From 6c1d48374dfa7e6ef1ce3ba151fc6fc203a5bc17 Mon Sep 17 00:00:00 2001
From: julianz-
Date: Fri, 18 Aug 2023 12:25:50 -0700
Subject: [PATCH] Fix for problem caused by SSL_WANT_READ or SSL_WANT_WRITE errors.

When SSL_WANT_READ or SSL_WANT_WRITE are encountered, it's typical to retry the call but this must be repeated with the exact same arguments. Without this change, openSSL requires that the address of the buffer passed is the same. However, buffers in python can change location in some circumstances which cause the retry to fail. By add the setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, the requirement for the same buffer address is forgiven and the retry has a better chance of success. See cherrypy/cheroot#245 for discussion.
---
 CHANGELOG.rst      | 17 +++++++++++++++++
 setup.py           |  2 +-
 src/OpenSSL/SSL.py | 25 +++++++++----------------
 tox.ini            |  2 +-
 4 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 6e23770d..4258fe8b 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -4,6 +4,23 @@ Changelog
 Versions are year-based with a strict backward-compatibility policy.
 The third digit is only for regressions.
 
+24.1.0 (UNRELEASED)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- ``pyOpenSSL`` now sets ``SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`` by default, matching CPython's behavior. `#1287 `_.
+- The minimum ``cryptography`` version is now 42.0.0.
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+
 24.0.0 (2024-01-22)
 -------------------
 
diff --git a/setup.py b/setup.py
index 2f023168..790d3518 100644
--- a/setup.py
+++ b/setup.py
@@ -93,7 +93,7 @@ def find_meta(meta):
     packages=find_packages(where="src"),
     package_dir={"": "src"},
     install_requires=[
-        "cryptography>=41.0.5,<43",
+        "cryptography>=42.0.0,<43",
     ],
     extras_require={
         "test": ["flaky", "pretend", "pytest>=3.0.1"],
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 4db5240e..06f38fd2 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -163,20 +163,11 @@
 DTLS_SERVER_METHOD = 11
 DTLS_CLIENT_METHOD = 12
 
-try:
-    SSL3_VERSION = _lib.SSL3_VERSION
-    TLS1_VERSION = _lib.TLS1_VERSION
-    TLS1_1_VERSION = _lib.TLS1_1_VERSION
-    TLS1_2_VERSION = _lib.TLS1_2_VERSION
-    TLS1_3_VERSION = _lib.TLS1_3_VERSION
-except AttributeError:
-    # Hardcode constants for cryptography < 3.4, see
-    # https://github.com/pyca/pyopenssl/pull/985#issuecomment-775186682
-    SSL3_VERSION = 768
-    TLS1_VERSION = 769
-    TLS1_1_VERSION = 770
-    TLS1_2_VERSION = 771
-    TLS1_3_VERSION = 772
+SSL3_VERSION = _lib.SSL3_VERSION
+TLS1_VERSION = _lib.TLS1_VERSION
+TLS1_1_VERSION = _lib.TLS1_1_VERSION
+TLS1_2_VERSION = _lib.TLS1_2_VERSION
+TLS1_3_VERSION = _lib.TLS1_3_VERSION
 
 OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
 OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
@@ -864,8 +855,10 @@ def __init__(self, method):
         self._ocsp_data = None
         self._cookie_generate_helper = None
         self._cookie_verify_helper = None
-
-        self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)
+        self.set_mode(
+            _lib.SSL_MODE_ENABLE_PARTIAL_WRITE
+            | _lib.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
+        )
         if version is not None:
             self.set_min_proto_version(version)
             self.set_max_proto_version(version)
diff --git a/tox.ini b/tox.ini
index d0543d6a..771a0c74 100644
--- a/tox.ini
+++ b/tox.ini
@@ -18,7 +18,7 @@ extras =
     test
 deps =
     coverage>=4.2
-    cryptographyMinimum: cryptography==41.0.5
+    cryptographyMinimum: cryptography==42.0.0
     randomorder: pytest-randomly
 setenv =
     # Do not allow the executing environment to pollute the test environment
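Review bot: With the `except AttributeError` fallback removed, the five `_lib.*_VERSION` lookups at the top of the first SSL.py hunk now run unguarded at import time, so an environment whose cryptography bindings predate these constants fails with a bare AttributeError from `_lib` rather than a message naming the 42.0.0 floor that setup.py now pins. If the package does not already check the cryptography version at import (not visible in this hunk), a one-line note beside the constants would make that failure mode clear: `# Requires cryptography >= 42.0.0 (see setup.py); older bindings do not expose these constants.`. These assignments are module level, so no enclosing definition is cut by the hunk.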
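Review bot: The rationale for ORing `_lib.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` into the default mode lives only in the commit message, while the `set_mode(...)` call in the second SSL.py hunk carries no comment, and the next reader also needs the caveat that this mode relaxes only the buffer-address check on a WANT_READ/WANT_WRITE retry — the retried contents and length must still be identical, or the write is corrupted rather than rejected. Suggest preceding the call with `# A WANT_READ/WANT_WRITE retry may present the same data from a different address` / `# (Python buffers can move); the retried bytes and length must still match.`. Since the underlying SSL_CTX_set_mode is additive, a later `set_mode` call cannot remove this bit, which presumably is intended given the CHANGELOG lists the new default as backward-incompatible. `__init__` continues on both sides of the hunk.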