Attachment #186660 for bug #222552

View | Details | Raw Unified | Return to bug 222552
Collapse All | Expand All

Lines 13-20 Link Here

(-)lang/python27/Makefile (-2 lines)
13		13
14	LICENSE= PSFL	14	LICENSE= PSFL
15		15
16	BROKEN_SSL= openssl-devel
17
18	USES= cpe ncurses pathfix pkgconfig readline:port ssl tar:xz shebangfix	16	USES= cpe ncurses pathfix pkgconfig readline:port ssl tar:xz shebangfix
19	PATHFIX_MAKEFILEIN= Makefile.pre.in	17	PATHFIX_MAKEFILEIN= Makefile.pre.in
20	USE_LDCONFIG= yes	18	USE_LDCONFIG= yes




From 72ed233167b10d3a488d30a8ec3a17e412a7dd69 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 5 Sep 2017 01:11:40 +0200
Subject: [PATCH] [2.7] bpo-30622: Change NPN detection: (GH-2079) (#3316)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	GH-	define OPENSSL_NPN_UNSUPPORTED 0
	GH-	define OPENSSL_NPN_NEGOTIATED 1
	GH-	define OPENSSL_NPN_NO_OVERLAP 2
	GH-endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7.
(cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)
---
 Modules/_ssl.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 213c7d21510..832b5f96bff 100644
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -280,7 +280,7 @@ static unsigned int _ssl_locks_count = 0;
 typedef struct {
     PyObject_HEAD
     SSL_CTX *ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     unsigned char *npn_protocols;
     int npn_protocols_len;
 #endif
@@ -1502,7 +1502,7 @@ static PyObject *PySSL_version(PySSLSocket *self)
     return PyUnicode_FromString(version);
 }
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
     const unsigned char *out;
     unsigned int outlen;
@@ -2036,7 +2036,7 @@ static PyMethodDef PySSLMethods[] = {
      PySSL_peercert_doc},
     {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
     {"version", (PyCFunction)PySSL_version, METH_NOARGS},
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
 #endif
 #ifdef HAVE_ALPN
@@ -2140,7 +2140,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
         return NULL;
     }
     self->ctx = ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     self->npn_protocols = NULL;
 #endif
 #ifdef HAVE_ALPN
@@ -2218,7 +2218,7 @@ context_dealloc(PySSLContext *self)
     PyObject_GC_UnTrack(self);
     context_clear(self);
     SSL_CTX_free(self->ctx);
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_FREE(self->npn_protocols);
 #endif
 #ifdef HAVE_ALPN
@@ -2248,7 +2248,7 @@ set_ciphers(PySSLContext *self, PyObject *args)
     Py_RETURN_NONE;
 }
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN)
 static int
 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
                       const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -2272,7 +2272,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
 
     return SSL_TLSEXT_ERR_OK;
 }
+#endif
 
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
 _advertiseNPN_cb(SSL *s,
@@ -2307,7 +2309,7 @@ _selectNPN_cb(SSL *s,
 static PyObject *
 _set_npn_protocols(PySSLContext *self, PyObject *args)
 {
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     Py_buffer protos;
 
     if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
@@ -4305,7 +4307,7 @@ init_ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_ECDH", r);
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     r = Py_True;
 #else
     r = Py_False;

Lines 14-21 Link Here

(-)lang/python35/Makefile (-2 lines)
14		14
15	LICENSE= PSFL	15	LICENSE= PSFL
16		16
17	BROKEN_SSL= openssl-devel
18
19	USES= cpe ncurses pathfix pkgconfig readline:port ssl tar:xz shebangfix	17	USES= cpe ncurses pathfix pkgconfig readline:port ssl tar:xz shebangfix
20	PATHFIX_MAKEFILEIN= Makefile.pre.in	18	PATHFIX_MAKEFILEIN= Makefile.pre.in
21	USE_LDCONFIG= yes	19	USE_LDCONFIG= yes




From 7316c6d4a57931e9786c06eae168b227d7463317 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 5 Sep 2017 16:00:44 +0200
Subject: [PATCH] [3.6] bpo-30622: Change NPN detection: (GH-2079) (#3314)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	GH-	define OPENSSL_NPN_UNSUPPORTED 0
	GH-	define OPENSSL_NPN_NEGOTIATED 1
	GH-	define OPENSSL_NPN_NO_OVERLAP 2
	GH-endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7
(cherry picked from commit b2d096b)
---
 Modules/_ssl.c          | 16 +++++++++-------
 Modules/clinic/_ssl.c.h |  6 +++---
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ae38386ca02..6b6f2b1135c 100644
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -279,7 +279,7 @@ static unsigned int _ssl_locks_count = 0;
 typedef struct {
     PyObject_HEAD
     SSL_CTX *ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     unsigned char *npn_protocols;
     int npn_protocols_len;
 #endif
@@ -1693,7 +1693,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self)
     return PyUnicode_FromString(version);
 }
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /*[clinic input]
 _ssl._SSLSocket.selected_npn_protocol
 [clinic start generated code]*/
@@ -2645,7 +2645,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
         return NULL;
     }
     self->ctx = ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     self->npn_protocols = NULL;
 #endif
 #ifdef HAVE_ALPN
@@ -2780,7 +2780,7 @@ context_dealloc(PySSLContext *self)
     PyObject_GC_UnTrack(self);
     context_clear(self);
     SSL_CTX_free(self->ctx);
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_FREE(self->npn_protocols);
 #endif
 #ifdef HAVE_ALPN
@@ -2858,7 +2858,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
 #endif
 
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN)
 static int
 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
                       const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -2882,7 +2882,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
 
     return SSL_TLSEXT_ERR_OK;
 }
+#endif
 
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
 _advertiseNPN_cb(SSL *s,
@@ -2925,7 +2927,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
                                          Py_buffer *protos)
 /*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/
 {
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_Free(self->npn_protocols);
     self->npn_protocols = PyMem_Malloc(protos->len);
     if (self->npn_protocols == NULL)
@@ -5391,7 +5393,7 @@ PyInit__ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_ECDH", r);
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     r = Py_True;
 #else
     r = Py_False;
diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h
index 75f8f5a60bb..6f748903f4e 100644
--- Modules/clinic/_ssl.c.h.orig
+++ Modules/clinic/_ssl.c.h
@@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored))
     return _ssl__SSLSocket_version_impl(self);
 }
 
-#if defined(OPENSSL_NPN_NEGOTIATED)
+#if (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG))
 
 PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__,
 "selected_npn_protocol($self, /)\n"
@@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign
     return _ssl__SSLSocket_selected_npn_protocol_impl(self);
 }
 
-#endif /* defined(OPENSSL_NPN_NEGOTIATED) */
+#endif /* (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) */
 
 #if defined(HAVE_ALPN)
 
@@ -1168,4 +1168,4 @@ _ssl_enum_crls(PyObject *module, PyObject **args, Py_ssize_t nargs, PyObject *kw
 #ifndef _SSL_ENUM_CRLS_METHODDEF
     #define _SSL_ENUM_CRLS_METHODDEF
 #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=56cead8610faa505 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=a8b184655068c238 input=a9049054013a1b77]*/

Lines 22-29 Link Here

(-)lang/python36/Makefile (-2 lines)
22	python_CMD= ${PREFIX}/bin/python${PYTHON_PORTVERSION:R}	22	python_CMD= ${PREFIX}/bin/python${PYTHON_PORTVERSION:R}
23	SHEBANG_FILES= Lib/lib2to3/tests/data/.py Lib/encodings/.py	23	SHEBANG_FILES= Lib/lib2to3/tests/data/.py Lib/encodings/.py
24		24
25	BROKEN_SSL= openssl-devel
26
27	CPE_VENDOR= python	25	CPE_VENDOR= python
28	CPE_PRODUCT= ${CPE_VENDOR}	26	CPE_PRODUCT= ${CPE_VENDOR}
29		27




From 7316c6d4a57931e9786c06eae168b227d7463317 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 5 Sep 2017 16:00:44 +0200
Subject: [PATCH] [3.6] bpo-30622: Change NPN detection: (GH-2079) (#3314)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	GH-	define OPENSSL_NPN_UNSUPPORTED 0
	GH-	define OPENSSL_NPN_NEGOTIATED 1
	GH-	define OPENSSL_NPN_NO_OVERLAP 2
	GH-endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7
(cherry picked from commit b2d096b)
---
 Modules/_ssl.c          | 16 +++++++++-------
 Modules/clinic/_ssl.c.h |  6 +++---
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ae38386ca02..6b6f2b1135c 100644
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -279,7 +279,7 @@ static unsigned int _ssl_locks_count = 0;
 typedef struct {
     PyObject_HEAD
     SSL_CTX *ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     unsigned char *npn_protocols;
     int npn_protocols_len;
 #endif
@@ -1693,7 +1693,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self)
     return PyUnicode_FromString(version);
 }
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /*[clinic input]
 _ssl._SSLSocket.selected_npn_protocol
 [clinic start generated code]*/
@@ -2645,7 +2645,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
         return NULL;
     }
     self->ctx = ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     self->npn_protocols = NULL;
 #endif
 #ifdef HAVE_ALPN
@@ -2780,7 +2780,7 @@ context_dealloc(PySSLContext *self)
     PyObject_GC_UnTrack(self);
     context_clear(self);
     SSL_CTX_free(self->ctx);
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_FREE(self->npn_protocols);
 #endif
 #ifdef HAVE_ALPN
@@ -2858,7 +2858,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
 #endif
 
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN)
 static int
 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
                       const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -2882,7 +2882,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
 
     return SSL_TLSEXT_ERR_OK;
 }
+#endif
 
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
 _advertiseNPN_cb(SSL *s,
@@ -2925,7 +2927,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
                                          Py_buffer *protos)
 /*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/
 {
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_Free(self->npn_protocols);
     self->npn_protocols = PyMem_Malloc(protos->len);
     if (self->npn_protocols == NULL)
@@ -5391,7 +5393,7 @@ PyInit__ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_ECDH", r);
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     r = Py_True;
 #else
     r = Py_False;
diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h
index 75f8f5a60bb..6f748903f4e 100644
--- Modules/clinic/_ssl.c.h.orig
+++ Modules/clinic/_ssl.c.h
@@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored))
     return _ssl__SSLSocket_version_impl(self);
 }
 
-#if defined(OPENSSL_NPN_NEGOTIATED)
+#if (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG))
 
 PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__,
 "selected_npn_protocol($self, /)\n"
@@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign
     return _ssl__SSLSocket_selected_npn_protocol_impl(self);
 }
 
-#endif /* defined(OPENSSL_NPN_NEGOTIATED) */
+#endif /* (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) */
 
 #if defined(HAVE_ALPN)
 
@@ -1168,4 +1168,4 @@ _ssl_enum_crls(PyObject *module, PyObject **args, Py_ssize_t nargs, PyObject *kw
 #ifndef _SSL_ENUM_CRLS_METHODDEF
     #define _SSL_ENUM_CRLS_METHODDEF
 #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=56cead8610faa505 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=a8b184655068c238 input=a9049054013a1b77]*/

Return to bug 222552

Line 0 Link Here

(-)lang/python27/files/patch-issue30622 (+134 lines)
		1	From 72ed233167b10d3a488d30a8ec3a17e412a7dd69 Mon Sep 17 00:00:00 2001
		2	From: Christian Heimes <christian@python.org>
		3	Date: Tue, 5 Sep 2017 01:11:40 +0200
		4	Subject: [PATCH] [2.7] bpo-30622: Change NPN detection: (GH-2079) (#3316)
		5
		6	* Change NPN detection:
		7
		8	Version breakdown, support disabled (pre-patch/post-patch):
		9	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		10	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
		11	False/False
		12	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		13	OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
		14
		15	Version breakdown support enabled (pre-patch/post-patch):
		16	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		17	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
		18	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		19	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		20	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		21
		22	* Refine NPN guard:
		23
		24	- If NPN is disabled, but ALPN is available we need our callback
		25	- Make clinic's ssl behave the same way
		26
		27	This created a working ssl module for me, with NPN disabled and ALPN
		28	enabled for OpenSSL 1.1.0f.
		29
		30	Concerns to address:
		31	The initial commit for NPN support into OpenSSL [1], had the
		32	OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
		33	guard. The question is if that ever made it into a release.
		34	This would need an ugly hack, something like:
		35
		36	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		37	!defined(OPENSSL_NPN_NEGOTIATED)
		38	GH- define OPENSSL_NPN_UNSUPPORTED 0
		39	GH- define OPENSSL_NPN_NEGOTIATED 1
		40	GH- define OPENSSL_NPN_NO_OVERLAP 2
		41	GH-endif
		42
		43	[1] https://github.com/openssl/openssl/commit/68b33cc5c7.
		44	(cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)
		45	---
		46	Modules/_ssl.c \| 16 +++++++++-------
		47	1 file changed, 9 insertions(+), 7 deletions(-)
		48
		49	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
		50	index 213c7d21510..832b5f96bff 100644
		51	--- Modules/_ssl.c.orig
		52	+++ Modules/_ssl.c
		53	@@ -280,7 +280,7 @@ static unsigned int _ssl_locks_count = 0;
		54	typedef struct {
		55	PyObject_HEAD
		56	SSL_CTX *ctx;
		57	-#ifdef OPENSSL_NPN_NEGOTIATED
		58	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
		59	unsigned char *npn_protocols;
		60	int npn_protocols_len;
		61	#endif
		62	@@ -1502,7 +1502,7 @@ static PyObject PySSL_version(PySSLSocket self)
		63	return PyUnicode_FromString(version);
		64	}
65
66	-#ifdef OPENSSL_NPN_NEGOTIATED
67	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
68	static PyObject PySSL_selected_npn_protocol(PySSLSocket self) {
69	const unsigned char *out;
70	unsigned int outlen;
71	@@ -2036,7 +2036,7 @@ static PyMethodDef PySSLMethods[] = {
72	PySSL_peercert_doc},
73	{"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
74	{"version", (PyCFunction)PySSL_version, METH_NOARGS},
75	-#ifdef OPENSSL_NPN_NEGOTIATED
76	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
77	{"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
78	#endif
79	#ifdef HAVE_ALPN
80	@@ -2140,7 +2140,7 @@ context_new(PyTypeObject type, PyObject args, PyObject *kwds)
81	return NULL;
82	}
83	self->ctx = ctx;
84	-#ifdef OPENSSL_NPN_NEGOTIATED
85	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
86	self->npn_protocols = NULL;
87	#endif
88	#ifdef HAVE_ALPN
89	@@ -2218,7 +2218,7 @@ context_dealloc(PySSLContext *self)
90	PyObject_GC_UnTrack(self);
91	context_clear(self);
92	SSL_CTX_free(self->ctx);
93	-#ifdef OPENSSL_NPN_NEGOTIATED
94	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
95	PyMem_FREE(self->npn_protocols);
96	#endif
97	#ifdef HAVE_ALPN
98	@@ -2248,7 +2248,7 @@ set_ciphers(PySSLContext self, PyObject args)
99	Py_RETURN_NONE;
100	}
101
102	-#ifdef OPENSSL_NPN_NEGOTIATED
103	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) \|\| defined(HAVE_ALPN)
104	static int
105	do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
106	const unsigned char *server_protocols, unsigned int server_protocols_len,
107	@@ -2272,7 +2272,9 @@ do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
108
109	return SSL_TLSEXT_ERR_OK;
110	}
111	+#endif
112
113	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
114	/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
115	static int
116	_advertiseNPN_cb(SSL *s,
117	@@ -2307,7 +2309,7 @@ _selectNPN_cb(SSL *s,
118	static PyObject *
119	_set_npn_protocols(PySSLContext self, PyObject args)
120	{
121	-#ifdef OPENSSL_NPN_NEGOTIATED
122	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
123	Py_buffer protos;
124
125	if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
126	@@ -4305,7 +4307,7 @@ init_ssl(void)
127	Py_INCREF(r);
128	PyModule_AddObject(m, "HAS_ECDH", r);
129
130	-#ifdef OPENSSL_NPN_NEGOTIATED
131	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
132	r = Py_True;
133	#else
134	r = Py_False;

Line 0 Link Here

(-)lang/python35/files/patch-issue30622 (+154 lines)
		1	From 7316c6d4a57931e9786c06eae168b227d7463317 Mon Sep 17 00:00:00 2001
		2	From: Christian Heimes <christian@python.org>
		3	Date: Tue, 5 Sep 2017 16:00:44 +0200
		4	Subject: [PATCH] [3.6] bpo-30622: Change NPN detection: (GH-2079) (#3314)
		5
		6	* Change NPN detection:
		7
		8	Version breakdown, support disabled (pre-patch/post-patch):
		9	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		10	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
		11	False/False
		12	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		13	OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
		14
		15	Version breakdown support enabled (pre-patch/post-patch):
		16	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		17	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
		18	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		19	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		20	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		21
		22	* Refine NPN guard:
		23
		24	- If NPN is disabled, but ALPN is available we need our callback
		25	- Make clinic's ssl behave the same way
		26
		27	This created a working ssl module for me, with NPN disabled and ALPN
		28	enabled for OpenSSL 1.1.0f.
		29
		30	Concerns to address:
		31	The initial commit for NPN support into OpenSSL [1], had the
		32	OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
		33	guard. The question is if that ever made it into a release.
		34	This would need an ugly hack, something like:
		35
		36	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		37	!defined(OPENSSL_NPN_NEGOTIATED)
		38	GH- define OPENSSL_NPN_UNSUPPORTED 0
		39	GH- define OPENSSL_NPN_NEGOTIATED 1
		40	GH- define OPENSSL_NPN_NO_OVERLAP 2
		41	GH-endif
		42
		43	[1] https://github.com/openssl/openssl/commit/68b33cc5c7
		44	(cherry picked from commit b2d096b)
		45	---
		46	Modules/_ssl.c \| 16 +++++++++-------
		47	Modules/clinic/_ssl.c.h \| 6 +++---
		48	2 files changed, 12 insertions(+), 10 deletions(-)
		49
		50	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
		51	index ae38386ca02..6b6f2b1135c 100644
		52	--- Modules/_ssl.c.orig
		53	+++ Modules/_ssl.c
		54	@@ -279,7 +279,7 @@ static unsigned int _ssl_locks_count = 0;
		55	typedef struct {
		56	PyObject_HEAD
		57	SSL_CTX *ctx;
		58	-#ifdef OPENSSL_NPN_NEGOTIATED
		59	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
		60	unsigned char *npn_protocols;
		61	int npn_protocols_len;
		62	#endif
		63	@@ -1693,7 +1693,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self)
		64	return PyUnicode_FromString(version);
65	}
66
67	-#ifdef OPENSSL_NPN_NEGOTIATED
68	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
69	/*[clinic input]
70	_ssl._SSLSocket.selected_npn_protocol
71	[clinic start generated code]*/
72	@@ -2645,7 +2645,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
73	return NULL;
74	}
75	self->ctx = ctx;
76	-#ifdef OPENSSL_NPN_NEGOTIATED
77	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
78	self->npn_protocols = NULL;
79	#endif
80	#ifdef HAVE_ALPN
81	@@ -2780,7 +2780,7 @@ context_dealloc(PySSLContext *self)
82	PyObject_GC_UnTrack(self);
83	context_clear(self);
84	SSL_CTX_free(self->ctx);
85	-#ifdef OPENSSL_NPN_NEGOTIATED
86	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
87	PyMem_FREE(self->npn_protocols);
88	#endif
89	#ifdef HAVE_ALPN
90	@@ -2858,7 +2858,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
91	#endif
92
93
94	-#ifdef OPENSSL_NPN_NEGOTIATED
95	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) \|\| defined(HAVE_ALPN)
96	static int
97	do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
98	const unsigned char *server_protocols, unsigned int server_protocols_len,
99	@@ -2882,7 +2882,9 @@ do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
100
101	return SSL_TLSEXT_ERR_OK;
102	}
103	+#endif
104
105	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
106	/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
107	static int
108	_advertiseNPN_cb(SSL *s,
109	@@ -2925,7 +2927,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
110	Py_buffer *protos)
111	/[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]/
112	{
113	-#ifdef OPENSSL_NPN_NEGOTIATED
114	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
115	PyMem_Free(self->npn_protocols);
116	self->npn_protocols = PyMem_Malloc(protos->len);
117	if (self->npn_protocols == NULL)
118	@@ -5391,7 +5393,7 @@ PyInit__ssl(void)
119	Py_INCREF(r);
120	PyModule_AddObject(m, "HAS_ECDH", r);
121
122	-#ifdef OPENSSL_NPN_NEGOTIATED
123	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
124	r = Py_True;
125	#else
126	r = Py_False;
127	diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h
128	index 75f8f5a60bb..6f748903f4e 100644
129	--- Modules/clinic/_ssl.c.h.orig
130	+++ Modules/clinic/_ssl.c.h
131	@@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket self, PyObject Py_UNUSED(ignored))
132	return _ssl__SSLSocket_version_impl(self);
133	}
134
135	-#if defined(OPENSSL_NPN_NEGOTIATED)
136	+#if (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG))
137
138	PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__,
139	"selected_npn_protocol($self, /)\n"
140	@@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket self, PyObject Py_UNUSED(ign
141	return _ssl__SSLSocket_selected_npn_protocol_impl(self);
142	}
143
144	-#endif /* defined(OPENSSL_NPN_NEGOTIATED) */
145	+#endif /* (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) */
146
147	#if defined(HAVE_ALPN)
148
149	@@ -1168,4 +1168,4 @@ _ssl_enum_crls(PyObject module, PyObject args, Py_ssize_t nargs, PyObject kw
150	#ifndef _SSL_ENUM_CRLS_METHODDEF
151	#define _SSL_ENUM_CRLS_METHODDEF
152	#endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
153	-/[clinic end generated code: output=56cead8610faa505 input=a9049054013a1b77]/
154	+/[clinic end generated code: output=a8b184655068c238 input=a9049054013a1b77]/

Line 0 Link Here

(-)lang/python36/files/patch-issue30622 (+154 lines)
		1	From 7316c6d4a57931e9786c06eae168b227d7463317 Mon Sep 17 00:00:00 2001
		2	From: Christian Heimes <christian@python.org>
		3	Date: Tue, 5 Sep 2017 16:00:44 +0200
		4	Subject: [PATCH] [3.6] bpo-30622: Change NPN detection: (GH-2079) (#3314)
		5
		6	* Change NPN detection:
		7
		8	Version breakdown, support disabled (pre-patch/post-patch):
		9	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		10	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
		11	False/False
		12	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		13	OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
		14
		15	Version breakdown support enabled (pre-patch/post-patch):
		16	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		17	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
		18	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		19	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		20	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		21
		22	* Refine NPN guard:
		23
		24	- If NPN is disabled, but ALPN is available we need our callback
		25	- Make clinic's ssl behave the same way
		26
		27	This created a working ssl module for me, with NPN disabled and ALPN
		28	enabled for OpenSSL 1.1.0f.
		29
		30	Concerns to address:
		31	The initial commit for NPN support into OpenSSL [1], had the
		32	OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
		33	guard. The question is if that ever made it into a release.
		34	This would need an ugly hack, something like:
		35
		36	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		37	!defined(OPENSSL_NPN_NEGOTIATED)
		38	GH- define OPENSSL_NPN_UNSUPPORTED 0
		39	GH- define OPENSSL_NPN_NEGOTIATED 1
		40	GH- define OPENSSL_NPN_NO_OVERLAP 2
		41	GH-endif
		42
		43	[1] https://github.com/openssl/openssl/commit/68b33cc5c7
		44	(cherry picked from commit b2d096b)
		45	---
		46	Modules/_ssl.c \| 16 +++++++++-------
		47	Modules/clinic/_ssl.c.h \| 6 +++---
		48	2 files changed, 12 insertions(+), 10 deletions(-)
		49
		50	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
		51	index ae38386ca02..6b6f2b1135c 100644
		52	--- Modules/_ssl.c.orig
		53	+++ Modules/_ssl.c
		54	@@ -279,7 +279,7 @@ static unsigned int _ssl_locks_count = 0;
		55	typedef struct {
		56	PyObject_HEAD
		57	SSL_CTX *ctx;
		58	-#ifdef OPENSSL_NPN_NEGOTIATED
		59	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
		60	unsigned char *npn_protocols;
		61	int npn_protocols_len;
		62	#endif
		63	@@ -1693,7 +1693,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self)
		64	return PyUnicode_FromString(version);
65	}
66
67	-#ifdef OPENSSL_NPN_NEGOTIATED
68	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
69	/*[clinic input]
70	_ssl._SSLSocket.selected_npn_protocol
71	[clinic start generated code]*/
72	@@ -2645,7 +2645,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
73	return NULL;
74	}
75	self->ctx = ctx;
76	-#ifdef OPENSSL_NPN_NEGOTIATED
77	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
78	self->npn_protocols = NULL;
79	#endif
80	#ifdef HAVE_ALPN
81	@@ -2780,7 +2780,7 @@ context_dealloc(PySSLContext *self)
82	PyObject_GC_UnTrack(self);
83	context_clear(self);
84	SSL_CTX_free(self->ctx);
85	-#ifdef OPENSSL_NPN_NEGOTIATED
86	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
87	PyMem_FREE(self->npn_protocols);
88	#endif
89	#ifdef HAVE_ALPN
90	@@ -2858,7 +2858,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
91	#endif
92
93
94	-#ifdef OPENSSL_NPN_NEGOTIATED
95	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) \|\| defined(HAVE_ALPN)
96	static int
97	do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
98	const unsigned char *server_protocols, unsigned int server_protocols_len,
99	@@ -2882,7 +2882,9 @@ do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
100
101	return SSL_TLSEXT_ERR_OK;
102	}
103	+#endif
104
105	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
106	/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
107	static int
108	_advertiseNPN_cb(SSL *s,
109	@@ -2925,7 +2927,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
110	Py_buffer *protos)
111	/[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]/
112	{
113	-#ifdef OPENSSL_NPN_NEGOTIATED
114	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
115	PyMem_Free(self->npn_protocols);
116	self->npn_protocols = PyMem_Malloc(protos->len);
117	if (self->npn_protocols == NULL)
118	@@ -5391,7 +5393,7 @@ PyInit__ssl(void)
119	Py_INCREF(r);
120	PyModule_AddObject(m, "HAS_ECDH", r);
121
122	-#ifdef OPENSSL_NPN_NEGOTIATED
123	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
124	r = Py_True;
125	#else
126	r = Py_False;
127	diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h
128	index 75f8f5a60bb..6f748903f4e 100644
129	--- Modules/clinic/_ssl.c.h.orig
130	+++ Modules/clinic/_ssl.c.h
131	@@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket self, PyObject Py_UNUSED(ignored))
132	return _ssl__SSLSocket_version_impl(self);
133	}
134
135	-#if defined(OPENSSL_NPN_NEGOTIATED)
136	+#if (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG))
137
138	PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__,
139	"selected_npn_protocol($self, /)\n"
140	@@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket self, PyObject Py_UNUSED(ign
141	return _ssl__SSLSocket_selected_npn_protocol_impl(self);
142	}
143
144	-#endif /* defined(OPENSSL_NPN_NEGOTIATED) */
145	+#endif /* (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) */
146
147	#if defined(HAVE_ALPN)
148
149	@@ -1168,4 +1168,4 @@ _ssl_enum_crls(PyObject module, PyObject args, Py_ssize_t nargs, PyObject kw
150	#ifndef _SSL_ENUM_CRLS_METHODDEF
151	#define _SSL_ENUM_CRLS_METHODDEF
152	#endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
153	-/[clinic end generated code: output=56cead8610faa505 input=a9049054013a1b77]/
154	+/[clinic end generated code: output=a8b184655068c238 input=a9049054013a1b77]/