| Commit message | Author | Age | Files | Lines |
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.
Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulates maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minimum and
maximum supported version at compile time.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 698dde16f60729d9e3f53c23a4ddb8e5ffe818bf)
Co-authored-by: Christian Heimes <christian@python.org>
|
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and
CPython's test suite needs it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 05d9fe32a1245b9a798e49e0c1eb91f110935b69)
Co-authored-by: Christian Heimes <christian@python.org>
|
(cherry picked from commit 19e7d48ce89422091f9af93038b9fee075d46e9e)
Co-authored-by: animalize <animalize@users.noreply.github.com>
|
(GH-5832)
(cherry picked from commit 6f600ff1734ca2fdcdd37a809adf8130f0d8cc4e)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
* Support sendfile on Windows Proactor event loop naively.
(cherry picked from commit a19fb3c6aaa7632410d1d9dcb395d7101d124da4)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 29eab55309b9f78b79074d26db16a44e7841c639)
Co-authored-by: Christian Heimes <christian@python.org>
|
The 'optimization' is for space in the executable file, not for run time.
(cherry picked from commit 186b606d8a2ea4fd51b7286813302c8e8c7006cc)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
|
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a)
Co-authored-by: Christian Heimes <christian@python.org>
|
* The SSLSocket is no longer implemented on top of SSLObject to
avoid an extra level of indirection.
* Owner and session are now handled in the internal constructor.
* _ssl._SSLSocket now uses the same method names as SSLSocket and
SSLObject.
* Channel binding type check is now handled in C code. Channel binding
is always available.
The patch also changes the signature of SSLObject.__init__(). In my
opinion it's fine. An SSLObject is not a user-constructable object.
SSLContext.wrap_bio() is the only valid factory.
(cherry picked from commit 141c5e8c2437a9fed95a04c81e400ef725592a17)
Co-authored-by: Christian Heimes <christian@python.org>
|
(cherry picked from commit 42c35d9c0c8175332f50fbe034a001fe52f057b9)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.
After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4198f1def5e572049485779cf54dc57)
Co-authored-by: Christian Heimes <christian@python.org>
|
(cherry picked from commit a049f5790e38fe1b1ba1d4c10ed5ab35150806fa)
Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
|
now correctly convert from bytes. (GH-5761)
(cherry picked from commit 23ad6d0d1a7a6145a01494f4f3913a63d1f0250c)
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
|
The CPython runtime assumes that there is a one-to-one relationship (for a given interpreter) between PyThreadState and OS threads. Sending and receiving on a channel in the same interpreter was causing crashes because of this (specifically due to a check in PyThreadState_Swap()). The solution is to not switch threads if the interpreter is the same.
(cherry picked from commit f53d9f2778a87bdd48eb9030f782a4ebf9e7622f)
Co-authored-by: Eric Snow <ericsnowcurrently@gmail.com>
|
os.dup2() tests for dup3() system call availability at runtime,
but doesn't remember the result across calls, repeating
the test on each call with inheritable=False.
Since the caller of os.dup2() is expected to hold the GIL,
fix this by making the variable holding the test result static.
(cherry picked from commit b3caf388a0418f6c031e4dbdcc0c1ce7e5cc36bd)
Co-authored-by: Alexey Izbyshev <izbyshev@users.noreply.github.com>
|
This adds C versions of methods used by ABCMeta that
improve performance of various ABC operations.
|
(gh-5710)
(cherry picked from commit 4c6955e2b0ccf88c705f8d1fac685a8e65f9699e)
Co-authored-by: Eric Snow <ericsnowcurrently@gmail.com>
|
A closing parenthesis was missing.
Signed-off-by: Ngie Cooper <yaneurabeya@gmail.com>
(cherry picked from commit 7745ec4e356ac1f4eaf43b155f4482c20a907d48)
Co-authored-by: ngie-eign <1574099+ngie-eign@users.noreply.github.com>
|
(cherry picked from commit d019bc8319ea35e93bf4baa38098ff1b57cd3ee5)
Co-authored-by: Oren Milman <orenmn@gmail.com>
|
The PrintNameOffset field of the reparse data buffer
was treated as a number of characters instead of bytes.
(cherry picked from commit 3c34aad4e7a95913ec7db8e5e948a8fc69047bf7)
Co-authored-by: SSE4 <tomskside@gmail.com>
|
(#5641)
(cherry picked from commit 7766b96ab80b04509bbac708ee5ecf3c1c5934fc)
Co-authored-by: Коренберг Марк <socketpair@gmail.com>
|
(cherry picked from commit bfe4fd5f2e96e72eecb5b8a0c7df0ac1689f3b7e)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
(GH-5562)
Fix a rare but potential pre-exec child process deadlock in subprocess on POSIX systems when marking file descriptors inheritable on exec in the child process. This bug appears to have been introduced in 3.4 with the inheritable file descriptors support.
This also changes Python/fileutils.c `set_inheritable` to use the "slow" two `fcntl` syscall path instead of the "fast" single `ioctl` syscall path when asked to be async signal safe (by way of being asked not to raise exceptions). `ioctl` is not a POSIX async-signal-safe approved function.
ref: http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html
(cherry picked from commit c1e46e94de38a92f98736af9a42d89c3975a9919)
Co-authored-by: Alexey Izbyshev <izbyshev@users.noreply.github.com>
|
Fix typos found by codespell in docs, docstrings, and comments.
(cherry picked from commit c3d9508ff22ece9a96892b628dd5813e2fb0cd80)
Co-authored-by: Leo Arias <leo.arias@canonical.com>
|
(cherry picked from commit 4e9da0d163731caa79811c723c703ee416c31826)
Co-authored-by: Eric Snow <ericsnowcurrently@gmail.com>
|
This reverts commit 72a0d218dcc94a3cc409a9ef32dfcd5a7bbcb43c.
The reverted commit had a few issues so it was unanimously decided
to undo it. See the bpo issue for details.
(cherry picked from commit 383b32fe108ea627699cc9c644fba5f8bae95d73)
Co-authored-by: Yury Selivanov <yury@magic.io>
|
EPOLL_CLOEXEC is not defined on Android.
Co-Authored-By: Wataru Matsumoto <sxsns243@gmail.com>
|
(GH-5346)
See https://bugs.python.org/issue32441 for where this was introduced.
|
(gh-1748)
The module is primarily intended for internal use in the test suite. Building the module under Windows will come in a follow-up PR.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix socket(fileno=fd) by auto-detecting the socket's family, type,
and proto from the file descriptor. The auto-detection can be overruled
by passing in family, type, and proto explicitly.
Without the fix, all sockets except for TCP/IP over IPv4 are basically broken:
>>> s = socket.create_connection(('www.python.org', 443))
>>> s
<socket.socket fd=3, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('2003:58:bc4a:3b00:56ee:75ff:fe47:ca7b', 59730, 0, 0), raddr=('2a04:4e42:1b::223', 443, 0, 0)>
>>> socket.socket(fileno=s.fileno())
<socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('2003:58:bc4a:3b00::%2550471192', 59730, 0, 2550471192), raddr=('2a04:4e42:1b:0:700c:e70b:ff7f:0%2550471192', 443, 0, 2550471192)>
Signed-off-by: Christian Heimes <christian@python.org>
|
* Fix memory leaks and error handling in posix spawn
* Improve error handling when destroying the file_actions object
* Py_DECREF the result of PySequence_Fast on error
* Handle uninitialized pid
* Use OSError if file actions fails to initialize
* Move _file_actions to outer scope to avoid undefined behaviour
* Remove HAVE_POSIX_SPAWN define in Modules/posixmodule.c
* Unshadow exception and clean error message
|
When the C imp module became _imp in 6f44d66bc491bad5b8d897a68da68e009e27829d, the initialization function should have been renamed from PyInit_imp to PyInit__imp.
|
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.
Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.
Signed-off-by: Christian Heimes <christian@python.org>
|
Add os.posix_spawn to wrap the low level POSIX API of the same name.
Contributed by Pablo Galindo.
|
(#5394)
This reverts commit 47c0b1f7d4115e6f15e6776c1f91d28e7d96fe0c.
|
Ensure that ``truncate()`` preserves the file position (as reported by ``tell()``) after writes longer than the buffer size.
|
* bpo-32659: Solaris "stat" should support "st_fstype"
* Add 'versionadded'
|
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
|
Add close(fd) function to the socket module
Signed-off-by: Christian Heimes <christian@python.org>
|
The hmac module now has hmac.digest(), which provides an optimized HMAC
digest for short messages. hmac.digest() is up to three times faster
than hmac.HMAC().digest().
Signed-off-by: Christian Heimes <christian@python.org>
|