mirror of https://github.com/openSUSE/osc.git synced 2024-12-31 20:26:13 +01:00
Commit Graph

35 Commits

Author SHA1 Message Date
Marcus Huewe
b730f880cf Disable ssl session resumption
The old code could potentially lead to a use-after-free situation,
which results in UB. For this, consider the following scenario, where
osc performs several HTTPS requests (assumption: the server supports
ssl session resumption):

- HTTPS Request 1:
  * a new SSL *s connection is established, which also creates a new
    SSL_SESSION *ss => ss->references == 1
  * once the handshake is done, the ss is put into the session cache
    (see ssl_update_cache) => ss->references == 2
  * osc saves the session ss in a class variable
  * s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1

- HTTPS Request 2:
  * setup a new SSL *s connection that reuses the saved session ss
    => ss->references == 2
  * once the handshake is done, ssl_update_cache is called, which is a
    NOP, because s->hit == 1 (that is, the session was resumed)
  * osc saves the session ss in a class variable
  * s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1

...

> 2 hours later (see tls1_default_timeout)

...

- HTTPS Request 256:
  * setup a new SSL *s connection that reuses the saved session ss
    => ss->references == 2
  * once the handshake is done, ssl_update_cache is called, but is
    _not_ a NOP anymore
  * ssl_update_cache flushes the session cache (this is done every
    255/256 (depending on the way we count) connections) => ss is
    SSL_SESSION_free()d => ss->references == 1
  * osc saves the session ss in a class variable
  * s is SSL_free()d, which calls SSL_SESSION_free:
    since ss->references == 1, ss is eventually free()d

- HTTPS Request 257:
  * setup a new SSL *s connection that reuses the saved session ss

Since ss does not exist anymore, the remaining program execution is UB.

(Note: SSL_free(...) is _NOT_ called if M2Crypto 0.29 is used.
M2Crypto 0.30 calls SSL_free(...) again.)

Due to a bug in OpenSSL_1_1_0h (see openssl commit 8e405776858) the
scenario from above can be triggered with exactly 2 HTTPS requests (the
SSL_SESSION is not cached, because we configured SSL_VERIFY_PEER, but
no sid_ctx was set). This is fixed in openssl commit c4fa1f7fc01.

In order to reliably reuse a session, we probably need to listen to the
session cache changes. Such callbacks could be registered via
SSL_CTX_sess_set_new_cb and/or SSL_CTX_sess_set_remove_cb, but both
functions are not provided by M2Crypto. Another idea is to directly utilize
the session cache, but this also has to be implemented in M2Crypto first.
Yet another approach is to retrieve the session via SSL_get1_session, which
increases the session's refcnt, but this also needs to be implemented in
M2Crypto first (if we choose to use this approach, we also have to make
sure that we eventually free the session manually...).

Fixes: #398 ("SIGSEGV on \"osc commit\"")
2018-05-08 14:32:33 +02:00
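The refcount walk-through in the commit message above, carried through as a small model, as an added illustration that is neither osc nor OpenSSL code: the 255-connection flush interval and the 2-hour timeout are the numbers the commit gives, everything else (the `Session`, `Cache`, `session_free` and `run_requests` names) is a simplified model of OpenSSL's reference counting. It reproduces the old osc behaviour (saving the session without taking a reference) and, for contrast, the SSL_get1_session-style approach the commit mentions, where the client holds its own reference.

```python
# Refcount model of the SSL_SESSION scenario in the commit message above.
# Added illustration, not osc or OpenSSL code: the 255-connection flush and
# the 2-hour timeout are the commit's numbers, everything else is simplified.
TIMEOUT = 2 * 3600   # tls1_default_timeout, in seconds
FLUSH_EVERY = 255    # ssl_update_cache flushes expired sessions this often

class Session:
    def __init__(self, created):
        self.created, self.references = created, 1  # SSL_SESSION_new: one ref

def session_free(ss):  # SSL_SESSION_free: drop one reference, dies at zero
    if ss.references <= 0:
        raise RuntimeError("use-after-free: session already freed")
    ss.references -= 1

class Cache:
    """SSL_CTX session cache plus the flush rule from ssl_update_cache."""
    def __init__(self):
        self.entries, self.connections = [], 0

    def update(self, ss, resumed, now):
        if not resumed:   # s->hit == 0: the cache takes its own reference
            ss.references += 1
            self.entries.append(ss)
        self.connections += 1
        if self.connections % FLUSH_EVERY == 0:   # flush expired sessions
            expired = [e for e in self.entries if now - e.created >= TIMEOUT]
            for e in expired:
                session_free(e)   # the cache drops its reference
            self.entries = [e for e in self.entries if e not in expired]

def run_requests(n, hold_own_reference):
    """n HTTPS requests one minute apart, reusing one session; returns the
    final refcount or raises on use-after-free. hold_own_reference=False is
    the old osc code (saves ss without a reference), True = SSL_get1_session."""
    cache, saved = Cache(), None
    for i in range(n):
        now = i * 60
        if saved is None:
            ss = Session(created=now)
        elif saved.references <= 0:
            raise RuntimeError("use-after-free: resuming a freed session")
        else:
            ss = saved
            ss.references += 1   # SSL_set_session takes a reference
        cache.update(ss, saved is not None, now)
        if hold_own_reference and saved is None:
            ss.references += 1   # SSL_get1_session: our reference, freed by us
        saved = ss
        session_free(ss)         # SSL_free drops the connection's reference
    return saved.references
```

With the old behaviour the session dies at the first flush after the timeout and the next request resumes a freed session; with a held reference the count never drops below one, which is exactly the reference the commit says would then have to be freed manually.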
305501f92c Revert "handle SSL connection closing ourself as advised in boo#1068470 bye"
This reverts commit 0ddb598743.

It was incomplete and seems to be the wrong approach.
2018-02-26 15:54:20 +01:00
0ddb598743 handle SSL connection closing ourselves as advised in boo#1068470 by
M2Crypto upstream maintainer.

Should fix hanging connections
2018-02-23 07:33:27 +01:00
Marcus Huewe
ff19a5f539 Fix SSL.Connection instantiation in case of an old M2Crypto
Do not pass a family parameter to SSL.Connection's constructor if it
does not support it. If the family parameter is not supported, we
_try_ to fall back to socket.AF_INET, which is implicitly used by
older versions of the SSL.Connection class.

Fixes: #274 ("osc 0.157 Exception AttributeError: "Connection
instance has no attribute 'ssl_close_flag'"")
2017-03-09 13:34:17 +01:00
Marcus Huewe
3b3bb21645 Fix IPv6 support in myHTTPSConnection.connect
So far, the AF_INET family was implicitly used. Now, we try all families
returned by socket.getaddrinfo.

Fixes: #261
2017-01-29 22:43:42 +01:00
Oleg Girko
c62c9f54a0 Add support for TLS SNI if M2Crypto supports it.
Currently osc can't access API URLs which share the same IP address
with other SSL-enabled sites, complaining about certificate
not matching hostname.

This change solves this problem by instructing M2Crypto.SSL.Connection
to send the desired hostname to https server using TLS SNI extension,
thus allowing the server to present the right certificate and choose
the right virtual site.

This is useful for those who can't afford to have a separate IP address
for OBS API.

For TLS SNI to work correctly, M2Crypto should be patched:
https://bugzilla.osafoundation.org/show_bug.cgi?id=13073
Some distributions (like Fedora) already include this patch.

With an unpatched M2Crypto, osc degrades to operation without TLS SNI.

Signed-off-by: Oleg Girko <ol@infoserver.lv>
2015-08-13 11:11:42 +01:00
Christian Berendt
d35983d5b8 Resolve PEP8 issue W291
* W291 trailing whitespace
2014-08-12 15:01:16 +02:00
Marcus Huewe
0ac1d32945 - oscssl.verify_certificate: also print cert info if http_debug is set
If http_debug is set we redirect sys.stdout to a StringIO
instance in order to do some header filtering (see conf module),
so we have to use the "original" stdout for printing the certificate
information.
2013-06-15 08:53:26 +02:00
Danny Al-Gaaf
c84f413c10 oscssl.py: remove reimport of m2 from M2Crypto
Signed-off-by: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
2013-05-27 13:47:48 +02:00
Michal Vyskocil
419367fca3 python3 compatibility: urllib
fixes all renames in urllib, urllib2, urlparse modules in python3
2013-04-16 10:51:42 +02:00
Michal Vyskocil
5cc72902e0 python3 compatibility: raw_input
raw_input has been removed and equals input in py3. Unfortunately no
__future__ statement exists for that. Ensure all modules use
osc.core.raw_input except osc.cmdln, where there is a NameError way
implemented.
2013-04-16 10:51:41 +02:00
Michal Vyskocil
b534ae0a6a python3 compatibility: raise
support for old-style exceptions has been removed from python3
2013-04-16 10:51:41 +02:00
Michal Vyskocil
7f2031558c python3 compatibility: print function
The most visible change in python3 - removal of the print statement and all
the crufty
   print >> sys.stderr, foo,

The from __future__ import print_function makes it available in python
2.6
2013-04-16 10:51:41 +02:00
Michal Vyskocil
87d354e1a0 python3 compatibility: import proper modules
Some modules (httplib, StringIO, ...) were renamed in python3. This
patch tries to import the proper symbols from python3 and then falls back to
python2 in case an ImportError appears.

There is one exception: python 2.7 got the io module with StringIO, but
it allows unicode arguments only. Therefore the old module is poked before
the new one.
2013-04-16 10:51:18 +02:00
Michal Vyskocil
3a93ac6d10 python3 compatibility: except
changes 'except FooError, fe' to 'except FooError as fe'

available in python 2.6
2013-04-16 10:51:17 +02:00
Cristian Rodríguez
0770470596 watchout the BEAST...
This patch works around the BEAST attack on the client side by
making OSC prefer TLS v1.1 or v1.2 ciphers/key exchanges
when available.
Now, as long as openSUSE API webservers do not support
these protocols, it will prefer the RC4-SHA1 combination to
be on the safe side.
2012-07-15 23:20:19 -04:00
Ludwig Nussel
0f2e8e257d relax the cipher string to make it work with real world deployments again 2012-01-18 16:50:46 +01:00
Ludwig Nussel
1f8bed8221 don't set SSL_OP_ALL
SSL_OP_ALL contains SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS which actually
fixes a weakness in SSL.
2012-01-18 16:50:46 +01:00
Cristian Rodríguez
931d216ea0 Set the SSL client cipher list to only use very strong algorithms. 2011-08-16 11:33:56 +02:00
Ludwig Nussel
e8505d829b allow TLS only 2011-04-20 14:12:59 +02:00
Ludwig Nussel
eee8c96d0c use ssl session resumption
saves some cycles if osc makes several requests
2011-04-18 11:03:42 +02:00
Marcus Huewe
186d4ae4f7 - fix for 3892117558 2011-01-05 17:00:19 +01:00
Michal Čihař
3892117558 Print warnings to stderr.
This way we can avoid confusion for programs which do parse osc output.
2011-01-05 16:32:41 +01:00
Marcus Huewe
306507748c - fixed proxy handling (broken by 53361a50f1)
- this fixes #657958 ("openSUSE:Tools/osc: Bug")
- oscssl.myProxyHTTPSConnection: proxy auth works again
2010-12-17 18:14:11 +01:00
Marcus Huewe
53361a50f1 - oscssl.myHTTPSHandler.https_open: use selector instead of fullurl
- fixes an issue with lighttpd 1.5
2010-11-16 21:29:33 +01:00
Marcus Huewe
6b9621b5b9 - fix for python2.7/m2crypto: M2Crypto.httpslib.ProxyHTTPSConnection defines "endheaders" without parameters
Now "myProxyHTTPSConnection" inherits from "M2Crypto.httpslib.ProxyHTTPSConnection" _and_ "httplib.HTTPSConnection".
The latter class is only used to call "httplib.HTTPSConnection.endheaders". This multiple inheritance shouldn't have any side-effects
because "M2Crypto.httpslib.ProxyHTTPSConnection" already inherits from "httplib.HTTPSConnection" (and mro will pick the methods from
"M2Crypto.httpslib.ProxyHTTPSConnection" first).
2010-09-16 14:28:14 +02:00
Juergen Weigert
f25bfa6ad1 Made URLError readable instead of a bogus stack trace.
Added full_url to even give a hint about the cause.
2010-03-07 21:56:29 +01:00
Pavol Rusnak
8d551e0a69 fix whitespace 2010-02-28 02:30:13 +01:00
Ludwig Nussel
32e99306b4 add vim mode lines to avoid evil tab characters :-) 2010-02-25 09:53:45 +01:00
Marcus Huewe
f16cc7e667 - convert tabs to spaces... 2010-02-24 20:02:52 +01:00
Marcus Huewe
14288a9468 - changed appname handling 2010-01-20 14:46:10 +01:00
Ludwig Nussel
f2f948388e appname should be osc for ssl support 2010-01-20 09:15:51 +01:00
Marcus Huewe
52b22b19a5 - fixed proxy support when using m2crypto 2010-01-08 22:20:40 +01:00
Ludwig Nussel
11c22ac9c1 reset Validation errors after each connect 2009-11-17 13:39:40 +00:00
Ludwig Nussel
c3f6f03e3c better ssl certificate verification
+ now allows to store&compare peer certificate
- needs more python hacks
2009-11-13 10:46:23 +00:00