summaryrefslogtreecommitdiffstats
path: root/Modules
Commit message (Collapse)AuthorAgeFilesLines
* bpo-43434: Clean up sqlite3.connect() after GH-25818 (GH-25823)Erlend Egeberg Aasland2021-05-021-8/+1
|
* bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ ↵Erlend Egeberg Aasland2021-05-022-9/+8
| | | | (GH-25818)
* bpo-32745: Fix a regression in the handling of ctypes' c_wchar_p type (#8721)Zackery Spytz2021-05-021-1/+2
| | | | | | Embedded nulls would cause a ValueError to be raised. Thanks go to Eryk Sun for their analysis. Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* bpo-43908: Mark ssl, hash, and hmac types as immutable (GH-25792)Christian Heimes2021-05-0210-18/+18
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)Christian Heimes2021-05-011-5/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. :class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research. ``` $ openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021 $ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ``` Signed-off-by: Christian Heimes <christian@python.org>
* bpo-41486: Fix initial buffer size can't > UINT32_MAX in zlib module (GH-25738)Ma Lin2021-04-303-71/+77
| | | | | | | | | | | | | | | | * Fix initial buffer size can't > UINT32_MAX in zlib module After commit f9bedb630e8a0b7d94e1c7e609b20dfaa2b22231, in 64-bit build, if the initial buffer size > UINT32_MAX, ValueError will be raised. These two functions are affected: 1. zlib.decompress(data, /, wbits=MAX_WBITS, bufsize=DEF_BUF_SIZE) 2. zlib.Decompress.flush([length]) This commit re-allows the size > UINT32_MAX. * adds curly braces per PEP 7. * Renames `Buffer_*` to `OutputBuffer_*` for clarity
* bpo-43916: _md5.md5 uses Py_TPFLAGS_DISALLOW_INSTANTIATION (GH-25753)Victor Stinner2021-04-304-7/+7
| | | | | | | | | | The following types use Py_TPFLAGS_DISALLOW_INSTANTIATION flag: * _md5.md5 * _sha1.sha1 * _sha256.sha224 * _sha256.sha256 * _sha512.sha384 * _sha512.sha512
* bpo-43916: select.devpoll uses Py_TPFLAGS_DISALLOW_INSTANTIATION (GH-25751)Victor Stinner2021-04-301-9/+1
|
* bpo-43916: Apply Py_TPFLAGS_DISALLOW_INSTANTIATION to selected types (GH-25748)Erlend Egeberg Aasland2021-04-3011-24/+29
| | | | | | | | | | | | | | | | | | | | | Apply Py_TPFLAGS_DISALLOW_INSTANTIATION to the following types: * _dbm.dbm * _gdbm.gdbm * _multibytecodec.MultibyteCodec * _sre..SRE_Scanner * _thread._localdummy * _thread.lock * _winapi.Overlapped * array.arrayiterator * functools.KeyWrapper * functools._lru_list_elem * pyexpat.xmlparser * re.Match * re.Pattern * unicodedata.UCD * zlib.Compress * zlib.Decompress
* bpo-43916: select.poll uses Py_TPFLAGS_DISALLOW_INSTANTIATION (GH-25750)Erlend Egeberg Aasland2021-04-301-13/+4
|
* bpo-43916: Remove _disabled_new() function (GH-25745)Victor Stinner2021-04-302-27/+6
| | | | | posix and _hashlib use the new Py_TPFLAGS_DISALLOW_INSTANTIATION flag on their heap types, rather than using a custom tp_new function (_disabled_new).
* bpo-43916: Add Py_TPFLAGS_DISALLOW_INSTANTIATION type flag (GH-25721)Victor Stinner2021-04-304-33/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new Py_TPFLAGS_DISALLOW_INSTANTIATION type flag to disallow creating type instances: set tp_new to NULL and don't create the "__new__" key in the type dictionary. The flag is set automatically on static types if tp_base is NULL or &PyBaseObject_Type and tp_new is NULL. Use the flag on the following types: * _curses.ncurses_version type * _curses_panel.panel * _tkinter.Tcl_Obj * _tkinter.tkapp * _tkinter.tktimertoken * _xxsubinterpretersmodule.ChannelID * sys.flags type * sys.getwindowsversion() type * sys.version_info type Update MyStr example in the C API documentation to use Py_TPFLAGS_DISALLOW_INSTANTIATION. Add _PyStructSequence_InitType() function to create a structseq type with the Py_TPFLAGS_DISALLOW_INSTANTIATION flag set. type_new() calls _PyType_CheckConsistency() at exit.
* bpo-43977: Use tp_flags for collection matching (GH-25723)Mark Shannon2021-04-303-2/+37
| | | | | | | | | | | | | * Add Py_TPFLAGS_SEQUENCE and Py_TPFLAGS_MAPPING, add to all relevant standard builtin classes. * Set relevant flags on collections.abc.Sequence and Mapping. * Use flags in MATCH_SEQUENCE and MATCH_MAPPING opcodes. * Inherit Py_TPFLAGS_SEQUENCE and Py_TPFLAGS_MAPPING. * Add NEWS * Remove interpreter-state map_abc and seq_abc fields.
* bpo-43908: Make array.array type immutable (GH-25696)Erlend Egeberg Aasland2021-04-291-1/+2
| | | Co-authored-by: Victor Stinner <vstinner@python.org>
* bpo-43908: Make re types immutable (GH-25697)Erlend Egeberg Aasland2021-04-291-3/+3
| | | Co-authored-by: Victor Stinner <vstinner@python.org>
* bpo-28254: _posixsubprocess uses PyGC_Enable/PyGC_Disable (GH-25693)Victor Stinner2021-04-281-111/+5
|
* bpo-28254: Add a C-API for controlling the GC state (GH-25687)scoder2021-04-282-6/+91
| | | | | | | | Add new C-API functions to control the state of the garbage collector: PyGC_Enable(), PyGC_Disable(), PyGC_IsEnabled(), corresponding to the functions in the gc module. Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org>
* bpo-41486: Faster bz2/lzma/zlib via new output buffering (GH-21740)Ma Lin2021-04-283-253/+332
| | | | | | | | | Faster bz2/lzma/zlib via new output buffering. Also adds .readall() function to _compression.DecompressReader class to take best advantage of this in the consume-all-output at once scenario. Often a 5-20% speedup in common scenarios due to less data copying. Contributed by Ma Lin.
* bpo-43963: Add _signal module state (GH-25676)Victor Stinner2021-04-281-84/+153
| | | | | | | | | | | | | * Add signal_state_t structure and signal_global_state variable. * Add a module state to the _signal module. * Move and rename variables: * DefaultHandler becomes state->default_handler * IgnoreHandler becomes state->ignore_handler * sigint_event becomes state->sigint_event * ItimerError becomes modstate->itimer_error * Rename SetHandler() to set_handler() to be consistent with get_handler().
* bpo-43963: Fix import _signal in subinterpreters (GH-25674)Victor Stinner2021-04-271-27/+41
| | | | | | | Importing the _signal module in a subinterpreter has no longer side effects. signal_module_exec() no longer modifies Handlers and no longer attempts to set SIGINT signal handler in subinterpreters.
* Fix thread locks in zlib module may go wrong in rare case. (#22126)Ma Lin2021-04-271-9/+10
| | | Setting `next_in` before acquiring the thread lock may mix up compress/decompress state in other threads.
* bpo-43762: Add audit events for loading of sqlite3 extensions (GH-25246)Erlend Egeberg Aasland2021-04-262-0/+17
|
* bpo-18233: Add internal methods to access peer chain (GH-25467)Christian Heimes2021-04-266-3/+487
| | | | | | | | | | | | The internal `_ssl._SSLSocket` object now provides methods to retrieve the peer cert chain and verified cert chain as a list of Certificate objects. Certificate objects have methods to convert the cert to a dict, PEM, or DER (ASN.1). These are private APIs for now. There is a slim chance to stabilize the approach and provide a public API for 3.10. Otherwise I'll provide a stable API in 3.11. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-39529: Deprecate creating new event loop in asyncio.get_event_loop() ↵Serhiy Storchaka2021-04-252-4/+63
| | | | | | (GH-23554) asyncio.get_event_loop() emits now a deprecation warning when it creates a new event loop. In future releases it will became an alias of asyncio.get_running_loop().
* bpo-30555: Fix WindowsConsoleIO fails in the presence of fd redirection ↵Segev Finer2021-04-234-83/+78
| | | | | | | | (GH-1927) This works by not caching the handle and instead getting the handle from the file descriptor each time, so that if the actual handle changes by fd redirection closing/opening the console handle beneath our feet, we will keep working correctly.
* bpo-43538: Add extra arguments to os.startfile (GH-25538)Steve Dower2021-04-232-19/+93
|
* bpo-35114: Make ssl.RAND_status() return a bool (GH-20063)Zackery Spytz2021-04-232-5/+5
|
* bpo-43920: Make load_verify_locations(cadata) error message consistent ↵Christian Heimes2021-04-231-7/+16
| | | | | (GH-25554) Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43852: Improve tuple creation in sqlite3 (GH-25421)Erlend Egeberg Aasland2021-04-232-18/+10
|
* bpo-38222: Check specifically for a drive, not just a colon (GH-25540)Steve Dower2021-04-221-2/+2
|
* bpo-38822: Fixed os.stat failing on inaccessible directories. (GH-25527)Steve Dower2021-04-221-2/+21
| | | It would just fail if the path was inaccessible and had a trailing slash. It should fall back to the parent directory's metadata.
* bpo-43475: Fix worst case collision behavior for NaN instances (GH-25493)Raymond Hettinger2021-04-221-4/+1
|
* bpo-26227: Fixes decoding of host names on Windows from ANSI instead of ↵Steve Dower2021-04-211-1/+1
| | | | UTF-8 (GH-25510)
* bpo-40137: Add pycore_moduleobject.h internal header (GH-25507)Victor Stinner2021-04-2113-25/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add pycore_moduleobject.h internal header file with static inline functions to access module members: * _PyModule_GetDict() * _PyModule_GetDef() * _PyModule_GetState() These functions don't check at runtime if their argument has a valid type and can be inlined even if Python is not built with LTO. _PyType_GetModuleByDef() uses _PyModule_GetDef(). Replace PyModule_GetState() with _PyModule_GetState() in the extension modules, considered as performance sensitive: * _abc * _functools * _operator * _pickle * _queue * _random * _sre * _struct * _thread * _winapi * array * posix The following extensions are now built with the Py_BUILD_CORE_MODULE macro defined, to be able to use the internal pycore_moduleobject.h header: _abc, array, _operator, _queue, _sre, _struct.
* bpo-43472: Ensure PyInterpreterState_New audit events are raised when called ↵Steve Dower2021-04-211-1/+1
| | | | through _xxsubinterpreters module (GH-25506)
* bpo-40137: Move state lookups out of the critical path (GH-25492)Raymond Hettinger2021-04-211-28/+36
|
* bpo-43799: Also define SSLv3_method() (GH-25481)Christian Heimes2021-04-201-0/+3
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)l0x2021-04-191-0/+5
| | | This short PR exposes an openssl flag that wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaac3c428569697f62a80fd95ab4d4b93151.
* bpo-43880: Show DeprecationWarnings for deprecated ssl module features ↵Christian Heimes2021-04-191-14/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | (GH-25455) * ssl.OP_NO_SSLv2 * ssl.OP_NO_SSLv3 * ssl.OP_NO_TLSv1 * ssl.OP_NO_TLSv1_1 * ssl.OP_NO_TLSv1_2 * ssl.OP_NO_TLSv1_3 * ssl.PROTOCOL_SSLv2 * ssl.PROTOCOL_SSLv3 * ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS) * ssl.PROTOCOL_TLS * ssl.PROTOCOL_TLSv1 * ssl.PROTOCOL_TLSv1_1 * ssl.PROTOCOL_TLSv1_2 * ssl.TLSVersion.SSLv3 * ssl.TLSVersion.TLSv1 * ssl.TLSVersion.TLSv1_1 * ssl.wrap_socket() * ssl.RAND_pseudo_bytes() * ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1) * ssl.SSLContext() without a protocol argument * ssl.match_hostname() * hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay) Signed-off-by: Christian Heimes <christian@python.org>
* bpo-42854: Use SSL_read/write_ex() (GH-25468)Christian Heimes2021-04-191-18/+14
| | | | | | | | The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The functions support reading and writing of data larger than 2 GB. Writing zero-length data no longer fails with a protocol violation error. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43362: Fix invalid free and return check in _sha3 module (GH-25463)Christian Heimes2021-04-181-3/+9
| | | | | | | | | | | Commit 93d50a6a8d0c5d332c11aef267e66573a09765ac / GH-21855 changed the order of variable definitions, which introduced a potential invalid free bug. Py_buffer object is now initialized earlier and the result of Keccak initialize is verified. Co-authored-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Christian Heimes <christian@python.org> Co-authored-by: Alex Henrie <alexhenrie24@gmail.com>
* bpo-42333: Port _ssl extension to multiphase initialization (PEP 489) (GH-23253)Christian Heimes2021-04-174-357/+466
| | | | | | | | | - Introduce sslmodule_slots - Introduce sslmodulestate - Use sslmodulestate - Get rid of PyState_FindModule - Move new structs and helpers to header file - Use macros to access state - Keep a strong ref to socket type
* bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)Christian Heimes2021-04-172-72/+1
|
* bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)Christian Heimes2021-04-176-696/+34
| | | | | | | | | | | | | | | | | | | | | | | | - Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check - Update hashopenssl to require OpenSSL 1.1.1 - multissltests only OpenSSL > 1.1.0 - ALPN is always supported - SNI is always supported - Remove deprecated NPN code. Python wrappers are no-op. - ECDH is always supported - Remove OPENSSL_VERSION_1_1 macro - Remove locking callbacks - Drop PY_OPENSSL_1_1_API macro - Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro - SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now - security level is always available now - get_num_tickets is available with TLS 1.3 - X509_V_ERR MISMATCH is always available now - Always set SSL_MODE_RELEASE_BUFFERS - X509_V_FLAG_TRUSTED_FIRST is always available - get_ciphers is always supported - SSL_CTX_set_keylog_callback is always available - Update Modules/Setup with static link example - Mention PEP in whatsnew - Drop 1.0.2 and 1.1.0 from GHA tests
* bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)Christian Heimes2021-04-171-0/+5
| | | | | | Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43296: Handle sqlite3_value_blob() errors (GH-24674)Erlend Egeberg Aasland2021-04-141-7/+17
|
* bpo-43505: Explicitly initialize and shutdown sqlite3 (GH-25404)Erlend Egeberg Aasland2021-04-141-11/+14
|
* bpo-43265: Improve sqlite3.Connection.backup error handling (GH-24586)Erlend Egeberg Aasland2021-04-141-45/+34
|
* bpo-43752: Fix sqlite3 regression for zero-sized blobs with converters ↵Erlend Egeberg Aasland2021-04-141-11/+14
| | | | (GH-25228)
* bpo-43799: OpenSSL 3.0.0: declare OPENSSL_API_COMPAT 1.1.1 (GH-25329)Christian Heimes2021-04-132-24/+24
| | | Signed-off-by: Christian Heimes <christian@python.org>