[Python-checkins] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (#5876)
Christian Heimes
webhook-mailer at python.org
Sun Feb 25 06:31:36 EST 2018
https://github.com/python/cpython/commit/29eab55309b9f78b79074d26db16a44e7841c639
commit: 29eab55309b9f78b79074d26db16a44e7841c639
branch: master
author: Christian Heimes <christian at python.org>
committer: GitHub <noreply at github.com>
date: 2018-02-25T12:31:33+01:00
summary:
bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (#5876)
Signed-off-by: Christian Heimes <christian at python.org>
files:
M Modules/_ssl.c
M Modules/clinic/_ssl.c.h
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ed6b7a835a94..52695fe39c71 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -157,21 +157,26 @@ static void _PySSLFixErrno(void) {
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-# define HAVE_ALPN
+# define HAVE_ALPN 1
+#else
+# define HAVE_ALPN 0
#endif
/* We cannot rely on OPENSSL_NO_NEXTPROTONEG because LibreSSL 2.6.1 dropped
* NPN support but did not set OPENSSL_NO_NEXTPROTONEG for compatibility
* reasons. The check for TLSEXT_TYPE_next_proto_neg works with
* OpenSSL 1.0.1+ and LibreSSL.
+ * OpenSSL 1.1.1-pre1 dropped NPN but still has TLSEXT_TYPE_next_proto_neg.
*/
#ifdef OPENSSL_NO_NEXTPROTONEG
-# define HAVE_NPN 0
+# define HAVE_NPN 0
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+# define HAVE_NPN 0
#elif defined(TLSEXT_TYPE_next_proto_neg)
-# define HAVE_NPN 1
+# define HAVE_NPN 1
#else
-# define HAVE_NPN 0
-# endif
+# define HAVE_NPN 0
+#endif
#ifndef INVALID_SOCKET /* MS defines this */
#define INVALID_SOCKET (-1)
@@ -341,11 +346,11 @@ static unsigned int _ssl_locks_count = 0;
typedef struct {
PyObject_HEAD
SSL_CTX *ctx;
-#ifdef HAVE_NPN
+#if HAVE_NPN
unsigned char *npn_protocols;
int npn_protocols_len;
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
unsigned char *alpn_protocols;
unsigned int alpn_protocols_len;
#endif
@@ -1922,7 +1927,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self)
return PyUnicode_FromString(version);
}
-#ifdef HAVE_NPN
+#if HAVE_NPN
/*[clinic input]
_ssl._SSLSocket.selected_npn_protocol
[clinic start generated code]*/
@@ -1943,7 +1948,7 @@ _ssl__SSLSocket_selected_npn_protocol_impl(PySSLSocket *self)
}
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
/*[clinic input]
_ssl._SSLSocket.selected_alpn_protocol
[clinic start generated code]*/
@@ -2887,10 +2892,10 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
self->ctx = ctx;
self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
self->protocol = proto_version;
-#ifdef HAVE_NPN
+#if HAVE_NPN
self->npn_protocols = NULL;
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
self->alpn_protocols = NULL;
#endif
#ifndef OPENSSL_NO_TLSEXT
@@ -3026,10 +3031,10 @@ context_dealloc(PySSLContext *self)
PyObject_GC_UnTrack(self);
context_clear(self);
SSL_CTX_free(self->ctx);
-#ifdef HAVE_NPN
+#if HAVE_NPN
PyMem_FREE(self->npn_protocols);
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
PyMem_FREE(self->alpn_protocols);
#endif
Py_TYPE(self)->tp_free(self);
@@ -3104,7 +3109,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
#endif
-#if defined(HAVE_NPN) || defined(HAVE_ALPN)
+#if HAVE_NPN || HAVE_ALPN
static int
do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -3130,7 +3135,7 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
}
#endif
-#ifdef HAVE_NPN
+#if HAVE_NPN
/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
static int
_advertiseNPN_cb(SSL *s,
@@ -3173,7 +3178,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
Py_buffer *protos)
/*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/
{
-#ifdef HAVE_NPN
+#if HAVE_NPN
PyMem_Free(self->npn_protocols);
self->npn_protocols = PyMem_Malloc(protos->len);
if (self->npn_protocols == NULL)
@@ -3198,7 +3203,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
#endif
}
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
static int
_selectALPN_cb(SSL *s,
const unsigned char **out, unsigned char *outlen,
@@ -3223,7 +3228,7 @@ _ssl__SSLContext__set_alpn_protocols_impl(PySSLContext *self,
Py_buffer *protos)
/*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/
{
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
if ((size_t)protos->len > UINT_MAX) {
PyErr_Format(PyExc_OverflowError,
"protocols longer than %d bytes", UINT_MAX);
@@ -5718,7 +5723,7 @@ PyInit__ssl(void)
Py_INCREF(r);
PyModule_AddObject(m, "HAS_ECDH", r);
-#ifdef HAVE_NPN
+#if HAVE_NPN
r = Py_True;
#else
r = Py_False;
@@ -5726,7 +5731,7 @@ PyInit__ssl(void)
Py_INCREF(r);
PyModule_AddObject(m, "HAS_NPN", r);
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
r = Py_True;
#else
r = Py_False;
diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h
index 1ee1bfb21d3e..5ba34eca594f 100644
--- a/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h
@@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored))
return _ssl__SSLSocket_version_impl(self);
}
-#if defined(HAVE_NPN)
+#if (HAVE_NPN)
PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__,
"selected_npn_protocol($self, /)\n"
@@ -151,9 +151,9 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign
return _ssl__SSLSocket_selected_npn_protocol_impl(self);
}
-#endif /* defined(HAVE_NPN) */
+#endif /* (HAVE_NPN) */
-#if defined(HAVE_ALPN)
+#if (HAVE_ALPN)
PyDoc_STRVAR(_ssl__SSLSocket_selected_alpn_protocol__doc__,
"selected_alpn_protocol($self, /)\n"
@@ -172,7 +172,7 @@ _ssl__SSLSocket_selected_alpn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ig
return _ssl__SSLSocket_selected_alpn_protocol_impl(self);
}
-#endif /* defined(HAVE_ALPN) */
+#endif /* (HAVE_ALPN) */
PyDoc_STRVAR(_ssl__SSLSocket_compression__doc__,
"compression($self, /)\n"
@@ -1175,4 +1175,4 @@ _ssl_enum_crls(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObje
#ifndef _SSL_ENUM_CRLS_METHODDEF
#define _SSL_ENUM_CRLS_METHODDEF
#endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=a00fef6a470cfc2c input=a9049054013a1b77]*/
+/*[clinic end generated code: output=e2417fee28666f7c input=a9049054013a1b77]*/
More information about the Python-checkins
mailing list