[pypy-commit] pypy cffi-libs: more hacking - should upstream SSL_OP_NO_SSLv2

mattip pypy.commits at gmail.com
Sat May 11 19:11:50 EDT 2019


Author: Matti Picus <matti.picus at gmail.com>
Branch: cffi-libs
Changeset: r96603:a5de172c4337
Date: 2019-05-10 08:08 -0700
http://bitbucket.org/pypy/pypy/changeset/a5de172c4337/

Log:	more hacking - should upstream SSL_OP_NO_SSLv2

diff --git a/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py b/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py
--- a/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py
+++ b/lib_pypy/_cffi_ssl/_cffi_src/openssl/ssl.py
@@ -71,6 +71,7 @@
 static const long SSL_OP_MICROSOFT_SESS_ID_BUG;
 static const long SSL_OP_NETSCAPE_CHALLENGE_BUG;
 static const long SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+static const long SSL_OP_NO_SSLv2;
 static const long SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG;
 static const long SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER;
 static const long SSL_OP_MSIE_SSLV2_RSA_PADDING;
diff --git a/lib_pypy/_cffi_ssl/_stdssl/__init__.py b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
--- a/lib_pypy/_cffi_ssl/_stdssl/__init__.py
+++ b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
@@ -68,7 +68,7 @@
             globals()[name[4:]] = getattr(lib, name)
 
 OP_ALL = lib.SSL_OP_ALL & ~lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-OP_NO_SSL_v2 = lib.SSL_OP_NO_SSL_v2
+OP_NO_SSLv2 = lib.SSL_OP_NO_SSLv2
 
 SSL_CLIENT = 0
 SSL_SERVER = 1
@@ -77,7 +77,8 @@
 
 if lib.Cryptography_HAS_SSL2:
     PROTOCOL_SSLv2  = 0
-PROTOCOL_SSLv3  = 1
+if lib.Cryptography_HAS_SSL3_METHOD:
+    PROTOCOL_SSLv3  = 1
 PROTOCOL_SSLv23 = 2
 PROTOCOL_TLS    = PROTOCOL_SSLv23
 PROTOCOL_TLSv1    = 3
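Review bot: `PROTOCOL_SSLv3` is now a conditionally defined name, so every later reference must test `lib.Cryptography_HAS_SSL3_METHOD` first so that short-circuit evaluation never reaches the undefined name; the two visible uses in the context constructor are reordered to do exactly that, but nothing records that the ordering is load-bearing. I'd add at the definition: `# Only defined when OpenSSL ships SSLv3; every use below must test lib.Cryptography_HAS_SSL3_METHOD before PROTOCOL_SSLv3 or it raises NameError on SSLv3-less builds.` Any other `PROTOCOL_SSLv3` reference elsewhere in the module (not visible here) would need the same guard; the existing `PROTOCOL_SSLv2` definition already follows this pattern with `Cryptography_HAS_SSL2`.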
@@ -156,7 +157,7 @@
     ffi.memmove(buf, password, len(password))
     return len(password)
 
-if lib.Cryptography_STATIC_CALLBACKS:
+if 0: # lib.Cryptography_STATIC_CALLBACKS:
     ffi.def_extern(_Cryptography_pem_password_cb)
     Cryptography_pem_password_cb = lib.Cryptography_pem_password_cb
 else:
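Review bot: `if 0: # lib.Cryptography_STATIC_CALLBACKS:` unconditionally disables the `def_extern` path for the PEM password callback and leaves the real condition as dead text, with no record of why; this is the kind of line that survives for years. If the static-callback build is broken on this branch, say so where the next reader will look: `# HACK: static callbacks disabled on cffi-libs until <reason>; restore lib.Cryptography_STATIC_CALLBACKS when fixed` (or a `TODO(mattip)`). Note the fallback branch is outside the hunk, so I can't tell what replaces the static callback; if it is a runtime `ffi.callback`, that is worth mentioning in the comment too since it affects how the password callback is invoked.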
@@ -530,7 +531,7 @@
         short_name = lib.SSL_COMP_get_name(comp_method)
         if short_name == ffi.NULL:
             return None
-        return _cstr_decode_fs(short_name)
+        return _str_from_buf(short_name)
 
     def version(self):
         if self.ssl == ffi.NULL:
@@ -781,7 +782,7 @@
             method = lib.TLSv1_1_method()
         elif lib.Cryptography_HAS_TLSv1_2 and protocol == PROTOCOL_TLSv1_2 :
             method = lib.TLSv1_2_method()
-        elif protocol == PROTOCOL_SSLv3 and lib.Cryptography_HAS_SSL3_METHOD:
+        elif lib.Cryptography_HAS_SSL3_METHOD and protocol == PROTOCOL_SSLv3:
             method = lib.SSLv3_method()
         elif lib.Cryptography_HAS_SSL2 and protocol == PROTOCOL_SSLv2:
             method = lib.SSLv2_method()
@@ -812,7 +813,7 @@
         options = lib.SSL_OP_ALL & ~lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
         if not lib.Cryptography_HAS_SSL2 or protocol != PROTOCOL_SSLv2:
             options |= lib.SSL_OP_NO_SSLv2
-        if protocol != PROTOCOL_SSLv3:
+        if not lib.Cryptography_HAS_SSL3_METHOD or protocol != PROTOCOL_SSLv3:
             options |= lib.SSL_OP_NO_SSLv3
         # Minimal security flags for server and client side context.
         # Client sockets ignore server-side parameters.
@@ -976,7 +977,7 @@
                 _errno = ffi.errno
                 if _errno:
                     lib.ERR_clear_error()
-                    raise OSError(_errno, "Error")
+                    raise IOError(_errno, "Error")
                 else:
                     raise ssl_error(None)
 
@@ -991,7 +992,7 @@
                 _errno = ffi.errno
                 if _errno:
                     lib.ERR_clear_error()
-                    raise OSError(_errno, None)
+                    raise IOError(_errno, None)
                 else:
                     raise ssl_error(None)
 
@@ -1016,7 +1017,7 @@
         if cadata is None:
             ca_file_type = -1
         else:
-            if not isinstance(cadata, str):
+            if not isinstance(cadata, unicode):
                 ca_file_type = lib.SSL_FILETYPE_ASN1
             else:
                 ca_file_type = lib.SSL_FILETYPE_PEM
@@ -1024,8 +1025,11 @@
                     cadata = cadata.encode('ascii')
                 except UnicodeEncodeError:
                     raise TypeError("cadata should be a ASCII string or a bytes-like object")
-        if cafile is None and capath is None and cadata is None:
-            raise TypeError("cafile and capath cannot be both omitted")
+        if cafile is None and capath is None:
+            if cadata is None:
+                raise TypeError("cafile and capath cannot be both omitted")
+            if not cadata:
+                raise ssl_error(None)
         # load from cadata
         if cadata is not None:
             buf = _str_to_ffi_buffer(cadata)
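Review bot: The new empty-`cadata` check sits under `cafile is None and capath is None`, so `load_verify_locations(cafile=..., cadata=b'')` still falls through to `_str_to_ffi_buffer(cadata)` below with a zero-length buffer, and when the check does fire it raises `ssl_error(None)` with, as far as I can see, nothing on the OpenSSL error queue to describe the problem. My recollection is that CPython's `_add_ca_certs` rejects empty data with `ValueError("Empty certificate data")` independent of the other arguments. I'd hoist it ahead of the omitted-both check: `if cadata is not None and not cadata: raise ValueError("Empty certificate data")`. The enclosing method starts and ends outside the hunk.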
@@ -1046,7 +1050,7 @@
                 _errno = ffi.errno
                 if _errno:
                     lib.ERR_clear_error()
-                    raise OSError(_errno, '')
+                    raise IOError(_errno, '')
                 else:
                     raise ssl_error(None)
 
@@ -1143,7 +1147,7 @@
         if bio == ffi.NULL:
             _errno = ffi.errno
             lib.ERR_clear_error()
-            raise OSError(_errno, '')
+            raise IOError(_errno, '')
         try:
             dh = lib.PEM_read_bio_DHparams(bio, ffi.NULL, ffi.NULL, ffi.NULL)
         finally:
@@ -1473,16 +1477,16 @@
 
 def get_default_verify_paths():
 
-    ofile_env = _cstr_decode_fs(lib.X509_get_default_cert_file_env())
+    ofile_env = _str_from_buf(lib.X509_get_default_cert_file_env())
     if ofile_env is None:
         return None
-    ofile = _cstr_decode_fs(lib.X509_get_default_cert_file())
+    ofile = _str_from_buf(lib.X509_get_default_cert_file())
     if ofile is None:
         return None
-    odir_env = _cstr_decode_fs(lib.X509_get_default_cert_dir_env())
+    odir_env = _str_from_buf(lib.X509_get_default_cert_dir_env())
     if odir_env is None:
         return None
-    odir = _cstr_decode_fs(lib.X509_get_default_cert_dir())
+    odir = _str_from_buf(lib.X509_get_default_cert_dir())
     if odir is None:
         return odir
     return (ofile_env, ofile, odir_env, odir);
diff --git a/lib_pypy/_cffi_ssl/_stdssl/utility.py b/lib_pypy/_cffi_ssl/_stdssl/utility.py
--- a/lib_pypy/_cffi_ssl/_stdssl/utility.py
+++ b/lib_pypy/_cffi_ssl/_stdssl/utility.py
@@ -8,13 +8,13 @@
     return _str_with_len(ffi.cast("char*",data), length)
 
 def _str_with_len(char_ptr, length):
-    return ffi.buffer(char_ptr, length)[:].decode('utf-8')
+    return ffi.buffer(char_ptr, length)[:]
 
 def _bytes_with_len(char_ptr, length):
     return ffi.buffer(char_ptr, length)[:]
 
 def _str_to_ffi_buffer(view):
-    if isinstance(view, str):
+    if isinstance(view, unicode):
         return ffi.from_buffer(view.encode())
     elif isinstance(view, memoryview):
         # NOTE pypy limitation StringBuffer does not allow
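Review bot: After dropping the `.decode('utf-8')`, `_str_with_len` and `_bytes_with_len` have byte-identical bodies, and `_str_to_ffi_buffer` now tests `unicode`, which only exists on Python 2 — so the str/bytes distinction these helpers encoded is gone without a word saying so. I'd either alias one to the other, `_str_with_len = _bytes_with_len`, or keep both with a comment such as `# Python 2 build: str is bytes, so no decode; kept as a separate name for callers that want text semantics`. Also note that `view.encode()` with no argument now means the Python 2 default (ASCII) rather than UTF-8, which is fine for the visible caller that already ASCII-encodes `cadata`, but worth stating in the docstring. `_str_to_ffi_buffer` continues past the hunk.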
@@ -25,7 +25,7 @@
     return ffi.from_buffer(view)
 
 def _str_from_buf(buf):
-    return ffi.string(buf).decode('utf-8')
+    return ffi.string(buf)
 
 def _cstr_decode_fs(buf):
     if buf == ffi.NULL:
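Review bot: `_str_from_buf` now replaces `_cstr_decode_fs` in `get_default_verify_paths`, but it has no NULL guard — `ffi.string(buf)` on a NULL pointer raises rather than returning None, so the four `if ... is None: return None` checks in that function are dead and a NULL from `X509_get_default_cert_file_env()` and friends becomes an exception. The guard that `_cstr_decode_fs` visibly has should move into the helper: `def _str_from_buf(buf):` / `    if buf == ffi.NULL:` / `        return None` / `    return ffi.string(buf)`. The other visible caller (`compression`) already checks NULL before calling, so this is backward-compatible.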
diff --git a/lib_pypy/_ssl/__init__.py b/lib_pypy/_ssl/__init__.py
--- a/lib_pypy/_ssl/__init__.py
+++ b/lib_pypy/_ssl/__init__.py
@@ -3,6 +3,8 @@
 from _cffi_ssl import _stdssl
 from _cffi_ssl._stdssl import *
 
+OP_SINGLE_DH_USE = lib.SSL_OP_SINGLE_DH_USE
+OP_SINGLE_ECDH_USE = lib.SSL_OP_SINGLE_ECDH_USE
 
 try: from __pypy__ import builtinify
 except ImportError: builtinify = lambda f: f
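Review bot: `OP_SINGLE_DH_USE = lib.SSL_OP_SINGLE_DH_USE` relies on a `lib` name that nothing in the visible lines imports; it presumably arrives via `from _cffi_ssl._stdssl import *`, which only works as long as `_stdssl` never grows an `__all__` that omits it. An explicit `from _cffi_ssl._stdssl import lib` (or defining these two constants inside `_stdssl` next to `OP_NO_SSLv2`) makes the dependency visible. Separately, these flags only have an effect if the context constructor ORs them into `options` by default — CPython does so for both — and the "Minimal security flags" block in this commit is cut off before I can see whether it does; please confirm.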

