[Python-checkins] cpython (merge 3.5 -> default): merge 3.5 (closes #25672)

benjamin.peterson python-checkins at python.org
Fri Jan 8 00:39:44 EST 2016


https://hg.python.org/cpython/rev/b5b0394ed20b
changeset:   99805:b5b0394ed20b
parent:      99803:74adca5e885c
parent:      99804:efc8627dcf28
user:        Benjamin Peterson <benjamin at python.org>
date:        Thu Jan 07 21:38:51 2016 -0800
summary:
  merge 3.5 (closes #25672)

files:
  Misc/NEWS      |   3 +++
  Modules/_ssl.c |  17 +++++++++++++++++
  2 files changed, 20 insertions(+), 0 deletions(-)


diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -128,6 +128,9 @@
 Library
 -------
 
+- Issue #25672: In the ssl module, enable the SSL_MODE_RELEASE_BUFFERS mode
+  option if it is safe to do so.
+
 - Issue #22570: Add 'path' attribute to pathlib.Path objects,
   returning the same as str(), to make it more similar to DirEntry.
   Library code can now write getattr(p, 'path', p) to get the path as
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2219,6 +2219,7 @@
     PySSLContext *self;
     long options;
     SSL_CTX *ctx = NULL;
+    unsigned long libver;
 
     PySSL_BEGIN_ALLOW_THREADS
     if (proto_version == PY_SSL_VERSION_TLS1)
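Review bot: `libver` is declared unconditionally here but is only used inside the `#if defined(SSL_MODE_RELEASE_BUFFERS)` block of the second hunk, so a build against an OpenSSL that does not define that macro gets an unused-variable warning. Wrap the declaration in the same guard, `#if defined(SSL_MODE_RELEASE_BUFFERS)` / `unsigned long libver;` / `#endif`, so the two hunks stay consistent. The enclosing function starts before this hunk.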
@@ -2281,6 +2282,22 @@
         options |= SSL_OP_NO_SSLv3;
     SSL_CTX_set_options(self->ctx, options);
 
+#if defined(SSL_MODE_RELEASE_BUFFERS)
+    /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
+       usage for no cost at all. However, don't do this for OpenSSL versions
+       between 1.0.1 and 1.0.1h or 1.0.0 and 1.0.0m, which are affected by CVE
+       2014-0198. I can't find exactly which beta fixed this CVE, so be
+       conservative and assume it wasn't fixed until release. We do this check
+       at runtime to avoid problems from the dynamic linker.
+       See #25672 for more on this. */
+    libver = SSLeay();
+    if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
+        !(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
+        SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
+    }
+#endif
+
+
 #ifndef OPENSSL_NO_ECDH
     /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
        prime256v1 by default.  This is Apache mod_ssl's initialization
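Review bot: The bounds `0x1000108fUL` and `0x100000dfUL` rely on OpenSSL's packed major/minor/fix/patch/status version layout, and a reader cannot check them against the prose comment without knowing that encoding; a comment beside the condition such as `/* excludes 1.0.1 <= v < 1.0.1h and 1.0.0 <= v < 1.0.0m (release status 0xf) */` would make the window auditable against the CVE-2014-0198 advisory named above. The upper bounds are exclusive, so 1.0.1h and 1.0.0m themselves do get the mode set, which appears to match the comment's intent. The two blank lines added before `#ifndef OPENSSL_NO_ECDH` should collapse to one. The enclosing function continues past this hunk.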
