Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

python3: remove OpenSSL deprecated API patch

Browse source 
Fixes: https://github.com/openwrt/packages/issues/8399

These 2 patches cause some breakage for other packages.
For now, we drop them and wait for upstream to finalize a fix.
We can live with deprecated SSL APIs for a while. No need to hurry, since
this doesn't seem to help.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This commit is contained in:
Alexandru Ardelean 2019-03-18 10:52:44 +02:00 committed by Yousong Zhou
parent a99b9f128d
commit b485a90aa3
3 changed files with 1 additions and 311 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lang/python/python3/Makefile
View file

@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO) PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
PKG_NAME:=python3 PKG_NAME:=python3
PKG_RELEASE:=6 PKG_RELEASE:=7
PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO) PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz

193
lang/python/python3/patches/020-ssl-module-emulate-tls-methods.patch
View file

@ -1,193 +0,0 @@
From 991f0176e188227647bf4c993d8da81cf794b3ae Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Sun, 25 Feb 2018 20:03:07 +0100
Subject: [PATCH] bpo-30008: SSL module: emulate tls methods
OpenSSL 1.1 compatility: emulate version specific TLS methods with
SSL_CTX_set_min/max_proto_version().
---
.../2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst | 4 +
Modules/_ssl.c | 134 ++++++++++++++++-----
2 files changed, 108 insertions(+), 30 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
@@ -0,0 +1,4 @@
+The ssl module no longer uses function that are deprecated since OpenSSL
+1.1.0. The version specific TLS methods are emulated with TLS_method() plus
+SSL_CTX_set_min/max_proto_version(). Pseudo random numbers are generated
+with RAND_bytes().
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -45,14 +45,6 @@ static PySocketModule_APIObject PySocketModule;
#include <sys/poll.h>
#endif
-/* Don't warn about deprecated functions */
-#ifdef __GNUC__
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-#endif
-#ifdef __clang__
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
-#endif
-
/* Include OpenSSL header files */
#include "openssl/rsa.h"
#include "openssl/crypto.h"
@@ -201,6 +193,7 @@ static void _PySSLFixErrno(void) {
#ifndef PY_OPENSSL_1_1_API
/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
+#define ASN1_STRING_get0_data ASN1_STRING_data
#define TLS_method SSLv23_method
#define TLS_client_method SSLv23_client_method
#define TLS_server_method SSLv23_server_method
@@ -1319,8 +1312,9 @@ _get_peer_alt_names (X509 *certificate) {
goto fail;
}
PyTuple_SET_ITEM(t, 0, v);
- v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as),
- ASN1_STRING_length(as));
+ v = PyUnicode_FromStringAndSize(
+ (char *)ASN1_STRING_get0_data(as),
+ ASN1_STRING_length(as));
if (v == NULL) {
Py_DECREF(t);
goto fail;
@@ -2959,38 +2953,118 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
#endif
PySSL_BEGIN_ALLOW_THREADS
- if (proto_version == PY_SSL_VERSION_TLS1)
+ switch (proto_version) {
+#if OPENSSL_VERSION_NUMBER <= 0x10100000L
+ /* OpenSSL < 1.1.0 or not LibreSSL
+ * Use old-style methods for OpenSSL 1.0.2
+ */
+#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
+ case PY_SSL_VERSION_SSL2:
+ ctx = SSL_CTX_new(SSLv2_method());
+ break;
+#endif
+#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
+ case PY_SSL_VERSION_SSL3:
+ ctx = SSL_CTX_new(SSLv3_method());
+ break;
+#endif
+#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
+ case PY_SSL_VERSION_TLS1:
ctx = SSL_CTX_new(TLSv1_method());
-#if HAVE_TLSv1_2
- else if (proto_version == PY_SSL_VERSION_TLS1_1)
+ break;
+#endif
+#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
+ case PY_SSL_VERSION_TLS1_1:
ctx = SSL_CTX_new(TLSv1_1_method());
- else if (proto_version == PY_SSL_VERSION_TLS1_2)
+ break;
+#endif
+#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
+ case PY_SSL_VERSION_TLS1_2:
ctx = SSL_CTX_new(TLSv1_2_method());
+ break;
#endif
-#ifndef OPENSSL_NO_SSL3
- else if (proto_version == PY_SSL_VERSION_SSL3)
- ctx = SSL_CTX_new(SSLv3_method());
+#else
+ /* OpenSSL >= 1.1 or LibreSSL
+ * create context with TLS_method for all protocols
+ * no SSLv2_method in OpenSSL 1.1.
+ */
+#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
+ case PY_SSL_VERSION_SSL3:
+ ctx = SSL_CTX_new(TLS_method());
+ if (ctx != NULL) {
+ /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION))
+ result = -2;
+ if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION))
+ result = -2;
+ }
+ break;
#endif
-#ifndef OPENSSL_NO_SSL2
- else if (proto_version == PY_SSL_VERSION_SSL2)
- ctx = SSL_CTX_new(SSLv2_method());
+#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
+ case PY_SSL_VERSION_TLS1:
+ ctx = SSL_CTX_new(TLS_method());
+ if (ctx != NULL) {
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
+ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION))
+ result = -2;
+ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION))
+ result = -2;
+ }
+ break;
+#endif
+#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
+ case PY_SSL_VERSION_TLS1_1:
+ ctx = SSL_CTX_new(TLS_method());
+ if (ctx != NULL) {
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
+ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION))
+ result = -2;
+ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION))
+ result = -2;
+ }
+ break;
+#endif
+#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
+ case PY_SSL_VERSION_TLS1_2:
+ ctx = SSL_CTX_new(TLS_method());
+ if (ctx != NULL) {
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
+ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION))
+ result = -2;
+ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
+ result = -2;
+ }
+ break;
#endif
- else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
+#endif /* OpenSSL >= 1.1 */
+ case PY_SSL_VERSION_TLS:
+ /* SSLv23 */
ctx = SSL_CTX_new(TLS_method());
- else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
+ break;
+ case PY_SSL_VERSION_TLS_CLIENT:
ctx = SSL_CTX_new(TLS_client_method());
- else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
+ break;
+ case PY_SSL_VERSION_TLS_SERVER:
ctx = SSL_CTX_new(TLS_server_method());
- else
- proto_version = -1;
+ break;
+ default:
+ result = -1;
+ break;
+ }
PySSL_END_ALLOW_THREADS
- if (proto_version == -1) {
+ if (result == -1) {
PyErr_SetString(PyExc_ValueError,
"invalid protocol version");
return NULL;
}
- if (ctx == NULL) {
+ else if (result == -2) {
+ PyErr_SetString(PyExc_ValueError,
+ "protocol configuration error");
+ return NULL;
+ }
+ else if (ctx == NULL) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
return NULL;
}

117
lang/python/python3/patches/021-openssl-deprecated.patch
View file

@ -1,117 +0,0 @@
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -1071,7 +1071,7 @@ PyInit__hashlib(void)
{
PyObject *m, *openssl_md_meth_names;
-#ifndef OPENSSL_VERSION_1_1
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* Load all digest algorithms and initialize cpuid */
OPENSSL_add_all_algorithms_noconf();
ERR_load_crypto_strings();
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -47,6 +47,7 @@ static PySocketModule_APIObject PySocketModule;
/* Include OpenSSL header files */
#include "openssl/rsa.h"
+#include "openssl/dh.h"
#include "openssl/crypto.h"
#include "openssl/x509.h"
#include "openssl/x509v3.h"
@@ -128,13 +129,13 @@ static void _PySSLFixErrno(void) {
#include "_ssl_data.h"
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
-# define OPENSSL_VERSION_1_1 1
-# define PY_OPENSSL_1_1_API 1
+# define OPENSSL_VERSION_1_1 1
+# define PY_OPENSSL_1_1_API 1
#endif
/* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
-# define PY_OPENSSL_1_1_API 1
+# define PY_OPENSSL_1_1_API 1
#endif
/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
@@ -197,6 +198,11 @@ static void _PySSLFixErrno(void) {
#define TLS_method SSLv23_method
#define TLS_client_method SSLv23_client_method
#define TLS_server_method SSLv23_server_method
+#define X509_getm_notBefore X509_get_notBefore
+#define X509_getm_notAfter X509_get_notAfter
+#define OpenSSL_version_num SSLeay
+#define OpenSSL_version SSLeay_version
+#define OPENSSL_VERSION SSLEAY_VERSION
static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
{
@@ -859,7 +865,7 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
goto error;
}
} else {
- if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_data(ip),
+ if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
ASN1_STRING_length(ip))) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
goto error;
@@ -1624,7 +1630,7 @@ _decode_certificate(X509 *certificate) {
Py_DECREF(sn_obj);
(void) BIO_reset(biobuf);
- notBefore = X509_get_notBefore(certificate);
+ notBefore = X509_getm_notBefore(certificate);
ASN1_TIME_print(biobuf, notBefore);
len = BIO_gets(biobuf, buf, sizeof(buf)-1);
if (len < 0) {
@@ -1641,7 +1647,7 @@ _decode_certificate(X509 *certificate) {
Py_DECREF(pnotBefore);
(void) BIO_reset(biobuf);
- notAfter = X509_get_notAfter(certificate);
+ notAfter = X509_getm_notAfter(certificate);
ASN1_TIME_print(biobuf, notAfter);
len = BIO_gets(biobuf, buf, sizeof(buf)-1);
if (len < 0) {
@@ -3152,7 +3158,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
conservative and assume it wasn't fixed until release. We do this check
at runtime to avoid problems from the dynamic linker.
See #25672 for more on this. */
- libver = SSLeay();
+ libver = OpenSSL_version_num();
if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
!(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -5159,7 +5175,7 @@ PySSL_RAND(int len, int pseudo)
if (bytes == NULL)
return NULL;
if (pseudo) {
- ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
+ ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
if (ok == 0 || ok == 1)
return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
}
@@ -6176,10 +6192,10 @@ PyInit__ssl(void)
return NULL;
/* OpenSSL version */
- /* SSLeay() gives us the version of the library linked against,
+ /* OpenSSL_version_num() gives us the version of the library linked against,
which could be different from the headers version.
*/
- libver = SSLeay();
+ libver = OpenSSL_version_num();
r = PyLong_FromUnsignedLong(libver);
if (r == NULL)
return NULL;
@@ -6199,7 +6205,7 @@ PyInit__ssl(void)
r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
return NULL;
- r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
+ r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION));
if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
return NULL;