bpo-30622: Change NPN detection: (#2079)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	#if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	#	define OPENSSL_NPN_UNSUPPORTED 0
	#	define OPENSSL_NPN_NEGOTIATED 1
	#	define OPENSSL_NPN_NO_OVERLAP 2
	#endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7
This commit is contained in:
Melvyn Sopacua 2017-09-04 23:35:15 +02:00 committed by Christian Heimes
parent 973b901212
commit b2d096bd2a
2 changed files with 11 additions and 9 deletions

View File

@ -315,7 +315,7 @@ static unsigned int _ssl_locks_count = 0;
typedef struct { typedef struct {
PyObject_HEAD PyObject_HEAD
SSL_CTX *ctx; SSL_CTX *ctx;
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
unsigned char *npn_protocols; unsigned char *npn_protocols;
int npn_protocols_len; int npn_protocols_len;
#endif #endif
@ -1697,7 +1697,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self)
return PyUnicode_FromString(version); return PyUnicode_FromString(version);
} }
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
/*[clinic input] /*[clinic input]
_ssl._SSLSocket.selected_npn_protocol _ssl._SSLSocket.selected_npn_protocol
[clinic start generated code]*/ [clinic start generated code]*/
@ -2647,7 +2647,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
return NULL; return NULL;
} }
self->ctx = ctx; self->ctx = ctx;
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
self->npn_protocols = NULL; self->npn_protocols = NULL;
#endif #endif
#ifdef HAVE_ALPN #ifdef HAVE_ALPN
@ -2782,7 +2782,7 @@ context_dealloc(PySSLContext *self)
PyObject_GC_UnTrack(self); PyObject_GC_UnTrack(self);
context_clear(self); context_clear(self);
SSL_CTX_free(self->ctx); SSL_CTX_free(self->ctx);
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
PyMem_FREE(self->npn_protocols); PyMem_FREE(self->npn_protocols);
#endif #endif
#ifdef HAVE_ALPN #ifdef HAVE_ALPN
@ -2860,7 +2860,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self)
#endif #endif
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN)
static int static int
do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *server_protocols, unsigned int server_protocols_len, const unsigned char *server_protocols, unsigned int server_protocols_len,
@ -2884,7 +2884,9 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
#endif
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
static int static int
_advertiseNPN_cb(SSL *s, _advertiseNPN_cb(SSL *s,
@ -2927,7 +2929,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self,
Py_buffer *protos) Py_buffer *protos)
/*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/ /*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/
{ {
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
PyMem_Free(self->npn_protocols); PyMem_Free(self->npn_protocols);
self->npn_protocols = PyMem_Malloc(protos->len); self->npn_protocols = PyMem_Malloc(protos->len);
if (self->npn_protocols == NULL) if (self->npn_protocols == NULL)
@ -5397,7 +5399,7 @@ PyInit__ssl(void)
Py_INCREF(r); Py_INCREF(r);
PyModule_AddObject(m, "HAS_ECDH", r); PyModule_AddObject(m, "HAS_ECDH", r);
#ifdef OPENSSL_NPN_NEGOTIATED #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
r = Py_True; r = Py_True;
#else #else
r = Py_False; r = Py_False;

View File

@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored))
return _ssl__SSLSocket_version_impl(self); return _ssl__SSLSocket_version_impl(self);
} }
#if defined(OPENSSL_NPN_NEGOTIATED) #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__, PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__,
"selected_npn_protocol($self, /)\n" "selected_npn_protocol($self, /)\n"
@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign
return _ssl__SSLSocket_selected_npn_protocol_impl(self); return _ssl__SSLSocket_selected_npn_protocol_impl(self);
} }
#endif /* defined(OPENSSL_NPN_NEGOTIATED) */ #endif /* defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) */
#if defined(HAVE_ALPN) #if defined(HAVE_ALPN)