| Commit message (Collapse) | Author | Age | Files | Lines |
|
Changed maintainer and URL.
|
Uses socket.getaddrinfo to convert both inputs to the same string;
notably the OpenSSL formatting of subjectAltName is using non-canonical
forms like 0:0:0:0:0:0:0:1.
Fixes #52
|
The test tests that a modification of MAC is detected by replacing one
character by 'X', but from time to time the original MAC may have an 'X'
in that place, in which case the modification doesn’t happen.
To reproduce:
    for i in $(seq 1 1000); do
        j=$(python tests/test_authcookie.py 2>&1)
        if echo "$j" | grep -q FAIL; then echo "$i": "$j"; break; fi
    done
Fixes #53
|
The test case uses OpenSSL’s default algorithm; the length 1243
corresponds to SHA-1, 1263 to SHA-256.
|
Fedora OpenSSL-1.0.1j-3 has disabled SSLv3 by default. This test
verifies that TLS1 client against a server which refuses TLS1 returns
an error; however, the way Fedora has disabled SSLv3, the server instead
falls through to a last-resort error state which just closes the
connection.
This modifies the test to accept both outcomes.
Alternatively we could modify the test to re-enable SSLv3, but that
would test a less realistic scenario and we would have to start wrapping
SSL_CTX_clear_options().
|
See analysis and previous patches in
https://github.com/martinpaljak/M2Crypto/issues/60 and
https://github.com/swig/swig/issues/344, in particular this adds the
build machinery to patch
https://github.com/martinpaljak/M2Crypto/issues/60#issuecomment-75735489
Fixes #47
|
A X509_name_hash_old() return value differs because the DER
encoding of a X509_NAME differs because global_mask in
crypto/asn1/a_strnid.c changed from 0xFFFFFFFFL to
B_ASN1_UTF8STRING between OpenSSL 1.0.1e and 1.0.1h.
See https://bugzilla.redhat.com/show_bug.cgi?id=1106146 for more
information.
Fixes https://github.com/martinpaljak/M2Crypto/issues/42
|
Originally a workaround for multiple runs of the M2Crypto testsuite
on the same machine (e.g., when it is built for
various archs), but generally random ports while testing are The
Right Thing™ anyway.
|
M2Crypto doesn't support SNI (Server Name Indication).
http://en.wikipedia.org/wiki/Server_Name_Indication This feature
is necessary for selecting the right SSL-protected web site
hosted using name-based virtual hosting on a shared IP address.
All modern browsers support this feature.
However, Python programs which use M2Crypto for programmatic
access to SSL-protected web services can't use SNI because it's
not implemented in M2Crypto. The lack of SNI support manifests as an
error message about a wrong site certificate.
See https://bugzilla.redhat.com/show_bug.cgi?id=1029246 for more
information.
|
When in FIPS mode, M2Crypto returned a rather nonsensical TypeError
exception when a disallowed version of SSL was used. This patch changes it to
M2Crypto.SSL.SSLError: null ssl method passed
See https://bugzilla.redhat.com/show_bug.cgi?id=879043 for more
information.
|
Original "-no_tls1 -no_ssl3" was meant as a synonym for SSLv2.
However, with the progressing deterioration of old SSL versions,
this could actually end with something else. So, we ask
specifically for SSLv2 when we want it.
See https://bugzilla.redhat.com/show_bug.cgi?id=1004437 for more
information on the issue.
|
Testing certificates in the testsuite were replaced by ones with
the expiration date Jan 8 15:33:54 2023 GMT, which should be
enough for some time.
|
Make m2urllib2 allow use of relative paths in requests, which
makes M2Crypto more proxy-friendly and lets it work with some caches
which don't allow mixing two different URLs for the same
resource.
See https://bugzilla.redhat.com/show_bug.cgi?id=803554 and
https://bugzilla.redhat.com/show_bug.cgi?id=491674 for more
information.
|
See https://bugzilla.redhat.com/show_bug.cgi?id=742914 for more
information.
|
See https://bugzilla.redhat.com/show_bug.cgi?id=659881 for more
information.
A buffer out is malloced in the size of the encrypted cipherstring, but
never freed.
|
See https://bugzilla.redhat.com/show_bug.cgi?id=618500 for more.
Rather large reproducer is also included in the bug report.
|
See https://bugzilla.redhat.com/show_bug.cgi?id=702766 for more
information.
Accommodation of M2Crypto to the incompatible C API changes caused by
https://docs.python.org/2.6/whatsnew/2.6.html#pep-3118-revised-buffer-protocol.
Probably caused by changes introduced in 8cdcb2308a
This is a reproducer from the bug:
    import mmap
    import os
    import M2Crypto

    if __name__ == '__main__':
        filename = '/etc/issue'
        fd = open(filename, 'rb')
        # Map the file read-only and wrap the mapping in a Python 2 buffer object
        mapped = mmap.mmap(fd.fileno(),
                           os.path.getsize(filename),
                           mmap.MAP_SHARED,
                           mmap.PROT_READ)
        buf = buffer(mapped)
        # Pass the buffer object to the low-level SSL write call
        c = M2Crypto.m2.ssl_ctx_new(M2Crypto.m2.tlsv1_method())
        s = M2Crypto.m2.ssl_new(c)
        M2Crypto.m2.ssl_write(s, buf)
|
See https://bugzilla.redhat.com/show_bug.cgi?id=610906 for more.
Example of use of the changed API is this (for permitting connection to
the sites with invalid certificates):
    import M2Crypto
    import urlgrabber

    # Context that accepts unknown CAs and does not verify the peer
    ctx = M2Crypto.SSL.Context()
    ctx.set_allow_unknown_ca(True)
    ctx.set_verify(M2Crypto.SSL.verify_none, -1)

    # Post-connection check that accepts every certificate
    def checker(*args):
        return True

    ctx.post_connection_check = checker

    ## Test opener directly
    opener = M2Crypto.m2urllib2.build_opener(ctx)
    f = opener.open('https://localhost:443/test.txt')
    print f.read()
    f.close()
|
More comments and rationale are at
https://bugzilla.redhat.com/show_bug.cgi?id=565662
* Some algorithms are not available in FIPS mode, in particular MD5.
* Ignoring the error returned by HMAC_Init IIRC results in a NULL
  dereference.
* FIPS mode prohibits 512-bit RSA keys, so the tests have to increase
  the key length.
* MD5 is prohibited in FIPS mode, had to use a different algorithm (and
  different known answers) for testing HMAC.
* RC4 is unavailable in FIPS mode. Should probably use @unittest.skip
  nowadays.
* The same goes for RIPEMD-160
|
Fixes #48
|
See for discussion of this patch
https://bugzilla.redhat.com/show_bug.cgi?id=210966
This patch adds timeout to SSL Operations, but it breaks API. From the
linked bug comment:
    This patch seems to change the API, likely breaking any currently
    working code that uses nonblocking sockets.

    - the patch completely changes the semantics of non-blocking
      operations (with timeout==0.0): instead of returning 0L, None or
      -1, they would raise exceptions
    - although SSL.Connection._{read,write}_{,n}bio uses the "internal
      use" naming convention, they are used in the shipped demo and
      contrib code, so I wouldn't be surprised if they were used in
      applications as well
    - SSL.Connection.makefile() supports write-only and read-write file
      objects, while SSLFile supports only reading.

ALSO, BE AWARE THAT THIS BUG USES LINUX SYSTEM CALL POLL() IN ITS
C PART, SO IT IS NOT WORKING ON WINDOWS.
|
Add .gitignore
|
git-svn-id: http://svn.osafoundation.org/m2crypto/tags/0.21.1@738 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/branches/0.21@737 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/branches/0.21@735 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/branches/0.21@726 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@724 2715db39-9adf-0310-9c64-84f055769b4b
|
interacted with the Python runtime, potentially causing crashes and other
weirdness, fix by Miloslav Trmac.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@723 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@722 2715db39-9adf-0310-9c64-84f055769b4b
|
test_smime.py.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@721 2715db39-9adf-0310-9c64-84f055769b4b
|
ENGINE_finish can be exposed, thanks to Erlo (see http://stackoverflow.com/questions/2195179/need-help-using-m2crypto-engine-to-access-usb-token).
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@720 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@716 2715db39-9adf-0310-9c64-84f055769b4b
|
disabling RSA PSS methods when using such old OpenSSL.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@715 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@714 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@713 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@709 2715db39-9adf-0310-9c64-84f055769b4b
|
make it private.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@704 2715db39-9adf-0310-9c64-84f055769b4b
|
epydoc --no-private --config=epydoc.conf
(for some reason the private options does not work in the config file).
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@703 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@702 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@698 2715db39-9adf-0310-9c64-84f055769b4b
|
OpenSSL. Make the tests use the same digest algorithm as we are testing the signature with. These fix the tests for 64-bit platforms.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@697 2715db39-9adf-0310-9c64-84f055769b4b
|
on 64-bit systems. This causes things like cert.get_serial_number() to be 5-6% slower, for example.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@696 2715db39-9adf-0310-9c64-84f055769b4b
|
Miloslav Trmac. This bumps swig dependency to >= 1.3.28.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@695 2715db39-9adf-0310-9c64-84f055769b4b
|
to support X509 certificates with large serial numbers, patch by Mikhail Vorozhtsov and testcase by Barry G.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@694 2715db39-9adf-0310-9c64-84f055769b4b
|
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@693 2715db39-9adf-0310-9c64-84f055769b4b
|