|
Lines 2093-2128
Link Here
|
| 2093 |
int proto_version = PY_SSL_VERSION_TLS; |
2093 |
int proto_version = PY_SSL_VERSION_TLS; |
| 2094 |
long options; |
2094 |
long options; |
| 2095 |
SSL_CTX *ctx = NULL; |
2095 |
SSL_CTX *ctx = NULL; |
| 2096 |
|
2096 |
int result = 0; |
|
|
2097 |
|
| 2097 |
if (!PyArg_ParseTupleAndKeywords( |
2098 |
if (!PyArg_ParseTupleAndKeywords( |
| 2098 |
args, kwds, "i:_SSLContext", kwlist, |
2099 |
args, kwds, "i:_SSLContext", kwlist, |
| 2099 |
&proto_version)) |
2100 |
&proto_version)) |
| 2100 |
return NULL; |
2101 |
return NULL; |
| 2101 |
|
2102 |
|
| 2102 |
PySSL_BEGIN_ALLOW_THREADS |
2103 |
PySSL_BEGIN_ALLOW_THREADS |
| 2103 |
if (proto_version == PY_SSL_VERSION_TLS1) |
2104 |
switch (proto_version) { |
|
|
2105 |
#ifndef OPENSSL_VERSION_1_1 |
| 2106 |
/* OpenSSL < 1.1 */ |
| 2107 |
#ifndef OPENSSL_NO_SSL2 |
| 2108 |
case PY_SSL_VERSION_SSL2: |
| 2109 |
ctx = SSL_CTX_new(SSLv2_method()); |
| 2110 |
break; |
| 2111 |
#endif |
| 2112 |
#ifndef OPENSSL_NO_SSL3 |
| 2113 |
case PY_SSL_VERSION_SSL3: |
| 2114 |
ctx = SSL_CTX_new(SSLv3_method()); |
| 2115 |
break; |
| 2116 |
#endif |
| 2117 |
#ifndef OPENSSL_NO_TLS1 |
| 2118 |
case PY_SSL_VERSION_TLS1: |
| 2104 |
ctx = SSL_CTX_new(TLSv1_method()); |
2119 |
ctx = SSL_CTX_new(TLSv1_method()); |
| 2105 |
#if HAVE_TLSv1_2 |
2120 |
break; |
| 2106 |
else if (proto_version == PY_SSL_VERSION_TLS1_1) |
2121 |
#endif |
|
|
2122 |
#if !defined(OPENSSL_NO_TLS1_1) && HAVE_TLSv1_2 |
| 2123 |
case PY_SSL_VERSION_TLS1_1: |
| 2107 |
ctx = SSL_CTX_new(TLSv1_1_method()); |
2124 |
ctx = SSL_CTX_new(TLSv1_1_method()); |
| 2108 |
else if (proto_version == PY_SSL_VERSION_TLS1_2) |
2125 |
break; |
|
|
2126 |
#endif |
| 2127 |
#if !defined(OPENSSL_NO_TLS1_2) && HAVE_TLSv1_2 |
| 2128 |
case PY_SSL_VERSION_TLS1_2: |
| 2109 |
ctx = SSL_CTX_new(TLSv1_2_method()); |
2129 |
ctx = SSL_CTX_new(TLSv1_2_method()); |
|
|
2130 |
break; |
| 2110 |
#endif |
2131 |
#endif |
|
|
2132 |
#else |
| 2133 |
/* OpenSSL >= 1.1 |
| 2134 |
* create context with TLS_method for all protocols |
| 2135 |
* no SSLv2_method in OpenSSL 1.1. |
| 2136 |
*/ |
| 2111 |
#ifndef OPENSSL_NO_SSL3 |
2137 |
#ifndef OPENSSL_NO_SSL3 |
| 2112 |
else if (proto_version == PY_SSL_VERSION_SSL3) |
2138 |
case PY_SSL_VERSION_SSL3: /* fallthrough */ |
| 2113 |
ctx = SSL_CTX_new(SSLv3_method()); |
|
|
| 2114 |
#endif |
2139 |
#endif |
| 2115 |
#ifndef OPENSSL_NO_SSL2 |
2140 |
#ifndef OPENSSL_NO_TLS1 |
| 2116 |
else if (proto_version == PY_SSL_VERSION_SSL2) |
2141 |
case PY_SSL_VERSION_TLS1: /* fallthrough */ |
| 2117 |
ctx = SSL_CTX_new(SSLv2_method()); |
2142 |
#endif |
|
|
2143 |
#if !defined(OPENSSL_NO_TLS1_1) && HAVE_TLSv1_2 |
| 2144 |
case PY_SSL_VERSION_TLS1_1: /* fallthrough */ |
| 2118 |
#endif |
2145 |
#endif |
| 2119 |
else if (proto_version == PY_SSL_VERSION_TLS) |
2146 |
#if !defined(OPENSSL_NO_TLS1_2) && HAVE_TLSv1_2 |
|
|
2147 |
case PY_SSL_VERSION_TLS1_2: /* fallthrough */ |
| 2148 |
#endif |
| 2149 |
#endif /* OpenSSL >= 1.1 */ |
| 2150 |
case PY_SSL_VERSION_TLS: |
| 2151 |
/* SSLv23 */ |
| 2120 |
ctx = SSL_CTX_new(TLS_method()); |
2152 |
ctx = SSL_CTX_new(TLS_method()); |
| 2121 |
else |
2153 |
break; |
| 2122 |
proto_version = -1; |
2154 |
default: |
|
|
2155 |
result = -1; |
| 2156 |
break; |
| 2157 |
} |
| 2123 |
PySSL_END_ALLOW_THREADS |
2158 |
PySSL_END_ALLOW_THREADS |
| 2124 |
|
2159 |
|
| 2125 |
if (proto_version == -1) { |
2160 |
if (result == -1) { |
| 2126 |
PyErr_SetString(PyExc_ValueError, |
2161 |
PyErr_SetString(PyExc_ValueError, |
| 2127 |
"invalid protocol version"); |
2162 |
"invalid protocol version"); |
| 2128 |
return NULL; |
2163 |
return NULL; |
|
Lines 2133-2138
Link Here
|
| 2133 |
return NULL; |
2168 |
return NULL; |
| 2134 |
} |
2169 |
} |
| 2135 |
|
2170 |
|
|
|
2171 |
#ifdef OPENSSL_VERSION_1_1 |
| 2172 |
/* Emulate version specific methods with set min/max proto version */ |
| 2173 |
switch (proto_version) { |
| 2174 |
case PY_SSL_VERSION_SSL3: |
| 2175 |
/* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */ |
| 2176 |
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); |
| 2177 |
if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)) |
| 2178 |
result = -1; |
| 2179 |
if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)) |
| 2180 |
result = -1; |
| 2181 |
break; |
| 2182 |
case PY_SSL_VERSION_TLS1: |
| 2183 |
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)) |
| 2184 |
result = -1; |
| 2185 |
if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION)) |
| 2186 |
result = -1; |
| 2187 |
break; |
| 2188 |
case PY_SSL_VERSION_TLS1_1: |
| 2189 |
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION)) |
| 2190 |
result = -1; |
| 2191 |
if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)) |
| 2192 |
result = -1; |
| 2193 |
break; |
| 2194 |
case PY_SSL_VERSION_TLS1_2: |
| 2195 |
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) |
| 2196 |
result = -1; |
| 2197 |
if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)) |
| 2198 |
result = -1; |
| 2199 |
break; |
| 2200 |
default: |
| 2201 |
break; |
| 2202 |
} |
| 2203 |
if (result == -1) { |
| 2204 |
SSL_CTX_free(ctx); |
| 2205 |
_setSSLError(NULL, 0, __FILE__, __LINE__); |
| 2206 |
return NULL; |
| 2207 |
} |
| 2208 |
#endif |
| 2209 |
|
| 2136 |
assert(type != NULL && type->tp_alloc != NULL); |
2210 |
assert(type != NULL && type->tp_alloc != NULL); |
| 2137 |
self = (PySSLContext *) type->tp_alloc(type, 0); |
2211 |
self = (PySSLContext *) type->tp_alloc(type, 0); |
| 2138 |
if (self == NULL) { |
2212 |
if (self == NULL) { |
