[pypy-commit] pypy cffi-libs: more hacking - should upstream SSL_OP_NO_SSLv2
mattip
pypy.commits at gmail.com
Sat May 11 19:11:50 EDT 2019
Author: Matti Picus <matti.picus at gmail.com>
Branch: cffi-libs
Changeset: r96603:a5de172c4337
Date: 2019-05-10 08:08 -0700
http://bitbucket.org/pypy/pypy/changeset/a5de172c4337/
Log: more hacking - should upstream SSL_OP_NO_SSLv2
diff --git a/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py b/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py
--- a/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py
+++ b/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py
@@ -71,6 +71,7 @@
static const long SSL_OP_MICROSOFT_SESS_ID_BUG;
static const long SSL_OP_NETSCAPE_CHALLENGE_BUG;
static const long SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+static const long SSL_OP_NO_SSLv2;
static const long SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG;
static const long SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER;
static const long SSL_OP_MSIE_SSLV2_RSA_PADDING;
diff --git a/lib_pypy/_cffi_ssl/_stdssl/__init__.py b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
--- a/lib_pypy/_cffi_ssl/_stdssl/__init__.py
+++ b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
@@ -68,7 +68,7 @@
globals()[name[4:]] = getattr(lib, name)
OP_ALL = lib.SSL_OP_ALL & ~lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-OP_NO_SSL_v2 = lib.SSL_OP_NO_SSL_v2
+OP_NO_SSLv2 = lib.SSL_OP_NO_SSLv2
SSL_CLIENT = 0
SSL_SERVER = 1
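Review bot: The explicit `OP_NO_SSLv2 = lib.SSL_OP_NO_SSLv2` on the `+` line looks redundant with the loop that ends just above it, which already copies `lib` attributes into the module namespace with the `SSL_` prefix stripped (`globals()[name[4:]] = getattr(lib, name)`) — assuming that loop iterates over every `SSL_OP_*` name, which is not visible in the hunk. Now that `SSL_OP_NO_SSLv2` is declared in the cffi cdef, the loop should define `OP_NO_SSLv2` on its own, so this line could be dropped or kept with a comment such as `# explicit alias; the SSL_* loop above also exports this once the cdef declares it` so the duplication is deliberate rather than accidental.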
@@ -77,7 +77,8 @@
if lib.Cryptography_HAS_SSL2:
PROTOCOL_SSLv2 = 0
-PROTOCOL_SSLv3 = 1
+if lib.Cryptography_HAS_SSL3_METHOD:
+ PROTOCOL_SSLv3 = 1
PROTOCOL_SSLv23 = 2
PROTOCOL_TLS = PROTOCOL_SSLv23
PROTOCOL_TLSv1 = 3
@@ -156,7 +157,7 @@
ffi.memmove(buf, password, len(password))
return len(password)
-if lib.Cryptography_STATIC_CALLBACKS:
+if 0: # lib.Cryptography_STATIC_CALLBACKS:
ffi.def_extern(_Cryptography_pem_password_cb)
Cryptography_pem_password_cb = lib.Cryptography_pem_password_cb
else:
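Review bot: `if 0: # lib.Cryptography_STATIC_CALLBACKS:` hard-wires the dynamic-callback path regardless of how the cffi module was built and leaves the real condition as commented-out code, with nothing saying why. If the static `pem_password_cb` is broken on this branch the workaround should say so and be tracked, e.g. `if 0:  # TODO(mattip): static pem_password_cb disabled until the cffi-libs build exposes it correctly`; otherwise it should be reverted before merge. The `else` branch that this now always takes begins at the last line of the hunk and continues outside it, so its callback-lifetime handling (the object must stay alive for as long as OpenSSL may call it) cannot be checked here.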
@@ -530,7 +531,7 @@
short_name = lib.SSL_COMP_get_name(comp_method)
if short_name == ffi.NULL:
return None
- return _cstr_decode_fs(short_name)
+ return _str_from_buf(short_name)
def version(self):
if self.ssl == ffi.NULL:
@@ -781,7 +782,7 @@
method = lib.TLSv1_1_method()
elif lib.Cryptography_HAS_TLSv1_2 and protocol == PROTOCOL_TLSv1_2 :
method = lib.TLSv1_2_method()
- elif protocol == PROTOCOL_SSLv3 and lib.Cryptography_HAS_SSL3_METHOD:
+ elif lib.Cryptography_HAS_SSL3_METHOD and protocol == PROTOCOL_SSLv3:
method = lib.SSLv3_method()
elif lib.Cryptography_HAS_SSL2 and protocol == PROTOCOL_SSLv2:
method = lib.SSLv2_method()
@@ -812,7 +813,7 @@
options = lib.SSL_OP_ALL & ~lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
if not lib.Cryptography_HAS_SSL2 or protocol != PROTOCOL_SSLv2:
options |= lib.SSL_OP_NO_SSLv2
- if protocol != PROTOCOL_SSLv3:
+ if not lib.Cryptography_HAS_SSL3_METHOD or protocol != PROTOCOL_SSLv3:
options |= lib.SSL_OP_NO_SSLv3
# Minimal security flags for server and client side context.
# Client sockets ignore server-side parameters.
@@ -976,7 +977,7 @@
_errno = ffi.errno
if _errno:
lib.ERR_clear_error()
- raise OSError(_errno, "Error")
+ raise IOError(_errno, "Error")
else:
raise ssl_error(None)
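Review bot: `raise IOError(_errno, "Error")` on the changed line passes a placeholder as the strerror argument, so the exception's `.strerror` becomes the literal text "Error" and the real system message for `_errno` is lost; the three sibling sites changed later in this diff use `None` and `''`, which are no more informative and inconsistent with this one. Using `raise IOError(_errno, os.strerror(_errno))` at all four sites (adding `import os` at module top if it is not already there) gives callers the usual `[Errno N] message` text. On Python 3 `IOError` is an alias of `OSError`, so the rename itself is only observable on the Python 2 target this branch is written for. The enclosing function starts and ends outside this hunk.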
@@ -991,7 +992,7 @@
_errno = ffi.errno
if _errno:
lib.ERR_clear_error()
- raise OSError(_errno, None)
+ raise IOError(_errno, None)
else:
raise ssl_error(None)
@@ -1016,7 +1017,7 @@
if cadata is None:
ca_file_type = -1
else:
- if not isinstance(cadata, str):
+ if not isinstance(cadata, unicode):
ca_file_type = lib.SSL_FILETYPE_ASN1
else:
ca_file_type = lib.SSL_FILETYPE_PEM
@@ -1024,8 +1025,11 @@
cadata = cadata.encode('ascii')
except UnicodeEncodeError:
raise TypeError("cadata should be a ASCII string or a bytes-like object")
- if cafile is None and capath is None and cadata is None:
- raise TypeError("cafile and capath cannot be both omitted")
+ if cafile is None and capath is None:
+ if cadata is None:
+ raise TypeError("cafile and capath cannot be both omitted")
+ if not cadata:
+ raise ssl_error(None)
# load from cadata
if cadata is not None:
buf = _str_to_ffi_buffer(cadata)
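Review bot: The new empty-`cadata` check only runs when both `cafile` and `capath` are `None`, so a call with `cafile=...` and `cadata=b''` still falls through to `_str_to_ffi_buffer(cadata)` with a zero-length buffer while the same empty value without a cafile raises — the guard belongs outside the nested `if`, e.g. `if cadata is not None and not cadata: raise ssl_error(...)`. `ssl_error(None)` also reports whatever happens to be on the OpenSSL error queue, and nothing has been queued by this Python-level check, so the message will be empty or stale (what `ssl_error` does with an empty queue is not visible here); clearing the queue and giving an explicit reason along the lines of CPython's "no certificate or crl found" would make the failure diagnosable. The enclosing function (apparently `load_verify_locations`, judging by the cafile/capath/cadata parameters) starts and ends outside this hunk.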
@@ -1046,7 +1050,7 @@
_errno = ffi.errno
if _errno:
lib.ERR_clear_error()
- raise OSError(_errno, '')
+ raise IOError(_errno, '')
else:
raise ssl_error(None)
@@ -1143,7 +1147,7 @@
if bio == ffi.NULL:
_errno = ffi.errno
lib.ERR_clear_error()
- raise OSError(_errno, '')
+ raise IOError(_errno, '')
try:
dh = lib.PEM_read_bio_DHparams(bio, ffi.NULL, ffi.NULL, ffi.NULL)
finally:
@@ -1473,16 +1477,16 @@
def get_default_verify_paths():
- ofile_env = _cstr_decode_fs(lib.X509_get_default_cert_file_env())
+ ofile_env = _str_from_buf(lib.X509_get_default_cert_file_env())
if ofile_env is None:
return None
- ofile = _cstr_decode_fs(lib.X509_get_default_cert_file())
+ ofile = _str_from_buf(lib.X509_get_default_cert_file())
if ofile is None:
return None
- odir_env = _cstr_decode_fs(lib.X509_get_default_cert_dir_env())
+ odir_env = _str_from_buf(lib.X509_get_default_cert_dir_env())
if odir_env is None:
return None
- odir = _cstr_decode_fs(lib.X509_get_default_cert_dir())
+ odir = _str_from_buf(lib.X509_get_default_cert_dir())
if odir is None:
return odir
return (ofile_env, ofile, odir_env, odir);
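Review bot: Each `_str_from_buf(...)` call in `get_default_verify_paths` swaps `_cstr_decode_fs`, which tests for `ffi.NULL` (see the utility.py hunk in this diff), for a helper that calls `ffi.string(buf)` unconditionally, so the four `is None` guards that follow can no longer fire and a NULL return from the `X509_get_default_*` getters now reaches `ffi.string` instead of yielding `None`. Either keep `_cstr_decode_fs` here, or check the pointer first, e.g. `p = lib.X509_get_default_cert_file_env(); ofile_env = _str_from_buf(p) if p != ffi.NULL else None` for each of the four values. The results are now raw bytes rather than decoded text, which is presumably intended for the Python 2 target but deserves a one-line docstring saying so; the trailing `;` on the return line is also unusual in Python.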
diff --git a/lib_pypy/_cffi_ssl/_stdssl/utility.py b/lib_pypy/_cffi_ssl/_stdssl/utility.py
--- a/lib_pypy/_cffi_ssl/_stdssl/utility.py
+++ b/lib_pypy/_cffi_ssl/_stdssl/utility.py
@@ -8,13 +8,13 @@
return _str_with_len(ffi.cast("char*",data), length)
def _str_with_len(char_ptr, length):
- return ffi.buffer(char_ptr, length)[:].decode('utf-8')
+ return ffi.buffer(char_ptr, length)[:]
def _bytes_with_len(char_ptr, length):
return ffi.buffer(char_ptr, length)[:]
def _str_to_ffi_buffer(view):
- if isinstance(view, str):
+ if isinstance(view, unicode):
return ffi.from_buffer(view.encode())
elif isinstance(view, memoryview):
# NOTE pypy limitation StringBuffer does not allow
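Review bot: After this hunk `_str_with_len` and `_bytes_with_len` have identical bodies (`ffi.buffer(char_ptr, length)[:]`), and `_str_to_ffi_buffer` now tests `unicode`, so the module is committed to Python 2 semantics where `str` is bytes — presumably intended for this branch, but neither helper says so. A one-line docstring on `_str_with_len`, e.g. `"""Copy *length* bytes at char_ptr as a native str (bytes on Python 2); no decoding is done."""`, or simply `_str_with_len = _bytes_with_len`, would stop the next reader from re-adding the `.decode('utf-8')`. `_str_to_ffi_buffer` continues outside the hunk.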
@@ -25,7 +25,7 @@
return ffi.from_buffer(view)
def _str_from_buf(buf):
- return ffi.string(buf).decode('utf-8')
+ return ffi.string(buf)
def _cstr_decode_fs(buf):
if buf == ffi.NULL:
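Review bot: `_str_from_buf` now calls `ffi.string(buf)` with no NULL check, whereas `_cstr_decode_fs` directly below it tests `buf == ffi.NULL` first, and this diff moves several callers from the NULL-tolerant helper to this one. A short docstring stating the contract, e.g. `"""Return the C string at *buf* as bytes; *buf* must not be NULL (use _cstr_decode_fs for the NULL-tolerant form)."""`, would make that difference visible at the call sites. `_cstr_decode_fs` continues outside the hunk.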
diff --git a/lib_pypy/_ssl/__init__.py b/lib_pypy/_ssl/__init__.py
--- a/lib_pypy/_ssl/__init__.py
+++ b/lib_pypy/_ssl/__init__.py
@@ -3,6 +3,8 @@
from _cffi_ssl import _stdssl
from _cffi_ssl._stdssl import *
+OP_SINGLE_DH_USE = lib.SSL_OP_SINGLE_DH_USE
+OP_SINGLE_ECDH_USE = lib.SSL_OP_SINGLE_ECDH_USE
try: from __pypy__ import builtinify
except ImportError: builtinify = lambda f: f
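Review bot: The added `lib.SSL_OP_SINGLE_DH_USE` / `lib.SSL_OP_SINGLE_ECDH_USE` lines depend on the name `lib` reaching this module through `from _cffi_ssl._stdssl import *`, which only works while `_stdssl` has no `__all__` that omits it; an explicit `from _cffi_ssl._stdssl import lib` next to the existing imports would not break silently if that changes. It may also be simpler to have `_stdssl` export these the way it exports the other `OP_*` constants, so `_ssl` stays a thin re-export. A comment is worth adding as well: as far as I recall both options are no-ops on OpenSSL 1.1.0 and later (ephemeral keys are always regenerated) and only matter on 1.0.x builds, but `ssl.create_default_context` sets them unconditionally, which is why the names must exist.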