| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
| |
Cast Py_buffer.len (Py_ssize_t, signed) to size_t (unsigned) to
prevent the following warning:
Modules/_ssl.c:3089:21: warning: comparison between signed and
unsigned integer expressions [-Wsign-compare]
|
|
|
|
|
|
| |
* bpo-31392: Improve SSL error handling on Windows
* Remove unnecessary Windows mention in NEWS
|
|
|
|
|
| |
b3ad0e5 broke backwards compatibility with OpenSSL < 1.0.2.
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
| |
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.
Original patch by Chi Hsuan Yen
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
| |
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
|
|
|
|
|
|
| |
SSLObject.version() now correctly returns None when handshake over BIO has
not been performed yet.
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
| |
The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on
OpenSSL < 1.1.0. The function detects CPU features and enables optimizations
on some CPU architectures such as POWER8. Patch is based on research from
Gustavo Serra Scalet.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Change NPN detection:
Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
* Refine NPN guard:
- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way
This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.
Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:
#if defined(OPENSSL_NO_NEXTPROTONEG) && \
!defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif
[1] https://github.com/openssl/openssl/commit/68b33cc5c7
|
| |
|
|
|
|
|
|
|
|
| |
* bpo-9566: Fixed some _ssl warnings
* bpo-9566: _ssl: Fixup the fixes and also fix the remainings warnings
* Add a comment about the downcast
|
|
|
| |
Updates ssl and tkinter projects to use pre-built externals
|
| |
|
|
|
|
|
| |
* RFC 1750 has been been obsoleted by RFC 4086.
* RFC 3280 has been obsoleted by RFC 5280.
* RFC 4366 has been obsoleted by RFC 6066.
|
|
|
| |
If pass a server_hostname= that fails IDNA decoding to SSLContext.wrap_socket or SSLContext.wrap_bio, then the SSLContext object had a spurious Py_DECREF called on it, eventually leading to segfaults.
|
|
|
|
|
|
|
|
| |
* Simplify X.509 extension handling code
The previous implementation had grown organically over time, as OpenSSL's API evolved.
* Delete even more code
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop handshake_done and peer_cert members from PySSLSocket struct. The
peer certificate can be acquired from *SSL directly.
SSL_get_peer_certificate() does not trigger any network activity.
Instead of manually tracking the handshake state, simply use
SSL_is_init_finished().
In combination these changes fix auto-handshake for non-blocking
MemoryBIO connections.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
* Remove conditional on free of `dps`, since `dps` is now allocated for
all versions of OpenSSL
* Remove call to `x509_check_ca` since it was only used to cache
the `crldp` field of the certificate
CRL_DIST_POINTS_free is available in all supported versions of OpenSSL
(recent 0.9.8+) and LibreSSL.
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-6532: Make the thread id an unsigned integer.
From C API side the type of results of PyThread_start_new_thread() and
PyThread_get_thread_ident(), the id parameter of
PyThreadState_SetAsyncExc(), and the thread_id field of PyThreadState
changed from "long" to "unsigned long".
* Restore a check in thread_get_ident().
|
| |
|
|
|
|
| |
possible. Patch is writen with Coccinelle.
|
|
|
|
|
|
|
| |
Replace:
PyObject_CallFunctionObjArgs(callable, NULL)
with:
_PyObject_CallNoArg(callable)
|
|
|
|
|
|
| |
Issue #28858: The change b9c9691c72c5 introduced a regression. It seems like
_PyObject_CallArg1() uses more stack memory than
PyObject_CallFunctionObjArgs().
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* PyObject_CallFunctionObjArgs(func, NULL) => _PyObject_CallNoArg(func)
* PyObject_CallFunctionObjArgs(func, arg, NULL) => _PyObject_CallArg1(func, arg)
PyObject_CallFunctionObjArgs() allocates 40 bytes on the C stack and requires
extra work to "parse" C arguments to build a C array of PyObject*.
_PyObject_CallNoArg() and _PyObject_CallArg1() are simpler and don't allocate
memory on the C stack.
This change is part of the fastcall project. The change on listsort() is
related to the issue #23507.
|
| |
|
| |
|
|
|
|
| |
extra memset() call in _ssl.c.
|
| |
|
| |
|
| |
|
|
|
|
| |
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
|
|\
| |
| |
| | |
fields in X.509 certs.
|
| |
| |
| |
| | |
fields in X.509 certs.
|
|\ \
| |/
| |
| | |
#27958.
|
| |
| |
| |
| | |
#27958.
|
| |
| |
| |
| | |
enabled ciphers.
|
|\ \
| |/ |
|
| | |
|
|\ \
| |/ |
|
| | |
|
|\ \
| |/ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
* Replace "fd = -1" with "fd = INVALID_SOCKET"
* Replace "fd < 0" with "fd == INVALID_SOCKET": SOCKET_T is unsigned on Windows
Bug found by Pavel Belikov ("Fragment N1"):
http://www.viva64.com/en/b/0414/#ID0ECDAE
|
|\ \
| |/ |
|
| | |
|
|\ \
| |/
| |
| | |
generated by Argument Clinic. Patch by Petr Viktorin.
|
| |
| |
| |
| | |
generated by Argument Clinic. Patch by Petr Viktorin.
|