path: root/src
Commit message | Author | Age | Files | Lines
Fix spelling of set in set_verify docstring (#959) | Arne Schwabe | 2020-11-13 | 1 file | -2/+2
Fix typo in debug command output (#957) | Michael Lazar | 2020-11-12 | 1 file | -1/+1
    Co-authored-by: Michael Lazar <mlazar@doctorondemand.com>
Drop CI for OpenSSL 1.0.2 (#953) | Alex Gaynor | 2020-10-26 | 2 files | -49/+8
    * Drop CI for OpenSSL 1.0.2
    * Delete code for coverage reasons
    * Bump minimum cryptography version
Fixing issue #798 (#907) | jalberdi004 | 2020-10-18 | 1 file | -1/+4
    * Fixing issue #798, thanks to @reaperhulk; removing undocumented '%s' option and getting the date in a more robust way
    Co-authored-by: Joseba Alberdi <j.alberdi@simuneatomistics.com>
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Correct typos in crypto.py (#949) | Felix Yan | 2020-10-14 | 1 file | -2/+2
crypto._PassphraseHelper: pass non-callable passphrase using callback (#947) | Huw Jones | 2020-10-12 | 1 file | -10/+9
    * crypto._PassphraseHelper: pass non-callable passphrase using callback
    Fixes #945
    Before this commit, we would pass a bytes passphrase as a null-terminated string. This causes an issue when a randomly generated key's first byte is null, because OpenSSL rightly determines the key length is 0. This commit modifies the passphrase helper to pass the passphrase via the callback.
    * Update changelog to document bug fix
Allow using additional untrusted certificates for chain building in X509StoreContext (#948) | Sándor Oroszi | 2020-10-12 | 1 file | -2/+34
    The additional certificates provided in the new `chain` parameter will be untrusted but may be used to build the chain. This makes it easier to validate a certificate against a store which contains only root CA certificates, and the intermediates come from e.g. the same untrusted source as the certificate to be verified.
    Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
Allow using an OpenSSL hashed directory for verification in X509Store (#943) | Sándor Oroszi | 2020-09-11 | 1 file | -0/+48
    Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL-style hashed CA/CRL lookup directory, similar to the already existing SSL.Context.load_verify_locations().
    Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
I'm back in black (#941) | Alex Gaynor | 2020-08-26 | 1 file | -4/+5
Switch to new notBefore/After APIs (#843) | Rosen Penev | 2020-08-13 | 1 file | -6/+6
    Signed-off-by: Rosen Penev <rosenp@gmail.com>
Context.set_verify: allow omission of callback (#933) | Maximilian Hils | 2020-08-07 | 1 file | -11/+17
    * Context.set_verify: allow omission of callback
    * squeeze to 80 chars
    * make it clear that default callback is used
Allow accessing a connection's verified certificate chain (#894) | Shane Harvey | 2020-08-05 | 2 files | -8/+95
    * Allow accessing a connection's verified certificate chain
    Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain. Add Connection.get_verified_chain using SSL_get0_verified_chain if available (i.e. OpenSSL 1.1+) and X509StoreContext.get_verified_chain otherwise. Fixes #740.
    * TLSv1_METHOD -> SSLv23_METHOD
    * Use X509_up_ref instead of X509_dup
    * Add _openssl_assert where appropriate
    * SSL_get_peer_cert_chain should not be null
    * Reformat with black
    * Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
    * Add Changelog entry
    * Remove _add_chain
Deprecated pkcs7 and pkcs12 support (#921) | Alex Gaynor | 2020-08-05 | 1 file | -1/+23
focal time (#929) | Paul Kehrer | 2020-08-05 | 1 file | -1/+2
    * focal time
    * larger dh params, assert on something
    * urllib3 fix
    * actually check an error
remove npn support entirely. you should be using alpn (#932) | Paul Kehrer | 2020-08-03 | 1 file | -180/+0
    * remove npn support entirely. you should be using alpn
    * flake8
newer pypy (#928) | Paul Kehrer | 2020-08-03 | 1 file | -12/+1
    * newer pypy
    * missed one
    * we don't support ancient cffi any more
Add SSL.Context.set_keylog_callback (#910) | Maximilian Hils | 2020-07-28 | 1 file | -0/+31
    * add SSL.Context.set_keylog_callback
    * don't fail on missing attribute
    * lint!
    * make it black
Paint it Black by the Rolling Stones (#920) | Alex Gaynor | 2020-07-23 | 5 files | -272/+387
Remove deprecated tsafe module. (#913) | Benjamin Peterson | 2020-05-22 | 1 file | -31/+0
Drop OpenSSL 1.0.1 (#908) | Alex Gaynor | 2020-04-07 | 1 file | -10/+6
Remove asserts (#904) | Adrián Chaves | 2020-03-31 | 2 files | -5/+5
Fix PKey.check for some broken keys (#897) | Mrmaxmeier | 2020-03-11 | 1 file | -1/+1
    * fix PKey.check for some broken keys
    RSA_check_key is documented to return 1 for valid keys. It (currently) returns 0 or -1 for invalid ones. The previous code accepted invalid keys if RSA_check_key returns -1!
    * add test
Make the code slightly resilient to python4 (#880) | Alex Gaynor | 2019-11-18 | 1 file | -2/+2
Random cleanup around our usage of binary_type (#879) | Alex Gaynor | 2019-11-18 | 2 files | -9/+7
reopen master, call it 20.0 because let's be honest with ourselves (#878) | Paul Kehrer | 2019-11-18 | 1 file | -1/+1
version bump for 19.1 release (#877) [tag: 19.1.0] | Paul Kehrer | 2019-11-17 | 1 file | -1/+1
ALPN: complete handshake without accepting a client's protocols. (#876) | Mark Williams | 2019-11-18 | 1 file | -10/+25
    * ALPN: complete handshake without accepting a client's protocols.
    The callback passed to `SSL_CTX_set_alpn_select_cb` can return `SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without accepting any of the client's offered protocols. This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python callback passed to `Context.set_alpn_select_callback` can return to achieve the same thing. It does not change the previous meaning of an empty string, which still terminates the handshake.
    * Update src/OpenSSL/SSL.py
    Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
    * Address @alex's review.
    * Use recorded value in test, fix lint error.
    * Cover TypeError branch in _ALPNHelper.callback
use _ffi.from_buffer() to support bytearray (#852) | Daniel Holth | 2019-11-18 | 2 files | -37/+49
    * use _ffi.from_buffer(buf) in send, to support bytearray
    * add bytearray test
    * update CHANGELOG.rst
    * move from_buffer before 'buffer too long' check
    * context-managed from_buffer + black
    * don't shadow buf in send()
    * test return count for sendall
    * test sending an array
    * fix test
    * also use from_buffer in bio_write
    * de-format _util.py
    * formatting
    * add simple bio_write tests
    * wrap line
Fix for Python 4 (#862) | Hugo van Kemenade | 2019-08-29 | 1 file | -8/+8
    * Fix for Python 4
    * Fix for Python 4
Expose OP_NO_TLSv1_3 (#861) | Nathaniel J. Smith | 2019-08-02 | 1 file | -0/+5
    * Expose OP_NO_TLSv1_3
    * Support openssl <1.1.1
Update SSL.py docstring (#849) | Daniel Holth | 2019-07-05 | 1 file | -1/+1
OpenSSL always has SNI (#821) | Alex Gaynor | 2019-02-22 | 1 file | -8/+0
Deprecated NPN (#820) | Alex Gaynor | 2019-02-22 | 1 file | -0/+9
    * Deprecated NPN
    * arithmetic is hard
    * oops
    * oops
Raise an Error with "no cipher match" even with TLS 1.3 (#818) | Mark Williams | 2019-02-14 | 1 file | -3/+12
    * Raise an Error with "no cipher match" even with TLS 1.3
    This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString and seamlessly work with TLS 1.3: https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
    * Split TestContext.test_set_cipher_list_wrong_args into two tests.
Removed deprecated Type aliases (#814) | Alex Gaynor | 2019-02-07 | 2 files | -85/+0
    * Removed deprecated Type aliases
    * typo
    * typo
    * missed this somehow
    * Line wrap
Provide a valid digest option (#811) | Wayne Werner | 2019-01-30 | 1 file | -1/+1
    2566 is not a valid digest, whoops!
Reopen master for 19.1 (#810) | Alex Gaynor | 2019-01-21 | 1 file | -1/+1
release 19.0.0 (#808) [tag: 19.0.0] | Paul Kehrer | 2019-01-21 | 1 file | -1/+1
changelog and call it 19 now (#807) | Paul Kehrer | 2019-01-21 | 1 file | -1/+1
add key types consts (#776) | Igr | 2019-01-21 | 1 file | -0/+2
Fixes incorrect rtype in documentation (#802) | Gaurav Malhotra | 2019-01-21 | 1 file | -2/+2
    rtype for the following was incorrect:
    X509Req.from_cryptography
    X509.from_cryptography
Handle NULL bytes in get_components() values (#804) | Romuald Brunet | 2019-01-21 | 1 file | -5/+5
    * Handle NULL bytes in get_components() values
    Some old software may generate "bogus" CN with each character preceded by a NULL. This is already handled in commonName, but wasn't in get_components()
    * review fixes (fix py3 test & avoid unpack/cast)
Hypothetically fixes pyOpenSSL tests (#805) | Paul Kehrer | 2019-01-21 | 1 file | -0/+13
    * fix openssl CLI testing for 1.1.1
    * various 1.1.1 related fixes, some of which are just admitting TLS 1.3 is fundamentally different and pinning the tests to TLS 1.2
    * flake8 fixes
    * allow travis_infra env var through
    * fix twisted
Update OpenSSL manpage link to x509v3_config (#789) | Cyril Stoller | 2018-08-27 | 1 file | -1/+1
Add note on zero-based certificate version value (#790) | Cyril Stoller | 2018-08-27 | 1 file | -1/+2
X509Store.add_cert no longer raises an error on duplicate cert (#787) | Paul Kehrer | 2018-08-23 | 1 file | -1/+10
    * X509Store.add_cert no longer raises an error on duplicate cert
    * move changelog entry
Only allocate exponent in the TYPE_RSA path. (#767) | David Benjamin | 2018-06-05 | 1 file | -5/+5
    Not much point in making it otherwise.
Tone down the comment around SSL_set_tlsext_status_ocsp_resp. (#764) | David Benjamin | 2018-05-22 | 1 file | -7/+2
    The ownership semantics of SSL_set_tlsext_status_ocsp_resp are not as complex as the comment suggests. There's no leak or complex lifetime. It's an ownership transfer of an OPENSSL_malloc'd buffer. The documentation is lacking, and making the copy internally would have been tidier (though less efficient if the OCSP response were generated by i2d_OCSP_RESPONSE), but this sort of thing has precedent in OpenSSL's API.
Fix SSL_CTX_set_tlsext_servername_callback type signature. (#763) | David Benjamin | 2018-05-22 | 1 file | -1/+1
    See also https://github.com/pyca/cryptography/pull/4227. I suspect this is a no-op since cffi is probably just generating its own function stubs and every ABI makes const and non-const pointers the same. Still, better to match things.
reopen master for 18.1 (#761) | Paul Kehrer | 2018-05-16 | 1 file | -1/+1
    * reopen master for 18.1
    * there are four dashes