diff options
| author | Christian Heimes <christian@python.org> | 2021-04-19 05:27:10 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-04-19 05:27:10 (GMT) |
| commit | 2875c603b2a7691b55c2046aca54831c91efda8e (patch) | |
| tree | dd22c59c35f8c113175befbe46a31fb2ecc24733 /Modules | |
| parent | 89d1550d14ba689af12eeb726e4ff8ce73cee7e1 (diff) | |
| download | cpython-2875c603b2a7691b55c2046aca54831c91efda8e.zip cpython-2875c603b2a7691b55c2046aca54831c91efda8e.tar.gz cpython-2875c603b2a7691b55c2046aca54831c91efda8e.tar.bz2 | |
bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455)
* ssl.OP_NO_SSLv2
* ssl.OP_NO_SSLv3
* ssl.OP_NO_TLSv1
* ssl.OP_NO_TLSv1_1
* ssl.OP_NO_TLSv1_2
* ssl.OP_NO_TLSv1_3
* ssl.PROTOCOL_SSLv2
* ssl.PROTOCOL_SSLv3
* ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
* ssl.PROTOCOL_TLS
* ssl.PROTOCOL_TLSv1
* ssl.PROTOCOL_TLSv1_1
* ssl.PROTOCOL_TLSv1_2
* ssl.TLSVersion.SSLv3
* ssl.TLSVersion.TLSv1
* ssl.TLSVersion.TLSv1_1
* ssl.wrap_socket()
* ssl.RAND_pseudo_bytes()
* ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
* ssl.SSLContext() without a protocol argument
* ssl.match_hostname()
* hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL
function will stay)
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_ssl.c | 84 |
1 files changed, 70 insertions, 14 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index f371d42..934c59e 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -682,6 +682,17 @@ _setSSLError (_sslmodulestate *state, const char *errstr, int errcode, const cha return NULL; } +static int +_ssl_deprecated(const char* name, int stacklevel) { + return PyErr_WarnFormat( + PyExc_DeprecationWarning, stacklevel, + "ssl module: %s is deprecated", name + ); +} + +#define PY_SSL_DEPRECATED(name, stacklevel, ret) \ + if (_ssl_deprecated((name), (stacklevel)) == -1) return (ret) + /* * SSL objects */ @@ -2863,6 +2874,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) { PySSLContext *self; long options; + const SSL_METHOD *method = NULL; SSL_CTX *ctx = NULL; X509_VERIFY_PARAM *params; int result; @@ -2876,54 +2888,62 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) return NULL; } - PySSL_BEGIN_ALLOW_THREADS switch(proto_version) { #if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3) case PY_SSL_VERSION_SSL3: - ctx = SSL_CTX_new(SSLv3_method()); + PY_SSL_DEPRECATED("PROTOCOL_SSLv3", 2, NULL); + method = SSLv3_method(); break; #endif #if (defined(TLS1_VERSION) && \ !defined(OPENSSL_NO_TLS1) && \ !defined(OPENSSL_NO_TLS1_METHOD)) case PY_SSL_VERSION_TLS1: - ctx = SSL_CTX_new(TLSv1_method()); + PY_SSL_DEPRECATED("PROTOCOL_TLSv1", 2, NULL); + method = TLSv1_method(); break; #endif #if (defined(TLS1_1_VERSION) && \ !defined(OPENSSL_NO_TLS1_1) && \ !defined(OPENSSL_NO_TLS1_1_METHOD)) case PY_SSL_VERSION_TLS1_1: - ctx = SSL_CTX_new(TLSv1_1_method()); + PY_SSL_DEPRECATED("PROTOCOL_TLSv1_1", 2, NULL); + method = TLSv1_1_method(); break; #endif #if (defined(TLS1_2_VERSION) && \ !defined(OPENSSL_NO_TLS1_2) && \ !defined(OPENSSL_NO_TLS1_2_METHOD)) case PY_SSL_VERSION_TLS1_2: - ctx = SSL_CTX_new(TLSv1_2_method()); + PY_SSL_DEPRECATED("PROTOCOL_TLSv1_2", 2, NULL); + method = TLSv1_2_method(); break; #endif case PY_SSL_VERSION_TLS: - /* SSLv23 */ - ctx = SSL_CTX_new(TLS_method()); + PY_SSL_DEPRECATED("PROTOCOL_TLS", 2, NULL); + method = TLS_method(); break; case PY_SSL_VERSION_TLS_CLIENT: - ctx = SSL_CTX_new(TLS_client_method()); + method = TLS_client_method(); break; case PY_SSL_VERSION_TLS_SERVER: - ctx = SSL_CTX_new(TLS_server_method()); + method = TLS_server_method(); break; default: - proto_version = -1; + method = NULL; } - PySSL_END_ALLOW_THREADS - if (proto_version == -1) { - PyErr_SetString(PyExc_ValueError, - "invalid or unsupported protocol version"); + if (method == NULL) { + PyErr_Format(PyExc_ValueError, + "invalid or unsupported protocol version %i", + proto_version); return NULL; } + + PySSL_BEGIN_ALLOW_THREADS + ctx = SSL_CTX_new(method); + PySSL_END_ALLOW_THREADS + if (ctx == NULL) { _setSSLError(get_ssl_state(module), NULL, 0, __FILE__, __LINE__); return NULL; @@ -3299,6 +3319,29 @@ set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what) return -1; } + /* check for deprecations and supported values */ + switch(v) { + case PY_PROTO_SSLv3: + PY_SSL_DEPRECATED("TLSVersion.SSLv3", 2, -1); + break; + case PY_PROTO_TLSv1: + PY_SSL_DEPRECATED("TLSVersion.TLSv1", 2, -1); + break; + case PY_PROTO_TLSv1_1: + PY_SSL_DEPRECATED("TLSVersion.TLSv1_1", 2, -1); + break; + case PY_PROTO_MINIMUM_SUPPORTED: + case PY_PROTO_MAXIMUM_SUPPORTED: + case PY_PROTO_TLSv1_2: + case PY_PROTO_TLSv1_3: + /* ok */ + break; + default: + PyErr_Format(PyExc_ValueError, + "Unsupported TLS/SSL version 0x%x", v); + return -1; + } + if (what == 0) { switch(v) { case PY_PROTO_MINIMUM_SUPPORTED: @@ -3417,11 +3460,23 @@ static int set_options(PySSLContext *self, PyObject *arg, void *c) { long new_opts, opts, set, clear; + long opt_no = ( + SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | + SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_2 + ); + if (!PyArg_Parse(arg, "l", &new_opts)) return -1; opts = SSL_CTX_get_options(self->ctx); clear = opts & ~new_opts; set = ~opts & new_opts; + + if ((set & opt_no) != 0) { + if (_ssl_deprecated("Setting OP_NO_SSL* or SSL_NO_TLS* options is " + "deprecated", 2) < 0) { + return -1; + } + } if (clear) { SSL_CTX_clear_options(self->ctx, clear); } @@ -4961,6 +5016,7 @@ static PyObject * _ssl_RAND_pseudo_bytes_impl(PyObject *module, int n) /*[clinic end generated code: output=b1509e937000e52d input=58312bd53f9bbdd0]*/ { + PY_SSL_DEPRECATED("RAND_pseudo_bytes", 1, NULL); return PySSL_RAND(module, n, 1); } |