| Age | Commit message (Collapse) | Author |
|---|
|
Added SPDX-license-identifier-Apache-2.0 to:
Android.bp
src/OpenSSL/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: Ie0212b5c649e8e7e05eea24d5b3de8732f8017f1
|
|
Test: make
Change-Id: Icdf65bde24f056bd011ee39635e7d66662ef4d4d
|
|
|
|
* Test on OpenSSL 1.1.0 w/ Debian stretch
* Make pyOpenSSL compatible with openssl 1.1.0 again
Co-authored-by: Shane Harvey <shnhrv@gmail.com>
|
|
|
|
|
|
* fix a memleak
* black
|
|
* Keep reference to SSL verify_call in Connection object
If a set_verify is used on a context before and after a Connection
the reference in the SSL* object still points to the old _verify_helper
object. Since this object has no longer any references to it, the
callback can result in a segfault.
This commit fixes the issues by ensuring that as long as the
Connection object/SSL* object lives a reference to the callback
function is held.
* Add Unit test for set_verify_callback deference
|
|
|
|
Co-authored-by: Michael Lazar <mlazar@doctorondemand.com>
|
|
* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
|
|
* Fixing issue #798, thanks to @reaperhulk; removing undocumented '%s' option and getting the date in a more robust way
Co-authored-by: Joseba Alberdi <j.alberdi@simuneatomistics.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
|
|
|
* crypto._PassphraseHelper: pass non-callable passphrase using callback
Fixes #945
Before this commit, we would pass a bytes passphrase as a null terminated string.
This causes issue when a randomly generated key's first byte is null because
OpenSSL rightly determines the key length is 0.
This commit modifies the passphrase helper to pass the passphrase via the
callback
* Update changelog to document bug fix
|
|
X509StoreContext (#948)
The additional certificates provided in the new `chain` parameter will be
untrusted but may be used to build the chain.
This makes it easier to validate a certificate against a store which
contains only root ca certificates, and the intermediates come from e.g.
the same untrusted source as the certificate to be verified.
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
|
|
Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL-
style hashed CA/CRL lookup directory, similar to the already existing
SSL.Context.load_verify_locations().
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
|
|
|
|
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
|
* Context.set_verify: allow omission of callback
* squeeze to 80 chars
* make it clear that default callback is used
|
|
* Allow accessing a connection's verfied certificate chain
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
|
|
|
|
* focal time
* larger dh params, assert on something
* urllib3 fix
* actually check an error
|
|
* remove npn support entirely. you should be using alpn
* flake8
|
|
* newer pypy
* missed one
* we don't support ancient cffi any more
|
|
* add SSL.Context.set_keylog_callback
* don't fail on missing attribute
* lint!
* make it black
|
|
|
|
|
|
|
|
|
|
* fix PKey.check for some broken keys
RSA_check_key is documented to return 1 for valid keys.
It (currently) returns 0 or -1 for invalid ones.
The previous code accepted invalid keys if RSA_check_key returns -1!
* add test
|
|
|
|
|
|
|
|
|
|
* ALPN: complete handshake without accepting a client's protocols.
The callback passed to `SSL_CTX_set_alpn_select_cb` can return
`SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without
accepting any of the client's offered protocols.
This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python
callback passed to `Context.set_alpn_select_callback` can return to
achieve the same thing.
It does not change the previous meaning of an empty string, which
still terminates the handshake.
* Update src/OpenSSL/SSL.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Address @alex's review.
* Use recorded value in test, fix lint error.
* Cover TypeError branch in _ALPNHelper.callback
|
|
* use _ffi.from_buffer(buf) in send, to support bytearray
* add bytearray test
* update CHANGELOG.rst
* move from_buffer before 'buffer too long' check
* context-managed from_buffer + black
* don't shadow buf in send()
* test return count for sendall
* test sending an array
* fix test
* also use from_buffer in bio_write
* de-format _util.py
* formatting
* add simple bio_write tests
* wrap line
|
|
* Fix for Python 4
* Fix for Python 4
|
|
* Expose OP_NO_TLSv1_3
* Support openssl <1.1.1
|
|
|
|
pyopenssl 19.0.0 and added in misc files.
Bug: 122778810
Test: None
Change-Id: Iba5da7e8b2b559ca37912f1892be98f505ef8b6e
|
|
|
|
* Deprecated NPN
* arithmetic is hard
* oops
* oops
|
|
* Raise an Error with "no cipher match" even with TLS 1.3
This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
and seamlessly work with TLS 1.3:
https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
* Split TestContext.test_set_cipher_list_wrong_args into two tests.
|
|
* Removed deprecated Type aliases
* typo
* typo
* missed this somehow
* Line wrap
|
|
2566 is not a valid digest, whoops!
|
|
|
|
|
|
|
|
|
|
rtype for the following was incorrect:
X509Req.from_cryptography
X509.from_cryptography
|
