bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210)

LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects
LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and
LibreSSL < 2.7.

Documentation updates and fixes for failing tests will be provided in
another patch set.

Signed-off-by: Christian Heimes <christian@python.org>
Christian Heimes 2018-03-24 15:41:37 +01:00 committed by GitHub
parent e42ae91509
commit 4ca0739c9d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 7 deletions


@ -0,0 +1 @@
The ssl module now compiles with LibreSSL 2.7.1.


@ -136,6 +136,12 @@ static void _PySSLFixErrno(void) {
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
# define OPENSSL_VERSION_1_1 1 # define OPENSSL_VERSION_1_1 1
# define PY_OPENSSL_1_1_API 1
#endif
/* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
# define PY_OPENSSL_1_1_API 1
#endif #endif
/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1 /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
@ -182,13 +188,17 @@ static void _PySSLFixErrno(void) {
#define INVALID_SOCKET (-1) #define INVALID_SOCKET (-1)
#endif #endif
#ifdef OPENSSL_VERSION_1_1 /* OpenSSL 1.0.2 and LibreSSL needs extra code for locking */
/* OpenSSL 1.1.0+ */ #ifndef OPENSSL_VERSION_1_1
#ifndef OPENSSL_NO_SSL2 #define HAVE_OPENSSL_CRYPTO_LOCK
#endif
#if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
#define OPENSSL_NO_SSL2 #define OPENSSL_NO_SSL2
#endif #endif
#else /* OpenSSL < 1.1.0 */
#define HAVE_OPENSSL_CRYPTO_LOCK #ifndef PY_OPENSSL_1_1_API
/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
#define TLS_method SSLv23_method #define TLS_method SSLv23_method
#define TLS_client_method SSLv23_client_method #define TLS_client_method SSLv23_client_method
@ -250,7 +260,7 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
return s->tlsext_tick_lifetime_hint; return s->tlsext_tick_lifetime_hint;
} }
#endif /* OpenSSL < 1.1.0 or LibreSSL */ #endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
/* Default cipher suites */ /* Default cipher suites */
#ifndef PY_SSL_DEFAULT_CIPHERS #ifndef PY_SSL_DEFAULT_CIPHERS
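Review bot: The two feature macros defined at the top of this section, `OPENSSL_VERSION_1_1` and `PY_OPENSSL_1_1_API`, now gate different things, but nothing at their definition says which is which, so a later edit could easily test the wrong one. I would add a comment above the first `#if`, for example `/* OPENSSL_VERSION_1_1: real OpenSSL >= 1.1.0 (no CRYPTO lock code, OPENSSL_NO_SSL2 forced); PY_OPENSSL_1_1_API: 1.1.0-style API is present, so the shims below are skipped */`. As written, a LibreSSL >= 2.7.0 build still defines `HAVE_OPENSSL_CRYPTO_LOCK` and never gets `OPENSSL_NO_SSL2` from this file, because `OPENSSL_VERSION_1_1` is only set when `LIBRESSL_VERSION_NUMBER` is undefined. Presumably LibreSSL's own headers already disable SSLv2, but that should be confirmed and stated in the comment next to the `OPENSSL_NO_SSL2` guard. The hunks cut through the preprocessor blocks, so the full shim region and its closing `#endif` pairing are only partly visible here.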


@ -54,7 +54,7 @@ LIBRESSL_OLD_VERSIONS = [
] ]
LIBRESSL_RECENT_VERSIONS = [ LIBRESSL_RECENT_VERSIONS = [
# "2.6.5", "2.7.1",
] ]
# store files in ../multissl # store files in ../multissl