Diffstat (limited to 'src')
-rw-r--r-- | src/_cffi_src/openssl/ssl.py | 21 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 4 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 6 | ||||
-rw-r--r-- | src/cryptography/x509/base.py | 11 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 30 |
5 files changed, 44 insertions, 28 deletions
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 83a7386f..64e4e2f0 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -301,15 +301,6 @@ unsigned long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *);
 /* methods */
-/* SSLv2 support is compiled out of some versions of OpenSSL. These will
- * get special support when we generate the bindings so that if they are
- * available they will be wrapped, but if they are not they won't cause
- * problems (like link errors).
- */
-const SSL_METHOD *SSLv2_method(void);
-const SSL_METHOD *SSLv2_server_method(void);
-const SSL_METHOD *SSLv2_client_method(void);
-
 /*
  * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of
  * OpenSSL support them.
@@ -441,14 +432,12 @@ const long SSL_OP_LEGACY_SERVER_CONNECT = 0;
 #else
 static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
 #endif
-#ifdef OPENSSL_NO_SSL2
+
+/* Cryptography now compiles out all SSLv2 bindings. This exists to allow
+ * clients that use it to check for SSLv2 support to keep functioning as
+ * expected.
+ */
 static const long Cryptography_HAS_SSL2 = 0;
-SSL_METHOD* (*SSLv2_method)(void) = NULL;
-SSL_METHOD* (*SSLv2_client_method)(void) = NULL;
-SSL_METHOD* (*SSLv2_server_method)(void) = NULL;
-#else
-static const long Cryptography_HAS_SSL2 = 1;
-#endif
 #ifdef OPENSSL_NO_SSL3_METHOD
 static const long Cryptography_HAS_SSL3_METHOD = 0;
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 8d9e5e0e..768559cf 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1372,7 +1372,7 @@ class Backend(object):
 # Set the subject's name.
 res = self._lib.X509_set_subject_name(
- x509_cert, _encode_name(self, list(builder._subject_name))
+ x509_cert, _encode_name_gc(self, list(builder._subject_name))
 )
 self.openssl_assert(res == 1)
@@ -1423,7 +1423,7 @@ class Backend(object):
 # Set the issuer name.
 res = self._lib.X509_set_issuer_name(
- x509_cert, _encode_name(self, list(builder._issuer_name))
+ x509_cert, _encode_name_gc(self, list(builder._issuer_name))
 )
 self.openssl_assert(res == 1)
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index dad37436..206c2915 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -276,12 +276,6 @@ CONDITIONAL_NAMES = {
 "TLSv1_2_client_method",
 ],
- "Cryptography_HAS_SSL2": [
- "SSLv2_method",
- "SSLv2_client_method",
- "SSLv2_server_method",
- ],
-
 "Cryptography_HAS_SSL3_METHOD": [
 "SSLv3_method",
 "SSLv3_client_method",
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index c56ca5ee..49761046 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -436,6 +436,11 @@ class CertificateBuilder(object):
 if time <= _UNIX_EPOCH:
 raise ValueError('The not valid before date must be after the unix'
 ' epoch (1970 January 1).')
+ if self._not_valid_after is not None and time > self._not_valid_after:
+ raise ValueError(
+ 'The not valid before date must be before the not valid after '
+ 'date.'
+ )
 return CertificateBuilder(
 self._issuer_name, self._subject_name, self._public_key,
 self._serial_number, time,
@@ -453,6 +458,12 @@ class CertificateBuilder(object):
 if time <= _UNIX_EPOCH:
 raise ValueError('The not valid after date must be after the unix'
 ' epoch (1970 January 1).')
+ if (self._not_valid_before is not None and
+ time < self._not_valid_before):
+ raise ValueError(
+ 'The not valid after date must be after the not valid before '
+ 'date.'
+ )
 return CertificateBuilder(
 self._issuer_name, self._subject_name, self._public_key,
 self._serial_number, self._not_valid_before,
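Review bot: The new check in `not_valid_before` uses a strict `time > self._not_valid_after`, so an equal pair of dates is accepted, while the message says the date 'must be before' the not-valid-after date; the second base.py hunk (`not_valid_after`, strict `<`) has the same mismatch. If a zero-length validity is meant to be allowed, the messages should read `'The not valid before date must not be after the not valid after date.'` and `'The not valid after date must not be before the not valid before date.'`; if not, the comparisons should be `>=` and `<=`. Both comparisons also raise TypeError rather than ValueError when one datetime is timezone-aware and the other naive — presumably the builder normalises them earlier, which is not visible in these hunks. Both enclosing methods start before their hunks.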
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index f2d84d31..27fab86b 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -12,12 +12,34 @@ class ObjectIdentifier(object):
 def __init__(self, dotted_string):
 self._dotted_string = dotted_string
- # Basic validation for being well-formed
- for part in self._dotted_string.split("."):
+ nodes = self._dotted_string.split(".")
+ intnodes = []
+
+ # There must be at least 2 nodes, the first node must be 0..2, and
+ # if less than 2, the second node cannot have a value outside the
+ # range 0..39. All nodes must be integers.
+ for node in nodes:
 try:
- int(part, 0)
+ intnodes.append(int(node, 0))
 except ValueError:
- raise ValueError("Malformed OID: %s" % (self._dotted_string))
+ raise ValueError(
+ "Malformed OID: %s (non-integer nodes)" % (
+ self._dotted_string))
+
+ if len(nodes) < 2:
+ raise ValueError(
+ "Malformed OID: %s (insufficient number of nodes)" % (
+ self._dotted_string))
+
+ if intnodes[0] > 2:
+ raise ValueError(
+ "Malformed OID: %s (first node outside valid range)" % (
+ self._dotted_string))
+
+ if intnodes[0] < 2 and intnodes[1] >= 40:
+ raise ValueError(
+ "Malformed OID: %s (second node outside valid range)" % (
+ self._dotted_string))
 def __eq__(self, other):
 if not isinstance(other, ObjectIdentifier):
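Review bot: The new validation in `__init__` bounds the first node from above (`intnodes[0] > 2`) but never from below, and `int(node, 0)` accepts a leading sign, so an input such as `-1.5` or `1.-3` passes every check and is kept unchanged in `_dotted_string`. Base 0 also accepts `0x`/`0o`/`0b` prefixes (and, on Python 3.6+, underscore separators), so an accepted string need not be plain dotted-decimal even though the new comment says all nodes must be integers. Parsing with `int(node, 10)` and adding `if any(n < 0 for n in intnodes): raise ValueError("Malformed OID: %s (negative node)" % (self._dotted_string))` after the loop would close both gaps; whether a later layer re-normalises the string is not visible here. `__init__` ends inside the hunk, but the class continues past it.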