Attachment #190080 for bug #222795

View | Details | Raw Unified | Return to bug 222795
Collapse All | Expand All

Lines 13-20 Link Here

(-)lang/python27/Makefile (-2 lines)
13		13
14	LICENSE= PSFL	14	LICENSE= PSFL
15		15
16	BROKEN_SSL= openssl-devel
17
18	USES= cpe ncurses pathfix pkgconfig readline:port ssl tar:xz shebangfix	16	USES= cpe ncurses pathfix pkgconfig readline:port ssl tar:xz shebangfix
19	PATHFIX_MAKEFILEIN= Makefile.pre.in	17	PATHFIX_MAKEFILEIN= Makefile.pre.in
20	USE_LDCONFIG= yes	18	USE_LDCONFIG= yes




From 206dcead747e04e97c0d9c54d77cf0b5e4636f7a Mon Sep 17 00:00:00 2001
From: Melvyn Sopacua <melvyn-sopacua@users.noreply.github.com>
Date: Mon, 4 Sep 2017 23:35:15 +0200
Subject: [PATCH] [2.7] bpo-30622: Change NPN detection: (GH-2079)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	GH-	define OPENSSL_NPN_UNSUPPORTED 0
	GH-	define OPENSSL_NPN_NEGOTIATED 1
	GH-	define OPENSSL_NPN_NO_OVERLAP 2
	GH-endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7.
(cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)
---
 Modules/_ssl.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 213c7d21510..832b5f96bff 100644
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -280,7 +280,7 @@ static unsigned int _ssl_locks_count = 0;
 typedef struct {
     PyObject_HEAD
     SSL_CTX *ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     unsigned char *npn_protocols;
     int npn_protocols_len;
 #endif
@@ -1502,7 +1502,7 @@ static PyObject *PySSL_version(PySSLSocket *self)
     return PyUnicode_FromString(version);
 }
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
     const unsigned char *out;
     unsigned int outlen;
@@ -2030,7 +2030,7 @@ static PyMethodDef PySSLMethods[] = {
      PySSL_peercert_doc},
     {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
     {"version", (PyCFunction)PySSL_version, METH_NOARGS},
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
 #endif
 #ifdef HAVE_ALPN
@@ -2140,7 +2140,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
         return NULL;
     }
     self->ctx = ctx;
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     self->npn_protocols = NULL;
 #endif
 #ifdef HAVE_ALPN
@@ -2218,7 +2218,7 @@ context_dealloc(PySSLContext *self)
     PyObject_GC_UnTrack(self);
     context_clear(self);
     SSL_CTX_free(self->ctx);
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_FREE(self->npn_protocols);
 #endif
 #ifdef HAVE_ALPN
@@ -2248,7 +2248,7 @@ set_ciphers(PySSLContext *self, PyObject *args)
     Py_RETURN_NONE;
 }
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN)
 static int
 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
                       const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -2272,7 +2272,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
 
     return SSL_TLSEXT_ERR_OK;
 }
+#endif
 
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
 _advertiseNPN_cb(SSL *s,
@@ -2307,7 +2309,7 @@ _selectNPN_cb(SSL *s,
 static PyObject *
 _set_npn_protocols(PySSLContext *self, PyObject *args)
 {
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     Py_buffer protos;
 
     if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
@@ -4305,7 +4307,7 @@ init_ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_ECDH", r);
 
-#ifdef OPENSSL_NPN_NEGOTIATED
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     r = Py_True;
 #else
     r = Py_False;

Return to bug 222795

Line 0 Link Here

(-)lang/python27/files/patch-issue30622 (+134 lines)
		1	From 206dcead747e04e97c0d9c54d77cf0b5e4636f7a Mon Sep 17 00:00:00 2001
		2	From: Melvyn Sopacua <melvyn-sopacua@users.noreply.github.com>
		3	Date: Mon, 4 Sep 2017 23:35:15 +0200
		4	Subject: [PATCH] [2.7] bpo-30622: Change NPN detection: (GH-2079)
		5
		6	* Change NPN detection:
		7
		8	Version breakdown, support disabled (pre-patch/post-patch):
		9	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		10	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
		11	False/False
		12	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		13	OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
		14
		15	Version breakdown support enabled (pre-patch/post-patch):
		16	- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
		17	- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
		18	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		19	- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
		20	OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
		21
		22	* Refine NPN guard:
		23
		24	- If NPN is disabled, but ALPN is available we need our callback
		25	- Make clinic's ssl behave the same way
		26
		27	This created a working ssl module for me, with NPN disabled and ALPN
		28	enabled for OpenSSL 1.1.0f.
		29
		30	Concerns to address:
		31	The initial commit for NPN support into OpenSSL [1], had the
		32	OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
		33	guard. The question is if that ever made it into a release.
		34	This would need an ugly hack, something like:
		35
		36	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		37	!defined(OPENSSL_NPN_NEGOTIATED)
		38	GH- define OPENSSL_NPN_UNSUPPORTED 0
		39	GH- define OPENSSL_NPN_NEGOTIATED 1
		40	GH- define OPENSSL_NPN_NO_OVERLAP 2
		41	GH-endif
		42
		43	[1] https://github.com/openssl/openssl/commit/68b33cc5c7.
		44	(cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8)
		45	---
		46	Modules/_ssl.c \| 16 +++++++++-------
		47	1 file changed, 9 insertions(+), 7 deletions(-)
		48
		49	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
		50	index 213c7d21510..832b5f96bff 100644
		51	--- Modules/_ssl.c.orig
		52	+++ Modules/_ssl.c
		53	@@ -280,7 +280,7 @@ static unsigned int _ssl_locks_count = 0;
		54	typedef struct {
		55	PyObject_HEAD
		56	SSL_CTX *ctx;
		57	-#ifdef OPENSSL_NPN_NEGOTIATED
		58	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
		59	unsigned char *npn_protocols;
		60	int npn_protocols_len;
		61	#endif
		62	@@ -1502,7 +1502,7 @@ static PyObject PySSL_version(PySSLSocket self)
		63	return PyUnicode_FromString(version);
		64	}
65
66	-#ifdef OPENSSL_NPN_NEGOTIATED
67	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
68	static PyObject PySSL_selected_npn_protocol(PySSLSocket self) {
69	const unsigned char *out;
70	unsigned int outlen;
71	@@ -2030,7 +2030,7 @@ static PyMethodDef PySSLMethods[] = {
72	PySSL_peercert_doc},
73	{"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
74	{"version", (PyCFunction)PySSL_version, METH_NOARGS},
75	-#ifdef OPENSSL_NPN_NEGOTIATED
76	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
77	{"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
78	#endif
79	#ifdef HAVE_ALPN
80	@@ -2140,7 +2140,7 @@ context_new(PyTypeObject type, PyObject args, PyObject *kwds)
81	return NULL;
82	}
83	self->ctx = ctx;
84	-#ifdef OPENSSL_NPN_NEGOTIATED
85	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
86	self->npn_protocols = NULL;
87	#endif
88	#ifdef HAVE_ALPN
89	@@ -2218,7 +2218,7 @@ context_dealloc(PySSLContext *self)
90	PyObject_GC_UnTrack(self);
91	context_clear(self);
92	SSL_CTX_free(self->ctx);
93	-#ifdef OPENSSL_NPN_NEGOTIATED
94	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
95	PyMem_FREE(self->npn_protocols);
96	#endif
97	#ifdef HAVE_ALPN
98	@@ -2248,7 +2248,7 @@ set_ciphers(PySSLContext self, PyObject args)
99	Py_RETURN_NONE;
100	}
101
102	-#ifdef OPENSSL_NPN_NEGOTIATED
103	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) \|\| defined(HAVE_ALPN)
104	static int
105	do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
106	const unsigned char *server_protocols, unsigned int server_protocols_len,
107	@@ -2272,7 +2272,9 @@ do_protocol_selection(int alpn, unsigned char *out, unsigned char outlen,
108
109	return SSL_TLSEXT_ERR_OK;
110	}
111	+#endif
112
113	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
114	/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
115	static int
116	_advertiseNPN_cb(SSL *s,
117	@@ -2307,7 +2309,7 @@ _selectNPN_cb(SSL *s,
118	static PyObject *
119	_set_npn_protocols(PySSLContext self, PyObject args)
120	{
121	-#ifdef OPENSSL_NPN_NEGOTIATED
122	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
123	Py_buffer protos;
124
125	if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
126	@@ -4305,7 +4307,7 @@ init_ssl(void)
127	Py_INCREF(r);
128	PyModule_AddObject(m, "HAS_ECDH", r);
129
130	-#ifdef OPENSSL_NPN_NEGOTIATED
131	+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
132	r = Py_True;
133	#else
134	r = Py_False;