path: root/Modules/_ssl.c
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
  Christian Heimes, 2017-09-15, 1 file changed, -4/+4 lines
  Signed-off-by: Christian Heimes <christian@python.org>
* _ssl_: Fix compiler warning (#3559)
  Victor Stinner, 2017-09-14, 1 file changed, -1/+1 lines
  Cast Py_buffer.len (Py_ssize_t, signed) to size_t (unsigned) to prevent the following warning:
  Modules/_ssl.c:3089:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
* bpo-31400: Improve SSL error handling on Windows (#3463)
  Steve Dower, 2017-09-08, 1 file changed, -10/+48 lines
  * bpo-31392: Improve SSL error handling on Windows
  * Remove unnecessary Windows mention in NEWS
* bpo-28182: restore backwards compatibility (#3464)
  Christian Heimes, 2017-09-08, 1 file changed, -0/+5 lines
  b3ad0e5 broke backwards compatibility with OpenSSL < 1.0.2.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-28182: Expose OpenSSL verification results (#3412)
  Christian Heimes, 2017-09-08, 1 file changed, -17/+91 lines
  The SSL module now raises SSLCertVerificationError when OpenSSL fails to verify the peer's certificate. The exception contains more information about the error.
  Original patch by Chi Hsuan Yen
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
  Christian Heimes, 2017-09-08, 1 file changed, -0/+13 lines
  * bpo-29136: Add TLS 1.3 support

  TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites.

  Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now.

  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-28958: Improve SSLContext error reporting. (#3414)
  Christian Heimes, 2017-09-07, 1 file changed, -2/+1 lines
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31370: Remove support for threads-less builds (#3385)
  Antoine Pitrou, 2017-09-07, 1 file changed, -29/+1 lines
  * Remove Setup.config
  * Always define WITH_THREAD for compatibility.
* bpo-29781: Fix SSLObject.version before handshake (#3364)
  Christian Heimes, 2017-09-06, 1 file changed, -0/+4 lines
  SSLObject.version() now correctly returns None when handshake over BIO has not been performed yet.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-30102: Call OPENSSL_add_all_algorithms_noconf (#3112)
  Christian Heimes, 2017-09-05, 1 file changed, -1/+5 lines
  The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on OpenSSL < 1.1.0. The function detects CPU features and enables optimizations on some CPU architectures such as POWER8.
  Patch is based on research from Gustavo Serra Scalet.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-30502: Fix handling of long oids in ssl. (#2909)
  Serhiy Storchaka, 2017-09-04, 1 file changed, -43/+47 lines
* bpo-30622: Change NPN detection: (#2079)
  Melvyn Sopacua, 2017-09-04, 1 file changed, -7/+9 lines
  * Change NPN detection:

  Version breakdown, support disabled (pre-patch/post-patch):
  - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

  Version breakdown support enabled (pre-patch/post-patch):
  - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
  - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
  - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

  * Refine NPN guard:
  - If NPN is disabled, but ALPN is available we need our callback
  - Make clinic's ssl behave the same way

  This created a working ssl module for me, with NPN disabled and ALPN enabled for OpenSSL 1.1.0f.

  Concerns to address:
  The initial commit for NPN support into OpenSSL [1], had the OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG guard. The question is if that ever made it into a release. This would need an ugly hack, something like:

  #if defined(OPENSSL_NO_NEXTPROTONEG) && \
      !defined(OPENSSL_NPN_NEGOTIATED)
  # define OPENSSL_NPN_UNSUPPORTED 0
  # define OPENSSL_NPN_NEGOTIATED 1
  # define OPENSSL_NPN_NO_OVERLAP 2
  #endif

  [1] https://github.com/openssl/openssl/commit/68b33cc5c7
* bpo-31095: fix potential crash during GC (GH-2974)
  INADA Naoki, 2017-08-24, 1 file changed, -0/+3 lines
* bpo-9566: Fixed _ssl module warnings (#2495)
  Segev Finer, 2017-07-26, 1 file changed, -6/+13 lines
  * bpo-9566: Fixed some _ssl warnings
  * bpo-9566: _ssl: Fixup the fixes and also fix the remaining warnings
  * Add a comment about the downcast
* [bpo-30916] Pre-build OpenSSL and Tcl/Tk for Windows (#2688)
  Steve Dower, 2017-07-17, 1 file changed, -1/+37 lines
  Updates ssl and tkinter projects to use pre-built externals
* Regenerate Argument Clinic code for bpo-19180. (#2073)
  Serhiy Storchaka, 2017-06-10, 1 file changed, -1/+1 lines
* bpo-19180: Updated references for RFC 1750, RFC 3280 & RFC 4366 (GH-148)
  Chandan Kumar, 2017-06-09, 1 file changed, -1/+1 lines
  * RFC 1750 has been obsoleted by RFC 4086.
  * RFC 3280 has been obsoleted by RFC 5280.
  * RFC 4366 has been obsoleted by RFC 6066.
* bpo-30594: Fixed refcounting in newPySSLSocket (#1992)
  Nathaniel J. Smith, 2017-06-08, 1 file changed, -2/+1 lines
  If you pass a server_hostname= that fails IDNA decoding to SSLContext.wrap_socket or SSLContext.wrap_bio, then the SSLContext object had a spurious Py_DECREF called on it, eventually leading to segfaults.
* Simplify X.509 extension handling code (#1855)
  Alex Gaynor, 2017-06-06, 1 file changed, -30/+4 lines
  * Simplify X.509 extension handling code
  The previous implementation had grown organically over time, as OpenSSL's API evolved.
  * Delete even more code
* bpo-29334: Fix ssl.getpeercert for auto-handshake (#1769)
  Christian Heimes, 2017-05-23, 1 file changed, -19/+11 lines
  Drop handshake_done and peer_cert members from PySSLSocket struct. The peer certificate can be acquired from *SSL directly. SSL_get_peer_certificate() does not trigger any network activity. Instead of manually tracking the handshake state, simply use SSL_is_init_finished().
  In combination these changes fix auto-handshake for non-blocking MemoryBIO connections.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-30022: Get rid of using EnvironmentError and IOError (except test… (#1051)
  Serhiy Storchaka, 2017-04-16, 1 file changed, -3/+3 lines
* bpo-29738: Fix memory leak in _get_crl_dp (GH-526)
  Olivier Vielpeau, 2017-04-15, 1 file changed, -7/+1 lines
  * Remove conditional on free of `dps`, since `dps` is now allocated for all versions of OpenSSL
  * Remove call to `x509_check_ca` since it was only used to cache the `crldp` field of the certificate
  CRL_DIST_POINTS_free is available in all supported versions of OpenSSL (recent 0.9.8+) and LibreSSL.
* bpo-6532: Make the thread id an unsigned integer. (#781)
  Serhiy Storchaka, 2017-03-23, 1 file changed, -2/+1 lines
  * bpo-6532: Make the thread id an unsigned integer.
  From C API side the type of results of PyThread_start_new_thread() and PyThread_get_thread_ident(), the id parameter of PyThreadState_SetAsyncExc(), and the thread_id field of PyThreadState changed from "long" to "unsigned long".
  * Restore a check in thread_get_ident().
* bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-395)
  Donald Stufft, 2017-03-02, 1 file changed, -2/+2 lines
* Issue #28999: Use Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE wherever possible.
  Serhiy Storchaka, 2017-01-23, 1 file changed, -4/+2 lines
  Patch is written with Coccinelle.
* Use _PyObject_CallNoArg()
  Victor Stinner, 2016-12-06, 1 file changed, -1/+1 lines
  Replace:
      PyObject_CallFunctionObjArgs(callable, NULL)
  with:
      _PyObject_CallNoArg(callable)
* Backed out changeset b9c9691c72c5
  Victor Stinner, 2016-12-04, 1 file changed, -1/+1 lines
  Issue #28858: The change b9c9691c72c5 introduced a regression. It seems like _PyObject_CallArg1() uses more stack memory than PyObject_CallFunctionObjArgs().
* Replace PyObject_CallFunctionObjArgs() with fastcall
  Victor Stinner, 2016-12-01, 1 file changed, -1/+1 lines
  * PyObject_CallFunctionObjArgs(func, NULL) => _PyObject_CallNoArg(func)
  * PyObject_CallFunctionObjArgs(func, arg, NULL) => _PyObject_CallArg1(func, arg)

  PyObject_CallFunctionObjArgs() allocates 40 bytes on the C stack and requires extra work to "parse" C arguments to build a C array of PyObject*. _PyObject_CallNoArg() and _PyObject_CallArg1() are simpler and don't allocate memory on the C stack.

  This change is part of the fastcall project. The change on listsort() is related to the issue #23507.
* Typo
  Christian Heimes, 2016-09-24, 1 file changed, -1/+1 lines
* Finish GC code for SSLSession and increase test coverage
  Christian Heimes, 2016-09-24, 1 file changed, -4/+9 lines
* Issue #28188: Use PyMem_Calloc() to get rid of a type-limits warning and an extra memset() call in _ssl.c.
  Christian Heimes, 2016-09-13, 1 file changed, -3/+2 lines
* Issue #27866: Fix refleak in cipher_to_dict()
  Victor Stinner, 2016-09-12, 1 file changed, -12/+1 lines
* Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext
  Christian Heimes, 2016-09-11, 1 file changed, -21/+59 lines
* Issue #19500: Add client-side SSL session resumption to the ssl module.
  Christian Heimes, 2016-09-10, 1 file changed, -2/+370 lines
* Issue 28043: SSLContext has improved default settings
  Christian Heimes, 2016-09-10, 1 file changed, -0/+31 lines
  The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
  Christian Heimes, 2016-09-06, 1 file changed, -1/+34 lines
* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
  Christian Heimes, 2016-09-06, 1 file changed, -1/+34 lines
* Issue #26470: Use short name rather than name for compression name to fix #27958.
  Christian Heimes, 2016-09-05, 1 file changed, -6/+1 lines
* Issue #26470: Use short name rather than name for compression name to fix #27958.
  Christian Heimes, 2016-09-05, 1 file changed, -6/+1 lines
* Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers.
  Christian Heimes, 2016-09-05, 1 file changed, -0/+117 lines
* Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.
  Christian Heimes, 2016-09-05, 1 file changed, -45/+136 lines
* Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.
  Christian Heimes, 2016-09-05, 1 file changed, -45/+136 lines
* merge 3.5 (#27773)
  Benjamin Peterson, 2016-08-16, 1 file changed, -6/+4 lines
* fix corner cases in the management of server_hostname (closes #27773)
  Benjamin Peterson, 2016-08-16, 1 file changed, -6/+4 lines
* Merge 3.5 (INVALID_SOCKET)
  Victor Stinner, 2016-07-22, 1 file changed, -2/+6 lines
* socket: use INVALID_SOCKET
  Victor Stinner, 2016-07-22, 1 file changed, -2/+6 lines
  * Replace "fd = -1" with "fd = INVALID_SOCKET"
  * Replace "fd < 0" with "fd == INVALID_SOCKET": SOCKET_T is unsigned on Windows
  Bug found by Pavel Belikov ("Fragment N1"): http://www.viva64.com/en/b/0414/#ID0ECDAE
* Issue #23804: Merge SSL recv() fix from 3.5
  Martin Panter, 2016-07-11, 1 file changed, -0/+8 lines
* Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF
  Martin Panter, 2016-07-11, 1 file changed, -0/+8 lines
* - Issue #27332: Fixed the type of the first argument of module-level functions generated by Argument Clinic. Patch by Petr Viktorin.
  Serhiy Storchaka, 2016-07-07, 1 file changed, -22/+22 lines
* Issue #27332: Fixed the type of the first argument of module-level functions generated by Argument Clinic. Patch by Petr Viktorin.
  Serhiy Storchaka, 2016-07-07, 1 file changed, -22/+22 lines