diff options
| author | Melvyn Sopacua <melvyn-sopacua@users.noreply.github.com> | 2017-09-04 21:35:15 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@python.org> | 2017-09-04 21:35:15 (GMT) |
| commit | b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8 (patch) | |
| tree | fd4406a8c07c523d5d5b13a8a5563c697b48f001 | |
| parent | 973b901212bd84d279904bab6654709f4ec32470 (diff) | |
| download | cpython-b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8.zip cpython-b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8.tar.gz cpython-b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8.tar.bz2 | |
bpo-30622: Change NPN detection: (#2079)
* Change NPN detection:
Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
* Refine NPN guard:
- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way
This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.
Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:
#if defined(OPENSSL_NO_NEXTPROTONEG) && \
!defined(OPENSSL_NPN_NEGOTIATED)
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
#endif
[1] https://github.com/openssl/openssl/commit/68b33cc5c7
| -rw-r--r-- | Modules/_ssl.c | 16 | ||||
| -rw-r--r-- | Modules/clinic/_ssl.c.h | 4 |
2 files changed, 11 insertions, 9 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index e8abcb2..b7761d7 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -315,7 +315,7 @@ static unsigned int _ssl_locks_count = 0; typedef struct { PyObject_HEAD SSL_CTX *ctx; -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) unsigned char *npn_protocols; int npn_protocols_len; #endif @@ -1697,7 +1697,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self) return PyUnicode_FromString(version); } -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) /*[clinic input] _ssl._SSLSocket.selected_npn_protocol [clinic start generated code]*/ @@ -2647,7 +2647,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) return NULL; } self->ctx = ctx; -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) self->npn_protocols = NULL; #endif #ifdef HAVE_ALPN @@ -2782,7 +2782,7 @@ context_dealloc(PySSLContext *self) PyObject_GC_UnTrack(self); context_clear(self); SSL_CTX_free(self->ctx); -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) PyMem_FREE(self->npn_protocols); #endif #ifdef HAVE_ALPN @@ -2860,7 +2860,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self) #endif -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN) static int do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, const unsigned char *server_protocols, unsigned int server_protocols_len, @@ -2884,7 +2884,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, return SSL_TLSEXT_ERR_OK; } +#endif +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ static int _advertiseNPN_cb(SSL *s, @@ -2927,7 +2929,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self, Py_buffer *protos) /*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/ { -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) PyMem_Free(self->npn_protocols); self->npn_protocols = PyMem_Malloc(protos->len); if (self->npn_protocols == NULL) @@ -5397,7 +5399,7 @@ PyInit__ssl(void) Py_INCREF(r); PyModule_AddObject(m, "HAS_ECDH", r); -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) r = Py_True; #else r = Py_False; diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h index ac205f6..fa4f7e2 100644 --- a/Modules/clinic/_ssl.c.h +++ b/Modules/clinic/_ssl.c.h @@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored)) return _ssl__SSLSocket_version_impl(self); } -#if defined(OPENSSL_NPN_NEGOTIATED) +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__, "selected_npn_protocol($self, /)\n" @@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign return _ssl__SSLSocket_selected_npn_protocol_impl(self); } -#endif /* defined(OPENSSL_NPN_NEGOTIATED) */ +#endif /* defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) */ #if defined(HAVE_ALPN) |