author | Christopher Baines <mail@cbaines.net> | 2015-12-22 13:47:07 +0000 |
---|---|---|
committer | Christopher Baines <mail@cbaines.net> | 2015-12-22 13:48:06 +0000 |
commit | 79f51e45f74dd32f9c1a103150ded9d575f5f94c (patch) | |
tree | adcea8da78181c97b46d4483657877b2b348833a /requests/packages/urllib3/util/ssl_.py | |
parent | 59759b30c8a8f23377afe562a44ddc893dbbb833 (diff) | |
parent | 08c16e06ad11c6fcb26f4ca1ea3f11093598092f (diff) | |
change version to 2.9.1-1 (UNRELEASED)
New upstream release 2.9.1
Diffstat (limited to 'requests/packages/urllib3/util/ssl_.py')
-rw-r--r-- | requests/packages/urllib3/util/ssl_.py | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/requests/packages/urllib3/util/ssl_.py b/requests/packages/urllib3/util/ssl_.py index 47b817e..67f8344 100644 --- a/requests/packages/urllib3/util/ssl_.py +++ b/requests/packages/urllib3/util/ssl_.py @@ -1,7 +1,12 @@ +from __future__ import absolute_import +import errno +import warnings +import hmac + from binascii import hexlify, unhexlify from hashlib import md5, sha1, sha256 -from ..exceptions import SSLError, InsecurePlatformWarning +from ..exceptions import SSLError, InsecurePlatformWarning, SNIMissingWarning SSLContext = None @@ -15,8 +20,23 @@ HASHFUNC_MAP = { 64: sha256, } -import errno -import warnings + +def _const_compare_digest_backport(a, b): + """ + Compare two digests of equal length in constant time. + + The digests must be of type str/bytes. + Returns True if the digests match, and False otherwise. + """ + result = abs(len(a) - len(b)) + for l, r in zip(bytearray(a), bytearray(b)): + result |= l ^ r + return result == 0 + + +_const_compare_digest = getattr(hmac, 'compare_digest', + _const_compare_digest_backport) + try: # Test for SSL features import ssl @@ -134,7 +154,7 @@ def assert_fingerprint(cert, fingerprint): cert_digest = hashfunc(cert).digest() - if cert_digest != fingerprint_bytes: + if not _const_compare_digest(cert_digest, fingerprint_bytes): raise SSLError('Fingerprints did not match. Expected "{0}", got "{1}".' .format(fingerprint, hexlify(cert_digest))) 
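Review bot: The docstring of `_const_compare_digest_backport` promises inputs "of equal length", yet the body also accepts unequal lengths (`abs(len(a) - len(b))` seeds a non-zero result) and `zip` stops at the shorter input, so running time follows the length and only the byte content is compared in constant time. That is acceptable for fixed-size digests, but the docstring should say so, for example `Inputs of different length compare unequal; the lengths themselves are not hidden.` The `getattr` fallback would be easier to audit with a comment such as `# hmac.compare_digest exists from Python 2.7.7 and 3.3; the backport covers older interpreters`, and the loop variable `l` is easy to misread as `1`, so `for x, y in zip(bytearray(a), bytearray(b)):` is clearer. The new call in `assert_fingerprint` (the next hunk) needs both arguments to be byte strings of the same type, since `hmac.compare_digest` raises TypeError otherwise; `fingerprint_bytes` is built outside the hunk, so that is worth confirming.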
@@ -283,4 +303,15 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
 context.load_cert_chain(certfile, keyfile)
 if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
 return context.wrap_socket(sock, server_hostname=server_hostname)
+
+ warnings.warn(
+ 'An HTTPS request has been made, but the SNI (Subject Name '
+ 'Indication) extension to TLS is not available on this platform. '
+ 'This may cause the server to present an incorrect TLS '
+ 'certificate, which can cause validation failures. For more '
+ 'information, see '
+ 'https://urllib3.readthedocs.org/en/latest/security.html'
+ '#snimissingwarning.',
+ SNIMissingWarning
+ )
 return context.wrap_socket(sock) |
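Review bot: The warning text expands SNI as "Subject Name Indication", but the TLS extension is Server Name Indication, so the first string line should read `'An HTTPS request has been made, but the SNI (Server Name '`. The `warnings.warn` call also passes no `stacklevel`, so the reported location is this line in `ssl_.py` rather than the code that opened the connection; whether a higher value would point somewhere useful depends on call depth that is not visible here. The body of `ssl_wrap_socket` starts outside the hunk.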