path: root/src/OpenSSL/SSL.py
Commit message | Author | Age | Files | Lines
...
* Tone down the comment around SSL_set_tlsext_status_ocsp_resp. (#764) | David Benjamin | 2018-05-22 | 1 | -7/+2
  The ownership semantics of SSL_set_tlsext_status_ocsp_resp are not as complex as the comment suggests. There's no leak or complex lifetime. It's an ownership transfer of an OPENSSL_malloc'd buffer. The documentation is lacking, and making the copy internally would have been tidier (though less efficient if the OCSP response were generated by i2d_OCSP_RESPONSE), but this sort of thing has precedent in OpenSSL's API.
* Fix SSL_CTX_set_tlsext_servername_callback type signature. (#763) | David Benjamin | 2018-05-22 | 1 | -1/+1
  See also https://github.com/pyca/cryptography/pull/4227. I suspect this is a no-op since cffi is probably just generating its own function stubs and every ABI makes const and non-const pointers the same. Still, better to match things.
* Add Connection.get_certificate method (#733) | Jeremy Lainé | 2018-05-16 | 1 | -0/+12
  This makes it possible to retrieve the local certificate (if any) for a Connection. An example where this is useful is when negotiating a DTLS-SRTP connection, the fingerprint of the local certificate needs to be communicated to the remote party out-of-band via SDP.
* Make sure a NotImplementedError is always raised on Connection.makefile() (#744) | Ayke | 2018-05-16 | 1 | -1/+1
  * Make sure a NotImplementedError is always raised on Connection.makefile
    With this patch, code which calls (for example) conn.makefile('rb') will get a NotImplementedError instead of a confusing TypeError:
    TypeError: makefile() takes 1 positional argument but 2 were given
  * ignore any args/kwargs passed
* Add Context.set_tlsext_use_srtp (#734) | Jeremy Lainé | 2018-05-16 | 1 | -0/+15
  This allows negotiating SRTP keying material, which is useful when using DTLS-SRTP, as WebRTC does for example.
* Always enable auto retry (#753) | Paul Kehrer | 2018-05-14 | 1 | -0/+5
  * test using auto retry
  * add/update changelog and add comment
  * wordsmithing
  * Update CHANGELOG.rst
  * Update CHANGELOG.rst
* Raise minimum cryptography version to 2.2.1, drop python 2.6 (#742) | Jeremy Lainé | 2018-03-21 | 1 | -14/+4
* Don't add not supported SSL_ST_* into _all_, fixes #738 (#739) | Ondřej Nový | 2018-03-01 | 1 | -4/+6
  Without this patch this fails:
  >>> from OpenSSL.SSL import *
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/cryptography/utils.py", line 124, in __getattr__
      obj = getattr(self._module, attr)
  AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
* Use autofocus for all module documentation/docstrings (#737) | Alex Chan | 2018-02-15 | 1 | -110/+233
  * Use autodoc for OpenSSL.crypto
  * Use autodoc for the SSL.Context class
  * Use autodoc for SSL.Connection
* Export keying material support (#725) | Paul Kehrer | 2017-11-30 | 1 | -0/+24
  * added method to export keying material from an ssl connection
  * updated tests to use bytestrings to avoid breaking python3 tests
  * added additional comments to test
  * simplify export_keying_material
  * add changelog
  * address review feedback
* fix a memory leak and a potential UAF and also #722 (#723) | Paul Kehrer | 2017-11-30 | 1 | -2/+3
  * fix a memory leak and a potential UAF and also #722
  * sanity check
  * bump cryptography minimum version, add changelog
* define __all__ to make wildcard import work (#719) | Nicolas Karolak | 2017-11-26 | 1 | -0/+89
* Don't use things after they're freed...duh (#709) | Alex Gaynor | 2017-11-20 | 1 | -5/+2
  * Don't use things after they're freed...duh
  * changelog
  * more details
* fix errors with latest flake8 (#710) | Alex Gaynor | 2017-11-20 | 1 | -4/+4
  * fix errors with latest flake8
  * Also fix the macOS builds
  * fix?
  * allow urllib3 to fail for now
* Improve documentation for passphrase callback (#703) | Diego Fernandez | 2017-10-12 | 1 | -1/+1
  Address issue #701
* fix #664 (#665) | Paul Kehrer | 2017-07-19 | 1 | -2/+4
  * fix #664
    bytes and strings are different things.
  * update changelog
  * let's just make the sentinel values byte strings
  * flake8
* Kill some commented out code and other cleanups (#649) | Alex Gaynor | 2017-06-30 | 1 | -9/+2
* Kill dead code (#647) | Alex Gaynor | 2017-06-29 | 1 | -6/+5
  * Simplify code
  * dead code
  * unused...
  * write imports normally
* try loading trusted certs from a list of fallbacks (#633) | Paul Kehrer | 2017-06-29 | 1 | -0/+78
  * try loading trusted certs from a list of fallbacks
    pyca/cryptography will shortly begin shipping a wheel. Since SSL_CTX_set_default_verify_paths uses a hardcoded path compiled into the library, this will start failing to load the proper certificates for users on many linux distributions. To avoid this we can use the Go solution of iterating over a list of potential candidates and loading it when found.
  * capath is lazy loaded so we need to do a lot more checks
    This now checks to see if env vars are set as well as seeing if the dir exists and has valid certs in it. If either of those are true (or the number of certs is > 0) it won't load the fallback. If it does do the fallback it will also attempt to load certs from a dir as a final fallback
  * remove an early return
  * this shouldn't be commented out
  * oops
  * very limited testing
  * sigh, can't use these py3 exceptions of course
  * expand the tests a bit
  * coverage!
  * don't need this now
  * change the approach to use a pyca/cryptography guard value
  * test fix
  * older python sometimes calls itself linux2
  * flake8
  * add changelog
  * coverage
  * slash opt
* Fixed #486 -- deprecate the backwards compat names (#643) | Alex Gaynor | 2017-06-29 | 1 | -2/+11
  * Fixed #486 -- deprecate the backwards compat names
  * remove the docs for these, pretend they don't exist
  * CHANGELOG
* Limit SSL_write bufsize to avoid OverflowErrors (#603) | Maximilian Hils | 2017-02-10 | 1 | -1/+9
  * limit SSL_write bufsize to avoid OverflowErrors
  * fix .send() truncation, add test
* Prevent _PassphraseHelper.raise_if_problem() from eating exceptions (#581) | Greg Bowser | 2017-01-25 | 1 | -5/+4
  * Modify tests to detect empty crypto.Errors from load_privatekey
    This reproduces #119 and #456.
  * Prevent _PassphraseHelper.raise_if_problem() from eating exceptions.
    This resolves #119, resolves #456. `_PassphraseHelper.raise_if_problem()` always flushes the OpenSSL exception queue, but does not always raise an exception. In some cases, other code attempts to raise an error from OpenSSL after `raise_if_problem()` has flushed the queue, thus causing an empty exception to be raised (i.e. `raise Error([])`). This commit modifies `_PassphraseHelper.raise_if_problem` to flush the OpenSSL error queue only if it has an exception to raise. Subsequent code that detects an error should now be able to raise a non-empty exception.
  * Add CHANGELOG entry for #581.
* Add support for OCSP stapling. (#580) | Cory Benfield | 2017-01-24 | 1 | -0/+206
  * Define the OCSPCallbackHelper.
  * Define set_ocsp_status_callback function.
  * Reframe this as the "server" helper.
  * Add OCSP helper.
  * Allow clients to request OCSP
  * Some tests for OCSP.
  * Don't forget to throw callback errors.
  * Add changelog entry for OCSP stapling.
  * Require at least cryptography 1.7
  * Sorry Flake8, won't happen again.
  * How does spelling work?
* automatically set SSL_CTX_set_ecdh_auto when available (#575) | Paul Kehrer | 2016-12-19 | 1 | -0/+9
* Don't zero memory when we don't have to. (#578) | Cory Benfield | 2016-11-28 | 1 | -7/+8
* Convert X509ExtTests to use pytest-style tests (#564) | Alex Chan | 2016-11-18 | 1 | -0/+1
* Test on OpenSSL 1.1.0 with travis. Fixes #524 (#526) | Alex Gaynor | 2016-09-24 | 1 | -7/+9
* fix cffi warnings for proper buffer types (#545) | Paul Kehrer | 2016-09-20 | 1 | -3/+3
* Simplify a few more branches to improve coverage (#500) | Alex Gaynor | 2016-07-03 | 1 | -8/+2
* Port the easy cases of SSL.py to _openssl_assert (#499) | Alex Gaynor | 2016-07-03 | 1 | -9/+3
* Remove a bunch of untested stuff. (#487) | Alex Gaynor | 2016-06-04 | 1 | -19/+8
  Refs #478
* remove attempts to test against openssl 0.9.8 (#484) | Alex Gaynor | 2016-06-04 | 1 | -8/+2
  * remove attempts to test against openssl 0.9.8
  * remove some untested branches
* We have always been at war with easy to read code. | Alex Gaynor | 2016-06-01 | 1 | -12/+23
  aka EVERYBODY GET READY FOR OPENSSL 1.1.0
* Removed nonsense docstring | Alex Gaynor | 2016-05-27 | 1 | -3/+1
  Caught by @davidben
* Factor out common code of requires decorators | Cory Benfield | 2016-03-29 | 1 | -35/+26
* Raise NotImplementedError when SNI not present. | Cory Benfield | 2016-03-29 | 1 | -0/+19
* Implement Context.set_session_id | Hynek Schlawack | 2016-03-16 | 1 | -10/+34
* Rename state_name to get_state_name | Hynek Schlawack | 2016-03-14 | 1 | -2/+3
  A bit more consistent naming. Rename is possible because the method hasn't been part of a release yet.
* Pluck more unrelated bits from #422 | Hynek Schlawack | 2016-03-13 | 1 | -4/+4
* More explicit assert | Hynek Schlawack | 2016-03-11 | 1 | -1/+1
* Grammar | Hynek Schlawack | 2016-03-11 | 1 | -1/+1
* Fix set_cipher_list on modern OpenSSL | Hynek Schlawack | 2016-03-11 | 1 | -12/+15
  Also port forward a few changes from #422.
* Fixed AttributeError when calling get_app_data() | Todd Chapman | 2016-01-18 | 1 | -0/+1
* Move package into src | Hynek Schlawack | 2015-10-17 | 1 | -0/+1915
  Prevents accidental imports when running tests.