From 89c044ccb72bb1976556ddfb5323e16f081960f0 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 24 Feb 2018 22:12:40 +0100 Subject: [PATCH] bpo-30622: Improve NPN support detection (GH-5859) The ssl module now detects missing NPN support in LibreSSL. Co-Authored-By: Bernard Spil Signed-off-by: Christian Heimes (cherry picked from commit 6cdb7954b0a578d899e4b78b868ea59eef08480a) Co-authored-by: Christian Heimes --- Doc/library/ssl.rst | 17 +++++++++++ .../2018-02-24-21-40-42.bpo-30622.dQjxSe.rst | 1 + Modules/_ssl.c | 29 ++++++++++++++----- Modules/clinic/_ssl.c.h | 6 ++-- 4 files changed, 42 insertions(+), 11 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2018-02-24-21-40-42.bpo-30622.dQjxSe.rst diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 4cad9f667c48d0..7371024dce4e30 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -2434,6 +2434,23 @@ successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or :func:`~ssl.RAND_pseudo_bytes` is sufficient. +.. ssl-libressl: + +LibreSSL support +---------------- + +LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for +LibreSSL. Some features are not available when the ssl module is compiled +with LibreSSL. + +* LibreSSL >= 2.6.1 no longer supports NPN. The methods + :meth:`SSLContext.set_npn_protocols` and + :meth:`SSLSocket.selected_npn_protocol` are not available. +* :meth:`SSLContext.set_default_verify_paths` ignores the env vars + :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_PATH` although + :func:`get_default_verify_paths` still reports them. + + .. seealso:: Class :class:`socket.socket` diff --git a/Misc/NEWS.d/next/Library/2018-02-24-21-40-42.bpo-30622.dQjxSe.rst b/Misc/NEWS.d/next/Library/2018-02-24-21-40-42.bpo-30622.dQjxSe.rst new file mode 100644 index 00000000000000..bcb659b24dd348 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2018-02-24-21-40-42.bpo-30622.dQjxSe.rst @@ -0,0 +1 @@ +The ssl module now detects missing NPN support in LibreSSL. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 2136cbdeae47e7..ed6b7a835a9432 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -160,6 +160,19 @@ static void _PySSLFixErrno(void) { # define HAVE_ALPN #endif +/* We cannot rely on OPENSSL_NO_NEXTPROTONEG because LibreSSL 2.6.1 dropped + * NPN support but did not set OPENSSL_NO_NEXTPROTONEG for compatibility + * reasons. The check for TLSEXT_TYPE_next_proto_neg works with + * OpenSSL 1.0.1+ and LibreSSL. + */ +#ifdef OPENSSL_NO_NEXTPROTONEG +# define HAVE_NPN 0 +#elif defined(TLSEXT_TYPE_next_proto_neg) +# define HAVE_NPN 1 +#else +# define HAVE_NPN 0 +# endif + #ifndef INVALID_SOCKET /* MS defines this */ #define INVALID_SOCKET (-1) #endif @@ -328,7 +341,7 @@ static unsigned int _ssl_locks_count = 0; typedef struct { PyObject_HEAD SSL_CTX *ctx; -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN unsigned char *npn_protocols; int npn_protocols_len; #endif @@ -1909,7 +1922,7 @@ _ssl__SSLSocket_version_impl(PySSLSocket *self) return PyUnicode_FromString(version); } -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN /*[clinic input] _ssl._SSLSocket.selected_npn_protocol [clinic start generated code]*/ @@ -2874,7 +2887,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) self->ctx = ctx; self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; self->protocol = proto_version; -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN self->npn_protocols = NULL; #endif #ifdef HAVE_ALPN @@ -3013,7 +3026,7 @@ context_dealloc(PySSLContext *self) PyObject_GC_UnTrack(self); context_clear(self); SSL_CTX_free(self->ctx); -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN PyMem_FREE(self->npn_protocols); #endif #ifdef HAVE_ALPN @@ -3091,7 +3104,7 @@ _ssl__SSLContext_get_ciphers_impl(PySSLContext *self) #endif -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN) +#if defined(HAVE_NPN) || defined(HAVE_ALPN) static int do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, const unsigned char *server_protocols, unsigned int server_protocols_len, @@ -3117,7 +3130,7 @@ do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, } #endif -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ static int _advertiseNPN_cb(SSL *s, @@ -3160,7 +3173,7 @@ _ssl__SSLContext__set_npn_protocols_impl(PySSLContext *self, Py_buffer *protos) /*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/ { -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN PyMem_Free(self->npn_protocols); self->npn_protocols = PyMem_Malloc(protos->len); if (self->npn_protocols == NULL) @@ -5705,7 +5718,7 @@ PyInit__ssl(void) Py_INCREF(r); PyModule_AddObject(m, "HAS_ECDH", r); -#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifdef HAVE_NPN r = Py_True; #else r = Py_False; diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h index 5b6c4af11fb787..1ee1bfb21d3e53 100644 --- a/Modules/clinic/_ssl.c.h +++ b/Modules/clinic/_ssl.c.h @@ -132,7 +132,7 @@ _ssl__SSLSocket_version(PySSLSocket *self, PyObject *Py_UNUSED(ignored)) return _ssl__SSLSocket_version_impl(self); } -#if (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) +#if defined(HAVE_NPN) PyDoc_STRVAR(_ssl__SSLSocket_selected_npn_protocol__doc__, "selected_npn_protocol($self, /)\n" @@ -151,7 +151,7 @@ _ssl__SSLSocket_selected_npn_protocol(PySSLSocket *self, PyObject *Py_UNUSED(ign return _ssl__SSLSocket_selected_npn_protocol_impl(self); } -#endif /* (defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)) */ +#endif /* defined(HAVE_NPN) */ #if defined(HAVE_ALPN) @@ -1175,4 +1175,4 @@ _ssl_enum_crls(PyObject *module, PyObject *const *args, Py_ssize_t nargs, PyObje #ifndef _SSL_ENUM_CRLS_METHODDEF #define _SSL_ENUM_CRLS_METHODDEF #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */ -/*[clinic end generated code: output=d987411caeb106e7 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=a00fef6a470cfc2c input=a9049054013a1b77]*/