in some __contains__. (GH-14904)Serhiy Storchaka2019-08-041-2/+1
| | | | | The collection's item is now always at the left and the needle is on the right of ==.
* bpo-37120: Fix _ssl get_num_tickets() (GH-14668)Victor Stinner2019-07-091-1/+1
| | | | | | | Replace PyLong_FromLong() with PyLong_FromSize_t(): SSL_CTX_get_num_tickets() return type is size_t. https://bugs.python.org/issue37120
* bpo-37428: Don't set PHA verify flag on client side (GH-14421)Christian Heimes2019-07-011-17/+26
| | | | | | | | | | | | SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the option is documented as ignored for clients, OpenSSL implicitly enables cert chain validation when the flag is set. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue37428
* bpo-37120: Add SSLContext.num_tickets (GH-13719)Christian Heimes2019-06-031-0/+37
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-34271: Add ssl debugging helpers (GH-10031)Christian Heimes2019-05-311-11/+93
| | | | | | | | | | | The ssl module now can dump key material to a keylog file and trace TLS protocol messages with a tracing callback. The default and stdlib contexts also support SSLKEYLOGFILE env var. The msg_callback and related enums are private members. The feature is designed for internal debugging and not for end users. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-339827: Do not swallow exceptions in the _ssl module. (GH-12756)Serhiy Storchaka2019-05-311-37/+52
|
* bpo-36974: tp_print -> tp_vectorcall_offset and tp_reserved -> tp_as_async ↵Jeroen Demeyer2019-05-311-8/+8
| | | | | | | | | (GH-13464) Automatically replace tp_print -> tp_vectorcall_offset tp_compare -> tp_as_async tp_reserved -> tp_as_async
* bpo-35926: Add support for OpenSSL 1.1.1b on Windows (GH-11779)Paul Monson2019-05-151-1/+1
|
* bpo-36641: Add "const" to PyDoc_VAR macro (GH-12854)Inada Naoki2019-04-161-1/+1
| | | It reduces "data" segment in python about 200KB.
* bpo-35941: Fix ssl certificate enumeration for windows (GH-12486)kctherookie2019-03-281-20/+89
| | | Add a function to collect certificates from several certificate stores into one certificate collection store that is then enumerated. This ensures we load as many certificates as we can access.
* bpo-36254: Fix invalid uses of %d in format strings in C. (GH-12264)Serhiy Storchaka2019-03-131-1/+1
|
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569)Christian Heimes2019-01-151-0/+4
| | | | | | | | | | | Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746
* bpo-35504: Fix segfaults and SystemErrors when deleting certain attrs. ↵Zackery Spytz2018-12-171-0/+4
| | | | (GH-11175)
* bpo-35436: Add missing PyErr_NoMemory() calls and other minor bug fixes. ↵Zackery Spytz2018-12-071-0/+13
| | | | | | (GH-11015) Set MemoryError when appropriate, add missing failure checks, and fix some potential leaks.
* bpo-35059: Cleanup usage of Python macros (GH-10648)Victor Stinner2018-11-221-3/+6
| | | | | | | | | | | | | Don't pass complex expressions but regular variables to Python macros. * _datetimemodule.c: split single large "if" into two "if" in date_new(), time_new() and datetime_new(). * _pickle.c, load_extension(): flatten complex "if" expression into more regular C code. * _ssl.c: addbool() now uses a temporary bool_obj to only evaluate the value once. * weakrefobject.c: replace "Py_INCREF(result = proxy);" with "result = proxy; Py_INCREF(result);"
* bpo-34824: Fix a possible NULL pointer dereference in _ssl.c (GH-9606)Zackery Spytz2018-10-061-2/+7
| | | | | | | On failure, _PyBytes_Resize() will deallocate the bytes object and set "result" to NULL. https://bugs.python.org/issue34824
* bpo-34906: Doc: Fix typos (GH-9712)Stéphane Wirtel2018-10-051-1/+1
|
* bpo-34670: Add TLS 1.3 post handshake auth (GH-9460)Christian Heimes2018-09-231-8/+92
| | | | | | | | | | Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake authentication. Signed-off-by: Christian Heimes <christian@python.org>q https://bugs.python.org/issue34670
* bpo-34759: Fix error handling in ssl 'unwrap()' (GH-9468)Nathaniel J. Smith2018-09-221-2/+2
| | | | | | | | | | | | | | | OpenSSL follows the convention that whenever you call a function, it returns an error indicator value; and if this value is negative, then you need to go look at the actual error code to see what happened. Commit c6fd1c1c3a introduced a small mistake in _ssl__SSLSocket_shutdown_impl: instead of checking whether the error indicator was negative, it started checking whether the actual error code was negative, and it turns out that the error codes are never negative. So the effect was that 'unwrap()' lost the ability to raise SSL errors. https://bugs.python.org/issue34759
* bpo-32533: Fixed thread-safety of error handling in _ssl. (GH-7158)Steve Dower2018-09-171-60/+68
|
* bpo-34710: fix SSL module build (GH-9347)Alexandru Ardelean2018-09-171-0/+1
| | | | | | Include ``openssl/dh.h`` header file to fix implicit function declaration of ``DH_free()``. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* bpo-31432: Revert unrelated code changes to _ssl.c and test_ssl (GH-7650)Ned Deily2018-06-121-2/+2
|
* bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)Christian Heimes2018-06-111-2/+2
| | | | | | | | | The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were misleading and partly wrong. It fails to explain that OpenSSL behaves differently in client and server mode. Also OpenSSL does validate the cert chain everytime. With SSL_VERIFY_NONE a validation error is not fatal in client mode and does not request a client cert in server mode. Also discourage people from using CERT_OPTIONAL in client mode.
* Remove an unneeded call into OpenSSL (GH-6887)Alex Gaynor2018-05-161-1/+0
|
* bpo-32257: Add ssl.OP_NO_RENEGOTIATION (GH-5904)Christian Heimes2018-05-151-0/+4
| | | | | | | | The ssl module now contains OP_NO_RENEGOTIATION constant, available with OpenSSL 1.1.0h or 1.1.1. Note, OpenSSL 1.1.0h hasn't been released yet. Signed-off-by: Christian Heimes <christian@python.org>
* Fixed an unused variable warning introduced in GH-6800 (GH-6816)Alex Gaynor2018-05-141-1/+0
|
generated by cgit v0.12 at 2024-11-28 01:31:57 (GMT)