| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
| |
The ownership semantics of SSL_set_tlsext_status_ocsp_resp are not as
complex as the comment suggests. There's no leak or complex lifetime.
It's an ownership transfer of an OPENSSL_malloc'd buffer. The
documentation is lacking, and making the copy internally would have been
tidier (though less efficient if the OCSP response where generated by
i2d_OCSP_RESPONSE), but this sort of thing has precedent in OpenSSL's
API.
|
|
|
|
|
|
| |
See also https://github.com/pyca/cryptography/pull/4227. I suspect this
is a no-op since cffi is probably just generating its own function
stubs and every ABI makes const and non-const pointers the same. Still,
better to match things.
|
|
|
|
|
|
|
|
| |
This makes it possible to retrieve the local certificate (if any)
for a Connection.
An example where this is useful is when negotiating a DTLS-SRTP
connection, the fingerprint of the local certificate needs to be
communicated to the remote party out-of-band via SDP.
|
|
|
|
|
|
|
|
|
|
|
| |
* Make sure a NotImplementedError is always raised on Connection.makefile
With this patch, code which calls (for example) conn.makefile('rb') will
get a NotImplementedError instead of a confusing TypeError:
TypeError: makefile() takes 1 positional argument but 2 were given
* ignore any args/kwargs passed
|
|
|
|
| |
This allows negotiating SRTP keying material, which is useful when using
DTLS-SRTP, as WebRTC does for example.
|
|
|
|
|
|
|
|
|
|
|
|
| |
* test using auto retry
* add/update changelog and add comment
* wordsmithing
* Update CHANGELOG.rst
* Update CHANGELOG.rst
|
| |
|
|
|
|
|
|
|
|
|
| |
Without this patch this fails:
>>> from OpenSSL.SSL import *
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/dist-packages/cryptography/utils.py", line 124, in __getattr__
obj = getattr(self._module, attr)
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
|
|
|
|
|
|
|
|
| |
* Use autodoc for OpenSSL.crypto
* Use autodoc for the SSL.Context class
* Use autodoc for SSL.Connection
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* added method to export keying material from an ssl connection
* updated tests to use bytestrings to avoid breaking python3 tests
* added additional comments to test
* simplify export_keying_material
* add changelog
* address review feedback
|
|
|
|
|
|
|
|
| |
* fix a memory leak and a potential UAF and also #722
* sanity check
* bump cryptography minimum version, add changelog
|
| |
|
|
|
|
|
|
|
|
| |
* Don't use things after they're freed...duh
* changelog
* more details
|
|
|
|
|
|
|
|
|
|
| |
* fix errors with latest flake8
* Also fix the macOS builds
* fix?
* allow urllib3 to fail for now
|
|
|
| |
Address issue #701
|
|
|
|
|
|
|
|
|
|
|
|
| |
* fix #664
bytes and strings are different things.
* update changelog
* let's just make the sentinel values byte strings
* flake8
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Simplify code
* dead code
* unused...
* write imports normally
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* try loading trusted certs from a list of fallbacks
pyca/cryptography will shortly begin shipping a wheel. Since
SSL_CTX_set_default_verify_paths uses a hardcoded path compiled into the
library, this will start failing to load the proper certificates for
users on many linux distributions. To avoid this we can use the Go
solution of iterating over a list of potential candidates and loading
it when found.
* capath is lazy loaded so we need to do a lot more checks
This now checks to see if env vars are set as well as seeing if the
dir exists and has valid certs in it. If either of those are true (or
the number of certs is > 0) it won't load the fallback. If it does do
the fallback it will also attempt to load certs from a dir as a final
fallback
* remove an early return
* this shouldn't be commented out
* oops
* very limited testing
* sigh, can't use these py3 exceptions of course
* expand the tests a bit
* coverage!
* don't need this now
* change the approach to use a pyca/cryptography guard value
* test fix
* older python sometimes calls itself linux2
* flake8
* add changelog
* coverage
* slash opt
|
|
|
|
|
|
|
|
| |
* Fixed #486 -- deprecate the backwards compat names
* remove the docs for these, pretend they don't exist
* CHANGELOG
|
|
|
|
|
|
| |
* limit SSL_write bufsize to avoid OverflowErrors
* fix .send() truncation, add test
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Modify tests to detect empty crypto.Errors from load_privatekey
This reproduces #119 and #456.
* Prevent _PassphraseHelper.raise_if_problem() from eating exceptions.
This resolves #119, resolves #456.
`_PassphraseHelper.raise_if_problem()` always flushes the OpenSSL
exception queue, but does not always raise an exception. In some cases,
other code attempts to raise an error from OpenSSL after
`raise_if_problem()` has flushed the queue, thus causing an empty
exception to be raised (i.e. `raise Error([])`).
This commit modifies `_PassphraseHelper.raise_if_problem` to flush the
OpenSSL error queue only if it has en exception to raise. Subsequent
code that detects an error should now be able to raise an non-empty
exception.
* Add CHANGELOG entry for #581.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Define the OCSPCallbackHelper.
* Define set_ocsp_status_callback function.
* Reframe this as the "server" helper.
* Add OCSP helper.
* Allow clients to request OCSP
* Some tests for OCSP.
* Don't forget to throw callback errors.
* Add changelog entry for OCSP stapling.
* Require at least cryptography 1.7
* Sorry Flake8, won't happen again.
* How does spelling work?
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
| |
Refs #478
|
|
|
|
|
|
| |
* remove attempts to test against openssl 0.9.8
* remove some untested branches
|
|
|
|
| |
aka EVERYBODY GET READY FOR OPENSSL 1.1.0
|
|
|
| |
Caught by @davidben
|
| |
|
| |
|
| |
|
|
|
|
|
| |
A bit more consistent naming. Rename is possible because the method
hasn't been part of a release yet.
|
| |
|
| |
|
| |
|
|
|
|
| |
Also port forward a few changes from #422.
|
| |
|
|
Prevents accidental imports when running tests.
|