From 3b935060e878f9a331e240e0b42bccc44b1232ab Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sun, 18 Nov 2018 16:08:28 -0800 Subject: [PATCH] python3: Fix compilation with deprecated OpenSSL APIs Also refreshed patches. Signed-off-by: Rosen Penev --- lang/python/python3/Makefile | 2 +- .../python3/patches/001-enable-zlib.patch | 2 +- .../003-do-not-run-distutils-tests.patch | 4 +- ...06-remove-multi-arch-and-local-paths.patch | 2 +- ...add-rt-lib-dirs-when-cross-compiling.patch | 2 +- ...uildinfo-date-time-source-date-epoch.patch | 4 +- .../014-remove-platform-so-suffix.patch | 4 +- .../patches/015-abort-on-failed-modules.patch | 2 +- .../patches/016-adjust-config-paths.patch | 8 +- .../020-ssl-module-emulate-tls-methods.patch | 193 ++++++++++++++++++ .../patches/021-openssl-deprecated.patch | 117 +++++++++++ 11 files changed, 325 insertions(+), 15 deletions(-) create mode 100644 lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch create mode 100644 lang/python/python3/patches/021-openssl-deprecated.patch diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile index 19129e05a..34e8d294a 100644 --- a/lang/python/python3/Makefile +++ b/lang/python/python3/Makefile @@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION) PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO) PKG_NAME:=python3 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO) PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz diff --git a/lang/python/python3/patches/001-enable-zlib.patch b/lang/python/python3/patches/001-enable-zlib.patch index 4ea3f54ad..287b147d1 100644 --- a/lang/python/python3/patches/001-enable-zlib.patch +++ b/lang/python/python3/patches/001-enable-zlib.patch @@ -17,4 +17,4 @@ Subject: [PATCH] enable zlib +zlib zlibmodule.c -lz # Interface to the Expat XML parser - # + # More information on Expat can be found at www.libexpat.org. 
diff --git a/lang/python/python3/patches/003-do-not-run-distutils-tests.patch b/lang/python/python3/patches/003-do-not-run-distutils-tests.patch index bfcd8d62e..e4fabd43e 100644 --- a/lang/python/python3/patches/003-do-not-run-distutils-tests.patch +++ b/lang/python/python3/patches/003-do-not-run-distutils-tests.patch @@ -1,6 +1,6 @@ --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -1381,6 +1381,7 @@ libinstall: build_all $(srcdir)/Modules/ +@@ -1389,6 +1389,7 @@ libinstall: build_all $(srcdir)/Modules/ $(INSTALL_DATA) `cat pybuilddir.txt`/_sysconfigdata_$(ABIFLAGS)_$(MACHDEP)_$(MULTIARCH).py \ $(DESTDIR)$(LIBDEST); \ $(INSTALL_DATA) $(srcdir)/LICENSE $(DESTDIR)$(LIBDEST)/LICENSE.txt @@ -8,7 +8,7 @@ if test -d $(DESTDIR)$(LIBDEST)/distutils/tests; then \ $(INSTALL_DATA) $(srcdir)/Modules/xxmodule.c \ $(DESTDIR)$(LIBDEST)/distutils/tests ; \ -@@ -1416,6 +1417,7 @@ libinstall: build_all $(srcdir)/Modules/ +@@ -1424,6 +1425,7 @@ libinstall: build_all $(srcdir)/Modules/ $(PYTHON_FOR_BUILD) -m lib2to3.pgen2.driver $(DESTDIR)$(LIBDEST)/lib2to3/Grammar.txt -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ $(PYTHON_FOR_BUILD) -m lib2to3.pgen2.driver $(DESTDIR)$(LIBDEST)/lib2to3/PatternGrammar.txt diff --git a/lang/python/python3/patches/006-remove-multi-arch-and-local-paths.patch b/lang/python/python3/patches/006-remove-multi-arch-and-local-paths.patch index 57fc9bc38..72d31be9a 100644 --- a/lang/python/python3/patches/006-remove-multi-arch-and-local-paths.patch +++ b/lang/python/python3/patches/006-remove-multi-arch-and-local-paths.patch @@ -1,6 +1,6 @@ --- a/setup.py +++ b/setup.py -@@ -537,16 +537,9 @@ class PyBuildExt(build_ext): +@@ -542,16 +542,9 @@ class PyBuildExt(build_ext): os.unlink(tmpfile) def detect_modules(self): diff --git a/lang/python/python3/patches/010-do-not-add-rt-lib-dirs-when-cross-compiling.patch b/lang/python/python3/patches/010-do-not-add-rt-lib-dirs-when-cross-compiling.patch index be5fcb940..c5d11d232 100644 
--- a/lang/python/python3/patches/010-do-not-add-rt-lib-dirs-when-cross-compiling.patch +++ b/lang/python/python3/patches/010-do-not-add-rt-lib-dirs-when-cross-compiling.patch @@ -1,6 +1,6 @@ --- a/setup.py +++ b/setup.py -@@ -547,8 +547,9 @@ class PyBuildExt(build_ext): +@@ -552,8 +552,9 @@ class PyBuildExt(build_ext): # directly since an inconsistently reproducible issue comes up where # the environment variable is not set even though the value were passed # into configure and stored in the Makefile (issue found on OS X 10.3). diff --git a/lang/python/python3/patches/013-getbuildinfo-date-time-source-date-epoch.patch b/lang/python/python3/patches/013-getbuildinfo-date-time-source-date-epoch.patch index a3bdb3345..a31f4c7d2 100644 --- a/lang/python/python3/patches/013-getbuildinfo-date-time-source-date-epoch.patch +++ b/lang/python/python3/patches/013-getbuildinfo-date-time-source-date-epoch.patch @@ -1,6 +1,6 @@ --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -743,6 +743,16 @@ regen-all: regen-opcode regen-opcode-tar +@@ -751,6 +751,16 @@ regen-all: regen-opcode regen-opcode-tar ############################################################################ # Special rules for object files @@ -17,7 +17,7 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ $(OBJECT_OBJS) \ $(PYTHON_OBJS) \ -@@ -750,6 +760,8 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ +@@ -758,6 +768,8 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ $(MODOBJS) \ $(srcdir)/Modules/getbuildinfo.c $(CC) -c $(PY_CORE_CFLAGS) \ diff --git a/lang/python/python3/patches/014-remove-platform-so-suffix.patch b/lang/python/python3/patches/014-remove-platform-so-suffix.patch index de7badd99..b9d3cd165 100644 --- a/lang/python/python3/patches/014-remove-platform-so-suffix.patch +++ b/lang/python/python3/patches/014-remove-platform-so-suffix.patch @@ -1,6 +1,6 @@ --- a/configure 
+++ b/configure -@@ -14962,7 +14962,7 @@ $as_echo_n "checking ABIFLAGS... " >&6; +@@ -15129,7 +15129,7 @@ $as_echo_n "checking ABIFLAGS... " >&6; $as_echo "$ABIFLAGS" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking SOABI" >&5 $as_echo_n "checking SOABI... " >&6; } @@ -11,7 +11,7 @@ --- a/configure.ac +++ b/configure.ac -@@ -4665,7 +4665,7 @@ AC_SUBST(SOABI) +@@ -4719,7 +4719,7 @@ AC_SUBST(SOABI) AC_MSG_CHECKING(ABIFLAGS) AC_MSG_RESULT($ABIFLAGS) AC_MSG_CHECKING(SOABI) diff --git a/lang/python/python3/patches/015-abort-on-failed-modules.patch b/lang/python/python3/patches/015-abort-on-failed-modules.patch index 9d7579418..5150b77e8 100644 --- a/lang/python/python3/patches/015-abort-on-failed-modules.patch +++ b/lang/python/python3/patches/015-abort-on-failed-modules.patch @@ -1,6 +1,6 @@ --- a/setup.py +++ b/setup.py -@@ -354,6 +354,7 @@ class PyBuildExt(build_ext): +@@ -359,6 +359,7 @@ class PyBuildExt(build_ext): print("Failed to build these modules:") print_three_column(failed) print() diff --git a/lang/python/python3/patches/016-adjust-config-paths.patch b/lang/python/python3/patches/016-adjust-config-paths.patch index dbd15cda9..3749a1590 100644 --- a/lang/python/python3/patches/016-adjust-config-paths.patch +++ b/lang/python/python3/patches/016-adjust-config-paths.patch @@ -20,7 +20,7 @@ abi=sys.abiflags, --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -1390,7 +1390,7 @@ libinstall: build_all $(srcdir)/Modules/ +@@ -1398,7 +1398,7 @@ libinstall: build_all $(srcdir)/Modules/ esac; \ done; \ done @@ -29,7 +29,7 @@ $(DESTDIR)$(LIBDEST); \ $(INSTALL_DATA) $(srcdir)/LICENSE $(DESTDIR)$(LIBDEST)/LICENSE.txt ifeq (@COMPILE_ALL_TESTS@,yes) -@@ -1525,7 +1525,7 @@ sharedinstall: sharedmods +@@ -1543,7 +1543,7 @@ sharedinstall: sharedmods --install-scripts=$(BINDIR) \ --install-platlib=$(DESTSHARED) \ --root=$(DESTDIR)/ @@ -40,7 +40,7 @@ # Here are a couple of targets for MacOSX again, to install a full --- a/configure 
+++ b/configure -@@ -14981,7 +14981,7 @@ LDVERSION='$(VERSION)$(ABIFLAGS)' +@@ -15148,7 +15148,7 @@ LDVERSION='$(VERSION)$(ABIFLAGS)' $as_echo "$LDVERSION" >&6; } @@ -51,7 +51,7 @@ LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}" --- a/configure.ac +++ b/configure.ac -@@ -4682,7 +4682,7 @@ AC_MSG_RESULT($LDVERSION) +@@ -4736,7 +4736,7 @@ AC_MSG_RESULT($LDVERSION) dnl define LIBPL after ABIFLAGS and LDVERSION is defined. AC_SUBST(PY_ENABLE_SHARED) diff --git a/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch b/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch new file mode 100644 index 000000000..cf334886c --- /dev/null +++ b/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch 
@@ -0,0 +1,193 @@ +From 991f0176e188227647bf4c993d8da81cf794b3ae Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Sun, 25 Feb 2018 20:03:07 +0100 +Subject: [PATCH] bpo-30008: SSL module: emulate tls methods + +OpenSSL 1.1 compatility: emulate version specific TLS methods with +SSL_CTX_set_min/max_proto_version(). +--- + .../2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst | 4 + + Modules/_ssl.c | 134 ++++++++++++++++----- + 2 files changed, 108 insertions(+), 30 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst + +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst +@@ -0,0 +1,4 @@ ++The ssl module no longer uses function that are deprecated since OpenSSL ++1.1.0. The version specific TLS methods are emulated with TLS_method() plus ++SSL_CTX_set_min/max_proto_version(). Pseudo random numbers are generated ++with RAND_bytes(). +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -45,14 +45,6 @@ static PySocketModule_APIObject PySocketModule; + #include + #endif + +-/* Don't warn about deprecated functions */ +-#ifdef __GNUC__ +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +-#endif +-#ifdef __clang__ +-#pragma clang diagnostic ignored "-Wdeprecated-declarations" +-#endif +- + /* Include OpenSSL header files */ + #include "openssl/rsa.h" + #include "openssl/crypto.h" +@@ -201,6 +193,7 @@ static void _PySSLFixErrno(void) { + #ifndef PY_OPENSSL_1_1_API + /* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */ + ++#define ASN1_STRING_get0_data ASN1_STRING_data + #define TLS_method SSLv23_method + #define TLS_client_method SSLv23_client_method + #define TLS_server_method SSLv23_server_method +@@ -1319,8 +1312,9 @@ _get_peer_alt_names (X509 *certificate) { + goto fail; + } + PyTuple_SET_ITEM(t, 0, v); +- v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as), +- ASN1_STRING_length(as)); ++ v = PyUnicode_FromStringAndSize( ++ (char *)ASN1_STRING_get0_data(as), ++ 
ASN1_STRING_length(as)); + if (v == NULL) { + Py_DECREF(t); + goto fail; +@@ -2959,38 +2953,118 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) + #endif + + PySSL_BEGIN_ALLOW_THREADS +- if (proto_version == PY_SSL_VERSION_TLS1) ++ switch (proto_version) { ++#if OPENSSL_VERSION_NUMBER <= 0x10100000L ++ /* OpenSSL < 1.1.0 or not LibreSSL ++ * Use old-style methods for OpenSSL 1.0.2 ++ */ ++#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2) ++ case PY_SSL_VERSION_SSL2: ++ ctx = SSL_CTX_new(SSLv2_method()); ++ break; ++#endif ++#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3) ++ case PY_SSL_VERSION_SSL3: ++ ctx = SSL_CTX_new(SSLv3_method()); ++ break; ++#endif ++#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1) ++ case PY_SSL_VERSION_TLS1: + ctx = SSL_CTX_new(TLSv1_method()); +-#if HAVE_TLSv1_2 +- else if (proto_version == PY_SSL_VERSION_TLS1_1) ++ break; ++#endif ++#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1) ++ case PY_SSL_VERSION_TLS1_1: + ctx = SSL_CTX_new(TLSv1_1_method()); +- else if (proto_version == PY_SSL_VERSION_TLS1_2) ++ break; ++#endif ++#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2) ++ case PY_SSL_VERSION_TLS1_2: + ctx = SSL_CTX_new(TLSv1_2_method()); ++ break; + #endif +-#ifndef OPENSSL_NO_SSL3 +- else if (proto_version == PY_SSL_VERSION_SSL3) +- ctx = SSL_CTX_new(SSLv3_method()); ++#else ++ /* OpenSSL >= 1.1 or LibreSSL ++ * create context with TLS_method for all protocols ++ * no SSLv2_method in OpenSSL 1.1. 
++ */ ++#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3) ++ case PY_SSL_VERSION_SSL3: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */ ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); ++ if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)) ++ result = -2; ++ } ++ break; + #endif +-#ifndef OPENSSL_NO_SSL2 +- else if (proto_version == PY_SSL_VERSION_SSL2) +- ctx = SSL_CTX_new(SSLv2_method()); ++#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1) ++ case PY_SSL_VERSION_TLS1: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1); ++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION)) ++ result = -2; ++ } ++ break; ++#endif ++#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1) ++ case PY_SSL_VERSION_TLS1_1: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); ++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)) ++ result = -2; ++ } ++ break; ++#endif ++#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2) ++ case PY_SSL_VERSION_TLS1_2: ++ ctx = SSL_CTX_new(TLS_method()); ++ if (ctx != NULL) { ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); ++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) ++ result = -2; ++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)) ++ result = -2; ++ } ++ break; + #endif +- else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */ ++#endif /* OpenSSL >= 1.1 */ ++ case PY_SSL_VERSION_TLS: ++ /* SSLv23 */ + ctx = SSL_CTX_new(TLS_method()); +- else if (proto_version == PY_SSL_VERSION_TLS_CLIENT) ++ break; ++ case PY_SSL_VERSION_TLS_CLIENT: + ctx = SSL_CTX_new(TLS_client_method()); +- else if 
(proto_version == PY_SSL_VERSION_TLS_SERVER) ++ break; ++ case PY_SSL_VERSION_TLS_SERVER: + ctx = SSL_CTX_new(TLS_server_method()); +- else +- proto_version = -1; ++ break; ++ default: ++ result = -1; ++ break; ++ } + PySSL_END_ALLOW_THREADS + +- if (proto_version == -1) { ++ if (result == -1) { + PyErr_SetString(PyExc_ValueError, + "invalid protocol version"); + return NULL; + } +- if (ctx == NULL) { ++ else if (result == -2) { ++ PyErr_SetString(PyExc_ValueError, ++ "protocol configuration error"); ++ return NULL; ++ } ++ else if (ctx == NULL) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + return NULL; + } diff --git a/lang/python/python3/patches/021-openssl-deprecated.patch b/lang/python/python3/patches/021-openssl-deprecated.patch new file mode 100644 index 000000000..c3650ff0c --- /dev/null +++ b/lang/python/python3/patches/021-openssl-deprecated.patch 
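Review bot: In the rewritten switch in `_ssl__SSLContext_impl`, `result` is written only on failure paths (`-1` in `default`, `-2` when a min/max proto call fails), yet `if (result == -1)` runs after every case. Unless the declaration outside this hunk initialises it, each successful case (including `PY_SSL_VERSION_TLS`, `_TLS_CLIENT` and `_TLS_SERVER`) compares an indeterminate value and may spuriously raise "invalid protocol version" or skip the `ctx == NULL` check. Initialise it where it is declared, e.g. `int result = 0;`. The new `result == -2` branch also returns while `ctx` is still a live `SSL_CTX`, so add `SSL_CTX_free(ctx);` before its `return NULL;`. The function starts and ends outside this hunk, so the declaration and later uses of `result` should be confirmed there.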
@@ -0,0 +1,117 @@ +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -1071,7 +1071,7 @@ PyInit__hashlib(void) + { + PyObject *m, *openssl_md_meth_names; + +-#ifndef OPENSSL_VERSION_1_1 ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* Load all digest algorithms and initialize cpuid */ + OPENSSL_add_all_algorithms_noconf(); + ERR_load_crypto_strings(); +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -47,6 +47,7 @@ static PySocketModule_APIObject PySocketModule; + + /* Include OpenSSL header files */ + #include "openssl/rsa.h" ++#include "openssl/dh.h" + #include "openssl/crypto.h" + #include "openssl/x509.h" + #include "openssl/x509v3.h" +@@ -128,13 +129,13 @@ static void _PySSLFixErrno(void) { + #include "_ssl_data.h" + + #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) +-# define OPENSSL_VERSION_1_1 1 +-# define PY_OPENSSL_1_1_API 1 ++# define OPENSSL_VERSION_1_1 1 ++# define PY_OPENSSL_1_1_API 1 + #endif + + /* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */ + #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL +-# define PY_OPENSSL_1_1_API 1 ++# define PY_OPENSSL_1_1_API 1 + #endif + + /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1 +@@ -197,6 +198,11 @@ static void _PySSLFixErrno(void) { + #define TLS_method SSLv23_method + #define TLS_client_method SSLv23_client_method + #define TLS_server_method SSLv23_server_method ++#define X509_getm_notBefore X509_get_notBefore ++#define X509_getm_notAfter X509_get_notAfter ++#define OpenSSL_version_num SSLeay ++#define OpenSSL_version SSLeay_version ++#define OPENSSL_VERSION SSLEAY_VERSION + + static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) + { +@@ -859,7 +865,7 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname) + goto error; + } + } else { +- if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_data(ip), ++ if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip), + 
ASN1_STRING_length(ip))) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + goto error; +@@ -1624,7 +1630,7 @@ _decode_certificate(X509 *certificate) { + Py_DECREF(sn_obj); + + (void) BIO_reset(biobuf); +- notBefore = X509_get_notBefore(certificate); ++ notBefore = X509_getm_notBefore(certificate); + ASN1_TIME_print(biobuf, notBefore); + len = BIO_gets(biobuf, buf, sizeof(buf)-1); + if (len < 0) { +@@ -1641,7 +1647,7 @@ _decode_certificate(X509 *certificate) { + Py_DECREF(pnotBefore); + + (void) BIO_reset(biobuf); +- notAfter = X509_get_notAfter(certificate); ++ notAfter = X509_getm_notAfter(certificate); + ASN1_TIME_print(biobuf, notAfter); + len = BIO_gets(biobuf, buf, sizeof(buf)-1); + if (len < 0) { +@@ -3152,7 +3158,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) + conservative and assume it wasn't fixed until release. We do this check + at runtime to avoid problems from the dynamic linker. + See #25672 for more on this. */ +- libver = SSLeay(); ++ libver = OpenSSL_version_num(); + if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) && + !(libver >= 0x10000000UL && libver < 0x100000dfUL)) { + SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS); +@@ -5159,7 +5175,7 @@ PySSL_RAND(int len, int pseudo) + if (bytes == NULL) + return NULL; + if (pseudo) { +- ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len); ++ ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len); + if (ok == 0 || ok == 1) + return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False); + } +@@ -6176,10 +6192,10 @@ PyInit__ssl(void) + return NULL; + + /* OpenSSL version */ +- /* SSLeay() gives us the version of the library linked against, ++ /* OpenSSL_version_num() gives us the version of the library linked against, + which could be different from the headers version. 
+ */ +- libver = SSLeay(); ++ libver = OpenSSL_version_num(); + r = PyLong_FromUnsignedLong(libver); + if (r == NULL) + return NULL; +@@ -6199,7 +6205,7 @@ PyInit__ssl(void) + r = Py_BuildValue("IIIII", major, minor, fix, patch, status); + if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r)) + return NULL; +- r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION)); ++ r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION)); + if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r)) + return NULL; +
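Review bot: In `PySSL_RAND`, the `pseudo` branch still accepts `ok == 0` after the call was switched to `RAND_bytes()`. For `RAND_pseudo_bytes()` a 0 return meant "filled, but not cryptographically strong", whereas for `RAND_bytes()` it means failure, so the caller can receive a buffer that was never filled, paired with `False`. Consider `if (ok == 1) return Py_BuildValue("NO", bytes, Py_True);` and letting any other value reach the error path; the allocation of `bytes` and that error path are outside the hunk, so check how the buffer is created and released there. Separately, the `_hashopenssl.c` guard `#if OPENSSL_VERSION_NUMBER < 0x10100000L` has no LibreSSL term, unlike the `_ssl.c` defines in this same patch. If LibreSSL builds matter, confirm that skipping `OPENSSL_add_all_algorithms_noconf()` there is intended.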