From: Antoine Pitrou Date: Thu, 9 Jan 2014 19:09:03 +0000 (+0100) Subject: Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked... X-Git-Tag: v3.4.0b3~197 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=78ace81c93568da30c789f85f8a8ebafb2ed89b2;p=python Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. --- 78ace81c93568da30c789f85f8a8ebafb2ed89b2 diff --cc Misc/NEWS index cb59a68a1e,1fcae77b42..e58df2a335 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -22,77 -22,8 +22,80 @@@ Core and Builtin already cached the zip's table of contents we detect this and recover rather than read bad data from the .zip (causing odd import errors). +Library +------- + ++- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly ++ asked for. ++ +- Issue #18960: The tokenize module now ignore the source encoding declaration + on the second line if the first line contains anything except a comment. + +- Issue #20078: Reading malformed zipfiles no longer hangs with 100% CPU + consumption. + +- Issue #20113: os.readv() and os.writev() now raise an OSError exception on + error instead of returning -1. + +- Issue #19719: Make importlib.abc.MetaPathFinder.find_module(), + PathEntryFinder.find_loader(), and Loader.load_module() use PEP 451 APIs to + help with backwards-compatibility. + +- Issue #20144: inspect.Signature now supports parsing simple symbolic + constants as parameter default values in __text_signature__. + +- Issue #20072: Fixed multiple errors in tkinter with wantobjects is False. + +IDLE +---- + +- Issue #18960: IDLE now ignores the source encoding declaration on the second + line if the first line contains anything except a comment. + +Tools/Demos +----------- + +- Issue #18960: 2to3 and the findnocoding.py script now ignore the source + encoding declaration on the second line if the first line contains anything + except a comment. 
+ +- Issue #19723: The marker comments Argument Clinic uses have been changed + to improve readability. + +- Issue #20157: When Argument Clinic renames a parameter because its name + collides with a C keyword, it no longer exposes that rename to PyArg_Parse. + +- Issue #20141: Improved Argument Clinic's support for the PyArg_Parse "O!" + format unit. + +- Issue #20144: Argument Clinic now supports simple symbolic constants + as parameter default values. + +- Issue #20143: The line numbers reported in Argument Clinic errors are + now more accurate. + +- Issue #20142: Py_buffer variables generated by Argument Clinic are now + initialized with a default value. + +Build +----- + +- Issue #12837: Silence a tautological comparison warning on OS X under Clang in + socketmodule.c. + +What's New in Python 3.4.0 Beta 2? +================================== + +Release date: 2014-01-05 + +Core and Builtins +----------------- + - Issue #17432: Drop UCS2 from names of Unicode functions in python3.def. +- Issue #19526: Exclude all new API from the stable ABI. Exceptions can be + made if a need is demonstrated. + - Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c" argument is not in range [0; 255]. 
diff --cc Modules/_ssl.c
index a370b1b41e,c34b200088..2e3c5b1187
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@@ -76,78 -123,6 +76,76 @@@ static PyObject *err_codes_to_names
static PyObject *err_names_to_codes;
static PyObject *lib_codes_to_names;
+struct py_ssl_error_code {
+ const char *mnemonic;
+ int library, reason;
+};
+struct py_ssl_library_code {
+ const char *library;
+ int code;
+};
+
+/* Include generated data (error codes) */
+#include "_ssl_data.h"
+
+/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+ http://www.openssl.org/news/changelog.html
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+# define HAVE_TLSv1_2 1
+#else
+# define HAVE_TLSv1_2 0
+#endif
+
+/* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
+ * This includes the SSL_set_SSL_CTX() function.
+ */
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+# define HAVE_SNI 1
+#else
+# define HAVE_SNI 0
+#endif
+
+enum py_ssl_error {
+ /* these mirror ssl.h */
+ PY_SSL_ERROR_NONE,
+ PY_SSL_ERROR_SSL,
+ PY_SSL_ERROR_WANT_READ,
+ PY_SSL_ERROR_WANT_WRITE,
+ PY_SSL_ERROR_WANT_X509_LOOKUP,
+ PY_SSL_ERROR_SYSCALL, /* look at error stack/return value/errno */
+ PY_SSL_ERROR_ZERO_RETURN,
+ PY_SSL_ERROR_WANT_CONNECT,
+ /* start of non ssl.h errorcodes */
+ PY_SSL_ERROR_EOF, /* special case of SSL_ERROR_SYSCALL */
+ PY_SSL_ERROR_NO_SOCKET, /* socket has been GC'd */
+ PY_SSL_ERROR_INVALID_ERROR_CODE
+};
+
+enum py_ssl_server_or_client {
+ PY_SSL_CLIENT,
+ PY_SSL_SERVER
+};
+
+enum py_ssl_cert_requirements {
+ PY_SSL_CERT_NONE,
+ PY_SSL_CERT_OPTIONAL,
+ PY_SSL_CERT_REQUIRED
+};
+
+enum py_ssl_version {
- #ifndef OPENSSL_NO_SSL2
+ PY_SSL_VERSION_SSL2,
- #endif
+ PY_SSL_VERSION_SSL3=1,
+ PY_SSL_VERSION_SSL23,
+#if HAVE_TLSv1_2
+ PY_SSL_VERSION_TLS1,
+ PY_SSL_VERSION_TLS1_1,
+ PY_SSL_VERSION_TLS1_2
+#else
+ PY_SSL_VERSION_TLS1
+#endif
+};
+
#ifdef WITH_THREAD
/* serves as a flag to see whether we've initialized the SSL thread support.
*/
@@@ -2048,15 -1779,12 +2047,17 @@@ context_new(PyTypeObject *type, PyObjec
#ifdef OPENSSL_NPN_NEGOTIATED
self->npn_protocols = NULL;
#endif
+#ifndef OPENSSL_NO_TLSEXT
+ self->set_hostname = NULL;
+#endif
+ /* Don't check host name by default */
+ self->check_hostname = 0;
/* Defaults */
SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
- SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
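Review bot: PY_SSL_VERSION_SSL2 is now an enumerator even when OpenSSL was built with OPENSSL_NO_SSL2 (the `- #ifndef OPENSSL_NO_SSL2` / `- #endif` guards around it are removed), so every place that maps it to `SSLv2_method()` or exports it as PROTOCOL_SSLv2 — presumably in context_new and the module init, both outside this hunk — needs to keep its own `#ifndef OPENSSL_NO_SSL2` and turn an explicit SSLv2 request into a ValueError on such builds rather than fail to compile or fall through to another method. The numeric values of this enum look like they are the ssl.PROTOCOL_* integers seen from Python, so a comment above the enum would save the next person from reordering it: `/* numeric values are exposed to Python as ssl.PROTOCOL_*; keep them stable */`. The explicit `PY_SSL_VERSION_SSL3=1` is redundant now that SSL2 is unconditionally the first enumerator; keep it only if it is meant to document that value.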
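Review bot: The new option mask only rules out SSLv2, so a PROTOCOL_SSLv23 context still negotiates SSLv3, which has the same opt-in-only status as SSLv2 for a modern deployment; the same pattern fits directly after the SSLv2 check: `if (proto_version != PY_SSL_VERSION_SSL3) options |= SSL_OP_NO_SSLv3;`. `SSL_OP_NO_SSLv2` is just a bit in the context options, so a caller can presumably still clear it afterwards through the context's `options` attribute — that is fine as a default, but worth saying on the `options |= SSL_OP_NO_SSLv2;` line: `/* SSLv2 is opt-in only (PROTOCOL_SSLv2); callers may still clear this bit via ctx.options */`. context_new starts before this hunk, so where `options` and `proto_version` are declared and validated is not visible here.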