From e35d1ba9eab07a59b98b700c5e18ceb13b2561a6 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 3 Jun 2019 20:40:15 +0200
Subject: [PATCH] bpo-34271: Fix compatibility with 1.0.2 (GH-13728)

Fix various compatibility issues with LibreSSL and OpenSSL 1.0.2 introduced by bpo-34271.

Signed-off-by: Christian Heimes
---
 Lib/ssl.py | 6 ++---
 Lib/test/test_ssl.py | 48 ++++++-------------------------------
 Modules/_ssl/debughelpers.c | 11 ++++++++-
 Tools/ssl/multissltests.py | 3 ++-
 4 files changed, 22 insertions(+), 46 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 4afa46e5da5..61bd775f759 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -658,12 +658,12 @@ class SSLContext(_SSLContext):
 def inner(conn, direction, version, content_type, msg_type, data):
 try:
 version = TLSVersion(version)
- except TypeError:
+ except ValueError:
 pass
 try:
 content_type = _TLSContentType(content_type)
- except TypeError:
+ except ValueError:
 pass
 if content_type == _TLSContentType.HEADER:
@@ -674,7 +674,7 @@ class SSLContext(_SSLContext):
 msg_enum = _TLSMessageType
 try:
 msg_type = msg_enum(msg_type)
- except TypeError:
+ except ValueError:
 pass
 return callback(conn, direction, version,
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index a72d7913218..455a12ea7f2 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -3703,7 +3703,7 @@ class ThreadedTests(unittest.TestCase):
 # client 1.0, server 1.2 (mismatch)
 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
- client_context.minimum_version = ssl.TLSVersion.TLSv1
+ client_context.maximum_version = ssl.TLSVersion.TLSv1
 client_context.maximum_version = ssl.TLSVersion.TLSv1
 with ThreadedEchoServer(context=server_context) as server:
 with client_context.wrap_socket(socket.socket(),
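Review bot: The three `except ValueError: pass` branches in `inner` (this hunk and the following one at line 674) let an unrecognised version, content type or message type reach `callback` as a plain int rather than an enum member, and nothing in the code states that contract. A short comment on the first handler would document it, for example `# unknown value: pass the raw int through to the callback unchanged`. Anything that logs or compares these fields then knows it must handle both types. The body of `inner` continues past the end of the second hunk.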
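Review bot: After this change `client_context.maximum_version = ssl.TLSVersion.TLSv1` appears on two consecutive lines in the Lib/test/test_ssl.py hunk at line 3703, and the client's minimum version is no longer set. The repeated assignment is redundant; if the intent is simply to stop setting `minimum_version` (my reading of the commit message, not stated in the hunk), delete the changed line instead of duplicating its neighbour. A comment such as `# only the client maximum matters for the mismatch; minimum stays at its default` would record why. The mismatch case still holds because the client maximum (TLS 1.0) is below the server minimum (TLS 1.2). The test method starts and ends outside the hunk.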
@@ -4529,50 +4529,16 @@ class TestSSLDebug(unittest.TestCase):
 server_hostname=hostname) as s:
 s.connect((HOST, server.port))
- self.assertEqual(msg, [
- ("write", TLSVersion.TLSv1, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("write", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.CLIENT_HELLO),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.SERVER_HELLO),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.CERTIFICATE),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
+ self.assertIn(
 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
 _TLSMessageType.SERVER_KEY_EXCHANGE),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.SERVER_DONE),
- ("write", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("write", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.CLIENT_KEY_EXCHANGE),
- ("write", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.FINISHED),
+ msg
+ )
+ self.assertIn(
 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
 _TLSMessageType.CHANGE_CIPHER_SPEC),
- ("write", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("write", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.FINISHED),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.NEWSESSION_TICKET),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.FINISHED),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HEADER,
- _TLSMessageType.CERTIFICATE_STATUS),
- ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
- _TLSMessageType.FINISHED),
- ])
+ msg
+ )
 def test_main(verbose=False):
diff --git a/Modules/_ssl/debughelpers.c b/Modules/_ssl/debughelpers.c
index 53b96674932..858b3d7955c 100644
--- a/Modules/_ssl/debughelpers.c
+++ b/Modules/_ssl/debughelpers.c
@@ -1,5 +1,12 @@
 /* Debug helpers */
+#ifndef SSL3_MT_CHANGE_CIPHER_SPEC
+/* Dummy message type for handling CCS like a normal handshake message
+ * not defined in OpenSSL 1.0.2
+ */
+#define SSL3_MT_CHANGE_CIPHER_SPEC 0x0101
+#endif
+
 static void
 _PySSL_msg_callback(int write_p, int version, int content_type,
 const void *buf, size_t len, SSL *ssl, void *arg)
@@ -41,11 +48,13 @@ _PySSL_msg_callback(int write_p, int version, int content_type,
 case SSL3_RT_HANDSHAKE:
 msg_type = (int)cbuf[0];
 break;
+#ifdef SSL3_RT_HEADER
 case SSL3_RT_HEADER:
 /* frame header encodes version in bytes 1..2 */
 version = cbuf[1] << 8 | cbuf[2];
 msg_type = (int)cbuf[0];
 break;
+#endif
 #ifdef SSL3_RT_INNER_CONTENT_TYPE
 case SSL3_RT_INNER_CONTENT_TYPE:
 msg_type = (int)cbuf[0];
@@ -210,4 +219,4 @@ _PySSLContext_set_keylog_filename(PySSLContext *self, PyObject *arg, void *c) {
 return 0;
 }
-#endif
\ No newline at end of file
+#endif
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 07bd9b016d9..7fda4df55a6 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -51,10 +51,11 @@ OPENSSL_RECENT_VERSIONS = [
 ]
 LIBRESSL_OLD_VERSIONS = [
+ "2.9.2",
 ]
 LIBRESSL_RECENT_VERSIONS = [
- "2.7.4",
+ "2.8.3",
 ]
 # store files in ../multissl
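Review bot: The two `assertIn` calls in the TestSSLDebug hunk at line 4529 now only prove that one SERVER_KEY_EXCHANGE read and one CHANGE_CIPHER_SPEC write were seen. The ordering of records and the HEADER decoding path exercised by the old list are no longer checked, so a regression in the enum conversion for header records would pass unnoticed. If the full sequence really differs between libssl versions (implied by the commit message, not shown in the hunk), say so next to the assertions, e.g. `# record sequence varies across OpenSSL/LibreSSL versions; assert only messages common to all`. Consider adding one check that does not depend on the version, such as `self.assertTrue(msg)` before the membership tests. The test method begins above the hunk.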
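Review bot: In the Modules/_ssl/debughelpers.c hunk at line 41, the `SSL3_RT_HEADER` case reads `cbuf[0]`, `cbuf[1]` and `cbuf[2]`, and the other cases read `cbuf[0]`, with no comparison against `len` visible in the hunk. The new `#ifdef` guard does not change that. If no length check precedes the switch, which I cannot see from here, a short buffer would be read out of bounds. A guard such as `if (len < 3)` ahead of the header reads, and `len < 1` for the single-byte cases, would make the callback safe regardless of what libssl passes in. It is also worth a comment that when `SSL3_RT_HEADER` is undefined, header records fall through to whatever the switch's default does, since the Python side still compares against `_TLSContentType.HEADER`. The function starts and ends outside the hunk.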