From 403b9171038868f22ac48e21ffa8c1e641209db7 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Mon, 20 May 2024 19:39:00 +0100 Subject: [PATCH 01/13] gh-109945 Enable spec of multiple curves/groups for TLS Signed-off-by: Nigel Jones --- Modules/_ssl.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 1f5f0215980971..35567d0b6b3abc 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4379,10 +4379,12 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) /*[clinic end generated code: output=23022c196e40d7d2 input=c2bafb6f6e34726b]*/ { PyObject *name_bytes; - int nid; + if (!PyUnicode_FSConverter(name, &name_bytes)) return NULL; assert(PyBytes_Check(name_bytes)); +#if OPENSSL_VERSION_MAJOR < 3 + int nid; nid = OBJ_sn2nid(PyBytes_AS_STRING(name_bytes)); Py_DECREF(name_bytes); if (nid == 0) { @@ -4390,7 +4392,6 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) "unknown elliptic curve name %R", name); return NULL; } -#if OPENSSL_VERSION_MAJOR < 3 EC_KEY *key = EC_KEY_new_by_curve_name(nid); if (key == NULL) { _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); @@ -4399,7 +4400,9 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) SSL_CTX_set_tmp_ecdh(self->ctx, key); EC_KEY_free(key); #else - if (!SSL_CTX_set1_groups(self->ctx, &nid, 1)) { + int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); + Py_DECREF(name_bytes); + if (!res) { _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } From 8ac3842d2ae86629ee28ce78054c1eb906564228 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 10:02:11 +0100 Subject: [PATCH 02/13] gh-109945 Additional testcases for ssl Signed-off-by: Nigel Jones --- Lib/test/test_ssl.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 6ec010d13f9e7e..2e3436ab2a3560 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1379,7 +1379,20 @@ def test_set_ecdh_curve(self): self.assertRaises(TypeError, ctx.set_ecdh_curve, None) self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo") - + self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:bar") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:prime256v1") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:prime256v1") + self.assertRaises(ValueError, ctx.set_ecdh_curve, ":") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b":") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "::") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"::") + self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:") + self.assertRaises(ValueError, ctx.set_ecdh_curve, ":prime256v1") + self.assertRaises(ValueError, ctx.set_ecdh_curve, b":prime256v1") def test_sni_callback(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) From 65490a2391551f0ba005f2369f17405196c41f8f Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Mon, 3 Jun 2024 19:31:40 +0100 Subject: [PATCH 03/13] gh-109945 Refine exception & add more tests Signed-off-by: Nigel Jones --- Lib/test/test_ssl.py | 18 ++++++++++-------- Modules/_ssl.c | 1 + 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 2e3436ab2a3560..fa82c2d8d1ec1f 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1375,6 +1375,8 @@ def test_set_ecdh_curve(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.set_ecdh_curve("prime256v1") ctx.set_ecdh_curve(b"prime256v1") + ctx.set_ecdh_curve("prime256v1:brainpoolP384r1") + ctx.set_ecdh_curve(b"prime256v1:brainpoolP384r1") self.assertRaises(TypeError, ctx.set_ecdh_curve) self.assertRaises(TypeError, ctx.set_ecdh_curve, None) self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo") @@ -1385,14 +1387,14 @@ def test_set_ecdh_curve(self): self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:bar") self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:prime256v1") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:prime256v1") - self.assertRaises(ValueError, ctx.set_ecdh_curve, ":") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b":") - self.assertRaises(ValueError, ctx.set_ecdh_curve, "::") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b"::") - self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:") - self.assertRaises(ValueError, ctx.set_ecdh_curve, ":prime256v1") - self.assertRaises(ValueError, ctx.set_ecdh_curve, b":prime256v1") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, ":") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b":") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, "::") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b"::") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b"prime256v1:") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, ":prime256v1") + #self.assertRaises(ValueError, ctx.set_ecdh_curve, b":prime256v1") def test_sni_callback(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 35567d0b6b3abc..2aac995f01dd0a 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4403,6 +4403,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); Py_DECREF(name_bytes); if (!res) { + PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name_bytes); _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } From 8ec8608e593364cd94c4dd95aca9987ecb991745 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Tue, 4 Jun 2024 07:28:19 +0000 Subject: [PATCH 04/13] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst diff --git a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst new file mode 100644 index 00000000000000..8b03547ffa9edc --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst @@ -0,0 +1 @@ +Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. From ebad50c381b7dfd33bb3072bac15ecbdd4ecd95d Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 08:32:34 +0100 Subject: [PATCH 05/13] gh-109945 update documentation Signed-off-by: Nigel Jones --- Doc/library/ssl.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index dc72f67c6361e2..03f8ccae92124d 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1763,11 +1763,12 @@ to speed up repeated connections from the same clients. .. method:: SSLContext.set_ecdh_curve(curve_name) - Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key + Set the curve names for Elliptic Curve-based Diffie-Hellman (ECDH) key exchange. ECDH is significantly faster than regular DH while arguably - as secure. The *curve_name* parameter should be a string describing - a well-known elliptic curve, for example ``prime256v1`` for a widely - supported curve. + as secure. The *curve_name* parameter should be a colon separated string describing + one or more well-known elliptic curves, for example ``prime256v1`` for a widely + supported curve, or ``prime256v1:brainpoolP384r1`` to specify two curves that will be + used on a client hello. This setting doesn't apply to client sockets. You can also use the :data:`OP_SINGLE_ECDH_USE` option to further improve security. From af71eeef58d4267f14bd4774b5f43c5e074524a2 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 08:46:45 +0100 Subject: [PATCH 06/13] gh-109945 fix incorrect reference management of string Signed-off-by: Nigel Jones --- Modules/_ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 2aac995f01dd0a..57894483959dcb 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4401,12 +4401,13 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) EC_KEY_free(key); #else int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); - Py_DECREF(name_bytes); if (!res) { PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name_bytes); + Py_DECREF(name_bytes); _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } + Py_DECREF(name_bytes); #endif Py_RETURN_NONE; } From 8459b6626ac8a5e0d4efc24079a7dbb4513a6cc9 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 09:34:38 +0100 Subject: [PATCH 07/13] gh-109945 fix openssl<3 tests Signed-off-by: Nigel Jones --- Lib/test/test_ssl.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index fa82c2d8d1ec1f..5f43a12abdf13a 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1375,12 +1375,15 @@ def test_set_ecdh_curve(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.set_ecdh_curve("prime256v1") ctx.set_ecdh_curve(b"prime256v1") - ctx.set_ecdh_curve("prime256v1:brainpoolP384r1") - ctx.set_ecdh_curve(b"prime256v1:brainpoolP384r1") + # Only OpenSSL 3 and above supported for multiple curves + if (IS_OPENSSL_3_0_0 >= 3): + ctx.set_ecdh_curve("prime256v1:brainpoolP384r1") + ctx.set_ecdh_curve(b"prime256v1:brainpoolP384r1") self.assertRaises(TypeError, ctx.set_ecdh_curve) self.assertRaises(TypeError, ctx.set_ecdh_curve, None) self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo") + # Multiple bad curves should cause error for any OpenSSL version self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo:bar") self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo:bar") self.assertRaises(ValueError, ctx.set_ecdh_curve, "prime256v1:bar") From 1af4b23566872df3e4cd7d501b308047892b0fd4 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 09:48:45 +0100 Subject: [PATCH 08/13] gh-109945 update docs to clarify change is OpenSSL 3 and above Signed-off-by: Nigel Jones --- Doc/library/ssl.rst | 11 +++++++---- .../2024-06-04-07-28-18.gh-issue-109945.02TejW.rst | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 03f8ccae92124d..1bfa20f683b49e 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1763,11 +1763,14 @@ to speed up repeated connections from the same clients. .. method:: SSLContext.set_ecdh_curve(curve_name) - Set the curve names for Elliptic Curve-based Diffie-Hellman (ECDH) key + Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key exchange. ECDH is significantly faster than regular DH while arguably - as secure. The *curve_name* parameter should be a colon separated string describing - one or more well-known elliptic curves, for example ``prime256v1`` for a widely - supported curve, or ``prime256v1:brainpoolP384r1`` to specify two curves that will be + as secure. The *curve_name* parameter should be a string describing + a well-known elliptic curve, for example ``prime256v1`` for a widely + supported curve. + + For OpenSSL 3.0 and above *curve_name* parameter can be a colon separated + list of curves, for example ``prime256v1:brainpoolP384r1`` specifies two curves that will be used on a client hello. This setting doesn't apply to client sockets. You can also use the diff --git a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst index 8b03547ffa9edc..9910c8efc1944d 100644 --- a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst +++ b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst @@ -1 +1 @@ -Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. +Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) for OpenSSL 3.0 and above by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. From b48e5bcbbd02782d1234e139e787c9a57b38a4e2 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 10:11:46 +0100 Subject: [PATCH 09/13] gh-109945 Corrected typo/whitespace in docs Signed-off-by: Nigel Jones --- Doc/library/ssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 1bfa20f683b49e..bfd3f65cb29466 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1769,7 +1769,7 @@ to speed up repeated connections from the same clients. a well-known elliptic curve, for example ``prime256v1`` for a widely supported curve. - For OpenSSL 3.0 and above *curve_name* parameter can be a colon separated + For OpenSSL 3.0 and above *curve_name* parameter can be a colon separated list of curves, for example ``prime256v1:brainpoolP384r1`` specifies two curves that will be used on a client hello. From 42ec0c884e1bc67ea87fa20c9e23513dc5a9e73e Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 11:47:38 +0100 Subject: [PATCH 10/13] gh-109945 Correct thread issue Signed-off-by: Nigel Jones --- Modules/_ssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 57894483959dcb..dc72b0bd764b48 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4401,13 +4401,12 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) EC_KEY_free(key); #else int res = SSL_CTX_set1_groups_list(self->ctx, PyBytes_AS_STRING(name_bytes)); + Py_DECREF(name_bytes); if (!res) { - PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name_bytes); - Py_DECREF(name_bytes); + PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name); _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } - Py_DECREF(name_bytes); #endif Py_RETURN_NONE; } From 67fd580680088cbf511b73e154113739562c3399 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Tue, 4 Jun 2024 12:24:47 +0100 Subject: [PATCH 11/13] gh-109945 do not call _setSSLError Signed-off-by: Nigel Jones --- Modules/_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index dc72b0bd764b48..ec4608eafb5797 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4404,7 +4404,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) Py_DECREF(name_bytes); if (!res) { PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name); - _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); + //_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } #endif From fae26208345bc91362fefb1c6a6aeaf18c93f1b5 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Wed, 17 Jul 2024 11:47:13 +0100 Subject: [PATCH 12/13] gh-109945 remove commented code Signed-off-by: Nigel Jones --- Modules/_ssl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index ec4608eafb5797..e7533deb1bcda3 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4404,7 +4404,6 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name) Py_DECREF(name_bytes); if (!res) { PyErr_Format(PyExc_ValueError,"unknown elliptic curves %R", name); - //_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } #endif From 8a2cbdee75dd0892366a62845a0ff1d7b5cb6479 Mon Sep 17 00:00:00 2001 From: Nigel Jones Date: Wed, 17 Jul 2024 14:29:02 +0100 Subject: [PATCH 13/13] gh-109945 update NEWS to correct function call format check Signed-off-by: Nigel Jones --- .../next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst index 9910c8efc1944d..8bb847203aa673 100644 --- a/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst +++ b/Misc/NEWS.d/next/Library/2024-06-04-07-28-18.gh-issue-109945.02TejW.rst @@ -1 +1 @@ -Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve(curve_name) for OpenSSL 3.0 and above by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a client hello. +Adds support for multiple curves to be specified in SSLContext.set_ecdh_curve() for OpenSSL 3.0 and above by setting curve_name to a colon separated list of curves. This allows multiple curves to be passed on a TLS client hello. pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy