python3: remove OpenSSL deprecated API patch
authorAlexandru Ardelean <redacted>
Mon, 18 Mar 2019 08:52:44 +0000 (10:52 +0200)
committerYousong Zhou <redacted>
Tue, 19 Mar 2019 06:09:03 +0000 (14:09 +0800)
Fixes: https://github.com/openwrt/packages/issues/8399
These 2 patches cause some breakage for other packages.
For now, we drop them and wait for upstream to finalize a fix.
We can live with the deprecated OpenSSL APIs for a while. There is no need to
hurry, since these patches don't seem to help.

Signed-off-by: Alexandru Ardelean <redacted>
lang/python/python3/Makefile
lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch [deleted file]
lang/python/python3/patches/021-openssl-deprecated.patch [deleted file]

index feee2727013a69f69861d3da5a7c71a13dd9e2f2..0c3c82ca9e745c95b8a14ff461e159e491e7dad3 100644 (file)
@@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
 PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
 
 PKG_NAME:=python3
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
 
 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
diff --git a/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch b/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch
deleted file mode 100644 (file)
index cf33488..0000000
+++ /dev/null
@@ -1,193 +0,0 @@
-From 991f0176e188227647bf4c993d8da81cf794b3ae Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Sun, 25 Feb 2018 20:03:07 +0100
-Subject: [PATCH] bpo-30008: SSL module: emulate tls methods
-
-OpenSSL 1.1 compatility: emulate version specific TLS methods with
-SSL_CTX_set_min/max_proto_version().
----
- .../2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst       |   4 +
- Modules/_ssl.c                                     | 134 ++++++++++++++++-----
- 2 files changed, 108 insertions(+), 30 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
-
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
-@@ -0,0 +1,4 @@
-+The ssl module no longer uses function that are deprecated since OpenSSL
-+1.1.0. The version specific TLS methods are emulated with TLS_method() plus
-+SSL_CTX_set_min/max_proto_version(). Pseudo random numbers are generated
-+with RAND_bytes().
---- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -45,14 +45,6 @@ static PySocketModule_APIObject PySocketModule;
- #include <sys/poll.h>
- #endif
--/* Don't warn about deprecated functions */
--#ifdef __GNUC__
--#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
--#endif
--#ifdef __clang__
--#pragma clang diagnostic ignored "-Wdeprecated-declarations"
--#endif
--
- /* Include OpenSSL header files */
- #include "openssl/rsa.h"
- #include "openssl/crypto.h"
-@@ -201,6 +193,7 @@ static void _PySSLFixErrno(void) {
- #ifndef PY_OPENSSL_1_1_API
- /* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
-+#define ASN1_STRING_get0_data ASN1_STRING_data
- #define TLS_method SSLv23_method
- #define TLS_client_method SSLv23_client_method
- #define TLS_server_method SSLv23_server_method
-@@ -1319,8 +1312,9 @@ _get_peer_alt_names (X509 *certificate) {
-                     goto fail;
-                 }
-                 PyTuple_SET_ITEM(t, 0, v);
--                v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as),
--                                                ASN1_STRING_length(as));
-+                v = PyUnicode_FromStringAndSize(
-+                    (char *)ASN1_STRING_get0_data(as),
-+                    ASN1_STRING_length(as));
-                 if (v == NULL) {
-                     Py_DECREF(t);
-                     goto fail;
-@@ -2959,38 +2953,118 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
- #endif
-     PySSL_BEGIN_ALLOW_THREADS
--    if (proto_version == PY_SSL_VERSION_TLS1)
-+    switch (proto_version) {
-+#if OPENSSL_VERSION_NUMBER <= 0x10100000L
-+    /* OpenSSL < 1.1.0 or not LibreSSL
-+    * Use old-style methods for OpenSSL 1.0.2
-+    */
-+#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
-+    case PY_SSL_VERSION_SSL2:
-+        ctx = SSL_CTX_new(SSLv2_method());
-+        break;
-+#endif
-+#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
-+    case PY_SSL_VERSION_SSL3:
-+        ctx = SSL_CTX_new(SSLv3_method());
-+        break;
-+#endif
-+#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
-+    case PY_SSL_VERSION_TLS1:
-         ctx = SSL_CTX_new(TLSv1_method());
--#if HAVE_TLSv1_2
--    else if (proto_version == PY_SSL_VERSION_TLS1_1)
-+        break;
-+#endif
-+#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
-+    case PY_SSL_VERSION_TLS1_1:
-         ctx = SSL_CTX_new(TLSv1_1_method());
--    else if (proto_version == PY_SSL_VERSION_TLS1_2)
-+        break;
-+#endif
-+#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
-+    case PY_SSL_VERSION_TLS1_2:
-         ctx = SSL_CTX_new(TLSv1_2_method());
-+        break;
- #endif
--#ifndef OPENSSL_NO_SSL3
--    else if (proto_version == PY_SSL_VERSION_SSL3)
--        ctx = SSL_CTX_new(SSLv3_method());
-+#else
-+    /* OpenSSL >= 1.1 or LibreSSL
-+    * create context with TLS_method for all protocols
-+    * no SSLv2_method in OpenSSL 1.1.
-+    */
-+#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
-+    case PY_SSL_VERSION_SSL3:
-+        ctx = SSL_CTX_new(TLS_method());
-+        if (ctx != NULL) {
-+            /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */
-+            SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+            if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION))
-+                result = -2;
-+            if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION))
-+                result = -2;
-+        }
-+        break;
- #endif
--#ifndef OPENSSL_NO_SSL2
--    else if (proto_version == PY_SSL_VERSION_SSL2)
--        ctx = SSL_CTX_new(SSLv2_method());
-+#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
-+    case PY_SSL_VERSION_TLS1:
-+        ctx = SSL_CTX_new(TLS_method());
-+        if (ctx != NULL) {
-+            SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
-+            if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION))
-+                result = -2;
-+            if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION))
-+                result = -2;
-+        }
-+        break;
-+#endif
-+#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
-+    case PY_SSL_VERSION_TLS1_1:
-+        ctx = SSL_CTX_new(TLS_method());
-+        if (ctx != NULL) {
-+            SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
-+            if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION))
-+                result = -2;
-+            if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION))
-+                result = -2;
-+        }
-+        break;
-+#endif
-+#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
-+    case PY_SSL_VERSION_TLS1_2:
-+        ctx = SSL_CTX_new(TLS_method());
-+        if (ctx != NULL) {
-+            SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
-+            if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION))
-+                result = -2;
-+            if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
-+                result = -2;
-+        }
-+        break;
- #endif
--    else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
-+#endif /* OpenSSL >= 1.1 */
-+    case PY_SSL_VERSION_TLS:
-+        /* SSLv23 */
-         ctx = SSL_CTX_new(TLS_method());
--    else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
-+        break;
-+    case PY_SSL_VERSION_TLS_CLIENT:
-         ctx = SSL_CTX_new(TLS_client_method());
--    else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
-+        break;
-+    case PY_SSL_VERSION_TLS_SERVER:
-         ctx = SSL_CTX_new(TLS_server_method());
--    else
--        proto_version = -1;
-+        break;
-+    default:
-+        result = -1;
-+        break;
-+    }
-     PySSL_END_ALLOW_THREADS
--    if (proto_version == -1) {
-+    if (result == -1) {
-         PyErr_SetString(PyExc_ValueError,
-                         "invalid protocol version");
-         return NULL;
-     }
--    if (ctx == NULL) {
-+    else if (result == -2) {
-+        PyErr_SetString(PyExc_ValueError,
-+                        "protocol configuration error");
-+        return NULL;
-+    }
-+    else if (ctx == NULL) {
-         _setSSLError(NULL, 0, __FILE__, __LINE__);
-         return NULL;
-     }
diff --git a/lang/python/python3/patches/021-openssl-deprecated.patch b/lang/python/python3/patches/021-openssl-deprecated.patch
deleted file mode 100644 (file)
index c3650ff..0000000
+++ /dev/null
@@ -1,117 +0,0 @@
---- a/Modules/_hashopenssl.c
-+++ b/Modules/_hashopenssl.c
-@@ -1071,7 +1071,7 @@ PyInit__hashlib(void)
- {
-     PyObject *m, *openssl_md_meth_names;
--#ifndef OPENSSL_VERSION_1_1
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-     /* Load all digest algorithms and initialize cpuid */
-     OPENSSL_add_all_algorithms_noconf();
-     ERR_load_crypto_strings();
---- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -47,6 +47,7 @@ static PySocketModule_APIObject PySocketModule;
- /* Include OpenSSL header files */
- #include "openssl/rsa.h"
-+#include "openssl/dh.h"
- #include "openssl/crypto.h"
- #include "openssl/x509.h"
- #include "openssl/x509v3.h"
-@@ -128,13 +129,13 @@ static void _PySSLFixErrno(void) {
- #include "_ssl_data.h"
- #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
--#  define OPENSSL_VERSION_1_1 1
--#  define PY_OPENSSL_1_1_API 1
-+# define OPENSSL_VERSION_1_1 1
-+# define PY_OPENSSL_1_1_API 1
- #endif
- /* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
- #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
--#  define PY_OPENSSL_1_1_API 1
-+# define PY_OPENSSL_1_1_API 1
- #endif
- /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
-@@ -197,6 +198,11 @@ static void _PySSLFixErrno(void) {
- #define TLS_method SSLv23_method
- #define TLS_client_method SSLv23_client_method
- #define TLS_server_method SSLv23_server_method
-+#define X509_getm_notBefore X509_get_notBefore
-+#define X509_getm_notAfter X509_get_notAfter
-+#define OpenSSL_version_num SSLeay
-+#define OpenSSL_version SSLeay_version
-+#define OPENSSL_VERSION SSLEAY_VERSION
- static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
- {
-@@ -859,7 +865,7 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
-                 goto error;
-             }
-         } else {
--            if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_data(ip),
-+            if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
-                                            ASN1_STRING_length(ip))) {
-                 _setSSLError(NULL, 0, __FILE__, __LINE__);
-                 goto error;
-@@ -1624,7 +1630,7 @@ _decode_certificate(X509 *certificate) {
-     Py_DECREF(sn_obj);
-     (void) BIO_reset(biobuf);
--    notBefore = X509_get_notBefore(certificate);
-+    notBefore = X509_getm_notBefore(certificate);
-     ASN1_TIME_print(biobuf, notBefore);
-     len = BIO_gets(biobuf, buf, sizeof(buf)-1);
-     if (len < 0) {
-@@ -1641,7 +1647,7 @@ _decode_certificate(X509 *certificate) {
-     Py_DECREF(pnotBefore);
-     (void) BIO_reset(biobuf);
--    notAfter = X509_get_notAfter(certificate);
-+    notAfter = X509_getm_notAfter(certificate);
-     ASN1_TIME_print(biobuf, notAfter);
-     len = BIO_gets(biobuf, buf, sizeof(buf)-1);
-     if (len < 0) {
-@@ -3152,7 +3158,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
-        conservative and assume it wasn't fixed until release. We do this check
-        at runtime to avoid problems from the dynamic linker.
-        See #25672 for more on this. */
--    libver = SSLeay();
-+    libver = OpenSSL_version_num();
-     if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
-         !(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
-         SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
-@@ -5159,7 +5175,7 @@ PySSL_RAND(int len, int pseudo)
-     if (bytes == NULL)
-         return NULL;
-     if (pseudo) {
--        ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
-+        ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
-         if (ok == 0 || ok == 1)
-             return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
-     }
-@@ -6176,10 +6192,10 @@ PyInit__ssl(void)
-         return NULL;
-     /* OpenSSL version */
--    /* SSLeay() gives us the version of the library linked against,
-+    /* OpenSSL_version_num() gives us the version of the library linked against,
-        which could be different from the headers version.
-     */
--    libver = SSLeay();
-+    libver = OpenSSL_version_num();
-     r = PyLong_FromUnsignedLong(libver);
-     if (r == NULL)
-         return NULL;
-@@ -6199,7 +6205,7 @@ PyInit__ssl(void)
-     r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
-     if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
-         return NULL;
--    r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
-+    r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION));
-     if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
-         return NULL;