a43a125b90
- Mark DEPRECATED, EXPIRES Feb 2016 [1] - Backport issue21356 RAND_egd fix [2] - Fix build for openssl -nossl3 [1] https://www.python.org/dev/peps/pep-0392/#lifespan [2] http://bugs.python.org/issue21356 PR: 195513 Reviewed by: koobs (mentor, python), feld (mentor) Approved by: koobs (python, mentor) Differential Revision: https://reviews.freebsd.org/D4701
175 lines
6.4 KiB
Plaintext
175 lines
6.4 KiB
Plaintext
--- Lib/ssl.py.orig 2014-10-12 08:52:02.000000000 +0200
|
|
+++ Lib/ssl.py 2015-12-23 11:29:24.243085919 +0100
|
|
@@ -63,7 +63,16 @@ from _ssl import OPENSSL_VERSION_NUMBER,
|
|
from _ssl import _SSLContext, SSLError
|
|
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
|
|
from _ssl import OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
|
|
-from _ssl import RAND_status, RAND_egd, RAND_add
|
|
+### Fix build with LibreSSL (does not have RAND_egd)
|
|
+### PR195513, http://bugs.python.org/issue21356
|
|
+from _ssl import RAND_status, RAND_add
|
|
+try:
|
|
+ from _ssl import RAND_egd
|
|
+except ImportError:
|
|
+ # LibreSSL does not provide RAND_egd
|
|
+ pass
|
|
+### End PR195513
|
|
+
|
|
from _ssl import (
|
|
SSL_ERROR_ZERO_RETURN,
|
|
SSL_ERROR_WANT_READ,
|
|
@@ -76,13 +85,12 @@ from _ssl import (
|
|
SSL_ERROR_INVALID_ERROR_CODE,
|
|
)
|
|
from _ssl import HAS_SNI
|
|
-from _ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
|
|
+from _ssl import PROTOCOL_SSLv23, PROTOCOL_TLSv1
|
|
from _ssl import _OPENSSL_API_VERSION
|
|
|
|
_PROTOCOL_NAMES = {
|
|
PROTOCOL_TLSv1: "TLSv1",
|
|
PROTOCOL_SSLv23: "SSLv23",
|
|
- PROTOCOL_SSLv3: "SSLv3",
|
|
}
|
|
try:
|
|
from _ssl import PROTOCOL_SSLv2
|
|
@@ -91,6 +99,13 @@ except ImportError:
|
|
_SSLv2_IF_EXISTS = None
|
|
else:
|
|
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
|
|
+try:
|
|
+ from _ssl import PROTOCOL_SSLv3
|
|
+ _SSLv3_IF_EXISTS = PROTOCOL_SSLv3
|
|
+except ImportError:
|
|
+ _SSLv3_IF_EXISTS = None
|
|
+else:
|
|
+ _PROTOCOL_NAMES[PROTOCOL_SSLv3] = "SSLv3"
|
|
|
|
from socket import getnameinfo as _getnameinfo
|
|
from socket import error as socket_error
|
|
@@ -557,7 +572,7 @@ def PEM_cert_to_DER_cert(pem_cert_string
|
|
d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
|
|
return base64.decodebytes(d.encode('ASCII', 'strict'))
|
|
|
|
-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
|
|
+def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
|
|
"""Retrieve the certificate from the server at the specified address,
|
|
and return it as a PEM-encoded string.
|
|
If 'ca_certs' is specified, validate the server cert against it.
|
|
--- Lib/test/test_ssl.py.orig 2014-10-12 08:52:03.000000000 +0200
|
|
+++ Lib/test/test_ssl.py 2015-12-23 11:29:24.245086385 +0100
|
|
@@ -21,11 +21,12 @@ import functools
|
|
ssl = support.import_module("ssl")
|
|
|
|
PROTOCOLS = [
|
|
- ssl.PROTOCOL_SSLv3,
|
|
ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1
|
|
]
|
|
if hasattr(ssl, 'PROTOCOL_SSLv2'):
|
|
PROTOCOLS.append(ssl.PROTOCOL_SSLv2)
|
|
+if hasattr(ssl, 'PROTOCOL_SSLv3'):
|
|
+ PROTOCOLS.append(ssl.PROTOCOL_SSLv3)
|
|
|
|
HOST = support.HOST
|
|
|
|
@@ -104,8 +105,12 @@ class BasicSocketTests(unittest.TestCase
|
|
sys.stdout.write("\n RAND_status is %d (%s)\n"
|
|
% (v, (v and "sufficient randomness") or
|
|
"insufficient randomness"))
|
|
- self.assertRaises(TypeError, ssl.RAND_egd, 1)
|
|
- self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
|
|
+### Fix build with LibreSSL (does not have RAND_egd)
|
|
+### PR195513, http://bugs.python.org/issue21356
|
|
+ if hasattr(ssl, 'RAND_egd'):
|
|
+ self.assertRaises(TypeError, ssl.RAND_egd, 1)
|
|
+ self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
|
|
+### End PR195513
|
|
ssl.RAND_add("this is a random string", 75.0)
|
|
|
|
def test_parse_cert(self):
|
|
@@ -380,7 +385,8 @@ class ContextTests(unittest.TestCase):
|
|
if hasattr(ssl, 'PROTOCOL_SSLv2'):
|
|
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
|
|
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
|
- ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
|
|
+ if hasattr(ssl, 'PROTOCOL_SSLv3'):
|
|
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
|
|
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
|
self.assertRaises(TypeError, ssl.SSLContext)
|
|
self.assertRaises(ValueError, ssl.SSLContext, -1)
|
|
@@ -1372,6 +1378,7 @@ else:
|
|
|
|
|
|
@skip_if_broken_ubuntu_ssl
|
|
+ @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv3'), "need SSLv3")
|
|
def test_protocol_sslv3(self):
|
|
"""Connecting to an SSLv3 server with various client options"""
|
|
if support.verbose:
|
|
--- Modules/_ssl.c.orig 2014-10-12 08:52:03.000000000 +0200
|
|
+++ Modules/_ssl.c 2015-12-23 11:29:24.242085898 +0100
|
|
@@ -66,7 +66,9 @@ enum py_ssl_version {
|
|
#ifndef OPENSSL_NO_SSL2
|
|
PY_SSL_VERSION_SSL2,
|
|
#endif
|
|
- PY_SSL_VERSION_SSL3=1,
|
|
+#ifndef OPENSSL_NO_SSL3
|
|
+ PY_SSL_VERSION_SSL3,
|
|
+#endif
|
|
PY_SSL_VERSION_SSL23,
|
|
PY_SSL_VERSION_TLS1
|
|
};
|
|
@@ -1512,8 +1514,10 @@ context_new(PyTypeObject *type, PyObject
|
|
PySSL_BEGIN_ALLOW_THREADS
|
|
if (proto_version == PY_SSL_VERSION_TLS1)
|
|
ctx = SSL_CTX_new(TLSv1_method());
|
|
+#ifndef OPENSSL_NO_SSL3
|
|
else if (proto_version == PY_SSL_VERSION_SSL3)
|
|
ctx = SSL_CTX_new(SSLv3_method());
|
|
+#endif
|
|
#ifndef OPENSSL_NO_SSL2
|
|
else if (proto_version == PY_SSL_VERSION_SSL2)
|
|
ctx = SSL_CTX_new(SSLv2_method());
|
|
@@ -1965,6 +1969,9 @@ Returns 1 if the OpenSSL PRNG has been s
|
|
It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
|
|
using the ssl() function.");
|
|
|
|
+/* ### Fix build with LibreSSL (does not have RAND_egd)
|
|
+ ### PR195513, http://bugs.python.org/issue21356 */
|
|
+#ifndef OPENSSL_NO_EGD
|
|
static PyObject *
|
|
PySSL_RAND_egd(PyObject *self, PyObject *args)
|
|
{
|
|
@@ -1992,6 +1999,8 @@ PyDoc_STRVAR(PySSL_RAND_egd_doc,
|
|
Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
|
|
Returns number of bytes read. Raises SSLError if connection to EGD\n\
|
|
fails or if it does provide enough data to seed PRNG.");
|
|
+#endif /* OPENSSL_NO_EGD */
|
|
+/* ### End PR195513 */
|
|
|
|
#endif
|
|
|
|
@@ -2005,8 +2014,12 @@ static PyMethodDef PySSL_methods[] = {
|
|
#ifdef HAVE_OPENSSL_RAND
|
|
{"RAND_add", PySSL_RAND_add, METH_VARARGS,
|
|
PySSL_RAND_add_doc},
|
|
+/* ### Fix build with LibreSSL (does not have RAND_egd)
|
|
+ ### PR195513, http://bugs.python.org/issue21356 */
|
|
+#ifndef OPENSSL_NO_EGD
|
|
{"RAND_egd", PySSL_RAND_egd, METH_VARARGS,
|
|
PySSL_RAND_egd_doc},
|
|
+#endif /* OPENSSL_NO_EGD */
|
|
{"RAND_status", (PyCFunction)PySSL_RAND_status, METH_NOARGS,
|
|
PySSL_RAND_status_doc},
|
|
#endif
|
|
@@ -2199,8 +2212,10 @@ PyInit__ssl(void)
|
|
PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
|
|
PY_SSL_VERSION_SSL2);
|
|
#endif
|
|
+#ifndef OPENSSL_NO_SSL3
|
|
PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
|
|
PY_SSL_VERSION_SSL3);
|
|
+#endif
|
|
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
|
|
PY_SSL_VERSION_SSL23);
|
|
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
|