Lines 2093-2128
|
2093 |
int proto_version = PY_SSL_VERSION_TLS; |
2093 |
int proto_version = PY_SSL_VERSION_TLS; |
2094 |
long options; |
2094 |
long options; |
2095 |
SSL_CTX *ctx = NULL; |
2095 |
SSL_CTX *ctx = NULL; |
2096 |
|
2096 |
int result = 0; |
|
|
2097 |
|
2097 |
if (!PyArg_ParseTupleAndKeywords( |
2098 |
if (!PyArg_ParseTupleAndKeywords( |
2098 |
args, kwds, "i:_SSLContext", kwlist, |
2099 |
args, kwds, "i:_SSLContext", kwlist, |
2099 |
&proto_version)) |
2100 |
&proto_version)) |
2100 |
return NULL; |
2101 |
return NULL; |
2101 |
|
2102 |
|
2102 |
PySSL_BEGIN_ALLOW_THREADS |
2103 |
PySSL_BEGIN_ALLOW_THREADS |
2103 |
if (proto_version == PY_SSL_VERSION_TLS1) |
2104 |
switch (proto_version) { |
|
|
2105 |
#ifndef OPENSSL_VERSION_1_1 |
2106 |
/* OpenSSL < 1.1 */ |
2107 |
#ifndef OPENSSL_NO_SSL2 |
2108 |
case PY_SSL_VERSION_SSL2: |
2109 |
ctx = SSL_CTX_new(SSLv2_method()); |
2110 |
break; |
2111 |
#endif |
2112 |
#ifndef OPENSSL_NO_SSL3 |
2113 |
case PY_SSL_VERSION_SSL3: |
2114 |
ctx = SSL_CTX_new(SSLv3_method()); |
2115 |
break; |
2116 |
#endif |
2117 |
#ifndef OPENSSL_NO_TLS1 |
2118 |
case PY_SSL_VERSION_TLS1: |
2104 |
ctx = SSL_CTX_new(TLSv1_method()); |
2119 |
ctx = SSL_CTX_new(TLSv1_method()); |
2105 |
#if HAVE_TLSv1_2 |
2120 |
break; |
2106 |
else if (proto_version == PY_SSL_VERSION_TLS1_1) |
2121 |
#endif |
|
|
2122 |
#if !defined(OPENSSL_NO_TLS1_1) && HAVE_TLSv1_2 |
2123 |
case PY_SSL_VERSION_TLS1_1: |
2107 |
ctx = SSL_CTX_new(TLSv1_1_method()); |
2124 |
ctx = SSL_CTX_new(TLSv1_1_method()); |
2108 |
else if (proto_version == PY_SSL_VERSION_TLS1_2) |
2125 |
break; |
|
|
2126 |
#endif |
2127 |
#if !defined(OPENSSL_NO_TLS1_2) && HAVE_TLSv1_2 |
2128 |
case PY_SSL_VERSION_TLS1_2: |
2109 |
ctx = SSL_CTX_new(TLSv1_2_method()); |
2129 |
ctx = SSL_CTX_new(TLSv1_2_method()); |
|
|
2130 |
break; |
2110 |
#endif |
2131 |
#endif |
|
|
2132 |
#else |
2133 |
/* OpenSSL >= 1.1 |
2134 |
* create context with TLS_method for all protocols |
2135 |
* no SSLv2_method in OpenSSL 1.1. |
2136 |
*/ |
2111 |
#ifndef OPENSSL_NO_SSL3 |
2137 |
#ifndef OPENSSL_NO_SSL3 |
2112 |
else if (proto_version == PY_SSL_VERSION_SSL3) |
2138 |
case PY_SSL_VERSION_SSL3: /* fallthrough */ |
2113 |
ctx = SSL_CTX_new(SSLv3_method()); |
|
|
2114 |
#endif |
2139 |
#endif |
2115 |
#ifndef OPENSSL_NO_SSL2 |
2140 |
#ifndef OPENSSL_NO_TLS1 |
2116 |
else if (proto_version == PY_SSL_VERSION_SSL2) |
2141 |
case PY_SSL_VERSION_TLS1: /* fallthrough */ |
2117 |
ctx = SSL_CTX_new(SSLv2_method()); |
2142 |
#endif |
|
|
2143 |
#if !defined(OPENSSL_NO_TLS1_1) && HAVE_TLSv1_2 |
2144 |
case PY_SSL_VERSION_TLS1_1: /* fallthrough */ |
2118 |
#endif |
2145 |
#endif |
2119 |
else if (proto_version == PY_SSL_VERSION_TLS) |
2146 |
#if !defined(OPENSSL_NO_TLS1_2) && HAVE_TLSv1_2 |
|
|
2147 |
case PY_SSL_VERSION_TLS1_2: /* fallthrough */ |
2148 |
#endif |
2149 |
#endif /* OpenSSL >= 1.1 */ |
2150 |
case PY_SSL_VERSION_TLS: |
2151 |
/* SSLv23 */ |
2120 |
ctx = SSL_CTX_new(TLS_method()); |
2152 |
ctx = SSL_CTX_new(TLS_method()); |
2121 |
else |
2153 |
break; |
2122 |
proto_version = -1; |
2154 |
default: |
|
|
2155 |
result = -1; |
2156 |
break; |
2157 |
} |
2123 |
PySSL_END_ALLOW_THREADS |
2158 |
PySSL_END_ALLOW_THREADS |
2124 |
|
2159 |
|
2125 |
if (proto_version == -1) { |
2160 |
if (result == -1) { |
2126 |
PyErr_SetString(PyExc_ValueError, |
2161 |
PyErr_SetString(PyExc_ValueError, |
2127 |
"invalid protocol version"); |
2162 |
"invalid protocol version"); |
2128 |
return NULL; |
2163 |
return NULL; |
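Review bot: The meaning of the new `result` flag is undocumented at its declaration (new line 2096), and after this hunk it is reused for a different failure class (OpenSSL API failures reported as SSLError rather than ValueError), so a reader of the `if (result == -1)` check at new line 2160 cannot tell which condition it covers; add `int result = 0;  /* -1: requested protocol is unknown or not built into this OpenSSL */`. Note also that on OpenSSL >= 1.1 every version-specific case now falls through to `TLS_method()`, so the `default:` branch is the only place a protocol compiled out of the library is rejected, and the single message "invalid protocol version" no longer distinguishes an unknown enum value from one this OpenSSL build does not support; a short comment on `default:` would make that intentional, or the message could say so. The enclosing function starts before this hunk and continues after it.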
Lines 2133-2138
|
2133 |
return NULL; |
2168 |
return NULL; |
2134 |
} |
2169 |
} |
2135 |
|
2170 |
|
|
|
2171 |
#ifdef OPENSSL_VERSION_1_1 |
2172 |
/* Emulate version specific methods with set min/max proto version */ |
2173 |
switch (proto_version) { |
2174 |
case PY_SSL_VERSION_SSL3: |
2175 |
/* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */ |
2176 |
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); |
2177 |
if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)) |
2178 |
result = -1; |
2179 |
if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)) |
2180 |
result = -1; |
2181 |
break; |
2182 |
case PY_SSL_VERSION_TLS1: |
2183 |
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)) |
2184 |
result = -1; |
2185 |
if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION)) |
2186 |
result = -1; |
2187 |
break; |
2188 |
case PY_SSL_VERSION_TLS1_1: |
2189 |
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION)) |
2190 |
result = -1; |
2191 |
if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)) |
2192 |
result = -1; |
2193 |
break; |
2194 |
case PY_SSL_VERSION_TLS1_2: |
2195 |
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) |
2196 |
result = -1; |
2197 |
if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)) |
2198 |
result = -1; |
2199 |
break; |
2200 |
default: |
2201 |
break; |
2202 |
} |
2203 |
if (result == -1) { |
2204 |
SSL_CTX_free(ctx); |
2205 |
_setSSLError(NULL, 0, __FILE__, __LINE__); |
2206 |
return NULL; |
2207 |
} |
2208 |
#endif |
2209 |
|
2136 |
assert(type != NULL && type->tp_alloc != NULL); |
2210 |
assert(type != NULL && type->tp_alloc != NULL); |
2137 |
self = (PySSLContext *) type->tp_alloc(type, 0); |
2211 |
self = (PySSLContext *) type->tp_alloc(type, 0); |
2138 |
if (self == NULL) { |
2212 |
if (self == NULL) { |
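Review bot: In the new OpenSSL >= 1.1 error path (new lines 2203-2207) `SSL_CTX_free(ctx)` runs before `_setSSLError(NULL, 0, __FILE__, __LINE__)` reads the thread's OpenSSL error queue, so the reported error depends on the free leaving that queue untouched; reporting first and freeing second removes the dependency: `_setSSLError(NULL, 0, __FILE__, __LINE__);` followed by `SSL_CTX_free(ctx);`. The four version cases repeat the same min/max pair, which a small `static int set_proto_bounds(SSL_CTX *ctx, int version)` helper would collapse, and the `PY_SSL_VERSION_SSL3` case could carry a note that clearing `SSL_OP_NO_SSLv3` is deliberately limited to a context the caller explicitly requested as SSLv3. This presumably sits after the `ctx == NULL` check that the `}` at new line 2169 closes, which is outside the hunk; if so, a comment saying the block relies on a valid ctx would help. The enclosing function starts before this hunk and continues after it.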