[Python-checkins] gh-103242: Migrate SSLContext.set_ecdh_curve not to use deprecated APIs (GH-103378)

miss-islington webhook-mailer at python.org
Sat Apr 8 14:21:34 EDT 2023


https://github.com/python/cpython/commit/4fa5fda14b11457dda7ef389e5486bfe3ea7b8f5
commit: 4fa5fda14b11457dda7ef389e5486bfe3ea7b8f5
branch: 3.11
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2023-04-08T11:21:27-07:00
summary:

gh-103242: Migrate SSLContext.set_ecdh_curve not to use deprecated APIs (GH-103378)


Migrate `SSLContext.set_ecdh_curve()` not to use deprecated OpenSSL APIs.
(cherry picked from commit 35167043e3a21055a94cf3de6ceccd1585554cb8)

Co-authored-by: Dong-hee Na <donghee.na at python.org>

files:
A Misc/NEWS.d/next/Core and Builtins/2023-04-08-17-13-07.gh-issue-103242.ysI1b3.rst
M Modules/_ssl.c

diff --git a/Misc/NEWS.d/next/Core and Builtins/2023-04-08-17-13-07.gh-issue-103242.ysI1b3.rst b/Misc/NEWS.d/next/Core and Builtins/2023-04-08-17-13-07.gh-issue-103242.ysI1b3.rst
new file mode 100644
index 000000000000..38b107f3be17
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2023-04-08-17-13-07.gh-issue-103242.ysI1b3.rst	
@@ -0,0 +1,2 @@
+Migrate :meth:`~ssl.SSLContext.set_ecdh_curve` method not to use deprecated
+OpenSSL APIs. Patch by Dong-hee Na.
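Review bot: The entry is filed under Misc/NEWS.d/next/Core and Builtins/, but the change it describes is to `ssl.SSLContext.set_ecdh_curve` in Modules/_ssl.c, so the Library section is the expected place for it. The text could also say that the replacement code path is only compiled when OPENSSL_VERSION_MAJOR is 3 or higher, since older builds keep the existing calls.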
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 61490783e9ba..1a4102434ede 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4355,8 +4355,6 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name)
 {
     PyObject *name_bytes;
     int nid;
-    EC_KEY *key;
-
     if (!PyUnicode_FSConverter(name, &name_bytes))
         return NULL;
     assert(PyBytes_Check(name_bytes));
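Review bot: Removing the blank line along with `EC_KEY *key;` leaves `int nid;` running straight into the `if (!PyUnicode_FSConverter(name, &name_bytes))` statement. Keep one empty line between the declarations and the first statement so the block reads as before.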
@@ -4367,13 +4365,20 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name)
                      "unknown elliptic curve name %R", name);
         return NULL;
     }
-    key = EC_KEY_new_by_curve_name(nid);
+#if OPENSSL_VERSION_MAJOR < 3
+    EC_KEY *key = EC_KEY_new_by_curve_name(nid);
     if (key == NULL) {
         _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
     SSL_CTX_set_tmp_ecdh(self->ctx, key);
     EC_KEY_free(key);
+#else
+    if (!SSL_CTX_set1_groups(self->ctx, &nid, 1)) {
+        _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
+        return NULL;
+    }
+#endif
     Py_RETURN_NONE;
 }
 
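Review bot: In the `#if OPENSSL_VERSION_MAJOR < 3` branch the result of `SSL_CTX_set_tmp_ecdh(self->ctx, key);` is still ignored, while the new `#else` branch checks `SSL_CTX_set1_groups` and reports failure through `_setSSLError`. The two builds therefore differ in whether a failure to apply the curve reaches the caller. Checking the return value in the legacy branch as well (and freeing `key` before returning) would make them consistent. A one-line comment above the `#if` stating that the `EC_KEY` path is retained only for pre-3.0 builds would also help the next reader.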


