| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Expose X509_V_* constants.
* Switch to strategy where cryptography 40.0.2 exposes the constants.
* Fix bad merge.
* Fix flake.
* Link to PR.
* Check availability, rather than versions.
* Add namespacing.
* Add success code to namespace.
* Fix lint.
* Remove unnecessary conditional.
* Update CHANGELOG.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
|
|
|
|
|
|
|
|
| |
* remove X509StoreFlags.NOTIFY_POLICY
fixes #1212
* also fix twisted
* more CI fixes, sigh
|
|
|
|
|
|
|
|
|
|
|
| |
* Reject invalid versions in X509Req.set_version
* Update CHANGELOG.rst
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
---------
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
|
|
|
|
| |
* port changelog
* forward port the nid2sn workaround
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for DTLS timeouts
When performing a DTLS handshake, the DTLS state machine may need to be
updated based on the passage of time, for instance in response to packet
loss.
OpenSSL supports this by means of the `DTLSv1_get_timeout` and
`DTLSv1_handle_timeout` methods, both of which are included in
cryptography's bindings. This change adds Python wrappers for these
methods in the `Connection` class.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
* Add support for X509_V_FLAG_PARTIAL_CHAIN
* Remove unneeded import
* Update changelog to add PR number.
* Fix whitespace issue identified by black
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* add `Connection.use_(certificate|privatekey)`
* bump minimum cryptography version
* deduplicate tests
* black!
* max line length
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* OpenSSL/crypto: make X509StoreContextError's message friendlier
Closes #1132.
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: update exception tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* OpenSSL/crypto: blacken
Signed-off-by: William Woodruff <william@trailofbits.com>
* CHANGELOG: record changes
Signed-off-by: William Woodruff <william@trailofbits.com>
|
|
|
|
|
|
|
|
|
|
|
| |
* add `Connection.set_verify`, fix #255
* show that it works with cryptography main
* Revert "show that it works with cryptography main"
This reverts commit fb0136a8e5aa5d2c6e0c16f8f4ecee2f3c72a16b.
* make it black
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* repair CI
* more fixes
* pypy39 requires latest cryptography
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* use constant
* bump minimum version
* remove unneeded try
* fix
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Expose DTLS_METHOD and friends
* Expose OP_NO_RENEGOTIATION
* Expose DTLS MTU-related functions
* Expose DTLSv1_listen and associated callbacks
* Add a basic DTLS test
* Cope with old versions of openssl/libressl
* blacken
* Soothe flake8
* Add temporary hack to skip DTLS test on old cryptography versions
* Update for cryptography v35 release
* Add changelog entry
* Fix versionadded::
* get_cleartext_mtu doesn't exist on decrepit old openssl
* Rewrite DTLS test to work around stupid OpenSSL misbehavior
* flake8 go away
* minor tidying
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* py27 going, going, gone
* black
* more black
* ok then
* forgot to remove pypy2
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add Context.set_*_proto_version, fix #860
* docs: add new openssl tls methods
* accept the fact that nothing can be taken for granted
* bump minimum required cryptography version to 3.3
* drop support for Python 3.5
* use binary wheels for cryptography
* Revert "use binary wheels for cryptography"
This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1.
* docker ci: compile cryptography with rust
|
|
|
|
|
|
|
| |
* check return code of SSL_CTX_set_alpn_protos, fix #992
* paint it black!
* fix line lengths as well :upside_down_face:
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
|
|
|
|
|
|
|
|
|
|
|
|
| |
* crypto._PassphraseHelper: pass non-callable passphrase using callback
Fixes #945
Before this commit, we would pass a bytes passphrase as a null terminated string.
This causes issue when a randomly generated key's first byte is null because
OpenSSL rightly determines the key length is 0.
This commit modifies the passphrase helper to pass the passphrase via the
callback
* Update changelog to document bug fix
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509StoreContext (#948)
The additional certificates provided in the new `chain` parameter will be
untrusted but may be used to build the chain.
This makes it easier to validate a certificate against a store which
contains only root ca certificates, and the intermediates come from e.g.
the same untrusted source as the certificate to be verified.
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
|
|
|
|
|
|
|
| |
Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL-
style hashed CA/CRL lookup directory, similar to the already existing
SSL.Context.load_verify_locations().
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
|
|
|
|
|
|
|
| |
* Context.set_verify: allow omission of callback
* squeeze to 80 chars
* make it clear that default callback is used
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Allow accessing a connection's verfied certificate chain
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
|
| |
|
|
|
|
|
| |
* remove npn support entirely. you should be using alpn
* flake8
|
|
|
|
|
|
|
|
|
| |
* add SSL.Context.set_keylog_callback
* don't fail on missing attribute
* lint!
* make it black
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ALPN: complete handshake without accepting a client's protocols.
The callback passed to `SSL_CTX_set_alpn_select_cb` can return
`SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without
accepting any of the client's offered protocols.
This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python
callback passed to `Context.set_alpn_select_callback` can return to
achieve the same thing.
It does not change the previous meaning of an empty string, which
still terminates the handshake.
* Update src/OpenSSL/SSL.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Address @alex's review.
* Use recorded value in test, fix lint error.
* Cover TypeError branch in _ALPNHelper.callback
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* use _ffi.from_buffer(buf) in send, to support bytearray
* add bytearray test
* update CHANGELOG.rst
* move from_buffer before 'buffer too long' check
* context-managed from_buffer + black
* don't shadow buf in send()
* test return count for sendall
* test sending an array
* fix test
* also use from_buffer in bio_write
* de-format _util.py
* formatting
* add simple bio_write tests
* wrap line
|
|
|
|
|
|
|
| |
Users with older cryptography (and hence potentially older asn1crypto, a
transitive dependency) are seeing a serious bug on macOS catalina due to
the way older asn1crypto loads a shared library. While this isn't a
pyOpenSSL bug bumping this dep might prevent the bug from impacting
some users.
|
|
|
|
|
|
|
|
|
|
| |
* Deprecated NPN
* arithmetic is hard
* oops
* oops
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Removed deprecated Type aliases
* typo
* typo
* missed this somehow
* Line wrap
|