Merge pull request #11001 from neheb/py3

python3: Fix compilation without deprecated APIs
5 years ago · 7f1704f357
--- a/lang/python/python3/Makefile
+++ b/lang/python/python3/Makefile
@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
 PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)

 PKG_NAME:=python3
 PKG_RELEASE:=1
 PKG_RELEASE:=2
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)

 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
--- a/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch
+++ b/lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch
@ -0,0 +1,223 @@
 From 991f0176e188227647bf4c993d8da81cf794b3ae Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Sun, 25 Feb 2018 20:03:07 +0100
 Subject: [PATCH] bpo-30008: SSL module: emulate tls methods

 OpenSSL 1.1 compatility: emulate version specific TLS methods with
 SSL_CTX_set_min/max_proto_version().
 ---
 .../2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst  |   4 +
 Modules/_ssl.c                                | 134 ++++++++++++++----
 2 files changed, 108 insertions(+), 30 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst

 diff --git a/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
 new file mode 100644
 index 000000000000..e0a08464a1e1
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
@@ -0,0 +1,4 @@
 +The ssl module no longer uses function that are deprecated since OpenSSL
 +1.1.0. The version specific TLS methods are emulated with TLS_method() plus
 +SSL_CTX_set_min/max_proto_version(). Pseudo random numbers are generated
 +with RAND_bytes().
 diff --git a/Modules/_ssl.c b/Modules/_ssl.c
 index f50823e6947a..827026e3bf5c 100644
 --- a/Modules/_ssl.c
 +++ b/Modules/_ssl.c
@@ -45,14 +45,6 @@ static PySocketModule_APIObject PySocketModule;
 #include <sys/poll.h>
 #endif
 
 -/* Don't warn about deprecated functions */
 -#ifdef __GNUC__
 -#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 -#endif
 -#ifdef __clang__
 -#pragma clang diagnostic ignored "-Wdeprecated-declarations"
 -#endif
 -
 /* Include OpenSSL header files */
 #include "openssl/rsa.h"
 #include "openssl/crypto.h"
@@ -205,6 +197,7 @@ static void _PySSLFixErrno(void) {
 #ifndef PY_OPENSSL_1_1_API
 /* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
 
 +#define ASN1_STRING_get0_data ASN1_STRING_data
 #define TLS_method SSLv23_method
 #define TLS_client_method SSLv23_client_method
 #define TLS_server_method SSLv23_server_method
@@ -896,7 +889,7 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
                 goto error;
             }
         } else {
 -            if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_data(ip),
 +            if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
                                            ASN1_STRING_length(ip))) {
                 _setSSLError(NULL, 0, __FILE__, __LINE__);
                 goto error;
@@ -1372,8 +1365,9 @@ _get_peer_alt_names (X509 *certificate) {
                     goto fail;
                 }
                 PyTuple_SET_ITEM(t, 0, v);
 -                v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as),
 -                                                ASN1_STRING_length(as));
 +                v = PyUnicode_FromStringAndSize(
 +                    (char *)ASN1_STRING_get0_data(as),
 +                    ASN1_STRING_length(as));
                 if (v == NULL) {
                     Py_DECREF(t);
                     goto fail;
@@ -3031,44 +3025,124 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
     long options;
     SSL_CTX *ctx = NULL;
     X509_VERIFY_PARAM *params;
 -    int result;
 +    int result = 0;
 #if defined(SSL_MODE_RELEASE_BUFFERS)
     unsigned long libver;
 #endif
 
     PySSL_BEGIN_ALLOW_THREADS
 -    if (proto_version == PY_SSL_VERSION_TLS1)
 +    switch (proto_version) {
 +#if OPENSSL_VERSION_NUMBER <= 0x10100000L
 +    /* OpenSSL < 1.1.0 or not LibreSSL
 +     * Use old-style methods for OpenSSL 1.0.2
 +     */
 +#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
 +    case PY_SSL_VERSION_SSL2:
 +        ctx = SSL_CTX_new(SSLv2_method());
 +        break;
 +#endif
 +#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
 +    case PY_SSL_VERSION_SSL3:
 +        ctx = SSL_CTX_new(SSLv3_method());
 +        break;
 +#endif
 +#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
 +    case PY_SSL_VERSION_TLS1:
         ctx = SSL_CTX_new(TLSv1_method());
 -#if HAVE_TLSv1_2
 -    else if (proto_version == PY_SSL_VERSION_TLS1_1)
 +        break;
 +#endif
 +#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
 +    case PY_SSL_VERSION_TLS1_1:
         ctx = SSL_CTX_new(TLSv1_1_method());
 -    else if (proto_version == PY_SSL_VERSION_TLS1_2)
 +        break;
 +#endif
 +#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
 +    case PY_SSL_VERSION_TLS1_2:
         ctx = SSL_CTX_new(TLSv1_2_method());
 +        break;
 #endif
 -#ifndef OPENSSL_NO_SSL3
 -    else if (proto_version == PY_SSL_VERSION_SSL3)
 -        ctx = SSL_CTX_new(SSLv3_method());
 +#else
 +    /* OpenSSL >= 1.1 or LibreSSL
 +     * create context with TLS_method for all protocols
 +     * no SSLv2_method in OpenSSL 1.1.
 +     */
 +#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
 +    case PY_SSL_VERSION_SSL3:
 +        ctx = SSL_CTX_new(TLS_method());
 +        if (ctx != NULL) {
 +            /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */
 +            SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
 +            if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION))
 +                result = -2;
 +            if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION))
 +                result = -2;
 +        }
 +        break;
 #endif
 -#ifndef OPENSSL_NO_SSL2
 -    else if (proto_version == PY_SSL_VERSION_SSL2)
 -        ctx = SSL_CTX_new(SSLv2_method());
 +#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
 +    case PY_SSL_VERSION_TLS1:
 +        ctx = SSL_CTX_new(TLS_method());
 +        if (ctx != NULL) {
 +            SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
 +            if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION))
 +                result = -2;
 +            if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION))
 +                result = -2;
 +        }
 +        break;
 +#endif
 +#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
 +    case PY_SSL_VERSION_TLS1_1:
 +        ctx = SSL_CTX_new(TLS_method());
 +        if (ctx != NULL) {
 +            SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
 +            if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION))
 +                result = -2;
 +            if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION))
 +                result = -2;
 +        }
 +        break;
 +#endif
 +#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
 +    case PY_SSL_VERSION_TLS1_2:
 +        ctx = SSL_CTX_new(TLS_method());
 +        if (ctx != NULL) {
 +            SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
 +            if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION))
 +                result = -2;
 +            if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
 +                result = -2;
 +        }
 +        break;
 #endif
 -    else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
 +#endif /* OpenSSL >= 1.1 */
 +    case PY_SSL_VERSION_TLS:
 +        /* SSLv23 */
         ctx = SSL_CTX_new(TLS_method());
 -    else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
 +        break;
 +    case PY_SSL_VERSION_TLS_CLIENT:
         ctx = SSL_CTX_new(TLS_client_method());
 -    else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
 +        break;
 +    case PY_SSL_VERSION_TLS_SERVER:
         ctx = SSL_CTX_new(TLS_server_method());
 -    else
 -        proto_version = -1;
 +        break;
 +    default:
 +        result = -1;
 +        break;
 +    }
     PySSL_END_ALLOW_THREADS
 
 -    if (proto_version == -1) {
 +    if (result == -1) {
         PyErr_SetString(PyExc_ValueError,
                         "invalid protocol version");
         return NULL;
     }
 -    if (ctx == NULL) {
 +    else if (result == -2) {
 +        PyErr_SetString(PyExc_ValueError,
 +                        "protocol configuration error");
 +        return NULL;
 +    }
 +    else if (ctx == NULL) {
         _setSSLError(NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
@@ -5241,7 +5315,7 @@ PySSL_RAND(int len, int pseudo)
     if (bytes == NULL)
         return NULL;
     if (pseudo) {
 -        ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
 +        ok = (_PyOS_URandom((unsigned char*)PyBytes_AS_STRING(bytes), len) == 0 ? 1 : 0);
         if (ok == 0 || ok == 1)
             return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
     }
--- a/lang/python/python3/patches/021-openssl-deprecated.patch
+++ b/lang/python/python3/patches/021-openssl-deprecated.patch
@ -0,0 +1,63 @@
 --- a/Modules/_ssl.c
 +++ b/Modules/_ssl.c
@@ -201,6 +202,11 @@ static void _PySSLFixErrno(void) {
 #define TLS_method SSLv23_method
 #define TLS_client_method SSLv23_client_method
 #define TLS_server_method SSLv23_server_method
 +#define X509_getm_notBefore X509_get_notBefore
 +#define X509_getm_notAfter X509_get_notAfter
 +#define OpenSSL_version_num SSLeay
 +#define OpenSSL_version SSLeay_version
 +#define OPENSSL_VERSION SSLEAY_VERSION
 
 static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
 {
@@ -1677,7 +1683,7 @@ _decode_certificate(X509 *certificate) {
     Py_DECREF(sn_obj);
 
     (void) BIO_reset(biobuf);
 -    notBefore = X509_get_notBefore(certificate);
 +    notBefore = X509_getm_notBefore(certificate);
     ASN1_TIME_print(biobuf, notBefore);
     len = BIO_gets(biobuf, buf, sizeof(buf)-1);
     if (len < 0) {
@@ -1694,7 +1700,7 @@ _decode_certificate(X509 *certificate) {
     Py_DECREF(pnotBefore);
 
     (void) BIO_reset(biobuf);
 -    notAfter = X509_get_notAfter(certificate);
 +    notAfter = X509_getm_notAfter(certificate);
     ASN1_TIME_print(biobuf, notAfter);
     len = BIO_gets(biobuf, buf, sizeof(buf)-1);
     if (len < 0) {
@@ -3235,7 +3241,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
        conservative and assume it wasn't fixed until release. We do this check
        at runtime to avoid problems from the dynamic linker.
        See #25672 for more on this. */
 -    libver = SSLeay();
 +    libver = OpenSSL_version_num();
     if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
         !(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
         SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -6403,10 +6409,10 @@ PyInit__ssl(void)
         return NULL;
 
     /* OpenSSL version */
 -    /* SSLeay() gives us the version of the library linked against,
 +    /* OpenSSL_version_num() gives us the version of the library linked against,
        which could be different from the headers version.
     */
 -    libver = SSLeay();
 +    libver = OpenSSL_version_num();
     r = PyLong_FromUnsignedLong(libver);
     if (r == NULL)
         return NULL;
@@ -6416,7 +6422,7 @@ PyInit__ssl(void)
     r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
     if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
         return NULL;
 -    r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
 +    r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION));
     if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
         return NULL;