diff options
| author | Christian Heimes <christian@python.org> | 2017-09-05 14:00:44 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-09-05 14:00:44 (GMT) |
| commit | 7316c6d4a57931e9786c06eae168b227d7463317 (patch) | |
| tree | f82cbf83fbb647391eb4d8995254fc6a320da595 /Modules | |
| parent | e2543a67fb8e84ac982929f07e1ae98ec1e23fa4 (diff) | |
| download | cpython-7316c6d4a57931e9786c06eae168b227d7463317.zip cpython-7316c6d4a57931e9786c06eae168b227d7463317.tar.gz cpython-7316c6d4a57931e9786c06eae168b227d7463317.tar.bz2 | |
[3.6] bpo-30622: Change NPN detection: (GH-2079) (#3314)
* Change NPN detection:
Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
* Refine NPN guard:
- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way
This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.
Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:
GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
!defined(OPENSSL_NPN_NEGOTIATED)
GH- define OPENSSL_NPN_UNSUPPORTED 0
GH- define OPENSSL_NPN_NEGOTIATED 1
GH- define OPENSSL_NPN_NO_OVERLAP 2
GH-endif
[1] https://github.com/openssl/openssl/commit/68b33cc5c7
(cherry picked from commit b2d096b)
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_ssl.c | 16 | ||||
| -rw-r--r-- | Modules/clinic/_ssl.c.h | 6 |
2 files changed, 12 insertions, 10 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index ae38386..6b6f2b1 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -279,7 +279,7 @@ static unsigned int _ssl_locks_count = 0; typedef struct { PyObject_HEAD SSL_CTX *ctx; -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) unsigned char *npn_protocols; int npn_protocols_len; #endif @@ -1693,7 +1693,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self) return PyUnicode_FromString(version); } -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) /*[clinic input] _ssl._SSLSocket.selected_npn_protocol [clinic start generated code]*/ @@ -2645,7 +2645,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) return NULL; } self->ctx = ctx; -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) self->npn_protocols = NULL; #endif #ifdef HAVE_ALPN @@ -2780,7 +2780,7 @@ context_dealloc(PySSLContext *self) PyObject_GC_UnTrack(self); context_clear(self); SSL_CTX_free(self->ctx); -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) PyMem_FREE(self->npn_protocols); #endif #ifdef HAVE_ALPN @@ -2858,7 +2858,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self) #endif -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN) static int do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, const unsigned char *server_protocols, unsigned int server_protocols_len, @@ -2882,7 +2882,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, return SSL_TLSEXT_ERR_OK; } +#endif +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ static int _advertiseNPN_cb(SSL *s, @@ -2925,7 +2927,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self, Py_buffer *protos) /*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/ { -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) PyMem_Free(self->npn_protocols); self->npn_protocols = PyMem_Malloc(protos->len); if (self->npn_protocols == NULL) @@ -5391,7 +5393,7 @@ PyInit__ssl(void) Py_INCREF(r); PyModule_AddObject(m, "HAS_ECDH", r); -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) r = Py_True; #else r = Py_False; diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h index 75f8f5a..6f74890 100644 --- a/Modules/clinic/_ssl.c.h +++ b/Modules/clinic/_ssl.c.h @@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored)) return _ssl__SSLSocket_version_impl(self); } -#if defined(OPENSSL_NPN_NEGOTIATED) +#if (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__, "selected_npn_protocol($self, /)\n" @@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign return _ssl__SSLSocket_selected_npn_protocol_impl(self); } -#endif /* defined(OPENSSL_NPN_NEGOTIATED) */ +#endif /* (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) */ #if defined(HAVE_ALPN) @@ -1168,4 +1168,4 @@ exit: #ifndef _SSL_ENUM_CRLS_METHODDEF #define _SSL_ENUM_CRLS_METHODDEF #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */ -/*[clinic end generated code: output=56cead8610faa505 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=a8b184655068c238 input=a9049054013a1b77]*/ |