traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[3.8] bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190) (GH-17499) 

test_openssl_version now accepts version 3.0.0.

getpeercert() no longer returns IPv6 addresses with a trailing new line.

Signed-off-by: Christian Heimes <christian@python.org>


https://bugs.python.org/issue38820
(cherry picked from commit 2b7de6696b)


Co-authored-by: Christian Heimes <christian@python.org>


https://bugs.python.org/issue38820



Automerge-Triggered-By: @tiran
This commit is contained in:
Miss Islington (bot) 2019-12-07 09:20:27 -08:00 committed by GitHub
parent 930cef2770
commit 9d3cacd590
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 59 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Doc/library/ssl.rst
View File

@ -1256,6 +1256,9 @@ SSL sockets also have the following additional methods and attributes:
The returned dictionary includes additional X509v3 extension items The returned dictionary includes additional X509v3 extension items
such as ``crlDistributionPoints``, ``caIssuers`` and ``OCSP`` URIs. such as ``crlDistributionPoints``, ``caIssuers`` and ``OCSP`` URIs.
.. versionchanged:: 3.8.1
IPv6 address strings no longer have a trailing new line.
.. method:: SSLSocket.cipher() .. method:: SSLSocket.cipher()
Returns a three-value tuple containing the name of the cipher being used, the Returns a three-value tuple containing the name of the cipher being used, the

12
Lib/test/test_ssl.py
View File

@ -485,7 +485,7 @@ class BasicSocketTests(unittest.TestCase):
('email', 'null@python.org\x00user@example.org'), ('email', 'null@python.org\x00user@example.org'),
('URI', 'http://null.python.org\x00http://example.org'), ('URI', 'http://null.python.org\x00http://example.org'),
('IP Address', '192.0.2.1'), ('IP Address', '192.0.2.1'),
('IP Address', '2001:DB8:0:0:0:0:0:1\n')) ('IP Address', '2001:DB8:0:0:0:0:0:1'))
else: else:
# OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
san = (('DNS', 'altnull.python.org\x00example.com'), san = (('DNS', 'altnull.python.org\x00example.com'),
@ -512,7 +512,7 @@ class BasicSocketTests(unittest.TestCase):
(('commonName', 'dirname example'),))), (('commonName', 'dirname example'),))),
('URI', 'https://www.python.org/'), ('URI', 'https://www.python.org/'),
('IP Address', '127.0.0.1'), ('IP Address', '127.0.0.1'),
('IP Address', '0:0:0:0:0:0:0:1\n'), ('IP Address', '0:0:0:0:0:0:0:1'),
('Registered ID', '1.2.3.4.5') ('Registered ID', '1.2.3.4.5')
) )
) )
@ -539,11 +539,11 @@ class BasicSocketTests(unittest.TestCase):
# Some sanity checks follow # Some sanity checks follow
# >= 0.9 # >= 0.9
self.assertGreaterEqual(n, 0x900000) self.assertGreaterEqual(n, 0x900000)
# < 3.0 # < 4.0
self.assertLess(n, 0x30000000) self.assertLess(n, 0x40000000)
major, minor, fix, patch, status = t major, minor, fix, patch, status = t
self.assertGreaterEqual(major, 0) self.assertGreaterEqual(major, 1)
self.assertLess(major, 3) self.assertLess(major, 4)
self.assertGreaterEqual(minor, 0) self.assertGreaterEqual(minor, 0)
self.assertLess(minor, 256) self.assertLess(minor, 256)
self.assertGreaterEqual(fix, 0) self.assertGreaterEqual(fix, 0)

2
Misc/NEWS.d/next/Library/2019-11-16-16-09-07.bpo-38820.ivhUSV.rst Normal file
View File

@ -0,0 +1,2 @@
Make Python compatible with OpenSSL 3.0.0. :func:`ssl.SSLSocket.getpeercert`
no longer returns IPv6 addresses with a trailing new line.

49
Modules/_ssl.c
View File

@ -1410,6 +1410,54 @@ _get_peer_alt_names (X509 *certificate) {
PyTuple_SET_ITEM(t, 1, v); PyTuple_SET_ITEM(t, 1, v);
break; break;
case GEN_IPADD:
/* OpenSSL < 3.0.0 adds a trailing \n to IPv6. 3.0.0 removed
* the trailing newline. Remove it in all versions
*/
t = PyTuple_New(2);
if (t == NULL)
goto fail;
v = PyUnicode_FromString("IP Address");
if (v == NULL) {
Py_DECREF(t);
goto fail;
}
PyTuple_SET_ITEM(t, 0, v);
if (name->d.ip->length == 4) {
unsigned char *p = name->d.ip->data;
v = PyUnicode_FromFormat(
"%d.%d.%d.%d",
p[0], p[1], p[2], p[3]
);
} else if (name->d.ip->length == 16) {
/* PyUnicode_FromFormat() does not support %X */
unsigned char *p = name->d.ip->data;
len = sprintf(
buf,
"%X:%X:%X:%X:%X:%X:%X:%X",
p[0] << 8 | p[1],
p[2] << 8 | p[3],
p[4] << 8 | p[5],
p[6] << 8 | p[7],
p[8] << 8 | p[9],
p[10] << 8 | p[11],
p[12] << 8 | p[13],
p[14] << 8 | p[15]
);
v = PyUnicode_FromStringAndSize(buf, len);
} else {
v = PyUnicode_FromString("<invalid>");
}
if (v == NULL) {
Py_DECREF(t);
goto fail;
}
PyTuple_SET_ITEM(t, 1, v);
break;
default: default:
/* for everything else, we use the OpenSSL print form */ /* for everything else, we use the OpenSSL print form */
switch (gntype) { switch (gntype) {
@ -1417,7 +1465,6 @@ _get_peer_alt_names (X509 *certificate) {
case GEN_OTHERNAME: case GEN_OTHERNAME:
case GEN_X400: case GEN_X400:
case GEN_EDIPARTY: case GEN_EDIPARTY:
case GEN_IPADD:
case GEN_RID: case GEN_RID:
break; break;
default: default: