[Python-checkins] [2.7] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (GH-5876) (#5882)

Christian Heimes webhook-mailer at python.org
Sun Feb 25 08:28:58 EST 2018 

https://github.com/python/cpython/commit/df1732a4734190fefc8814687895fc1168716c37
commit: df1732a4734190fefc8814687895fc1168716c37
branch: 2.7
author: Christian Heimes <christian at python.org>
committer: GitHub <noreply at github.com>
date: 2018-02-25T14:28:55+01:00
summary:

[2.7] bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (GH-5876) (#5882)

Signed-off-by: Christian Heimes <christian at python.org>.
(cherry picked from commit 29eab55309b9f78b79074d26db16a44e7841c639)

Co-authored-by: Christian Heimes <christian at python.org>

files:
M Modules/_ssl.c

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index f9ed94dee1e1..da8b20f54f35 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -123,22 +123,27 @@ struct py_ssl_library_code {
 #endif
 
 /* ALPN added in OpenSSL 1.0.2 */
-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_TLSEXT)
-# define HAVE_ALPN
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+# define HAVE_ALPN 1
+#else
+# define HAVE_ALPN 0
 #endif
 
 /* We cannot rely on OPENSSL_NO_NEXTPROTONEG because LibreSSL 2.6.1 dropped
  * NPN support but did not set OPENSSL_NO_NEXTPROTONEG for compatibility
  * reasons. The check for TLSEXT_TYPE_next_proto_neg works with
  * OpenSSL 1.0.1+ and LibreSSL.
+ * OpenSSL 1.1.1-pre1 dropped NPN but still has TLSEXT_TYPE_next_proto_neg.
  */
 #ifdef OPENSSL_NO_NEXTPROTONEG
-#  define HAVE_NPN 0
+# define HAVE_NPN 0
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+# define HAVE_NPN 0
 #elif defined(TLSEXT_TYPE_next_proto_neg)
-#  define HAVE_NPN 1
+# define HAVE_NPN 1
 #else
-#  define HAVE_NPN 0
-# endif
+# define HAVE_NPN 0
+#endif
 
 #ifndef INVALID_SOCKET /* MS defines this */
 #define INVALID_SOCKET (-1)
@@ -298,11 +303,11 @@ static unsigned int _ssl_locks_count = 0;
 typedef struct {
     PyObject_HEAD
     SSL_CTX *ctx;
-#ifdef HAVE_NPN
+#if HAVE_NPN
     unsigned char *npn_protocols;
     int npn_protocols_len;
 #endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
     unsigned char *alpn_protocols;
     int alpn_protocols_len;
 #endif
@@ -1586,7 +1591,7 @@ static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
 }
 #endif
 
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
 static PyObject *PySSL_selected_alpn_protocol(PySSLSocket *self) {
     const unsigned char *out;
     unsigned int outlen;
@@ -2103,7 +2108,7 @@ static PyMethodDef PySSLMethods[] = {
 #ifdef OPENSSL_NPN_NEGOTIATED
     {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
 #endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
     {"selected_alpn_protocol", (PyCFunction)PySSL_selected_alpn_protocol, METH_NOARGS},
 #endif
     {"compression", (PyCFunction)PySSL_compression, METH_NOARGS},
@@ -2209,10 +2214,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
         return NULL;
     }
     self->ctx = ctx;
-#ifdef HAVE_NPN
+#if HAVE_NPN
     self->npn_protocols = NULL;
 #endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
     self->alpn_protocols = NULL;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
@@ -2287,10 +2292,10 @@ context_dealloc(PySSLContext *self)
     PyObject_GC_UnTrack(self);
     context_clear(self);
     SSL_CTX_free(self->ctx);
-#ifdef HAVE_NPN
+#if HAVE_NPN
     PyMem_FREE(self->npn_protocols);
 #endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
     PyMem_FREE(self->alpn_protocols);
 #endif
     Py_TYPE(self)->tp_free(self);
@@ -2317,7 +2322,7 @@ set_ciphers(PySSLContext *self, PyObject *args)
     Py_RETURN_NONE;
 }
 
-#if defined(HAVE_NPN) || defined(HAVE_ALPN)
+#if HAVE_NPN || HAVE_ALPN
 static int
 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
                       const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -2343,7 +2348,7 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
 }
 #endif
 
-#ifdef HAVE_NPN
+#if HAVE_NPN
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
 _advertiseNPN_cb(SSL *s,
@@ -2378,7 +2383,7 @@ _selectNPN_cb(SSL *s,
 static PyObject *
 _set_npn_protocols(PySSLContext *self, PyObject *args)
 {
-#ifdef HAVE_NPN
+#if HAVE_NPN
     Py_buffer protos;
 
     if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
@@ -2414,7 +2419,7 @@ _set_npn_protocols(PySSLContext *self, PyObject *args)
 #endif
 }
 
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
 static int
 _selectALPN_cb(SSL *s,
               const unsigned char **out, unsigned char *outlen,
@@ -2431,7 +2436,7 @@ _selectALPN_cb(SSL *s,
 static PyObject *
 _set_alpn_protocols(PySSLContext *self, PyObject *args)
 {
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
     Py_buffer protos;
 
     if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
@@ -4387,7 +4392,7 @@ init_ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_ECDH", r);
 
-#ifdef HAVE_NPN
+#if HAVE_NPN
     r = Py_True;
 #else
     r = Py_False;
@@ -4395,7 +4400,7 @@ init_ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_NPN", r);
 
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
     r = Py_True;
 #else
     r = Py_False;

More information about the Python-checkins mailing list