--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
-@@ -48,7 +48,9 @@
+@@ -45,10 +45,12 @@
+
+ #define MUNCH_SIZE INT_MAX
+
++#if !defined(LIBRESSL_VERSION_NUMBER)
#define PY_OPENSSL_HAS_SCRYPT 1
#define PY_OPENSSL_HAS_SHA3 1
#define PY_OPENSSL_HAS_SHAKE 1
-+#ifndef OPENSSL_NO_BLAKE2
#define PY_OPENSSL_HAS_BLAKE2 1
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PY_EVP_MD EVP_MD
+@@ -119,6 +121,7 @@ static const py_hashentry_t py_hashes[]
+ PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256),
+ PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
+ PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ /* truncated sha2 */
+ PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224),
+ PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256),
+@@ -133,6 +136,7 @@ static const py_hashentry_t py_hashes[]
+ /* blake2 digest */
+ PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256),
+ PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512),
++#endif
+ PY_HASH_ENTRY(NULL, NULL, NULL, 0),
+ };
+
+@@ -873,11 +877,15 @@ py_evp_fromname(PyObject *module, const
+ goto exit;
+ }
+
++#if defined(LIBRESSL_VERSION_NUMBER)
++ type = get_hashlib_state(module)->EVPtype;
++#else
+ if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
+ type = get_hashlib_state(module)->EVPXOFtype;
+ } else {
+ type = get_hashlib_state(module)->EVPtype;
+ }
++#endif
+
+ self = newEVPobject(type);
+ if (self == NULL) {
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
-@@ -67,7 +67,18 @@
+@@ -67,6 +67,12 @@
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
-+#ifdef OPENWRT_HOST_BUILD
-+#undef TLS1_3_VERSION
-+static STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
-+{
-+ return NULL;
-+}
-
++#ifdef LIBRESSL_VERSION_NUMBER
+static int SSL_CTX_get_security_level(const SSL_CTX *ctx)
+{
-+ return 0;
++ return 1;
+}
+#endif
- struct py_ssl_error_code {
- const char *mnemonic;
-@@ -291,8 +302,10 @@ typedef struct {
- int post_handshake_auth;
- #endif
- PyObject *msg_cb;
-+#ifndef OPENWRT_HOST_BUILD
- PyObject *keylog_filename;
- BIO *keylog_bio;
-+#endif
- /* Cached module state, also used in SSLSocket and SSLSession code. */
- _sslmodulestate *state;
- } PySSLContext;
-@@ -2358,8 +2371,14 @@ _ssl__SSLSocket_write_impl(PySSLSocket *
-
- do {
- PySSL_BEGIN_ALLOW_THREADS
-+#ifdef OPENWRT_HOST_BUILD
-+ retval = SSL_write(self->ssl, b->buf, (int)b->len);
-+ if (retval > 0) count = retval;
-+ err = _PySSL_errno(retval <= 0, self->ssl, retval);
-+#else
- retval = SSL_write_ex(self->ssl, b->buf, (size_t)b->len, &count);
- err = _PySSL_errno(retval == 0, self->ssl, retval);
-+#endif
- PySSL_END_ALLOW_THREADS
- self->err = err;
-
-@@ -2510,8 +2529,14 @@ _ssl__SSLSocket_read_impl(PySSLSocket *s
- do {
- PySSL_BEGIN_ALLOW_THREADS
-+#ifdef OPENWRT_HOST_BUILD
-+ retval = SSL_read(self->ssl, mem, len);
-+ if (retval > 0) count = retval;
-+ err = _PySSL_errno(retval <= 0, self->ssl, retval);
+ struct py_ssl_error_code {
+@@ -169,7 +175,11 @@ extern const SSL_METHOD *TLSv1_2_method(
+ * Based on Hynek's excellent blog post (update 2021-02-11)
+ * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ */
++#ifndef LIBRESSL_VERSION_NUMBER
+ #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
+#else
- retval = SSL_read_ex(self->ssl, mem, (size_t)len, &count);
- err = _PySSL_errno(retval == 0, self->ssl, retval);
-+#endif
- PySSL_END_ALLOW_THREADS
- self->err = err;
-
-@@ -3074,8 +3099,10 @@ _ssl__SSLContext_impl(PyTypeObject *type
- self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
- self->protocol = proto_version;
- self->msg_cb = NULL;
-+#ifndef OPENWRT_HOST_BUILD
- self->keylog_filename = NULL;
- self->keylog_bio = NULL;
-+#endif
- self->alpn_protocols = NULL;
- self->set_sni_cb = NULL;
- self->state = get_ssl_state(module);
-@@ -3199,6 +3226,7 @@ context_clear(PySSLContext *self)
- {
- Py_CLEAR(self->set_sni_cb);
- Py_CLEAR(self->msg_cb);
-+#ifndef OPENWRT_HOST_BUILD
- Py_CLEAR(self->keylog_filename);
- if (self->keylog_bio != NULL) {
- PySSL_BEGIN_ALLOW_THREADS
-@@ -3206,6 +3234,7 @@ context_clear(PySSLContext *self)
- PySSL_END_ALLOW_THREADS
- self->keylog_bio = NULL;
- }
-+#endif
- return 0;
- }
-
-@@ -4615,8 +4644,10 @@ static PyGetSetDef context_getsetlist[]
- (setter) set_minimum_version, NULL},
- {"maximum_version", (getter) get_maximum_version,
- (setter) set_maximum_version, NULL},
-+#ifndef OPENWRT_HOST_BUILD
- {"keylog_filename", (getter) _PySSLContext_get_keylog_filename,
- (setter) _PySSLContext_set_keylog_filename, NULL},
-+#endif
- {"_msg_callback", (getter) _PySSLContext_get_msg_callback,
- (setter) _PySSLContext_set_msg_callback, NULL},
- {"sni_callback", (getter) get_sni_callback,
---- a/Modules/_ssl/debughelpers.c
-+++ b/Modules/_ssl/debughelpers.c
-@@ -114,6 +114,8 @@ _PySSLContext_set_msg_callback(PySSLCont
- return 0;
- }
-
-+#ifndef OPENWRT_HOST_BUILD
-+
- static void
- _PySSL_keylog_callback(const SSL *ssl, const char *line)
- {
-@@ -217,3 +219,5 @@ _PySSLContext_set_keylog_filename(PySSLC
- SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback);
- return 0;
- }
-+
++ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
+#endif
+ #ifndef PY_SSL_MIN_PROTOCOL
+ #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
+ #endif
git.99rst.org / openwrt-packages.git / commitdiff