From 72ed233167b10d3a488d30a8ec3a17e412a7dd69 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 5 Sep 2017 01:11:40 +0200 Subject: [PATCH] [2.7] bpo-30622: Change NPN detection: (GH-2079) (#3316) * Change NPN detection: Version breakdown, support disabled (pre-patch/post-patch): - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will be defined -> True/False Version breakdown support enabled (pre-patch/post-patch): - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True * Refine NPN guard: - If NPN is disabled, but ALPN is available we need our callback - Make clinic's ssl behave the same way This created a working ssl module for me, with NPN disabled and ALPN enabled for OpenSSL 1.1.0f. Concerns to address: The initial commit for NPN support into OpenSSL [1], had the OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG guard. The question is if that ever made it into a release. This would need an ugly hack, something like: GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \ !defined(OPENSSL_NPN_NEGOTIATED) GH- define OPENSSL_NPN_UNSUPPORTED 0 GH- define OPENSSL_NPN_NEGOTIATED 1 GH- define OPENSSL_NPN_NO_OVERLAP 2 GH-endif [1] https://github.com/openssl/openssl/commit/68b33cc5c7. (cherry picked from commit b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8) --- Modules/_ssl.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 213c7d21510..832b5f96bff 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -280,7 +280,7 @@ static unsigned int _ssl_locks_count = 0; typedef struct { PyObject_HEAD SSL_CTX *ctx; -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) unsigned char *npn_protocols; int npn_protocols_len; #endif @@ -1502,7 +1502,7 @@ static PyObject *PySSL_version(PySSLSocket *self) return PyUnicode_FromString(version); } -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) { const unsigned char *out; unsigned int outlen; @@ -2140,7 +2140,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) return NULL; } self->ctx = ctx; -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) self->npn_protocols = NULL; #endif #ifdef HAVE_ALPN @@ -2218,7 +2218,7 @@ context_dealloc(PySSLContext *self) PyObject_GC_UnTrack(self); context_clear(self); SSL_CTX_free(self->ctx); -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) PyMem_FREE(self->npn_protocols); #endif #ifdef HAVE_ALPN @@ -2248,7 +2248,7 @@ set_ciphers(PySSLContext *self, PyObject *args) Py_RETURN_NONE; } -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN) static int do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, const unsigned char *server_protocols, unsigned int server_protocols_len, @@ -2272,7 +2272,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, return SSL_TLSEXT_ERR_OK; } +#endif +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ static int _advertiseNPN_cb(SSL *s, @@ -2307,7 +2309,7 @@ _selectNPN_cb(SSL *s, static PyObject * _set_npn_protocols(PySSLContext *self, PyObject *args) { -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) Py_buffer protos; if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos)) @@ -4305,7 +4307,7 @@ init_ssl(void) Py_INCREF(r); PyModule_AddObject(m, "HAS_ECDH", r); -#ifdef OPENSSL_NPN_NEGOTIATED +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) r = Py_True; #else r = Py_False;