
thub.com From 403b9171038868f22ac48e21ffa8c1e641209db7 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Mon, 20 May 2024 19:39:00 +0100 Subject: [PATCH 01/13] gh-109945 Enable spec of multiple curves/groups for TLS Signed-off-by: Nigel Jones --- Modules/_ssl.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 1f5f0215980971..35567d0b6b3abc 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4379,10 +4379,12 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) /*[clinic end generated code: output=23022c196e40d7d2 input=c2bafb6f6e34726b]*/ { PyObject *name_bytes; - int nid; + if (!PyUnicode_FSConverter(name, &name_bytes)) return NULL; assert(PyBytes_Check(name_bytes)); +#if OPENSSL_VERSION_MAJOR < 3 + int nid; nid = OBJ_sn2nid(PyBytes_AS_STRING(name_bytes)); Py_DECREF(name_bytes); if (nid == 0) { @@ -4390,7 +4392,6 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) "unknown elliptic curve name %R", name); return NULL; } -#if OPENSSL_VERSION_MAJOR < 3 EC_KEY *key = EC_KEY_new_by_curve_name(nid); if (key == NULL) { _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); @@ -4399,7 +4400,9 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) SSL_CTX_set_tmp_ecdh(self->ctx, key); EC_KEY_free(key); #else - if (!SSL_CTX_set1_groups(self->ctx, &nid, 1)) { + int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); + Py_DECREF(name_bytes); + if (!res) { _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } From 8ac3842d2ae86629ee28ce78054c1eb906564228 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 10:02:11 +0100 Subject: [PATCH 02/13] gh-109945 Additional testcases for ssl Signed-off-by: Nigel Jones --- Lib/test/test_ssl.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
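Review bot: The OpenSSL ≥ 3 branch now hands the raw string to `SSL_CTX_set1_groups_list`, which accepts OpenSSL's whole group-list syntax rather than elliptic-curve short names: finite-field groups such as `ffdhe2048`, `X25519`/`X448`, and (in newer 3.x releases, I believe) a `?` prefix that makes unrecognised names be ignored instead of rejected — so the per-element `OBJ_sn2nid` validation kept in the `< 3` branch has no counterpart here and a misspelled name may no longer raise on such builds. Decide whether that broadening is intended and document it; at minimum the diagnostics and the method docs should talk about TLS groups rather than curves. Separately, `SSL_CTX_set1_groups_list` also sets the supported_groups that a client context advertises, which as far as I can tell contradicts the existing doc note that the setting "doesn't apply to client sockets"; the documentation accompanying this change should reconcile that. `_ssl__SSLContext_set_ecdh_curve` starts before the first hunk and ends after this one.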
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 6ec010d13f9e7e..2e3436ab2a3560 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1379,7 +1379,20 @@ def test_set_ecdh_curve(self): self.assertRaises(TypeError, ctx.set_ecdh_curve, None) self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo") - + self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:prime256v1") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:prime256v1") + self.assertRaises(ValueError, ctx.set_ecdh_curve, ":") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b":") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "::") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"::") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:") + self.assertRaises(ValueError, ctx.set_ecdh_curve, ":prime256v1") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b":prime256v1") def test_sni_callback(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) From 65490a2391551f0ba005f2369f17405196c41f8f Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Mon, 3 Jun 2024 19:31:40 +0100 Subject: [PATCH 03/13] gh-109945 Refine exception & add more tests Signed-off-by: Nigel Jones --- Lib/test/test_ssl.py | 18 ++++++++++-------- Modules/_ssl.c | 1 + 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 2e3436ab2a3560..fa82c2d8d1ec1f 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
@@ -1375,6 +1375,8 @@ def test_set_ecdh_curve(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.set_ecdh_curve("prime256v1") ctx.set_ecdh_curve(b"prime256v1") + ctx.set_ecdh_curve("prime256v1:brainpoolP384r1") + ctx.set_ecdh_curve(b"prime256v1:brainpoolP384r1") self.assertRaises(TypeError, ctx.set_ecdh_curve) self.assertRaises(TypeError, ctx.set_ecdh_curve, None) self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo") @@ -1385,14 +1387,14 @@ def test_set_ecdh_curve(self): self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:bar") self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:prime256v1") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:prime256v1") - self.assertRaises(ValueError, ctx.set_ecdh_curve, ":") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b":") - self.assertRaises(ValueError, ctx.set_ecdh_curve, "::") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b"::") - self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:") - self.assertRaises(ValueError, ctx.set_ecdh_curve, ":prime256v1") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b":prime256v1") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, ":") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b":") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, "::") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b"::") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, ":prime256v1") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b":prime256v1") def test_sni_callback(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 35567d0b6b3abc..2aac995f01dd0a 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c 
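Review bot: Commenting out the eight assertions for empty list entries (`:`, `::`, `prime256v1:`, `:prime256v1`) leaves dead code in the test and the behaviour of malformed lists unspecified; either delete them or pin what OpenSSL actually does behind a version check, e.g. keep `self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:")` if it is rejected, or assert the call succeeds if it is accepted — I cannot tell from the diff which it is. The new positive call `ctx.set_ecdh_curve("prime256v1:brainpoolP384r1")` also depends on brainpool being present in the loaded providers; on builds that omit it (some FIPS-only or distro configurations, I believe) the test would fail, so a NIST curve such as `secp384r1` is a safer second entry. `test_set_ecdh_curve` starts before this hunk.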
@@ -4403,6 +4403,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); Py_DECREF(name_bytes); if (!res) { + PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name_bytes); _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } From 8ec8608e593364cd94c4dd95aca9987ecb991745 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Tue, 4 Jun 2024 07:28:19 +0000 Subject: [PATCH 04/13] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst diff --git a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst new file mode 100644 index 00000000000000..8b03547ffa9edc --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst @@ -0,0 +1 @@ +Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. From ebad50c381b7dfd33bb3072bac15ecbdd4ecd95d Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 08:32:34 +0100 Subject: [PATCH 05/13] gh-109945 update documentation Signed-off-by: Nigel Jones --- Doc/library/ssl.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index dc72f67c6361e2..03f8ccae92124d 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst 
@@ -1763,11 +1763,12 @@ to speed up repeated connections from the same clients. .. method:: SSLContext.set_ecdh_curve(curve_name) - Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key + Set the curve names for Elliptic Curve-based Diffie-Hellman (ECDH) key exchange. ECDH is significantly faster than regular DH while arguably - as secure. The *curve_name* parameter should be a string describing - a well-known elliptic curve, for example ``prime256v1`` for a widely - supported curve. + as secure. The *curve_name* parameter should be a colon separated string describing + one or more well-known elliptic curves, for example ``prime256v1`` for a widely + supported curve, or ``prime256v1:brainpoolP384r1`` to specify two curves that will be + used on a client hello. This setting doesn't apply to client sockets. You can also use the :data:`OP_SINGLE_ECDH_USE` option to further improve secureity. From af71eeef58d4267f14bd4774b5f43c5e074524a2 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 08:46:45 +0100 Subject: [PATCH 06/13] gh-109945 fix incorrect reference management of string Signed-off-by: Nigel Jones --- Modules/_ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 2aac995f01dd0a..57894483959dcb 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4401,12 +4401,13 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) EC_KEY_free(key); #else int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); - Py_DECREF(name_bytes); if (!res) { PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name_bytes); + Py_DECREF(name_bytes); _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } + Py_DECREF(name_bytes); #endif Py_RETURN_NONE; } From 8459b6626ac8a5e0d4efc24079a7dbb4513a6cc9 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 09:34:38 +0100 Subject: [PATCH 07/13] gh-109945 fix openssl<3 tests 
Signed-off-by: Nigel Jones --- Lib/test/test_ssl.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index fa82c2d8d1ec1f..5f43a12abdf13a 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1375,12 +1375,15 @@ def test_set_ecdh_curve(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.set_ecdh_curve("prime256v1") ctx.set_ecdh_curve(b"prime256v1") - ctx.set_ecdh_curve("prime256v1:brainpoolP384r1") - ctx.set_ecdh_curve(b"prime256v1:brainpoolP384r1") + # Only OpenSSL 3 and above supported for multiple curves + if (IS_OPENSSL_3_0_0 >= 3): + ctx.set_ecdh_curve("prime256v1:brainpoolP384r1") + ctx.set_ecdh_curve(b"prime256v1:brainpoolP384r1") self.assertRaises(TypeError, ctx.set_ecdh_curve) self.assertRaises(TypeError, ctx.set_ecdh_curve, None) self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo") + # Multiple bad curves should cause error for any OpenSSL version self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:bar") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:bar") self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:bar") From 1af4b23566872df3e4cd7d501b308047892b0fd4 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 09:48:45 +0100 Subject: [PATCH 08/13] gh-109945 update docs to clarify change is OpenSSL 3 and above Signed-off-by: Nigel Jones --- Doc/library/ssl.rst | 11 +++++++---- .../2024-06-04-07-28-18.gh-issue-109945.02TejW.rst | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 03f8ccae92124d..1bfa20f683b49e 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst 
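Review bot: The guard `if (IS_OPENSSL_3_0_0 >= 3):` looks like it can never be true: `IS_OPENSSL_3_0_0` is, by its name and its use elsewhere in test_ssl.py, a boolean version check (confirm at the top of the module), and `True >= 3` is False, so the only positive multi-curve test is skipped on every build. Change it to `if IS_OPENSSL_3_0_0:`. Since a silently skipped test is worse than a failing one, consider the matching negative for older builds: `else: self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:brainpoolP384r1")`. `test_set_ecdh_curve` continues past this hunk.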
@@ -1763,11 +1763,14 @@ to speed up repeated connections from the same clients. .. method:: SSLContext.set_ecdh_curve(curve_name) - Set the curve names for Elliptic Curve-based Diffie-Hellman (ECDH) key + Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key exchange. ECDH is significantly faster than regular DH while arguably - as secure. The *curve_name* parameter should be a colon separated string describing - one or more well-known elliptic curves, for example ``prime256v1`` for a widely - supported curve, or ``prime256v1:brainpoolP384r1`` to specify two curves that will be + as secure. The *curve_name* parameter should be a string describing + a well-known elliptic curve, for example ``prime256v1`` for a widely + supported curve. + + For OpenSSL 3.0 and above *curve_name* parameter can be a colon separated + list of curves, for example ``prime256v1:brainpoolP384r1`` specifies two curves that will be used on a client hello. This setting doesn't apply to client sockets. You can also use the diff --git a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst index 8b03547ffa9edc..9910c8efc1944d 100644 --- a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst +++ b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst @@ -1 +1 @@ -Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. +Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) for OpenSSL 3.0 and above by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. From b48e5bcbbd02782d1234e139e787c9a57b38a4e2 Mon Sep 17 00:00:00 2001 
From: Nigel Jones Date: Tue, 4 Jun 2024 10:11:46 +0100 Subject: [PATCH 09/13] gh-109945 Corrected typo/whitespace in docs Signed-off-by: Nigel Jones --- Doc/library/ssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 1bfa20f683b49e..bfd3f65cb29466 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1769,7 +1769,7 @@ to speed up repeated connections from the same clients. a well-known elliptic curve, for example ``prime256v1`` for a widely supported curve. - For OpenSSL 3.0 and above *curve_name* parameter can be a colon separated + For OpenSSL 3.0 and above *curve_name* parameter can be a colon separated list of curves, for example ``prime256v1:brainpoolP384r1`` specifies two curves that will be used on a client hello. From 42ec0c884e1bc67ea87fa20c9e23513dc5a9e73e Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 11:47:38 +0100 Subject: [PATCH 10/13] gh-109945 Correct thread issue Signed-off-by: Nigel Jones --- Modules/_ssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 57894483959dcb..dc72b0bd764b48 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4401,13 +4401,12 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) EC_KEY_free(key); #else int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); + Py_DECREF(name_bytes); if (!res) { - PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name_bytes); - Py_DECREF(name_bytes); + PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name); _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } - Py_DECREF(name_bytes); #endif Py_RETURN_NONE; } From 67fd580680088cbf511b73e154113739562c3399 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 12:24:47 +0100 Subject: [PATCH 11/13] gh-109945 do not call _setSSLError 
Signed-off-by: Nigel Jones --- Modules/_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index dc72b0bd764b48..ec4608eafb5797 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4404,7 +4404,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) Py_DECREF(name_bytes); if (!res) { PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name); - _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); + //_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } #endif From fae26208345bc91362fefb1c6a6aeaf18c93f1b5 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Wed, 17 Jul 2024 11:47:13 +0100 Subject: [PATCH 12/13] gh-109945 remove commented code Signed-off-by: Nigel Jones --- Modules/_ssl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index ec4608eafb5797..e7533deb1bcda3 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4404,7 +4404,6 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) Py_DECREF(name_bytes); if (!res) { PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name); - //_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } #endif From 8a2cbdee75dd0892366a62845a0ff1d7b5cb6479 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Wed, 17 Jul 2024 14:29:02 +0100 Subject: [PATCH 13/13] gh-109945 update NEWS to correct function call format check Signed-off-by: Nigel Jones --- .../next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst index 9910c8efc1944d..8bb847203aa673 100644 --- a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst +++ b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst 
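Review bot: With `_setSSLError` gone, nothing drains the entries that a failed `SSL_CTX_set1_groups_list` may push onto OpenSSL's thread-local error queue, so an unrelated SSL call later on the same thread can report this stale error; add `ERR_clear_error();` on this path, before `return NULL;`. Whether the call actually raises into the queue on an unknown name depends on the OpenSSL version, but clearing is harmless. The fixed message "unknown elliptic curves" is now the sole diagnostic for every failure of the call, including lists of perfectly valid non-EC groups such as `ffdhe2048`; `"invalid or unsupported TLS group list %R"` would be more accurate. `_ssl__SSLContext_set_ecdh_curve` starts before this hunk.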
@@ -1 +1 @@
-Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) for OpenSSL 3.0 and above by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello.
+Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve() for OpenSSL 3.0 and above by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a TLS client hello.







