├── src
│   └── OpenSSL
│       ├── py.typed
│       ├── __init__.py
│       ├── version.py
│       ├── debug.py
│       ├── rand.py
│       └── _util.py
├── doc
│   ├── install.rst
│   ├── changelog.rst
│   ├── images
│   │   ├── pyopenssl-icon.png
│   │   ├── pyopenssl-logo.png
│   │   ├── pyopenssl-brand.png
│   │   └── pyopenssl.svg
│   ├── Quotes
│   ├── README
│   ├── api.rst
│   ├── backward-compatibility.rst
│   ├── index.rst
│   ├── introduction.rst
│   ├── internals.rst
│   ├── Makefile
│   ├── api
│   │   ├── crypto.rst
│   │   └── ssl.rst
│   ├── make.bat
│   ├── conf.py
│   └── ChangeLog_old.txt
├── tests
│   ├── __init__.py
│   ├── test_debug.py
│   ├── util.py
│   ├── test_util.py
│   ├── conftest.py
│   └── test_rand.py
├── .github
│   ├── dependabot.yml
│   ├── workflows
│   │   ├── lock.yml
│   │   ├── release.yml
│   │   └── ci.yml
│   ├── downstream.d
│   │   ├── twisted.sh
│   │   ├── certbot-josepy.sh
│   │   └── certbot.sh
│   └── actions
│       └── upload-coverage
│           └── action.yml
├── .gitignore
├── .readthedocs.yml
├── MANIFEST.in
├── setup.cfg
├── INSTALL.rst
├── pyproject.toml
├── README.rst
├── noxfile.py
├── CODE_OF_CONDUCT.rst
├── setup.py
├── CONTRIBUTING.rst
├── LICENSE
└── CHANGELOG.rst

--------------------------------------------------------------------------------
/src/OpenSSL/py.typed:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/doc/install.rst:
--------------------------------------------------------------------------------
.. include:: ../INSTALL.rst

--------------------------------------------------------------------------------
/doc/changelog.rst:
--------------------------------------------------------------------------------
.. include:: ../CHANGELOG.rst

--------------------------------------------------------------------------------
/doc/images/pyopenssl-icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pyca/pyopenssl/HEAD/doc/images/pyopenssl-icon.png

--------------------------------------------------------------------------------
/doc/images/pyopenssl-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pyca/pyopenssl/HEAD/doc/images/pyopenssl-logo.png

--------------------------------------------------------------------------------
/doc/images/pyopenssl-brand.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pyca/pyopenssl/HEAD/doc/images/pyopenssl-brand.png

--------------------------------------------------------------------------------
/doc/Quotes:
--------------------------------------------------------------------------------
<Screwtape> I like how developing against OpenSSL is like a text adventure game with a maze of twisty passages, all alike.
%

--------------------------------------------------------------------------------
/doc/README:
--------------------------------------------------------------------------------
This is the pyOpenSSL documentation source. It uses Sphinx. To build the
documentation, install Sphinx and run:

    $ make html

--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
# Copyright (C) Jean-Paul Calderone
# See LICENSE for details.

"""
Package containing unit tests for :py:mod:`OpenSSL`.
"""

--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:
  - package-ecosystem: "github-actions"
    directories:
      - "/"
      - "/.github/actions/*/"
    schedule:
      interval: "daily"

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
build
dist
*.egg-info
*.pyc
*.pyo
__pycache__
.nox
doc/_build/
.coverage*
.eggs
examples/simple/*.cert
examples/simple/*.pkey
.cache
.mypy_cache

--------------------------------------------------------------------------------
/.readthedocs.yml:
--------------------------------------------------------------------------------
version: 2

sphinx:
  configuration: doc/conf.py

build:
  os: "ubuntu-24.04"
  tools:
    python: "3"
  jobs:
    post_install:
      - pip install .[docs]

--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
include LICENSE MANIFEST.in *.rst noxfile.py .coveragerc src/OpenSSL/py.typed
exclude .readthedocs.yml mypy.ini
recursive-include tests *.py
recursive-include doc *
prune doc/_build

--------------------------------------------------------------------------------
/tests/test_debug.py:
--------------------------------------------------------------------------------
from OpenSSL import version
from OpenSSL.debug import _env_info


def test_debug_info() -> None:
    """
    Debug info contains correct data.
    """
    # Just check a sample we control.
    assert version.__version__ in _env_info

--------------------------------------------------------------------------------
/.github/workflows/lock.yml:
--------------------------------------------------------------------------------
name: Lock Issues
on:
  schedule:
    - cron: '0 0 * * *'

permissions:
  issues: "write"

jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/lock-threads@v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          issue-inactive-days: 90
          pr-inactive-days: 90

--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
[metadata]
# Ensure LICENSE is included in wheels.
license_file = LICENSE

# bdist_rpm settings contributed by Mihai Ibanescu
# This is currently *not* actively tested.
[bdist_rpm]
release = 1
build_requires = openssl-devel python-devel python-sphinx
group = Development/Libraries
build_script = rpm/build_script
doc_files = doc/_build/html

--------------------------------------------------------------------------------
/.github/downstream.d/twisted.sh:
--------------------------------------------------------------------------------
#!/bin/bash -ex

case "${1}" in
    install)
        git clone --depth=1 https://github.com/twisted/twisted
        cd twisted
        git rev-parse HEAD
        pip install ".[all_non_platform]"
        ;;
    run)
        cd twisted
        python -m twisted.trial -j4 src/twisted
        ;;
    *)
        exit 1
        ;;
esac

--------------------------------------------------------------------------------
/doc/api.rst:
--------------------------------------------------------------------------------
.. _openssl:

:py:mod:`OpenSSL` --- Python interface to OpenSSL
=================================================

.. py:module:: OpenSSL
    :synopsis: Python interface to OpenSSL


This package provides a high-level interface to the functions in the
OpenSSL library. The following modules are defined:

.. toctree::
    :maxdepth: 2

    api/crypto
    api/ssl

--------------------------------------------------------------------------------
/doc/backward-compatibility.rst:
--------------------------------------------------------------------------------
Backward Compatibility
======================

pyOpenSSL has a very strong backward compatibility policy.
Generally speaking, you shouldn't ever be afraid of updating.

If breaking changes need to be made, they are:

#. …announced in the :doc:`changelog`.
#. …the old behavior raises a :exc:`DeprecationWarning` for a year.
#. …are done with another announcement in the :doc:`changelog`.

--------------------------------------------------------------------------------
/tests/util.py:
--------------------------------------------------------------------------------
# Copyright (C) Jean-Paul Calderone
# Copyright (C) Twisted Matrix Laboratories.
# See LICENSE for details.
"""
Helpers for the OpenSSL test suite, largely copied from
U{Twisted}.
"""

# This is the UTF-8 encoding of the SNOWMAN unicode code point.
NON_ASCII = b"\xe2\x98\x83".decode("utf-8")

# The type name expected in warnings about using the wrong string type.
WARNING_TYPE_EXPECTED = "str"

--------------------------------------------------------------------------------
/src/OpenSSL/__init__.py:
--------------------------------------------------------------------------------
# Copyright (C) AB Strakt
# See LICENSE for details.

"""
pyOpenSSL - A simple wrapper around the OpenSSL library
"""

from OpenSSL import SSL, crypto
from OpenSSL.version import (
    __author__,
    __copyright__,
    __email__,
    __license__,
    __summary__,
    __title__,
    __uri__,
    __version__,
)

__all__ = [
    "SSL",
    "__author__",
    "__copyright__",
    "__email__",
    "__license__",
    "__summary__",
    "__title__",
    "__uri__",
    "__version__",
    "crypto",
]

--------------------------------------------------------------------------------
/.github/downstream.d/certbot-josepy.sh:
--------------------------------------------------------------------------------
#!/bin/bash -ex

case "${1}" in
    install)
        git clone --depth=1 https://github.com/certbot/josepy
        cd josepy
        git rev-parse HEAD
        curl -sSL https://install.python-poetry.org | python3 -
        "${HOME}/.local/bin/poetry" self add poetry-plugin-export
        "${HOME}/.local/bin/poetry" export -f constraints.txt --dev --without-hashes -o constraints.txt
        pip install -e . pytest -c constraints.txt
        ;;
    run)
        cd josepy
        pytest tests
        ;;
    *)
        exit 1
        ;;
esac

--------------------------------------------------------------------------------
/tests/test_util.py:
--------------------------------------------------------------------------------
import pytest

from OpenSSL._util import exception_from_error_queue, lib


class TestErrors:
    """
    Tests for handling of certain OpenSSL error cases.
    """

    def test_exception_from_error_queue_nonexistent_reason(self) -> None:
        """
        :func:`exception_from_error_queue` raises ``ValueError`` when it
        encounters an OpenSSL error code which does not have a reason string.
        """
        lib.ERR_put_error(lib.ERR_LIB_EVP, 0, 1112, b"", 10)
        with pytest.raises(ValueError) as exc:
            exception_from_error_queue(ValueError)
        assert exc.value.args[0][0][2] == ""

--------------------------------------------------------------------------------
/.github/downstream.d/certbot.sh:
--------------------------------------------------------------------------------
#!/bin/bash -ex

case "${1}" in
    install)
        git clone --depth=1 https://github.com/certbot/certbot
        cd certbot
        git rev-parse HEAD
        tools/pip_install.py -e ./acme[test]
        tools/pip_install.py -e ./certbot[test]
        pip install -U pyopenssl
        ;;
    run)
        cd certbot
        # Ignore some warnings for now since they're now automatically promoted
        # to errors. We can probably remove this when acme gets split into
        # its own repo
        pytest -Wignore certbot
        pytest acme
        ;;
    *)
        exit 1
        ;;
esac

--------------------------------------------------------------------------------
/tests/conftest.py:
--------------------------------------------------------------------------------
# Copyright (c) The pyOpenSSL developers
# See LICENSE for details.

import pathlib
from tempfile import mktemp

import pytest


def pytest_report_header(config: pytest.Config) -> str:
    import cryptography

    import OpenSSL.SSL

    return (
        f"OpenSSL: "
        f"{OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION)!r}\n"
        f"cryptography: {cryptography.__version__}"
    )


@pytest.fixture
def tmpfile(tmp_path: pathlib.Path) -> bytes:
    """
    Return UTF-8-encoded bytes of a path to a tmp file.

    The file will be cleaned up after the test run.
    """
    return mktemp(dir=tmp_path).encode("utf-8")

--------------------------------------------------------------------------------
/src/OpenSSL/version.py:
--------------------------------------------------------------------------------
# Copyright (C) AB Strakt
# Copyright (C) Jean-Paul Calderone
# See LICENSE for details.

"""
pyOpenSSL - A simple wrapper around the OpenSSL library
"""

__all__ = [
    "__author__",
    "__copyright__",
    "__email__",
    "__license__",
    "__summary__",
    "__title__",
    "__uri__",
    "__version__",
]

__version__ = "25.3.0"

__title__ = "pyOpenSSL"
__uri__ = "https://pyopenssl.org/"
__summary__ = "Python wrapper module around the OpenSSL library"
__author__ = "The pyOpenSSL developers"
__email__ = "cryptography-dev@python.org"
__license__ = "Apache License, Version 2.0"
__copyright__ = f"Copyright 2001-2025 {__author__}"

--------------------------------------------------------------------------------
/.github/actions/upload-coverage/action.yml:
--------------------------------------------------------------------------------
name: Upload Coverage
description: Upload coverage files

runs:
  using: "composite"

  steps:
    - run: |
        COVERAGE_UUID=$(python3 -c "import uuid; print(uuid.uuid4())")
        echo "COVERAGE_UUID=${COVERAGE_UUID}" >> $GITHUB_OUTPUT
        if [ -f .coverage ]; then
          mv .coverage .coverage.${COVERAGE_UUID}
        fi
      id: coverage-uuid
      shell: bash
    - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }}
        path: |
          .coverage.*
        if-no-files-found: ignore
        include-hidden-files: true

--------------------------------------------------------------------------------
/doc/index.rst:
--------------------------------------------------------------------------------
=====================================
Welcome to pyOpenSSL's documentation!
=====================================

Release v\ |release| (:doc:`What's new? `).

pyOpenSSL is a rather thin wrapper around (a subset of) the OpenSSL library.
By thin wrapper we mean that many of the object methods do nothing more than
call the corresponding function in the OpenSSL library.


Contents:
=========

.. toctree::
    :maxdepth: 2

    introduction
    install
    api
    internals



Meta
----

.. toctree::
    :maxdepth: 1

    backward-compatibility
    changelog


Indices and tables
==================

* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`

--------------------------------------------------------------------------------
/tests/test_rand.py:
--------------------------------------------------------------------------------
# Copyright (c) Frederick Dean
# See LICENSE for details.

"""
Unit tests for `OpenSSL.rand`.
"""

from __future__ import annotations

import pytest

from OpenSSL import rand


class TestRand:
    @pytest.mark.parametrize("args", [(b"foo", None), (None, 3)])
    def test_add_wrong_args(self, args: tuple[object, object]) -> None:
        """
        `OpenSSL.rand.add` raises `TypeError` if called with arguments not of
        type `str` and `int`.
        """
        with pytest.raises(TypeError):
            rand.add(*args)  # type: ignore[arg-type]

    def test_add(self) -> None:
        """
        `OpenSSL.rand.add` adds entropy to the PRNG.
        """
        rand.add(b"hamburger", 3)

    def test_status(self) -> None:
        """
        `OpenSSL.rand.status` returns `1` if the PRNG has sufficient entropy,
        `0` otherwise.
        """
        assert rand.status() == 1

--------------------------------------------------------------------------------
/src/OpenSSL/debug.py:
--------------------------------------------------------------------------------
import ssl
import sys

import cffi
import cryptography

import OpenSSL.SSL

from . import version

_env_info = """\
pyOpenSSL: {pyopenssl}
cryptography: {cryptography}
cffi: {cffi}
cryptography's compiled against OpenSSL: {crypto_openssl_compile}
cryptography's linked OpenSSL: {crypto_openssl_link}
Python's OpenSSL: {python_openssl}
Python executable: {python}
Python version: {python_version}
Platform: {platform}
sys.path: {sys_path}""".format(
    pyopenssl=version.__version__,
    crypto_openssl_compile=OpenSSL._util.ffi.string(
        OpenSSL._util.lib.OPENSSL_VERSION_TEXT,
    ).decode("ascii"),
    crypto_openssl_link=OpenSSL.SSL.SSLeay_version(
        OpenSSL.SSL.SSLEAY_VERSION
    ).decode("ascii"),
    python_openssl=getattr(ssl, "OPENSSL_VERSION", "n/a"),
    cryptography=cryptography.__version__,
    cffi=cffi.__version__,
    python=sys.executable,
    python_version=sys.version,
    platform=sys.platform,
    sys_path=sys.path,
)


if __name__ == "__main__":
    print(_env_info)

--------------------------------------------------------------------------------
/doc/introduction.rst:
--------------------------------------------------------------------------------
.. _intro:

============
Introduction
============


History
=======

pyOpenSSL was originally created by Martin Sjögren because the SSL support in the standard library in Python 2.1 (the contemporary version of Python when the pyOpenSSL project was begun) was severely limited.
Other OpenSSL wrappers for Python at the time were also limited, though in different ways.

Later it was maintained by `Jean-Paul Calderone`_, who, among other things, made pyOpenSSL a pure Python project, something the current maintainers are *very* grateful for.

Over time the standard library's ``ssl`` module improved, but it never reached the completeness of pyOpenSSL's API coverage.
pyOpenSSL remains the only choice for full-featured TLS code in Python versions 3.8+ and PyPy_.


Development
===========

pyOpenSSL is collaboratively developed by the Python Cryptography Authority (PyCA_), which also maintains the low-level bindings called cryptography_.


.. include:: ../CONTRIBUTING.rst


.. _Jean-Paul Calderone: https://github.com/exarkun
.. _PyPy: http://pypy.org
.. _PyCA: https://github.com/pyca
.. _cryptography: https://github.com/pyca/cryptography

--------------------------------------------------------------------------------
/INSTALL.rst:
--------------------------------------------------------------------------------
Installation
============

To install pyOpenSSL::

    $ pip install pyopenssl

If you are installing in order to *develop* on pyOpenSSL, move to the root directory of a pyOpenSSL checkout, and run::

    $ pip install -e .[test]


.. warning::

    As of 0.14, pyOpenSSL is a pure-Python project.
    That means that if you encounter *any* kind of compiler errors, pyOpenSSL's bugtracker is the **wrong** place to report them because we *cannot* help you.

    Please take the time to read the errors and report them to, or ask for help from, the appropriate project.
    The most likely culprit is `cryptography `_, which contains the OpenSSL library bindings.


Supported OpenSSL Versions
--------------------------

pyOpenSSL supports the same platforms and releases as the upstream cryptography project `does `_.

You can always find out the versions of pyOpenSSL, cryptography, and the linked OpenSSL by running ``python -m OpenSSL.debug``.


Documentation
-------------

The documentation is written in reStructuredText and built using Sphinx::

    $ cd doc
    $ make html

--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
[tool.coverage.run]
branch = true
relative_files = true
source = ["OpenSSL", "tests/"]

[tool.coverage.paths]
source = [
    "src/OpenSSL",
    "*.nox/*/lib/python*/site-packages/OpenSSL",
    "*.nox/*/lib/pypy*/site-packages/OpenSSL",
    "*.nox/pypy/site-packages/OpenSSL",
    "*.nox\\*\\Lib\\site-packages\\OpenSSL",
]

[tool.coverage.report]
exclude_also = ["assert False"]
show_missing = true

[tool.mypy]
warn_unused_configs = true
strict = true
strict_bytes = true

[[tool.mypy.overrides]]
module = "OpenSSL.*"
warn_return_any = false

[[tool.mypy.overrides]]
module = "cryptography.*"
ignore_missing_imports = true

[[tool.mypy.overrides]]
module = "cffi.*"
ignore_missing_imports = true

[[tool.mypy.overrides]]
module = ["pretend"]
ignore_missing_imports = true

[tool.pytest.ini_options]
addopts = "-r s --strict-markers"
testpaths = ["tests"]

[tool.ruff]
lint.select = ['E', 'F', 'I', 'W', 'UP', 'RUF']
line-length = 79
# Remove if/when we move setup.py python-requires metadata to pyproject.toml
target-version = "py37"

[tool.ruff.lint.isort]
known-first-party = ["OpenSSL", "tests"]

--------------------------------------------------------------------------------
/src/OpenSSL/rand.py:
--------------------------------------------------------------------------------
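The `OpenSSL.rand` module source that follows is deprecated in favour of `os.urandom`, and its `add()` docstring says the function matters only when forking Python processes and reseeding afterwards. The added example below (not pyOpenSSL code; `UserspacePRNG` and the helper functions are constructed stand-ins, and `copy.deepcopy` models the memory duplication of `fork()` so it runs without forking) shows the failure mode behind that remark: a PRNG whose state lives in process memory yields identical output in parent and child until the child mixes in fresh entropy, whereas the kernel CSPRNG behind `os.urandom` has no process-local state to duplicate.

```python
from __future__ import annotations

import copy
import hashlib
import os


class UserspacePRNG:
    """Toy hash-chained PRNG kept in process memory (constructed for this
    illustration; it stands in for any userspace DRBG, not OpenSSL's)."""

    def __init__(self, seed: bytes) -> None:
        self._state = hashlib.sha256(b"seed:" + seed).digest()

    def add(self, buffer: bytes) -> None:
        """Mix fresh bytes into the state; the role OpenSSL.rand.add() plays."""
        self._state = hashlib.sha256(b"add:" + self._state + buffer).digest()

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            # Advance the state, then derive output from the new state.
            self._state = hashlib.sha256(b"next:" + self._state).digest()
            out += hashlib.sha256(b"out:" + self._state).digest()
        return out[:n]


def fork_without_reseed(seed: bytes) -> tuple[bytes, bytes]:
    """fork() duplicates the parent's memory, so the child's PRNG state is an
    exact copy; deepcopy models that duplication without an actual fork."""
    parent = UserspacePRNG(seed)
    child = copy.deepcopy(parent)
    return parent.random_bytes(16), child.random_bytes(16)


def fork_with_reseed(seed: bytes) -> tuple[bytes, bytes]:
    """Same duplication, but the child mixes in fresh kernel entropy first."""
    parent = UserspacePRNG(seed)
    child = copy.deepcopy(parent)
    child.add(os.urandom(32))  # what rand.add(buffer, entropy) exists for
    return parent.random_bytes(16), child.random_bytes(16)


def kernel_csprng_is_fork_safe() -> tuple[bytes, bytes]:
    """os.urandom reads from the kernel on every call: nothing process-local
    is inherited, which is why the module's own warning points there."""
    return os.urandom(16), os.urandom(16)


if __name__ == "__main__":
    p, c = fork_without_reseed(b"boot-time seed")
    print("identical streams without reseed:", p == c)
    p, c = fork_with_reseed(b"boot-time seed")
    print("identical streams after reseed:  ", p == c)
```

The parent's stream is unchanged by the child's reseed, so a service that forks workers after seeding a userspace PRNG once must reseed in every child (or simply read from the kernel); this is the property `rand.status()` cannot tell you about, since the copied state still counts as "seeded".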
""" 2 | PRNG management routines, thin wrappers. 3 | """ 4 | 5 | from __future__ import annotations 6 | 7 | import warnings 8 | 9 | from OpenSSL._util import lib as _lib 10 | 11 | warnings.warn( 12 | "OpenSSL.rand is deprecated - you should use os.urandom instead", 13 | DeprecationWarning, 14 | stacklevel=3, 15 | ) 16 | 17 | 18 | def add(buffer: bytes, entropy: int) -> None: 19 | """ 20 | Mix bytes from *string* into the PRNG state. 21 | 22 | The *entropy* argument is (the lower bound of) an estimate of how much 23 | randomness is contained in *string*, measured in bytes. 24 | 25 | For more information, see e.g. :rfc:`1750`. 26 | 27 | This function is only relevant if you are forking Python processes and 28 | need to reseed the CSPRNG after fork. 29 | 30 | :param buffer: Buffer with random data. 31 | :param entropy: The entropy (in bytes) measurement of the buffer. 32 | 33 | :return: :obj:`None` 34 | """ 35 | if not isinstance(buffer, bytes): 36 | raise TypeError("buffer must be a byte string") 37 | 38 | if not isinstance(entropy, int): 39 | raise TypeError("entropy must be an integer") 40 | 41 | _lib.RAND_add(buffer, len(buffer), entropy) 42 | 43 | 44 | def status() -> int: 45 | """ 46 | Check whether the PRNG has been seeded with enough data. 47 | 48 | :return: 1 if the PRNG is seeded enough, 0 otherwise. 
49 | """ 50 | return _lib.RAND_status() 51 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | on: 2 | workflow_dispatch: 3 | push: 4 | tags: 5 | - "*.*.*" 6 | 7 | name: release 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | build: 14 | name: Build distributions for PyPI 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1 19 | 20 | - name: Set up Python 21 | uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 22 | 23 | - name: Install build dependencies 24 | run: python -m pip install uv 25 | 26 | - name: Build distributions 27 | run: python -m uv build 28 | 29 | - name: Upload distributions 30 | uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 31 | with: 32 | name: pyopenssl-dists 33 | path: dist/ 34 | 35 | pypi: 36 | name: Publish to PyPI 37 | runs-on: ubuntu-latest 38 | needs: 39 | - build 40 | 41 | permissions: 42 | # Used to authenticate to PyPI via OIDC. 43 | id-token: write 44 | 45 | steps: 46 | - name: fetch dists 47 | uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 48 | with: 49 | name: pyopenssl-dists 50 | path: dist/ 51 | 52 | - name: publish 53 | if: github.event_name == 'push' 54 | uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 55 | with: 56 | attestations: true 57 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | ======================================================== 2 | pyOpenSSL -- A Python wrapper around the OpenSSL library 3 | ======================================================== 4 | 5 | .. 
image:: https://readthedocs.org/projects/pyopenssl/badge/?version=stable 6 | :target: https://pyopenssl.org/en/stable/ 7 | :alt: Stable Docs 8 | 9 | .. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main 10 | :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain 11 | 12 | **Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_ 13 | where possible. If you are using pyOpenSSL for anything other than making a TLS connection 14 | **you should move to cryptography and drop your pyOpenSSL dependency**. 15 | 16 | High-level wrapper around a subset of the OpenSSL library. Includes 17 | 18 | * ``SSL.Connection`` objects, wrapping the methods of Python's portable sockets 19 | * Callbacks written in Python 20 | * Extensive error-handling mechanism, mirroring OpenSSL's error codes 21 | 22 | ... and much more. 23 | 24 | You can find more information in the documentation_. 25 | Development takes place on GitHub_. 26 | 27 | 28 | Discussion 29 | ========== 30 | 31 | If you run into bugs, you can file them in our `issue tracker`_. 32 | 33 | We maintain a cryptography-dev_ mailing list for both user and development discussions. 34 | 35 | You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get involved. 36 | 37 | 38 | .. _documentation: https://pyopenssl.org/ 39 | .. _`issue tracker`: https://github.com/pyca/pyopenssl/issues 40 | .. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev 41 | .. _GitHub: https://github.com/pyca/pyopenssl 42 | .. 
_`pyca/cryptography`: https://github.com/pyca/cryptography 43 | -------------------------------------------------------------------------------- /noxfile.py: -------------------------------------------------------------------------------- 1 | import nox 2 | 3 | nox.options.reuse_existing_virtualenvs = True 4 | nox.options.default_venv_backend = "uv|virtualenv" 5 | 6 | MINIMUM_CRYPTOGRAPHY_VERSION = "46.0.0" 7 | 8 | 9 | @nox.session 10 | @nox.session(name="tests-cryptography-main") 11 | @nox.session(name="tests-cryptography-minimum") 12 | @nox.session(name="tests-wheel") 13 | @nox.session(name="tests-cryptography-minimum-wheel") 14 | @nox.session(name="tests-random-order") 15 | def tests(session: nox.Session) -> None: 16 | cryptography_version = None 17 | use_wheel = False 18 | random_order = False 19 | 20 | if "cryptography-main" in session.name: 21 | cryptography_version = "main" 22 | elif "cryptography-minimum" in session.name: 23 | cryptography_version = "minimum" 24 | 25 | if "wheel" in session.name: 26 | use_wheel = True 27 | 28 | if "random-order" in session.name: 29 | random_order = True 30 | 31 | session.env.update( 32 | { 33 | "PIP_NO_BINARY": "" if use_wheel else "cryptography", 34 | } 35 | ) 36 | 37 | deps = ["coverage>=4.2"] 38 | 39 | if cryptography_version == "minimum": 40 | deps.append(f"cryptography=={MINIMUM_CRYPTOGRAPHY_VERSION}") 41 | 42 | if random_order: 43 | deps.append("pytest-randomly") 44 | 45 | session.install(*deps) 46 | session.install("-e", ".[test]") 47 | if cryptography_version == "main": 48 | session.install("git+https://github.com/pyca/cryptography.git") 49 | 50 | session.run("openssl", "version", external=True) 51 | session.run("coverage", "run", "--parallel", "-m", "OpenSSL.debug") 52 | session.run( 53 | "coverage", "run", "--parallel", "-m", "pytest", "-v", *session.posargs 54 | ) 55 | 56 | 57 | @nox.session 58 | def lint(session: nox.Session) -> None: 59 | session.install("ruff") 60 | session.run("ruff", "check", ".") 61 | 
session.run("ruff", "format", "--check", ".") 62 | 63 | 64 | @nox.session 65 | def mypy(session: nox.Session) -> None: 66 | session.install("-e", ".[test]") 67 | session.install("mypy") 68 | session.run("mypy", "src/", "tests/") 69 | 70 | 71 | @nox.session(name="check-manifest") 72 | def check_manifest(session: nox.Session) -> None: 73 | session.install("check-manifest") 74 | session.run("check-manifest") 75 | 76 | 77 | @nox.session 78 | def docs(session: nox.Session) -> None: 79 | session.install("-e", ".[docs]") 80 | session.run( 81 | "sphinx-build", 82 | "-W", 83 | "-b", 84 | "html", 85 | "doc", 86 | "doc/_build/html", 87 | *session.posargs, 88 | ) 89 | -------------------------------------------------------------------------------- /doc/internals.rst: -------------------------------------------------------------------------------- 1 | .. _internals: 2 | 3 | Internals 4 | ========= 5 | 6 | We ran into three main problems developing this: Exceptions, callbacks and 7 | accessing socket methods. This is what this chapter is about. 8 | 9 | 10 | .. _exceptions: 11 | 12 | Exceptions 13 | ---------- 14 | 15 | We realized early that most of the exceptions would be raised by the I/O 16 | functions of OpenSSL, so it felt natural to mimic OpenSSL's error code system, 17 | translating them into Python exceptions. This naturally gives us the exceptions 18 | :py:exc:`.SSL.ZeroReturnError`, :py:exc:`.SSL.WantReadError`, 19 | :py:exc:`.SSL.WantWriteError`, :py:exc:`.SSL.WantX509LookupError` and 20 | :py:exc:`.SSL.SysCallError`. 21 | 22 | For more information about this, see section :ref:`openssl-ssl`. 23 | 24 | 25 | .. _callbacks: 26 | 27 | Callbacks 28 | --------- 29 | 30 | Callbacks were more of a problem when pyOpenSSL was written in C. 31 | Having switched to being written in Python using cffi, callbacks are now straightforward. 
32 | The problems that originally existed no longer do 33 | (if you are interested in the details you can find descriptions of those problems in the version control history for this document). 34 | 35 | .. _socket-methods: 36 | 37 | Accessing Socket Methods 38 | ------------------------ 39 | 40 | We quickly saw the benefit of wrapping socket methods in the 41 | :py:class:`.SSL.Connection` class, for an easy transition into using SSL. The 42 | problem here is that the :py:mod:`socket` module lacks a C API, and all the 43 | methods are declared static. One approach would be to have :py:mod:`.OpenSSL` as 44 | a submodule to the :py:mod:`socket` module, placing all the code in 45 | ``socketmodule.c``, but this is obviously not a good solution, since you 46 | might not want to import tonnes of extra stuff you're not going to use when 47 | importing the :py:mod:`socket` module. The other approach is to somehow get a 48 | pointer to the method to be called, either the C function, or a callable Python 49 | object. This is not really a good solution either, since there's a lot of 50 | lookups involved. 51 | 52 | The way it works is that you have to supply a :py:class:`socket`- **like** transport 53 | object to the :py:class:`.SSL.Connection`. The only requirement of this object is 54 | that it has a :py:meth:`fileno()` method that returns a file descriptor that's 55 | valid at the C level (i.e. you can use the system calls read and write). If you 56 | want to use the :py:meth:`connect()` or :py:meth:`accept()` methods of the 57 | :py:class:`.SSL.Connection` object, the transport object has to supply such 58 | methods too. Apart from them, any method lookups in the :py:class:`.SSL.Connection` 59 | object that fail are passed on to the underlying transport object. 
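The three lookup rules just described (a transport must expose ``fileno()``, I/O happens on that descriptor at the C level, and any other failed attribute lookup falls through to the transport) can be modelled in a few lines. The following is an added example, not pyOpenSSL's ``SSL.Connection``; ``TransportWrapper`` and the helper functions are constructed for illustration, and a ``socket.socketpair()`` stands in for a real network socket so it runs offline.

```python
from __future__ import annotations

import os
import socket
from typing import Any


class TransportWrapper:
    """Constructed model of the delegation rules in the Internals chapter;
    not pyOpenSSL's SSL.Connection."""

    def __init__(self, transport: Any) -> None:
        # Rule 1: the only hard requirement is a callable fileno().
        if not callable(getattr(transport, "fileno", None)):
            raise TypeError("transport object must provide a fileno() method")
        self._transport = transport

    def fileno(self) -> int:
        return self._transport.fileno()

    def send_raw(self, data: bytes) -> int:
        # Rule 2: the wrapper itself only needs the descriptor to be usable
        # with the read/write system calls.
        return os.write(self.fileno(), data)

    def recv_raw(self, n: int) -> bytes:
        return os.read(self.fileno(), n)

    def __getattr__(self, name: str) -> Any:
        # Rule 3: reached only when normal lookup on the wrapper fails;
        # forward to the transport, except for private/dunder names.
        if name.startswith("_"):
            raise AttributeError(name)
        return getattr(self._transport, name)


def roundtrip(payload: bytes) -> bytes:
    """Write through the wrapper on one end of a socketpair, read on the other."""
    left, right = socket.socketpair()
    try:
        wrapped = TransportWrapper(left)
        wrapped.send_raw(payload)
        return right.recv(len(payload))
    finally:
        left.close()
        right.close()


def forwarded_methods() -> dict[str, bool]:
    """Which methods the wrapper resolves only because the transport has them."""
    left, right = socket.socketpair()
    try:
        wrapped = TransportWrapper(left)
        wrapped.setblocking(False)  # not defined on the wrapper: forwarded
        return {
            "connect": hasattr(wrapped, "connect"),
            "accept": hasattr(wrapped, "accept"),
            "setblocking_applied": left.getblocking() is False,
        }
    finally:
        left.close()
        right.close()


def rejects_transport_without_fileno() -> bool:
    """A read()/write()-only object is exactly what the chapter says is
    not (yet) supported: it has no descriptor valid at the C level."""

    class NoDescriptor:
        def read(self, n: int) -> bytes:
            return b""

    try:
        TransportWrapper(NoDescriptor())
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip(b"hello over the descriptor"))
    print(forwarded_methods())
    print("rejected fileno-less transport:", rejects_transport_without_fileno())
```

The fall-through in ``__getattr__`` is what makes ``connect()`` and ``accept()`` appear on the wrapper only when the transport supplies them; it also means that whatever the transport exposes is reachable through the wrapper, so a caller should not assume a method it finds on the wrapped object is TLS-aware.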

Future changes might allow Python-level transport objects that, instead
of having :py:meth:`fileno()` methods, have :py:meth:`read()` and :py:meth:`write()`
methods, so more advanced features of Python can be used. This would probably
entail some sort of OpenSSL **BIOs**, but converting Python strings back and
forth is expensive, so this shouldn't be used unless necessary. Other nice
things would be to be able to pass in different transport objects for reading
and writing, but then the :py:meth:`fileno()` method of :py:class:`.SSL.Connection`
becomes virtually useless. Also, should the method resolution be used on the
read-transport or the write-transport?

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.rst:
--------------------------------------------------------------------------------
Contributor Covenant Code of Conduct
====================================

Our Pledge
----------

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

Our Standards
-------------

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

Our Responsibilities
--------------------

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

Scope
-----

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
Representation of a project may be further defined and clarified by project maintainers.

Enforcement
-----------

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting either the project maintainer Hynek Schlawack at hs@ox.cx or -- e.g. in case of a conflict of interest -- Amber Brown at hawkowl@atleastfornow.net.
All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.
The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

Attribution
-----------

This Code of Conduct is adapted from the `Contributor Covenant `_, version 1.4, available at http://contributor-covenant.org/version/1/4.

--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# Copyright (C) Jean-Paul Calderone 2008-2015, All rights reserved
#

"""
Installation script for the OpenSSL package.
"""

import os
import re

from setuptools import find_packages, setup

HERE = os.path.abspath(os.path.dirname(__file__))
META_PATH = os.path.join("src", "OpenSSL", "version.py")


def read_file(*parts):
    """
    Build an absolute path from *parts* and return the contents of the
    resulting file. Assume UTF-8 encoding.
    """
    with open(os.path.join(HERE, *parts), encoding="utf-8", newline=None) as f:
        return f.read()


META_FILE = read_file(META_PATH)


def find_meta(meta):
    """
    Extract __*meta*__ from META_FILE.
    """
    meta_match = re.search(
        rf"^__{meta}__ = ['\"]([^'\"]*)['\"]", META_FILE, re.M
    )
    if meta_match:
        return meta_match.group(1)
    raise RuntimeError(f"Unable to find __{meta}__ string.")


URI = find_meta("uri")
LONG = (
    read_file("README.rst")
    + "\n\n"
    + "Release Information\n"
    + "===================\n\n"
    + re.search(
        r"(\d{2}.\d.\d \(.*?\)\n.*?)\n\n\n----\n",
        read_file("CHANGELOG.rst"),
        re.S,
    ).group(1)
    + "\n\n`Full changelog "
    + "<{uri}en/stable/changelog.html>`_.\n\n"
).format(uri=URI)


if __name__ == "__main__":
    setup(
        name=find_meta("title"),
        version=find_meta("version"),
        description=find_meta("summary"),
        long_description=LONG,
        author=find_meta("author"),
        author_email=find_meta("email"),
        url=URI,
        project_urls={
            "Source": "https://github.com/pyca/pyopenssl",
        },
        license=find_meta("license"),
        classifiers=[
            "Development Status :: 6 - Mature",
            "Intended Audience :: Developers",
            "License :: OSI Approved :: Apache Software License",
            "Operating System :: MacOS :: MacOS X",
            "Operating System :: Microsoft :: Windows",
            "Operating System :: POSIX",
            "Programming Language :: Python :: 3",
            "Programming Language :: Python :: 3.8",
            "Programming Language :: Python :: 3.9",
            "Programming Language :: Python :: 3.10",
            "Programming Language :: Python :: 3.11",
            "Programming Language :: Python :: 3.12",
            "Programming Language :: Python :: 3.13",
            "Programming Language :: Python :: Implementation :: CPython",
            "Programming Language :: Python :: Implementation :: PyPy",
            "Topic :: Security :: Cryptography",
            "Topic :: Software Development :: Libraries :: Python Modules",
            "Topic :: System :: Networking",
        ],
        python_requires=">=3.8",
        packages=find_packages(where="src"),
        package_dir={"": "src"},
        install_requires=[
            "cryptography>=46.0.0,<47",
            (
                "typing-extensions>=4.9; "
                "python_version < '3.13' and python_version >= '3.8'"
            ),
        ],
        extras_require={
            "test": ["pytest-rerunfailures", "pretend", "pytest>=3.0.1"],
            "docs": [
                "sphinx!=5.2.0,!=5.2.0.post0,!=7.2.5",
                "sphinx_rtd_theme",
            ],
        },
    )

--------------------------------------------------------------------------------
/src/OpenSSL/_util.py:
--------------------------------------------------------------------------------
from __future__ import annotations

import os
import sys
import warnings
from typing import Any, Callable, NoReturn, Union

from cryptography.hazmat.bindings.openssl.binding import Binding

if sys.version_info >= (3, 9):
    StrOrBytesPath = Union[str, bytes, os.PathLike[str], os.PathLike[bytes]]
else:
    StrOrBytesPath = Union[str, bytes, os.PathLike]

binding = Binding()
ffi = binding.ffi
lib: Any = binding.lib


# This is a special CFFI allocator that does not bother to zero its memory
# after allocation. This has vastly better performance on large allocations and
# so should be used whenever we don't need the memory zeroed out.
no_zero_allocator = ffi.new_allocator(should_clear_after_alloc=False)


def text(charp: Any) -> str:
    """
    Get a native string type representation of the given CFFI ``char*`` object.

    :param charp: A C-style string represented using CFFI.

    :return: :class:`str`
    """
    if not charp:
        return ""
    return ffi.string(charp).decode("utf-8")


def exception_from_error_queue(exception_type: type[Exception]) -> NoReturn:
    """
    Convert an OpenSSL library failure into a Python exception.

    When a call to the native OpenSSL library fails, this is usually signalled
    by the return value, and an error code is stored in an error queue
    associated with the current thread. The err library provides functions to
    obtain these error codes and textual error messages.
    """
    errors = []

    while True:
        error = lib.ERR_get_error()
        if error == 0:
            break
        errors.append(
            (
                text(lib.ERR_lib_error_string(error)),
                text(lib.ERR_func_error_string(error)),
                text(lib.ERR_reason_error_string(error)),
            )
        )

    raise exception_type(errors)


def make_assert(error: type[Exception]) -> Callable[[bool], Any]:
    """
    Create an assert function that uses :func:`exception_from_error_queue` to
    raise an exception wrapped by *error*.
    """

    def openssl_assert(ok: bool) -> None:
        """
        If *ok* is not True, retrieve the error from OpenSSL and raise it.
        """
        if ok is not True:
            exception_from_error_queue(error)

    return openssl_assert


def path_bytes(s: StrOrBytesPath) -> bytes:
    """
    Convert a Python path to a :py:class:`bytes` for the path which can be
    passed into an OpenSSL API accepting a filename.

    :param s: A path (valid for os.fspath).

    :return: An instance of :py:class:`bytes`.
    """
    b = os.fspath(s)

    if isinstance(b, str):
        return b.encode(sys.getfilesystemencoding())
    else:
        return b


def byte_string(s: str) -> bytes:
    return s.encode("charmap")


# A marker object to observe whether some optional arguments are passed any
# value or not.
UNSPECIFIED = object()

_TEXT_WARNING = "str for {0} is no longer accepted, use bytes"


def text_to_bytes_and_warn(label: str, obj: Any) -> Any:
    """
    If ``obj`` is text, emit a warning that it should be bytes instead and try
    to convert it to bytes automatically.

    :param str label: The name of the parameter from which ``obj`` was taken
        (so a developer can easily find the source of the problem and correct
        it).

    :return: If ``obj`` is the text string type, a ``bytes`` object giving the
        UTF-8 encoding of that text is returned. Otherwise, ``obj`` itself is
        returned.
    """
    if isinstance(obj, str):
        warnings.warn(
            _TEXT_WARNING.format(label),
            category=DeprecationWarning,
            stacklevel=3,
        )
        return obj.encode("utf-8")
    return obj

--------------------------------------------------------------------------------
/doc/Makefile:
--------------------------------------------------------------------------------
# Makefile for Sphinx documentation
#

# You can set these variables from the command line.
SPHINXOPTS    =
SPHINXBUILD   = sphinx-build
PAPER         =
BUILDDIR      = _build

# Internal variables.
PAPEROPT_a4     = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest

help:
	@echo "Please use \`make <target>' where <target> is one of"
	@echo "  html       to make standalone HTML files"
	@echo "  dirhtml    to make HTML files named index.html in directories"
	@echo "  singlehtml to make a single large HTML file"
	@echo "  pickle     to make pickle files"
	@echo "  json       to make JSON files"
	@echo "  htmlhelp   to make HTML files and a HTML help project"
	@echo "  qthelp     to make HTML files and a qthelp project"
	@echo "  devhelp    to make HTML files and a Devhelp project"
	@echo "  epub       to make an epub"
	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
	@echo "  text       to make text files"
	@echo "  man        to make manual pages"
	@echo "  changes    to make an overview of all changed/added/deprecated items"
	@echo "  linkcheck  to check all external links for integrity"
	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"

clean:
	-rm -rf $(BUILDDIR)/*

html:
	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."

dirhtml:
	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."

singlehtml:
	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
	@echo
	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."

pickle:
	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
	@echo
	@echo "Build finished; now you can process the pickle files."

json:
	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
	@echo
	@echo "Build finished; now you can process the JSON files."

htmlhelp:
	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
	@echo
	@echo "Build finished; now you can run HTML Help Workshop with the" \
	      ".hhp project file in $(BUILDDIR)/htmlhelp."

qthelp:
	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
	@echo
	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/pyOpenSSL.qhcp"
	@echo "To view the help file:"
	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/pyOpenSSL.qhc"

devhelp:
	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
	@echo
	@echo "Build finished."
	@echo "To view the help file:"
	@echo "# mkdir -p $$HOME/.local/share/devhelp/pyOpenSSL"
	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/pyOpenSSL"
	@echo "# devhelp"

epub:
	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
	@echo
	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."

latex:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo
	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
	@echo "Run \`make' in that directory to run these through (pdf)latex" \
	      "(use \`make latexpdf' here to do that automatically)."

latexpdf:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through pdflatex..."
	make -C $(BUILDDIR)/latex all-pdf
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

text:
	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
	@echo
	@echo "Build finished. The text files are in $(BUILDDIR)/text."

man:
	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
	@echo
	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."

changes:
	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
	@echo
	@echo "The overview file is in $(BUILDDIR)/changes."

linkcheck:
	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
	@echo
	@echo "Link check complete; look for any errors in the above output " \
	      "or in $(BUILDDIR)/linkcheck/output.txt."

doctest:
	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
	@echo "Testing of doctests in the sources finished, look at the " \
	      "results in $(BUILDDIR)/doctest/output.txt."

--------------------------------------------------------------------------------
/doc/api/crypto.rst:
--------------------------------------------------------------------------------
.. _openssl-crypto:

:py:mod:`crypto` --- Generic cryptographic module
=================================================

.. py:module:: OpenSSL.crypto
   :synopsis: Generic cryptographic module

.. danger::

    **This module is pending deprecation, use pyca/cryptography instead.**

    `pyca/cryptography`_ is likely a better choice than using this module.
    It contains a complete set of cryptographic primitives as well as a significantly better and more powerful X509 API.
    If necessary you can convert to and from cryptography objects using the ``to_cryptography`` and ``from_cryptography`` methods on ``X509``, ``X509Req``, ``CRL``, and ``PKey``.


Elliptic curves
---------------

.. autofunction:: get_elliptic_curves

.. autofunction:: get_elliptic_curve

Serialization and deserialization
---------------------------------

The following serialization functions take one of these constants to determine the format.

.. py:data:: FILETYPE_PEM

    :data:`FILETYPE_PEM` serializes data to a Base64-encoded representation of the underlying ASN.1 data structure. This representation includes delimiters that define what data structure is contained within the Base64-encoded block: for example, for a certificate, the delimiters are ``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----``.

.. py:data:: FILETYPE_ASN1

    :data:`FILETYPE_ASN1` serializes data to the underlying ASN.1 data structure. The format used by :data:`FILETYPE_ASN1` is also sometimes referred to as DER.

Certificates
~~~~~~~~~~~~

.. autofunction:: dump_certificate

.. autofunction:: load_certificate

Certificate signing requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. autofunction:: dump_certificate_request

.. autofunction:: load_certificate_request

Private keys
~~~~~~~~~~~~

.. autofunction:: dump_privatekey

.. autofunction:: load_privatekey

Public keys
~~~~~~~~~~~

.. autofunction:: dump_publickey

.. autofunction:: load_publickey


.. _openssl-x509:

X509 objects
------------

.. autoclass:: X509
    :members:

.. _openssl-x509name:

X509Name objects
----------------

.. autoclass:: X509Name
    :members:
    :special-members:
    :exclude-members: __repr__, __getattr__, __weakref__

.. _openssl-x509req:

X509Req objects
---------------

.. autoclass:: X509Req
    :members:
    :special-members:
    :exclude-members: __weakref__

.. _openssl-x509store:

X509Store objects
-----------------

.. autoclass:: X509Store
    :members:

.. _openssl-x509storecontexterror:

X509StoreContextError objects
-----------------------------

.. autoclass:: X509StoreContextError
    :members:

.. _openssl-x509storecontext:

X509StoreContext objects
------------------------

.. autoclass:: X509StoreContext
    :members:

.. _openssl-x509storeflags:

X509StoreFlags constants
------------------------

.. autoclass:: X509StoreFlags

    .. data:: CRL_CHECK
    .. data:: CRL_CHECK_ALL
    .. data:: IGNORE_CRITICAL
    .. data:: X509_STRICT
    .. data:: ALLOW_PROXY_CERTS
    .. data:: POLICY_CHECK
    .. data:: EXPLICIT_POLICY
    .. data:: INHIBIT_MAP
    .. data:: NOTIFY_POLICY
    .. data:: CHECK_SS_SIGNATURE
    .. data:: PARTIAL_CHAIN

.. _openssl-pkey:

PKey objects
------------

.. autoclass:: PKey
    :members:

.. py:data:: TYPE_RSA
             TYPE_DSA

    Key type constants.

.. _openssl-509ext:

X509Extension objects
---------------------

.. autoclass:: X509Extension
    :members:
    :special-members:
    :exclude-members: __weakref__

Exceptions
----------

.. py:exception:: Error

    Generic exception used in the :py:mod:`.crypto` module.


Digest names
------------

Several of the functions and methods in this module take a digest name.
These must be strings describing a digest algorithm supported by OpenSSL (by ``EVP_get_digestbyname``, specifically).
For example, :const:`b"sha256"` or :const:`b"sha384"`.

More information and a list of these digest names can be found in the ``EVP_DigestInit(3)`` man page of your OpenSSL installation.
This page can be found online for the latest version of OpenSSL:
https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html

.. _`pyca/cryptography`: https://cryptography.io

--------------------------------------------------------------------------------
/doc/make.bat:
--------------------------------------------------------------------------------
@ECHO OFF

REM Command file for Sphinx documentation

if "%SPHINXBUILD%" == "" (
	set SPHINXBUILD=sphinx-build
)
set BUILDDIR=_build
set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
if NOT "%PAPER%" == "" (
	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
)

if "%1" == "" goto help

if "%1" == "help" (
	:help
	echo.Please use `make ^<target^>` where ^<target^> is one of
	echo.  html       to make standalone HTML files
	echo.  dirhtml    to make HTML files named index.html in directories
	echo.  singlehtml to make a single large HTML file
	echo.  pickle     to make pickle files
	echo.  json       to make JSON files
	echo.  htmlhelp   to make HTML files and a HTML help project
	echo.  qthelp     to make HTML files and a qthelp project
	echo.  devhelp    to make HTML files and a Devhelp project
	echo.  epub       to make an epub
	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter
	echo.  text       to make text files
	echo.  man        to make manual pages
	echo.  changes    to make an overview over all changed/added/deprecated items
	echo.  linkcheck  to check all external links for integrity
	echo.  doctest    to run all doctests embedded in the documentation if enabled
	goto end
)

if "%1" == "clean" (
	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
	del /q /s %BUILDDIR%\*
	goto end
)

if "%1" == "html" (
	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished. The HTML pages are in %BUILDDIR%/html.
	goto end
)

if "%1" == "dirhtml" (
	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
	goto end
)

if "%1" == "singlehtml" (
	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
	goto end
)

if "%1" == "pickle" (
	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished; now you can process the pickle files.
	goto end
)

if "%1" == "json" (
	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished; now you can process the JSON files.
	goto end
)

if "%1" == "htmlhelp" (
	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished; now you can run HTML Help Workshop with the ^
.hhp project file in %BUILDDIR%/htmlhelp.
	goto end
)

if "%1" == "qthelp" (
	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished; now you can run "qcollectiongenerator" with the ^
.qhcp project file in %BUILDDIR%/qthelp, like this:
	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\pyOpenSSL.qhcp
	echo.To view the help file:
	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\pyOpenSSL.ghc
	goto end
)

if "%1" == "devhelp" (
	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished.
	goto end
)

if "%1" == "epub" (
	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished. The epub file is in %BUILDDIR%/epub.
	goto end
)

if "%1" == "latex" (
	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
	goto end
)

if "%1" == "text" (
	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished. The text files are in %BUILDDIR%/text.
	goto end
)

if "%1" == "man" (
	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
	if errorlevel 1 exit /b 1
	echo.
	echo.Build finished. The manual pages are in %BUILDDIR%/man.
	goto end
)

if "%1" == "changes" (
	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
	if errorlevel 1 exit /b 1
	echo.
	echo.The overview file is in %BUILDDIR%/changes.
	goto end
)

if "%1" == "linkcheck" (
	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
	if errorlevel 1 exit /b 1
	echo.
	echo.Link check complete; look for any errors in the above output ^
or in %BUILDDIR%/linkcheck/output.txt.
	goto end
)

if "%1" == "doctest" (
	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
	if errorlevel 1 exit /b 1
	echo.
	echo.Testing of doctests in the sources finished, look at the ^
results in %BUILDDIR%/doctest/output.txt.
	goto end
)

:end

--------------------------------------------------------------------------------
/CONTRIBUTING.rst:
--------------------------------------------------------------------------------
Contributing
============

First of all, thank you for your interest in contributing to pyOpenSSL!
This project has no company backing its development, therefore we're dependent on help by the community.


Filing bug reports
------------------

Bug reports are very welcome.
Please file them on the `GitHub issue tracker`_.
Good bug reports come with extensive descriptions of the error and how to reproduce it.
Reporters are strongly encouraged to include a `short, self contained, correct example `_.


Patches
-------

All patches to pyOpenSSL should be submitted in the form of pull requests to the main pyOpenSSL repository, `pyca/pyopenssl`_.
These pull requests should satisfy the following properties:


Code
^^^^

- The pull request should focus on one particular improvement to pyOpenSSL.
  Create different pull requests for unrelated features or bugfixes.
- Code should follow `PEP 8`_, especially in the "do what code around you does" sense.
  Following OpenSSL naming for callables whenever possible is preferred.
- Pull requests that introduce code must test all new behavior they introduce as well as previously untested or poorly tested behavior that they touch.
- Pull requests are not allowed to break existing tests.
  We usually don't comment on pull requests that are breaking the CI because we consider them work in progress.
  Please note that not having 100% code coverage for the code you wrote/touched also causes our CI to fail.


Documentation
^^^^^^^^^^^^^

When introducing new functionality, please remember to write documentation.

- New functions and methods should have a docstring describing what they do, what parameters they take, and what they return. They should also come with `type hints`_.

  .. code-block:: python

      def dump_publickey(type: int, pkey: PKey) -> bytes:
          """
          Dump a public key to a buffer.

          :param type: The file type (one of :data:`FILETYPE_PEM` or
              :data:`FILETYPE_ASN1`).
          :param pkey: The PKey to dump.

          :return: The buffer with the dumped key in it.
          """


  Don't forget to add an ``.. auto(function|class|method)::`` statement to the relevant API document found in ``doc/api/`` to actually add your function to the Sphinx documentation.
- Do *not* use ``:py:`` prefixes when cross-linking (Python is default).
  Do *not* use the generic ``:data:`` or ``:obj:``.
  Instead use more specific types like ``:class:``, ``:func:`` or ``:meth:`` if applicable.
- Pull requests that introduce features or fix bugs should note those changes in the CHANGELOG.rst_ file.
  Please add new entries to the *top* of the *current* Changes section followed by a line linking to the relevant pull request:

  .. code-block:: rst

     - Added ``OpenSSL.crypto.some_func()`` to do something awesome.
       [`#1 `_]


- Use `semantic newlines`_ in reStructuredText_ files (files ending in ``.rst``).


Review
------

Finally, pull requests must be reviewed before merging.
This process mirrors the `cryptography code review process`_.
Everyone can perform reviews; this is a very valuable way to contribute, and is highly encouraged.

Pull requests are merged by `members of PyCA`_.
They should, of course, keep all the requirements detailed in this document as well as the ``pyca/cryptography`` merge requirements in mind.

The final responsibility for the reviewing of merged code lies with the person merging it.
Since pyOpenSSL is a sensitive project from a security perspective, reviewers are strongly encouraged to take this review and merge process very seriously.


Finding Help
------------

If you need any help with the contribution process, you'll find us hanging out at ``#cryptography-dev`` on Freenode_ IRC.
You can also ask questions on our `mailing list`_.

Please note that this project is released with a Contributor `Code of Conduct`_.
By participating in this project you agree to abide by its terms.


Security
--------

If you feel that you found a security-relevant bug that you would prefer to discuss in private, please send us a GPG_-encrypted e-mail.

The maintainer can be reached at hs@ox.cx and his GPG key ID is ``0xAE2536227F69F181`` (Fingerprint: ``C2A0 4F86 ACE2 8ADC F817 DBB7 AE25 3622 7F69 F181``).
Feel free to cross-check this information with Keybase_.


.. _GitHub issue tracker: https://github.com/pyca/pyopenssl/issues
.. _GPG: https://en.wikipedia.org/wiki/GNU_Privacy_Guard
.. _Keybase: https://keybase.io/hynek
.. _pyca/pyopenssl: https://github.com/pyca/pyopenssl
.. _PEP 8: https://www.python.org/dev/peps/pep-0008/
.. _`type hints`: https://docs.python.org/3/library/typing.html
.. _cryptography code review process: https://cryptography.io/en/latest/development/reviewing-patches/
.. _freenode: https://freenode.net
.. _mailing list: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _members of PyCA: https://github.com/orgs/pyca/people
.. _semantic newlines: http://rhodesmill.org/brandon/2012/one-sentence-per-line/
.. _reStructuredText: http://sphinx-doc.org/rest.html
.. _CHANGELOG.rst: https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst
.. _`Code of Conduct`: https://github.com/pyca/pyopenssl/blob/main/CODE_OF_CONDUCT.rst

--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
name: CI
on:
  pull_request: {}
  push: {}

jobs:
  linux:
    runs-on: ${{ matrix.PYTHON.OS || 'ubuntu-latest' }}
    strategy:
      fail-fast: false
      matrix:
        PYTHON:
          # Base builds
          - {VERSION: "3.8", NOXSESSION: "tests"}
          - {VERSION: "3.9", NOXSESSION: "tests"}
          - {VERSION: "3.10", NOXSESSION: "tests"}
          - {VERSION: "3.11", NOXSESSION: "tests"}
          - {VERSION: "3.12", NOXSESSION: "tests"}
          - {VERSION: "3.13", NOXSESSION: "tests"}
          - {VERSION: "3.14", NOXSESSION: "tests"}
          - {VERSION: "3.14t", NOXSESSION: "tests"}
          - {VERSION: "pypy-3.11", NOXSESSION: "tests"}
          - {VERSION: "3.11", NOXSESSION: "tests-wheel", OS: "windows-latest"}
          - {VERSION: "3.14t", NOXSESSION: "tests-wheel", OS: "windows-latest"}
          # -cryptography-main
          - {VERSION: "3.8", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.9", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.10", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.11", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.12", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.13", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.14", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "3.14t", NOXSESSION: "tests-cryptography-main"}
          - {VERSION: "pypy-3.11", NOXSESSION: "tests-cryptography-main"}
          # -cryptography-minimum
          - {VERSION: "3.8", NOXSESSION: "tests-cryptography-minimum"}
          - {VERSION: "3.9", NOXSESSION: "tests-cryptography-minimum"}
          - {VERSION: "3.10", NOXSESSION: "tests-cryptography-minimum"}
          - {VERSION: "3.11", NOXSESSION: "tests-cryptography-minimum"}
          - {VERSION: "3.12", NOXSESSION: "tests-cryptography-minimum"}
          - {VERSION: "3.13", NOXSESSION: "tests-cryptography-minimum"}
          - {VERSION: "pypy-3.11", NOXSESSION: "tests-cryptography-minimum"}
          # Cryptography wheels
          - {VERSION: "3.9", NOXSESSION: "tests-cryptography-minimum-wheel"}
          - {VERSION: "3.9", NOXSESSION: "tests-wheel"}
          # Random order
          - {VERSION: "3.9", NOXSESSION: "tests-random-order"}
          # Meta
          - {VERSION: "3.9", NOXSESSION: "check-manifest"}
          - {VERSION: "3.11", NOXSESSION: "lint"}
          - {VERSION: "3.13", NOXSESSION: "mypy"}
          - {VERSION: "3.9", NOXSESSION: "docs"}
    steps:
      - uses: actions/checkout@v6.0.1
      - name: Setup python
        uses: actions/setup-python@v6.1.0
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}
      - run: python -m pip install nox
      - run: nox
        env:
          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
      - uses: ./.github/actions/upload-coverage

  linux-docker:
    runs-on: ubuntu-latest
    container: ghcr.io/pyca/cryptography-runner-${{ matrix.TEST.CONTAINER }}
    strategy:
      fail-fast: false
      matrix:
        TEST:
          # cryptography-main used since there's no wheel
          - {CONTAINER: "ubuntu-rolling", NOXSESSION: "tests-cryptography-main"}
    name: "${{ matrix.TEST.NOXSESSION }} on ${{ matrix.TEST.CONTAINER }}"
    steps:
      - uses: actions/checkout@v6.0.1
      - run: /venv/bin/pip install nox
      - run: /venv/bin/nox
        env:
          RUSTUP_HOME: /root/.rustup
          NOXSESSION: ${{ matrix.TEST.NOXSESSION }}
      - uses: ./.github/actions/upload-coverage

  linux-downstream:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        DOWNSTREAM:
          - twisted
          - certbot
          - certbot-josepy
        PYTHON:
          - 3.12
    name: "Downstream tests for ${{ matrix.DOWNSTREAM }}"
    steps:
      - uses: actions/checkout@v6.0.1
      - name: Setup python
        uses: actions/setup-python@v6.1.0
        with:
          python-version: ${{
matrix.PYTHON }} 102 | - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install 103 | - run: pip install . 104 | - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run 105 | 106 | all-green: 107 | runs-on: ubuntu-latest 108 | needs: [linux, linux-docker, linux-downstream] 109 | if: ${{ always() }} 110 | timeout-minutes: 3 111 | steps: 112 | - name: Decide whether the needed jobs succeeded or failed 113 | uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 114 | with: 115 | jobs: ${{ toJSON(needs) }} 116 | 117 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1 118 | timeout-minutes: 3 119 | with: 120 | persist-credentials: false 121 | - name: Setup python 122 | uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 123 | with: 124 | python-version: '3.12' 125 | timeout-minutes: 3 126 | - run: pip install coverage[toml] 127 | - name: Download coverage data 128 | uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 129 | with: 130 | pattern: coverage-data-* 131 | merge-multiple: true 132 | - name: Combine coverage and fail if it's too low 133 | id: combinecoverage 134 | run: | 135 | set +e 136 | python -m coverage combine 137 | echo "## Python Coverage" >> $GITHUB_STEP_SUMMARY 138 | python -m coverage report -m --fail-under=98 > COV_REPORT 139 | COV_EXIT_CODE=$? 140 | cat COV_REPORT 141 | if [ $COV_EXIT_CODE -ne 0 ]; then 142 | echo "🚨 Python Coverage failed. Coverage too low." | tee -a $GITHUB_STEP_SUMMARY 143 | fi 144 | echo '```' >> $GITHUB_STEP_SUMMARY 145 | cat COV_REPORT >> $GITHUB_STEP_SUMMARY 146 | echo '```' >> $GITHUB_STEP_SUMMARY 147 | exit $COV_EXIT_CODE 148 | - name: Create coverage HTML 149 | run: python -m coverage html 150 | if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} 151 | - name: Upload HTML report. 
152 | uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 153 | with: 154 | name: _html-report 155 | path: htmlcov 156 | if-no-files-found: ignore 157 | -------------------------------------------------------------------------------- /doc/images/pyopenssl.svg: -------------------------------------------------------------------------------- [SVG image (image/svg+xml): pyOpenSSL logo; markup not reproduced] -------------------------------------------------------------------------------- /doc/conf.py: -------------------------------------------------------------------------------- 1 | # 2 | # pyOpenSSL documentation build configuration file, created by 3 | # sphinx-quickstart on Sat Jul 16 07:12:22 2011. 4 | # 5 | # This file is execfile()d with the current directory set to its parent dir. 6 | # 7 | # Note that not all possible configuration values are present in this 8 | # autogenerated file. 9 | # 10 | # All configuration values have a default; values that are commented out 11 | # serve to show the default. 12 | 13 | import codecs 14 | import os 15 | import re 16 | import sys 17 | 18 | HERE = os.path.abspath(os.path.dirname(__file__)) 19 | 20 | 21 | def read_file(*parts): 22 | """ 23 | Build an absolute path from *parts* and return the contents of the 24 | resulting file. Assume UTF-8 encoding. 
25 | """ 26 | with codecs.open(os.path.join(HERE, *parts), "rb", "ascii") as f: 27 | return f.read() 28 | 29 | 30 | def find_version(*file_paths): 31 | version_file = read_file(*file_paths) 32 | version_match = re.search( 33 | r"^__version__ = ['\"]([^'\"]*)['\"]", version_file, re.M 34 | ) 35 | if version_match: 36 | return version_match.group(1) 37 | raise RuntimeError("Unable to find version string.") 38 | 39 | 40 | DOC_DIR = os.path.abspath(os.path.dirname(__file__)) 41 | sys.path.insert(0, os.path.abspath(os.path.join(DOC_DIR, ".."))) 42 | 43 | # If extensions (or modules to document with autodoc) are in another directory, 44 | # add these directories to sys.path here. If the directory is relative to the 45 | # documentation root, use os.path.abspath to make it absolute, like shown here. 46 | # sys.path.insert(0, os.path.abspath('.')) 47 | 48 | # -- General configuration ---------------------------------------------------- 49 | 50 | # If your documentation needs a minimal Sphinx version, state it here. 51 | needs_sphinx = "1.0" 52 | 53 | # Add any Sphinx extension module names here, as strings. They can be 54 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones. 55 | extensions = [ 56 | "sphinx.ext.autodoc", 57 | "sphinx.ext.intersphinx", 58 | ] 59 | 60 | # Add any paths that contain templates here, relative to this directory. 61 | templates_path = ["_templates"] 62 | 63 | # The suffix of source filenames. 64 | source_suffix = ".rst" 65 | 66 | # The encoding of source files. 67 | # source_encoding = 'utf-8-sig' 68 | 69 | # The master toctree document. 70 | master_doc = "index" 71 | 72 | # General information about the project. 73 | project = "pyOpenSSL" 74 | authors = "The pyOpenSSL developers" 75 | copyright = "2001 " + authors 76 | 77 | # The version info for the project you're documenting, acts as replacement for 78 | # |version| and |release|, also used in various other places throughout the 79 | # built documents. 
80 | # 81 | # The short X.Y version. 82 | version = find_version("..", "src", "OpenSSL", "version.py") 83 | # The full version, including alpha/beta/rc tags. 84 | release = version 85 | 86 | # The language for content autogenerated by Sphinx. Refer to documentation 87 | # for a list of supported languages. 88 | # language = None 89 | 90 | # There are two options for replacing |today|: either, you set today to some 91 | # non-false value, then it is used: 92 | # today = '' 93 | # Else, today_fmt is used as the format for a strftime call. 94 | # today_fmt = '%B %d, %Y' 95 | 96 | # List of patterns, relative to source directory, that match files and 97 | # directories to ignore when looking for source files. 98 | exclude_patterns = ["_build"] 99 | 100 | # The reST default role (used for this markup `text`) to use for all documents. 101 | # default_role = None 102 | 103 | # If true, '()' will be appended to :func: etc. cross-reference text. 104 | # add_function_parentheses = True 105 | 106 | # If true, the current module name will be prepended to all description 107 | # unit titles (such as .. function::). 108 | # add_module_names = True 109 | 110 | # If true, sectionauthor and moduleauthor directives will be shown in the 111 | # output. They are ignored by default. 112 | # show_authors = False 113 | 114 | # The name of the Pygments (syntax highlighting) style to use. 115 | pygments_style = "sphinx" 116 | 117 | # A list of ignored prefixes for module index sorting. 118 | # modindex_common_prefix = [] 119 | 120 | 121 | # -- Options for HTML output -------------------------------------------------- 122 | 123 | # The theme to use for HTML and HTML Help pages. See the documentation for 124 | # a list of builtin themes. 
125 | if os.environ.get("READTHEDOCS", None) == "True": 126 | html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "") 127 | 128 | if "html_context" not in globals(): 129 | html_context = {} 130 | html_context["READTHEDOCS"] = True 131 | 132 | html_theme = "sphinx_rtd_theme" 133 | 134 | # Theme options are theme-specific and customize the look and feel of a theme 135 | # further. For a list of options available for each theme, see the 136 | # documentation. 137 | # html_theme_options = {} 138 | 139 | # Add any paths that contain custom themes here, relative to this directory. 140 | # html_theme_path = [] 141 | 142 | # The name for this set of Sphinx documents. If None, it defaults to 143 | # " v documentation". 144 | # html_title = None 145 | 146 | # A shorter title for the navigation bar. Default is the same as html_title. 147 | # html_short_title = None 148 | 149 | # The name of an image file (relative to this directory) to place at the top 150 | # of the sidebar. 151 | # html_logo = None 152 | 153 | # The name of an image file (within the static path) to use as favicon of the 154 | # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 155 | # pixels large. 156 | # html_favicon = None 157 | 158 | # Add any paths that contain custom static files (such as style sheets) here, 159 | # relative to this directory. They are copied after the builtin static files, 160 | # so a file named "default.css" will overwrite the builtin "default.css". 161 | # html_static_path = ['_static'] 162 | 163 | # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, 164 | # using the given strftime format. 165 | # html_last_updated_fmt = '%b %d, %Y' 166 | 167 | # If true, SmartyPants will be used to convert quotes and dashes to 168 | # typographically correct entities. 169 | # html_use_smartypants = True 170 | 171 | # Custom sidebar templates, maps document names to template names. 
172 | # html_sidebars = {} 173 | 174 | # Additional templates that should be rendered to pages, maps page names to 175 | # template names. 176 | # html_additional_pages = {} 177 | 178 | # If false, no module index is generated. 179 | # html_domain_indices = True 180 | 181 | # If false, no index is generated. 182 | # html_use_index = True 183 | 184 | # If true, the index is split into individual pages for each letter. 185 | # html_split_index = False 186 | 187 | # If true, links to the reST sources are added to the pages. 188 | # html_show_sourcelink = True 189 | 190 | # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. 191 | # html_show_sphinx = True 192 | 193 | # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. 194 | # html_show_copyright = True 195 | 196 | # If true, an OpenSearch description file will be output, and all pages will 197 | # contain a tag referring to it. The value of this option must be the 198 | # base URL from which the finished HTML is served. 199 | # html_use_opensearch = '' 200 | 201 | # This is the file name suffix for HTML files (e.g. ".xhtml"). 202 | # html_file_suffix = None 203 | 204 | # Output file base name for HTML help builder. 205 | htmlhelp_basename = "pyOpenSSLdoc" 206 | 207 | 208 | # -- Options for LaTeX output ------------------------------------------------- 209 | 210 | # The paper size ('letter' or 'a4'). 211 | # latex_paper_size = 'letter' 212 | 213 | # The font size ('10pt', '11pt' or '12pt'). 214 | # latex_font_size = '10pt' 215 | 216 | # Grouping the document tree into LaTeX files. List of tuples 217 | # (source start file, target name, title, author, documentclass [howto/manual]) 218 | latex_documents = [ 219 | ("index", "pyOpenSSL.tex", "pyOpenSSL Documentation", authors, "manual"), 220 | ] 221 | 222 | # The name of an image file (relative to this directory) to place at the top of 223 | # the title page. 
224 | # latex_logo = None 225 | 226 | # For "manual" documents, if this is true, then toplevel headings are parts, 227 | # not chapters. 228 | # latex_use_parts = False 229 | 230 | # If true, show page references after internal links. 231 | # latex_show_pagerefs = False 232 | 233 | # If true, show URL addresses after external links. 234 | # latex_show_urls = False 235 | 236 | # Additional stuff for the LaTeX preamble. 237 | # latex_preamble = '' 238 | 239 | # Documents to append as an appendix to all manuals. 240 | # latex_appendices = [] 241 | 242 | # If false, no module index is generated. 243 | # latex_domain_indices = True 244 | 245 | 246 | # -- Options for manual page output ------------------------------------------- 247 | 248 | # One entry per manual page. List of tuples 249 | # (source start file, name, description, authors, manual section). 250 | man_pages = [("index", "pyopenssl", "pyOpenSSL Documentation", [authors], 1)] 251 | 252 | intersphinx_mapping = { 253 | "python": ("https://docs.python.org/3", None), 254 | "cryptography": ("https://cryptography.io/en/latest/", None), 255 | } 256 | -------------------------------------------------------------------------------- /doc/api/ssl.rst: -------------------------------------------------------------------------------- 1 | .. _openssl-ssl: 2 | 3 | :py:mod:`SSL` --- An interface to the SSL-specific parts of OpenSSL 4 | =================================================================== 5 | 6 | .. py:module:: OpenSSL.SSL 7 | :synopsis: An interface to the SSL-specific parts of OpenSSL 8 | 9 | 10 | This module handles things specific to SSL. There are two objects defined: 11 | Context, Connection. 12 | 13 | .. py:data:: TLS_METHOD 14 | TLS_SERVER_METHOD 15 | TLS_CLIENT_METHOD 16 | SSLv2_METHOD 17 | SSLv3_METHOD 18 | SSLv23_METHOD 19 | TLSv1_METHOD 20 | TLSv1_1_METHOD 21 | TLSv1_2_METHOD 22 | 23 | These constants represent the different SSL methods to use when creating a 24 | context object. 
New code should only use ``TLS_METHOD``, ``TLS_SERVER_METHOD``, 25 | or ``TLS_CLIENT_METHOD``. If the underlying OpenSSL build is missing support 26 | for any of these protocols, constructing a :py:class:`Context` using the 27 | corresponding :py:const:`*_METHOD` will raise an exception. 28 | 29 | 30 | .. py:data:: SSL3_VERSION 31 | TLS1_VERSION 32 | TLS1_1_VERSION 33 | TLS1_2_VERSION 34 | TLS1_3_VERSION 35 | 36 | These constants represent the different TLS versions to use when 37 | setting the minimum or maximum TLS version. 38 | 39 | .. py:data:: VERIFY_NONE 40 | VERIFY_PEER 41 | VERIFY_FAIL_IF_NO_PEER_CERT 42 | 43 | These constants represent the verification mode used by the Context 44 | object's :py:meth:`set_verify` method. 45 | 46 | 47 | .. py:data:: FILETYPE_PEM 48 | FILETYPE_ASN1 49 | 50 | File type constants used with the :py:meth:`use_certificate_file` and 51 | :py:meth:`use_privatekey_file` methods of Context objects. 52 | 53 | 54 | .. py:data:: OP_SINGLE_DH_USE 55 | OP_SINGLE_ECDH_USE 56 | 57 | Constants used with :py:meth:`set_options` of Context objects. 58 | 59 | When these options are used, a new key will always be created when using 60 | ephemeral (Elliptic curve) Diffie-Hellman. 61 | 62 | 63 | .. py:data:: OP_EPHEMERAL_RSA 64 | 65 | Constant used with :py:meth:`set_options` of Context objects. 66 | 67 | When this option is used, ephemeral RSA keys will always be used when doing 68 | RSA operations. 69 | 70 | 71 | .. py:data:: OP_NO_TICKET 72 | 73 | Constant used with :py:meth:`set_options` of Context objects. 74 | 75 | When this option is used, the session ticket extension will not be used. 76 | 77 | 78 | .. py:data:: OP_NO_COMPRESSION 79 | 80 | Constant used with :py:meth:`set_options` of Context objects. 81 | 82 | When this option is used, compression will not be used. 83 | 84 | 85 | .. 
py:data:: OP_NO_SSLv2 86 | OP_NO_SSLv3 87 | OP_NO_TLSv1 88 | OP_NO_TLSv1_1 89 | OP_NO_TLSv1_2 90 | OP_NO_TLSv1_3 91 | 92 | Constants used with :py:meth:`set_options` of Context objects. 93 | 94 | Each of these options disables one version of the SSL/TLS protocol. This 95 | is interesting if you're using e.g. :py:const:`SSLv23_METHOD` to get an 96 | SSLv2-compatible handshake, but don't want to use SSLv2. If the underlying 97 | OpenSSL build is missing support for any of these protocols, the 98 | :py:const:`OP_NO_*` constant may be undefined. 99 | 100 | 101 | .. py:data:: OPENSSL_VERSION 102 | OPENSSL_CFLAGS 103 | OPENSSL_BUILT_ON 104 | OPENSSL_PLATFORM 105 | OPENSSL_DIR 106 | 107 | .. versionchanged:: 22.1.0 108 | 109 | Previously these were all named ``SSLEAY_*``. Those names are still 110 | available for backwards compatibility, but the ``OPENSSL_*`` names are 111 | preferred. 112 | 113 | Constants used with :py:meth:`OpenSSL_version` to specify what OpenSSL version 114 | information to retrieve. See the man page for the :py:func:`OpenSSL_version` C 115 | API for details. 116 | 117 | 118 | .. py:data:: SESS_CACHE_OFF 119 | SESS_CACHE_CLIENT 120 | SESS_CACHE_SERVER 121 | SESS_CACHE_BOTH 122 | SESS_CACHE_NO_AUTO_CLEAR 123 | SESS_CACHE_NO_INTERNAL_LOOKUP 124 | SESS_CACHE_NO_INTERNAL_STORE 125 | SESS_CACHE_NO_INTERNAL 126 | 127 | Constants used with :py:meth:`Context.set_session_cache_mode` to specify 128 | the behavior of the session cache and potential session reuse. See the man 129 | page for the :py:func:`SSL_CTX_set_session_cache_mode` C API for details. 130 | 131 | .. versionadded:: 0.14 132 | 133 | 134 | .. py:data:: OPENSSL_VERSION_NUMBER 135 | 136 | An integer giving the version number of the OpenSSL library used to build this 137 | version of pyOpenSSL. See the man page for the :py:func:`SSLeay_version` C API 138 | for details. 139 | 140 | 141 | .. 
py:data:: NO_OVERLAPPING_PROTOCOLS 142 | 143 | A sentinel value that can be returned by the callback passed to 144 | :py:meth:`Context.set_alpn_select_callback` to indicate that 145 | the handshake can continue without a specific application protocol. 146 | 147 | .. versionadded:: 19.1 148 | 149 | 150 | .. autofunction:: OpenSSL_version 151 | 152 | 153 | .. autoclass:: Context 154 | :noindex: 155 | 156 | .. autoclass:: Session 157 | 158 | 159 | .. py:class:: Connection(context, socket) 160 | :noindex: 161 | 162 | A class representing SSL connections. 163 | 164 | *context* should be an instance of :py:class:`Context` and *socket* 165 | should be a socket [#connection-context-socket]_ object. *socket* may be 166 | *None*; in this case, the Connection is created with a memory BIO: see 167 | the :py:meth:`bio_read`, :py:meth:`bio_write`, and :py:meth:`bio_shutdown` 168 | methods. 169 | 170 | .. py:exception:: Error 171 | 172 | This exception is used as a base class for the other SSL-related 173 | exceptions, but may also be raised directly. 174 | 175 | Whenever this exception is raised directly, it has a list of error messages 176 | from the OpenSSL error queue, where each item is a tuple *(lib, function, 177 | reason)*. Here *lib*, *function* and *reason* are all strings, describing 178 | where and what the problem is. See :manpage:`err(3)` for more information. 179 | 180 | 181 | .. py:exception:: ZeroReturnError 182 | 183 | This exception matches the error return code 184 | :py:data:`SSL_ERROR_ZERO_RETURN`, and is raised when the SSL Connection has 185 | been closed. In SSL 3.0 and TLS 1.0, this only occurs if a closure alert has 186 | occurred in the protocol, i.e. the connection has been closed cleanly. Note 187 | that this does not necessarily mean that the transport layer (e.g. a socket) 188 | has been closed. 189 | 190 | It may seem a little strange that this is an exception, but it does match an 191 | :py:data:`SSL_ERROR` code, and is very convenient. 
192 | 193 | 194 | .. py:exception:: WantReadError 195 | 196 | The operation did not complete; the same I/O method should be called again 197 | later, with the same arguments. Any I/O method can lead to this since new 198 | handshakes can occur at any time. 199 | 200 | The wanted read is for **dirty** data sent over the network, not the 201 | **clean** data inside the tunnel. For a socket based SSL connection, 202 | **read** means data coming at us over the network. Until that read 203 | succeeds, the attempted :py:meth:`OpenSSL.SSL.Connection.recv`, 204 | :py:meth:`OpenSSL.SSL.Connection.send`, or 205 | :py:meth:`OpenSSL.SSL.Connection.do_handshake` is prevented or incomplete. You 206 | probably want to :py:meth:`select()` on the socket before trying again. 207 | 208 | 209 | .. py:exception:: WantWriteError 210 | 211 | See :py:exc:`WantReadError`. The socket send buffer may be too full to 212 | write more data. 213 | 214 | 215 | .. py:exception:: WantX509LookupError 216 | 217 | The operation did not complete because an application callback has asked to be 218 | called again. The I/O method should be called again later, with the same 219 | arguments. 220 | 221 | .. note:: This won't occur in this version, as there are no such 222 | callbacks in this version. 223 | 224 | 225 | .. py:exception:: SysCallError 226 | 227 | The :py:exc:`SysCallError` occurs when there's an I/O error and OpenSSL's 228 | error queue does not contain any information. This can mean two things: An 229 | error in the transport protocol, or an end of file that violates the protocol. 230 | The parameter to the exception is always a pair *(errnum, 231 | errstr)*. 232 | 233 | 234 | 235 | .. _openssl-context: 236 | 237 | Context objects 238 | --------------- 239 | 240 | Context objects have the following methods: 241 | 242 | .. autoclass:: OpenSSL.SSL.Context 243 | :members: 244 | 245 | .. 
_openssl-session: 246 | 247 | Session objects 248 | --------------- 249 | 250 | Session objects have no methods. 251 | 252 | 253 | .. _openssl-connection: 254 | 255 | Connection objects 256 | ------------------ 257 | 258 | Connection objects have the following methods: 259 | 260 | .. autoclass:: OpenSSL.SSL.Connection 261 | :members: 262 | 263 | 264 | .. Rubric:: Footnotes 265 | 266 | .. [#connection-context-socket] Actually, all that is required is an object that 267 | **behaves** like a socket, you could even use files, even though it'd be 268 | tricky to get the handshakes right! 269 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 
26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
      You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information.
      (Don't include
      the brackets!) The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------
/CHANGELOG.rst:
--------------------------------------------------------------------------------
Changelog
=========

Versions are year-based with a strict backward-compatibility policy.
The third digit is only for regressions.

25.4.0 (UNRELEASED)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Dropped support for Python 3.7.
- The minimum ``cryptography`` version is now 46.0.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Added ``OpenSSL.SSL.Connection.get_group_name`` to determine which group name was negotiated.

25.3.0 (2025-09-16)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Maximum supported ``cryptography`` version is now 46.x.


25.2.0 (2025-09-14)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 45.0.7.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- pyOpenSSL now sets ``SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`` on connections by default, matching CPython's behavior.
- Added ``OpenSSL.SSL.Context.clear_mode``.
- Added ``OpenSSL.SSL.Context.set_tls13_ciphersuites`` to set the allowed TLS 1.3 ciphers.
- Added ``OpenSSL.SSL.Connection.set_info_callback``.

25.1.0 (2025-05-17)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

- Attempting to use any method that mutates an ``OpenSSL.SSL.Context`` after it
  has been used to create an ``OpenSSL.SSL.Connection`` will emit a warning. In
  a future release, this will raise an exception.

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 45.0.x.


25.0.0 (2025-01-12)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Corrected type annotations on ``Context.set_alpn_select_callback``, ``Context.set_session_cache_mode``, ``Context.set_options``, ``Context.set_mode``, ``X509.subject_name_hash``, and ``X509Store.load_locations``.
- Deprecated APIs are now marked using ``warnings.deprecated``. ``mypy`` will emit deprecation notices for them when used with ``--enable-error-code deprecated``.

24.3.0 (2024-11-27)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the deprecated ``OpenSSL.crypto.CRL``, ``OpenSSL.crypto.Revoked``, ``OpenSSL.crypto.dump_crl``, and ``OpenSSL.crypto.load_crl``. ``cryptography.x509``'s CRL functionality should be used instead.
- Removed the deprecated ``OpenSSL.crypto.sign`` and ``OpenSSL.crypto.verify``. ``cryptography.hazmat.primitives.asymmetric``'s signature APIs should be used instead.

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
- Deprecated ``add_extensions`` and ``get_extensions`` on ``OpenSSL.crypto.X509Req`` and ``OpenSSL.crypto.X509``. These should have been deprecated at the same time ``X509Extension`` was. Users should use pyca/cryptography's X.509 APIs instead.
- Deprecated ``OpenSSL.crypto.get_elliptic_curves`` and ``OpenSSL.crypto.get_elliptic_curve``, as well as passing the result of them to ``OpenSSL.SSL.Context.set_tmp_ecdh``; users should instead pass curves from ``cryptography``.
- Deprecated passing ``X509`` objects to ``OpenSSL.SSL.Context.use_certificate``, ``OpenSSL.SSL.Connection.use_certificate``, ``OpenSSL.SSL.Context.add_extra_chain_cert``, and ``OpenSSL.SSL.Context.add_client_ca``; users should instead pass ``cryptography.x509.Certificate`` instances. This is in preparation for deprecating pyOpenSSL's ``X509`` entirely.
- Deprecated passing ``PKey`` objects to ``OpenSSL.SSL.Context.use_privatekey`` and ``OpenSSL.SSL.Connection.use_privatekey``; users should instead pass ``cryptography`` private key instances. This is in preparation for deprecating pyOpenSSL's ``PKey`` entirely.

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 44.0.x.
- ``OpenSSL.SSL.Connection.get_certificate``, ``OpenSSL.SSL.Connection.get_peer_certificate``, ``OpenSSL.SSL.Connection.get_peer_cert_chain``, and ``OpenSSL.SSL.Connection.get_verified_chain`` now take an ``as_cryptography`` keyword argument. When ``True`` is passed, ``cryptography.x509.Certificate`` objects are returned instead of ``OpenSSL.crypto.X509``. In the future, passing ``False`` (the default) will be deprecated.


24.2.1 (2024-07-20)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Fixed changelog to remove Sphinx-specific reStructuredText strings.


24.2.0 (2024-07-20)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.X509Req``, ``OpenSSL.crypto.load_certificate_request``, ``OpenSSL.crypto.dump_certificate_request``. Instead, ``cryptography.x509.CertificateSigningRequest``, ``cryptography.x509.CertificateSigningRequestBuilder``, ``cryptography.x509.load_der_x509_csr``, or ``cryptography.x509.load_pem_x509_csr`` should be used.

Changes:
^^^^^^^^

- Added type hints for the ``SSL`` module.
  `#1308 `_.
- Changed ``OpenSSL.crypto.PKey.from_cryptography_key`` to accept public and private EC, ED25519, ED448 keys.
  `#1310 `_.

24.1.0 (2024-03-09)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the deprecated ``OpenSSL.crypto.PKCS12`` and
  ``OpenSSL.crypto.NetscapeSPKI``. ``OpenSSL.crypto.PKCS12`` may be replaced
  by the PKCS#12 APIs in the ``cryptography`` package.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

24.0.0 (2024-01-22)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
  `#1279 `_.

23.3.0 (2023-10-25)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Dropped support for Python 3.6.
- The minimum ``cryptography`` version is now 41.0.5.
- Removed ``OpenSSL.crypto.load_pkcs7`` and ``OpenSSL.crypto.load_pkcs12`` which had been deprecated for 3 years.
- Added ``OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT`` to allow legacy insecure renegotiation between OpenSSL and unpatched servers.
  `#1234 `_.

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.PKCS12`` (which was intended to have been deprecated at the same time as ``OpenSSL.crypto.load_pkcs12``).
- Deprecated ``OpenSSL.crypto.NetscapeSPKI``.
- Deprecated ``OpenSSL.crypto.CRL``.
- Deprecated ``OpenSSL.crypto.Revoked``.
- Deprecated ``OpenSSL.crypto.load_crl`` and ``OpenSSL.crypto.dump_crl``.
- Deprecated ``OpenSSL.crypto.sign`` and ``OpenSSL.crypto.verify``.
- Deprecated ``OpenSSL.crypto.X509Extension``.

Changes:
^^^^^^^^

- Changed ``OpenSSL.crypto.X509Store.add_crl`` to also accept
  ``cryptography``'s ``x509.CertificateRevocationList`` arguments in addition
  to the now deprecated ``OpenSSL.crypto.CRL`` arguments.
- Fixed ``test_set_default_verify_paths`` test so that it is skipped if no
  network connection is available.

23.2.0 (2023-05-30)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed ``X509StoreFlags.NOTIFY_POLICY``.
  `#1213 `_.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 41.0.x.
- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``.
  `#1202 `_.

23.1.1 (2023-03-28)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Worked around an issue in OpenSSL 3.1.0 which caused ``X509Extension.get_short_name`` to raise an exception when no short name was known to OpenSSL.
  `#1204 `_.

23.1.0 (2023-03-24)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 40.0.x.
- Add ``OpenSSL.SSL.Connection.DTLSv1_get_timeout`` and ``OpenSSL.SSL.Connection.DTLSv1_handle_timeout``
  to support DTLS timeouts `#1180 `_.

23.0.0 (2023-01-01)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
  to perform certificate verification on partial certificate chains.
  `#1166 `_
- ``cryptography`` maximum version has been increased to 39.0.x.

22.1.0 (2022-09-25)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Remove support for SSLv2 and SSLv3.
- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases
  against ``cryptography`` major versions to prevent future breakage).
- The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored,
  changing its internal attributes.
  `#1133 `_

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.SSL.SSLeay_version`` is deprecated in favor of
  ``OpenSSL.SSL.OpenSSL_version``. The constants ``OpenSSL.SSL.SSLEAY_*`` are
  deprecated in favor of ``OpenSSL.SSL.OPENSSL_*``.

Changes:
^^^^^^^^

- Add ``OpenSSL.SSL.Connection.set_verify`` and ``OpenSSL.SSL.Connection.get_verify_mode``
  to override the context object's verification flags.
  `#1073 `_
- Add ``OpenSSL.SSL.Connection.use_certificate`` and ``OpenSSL.SSL.Connection.use_privatekey``
  to set a certificate per connection (and not just per context) `#1121 `_.

22.0.0 (2022-01-29)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Drop support for Python 2.7.
  `#1047 `_
- The minimum ``cryptography`` version is now 35.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Expose wrappers for some `DTLS
  `_
  primitives. `#1026 `_

21.0.0 (2021-09-28)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 3.3.
- Drop support for Python 3.5.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Raise an error when an invalid ALPN value is set.
  `#993 `_
- Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
  to set the minimum and maximum supported TLS version `#985 `_.
- Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings.
  `#1030 `_

20.0.1 (2020-12-15)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Fixed compatibility with OpenSSL 1.1.0.

20.0.0 (2020-11-27)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 3.2.
- Remove deprecated ``OpenSSL.tsafe`` module.
- Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
- Drop support for Python 3.4.
- Drop support for OpenSSL 1.0.1 and 1.0.2.

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.load_pkcs7`` and ``OpenSSL.crypto.load_pkcs12``.

Changes:
^^^^^^^^

- Added a new optional ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()``
  where additional untrusted certificates can be specified to help chain building.
  `#948 `_
- Added ``OpenSSL.crypto.X509Store.load_locations`` to set trusted
  certificate file bundles and/or directories for verification.
  `#943 `_
- Added ``Context.set_keylog_callback`` to log key material.
  `#910 `_
- Added ``OpenSSL.SSL.Connection.get_verified_chain`` to retrieve the
  verified certificate chain of the peer.
  `#894 `_.
- Make verification callback optional in ``Context.set_verify``.
  If omitted, OpenSSL's default verification is used.
  `#933 `_
- Fixed a bug that could truncate or cause a zero-length key error due to a
  null byte in private key passphrase in ``OpenSSL.crypto.load_privatekey``
  and ``OpenSSL.crypto.dump_privatekey``.
  `#947 `_

19.1.0 (2019-11-18)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed deprecated ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, and ``NetscapeSPKIType`` aliases.
  Use the classes without the ``Type`` suffix instead.
  `#814 `_
- The minimum ``cryptography`` version is now 2.8 due to issues on macOS with a transitive dependency.
  `#875 `_

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
  ALPN should be used instead.
  `#820 `_


Changes:
^^^^^^^^

- Support ``bytearray`` in ``SSL.Connection.send()`` by using cffi's ``from_buffer``.
  `#852 `_
- The ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS`` sentinel value
  to allow a TLS handshake to complete without an application protocol.


----

19.0.0 (2019-01-21)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``X509Store.add_cert`` no longer raises an error if you add a duplicate cert.
  `#787 `_


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- pyOpenSSL now works with OpenSSL 1.1.1.
  `#805 `_
- pyOpenSSL now handles NUL bytes in ``X509Name.get_components()``.
  `#804 `_



----

18.0.0 (2018-05-16)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 2.2.1.
- Support for Python 2.6 has been dropped.


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- Added ``Connection.get_certificate`` to retrieve the local certificate.
  `#733 `_
- ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default.
  `#753 `_
- Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material.
  `#734 `_


----

17.5.0 (2017-11-30)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 2.1.4.


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``.
  `#723 `_
- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material.
  `#725 `_

----



17.4.0 (2017-11-21)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^


- Re-added a subset of the ``OpenSSL.rand`` module.
  This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork.
  `#708 `_
- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated.
  `#709 `_

----


17.3.0 (2017-09-14)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Dropped support for Python 3.3.
  `#677 `_
- Removed the deprecated ``OpenSSL.rand`` module.
  This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
  ``os.urandom()`` should be used instead.
  `#675 `_


Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.tsafe``.
  `#673 `_

Changes:
^^^^^^^^

- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
  `#690 `_
- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
  `#691 `_


----


17.2.0 (2017-07-20)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
  `#658 `_


Changes:
^^^^^^^^

- Fixed a bug causing ``Context.set_default_verify_paths()`` to not work with cryptography ``manylinux1`` wheels on Python 3.x.
  `#665 `_
- Fixed a crash with (EC)DSA signatures in some cases.
  `#670 `_


----


17.1.0 (2017-06-30)
-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the deprecated ``OpenSSL.rand.egd()`` function.
  Applications should prefer ``os.urandom()`` for random number generation.
  `#630 `_
- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
  Callers must now always pass an explicit ``digest``.
  `#652 `_
- Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
  ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
  and ``Revoked.set_lastUpdate()``. You must now pass times in the form
  ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm``
  will no longer work. `#612 `_


Deprecations:
^^^^^^^^^^^^^


- Deprecated the legacy "Type" aliases: ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, ``NetscapeSPKIType``.
  The names without the "Type" suffix should be used instead.


Changes:
^^^^^^^^

- Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()`` for converting X.509 certificates to and from pyca/cryptography objects.
  `#640 `_
- Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``, ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
  `#645 `_
- Added ``OpenSSL.debug``, which gives an overview of the library versions in use (including the linked OpenSSL) and other useful runtime information via ``python -m OpenSSL.debug``.
  `#620 `_
- Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels.
  `#633 `_


----


17.0.0 (2017-04-20)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
  `#567 `_
- Added a collection of functions for working with OCSP stapling.
  None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
  Users will need to write their own code to handle OCSP assertions.
  We specifically added: ``Context.set_ocsp_server_callback()``, ``Context.set_ocsp_client_callback()``, and ``Connection.request_ocsp()``.
  `#580 `_
- Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary.
  This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
  For applications that process a lot of TLS data or that use very large allocations this can provide considerable performance improvements.
  `#578 `_
- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
  `#575 `_
- Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``.
  `#581 `_


----


16.2.0 (2016-10-15)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
  `#552 `_


----


16.1.0 (2016-08-26)
-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

- Dropped support for OpenSSL 0.9.8.


Changes:
^^^^^^^^

- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
  `#496 `_
- Enable use of CRL (and more) in verify context.
  `#483 `_
- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
  `#439 `_
- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.


----


16.0.0 (2016-03-19)
-------------------

This is the first release under full stewardship of PyCA.
We have made *many* changes to make local development more pleasing.
The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2.
It has been moved to `pytest `_, all CI test runs are part of `tox `_ and the source code has been made fully `flake8 `_ compliant.

We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Python 3.2 support has been dropped.
  It never had significant real world usage and has been dropped by our main dependency ``cryptography``.
  Affected users should upgrade to Python 3.3 or later.


Deprecations:
^^^^^^^^^^^^^

- The support for EGD has been removed.
  The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead.
  Please see `pyca/cryptography#1636 `_ for more background information on this decision.
  In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0.

  Please note that you should `use urandom `_ for all your secure random number needs.
- Python 2.6 support has been deprecated.
  Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it.
  pyOpenSSL will drop Python 2.6 support once ``cryptography`` does.


Changes:
^^^^^^^^

- Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``.
  They were lacking an implementation since 0.14.
  `#422 `_
- Fixed segmentation fault when using keys larger than 4096-bit to sign data.
  `#428 `_
- Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data.
  `#304 `_
- Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations.
  `#382 `_
- Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer.
  `#368 `_
- Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``.
  `#358 `_
- Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``.
  `#294 `_
- Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``.
  `#244 `_
- Switched to ``utf8string`` mask by default.
  OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present.
  This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year.
  This will default us to the setting that actually works.
  To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``.
  `#234 `_


----


Older Changelog Entries
-----------------------

The changes from before release 16.0.0 are preserved in the `repository `_.
--------------------------------------------------------------------------------
/doc/ChangeLog_old.txt:
--------------------------------------------------------------------------------
This file only contains the changes up to release 0.15.1. Newer changes can be
found at .

***

2015-04-14  Hynek Schlawack

  * Release 0.15.1

2015-04-14  Glyph Lefkowitz

  * OpenSSL/SSL.py, OpenSSL/test/test_ssl.py: Fix a regression
    present in 0.15, where when an error occurs and no errno() is set,
    a KeyError is raised. This happens, for example, if
    Connection.shutdown() is called when the underlying transport has
    gone away.

2015-04-14  Hynek Schlawack

  * Release 0.15

2015-04-12  Jean-Paul Calderone

  * OpenSSL/rand.py, OpenSSL/SSL.py: APIs which previously accepted
    filenames only as bytes now accept them as either bytes or
    unicode (and respect sys.getfilesystemencoding()).

2015-03-23  Jean-Paul Calderone

  * OpenSSL/SSL.py: Add Cory Benfield's next-protocol-negotiation
    (NPN) bindings.

2015-03-15  Jean-Paul Calderone

  * OpenSSL/SSL.py: Add ``Connection.recv_into``, mirroring the
    builtin ``socket.recv_into``. Based on work from Cory Benfield.
  * OpenSSL/test/test_ssl.py: Add tests for ``recv_into``.

2015-01-30  Stephen Holsapple

  * OpenSSL/crypto.py: Expose ``X509StoreContext`` for verifying certificates.
42 | * OpenSSL/test/test_crypto.py: Add intermediate certificates for
43 |
44 | 2015-01-08 Paul Aurich
45 |
46 | * OpenSSL/SSL.py: ``Connection.shutdown`` now propagates errors from the
47 | underlying socket.
48 |
49 | 2014-12-11 Jean-Paul Calderone
50 |
51 | * OpenSSL/SSL.py: Fixed a regression in ``Context.check_privatekey``
52 | causing it to always succeed - even if it should fail.
53 |
54 | 2014-08-21 Alex Gaynor
55 |
56 | * OpenSSL/crypto.py: Fixed a regression where calling ``load_pkcs7_data``
57 | with ``FILETYPE_ASN1`` would fail with a ``NameError``.
58 |
59 | 2014-05-05 Jean-Paul Calderone
60 |
61 | * OpenSSL/SSL.py: Fix a regression in which the first argument of
62 | the "verify" callback was incorrectly passed a ``Context`` instance
63 | instead of the ``Connection`` instance.
64 | * OpenSSL/test/test_ssl.py: Add a test for the value passed as the
65 | first argument of the "verify" callback.
66 |
67 | 2014-04-19 Jean-Paul Calderone
68 |
69 | * OpenSSL/crypto.py: Based on work from Alex Gaynor, Andrew
70 | Lutomirski, Tobias Oberstein, Laurens Van Houtven, and Hynek
71 | Schlawack, add ``get_elliptic_curve`` and ``get_elliptic_curves``
72 | to support TLS ECDHE modes.
73 | * OpenSSL/SSL.py: Add ``Context.set_tmp_ecdh`` to configure a TLS
74 | context with a particular elliptic curve for ECDHE modes.
75 |
76 | 2014-04-19 Markus Unterwaditzer
77 |
78 | * OpenSSL/SSL.py: ``Connection.send`` and ``Connection.sendall``
79 | now also accept the ``buffer`` type as data.
80 |
81 | 2014-04-05 Stephen Holsapple
82 |
83 | * OpenSSL/crypto.py: Make ``load_pkcs12`` backwards compatible with
84 | pyOpenSSL 0.13 by making passphrase optional.
85 |
86 | 2014-03-30 Fedor Brunner
87 |
88 | * OpenSSL/SSL.py: Add ``get_finished``, ``get_peer_finished``
89 | methods to ``Connection``. If you use these methods to
90 | implement TLS channel binding (RFC 5929) disable session
91 | resumption because of triple handshake attacks against TLS.
92 |
93 |
94 |
95 | 2014-03-29 Fedor Brunner
96 |
97 | * OpenSSL/SSL.py: Add ``get_cipher_name``, ``get_cipher_bits``,
98 | and ``get_cipher_version`` to ``Connection``.
99 |
100 | 2014-03-28 Jean-Paul Calderone
101 |
102 | * OpenSSL/tsafe.py: Replace the use of ``apply`` (which has been
103 | removed in Python 3) with the equivalent syntax.
104 |
105 | 2014-03-28 Jonathan Giannuzzi
106 |
107 | * OpenSSL/crypto.py: Fix memory leak in _X509_REVOKED_dup.
108 | * leakcheck/crypto.py: Add checks for _X509_REVOKED_dup, CRL.add_revoked
109 | and CRL.get_revoked.
110 | * setup.py: Require cryptography 0.3 to have the ASN1_TIME_free binding.
111 |
112 | 2014-03-02 Stephen Holsapple
113 |
114 | * OpenSSL/crypto.py: Add ``get_extensions`` method to ``X509Req``.
115 |
116 | 2014-02-23 Jean-Paul Calderone
117 |
118 | * Release 0.14
119 |
120 | 2014-01-09 Jean-Paul Calderone
121 |
122 | * OpenSSL: Port to the cffi-based OpenSSL bindings provided by
123 |
124 |
125 | 2013-10-06 Jean-Paul Calderone
126 |
127 | * OpenSSL/ssl/context.c: Add support for negotiating TLS v1.1 or
128 | v1.2.
129 |
130 | 2013-10-03 Christian Heimes
131 |
132 | * OpenSSL/crypto/x509.c: Fix an inconsistency in memory management
133 | in X509.get_serial_number which leads to crashes on some runtimes
134 | (certain Windows/Python 3.3 environments, at least).
135 |
136 | 2013-08-11 Christian Heimes
137 |
138 | * OpenSSL/crypto/x509ext.c: Fix handling of NULL bytes inside
139 | subjectAltName general names when formatting an X509 extension
140 | as a string.
141 | * OpenSSL/crypto/x509.c: Fix memory leak in get_extension().
142 |
143 | 2012-04-03 Jean-Paul Calderone
144 |
145 | * OpenSSL/crypto/pkey.c: Release the GIL around RSA and DSA key
146 | generation, based on code from INADA Naoki.
147 |
148 | 2012-02-13 Jean-Paul Calderone
149 |
150 | * OpenSSL/ssl/ssl.c: Add session cache related constants for use
151 | with the new Context.set_session_cache_mode method.
152 |
153 | * OpenSSL/ssl/context.c: Add new Context methods
154 | set_session_cache_mode and get_session_cache_mode.
155 |
156 | 2011-11-01 Jean-Paul Calderone
157 |
158 | * OpenSSL/crypto/pkey.c: Raise TypeError when trying to check a
159 | PKey instance which has no private component, instead of crashing.
160 | Based on fix by .
161 |
162 | 2011-09-14 Žiga Seilnacht
163 |
164 | * OpenSSL/crypto/crypto.c: Allow exceptions from passphrase
165 | callbacks to propagate up out of load_privatekey.
166 | * OpenSSL/crypto/crypto.c: Raise an exception when a too-long
167 | passphrase is returned from a passphrase callback, instead of
168 | silently truncating it.
169 | * OpenSSL/crypto/crypto.c: Fix a memory leak when a passphrase
170 | callback returns the wrong type.
171 |
172 | 2011-09-13 Jean-Paul Calderone
173 |
174 | * OpenSSL/crypto/crl.c: Add error handling for the use of
175 | X509_CRL_sign.
176 |
177 | 2011-09-11 Jonathan Ballet
178 |
179 | * doc/: Convert the LaTeX documentation to Sphinx-using ReST.
180 | * OpenSSL/: Convert the epytext API documentation to Sphinx-using ReST.
181 |
182 | 2011-09-08 Guillermo Gonzalez
183 |
184 | * OpenSSL/ssl/context.c: Add Context.set_mode method.
185 | * OpenSSL/ssl/ssl.c: Add MODE_RELEASE_BUFFERS and OP_NO_COMPRESSION
186 | constants.
187 |
188 | 2011-09-02 Jean-Paul Calderone
189 |
190 | * Release 0.13
191 |
192 | 2011-06-12 Jean-Paul Calderone
193 |
194 | * OpenSSL/crypto/pkey.c: Add the PKey.check method, mostly
195 | implemented by Rick Dean, to verify the internal consistency of a
196 | PKey instance.
197 |
198 | 2011-06-12 Jean-Paul Calderone
199 |
200 | * OpenSSL/crypto/crypto.c: Fix the sign and verify functions so
201 | they handle data with embedded NULs. Fix by David Brodsky
202 | .
203 |
204 | 2011-05-20 Jean-Paul Calderone
205 |
206 | * OpenSSL/ssl/connection.c, OpenSSL/test/test_ssl.py: Add a new
207 | method to the Connection type, get_peer_cert_chain, for retrieving
208 | the peer's certificate chain.
209 |
210 | 2011-05-19 Jean-Paul Calderone
211 |
212 | * OpenSSL/crypto/x509.c, OpenSSL/test/test_crypto.py: Add a new
213 | method to the X509 type, get_signature_algorithm, for inspecting
214 | the signature algorithm field of the certificate. Based on a
215 | patch from .
216 |
217 | 2011-05-10 Jean-Paul Calderone
218 |
219 | * OpenSSL/crypto/crypto.h: Work around a Windows/OpenSSL 1.0 issue by
220 | explicitly including a Windows header before any OpenSSL headers.
221 |
222 | * OpenSSL/crypto/pkcs12.c: Work around an OpenSSL 1.0 issue by
223 | explicitly flushing errors known to be uninteresting after calling
224 | PKCS12_parse.
225 |
226 | * OpenSSL/ssl/context.c: Remove SSLv2 support if the underlying
227 | OpenSSL library does not provide it.
228 |
229 | * OpenSSL/test/test_crypto.py: Support an OpenSSL 1.0 change from
230 | MD5 to SHA1 by allowing either hash algorithm's result as the
231 | return value of X509.subject_name_hash.
232 |
233 | * OpenSSL/test/test_ssl.py: Support an OpenSSL 1.0 change from MD5
234 | to SHA1 by constructing certificate files named using both hash
235 | algorithms' results when testing Context.load_verify_locations.
236 |
237 | * Support OpenSSL 1.0.0a.
238 |
239 | 2011-04-15 Jean-Paul Calderone
240 |
241 | * OpenSSL/ssl/ssl.c: Add OPENSSL_VERSION_NUMBER, SSLeay_version
242 | and related constants for retrieving version information about the
243 | underlying OpenSSL library.
244 |
245 | 2011-04-07 Jean-Paul Calderone
246 |
247 | * Release 0.12
248 |
249 | 2011-04-06 Jean-Paul Calderone
250 |
251 | * OpenSSL/crypto/x509.c: Add get_extension_count and get_extension
252 | to the X509 type, allowing read access to certificate extensions.
253 |
254 | * OpenSSL/crypto/x509ext.c: Add get_short_name and get_data to the
255 | X509Extension type, allowing read access to the contents of an
256 | extension.
257 |
258 | 2011-03-21 Olivier Hervieu
259 |
260 | * OpenSSL/ssl/ssl.c: Expose a number of symbolic constants for
261 | values passed to the connection "info" callback.
262 |
263 | 2011-01-22 Jean-Paul Calderone
264 |
265 | * OpenSSL/ssl/connection.py: Add support for new-style
266 | buffers (primarily memoryviews) to Connection.send and
267 | Connection.sendall.
268 |
269 | 2010-11-01 Jean-Paul Calderone
270 |
271 | * Release 0.11
272 |
273 | 2010-10-07 Jean-Paul Calderone
274 |
275 | * Initial support for Python 3.x throughout the codebase.
276 |
277 | 2010-09-14 Jean-Paul Calderone
278 |
279 | * OpenSSL/crypto/netscape_spki.c: Fix an off-by-one mistake in the
280 | error handling for NetscapeSPKI.verify. Add additional error
281 | checking to NetscapeSPKI.sign to handle the case where there is no
282 | private key.
283 |
284 | * OpenSSL/crypto/x509.c: Fix an overflow bug in the subject_name_hash
285 | method of the X509 type which would cause it to return negative
286 | values on 32 bit systems.
287 |
288 | * OpenSSL/crypto/x509req.c: Fix an off-by-one mistake in the error
289 | handling for X509Req.verify.
290 |
291 | * OpenSSL/ssl/context.c: Fix the error handling in the load_tmp_dh
292 | method of the Context type which would cause it to always raise
293 | MemoryError, regardless of the actual error (such as a bad file
294 | name).
295 |
296 | * OpenSSL/test/: Numerous unit tests added, both for above fixes
297 | and for other previously untested code paths.
298 |
299 | 2010-07-27 Jean-Paul Calderone
300 |
301 | * Re-arrange the repository so that the package can be built and
302 | used in-place without requiring installation.
303 |
304 | 2010-02-27 James Yonan
305 |
306 | * src/crypto/crypto.c: Added crypto.sign and crypto.verify methods
307 | that wrap EVP_Sign and EVP_Verify function families, using code
308 | derived from Dave Cridland's PyOpenSSL branch.
309 |
310 | * test/test_crypto.py: Added unit tests for crypto.sign and
311 | crypto.verify.
312 |
313 | 2010-01-27 Jean-Paul Calderone
314 |
315 | * src/ssl/connection.c, src/util.h: Apply patch from Sandro Tosi to
316 | fix misspellings of "compatibility".
317 |
318 | 2009-11-13 Jean-Paul Calderone
319 |
320 | * Release 0.10
321 |
322 | 2009-11-07 Žiga Seilnacht, Jean-Paul Calderone
323 |
324 | * src/ssl/connection.c, src/ssl/context.c: Add set_client_ca_list,
325 | add_client_ca, and get_client_ca_list to Context for manipulating
326 | the list of certificate authority names which are sent by servers
327 | with the certificate request message.
328 | * src/util.h: Add ssize-related defines if the version of Python
329 | being used does not have them.
330 | * setup.py: Significant changes to the way Windows builds are done,
331 | particularly the way OpenSSL headers and libraries are found (with
332 | the new --with-openssl argument to build_ext).
333 |
334 | 2009-08-27 Rick Dean, Jean-Paul Calderone
335 |
336 | * src/crypto/pkcs12.c: Add setters to the PKCS12 type for the
337 | certificate, private key, ca certificate list, and friendly
338 | name, and add a getter for the friendly name. Also add a method
339 | for exporting a PKCS12 object as a string.
340 | * test/test_crypto.py: Add lots of additional tests for the PKCS12
341 | type.
342 | * doc/pyOpenSSL.tex: Documentation for the new PKCS12 methods.
343 |
344 | 2009-07-17 Rick Dean, Jean-Paul Calderone
345 |
346 | * src/crypto/x509ext.c: Add subject and issuer parameters to
347 | X509Extension, allowing creation of extensions which require that
348 | information. Fixes LP#322813.
349 |
350 | 2009-07-16 Jean-Paul Calderone
351 |
352 | * test/util.py: Changed the base TestCase's tearDown to assert that
353 | no errors were left in the OpenSSL error queue by the test.
354 | * src/crypto/crypto.c: Add a private helper in support of the
355 | TestCase.tearDown change.
356 | * src/crypto/x509name.c: Changed X509Name's getattr implementation
357 | to clean up the error queue. Fixes LP#314814.
358 | * test/util.c: Changed flush_error_queue to avoid a reference
359 | counting bug caused by macro expansion.
360 |
361 | 2009-07-16 Rick Dean
362 |
363 | * src/rand.c: Added OpenSSL.rand.bytes to get random bytes directly.
364 | * src/util.c: Added generic exceptions_from_error_queue to replace
365 | the various other implementations of this function. Also updated
366 | the rest of the codebase to use this version instead.
367 |
368 | 2009-07-05 Jean-Paul Calderone
369 |
370 | * test/util.py, test/test_ssl.py, test/test_crypto.py: Fold the
371 | Python 2.3 compatibility TestCase mixin into the TestCase defined
372 | in util.py.
373 |
374 | 2009-07-05 Jean-Paul Calderone
375 |
376 | * test/util.py, test/test_ssl.py, test/test_crypto.py: Stop trying
377 | to use Twisted's TestCase even when it's available. Instead,
378 | always use the stdlib TestCase with a few enhancements.
379 |
380 | 2009-07-04 Jean-Paul Calderone
381 |
382 | * Changed most extension types so that they can be instantiated
383 | using the type object rather than a factory function. The old
384 | factory functions are now aliases for the type objects.
385 | Fixes LP#312786.
386 |
387 | 2009-05-27 Jean-Paul Calderone
388 |
389 | * Changed all docstrings in extension modules to be friendlier
390 | towards Python programmers. Fixes LP#312787.
391 |
392 | 2009-05-27 Jean-Paul Calderone
393 |
394 | * src/crypto/x509ext.c: Correctly deallocate the new Extension
395 | instance when there is an error initializing it and it is not
396 | going to be returned. Resolves LP#368043.
397 |
398 | 2009-05-11 Jean-Paul Calderone
399 |
400 | * test/test_crypto.py: Use binary mode for the pipe to talk to the
401 | external openssl binary. The data being transported over this
402 | pipe is indeed binary, so previously it would often be truncated
403 | or otherwise mangled.
404 |
405 | * src/ssl/connection.h, src/ssl/connection.c, test/test_ssl.py:
406 | Extend the Connection class with support for in-memory BIOs. This
407 | allows SSL to be run without a real socket, useful for
408 | implementing EAP-TLS or using SSL with Windows IO completion
409 | ports, for example. Based heavily on contributions from Rick
410 | Dean.
411 |
412 | 2009-04-25 Jean-Paul Calderone
413 |
414 | * Release 0.9
415 |
416 | 2009-04-01 Jean-Paul Calderone
417 | Samuele Pedroni
418 |
419 | * src/util.h: Delete the TLS key before trying to set a new value
420 | for it in case the current thread identifier is a recycled one (if
421 | it is recycled, the key won't be set because there is already a
422 | value from the previous thread to have this identifier and to use
423 | the pyOpenSSL API).
424 |
425 | 2009-04-01 Jean-Paul Calderone
426 |
427 | * src/crypto/crypto.c: Add FILETYPE_TEXT for dumping keys and
428 | certificates and certificate signature requests to a text format.
429 |
430 | 2008-12-31 Jean-Paul Calderone
431 |
432 | * src/crypto/x509ext.c, test/test_crypto.py: Add the get_short_name
433 | method to X509Extension based on patch from Alex Stapleton.
434 |
435 | 2008-12-31 Jean-Paul Calderone
436 |
437 | * src/crypto/x509ext.c, test/test_crypto.py: Fix X509Extension so
438 | that it is possible to instantiate extensions which use s2i or r2i
439 | instead of v2i (an extremely obscure extension implementation
440 | detail).
441 |
442 | 2008-12-30 Jean-Paul Calderone
443 |
444 | * MANIFEST.in, src/crypto/crypto.c, src/crypto/x509.c,
445 | src/crypto/x509name.c, src/rand/rand.c, src/ssl/context.c: Changes
446 | which eliminate compiler warnings but should not change any
447 | behavior.
448 |
449 | 2008-12-28 Jean-Paul Calderone
450 |
451 | * test/test_ssl.py, src/ssl/ssl.c: Expose DTLS-related constants,
452 | OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, and OP_NO_TICKET.
453 |
454 | 2008-12-28 Jean-Paul Calderone
455 |
456 | * src/ssl/context.c: Add a capath parameter to
457 | Context.load_verify_locations to allow Python code to specify
458 | either or both arguments to the underlying
459 | SSL_CTX_load_verify_locations API.
460 | * src/ssl/context.c: Add Context.set_default_verify_paths, a wrapper
461 | around SSL_CTX_set_default_verify_paths.
462 |
463 | 2008-12-28 Jean-Paul Calderone
464 |
465 | * test/test_crypto.py, src/crypto/x509req.c: Added get_version and
466 | set_version methods to X509ReqType based on patch from Wouter van
467 | Bommel. Resolves LP#274418.
468 |
469 | 2008-09-22 Jean-Paul Calderone
470 |
471 | * Release 0.8
472 |
473 | 2008-10-19 Jean-Paul Calderone
474 |
475 | * tsafe.py: Revert the deprecation of the thread-safe Connection
476 | wrapper. The Connection class should not segfault if used from
477 | multiple threads now, but it generally cannot be relied on to
478 | produce correct results if used without the thread-safe wrapper.
479 | * doc/pyOpenSSL.tex: Correct the documentation for the set_passwd_cb
480 | callback parameter so that it accurately describes the required
481 | signature.
482 |
483 | 2008-09-22 Jean-Paul Calderone
484 |
485 | * Release 0.8a1
486 |
487 | 2008-09-21 Jean-Paul Calderone
488 |
489 | * src/ssl/ssl.h, src/ssl/ssl.c: Add a thread-local storage key
490 | which will be used to store and retrieve PyThreadState pointers
491 | whenever it is necessary to release or re-acquire the GIL.
492 |
493 | * src/ssl/context.c: Change global_verify_callback so that it
494 | unconditionally manipulates the Python threadstate, rather than
495 | checking the tstate field which is now always NULL.
496 |
497 | 2008-04-26 Jean-Paul Calderone
498 |
499 | * src/ssl/context.c: Change global_passphrase_callback and
500 | global_info_callback so that they acquire the GIL before
501 | invoking any CPython APIs and do not release it until after they
502 | are finished invoking all of them (based heavily on patch
503 | from Dan Williams).
504 | * src/ssl/crypto.c: Initialize OpenSSL thread support so that it
505 | is valid to use OpenSSL APIs from more than one thread (based on
506 | patch from Dan Williams).
507 | * test/test_crypto.py: Add tests for load_privatekey and
508 | dump_privatekey when a passphrase or a passphrase callback is
509 | supplied.
510 | * test/test_ssl.py: Add tests for Context.set_passwd_cb and
511 | Context.set_info_callback.
512 |
513 | 2008-04-11 Jean-Paul Calderone
514 |
515 | * Release 0.7
516 |
517 | 2008-03-26 Jean-Paul Calderone
518 |
519 | * src/crypto/x509name.c: Add X509Name.get_components
520 |
521 | 2008-03-25 Jean-Paul Calderone
522 |
523 | * src/crypto/x509name.c: Add hash and der methods to X509Name.
524 | * src/crypto/x509.c: Fix a bug in X509.get_notBefore and
525 | X509.get_notAfter preventing UTCTIME format timestamps from
526 | working.
527 |
528 | 2008-03-12 Jean-Paul Calderone
529 |
530 | * Fix coding problems in examples/. Remove keys and certificates
531 | and add a note about how to generate new ones.
532 |
533 | 2008-03-09 Jean-Paul Calderone
534 |
535 | * src/crypto/x509.c: Add getters and setters for the notBefore and
536 | notAfter attributes of X509s.
537 | * src/crypto/pkey.h, src/crypto/pkey.c, src/crypto/x509req.c,
538 | src/crypto/x509.c: Track the initialized and public/private state
539 | of EVP_PKEY structures underlying the crypto_PKeyObj type and
540 | reject X509Req signature operations on keys not suitable for the
541 | task.
542 |
543 | 2008-03-06 Jean-Paul Calderone
544 |
545 | * src/crypto/x509name.c: Fix tp_compare so it only returns -1, 0, or
546 | 1. This eliminates a RuntimeWarning emitted by Python.
547 | * src/crypto/x509req.c: Fix reference counting for X509Name returned
548 | by X509Req.get_subject. This removes a segfault when the subject
549 | name outlives the request object.
550 | * src/crypto/x509.c: Change get_serial_number and set_serial_number
551 | to accept Python longs.
552 | * doc/pyOpenSSL.tex: A number of minor corrections.
553 |
554 | 2008-03-03 Jean-Paul Calderone
555 |
556 | * src/crypto/crypto.c: Expose X509_verify_cert_error_string. (patch
557 | from Victor Stinner)
558 |
559 | 2008-02-22 Jean-Paul Calderone
560 |
561 | * src/ssl/connection.c src/ssl/context.c src/ssl/ssl.c: Fix
562 | compilation on Windows. (patch from Michael Schneider)
563 |
564 | 2008-02-21 Jean-Paul Calderone
565 |
566 | * src/ssl/connection.c: Expose SSL_get_shutdown and
567 | SSL_set_shutdown. (patch from James Knight)
568 | * src/ssl/ssl.c: Expose SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN.
569 | (patch from James Knight)
570 |
571 | 2008-02-19 Jean-Paul Calderone
572 |
573 | * src/ssl/context.c: Expose SSL_CTX_add_extra_chain_cert.
574 | * src/crypto/x509name.c: Fix memory leaks in __getattr__ and
575 | __setattr__ implementations.
576 | * src/crypto/x509.c: Fix memory leak in X509.get_pubkey().
577 | * leakcheck/: An attempt at a systematic approach to leak
578 | elimination.
579 |
580 | 2004-08-13 Martin Sjögren
581 |
582 | * Released version 0.6.
583 |
584 | 2004-08-11 Martin Sjögren
585 |
586 | * doc/pyOpenSSL.tex: Updates to the docs.
587 |
588 | 2004-08-10 Martin Sjögren
589 |
590 | * src/crypto/x509.c: Add X509.add_extensions based on a patch
591 | from Han S. Lee.
592 | * src/ssl/ssl.c: Add more SSL_OP_ constants. Patch from Mihai
593 | Ibanescu.
594 |
595 | 2004-08-09 Martin Sjögren
596 |
597 | * setup.py src/crypto/: Add support for Netscape SPKI extensions
598 | based on a patch from Tollef Fog Heen.
599 | * src/crypto/crypto.c: Add support for Python passphrase callbacks
600 | based on a patch from Robert Olson.
601 |
602 | 2004-08-03 Martin Sjögren
603 |
604 | * src/ssl/context.c: Applied patch from Frederic Peters to add
605 | Context.use_certificate_chain_file.
606 | * src/crypto/x509.c: Applied patch from Tollef Fog Heen to add
607 | X509.subject_name_hash and X509.digest.
608 |
609 | 2004-08-02 Martin Sjögren
610 |
611 | * src/crypto/crypto.c src/ssl/ssl.c: Applied patch from Bastian
612 | Kleineidam to fix full names of exceptions.
613 |
614 | 2004-07-19 Martin Sjögren
615 |
616 | * doc/pyOpenSSL.tex: Fix the errors regarding X509Name's field names.
617 |
618 | 2004-07-18 Martin Sjögren
619 |
620 | * examples/certgen.py: Fixed wrong attributes in doc string, thanks
621 | Remy. (SFbug#913315)
622 | * __init__.py, setup.py, version.py: Add __version__, as suggested by
623 | Ronald Oussoren in SFbug#888729.
624 | * examples/proxy.py: Fix typos, thanks Mihai Ibanescu. (SFpatch#895820)
625 |
626 | 2003-01-09 Martin Sjögren
627 |
628 | * Use cyclic GC protocol in SSL.Connection, SSL.Context, crypto.PKCS12
629 | and crypto.X509Name.
630 |
631 | 2002-12-02 Martin Sjögren
632 |
633 | * tsafe.py: Add some missing methods.
634 |
635 | 2002-10-06 Martin Sjögren
636 |
637 | * __init__.py: Import tsafe too!
638 |
639 | 2002-10-05 Martin Sjögren
640 |
641 | * src/crypto/x509name.c: Use unicode strings instead of ordinary
642 | strings in getattr/setattr. Note that plain ascii strings should
643 | still work.
644 |
645 | 2002-09-17 Martin Sjögren
646 |
647 | * Released version 0.5.1.
648 |
649 | 2002-09-09 Martin Sjögren
650 |
651 | * setup.cfg: Fixed build requirements for rpms.
652 |
653 | 2002-09-07 Martin Sjögren
654 |
655 | * src/ssl/connection.c: Fix sendall() method. It segfaulted because
656 | it was too generous about giving away the GIL.
657 | * Added SecureXMLRPCServer example, contributed by Michal Wallace.
658 |
659 | 2002-09-06 Martin Sjögren
660 |
661 | * setup.cfg: Updated the build requirements.
662 | * src/ssl/connection.c: Fix includes for AIX.
663 |
664 | 2002-09-04 Anders Hammarquist
665 |
666 | * Added type checks in all the other places where we expect
667 | specific types of objects passed.
668 |
669 | 2002-09-04 Martin Sjögren
670 |
671 | * src/crypto/crypto.c: Added an explicit type check in the dump_*
672 | functions, so that they won't die when e.g. None is passed in.
673 |
674 | 2002-08-25 Martin Sjögren
675 |
676 | * doc/pyOpenSSL.tex: Docs for PKCS12.
677 |
678 | 2002-08-24 Martin Sjögren
679 |
680 | * src/crypto: Added basic PKCS12 support, thanks to Mark Welch
681 |
682 |
683 | 2002-08-16 Martin Sjögren
684 |
685 | * D'oh! Fixes for Python 1.5 and Python 2.1.
686 |
687 | 2002-08-15 Martin Sjögren
688 |
689 | * Version 0.5. Yay!
690 |
691 | 2002-07-25 Martin Sjögren
692 |
693 | * src/ssl/context.c: Added set_options method.
694 | * src/ssl/ssl.c: Added constants for Context.set_options method.
695 |
696 | 2002-07-23 Martin Sjögren
697 |
698 | * Updated docs
699 | * src/ssl/connection.c: Changed the get_cipher_list method to actually
700 | return a list! WARNING: This change makes the API incompatible with
701 | earlier versions!
702 |
703 | 2002-07-15 Martin Sjögren
704 |
705 | * src/ssl/connection.[ch]: Removed the fileno method, it uses the
706 | transport object's fileno instead.
707 |
708 | 2002-07-09 Martin Sjögren
709 |
710 | * src/crypto/x509.c src/crypto/x509name.c: Fixed segfault bug where
711 | you used an X509Name after its X509 had been destroyed.
712 | * src/crypto/crypto.[ch] src/crypto/x509req.c src/crypto/x509ext.[ch]:
713 | Added X509 Extension support. Thanks to Maas-Maarten Zeeman
714 |
715 | * src/crypto/pkey.c: Added bits() and type() methods.
716 |
717 | 2002-07-08 Martin Sjögren
718 |
719 | * src/ssl/connection.c: Moved the contents of setup_ssl into the
720 | constructor, thereby fixing some segfault bugs :)
721 | * src/ssl/connection.c: Added connect_ex and sendall methods.
722 | * src/crypto/x509name.c: Cleaned up comparisons and NID lookup.
723 | Thank you Maas-Maarten Zeeman
724 | * src/rand/rand.c: Fix RAND_screen import.
725 | * src/crypto/crypto.c src/crypto/pkcs7.[ch]: Added PKCS7 management,
726 | courtesy of Maas-Maarten Zeeman
727 | * src/crypto/x509req.c: Added verify method.
728 |
729 | 2002-06-17 Martin Sjögren
730 |
731 | * rpm/, setup.cfg: Added improved RPM-building stuff, thanks to
732 | Mihai Ibanescu
733 |
734 | 2002-06-14 Martin Sjögren
735 |
736 | * examples/proxy.py: Example code for using OpenSSL through a proxy
737 | contributed by Mihai Ibanescu
738 | * Updated installation instructions and added them to the TeX manual.
739 |
740 | 2002-06-13 Martin Sjögren
741 |
742 | * src/ssl/context.c: Changed global_verify_callback so that it uses
743 | PyObject_IsTrue instead of requiring ints.
744 | * Added pymemcompat.h to make the memory management uniform and
745 | backwards-compatible.
746 | * src/util.h: Added conditional definition of PyModule_AddObject and
747 | PyModule_AddIntConstant
748 | * src/ssl/connection.c: Socket methods are no longer explicitly
749 | wrapped. fileno() is the only method the transport layer object HAS
750 | to support, but if you want to use connect, accept or sock_shutdown,
751 | then the transport layer object has to supply connect, accept
752 | and shutdown respectively.
753 |
754 | 2002-06-12 Martin Sjögren
755 |
756 | * Changed comments to docstrings that are visible in Python.
757 | * src/ssl/connection.c: Added set_connect_state and set_accept_state
758 | methods. Thanks to Mark Welch for this.
759 |
760 | 2002-06-11 Martin Sjögren
761 |
762 | * src/ssl/connection.c: accept and connect now use SSL_set_accept_state
763 | and SSL_set_connect_state respectively, instead of SSL_accept and
764 | SSL_connect.
765 | * src/ssl/connection.c: Added want_read and want_write methods.
766 |
767 | 2002-06-05 Martin Sjögren
768 |
769 | * src/ssl/connection.c: Added error messages for Windows. The code is
770 | copied from Python's socketmodule.c. Ick.
771 | * src/ssl/connection.c: Changed the parameters to the SysCallError. It
772 | always has a tuple (number, string) now, even though the number
773 | might not always be useful.
774 |
775 | 2002-04-05 Martin Sjögren
776 |
777 | * Worked more on the Debian packaging, hopefully the packages
778 | are getting into the main Debian archive soon.
779 |
780 | 2002-01-10 Martin Sjögren
781 |
782 | * Worked some more on the Debian packaging, it's turning out real
783 | nice.
784 | * Changed format on this file, I'm going to try to be a bit more
785 | verbose about my changes, and this format makes it easier.
786 |
787 | 2002-01-08 Martin Sjögren
788 |
789 | * Version 0.4.1
790 | * Added some example code
791 | * Added the thread safe Connection object in the 'tsafe' submodule
792 | * New Debian packaging
793 |
794 | 2001-08-09 Martin Sjögren
795 |
796 | * Version 0.4
797 | * Added a compare function for X509Name structures.
798 | * Moved the submodules to separate .so files, with tiny C APIs so they
799 | can communicate
800 | * Skeletal OpenSSL/__init__.py
801 | * Removed the err submodule, use crypto.Error and SSL.Error instead
802 |
803 | 2001-08-06 Martin Sjögren
804 |
805 | * Version 0.3
806 | * Added more types for dealing with certificates (X509Store, X509Req,
807 | PKey)
808 | * Functionality to load private keys, certificates and certificate
809 | requests from memory buffers, and store them too
810 | * X509 and X509Name objects can now be modified as well, very neat when
811 | creating certificates ;)
812 | * Added SSL_MODE_AUTO_RETRY to smooth things for blocking sockets
813 | * Added a sock_shutdown() method to the Connection type
814 | * I don't understand why, but I can't use Py_InitModule() to create
815 | submodules in Python 2.0, the interpreter segfaults on the cleanup
816 | process when I do. I added a conditional compile on the version
817 | number, falling back to my own routine. It would of course be nice to
818 | investigate what is happening, but I don't have the time to do so
819 | * Do INCREF on the type objects before inserting them in the
820 | dictionary, so they will never reach refcount 0 (they are, after all,
821 | statically allocated)
822 |
823 | 2001-07-30 Martin Sjögren
824 |
825 | * Version 0.2
826 | * Lots of tweaking and comments in the code
827 | * Now uses distutils instead of the stupid Setup file
828 | * Hacked doc/tools/mkhowto, html generation should now work
829 |
830 | 2001-07-16 Martin Sjögren
831 |
832 | * Initial release (0.1, don't expect much from this one :-)
833 |
834 |
--------------------------------------------------------------------------------